IBM Tivoli Access Manager for e-business Command Reference
Version 5.1
SC32-1354-00


Note
Before using this information and the product it supports, read the information in Appendix C, “Notices,” on page 289.

First Edition (November 2003)

This edition applies to version 5.1 of IBM Tivoli Access Manager (product number 5724-C08) and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2001, 2003. All rights reserved.
US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface ... vii
  Who should read this book ... vii
  What this book contains ... vii
  Publications ... viii
    Release information ... viii
    Base information ... viii
    Web security information ... viii
    Developer references ... ix
    Technical supplements ... x
    Related publications ... x
    Accessing publications online ... xiii
  Accessibility ... xiii
  Contacting software support ... xiv
  Conventions used in this book ... xiv
    Typeface conventions ... xiv
    Operating system differences ... xiv

Chapter 1. pdadmin command line utility ... 1
  pdadmin utility ... 1
    Command modes ... 2
      Single command mode ... 2
      Interactive command mode ... 3
      Multiple command mode ... 5
    pdadmin in a locale other than English ... 6
    Error handling for pdadmin commands ... 7
      Return codes for a single command ... 7
      Return codes for an interactive command ... 8
      Return codes for multiple commands ... 8
    Local or other domain ... 9
    Command option processing ... 9
  Tivoli Access Manager pdadmin commands ... 10
    Access control list commands ... 10
    Action commands ... 11
    Authorization rule commands ... 11
    Config commands ... 11
    Context commands ... 12
    Domain commands ... 12
    Group commands ... 12
    Login and logout commands ... 13
    Object commands ... 13
    Object space commands ... 13
    Policy commands ... 14
    Protected object policy commands ... 14
    Resource commands ... 14
    Server commands ... 15
    User commands ... 15
  acl attach ... 16
  acl create ... 17
  acl delete ... 18
  acl detach ... 19
  acl find ... 20
  acl list ... 21
  acl modify ... 22
  acl show ... 27
  action create ... 28
  action delete ... 30
  action group ... 31
  action list ... 32
  admin show conf ... 33
  authzrule attach ... 34
  authzrule create ... 35
  authzrule delete ... 37
  authzrule detach ... 38
  authzrule find ... 39
  authzrule list ... 40
  authzrule modify ... 41
  authzrule show ... 43
  config modify ... 45
  config show ... 48
  context show ... 50
  domain create ... 52
  domain delete ... 54
  domain list ... 55
  domain modify ... 56
  domain show ... 57
  errtext ... 58
  exit or quit ... 60
  group create ... 61
  group delete ... 63
  group import ... 64
  group list ... 66
  group modify ... 68
  group show ... 70
  help ... 72
  login ... 74
  logout ... 77
  object access ... 78
  object create ... 80
  object delete ... 82
  object exists ... 83
  object list ... 84
  object listandshow ... 86
  object modify ... 88
  object show ... 91
  objectspace create ... 93
  objectspace delete ... 95
  objectspace list ... 96
  policy get ... 97
  policy set ... 99
  pop attach ... 102
  pop create ... 103
  pop delete ... 104
  pop detach ... 105
  pop find ... 106
  pop list ... 107
  pop modify ... 108
  pop show ... 111
  rsrc create ... 113
  rsrc delete ... 115
  rsrc list ... 116
  rsrc show ... 117
  rsrccred create ... 118
  rsrccred delete ... 120
  rsrccred list user ... 122
  rsrccred modify ... 123
  rsrccred show ... 125
  rsrcgroup create ... 127
  rsrcgroup delete ... 129
  rsrcgroup list ... 130
  rsrcgroup modify ... 131
  rsrcgroup show ... 133
  server list ... 134
  server listtasks ... 135
  server replicate ... 137
  server show ... 138
  server task ... 140
  server task (WebSEAL) ... 142
  server task add (WebSEAL) ... 146
  server task create (WebSEAL) ... 150
  server task delete (WebSEAL) ... 157
  server task remove (WebSEAL) ... 159
  server task show (WebSEAL) ... 161
  server task stats ... 163
  server task trace ... 166
  user create ... 168
  user delete ... 170
  user import ... 171
  user list ... 173
  user modify ... 175
  user show ... 177

Chapter 2. Tivoli Access Manager utilities ... 179
  amwebcfg ... 182
  AMWLSConfigure -action config ... 187
  AMWLSConfigure -action unconfig ... 189
  AMWLSConfigure -action create_realm ... 190
  AMWLSConfigure -action delete_realm ... 192
  amwpmcfg ... 193
  bassslcfg -add_replica ... 196
  bassslcfg -chgpwd ... 197
  bassslcfg -chg_replica ... 198
  bassslcfg -config ... 199
  bassslcfg -getcacert ... 201
  bassslcfg -getmgtdomain ... 202
  bassslcfg -modify ... 203
  bassslcfg -ping ... 205
  bassslcfg -rmv_replica ... 206
  cdsso_key_gen ... 207
  install_component ... 209
  ivrgy_tool ... 213
  migrateEAR4 ... 215
  migrateEAR5 ... 218
  mgrsslcfg -chgcert ... 221
  mgrsslcfg -chgpwd ... 222
  mgrsslcfg -config ... 223
  mgrsslcfg -modify ... 225
  pdbackup ... 226
  pdconfig ... 234
  pdjrtecfg ... 235
  pd_start ... 239
  pdversion ... 240
  pdwascfg ... 242
  pdweb ... 246
  pdwebpi ... 248
  pdwebpi_start ... 249
  pdwpi-version ... 251
  pdwpicfg -action config ... 252
  pdwpicfg -action unconfig ... 255
  query_contents ... 257
  svrsslcfg -add_replica ... 259
  svrsslcfg -chg_replica ... 261
  svrsslcfg -chgcert ... 263
  svrsslcfg -chgport ... 265
  svrsslcfg -chgpwd ... 266
  svrsslcfg -config ... 267
  svrsslcfg -modify ... 270
  svrsslcfg -rmv_replica ... 271
  svrsslcfg -unconfig ... 272
  wesosm ... 274
  wslstartwte ... 276
  wslstopwte ... 277

Appendix A. Disallowed characters and passwords limitations ... 279
  Password policies ... 279
  Character limitations for passwords and user names ... 280
  Characters allowed for secure domain names ... 280
  Characters disallowed for user and group name ... 281
  Characters disallowed for distinguished names ... 281
  Characters disallowed for GSO names ... 281
  Characters disallowed for authorization rules ... 281
  Characters disallowed for access control lists names ... 282
  Characters disallowed for protected object policy names ... 282

Appendix B. User registry differences ... 285

Appendix C. Notices ... 289
  Trademarks ... 290

Glossary ... 293

Index ... 299

Preface

IBM® Tivoli® Access Manager (Tivoli Access Manager) is the base software that is required to run applications in the IBM Tivoli Access Manager product suite. It enables the integration of IBM Tivoli Access Manager applications that provide a wide range of authorization and management solutions. Sold as an integrated solution, these products provide an access control management solution that centralizes network and application security policy for e-business applications.

Note: IBM Tivoli Access Manager is the new name of the previously released software entitled Tivoli SecureWay® Policy Director. Also, for users familiar with the Tivoli SecureWay Policy Director software and documentation, the management server is now referred to as the policy server.

This book provides detailed information about the pdadmin command line interface and other command line utilities, which can help you manage servers and resources in your secure domain.
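Much of the day-to-day use of pdadmin is reading policy back out of the policy server (the acl show and acl list commands listed in the contents) and checking that nothing grants more than intended. The following audit script is an added example and is not part of this reference or of the product; it parses the text that pdadmin acl show prints for one ACL and flags Any-other or Unauthenticated entries that carry write-style actions (control, delegation, modify, delete, server admin, attach, bypass POP, bypass rule). The entry layout it expects (an "Entries:" line followed by indented "type [name] permissions" lines) and the two sample ACLs are constructed assumptions modelled on typical output; entries that use extended action groups in square brackets are not handled. Verify the layout against your own pdadmin output before relying on it.

```python
"""Audit `pdadmin acl show` output for over-broad entries.

Added example; not part of the IBM Tivoli Access Manager Command Reference.
The expected output layout and the sample ACLs below are assumptions.
"""
import re

# Action letters of the Tivoli Access Manager primary action group:
# T traverse, c control, g delegation, m modify, d delete, b browse,
# s server admin, v view, a attach, B bypass POP, R bypass rule,
# l list, r read, x execute.
WRITE_LIKE = frozenset("cgmdsaBR")  # actions that change policy or objects
READ_LIKE = frozenset("Tblrvx")     # actions that only read or traverse

# Assumed shape of one entry line, e.g. "    Group iv-admin TcmdbsvaBRl"
# or "    Any-other Trx" (no name for Any-other / Unauthenticated).
ENTRY_RE = re.compile(
    r"^\s+(User|Group|Any-other|Unauthenticated)(?:\s+(\S+))?\s+(\S+)\s*$"
)


def parse_acl_show(text):
    """Return (acl_name, entries); entries are (type, name_or_None, perms)."""
    acl_name = None
    entries = []
    in_entries = False
    for line in text.splitlines():
        if line.startswith("ACL Name:"):
            acl_name = line.split(":", 1)[1].strip()
        elif line.strip() == "Entries:":
            in_entries = True
        elif in_entries:
            match = ENTRY_RE.match(line)
            if match:
                entries.append((match.group(1), match.group(2), match.group(3)))
    return acl_name, entries


def find_risky_entries(text):
    """Return (acl, entry_type, offending_letters) for anonymous write grants."""
    acl_name, entries = parse_acl_show(text)
    findings = []
    for entry_type, _name, perms in entries:
        if entry_type in ("Any-other", "Unauthenticated"):
            offending = "".join(sorted(set(perms) & WRITE_LIKE))
            if offending:
                findings.append((acl_name, entry_type, offending))
    return findings


# Constructed sample: values modelled on a stock default-webseal ACL.
SAMPLE_DEFAULT = """\
ACL Name: default-webseal
Description: Default WebSEAL ACL
Entries:
    User sec_master TcmdbsvaBRl
    Group iv-admin TcmdbsvaBRl
    Group webseal-servers Tgmdbsrxl
    Any-other Trx
    Unauthenticated T
"""

# Constructed sample with two mistakes an audit should catch.
SAMPLE_RISKY = """\
ACL Name: app-acl
Description: constructed example, not a real ACL
Entries:
    User sec_master TcmdbsvaBRl
    Group iv-admin TcmdbsvaBRl
    Any-other Trxm
    Unauthenticated Td
"""

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_RISKY):
        name, _ = parse_acl_show(sample)
        for acl, who, letters in find_risky_entries(sample) or []:
            print(f"{acl}: {who} has write-style actions {letters}")
        if not find_risky_entries(sample):
            print(f"{name}: no anonymous write grants")
```

In practice you would feed the script the captured output of `pdadmin -a sec_master -p <password> acl show <acl-name>` for every name returned by `acl list`, and treat any finding as a policy defect to fix with `acl modify`.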

Who should read this book

This reference is for system administrators responsible for the administration of Tivoli Access Manager software. Readers should be familiar with the following:
• Microsoft® Windows® and UNIX® operating systems
• Database architecture and concepts
• Security management
• Internet protocols, including HTTP, HTTPS, TCP/IP, File Transfer Protocol (FTP), and Telnet
• Lightweight Directory Access Protocol (LDAP) and directory services
• Authentication and authorization
• Tivoli Access Manager security model and its capabilities

If you are enabling Secure Sockets Layer (SSL) communication, you also should be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

What this book contains

This reference contains the following sections:
• Chapter 1, “pdadmin command line utility,” on page 1
  Provides reference information about pdadmin commands.
• Chapter 2, “Tivoli Access Manager utilities,” on page 179
  Lists other Tivoli Access Manager utilities that can help you maintain your environment and troubleshoot problems that can arise during normal operations.


Publications

Review the descriptions of the Tivoli Access Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

Additional information about the IBM Tivoli Access Manager for e-business product itself can be found at:
http://www.ibm.com/software/tivoli/products/access-mgr-e-bus/

The Tivoli Access Manager library is organized into the following categories:
• “Release information”
• “Base information”
• “Web security information”
• “Developer references” on page ix
• “Technical supplements” on page x

Release information

• IBM Tivoli Access Manager for e-business Read This First (GI11-4155-00)
  Provides information for installing and getting started using Tivoli Access Manager.
• IBM Tivoli Access Manager for e-business Release Notes (GI11-4156-00)
  Provides late-breaking information, such as software limitations, workarounds, and documentation updates.

Base information

• IBM Tivoli Access Manager Base Installation Guide (SC32-1362-00)
  Explains how to install and configure the Tivoli Access Manager base software, including the Web Portal Manager interface. This book is a subset of IBM Tivoli Access Manager for e-business Web Security Installation Guide and is intended for use with other Tivoli Access Manager products, such as IBM Tivoli Access Manager for Business Integration and IBM Tivoli Access Manager for Operating Systems.
• IBM Tivoli Access Manager Base Administration Guide (SC32-1360-00)
  Describes the concepts and procedures for using Tivoli Access Manager services. Provides instructions for performing tasks from the Web Portal Manager interface and by using the pdadmin command.

Web security information

• IBM Tivoli Access Manager for e-business Web Security Installation Guide (SC32-1361-00)
  Provides installation, configuration, and removal instructions for the Tivoli Access Manager base software as well as the Web Security components. This book is a superset of IBM Tivoli Access Manager Base Installation Guide.
• IBM Tivoli Access Manager Upgrade Guide (SC32-1369-00)
  Explains how to upgrade from Tivoli SecureWay Policy Director Version 3.8 or previous versions of Tivoli Access Manager to Tivoli Access Manager Version 5.1.


• IBM Tivoli Access Manager for e-business WebSEAL Administration Guide (SC32-1359-00)
  Provides background material, administrative procedures, and technical reference information for using WebSEAL to manage the resources of your secure Web domain.
• IBM Tivoli Access Manager for e-business IBM WebSphere Application Server Integration Guide (SC32-1368-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with IBM WebSphere® Application Server.
• IBM Tivoli Access Manager for e-business IBM WebSphere Edge Server Integration Guide (SC32-1367-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with the IBM WebSphere Edge Server application.
• IBM Tivoli Access Manager for e-business Plug-in for Web Servers Integration Guide (SC32-1365-00)
  Provides installation instructions, administration procedures, and technical reference information for securing your Web domain using the plug-in for Web servers.
• IBM Tivoli Access Manager for e-business BEA WebLogic Server Integration Guide (SC32-1366-00)
  Provides installation, removal, and administration instructions for integrating Tivoli Access Manager with BEA WebLogic Server.
• IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide (SC32-1364-00)
  Provides an overview of the tasks related to integrating Tivoli Access Manager and Tivoli Identity Manager and explains how to use and install the Provisioning Fast Start collection.

Developer references

- IBM Tivoli Access Manager for e-business Authorization C API Developer Reference (SC32-1355-00)
  Provides reference material that describes how to use the Tivoli Access Manager authorization C API and the Tivoli Access Manager service plug-in interface to add Tivoli Access Manager security to applications.
- IBM Tivoli Access Manager for e-business Authorization Java Classes Developer Reference (SC32-1350-00)
  Provides reference information for using the Java™ language implementation of the authorization API to enable an application to use Tivoli Access Manager security.
- IBM Tivoli Access Manager for e-business Administration C API Developer Reference (SC32-1357-00)
  Provides reference information about using the administration API to enable an application to perform Tivoli Access Manager administration tasks. This document describes the C implementation of the administration API.
- IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference (SC32-1356-00)
  Provides reference information for using the Java language implementation of the administration API to enable an application to perform Tivoli Access Manager administration tasks.
- IBM Tivoli Access Manager for e-business Web Security Developer Reference (SC32-1358-00)
  Provides administration and programming information for the cross-domain authentication service (CDAS), the cross-domain mapping framework (CDMF), and the password strength module.

Technical supplements

- IBM Tivoli Access Manager for e-business Command Reference (SC32-1354-00)
  Provides information about the command line utilities and scripts provided with Tivoli Access Manager.
- IBM Tivoli Access Manager Error Message Reference (SC32-1353-00)
  Provides explanations and recommended actions for the messages produced by Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Problem Determination Guide (SC32-1352-00)
  Provides problem determination information for Tivoli Access Manager.
- IBM Tivoli Access Manager for e-business Performance Tuning Guide (SC32-1351-00)
  Provides performance tuning information for an environment consisting of Tivoli Access Manager with the IBM Tivoli Directory server as the user registry.

Related publications

This section lists publications related to the Tivoli Access Manager library. The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at: http://www.ibm.com/software/tivoli/library/

The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page: http://www.ibm.com/software/tivoli/library/

IBM Global Security Kit

Tivoli Access Manager provides data encryption through the use of the IBM Global Security Kit (GSKit) Version 7.0. GSKit is included on the IBM Tivoli Access Manager Base CD for your particular platform, as well as on the IBM Tivoli Access Manager Web Security CDs, the IBM Tivoli Access Manager Web Administration Interfaces CDs, and the IBM Tivoli Access Manager Directory Server CDs.

The GSKit package provides the iKeyman key management utility, gsk7ikm, which is used to create key databases, public-private key pairs, and certificate requests. The following document is available on the Tivoli Information Center Web site in the same section as the IBM Tivoli Access Manager product documentation:

- IBM Global Security Kit Secure Sockets Layer and iKeyman User's Guide (SC32-1363-00)
  Provides information for network or system security administrators who plan to enable SSL communication in their Tivoli Access Manager environment.


IBM Tivoli Directory Server

IBM Tivoli Directory Server, Version 5.2, is included on the IBM Tivoli Access Manager Directory Server CD for the desired operating system.

Note: IBM Tivoli Directory Server is the new name for the previously released software known as:

- IBM Directory Server (Version 4.1 and Version 5.1)
- IBM SecureWay Directory Server (Version 3.2.2)

IBM Directory Server Version 4.1, IBM Directory Server Version 5.1, and IBM Tivoli Directory Server Version 5.2 are all supported by IBM Tivoli Access Manager Version 5.1.

Additional information about IBM Tivoli Directory Server can be found at: http://www.ibm.com/software/network/directory/library/

IBM DB2 Universal Database

IBM DB2® Universal Database™ Enterprise Server Edition, Version 8.1 is provided on the IBM Tivoli Access Manager Directory Server CD and is installed with the IBM Tivoli Directory Server software. DB2 is required when using IBM Tivoli Directory Server, z/OS™, or OS/390® LDAP servers as the user registry for Tivoli Access Manager.

Additional information about DB2 can be found at: http://www.ibm.com/software/data/db2/

IBM WebSphere Application Server

IBM WebSphere Application Server, Advanced Single Server Edition 5.0, is included on the IBM Tivoli Access Manager Web Administration Interfaces CD for the desired operating system. WebSphere Application Server enables the support of both the Web Portal Manager interface, which is used to administer Tivoli Access Manager, and the Web Administration Tool, which is used to administer IBM Tivoli Directory Server. IBM WebSphere Application Server Fix Pack 2 is also required by Tivoli Access Manager and is provided on the IBM Tivoli Access Manager WebSphere Fix Pack CD.

Additional information about IBM WebSphere Application Server can be found at: http://www.ibm.com/software/webservers/appserv/infocenter.html

IBM Tivoli Access Manager for Business Integration

IBM Tivoli Access Manager for Business Integration, available as a separately orderable product, provides a security solution for IBM MQSeries®, Version 5.2, and IBM WebSphere® MQ, Version 5.3, messages. IBM Tivoli Access Manager for Business Integration allows WebSphere MQSeries applications to send data with privacy and integrity by using keys associated with the sending and receiving applications. Like WebSEAL and IBM Tivoli Access Manager for Operating Systems, IBM Tivoli Access Manager for Business Integration is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Business Integration can be found at: http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/


The following documents associated with IBM Tivoli Access Manager for Business Integration Version 5.1 are available on the Tivoli Information Center Web site:

- IBM Tivoli Access Manager for Business Integration Administration Guide (SC23-4831-01)
- IBM Tivoli Access Manager for Business Integration Problem Determination Guide (GC23-1328-00)
- IBM Tivoli Access Manager for Business Integration Release Notes (GI11-0957-01)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for WebSphere Business Integration Brokers

IBM Tivoli Access Manager for WebSphere Business Integration Brokers, available as part of IBM Tivoli Access Manager for Business Integration, provides a security solution for WebSphere Business Integration Message Broker, Version 5.0 and WebSphere Business Integration Event Broker, Version 5.0. IBM Tivoli Access Manager for WebSphere Business Integration Brokers operates in conjunction with Tivoli Access Manager to secure JMS publish/subscribe applications by providing password and credentials-based authentication, centrally-defined authorization, and auditing services.

Additional information about IBM Tivoli Access Manager for WebSphere Integration Brokers can be found at: http://www.ibm.com/software/tivoli/products/access-mgr-bus-integration/

The following documents associated with IBM Tivoli Access Manager for WebSphere Integration Brokers, Version 5.1 are available on the Tivoli Information Center Web site:

- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Administration Guide (SC32-1347-00)
- IBM Tivoli Access Manager for WebSphere Business Integration Brokers Release Notes (GI11-4154-00)
- IBM Tivoli Access Manager for Business Integration Read This First (GI11-4202-00)

IBM Tivoli Access Manager for Operating Systems

IBM Tivoli Access Manager for Operating Systems, available as a separately orderable product, provides a layer of authorization policy enforcement on UNIX systems in addition to that provided by the native operating system. IBM Tivoli Access Manager for Operating Systems, like WebSEAL and IBM Tivoli Access Manager for Business Integration, is one of the resource managers that use the services of IBM Tivoli Access Manager.

Additional information about IBM Tivoli Access Manager for Operating Systems can be found at: http://www.ibm.com/software/tivoli/products/access-mgr-operating-sys/


The following documents associated with IBM Tivoli Access Manager for Operating Systems Version 5.1 are available on the Tivoli Information Center Web site:

- IBM Tivoli Access Manager for Operating Systems Installation Guide (SC23-4829-00)
- IBM Tivoli Access Manager for Operating Systems Administration Guide (SC23-4827-00)
- IBM Tivoli Access Manager for Operating Systems Problem Determination Guide (SC23-4828-00)
- IBM Tivoli Access Manager for Operating Systems Release Notes (GI11-0951-00)
- IBM Tivoli Access Manager for Operating Systems Read Me First (GI11-0949-00)

IBM Tivoli Identity Manager

IBM Tivoli Identity Manager Version 4.5, available as a separately orderable product, enables you to centrally manage users (such as user IDs and passwords) and provisioning (that is, providing or revoking access to applications, resources, or operating systems). Tivoli Identity Manager can be integrated with Tivoli Access Manager through the use of the Tivoli Access Manager Agent. Contact your IBM account representative for more information about purchasing the Agent.

Additional information about IBM Tivoli Identity Manager can be found at: http://www.ibm.com/software/tivoli/products/identity-mgr/

Accessing publications online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library: http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the library page. Then, locate and click the name of the product on the Tivoli software information center page. Product publications include release notes, installation guides, user's guides, administrator's guides, and developer's references.

Note: To ensure proper printing of PDF publications, select the Fit to page check box in the Adobe Acrobat Print window (which is available when you click File > Print).

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. With this product, you can use assistive technologies to hear and navigate the interface. You also can use the keyboard instead of the mouse to operate all features of the graphical user interface.


Contacting software support

Before contacting IBM Tivoli Software Support with a problem, refer to the IBM Tivoli Software Support site by clicking the Tivoli support link at the following Web site: http://www.ibm.com/software/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site: http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:

- Registration and eligibility requirements for receiving support
- Telephone numbers, depending on the country in which you are located
- A list of information you should gather before contacting customer support

Conventions used in this book

This reference uses several conventions for special terms and actions and for operating system-dependent commands and paths.

Typeface conventions

The following typeface conventions are used in this reference:

Bold
    Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, names of Java classes, and objects are in bold.
Italic
    Variables, titles of publications, and special words or phrases that are emphasized are in italic.
Monospace
    Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Operating system differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.


Chapter 1. pdadmin command line utility

The pdadmin command line utility is installed as part of the Tivoli Access Manager runtime package. Use this interface to manage access control lists, groups, servers, users, objects, and other resources in your secure domain. You can also automate certain management functions by writing scripts that use pdadmin commands.

Note that the Web Portal Manager interface, discussed in the IBM Tivoli Access Manager Base Administration Guide, enables you to perform similar administrative tasks remotely, without requiring any special network configuration. Many of these tasks can also be performed by using administration C API functions or administration Java class functions, discussed in the IBM Tivoli Access Manager for e-business Administration C API Developer Reference and the IBM Tivoli Access Manager for e-business Administration Java Classes Developer Reference, respectively.

pdadmin utility

USAGE:

    pdadmin [[-a admin_id [-p password] [-d domain | -m]] | -l] [-linelen max-linelen] [-v] [cmd | file]

-a admin_id
    Logs you in as the user admin_id. If you do not specify this option on the command line, you are considered unauthenticated, and your access to other commands is limited. Unauthenticated users can only use the context, errtext, exit, help, login, logout and quit commands.
-p password
    Specifies the password for the user admin_id. Using this option might expose your password to others because the password is visible on the screen and also in the process table. If you do not specify this option on the command line, you are prompted for a password. This option cannot be used unless the -a option is used.
-d domain
    Specifies the Tivoli Access Manager secure domain to log in to. Login to this domain requires authentication. The admin_id user specified must exist in this domain. For example: -d test_domain
-m
    Specifies that the login operation should be directed to the management domain. Login to this domain requires authentication. The admin_id user specified must exist in this domain. Users can run the pdadmin context show command to view their authentication information.
    Note: Only one of the following domain options can be specified: -d domain or -m. If neither option is specified, the target domain is the local domain configured for the system.
-l
    Specifies a local login operation. When modifications are made to local configuration files by using the pdadmin config commands, a local login is required before you can run commands.

© Copyright IBM Corp. 2001, 2003

-linelen max-linelen
    This option is currently ignored.
-v
    Prints out the version number of the pdadmin utility. If this option is specified, all other valid options are ignored. The following example is output you might see when you use this option:

        Tivoli Access Manager Administrative Tool v5.1.0 (Build 031030)
        Copyright (C) IBM Corporation 1994-2003. All Rights Reserved.

cmd|file
    Specifies a single pdadmin command to run (the cmd argument) or a path and file name containing a list of commands to execute (the file argument). The command or commands are executed one time, and pdadmin does not enter interactive mode. Only one of the following can be specified: cmd or file.

Command modes

You can use the pdadmin command line interface in one of the following three modes:

- Single command mode
- Interactive command mode
- Multiple command mode

These modes are described in the following sections.

Single command mode

To run a single pdadmin command from a command prompt, type the following:

    pdadmin [[-a admin_id [-p password] [-m | -d domain]] | -l] [-v] [cmd]

Where:

-a admin_id
    Logs you in as the user admin_id. If you do not specify this option on the command line, you are considered unauthenticated, and your access to other commands is limited. Unauthenticated users can only use the context, errtext, exit, help, login, logout and quit commands.
-p password
    Specifies the password for the user admin_id. Using this option might expose your password to others because the password is visible on the screen and also in the process table. If you do not specify this option on the command line, you are prompted for a password. This option cannot be used unless the -a option is used.
-m
    Specifies that the login operation should be directed to the management domain. The admin_id user must exist in this domain. For example, to log in as the user sec_master to the management domain (Default) and authenticate, enter (on one line) a command similar to the following:

        c:\> pdadmin -a sec_master -p secmstrpw -m pdadmin_command

-d domain
    Specifies the Tivoli Access Manager secure domain to log in to. The admin_id user must exist in this domain. For example, to log in as the user sec_master to another domain, domain01, and authenticate, enter (on one line) a command similar to the following:

        c:\> pdadmin -a sec_master -p secmstrpw -d domain01 pdadmin_command

-l
    Specifies a local login operation. A local login is required before you can run pdadmin config commands. For example, to log in locally and use a pdadmin configuration command, enter a command similar to the following:

        c:\> pdadmin -l config_command

-v
    Prints the version number of the pdadmin utility; all other options are ignored.
cmd
    Allows you to run a one-time command. For example, user chris is created if you type the following command, all on one line:

        c:\> pdadmin -a sec_master -p password user create chris cn=chris,o=tivoli,c=us chris chris chris1234

Notes:

- If you specify the admin_id (-a) and password (-p), you are logged in as that user. Using this method might expose your password to others. For example, if one user is using pdadmin with this command, and another user lists the processes that are running, the full command (including the password) might be visible to that user.
- If you do not specify the admin_id (-a) or the local login (-l) option, you are logged in as an unauthenticated user. Unauthenticated users can only use the context, errtext, exit, help, login, logout and quit commands.
- The admin_id user must exist in the domain.
- Only one of the following domain options can be specified: -d domain or -m. If neither option is specified, the target domain is the local domain configured for the system.
- If you specify the admin_id (-a) but do not specify a password (-p), you will be prompted for a password.
- Users can run the pdadmin context show command to view their authentication information.

Interactive command mode

To start pdadmin in interactive mode, type the pdadmin command. This starts pdadmin without any authentication, so your access to other pdadmin commands is limited to those available to unauthenticated users: context, errtext, exit, help, login, logout and quit.

    c:\> pdadmin
    pdadmin> limited_pdadmin_command

Once pdadmin has started, login authentication is required before you can use other pdadmin commands. You can be prompted for both the administrator ID and the password:

    c:\> pdadmin
    pdadmin> login
    Enter User ID: sec_master
    Enter Password: secmstrpw
    pdadmin sec_master> pdadmin_command

Or, you can be prompted for just the administrator password:

    c:\> pdadmin
    pdadmin> login -a sec_master
    Enter Password: secmstrpw
    pdadmin sec_master> pdadmin_command

Or, you can bypass being prompted, which is less secure because your password could be seen:

    c:\> pdadmin
    pdadmin> login -a sec_master -p secmstrpw
    pdadmin sec_master> pdadmin_command

To start pdadmin in interactive mode with a login for issuing local configuration commands, use the local login (pdadmin login -l) command. A local login enables you to use the config show or the config modify commands. For example:

    pdadmin login -l
    pdadmin local> config_command

To start pdadmin in interactive mode with a login to a domain (the management domain or another domain), use the login command with an ID, a password and a domain option. The ID and password are authenticated before access is permitted, and user privileges are verified before commands are allowed to be issued. For example, to log into the management domain (Default) and authenticate, type:

    pdadmin login -a admin_id -p password -m
    pdadmin sec_master@Default> pdadmin_command

For example, to log into another domain, domain01, and authenticate, type:

    pdadmin login -a sec_master -p secmstrpw -d domain01
    pdadmin sec_master@domain01> pdadmin_command

At the pdadmin prompt, type the appropriate commands and their associated options. The pdadmin prompt changes, depending on the type of login. See "Login and logout commands" on page 13 for additional information about the login command and prompt changes.

Note: In this release, the length of a command line used in pdadmin interactive mode is limited to 1023 characters.


Multiple command mode

You can create a file that contains multiple pdadmin commands, one per line, that together perform a complete task or series of tasks. Login commands can be included in the command file to switch between local and remote login as needed. To run the commands in this file, type the following:

    pdadmin [[-a admin_id [-p password] [-d domain | -m]] | -l] file

Note: Login commands can be included in the command file to switch, as needed, between the pdadmin login -l local login (where no authentication is required) and logins where authentication is required.

Where:

-a admin_id
    Logs you in as the user admin_id. If you do not specify this option on the command line, you are considered unauthenticated, and your access to other commands is limited. Unauthenticated users can only use the context, errtext, exit, help, login, logout and quit commands.
-p password
    Specifies the password for the user admin_id. Using this option might expose your password to others because the password is visible on the screen and also in the process table. If you do not specify this option on the command line, you are prompted for a password. This option cannot be used unless the -a option is used.
-d domain
    Specifies the Tivoli Access Manager secure domain to log in to. The admin_id user must exist in this domain.
-m
    Specifies that the login operation should be directed to the management domain. The admin_id user must exist in this domain.
-l
    Specifies a local login operation. A local login is required before you can run a pdadmin config command.
file
    Specifies the complete path and name of the file containing the pdadmin commands. A valid file name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set.
    Note: For Windows, file names cannot have these characters: a backward slash (\), a colon (:), a question mark (?), or double quotation marks.

Notes:

- If you specify the admin_id (-a) and password (-p), you are logged in as that user. Typing both the -a and -p options on the command line might expose your password to others. For example, if one user is using pdadmin with this command, and another user lists the processes that are running, the full command (including the password) might be visible to that user.
- If you do not specify the admin_id (-a), you are logged in as an unauthenticated user. Unauthenticated users can only use the context, errtext, exit, help, login, logout and quit commands.
- The admin_id user must exist in the domain.
- Only one of the following domain options can be specified: -d domain or -m. If neither option is specified, the target domain is the local domain configured for the system.
- If you specify the admin_id (-a), but do not specify a password (-p), you are prompted for a password one time before all the commands in the file are run.
- Users can run the pdadmin context show command to view their authentication information.
- In this release, the length of any command in an input command file used for pdadmin multiple command mode is limited to 299 characters. However, if the command file is redirected into the pdadmin command, the length of any command in the file is limited to 1023 characters.
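The rules above (the -a/-p/-d/-m/-l combinations, the commands an unauthenticated session may run, and the 299- versus 1023-character limits that depend on how the command file is fed to pdadmin) are easy to get wrong in an automation script. The following Python helper, an added example that is not part of the IBM documentation or the product, builds a pdadmin argv and a multiple-command-mode file while enforcing those rules. It deliberately has no way to emit -p, because a password on the command line is visible in the process table; the sample credentials, the file name cmds.text and all function names are this example's own.

```python
"""Build pdadmin command lines and command files for multiple command mode.

Added example, not part of the IBM Tivoli Access Manager documentation. It
encodes only rules stated on this page: -p requires -a; -d and -m are
mutually exclusive; without -a or -l the session is unauthenticated and may
run only context, errtext, exit, help, login, logout and quit; config
commands need a local login (-l); a command in a file passed as the file
argument may be at most 299 characters, while a command in a file redirected
into pdadmin (or typed interactively) may be at most 1023. All function and
variable names are this example's own.
"""
import os
import shlex
import tempfile

UNAUTHENTICATED_COMMANDS = {"context", "errtext", "exit", "help",
                            "login", "logout", "quit"}
MAX_LINE_FILE_ARGUMENT = 299   # file given as the `file` argument
MAX_LINE_REDIRECTED = 1023     # file redirected on stdin, or interactive mode


def pdadmin_argv(command=None, admin_id=None, domain=None, management=False,
                 local=False, command_file=None):
    """Return argv for one pdadmin run, or raise ValueError on a bad combination.

    There is deliberately no password parameter: a password passed with -p is
    visible in the process table, so this helper never emits -p. Let pdadmin
    prompt for it, or put a `login` line inside the command file instead.
    """
    if domain is not None and management:
        raise ValueError("only one of -d domain or -m may be specified")
    if local and (admin_id is not None or domain is not None or management):
        raise ValueError("-l is a local login and takes no -a, -d or -m")
    if command is not None and command_file is not None:
        raise ValueError("only one of cmd or file may be specified")
    if (domain is not None or management) and admin_id is None:
        raise ValueError("-d and -m need an admin_id (-a)")

    argv = ["pdadmin"]
    if admin_id is not None:
        argv += ["-a", admin_id]
        if domain is not None:
            argv += ["-d", domain]
        elif management:
            argv.append("-m")
    elif local:
        argv.append("-l")

    if command is not None:
        words = shlex.split(command)
        verb = words[0]
        if admin_id is None and not local and verb not in UNAUTHENTICATED_COMMANDS:
            raise ValueError(f"'{verb}' needs an authenticated (-a) or local (-l) login")
        if verb == "config" and not local:
            raise ValueError("config commands require a local login (-l)")
        argv += words
    elif command_file is not None:
        argv.append(command_file)
    return argv


def check_line_lengths(commands, redirected=False):
    """Return the limit that applies; raise ValueError on the first overlong command."""
    limit = MAX_LINE_REDIRECTED if redirected else MAX_LINE_FILE_ARGUMENT
    for number, line in enumerate(commands, start=1):
        if len(line) > limit:
            mode = "redirected" if redirected else "file-argument"
            raise ValueError(f"line {number}: {len(line)} chars exceeds the "
                             f"{limit}-char limit for {mode} mode")
    return limit


def write_command_file(commands, path, redirected=False):
    """Write one command per line, owner-read/write only.

    The file may carry a `login -a ... -p ...` line, so it must not be readable
    by other users (0o600 is honoured on UNIX; Windows only maps the read-only
    bit). Delete the file once pdadmin has consumed it. The text is written in
    the system locale encoding, which is what the file argument expects.
    """
    check_line_lengths(commands, redirected)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write("".join(line + "\n" for line in commands))
    return path


def demo():
    """Constructed sample: log in inside the file, create a user, show the context."""
    commands = [
        "login -a sec_master -p secmstrpw -d domain01",   # constructed credentials
        "user create chris cn=chris,o=tivoli,c=us chris chris chris1234",
        "context show",
        "logout",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = write_command_file(commands, os.path.join(tmp, "cmds.text"))
        with open(path) as fh:
            written = fh.read().splitlines()
    # The outer session is unauthenticated; the file's own login line logs in,
    # which is one of the commands an unauthenticated session may run.
    return {"argv": pdadmin_argv(command_file=path), "lines": written}


if __name__ == "__main__":
    print(demo())
```

Passing the file as an argument (rather than redirecting it) keeps each line to 299 characters; set redirected=True in write_command_file when you intend to run `pdadmin < cmds.text` and the 1023-character limit applies instead.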

pdadmin in a locale other than English

For Tivoli Access Manager software, you can specify localized behavior by setting the desired locale. Different operating systems often encode text in different ways. For example, Windows systems use SJIS (code page 932) for Japanese text while UNIX systems often use eucJP. The installation guide contains complete information about code pages and internationalization. However, be aware of the following issues when you are running the pdadmin utility in a non-English locale.

- On Windows systems, when you input commands to pdadmin through a command file argument, the command file must be encoded in the system's local (ANSI) code page. For example:

      C:> pdadmin -a sec_master -p password cmds.text

  You can determine the system's local code page by viewing the value of the Nls/CodePage/ACP key in the Windows registry. Files that are created by standard Windows editing tools (such as Notepad or Wordpad) are encoded in this way. On UNIX systems, you must run the pdadmin command in the same locale that was used to create the command file.

- On Windows systems, when you input commands to pdadmin by redirecting a command file, the command file must be encoded in a Microsoft Original Equipment Manufacturer (OEM) code page that corresponds to the active code page in the command window in which the pdadmin command will be run. For example:

      C:> pdadmin -a sec_master -p password < cmds.text

  The active code page can be determined by issuing the chcp command in the pdadmin command window. Alternatively, you can redirect a file that is encoded in the system's local code page, but you must change the command window's active code page to correspond to the file's encoding. Change the window's active code page by using the chcp command. For example, entering the command chcp 1252 changes the active code page to the ANSI code page for Western Europe and the United States. On UNIX systems, you must run the pdadmin command in the same locale that was used to create the redirected command file.

- On both Windows and UNIX systems, Tivoli Access Manager data that was created in one locale might not display correctly on a system that is configured to another locale. Whether data displays correctly depends on the second system's configuration (for example, what the current locale is, and whether or not the necessary code pages and fonts are installed).

Error handling for pdadmin commands

The pdadmin command has two return code values:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command displays a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Also see the pdadmin errtext command for an explanation of how you can use the message number that is associated with a message as input to display only the descriptive text.

Return codes for a single command

A single command is normally typed from a DOS command prompt, Korn shell prompt, C shell prompt, and so forth. Single command mode does not automatically display the 0 or 1 return code values; the operating system must be queried for the return code value. For command failures, the hexadecimal error code status with its associated error message is shown in addition to the error message ID (for example, HPDMG0754W). You can redirect the error that is normally displayed on the screen out to a text file.

When a single command fails, you see an error message similar to the following displayed:

    C:> pdadmin -a admin_id -p password user show oogle
    Could not perform the administration request.
    Error: HPDMG0754W The entry was not found. If ... (status 0x14c012f2)

To display the 0 or 1 return code values, you must type the pdadmin command, followed by either the UNIX echo or the Windows errorlevel command:

• For UNIX:

    # pdadmin_command
    # echo $?

• For Windows:

    C:>pdadmin_command
    C:>echo %errorlevel%

Chapter 1. pdadmin command line utility 7

Return codes for an interactive command

Interactive command mode does not automatically display the 0 or 1 return code values. Neither can you follow an interactive command with the UNIX echo nor the Windows errorlevel command. For a command failure, you see a message similar to:

    pdadmin sec_master> user show oogle
    Could not perform the administration request.
    Error: HPDMG0754W The entry was not found. If ... (status 0x14c012f2)

Only the hexadecimal exit status code is displayed.

Return codes for multiple commands

You can use a text file containing pdadmin commands to run those commands in a single pdadmin invocation. If an error occurs for any command while running the commands (multiple command mode), an error message for the failed command will be provided. Processing of the remaining commands in the file continues after an error. At the end of multiple command processing, a final status is provided. Note that the final status code at the termination of multiple command processing is only for the last command that was attempted. For example, if the last command was successful, the final status will be 0; if the last command failed, the final status will be 1.

For example, a text file might contain the following pdadmin commands:

    user show cwright
    user show oogle

To run the commands, run the following command:

    pdadmin -a admin_id -p password cmd_filename

The command file would produce results similar to the following:

    cmd> user show cwright
    Login ID: cwright
    LDAP DN: cn=Claude Wright,ou=Dallas,o=Tivoli,c=us
    LDAP CN: Claude Wright
    LDAP SN: Wright
    Description:
    Is SecUser: yes
    Is GSO user: no
    Account valid: yes
    Password valid: yes
    Authorization mechanism: Default:LDAP
    cmd:> user show oogle
    Could not perform the administration request.
    Error: HPDMG0754W The entry was not found. If ... (status 0x14c012f2)
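Because the final status of multiple command mode reflects only the last command, and single command mode only ever yields 0 or 1, a script that runs a command file has to read the per-command "(status 0x...)" lines to learn what actually failed. The following shell functions are an added example, not part of the reference: they parse that output format; the sample output is constructed to match the example above, and the invocation in the comment (errors merged into stdout with 2>&1) is an assumption.

```shell
#!/bin/sh
# Added example (not from the reference): find every failed command in
# pdadmin multiple-command-mode output. pdadmin's own exit status covers only
# the last command in the file, so the per-command "(status 0x...)" lines are
# the only complete record of what failed.

# Constructed sample output, modelled on the reference's "user show" example;
# it was not captured from a real policy server.
SAMPLE_OUTPUT='cmd> user show cwright
Login ID: cwright
LDAP DN: cn=Claude Wright,ou=Dallas,o=Tivoli,c=us
Account valid: yes
Password valid: yes
cmd:> user show oogle
Could not perform the administration request.
Error: HPDMG0754W The entry was not found. If ... (status 0x14c012f2)
cmd> user show cwright
Login ID: cwright'

# Read multiple-command output on stdin. For each failed command print one
# line: "<hex status> <message ID> <command>". The exit status is the number
# of failed commands, so 0 still means "everything succeeded".
# Assumed invocation (errors merged into stdout):
#   pdadmin -a admin_id -p password cmd_filename 2>&1 | pdadmin_failures
pdadmin_failures() {
    awk '
        # The echo of each command from the file starts with "cmd>" (the
        # reference also shows "cmd:>"); remember it as the current command.
        /^cmd:?> / { sub(/^cmd:?> /, ""); current = $0; next }
        # A failure line carries "(status 0x...)" and a message ID such as
        # HPDMG0754W.
        /\(status 0x[0-9a-fA-F]+\)/ {
            status = $0
            sub(/.*\(status /, "", status)
            sub(/\).*/, "", status)
            msgid = ""
            if (match($0, /HPD[A-Z]+[0-9]+[A-Z]/))
                msgid = substr($0, RSTART, RLENGTH)
            print status, msgid, current
            failures++
        }
        END { exit failures }
    '
}

# Number of failed commands in the constructed sample (prints "1").
sample_failure_count() {
    printf '%s\n' "$SAMPLE_OUTPUT" | pdadmin_failures | wc -l | tr -d ' '
}

# First failure line from the constructed sample.
sample_first_failure() {
    printf '%s\n' "$SAMPLE_OUTPUT" | pdadmin_failures | head -n 1
}

# Stand-alone demonstration: list the failures, then the count.
if printf '%s\n' "$SAMPLE_OUTPUT" | pdadmin_failures; then
    echo "all commands succeeded"
else
    echo "$? command(s) failed"
fi
```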

Local or other domain

Use the pdadmin command to authenticate your user ID and password before you log in to the local domain or to a domain other than the local domain.

To authenticate and log in to your local domain in interactive mode, type:

    pdadmin> login -a dlucas -p lucaspwd
    pdadmin dlucas>

where your user_name logs you in as the authenticated user dlucas to your own local domain.

To authenticate and log in in interactive mode to a domain with a name that is different from the local domain, type:

    pdadmin> login -a dlucas -p lucaspwd -d domain_a
    pdadmin dlucas@domain_a>

where your user_name logs you in as the authenticated user dlucas, and domain_a is the domain_name to which you want to log in.

Command option processing

Some pdadmin command options begin with a hyphen (-). For example, the following command uses the -gsouser option:

    pdadmin sec_master> user import -gsouser mlucaser cn=mlucaser,o=Tivoli,c=US

The pdadmin command interprets any token beginning with a hyphen as a command option, even if the hyphen is placed within double quotation marks. Occasionally, you might want a token that begins with a hyphen to be interpreted as an argument rather than as a command option. For example, you might want to name the user -mlucaser or "-mlucaser" by typing:

    pdadmin sec_master> user import -gsouser -mlucaser cn=mlucaser,o=tivoli,c=us

In this example, the first -gsouser option in the command is still processed. However, because the user name token begins with a hyphen, the user name would be interpreted as a command option. The command would fail because the -mlucaser command option does not exist.

You can specify the single hyphen character (-) on its own to turn off the pdadmin command's interpretation of the optional arguments. Following the single hyphen character, -mlucaser is now interpreted as the user name. For example:

    pdadmin sec_master> user import -gsouser - -mlucaser cn=mlucaser,o=Tivoli,c=us

Options on the command line are position-independent. You can change the order so that all tokens that begin with a hyphen, which are not command options, follow the single hyphen character.

Tivoli Access Manager pdadmin commands

This section lists Tivoli Access Manager pdadmin commands by category and by command name.

• “Access control list commands” on page 10
• “Action commands” on page 11
• “Authorization rule commands” on page 11
• “Context commands” on page 12
• “Domain commands” on page 12
• “Group commands” on page 12
• “Login and logout commands” on page 13
• “Object commands” on page 13
• “Object space commands” on page 13
• “Policy commands” on page 14
• “Protected object policy commands” on page 14
• “Resource commands” on page 14
• “Server commands” on page 15
• “User commands” on page 15

Access control list commands

Table 1 lists acl commands, which enable you to manage access control list (ACL) policies and extended attributes.

Table 1. Access control list (ACL) commands

Command       Description
acl attach    Attaches an ACL policy to a protected object. If the protected object already has an ACL attached, the ACL is replaced with a new one.
acl create    Creates an ACL policy in the ACL database. This command does not create ACL entries.
acl delete    Deletes an ACL policy from the ACL database.
acl detach    Detaches the current ACL policy from a protected object. This command does not delete the ACL policy from the ACL database.
acl find      Finds and lists all protected objects that have a specific ACL policy attached.
acl list      Lists the names of all defined ACLs. Also lists the extended attribute keys associated with a specific ACL.
acl modify    Modifies ACLs, their extended attributes, and associated values.
acl show      Lists the complete set of entries for a specific ACL policy. Also lists the values of a specific extended attribute associated with an ACL policy.

Action commands

Table 2 lists action commands, which are used to define additional authorization actions (ACL permissions) and action groups.

Table 2. Action commands

Command          Description
action create    Defines an action (permission) code in an action group. Also adds an action code to a specific extended action group.
action delete    Deletes an action code for an action group. Also defines a specific action group from which to delete an action.
action group     Creates, deletes, and lists ACL action groups.
action list      Lists all defined action codes for an action group.

Authorization rule commands

Table 3 lists authzrule commands, which are used to manage authorization rules.

Table 3. Authorization rule commands

Command            Description
authzrule attach   Attaches an authorization rule to the specified protected object.
authzrule create   Creates an authorization rule.
authzrule delete   Deletes an authorization rule.
authzrule detach   Detaches an authorization rule from the specified protected object.
authzrule find     Finds and lists all the protected objects that have the specified authorization rule attached.
authzrule list     Lists all of the registered authorization rules.
authzrule modify   Modifies an authorization rule.
authzrule show     Shows all of the attributes of an authorization rule, including description, rule text, and fail reason code.

Config commands

Table 5 on page 12 lists config commands that are configuration database commands. These commands modify the local configuration files.

Table 4. Config commands

Command         Description
config modify   Updates the Tivoli Access Manager server configuration files or any customized server configuration files.
config show     Shows the value associated with specified stanzas or keys in Tivoli Access Manager server configuration files or in customized server configuration files.

Context commands

Table 5 lists context commands, which are used to display the context (authentication) information for the user executing the pdadmin utility.

Table 5. Context commands

Command        Description
context show   Displays the user ID and domain ID used to establish the current context.

Domain commands

Table 6 lists domain commands, which are used to manage Tivoli Access Manager secure domains.

Table 6. Domain commands

Command         Description
domain create   Creates a Tivoli Access Manager secure domain.
domain delete   Deletes the specified Tivoli Access Manager secure domain, and optionally deletes the information about the domain from the user registry.
domain list     Lists all of the domains except for the management domain.
domain modify   Modifies the description of the specified domain.
domain show     Displays the specified attributes of the domain, including name and description.

Group commands

A group is a set of Tivoli Access Manager user accounts that have similar attributes. Groups allow you to use a group name in an access control list (ACL) instead of listing all users individually. When an LDAP-based user registry is used, group names are not case sensitive.

Table 7 lists group commands, which are used to manage Tivoli Access Manager groups.

Table 7. Group commands

Command        Description
group create   Creates a Tivoli Access Manager group.
group delete   Deletes the specified Tivoli Access Manager group and optionally deletes the information about the group from the user registry. ACL entries associated with the group are also deleted.
group import   Imports the information about an existing registry group to create a Tivoli Access Manager group.
group list     Generates a list of all groups, by group names, whose names match the specified pattern.
group modify   Changes an existing group by adding a description, or adding or removing a list of members.
group show     Displays details about a specified group.

Login and logout commands

Table 8 lists login and logout commands, which are used to log in to and log out of a Tivoli Access Manager secure domain.

Table 8. Login commands

Command   Description
login     Authenticates the user to the Tivoli Access Manager policy server as a given administrative identity in a given domain.
logout    Discards any authentication credentials that are in effect.

Object commands

Table 9 lists objects commands, which enable you to protect objects by attaching ACLs or protected object policy (POP).

Table 9. Object commands

Command              Description
object access        Confirms whether a specified access is permitted on the named protected object.
object create        Creates a protected object.
object delete        Deletes a protected object.
object exists        Confirms whether a protected object is located in either the policy database or in an objectspace that is managed by an administration service plug-in.
object list          Lists any objects grouped under the specified protected object. Also lists all the extended attributes associated with the specified protected object.
object listandshow   Lists any child objects grouped under the specified protected object and displays all values associated with each of those objects.
object modify        Modifies an existing object.
object show          Shows all values associated with a protected object.

Object space commands

Table 10 lists objectspace commands, which allow the creation of additional object spaces containing protected objects used by third-party applications.

Table 10. Objectspace commands

Command             Description
objectspace create  Creates a protected object space under which protected objects can be placed.
objectspace delete  Deletes an existing protected object space and all associated protected objects.
objectspace list    Lists all of the existing protected object spaces in the policy server.

Policy commands

Table 11 lists policy commands that are used to manage user password and account policies.

Table 11. Policy commands

Command      Description
policy get   Displays user password, account rules, and conditions.
policy set   Sets user password, account rules, and conditions.

Protected object policy commands

Table 12 lists pop commands, which allow the creation of a protected object policy (POP) and extended attributes for the protected object policies.

Table 12. Protected object policy (POP) commands

Command      Description
pop attach   Attaches a protected object policy to a specified protected object.
pop create   Creates a protected object policy.
pop delete   Deletes the specified protected object policy.
pop detach   Detaches a protected object policy from the specified protected object.
pop find     Finds and lists all protected objects that have protected object policies attached.
pop list     Lists all protected object policies that have been created.
pop modify   Modifies the protected object policy.
pop show     Shows details of the protected object policy.

Resource commands

Table 13 lists resource commands, which are used to manage resource-related information.

Table 13. Resource commands

Command             Description
rsrc create         Creates and names a server as a resource.
rsrc delete         Deletes the specified single signon resource.
rsrc list           Returns a list of all the single signon resource names.
rsrc show           Displays the resource information for the named resource.
rsrccred create     Creates and names a resource credential.
rsrccred delete     Deletes only the resource credential information for an existing user.
rsrccred list user  Displays the names of all defined resources and their type for the specified user.
rsrccred modify     Changes the user ID and password resource credential information for the named resource.
rsrccred show       Displays the resource credential information for a specified user.
rsrcgroup create    Creates and names a resource group.

Table 13. Resource commands (continued)

Command            Description
rsrcgroup delete   Deletes the named resource group, including any description information.
rsrcgroup list     Displays the names of all resource groups defined in the user registry.
rsrcgroup modify   Adds or removes a single signon resource to or from a single signon resource group.
rsrcgroup show     Displays the resource group information for the specified resource group.

Server commands

Table 14 lists server commands and the admin show configuration command, which perform management tasks on Tivoli Access Manager servers.

Table 14. Server commands

Command            Description
admin show conf    Displays current policy server configuration information.
server list        Lists all registered servers.
server listtasks   Retrieves the list of tasks (commands) available for this server.
server replicate   Notifies authorization servers to receive database updates.
server show        Displays the specified properties of the server.
server task        Sends the specified command to the specified server. WebSEAL-specific options are also included.

User commands

Table 15 lists user commands, which are used to manage Tivoli Access Manager users.

Table 15. User commands

Command       Description
user create   Creates a Tivoli Access Manager user account.
user delete   Deletes a Tivoli Access Manager user and optionally deletes the user information from the user registry. ACL entries associated with the user are also deleted.
user import   Imports the information about an existing registry user to create a Tivoli Access Manager user.
user list     Generates a list of all users whose names match the specified pattern, listed by user names.
user modify   Modifies various user account parameters.
user show     Displays details about a specified user.

acl attach

Attaches an ACL policy to a protected object. If the protected object already has an ACL attached, the ACL is replaced with a new one.

Requires authentication (administrator ID and password) to use this command.

Syntax

    acl attach object_name acl_name

Options

object_name
    Specifies the object to which to apply the named ACL policy. The object name must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

acl_name
    Specifies the ACL policy that is applied to the named object. The ACL policy must exist, or an error is displayed. Examples: default-root, test, default-management, pubs_acl3

Description

At most, one ACL can be attached to a given protected object. The same ACL can be attached to multiple protected objects. Ensure that you are familiar with ACL management before using this function.

Examples

The following example attaches the ACL policy pubs_acl3 to the protected object /Management.

    pdadmin sec_master> acl attach /Management pubs_acl3

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

acl create
acl detach

acl create

Creates an ACL policy in the ACL database. Note that this command does not create ACL entries.

Requires authentication (administrator ID and password) to use this command.

Syntax

    acl create acl_name

Options

acl_name
    Specifies the name of the ACL policy being created. A valid ACL policy name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. The following characters cannot be used in the name of the ACL policy: ! " # & ( ) * + , ; : < > = @ / \ | . Examples: default-root, test, default-management, and pubs_acl3
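A pre-flight check for the naming rules above, useful when ACL names are generated into a command file for multiple command mode; this is an added shell example, not code from the reference, and the candidate names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the reference): check a candidate ACL policy name
# against the naming rules given for acl create before writing the
# "acl create" line into a pdadmin command file.

# Return 0 when NAME is acceptable, 1 otherwise. Rejects the empty string,
# any whitespace, and each character the reference lists as forbidden:
#   ! " # & ( ) * + , ; : < > = @ / \ | .
# Hyphen and underscore are accepted, as in the reference's own examples
# (default-root, pubs_acl3).
acl_name_valid() {
    name=$1
    [ -n "$name" ] || return 1
    case $name in
        *[[:space:]]*) return 1 ;;
        *'!'*|*'"'*|*'#'*|*'&'*|*'('*|*')'*|*'*'*|*'+'*|*','*|*';'*|\
        *':'*|*'<'*|*'>'*|*'='*|*'@'*|*'/'*|*'\'*|*'|'*|*'.'*) return 1 ;;
    esac
    return 0
}

# Print an "acl create <name>" line for every acceptable name given as an
# argument (one per line, ready for pdadmin multiple command mode); report
# rejected names on stderr and return 1 if any were rejected.
build_acl_cmdfile() {
    rejected=0
    for candidate in "$@"; do
        if acl_name_valid "$candidate"; then
            printf 'acl create %s\n' "$candidate"
        else
            printf 'rejected ACL name: %s\n' "$candidate" >&2
            rejected=$((rejected + 1))
        fi
    done
    [ "$rejected" -eq 0 ]
}

# Stand-alone demonstration with constructed candidate names.
build_acl_cmdfile pubs_acl3 Test-ACL 'pubs acl' 'dept/finance' 'web.acl' \
    || echo "some names were rejected; fix them before running pdadmin"
```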

Examples

1. The following example creates a new ACL policy named pubs_acl3:

    pdadmin sec_master> acl create pubs_acl3

2. The following example creates a new ACL policy named Test-ACL:

    pdadmin sec_master> acl create Test-ACL

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

acl attach
acl delete
acl modify

acl delete

Deletes an ACL policy from the ACL database.

Requires authentication (administrator ID and password) to use this command.

Syntax

    acl delete acl_name

Options

acl_name
    Specifies the name of the ACL policy being deleted from the ACL database. The ACL policy must exist, or an error is displayed. Examples: default-root, test, default-management, and pubs_acl3

Examples

1. The following example deletes the ACL policy named pubs_acl3:

    pdadmin sec_master> acl delete pubs_acl3

2. The following example deletes the ACL policy named Test-ACL:

    pdadmin sec_master> acl delete Test-ACL

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

acl detach

acl detach

Detaches the current ACL policy from a protected object. Note that this command does not delete the ACL policy from the ACL database.

Requires authentication (administrator ID and password) to use this command.

Syntax

    acl detach object_name

Options

object_name
    Specifies the object from which the current ACL policy is being removed. The object must exist and have an ACL attached, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

Description

Only one access control list at a time can be attached to an object. Therefore, the currently attached access control list is detached. If the object does not have an ACL policy attached, an error will be displayed.

Examples

The following example detaches the ACL from the protected object /Management.

    pdadmin sec_master> acl detach /Management

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

acl attach
acl delete
acl modify

acl find

Returns a list of protected objects, which have the specified ACL attached.

Requires authentication (administrator ID and password) to use this command.

Syntax

    acl find acl_name

Options

acl_name
    Specifies the name of the ACL policy that you want to find. The ACL policy must exist, or an error is displayed. Examples: default-root, test, default-management, and pubs_acl3

Description

A user must have the browse (b) and view (v) permissions for the object to be listed when the pdadmin object show command is issued. Otherwise, an error is returned: The user is not authorized to view one or more protected objects where the requested acl is attached.

Examples

1. The following example lists the protected object that has the default-config ACL attached:

    pdadmin sec_master> acl find default-config

   Provides output similar to:

    /Management/Config

2. The following example, entered on one line, lists the protected objects that have the user-defined ACL _WebAppServer_deployedResources_CosNamingDelete_admin_ACL attached:

    pdadmin sec_master> acl find _WebAppServer_deployedResources_CosNamingDelete_admin_ACL

   Provides output similar to:

    /WebAppServer/deployedResources/CosNamingDelete/admin

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

acl list
acl show

acl list

Lists the names of all defined access control lists. Alternatively, lists the extended attribute keys associated with a specific ACL.

Requires authentication (administrator ID and password) to use this command.

Syntax

    acl list [acl_name attribute]

Options

acl_name
    Specifies the ACL policy for which to list the attributes. The ACL policy must exist, or an error is displayed. Examples: default-root, test, default-management and pubs_acl3

Examples

The following example lists ACL policies:

    pdadmin sec_master> acl list

Output is similar to the following:

    default-webseal
    default-root
    test
    default-replica
    default-management

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

acl find
acl show

acl modify
Modifies access control list (ACL) policies.
Requires authentication (administrator ID and password) to use this command.
Syntax
acl modify acl_name delete attribute attribute_name [attribute_value]
acl modify acl_name description description
acl modify acl_name remove any-other
acl modify acl_name remove group group_name
acl modify acl_name remove unauthenticated
acl modify acl_name remove user user_name
acl modify acl_name set any-other [permissions]
acl modify acl_name set attribute attribute_name attribute_value
acl modify acl_name set description description
acl modify acl_name set group group_name [permissions]
acl modify acl_name set unauthenticated [permissions]
acl modify acl_name set user user_name [permissions]
Options
acl_name
Specifies the ACL policy that you want to modify. The ACL policy must exist, or an error is displayed. Examples: default-root, test, default-management, and pubs_acl3
delete attribute attribute_name [attribute_value]
Deletes the specified extended attribute name and value from the specified ACL. The attribute must exist, or an error is displayed. The optional attribute_value deletes the specified value from the specified extended attribute key in the specified ACL. Examples of extended attribute names and values: Dept_No 445, Employee_Name "Diana Lucas"

22 IBM Tivoli Access Manager for e-business: Command Reference

description description
Sets or modifies the description for the specified ACL. This option is equivalent to the acl modify set description command. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "Department number of employee"
remove any-other
Removes the ACL entry for the any-other user category from the specified ACL.
remove group group_name
Removes the ACL entry for the specified group from the specified ACL. The group must exist, or an error is displayed. Examples of group names: Credit, Sales, Test-group
remove unauthenticated
Removes the ACL entry for the unauthenticated user category from the specified ACL.
remove user user_name
Removes the ACL entry for the specified user from the specified ACL. The user must exist, or an error is displayed. Examples of user names: dlucas, sec_master, and "Mary Jones"
set any-other [permissions]
Sets or modifies the ACL entry for the any-other user category in the ACL. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). Tivoli Access Manager uses a default set of actions (referred to as primary action tasks and permissions) that cover a wide range of operations. You can also create your own action tasks and permissions. Primary permissions and procedures for entering custom permissions into ACL entries are discussed in the IBM Tivoli Access Manager Base Administration Guide. A complete list of primary action tasks and their associated permissions includes:
T Traverse Base
c Control Base
g Delegation Base
m Modify Generic
d Delete Generic
b Browse Base
s Server Admin Generic
v View Generic
a Attach Base
B Bypass POP Base
t Trace Base
r Read WebSEAL
x Execute WebSEAL
l List Directory WebSEAL


N Create Base
W Password Base
A Add Base
R Bypass AuthzRule Base

set attribute attribute_name attribute_value
Sets the extended attribute value for the specified extended attribute key in the specified ACL. The attribute must exist, or an error is displayed. If the attribute already exists, the attribute value is added as an additional value if the same value does not exist for this attribute. If the same value exists for this attribute, it does not get added again (duplicate values are not allowed), and no error is returned. The optional attribute_value deletes the specified value from the specified extended attribute key in the specified ACL. Examples of extended attribute names and values: Dept_No 445, Employee_name "Diana Lucas"
set description description
Sets or modifies the description for the specified ACL. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "Department number of employee"
set group group_name [permissions]
Sets or modifies the ACL entry for the specified group in the specified ACL. The group must exist, or an error is displayed. Examples of group names: Credit, Sales, Test-group
Tivoli Access Manager uses a default set of actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See the option set any-other [permissions] for the list of possible permissions.
set unauthenticated [permissions]
Sets or modifies the ACL entry for the unauthenticated user category in the specified ACL. Tivoli Access Manager uses a default set of actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See the option set any-other [permissions] for examples of permissions.
set user user_name [permissions]
Sets the permissions (actions) that the specified user is permitted to perform. The user must exist, or an error is displayed. Examples of user names: dlucas, sec_master, and "Mary Jones"
Tivoli Access Manager uses a default set of actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). See the option set any-other [permissions] for examples of permissions.


Examples
1. The following example sets the any-other user entry in the pubs ACL to have r, the Read (WebSEAL) permission:
pdadmin sec_master> acl modify pubs set any-other r
2. The following example sets the sales group entry in the pubs ACL to have the Tr permissions, which are the Traverse and Read (Base) permissions:
pdadmin sec_master> acl modify pubs set group sales Tr
3. The following example sets the unauthenticated user entry in the docs ACL to have the r permission, which is the Read (WebSEAL) permission:
pdadmin sec_master> acl modify docs set unauthenticated r
4. The following example sets the peter user entry in the pubs ACL to have the Tr permissions, which are the Traverse (Base) and Read (WebSEAL) permissions:
pdadmin sec_master> acl modify pubs set user peter Tr
5. The following example sets the kathy user entry in the test ACL to have Tbr permissions, which are the Traverse (Base), Browse (Base) and Read (WebSEAL) permissions. It also sets custom permissions PS for the existing test-group action group. It then displays the results.
pdadmin sec_master> acl modify test set user kathy Tbr[test-group]PS
pdadmin sec_master> acl show test
ACL Name: test
Description:
Entries:
User sec_master TcmdbsvaBl
Group ivmgrd-servers Tl
Any-other r
User kathy Tbr[test-group]PS
6. The following example sets the kathy user entry in the test ACL to have Tbr permissions, which are the Traverse (Base), Browse (Base), and Read (WebSEAL) permissions. It then displays the results.
pdadmin sec_master> acl modify test set user kathy Tbr
pdadmin sec_master> acl show test
ACL Name: test
Description:
Entries:
User sec_master TcmdbsvaBl
Group ivmgrd-servers Tl
Any-other r
User kathy Tbr

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


See also
acl attach
acl create


acl show
Lists the complete set of entries for a specific access control list (ACL) policy. Alternatively, lists the values of a specific extended attribute associated with an ACL policy.
Requires authentication (administrator ID and password) to use this command.
Syntax
acl show acl_name [attribute attribute_name]
Options
acl_name
Specifies the access control list whose entries (or extended attribute values) are displayed. The ACL policy must exist, or an error is displayed. Examples: default-root, test, default-management, and pubs_acl3
attribute attribute_name
Specifies the name of the extended attribute whose values are displayed. The attribute must exist, or an error is displayed. Examples of extended attribute names: Dept_No and Employee_Name
Examples
The following example shows details of ACL test-acl:
pdadmin sec_master> acl show test-acl
ACL Name: test-acl
Description:
Entries:
User sec_master Tcmdbva
Group ivmgrd-servers Tl
Any other r

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
acl find
acl list


action create
Defines an action code (permission) in a specified action group or the primary action group.
Requires authentication (administrator ID and password) to use this command.
Syntax
action create action_name action_label action_type [action_group_name]
Options
action_name
Specifies the new single-character permission being created, which can be specified using any case. Tivoli Access Manager uses a default set of actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). For example, k is the action name in the following example: k time Ext-Authzn
action_label
Specifies the label or description for the action. Each default permission is displayed with a label describing the operation it governs. In addition, the ACLs are grouped according to their use in a particular part of the object space (such as WebSEAL) or their use across the entire object space (Base, Generic). For example, time is the action label in the following example: k time Ext-Authzn
A valid action label is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. Examples of action labels: time, Generic, Base, and WebSEAL
action_type
Specifies the organizational category for this action within a given action group. The action type can be a description of the action, such as what application the action is specific to. The action type is application-specific and typically refers to the application that defined the action (such as WebSEAL) or the function that uses the action (such as Ext-Authzn for extended authorization checks). A valid action type is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. For example, Ext-Authzn is the action type in the following example: k time Ext-Authzn
action_group_name
Specifies the action group to which the action code is to be added. If no action_group_name is specified, the action will be added to the primary action group. Supports a maximum of 32 action groups. Examples of action group names: primary and test-group


Description
Action codes (permissions) consist of one alphabetic character (a-z or A-Z) and are case-sensitive. Each action code can be used only once within an action group. Ensure that you do not attempt to redefine the default action codes when adding custom codes to the primary group.
Examples
1. The following example creates an action code named k with an action label of time and an action type of Ext-Authzn within the primary action group:
pdadmin sec_master> action create k time Ext-Authzn
2. The following example creates a customized action named P and an action label of Test-Action with an action type of Special within an action group named test-group:
pdadmin sec_master> action create P Test-Action Special test-group
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
action delete


action delete
Deletes an action (permission) code from an action group.
Requires authentication (administrator ID and password) to use this command.
Syntax
action delete action_name [action_group_name]
Options
action_name
Specifies the name of the action to be deleted. The action code must exist, or an error is displayed. Tivoli Access Manager uses a default set of actions that cover a wide range of operations. Valid actions, or permissions, are represented by single alphabetic ASCII characters (a-z, A-Z). For example, k is the action name in the following example: k time Ext-Authzn
action_group_name
Specifies the name of the action group from which the specified action needs to be deleted. Examples of action group names: primary and test-group
Examples
1. The following example deletes action k from the primary action group:
pdadmin sec_master> action delete k
2. The following example deletes the action z from the action group agz:
pdadmin sec_master> action delete z agz
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
action create


action group
Creates, deletes, and lists ACL action groups.
Requires authentication (administrator ID and password) to use this command.
Syntax
action group {create action_group_name | delete action_group_name | list}
Options
create action_group_name
Specifies the name of the action group to create. Supports a maximum of 32 action groups. The action group must not already exist, or an error is displayed. A valid action group name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. Examples of action group names: primary and test-group
delete action_group_name
Specifies the name of the action group to delete. All of the actions that belong to the specified group are also deleted. The action group must exist, or an error is displayed. Examples of action group names: primary and test-group
list
Lists all the defined action group names.
Examples
1. The following example lists the names of all defined action groups:
pdadmin sec_master> action group list
primary
test-group
2. The following example creates an action group test:
pdadmin sec_master> action group create test
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


action list
Lists all the defined action (permission) codes from an action group.
Requires authentication (administrator ID and password) to use this command.
Syntax
action list [action_group_name]
Options
action_group_name
Specifies the name of the action group for which all actions are displayed. If this option is not specified, actions defined in the primary action group will be listed. The action group must exist, or an error is displayed. Examples of action group names: primary and test-group
Examples
The following example displays all existing actions in the primary action group:
pdadmin sec_master> action list
T Traverse Base
c Control Base
g Delegation Base
m Modify Generic
d Delete Generic
b Browse Base
s Server Admin Generic
v View Generic
a Attach Base
B Bypass POP Base
t Trace Base
r Read WebSEAL
x Execute WebSEAL
l List Directory WebSEAL
N Create Base
W Password Base
A Add Base
R Bypass AuthzRule Base
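As an added example (not IBM's code), the following Python checks offline the permission-string grammar described under set any-other and used in acl modify example 5 (Tbr[test-group]PS), the action-code rules stated under action create, and the entry lines of acl show output, using the action list and acl show listings from this page. The S action in test-group and the anonymous_ok allow-set are assumptions.

```python
"""Added example, not IBM's code: check pdadmin permission strings, action codes
and `acl show` entries offline. Listings are constructed from this page's text."""
import re
# `action list` output for the primary group as printed on this page ("<code> <label...> <type>").
PRIMARY_ACTION_LIST = """\
T Traverse Base
c Control Base
g Delegation Base
m Modify Generic
d Delete Generic
b Browse Base
s Server Admin Generic
v View Generic
a Attach Base
B Bypass POP Base
t Trace Base
r Read WebSEAL
x Execute WebSEAL
l List Directory WebSEAL
N Create Base
W Password Base
A Add Base
R Bypass AuthzRule Base"""
# Constructed listing for test-group: P is created on this page, S is assumed.
TEST_GROUP_ACTION_LIST = "P Test-Action Special\nS Special-Action Special"

def parse_action_list(text):
    """Map each single-character action code to (label, type)."""
    actions = {}
    for line in text.splitlines():
        parts = line.split()
        actions[parts[0]] = (" ".join(parts[1:-1]), parts[-1])
    return actions

# Grammar of `acl modify ... set` permissions: primary codes, then "[group]codes" segments.
_TOKEN = re.compile(r"\[([^\]]*)\]|([A-Za-z])|(.)")

def parse_permissions(perm):
    """Split e.g. Tbr[test-group]PS into {action_group: codes}; reject junk."""
    groups, current = {"primary": ""}, "primary"
    for group, code, bad in _TOKEN.findall(perm):
        if bad:
            raise ValueError(f"invalid character {bad!r} in {perm!r}")
        if code:
            groups[current] += code
        else:
            if not group:
                raise ValueError(f"empty action group name in {perm!r}")
            current = group
            groups.setdefault(current, "")
    return groups

def validate_permissions(perm, action_groups):
    """Return problems found; [] means every code is defined (case-sensitive)."""
    problems = []
    for group, codes in parse_permissions(perm).items():
        if group not in action_groups:
            problems.append(f"unknown action group {group!r}")
            continue
        problems += [f"{c!r} is not defined in action group {group!r}"
                     for c in codes if c not in action_groups[group]]
    return problems

def check_new_action(code, group, action_groups):
    """Pre-flight `action create`: one ASCII letter, unused in the group (guards defaults too)."""
    if not re.fullmatch(r"[A-Za-z]", code):
        return f"{code!r} is not a single alphabetic ASCII character"
    if code in action_groups.get(group, {}):
        return f"{code!r} already defined in {group!r} as {action_groups[group][code][0]}"
    return None

def audit_acl_show(acl_text, action_groups, anonymous_ok="Tr"):
    """Parse `acl show` output; flag undefined codes and anonymous grants beyond anonymous_ok."""
    findings, in_entries = [], False
    for line in acl_text.splitlines():
        if line.strip() == "Entries:":
            in_entries = True
            continue
        parts = line.split()  # "User <name> <perms>", "Group <name> <perms>", "Any-other <perms>"
        if not in_entries or not parts:
            continue
        who, perm = " ".join(parts[:-1]), parts[-1]
        findings += [f"{who}: {p}" for p in validate_permissions(perm, action_groups)]
        if parts[0].lower() in ("any-other", "any", "unauthenticated"):
            extra = "".join(c for c in parse_permissions(perm)["primary"] if c not in anonymous_ok)
            if extra:
                findings.append(f"{who}: grants {extra} to anonymous users")
    return findings

ACTION_GROUPS = {"primary": parse_action_list(PRIMARY_ACTION_LIST),
                 "test-group": parse_action_list(TEST_GROUP_ACTION_LIST)}
# `acl show test` output from example 5 under `acl modify` on this page.
ACL_SHOW_TEST = """\
ACL Name: test
Description:
Entries:
User sec_master TcmdbsvaBl
Group ivmgrd-servers Tl
Any-other r
User kathy Tbr[test-group]PS"""
```

Run validate_permissions before issuing an acl modify and check_new_action before an action create; audit_acl_show over saved acl show output lists every entry whose codes are undefined or that widens anonymous access past anonymous_ok.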

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


admin show conf
Displays the current policy server configuration information, such as the type of registry or whether global signon is enabled.
Requires authentication (administrator ID and password) to use this command.
Syntax
admin show conf
Options
None.
Examples
The following example displays the current server configuration information:
pdadmin sec_master> admin show conf
LDAP: yes
secAuthority GSO: yes
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


authzrule attach
Attaches an authorization rule to the specified protected object.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule attach protobjid ruleid
Options
protobjid
Specifies the fully-qualified name of the protected object to which the authorization rule is attached. The object must exist, or an error is displayed.
ruleid
Specifies the name of the authorization rule to attach. The rule must exist, or an error is displayed.
Description
At most, one rule can be attached to a given protected object. If the object already has a rule attached to it, the specified rule replaces the existing one. The same rule can be attached to multiple protected objects. Ensure that the protected object exists in the protected object space before attempting to attach a rule.
Examples
The following example attaches a rule named r1 to a protected object named /Test-Space/folder1:
pdadmin sec_master> authzrule attach /Test-Space/folder1 r1
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
authzrule create
authzrule detach


authzrule create
Creates an authorization rule.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule create ruleid {-rulefile filename | ruletext} [-desc description] [-failreason failreason]
Options
ruleid
Specifies the name of the authorization rule to create. A valid authorization rule name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. The following characters cannot be used in the name of an authorization rule: ! " # & ( ) * + , ; : < > = @ / \ | .
-rulefile filename
Specifies the file from which to read the XSL rule text. The rule file must exist, or an error is displayed.
ruletext
Specifies the rule policy used to evaluate the rule in XSL format. The rule must be enclosed in double quotation marks ("). If the rule specifies a double quotation mark as part of the rule text, escape the double quotation mark by preceding it with a backslash (\).
-desc description
Specifies the description of the authorization rule. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "time-of-day rule for engineering object space"
-failreason failreason
Specifies the message that is returned if the rule denies access to a protected object. If authorization is denied as a result of this rule's evaluation, but other authorization checks succeed, this reason code is returned to the application making the authorization check.


Description
An authorization rule can be attached to a protected object, and user credential and application context attributes can be compared against the rule for authorizing access to the protected object.
Note: Quotes within an authorization rule need to be escaped using the backslash (\) when entering the rule without using the -rulefile option.
Examples
The following example creates a rule named r1 with a rule file named r1.xsl that implements the time-of-day rule for the marketing object space and returns a fail reason code:
pdadmin sec_master> authzrule create r1 -rulefile r1.xsl -desc "time-of-day rule for engineering object space" -failreason "An error occurred during r1 creation"
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
authzrule attach
authzrule delete


authzrule delete
Deletes an authorization rule.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule delete ruleid
Options
ruleid
Specifies the name of the authorization rule to delete. The authorization rule must exist, or an error is displayed.
Examples
The following example deletes a rule named eng-test:
pdadmin sec_master> authzrule delete eng-test
The following example deletes a rule named myRule:
pdadmin sec_master> authzrule delete myRule
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
authzrule create
authzrule detach


authzrule detach
Detaches an authorization rule from the specified protected object.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule detach protobjid
Options
protobjid
Specifies the name of the protected object from which the authorization rule is detached. The object must exist and have an authorization rule attached, or an error is displayed.
Examples
The following example detaches a rule from a protected object named /WebSEAL/tivoli.com/w3junction/index.html:
pdadmin sec_master> authzrule detach /WebSEAL/tivoli.com/w3junction/index.html
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
authzrule attach
authzrule delete


authzrule find
Finds and lists all protected objects that have the specified authorization rule attached.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule find ruleid
Options
ruleid
Specifies the name of the authorization rule to find. The authorization rule must exist, or an error is displayed.
Description
A user must have the browse (b) and view (v) permissions for the object to be listed when the pdadmin object show command is issued. Otherwise, an error is returned: The user is not authorized to view one or more protected objects where the requested authzrule is attached.
Examples
The following example finds protected objects attached to a rule named r2:
pdadmin sec_master> authzrule find r2
/Marketing/Folder1
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
authzrule list


authzrule list
Lists all of the authorization rules.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule list
Options
None.
Examples
The following example lists authorization rules:
pdadmin sec_master> authzrule list
r1
r2
r3
r4
Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
See also
authzrule find


authzrule modify
Changes an authorization rule.
Requires authentication (administrator ID and password) to use this command.
Syntax
authzrule modify ruleid [ruletext [-rulefile] {filename | ruletext}] [description description] [failreason failreason]
Options
ruleid
Specifies the name of the authorization rule to change. The authorization rule must exist, or an error is displayed.
ruletext
Specifies the new rule text in XSL format. Do not use the -rulefile option when specifying rule text directly.
-rulefile filename
Specifies the file from which to read the XSL rule text. The -rulefile option must be used when specifying a file that contains the rule text. A valid file name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set.
description description
Specifies the new description of the rule. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "time-of-day access"
failreason failreason
Specifies the fail reason code. If authorization is denied as a result of this rule's evaluation, but other authorization checks succeed, this reason code will be returned to the application making the authorization check. You can specify an empty string ("") to clear an existing fail reason.
Examples
The following example changes the description of a rule named r2:
pdadmin sec_master> authzrule modify r2 description "time-of-day access"

Chapter

1.

pdadmin

command

line

utility

41

Return

codes

The

following

exit

status

codes

can

be

returned:

0

The

command

completed

successfully.

1

The

command

failed.

When

a

command

fails,

the

pdadmin

command

provides

a

description

of

the

error

and

an

error

status

code

in

hexadecimal

format

(for

example,

0x14c012f2).

Refer

to

the

IBM

Tivoli

Access

Manager

Error

Message

Reference.

This

reference

provides

a

list

of

the

Tivoli

Access

Manager

error

messages

by

decimal

or

hexadecimal

codes.

See

also

authzrule

attach

authzrule

create

42

IBM

Tivoli

Access

Manager

for

e-business:

Command

Reference

authzrule show

Shows all of the attributes of an authorization rule, including description, rule text, and fail reason code. Requires authentication (administrator ID and password) to use this command.

Syntax

    authzrule show ruleid

Options

ruleid
    Specifies the name of the authorization rule to show. The rule must exist, or an error is displayed.

Examples

The following example shows attributes for a rule named r2:

    pdadmin sec_master> authzrule show r2

Output is similar to the following:

    Authorization Rule Name: r2
    Description: time-of-day access
    Rule Text:
    <xsl:if test="/XMLADI/session[contains(status,'login')]">
      <xsl:for-each select="/XMLADI/userid/level">
        <xsl:if test=". = 'administrator'">
          <xsl:choose>
            <xsl:when test="../paid = 'in-full'">
              !TRUE!
            </xsl:when>
            <xsl:when test="../paid = 'partial'">
              !FALSE!
            </xsl:when>
            <xsl:when test="../paid = 'introductory'">
              !TRUE!
            </xsl:when>
            <xsl:otherwise>
              !FALSE!
            </xsl:otherwise>
          </xsl:choose>
        </xsl:if>
      </xsl:for-each>
    </xsl:if>
    Fail Reason: Error when creating R2

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

authzrule find
authzrule list

config modify

Updates the Tivoli Access Manager server configuration files or any customized server configuration files. Requires a local login for all options except the svrpassword option. No authentication is required except for the svrpassword option, which requires authentication (administrator ID and password).

Syntax

    config modify svrpassword config_file password
    config modify keyvalue set [-obfuscate] config_file stanza key value
    config modify keyvalue append [-obfuscate] config_file stanza key value
    config modify keyvalue remove config_file stanza key value
    config modify keyvalue remove config_file stanza key

Options

svrpassword config_file password
    Sets the server user account's password by updating the server's user account password in the registry and in the specified local configuration. The user must have the necessary Tivoli Access Manager ACL policy and the Password Base (W) action set as well as the necessary operating system permissions to modify the configuration file or the database. The server password is obfuscated in the configuration file. The password is the password for the application server. The password must be specified; it cannot be an empty string. The user must have performed a remote login (using login, login -d, or login -m) to execute this command.

keyvalue set [-obfuscate]
    Sets the key and corresponding values in the specified configuration file stanza, and optionally indicates that the key should be placed in the obfuscated configuration file. The user must have performed a local login (login -l) to run this command.

keyvalue append [-obfuscate]
    Adds input values to any existing values for the key for the specified configuration file stanza, or appends the key or value to the obfuscated configuration database. Duplicate values are ignored. If you specify the -obfuscate flag and non-obfuscated data already exists for the key, an error will be displayed. Similarly, if you do not specify the -obfuscate flag and obfuscated data already exists for the key, the same error will be displayed. Configuration data for a specified stanza and key can exist only in non-obfuscated or obfuscated form, but cannot exist in both. The user must have performed a local login (login -l) to run this command.

keyvalue remove [-obfuscate]
    Removes key values from the specified configuration file or obfuscated configuration file. If the value parameter is omitted, the specified key will be deleted. The user must have performed a local login (login -l) to run this command.

config_file
    Specifies the Tivoli Access Manager or custom configuration file to use. Unless the configuration file is in the current directory, the configuration file name must be a fully qualified path name. The necessary operating system permissions are required to read and update the configuration file. Valid values for Tivoli Access Manager keys are documented in the IBM Tivoli Access Manager Base Administration Guide.

stanza
    Specifies the name of a Tivoli Access Manager or custom stanza that contains the input key. A valid stanza name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Valid Tivoli Access Manager stanzas are documented in the IBM Tivoli Access Manager Base Administration Guide.

key
    Specifies the name of the Tivoli Access Manager or custom server key whose value is being modified. A valid key is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Valid Tivoli Access Manager keys are documented in the IBM Tivoli Access Manager Base Administration Guide.

value
    Specifies the configuration value to associate with the key in the specified configuration file stanza. Valid Tivoli Access Manager values are documented in the IBM Tivoli Access Manager Base Administration Guide.

Examples

1. The following example shows a config command without a local login (login -l):

    pdadmin local> config modify keyvalue set c:\temp\my.conf meta-info version 6789

   Because a local login (login -l) must be performed to run config commands, the config operation fails. An error is displayed:

    Error: HPDMS4061E Local authentication (local login) is required to perform this operation (status 0x14c52fdd)

2. The following example provides a local login and changes the configuration to replace an existing key value. Note that the prompt changes to show that the login is local:

    pdadmin> login -l
    pdadmin local> config modify keyvalue set d:\temp\my.conf meta-info version 6798

   The contents of the d:\temp\my.conf configuration file would be similar to:

    ...
    [meta-info]
    version = 6798
    ...

3. The following example provides a local login and adds a new obfuscated key and value. The prompt changes to show that the login is local:

    pdadmin> login -l
    pdadmin local> config modify keyvalue set -obfuscate d:\temp\my.conf meta-info mynewkey mynewvalue 14

   The new key and value are added to the obfuscated configuration file and are not visible in the configuration file. To view the contents of the configuration file, use the pdadmin config show command. If there is already a non-obfuscated value present, an error message will be displayed; otherwise, the value (obfuscated) will be assigned to the key, replacing any existing values.

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

config show
login
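The exclusivity rule between obfuscated and non-obfuscated data, and the set, append and remove semantics listed under Options, are easier to verify against a small model. The following is an added example, not IBM's code: it uses an in-memory dict in place of the obfuscated configuration file and assumes that config show can read an obfuscated key.

```python
"""Model of the 'config modify keyvalue' / 'config show' behaviour described above.

Added example, not IBM's code: it parses the INI-style stanza text shown in
example 2 ([meta-info] / version = 6798), uses a plain dict as a stand-in for
the obfuscated configuration file, and enforces the documented rule that a
stanza/key pair may exist in only one of the two stores.
"""
import re


class ConfigError(Exception):
    """Raised wherever the page says pdadmin displays an error."""


_STANZA_RE = re.compile(r"^\[([^\]]+)\]$")
_KEY_RE = re.compile(r"^([^=\s]+)\s*=\s*(.*?)$")


def parse_stanza_file(text):
    """Parse '[stanza]' and 'key = value' lines into {stanza: {key: [values]}}.
    Stanza and key names are case-insensitive, so they are stored lower-cased."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = _STANZA_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            stanzas.setdefault(current, {})
        elif (m := _KEY_RE.match(line)) and current is not None:
            stanzas[current].setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return stanzas


class ConfigStore:
    """A configuration file together with its obfuscated companion store."""

    def __init__(self, plain_text=""):
        self.plain = parse_stanza_file(plain_text)
        self.obfuscated = {}  # constructed stand-in for the obfuscated file

    def _target(self, stanza, key, obfuscate):
        """Pick the stanza to write, refusing if the key already lives in the other store."""
        target, other = ((self.obfuscated, self.plain) if obfuscate
                         else (self.plain, self.obfuscated))
        if key in other.get(stanza, {}):
            kind = "non-obfuscated" if obfuscate else "obfuscated"
            raise ConfigError(f"{kind} data already exists for [{stanza}] {key}")
        return target.setdefault(stanza, {})

    def set(self, stanza, key, value, obfuscate=False):
        """keyvalue set: assign the value, replacing any existing values."""
        stanza, key = stanza.lower(), key.lower()
        self._target(stanza, key, obfuscate)[key] = [value]

    def append(self, stanza, key, value, obfuscate=False):
        """keyvalue append: add a value to the key; duplicate values are ignored."""
        stanza, key = stanza.lower(), key.lower()
        values = self._target(stanza, key, obfuscate).setdefault(key, [])
        if value not in values:
            values.append(value)

    def remove(self, stanza, key, value=None, obfuscate=False):
        """keyvalue remove: drop one value, or the whole key when value is omitted."""
        stanza, key = stanza.lower(), key.lower()
        entries = (self.obfuscated if obfuscate else self.plain).get(stanza, {})
        if key not in entries:
            raise ConfigError(f"[{stanza}] {key} does not exist")
        if value is not None and value not in entries[key]:
            raise ConfigError(f"value {value!r} not present for [{stanza}] {key}")
        if value is not None:
            entries[key].remove(value)
        if value is None or not entries[key]:
            del entries[key]

    def show(self, stanza, key):
        """config show: the stanza and key must exist, or an error is displayed.
        Assumption: obfuscated keys are readable through config show as well."""
        stanza, key = stanza.lower(), key.lower()
        for store in (self.plain, self.obfuscated):
            if key in store.get(stanza, {}):
                return list(store[stanza][key])
        raise ConfigError(f"[{stanza}] {key} does not exist")


# Constructed sample of d:\temp\my.conf before example 2 above is run.
SAMPLE_CONF = "[meta-info]\nversion = 6789\n"


def walk_through_examples():
    """Replay examples 2 and 3 from the page and return the resulting store."""
    store = ConfigStore(SAMPLE_CONF)
    store.set("meta-info", "version", "6798")                         # example 2
    store.set("meta-info", "mynewkey", "mynewvalue", obfuscate=True)  # example 3
    return store
```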


config show

Shows the value that is associated with the specified stanza and key in the Tivoli Access Manager server configuration files or in customized server configuration files. The stanza and key must exist, or an error is displayed. Requires a local login to use this command. No authentication is required.

Syntax

    config show config_file stanza key

Options

config_file
    Specifies the Tivoli Access Manager or custom configuration file to use. Unless the configuration file is in the current directory, the configuration file name must be a fully qualified path name. The necessary operating system permissions are required to read and update the configuration file. Valid values for Tivoli Access Manager keys are documented in the IBM Tivoli Access Manager Base Administration Guide.

stanza
    Specifies the name of a Tivoli Access Manager or custom stanza that contains the input key. A valid stanza name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Valid Tivoli Access Manager stanzas are documented in the IBM Tivoli Access Manager Base Administration Guide.

key
    Specifies the configuration value to associate with the key in the specified configuration file stanza. Valid Tivoli Access Manager values are documented in the IBM Tivoli Access Manager Base Administration Guide.

Examples

1. The following example, entered on one line, provides a local login and requests the value of the version key for the [meta-info] stanza. The value is 1296. Note that the prompt changes to show that the login is local:

    pdadmin> login -l
    pdadmin local> config show "c:\Program Files\Tivoli\Policy Directory\etc\activedir.conf" meta-info version

   Provides output similar to:

    1296

2. The following example provides a local login and requests the value of the enabled key for the [ldap] stanza. The output provides a key value of yes. Note that the prompt changes to show that the login is local:

    pdadmin> login -l
    pdadmin local> config show "c:\Program Files\IBM\LDAP\etc\ldap.conf" ldap enabled

   Provides output similar to:

    yes

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

config modify
login


context show

Displays the user ID and domain ID used to establish the current authentication context. Also, specifies whether the domain is the management domain or a domain other than the management domain. This command does not require a login or authentication to use.

Syntax

    pdadmin context show

Options

None.

Examples

1. The following example shows that no login and no authentication is being performed:

    c:\> pdadmin context show

   The output is similar to the following:

    No login information

2. The following example shows local authentication before the context show command is issued:

    c:\> pdadmin -l
    pdadmin local> context show

   The output is similar to the following:

    The user is logged in to the local system

3. The following example shows local authentication, similar to example 2, except the command is issued interactively:

    pdadmin sec_master> login -l
    pdadmin local> context show

   The output is similar to the following:

    The user is logged in to the local system

4. The following example shows authentication context information for a user who is logged in to the management domain (non-local authentication):

    c:\> pdadmin -a sec_master -p mypwd -m
    pdadmin sec_master> context show

   The output is similar to the following:

    User: sec_master
    Domain: Default
    The user is logged into the management domain

5. The following example shows authentication context information for the testdomain_admin administrator who logs in interactively to a domain (testdomain) other than the management domain:

    pdadmin> login -a testdomain_admin -p testpwd -d testdomain
    pdadmin testdomain_admin@testdomain_admin> context show

   The output is similar to the following:

    User: testdomain_admin
    Domain: testdomain
    The user is not logged in to the management domain

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

domain show
user show
login
logout


domain create

Creates a domain, including an administrator ID and password to log in to the specified domain. You must log in to the management domain as an administrator to perform this command. Requires authentication (administrator ID and password) to use this command.

Syntax

    domain create domain domain_admin_id domain_admin_password [-desc description]

Options

domain
    Specifies the name of the domain to be created. The name is limited to 64 characters in length, is case sensitive, and can contain any of the following: a-z, A-Z, 0-9, hyphen (-), underscore (_), period (.), at sign (@), ampersand (&), or any character from a double-byte character set.

domain_admin_id
    Specifies an administrator ID, which will be created in the specified domain.

domain_admin_password
    Specifies the password for the domain_admin_id user.

-desc description
    Specifies an optional description for the domain. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Examples of description: "accounting area"

Description

An initial domain is created when the policy server is configured. This domain, called the management domain, is the default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. You must log in to the management domain to create additional policy domains.

When you create a new domain, you must specify an administrative ID and password for the domain. This ID and password are subsequently assigned to the administrator responsible for handling policy management tasks for the specific domain by the administrator of the management domain. As users, groups, or resources change, the domain's administrator is responsible for updating the security policy for that particular domain. This domain administrator can also delegate administration tasks to others within that specific domain.

For additional information about managing domains, see the IBM Tivoli Access Manager Base Administration Guide.

Examples

1. The following example creates a domain named Marketing, a domain administrator ID Admin1, and an initial password to log in to the domain:

    pdadmin sec_master> domain create Marketing Admin1 password

2. The following example, entered on one line, creates a domain named Finance, a domain administrator ID Admin2, a password, and a domain description:

    pdadmin sec_master> domain create Finance Admin2 password -desc "accounting area"

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

domain delete
domain list
domain modify
domain show
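A pre-flight check for the domain-name constraints and the description quoting rule listed under Options, as an added example that is not part of the original manual. It assumes that "any character from a double-byte character set" can be approximated as any non-ASCII character, and it only assembles the command tokens; it does not run pdadmin.

```python
"""Validate 'domain create' arguments against the constraints documented above.

Added example, not IBM's code. Limits: 64 characters; a-z, A-Z, 0-9, hyphen,
underscore, period, at sign, ampersand, or double-byte characters (assumed
here to mean any non-ASCII character). A description containing a space must
be enclosed in double quotation marks, and "" clears an existing description.
"""

MAX_DOMAIN_NAME = 64
_ASCII_ALLOWED = set("abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789-_.@&")


def validate_domain_name(name):
    """Return (True, "") when the name is acceptable, else (False, reason)."""
    if not name:
        return False, "domain name is empty"
    if len(name) > MAX_DOMAIN_NAME:
        return False, f"domain name longer than {MAX_DOMAIN_NAME} characters"
    # Non-ASCII characters pass as the assumed double-byte case; ASCII must be in the list.
    bad = sorted({c for c in name if ord(c) < 128 and c not in _ASCII_ALLOWED})
    if bad:
        return False, "invalid characters: " + ", ".join(repr(c) for c in bad)
    return True, ""


def quote_description(description):
    """Apply the quoting rule: "" clears, and a space requires double quotation marks."""
    if description == "":
        return '""'
    return f'"{description}"' if " " in description else description


def build_domain_create(domain, admin_id, admin_password, description=None):
    """Assemble the pdadmin 'domain create' command line as a list of tokens."""
    ok, reason = validate_domain_name(domain)
    if not ok:
        raise ValueError(reason)
    if not admin_id or not admin_password:
        raise ValueError("domain administrator ID and password are required")
    tokens = ["domain", "create", domain, admin_id, admin_password]
    if description is not None:
        tokens += ["-desc", quote_description(description)]
    return tokens
```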


domain delete

Deletes a domain, excluding the management domain, and optionally deletes the domain's user and group information from the user registry. You must log in to the management domain as an administrator to perform this command. Requires authentication (administrator ID and password) to use this command.

Syntax

    domain delete domain [-registry]

Options

domain
    Specifies the name of the domain to be deleted. The domain must exist, or an error is displayed.

-registry
    Specifies that the domain's information, including user and group data, be deleted from the user registry. If this option is not selected, user and group data for the specified domain remains in the registry and can be used again if the domain is recreated.

Description

A domain can be deleted within the management domain only by an administrator with the appropriate privileges.

Examples

1. The following example deletes a domain named Marketing:

    pdadmin sec_master> domain delete Marketing

2. The following example deletes a domain named Finance and removes any user and group information in the user registry:

    pdadmin sec_master> domain delete Finance -registry

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

domain create
domain list
domain modify
domain show

domain list

Lists all domains, excluding the management domain. You must log in to the management domain as an administrator to perform this command. Requires authentication (administrator ID and password) to use this command.

Syntax

    domain list

Options

None.

Examples

The following example lists existing domains other than the management domain (Default):

    pdadmin sec_master> domain list

Output is similar to the following:

    Marketing
    Finance
    Advertising
    Receiving

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

domain create
domain delete
domain modify
domain show

domain modify

Changes the description of a domain. You must log in to the management domain as an administrator to perform this command. Requires authentication (administrator ID and password) to use this command.

Syntax

    domain modify domain description description

Options

domain
    Specifies the name of the domain to modify.

description description
    Specifies a new description for the domain. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "marketing and advertising areas"

Examples

The following example, entered on one line, changes the description specified for the Marketing domain:

    pdadmin sec_master> domain modify Marketing description "marketing and advertising areas"

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

domain create
domain delete
domain list
domain show

domain show

Displays the properties of a domain. You must log in to the management domain as an administrator to perform this command. Requires authentication (administrator ID and password) to use this command.

Syntax

    domain show domain

Options

domain
    Specifies the name of the domain for which to display properties. The domain must exist, or an error is displayed.

Examples

The following example displays properties for the Marketing domain:

    pdadmin sec_master> domain show Marketing

Output is similar to the following:

    Domain Name: Marketing
    Description: marketing and advertising areas

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

domain create
domain delete
domain list
domain modify

errtext

Displays the error message of a given error number. For detailed information on messages, see the IBM Tivoli Access Manager Error Message Reference. This command does not require a login or authentication to use.

Syntax

    errtext error_number

Options

error_number
    Specifies the number, in either decimal or hexadecimal, of the error for which to generate the error text.

Description

The message ID is also displayed (for example, HPDMS4047E). The message ID consists of 10 alphanumeric characters that uniquely identify the message. The message ID is composed of:

- A 3-character product identifier (for example, HPD indicates this message is for Tivoli Access Manager base or Web Portal Manager)
- A 2-character component or subsystem identifier
- A 4-digit message number
- A 1-character type code indicating the severity of the message (I for informational, W for warning, and E for error)

Examples

1. The following example displays the error message associated with a given hexadecimal number:

    pdadmin sec_master> errtext 0x14c52fcf

   Output is similar to the following:

    HPDMS4047E: Non-local authentication (login) is required to perform this operation (status 0x14c52fcf)

2. The following example displays the error message associated with a given decimal number:

    pdadmin> errtext 268808652

   Output is similar to the following:

    HPDAC0460E The protected object space specified already exists in the authorization policy database (status 0x1005b1cc)

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.
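The message-ID layout described above, applied to the two errtext outputs on this page and to the HPDMS4061E line shown under config modify, with the decimal/hexadecimal conversion that errtext accepts. This is an added example rather than IBM's code; the component codes (MS, AC) are kept as opaque strings because the page does not decode them.

```python
"""Decode Tivoli Access Manager message IDs and status codes from pdadmin output.

Added example, not IBM's code. It applies the documented layout (3-character
product, 2-character component, 4-digit number, 1-character severity) and
converts status codes between the decimal and 0x-prefixed hexadecimal forms
that errtext accepts. Useful when triaging pdadmin output in scripts or logs.
"""
import re
from collections import Counter

SEVERITY = {"I": "informational", "W": "warning", "E": "error"}

_MSGID_RE = re.compile(r"^(?P<product>[A-Z]{3})(?P<component>[A-Z0-9]{2})"
                       r"(?P<number>[0-9]{4})(?P<severity>[IWE])$")

# Optional "Error:" prefix, the message ID with an optional colon, the text,
# then the trailing "(status 0x...)" that pdadmin appends.
_LINE_RE = re.compile(r"^(?:Error:\s*)?(?P<msgid>[A-Z]{3}[A-Z0-9]{2}[0-9]{4}[IWE]):?\s+"
                      r"(?P<text>.*?)\s*\(status\s+(?P<status>0x[0-9A-Fa-f]+)\)\s*$")


def parse_message_id(msgid):
    """Split a 10-character message ID into its documented fields."""
    m = _MSGID_RE.match(msgid)
    if not m:
        raise ValueError(f"not a 10-character message ID: {msgid!r}")
    fields = m.groupdict()
    fields["severity_name"] = SEVERITY[fields["severity"]]
    return fields


def parse_error_number(text):
    """Accept the decimal or 0x-prefixed hexadecimal form, as errtext does."""
    text = text.strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def status_to_hex(status):
    """Render a status code the way pdadmin prints it (for example 0x1005b1cc)."""
    return f"0x{status:08x}"


def parse_error_line(line):
    """Parse one pdadmin error line into a record, or return None if it is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    record = parse_message_id(m.group("msgid"))
    record["message_id"] = m.group("msgid")
    record["text"] = m.group("text")
    record["status"] = parse_error_number(m.group("status"))
    return record


# Constructed sample: the error lines that appear on this page.
SAMPLE_LINES = [
    "Error: HPDMS4061E Local authentication (local login) is required to perform "
    "this operation (status 0x14c52fdd)",
    "HPDMS4047E: Non-local authentication (login) is required to perform this "
    "operation (status 0x14c52fcf)",
    "HPDAC0460E The protected object space specified already exists in the "
    "authorization policy database (status 0x1005b1cc)",
    "pdadmin sec_master> errtext 0x14c52fcf",  # not an error line; skipped
]


def summarize(lines):
    """Count parsed error lines per component and severity."""
    records = [r for r in (parse_error_line(l) for l in lines) if r]
    return {
        "parsed": len(records),
        "by_component": dict(Counter(r["component"] for r in records)),
        "by_severity": dict(Counter(r["severity_name"] for r in records)),
    }
```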


exit or quit

Exits from the pdadmin utility interactive command line mode. This command does not require a login or authentication to use.

Syntax

    exit
    quit

Options

None.

Examples

1. The following example displays how to exit the pdadmin utility:

    pdadmin> exit

2. The following example displays how to quit the pdadmin utility:

    pdadmin> quit

See also

login
logout
context show

group create

Creates a Tivoli Access Manager group. Requires authentication (administrator ID and password) to use this command.

Syntax

    group create group_name dn cn [group_container]

Options

group_name
    Specifies the name of the group being created. This name must be unique within the domain. A valid group name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. Examples of group names: Credit, Sales, Test-group

dn
    Specifies the registry identifier assigned to the group being created. The format for a distinguished name is similar to: cn=credit,ou=Austin,o=Tivoli,c=US

cn
    Specifies the common name assigned to the group being created. For example: cwright

group_container_object
    Specifies the group container object assigned to the group being created. If this option is not specified, the group by default is placed in the object space under /Management/Groups. Examples of group containers: Credit and Sales_Teams

Examples

1. The following example, entered on one line, creates a group named credit1 with a common name of credit01 within an optional group container object named Credit:

    pdadmin sec_master> group create credit1 "cn=credit01,o=Tivoli,c=US" Credit

2. The following example creates a group named salesteam with a common name of sales within an optional group container object named Sales_Teams:

    pdadmin sec_master> group create salesteam "cn=sales,o=tivoli,c=us" Sales_Teams

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

group delete
group import

group delete

Deletes the specified Tivoli Access Manager group and optionally deletes the group’s information from the user registry. ACL entries associated with the group are also deleted.

Requires authentication (administrator ID and password) to use this command.

Syntax

group delete [–registry] group_name

Options

–registry
    Deletes the entire group object from the user registry.

group_name
    Specifies the name of the Tivoli Access Manager group to be deleted. The group must exist, or an error is displayed. Examples of group names: Credit, Sales, and Test-group

Examples

1. The following example deletes the existing engineering group:

   pdadmin sec_master> group delete engineering

2. The following example deletes the group object from the user registry and also deletes the existing Test-group group:

   pdadmin sec_master> group delete -registry Test-group

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

group create
group import


group import

Creates a Tivoli Access Manager group by importing group data that already exists in the user registry.

Requires authentication (administrator ID and password) to use this command.

Syntax

group import group_name dn [group_container]

Options

group_name
    Specifies the Tivoli Access Manager name of the group to create. A valid group name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. Examples of group names: Credit, Sales, Test-group

dn
    Specifies the registry identifier of the group to import. The distinguished name must exist, or an error is displayed. The format for a distinguished name is similar to "cn=engineering,ou=Austin,o=Tivoli,c=us"

group_container
    Specifies the group container object assigned to the group being created. By default, the group is placed in the object space under /Management/Groups. If the container object does not currently exist, it is automatically created.

Examples

1. The following example, entered on one line, creates a Tivoli Access Manager group by importing a group that already exists in the user registry:

   pdadmin sec_master> group import engineering "cn=engineering,o=Tivoli,c=US"

2. The following example creates a new group named sales and optionally places this group in a group container object named Sales2003:

   pdadmin sec_master> group import sales "cn=sales,o=tivoli,c=us" Sales2003


Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

group create


group list

Generates a list of all groups, by group name, whose names match the specified pattern.

Requires authentication (administrator ID and password) to use this command.

Syntax

group {list | list-dn} pattern max_return

Options

list pattern max_return
    Specifies the pattern of the group name to search for. The pattern can include a mixture of wildcard and string constants, and is case insensitive (for example, *austin*). The max_return option specifies the limit of how many entries should be returned for a single request; for example, 2. Note that the number returned is also governed by the server configuration, which specifies the maximum number of results that can be returned as part of a search operation. The actual maximum number of returned entries is the minimum of max_return and the configured value on the server.

list-dn pattern max_return
    Lists user registry identifiers whose user registry common name attribute matches the pattern specified. The returned list contains groups that are defined in the user registry, but they are not necessarily Tivoli Access Manager groups. You can import groups that are not Tivoli Access Manager groups into Tivoli Access Manager using the group import command.

Examples

1. The following example lists 3 groups matching the specified pattern of a group name containing the letter a:

   pdadmin sec_master> group list *a* 3

   Output is similar to the following:

   Sales
   Marketing
   Alex

2. The following example lists 2 groups matching the specified pattern of a distinguished name containing the letter t:

   pdadmin sec_master> group list-dn *t* 2

   Output is similar to the following:

   cn=credit,ou=Austin,o=Tivoli,c=US
   Sales
   cn=marketing,ou=Boston,o=Austin Sale,c=US
   Marketing
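The cap on returned entries described under the list option, worked through as an added Python example (this is not code from the IBM reference; the sample output is a constructed copy of the listing above, and the server-side limit of 100 is a constructed value). It reads the lines that group list printed and flags a result set that fills the effective cap, since an audit script that treats such a list as complete would silently miss groups:

```python
"""Added example (not IBM code): read `pdadmin group list` output and detect
a result set that may have been cut off by max_return or the server's
configured search limit."""
from __future__ import annotations

# Constructed sample: what `group list *a* 3` printed in the example above.
SAMPLE_OUTPUT = """Sales
Marketing
Alex
"""


def parse_group_list(output: str) -> list[str]:
    """Return the group names from `group list` output, one per line."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def effective_limit(max_return: int, server_max: int) -> int:
    """The reference states the real cap is the smaller of the max_return
    argument and the server's configured maximum number of search results."""
    if max_return < 1 or server_max < 1:
        raise ValueError("limits must be positive")
    return min(max_return, server_max)


def possibly_truncated(names: list[str], max_return: int, server_max: int) -> bool:
    """True when the row count reaches the effective cap: more groups matching
    the pattern may exist than were returned, so the list is not proof of absence."""
    return len(names) >= effective_limit(max_return, server_max)


def audit_listing(output: str, max_return: int, server_max: int) -> dict:
    """Summarise a listing for an audit report."""
    names = parse_group_list(output)
    return {
        "groups": names,
        "count": len(names),
        "cap": effective_limit(max_return, server_max),
        "possibly_truncated": possibly_truncated(names, max_return, server_max),
    }


if __name__ == "__main__":
    # server_max=100 is a constructed value for the server-side search limit.
    print(audit_listing(SAMPLE_OUTPUT, max_return=3, server_max=100))
```

When the flag is set, re-run the search with a narrower pattern or a larger max_return (up to the server's limit) before concluding that no other matching groups exist.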


Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

group show


group modify

Changes an existing group by adding a description, or adding or removing a list of members.

Requires authentication (administrator ID and password) to use this command.

Syntax

group modify group_name {add {user | (user1 user2 ...)} | description description | remove {user | (user1 user2 ...)}}

group modify group_name add (user_name1 user_name2 ...)

group modify group_name description description

group modify group_name remove (user_name1 user_name2 ...)

Options

group_name
    Specifies the name of the group to be modified. The group must exist, or an error is displayed. Examples of group names: Credit, Sales, Test-group

add {user | (user1 user2 ...)}
    Adds a user or a list of specified users to the specified group. The format of the user list is a parenthesized list of user names, separated by spaces. For example, the specified users to be added might be: dlucas or ("Mary Jones" dsmith mlucaser)

description description
    Changes the description for the specified group. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "Credit, Dept HCUS"

remove {user | (user1 user2 ...)}
    Removes a user or a list of specified users from the specified group. The format of the user list is a parenthesized list of user names, separated by spaces. For example, the specified users to be deleted might be: dlucas or ("Mary Jones" dsmith mlucaser)


Examples

1. The following example adds a new user dlucas to the engineering group:

   pdadmin sec_master> group modify engineering add dlucas

2. The following example adds three new users to the engineering group:

   pdadmin sec_master> group modify engineering add ("Mary Jones" dsmith mlucaser)

3. The following example, entered on one line, deletes three existing users from the engineering group:

   pdadmin sec_master> group modify engineering remove ("Mary Jones" dlucas mlucaser)

4. The following example changes the description of the credit group:

   pdadmin sec_master> group modify credit description "Credit, Dept HCUS"
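As an added example that is not part of the IBM reference, the following Python builds group modify command lines according to the quoting rules documented under Options above: a single user is passed bare, several users go in a parenthesized space-separated list, a name or description containing a space is enclosed in double quotation marks, and "" clears a description. The same description rule applies to object create. The group-name pattern it enforces is an assumption drawn from the documented "no spaces" rule and the sample names on this page (Test-group, Sales_Teams); nothing here invokes pdadmin:

```python
"""Added example (not IBM code): build `pdadmin group modify` command lines
that follow the quoting rules documented for this command.  Inputs are
constructed; nothing here invokes pdadmin."""
from __future__ import annotations

import re

# Assumption: group names are alphanumeric with no spaces, as the reference
# states; '-' and '_' are accepted because the page's own sample names
# (Test-group, Sales_Teams) use them.
_GROUP_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def is_valid_group_name(name: str) -> bool:
    return bool(_GROUP_NAME.match(name))


def quote_arg(value: str) -> str:
    """Wrap a value in double quotation marks when it contains a space, or
    when it is empty ("" clears an existing description)."""
    if '"' in value:
        raise ValueError("embedded double quotation marks are not supported")
    return f'"{value}"' if value == "" or " " in value else value


def user_list(users: list[str]) -> str:
    """One user is passed bare; several become a parenthesized list
    separated by spaces, with multi-word names quoted."""
    if not users:
        raise ValueError("at least one user is required")
    if len(users) == 1:
        return quote_arg(users[0])
    return "(" + " ".join(quote_arg(u) for u in users) + ")"


def group_modify(group: str, action: str, *, users: list[str] | None = None,
                 description: str | None = None) -> str:
    """Return the text of a group modify command for add, remove or description."""
    if not is_valid_group_name(group):
        raise ValueError(f"invalid group name {group!r}: spaces are not allowed")
    if action in ("add", "remove"):
        if not users:
            raise ValueError(f"{action} requires a user list")
        return f"group modify {group} {action} {user_list(users)}"
    if action == "description":
        if description is None:
            raise ValueError("description requires a value; use '' to clear it")
        return f"group modify {group} description {quote_arg(description)}"
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    print(group_modify("engineering", "add", users=["Mary Jones", "dsmith", "mlucaser"]))
    print(group_modify("credit", "description", description="Credit, Dept HCUS"))
```

Validating the group name and quoting every argument in one place keeps a membership-management script from emitting a command that pdadmin parses as a different group or user than intended.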

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

group create
group import


group show

Shows the properties of the specified group.

Requires authentication (administrator ID and password) to use this command.

Syntax

group {show group_name | show-dn dn | show-members group_name}

group show group_name

group show-dn dn

group show-members group_name

Options

show group_name
    Shows the properties of the group specified by group_name. The group must exist, or an error is displayed. Examples of group names: Credit, Sales, Test-group

show-dn dn
    Shows the group specified by the group’s identifier in the user registry. The returned group is defined in the user registry, but it is not necessarily a Tivoli Access Manager group. Groups that are not Tivoli Access Manager groups can be imported into Tivoli Access Manager by use of the pdadmin group import command. The format for a distinguished name is similar to: "cn=engineering,ou=Austin,o=Tivoli,c=us"

show-members group_name
    Lists the user names of the members of the specified group. The group must exist, or an error is displayed. Examples of group names: Credit, Sales, and Test-group

Examples

1. The following example displays properties of the credit group:

   pdadmin sec_master> group show credit

   Output is similar to the following:

   Group ID: credit
   LDAP dn: cn=credit,ou=Austin,o=Tivoli,c=US
   Description: Credit, Dept HCUS
   LDAP cn: credit
   Is SecGroup: yes


2. The following example displays properties specified by the group’s identifier cn=credit,ou=Austin,o=Tivoli,c=US in the user registry:

   pdadmin sec_master> group show-dn cn=credit,ou=Austin,o=Tivoli,c=US

   Output is similar to the following:

   Group ID: credit
   LDAP dn: cn=credit,ou=Austin,o=Tivoli,c=US
   Description: Credit, Dept HCUS
   LDAP cn: credit
   Is SecGroup: yes

3. The following example lists the user names of the members of the credit group:

   pdadmin sec_master> group show-members credit

   Output is similar to the following:

   dlucas
   mlucaser
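The output formats shown in the three examples above, parsed by an added Python example (not IBM code; both samples are constructed copies of the output shown here). It uses the Is SecGroup field to tell a registry group returned by show-dn apart from a Tivoli Access Manager group, and reports members of a group that are not on an approved list:

```python
"""Added example (not IBM code): parse `pdadmin group show`, `group show-dn`
and `group show-members` output for a membership audit.  Samples are
constructed from the output shown in this section."""
from __future__ import annotations

SHOW_OUTPUT = """Group ID: credit
LDAP dn: cn=credit,ou=Austin,o=Tivoli,c=US
Description: Credit, Dept HCUS
LDAP cn: credit
Is SecGroup: yes
"""

MEMBERS_OUTPUT = """dlucas
mlucaser
"""


def parse_group_show(output: str) -> dict[str, str]:
    """Split each 'Label: value' line at the first colon, so that values
    that themselves contain commas or colons (a DN, a description) survive."""
    props: dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        label, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unexpected line in group show output: {line!r}")
        props[label.strip()] = value.strip()
    return props


def is_secgroup(props: dict[str, str]) -> bool:
    """show-dn can return a registry group that is not a Tivoli Access Manager
    group; the 'Is SecGroup' field is what distinguishes the two."""
    return props.get("Is SecGroup", "").lower() == "yes"


def parse_members(output: str) -> list[str]:
    """show-members prints one user name per line."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def unexpected_members(output: str, approved: set[str]) -> list[str]:
    """Members present in the group but absent from the approved set."""
    return sorted(set(parse_members(output)) - approved)


if __name__ == "__main__":
    props = parse_group_show(SHOW_OUTPUT)
    print(props["Group ID"], props["LDAP dn"], "secgroup" if is_secgroup(props) else "registry only")
    # Constructed approved list: only dlucas is expected in the credit group.
    print("unexpected:", unexpected_members(MEMBERS_OUTPUT, {"dlucas"}))
```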

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

group list


help

Obtains system help for pdadmin commands and options.

This command does not require a login or authentication to use.

Syntax

help {topic|command}

Options

topic
    Specifies the help command topic for which help is needed.

command
    Specifies the miscellaneous command for which help is needed.

Examples

1. The following example lists help topics and commands:

   pdadmin> help

   Output is similar to the following:

   Type ’help <topic>’ or ’help <ommand> for more information
   Topics:
   acl
   action
   admin
   authzrule
   config
   context
   domain
   errtext
   exit
   group
   help
   login
   logout
   object
   objectspace
   policy
   pop
   quit
   rsrc
   rsrccred
   rsrcgroup
   server
   user
   Miscellaneous Commands:
   exit
   help
   quit


2. The following example lists the options and descriptions available, whether you specify the topic action or action create:

   pdadmin> help action

   Or, type:

   pdadmin> help action create

   Output is similar to the following:

   action create <action-name> <action-label> <action-type>
       Creates a new ACL action definition
   action create <action-name> <action-label> <action-type> <action-group-name>
       Creates a new ACL action definition in a group
   ...

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


login

Establishes authentication credentials used when communicating with the Tivoli Access Manager policy server. These credentials are used to determine access privileges for the user to policy server data. Most commands cannot be performed unless an explicit login is done.

This command does not require a login or authentication to use.

Syntax

login –a admin_id –p password [–d domain|–m]

login –l

Options

–a admin_id
    Specifies an administrator ID.

–p password
    Specifies the password for the admin_id user. If this option is not specified, the user is prompted for the password. The password cannot be specified if the admin_id is not specified.

–d domain
    Specifies the Tivoli Access Manager secure domain to log in to. The admin_id user must exist in this domain.

–m
    Specifies that the login operation should be directed to the management domain. The admin_id user must exist in this domain.

    Note: Only one of the following domain options can be specified: –d domain or –m. If neither option is specified, the target domain is the local domain configured for the system. The admin_id user must exist in the target domain, whether or not it is explicitly specified.

–l
    Specifies a local login operation. When modifications are made to local configuration files by using the pdadmin config commands, a local login is required before you can run commands. The user can run the pdadmin context show command to view additional authentication information.

Description

Credentials are used to determine user access privileges to policy server data. With the exception of the context, errtext, exit, help, login, logout, and quit commands and the local configuration commands, a user ID and password are needed for authentication.

Credentials are not accumulated or stacked. A login command completely replaces any existing credentials.


In interactive mode, the pdadmin prompt changes, depending upon how the user has logged in. Examples:

c:\> pdadmin
pdadmin>
    Not interactive mode. This command starts the pdadmin utility. In interactive mode, the login commands are entered from the pdadmin> prompt.

pdadmin> login -l
pdadmin local>
    A user local login performed for local configuration. No authentication is required.

pdadmin> login -a sec_master -p secmstrpw
pdadmin sec_master>
    An administrator login performed to the local domain. In some cases, the local domain might be the management domain, which is named Default. Authentication is required.

pdadmin> login -a dlucas -p lucaspw
pdadmin dlucas>
    A user login performed to the local domain. Authentication is required.

pdadmin> login -a dlucas -p lucaspw -d domain_a
pdadmin dlucas@domain_a>
    A user login performed to a domain other than the user’s local domain. Authentication is required.

pdadmin> login -a dlucas -p lucaspw -m
pdadmin dlucas@Default>
    A user login performed to the management domain. Authentication is required.

Examples

1. The following example logs the sec_master user into the management domain and then displays the authentication context for the user:

   pdadmin> login -a sec_master -p pa55w0rd -m
   pdadmin sec_master> context show
   User: sec_master
   Domain: Default
   The user is logged in to the management domain.

2. The following example logs a user into the domain1 domain and then displays the authentication context for the user:

   pdadmin> login -a domain1_admin -p d0main1pwd -d domain1
   pdadmin domain1_admin@domain1> context show
   User: domain1_admin
   Domain: domain1
   The user is not logged in to the management domain


3. The following example interactively logs the user into their local domain that is configured for the system (the domain name is testdomain) and then displays the authentication context of the user:

   pdadmin> login
   Enter User ID: testdomain_admin
   Enter password: adminpwd
   pdadmin testdomain_admin> context show
   User: testdomain_admin
   Domain: testdomain
   The user is not logged in to the management domain

4. The following example of a local login demonstrates how the prompt changes, depending on the type of interactive login:

   c:\> pdadmin login -l

   Provides this prompt:

   pdadmin local>

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

exit or quit
logout
context show


logout

Discards any authentication credentials that are in effect.

This command does not require a login or authentication to use.

Syntax

logout

Options

None.

Examples

1. The following example first shows a local login and then demonstrates how the prompt changes:

   pdadmin login -l
   pdadmin local>

   The following example demonstrates the logout command:

   pdadmin local> logout

2. The following example displays context information about the user ID, the domain ID, and whether the domain is the management domain:

   pdadmin domain1_admin@domain1> context show
   User: domain1_admin
   Domain: domain1
   The user is not logged in to the management domain.

   The following example shows a logout command, and then displays context information after the logout command has been issued:

   pdadmin domain1_admin@domain1> logout
   The user has been logged out and credentials have been discarded.
   pdadmin> context show
   No login information.

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

exit or quit
login
context show


object access

Confirms whether the specified access is permitted on the specified object. The access is determined based on this user’s permissions.

Requires authentication (administrator ID and password) to use this command.

Syntax

object access object_name permissions

Options

object_name
    Specifies the protected object, which is the fully-qualified name of the object, including the object space within which it is located. The object must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

permissions
    Specifies the permission or permissions to check. Tivoli Access Manager uses a default set of actions that cover a wide range of operations. Actions are represented by single alphabetic ASCII characters (a-z, A-Z). For example, a list of primary action tasks and associated permissions for the user sec_master, with WebSEAL as the Web server, might include:

    T   Traverse          Base
    c   Control           Base
    g   Delegation        Base
    m   Modify            Generic
    d   Delete            Generic
    b   Browse            Base
    s   Server Admin      Generic
    v   View              Generic
    a   Attach            Base
    B   Bypass POP        Base
    t   Trace             Base
    r   Read              WebSEAL
    x   Execute           WebSEAL
    l   List Directory    WebSEAL
    N   Create            Base
    W   Password          Base
    A   Add               Base
    R   Bypass AuthzRule  Base

Examples

1. The following example confirms whether the user running pdadmin has the Bypass POP (B) permission on the object named /Management:

   pdadmin sec_master> object access /Management B

   Output is similar to the following:

   Access: No


2. The following example confirms whether the user running pdadmin has the Password (W) action permission on the object named /Management/test-object:

   pdadmin sec_master> object access /Management/test-object W

   Output is similar to the following:

   Access: Yes

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

object listandshow
object show


object create

Creates a protected object.

Requires authentication (administrator ID and password) to use this command.

Syntax

object create object_name description type ispolicyattachable {yes|no}

Options

object_name
    Specifies the name for the object being created. This name must be unique. A valid object name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

description
    Specifies any text string describing the object being created. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "Travel Groups"

type
    Specifies the type of object to be created. Types range from 0-17. For example, types 10 or 16 are appropriate for container objects. Object types are discussed in the IBM Tivoli Access Manager Base Administration Guide. You can assign any of the following types:

    0   unknown
    1   secure domain
    2   file
    3   executable program
    4   directory
    5   junction
    6   WebSEAL server
    7   unused
    8   unused
    9   HTTP server
    10  nonexistent object
    11  container object
    12  leaf object
    13  port
    14  application container object
    15  application leaf object
    16  management object
    17  unused


ispolicyattachable {yes|no}
    Specifies whether an ACL, a protected object policy, or an authorization rule can be attached to this object. Valid values are yes or no.

Examples

1. The following example, entered on one line, creates the object named /Management/test-object that has a description of Test Object and is an application container object (14). An ACL or a protected object policy can be attached to this object:

   pdadmin sec_master> object create /Management/test-object "Test Object" 14 ispolicyattachable yes

2. The following example, entered on one line, creates the object named /Management/Groups/Travel that has a description of Travel Container Object and is an application container object (14). An ACL or a protected object policy cannot be attached to this object:

   pdadmin sec_master> object create /Management/Groups/Travel "Travel Container Object" 14 ispolicyattachable no

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

object delete


object delete

Deletes a protected object.

Requires authentication (administrator ID and password) to use this command.

Syntax

object delete object_name

Options

object_name
    Specifies the protected object to be deleted. The object must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

Examples

1. The following example deletes the object named /Management/test-object:

   pdadmin sec_master> object delete /Management/test-object

2. The following example deletes the object named /Management/Groups/Travel:

   pdadmin sec_master> object delete /Management/Groups/Travel

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

object create


object exists

Confirms whether a protected object is located either in the policy database or in an objectspace managed by an administration service plug-in. The administration service plug-in might be registered by an authorization application, such as WebSEAL.

Requires authentication (administrator ID and password) to use this command.

Syntax

object exists object_name

Options

object_name
    Specifies the protected object, which is the fully-qualified name of the object, including the object space within which it is located. The object must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

Examples

1. The following example confirms whether the object named /Management exists:

   pdadmin sec_master> object exists /Management

   Output is similar to the following:

   Exists: Yes

2. The following example confirms whether the object named /Management/notAnObject exists:

   pdadmin sec_master> object exists /Management/notAnObject

   Output is similar to the following:

   Exists: No

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

object listandshow
object show


object list

Lists any objects grouped under the specified protected object. Alternatively, lists all the extended attributes associated with the specified protected object.

Requires authentication (administrator ID and password) to use this command.

Syntax

object list

object list object_name

object list object_name attribute

Options

object list
    Lists all protected objects. The output will be the same as if you issued the objectspace list command.

object list object_name
    Lists all objects grouped under the specified protected object. The object must exist, or an error is displayed.

object list object_name attribute
    Lists all extended attributes associated with the specified protected object. The object must exist, or an error is displayed.

Examples

1. The following example lists all the protected object spaces under the root of the object namespace (/):

   pdadmin sec_master> object list

   Displays a list similar to the following:

   /Management
   /MyObjectSpace_1
   ...
   /WebSEAL

2. The following example lists all the protected objects under the protected object named /Management. In this example, both /Management and /Management/ACL are object spaces:

   pdadmin sec_master> object list /Management

   Displays a list similar to the following:

   /Management/ACL
   /Management/Action
   /Management/Config
   ...
   /Management/test-object

3. The following example lists the extended attributes for the object named /Management/test-object:

   pdadmin sec_master> object list /Management/test-object attribute

   Displays a list of attributes similar to the following:

   test1


Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
object listandshow
object show


object listandshow

Lists any child objects grouped under the specified protected object and displays all values associated with each object. Shows all values associated with the protected object, including the attached ACLs, POPs, and authorization rules. Also shows any policies that are inherited from protected objects higher in the hierarchy.

Requires authentication (administrator ID and password) to use this command.

Syntax

    object listandshow object_name

Options

object_name
    Specifies the protected object for which the child objects and associated values are to be displayed. The object must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

Examples

1. The following example lists the object named /Management/Groups/Travel and also automatically lists extended attributes, if any:

    pdadmin sec_master> object listandshow /Management/Groups/Travel

   Displays information similar to the following:

    Name : /Management/Groups/Travel
    Description : Travel Container Object
    Type : <Application Container Object> : 14
    Is Policy Attachable : no
    Extended Attributes :
        test1 1111

2. The following example, entered on one line, displays the object named /Management/test-object and lists any attached policies (myrule) and effective policies (myacl and mypop):

    pdadmin sec_master> object listandshow /Management/test-object

   Displays information similar to the following:

    Name : /Management/test-object
    Description : Test Object
    Type : <Application Container Object> : 14
    Is Policy Attachable : yes
    Attached ACL :
    Attached Policy :
    Attached AuthzRule : myrule
    Effective ACL : myacl
    Effective Policy : mypop
    Effective AuthzRule : myrule


Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
object list
object show


object modify

Modifies an existing object.

Requires authentication (administrator ID and password) to use this command.

Syntax

    object modify object_name delete attribute attribute_name [attribute_value]

    object modify object_name set attribute attribute_name attribute_value

    object modify object_name set description description

    object modify object_name set ispolicyattachable {yes|no}

    object modify object_name set type type

Options

object_name
    Specifies the protected object to be modified. The object must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

delete attribute attribute_name [attribute_value]
    Deletes the specified extended attribute (name and value) from the specified protected object. The attribute must exist, or an error is displayed. When you delete the last value for an attribute, it also deletes the attribute from the ACL. The optional attribute_value deletes the specified value from the specified extended attribute key in the specified ACL. Examples of attribute names and values:

        test1 1111
        Dept_No 445
        Employee_name "Diana Lucas"

set attribute attribute_name attribute_value
    Creates an extended attribute, with the specified name and value, and adds it to the specified protected object. If the attribute already exists, the attribute value is added as an additional value if the same value does not exist for this attribute. If the same value exists for this attribute, it does not get added again (duplicate values are not allowed), and no error is returned. The optional attribute_value deletes the specified value from the specified extended attribute key in the specified protected object. The attribute value must exist, or an error is displayed. Examples of extended attribute names and values:

        attr1 valueA
        attr1 valueB
        attr2 valueC


set description description
    Sets the description field of the specified protected object. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "Travel Group aaa"

set ispolicyattachable {yes|no}
    Sets whether the protected object can have an ACL, a POP, or an authorization rule attached or not. Valid values are yes or no.

set type type
    Specifies the type of the object space to be created. Types range from 0-17. For example, types 10 or 16 are appropriate for objects. You can assign any of the following types:

        0   unknown
        1   secure domain
        2   file
        3   executable program
        4   directory
        5   junction
        6   WebSEAL server
        7   unused
        8   unused
        9   HTTP server
        10  nonexistent object
        11  container object
        12  leaf object
        13  port
        14  application container object
        15  application leaf object
        16  management object
        17  unused

Examples

1. The following example, entered on one line, sets the ispolicyattachable option for the object /Management/Groups/Travel:

    pdadmin sec_master> object modify /Management/Groups/Travel set ispolicyattachable yes

2. The following example, entered on one line, sets the attributes for the object /Management/test-object:

    pdadmin sec_master> object modify /Management/test-object set attribute test1 1111
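The set attribute and delete attribute options above describe a small state machine with a few edge cases: a repeated value is ignored without an error, deleting a value that is not there is an error, and deleting the last value removes the attribute itself. The following Python model of those rules is an added example written for this page; it is not code from the IBM reference or from the product. The ProtectedObject class, ModifyError exception and the attribute values are constructed for the example; a real policy server stores these in the master authorization database.

```python
"""Added example (not from the IBM reference): a model of the extended-attribute
semantics described for "object modify set attribute" and "delete attribute".

The store, the error type and the attribute values are constructed for this
example; a real policy server keeps these in the master authorization database.
"""


class ModifyError(Exception):
    """Raised where the reference says "an error is displayed"."""


class ProtectedObject:
    def __init__(self, name, description=""):
        self.name = name
        self.description = description
        # attribute name -> list of distinct values, in insertion order
        self.attributes = {}

    def set_attribute(self, attr_name, attr_value):
        """Create the attribute or add one more value to it.

        A duplicate value is silently ignored (no error), as documented.
        Returns True when a value was actually added.
        """
        values = self.attributes.setdefault(attr_name, [])
        if attr_value in values:
            return False
        values.append(attr_value)
        return True

    def delete_attribute(self, attr_name, attr_value=None):
        """Delete one value, or the whole attribute when no value is given.

        Deleting the last remaining value removes the attribute entirely.
        A missing attribute or value raises ModifyError.
        """
        if attr_name not in self.attributes:
            raise ModifyError(f"attribute {attr_name!r} does not exist on {self.name}")
        if attr_value is None:
            del self.attributes[attr_name]
            return
        values = self.attributes[attr_name]
        if attr_value not in values:
            raise ModifyError(f"value {attr_value!r} does not exist for {attr_name!r}")
        values.remove(attr_value)
        if not values:
            del self.attributes[attr_name]

    def show_attributes(self):
        """Render the "Extended Attributes" block the way object show prints it."""
        lines = ["Extended Attributes :"]
        for name, values in self.attributes.items():
            for value in values:
                lines.append(f"    {name} {value}")
        return lines


def demo():
    """Walk through the reference's sample values; returns the final attribute map."""
    obj = ProtectedObject("/Management/test-object", "Test Object")
    obj.set_attribute("test1", "1111")                    # creates the attribute
    obj.set_attribute("attr1", "valueA")
    obj.set_attribute("attr1", "valueB")                  # second value for attr1
    assert obj.set_attribute("attr1", "valueA") is False  # duplicate: ignored, no error
    obj.delete_attribute("attr1", "valueA")               # one value left
    obj.delete_attribute("attr1", "valueB")               # last value -> attribute removed
    return dict(obj.attributes)


if __name__ == "__main__":
    print(demo())  # {'test1': ['1111']}
```

The values are kept in a list rather than a set so that object show prints them in the order they were added; membership checks are what enforce the no-duplicates rule.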


Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
object create


object show

Shows all values associated with the protected object. Alternatively, returns the value associated with the specified extended attribute for the specified protected object. Displays ACLs, POPs and authorization rules that are attached directly to the object or are inherited from protected objects that are higher in the hierarchy.

This command limits the output for POPs, ACLs, and authorization rules, based on the user's permissions. A user must have the view (v) permission on the object to show it.

Requires authentication (administrator ID and password) to use this command.

Syntax

    object show object_name [attribute attribute_name]

Options

object_name
    Returns the specified protected object. The object must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

attribute attribute_name
    Specifies the name of the extended attribute whose values are to be displayed. The attribute must exist, or an error is displayed. Examples of extended attribute names: Dept_No and Employee_Name

Examples

1. The following example lists the object named /Management/test-object, which also lists any extended attribute names and values:

    pdadmin sec_master> object show /Management/test-object

   Displays information similar to the following:

    Name : /Management/test-object/
    Description : Test Object
    Type : <Application Container Object> : 14
    Is Policy Attachable : yes

2. The following example, entered on one line, displays the object named /Management/test-object and lists the extended attribute name and value for the attribute named test1:

    pdadmin sec_master> object show /Management/test-object attribute test1

   Displays information similar to the following:

    Name : /Management/test-object/
    Description : Test Object
    Type : <Application Container Object> : 14
    Is Policy Attachable : yes
    Extended Attributes :
        test1 1111


3. The following example, entered on one line, displays the object named /Management/test-object and lists any attached (myrule) and effective (myacl and mypop) policies:

    pdadmin sec_master> object show /Management/test-object

   Displays information similar to the following:

    Name : /Management/test-object/
    Description : Test Object
    Type : <Application Container Object> : 14
    Is Policy Attachable : yes
    Attached ACL :
    Attached Policy :
    Attached AuthzRule : myrule
    Effective ACL : myacl
    Effective Policy : mypop
    Effective AuthzRule : myrule
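Both object listandshow and object show distinguish the policy attached directly to an object from the effective policy, which may be inherited from an object higher in the hierarchy (in the output above the ACL and POP are empty on the object itself but myacl and mypop are effective). The following Python code is an added example for this page, not code from the IBM reference or the product: it resolves the effective ACL, POP and authorization rule by walking from the object up to the root and taking the nearest attachment of each kind. The object tree, the name default-root and the helper functions are constructed for the example.

```python
"""Added example (not from the IBM reference): how the "Attached" and
"Effective" lines of object listandshow / object show relate to each other.

A protected object carries at most one ACL, one POP and one authorization rule
directly. The effective value of each kind is the nearest attachment found when
walking from the object up toward the root "/". The object tree, attachment
names and helper names below are constructed for this example.
"""

POLICY_KINDS = ("acl", "pop", "authzrule")
LABELS = {"acl": "ACL", "pop": "Policy", "authzrule": "AuthzRule"}


def parent_of(object_name):
    """Return the parent object name, or None for the root "/"."""
    if object_name == "/":
        return None
    parent = object_name.rsplit("/", 1)[0]
    return parent or "/"


def effective_policies(attachments, object_name):
    """Resolve the effective ACL, POP and authorization rule for object_name.

    attachments maps an object name to the policies attached directly to it,
    e.g. {"/Management": {"acl": "myacl"}}. For each kind, the first object on
    the path upward that has that kind attached supplies the effective value;
    None means nothing of that kind is attached anywhere on the path.
    """
    effective = {kind: None for kind in POLICY_KINDS}
    node = object_name
    while node is not None:
        directly_attached = attachments.get(node, {})
        for kind in POLICY_KINDS:
            if effective[kind] is None and kind in directly_attached:
                effective[kind] = directly_attached[kind]
        node = parent_of(node)
    return effective


def show_object(attachments, object_name):
    """Build the Attached/Effective lines in the layout object show uses."""
    attached = attachments.get(object_name, {})
    effective = effective_policies(attachments, object_name)
    lines = []
    for kind in POLICY_KINDS:
        lines.append(f"Attached {LABELS[kind]} : {attached.get(kind) or ''}".rstrip())
    for kind in POLICY_KINDS:
        lines.append(f"Effective {LABELS[kind]} : {effective[kind] or ''}".rstrip())
    return lines


# Constructed tree reproducing the reference's example: myacl and mypop are
# attached one level up, myrule is attached to the object itself.
SAMPLE_ATTACHMENTS = {
    "/": {"acl": "default-root"},
    "/Management": {"acl": "myacl", "pop": "mypop"},
    "/Management/test-object": {"authzrule": "myrule"},
}

if __name__ == "__main__":
    for line in show_object(SAMPLE_ATTACHMENTS, "/Management/test-object"):
        print(line)
```

Walking upward and stopping at the first hit per kind is what makes an ACL attached lower in the tree override one attached higher up, which is the behaviour an administrator should keep in mind when reading an "Effective ACL" line that does not match the "Attached ACL" line.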

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
object list
object listandshow


objectspace create

Creates a protected object space under which protected objects can be placed.

Requires authentication (administrator ID and password) to use this command.

Syntax

    objectspace create objectspace_name description type

Options

objectspace_name
    Specifies the name of the object space to be created. A valid object space name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Examples of object space names: /Management, /WebSEAL

description
    Specifies the description of the new object space. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "Accounting"

type
    Specifies the type of the object space to be created. Types range from 0-17. For example, types 10 or 16 are appropriate for objects and object spaces. You can assign any of the following types:

        0   unknown
        1   secure domain
        2   file
        3   executable program
        4   directory
        5   junction
        6   WebSEAL server
        7   unused
        8   unused
        9   HTTP server
        10  nonexistent object
        11  container object
        12  leaf object
        13  port
        14  application container object
        15  application leaf object
        16  management object
        17  unused

Description

The root of the new protected object space automatically has the ispolicyattachable option set to true.


Examples

1. The following example creates an object space named /Test-Space that is an application container object (type 14):

    pdadmin sec_master> objectspace create /Test-Space "New Object Space" 14

2. The following example creates an object space named /Dept4D4 that is a management object (type 16):

    pdadmin sec_master> objectspace create /Dept4D4 "Department 4D4" 16

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
objectspace delete


objectspace delete

Deletes the specified protected object space.

Requires authentication (administrator ID and password) to use this command.

Syntax

    objectspace delete objectspace_name

Options

objectspace_name
    Specifies the name of the object space to be deleted. The objectspace must exist, or an error is displayed. Examples of object space names: /Management and /WebSEAL

Examples

1. The following example deletes the object space named /Test-Space:

    pdadmin sec_master> objectspace delete /Test-Space

2. The following example deletes the object space named /Dept4D4:

    pdadmin sec_master> objectspace delete /Dept4D4

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
objectspace create


objectspace list

Lists all of the existing protected object spaces in the policy server.

Requires authentication (administrator ID and password) to use this command.

Syntax

    objectspace list

Options

None.

Examples

The following example lists all the protected object spaces:

    pdadmin sec_master> objectspace list

Displays a list similar to the following:

    /Management
    /MyObjectSpace_1
    ...
    /WebSEAL

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


policy get

Displays user password, account rules, and conditions.

Requires authentication (administrator ID and password) to use this command.

Syntax

    policy get account-expiry-date [-user user_name]

    policy get disable-time-interval [-user user_name]

    policy get max-login-failures [-user user_name]

    policy get max-password-age [-user user_name]

    policy get max-password-repeated-chars [-user user_name]

    policy get min-password-alphas [-user user_name]

    policy get min-password-length [-user user_name]

    policy get min-password-non-alphas [-user user_name]

    policy get password-spaces [-user user_name]

    policy get tod-access [-user user_name]

Options

account-expiry-date
    Displays the account expiration date.

disable-time-interval
    Displays the time, in seconds, to disable user accounts when the maximum number of login failures is exceeded.

max-login-failures
    Displays the maximum number of login failures.

max-password-age
    Displays the maximum time, in days expressed as 000-00:00:00 (for example, 31-08:30:00 for 31 days, 8 hours, 30 minutes, 0 seconds), that a password will be valid. This time is relative to the last time the password was changed.

max-password-repeated-chars
    Displays the maximum number of repeated characters allowed in a password.

min-password-alphas
    Displays the minimum number of alphabetic characters required in a password.

min-password-length
    Displays the minimum password length.

min-password-non-alphas
    Displays the minimum number of non-alphabetic characters required in a password.


password-spaces
    Displays whether spaces are allowed in passwords.

tod-access
    Displays the time of day access policy.

-user user_name
    Specifies the user whose policy information is to be displayed. If this option is not specified, the general policy is displayed. For any given policy, if a user has a specific policy applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy. Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples

1. The following example returns the account expiration date of unlimited for the specified user dlucas:

    pdadmin sec_master> policy get account-expiry-date -user dlucas
    Account expiry date: unlimited

2. The following example returns the maximum time of 0 days, where zero indicates unlimited, that the password is valid for the specified user dlucas:

    pdadmin sec_master> policy get max-password-age -user dlucas

   Returns information similar to the following for unlimited password age:

    Maximum password age: 0-0:0:0

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
policy set


policy set

Sets user password, account rules, and conditions.

Requires authentication (administrator ID and password) to use this command.

Syntax

    policy set account-expiry-date {unlimited|absolute_time|unset} [-user user_name]

    policy set disable-time-interval {number|unset|disable} [-user user_name]

    policy set max-login-failures number|unset [-user user_name]

    policy set max-password-age {unset|relative_time} [-user user_name]

    policy set max-password-repeated-chars number|unset [-user user_name]

    policy set min-password-alphas {unset|number} [-user user_name]

    policy set min-password-length {unset|number} [-user user_name]

    policy set min-password-non-alphas {unset|number} [-user user_name]

    policy set password-spaces {yes|no|unset} [-user user_name]

    policy set tod-access {{anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]|unset} [-user user_name]

Options

account-expiry-date {unlimited|absolute_time|unset}
    Sets the account expiration date. The absolute_time format is specified as YYYY-MM-DD-hh:mm:ss. The hours must be entered using a 24-hour clock (for example, 09 for 9 a.m. or 14 for 2 p.m.). The default value is unset.

    If you set the account expiration date, note that it will be set for all accounts that do not use the -user user_name option. By default, the sec_master user account has a per-user account expiration date of unlimited. If you set the account expiration date to unlimited, it is recommended that you also:

    - Set max-password-age to 0 for unlimited.
    - Set tod-access to anyday:anytime:local.
    - Use the -user user_name option.

disable-time-interval {number|unset|disable}
    Sets the time, in seconds, to disable each user account when the maximum number of login failures is exceeded. Tivoli Access Manager does not impose an upper limit for the maximum number allowed. Use a range from 0 (unlimited) to a number that represents the value that is most logical for the parameter you are trying to set. The default value is 180 seconds.


max-login-failures number|unset
    Sets the maximum number of login failures allowed. Tivoli Access Manager does not impose an upper limit for the maximum number allowed. Instead, use a range from zero to a number that represents the value that is most logical for the parameter you are trying to set. If the number is too large, it might render the login policy ineffective. The default value is 10.

max-password-age {unset|relative_time}
    Sets the maximum time, in days, that a password will be valid. This policy is a global password policy as opposed to the individual pdadmin user modify user_name password-valid policy. The individual user policy enables or disables the validity of a password for the specified user account.

    The relative_time option is relative to the number of days since the last password change occurred. The relative_time format is specified as DDD-hh:mm:ss. The valid range is from 000-00:00:00 to 999-23:59:59. The default value is 91 days, which is expressed as 91-00:00:00.

max-password-repeated-chars number|unset
    Sets the maximum number of repeated characters allowed in a password. Tivoli Access Manager does not impose an upper limit for the maximum number allowed. Instead, use a range from 0 to a number that represents the value that is most logical for the parameter you are trying to set. If the number is too large, it might render the password policy ineffective. The default value is 2.

min-password-alphas {unset|number}
    Sets the minimum number of alphabetic characters required in a password. Tivoli Access Manager does not impose an upper limit for the minimum number allowed. Instead, use a number that represents the value that is most logical for the parameter you are trying to set. If the number is too small, it might render the password policy ineffective. The default value is 4.

min-password-length {unset|number}
    Sets the minimum password length. Tivoli Access Manager does not impose an upper limit for the minimum number allowed. Instead, use a number that represents the value that is most logical for the parameter you are trying to set. If the number is too large, the password policy might be difficult to adhere to. The default value is 8.

min-password-non-alphas {unset|number}
    Sets the minimum number of non-alphabetic characters required in a password. Tivoli Access Manager does not impose an upper limit for the minimum number allowed. Instead, use a number that represents the value that is most logical for the parameter you are trying to set. If the number is too large, the password policy might be difficult to adhere to. The default value is 1.

password-spaces {yes|no|unset}
    Sets the policy of whether spaces are allowed in passwords. The default value is unset.


tod-access {{anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]|unset} [-user user_name]
    Sets the time of day access policy. The day_list is a comma-separated list of days of the week, each of which is represented by a 3-character value (for example, mon,wed,fri). The day_list specifies which days of the week the account can be logged in to. If you want to list every day of the week, specify anyday; if you do not want to include the weekend days, specify weekday.

    The time_spec format is specified as hhmm and is expressed using a 24-hour clock (for example, 0900 for 9 a.m. or 1430 for 2:30 p.m.). The default value is unset, and the optional time zone is local by default. The time_spec and time zone specify the time of day the account can be logged in to.

    Note: utc=GMT
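The tod-access value packs a day list, a time window and an optional time zone into one colon-separated string, and the edge cases (anyday versus weekday, anytime versus a window, the local default, utc conversion, and unset meaning no restriction) are easy to get wrong when reviewing a policy. The following Python parser and evaluator is an added example written for this page; it is not code from the IBM reference or the product. The policy strings, timestamps and helper names are constructed for the example, and treating the end of an hhmm-hhmm window as inclusive is an assumption.

```python
"""Added example, not from the IBM reference: parse a tod-access policy value
in the documented form {anyday|weekday|day_list}:{anytime|hhmm-hhmm}[:{utc|local}]
and decide whether a login at a given moment falls inside the window. The
policy strings, timestamps and helper names are constructed for this example;
treating the end of the hhmm-hhmm window as inclusive is an assumption.
"""
from datetime import datetime, timezone

# Three-letter day names in datetime.weekday() order (Monday == 0).
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def _hhmm(value):
    """Convert a time_spec such as 0900 or 1430 into minutes since midnight."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"time_spec must be hhmm, got {value!r}")
    hours, minutes = int(value[:2]), int(value[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"time_spec out of range: {value!r}")
    return hours * 60 + minutes


def parse_tod_access(text):
    """Return None for "unset", else (days, window, zone).

    days is a frozenset of weekday indexes, window is None for anytime or a
    (start, end) pair of minutes since midnight, and zone is "utc" or "local"
    (the documented default).
    """
    if text == "unset":
        return None
    parts = text.split(":")
    if len(parts) not in (2, 3):
        raise ValueError(f"bad tod-access value: {text!r}")
    day_part, time_part = parts[0], parts[1]
    zone = parts[2] if len(parts) == 3 else "local"
    if zone not in ("utc", "local"):
        raise ValueError(f"bad time zone: {zone!r}")

    if day_part == "anyday":
        days = frozenset(range(7))
    elif day_part == "weekday":
        days = frozenset(range(5))
    else:
        names = [name.strip() for name in day_part.split(",")]
        unknown = [name for name in names if name not in DAYS]
        if unknown:
            raise ValueError(f"unknown day names: {unknown}")
        days = frozenset(DAYS.index(name) for name in names)

    if time_part == "anytime":
        window = None
    else:
        start, end = time_part.split("-")
        window = (_hhmm(start), _hhmm(end))
    return days, window, zone


def login_allowed(policy_text, when_iso):
    """Evaluate the policy for an ISO 8601 timestamp carrying a UTC offset,
    e.g. "2003-11-05T10:00:00+05:00".

    With zone "utc" the moment is converted to UTC first; with "local" it is
    judged in the offset it was given, standing in for the server's local time.
    """
    parsed = parse_tod_access(policy_text)
    if parsed is None:          # unset: no time-of-day restriction applies
        return True
    days, window, zone = parsed
    moment = datetime.fromisoformat(when_iso)
    if zone == "utc":
        moment = moment.astimezone(timezone.utc)
    if moment.weekday() not in days:
        return False
    if window is None:
        return True
    start, end = window
    minute = moment.hour * 60 + moment.minute
    return start <= minute <= end


if __name__ == "__main__":
    # Wednesday 2003-11-05 at 10:00 in a +05:00 zone, which is 05:00 UTC
    print(login_allowed("mon,wed,fri:0900-1430", "2003-11-05T10:00:00+05:00"))  # True
    print(login_allowed("anyday:0900-1700:utc", "2003-11-05T10:00:00+05:00"))   # False
```

The utc case matters in review: the same wall-clock login that is inside a local window can be outside the window once the policy is declared in utc, so an auditor comparing login records against a tod-access value must convert the record's timestamp to the zone the policy names.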

-user user_name
    Specifies the user whose policy information is to be set. If this option is not specified, the general policy is set. For any given policy, if a user has a specific policy applied, this specific policy takes precedence over any general policy that might also be defined. The precedence applies regardless of whether the specific policy is more or less restrictive than the general policy.

    A valid user name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples

1. The following example, entered on one line, sets the account expiration date of December 30, 1999, at 11:30 p.m. for the specified user dlucas:

    pdadmin sec_master> policy set account-expiry-date 1999-12-30-23:30:00 -user dlucas

2. The following example sets the maximum password age of 31 days, 8 hours, 30 minutes, and 0 seconds for the specified user dlucas:

    pdadmin sec_master> policy set max-password-age 031-08:30:00 -user dlucas
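The password options of policy set and policy get above define a composition policy (length, alphabetic and non-alphabetic minimums, repeated characters, spaces), an age expressed in the DDD-hh:mm:ss relative_time format, and a precedence rule under which a per-user policy overrides the general policy whether or not it is more restrictive. The following Python checker is an added example written for this page, not code from the IBM reference or the product: it merges a general policy with per-user overrides, validates candidate passwords, and parses the relative_time format to decide whether a password has expired. The policy dictionaries, the candidate passwords and the helper names are constructed for the example, and treating max-password-repeated-chars as a limit on consecutive identical characters is an assumption about how the product counts repeats.

```python
"""Added example, not from the IBM reference: a checker for the password rules
that "policy set" and "policy get" expose, using the default values the
reference states (min-password-length 8, min-password-alphas 4,
min-password-non-alphas 1, max-password-repeated-chars 2, password-spaces
unset, max-password-age 91 days) and the documented precedence of a per-user
policy over the general policy. The policy dictionaries, candidate passwords
and helper names are constructed for this example; treating
max-password-repeated-chars as a limit on consecutive identical characters is
an assumption.
"""
from datetime import datetime, timedelta

# General (domain-wide) policy populated with the reference's default values.
GENERAL_POLICY = {
    "min-password-length": 8,
    "min-password-alphas": 4,
    "min-password-non-alphas": 1,
    "max-password-repeated-chars": 2,
    "password-spaces": "unset",
    "max-password-age": "091-00:00:00",
}


def effective_policy(general, per_user, user_name):
    """Merge the general policy with a user's specific policy.

    A per-user value wins whether it is more or less restrictive than the
    general one; a per-user value of "unset" leaves the general value in force.
    """
    merged = dict(general)
    for key, value in per_user.get(user_name, {}).items():
        if value != "unset":
            merged[key] = value
    return merged


def parse_relative_time(text):
    """Parse the DDD-hh:mm:ss relative_time format into a timedelta."""
    days, clock = text.split("-", 1)
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return timedelta(days=int(days), hours=hours, minutes=minutes, seconds=seconds)


def max_run_length(password):
    """Length of the longest run of one character repeated back to back."""
    longest = run = 0
    previous = None
    for ch in password:
        run = run + 1 if ch == previous else 1
        longest = max(longest, run)
        previous = ch
    return longest


def check_password(password, policy):
    """Return the names of the rules the password violates (empty = accepted)."""
    violations = []
    alphas = sum(1 for ch in password if ch.isalpha())
    if len(password) < policy["min-password-length"]:
        violations.append("min-password-length")
    if alphas < policy["min-password-alphas"]:
        violations.append("min-password-alphas")
    if len(password) - alphas < policy["min-password-non-alphas"]:
        violations.append("min-password-non-alphas")
    if max_run_length(password) > policy["max-password-repeated-chars"]:
        violations.append("max-password-repeated-chars")
    if policy["password-spaces"] == "no" and " " in password:
        violations.append("password-spaces")
    return violations


def password_expired(policy, last_changed, now):
    """True when the password is older than max-password-age.

    Dates are YYYY-MM-DD strings; an age of 000-00:00:00 means unlimited,
    matching the "0 for unlimited" wording in the reference.
    """
    age_limit = parse_relative_time(policy["max-password-age"])
    if age_limit == timedelta(0):
        return False
    elapsed = datetime.fromisoformat(now) - datetime.fromisoformat(last_changed)
    return elapsed > age_limit


# Constructed per-user overrides, in the shape "policy set ... -user dlucas"
# would produce: a weaker length rule, a stricter space rule, unlimited age.
PER_USER_POLICY = {
    "dlucas": {
        "min-password-length": 4,
        "password-spaces": "no",
        "max-password-age": "000-00:00:00",
    }
}

if __name__ == "__main__":
    policy = effective_policy(GENERAL_POLICY, PER_USER_POLICY, "dlucas")
    print(check_password("Abcd 1", policy))                      # ['password-spaces']
    print(password_expired(policy, "2003-01-01", "2003-12-31"))  # False
```

The merge step is the part worth noticing: because a per-user setting wins even when it is weaker, a per-user min-password-length of 4 silently relaxes the domain default of 8 for that account, which is why the reference advises reviewing per-user policy with policy get -user before relying on the general policy.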

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
policy get


pop attach

Attaches a protected object policy (POP) to the specified protected object. The POP must be created before it can be attached.

Requires authentication (administrator ID and password) to use this command.

Syntax

    pop attach object_name pop_name

Options

object_name
    Specifies the name of the protected object to which the protected object policy will be attached. The object must exist, or an error is displayed. Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

pop_name
    Specifies the name of the protected object policy to be attached. The POP must exist, or an error is displayed. Examples of POP names: poptest and pop1

Description

At most, one POP can be attached to a given protected object. If the object already has a POP attached to it, the specified POP replaces the existing one. The same POP can be attached to multiple protected objects.

Ensure that the protected object exists in the protected object space before attempting to attach a POP.

Examples

1. The following example attaches the POP pop1 to the protected object named /Management/test-object:

    pdadmin sec_master> pop attach /Management/test-object pop1

2. The following example attaches the POP poptest to the protected object named /Test-Space:

    pdadmin sec_master> pop attach /Test-Space poptest

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop create
pop detach


pop create

Creates a protected object policy object.

Requires authentication (administrator ID and password) to use this command.

Syntax

    pop create pop_name

Options

pop_name
    Specifies the name of the protected object policy (POP) to be created. A valid protected object policy name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed. The following characters cannot be used in the name of the POP:

        ! " # & ( ) * + , ; : < > = @ / \ | .

    Examples of POP names: poptest and pop1

Examples

The following example shows how to create and display a POP:

    pdadmin sec_master> pop create test

The new POP contains new POP settings similar to the following:

    pdadmin sec_master> pop show test
    Protected object policy: test
    Description:
    Warning: no
    Audit Level: none
    Quality of protection: none
    Time of day access: sun, mon, tue, wed, thu, fri, sat: anytime: local
    IP Endpoint Authentication Method Policy
        Any Other Network    0

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop attach
pop delete

Chapter

1.

pdadmin

command

line

utility

103

pop delete

Deletes the specified protected object policy (POP). Requires authentication (administrator ID and password) to use this command.

Syntax
pop delete pop_name

Options
pop_name
    Specifies the name of the protected object policy to be deleted. The POP must exist, or an error is displayed.
    Examples of POP names: poptest and pop1

Examples
1. The following example deletes the POP pop1:
   pdadmin sec_master> pop delete pop1
2. The following example deletes the POP poptest:
   pdadmin sec_master> pop delete poptest

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop create
pop detach

pop detach

Detaches a protected object policy from the specified protected object. Requires authentication (administrator ID and password) to use this command.

Syntax
pop detach object_name

Options
object_name
    Specifies the protected object from which the protected object policy is to be detached. The object must exist and have a protected object policy attached, or an error is displayed.
    Examples of object names: /Management/Groups/Travel, /WebSEAL, and /Management

Examples
1. The following example detaches all POPs from the protected object named /Management/test-object:
   pdadmin sec_master> pop detach /Management/test-object
2. The following example detaches all POPs from the protected object named /Test-Space:
   pdadmin sec_master> pop detach /Test-Space

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop attach
pop delete

pop find

Finds and lists all protected objects that have protected object policies attached. Requires authentication (administrator ID and password) to use this command.

Syntax
pop find pop_name

Options
pop_name
    Specifies the name of the protected object policy for which to search. The POP must exist, or an error is displayed.
    Examples of POP names: poptest and pop1

Description
A user must have the browse (b) and view (v) permissions for the object to be listed when the pdadmin object show command is issued. Otherwise, an error is returned:
The user is not authorized to view one or more protected objects where the requested acl is attached.

Examples
1. The following example finds all objects to which the POP pop1 is attached:
   pdadmin sec_master> pop find pop1
   /Management/test-object
2. The following example finds all objects to which the POP poptest is attached:
   pdadmin sec_master> pop find poptest
   /Test-Space

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop list

pop list

Lists all protected object policies that have been created. Alternatively, lists all extended attributes associated with a protected object policy. Requires authentication (administrator ID and password) to use this command.

Syntax
pop list [pop_name attribute]

Options
pop_name
    Specifies the POP for which to list the attributes. The POP must exist, or an error is displayed.
    Examples of POP names: poptest and pop1

Examples
1. The following example shows how to list all POPs:
   pdadmin sec_master> pop list
   test
   pop1
   poptest
2. The following example shows how to list all the attributes for the POP named pop1:
   pdadmin sec_master> pop list pop1 attribute
   attr1

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop find

pop modify

Modifies protected object policies. Requires authentication (administrator ID and password) to use this command.

Syntax
pop modify pop_name delete attribute attribute_name [attribute_value]
pop modify pop_name set attribute attribute_name attribute_value
pop modify pop_name set audit-level {all|none|permit|deny|audit_level_list}
pop modify pop_name set description description
pop modify pop_name set ipauth add network netmask authentication_level
pop modify pop_name set ipauth anyothernw authentication_level
pop modify pop_name set ipauth remove network netmask
pop modify pop_name set qop {none|integrity|privacy}
pop modify pop_name set tod-access {anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]
pop modify pop_name set warning {yes|no}

Options
delete attribute attribute_name [attribute_value]
    Deletes the specified value from the specified extended attribute key in the specified POP. The attribute must exist, or an error is displayed. The optional attribute_value deletes only the specified value from the specified extended attribute key in the specified POP.
    Examples of extended attribute names and values: Dept_No 445, Employee_Name "Diana Lucas"

pop_name
    Specifies the name of the protected object policy to be modified. The POP must exist, or an error is displayed.

set attribute attribute_name attribute_value
    Sets or modifies the specified value of the specified extended attribute key in the specified POP. If the attribute already exists, the attribute value is added as an additional value if the same value does not exist for this attribute. If the same value exists for this attribute, it does not get added again (duplicate values are not allowed), and no error is returned. The attribute_value is the value to set for the specified extended attribute key in the specified POP.
    Example: "Credit Card"

set audit-level {all|none|permit|deny|audit_level_list}
    Sets the audit level for the specified POP. The format of an audit_level_list is a comma-separated list that contains one or more of the following: permit,deny,error,admin

set description description
    Sets the description of the specified POP. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description.
    Example of description: "Policies of Jenson Corp."

set ipauth add network netmask authentication_level
    Sets the IP endpoint authentication settings in the specified POP. Network and netmask are TCP/IP addresses in dotted-decimal format. Valid values for authentication_level are:
    forbidden
        A value that prohibits object access.
    integer_values
        Application-specific integer values that define the step-up authentication levels. Step-up authentication is described in the IBM Tivoli Access Manager Base Administration Guide.

set ipauth anyothernw authentication_level
    Sets the anyothernw (any other network) setting for the IP authentication level in the specified POP. If controlling access by IP address is not important, use the anyothernw option to set the authentication level for all IP addresses and IP address ranges not listed explicitly in the POP. Valid values for authentication_level are forbidden, which prohibits object access, or integer_values, which are application-specific integer values that define the step-up authentication levels. Step-up authentication is described in the IBM Tivoli Access Manager Base Administration Guide.

set ipauth remove network netmask
    Removes the IP endpoint authentication settings from the specified POP. Network and netmask are TCP/IP addresses in dotted-decimal format.

set qop {none|integrity|privacy}
    Sets the quality of protection level for the specified POP. The following string values are supported:
    - none
    - integrity
    - privacy

set tod-access {anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]
    Sets the time of day range for the specified protected object policy. The day_list is a comma-separated list of days of the week, each of which is represented by a 3-character value (for example, mon,wed,fri). The day_list specifies which days of the week the object can be accessed. If you want to list every day of the week, specify anyday; if you do not want to include the weekend days, specify weekday.
    The time_spec format is specified as hhmm and is expressed using a 24-hour clock (for example, 0900 for 9 a.m. or 1430 for 2:30 p.m.). The default value is unset, and the optional time zone is local by default. The time_spec and time zone specify the time of day the object can be accessed.
    Note: utc=GMT

set warning {yes|no}
    Sets the warning mode for the specified protected object policy. Valid values are yes or no.

Examples
1. This example shows how to modify the description for the POP named test:
   pdadmin sec_master> pop modify test set description "Test POP"
2. This example shows how to turn the warning mode on for the POP named test:
   pdadmin sec_master> pop modify test set warning yes
3. This example shows how to set the audit level to audit all requests on a protected object that result in successful access (permit) and in denial of access (deny):
   pdadmin sec_master> pop modify test set audit-level permit,deny
4. This example shows how to set an attribute named attr1 with a value of valueA for the POP named pop1:
   pdadmin sec_master> pop modify pop1 set attribute attr1 valueA
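To make the tod-access and ipauth settings of pop modify concrete, here is an added Python example (not IBM's code) that parses the same option strings pdadmin takes, keeps them as a POP would, and evaluates a request against them. The sample POP values, client addresses, the longest-prefix tie-break between overlapping ipauth entries, and the order in which the two checks are applied are this example's own assumptions; the reference documents each setting separately and does not state them.

```python
"""Model of two pop modify settings: 'set tod-access' and 'set ipauth'.

Added example, not IBM's code. The sample POP, the longest-prefix
tie-break and the order of the two checks are assumptions of this
example; the reference documents each setting on its own.
"""
import ipaddress
from datetime import datetime, timezone

# Index order matches datetime.weekday(): Monday is 0.
DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")
WEEKDAYS = DAYS[:5]


def hhmm_to_minutes(text):
    """Convert a time_spec in hhmm form (24-hour clock) to minutes past midnight."""
    if len(text) != 4 or not text.isdigit():
        raise ValueError("time_spec must be hhmm: %r" % text)
    hours, minutes = int(text[:2]), int(text[2:])
    if hours > 23 or minutes > 59:
        raise ValueError("time_spec out of range: %r" % text)
    return hours * 60 + minutes


def parse_tod_access(spec):
    """Parse '{anyday|weekday|day_list}:{anytime|time_spec-time_spec}[:{utc|local}]'."""
    parts = spec.split(":")
    if len(parts) not in (2, 3):
        raise ValueError("tod-access needs days:time[:zone]: %r" % spec)
    days, times = parts[0], parts[1]
    zone = parts[2] if len(parts) == 3 else "local"  # local is the documented default
    if zone not in ("utc", "local"):
        raise ValueError("time zone must be utc or local: %r" % zone)
    if days == "anyday":
        day_set = set(DAYS)
    elif days == "weekday":
        day_set = set(WEEKDAYS)
    else:
        day_set = set(days.split(","))
        unknown = day_set - set(DAYS)
        if unknown:
            raise ValueError("unknown day(s) in day_list: %s" % sorted(unknown))
    if times == "anytime":
        window = None
    else:
        start, end = times.split("-")
        window = (hhmm_to_minutes(start), hhmm_to_minutes(end))
        if window[0] > window[1]:  # the reference defines no window that crosses midnight
            raise ValueError("time_spec range must not cross midnight: %r" % times)
    return {"days": day_set, "window": window, "zone": zone}


def tod_permits(rule, when):
    """True if 'when' falls inside the rule. A utc rule converts an aware datetime
    to UTC; a local rule takes 'when' as local wall-clock time as given."""
    if rule["zone"] == "utc" and when.tzinfo is not None:
        when = when.astimezone(timezone.utc)
    if DAYS[when.weekday()] not in rule["days"]:
        return False
    if rule["window"] is None:
        return True
    start, end = rule["window"]
    return start <= when.hour * 60 + when.minute <= end


def parse_level(text):
    """authentication_level is either 'forbidden' or an application-specific integer."""
    if text == "forbidden":
        return "forbidden"
    if text.isdigit():
        return int(text)
    raise ValueError("authentication_level must be forbidden or an integer: %r" % text)


def parse_ipauth(entries, anyothernw="0"):
    """entries: (network, netmask, authentication_level) triples as given to 'set ipauth add'."""
    rules = [(ipaddress.IPv4Network((network, netmask), strict=False), parse_level(level))
             for network, netmask, level in entries]
    return {"rules": rules, "anyothernw": parse_level(anyothernw)}


def required_level(policy, client_ip):
    """Step-up level the client must hold, or 'forbidden'. Assumption: when several
    entries match, the most specific (longest prefix) wins; unmatched -> anyothernw."""
    addr = ipaddress.IPv4Address(client_ip)
    matches = [(net.prefixlen, level) for net, level in policy["rules"] if addr in net]
    if not matches:
        return policy["anyothernw"]
    return max(matches, key=lambda m: m[0])[1]


def check_access(pop, client_ip, user_level, when):
    """Time window first, then IP step-up requirement (this example's order)."""
    if not tod_permits(pop["tod"], when):
        return False, "outside time-of-day window"
    needed = required_level(pop["ipauth"], client_ip)
    if needed == "forbidden":
        return False, "network forbidden"
    if user_level < needed:
        return False, "step-up level %d required" % needed
    return True, "permit"


def utc(year, month, day, hour, minute):
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample POP, equivalent to these pdadmin commands on a POP named test:
#   pop modify test set tod-access weekday:0800-1800:utc
#   pop modify test set ipauth add 10.0.0.0 255.0.0.0 1
#   pop modify test set ipauth add 10.20.0.0 255.255.0.0 2
#   pop modify test set ipauth add 192.168.50.0 255.255.255.0 forbidden
#   pop modify test set ipauth anyothernw 3
SAMPLE_POP = {
    "tod": parse_tod_access("weekday:0800-1800:utc"),
    "ipauth": parse_ipauth([("10.0.0.0", "255.0.0.0", "1"),
                            ("10.20.0.0", "255.255.0.0", "2"),
                            ("192.168.50.0", "255.255.255.0", "forbidden")],
                           anyothernw="3"),
}

if __name__ == "__main__":
    for ip, level in (("10.20.5.5", 1), ("10.20.5.5", 2), ("192.168.50.9", 9)):
        print(ip, level, check_access(SAMPLE_POP, ip, level, utc(2003, 11, 12, 10, 30)))
```

Note that the 10.20.5.5 client falls inside both the /8 (level 1) and the /16 (level 2) entries, so the decision depends on which entry is taken to win; a real POP should be reviewed for such overlaps before relying on a lower level.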

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop attach
pop create

pop show

Shows details of the protected object policy (POP). Alternatively, displays the values for the specified extended attribute from the specified protected object policy. Requires authentication (administrator ID and password) to use this command.

Syntax
pop show pop_name
pop show pop_name attribute attribute_name

Options
pop_name
    Specifies the POP to display. The POP must exist, or an error is displayed.
    Examples of POP names: poptest and pop1

attribute attribute_name
    Specifies the name of the extended attribute whose values you want to display. The attribute must exist, or an error is displayed.
    Examples: Dept_No, Employee_Name

Examples
1. The following example shows how to show POP information, including the description:
   pdadmin sec_master> pop show test
   Protected object policy: test
   Description: Test POP
   Warning: no
   Audit level: none
   Quality of protection: none
   Time of day access: sun, mon, tue, wed, thu, fri, sat: anytime: local
   IP Endpoint Authentication Method Policy
       Any Other Network 0
2. The following example shows attribute attr1 information for the POP named pop1:
   pdadmin sec_master> pop show pop1 attribute attr1
   valueA

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
pop find
pop list

rsrc create

Creates and names a Web server single signon resource. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrc create resource_name
rsrc create resource_name -desc description

Options
resource_name
    Specifies the name of the resource to be created. A valid resource name is an alphanumeric, case-insensitive string. If the resource is a GSO resource, certain characters are not allowed. See "Characters disallowed for GSO names" on page 281 for the list of these characters.
    Examples of resource names: engwebs01 and JonesData

-desc description
    Specifies a description for the resource. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description.
    Examples of descriptions: "Engineering Web server Room 4807", "Printer in room 345, Bldg 2"

Description
A Web resource is a Web server that serves as the backend of a WebSEAL GSO-enabled junction. The Web resource name should be specified with the -T option when the GSO-enabled WebSEAL junction is created.

Examples
1. The following example, entered as one line, creates and names a Web resource engwebs01 with an associated description "Engineering Web server Room 4807":
   pdadmin sec_master> rsrc create engwebs01 -desc "Engineering Web server Room 4807"
2. The following example, entered as one line, creates and names a printer resource "Mary Jones Printer" with an associated description "Printer in room 345, Bldg 2":
   pdadmin sec_master> rsrc create "Mary Jones Printer" -desc "Printer in room 345, Bldg 2"

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrc delete

rsrc delete

Deletes the specified single signon resource. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrc delete resource_name

Options
resource_name
    Specifies the name of the resource to be deleted. The resource must exist, or an error is displayed.
    Examples of resource names: engwebs01 and JonesData

Examples
1. The following example deletes the named resource engwebs01:
   pdadmin sec_master> rsrc delete engwebs01
2. The following example deletes the named resource "Mary Jones Printer":
   pdadmin sec_master> rsrc delete "Mary Jones Printer"

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrc create

rsrc list

Returns a list of all the single signon resource names. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrc list

Options
None.

Examples
The following example returns a list of all the single signon Web resource names:
pdadmin sec_master> rsrc list

Output is similar to the following:
engwebs01
Mary Jones Printer

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrc create

rsrc show

Displays the resource information for the named resource. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrc show resource_name

Options
resource_name
    Specifies the name of the resource for which information is shown. The resource must exist, or an error is displayed.
    Examples of resource names: engwebs01 and JonesData

Examples
1. The following example returns information for the specified resource engwebs01:
   pdadmin sec_master> rsrc show engwebs01
   Output is similar to the following:
   Web Resource Name: engwebs01
   Description: Engineering Web server - Room 4807
2. The following example returns information for the specified resource "Mary Jones Printer":
   pdadmin sec_master> rsrc show "Mary Jones Printer"
   Output is similar to the following:
   Web Resource Name: Mary Jones Printer
   Description: Printer in room 345, Bldg 2

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrc list

rsrccred create

Creates a single signon credential. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrccred create {resource_name|resource_group_name} rsrcuser resource_userid rsrcpwd resource_password rsrctype {web|group} user user_name

Options
resource_name|resource_group_name
    Specifies the name given to the resource or resource group when the resource or resource group was created. The resource or resource group must already exist in order to create the resource credential. If the resource or resource group does not exist or is not specified, an error message is displayed.
    Examples of resource names: engwebs01 and "Mary Jones Printer"

rsrcuser resource_userid
    Specifies the unique user identification (user ID) for the user at the Web server.
    Examples of user identifications: 4807ws01 and userD4D

rsrcpwd resource_password
    Specifies the password for a user at the Web server.

rsrctype {web|group}
    Specifies whether the resource type named is web (resource) or group (resource group).

user user_name
    Specifies the name of the user for whom the resource credential information applies. If the user does not exist or is not specified, an error message is displayed.
    Examples of user names: dlucas, sec_master, "Mary Jones"

Description
A resource credential is a credential that is used to identify a user's authentication information. A user's authentication information is used by WebSEAL when accessing a backend Web resource or resource group through a GSO-enabled junction on behalf of that user. For example, a Tivoli Access Manager user named dlucas might require the authentication identity 4807ws01 and the password pwd4lucas when accessing the engwebs01 backend Web resource that has been junctioned through WebSEAL. A resource credential can be created with this authentication information. Then, WebSEAL automatically uses this information to access the engwebs01 backend server whenever the user dlucas accesses that resource.

Examples
1. The following example, entered on one line, creates the Web resource credential named engwebs01 for the resource user ID 4807ws01 and password pwd4lucas given to user dlucas:
   pdadmin sec_master> rsrccred create engwebs01 rsrcuser 4807ws01 rsrcpwd pwd4lucas rsrctype web user dlucas
2. The following example, entered on one line, creates the group resource credential named printerusers for the resource user ID userD4D and password pwd4mjones given to user "Mary Jones":
   pdadmin sec_master> rsrccred create printerusers rsrcuser userD4D rsrcpwd pwd4mjones rsrctype group user "Mary Jones"

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrccred delete
"rsrccred modify" on page 123

rsrccred delete

Deletes a single signon credential. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrccred delete {resource_name|resource_group_name} rsrctype {web|group} user user_name

Options
resource_name
    Specifies the name given to the resource or resource group when the resource was created. The resource or resource group must exist, or an error is displayed.
    Examples of resource names: engwebs01 and "Mary Jones Printer"

rsrctype {web|group}
    Specifies whether the resource type named is web (resource) or group (resource group) for the single signon resource associated with the credential. The type of resource must match the resource type assigned when the resource or resource group was first created.

user user_name
    Specifies the name of the user for whom the resource credential information applies. The user must exist, or an error is displayed.
    Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples
1. The following example deletes the resource credential information for the given resource engwebs01, resource type web, and user name dlucas:
   pdadmin sec_master> rsrccred delete engwebs01 rsrctype web user dlucas
2. The following example, entered on one line, deletes the resource credential information for the given resource printerusers, resource type group, and user name "Mary Jones":
   pdadmin sec_master> rsrccred delete printerusers rsrctype group user "Mary Jones"

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrccred create

rsrccred list user

Returns the list of single signon credentials for the specified user. The user must exist, or an error is displayed. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrccred list user user_name

Options
user_name
    Specifies the name of the user for whom the resource credential information applies. The user must exist, or an error is displayed.
    Examples of user names: dlucas, sec_master and "Mary Jones"

Examples
The following example returns the list of single signon credentials for the specified user dlucas:
pdadmin sec_master> rsrccred list user dlucas

Output is similar to the following:
Resource name: engwebs01
Resource Type: web

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrccred show

rsrccred modify

Changes a single signon credential. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrccred modify {resource_name|resource_group_name} rsrctype {web|group} set [-rsrcuser new_resource_userid] [-rsrcpwd new_resource_password] user user_name

Options
resource_name
    Specifies the name given to the resource or resource group when the resource was created. The resource or resource group must exist, or an error is displayed.
    Examples of resource names: engwebs01 and "Mary Jones Printer"

rsrctype {web|group}
    Specifies whether the resource type named is web (resource) or group (resource group) for the single signon resource associated with the credential. The type of resource must match the resource type assigned when the resource or resource group credential was first created.

-rsrcuser new_resource_userid
    Specifies the new unique user identification (user ID) for the user at the Web server. To change or reset the resource user ID of the user, this optional command must be preceded by a dash (-). A valid new resource user ID is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed.
    Examples of user identifications: 4807ws01, userD4D

-rsrcpwd new_resource_password
    Specifies the new password for a user at the Web server. To change or reset the password information, this optional command must be preceded by a dash (-). Specifying this option without specifying the -rsrcuser option clears both the resource user ID and the resource password from the resource credential. To set the resource password, you must specify both the resource user ID and the resource password.

user user_name
    Specifies the name of the user for whom the resource credential information applies. The user must exist, or an error is displayed.
    Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples
1. The following example, entered as one line, modifies the password of the user dlucas to newrsrpw for the specified resource engwebs01:
   pdadmin sec_master> rsrccred modify engwebs01 rsrctype web set -rsrcuser 4807ws01 -rsrcpwd newrsrpw user dlucas
2. The following example, entered as one line, modifies the group resource user ID to user888 for the specified resource printerusers:
   pdadmin sec_master> rsrccred modify printerusers rsrctype group set -rsrcuser user888 user "Mary Jones"

Return codes
The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrccred create

rsrccred show
Displays the attributes of a single signon credential. The credential identifier is composed of a resource name, a resource type, and a user name. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrccred show {resource_name|resource_group_name} rsrctype {web|group} user user_name

Options
resource_name
Specifies the name of the single signon resource or resource group that is associated with the credential. The resource or resource group must exist, or an error is displayed. Examples of resource names: engwebs01 and printerusers

rsrctype {web|group}
Specifies whether the resource type named is web (resource) or group (resource group) for the single signon resource associated with the credential. The type of resource must match the resource type assigned when the resource or resource group was first created.

user user_name
Specifies the name of the user associated with this credential. The user must exist, or an error is displayed. Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples
1. The following example displays the specified single signon credential:
pdadmin sec_master> rsrccred show engwebs01 rsrctype web user dlucas
Output is similar to the following:
Resource Name: engwebs01
Resource Type: web
Resource User Id: dlucas

2. The following example displays the specified single signon credential for the resource group printerusers:
pdadmin sec_master> rsrccred show printerusers rsrctype group user "Mary Jones"
Output is similar to the following:
Resource Name: printerusers
Resource Type: group
Resource User Id: Mary Jones

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrccred list user
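A small helper for scripting the two rsrccred commands above, added here as an example; it is not part of the IBM reference or of pdadmin itself. It builds a `rsrccred modify` line that follows the documented rules (resource user IDs are alphanumeric without spaces, user names containing spaces are double-quoted, and `-rsrcpwd` is never sent without `-rsrcuser`, because that combination clears the stored credential instead of setting a password), and it parses the `Resource Name / Resource Type / Resource User Id` block that `rsrccred show` prints so a script can audit which back-end identity a user is mapped to. The sample output embedded in it is constructed to match the format shown above.

```python
"""Build `rsrccred modify` command lines and parse `rsrccred show` output.

Added example, not code from the IBM reference or from pdadmin. It relies only
on the command grammar and the output layout documented on this page; the
sample output at the bottom is constructed.
"""
import re

RSRCTYPES = ("web", "group")
# Documented rule: a resource user ID is alphanumeric and contains no spaces.
_RSRCUSER_RE = re.compile(r"^[A-Za-z0-9]+$")


def quote_arg(value: str) -> str:
    """Double-quote a pdadmin argument that contains spaces, e.g. the user "Mary Jones"."""
    if '"' in value:
        raise ValueError("pdadmin arguments cannot contain double quotes")
    return f'"{value}"' if (" " in value or value == "") else value


def check_modify_args(rsrctype, rsrcuser=None, rsrcpwd=None):
    """Return a reason string if the arguments would be rejected, else None.

    The important case is the documented footgun: -rsrcpwd without -rsrcuser
    does not set a password, it clears both the user ID and the password.
    """
    if rsrctype not in RSRCTYPES:
        return f"rsrctype must be one of {RSRCTYPES}"
    if rsrcuser is None and rsrcpwd is None:
        return "nothing to set: give -rsrcuser, or -rsrcuser and -rsrcpwd"
    if rsrcpwd is not None and rsrcuser is None:
        return "-rsrcpwd without -rsrcuser clears the credential; refusing"
    if not _RSRCUSER_RE.match(rsrcuser):
        return "resource user ID must be alphanumeric with no spaces"
    return None


def build_rsrccred_modify(resource, rsrctype, user, rsrcuser=None, rsrcpwd=None):
    """Return the one-line `rsrccred modify <resource> rsrctype <type> set ... user <user>`."""
    problem = check_modify_args(rsrctype, rsrcuser, rsrcpwd)
    if problem:
        raise ValueError(problem)
    parts = ["rsrccred", "modify", quote_arg(resource), "rsrctype", rsrctype,
             "set", "-rsrcuser", rsrcuser]
    if rsrcpwd is not None:
        parts += ["-rsrcpwd", quote_arg(rsrcpwd)]
    parts += ["user", quote_arg(user)]
    return " ".join(parts)


def parse_rsrccred_show(output: str) -> dict:
    """Parse the `Field: value` lines printed by `rsrccred show` into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    missing = {"Resource Name", "Resource Type", "Resource User Id"} - fields.keys()
    if missing:
        raise ValueError(f"unexpected rsrccred show output, missing {sorted(missing)}")
    return fields


def credential_matches(show_output: str, resource: str, rsrctype: str, rsrcuser: str) -> bool:
    """True if a `rsrccred show` block records exactly the expected mapping.

    Useful when auditing GSO credentials: a changed Resource User Id means the
    user's back-end identity was re-pointed since it was last provisioned.
    """
    f = parse_rsrccred_show(show_output)
    return (f["Resource Name"], f["Resource Type"], f["Resource User Id"]) == (resource, rsrctype, rsrcuser)


# Constructed sample, in the layout shown in the rsrccred show example above.
SAMPLE_SHOW_OUTPUT = """\
Resource Name: engwebs01
Resource Type: web
Resource User Id: 4807ws01
"""
```

Because `-rsrcpwd` takes the secret as a command argument, hand the generated line to pdadmin's own `sec_master>` prompt rather than passing it on the operating system command line, where it would be recorded in shell history.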

rsrcgroup create
Creates and names a resource group. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrcgroup create resource_group_name [-desc description]

Options
resource_group_name
Specifies the name of the resource group. A valid resource group name is an alphanumeric, case-insensitive string. If the resource is a GSO resource, certain characters are not allowed. See "Characters disallowed for GSO names" on page 281 for the list of these characters. Examples of resource group names: webs4807, engwebs01, IBMprinters

-desc description
Specifies a description to identify this resource group. This parameter is optional. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Examples of descriptions: "Engineering Web server Room 4807", "Printer in room 345, Bldg 2"

Description
You can use a resource group to represent a set of backend Web servers (resources) when the signon credential for the set of Web servers is the same. For example, if the user dlucas has the same identity for backend Web servers engwebs01 and engwebs02, these resources could be added to a resource group called webs4807. Use the rsrcgroup modify command to add the resources to the group. Then, you can create a single signon credential for the webs4807 resource group for dlucas. That single signon credential can then be used to access all the backend Web servers in the webs4807 group.

Examples
The following example creates and names a Web resource group IBMprinters:
pdadmin sec_master> rsrcgroup create IBMprinters

The following example creates and names a Web resource group named webs4807 and provides a description ("Web servers, Room 4807") for that resource group:
pdadmin sec_master> rsrcgroup create webs4807 -desc "Web servers, Room 4807"

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrcgroup delete

rsrcgroup delete
Deletes a single signon resource group. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrcgroup delete resource_group_name

Options
resource_group_name
Specifies the name of the resource group. The resource group must exist, or an error is displayed. Examples of resource group names: webs4807, engwebs01, IBMprinters

Examples
The following example deletes the named resource group and its associated description information:
pdadmin sec_master> rsrcgroup delete webs4807

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrcgroup create

rsrcgroup list
Displays the names of all resource groups defined in the user registry. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrcgroup list

Options
None.

Examples
The following example returns a list of all single signon resource group names:
pdadmin sec_master> rsrcgroup list
Output is similar to the following:
webs4807
websbld3

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrcgroup show

rsrcgroup modify
Adds or removes a single signon resource to or from a single signon resource group. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrcgroup modify resource_group_name add rsrcname resource_name
rsrcgroup modify resource_group_name remove rsrcname resource_name

Options
resource_group_name
Specifies the name of the resource group to be modified. The resource group must exist, or an error is displayed. Examples of resource group names: webs4807, engwebs01, IBMprinters

add rsrcname resource_name
Adds a single signon resource to the specified single signon resource group. A valid resource name is an alphanumeric, case-insensitive string. If the resource is a GSO resource, certain characters are not allowed. See "Characters disallowed for GSO names" on page 281 for the list of these characters. Examples of resource names: engwebs01 and "Mary Jones Printer"

remove rsrcname resource_name
Removes a single signon resource from the specified single signon resource group. Examples of resource names: engwebs01 and "Mary Jones Printer"

Examples
1. The following example adds the resource named engwebs02 to the existing Web resource group webs4807:
pdadmin sec_master> rsrcgroup modify webs4807 add rsrcname engwebs02

2. The following example removes the resource named engwebs02 from the existing Web resource group webs4807:
pdadmin sec_master> rsrcgroup modify webs4807 remove rsrcname engwebs02

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrcgroup create

rsrcgroup show
Displays the resource group information for the specified resource group. Requires authentication (administrator ID and password) to use this command.

Syntax
rsrcgroup show resource_group_name

Options
resource_group_name
Specifies the name of the resource group. Examples of resource group names: webs4807, engwebs01, and IBMprinters

Description
The resource group name, the resource group description, and a list of the names of all resource group members are displayed. The resource group members are the individual Web resources (servers).

Examples
The following example returns the specified single signon resource group named webs4807:
pdadmin sec_master> rsrcgroup show webs4807
Output is similar to the following:
Resource Group Name: webs4807
Description: Web servers, Room 4807
Resource Members:
engwebs01
engwebs02
engwebs03

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
rsrcgroup list

server list
Lists all registered Tivoli Access Manager servers. Requires authentication (administrator ID and password) to use this command.

Syntax
server list

Options
None.

Description
Lists all registered Tivoli Access Manager servers. The name of the server for all pdadmin server commands, except for pdadmin server list, must be entered in the exact format as displayed in the output of this command.

Examples
The following example lists all registered servers if the Tivoli Access Manager component is the authorization server:
pdadmin sec_master> server list
Output is similar to the following:
ivacld-topserver
ivacld-server2
ivacld-server3
ivacld-server4

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server listtasks
server show

server listtasks
Retrieves the list of tasks (commands) available for the specified installed Tivoli Access Manager server or server instance. Requires authentication (administrator ID and password) to use this command.

Syntax
server listtasks server_name-host_name

Options
server_name-host_name
Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

Examples
• The following example displays the list of tasks available from the authorization server:
pdadmin sec_master> server listtasks ivacld-mogman.admogman.com
Output is similar to the following:
trace set component level [file path=file|other-log-agent-config]
trace show [component]
trace list [component]
stats show [component]
stats list
stats on [component] [interval] [count] [file path=file|other-log-agent-config]
stats off [component]
stats reset [component]
stats get [component]

• The following example displays the list of tasks available from the WebSEAL server default-webseald-cruz:
pdadmin sec_master> server listtasks default-webseald-cruz
Output is similar to the following:
dynurl update
jmt load
jmt clear
cache flush all
create
add
remove
delete <junction point>
list
show <junction point>
reload
terminate all_sessions <user_id>
terminate session <user_session_id>
refresh all_sessions <user_id>
help command
trace set component level [file path=file|other-log-agent-config]
trace show [component]
trace list [component]
stats show [component]
stats list
stats on [component] [interval] [count] [file path=file|other-log-agent-config]
stats off [component]
stats reset [component]
stats get [component]

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server list
server show

server replicate
Notifies the installed Tivoli Access Manager authorization server or server instance to receive database updates. Requires authentication (administrator ID and password) to use this command.

Syntax
server replicate [-server server_name-host_name]

Options
-server server_name-host_name
Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

Examples
The following is an example of this command when specifying the server_name:
pdadmin sec_master> server replicate -server ivacld-topserver

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server list
server show

server show
Displays the properties for the specified installed Tivoli Access Manager server or server instance. The server must exist, or an error is displayed. Requires authentication (administrator ID and password) to use this command.

Syntax
server show server_name-host_name

Options
server_name-host_name
Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

Examples
1. The following example displays the properties for the authorization server (ivacld) on the mogman machine:
pdadmin sec_master> server show ivacld-mogman
Output is similar to the following:
ivacld-mogman
    Description: ivacld/mogman
    Hostname: mogman
    Principal: ivacld/mogman
    Administration Request Port: 7137
    Listening for authorization database update notifications: yes
    AZN Administration Services:
        AZN_ADMIN_SVC_TRACE

2. The following example displays the properties of the WebSEAL server default-webseald-cruz:
pdadmin sec_master> server show default-webseald-cruz
Output is similar to the following:
default-webseald-cruz
    Description: default-webseald-cruz
    Hostname: cruz.dallas.ibm.com
    Principal: default-webseald/cruz
    Administration Request Port: 7234
    Listening for authorization database update notifications: yes
    AZN Administration Services:
        webseal-admin-svc
        azn_admin_svc_trace

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server list
server task show (WebSEAL)
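Added example, not code from the IBM reference or from pdadmin: a few Python helpers for the server naming rule and the output formats above. `webseal_server_name` builds the `server_name-host_name` string for a WebSEAL instance the way the text describes, `find_server` resolves the exact registered string from `server list` output (which is what pdadmin actually requires, and the host part may be registered short or fully qualified), and `parse_server_show` turns a `server show` block into a dictionary so a script can check, for example, that every server is still listening for authorization database update notifications before trusting its policy decisions. The sample `server list` and `server show` text is constructed after the examples above.

```python
"""Name, look up and inspect Tivoli Access Manager servers from pdadmin output.

Added example, not code from the IBM reference or from pdadmin. The naming
rule and output layout are the ones documented above; the sample outputs at
the bottom are constructed to match them.
"""
import re

# A registered name is "<component>-<host>", where the component is either a
# daemon name such as "ivacld" or "<instance>-webseald" for WebSEAL instances.
_SERVER_NAME_RE = re.compile(
    r"^(?P<component>[A-Za-z0-9_]+(?:-webseald)?)-(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*)$")


def webseal_server_name(host_name: str, instance_name: str = "default") -> str:
    """Build server_name-host_name for a WebSEAL instance ("default" for a single server)."""
    for part in (instance_name, host_name):
        if not part or not re.fullmatch(r"[A-Za-z0-9.-]+", part):
            raise ValueError(f"invalid name component: {part!r}")
    return f"{instance_name}-webseald-{host_name}"


def parse_server_list(output: str) -> list:
    """Registered server names exactly as `server list` printed them."""
    return [line.strip() for line in output.splitlines() if line.strip()]


def find_server(list_output: str, component: str, host: str):
    """Return the exact registered name for component/host, or None.

    pdadmin accepts only the string exactly as `server list` shows it, and the
    host part may be registered as a short name or an FQDN, so resolve it from
    the list instead of guessing. Comparing the first DNS label covers both.
    """
    for name in parse_server_list(list_output):
        m = _SERVER_NAME_RE.match(name)
        if m and m.group("component") == component:
            if m.group("host").split(".")[0] == host.split(".")[0]:
                return name
    return None


def parse_server_show(output: str) -> dict:
    """Parse `server show` output: first line is the name, then `Field: value`
    lines; a `Field:` with no value starts a list (AZN Administration Services)."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty server show output")
    info = {"name": lines[0]}
    current_list = None
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep and value.strip():
            info[key.strip()] = value.strip()
            current_list = None
        elif sep:
            current_list = info.setdefault(key.strip(), [])
        elif current_list is not None:
            current_list.append(line)
        else:
            raise ValueError(f"unexpected line in server show output: {line!r}")
    return info


def listening_for_updates(info: dict) -> bool:
    """True if the server receives authorization database update notifications.

    A server that is not listening keeps enforcing a stale policy database
    until `server replicate` pushes a copy, so this is worth alerting on.
    """
    flag = info.get("Listening for authorization database update notifications", "")
    return flag.lower() == "yes"


def admin_port(info: dict) -> int:
    """The Administration Request Port as an integer (the port pdadmin tasks reach)."""
    return int(info["Administration Request Port"])


# Constructed samples, modelled on the examples above.
SAMPLE_SERVER_LIST = """\
ivacld-topserver
ivacld-server2
default-webseald-cruz.dallas.ibm.com
webseal2-webseald-cruz.dallas.ibm.com
"""

SAMPLE_SERVER_SHOW = """\
default-webseald-cruz
    Description: default-webseald-cruz
    Hostname: cruz.dallas.ibm.com
    Principal: default-webseald/cruz
    Administration Request Port: 7234
    Listening for authorization database update notifications: yes
    AZN Administration Services:
        webseal-admin-svc
        azn_admin_svc_trace
"""
```

`find_server` is preferred over `webseal_server_name` whenever a `server list` is available, because a constructed name that differs from the registered one (short host versus FQDN) is rejected by pdadmin.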

server task
Sends a command to a registered installed Tivoli Access Manager server or server instance. Requires authentication (administrator ID and password) to use this command.

Syntax
server task server_name-host_name server_task

Options
server_name-host_name
Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

server_task
Specifies the task (command) being sent to installed Tivoli Access Manager servers. The following list of commands can be performed for the ivacld and the pdmgrproxyd servers, but not the ivmgrd server.

help command
Lists detailed help for the specified command, such as the command syntax, the description, and the valid parameters. For more information, see "help" on page 72.

stats command
Provides statistics for a specified component using special stats commands. For more information, see "server task stats" on page 163.

trace command
Provides tracing for a specified component using special trace commands. For more information, see "server task trace" on page 166.

command
Specifies the command name.

Examples
The following is an example of the output after sending the stats list command to the authorization server ivacld-mogman.admogman.com:
pdadmin sec_master> server task ivacld-mogman.admogman.com stats list
Output is similar to the following:
pd.ras.stats.monitor
pd.log.EventPool.queue

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server task (WebSEAL)

server task (WebSEAL)
Creates and manipulates the installed Tivoli Access Manager WebSEAL server or server instance and junction points. This command is available only if you have the Tivoli Access Manager WebSEAL product installed. Requires authentication (administrator ID and password) to use this command. For more information about the WebSEAL server tasks and junction points, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Syntax
server task server_name-host_name add options junction_point
server task server_name-host_name show junction_point
server task server_name-host_name create -t type options junction_point
server task server_name-host_name remove -i server_name junction_point
server task server_name-host_name delete junction_point
server task server_name-host_name cache flush all
server task server_name-host_name dynurl update
server task server_name-host_name jmt {load|clear}
server task server_name-host_name list
server task server_name-host_name reload
server task server_name-host_name stats command
server task server_name-host_name trace command
server task server_name-host_name terminate session user_session_id
server task server_name-host_name terminate all_sessions user_id
server task server_name-host_name refresh all_sessions user_id
server task server_name-host_name help command

Options
server_name-host_name
Specifies the name of the installed Tivoli Access Manager WebSEAL server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

command
Specifies the command name.

junction_point
Specifies the junction point. For more information about WebSEAL junction points, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

options
Specifies the options available for the specific server task command.

add options junction_point
Adds a server to an existing WebSEAL junction point. For more information on the options available for this command, see "server task add (WebSEAL)" on page 146.

cache flush all
Flushes the HTML document cache.

create -t type options junction_point
Creates a new junction for an initial server. For more information on the options available for this command, see "server task create (WebSEAL)" on page 150.

delete junction_point
Removes the specified junction point. For more information, see "server task delete (WebSEAL)" on page 157.

dynurl update
Reloads the dynurl configuration file.

help command
Lists detailed help for the specified command, such as the command syntax, the description, and the valid parameters.

jmt {load|clear}
Loads or clears junction mapping table data, located in the jmt.conf file.

list
Lists all junction points on this server.

refresh all_sessions user_id
Refreshes the credential for all sessions that are associated with the user user_id.

reload
Reloads the junction table from the database.

remove -i server_name-host_name junction_point
Removes the specified server from a junction point. For more information, see "server task remove (WebSEAL)" on page 159.

show junction_point
Displays details of a junction. For more information, see "server task show (WebSEAL)" on page 161.

stats command
Provides statistics for a specified component using special stats commands. For more information, see "server task stats" on page 163.

terminate all_sessions user_id
Terminates all user sessions specified by a user ID.

terminate session user_session_id
Terminates a user session specified by a session ID.

trace command
Provides tracing for a specified component using special trace commands. For more information, see "server task trace" on page 166.

Authorization
sec_master administrative user

Examples
• The following example requests help for the server task remove command from the WebSEAL server default-webseald-cruz:
pdadmin sec_master> server task default-webseald-cruz help remove

• The following example flushes all Web document caches:
pdadmin sec_master> server task default-webseald-cruz cache flush all

• The following example loads the jmt.conf mapping table data so that WebSEAL has knowledge of the new information. This file does not exist by default, so you must create the file and add data.
pdadmin sec_master> server task default-webseald-cruz jmt load
Output is similar to the following:
JMT table successfully loaded.

• The following example requests a list of all the current junctions on the WebSEAL server named default-webseald-cruz:
pdadmin sec_master> server task default-webseald-cruz list
Output is similar to the following:
/pubs

Return codes
The following exit status codes can be returned:
0 The command completed successfully.
Note: For WebSEAL server task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command has been successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.
1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server task
server task add (WebSEAL)
server task create (WebSEAL)
server task delete (WebSEAL)
server task remove (WebSEAL)
server task show (WebSEAL)
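An added example for the session tasks above (not code from the IBM reference or from WebSEAL): `terminate all_sessions` and `refresh all_sessions` act on the one WebSEAL server instance named in the command, so during an incident the same task has to be sent to every WebSEAL instance registered in `server list`. The helper below filters `server list` output for WebSEAL entries (the names carrying the `-webseald-` marker described above) and produces one `server task ... all_sessions` line per server and user, quoting user IDs that contain spaces. The server list it runs on is constructed sample data.

```python
"""Fan `server task ... terminate|refresh all_sessions` out to every WebSEAL instance.

Added example, not code from the IBM reference or from WebSEAL. It uses only
the command grammar documented above; the server list is constructed data.
"""


def webseal_servers(server_list_output: str) -> list:
    """WebSEAL entries from `server list`, kept verbatim: pdadmin requires the
    exact registered string, and WebSEAL names are the ones containing '-webseald-'."""
    return [line.strip() for line in server_list_output.splitlines()
            if "-webseald-" in line]


def quote_arg(value: str) -> str:
    """Double-quote an argument containing spaces, e.g. the user "Mary Jones"."""
    if '"' in value:
        raise ValueError("pdadmin arguments cannot contain double quotes")
    return f'"{value}"' if " " in value else value


def session_task_commands(server_list_output: str, user_ids, action: str = "terminate") -> list:
    """One `server task <server> <action> all_sessions <user>` per (server, user).

    action="terminate" logs the users out of every instance (compromised
    account); action="refresh" rebuilds their session credentials in place, so
    a change to their group memberships takes effect without waiting for the
    sessions to expire. Duplicate user IDs are dropped; order is preserved so
    the generated list can be reviewed before it is run.
    """
    if action not in ("terminate", "refresh"):
        raise ValueError("action must be 'terminate' or 'refresh'")
    users = list(dict.fromkeys(u.strip() for u in user_ids if u and u.strip()))
    if not users:
        raise ValueError("no user IDs given")
    servers = webseal_servers(server_list_output)
    if not servers:
        raise ValueError("no WebSEAL servers found in server list output")
    return [f"server task {server} {action} all_sessions {quote_arg(user)}"
            for server in servers for user in users]


# Constructed sample of `server list` output (names modelled on the examples above).
SAMPLE_SERVER_LIST = """\
ivacld-topserver
default-webseald-cruz.dallas.ibm.com
webseal2-webseald-cruz.dallas.ibm.com
"""

if __name__ == "__main__":
    # Print the commands one per line, ready to paste at the pdadmin prompt.
    for cmd in session_task_commands(SAMPLE_SERVER_LIST, ["dlucas", "Mary Jones"]):
        print(cmd)
```

As the return-code note above says, a 0 from pdadmin only means the task was delivered to WebSEAL; capture each command's output and treat any error text from the server as a failure for that instance rather than relying on the exit status.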

server

task

add

(WebSEAL)

Adds

an

additional

installed

Tivoli

Access

Manager

WebSEAL

server

or

server

instance

to

an

existing

junction

point.

This

command

is

available

only

if

you

have

the

Tivoli

Access

Manager

WebSEAL

product

installed.

Requires

authentication

(administrator

ID

and

password)

to

use

this

command.

For

more

information

about

how

to

add

servers

to

existing

junction

points,

see

the

IBM

Tivoli

Access

Manager

for

e-business

WebSEAL

Administration

Guide.

Syntax

For TCP and SSL proxy junctions:

server task server_name-host_name add -h host_name [-i] [-p port] [-H host_name] [-P port] [-D "dn"] [-q url] [-u uuid] [-v virtual_hostname] [-w] [-j] junction_point

For local, TCP, and SSL junctions:

pdadmin -a admin_id -p password server task server_name-host_name add -h host_name [-D "dn"] [-i] [-p port] [-q url] [-u uuid] [-v virtual_hostname] [-w] junction_point

Options

server_name-host_name
Specifies the name of the installed Tivoli Access Manager WebSEAL server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

-h host_name
Specifies the DNS host name or IP address of the target server. Valid values for host_name include any valid IP host name. Examples: host = cruz.dallas.ibm.com

options
Specifies the optional parameters available with the server task add command. These options include:

-D "dn"
Specifies the distinguished name of the backend server certificate. This value, matched with the actual certificate DN, enhances authentication and provides mutual authentication over SSL. This option is used for junctions created with the type of tcpproxy or sslproxy. The format for a distinguished name is similar to:

"cn=ivacld/libra,cn=SecurityDaemons,secAuthority=Default"

-H host_name
Specifies the DNS host name or IP address of the proxy server. This option is used for junctions created with the type of tcpproxy or sslproxy. Valid values for host_name include any valid IP host name. Examples: host = cruzproxy.dallas.ibm.com

-i
Specifies that the WebSEAL server treats URLs as case insensitive. This option is used for junctions created with the type of tcp or ssl.

-p port
Specifies the TCP port of the backend server. The default value is 80 for TCP junctions and 443 for SSL junctions. This option is used for junctions created with the type of tcp or ssl.

-P port
Specifies the TCP port of the proxy server. The default value is 7138. This option is used for junctions created with the type of tcpproxy or sslproxy. For port, use any valid port number. A valid port number is any positive number that is allowed by TCP/IP and that is not currently being used by another application. It is recommended that you use the default port number value, or else use a port number over 1000 that is not currently being used.

-q url
Specifies the relative path for the query_contents script. By default, Tivoli Access Manager looks for query_contents in /cgi_bin/. If this directory is different or the query_contents file name is renamed, use this option to indicate to WebSEAL the new URL to the file. This option is used for junctions created with the type of tcp or ssl.

-u uuid
Specifies the UUID of a backend server connected to WebSEAL by using a stateful junction (-s). This option is used for junctions created with the type of tcp or ssl.

-v virtual_hostname
Specifies the virtual host name represented on the backend server. This option supports a virtual host setup on the backend server. Use -v when the backend junction server expects a host name header because you are junctioning to one virtual instance of that server. The default HTTP header request from the browser does not know that the backend server has multiple names and multiple virtual servers. You must configure WebSEAL to supply that extra header information in requests destined for a backend server set up as a virtual host. This option is used for junctions created with the type of tcp or ssl.

-w
Specifies Microsoft Windows 32-bit (Win32) file system support. This option is used for junctions created with the type of tcp or ssl.

-j
Specifies scripting support for junctions.

junction_point
Specifies the existing junction point to which an additional server is added. For more information about WebSEAL junction points, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Examples

• The following example displays output after requesting help for the server task add command at a WebSEAL server named default-webseald-potter.tivoli.com:

pdadmin sec_master> server task default-webseald-potter.tivoli.com help add

Output is similar to the following:

Command: add <options> <junction point>
Description: Adds an additional server to a junction
Usage:
TCP and SSL Junction Flags
  -i                 Server treats URLs as case insensitive.
  -h <hostname>      Target host (required flag).
  -p <port>          TCP port of server. Default is 80 for TCP junctions, 443 for SSL junctions.
  -H <hostname>      Proxy hostname.
  -P <port>          Port of proxy server.
  -D <"DN">          The Distinguished Name of the server
  -q <relative url>  URL for query_contents script.
  -u <UUID>          (stateful junctions only).
  -v <hostname>      Virtual hostname for server.
  -w                 Win32 file system support.
  -j                 Scripting support for junction.
Common Flags
  <junction point>   Where to create the junction

• The following example creates a new junction for the WebSEAL server named WS1 to the backend server named APP1, then adds another backend server named APP2 to the same junction point:

pdadmin sec_master> server task webseald-WS1 create -t tcp -h APP1 -s /mnt
pdadmin sec_master> server task webseald-WS1 add -h APP2 /mnt

Authorization

sec_master administration user

Return codes

The following exit status codes can be returned:

0 The command completed successfully.

Note: For WebSEAL server task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command has been successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.

1 The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

server task (WebSEAL)
server task create (WebSEAL)
server task delete (WebSEAL)
server task remove (WebSEAL)
server task show (WebSEAL)

server task create (WebSEAL)

Creates a junction point. This command is available only if you have the Tivoli Access Manager WebSEAL product installed.

Requires authentication (administrator ID and password) to use this command.

For more information about how to create junction points, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Syntax

For local junctions:

server task server_name-host_name create -t type [options] junction_point

For non-local junctions:

server task server_name-host_name create -t type -h host_name [options] junction_point

Options

server_name-host_name
Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

-t type
Specifies the type of junction; must be one of the following types:
• tcp
• tcpproxy
• ssl
• sslproxy
• local

-h host_name
Specifies the DNS host name or IP address of the target server. This option is valid only for non-local junctions; local junctions do not need a host name. Valid values for host_name include any valid IP host name. For example: host = cruz.dallas.ibm.com

options
Specifies the optional parameters available with the server task create command. These options include:

-A
Enables or disables lightweight third-party authentication mechanism (LTPA) junctions. The -A option requires the -F and -Z options. Note that the -A, -F, and -Z options all must be used together. This option is valid for all junctions except local.

-b BA_value
Defines how the WebSEAL server passes the HTTP BA authentication information to the backend server. One of:
• filter (default)
• ignore
• supply
• gso
This option is valid for all junctions except for the type of local.

-B
Specifies the BA header information. WebSEAL uses the BA header information to authenticate to the backend server and to provide mutual authentication over SSL. This option requires the -U and -W options. This option is valid only with junctions created with the type of ssl or sslproxy.

-c id_type
Inserts the Tivoli Access Manager client identity in HTTP headers across the junction. The id_type argument can include any combination of the following Tivoli Access Manager HTTP header types:
• {iv-user|iv-user-l}
• iv-groups
• iv-creds
• all
The header types must be comma separated, and cannot have spaces between the types. For example: -c iv-user,iv-groups

Specifying -c all is the same as specifying -c iv-user,iv-groups,iv-creds. This option is valid for all junctions except for the type of local.

-C
Specifies single-sign-on from a front-end WebSEAL server to a backend WebSEAL server. The -C option is not mutual authentication. This option is valid only with junctions created with the type of ssl or sslproxy.

-d dir
Specifies the local directory to the junction. This option is required if the junction type is local. This option is valid only with junctions created with the type of local.

-D "dn"
Specifies the distinguished name of the backend server certificate. This value, matched with the actual certificate DN, enhances authentication and provides mutual authentication over SSL. For example, the certificate for www.mynewco.com might have a DN of

"CN=WWW.MYNEWCO.COM,OU=Software,O=mynewco.com\, Inc,L=Austin,ST=Texas,C=US"

This option is valid only with junctions created with the type of ssl or sslproxy.

-e encoding
Specifies the encoding to use when generating HTTP headers for junctions. This encoding applies to headers that are generated with both the -c junction option and tag-value. Possible values for encoding are:

utf8_bin
WebSEAL sends the headers in UTF-8.

utf8_uri
WebSEAL sends the headers in UTF-8 but also URI-encodes them. This behavior is the default behavior.

lcp_bin
WebSEAL sends the headers in the local code page of the WebSEAL server.

lcp_uri
WebSEAL sends the headers in the local code page of the WebSEAL server, but also URI-encodes them.

This option is valid for all junctions except for the type of local.
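The four -e encodings decide what bytes a backend actually receives in iv-user and iv-groups, so a backend that trusts those headers must decode them the same way WebSEAL encoded them. The following Python is an added example, not IBM code: it encodes and decodes a header value under each of the four encodings and builds the header map for a -c option. The local code page for the lcp_* variants is assumed to be ISO-8859-1 (a real WebSEAL uses the code page of its own host), and the comma-joined layout of iv-groups is this example's assumption; the expansion of "all" into the three header names is the equivalence stated above.

```python
"""Encode and decode WebSEAL identity headers (iv-user, iv-groups) under the
four -e encodings: utf8_bin, utf8_uri (default), lcp_bin, lcp_uri.

Added example, not IBM code.  LOCAL_CODE_PAGE and the iv-groups layout are
assumptions of this example; iv-creds is an opaque credential whose format
is not reproduced here.
"""
from urllib.parse import quote, unquote_to_bytes

ENCODINGS = ("utf8_bin", "utf8_uri", "lcp_bin", "lcp_uri")
LOCAL_CODE_PAGE = "iso-8859-1"   # assumption: the WebSEAL host's local code page


def encode_header(value, encoding="utf8_uri"):
    """Return the bytes WebSEAL would place on the wire for one header value."""
    if encoding not in ENCODINGS:
        raise ValueError(f"unknown -e encoding {encoding!r}")
    charset = "utf-8" if encoding.startswith("utf8") else LOCAL_CODE_PAGE
    raw = value.encode(charset)
    if encoding.endswith("_uri"):
        # Percent-encode every byte outside the unreserved set; the result is
        # pure ASCII and survives any header handling that is not 8-bit clean.
        return quote(raw, safe="").encode("ascii")
    return raw                     # *_bin: the charset's own bytes, unescaped


def decode_header(wire, encoding="utf8_uri"):
    """Invert encode_header on the backend; raises if the bytes do not fit the charset."""
    if encoding not in ENCODINGS:
        raise ValueError(f"unknown -e encoding {encoding!r}")
    charset = "utf-8" if encoding.startswith("utf8") else LOCAL_CODE_PAGE
    if encoding.endswith("_uri"):
        wire = unquote_to_bytes(wire)
    return wire.decode(charset)


def expand_id_types(id_type):
    """'-c all' is the same as '-c iv-user,iv-groups,iv-creds'; no spaces allowed."""
    if " " in id_type:
        raise ValueError("header types must be comma separated without spaces")
    names = id_type.split(",")
    if "all" in names:
        names = ["iv-user", "iv-groups", "iv-creds"]
    return names


def identity_headers(user, groups, id_type="all", encoding="utf8_uri"):
    """Build the header map a backend would receive for this client identity."""
    wanted = expand_id_types(id_type)
    headers = {}
    if "iv-user" in wanted or "iv-user-l" in wanted:
        name = "iv-user-l" if "iv-user-l" in wanted else "iv-user"
        headers[name] = encode_header(user, encoding)
    if "iv-groups" in wanted:
        # Assumed layout: group names joined by commas, then encoded as a whole.
        headers["iv-groups"] = encode_header(",".join(groups), encoding)
    return headers
```

With the default utf8_uri a user named "müller" arrives as m%C3%BCller, while lcp_bin on an ISO-8859-1 host sends the single byte 0xFC; a backend that assumes the wrong encoding will misidentify the user rather than fail loudly, which is why the junction's -e value belongs in the backend's configuration as well.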

-f
Forces the replacement of an existing junction. This option is used for junctions created with any junction type.

-F keyfile
Specifies the location of the keyfile used to encrypt LTPA cookie data. The -F option requires the -A and -Z options. Note that the -A, -F, and -Z options all must be used together. This option is valid for all junctions except for the type of local.

-H host_name
Specifies the DNS host name or IP address of the proxy server. The -P option also supports proxy server junctions. Valid values for host_name include any valid IP host name. For example: host = cruzproxy.dallas.ibm.com

This option is valid only with junctions created with the type of tcpproxy or sslproxy.

-i
Specifies that the WebSEAL junction treats URLs as case insensitive. To correctly authorize requests for junctions that are case insensitive, WebSEAL does the authorization check on a lowercase version of the URL. For example, a Web server running on Windows treats requests for INDEX.HTM and index.htm as requests for the same file. Junctions to such a Web server should be created with the -i [or -w] flags. ACLs or POPs that are attached to objects beneath the junction point should use the lower case object name. An ACL attached to /junction/index.htm will apply to all of the following requests if the -i or -w flags are used:

/junction/INDEX.HTM
/junction/index.htm
/junction/InDeX.HtM

This option is valid for all junctions except for the type of local. Local junctions are case insensitive only on Win32 platforms; all other platforms are case sensitive.

-j
Supplies junction identification in a cookie to handle script-generated server-relative URLs. This option is valid for all junctions except for the type of local.

-k
Sends WebSEAL session cookies to the junction server. By default, cookies are removed from requests that are sent to the server. This option is valid for all junctions except for the type of local.

-K key_label
Specifies the key label of the client personal certificate that WebSEAL should present to the backend server. Use of this option allows the junction server to authenticate the WebSEAL server using client certificates. This option is valid only with junctions created with the type of ssl or sslproxy.

-l percent
Defines the soft limit for consumption of worker threads. This option is valid for all junctions except for the type of local.

-L percent
Defines the hard limit for consumption of worker threads. This option is valid for all junctions except for the type of local.

-n
Specifies that no modification of the names of non-domain cookies is to be made. Use when client side scripts depend on the names of cookies. By default, if a junction is listed in the JMT or if the -j junction option is used, WebSEAL will modify the names of non-domain cookies that are returned from the junction to prepend AMWEBJCT!junction_point. This option is valid for all junctions except for the type of local.

-p port
Specifies the TCP port of the backend third-party server. The default value is 80 for TCP junctions and 443 for SSL junctions. This option is valid for all junctions except for the type of local.

-P port
Specifies the TCP port number for the HTTP proxy server. The -P option is required when the -H option is used. This option is valid for all junctions except for the type of local.

-q url
Specifies the relative path for the query_contents script. By default, Tivoli Access Manager looks for the query_contents script in the /cgi_bin/ directory. If this directory is different or the query_contents file name is renamed, this option indicates to WebSEAL the new URL to the file. This option is valid for all junctions except for the type of local.

-r
Inserts the incoming IP address into the HTTP header across the junction. This option is valid for all junctions except for the type of local.

-R
Allows the request to proceed but provides the rule failure reason to the junction in an HTTP header. If the -R option is not used and a rule failure occurs, WebSEAL will not allow the request to proceed. This option is valid for all junctions except for the type of local.

-s
Specifies that the junction supports stateful applications. By default, junctions are not stateful. This option is valid for all junctions except for the type of local.

-S
Specifies the location of the forms single signon configuration file. This option is valid for all junctions except for the type of local.

-T {resource | resource group}
Specifies the name of the resource or resource group. This option is required only when the -b gso option is used. This option is valid for all junctions except for the type of local.

-u uuid
Specifies the Universally Unique Identifier (UUID) of a backend server connected to WebSEAL by using a stateful junction (-s option). This option is valid for all junctions except for the type of local.

-U user_name
Specifies the WebSEAL server user name. This option requires the -B and -W options. WebSEAL uses the BA header information to authenticate to the backend server and to provide mutual authentication over SSL. This option is valid only with junctions created with the type of ssl or sslproxy.

-v virtual_hostname
Specifies the virtual host name for the backend server. This option supports multiple virtual hosts being served from the same web server. Use -v when the backend junction server expects a host name header different from the DNS name of the server. This option is valid for all junctions except for the type of local.

-w
Specifies Microsoft Windows 32-bit (Win32) file system support. This option provides all of the functionality provided by the -i junction option but disallows requests that contain file names that might be interpreted as Win32 file name aliases. This option is valid for all junctions except for the type of local. Local junctions prohibit URLs that contain Win32 file name aliases on Win32 but allow such URLs on other platforms.
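The -i description above and this -w description together define how a request URL is mapped to the protected object that WebSEAL authorizes: under either flag the check runs on a lowercase copy of the URL, and -w additionally refuses names that could be Win32 file name aliases. The following Python is an added example, not IBM code, that models that mapping and the ACL lookup for the three /junction/index.htm requests listed under -i. The reference does not enumerate the alias forms, so the ones refused here (8.3 short names such as INDEX~1.HTM and names ending in "." or " ") are this example's assumption; the walk up to the nearest ancestor with an attached ACL models ACL inheritance in the Tivoli Access Manager object space.

```python
"""Map a request URL to the object name WebSEAL authorizes on a junction
created with -i (case insensitive) or -w (Win32 file system support), then
resolve the ACL that applies to it.

Added example, not IBM code.  The alias patterns in object_name() are an
assumption of this example; the reference only says -w refuses "file names
that might be interpreted as Win32 file name aliases".
"""
import re

_SHORT_NAME = re.compile(r"~\d")   # assumed 8.3 alias form, e.g. LONGFI~1.HTM


def object_name(junction_point, request_path, case_insensitive=False, win32=False):
    """Return the protected-object name WebSEAL would check for this request."""
    base = junction_point.rstrip("/")
    if request_path != base and not request_path.startswith(base + "/"):
        raise ValueError(f"{request_path!r} is not beneath junction {junction_point!r}")
    if win32:
        for segment in request_path.split("/"):
            # Assumed alias forms: 8.3 short names, trailing dots, trailing spaces.
            if _SHORT_NAME.search(segment) or segment != segment.rstrip(". "):
                raise PermissionError(f"Win32 file name alias refused: {request_path!r}")
    if case_insensitive or win32:
        request_path = request_path.lower()   # ACLs must be attached to lowercase names
    return request_path


def resolve_acl(acls, junction_point, request_path, case_insensitive=False, win32=False):
    """Return the ACL attached to the object or inherited from its nearest ancestor.

    `acls` maps object names to ACL names, e.g. {"/junction/index.htm": "docs-acl"}.
    Returns None when nothing is attached anywhere up to "/".
    """
    name = object_name(junction_point, request_path, case_insensitive, win32)
    while True:
        if name in acls:
            return acls[name]
        if name in ("", "/"):
            return None
        name = name.rsplit("/", 1)[0] or "/"
```

Without -i, a request for /junction/INDEX.HTM misses the ACL on /junction/index.htm and silently inherits the junction's own ACL, even though a Windows backend will serve the same file; that fallback to a broader ancestor ACL, rather than a denial, is the reason a case-insensitive backend needs the flag.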

-W password
Specifies the WebSEAL server password. This option requires the -B and -U options. WebSEAL uses the BA header information to authenticate to the backend server and to provide mutual authentication over SSL. This option is valid only with junctions created with the type of ssl or sslproxy.

-Z keyfile_pwd
Specifies the password of the keyfile used to encrypt LTPA cookie data. The -Z option requires the -A and -F options. Note that the -A, -F, and -Z options all must be used together. This option is valid for all junctions except for the type of local.

junction_point
Specifies the location where you want the junction point created. For more information about WebSEAL junction points, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Description

For more information about gathering statistics, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.

Examples

• The following example displays the output when you send the pdadmin server task command to a WebSEAL server and request more online information about the create task:

pdadmin sec_master> server task default-webseald-cruz.dallas.ibm.com help create

Output is similar to the following:

Command: create -t <type> <options> <junction point>
Description: Creates a new junction
Usage: create -t <type> <options> <junction point>
TCP and SSL Junction Flags
  ...
Common Flags
  -t <type>          Type of junction. One of: tcp, tcpproxy, ssl, sslproxy, local.
  -f                 Force the creation: overwrite existing junction.
  -R                 WebSEAL will send the Boolean Rule Header to these junctions when a rule failure reason is provided.
  <junction point>   Where to create the junction

• The following example, entered on one line, creates a basic WebSEAL junction /pubs on the default-webseald-cruz WebSEAL server. The junction type is TCP and the host name is doc.tivoli.com:

pdadmin sec_master> server task default-webseald-cruz create -t tcp -h doc.tivoli.com /pubs

Output is similar to:

Created junction at /pubs

• The following example, entered on one line, creates a new local junction / to replace the current junction point. The -f option is required to force a new junction that overwrites an existing junction at the /tmp/docs directory:

pdadmin sec_master> server task default-webseald-cruz create -t local -f -d /tmp/docs /

Output is similar to:

Created junction at /

• The following example, entered on one line, limits worker thread consumption on a per-junction basis. The -l (soft thread limit) and -L (hard thread limit) options allow you to specify limits as percent values on the specific junction /myjunction:

pdadmin> server task default-webseald-cruz create -t tcp -h cruz.dallas.ibm.com -l 60 -L 80 /myjunction
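The option descriptions for server task create (and the matching ones for server task add) carry a number of cross-option rules: -h is required for every type except local and -d for local, -B/-C/-D/-K/-U/-W apply only to ssl and sslproxy junctions, -H/-P only to the proxy types with -P mandatory when -H is given, -A/-F/-Z and -B/-U/-W must each be used together, and -T is required with -b gso. Because a server task command returns 0 as soon as it is accepted for delivery, an inconsistent junction definition is easier to catch before it is sent. The following Python is an added example, not IBM code or part of pdadmin: it checks a junction definition against exactly those rules and composes the create command line. Quoting follows shell conventions via shlex.quote, which suits a command line handed to pdadmin through a shell; inside the interactive pdadmin prompt the double-quoted form shown for -D applies.

```python
"""Compose and sanity-check a pdadmin 'server task ... create' command line.

Added example, not IBM code.  Only the option/type rules stated in this
reference are encoded; the option letters are the ones documented here.
"""
import shlex

JUNCTION_TYPES = ("tcp", "tcpproxy", "ssl", "sslproxy", "local")
NO_ARGUMENT = {"A", "B", "C", "f", "i", "j", "k", "n", "r", "R", "s", "w"}
LOCAL_OK = {"d", "f"}                       # every other option is "except local"
SSL_ONLY = {"B", "C", "D", "K", "U", "W"}   # ssl / sslproxy junctions only
PROXY_ONLY = {"H", "P"}                     # tcpproxy / sslproxy junctions only
BA_VALUES = ("filter", "ignore", "supply", "gso")


def validate(jtype, opts):
    """Return the list of rule violations for a definition (empty list means OK).

    `opts` maps option letters (without the dash) to their argument, or to True
    for options that take none, e.g. {"h": "app1", "s": True}.
    """
    if jtype not in JUNCTION_TYPES:
        return [f"unknown junction type {jtype!r}"]
    present = set(opts)
    errors = []
    if jtype == "local":
        if "d" not in present:
            errors.append("-d dir is required for local junctions")
        bad = sorted(present - LOCAL_OK)
        if bad:
            errors.append("not valid for local junctions: -" + " -".join(bad))
        return errors
    if "h" not in present:
        errors.append("-h host_name is required for non-local junctions")
    if "d" in present:
        errors.append("-d is valid only for local junctions")
    if jtype not in ("ssl", "sslproxy"):
        for name in sorted(present & SSL_ONLY):
            errors.append(f"-{name} is valid only for ssl and sslproxy junctions")
    if jtype not in ("tcpproxy", "sslproxy"):
        for name in sorted(present & PROXY_ONLY):
            errors.append(f"-{name} is valid only for tcpproxy and sslproxy junctions")
    if "H" in present and "P" not in present:
        errors.append("-P port is required when -H is used")
    ltpa = present & {"A", "F", "Z"}
    if ltpa and ltpa != {"A", "F", "Z"}:
        errors.append("-A, -F and -Z must be used together")
    ba_auth = present & {"B", "U", "W"}
    if ba_auth and ba_auth != {"B", "U", "W"}:
        errors.append("-B, -U and -W must be used together")
    if "b" in present:
        if opts["b"] not in BA_VALUES:
            errors.append("-b must be one of " + ", ".join(BA_VALUES))
        elif opts["b"] == "gso" and "T" not in present:
            errors.append("-T resource is required with -b gso")
    return errors


def build_create(server, jtype, opts, junction_point):
    """Return the command line, or raise ValueError listing every violation."""
    problems = validate(jtype, opts)
    if problems:
        raise ValueError("; ".join(problems))
    words = ["server", "task", server, "create", "-t", jtype]
    for name, value in opts.items():        # options emitted in the caller's order
        words.append("-" + name)
        if name not in NO_ARGUMENT:
            words.append(str(value))
    words.append(junction_point)
    return " ".join(shlex.quote(w) for w in words)
```

The three create examples above reproduce exactly through build_create, and a definition such as -D on a tcp junction or -b gso without -T is refused with a message naming the rule, instead of reaching WebSEAL and failing there after pdadmin has already reported success.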

Return codes

The following exit status codes can be returned:

0 The command completed successfully.

Note: For WebSEAL server task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command has been successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.

1 The command failed. Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

server task (WebSEAL)
server task add (WebSEAL)
server task delete (WebSEAL)
server task remove (WebSEAL)
server task show (WebSEAL)

server task delete (WebSEAL)

Deletes a junction point. This command is available only if you have the Tivoli Access Manager WebSEAL product installed.

Requires authentication (administrator ID and password) to use this command.

For more information about how to delete junction points, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Syntax

server task server_name-host_name delete junction_point

Options

server_name-host_name
Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

junction_point
Specifies the junction point to be deleted.

Examples

• The following example displays the output after sending the pdadmin server task help command to a WebSEAL server and requesting help for the delete task:

pdadmin sec_master> server task default-webseald-cruz.dallas.ibm.com help delete

Output is similar to the following:

Command: delete <junction point>
Description: Deletes a junction
Usage: delete <junction point>

• The following example deletes the junction point /pubs from the WebSEAL server default-webseald-cruz.dallas.ibm.com:

pdadmin sec_master> server task default-webseald-cruz.dallas.ibm.com delete /pubs

Return codes

The following exit status codes can be returned:

0 The command completed successfully.

Note: For WebSEAL server task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command has been successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.

1 The command failed. Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

server task (WebSEAL)
server task add (WebSEAL)
server task create (WebSEAL)
server task remove (WebSEAL)
server task show (WebSEAL)

server task remove (WebSEAL)

Removes a junctioned backend server, identified by its UUID, from a junction point on the specified installed Tivoli Access Manager WebSEAL server or server instance. This command is available only if you have the Tivoli Access Manager WebSEAL product installed.

Requires authentication (administrator ID and password) to use this command.

For more information about how to remove a server from a junction point, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Syntax

server task server_name-host_name remove -i server_uuid junction_point

Options

server_name-host_name
Specifies the name of the installed Tivoli Access Manager WebSEAL server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

-i server_uuid
Specifies the UUID of the server to be removed from the junction point. See the server task show (WebSEAL) command for details of obtaining the UUID.

junction_point
Specifies the junction point from which the server is removed.

Examples

The following example removes the junctioned server backapp1 from the junction point /pubs. First, determine the UUID of the server to be removed by running the server task show command:

pdadmin sec_master> server task default-webseald-cruz show /pubs

Junction point: /pubs
...
Server 1:
  ID: 6fc3187a-ea1c-11d7-8f4e-09267e38aa77
  Server State: running
  Hostname: backapp1.cruz.ibm.com
...

Then remove the server from the junction:

pdadmin sec_master> server task default-webseald-cruz remove -i 6fc3187a-ea1c-11d7-8f4e-09267e38aa77 /pubs

Return codes

The following exit status codes can be returned:

0 The command completed successfully.

Note: For WebSEAL server task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command has been successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.

1 The command failed. Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also

server task (WebSEAL)
server task add (WebSEAL)
server task create (WebSEAL)
server task delete (WebSEAL)
server task show (WebSEAL)

server task show (WebSEAL)

Displays the junction point information for the specified installed Tivoli Access Manager WebSEAL server or server instance. The server must exist, or an error is displayed. This command is available only if you have the Tivoli Access Manager WebSEAL product installed.

Requires authentication (administrator ID and password) to use this command.

For more information about junction points, see the IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Syntax

server task server_name-host_name show junction_point

Options

server_name-host_name
Specifies the name of the installed Tivoli Access Manager WebSEAL server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com. For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

junction_point
Specifies the junction point for the specified WebSEAL server.

Examples

The

following

example

shows

information

for

the

local

junction

point

/

at

the

/opt/pdweb/www/docs

directory

on

the

WebSEAL

server

default-webseald-cruz:

pdadmin

sec_master>

server

task

default-webseald-cruz

show

/

Output

is

similar

to:

Junction

point:

/

Type:

Local

Junction

hard

limit:

0

-

using

global

value

Junction

soft

limit:

0

-

using

global

value

Active

worker

threads:

0

Root

Directory:

/opt/pdweb/www/docs

.

.

.

Chapter 1. pdadmin command line utility 161

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

   Note: For WebSEAL server task commands, the return code will be 0 when the command is sent to the WebSEAL server without errors. However, even after the command has been successfully sent, the WebSEAL server might not be able to successfully complete the command and returns an error message.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server task (WebSEAL)
server task add (WebSEAL)
server task create (WebSEAL)
server task delete (WebSEAL)
server task remove (WebSEAL)


server task stats

Enables the gathering of statistical information for an installed Tivoli Access Manager server or server instance.

Requires authentication (administrator ID and password) to use this command.

Syntax

server task server_name-host_name stats on component [interval [count]] [file path=file|other_log_agent_config]

server task server_name-host_name stats [get | off | reset | show] [component]

server task server_name-host_name stats list

Options

server_name-host_name
   Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server_name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com.

   For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

stats get [component]
   Displays the current values of statistics being gathered for all enabled components. If you specify the optional component option, displays the name and level for a specific enabled component.

stats list [component]
   Lists all components available to gather and report statistics. If you specify the optional component option, lists a specific enabled component. If the specified component is not enabled, no output is displayed.

stats off [component]
   Turns off statistics gathering for all components. If you specify the optional component option, disables statistics gathering for a specific enabled component.

   Note: By default, the pdweb.threads, pdweb.doccache, and pdweb.jmt components are always enabled and cannot be disabled.


stats on component [interval [count]] [file path=file|other_log_agent_config]
   Turns on statistics gathering for the specified component. When enabling stats, you can also set the statistics report frequency, the count, and the destination for output. Options are as follows:

   component
      Specifies the component about which you want to gather statistics.

   interval
      Specifies the time interval between reports of information. This results in statistics being sent to a log file. When this option is specified, statistics are sent, by default, to standard out of the WebSEAL server, which is the WebSEAL log file. You can specify another output location using the other_log_agent_config argument. If interval is not specified, no statistics are sent to any log file. However, the statistic component is still enabled. You can obtain reports dynamically at any time using the pdadmin stats get command.

   count
      Specifies the number of reports sent to a log file. The interval option is required if using the count option. If interval is specified without count, the duration of reporting is indefinite. After the count value is reached, reporting to a log file stops. However, the statistic component is still enabled. You can obtain reports dynamically at any time using the pdadmin stats get command.

   other_log_agent_config
      Specifies a destination for the statistics information gathered for the specified component. For more information about event logging, see the IBM Tivoli Access Manager Base Administration Guide.

stats reset [component]
   Resets statistics gathering for all enabled components. If you specify the component option, resets statistics gathering for a specific enabled component.

stats show [component]
   Shows the name and level for components with statistics gathering turned on. If you specify the component option, also shows the name and level for a specific enabled component.

component
   Specifies the component about which you want to gather statistics.

Description

For more information about gathering statistics, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.


Examples

•  The following example displays the output after sending the stats list command to the authorization server ivacld-mogman.admogman.com:

   pdadmin sec_master> server task ivacld-mogman.admogman.com stats list

   Output is similar to:

   pd.ras.stats.monitor
   pd.log.EventPool.queue

•  The following example, entered on one line, turns on statistics gathering for the pd.log.EventPool.queue component. It also sets the statistics report frequency to 30 days, the count, and the output destination:

   pdadmin sec_master> server task ivacld-mogman.admogman.com stats on pd.log.EventPool.queue file=c:\myEPstats.log

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server task
server task trace


server task trace

Enables the gathering of trace information for components of installed Tivoli Access Manager servers or server instances that support debug event tracing. The content of trace messages is generally undocumented and is intended to be used for debugging purposes only. The format and content of trace messages might vary between product releases.

Requires authentication (administrator ID and password) to use this command.

Syntax

server task server_name-host_name trace list [component]

server task server_name-host_name trace set component level [file path=path|other_log_agent_config]

server task server_name-host_name trace show [component]

Options

server_name-host_name
   Specifies the name of the installed Tivoli Access Manager server or server instance. You must specify the server name in the exact format as displayed in the output of the pdadmin server list command. For example, if the configured name of a single WebSEAL server is default, the server_name is default-webseald followed by -host_name. The full server name-host name is default-webseald-cruz.dallas.ibm.com.

   For multiple server instances on the same machine, if the configured name of a WebSEAL server instance is webseal2-webseald, the instance_name is followed by -host_name. The full server instance name-host name is webseal2-webseald-cruz.dallas.ibm.com.

trace list [component]
   Lists all enabled trace components available to gather and report trace information. If the optional component option is specified, lists a specific component that is enabled (set) for tracing. If the specified component is not enabled, no output is displayed.

trace set component level [file path=file | other_log_agent_config]
   Sets the trace level and trace message destination for a specific component and its subordinates. The level option values are 1 through 9, with 9 reporting the most detailed level of information in the trace output. The optional file path=path or other_log_agent_config value specifies a destination for the trace information gathered for the specified component. For more information about event logging, see the IBM Tivoli Access Manager Base Administration Guide.

trace show [component]
   Shows the names and levels for all enabled trace components. If the optional component option is specified, shows the name and level for the specified component.

Description

For more information about tracing and trace components, see the IBM Tivoli Access Manager for e-business Problem Determination Guide.


Examples

1. The following example, entered on one line, enables the pdweb.debug trace component at level 2. It then displays the output for all enabled components. Note that WebSEAL-specific components are prefixed with pdweb.

   pdadmin sec_master> server task webseald-instance_name trace set pdweb.debug 2
   pdadmin sec_master> server task webseald-instance_name trace show

   Output from the trace show command is similar to:

   pdweb.debug 2

2. The following example enables the pdwebpi.module.session-cookie trace component at level 9. It then displays the output for all enabled components. Note that Web Plug-in server-specific components are prefixed with pdwebpi.

   pdadmin sec_master> server task pdwpi-tivoli.com trace set pdwebpi.module.session-cookie 9
   pdadmin sec_master> server task pdwpi-tivoli.com trace show

   Output from the trace show command is similar to:

   pdwebpi.module.session-cookie 9

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
server task
server task stats


user create

Creates a Tivoli Access Manager user.

Requires authentication (administrator ID and password) to use this command.

Syntax

user create [-gsouser] [-no-password-policy] user_name dn cn sn password [groups]

Options

-gsouser
   Enables the user's global signon (GSO) capabilities.

-no-password-policy
   Indicates that password policy is not enforced during the creation of the user account. This non-enforcement has no effect on password policy enforcement after user creation.

user_name
   Specifies the name for the user being created. This name must be unique. A valid user name is an alphanumeric, case-insensitive string. If the user is a GSO user, certain characters are not allowed. See "Characters disallowed for GSO names" on page 281 for the list of these characters.

   Note: If you did not change the 7-bit checking default value during configuration of Sun ONE, you must turn off checking so that non-ASCII characters can be stored in attributes.

   Examples of user names: dlucas, sec_master, "Mary Jones"

dn
   Specifies the registry identifier assigned to the user being created. The registry identifier must be known before a new user account can be created. The registry identifier must be unique within the user registry. The format for a distinguished name is similar to:

   "cn=Mary Jones,ou=Austin,o=Tivoli,c=us"

cn
   Specifies the common name assigned to the user being created. For example: "Mary"

sn
   Specifies the surname of the user being created. For example: "Jones"

password
   Specifies the password set for the new user. Passwords must adhere to the password policies set by the administrator.

groups
   Specifies a list of groups to which the new user is assigned. The format of the group list is a parenthesized list of group names, separated by spaces. The groups must exist, or an error is displayed. Examples of groups: deptD4D and printerusers


Description

A user is a registered participant of the secure domain. A GSO user is a Tivoli Access Manager user that additionally has the authority to work with Web resources, such as a Web server. When an LDAP-based registry is used, user names are not case sensitive.

The -no-password-policy option to the pdadmin user create command allows the administrator to create the user with an initial password that is not checked by the existing global password policies. If this option is not present in the command, the password provided is checked against the global password policies. In this case, the user create command fails if the password is invalid, and the error message includes information on what conditions were not met. However, if the administrator applies the pdadmin user modify password command, the -no-password-policy option is not available. Therefore, the modified password is always checked against the global password policy settings.

Examples

1. The following example, entered as one line, creates the new user dlucas:

   pdadmin sec_master> user create -gsouser dlucas "cn=Diana Lucas,ou=Austin,o=Tivoli,c=US" "Diana Lucas" Lucas lucaspwd

2. The following example, entered as one line, creates the new user maryj:

   pdadmin sec_master> user create -gsouser maryj "cn=Mary Jones,o=tivoli,c=us" Mary Jones maryjpwd

To make the user accounts valid, you must use the pdadmin user modify command to set the account-valid flag to yes.
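The two-step procedure above (create the user, then set account-valid to yes) is straightforward to script for a batch of accounts. The following Python helper is an added example, not IBM's code: it builds the lines to be typed at the pdadmin prompt, quoting arguments that contain spaces the way the examples do and emitting the groups argument in the parenthesized form described under Options; it only builds strings and does not run pdadmin. NewUser, quote_arg and provisioning_commands are names chosen for this example.

```python
"""Build the pdadmin lines that create a batch of users and then enable them.

Added example (not IBM code): it only builds the strings to be typed at the
pdadmin prompt, it does not run pdadmin. NewUser, quote_arg and
provisioning_commands are this example's own names.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, List


@dataclass
class NewUser:
    user_name: str
    dn: str        # registry identifier, e.g. "cn=Diana Lucas,ou=Austin,o=Tivoli,c=US"
    cn: str        # common name
    sn: str        # surname
    password: str
    groups: List[str] = field(default_factory=list)  # groups must already exist
    gso: bool = False  # True adds -gsouser


def quote_arg(value: str) -> str:
    """Wrap an argument in double quotes when it contains a space.

    The reference shows DNs and names with spaces quoted this way. A value that
    already contains a double quote is rejected rather than guessed at.
    """
    if '"' in value:
        raise ValueError(f"double quote inside pdadmin argument: {value!r}")
    if value == "" or " " in value:
        return f'"{value}"'
    return value


def user_create_command(user: NewUser, skip_password_policy: bool = False) -> str:
    """Return the `user create` line for one user."""
    parts = ["user", "create"]
    if user.gso:
        parts.append("-gsouser")
    if skip_password_policy:
        # Bypasses the global password policy for the initial password only;
        # a later `user modify ... password` is always policy-checked.
        parts.append("-no-password-policy")
    parts += [quote_arg(user.user_name), quote_arg(user.dn),
              quote_arg(user.cn), quote_arg(user.sn), quote_arg(user.password)]
    if user.groups:
        # groups is a parenthesized, space-separated list of group names.
        parts.append("(" + " ".join(user.groups) + ")")
    return " ".join(parts)


def provisioning_commands(users: Iterable[NewUser],
                          skip_password_policy: bool = False) -> List[str]:
    """Return the full sequence: create each user, then make the account valid.

    A newly created account is not usable until account-valid is set to yes,
    so every create line is followed by the matching `user modify` line.
    """
    lines: List[str] = []
    for user in users:
        lines.append(user_create_command(user, skip_password_policy))
        lines.append(f"user modify {quote_arg(user.user_name)} account-valid yes")
    return lines


if __name__ == "__main__":
    # Constructed batch that reuses the values from the reference's examples.
    batch = [
        NewUser("dlucas", "cn=Diana Lucas,ou=Austin,o=Tivoli,c=US",
                "Diana Lucas", "Lucas", "lucaspwd", gso=True),
        NewUser("maryj", "cn=Mary Jones,o=tivoli,c=us", "Mary", "Jones",
                "maryjpwd", groups=["deptD4D", "printerusers"]),
    ]
    for line in provisioning_commands(batch):
        print("pdadmin sec_master>", line)
```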

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
user delete
user import
user modify


user delete

Deletes the specified Tivoli Access Manager user and optionally deletes the user's information in the user registry.

Requires authentication (administrator ID and password) to use this command.

Syntax

user delete [-registry] user_name

Options

-registry
   Deletes the user's information from the user registry. If this option is not specified, the registry user information can be used to create another Tivoli Access Manager user by using the pdadmin user import command.

user_name
   Specifies the name of the account to be deleted. Any resource credentials associated with a user account are automatically removed at the same time the user account is deleted. The user must exist, or an error is displayed. Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples

The following example deletes the dlucas user:

   pdadmin sec_master> user delete dlucas

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
user create
user import


user import

Creates a Tivoli Access Manager user by importing user data that already exists in the user registry.

Requires authentication (administrator ID and password) to use this command.

Syntax

user import [-gsouser] user_name dn [group_name]

Options

-gsouser
   Specifies that the user has single signon capabilities.

user_name
   Specifies a unique Tivoli Access Manager user name. This user is created from information that already exists in the user registry. For URAF-based registries, such as Domino and Active Directory, the user name must correspond to a short name already defined for the user being imported from the user registry. A valid user name is an alphanumeric, case-insensitive string. If the user is a GSO user, certain characters are not allowed. See "Characters disallowed for GSO names" on page 281 for the list of these characters. Examples of user names: dlucas, sec_master, "Mary Jones"

dn
   Specifies the registry identifier of the user being imported. This identifier must exist in the user registry and must not be associated with another user in the same Tivoli Access Manager secure domain. The format for a distinguished name is similar to: cn=Claude Wright,ou=Austin,o=Tivoli,c=us

group_name
   Specifies an optional group to which the user is being added. The group must exist, or an error is displayed. Examples of group names: Credit, Sales, and Test-group

Description

Imported user accounts are created invalid by default. To make the user account valid, you must use the pdadmin user modify command to set the account-valid flag to yes.

Examples

The following example, entered on one line, creates the user mlucaser by importing information from the registry user cn=Mike Lucaser,ou=Austin,o=Tivoli,c=US:

   pdadmin sec_master> user import -gsouser mlucaser "cn=Mike Lucaser,ou=Austin,o=Tivoli,c=US"


Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
user create
user modify


user list

Lists users by Tivoli Access Manager user name or by registry identifier.

Requires authentication (administrator ID and password) to use this command.

Syntax

user {list|list-dn} pattern max_return

Options

list pattern max_return
   Specifies the pattern for the principal name. The pattern can include a mixture of wildcard and string constants, and is case sensitive. For example: *luca*

   The max_return option specifies the maximum number of entries that are found and returned for a single request. Note that the number returned is also governed by the server configuration, which specifies the maximum number of results that can be returned as part of a search operation. The actual maximum number of returned entries is the lesser of max_return and the configured value on the server, which is taken from the max-search-size=[0|num_entries] parameter in the [ldap] stanza of the ldap.conf configuration file. For a discussion of how to limit the number of users returned from the pdadmin user list command, see the IBM Tivoli Access Manager for e-business Performance Tuning Guide.

list-dn pattern max_return
   Specifies the pattern for the common name (CN) portion of the user's registry identifier (excluding the cn= component). The pattern can include a mixture of wildcard and string constants, and is case sensitive (for example, *luca*). The returned list contains users that are defined in the user registry but are not necessarily Tivoli Access Manager users. Users that are not Tivoli Access Manager users can be imported into Tivoli Access Manager by use of the pdadmin user import command.

Examples

1. The following example lists the users matching the specified pattern:

   pdadmin sec_master> user list *luca* 2

   Output is similar to the following:

   dlucas
   mlucaser


2. The following example lists the users matching the specified registry identifier:

   pdadmin sec_master> user list-dn *luca* 2

   Output is similar to the following:

   cn=Diana Lucas,ou=Austin,o=Tivoli,c=US
   cn=Mike Lucaser,ou=Austin,o=Tivoli,c=US

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
user show


user modify

Changes various user account attributes.

Requires authentication (administrator ID and password) to use this command.

Syntax

user modify user_name account-valid {yes|no}
user modify user_name description description
user modify user_name gsouser {yes|no}
user modify user_name password password
user modify user_name password-valid {yes|no}

Options

account-valid {yes|no}
   Enables or disables the specified user account. A user cannot log in with a disabled account.

description description
   Modifies the user description. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks. You can specify an empty string ("") to clear an existing description. Example of description: "Diana Lucas, Credit Dept HCUS"

gsouser {yes|no}
   Enables or disables the single signon capabilities of a user. Valid values are yes and no.

password password
   Modifies the user password. The new password must comply with password policies in effect.

password-valid {yes|no}
   Validates or invalidates the password for the specified user account. Valid values are yes and no. If the value is no, the password will appear to be expired and the user will be unable to log in using the password until an administrator sets the valid state to yes. Or, the user can authenticate using another method, such as using a certificate.

   Another reason a user might not be able to authenticate with a given password is because the maximum password age has been exceeded. If you check and find that password-valid is currently set to yes, then try changing the value for the pdadmin policy set max-password-age parameter. Only an administrator or a user that has the proper authority can set the max-password-age policy on a user account. A user cannot set this policy on his own account. This policy sets the maximum time, in days, that a password will be valid.

   Time is relative to the last time the password was changed. When you change the value for password-valid or reset pdadmin policy set max-password-age, the user's password does not have to be changed. If you reset a user's password, the password-valid parameter automatically switches back to yes, and the max-password-age parameter resets the age to expire. For example, if the maximum password age is set to 30 days, another 30 days begins from the time you reset the user's password.

user_name
   Specifies the name of the account to be modified. The user must exist, or an error is displayed. A valid user name is an alphanumeric, case-insensitive string. If the user is a GSO user, certain characters are not allowed. See "Characters disallowed for GSO names" on page 281 for the list of these characters. Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples

1. The following example enables the specified user account:

   pdadmin sec_master> user modify dlucas account-valid yes

2. The following example, entered on one line, modifies the description of a user account:

   pdadmin sec_master> user modify dlucas description "Diana Lucas, Credit Dept HCUS"

3. The following example disables the user's single signon capabilities:

   pdadmin sec_master> user modify dlucas gsouser no

4. The following example changes the password for a user account:

   pdadmin sec_master> user modify dlucas password newpasswd

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
user create
user import


user show

Displays the properties of the specified user.

Requires authentication (administrator ID and password) to use this command.

Syntax

user show user_name
user show-dn dn
user show-groups user_name

Options

user_name
   Specifies the name of the user to display. The user must exist, or an error is displayed. Examples of user names: dlucas, sec_master, and "Mary Jones"

show-dn dn
   Displays the user specified by the user's identifier in the user registry. The returned user is defined in the user registry, but it is not necessarily a Tivoli Access Manager user. Users that are not Tivoli Access Manager users can be imported into Tivoli Access Manager by use of the pdadmin user import command. The format for a distinguished name is similar to: cn=Claude Wright,ou=Austin,o=Tivoli,c=us

show-groups user_name
   Displays the groups in which the specified user is a member. The user must exist, or an error is displayed. Examples of user names: dlucas, sec_master, and "Mary Jones"

Examples

1. The following example displays the user account information for testuser:

   pdadmin sec_master> user show testuser

   Output is similar to the following:

   Login ID: testuser
   LDAP DN: cn=testuser,o=tivoli,c=us
   LDAP CN: test
   LDAP SN: test
   Description: a test user
   Is SecUser: yes
   Is GSO user: no
   Account valid: no
   Password valid: yes


2. The following example displays the groups of which the specified user is a member:

   pdadmin sec_master> user show-groups dlucas

   Output is similar to the following:

   sales
   credit
   engineering

3. The following example provides additional information about the user when specifying the registry identifier:

   pdadmin sec_master> user show-dn "cn=Diana Lucas,ou=Austin,o=Tivoli,c=US"

   Output is similar to the following:

   Login ID: dlucas
   LDAP dn: cn=Diana Lucas,ou=Austin,o=Tivoli Inc,c=US
   LDAP cn: Diana Lucas
   LDAP sn: Lucas
   Description: Diana Lucas, Credit Dept HCUS
   IS SecUser: true
   IS GSO user: false
   Account valid: true
   Password valid: true
   Authentication mechanism: Default:LDAP
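The user show and user show-dn listings above differ in key capitalisation (Is SecUser versus IS SecUser, LDAP DN versus LDAP dn) and in how booleans are spelled (yes/no versus true/false), which matters when the output is fed into an account review. The following Python parser is an added example, not part of the IBM reference: it normalises both forms and reports accounts an administrator would want to look at (disabled accounts, invalidated passwords, GSO-enabled users). The sample listings are the two shown above; parse_user_show and audit_user are names chosen for this example.

```python
"""Parse `pdadmin user show` / `user show-dn` listings and flag accounts to review.

Added example (not part of the IBM reference). The sample listings are the two
shown in the user show examples; the function names are this example's own.
"""
from __future__ import annotations

# `user show` prints "Is SecUser: yes" while `user show-dn` prints
# "IS SecUser: true", so keys are lower-cased and both spellings are accepted.
BOOLEAN_KEYS = {"is secuser", "is gso user", "account valid", "password valid"}
TRUE_VALUES = {"yes", "true"}
FALSE_VALUES = {"no", "false"}

# Sample listings reproduced from the reference's user show examples.
SAMPLE_USER_SHOW = """\
Login ID: testuser
LDAP DN: cn=testuser,o=tivoli,c=us
LDAP CN: test
LDAP SN: test
Description: a test user
Is SecUser: yes
Is GSO user: no
Account valid: no
Password valid: yes
"""

SAMPLE_USER_SHOW_DN = """\
Login ID: dlucas
LDAP dn: cn=Diana Lucas,ou=Austin,o=Tivoli Inc,c=US
LDAP cn: Diana Lucas
LDAP sn: Lucas
Description: Diana Lucas, Credit Dept HCUS
IS SecUser: true
IS GSO user: false
Account valid: true
Password valid: true
Authentication mechanism: Default:LDAP
"""


def parse_user_show(text: str) -> dict:
    """Turn the 'Key: value' lines of one user listing into a dict.

    Keys are lower-cased; the four boolean attributes become True/False.
    """
    record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Split on the first colon only: the value of
        # "Authentication mechanism: Default:LDAP" contains a colon itself.
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unexpected line in user show output: {raw!r}")
        key = key.strip().lower()
        value = value.strip()
        if key in BOOLEAN_KEYS:
            if value.lower() in TRUE_VALUES:
                record[key] = True
            elif value.lower() in FALSE_VALUES:
                record[key] = False
            else:
                raise ValueError(f"non-boolean value for {key!r}: {value!r}")
        else:
            record[key] = value
    if "login id" not in record:
        raise ValueError("listing has no 'Login ID' line")
    return record


def audit_user(record: dict) -> list:
    """Return review findings for one parsed record (empty list: nothing to review)."""
    login = record["login id"]
    findings = []
    if record.get("account valid") is False:
        findings.append(f"{login}: account disabled (account-valid no); "
                        "user cannot log in")
    if record.get("password valid") is False:
        findings.append(f"{login}: password invalidated (password-valid no); "
                        "password logon blocked until an administrator resets it")
    if record.get("is gso user") is True:
        findings.append(f"{login}: GSO capabilities enabled; "
                        "review the resource credentials held for this user")
    return findings


if __name__ == "__main__":
    for listing in (SAMPLE_USER_SHOW, SAMPLE_USER_SHOW_DN):
        rec = parse_user_show(listing)
        print(rec["login id"], audit_user(rec) or ["nothing to review"])
```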

Return codes

The following exit status codes can be returned:

0
   The command completed successfully.

1
   The command failed. When a command fails, the pdadmin command provides a description of the error and an error status code in hexadecimal format (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

See also
user list


Chapter

2.

Tivoli

Access

Manager

utilities

In

addition

to

the

pdadmin

command

utility,

Tivoli

Access

Manager

provides

the

following

utilities

for

your

use.

Table 16. Tivoli Access Manager utilities

amwebcfg
    Configures, unconfigures, or obtains status on a WebSEAL server.
AMWLSConfigure -action config
    Configures Tivoli Access Manager for WebLogic Server.
AMWLSConfigure -action unconfig
    Unconfigures Tivoli Access Manager for WebLogic Server.
AMWLSConfigure -action create_realm
    Creates the security realm in WebLogic Server.
AMWLSConfigure -action delete_realm
    Deletes the security realm from WebLogic Server.
amwpmcfg
    Configures the Tivoli Access Manager Web Portal Manager component.
bassslcfg -chgpwd
    Changes the key database password.
bassslcfg -config
    Configures the Tivoli Access Manager runtime to allow the pdadmin and svrsslcfg utilities to communicate with the Tivoli Access Manager policy server (pdmgrd). Also creates a new key and stash file.
bassslcfg -getcacert
    Downloads the root CA certificate to a file.
bassslcfg -getmgtdomain
    Retrieves the management domain name from the Tivoli Access Manager policy server and prints it to standard output (stdout).
bassslcfg -modify
    Modifies the Tivoli Access Manager policy server configuration.
bassslcfg -ping
    Pings a Tivoli Access Manager server.
cdsso_key_gen
    Generates a key for use when encrypting and decrypting authentication tokens for Tivoli Access Manager WebSEAL's cross-domain single signon.
install_component
    Uses InstallShield wizards to set up complete Tivoli Access Manager systems in the secure domain.
ivrgy_tool
    Updates the Tivoli Access Manager schema on the specified LDAP server.
migrateEAR4
    Migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere Application Server version 4.0.6.
migrateEAR5
    Migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere Application Server version 5.0.2.
mgrsslcfg -chgcert
    Renews the SSL certificate of the manager.
mgrsslcfg -chgpwd
    Changes the key database password.
mgrsslcfg -config
    Performs full configuration, creating new key and stash files and generating new certificates for the Tivoli Access Manager policy server.
mgrsslcfg -modify
    Modifies the current configuration.
pdbackup
    Backs up, restores, and extracts Tivoli Access Manager data.
pdconfig
    Configures and unconfigures Tivoli Access Manager components except the Tivoli Access Manager Java runtime component.
pdjrtecfg
    Configures the Tivoli Access Manager Java runtime component.
pd_start
    Stops, starts, and restarts servers on UNIX systems. Also displays server status.
pdwascfg
    Configures or unconfigures Tivoli Access Manager for WebSphere Application Server.
pdweb
    Starts, stops, or restarts a WebSEAL server or displays server status.
pdwebpi
    Provides Tivoli Access Manager Plug-in for Web Servers version information. Also determines whether to run Plug-in for Web Servers as a daemon or in the foreground.
pdwebpi_start
    Starts, restarts, and stops the Tivoli Access Manager Plug-in for Web Servers process on UNIX installations. Also displays the status of all Web servers.
pdwpi-version
    Lists the version and copyright information for the Tivoli Access Manager Plug-in for Web Servers installation.
pdwpicfg -action config
    Configures the Tivoli Access Manager Plug-in for Web Servers.
pdwpicfg -action unconfig
    Unconfigures the Tivoli Access Manager Plug-in for Web Servers.
pdversion
    Lists the current version of Tivoli Access Manager components installed on the system.
query_contents
    Returns the contents of the root directory of a Web space on a third-party Web server.
svrsslcfg
    Configures a resource manager to use an SSL connection for communicating with the Tivoli Access Manager policy server. This command is used only for C applications. For Java programs, use the Java equivalent (the com.tivoli.pd.jcfg.SvrSslCfg class).
svrsslcfg -add_replica
    Adds an authorization server replica.
svrsslcfg -chg_replica
    Changes an authorization server replica.
svrsslcfg -chgcert
    Renews the resource manager's SSL certificate.
svrsslcfg -chgport
    Changes the listening port number.
svrsslcfg -chgpwd
    Changes the key file password.
svrsslcfg -config
    Performs full configuration of a resource manager.
svrsslcfg -modify
    Modifies the current configuration.
svrsslcfg -rmv_replica
    Removes a replica configuration.
svrsslcfg -unconfig
    Unconfigures the resource manager.
wesosm
    Creates and maintains the Tivoli Access Manager object space for the Edge Server plug-in.
wslstartwte
    Manually starts the Edge Server caching proxy and loads the plug-in for Edge Server on UNIX.
wslstopwte
    Stops the Edge Server caching proxy on UNIX systems.

amwebcfg

Configures, unconfigures, or obtains status on a WebSEAL server.

Syntax

amwebcfg -action config -host host_name -listening_port am_listening_port -inst_name instance_name -nw_interface_yn {yes|no} -ip_address ip_address -ssl_yn {yes|no} -key_file key_file -key_file_pwd key_file_pwd -cert_label cert_label -ssl_port ssl_port -http_yn {yes|no} -http_port http_port -https_yn {yes|no} -https_port https_port -doc_root doc_root

amwebcfg -action config -rspfile response_file

amwebcfg -action config -interactive

amwebcfg -action unconfig -inst_name instance_name

amwebcfg -action unconfig -rspfile response_file

amwebcfg -action unconfig -interactive

amwebcfg -operations

amwebcfg -help [options]

amwebcfg -usage

amwebcfg -?

Parameters

-action {config | name | status | unconfig}
    This option takes one of the following arguments:

    config
        Configures a WebSEAL server instance.
    name
        Retrieves the Tivoli Access Manager WebSEAL package name and returns the name value to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.
    status
        Returns the status value to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.
    unconfig
        Unconfigures a WebSEAL server instance.

-cert_label cert_label
    Specifies the LDAP client certificate label. This option is used only when SSL communication is enabled between WebSEAL and an LDAP server (-ssl_yn yes). Note that SSL between WebSEAL and the LDAP server does not require an LDAP client certificate, so this label is optional even when amwebcfg is called with -ssl_yn yes. When the client label is not specified, SSL uses the default certificate contained in the key file. Used with -action config.

-doc_root doc_root
    Specifies the Web document root directory. The directory must already exist. Used with -action config.

    When this option is not supplied on the command line, amwebcfg creates a default directory. The default directory path includes the instance name, prefixed by www-. For example, when the instance name is web1 and doc_root is not specified on the command line, the following directory is created:

    UNIX:     /opt/pdweb/www-web1/docs
    Windows:  installation_directory\pdweb\www-web1\docs

    When the first WebSEAL server instance is configured, the default server instance name of default is accepted, and no value for doc_root is supplied, amwebcfg creates the following Web document root directory:

    UNIX:     /opt/pdweb/www-default/docs
    Windows:  installation_directory\pdweb\www-default\docs

-help [options]
    When specified without an argument, lists each option and a one-line description of it. When one or more options are specified as arguments, amwebcfg lists each specified option and a one-line description of it.

-host host_name
    Specifies the host name that is used by the Tivoli Access Manager policy server to contact a WebSEAL server. This option is required for -action config. When this option is not specified on the command line, amwebcfg prompts the user to supply the value. Valid values for host_name include any valid IP host name. For example:

    libra.dallas.ibm.com

-http_yn {yes|no}
    Specifies whether HTTP access is allowed to the WebSEAL server instance. This option is required for -action config. The valid Boolean indicators are yes or no. There is no default value. When this option is not specified on the command line, amwebcfg prompts the user to supply the value.

-http_port http_port
    Specifies the port number for unsecured HTTP access. The default port is 80. This option is required for -action config when -http_yn is set to yes. When -http_yn is set to yes and this option is not specified on the command line, amwebcfg prompts the user to supply the value.

-https_yn {yes|no}
    Specifies whether HTTPS access is allowed to the WebSEAL server instance. This option is required for -action config. The valid Boolean indicators are yes or no. There is no default value. When this option is not specified on the command line, amwebcfg prompts the user to supply the value.

-https_port https_port
    Specifies the port number for secure HTTP (HTTPS) access. The default port is 443. This option is required for -action config when -https_yn is set to yes. When -https_yn is set to yes and this option is not specified on the command line, amwebcfg prompts the user to supply the value.

-inst_name instance_name
    Specifies the name of the WebSEAL server instance as a string, for example, web1. This string does not include the host name. This option is required for -action config. The maximum length of an instance name is 20 characters. The following characters are allowed:

    • ASCII letters (A-Z or a-z) and digits (0-9), as in the example names web1 and webseal1
    • Period ( . )
    • Dash ( - )
    • Underscore ( _ )

    When using the GUI to configure the first WebSEAL server instance, amwebcfg supplies a default instance name of default. You can change this instance name to another name (for example, webseal1).

-interactive
    Specifies that the configuration is to be done interactively by the administrator. amwebcfg displays a text-based menu and presents a series of prompts to obtain the necessary configuration information from the administrator.

    Note: Interactive mode is supported only on UNIX. When -interactive is used on Windows systems, an error message states that the option is not supported.

-ip_address ip_address
    Specifies the logical network interface, which is the IP address for the WebSEAL server. This option is required with -action config only when -nw_interface_yn is set to yes. When -nw_interface_yn is set to yes and -ip_address is not specified, amwebcfg prompts the user to supply an IP address.

-key_file key_file
    Specifies the LDAP SSL key file. This option is required with -action config only when SSL communication is enabled between the WebSEAL server and an LDAP server.

-key_file_pwd key_file_pwd
    Specifies the LDAP SSL key file password. This option is required with -action config only when SSL communication is enabled between the WebSEAL server and the LDAP server.

-listening_port am_listening_port
    Specifies the listening port number for the Tivoli Access Manager policy server. This listening port is the port on which the WebSEAL server and the policy server communicate. The port must be greater than 1024 and must be available for use. This option is required with -action config. When this option is not supplied on the command line, amwebcfg prompts the user to supply a value.

-nw_interface_yn {yes|no}
    Specifies whether to use a logical network interface. The valid Boolean indicators are yes or no. This argument is required with -action config when adding an additional WebSEAL server instance. There is no default value. When this option is not supplied on the command line, amwebcfg prompts the user to supply a value.

-operations
    Prints out all the valid command line options.

-rspfile response_file
    Provides the fully qualified path and file name for the WebSEAL server response file to use during silent configuration. A response file can be used for configuration or unconfiguration. There is no default response file name. The response file contains stanzas and option=value pair stanza entries. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

-ssl_port ssl_port
    The port number on which SSL communication takes place between the WebSEAL server and the LDAP server. The default port is 636. This option is required only when -ssl_yn is set to yes as part of -action config. When -ssl_yn is set to yes and this option is not supplied on the command line, amwebcfg prompts the user to supply a value.

-ssl_yn {yes|no}
    Specifies whether to enable SSL communication between the WebSEAL server and the LDAP server. The valid Boolean indicators are yes or no. This option is required with -action config. There is no default value. When this option is not supplied on the command line, amwebcfg prompts the user to supply a value.

-usage
    Displays the usage syntax for this command. Also displays an example.

-?
    Displays the usage syntax for this command. Also displays an example.

Comments

Use amwebcfg to configure a WebSEAL server instance from the command line. The utility can be run in interactive mode, command line mode, or response file mode.

In interactive mode, the user is prompted to supply the necessary values.

In command line mode, all options can be specified from the command line. The utility prompts for any required options that are not specified, with the exception of certificate labels and document roots; these options receive default values when not specified.

In response file mode, the utility obtains the necessary options from the response file. When the response file does not contain a necessary option, the user is prompted to supply it. The response file must be created manually.

The examples that follow also pass the Tivoli Access Manager administrator identity and password with -admin_id and -admin_pwd.

Examples

• The following example, entered as one continuous command, configures a WebSEAL instance with SSL communication enabled with an LDAP server:

    amwebcfg -action config -inst_name default -host diamond.subnet2.ibm.com -listening_port 7234 -admin_id sec_master -admin_pwd mypassw0rd -ssl_yn yes -key_file /tmp/client.kdb -key_file_pwd mypassw0rd -cert_label ibm_cert -ssl_port 636 -http_yn yes -http_port 80 -https_yn yes -https_port 443 -doc_root /usr/docs

• The following example, entered as one continuous command, configures a WebSEAL instance to use a logical network interface, and does not enable SSL communication with an LDAP server:

    amwebcfg -action config -host emerald.subnet2.ibm.com -listening_port 7235 -inst_name web1 -nw_interface_yn yes -ip_address 192.0.2.22 -admin_id sec_master -admin_pwd mypassw0rd -ssl_yn no -http_yn yes -http_port 81 -https_yn yes -https_port 444

• The following example unconfigures the default WebSEAL instance:

    amwebcfg -action unconfig -admin_id sec_master -admin_pwd mypassw0rd

• The following example, entered on one line, unconfigures a WebSEAL instance named web1:

    amwebcfg -action unconfig -inst_name web1 -admin_id sec_master -admin_pwd mypassw0rd
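The following Python is an added example, not part of the IBM reference or of amwebcfg itself. It assembles an amwebcfg -action config command line from a dictionary of options and enforces the constraints documented in the Parameters section before anything is run: the instance-name length and character set, the policy-server listening port above 1024, the options that become required only when -http_yn, -https_yn, -ssl_yn or -nw_interface_yn is yes, the documented default ports, and the default document root derived from the instance name. The sample settings are constructed, and the Windows default install path is taken from the Availability section; the function names are this example's own.

```python
"""Assemble and sanity-check an `amwebcfg -action config` command line.

Added example, not part of the IBM reference. It encodes the constraints this
page states for amwebcfg so that a scripted configuration fails early instead
of stopping at an interactive prompt. All sample values are constructed.
"""
import re
import shlex
from typing import Dict, List

# Options that are always required for -action config.
REQUIRED = ("-host", "-listening_port", "-inst_name", "-ssl_yn", "-http_yn", "-https_yn")
YES_NO = ("-ssl_yn", "-http_yn", "-https_yn", "-nw_interface_yn")

# Options that are required only when the governing yes/no option is yes.
CONDITIONAL = {
    "-http_yn": ("-http_port",),
    "-https_yn": ("-https_port",),
    "-ssl_yn": ("-key_file", "-key_file_pwd", "-ssl_port"),  # -cert_label stays optional
    "-nw_interface_yn": ("-ip_address",),
}
DEFAULT_PORTS = {"-http_port": "80", "-https_port": "443", "-ssl_port": "636"}

# Emission order follows the syntax line; -admin_id/-admin_pwd follow the examples.
ORDER = (
    "-host", "-listening_port", "-inst_name", "-nw_interface_yn", "-ip_address",
    "-admin_id", "-admin_pwd", "-ssl_yn", "-key_file", "-key_file_pwd", "-cert_label",
    "-ssl_port", "-http_yn", "-http_port", "-https_yn", "-https_port", "-doc_root",
)
SECRET_OPTIONS = ("-key_file_pwd", "-admin_pwd")

# Up to 20 characters: ASCII letters, digits, period, dash, underscore.
_INSTANCE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,20}$")


def valid_instance_name(name: str) -> bool:
    return bool(_INSTANCE_NAME.match(name))


def default_doc_root(inst_name: str, platform: str = "unix") -> str:
    """Default document root: www-<instance>/docs under the WebSEAL install tree."""
    if platform == "windows":
        return r"C:\Program Files\Tivoli\pdweb\www-" + inst_name + r"\docs"
    return f"/opt/pdweb/www-{inst_name}/docs"


def build_amwebcfg_config(opts: Dict[str, str], platform: str = "unix") -> List[str]:
    """Return the argv list for amwebcfg -action config, or raise ValueError."""
    o = dict(opts)
    missing = [k for k in REQUIRED if k not in o]
    if missing:
        raise ValueError("missing required options: " + " ".join(missing))
    for flag in YES_NO:
        if flag in o and o[flag] not in ("yes", "no"):
            raise ValueError(f"{flag} must be yes or no, got {o[flag]!r}")
    if not valid_instance_name(o["-inst_name"]):
        raise ValueError(f"invalid instance name {o['-inst_name']!r}")
    if not o["-listening_port"].isdigit() or int(o["-listening_port"]) <= 1024:
        raise ValueError("-listening_port must be a port number greater than 1024")
    needed = []
    for flag, deps in CONDITIONAL.items():
        if o.get(flag) != "yes":
            continue
        for dep in deps:
            if dep not in o:
                if dep in DEFAULT_PORTS:
                    o[dep] = DEFAULT_PORTS[dep]  # documented default, avoids a prompt
                else:
                    needed.append(dep)
    if needed:
        raise ValueError("options required by a yes setting are missing: " + " ".join(needed))
    o.setdefault("-doc_root", default_doc_root(o["-inst_name"], platform))
    argv = ["amwebcfg", "-action", "config"]
    for flag in ORDER:
        if flag in o:
            argv += [flag, str(o[flag])]
    return argv


def secrets_on_command_line(argv: List[str]) -> List[str]:
    """Password options present in argv; these show up in process listings and shell history."""
    return [flag for flag in SECRET_OPTIONS if flag in argv]


# Constructed sample: a second WebSEAL instance on its own interface, no LDAP SSL.
SAMPLE = {
    "-host": "emerald.subnet2.ibm.com",
    "-listening_port": "7235",
    "-inst_name": "web1",
    "-nw_interface_yn": "yes",
    "-ip_address": "192.0.2.22",
    "-admin_id": "sec_master",
    "-ssl_yn": "no",
    "-http_yn": "yes",
    "-http_port": "81",
    "-https_yn": "yes",
    "-https_port": "444",
}

if __name__ == "__main__":
    command = build_amwebcfg_config(SAMPLE)
    print(shlex.join(command))
    if secrets_on_command_line(command):
        print("warning: passwords on the command line; prefer -rspfile or -interactive")
```

The secrets_on_command_line check is the practical caveat: -key_file_pwd and -admin_pwd passed as arguments are readable by other local users through the process list, so for unattended runs prefer a response file with restrictive permissions, and for hands-on runs use -interactive on UNIX.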

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/pdweb/bin/amwebcfg
• On Windows systems: c:\Program Files\Tivoli\pdweb\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference, which lists the Tivoli Access Manager error messages by decimal or hexadecimal code.

AMWLSConfigure -action config

Configures Tivoli Access Manager for WebLogic Server.

Syntax

AMWLSConfigure -action config -domain_admin domain_admin -domain_admin_pwd domain_admin_password -remote_acl_user remote_acl_user -sec_master_pwd sec_master_pwd -pdmgrd_host pdmgrd_host -pdacld_host pdacld_host [-deploy_extension {true|false}] [-wls_server_url wls_server_url] [-am_domain am_domain] [-pdmgrd_port pdmgrd_port] [-pdacld_port pdacld_port] [-amwls_home amwls_home] [-verbose {true|false}]

Parameters

-am_domain am_domain
    Specifies the name of the Tivoli Access Manager domain. The default domain is Default.

-amwls_home amwls_home
    Specifies the path to the Tivoli Access Manager for WebLogic Server installation directory.

-deploy_extension {true|false}
    Deploys the Tivoli Access Manager for WebLogic Server version 5.1 console extension when set to true. The default value is true.

-domain_admin domain_admin
    Specifies the WebLogic domain administrator.

-domain_admin_pwd domain_admin_password
    Specifies the WebLogic domain administrator password.

-pdacld_host pdacld_host
    Specifies the Tivoli Access Manager authorization server host name.

-pdacld_port pdacld_port
    Specifies the Tivoli Access Manager authorization server port number. The default port number is 7136.

-pdmgrd_host pdmgrd_host
    Specifies the Tivoli Access Manager policy server host name.

-pdmgrd_port pdmgrd_port
    Specifies the Tivoli Access Manager policy server port number. The default port number is 7135.

-remote_acl_user remote_acl_user
    Specifies the Tivoli Access Manager principal that is created for the authorization server.

-sec_master_pwd sec_master_pwd
    Specifies the Tivoli Access Manager administrative user password (the administrative user is normally sec_master).

-verbose {true|false}
    Enables verbose output when set to true. The default value is false.

-wls_server_url wls_server_url
    Specifies the URL for the local WebLogic Server. The default is t3://localhost:7001.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/pdwls/sbin/
• On Windows systems: C:\Program Files\Tivoli\pdwls\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.

AMWLSConfigure -action unconfig

Unconfigures Tivoli Access Manager for WebLogic Server.

Syntax

AMWLSConfigure -action unconfig -domain_admin_pwd domain_admin_pwd -sec_master_pwd sec_master_pwd [-verbose {true|false}]

Parameters

-domain_admin_pwd domain_admin_pwd
    Specifies the WebLogic domain administrator password.

-sec_master_pwd sec_master_pwd
    Specifies the Tivoli Access Manager administrative user password (the administrative user is usually sec_master).

-verbose {true|false}
    Enables verbose output when set to true. The default value is false.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/pdwls/sbin/
• On Windows systems: C:\Program Files\Tivoli\pdwls\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.

AMWLSConfigure -action create_realm

Creates the security realm in WebLogic Server.

Syntax

AMWLSConfigure -action create_realm -realm_name realm_name -domain_admin_pwd domain_admin_pwd -user_dn_suffix user_dn_suffix -group_dn_suffix group_dn_suffix -admin_group admin_group [-user_dn_prefix user_dn_prefix] [-group_dn_prefix group_dn_prefix] [-sso_enabled {true|false}] [-sso_user sso_user] [-sso_pwd sso_pwd] [-verbose {true|false}]

Parameters

-admin_group admin_group
    Specifies the Tivoli Access Manager group to use for internal configuration purposes.

-domain_admin_pwd domain_admin_pwd
    Specifies the WebLogic domain administrator password.

-group_dn_prefix group_dn_prefix
    Specifies the distinguished name (DN) prefix to use when creating groups.

-group_dn_suffix group_dn_suffix
    Specifies the distinguished name (DN) suffix to use when creating groups.

-realm_name realm_name
    Specifies the name of the WLS realm being created.

-sso_enabled {true|false}
    Enables single signon support when set to true. The default value is false.

-sso_pwd sso_pwd
    Specifies the password for the single signon user (sso_user).

-sso_user sso_user
    Specifies the user for creating the single signon trust association with Tivoli Access Manager.

-user_dn_prefix user_dn_prefix
    Specifies the distinguished name (DN) prefix to use when creating users.

-user_dn_suffix user_dn_suffix
    Specifies the distinguished name (DN) suffix to use when creating users.

-verbose {true|false}
    Enables verbose output when set to true. The default value is false.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/pdwls/sbin/
• On Windows systems: C:\Program Files\Tivoli\pdwls\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.

AMWLSConfigure -action delete_realm

Deletes the security realm from WebLogic Server.

Syntax

AMWLSConfigure -action delete_realm -domain_admin_pwd domain_admin_pwd [-registry_clean {true|false}] [-verbose {true|false}]

Parameters

-domain_admin_pwd domain_admin_pwd
    Specifies the WebLogic domain administrator password.

-registry_clean {true|false}
    Removes the users and groups that were created during configuration when set to true. The default value is false.

-verbose {true|false}
    Enables verbose output when set to true. The default value is false.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/pdwls/sbin/
• On Windows systems: C:\Program Files\Tivoli\pdwls\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.

amwpmcfg

Configures, unconfigures, retrieves the package name for, or provides status for Web Portal Manager.

Syntax

amwpmcfg -action config -host policy_server_host [-port policy_server_port] -waspath websphere_installation_path [-admin_id admin_id -admin_pwd admin_password]

amwpmcfg -action config -interactive

amwpmcfg -action config -rspfile response_file

amwpmcfg -action unconfig -rspfile response_file

amwpmcfg -action unconfig [-admin_id admin_id -admin_pwd admin_password] -host policy_server_host [-port policy_server_port] -waspath websphere_installation_path

amwpmcfg -action unconfig -interactive [-admin_id admin_id -admin_pwd admin_password]

amwpmcfg -action status [-admin_id admin_id -admin_pwd admin_password]

amwpmcfg -operations

amwpmcfg -help [options]

amwpmcfg -usage

amwpmcfg -?

Parameters

-action {config|name|status|unconfig}
    Specifies the action to be performed. Actions include:

    config
        Configures the Tivoli Access Manager Web Portal Manager.
    name
        Retrieves the Tivoli Access Manager Web Portal Manager package name and returns the name value to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.
    status
        Determines the configuration status for Tivoli Access Manager Web Portal Manager and returns the status to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.
    unconfig
        Unconfigures the Tivoli Access Manager Web Portal Manager.

-admin_id admin_id
    Logs you in as the user admin_id. If you do not specify this option, you are prompted for it.

-admin_pwd admin_password
    Specifies the password for the user admin_id. If you do not specify this option, you are prompted for a password. This option cannot be used unless the -action config or -action unconfig option is used.

-host policy_server_host
    Specifies the Tivoli Access Manager policy server host name. Valid values for policy_server_host include any valid IP host name. Example:

    host = libra.dallas.ibm.com

-help [option]
    Provides online help for one or more command options by displaying descriptions of the valid command line options.

-interactive
    Specifies interactive mode, using a graphical interface to configure the Tivoli Access Manager Web Portal Manager. If not specified, the configuration program runs in non-interactive (silent) mode.

-operations
    Prints out all the valid command line options.

-port policy_server_port
    Specifies the Tivoli Access Manager policy server port number. The default value is 7135.

-rspfile response_file
    Provides the fully qualified path and file name for the Web Portal Manager response file to use during silent configuration. A response file can be used for configuration or unconfiguration. There is no default response file name. The response file contains stanzas and option=value pair stanza entries. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

-usage
    Displays the usage syntax for this command. Also displays an example.

-waspath websphere_installation_path
    Specifies the path to the IBM WebSphere Application Server directory. The websphere_installation_path is validated by checking for the existence of the /bin/wsadmin script file and the /java/jre/lib/ext/PD.jar file. The configuration cannot continue if the required version of WebSphere Application Server is not installed.

-?
    Displays the usage syntax for this command. Also displays an example.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference, which lists the Tivoli Access Manager error messages by decimal or hexadecimal code.

bassslcfg -add_replica

Adds an authorization server replica.

Note: This command option, used in previous versions of Tivoli Access Manager products, is deprecated.

Syntax

bassslcfg -add_replica -h host_name -p server_port -r replica_rank

Parameters

-h host_name
    Specifies the TCP host name of a server replica. Valid values for host_name include any valid IP host name. Examples:

    host = libra
    host = libra.dallas.ibm.com

-p server_port
    Specifies the port number on which the replica server listens for requests. The default value is 7136.

-r replica_rank
    Specifies the replica order of preference among other replicas. The default value is 10. Replica servers with higher rankings are used preferentially. For example, a resource manager contacts a replica server with a ranking of 10 before contacting a replica server with a ranking of 9.

Availability

This

command

is

located

in

the

following

default

installation

directories:

v

On

UNIX

systems:

/opt/PolicyDirector/sbin/

v

On

Windows

systems:

c:\Program

Files\Tivoli\Policy

Director\sbin\

When

an

installation

directory

other

than

the

default

is

selected,

this

utility

is

located

in

the

sbin

directory

under

the

installation

directory

(for

example,

install_dir\sbin\).

Return

codes

The

following

exit

status

codes

can

be

returned:

0

The

command

completed

successfully.

1

The

command

failed.

When

a

command

fails,

a

description

of

the

error

and

an

error

status

code

in

hexadecimal

format

is

provided

(for

example,

0x15c3a00c).

Refer

to

the

IBM

Tivoli

Access

Manager

Error

Message

Reference.

This

reference

provides

a

list

of

the

Tivoli

Access

Manager

error

messages

by

decimal

or

hexadecimal

codes.

196

IBM

Tivoli

Access

Manager

for

e-business:

Command

Reference

bassslcfg

–chgpwd

Changes

the

key

database

password.

A

new

random

password

is

generated

and

saved

in

the

stash

file.

Syntax

bassslcfg

–chgpwd

–e

pwd_life

Parameters

–e

pwd_life

Sets

the

key

file

password

expiration

time

in

days.

This

parameter

is

required.

v

Specify

0

if

you

want

to

use

the

currently

configured

value.

v

Specify

7299

days

if

the

currently

configured

value

cannot

be

determined.

v

Otherwise,

valid

values

for

pwd_life

are

from

1

to

7299

days.

Availability

This

command

is

located

in

the

following

default

installation

directories:

v

On

UNIX

systems:

/opt/PolicyDirector/sbin/

v

On

Windows

systems:

c:\Program

Files\Tivoli\Policy

Director\sbin\

When

an

installation

directory

other

than

the

default

is

selected,

this

utility

is

located

in

the

sbin

directory

under

the

installation

directory

(for

example,

install_dir\sbin\).

Return

codes

The

following

exit

status

codes

can

be

returned:

0

The

command

completed

successfully.

1

The

command

failed.

When

a

command

fails,

a

description

of

the

error

and

an

error

status

code

in

hexadecimal

format

is

provided

(for

example,

0x15c3a00c).

Refer

to

the

IBM

Tivoli

Access

Manager

Error

Message

Reference.

This

reference

provides

a

list

of

the

Tivoli

Access

Manager

error

messages

by

decimal

or

hexadecimal

codes.

Chapter

2.

Tivoli

Access

Manager

utilities

197

bassslcfg

–chg_replica

Changes

a

Tivoli

Access

Manager

replica

server

attributes.

The

replica

host

name

is

used

to

identify

the

replica

server

and

cannot

be

changed

by

this

command.

Note:

This

command

option,

which

was

used

in

previous

version

of

Tivoli

Access

Manager

products,

is

deprecated.

Syntax

bassslcfg

–chg_replica

—h

host_name

[–p

server_port

–r

replica_rank]

Parameters

–h

host_name

Specifies

the

TCP

host

name

of

a

server

replica.

Valid

values

for

host_name

include

any

valid

IP

host

name.

Examples:

host

=

libra

host

=

libra.dallas.ibm.com

–p

server_port

Specifies

the

port

number

on

which

the

replica

server

listens

for

requests.

The

default

value

is

7136

–r

replica_rank

Specifies

the

replica

order

of

preference

among

other

replicas.

The

default

value

is

10.

Replica

servers

with

higher

rankings

are

used

preferentially.

For

example,

a

resource

manager

contacts

a

replica

server

with

a

ranking

of

10

before

contacting

a

replica

server

with

a

ranking

of

9.
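The rank rule described for -r (here and under -add_replica) is easier to see in code. The Python model below of the replica table is an added example and is not code from the product or from this reference: the ReplicaTable class, the host-name and port checks and the sample hosts are assumptions made for the illustration, while the 7136 and 10 defaults, the host name as the immutable key, and the higher-rank-first contact order come from the text.

```python
"""Model of the replica table that bassslcfg -add_replica and -chg_replica
maintain, using the defaults and the rank rule stated in the reference.
Added example; this is not code from the product."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_REPLICA_PORT = 7136   # -p default for a replica
DEFAULT_REPLICA_RANK = 10     # -r default


@dataclass
class Replica:
    host: str
    port: int = DEFAULT_REPLICA_PORT
    rank: int = DEFAULT_REPLICA_RANK


def check_host(host: str) -> str:
    """Accept plain IP host names such as libra or libra.dallas.ibm.com
    (assumed rule: dot-separated labels of letters, digits and hyphens)."""
    labels = host.split(".")
    ok = bool(host) and all(
        lbl and all(c.isalnum() or c == "-" for c in lbl) for lbl in labels)
    if not ok:
        raise ValueError(f"invalid host name: {host!r}")
    return host


def check_port(port: int) -> int:
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


class ReplicaTable:
    """Replicas keyed by host name: the host name identifies a replica and
    cannot be changed once added, exactly as -chg_replica documents."""

    def __init__(self) -> None:
        self._replicas: Dict[str, Replica] = {}

    def add_replica(self, host: str, port: int = DEFAULT_REPLICA_PORT,
                    rank: int = DEFAULT_REPLICA_RANK) -> Replica:
        host = check_host(host)
        if host in self._replicas:
            raise ValueError(f"replica {host} already exists; use chg_replica")
        rep = Replica(host, check_port(port), int(rank))
        self._replicas[host] = rep
        return rep

    def chg_replica(self, host: str, port: Optional[int] = None,
                    rank: Optional[int] = None) -> Replica:
        rep = self._replicas.get(check_host(host))
        if rep is None:
            raise KeyError(f"no replica named {host}")
        if port is not None:
            rep.port = check_port(port)
        if rank is not None:
            rep.rank = int(rank)
        return rep

    def rmv_replica(self, host: str) -> None:
        # removal is likewise keyed by host name
        del self._replicas[check_host(host)]

    def contact_order(self) -> List[str]:
        """Hosts in the order a resource manager tries them: higher rank first.
        The sort is stable, so replicas of equal rank keep insertion order
        (the reference does not say how ties are broken; this is an assumption)."""
        ordered = sorted(self._replicas.values(), key=lambda r: -r.rank)
        return [r.host for r in ordered]


def demo() -> List[str]:
    # constructed sample replica set
    table = ReplicaTable()
    table.add_replica("libra")                              # rank 10
    table.add_replica("libra.dallas.ibm.com", rank=9)
    table.add_replica("virgo", port=7137)                   # rank 10
    table.chg_replica("libra.dallas.ibm.com", rank=11)      # promote it
    return table.contact_order()


if __name__ == "__main__":
    print(demo())  # ['libra.dallas.ibm.com', 'libra', 'virgo']
```

Raising the rank of libra.dallas.ibm.com to 11 moves it ahead of the two rank-10 replicas, which is the preference rule the parameter description gives; lowering a rank has the opposite effect without touching the other entries.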

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

bassslcfg -config

Configures the Tivoli Access Manager runtime so as to allow the pdadmin and svrsslcfg utilities to communicate with the Tivoli Access Manager policy server (pdmgrd). Also creates a new key and stash file.

Syntax

    bassslcfg -config -c cert_file -h host_name [-p server_port] [-e pwd_life] [-t ssl_timeout] [-d primary_domain] [-a refresh_mode]

Parameters

-a refresh_mode
    Sets the key file password ssl-auto-refresh enabled flag in the pd.conf configuration file. The value of this parameter must be yes or no. The default value is no.

-c cert_file
    Specifies the name of the Tivoli Access Manager policy server base64-encoded, self-signed certificate.

-d primary_domain
    Specifies the local domain name. This domain must exist, and the administrator ID and password must be valid for this domain. If not specified, the local domain that was specified during Tivoli Access Manager runtime configuration will be used. The local domain value will be retrieved from the configuration file.

-e pwd_life
    Sets the key file password expiration time in days. This parameter is optional and defaults to 7299 days if not specified. Valid values for pwd_life are from 1 to 7299 days.

-h host_name
    Specifies the TCP host name of the Tivoli Access Manager policy server. Valid values for host_name include any valid IP host name. Examples:

        host = libra
        host = libra.dallas.ibm.com

-p server_port
    Specifies the listening port number of the Tivoli Access Manager policy server. The default value is 7135.

-t ssl_timeout
    Specifies the SSL session timeout in seconds. You can specify an ssl_timeout value from 1 to 86400 (seconds). The default value is 7200.
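Because -config, -modify and -chgpwd share the same value ranges, one validator can check all three before the utility is invoked. The Python below is an added example and not the product's code: the function names, the ISO date handling and the port check are assumptions, while the defaults (7135, 7299 days, 7200 seconds, refresh mode no), the ranges (1 to 7299 days, 1 to 86400 seconds, yes or no, an alphanumeric domain name without spaces) and the -chgpwd meaning of 0 are the ones this reference states. The certificate file name in the sample call is constructed.

```python
"""Check the values passed to bassslcfg -config (and the same options of
-modify and -chgpwd) against the ranges and defaults stated in the reference
before running the utility. Added example, not code from the product."""
from datetime import date, timedelta
from typing import Callable, List, Optional

POLICY_SERVER_PORT = 7135        # -p default for -config
DEFAULT_PWD_LIFE = 7299          # -e default for -config, and the -e ceiling
DEFAULT_SSL_TIMEOUT = 7200       # -t default for -config
SSL_TIMEOUT_MAX = 86400          # -t ceiling in seconds


def check_pwd_life(days: int) -> int:
    if not 1 <= days <= DEFAULT_PWD_LIFE:
        raise ValueError(f"pwd_life must be 1..{DEFAULT_PWD_LIFE} days, got {days}")
    return days


def check_ssl_timeout(seconds: int) -> int:
    if not 1 <= seconds <= SSL_TIMEOUT_MAX:
        raise ValueError(f"ssl_timeout must be 1..{SSL_TIMEOUT_MAX} s, got {seconds}")
    return seconds


def check_refresh_mode(mode: str) -> str:
    if mode not in ("yes", "no"):
        raise ValueError(f"refresh_mode must be yes or no, got {mode!r}")
    return mode


def check_domain(name: str) -> str:
    # -modify documents the local domain as an alphanumeric, case-sensitive
    # string that may not contain a space
    if not name or not name.isalnum():
        raise ValueError(f"invalid local domain name: {name!r}")
    return name


def check_port(port: int) -> int:
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def validation_error(check: Callable, value) -> Optional[str]:
    """Return the check's error message, or None when the value passes."""
    try:
        check(value)
    except ValueError as exc:
        return str(exc)
    return None


def config_argv(cert_file: str, host: str, port: int = POLICY_SERVER_PORT,
                pwd_life: int = DEFAULT_PWD_LIFE,
                ssl_timeout: int = DEFAULT_SSL_TIMEOUT,
                domain: Optional[str] = None,
                refresh_mode: str = "no") -> List[str]:
    """Build the bassslcfg -config command line with every value validated.
    -d is emitted only when a domain is given, so the local domain recorded
    at runtime configuration stays in effect otherwise."""
    argv = ["bassslcfg", "-config", "-c", cert_file, "-h", host,
            "-p", str(check_port(port)),
            "-e", str(check_pwd_life(pwd_life)),
            "-t", str(check_ssl_timeout(ssl_timeout))]
    if domain is not None:
        argv += ["-d", check_domain(domain)]
    argv += ["-a", check_refresh_mode(refresh_mode)]
    return argv


def chgpwd_pwd_life(requested: int, current: Optional[int]) -> int:
    """Resolve -e for -chgpwd: 0 keeps the currently configured lifetime, and
    the reference says to pass 7299 when that lifetime cannot be determined,
    so a 0 with an unknown current value is rejected rather than guessed."""
    if requested == 0:
        if current is None:
            raise ValueError("current pwd_life unknown: pass -e 7299 instead of 0")
        return current
    return check_pwd_life(requested)


def password_expiry(pwd_life_days: int, changed_on: str) -> str:
    """ISO date on which a key file password set on changed_on (ISO date)
    expires; handy for scheduling the next -chgpwd."""
    start = date.fromisoformat(changed_on)
    return (start + timedelta(days=check_pwd_life(pwd_life_days))).isoformat()


if __name__ == "__main__":
    # constructed sample values
    print(config_argv("/tmp/policy_server_cert.b64", "libra", ssl_timeout=3600))
    print(password_expiry(90, "2003-11-01"))  # 2004-01-30
```

The checks are deliberately the same ones a reviewer would apply to a change request for pd.conf: an out-of-range lifetime or timeout is rejected before anything touches the key or stash file, and the expiry helper turns the chosen lifetime into a date that can go on a rotation calendar.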

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

bassslcfg -getcacert

Downloads the root CA certificate to a file.

Syntax

    bassslcfg -getcacert -c cert_file -h host_name [-p server_port]

Parameters

-c cert_file
    Specifies the name of the Tivoli Access Manager policy server base64-encoded, self-signed certificate.

-h host_name
    Specifies the TCP host name of the Tivoli Access Manager policy server. Valid values for host_name include any valid IP host name. Examples:

        host = libra
        host = libra.dallas.ibm.com

-p server_port
    Specifies the listening port number of the Tivoli Access Manager policy server. The default value is 7135.
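The certificate that -getcacert saves is self-signed, so nothing inside the file proves which policy server it came from; comparing its fingerprint with a value obtained from the policy server's administrator, before -config is run with the file, is the usual check. The Python below is an added example (not the product's code) that assumes the file is in PEM form, with the base64 body between BEGIN CERTIFICATE and END CERTIFICATE lines; the sample DER bytes are constructed and are not a real certificate.

```python
"""Fingerprint the base64-encoded policy server certificate that
bassslcfg -getcacert writes, so the value can be compared out of band with
the policy server administrator before -config is run with that file.
Added example, not code from the product."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Extract and decode the first CERTIFICATE block; reject anything that is
    not valid base64 or does not start with the DER SEQUENCE tag (0x30) that
    every X.509 certificate begins with."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM CERTIFICATE block found")
    body = "".join(match.group(1).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE")
    return der


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, the form most
    certificate tools print."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_file(path: str, algorithm: str = "sha256") -> str:
    with open(path, "r", encoding="ascii") as fh:
        return fingerprint(pem_to_der(fh.read()), algorithm)


def looks_like_cert_file(pem_text: str) -> bool:
    try:
        pem_to_der(pem_text)
    except ValueError:
        return False
    return True


def matches_expected(pem_text: str, expected: str) -> bool:
    """Compare against the fingerprint obtained out of band, ignoring case and
    separator differences in how it was written down."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return norm(fingerprint(pem_to_der(pem_text))) == norm(expected)


# Constructed sample: a minimal DER SEQUENCE, not a real certificate, wrapped
# the way a base64 cert_file is.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode("ascii")
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprint(pem_to_der(SAMPLE_PEM)))
```

Run fingerprint_file on the cert_file written by -getcacert and compare the output with the value the policy server's administrator reads from the server itself; matches_expected tolerates the lower-case or space-separated forms in which such a value is often copied.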

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

bassslcfg -getmgtdomain

Retrieves the management domain name from the Tivoli Access Manager policy server and prints it to standard output (stdout).

Syntax

    bassslcfg -getmgtdomain -h host_name [-p server_port]

Parameters

-h host_name
    Specifies the TCP host name of the Tivoli Access Manager policy server. Valid values for host_name include any valid IP host name. Examples:

        host = libra
        host = libra.dallas.ibm.com

-p server_port
    Specifies the listening port number of the server. The default value is 7135.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

bassslcfg -modify

Modifies the Tivoli Access Manager policy server configuration.

Syntax

    bassslcfg -modify [-h host_name] [-e pwd_life] [-p server_port] [-t ssl_timeout] [-d primary_domain] [-a refresh_mode]

Parameters

-a refresh_mode
    Sets the key file password ssl-auto-refresh enabled flag in the pd.conf configuration file. The value of this parameter must be yes or no.

-d primary_domain
    Specifies the local domain name. A valid local domain name is an alphanumeric, case-sensitive string. String characters are expected to be characters that are part of the local code set. You cannot use a space in the domain name.

-e pwd_life
    Sets the key file password expiration time in days. This parameter is optional. Valid values for pwd_life are from 1 to 7299 days.

-h host_name
    Specifies the TCP host name of the Tivoli Access Manager policy server. Valid values for host_name include any valid IP host name. Examples:

        host = libra
        host = libra.dallas.ibm.com

-p server_port
    Specifies the listening port number of the Tivoli Access Manager policy server.

-t ssl_timeout
    Specifies the SSL session timeout in seconds. You can specify an ssl_timeout value from 1 to 86400 (seconds).

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

bassslcfg -ping

Pings a Tivoli Access Manager server.

Syntax

    bassslcfg -ping -h host_name [-p server_port]

Parameters

-h host_name
    Specifies the TCP host name of the Tivoli Access Manager policy server. Valid values for host_name include any valid IP host name. Examples:

        host = libra
        host = libra.dallas.ibm.com

-p server_port
    Specifies the listening port number of the Tivoli Access Manager server that you want to ping. The default value is 7135, which is the default listening port of the policy server.

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

bassslcfg -rmv_replica

Removes a Tivoli Access Manager replica server. The host name identifies the replica server to be removed.

Note: This command option, which was used in previous versions of Tivoli Access Manager products, is deprecated.

Syntax

    bassslcfg -rmv_replica -h host_name

Parameters

-h host_name
    Specifies the TCP host name of a server replica. Valid values for host_name include any valid IP host name. Examples:

        host = libra
        host = libra.dallas.ibm.com

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

cdsso_key_gen

Generates a key for use when encrypting and decrypting authentication tokens for Tivoli Access Manager WebSEAL's cross-domain single signon.

Syntax

    cdsso_key_gen path

Parameters

path
    Specifies the fully qualified path to the key file.

Comments

This utility generates a triple DES 192-bit key file. The key file is used as part of WebSEAL's cross-domain single signon solution.

WebSEAL's cross-domain single signon authentication solution makes use of authentication tokens. Authentication information about a user in a WebSEAL domain is collected by the built-in single signon authentication mechanism library. This information is placed in a token. This token must be encoded before it can be sent to a second WebSEAL domain. When it is received in the second WebSEAL domain, the token is decoded, and the authentication information about the user is accessed.

The tokens are encoded by use of a key file. The key file is generated by the cdsso_key_gen utility. When a key file has been generated, it must be manually copied to each WebSEAL server in each domain that participates in the cross-domain single signon solution.

Examples

    cdsso_key_gen /tmp/keyfile
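What a 192-bit triple DES key of the kind cdsso_key_gen produces has to look like, and how to keep the file readable only by its owner while it is generated and copied to each participating WebSEAL server, as an added Python example that is not the product's code. It assumes a raw 24-byte file layout, since the reference does not describe the format cdsso_key_gen writes; the odd-parity rule and the four DES weak keys are properties of DES itself, not of the product.

```python
"""Generate a 192-bit triple DES key of the size cdsso_key_gen produces, with
DES odd-parity bytes and the four DES weak keys excluded, and store it in a
file readable only by its owner. Added example, not the product's code; the
raw 24-byte file layout is an assumption, since the reference does not give
the key file format."""
import os
import secrets
import stat
import tempfile

KEY_BYTES = 24            # 192 bits: three 64-bit DES subkeys
SUBKEY_BYTES = 8

# DES keys whose round subkeys are all identical; DES implementations that
# check keys reject them, so they are never emitted here.
WEAK_DES_KEYS = {
    bytes.fromhex("0101010101010101"), bytes.fromhex("FEFEFEFEFEFEFEFE"),
    bytes.fromhex("E0E0E0E0F1F1F1F1"), bytes.fromhex("1F1F1F1F0E0E0E0E"),
}


def set_odd_parity(byte: int) -> int:
    """DES uses the top 7 bits of each key byte; the low bit is parity, chosen
    so the whole byte has an odd number of 1 bits."""
    high = byte & 0xFE
    return high | (0 if bin(high).count("1") % 2 else 1)


def has_odd_parity(key: bytes) -> bool:
    return all(bin(b).count("1") % 2 == 1 for b in key)


def subkeys(key: bytes):
    return [key[i:i + SUBKEY_BYTES] for i in range(0, KEY_BYTES, SUBKEY_BYTES)]


def is_acceptable(key: bytes) -> bool:
    """24 bytes, odd parity throughout, no weak subkey, and three distinct
    subkeys (K1 == K3 would reduce to two-key 3DES, K1 == K2 to single DES)."""
    if len(key) != KEY_BYTES or not has_odd_parity(key):
        return False
    parts = subkeys(key)
    return len(set(parts)) == 3 and not any(p in WEAK_DES_KEYS for p in parts)


def generate_3des_key() -> bytes:
    while True:
        key = bytes(set_odd_parity(b) for b in secrets.token_bytes(KEY_BYTES))
        if is_acceptable(key):
            return key


def write_key_file(path: str, key: bytes) -> None:
    # Create with mode 0600 from the start rather than chmod afterwards, so
    # there is no window in which the key is readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)


def read_key_file(path: str) -> bytes:
    with open(path, "rb") as fh:
        key = fh.read()
    if not is_acceptable(key):
        raise ValueError(f"{path} does not hold a usable 192-bit 3DES key")
    return key


def roundtrip_in_tempdir() -> bool:
    """Generate, store and reload a key; True when the stored copy is byte
    for byte the generated one and carries owner-only permissions."""
    key = generate_3des_key()
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "keyfile")
        write_key_file(path, key)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        return read_key_file(path) == key and (os.name != "posix" or mode == 0o600)


if __name__ == "__main__":
    print(generate_3des_key().hex())
```

read_key_file is the check worth running on every WebSEAL server after the manual copy the reference calls for: a truncated or text-mode-converted copy fails the length or parity test immediately, instead of surfacing later as tokens that one domain cannot decode.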

Availability

This command is located in the following default installation directories:

• On UNIX systems: /opt/pdwebrte/bin
• On Windows systems: C:\Program Files\Tivoli\pdweb\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

1
    The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

install_component

Expedites the installation and configuration of Tivoli Access Manager components.

Note: If you use Microsoft Active Directory on UNIX, or if the domain of the policy server is different from the domain of the local machine, IBM Directory Server is required on Tivoli Access Manager systems.

The easy installation executable files are also useful if you want to add a Tivoli Access Manager component or set up a system in an existing domain. All prerequisite products and Tivoli Access Manager components are installed and configured except for a platform-specific JRE, which must be installed manually.

To create a Tivoli Access Manager runtime easy installation response file, you must copy a template provided on the Tivoli Access Manager CD for the component from the rspfile directory on the CD-ROM drive to your hard drive and edit its values. For detailed information, including step-by-step scenarios, see the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

Ensure that you are familiar with the configuration options of the install_component executable files. Before running the install_component command, ensure that the component is supported on your platform.

Syntax

    install_amacld -options response_file [-silent]
    install_amadk -options response_file [-silent]
    install_amjrte -options response_file [-silent]
    install_ammgr -options response_file [-silent]
    install_amproxy -options response_file [-silent]
    install_amrte -options response_file [-silent]
    install_amwpm -options response_file [-silent]
    install_ldap_server -options response_file [-silent]
    install_db2 -options response_file [-silent]

Parameters

install_amacld
    Sets up a Tivoli Access Manager authorization server (pdacld) system with the following software packages:
    • IBM Global Security Kit
    • IBM Tivoli Directory Client (if needed for LDAP or Active Directory on UNIX)
    • Tivoli Access Manager runtime component
    • Tivoli Access Manager authorization server

install_amadk
    Sets up a Tivoli Access Manager Application Development Kit development system with the following software packages:
    • IBM Global Security Kit
    • IBM Tivoli Directory Client (if needed for LDAP or Active Directory on UNIX)
    • Tivoli Access Manager runtime component
    • Tivoli Access Manager Application Development Kit

install_amjrte
    Sets up a Java Runtime Environment (JRE) system with the following software packages:
    • Tivoli Access Manager Java runtime environment component (version 5.1)

install_ammgr
    Sets up the Tivoli Access Manager policy server (pdmgrd) system with the following software packages:
    • IBM Global Security Kit
    • IBM Tivoli Directory Client (if needed for LDAP on UNIX)
    • Tivoli Access Manager runtime component
    • Tivoli Access Manager policy server

install_amproxy
    Sets up the Tivoli Access Manager policy proxy server (pdproxyd) system with the following software packages:
    • IBM Global Security Kit
    • IBM Tivoli Directory Client
    • Tivoli Access Manager runtime component
    • Tivoli Access Manager policy server

install_amrte
    Sets up a Tivoli Access Manager runtime system. All prerequisite products and Tivoli Access Manager components are installed and configured except for a platform-specific JRE, which must be installed manually. Before running install_amrte, ensure that the install_amrte utility is supported on your platform and that you are familiar with its configuration options. The runtime system is set up with the following software packages:
    • IBM Global Security Kit
    • IBM Tivoli Directory Client (if needed for LDAP or Active Directory on UNIX)
    • Tivoli Access Manager runtime component
    • zSeries
    • Linux

install_amwebadk
    Sets up a Tivoli Access Manager Application Development Kit development system with the following software packages:
    • IBM Global Security Kit
    • IBM Tivoli Directory Client (if needed for LDAP or Active Directory on UNIX)
    • Tivoli Access Manager runtime component
    • Tivoli Access Manager Application Development Kit

install_amwpm
    Sets up the Web Portal Manager interface with the following software packages:
    • IBM WebSphere Application Server (version is dependent upon the platform used)
    • Tivoli Access Manager Java runtime component
    • Tivoli Access Manager Web Portal Manager

install_db2
    Sets up a DB2 system with the following software packages:
    • IBM DB2

    Note: On Solaris only, run install_db2 from IBM Directory Server CD #1, then run install_ldap_server from IBM Directory Server CD #2.

install_ldap_server
    Sets up an IBM Directory server system with the following software packages:
    • IBM Global Security Kit
    • IBM Tivoli Directory Client
    • IBM Tivoli Directory Server

    Note: You cannot use the install_ldap_server executable file if an existing version of IBM Directory Server is installed.

response_file
    Specifies a response file to perform a silent, unattended installation of Tivoli Access Manager components. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

Comments

Tivoli Access Manager easy installation files are supported for components other than the Base component, such as:
• install_amwls
• install_amwas
• install_amwebars
• install_amweb
• install_amwebadk
• install_amwpi_ihs
• install_amwpi_apache
• install_amwpi_iplanet
• install_amwpi_iis
• install_amwsl

The install_ampfs easy installation file is used to install the Provisioning Fast Start collection of utilities that can help you integrate Tivoli Access Manager with Tivoli Identity Manager. For more information, refer to the IBM Tivoli Access Manager for e-business IBM Tivoli Identity Manager Provisioning Fast Start Guide.

Return codes

The following exit status codes can be returned:

0
    The command completed successfully.

non-zero
    The command failed.

1003
    A reboot of the system is required.

ivrgy_tool

Updates the Tivoli Access Manager schema on the specified LDAP server. Normally the schema is automatically updated when the Tivoli Access Manager policy server (pdmgrd) is configured. When migrating an existing installation of Tivoli Access Manager, the schema on the LDAP server must be upgraded to the current version of Tivoli Access Manager using this utility.

Syntax

    ivrgy_tool -h host_name -p port -D ldap_admin_dn -w ldap_admin_pwd -d [-Z -K ldap-ssl-key-filename -P ldap-ssl-keyfile-password [-N ldap-ssl-keyfile-label]] schema

Parameters

-d
    Indicates verbose mode.

-D ldap_admin_dn
    Specifies the distinguished name of the LDAP administrator. The format for a distinguished name is similar to: cn=root

-h host_name
    Specifies the IP address or host name of the LDAP server. Valid values for host_name include any valid IP host name. Examples:

        host = libra
        host = libra.dallas.ibm.com

-K ldap-ssl-key-filename
    Specifies the fully qualified path and file name of the SSL key database. This parameter is required only if -Z is specified. Use the SSL key file to handle certificates that are used in LDAP communication. The file type can be anything, but the extension is usually .kdb.

        Example for Windows: C:\pd\keytab\ivmgrd.kdb
        Example for UNIX: /opt/PolicyDirector/keytab/ivmgrd.kdb

-N ldap-ssl-keyfile-label
    Specifies the label name of the client certificate in the SSL key database that is sent to the LDAP server if the LDAP server is configured to perform both server and client authentication during SSL establishment. This parameter is optional. This parameter is only valid when SSL is being used (indicated by using the -Z flag) and when the LDAP server has been configured to require client authentication. If the default Tivoli Access Manager key database is being used, the default client certificate label is PDLDAP.

-p port
    Specifies the port number of the LDAP server. For port, use the LDAP server-configured port number. The default port number is 636 if Secure Sockets Layer (SSL) is used and 389 if SSL is not used.

-P ldap-ssl-keyfile-password
    Specifies the password for the SSL key database. This parameter is required only if the -Z option is specified.

    Note: The password associated with the default SSL key file is key4ssl.

-w ldap_admin_pwd
    Specifies the password of the LDAP administrator.

-Z
    Indicates that SSL is used.

schema
    Indicates that the IBM Directory server should be updated with the Tivoli Access Manager schema. Only use this parameter when migrating a version of IBM Directory server prior to version 5.2.
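The option dependencies in the parameter list above (-K and -P only together with -Z, -N only with -Z, and a port default of 636 or 389 depending on SSL) can be enforced before the tool is run. The Python below is an added example and not the product's code: the function names are assumptions, -d is treated as an optional verbose switch as its description says, the sample values cn=root, /opt/PolicyDirector/keytab/ivmgrd.kdb, key4ssl and PDLDAP are the ones given in this reference, and the host and the administrator password are constructed.

```python
"""Assemble an ivrgy_tool command line with the option dependencies from the
reference enforced: -K and -P are required only with -Z, -N is valid only
with -Z, and -p defaults to 636 with SSL and 389 without. Added example, not
code from the product."""
from typing import List, Optional

LDAP_PORT = 389    # default -p without -Z
LDAPS_PORT = 636   # default -p with -Z


def ldap_port(ssl: bool, port: Optional[int] = None) -> int:
    if port is None:
        return LDAPS_PORT if ssl else LDAP_PORT
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def ivrgy_argv(host: str, admin_dn: str, admin_pwd: str,
               port: Optional[int] = None, verbose: bool = False,
               ssl: bool = False, key_file: Optional[str] = None,
               key_pwd: Optional[str] = None,
               key_label: Optional[str] = None) -> List[str]:
    """Return the argument vector for an ivrgy_tool ... schema run, or raise
    ValueError when the SSL-related options are inconsistent."""
    argv = ["ivrgy_tool", "-h", host, "-p", str(ldap_port(ssl, port)),
            "-D", admin_dn, "-w", admin_pwd]
    if verbose:
        argv.append("-d")
    if ssl:
        if key_file is None or key_pwd is None:
            raise ValueError("-Z requires both -K key_file and -P key_pwd")
        argv += ["-Z", "-K", key_file, "-P", key_pwd]
        if key_label is not None:       # only meaningful with client auth
            argv += ["-N", key_label]
    elif key_file or key_pwd or key_label:
        raise ValueError("-K, -P and -N are only valid together with -Z")
    argv.append("schema")
    return argv


def invocation_error(**kwargs) -> Optional[str]:
    """Error message for an inconsistent set of options, or None if valid."""
    try:
        ivrgy_argv(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # constructed sample: LDAP server "libra", administrator cn=root, SSL with
    # the default key database, its documented password and client label
    print(ivrgy_argv("libra", "cn=root", "secret", ssl=True,
                     key_file="/opt/PolicyDirector/keytab/ivmgrd.kdb",
                     key_pwd="key4ssl", key_label="PDLDAP"))
```

Both -w and -P put a secret into the argument list, which other local users can usually read from the process table, so assembling the command in a program rather than typing it interactively at least keeps those values out of shell history; a key database that still has the documented default password is also one to change before the server is exposed beyond the administration host.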

Comments

The

Tivoli

Access

Manager

schema

is

defined

in

a

set

of

files.

The

files

relate

to

the

type

of

LDAP

server

that

is

being

used.

These

files

contain

the

Tivoli

Access

Manager

LDAP

schema:

v

secschema.def

used

for

the

IBM

Directory

Server

v

nsschema.def

used

for

the

Sun

ONE

Directory

Server

v

novschema.def

used

for

the

Novell

eDirectory

Server

These

files

are

installed

as

part

of

the

Tivoli

Access

Manager

runtime

and

are

used

as

input

to

the

automatic

schema

update

process

when

you

configure

Tivoli

Access

Manager

policy

server.

Note:

The

administrator

can

also

apply

and

update

the

schema

by

using

these

files

as

the

LDAP

Data

Interchange

Format

(LDIF)

input

to

an

IBM

Directory

ldapmodify

command.

Return

codes

The

following

exit

status

codes

can

be

returned:

0

The

command

completed

successfully.

1

The

command

failed.

When

a

command

fails,

a

description

of

the

error

and

an

error

is

provided.

214

IBM

Tivoli

Access

Manager

for

e-business:

Command

Reference

migrateEAR4

Migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere Application Server version 4.0.6.

Syntax

migrateEAR4 –j absolute_pathname_to_application_EAR_file –c URI –a admin_ID –p admin_pwd –w Websphere_admin_ID –d user_registry_domain_suffix [–r root_objectspace_name] [–t ssl_timeout] [–e enterprise_application_name]

Parameters

–a admin_ID
Specifies the Tivoli Access Manager administrative user. This administrator must have the privileges required to create users, objects, and ACLs. For example, -a sec_master. This parameter is optional. When the parameter is not specified, the user is prompted to supply the administrative user name at runtime.

–c URI
Specifies the Uniform Resource Identifier (URI) location of the PdPerm.properties file that is configured by the pdwascfg utility. When WebSphere Application Server is installed in the default location, the URI is:
- Solaris, Linux, HP-UX: file:///opt/WebSphere/AppServer/java/jre/PdPerm.properties
- AIX: file:///usr/WebSphere/AppServer/java/jre/PdPerm.properties
- Windows
  WebSphere Application Server 4: file:///c:\WebSphere\AppServer\java\jre\PdPerm.properties
  WebSphere Application Server 5: file:///"c:\Program Files\WebSphere\AppServer\java\jre\PdPerm.properties"
When WebSphere Application Server is not installed in the default location on Windows systems, use %WAS_HOME% to indicate the installation directory:
file:/%WAS_HOME%\java\jre\PdPerm.properties

–d user_registry_domain_suffix
Specifies the domain suffix to be used by the user registry. For example, for LDAP user registries this is the domain suffix, such as: "o=ibm,c=us"
Note: Windows requires the domain suffix to be enclosed within quotes.

–e enterprise_application_name
Specifies the application name so that installed applications, which have a different display name from their installed name, are migrated correctly. If this option is not specified, the utility will attempt to figure out the application name by using either the .ear file or the .xml file. An application name can be changed at application deployment or later through the WebSphere console. This change will not be reflected in the EAR file. When the EAR file is not modified to reflect the new name, the wrong protected objects are created. Use the –e option to specify the name of the application as it is displayed on the WebSphere Application Server console.

–j absolute_pathname_to_application_EAR_file
Specifies the Java 2 Enterprise Edition application archive file. Optionally, this option can also be an EAR directory. For example, -j /tmp/test_application.EAR

–p admin_pwd
Specifies the password for the Tivoli Access Manager administrative user. The administrative user must have the privileges required to create users, objects, and ACLs. For example, you can specify the password for the -a sec_master administrative user as -p myPassword. This parameter is optional. When it is not specified, the user is prompted to supply the password for the administrative user name.

–r root_objectspace_name
Specifies the root object space name, which is the name of the root of the protected object namespace hierarchy that will be created for WebSphere Application Server. This parameter is optional. The default value for the root object space is WebAppServer. If a name other than the default is used, the PDWAS.properties file will need to be changed to access the correct object space. The action group name matches the root object space name. Thus, the action group name is automatically set when the root object space name is specified.

–t ssl_timeout
Specifies the number of minutes for the SSL timeout. This parameter is used to disconnect and reconnect the SSL context between the Tivoli Access Manager authorization server and policy server before the default connection times out. The default is 60 minutes. The minimum is 10 minutes. The maximum should not exceed the Tivoli Access Manager ssl-v3-timeout value. The default value for ssl-v3-timeout is 120 minutes. This parameter is optional. If you are not familiar with administration of this value, you can safely use the default value.

–w WebSphere_admin_ID
Specifies the administrative user name that was configured in the WebSphere Application Server security user registry field as the administrator. Access as this user is needed to create or update the Tivoli Access Manager protected object space. When the WebSphere administrative user does not already exist in the protected object space, it is created or imported. In this case, a random password is generated for the user and the account is set to invalid. This password will need to be changed to something known and the account set to valid. A protected object and ACL are created. The administrative user is added to group pdwas-admin with the following ACL attributes:
- T: traverse permission
- i: invoke permission
- WebAppServer: the action group name. WebAppServer is the default name.


Note that this action group name (and the matching root object space) can be overwritten when the migration utility is run with the –r option. The group pdwas-admin will need to be added to the admin role if migrating the admin.ear file.

Comments

This utility migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere. The utility is implemented as a shell script on UNIX systems and as a batch file on Windows systems. The script calls the Java class com.tivoli.pdas.migrate.Migrate. The script is dependent on finding the correct environment variables for the location of prerequisite software. The script calls Java with the following options:
- –Dpdwas.lang.home
  The directory containing the native language support libraries that are provided with Tivoli Access Manager for WebSphere. These are located in a subdirectory under the Tivoli Access Manager for WebSphere installation directory. For example: -Dpdwas.lang.home=%PDWAS_HOME%\java\nls
- –cp %CLASSPATH% com.tivoli.pdwas.migrate.Migrate
  CLASSPATH must be set correctly for your Java installation.

In addition, on Windows, both the –j option and the –c option can reference the variable %WAS_HOME% to determine where WebSphere Application Server is installed. This information is used to:
- Build the full path name of the enterprise archive file.
- Build the full URI path name to the location of the PdPerm.properties file.

Availability

This command is located in the following default installation directories:
- UNIX systems: /opt/amwas/bin/
- On Windows systems: C:\Program Files\Tivoli\amwas\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.


migrateEAR5

Migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere Application Server version 5.0.2.

Syntax

migrateEAR5 –j path –c URI –a admin_ID –p admin_pwd –w Websphere_admin_user –d user_registry_domain_suffix [–r root_objectspace_name] [–t ssl_timeout] [–e enterprise_application_name]

Parameters

–a admin_ID
Specifies the administrative user identifier. The administrative user must have the privileges required to create users, objects, and ACLs. For example, -a sec_master. This parameter is optional. When the parameter is not specified, the user is prompted to supply the administrative user name at runtime.

–c URI
Specifies the Uniform Resource Identifier (URI) location of the PdPerm.properties file that is configured by the pdwascfg utility. When WebSphere Application Server is installed in the default location, the URI is:
- Solaris, Linux, HP-UX: file:///opt/WebSphere/AppServer/java/jre/PdPerm.properties
- AIX: file:///usr/WebSphere/AppServer/java/jre/PdPerm.properties
- Windows
  WebSphere Application Server 4: file:/c:\WebSphere\AppServer\java\jre\PdPerm.properties
  WebSphere Application Server 5: file:///"c:\Program Files\WebSphere\AppServer\java\jre\PdPerm.properties"
When WebSphere Application Server is not installed in the default location on Windows systems, use %WAS_HOME% to indicate the installation directory:
file:///%WAS_HOME%\java\jre\PdPerm.properties

–d user_registry_domain_suffix
Specifies the domain suffix to be used by the user registry. For example, for LDAP user registries this is the domain suffix, such as: "o=ibm,c=us"
Note: Windows requires the domain suffix to be enclosed within quotes.

–e enterprise_application_name
Specifies the application name so that installed applications, which have a different display name from their installed name, are migrated correctly. If this option is not specified, the utility will attempt to figure out the application name by using either the .ear file or the .xml file. An application name can be changed at application deployment or later through the WebSphere console. This change will not be reflected in the EAR file. When the EAR file is not modified to reflect the new name, the wrong protected objects are created. Use the –e option to specify the name of the application as it is displayed on the WebSphere Application Server console.

–j path
Specifies the fully qualified path and file name of the Java 2 Enterprise Edition application archive file. Optionally, this path can also be a directory of an expanded enterprise application. For example, -j /tmp/test_application.EAR

–p admin_pwd
Specifies the password for the Tivoli Access Manager administrative user. The administrative user must have the privileges required to create users, objects, and ACLs. For example, you can specify the password for the -a sec_master administrative user as -p myPassword. This parameter is optional. When it is not specified, the user is prompted to supply the password for the administrative user name.

–r root_objectspace_name
Specifies the root object space name, which is the name of the root of the protected object namespace hierarchy that will be created for WebSphere Application Server. This parameter is optional. The default value for the root object space is WebAppServer. If a name other than the default is used, then the PDWAS.properties file will need to be changed to access the correct object space. The action group name matches the root object space name. Thus, the action group name is automatically set when the root object space name is specified.

–t ssl_timeout
Specifies the number of minutes for the SSL timeout. This parameter is used to disconnect and reconnect the SSL context between the Tivoli Access Manager authorization server and policy server before the default connection times out. The default is 60 minutes. The minimum is 10 minutes. The maximum should not exceed the Tivoli Access Manager ssl-v3-timeout value. The default value for ssl-v3-timeout is 120 minutes. This parameter is optional. If you are not familiar with administration of this value, you can safely use the default value.

–w WebSphere_admin_user
Specifies the user name that was configured in the WebSphere Application Server security user registry field as the administrator. Access permission for this user is needed to create or update the Tivoli Access Manager protected object space. When the WebSphere administrative user does not already exist in the protected object space, it is created or imported. In this case, a random password is generated for the user and the account is set to invalid. This password will need to be changed to something known and the account set to valid. A protected object and ACL are created. The administrative user is added to group pdwas-admin with the following ACL attributes:
- T: traverse permission
- i: invoke permission
- WebAppServer: the action group name. WebAppServer is the default name.


Note that this action group name (and the matching root object space) can be overwritten when the migration utility is run with the –r option. Add the group pdwas-admin to the administrator role if you are migrating the adminconsole.ear file.

Comments

This utility migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere. The utility is implemented as a shell script on UNIX systems and as a batch file on Windows systems. The script calls the Java class com.tivoli.pdas.migrate.Migrate. The script is dependent on finding the correct environment variables for the location of prerequisite software. The script calls Java with the following options:
- –Dpdwas.lang.home
  The directory containing the native language support libraries that are provided with Tivoli Access Manager for WebSphere. These are located in a subdirectory under the Tivoli Access Manager for WebSphere installation directory. For example: -Dpdwas.lang.home=%PDWAS_HOME%\java\nls
- –cp %CLASSPATH% com.tivoli.pdwas.migrate.Migrate
  CLASSPATH must be set correctly for your Java installation.

In addition, on Windows, both the –j option and the –c option can reference the variable %WAS_HOME% to determine where WebSphere Application Server is installed. This information is used to:
- Build the full path name of the enterprise archive file.
- Build the full URI path name to the location of the PdPerm.properties file.

Availability

This command is located in the following default installation directories:
- UNIX systems: /opt/amwas/bin/
- On Windows systems: C:\Program Files\Tivoli\amwas\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.


mgrsslcfg –chgcert

Renews the SSL certificate of the manager. A new public-private key pair and certificate are created and stored in the key database.

Syntax

mgrsslcfg –chgcert –l cert_life

Parameters

–l cert_life
Sets the maximum certificate expiration time in days. The actual time used will be the lesser of this value and the number of days before the policy server's CA certificate expires. The CA certificate lifetime is set to 7300 days at initial configuration of the policy server. This parameter is required.
- Specify 0 to use the currently configured value.
- Specify 365 days if the currently configured value cannot be determined.
- Otherwise, valid values for cert_life are from 1 to 7299 days.

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:
- On UNIX systems: /opt/PolicyDirector/sbin/
- On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


mgrsslcfg –chgpwd

Changes the key database password. A new random password is generated and saved in the stash file.

Syntax

mgrsslcfg –chgpwd –e pwd_life

Parameters

–e pwd_life
Sets the key file password expiration time in days. This parameter is required.
- Specify 0 with –chgpwd to use the currently configured value.
- Specify 183 days if the currently configured value cannot be determined.
- Otherwise, valid values for pwd_life are from 1 to 7299 days.

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:
- On UNIX systems: /opt/PolicyDirector/sbin/
- On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


mgrsslcfg –config

Performs full configuration, creating new key and stash files and generating new certificates for the Tivoli Access Manager policy server.

Syntax

mgrsslcfg –config [–e pwd_life] [–l cert_life] [–t ssl_timeout] [–D {yes|no}] [–a refresh_mode]

Parameters

–a refresh_mode
Sets the key file password ssl-auto-refresh enabled flag in the pd.conf configuration file. The value of this parameter must be yes or no. The default value is yes.

–D {yes|no}
Deprecated. Specifies whether hosts can download the secure domain's CA certificate. If you specify no, you must copy or transfer the pdcacert.b64 file to subsequent hosts in order to configure a Tivoli Access Manager runtime. The default value is no.

–e pwd_life
Sets the key file password expiration time in days. This parameter is optional and defaults to 183 days if not specified. Otherwise, valid values for pwd_life are from 1 to 7299 days.

–l cert_life
Sets the maximum certificate expiration time in days. The actual time used will be the lesser of this value and the number of days before the policy server's CA certificate expires. The CA certificate lifetime is set to 7300 days at initial configuration of the policy server. This parameter is optional and defaults to 365 days if not specified. Otherwise, the value must be 1 to 7299 days.

–t ssl_timeout
Specifies the SSL session timeout in seconds. You can specify an ssl_timeout value from 1 to 86400 (seconds). The default value is 7200.

Availability

This command is located in the following default installation directories:
- On UNIX systems: /opt/PolicyDirector/sbin/
- On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).


Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


mgrsslcfg –modify

Modifies the current configuration.

Syntax

mgrsslcfg –modify [–e pwd_life] [–l cert_life] [–t ssl_timeout] [–D {yes|no}] [–a refresh_mode]

Parameters

–a refresh_mode
Sets the key file password ssl-auto-refresh enabled flag in the pd.conf configuration file. The value of this parameter must be yes or no.

–D {yes|no}
Deprecated. Enables downloading of the secure domain's CA certificate. If no is specified, you must manually copy the pdcacert.b64 file to subsequent hosts before configuring the Tivoli Access Manager runtime component.

–e pwd_life
Sets the key file password expiration time in days. Valid values for pwd_life are from 1 to 7299 days.

–l cert_life
Sets the maximum certificate expiration time in days. The actual time used will be the lesser of this value and the number of days before the policy server's CA certificate expires. The CA certificate lifetime is set to 7300 days at initial configuration of the policy server. This parameter is optional. The value must be 1 to 7299 days.

–t ssl_timeout
Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range 1 to 86400 seconds.

Availability

This command is located in the following default installation directories:
- On UNIX systems: /opt/PolicyDirector/sbin/
- On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.

1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdbackup

Backs up, restores, and extracts Tivoli Access Manager data.

Syntax

pdbackup –action backup –list path_to_list_file [–path path] [–file filename]

pdbackup –action restore –file filename [–path path]

pdbackup –action extract –file filename –path path

pdbackup –usage

pdbackup –?

Parameters

Note that you can shorten an option name, but the abbreviation must be unambiguous. For example, you can type –a for –action or –l for –list. However, values for options cannot be shortened.

–action [backup|restore|extract]
Specifies whether to back up, restore, or extract data.

–file filename
Specifies one of the following:
- If specified with the –a backup option, specifies a file name other than the list_filename_date.time[.tar|.dar] default file name. The default name of the archive file is the name of the list that is used and includes a date and time stamp. For example:
  UNIX: /var/PolicyDirector/pdbackup/list_filename_date.time.tar
  Windows: C:\Program Files\Tivoli\PolicyDirector\pdbackup\list_filename_date.time.dar
- If specified with the –a restore option, specifies the name and fully qualified path of the archive file to restore. There is no default path. This option is required when using the –a restore option.
- If specified with the –a extract option, specifies the name and fully qualified path of the archive file to extract. There is no default path. This option is required when using the –a extract option.

–list path_to_list_file
Specifies the fully qualified path to either the archive or service list file (an ASCII file containing various stanzas). This option is required when using the –a backup option. Both the path and list file name depend on the component. Each component can have its own list in its own directory.
- On UNIX systems, the normal path is as follows: /opt/PolicyDirector/etc/pdbackup.lst
- On Windows systems, the normal path is as follows: C:\Program Files\Tivoli\PolicyDirector\etc\pdbackup.lst

–path path
Specifies an alternate directory in which to place the list file, such as:
- If specified with the –a backup option, specifies the path where you want backup files stored. If you do not specify a path when using the –a backup option, the default path is one of the following:
  On UNIX systems, the default path is as follows: /var/PolicyDirector/pdbackup/
  On Windows systems, the default path is as follows: amrte_install_dir\pdbackup\
  where amrte_install_dir specifies the directory where the Tivoli Access Manager runtime is installed.
- If specified with the –a restore option on UNIX systems only, indicates to restore archived files in the specified path. By default, the restore path is the directory used when backing up data. On Windows systems, the restore process does not support the –p option.
- If specified with the –a extract option, specifies the directory name where you want extracted files stored. There is no default path. The –p option is required when using the –a extract option.

–usage
Displays the usage syntax for this command. Also displays an example.

–?
Displays the usage syntax for this command. Also displays an example.

Comments

Use the pdbackup command to back up and restore Tivoli Access Manager data. As an alternative to a restore action, you can extract all archived files into a single directory. This command is most commonly used in three scenarios:
- Back up, restore, and extract of Tivoli Access Manager Base component files.
- Back up, restore, and extract of Tivoli Access Manager WebSEAL component files.
- Back up, restore, and extract of Tivoli Access Manager Web server component files.

Note that only three scenarios are discussed. However, you can back up, restore, and extract any Tivoli Access Manager Base component files, and any Tivoli Access Manager server files.

Backup of Tivoli Access Manager files

The backup action obtains the backup list file name to archive from the argument to the –file option. The date and time reflect the creation time of the file. When a service list file's name is not specified, a default service list file name is automatically used. For these scenarios, the component-specific backup list files are shown in Table 17. The backup list file is located in the pdbackup directory under the Tivoli Access Manager installation directory. You can use the –path option to specify an alternate directory in which to place the backup list file. The following table shows the backup list file's location when Tivoli Access Manager is installed in the component's default installation directory.


Table 17. Backup list files

Component                                       Platform   Backup list file
Tivoli Access Manager Base                      UNIX       /var/PolicyDirector/pdbackup/pdbackup.lst_ddmmmyyyy.hh_mm.tar
                                                Windows    amrte_install_dir\pdbackup\pdbackup.lst_ddmmmyyyy.hh_mm.dar
Tivoli Access Manager WebSEAL                   UNIX       /var/pdweb/pdbackup/amwebbackup.lst_ddmmmyyyy.hh_mm.tar
                                                Windows    amrte_install_dir\PDweb\pdbackup\amwebbackup.lst_ddmmmyyyy.hh_mm.dar
Tivoli Access Manager Plug-in for Web Servers   UNIX       /var/pdwebpi/pdbackup/pdwebpi.lst_ddmmmyyyy.hh_mm.tar
                                                Windows    amrte_install_dir\PDwebpi\pdbackup\pdwebpi.lst_ddmmmyyyy.hh_mm.dar

For example, a representative Tivoli Access Manager Base component backup list file name for UNIX would be backup.lst_14Oct2003.11_22.tar.

Backup of Tivoli Access Manager service information files

The backup action also creates a service list file name. The backup action obtains the service list file name to archive from the argument to the –file option. The date and time reflect the creation time of the service list file. When a service list file's name is not specified, a default service list file name is automatically used. For these scenarios, the component-specific backup list files are shown in Table 18. The location of the service list file can be specified using the –path option. If the location is not specified, a default location is used. The service list files are also located in the etc directory under the Tivoli Access Manager component's installation directory. The following table shows the service list file's location when Tivoli Access Manager is installed in the component's default installation directory.

Table 18. Service file list (pdinfo)

Component                                       Platform   Service file list
Tivoli Access Manager Base                      UNIX       /opt/PolicyDirector/etc/pdinfo.lst_ddmmmyyyy.hh_mm.tar
                                                Windows    C:\Program Files\Tivoli\PolicyDirector\etc\pdinfo.lst_ddmmmyyyy.hh_mm.dar
Tivoli Access Manager WebSEAL                   UNIX       /opt/pdweb/etc/pdinfo-amwebbackup.lst_ddmmmyyyy.hh_mm.tar
                                                Windows    C:\Program Files\Tivoli\PolicyDirector\etc\pdinfo-amwebbackup.lst_ddmmmyyyy.hh_mm.dar
Tivoli Access Manager Plug-in for Web Servers   UNIX       /opt/pdweb/etc/opt/pdwebpi/etc/pdinfo-pdwebpi.lst_ddmmmyyyy.hh_mm.tar
                                                Windows    C:\Program Files\Tivoli\PDWebpi\etc\pdinfo-pdwebpi.lst_ddmmmyyyy.hh_mm.dar


For

example,

a

representative

Tivoli

Access

Manager

Base

component

service

list

file

name

for

UNIT

would

be

pdinfo.lst_14Oct2003.11_22.tar.

Restore of Tivoli Access Manager files

When files are restored, the files are placed into a directory hierarchy. The location of the hierarchy is as follows:

• UNIX: Archived files are restored by default to the root directory (/), so each file returns to its original absolute path. You can use the –path option to specify an alternative directory, in which case the whole directory tree is recreated under that directory instead.
• Windows: Archived files are restored to their original directory. The –path option is not available.

Extract of Tivoli Access Manager files

Use pdbackup to extract files from the backup archive. Files are placed into a single directory; they are not placed into a directory tree structure. Use the –file option to specify the name and fully qualified path of the archive file to extract. Use the –path option to specify the directory where the extracted files are placed.

Note: Windows registry keys are not updated with the –a extract option.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Examples

Backup of Tivoli Access Manager Base

• This example backs up by using default values for the archive files:

  UNIX
    pdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.lst
  Windows
    pdbackup -a backup -list installation_dir\etc\pdbackup.lst

  Note: The shortened form pdbackup -a backup -l is also acceptable.

  Example archive file created by this command:
  UNIX:    /var/PolicyDirector/pdbackup/pdbackup.lst_15dec2003.10_41.tar
  Windows: \installation_dir\pdbackup\pdbackup.lst_15dec2003.10_41.dar

Chapter 2. Tivoli Access Manager utilities 229

• This example backs up by specifying an alternative location for the archive files. The following example performs a backup, creating the default archive file in the /var/backup directory (UNIX) or C:\pdback (Windows):

  UNIX
    pdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.lst -p /var/backup
  Windows
    pdbackup -a backup -list installation_dir\etc\pdbackup.lst -path c:\pdback

• This example backs up by specifying an alternative name for the archive file. The following example performs a backup, creating a file named pdarchive.tar (UNIX) or pdarchive.dar (Windows). The file is located in the default archive directory.

  UNIX
    pdbackup -a backup -list /opt/PolicyDirector/etc/pdbackup.lst -f pdarchive
  Windows
    pdbackup -a backup -list base_dir\etc\pdbackup.lst -f pdarchive

  The default archive extension (.tar for UNIX, .dar for Windows) is appended to the pdarchive file name. This file is stored in the default archive directory /var/PolicyDirector/pdbackup (UNIX) or installation_dir\pdbackup (Windows).

Backup of Tivoli Access Manager WebSEAL

• This example backs up by using default values for the archive files:

  UNIX
    pdbackup -a backup -list /opt/pdweb/etc/amwebbackup.lst
  Windows
    pdbackup -a backup -list installation_dir\etc\amwebbackup.lst

  Example archive file created by this command:
  UNIX:    /var/PolicyDirector/pdbackup/amwebbackup.lst_15dec2003.10_41.tar
  Windows: \installation_dir\pdbackup\amwebbackup.lst_15dec2003.10_41.dar

• This example backs up by specifying an alternative location for the archive files. The following example performs a backup, creating the default archive file in the /var/backup directory (UNIX) or C:\pdback (Windows):

  UNIX
    pdbackup -a backup -list /opt/pdweb/etc/amwebbackup.lst -p /var/backup
  Windows
    pdbackup -a backup -list installation_dir\etc\amwebbackup.lst -path c:\pdback

• This example backs up by specifying an alternative name for the archive file. The following example performs a backup, creating a file named amwebarchive.tar (UNIX) or amwebarchive.dar (Windows). The file is located in the default archive directory.

  UNIX
    pdbackup -a backup -list /opt/pdweb/etc/amwebbackup.lst -f amwebarchive
  Windows
    pdbackup -a backup -list base_dir\etc\amwebbackup.lst -f amwebarchive

  The default archive extension (.tar for UNIX, .dar for Windows) is appended to the amwebarchive file name. This file is stored in the default archive directory /var/PolicyDirector/pdbackup (UNIX) or installation_dir\pdbackup (Windows).

Backup of Tivoli Access Manager Plug-in for Web Servers

• This example backs up by using default values for the archive files:

  UNIX
    pdbackup -a backup -list /opt/pdwebpi/etc/pdwebpi.lst
  Windows
    pdbackup -a backup -list installation_dir\etc\pdwebpi.lst

  Example archive file created by this command:
  UNIX:    /var/PolicyDirector/pdbackup/pdinfo-pdwebpi_15dec2003.10_41.tar
  Windows: \installation_dir\pdbackup\pdinfo-pdwebpi_15dec2003.10_41.dar

• This example backs up by specifying an alternative location for the archive files. The following example performs a backup, creating the default archive file in the /var/backup directory (UNIX) or C:\pdback (Windows):

  UNIX
    pdbackup -a backup -list /opt/pdwebpi/etc/pdwebpi.lst -p /var/backup
  Windows
    pdbackup -a backup -list installation_dir\etc\pdwebpi.lst -path c:\pdback

• This example backs up by specifying an alternative name for the archive file. The following example performs a backup, creating a file named amwebarchive.tar (UNIX) or amwebarchive.dar (Windows). The file is located in the default archive directory.

  UNIX
    pdbackup -a backup -list /opt/pdwebpi/etc/pdwebpi.lst -f amwebarchive
  Windows
    pdbackup -a backup -list base_dir\etc\pdwebpi.lst -f amwebarchive

  The default archive extension (.tar for UNIX, .dar for Windows) is appended to the amwebarchive file name. This file is stored in the default archive directory /var/PolicyDirector/pdbackup (UNIX) or installation_dir\pdbackup (Windows).

Restore of Tivoli Access Manager Base

• This example restores the contents of the archive file when the archive file is stored in the default location:

  UNIX
    pdbackup -a restore -f /var/PolicyDirector/pdbackup/pdbackup.lst_15dec2003.07_24.tar
  Windows
    pdbackup -a restore -f base_dir\pdbackup\pdbackup.lst_15dec2003.07_24.dar

• This example restores the contents of the archive file when the archive file is stored in a non-default location, such as /var/pdback (UNIX) or \pdbackup (Windows):

  UNIX
    pdbackup -a restore -f /var/pdback/pdbackup.lst_15dec2003.07_25.tar
  Windows
    pdbackup -a restore -f h:\pdbackup\pdbackup.lst_15dec2003.07_25.dar

• (UNIX only) This example restores the contents of an archive file when the archive file is stored in the non-default location /var/pdback, and places the restored directory hierarchy under the directory /pdtest:

    pdbackup -a restore -p /pdtest -f /var/pdback/pdbackup.lst_15dec2003.07_25.tar

Restore of Tivoli Access Manager WebSEAL

• This example restores the contents of the archive file when the archive file is stored in the default location:

  UNIX
    pdbackup -a restore -f /var/PolicyDirector/pdbackup/amwebbackup.lst_15dec2003.07_24.tar
  Windows
    pdbackup -a restore -f base_dir\pdbackup\amwebbackup.lst_15dec2003.07_24.dar

• (UNIX only) This example restores the contents of an archive file when the archive file is stored in the non-default location /var/pdback, and places the restored directory hierarchy under the directory /amwebtest:

    pdbackup -a restore -p /amwebtest -f /var/pdback/amwebbackup.lst_15dec2003.07_25.tar

Restore of Tivoli Access Manager Plug-in for Web Servers

• This example restores the contents of the archive file when the archive file is stored in the default location:

  UNIX
    pdbackup -a restore -f /var/PolicyDirector/pdbackup/pdinfo-pdwebpi.lst_15dec2003.07_24.tar
  Windows
    pdbackup -a restore -f install_directory\pdbackup\pdinfo-pdwebpi.lst_15dec2003.07_24.dar

• (UNIX only) This example restores the contents of an archive file when the archive file is stored in the non-default location /var/pdback, and places the restored directory hierarchy under the directory /amwebtest:

    pdbackup -a restore -p /amwebtest -f /var/pdback/pdinfo-pdwebpi.lst_15dec2003.07_25.tar

Extract of Tivoli Access Manager Base

This example extracts the contents of an archive file from /var/pdbackup (UNIX) or C:\pdback (Windows) to a directory named pdextract.

  UNIX
    pdbackup -a extract -p pdextract -f /var/pdbackup/pdbackup.lst_15dec2003.07_25.tar
  Windows
    pdbackup -a extract -p e:\pdextract -f c:\pdback\pdbackup.lst_15dec2003.07_25.dar

When the pdextract directory does not exist, it is automatically created.

Extract of Tivoli Access Manager WebSEAL

This example extracts the contents of an archive file from /var/pdbackup (UNIX) or C:\pdback (Windows) to a directory named amwebextract.

  UNIX
    pdbackup -a extract -p amwebextract -f /var/pdbackup/amwebbackup.lst_15dec2003.07_25.tar
  Windows
    pdbackup -a extract -p e:\amwebextract -f c:\pdback\amwebbackup.lst_15dec2003.07_25.dar

When the amwebextract directory does not exist, it is automatically created.

Extract of Tivoli Access Manager Plug-in for Web Servers

This example extracts the contents of an archive file from /var/pdbackup (UNIX) or C:\pdback (Windows) to a directory named amwebextract.

  UNIX
    pdbackup -a extract -p amwebextract -f /var/pdbackup/pdinfo-pdwebpi.lst_15dec2003.07_25.tar
  Windows
    pdbackup -a extract -p e:\amwebextract -f c:\pdback\pdinfo-pdwebpi.lst_15dec2003.07_25.dar

When the amwebextract directory does not exist, it is automatically created.
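The backup examples above leave two things implicit that matter in practice: how the default archive name is derived, and the fact that a pdbackup archive contains the component's configuration files (server key files, stanza files with credentials) and therefore must not be left readable by other users. The following POSIX shell script is an added example written for this page; it is not part of the IBM reference and not IBM code. It assumes only the naming convention stated on this page (list file name, underscore, ddmmmyyyy, dot, hh_mm, then .tar or .dar) and the -a backup -list ... -p ... invocation form shown in the examples; the function names and the destination directory are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM reference): predict the default pdbackup
# archive name and lock down the archive after the backup runs.

# pdbackup_archive_name LISTFILE DATE TIME [EXT]
#   LISTFILE  path passed to -list, e.g. /opt/PolicyDirector/etc/pdbackup.lst
#   DATE      ddmmmyyyy, e.g. 15dec2003
#   TIME      hh_mm, e.g. 10_41
#   EXT       tar (default, UNIX) or dar (Windows)
# Assumes the UNIX path form: basename() strips only "/" separators.
pdbackup_archive_name() {
    listfile=$1; stamp_date=$2; stamp_time=$3; ext=${4:-tar}
    base=$(basename "$listfile")
    printf '%s_%s.%s.%s\n' "$base" "$stamp_date" "$stamp_time" "$ext"
}

# harden_archive PATH
#   The archive carries the component's configuration, including key files,
#   so it must be readable by its owner only. Returns 0 when the mode is
#   exactly 0600 after the change, 1 if the file is missing or chmod fails.
harden_archive() {
    archive=$1
    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
    chmod 600 "$archive" || return 1
    # POSIX find -perm with an octal mode (no leading -) matches exactly.
    [ -n "$(find "$archive" -perm 600 -print)" ]
}

# backup_and_harden LISTFILE DESTDIR
#   Runs the backup exactly as the reference shows (if pdbackup is on PATH),
#   then hardens every archive found in DESTDIR. Hardening runs even when
#   pdbackup is absent so a previously created archive is still fixed.
backup_and_harden() {
    listfile=$1; destdir=$2
    if command -v pdbackup >/dev/null 2>&1; then
        pdbackup -a backup -list "$listfile" -p "$destdir" || return 1
    fi
    for f in "$destdir"/*.tar "$destdir"/*.dar; do
        [ -e "$f" ] || continue        # unmatched glob stays literal; skip it
        harden_archive "$f" || return 1
    done
    return 0
}
```

Run it as backup_and_harden /opt/PolicyDirector/etc/pdbackup.lst /var/backup; the -p directory should itself be owner-only (chmod 700) before the first backup, since the archive is written there with the caller's umask and is only tightened afterwards.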

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

pdconfig

Presents an interactive menu to configure and unconfigure Tivoli Access Manager components. See the IBM Tivoli Access Manager for e-business Web Security Installation Guide for step-by-step instructions on how to use this utility.

Syntax

pdconfig

Parameters

None.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

pdjrtecfg

Configures the Tivoli Access Manager Java runtime component. The Tivoli Access Manager Java runtime component enables Java applications to manage and use Tivoli Access Manager security.

Syntax

pdjrtecfg –action config –host policy_server_host [–port policy_server_port] [–java_home jre_home] [–domain domain_name] [–config_type full] [–enable_tcd [–tcd path]]
pdjrtecfg –action config [–config_type standalone]
pdjrtecfg –action config –interactive
pdjrtecfg –action config –rspfile response_file
pdjrtecfg –action unconfig –rspfile response_file
pdjrtecfg –action unconfig [–java_home {jre_home|all}] [–remove_common_jars]
pdjrtecfg –action unconfig –interactive
pdjrtecfg –action status [–java_home jre_home]
pdjrtecfg –action name
pdjrtecfg –operations
pdjrtecfg –help [options]
pdjrtecfg –usage
pdjrtecfg –?

Parameters

–action {config|name|status|unconfig}
Specifies the action to be performed. Actions include:
  config    Use to configure the Tivoli Access Manager Java runtime component.
  name      Retrieves the Tivoli Access Manager Java runtime component package name and returns the name value to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.
  status    Determines and returns the Tivoli Access Manager Java runtime component configuration status information to the pdconfig utility. This option is used only by pdconfig. Do not use this option from the command line.
  unconfig  Use to unconfigure the Tivoli Access Manager Java runtime component.

–config_type {full|standalone}
Specifies the configuration mode. Valid values are:
  full        Specifies the configuration mode where the Tivoli Access Manager Java runtime component configuration program requires Tivoli Access Manager policy server information to run. The default value is full.
  standalone  Specifies the configuration mode where the Tivoli Access Manager Java runtime component configuration program does not require Tivoli Access Manager policy server information to run. This mode lets you use Tivoli Access Manager Java APIs without requiring a Tivoli Access Manager policy server.

–domain domain_name
Specifies the local domain name for the Java runtime component being configured. A local domain is a Tivoli Access Manager secure domain that is used by programs when no explicit domain is specified. If this option is not specified, the local domain defaults to the management domain.

–enable_tcd [–tcd path]
Enables Tivoli Common Directory (TCD) logging, if not already enabled, and specifies the fully qualified path location to use for common logging. When TCD is enabled, all Tivoli Access Manager message log files are placed in this common directory location.

–help [options]
Provides online help for one or more command options by displaying descriptions of the valid command line options. Alternatively, provides online help about a specific command line option.

–host policy_server_host
Specifies the Tivoli Access Manager policy server host name. Valid values for policy_server_host include any valid IP host name. Examples:
  host = libra
  host = libra.dallas.ibm.com

–interactive
Specifies the interactive mode, in which the user is prompted for configuration information to configure the Tivoli Access Manager Java runtime component. If not specified, the configuration program runs in non-interactive (silent) mode.

Note: Configuration of a Sun JRE version 1.4 will fail if you use pdjrtecfg –interactive (interactive mode) or the pdconfig utility, and the JRE being used to do the configuration is the same Sun JRE version 1.4 that is being configured. You must configure using the pdjrtecfg utility in non-interactive mode, or run a JRE different from the Sun JRE version 1.4 being configured. Note that configuration of an IBM runtime environment version 1.4 works when using pdjrtecfg –interactive (interactive mode) or the pdconfig utility.

–java_home jre_home
Specifies the fully qualified path to the Java runtime component (such as the directory ending in JRE). If –java_home is not specified, the current JRE is used. For example:
  c:\Program Files\IBM\JAVA13\JRE
During unconfiguration (–action unconfig), you can specify the all option, which unconfigures all configured JREs.

–operations
Prints out all the valid command line options.

–port policy_server_port
Specifies the Tivoli Access Manager policy server port number. The default value is 7135.

–remove_common_jars
During unconfiguration only, specifies to delete other IBM related JAR files, such as logging and security JAR files. Any JAR that existed in the JRE prior to Tivoli Access Manager Java runtime component configuration is not deleted, regardless of whether or not the –remove_common_jars option is specified.

–rspfile response_file
Provides the fully qualified path and file name for the Java runtime component response file to use during silent installation. A response file can be used for configuration or unconfiguration. There is no default response file name. The response file contains stanzas and option=value pair stanza entries. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

–usage
Displays the usage syntax for this command. Also displays an example.

–?
Displays the usage syntax for this command. Also displays an example.

Comments

This command copies Tivoli Access Manager Java libraries to a library extensions directory that exists for a Java runtime that has already been installed on the system. Using this command does not overwrite JAR files that already exist in the jre_home\lib\ext directory, except the PD.jar file, which is overwritten if the file exists.

You can install more than one Java runtime on a given machine. The pdjrtecfg command can be used to configure the Tivoli Access Manager Java runtime independently for each of the JREs.

Note: Make sure that you use the pdjrtecfg utility and not the PdJrteCfg Java class directly.

Examples

1. The following example configures the Tivoli Access Manager Java runtime component:

   pdjrtecfg -action config -host sys123.acme.com -port 7135 -java_home E:\apps\IBM\Java131\jre

2. The following example unconfigures the Tivoli Access Manager Java runtime component:

   pdjrtecfg -action unconfig -java_home E:\apps\IBM\Java131\jre -remove_common_jars
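Because pdjrtecfg installs into jre_home/lib/ext of whichever JRE it is pointed at, and a host may carry several JREs, it is worth knowing which JREs are configured before running –action unconfig –java_home all, and whether the PD.jar it dropped there is writable by anyone other than its owner (a writable jar in lib/ext is loaded by every Java process that uses that JRE). The following POSIX shell script is an added example for this page, not IBM code: it uses PD.jar in lib/ext as the marker, which is the only fact about the layout this page states. The function names and the candidate JRE directories passed to them are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM reference): inventory the JREs on a host
# that carry the Tivoli Access Manager Java runtime, and check that the
# installed PD.jar is not world-writable, before unconfiguring them.

# pdjrte_configured JRE_HOME
#   Returns 0 if JRE_HOME/lib/ext/PD.jar exists, the file pdjrtecfg copies in.
pdjrte_configured() {
    [ -f "$1/lib/ext/PD.jar" ]
}

# pdjrte_jar_world_writable JRE_HOME
#   Returns 0 if PD.jar exists and has the others-write bit set. Jars in
#   lib/ext run with the extension class loader in every JVM started from
#   that JRE, so a world-writable PD.jar lets any local user inject code.
pdjrte_jar_world_writable() {
    jar=$1/lib/ext/PD.jar
    [ -f "$jar" ] && [ -n "$(find "$jar" -perm -002 -print)" ]
}

# list_configured_jres JRE_HOME...
#   Prints each configured JRE, one per line, flagging a world-writable
#   PD.jar. Returns 0 if at least one JRE is configured, 1 otherwise.
list_configured_jres() {
    found=0
    for d in "$@"; do
        pdjrte_configured "$d" || continue
        found=1
        if pdjrte_jar_world_writable "$d"; then
            printf '%s (PD.jar world-writable)\n' "$d"
        else
            printf '%s\n' "$d"
        fi
    done
    [ "$found" -eq 1 ]
}

# unconfig_all_jres JRE_HOME...
#   Unconfigures each configured JRE one at a time with the invocation the
#   reference documents, so a failure on one JRE is reported rather than
#   hidden behind "-java_home all". Skips JREs that are not configured.
unconfig_all_jres() {
    for d in "$@"; do
        pdjrte_configured "$d" || continue
        if command -v pdjrtecfg >/dev/null 2>&1; then
            pdjrtecfg -action unconfig -java_home "$d" \
                || echo "unconfig failed: $d" >&2
        fi
    done
    return 0
}
```

A typical call is list_configured_jres /opt/IBMJava2-131/jre /usr/java14/jre followed, once the list is what you expect, by unconfig_all_jres with the same arguments.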

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/sbin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

pd_start

Stops, starts, and restarts servers on UNIX systems. Also displays server status.

Note: On Windows systems, use the Services folder.

Syntax

pd_start start [server_name]
pd_start stop [server_name]
pd_start restart [server_name]
pd_start status [server_name]

Parameters

restart   Restarts all configured Tivoli Access Manager servers.
start     Starts all Tivoli Access Manager servers not currently running on the local system.
status    Displays the state of all configured Tivoli Access Manager servers (running or stopped).
stop      Stops all Tivoli Access Manager servers currently running on the local system.

Comments

Server processes are normally enabled and disabled through automated scripts that run at system startup and shutdown. In a UNIX environment, you can also use the pd_start executable file to manually start and stop the server processes. This technique is useful when you need to customize an installation or when you need to perform troubleshooting tasks. You can only use pd_start to start and stop servers on the local machine.

Availability

This command is located in the following default installation directory on UNIX systems: /opt/PolicyDirector/bin/

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir/bin/).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

pdversion

Lists the current version of Tivoli Access Manager components installed on the system.

Syntax

pdversion [–key key1,key2...keyX] [–separator delimiter_character]

Parameters

–key key1,key2...keyX
Specifies the component or components for which the current version is presented. Possible values are as follows:
• amacld
• amadk
• ampfs
• amjrte
• ammgr
• amproxy
• amrte
• amwas
• amweb
• amwebars
• amwebadk
• amwpi
• amwls
• amwsl
• amwpm

–separator delimiter_character
Specifies the separator that delimits the description of the component from the version of the component in the displayed output.

Examples

• > pdversion
  IBM Tivoli Access Manager Runtime                       5.1.0.0
  IBM Tivoli Access Manager Policy Server                 5.1.0.0
  IBM Tivoli Access Manager Web Portal Manager            Not Installed
  IBM Tivoli Access Manager Application Developer Kit     5.1.0.0
  IBM Tivoli Access Manager Authorization Server          5.1.0.0
  IBM Tivoli Access Manager Java Runtime Environment      Not Installed

• The following example lists the Access Manager Runtime package (PDRTE) for the IBM Tivoli Access Manager Runtime component and specifies the delimiter character X to separate the component description from the version of the component:
  > pdversion -key pdrte -separator X
  The output displays as:
  IBM Tivoli Access Manager RuntimeX5.1.0.0
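The –separator option exists so that pdversion output can be parsed, which is how a fleet check for unpatched components is normally built: every host should report the same version for every installed component, and "Not Installed" must be treated as absence rather than as a version string. The following POSIX shell script is an added example for this page, not IBM code. It assumes only the line shape the reference shows for –separator (description, separator character, version) and that "Not Installed" takes the place of the version for absent components; the sample output embedded in it is constructed from the page's own example, with one version deliberately altered to show drift, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM reference): detect version drift in
# `pdversion -separator <c>` output.

# check_pdversion SEPARATOR EXPECTED_VERSION  (reads pdversion output on stdin)
#   Prints one line for each installed component whose version differs
#   from EXPECTED_VERSION, and one for each line that does not contain the
#   separator. "Not Installed" components are skipped. Returns 0 only when
#   every installed component is at EXPECTED_VERSION.
check_pdversion() {
    sep=$1; expected=$2; rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # Quoting "$sep" inside the pattern keeps it literal; the split is on
        # the LAST separator so a description may contain the character.
        desc=${line%"$sep"*}
        ver=${line##*"$sep"}
        if [ "$ver" = "$line" ]; then
            printf 'unparsed line: %s\n' "$line"; rc=1; continue
        fi
        case $ver in
            "Not Installed") continue ;;
            "$expected") ;;
            *) printf '%s: %s (expected %s)\n' "$desc" "$ver" "$expected"; rc=1 ;;
        esac
    done
    return $rc
}

# sample_pdversion_output
#   Constructed sample shaped like `pdversion -separator '|'`, taken from the
#   page's example with the Authorization Server version changed to 5.0.0.0
#   so that drift is visible.
sample_pdversion_output() {
    cat <<'EOF'
IBM Tivoli Access Manager Runtime|5.1.0.0
IBM Tivoli Access Manager Policy Server|5.1.0.0
IBM Tivoli Access Manager Web Portal Manager|Not Installed
IBM Tivoli Access Manager Application Developer Kit|5.1.0.0
IBM Tivoli Access Manager Authorization Server|5.0.0.0
IBM Tivoli Access Manager Java Runtime Environment|Not Installed
EOF
}

# pdversion_drift EXPECTED_VERSION
#   Runs the real pdversion when it is on PATH, otherwise the constructed
#   sample, and reports drift against EXPECTED_VERSION.
pdversion_drift() {
    if command -v pdversion >/dev/null 2>&1; then
        pdversion -separator '|' | check_pdversion '|' "$1"
    else
        sample_pdversion_output | check_pdversion '|' "$1"
    fi
}
```

On a real host, pdversion_drift 5.1.0.0 prints nothing and exits 0 when every installed component is at 5.1.0.0; any other outcome is a host to look at. Choose a separator character that cannot appear in a component description.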

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:

0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

pdwascfg

Configures

or

unconfigures

the

Tivoli

Access

Manager

for

WebSphere

Application

Server.

Syntax

pdwascfg

–action

{configWAS4|configWAS5}

–remote_acl_user

user

–sec_master_pwd

password

–was_home

was_home_dir

–pdmgrd_host

policy_server_hostname

–pdacld_host

authorization_server_hostname[–amwas_home

amwas_install_path]

[–pdmgrd_port

policy_server_port]

[–pdacld_port

authorization_server_port]

[–embedded

{true|false}]

[–action_type

{all|local|remote}]

[–am_domain

was_domain]

[–cfg_url

pdjrte_config_file_URL]

[–key_url

pdjrte_keystore_URL

]

[–verbose

{true|false}]

pdwascfg

–action

{unconfigWAS4|unconfigWAS5}

–remote_acl_user

user

–sec_master_pwd

password

–was_home

was_install

path

–pdmgrd_host

policy_server_hostname

–pdacld_host

authorization_server_hostname

pdwascfg

–help

[

options]

Parameters

–action

{configWAS4|configWAS5}

Specifies

the

action

for

this

command

to

perform.

Configures

the

Tivoli

Access

Manager

for

WebSphere

Application

Server.

–action

{unconfigWAS4|unconfigWAS5}

Specifies

the

action

for

this

command

to

perform.

Unconfigures

the

Tivoli

Access

Manager

for

WebSphere

Application

Server.

–action_type

{all|local|remote}

Specifies

the

level

of

configuration

required.

Possible

values

are:

all,

local,

or

remote.

The

local

option

performs

only

configuration

changes

required

on

the

local

machine

(meaning

no

SvrSslCfg).

The

remote

option

performs

only

configuration

changes

required

on

the

remote

machine

(meaning

SvrSslCfg).

The

command

defaults

to

all.

–am_domain

was_domain

Specifies

the

Tivoli

Access

Manager

domain

for

Tivoli

Access

Manager

for

WebSphere.

The

Tivoli

Access

Manager

authentication

server

(pdacld)

must

be

in

the

domain,

and

the

domain

must

exist

in

the

Tivoli

Access

Manager

protected

object

space.

–amwas_home

amwas_install_path

Specifies

the

location

of

the

Tivoli

Access

Manager

for

WebSphere

installation

when

Tivoli

Access

Manager

for

WebSphere

is

not

installed

in

the

default

location.

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

Note:

The

–amwas_home

option

does

not

need

to

be

specified

as

part

of

the

pdwascfg

command

when

Tivoli

Access

Manager

for

WebSphere

is

installed

in

the

default

location.

–cfg_url

pdjrte_config_file_url

Specifies

the

location

of

the

PDJrte

properties

file.

This

file

is

created

during

configuration

and

removed

during

unconfiguration

if

the

option

-action_type

remote

or

-action_type

all

is

also

specified.

242

IBM

Tivoli

Access

Manager

for

e-business:

Command

Reference

–embedded

{true|false}

Specifies

that

this

product

is

packaged

with

WebSphere

when

set

to

true.

The

default

value

is

false.

–help

[options]

Lists

the

command

option

name

and

a

short

description.

If

one

or

more

options

are

specified,

it

lists

each

option

and

a

short

description.

–key_url

pdjrte_keystore_url

Specifies

the

location

of

the

PDJrte

key

store

file.

This

file

is

created

during

configuration

and

removed

during

unconfiguration

if

the

option

-action_type

remote

or

-action_type

all

is

also

specified.

–pdacld_host

authorization_server_hostname

Contains

the

host

name

of

the

Tivoli

Access

Manager

authorization

server.

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

–pdacld_port

authorization_server_port

Specifies

the

port

number

of

the

Tivoli

Access

Manager

authorization

server

only

if

it

has

been

configured

to

be

different

from

the

standard

port.

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

Note

that

pdmgrd_port

must

also

be

specified

if

this

option

is

used.

–pdmgrd_host

policy_server_hostname

Contains

the

host

name

of

the

Tivoli

Access

Manager

policy

server.

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

–pdmgrd_port

policy_server_port

Specifies

the

port

number

of

the

Tivoli

Access

Manager

policy

server

only

if

it

has

been

configured

to

be

different

from

the

standard

port.

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

–remote_acl_user

user

Specifies

the

user

name

of

the

remote

acl

user.

This

parameter

is

used

for

the

SSL

connection

with

the

Tivoli

Access

Manager

authorization

server.

The

user

should

not

exist

in

the

registry.

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

For

example:

-remote_acl_user

pdpermadmin

–sec_master_pwd

password

Specifies

the

password

of

the

administrative

user

(the

administrative

user

is

normally

sec_master).

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

–verbose

{true|false}

Enables

verbose

output

when

set

to

true;

otherwise,

disables

verbose

output.

The

default

value

is

false.

–was_home

was_home_dir

Specifies

the

fully

qualified

path

to

the

home

directory

of

the

WebSphere

Application

Server

installation.

Use

this

parameter

with

the

–action

{configWAS4|configWAS5}

or

–action

{unconfigWAS4|unconfigWAS5}

options.

For

example,

c:\WebSphere\AppServer

Chapter 2. Tivoli Access Manager utilities 243

Comments

The pdwascfg utility is implemented as a shell script on UNIX systems and a batch file on Windows systems. When invoked with action config, the utility completes the following tasks:
• Configures WebSphere to use Tivoli Access Manager for WebSphere.
• Calls the Java class com.tivoli.mts.SvrSslCfg to configure the SSL communication between the Tivoli Access Manager for WebSphere authorization component and both the policy server and the authorization server.
• Creates a user identity for the Tivoli Access Manager for WebSphere classes on the host system.

The script depends on finding the correct environment variables for the location of prerequisite software. Set the environment variable %WAS_HOME% to the WebSphere Application Server installation directory. Set %PDWAS_HOME% to the Tivoli Access Manager for WebSphere installation directory.

The pdwascfg command file calls Java with the following options:
• -Dpdwas.lang.home
  The directory containing the native language support libraries that are provided with Tivoli Access Manager for WebSphere. These are located in a subdirectory under the Tivoli Access Manager for WebSphere installation directory. For example:
  -Dpdwas.lang.home=%PDWAS_HOME%\java\nls
• -Dpdwas.home
  The home (installation) directory for Tivoli Access Manager for WebSphere. For example:
  -Dpdwas.home=%PDWAS_HOME%
  Note: This environment variable is set only when a new command window has been opened after installing Tivoli Access Manager for WebSphere.
• -Dwas.home
  The home (installation) directory for WebSphere Application Server. For example:
  -Dwas.home=%WAS_HOME%

Sample Java command, as built by pdwascfg:

java -Dpdwas.lang.home=%PDWAS_HOME%\java\nls -Dpdwas.home=%PDWAS_HOME% -Dwas.home=%WAS_HOME% PDWAScfg -action configWAS5 -remote_acl_user pdpermadmin -sec_master_pwd myPassword -was_home c:\WebSphere\AppServer -pdmgrd_host pdmgrserver.mysubnet.ibm.com -pdacld_host pdacldserver.mysubnet.ibm.com
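The environment the Comments above say the script depends on can be checked before pdwascfg is run at all. The following POSIX sh function is an added example, not part of the IBM reference and not the pdwascfg script itself. It assumes the UNIX variable names WAS_HOME and PDWAS_HOME (the page shows the Windows %WAS_HOME% and %PDWAS_HOME% spellings) and the java/nls subdirectory named in the -Dpdwas.lang.home option; it prints the -D options the script would pass to java and fails with a reason when a directory is missing.

```shell
#!/bin/sh
# Added example: pre-flight check for the UNIX form of pdwascfg.
# Not the product's script; it only mirrors the environment the Comments
# section says the script depends on. Assumed variable names on UNIX:
# WAS_HOME and PDWAS_HOME (the reference shows the Windows spellings).

# pdwascfg_java_opts WAS_HOME PDWAS_HOME
# Prints the -D options pdwascfg would hand to java when every directory the
# script needs is present; otherwise prints a reason to stderr and returns 1.
pdwascfg_java_opts() {
    was_home=$1
    pdwas_home=$2
    if [ -z "$was_home" ]; then
        echo "WAS_HOME is not set" >&2
        return 1
    fi
    if [ -z "$pdwas_home" ]; then
        # The Note above: PDWAS_HOME only appears in a shell opened after install.
        echo "PDWAS_HOME is not set; open a new shell after installing" >&2
        return 1
    fi
    for dir in "$was_home" "$pdwas_home" "$pdwas_home/java/nls"; do
        if [ ! -d "$dir" ]; then
            echo "required directory missing: $dir" >&2
            return 1
        fi
    done
    printf '%s\n' "-Dpdwas.lang.home=$pdwas_home/java/nls -Dpdwas.home=$pdwas_home -Dwas.home=$was_home"
}

# Stand-alone run: report on the current shell's environment. The trailing
# "|| :" only keeps a demonstration from aborting; in a real wrapper drop it
# so that a failed check stops the script before java is invoked.
pdwascfg_java_opts "$WAS_HOME" "$PDWAS_HOME" || :
```

The check deliberately stops short of assembling the rest of the sample command: the -sec_master_pwd value is passed as a plain command-line argument, and on a shared host other local users can read a process's arguments from the process list while it runs, so a wrapper should not echo or log that part of the line.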

Availability

This command is located in the following default installation directories:
• UNIX systems: /opt/amwas/sbin/
• On Windows systems: C:\Program Files\Tivoli\amwas\sbin\

244 IBM Tivoli Access Manager for e-business: Command Reference

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).

Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.


pdweb

Starts, stops, or restarts a WebSEAL server or displays server status on UNIX systems.

Syntax

pdweb start [WebSEAL_server_instance_name]
pdweb stop [WebSEAL_server_instance_name]
pdweb restart [WebSEAL_server_instance_name]
pdweb status [WebSEAL_server_instance_name]

Parameters

start
    Specifies a WebSEAL server to start. The instance name argument is optional. When no instance name is supplied, all instances are started.

stop
    Specifies a WebSEAL server to stop. The instance name argument is optional. When no instance name is supplied, all instances are stopped.

restart
    Specifies a WebSEAL server to restart. The instance name argument is optional. When no instance name is supplied, all instances are restarted.

status
    Displays the status of all WebSEAL servers.

WebSEAL_server_instance_name
    Specifies the name of the WebSEAL server instance in the format server_name-host_name. For example, for a single WebSEAL server, server_name is default-webseald. For multiple WebSEAL instances on the same machine, server_name is the configured name of the WebSEAL server instance followed by -webseald. For example, if the configured name of a WebSEAL instance is webseal2, the server_name is as follows: webseal2-webseald.

    The maximum length of an instance name is 20 characters. The following characters are allowed:
    • Any ASCII letter (A-Z or a-z)
    • Period ( . )
    • Dash ( - )
    • Underscore ( _ )

Comments

The pdweb command is supported only on UNIX systems. You can substitute the pdweb_start command for the pdweb command.

Note: On Windows systems, you can use the net command to start and stop WebSEAL servers.


Examples
• This example starts the initial WebSEAL server and all configured server instances:
  # /usr/bin/pdweb start
• This example starts a specific server instance only:
  # /usr/bin/pdweb start webseal3
• This example restarts all configured WebSEAL server instances:
  # /usr/bin/pdweb restart
• This example stops all configured WebSEAL server instances:
  # /usr/bin/pdweb stop
• This example stops a specific server instance only:
  # /usr/bin/pdweb stop webseal3
• This example shows the status of all configured servers:
  # /opt/PolicyDirector/bin/pdweb status
  Access Manager Servers
  Server               Enabled   Running
  ------------------------------------------
  webseald             yes       yes
  webseald-webseal2    yes       yes
  webseald-webseal3    yes       yes
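Two checks an operator can script around pdweb, as an added example that is not part of the IBM reference: a validator for the instance-name rules given under WebSEAL_server_instance_name, and a filter over the status table shown in the last example that reports servers which are enabled but not running (the kind of drift a monitoring job wants to catch). Two assumptions are made: digits are accepted in instance names, because the reference's own examples (webseal2, webseal3) contain them although the character list omits them, and a stopped server shows something other than "yes" in the Running column. The status text in the block is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the IBM reference): two checks a WebSEAL operator
# can script around pdweb.

# valid_instance_name NAME
# Applies the naming rules stated above: at most 20 characters, and only
# letters, period, dash and underscore. Assumption: digits are accepted too,
# because the reference's own examples (webseal2, webseal3) contain them.
valid_instance_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 20 ] || return 1
    case $name in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# servers_enabled_not_running < status-output
# Reads the table that "pdweb status" prints (as in the example above) and
# prints the servers that are enabled but not running, one per line. Data
# rows have three fields; the column headings and the dashed rule are skipped
# because their second field is not "yes". Assumption: a stopped server shows
# something other than "yes" in the Running column.
servers_enabled_not_running() {
    awk 'NF == 3 && $2 == "yes" && $3 != "yes" { print $1 }'
}

# Constructed sample of pdweb status output (not captured from a real system).
SAMPLE_STATUS='Access Manager Servers
Server                   Enabled   Running
------------------------------------------
webseald                 yes       yes
webseald-webseal2        yes       no
webseald-webseal3        no        no'

# Stand-alone run: name checks, then the list of enabled-but-down servers.
for n in webseal2 'web seal2' this-name-is-far-too-long-for-webseal; do
    if valid_instance_name "$n"; then echo "ok:  $n"; else echo "bad: $n"; fi
done
printf '%s\n' "$SAMPLE_STATUS" | servers_enabled_not_running
```

Fed the real command's output (`pdweb status | servers_enabled_not_running`), the filter prints only webseald-webseal2 for the sample above: webseal3 is disabled, so its being down is expected and is not reported.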

Availability

This command is located in the following default directory:
• On UNIX systems: /opt/pdweb/bin/pdweb_start

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir/bin/).

Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdwebpi

Provides Tivoli Access Manager Plug-in for Web Servers version information. Also, determines whether to run Plug-in for Web Servers as a daemon or run it in the foreground.

Syntax

pdwebpi [-foreground] [-version]

Parameters

-foreground
    Runs the Plug-in for Web Servers binary in the foreground as opposed to running as a daemon.

-version
    Provides version information for the Plug-in for Web Servers installation.

Availability

This command is located in the following default installation directories:
• UNIX systems: /opt/pdwebpi/bin/
• On Windows systems: C:\Program Files\Tivoli\pdwebpi\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdwebpi_start

Starts, restarts, and stops the Tivoli Access Manager Plug-in for Web Servers process on UNIX installations. Note that the Plug-in for Web Servers is automatically started and stopped when the Tivoli Access Manager base product is started or stopped. Also, displays the status of all Web servers.

Note: If needed, the pdwebpi_start command can be used to control the Plug-in for Web Servers independently of the Tivoli Access Manager base product.

Syntax

pdwebpi_start start
pdwebpi_start stop
pdwebpi_start restart
pdwebpi_start status

Parameters

pdwebpi_start {start|stop|restart|status}

where:

start
    Starts the Plug-in for Web Servers process on UNIX installations.

stop
    Stops the Plug-in for Web Servers process on UNIX installations.

restart
    Stops and then restarts the Plug-in for Web Servers process on UNIX installations.

status
    Provides status information of the Plug-in for Web Servers on UNIX installations.

Comments

To start and stop the plug-in on Windows installations, identify the Plug-in for Web Servers process in the Services Control Panel and use the appropriate control buttons.

Availability

This command is located in the following default installation directories:
• UNIX systems: /opt/pdwebpi/sbin/
• On Windows systems: C:\Program Files\Tivoli\pdwebpi\sbin\

When an installation directory other than the default is selected, this utility is located in the sbin directory under the installation directory (for example, install_dir\sbin\).


Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   An error occurred.


pdwpi-version

Lists the version and copyright information for the Tivoli Access Manager Plug-in for Web Servers installation.

Syntax

pdwpi-version [-h] [-V] [-l | binary [binary ...]]

Parameters

-h
    Displays a help or usage message.

-l
    Specifies long list, which lists the versions of all binaries, not just the package version.

-V
    Displays the version information for the pdwpi-version binary.

binary [binary]
    Displays version information for specified binaries, or for all files if no binary files are specified.

Availability

This command is located in the following default installation directories:
• UNIX systems: /opt/pdwebpi/bin/
• On Windows systems: C:\Program Files\Tivoli\pdwebpi\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   An error occurred.


pdwpicfg -action config

Configures the Tivoli Access Manager Plug-in for Web Servers.

Syntax

pdwpicfg -action config -admin_id admin_id -admin_pwd admin_pwd -auth_port authorization_port_number -web_server {iis|iplanet|ihs|apache} -iis_filter {yes|no} -web_directory server_install_directory -vhosts virtual_host_id -ssl_enable {yes|no} -keyfile keyfile -key_pwd key_password -key_label key_label -ssl_port ssl_port_number

pdwpicfg -action config -interactive {yes|no}

pdwpicfg -action config -rspfile response_file

pdwpicfg -operations

pdwpicfg -help [options]

pdwpicfg -usage

pdwpicfg -?

Parameters

-admin_id admin_id
    Specifies the administration user identifier (the administrative user is normally sec_master).

-admin_pwd admin_pwd
    Specifies the password for the administrative user admin_id.

-auth_port authorization_port_number
    Specifies the port number of the authorization server. The default port number value is 7237.

-help [options]
    Lists the option name and a short description. If one or more options are specified, it lists each option and a short description.

-interactive {yes|no}
    Enables interactive mode for the command if yes; otherwise, disables interactive mode for the command. The default value is yes.

-iis_filter {yes|no}
    Enables the Internet Information Server (IIS) filtering if yes; otherwise, disables the IIS filtering.

-keyfile keyfile
    Specifies the LDAP SSL key file. There is no default value. Specify this option when you are not running the command in interactive mode and when you have enabled SSL between the Plug-in for Web Servers and LDAP.

-key_label key_label
    Specifies the LDAP SSL key label. There is no default value. Specify this option when you are not running the command in interactive mode and when you have enabled SSL between the Plug-in for Web Servers and LDAP.


-key_pwd key_password
    Specifies the LDAP SSL key file password.

-operations
    Lists each of the option names one after another with no description.

-rspfile response_file
    Provides the fully qualified path and file name for the Plug-in for Web Servers response file to use during silent installation. A response file can be used for configuration or unconfiguration. There is no default response file name. The response file contains stanzas and option=value pair stanza entries. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

-ssl_enable {yes|no}
    Enables SSL communications with LDAP if yes; otherwise, disables SSL communications with LDAP. The default value is yes.

-ssl_port ssl_port_number
    Specifies the LDAP SSL port. The default port number value is 636.

-usage
    Displays the usage syntax for this command. Also displays an example.

-vhosts virtual_host_id
    Specifies the virtual hosts that are to be protected. The value should be in the format of a comma separated list of virtual host IDs. There should be no spaces between the virtual host IDs.

-web_directory server_install_directory
    Specifies the Web server installation directory.

-web_server {iis|iplanet|ihs|apache}
    Specifies the Web server type on which the Plug-in for Web Servers is to be installed. The choices are: iis for Internet Information Server, iplanet for Sun ONE Server, ihs for IBM HTTP Server, or apache for the Apache Server. This option defaults to the type and location of the configured Web server.

-?
    Displays the usage syntax for this command. Also displays an example.
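The parameter rules above interact: SSL to LDAP is on by default, and once the command is run non-interactively the key file and key label become mandatory, the virtual host list must be comma separated with no spaces, and the web server type is one of four values. The following POSIX sh function is an added example, not part of the IBM reference, that checks an argument set against those rules before a silent pdwpicfg -action config run. Its interface (option=value words using the pdwpicfg option names without the dash) and the sample key file path are assumptions.

```shell
#!/bin/sh
# Added example (not from the IBM reference): a pre-flight check for a
# non-interactive "pdwpicfg -action config" invocation, written against the
# parameter rules listed above. Assumed interface: option=value arguments
# using the pdwpicfg option names without the leading dash.

# check_pdwpicfg_config web_server=... vhosts=... [ssl_enable=yes|no]
#                       [keyfile=...] [key_label=...] [auth_port=N] [ssl_port=N]
# Prints every violation found and returns 1 if there was one, else 0.
check_pdwpicfg_config() {
    # Defaults are the ones the reference states: SSL to LDAP on, 7237, 636.
    web_server= vhosts= ssl_enable=yes keyfile= key_label=
    auth_port=7237 ssl_port=636
    for kv in "$@"; do
        case $kv in
            web_server=*) web_server=${kv#*=} ;;
            vhosts=*)     vhosts=${kv#*=} ;;
            ssl_enable=*) ssl_enable=${kv#*=} ;;
            keyfile=*)    keyfile=${kv#*=} ;;
            key_label=*)  key_label=${kv#*=} ;;
            auth_port=*)  auth_port=${kv#*=} ;;
            ssl_port=*)   ssl_port=${kv#*=} ;;
            *) echo "unknown option: $kv"; return 1 ;;
        esac
    done
    rc=0
    case $web_server in
        iis|iplanet|ihs|apache) ;;
        *) echo "web_server must be one of iis, iplanet, ihs, apache"; rc=1 ;;
    esac
    # -vhosts: comma separated, no spaces, no empty entries.
    case $vhosts in
        "") echo "vhosts is required"; rc=1 ;;
        *" "*|*,,*|,*|*,) echo "vhosts must be a comma-separated list with no spaces"; rc=1 ;;
    esac
    for p in "auth_port=$auth_port" "ssl_port=$ssl_port"; do
        case ${p#*=} in
            ""|*[!0-9]*) echo "${p%%=*} must be numeric"; rc=1 ;;
        esac
    done
    case $ssl_enable in
        yes)
            # Non-interactive mode with SSL to LDAP: key file and label are mandatory.
            [ -n "$keyfile" ]   || { echo "ssl_enable=yes requires keyfile"; rc=1; }
            [ -n "$key_label" ] || { echo "ssl_enable=yes requires key_label"; rc=1; }
            ;;
        no) ;;
        *) echo "ssl_enable must be yes or no"; rc=1 ;;
    esac
    return $rc
}

# Stand-alone run over a good and a bad argument set (paths are made up).
check_pdwpicfg_config web_server=ihs vhosts=www.example.com,intranet \
    keyfile=/var/pdwebpi/keytab/pdwebpi.kdb key_label=pdwebpi && echo "config args ok"
check_pdwpicfg_config web_server=nginx vhosts='www.example.com, intranet' || echo "config args rejected"
```

Because ssl_enable defaults to yes, an argument set that names no key file is rejected unless ssl_enable=no is stated explicitly; that mirrors the reference's default and makes an accidental plaintext LDAP connection a deliberate choice rather than an omission.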

Availability

This command is located in the following default installation directories:
• UNIX systems: /opt/pdwebpi/bin/
• On Windows systems: C:\Program Files\Tivoli\pdwebpi\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).


Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


pdwpicfg -action unconfig

Unconfigures the Tivoli Access Manager Plug-in for Web Servers.

Syntax

pdwpicfg -action unconfig -admin_id admin_id -admin_pwd admin_pwd -force {yes|no} -remove {none|acls|objspace|all} -vhosts virtual_host_id

pdwpicfg -action unconfig -interactive {yes|no}

pdwpicfg -action unconfig -rspfile response_file

pdwpicfg -operations

pdwpicfg -help [options]

pdwpicfg -usage

pdwpicfg -?

Parameters

-admin_id admin_id
    Specifies the administration user identifier (the administrative user is normally sec_master).

-admin_pwd admin_pwd
    Specifies the password for the administrative user admin_id.

-force {yes|no}
    Forces the unconfiguration process to proceed even if the policy server cannot be contacted. The default value is no.

-help [options]
    Lists the option name and a short description. If one or more options are specified, it lists each option and a short description.

-interactive {yes|no}
    Enables interactive mode for the command if yes; otherwise, disables interactive mode for the command. The default value is yes.

-operations
    Lists each of the option names one after another with no description.

-remove {none|acls|objspace|all}
    Specifies whether to remove the object space or the ACLs or both as part of the unconfiguration process. The default value is none.

-rspfile response_file
    Provides the fully qualified path and file name for the Plug-in for Web Servers response file to use during silent installation. A response file can be used for configuration or unconfiguration. There is no default response file name. The response file contains stanzas and option=value pair stanza entries. To use response files, see the procedures in the IBM Tivoli Access Manager for e-business Web Security Installation Guide.

-usage
    Displays the usage syntax for this command. Also displays an example.


-vhosts virtual_host_id
    Specifies the identifiers of the virtual hosts that are to be unconfigured. The value can be in the format of a comma separated list of virtual host IDs. There should be no spaces between the virtual host IDs.

-?
    Displays the usage syntax for this command. Also displays an example.

Availability

This command is located in the following default installation directories:
• UNIX systems: /opt/pdwebpi/bin/
• On Windows systems: C:\Program Files\Tivoli\pdwebpi\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x14c012f2). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


query_contents

Returns the contents of the root directory of a Web space on a third-party Web server.

Syntax

query_contents dirlist=installation_directory/cgi-bin/query_contents?dirlist=

Parameters

None.

Comments

Returns the contents of the specified Web space on a third-party Web server. The contents are used to construct a protected object space for use by Tivoli Access Manager administrators.

The query_contents utility is distributed with WebSEAL. The typical usage of the utility is to copy it to a junctioned backend Web server and execute it there. The utility returns a list of the hierarchy of files that need to be protected by Tivoli Access Manager. This list enables the Tivoli Access Manager administrative GUI (Web Portal Manager) to display to the administrator a list of resources to be managed.

The utility is provided on UNIX as a shell script, query_contents.sh. On Windows, it is provided as an executable file, query_contents.exe. WebSEAL also includes source to the utility, a sample configuration file, and an HTML help file. Administrators can use these files to configure query_contents and, when needed, to modify its behavior.

Administrators should review the documentation on WebSEAL junctions and query_contents before using this utility. For more information, see IBM Tivoli Access Manager for e-business WebSEAL Administration Guide.

Examples

This example displays the contents of a Web space hierarchy.

http://server_name/cgi-bin/query_contents?dirlist=/

Availability

This command is located in the following default installation directories:
• UNIX systems: /opt/pdweb/query_contents/query_contents.sh
• On Windows systems: c:\Program Files\Tivoli\pdweb\query_contents\query_contents.exe


Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


svrsslcfg -add_replica

Adds an authorization server replica to a resource manager’s configuration. A resource manager can contact a replica server to perform authorization decisions.

Syntax

svrsslcfg -add_replica -f cfg_file -h host_name [-p server_port] [-k replica_rank]

Parameters

-f cfg_file
    Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
    UNIX      /opt/PolicyDirector/etc/activedir.conf
    Windows   C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-h host_name
    Specifies the TCP host name of an authorization server replica. Valid values for host_name include any valid IP host name. Examples:
    host = libra
    host = libra.dallas.ibm.com

-p server_port
    Specifies the port number on which the replica server listens for requests. The default value is 7136.

-k replica_rank
    Specifies the replica order of preference among other replicas. The default value is 10. Replica servers with higher rankings are used preferentially. For example, a resource manager contacts a replica server with a ranking of 10 before contacting a replica server with a ranking of 9.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).


Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


svrsslcfg -chg_replica

Changes replica server attributes. The replica host name is used to identify the replica server and cannot be changed by this action.

Syntax

svrsslcfg -chg_replica -f cfg_file -h host_name [-p server_port] [-k replica_rank]

Parameters

-f cfg_file
    Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
    UNIX      /opt/PolicyDirector/etc/activedir.conf
    Windows   C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-h host_name
    Specifies the TCP host name of an authorization server replica. Valid values for host_name include any valid IP host name. Examples:
    host = libra
    host = libra.dallas.ibm.com

-p server_port
    Specifies the port number on which the replica server listens for requests. The default value is 7136.

-k replica_rank
    Specifies the replica order of preference among other replicas. The default value is 10. Replica servers with higher rankings are used preferentially. For example, a resource manager contacts a replica server with a ranking of 10 before contacting a replica server with a ranking of 9.
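The -k rule shared by -add_replica and -chg_replica (higher rank is tried first) decides which authorization server a resource manager actually depends on, so it is worth computing the resulting order from a planned replica set before the svrsslcfg commands are run, and checking the -h, -p and -k values while doing so. The block below is an added example that is not part of the IBM reference; the replica list in it is constructed, and the rule that equal ranks keep their listed order is an assumption (the reference does not say how ties are broken).

```shell
#!/bin/sh
# Added example (not from the IBM reference): working out the order in which a
# resource manager tries its authorization server replicas, from the -k rank
# rule stated for -add_replica and -chg_replica, plus a check on the values
# passed to -h, -p and -k. The replica list below is constructed.

# check_replica_entry HOST PORT RANK
# HOST must look like an IP host name (labels of letters, digits and hyphens,
# joined by dots); PORT must be 1..65535; RANK must be a non-negative integer.
check_replica_entry() {
    host=$1 port=$2 rank=$3
    case $host in
        ""|*[!A-Za-z0-9.-]*|.*|*.|*..*) echo "bad host name: '$host'"; return 1 ;;
    esac
    case $port in
        ""|*[!0-9]*) echo "port must be numeric: '$port'"; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port"; return 1
    fi
    case $rank in
        ""|*[!0-9]*) echo "rank must be a non-negative integer: '$rank'"; return 1 ;;
    esac
    return 0
}

# replica_contact_order < "host port rank" lines
# Prints host:port in order of preference: highest rank first (the reference:
# rank 10 is contacted before rank 9). Equal ranks keep their input order
# (an assumption), implemented with an explicit line-number key so that no
# non-POSIX "stable sort" option is needed.
replica_contact_order() {
    awk '{ print NR, $1, $2, $3 }' | sort -k4,4nr -k1,1n | awk '{ print $2 ":" $3 }'
}

# Constructed replica set: "host port rank" (not from any real deployment).
REPLICAS='acld1.example.com 7136 10
acld2.example.com 7136 9
acld3.example.com 7236 12
acld4.example.com 7136 10'

# Stand-alone run: validate each entry, then show the contact order.
printf '%s\n' "$REPLICAS" | while read -r h p k; do
    check_replica_entry "$h" "$p" "$k" >/dev/null || echo "rejected: $h $p $k"
done
printf '%s\n' "$REPLICAS" | replica_contact_order
```

For the constructed set the order is acld3 (rank 12), then acld1 and acld4 (both rank 10, in listed order), then acld2 (rank 9); a replica that should be the primary but was added with the default rank of 10 is easy to spot this way before the configuration file is touched.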

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).


Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


svrsslcfg -chgcert

Renews the resource manager’s SSL certificate.

Syntax

svrsslcfg -chgcert -f cfg_file -n appl_name [-P admin_pwd] [-A admin_id]

Parameters

-A admin_id
    Specifies the Tivoli Access Manager administrator name. The default is sec_master. The ID is an alphanumeric, case-insensitive string. The minimum and maximum lengths of the ID, if there are limits, are imposed by the underlying registry. See Appendix B, “User registry differences,” on page 285.

-f cfg_file
    Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
    UNIX      /opt/PolicyDirector/etc/activedir.conf
    Windows   C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-n appl_name
    Deprecated. For previous versions, specifies the name of the application. The name is combined with the host name to create unique names for Tivoli Access Manager objects created for your application. The following names are reserved for Tivoli Access Manager applications: ivacld, secmgrd, ivnet, and ivweb.

-P admin_pwd
    Specifies the Tivoli Access Manager administrator password. If this option is not specified, the administrator is prompted.

Comments

Stop the Tivoli Access Manager policy server before running this command.

The certificate renewal process is as follows:
• When an initial request for a certificate is made, a new public/private key pair is generated for the resource manager along with the certificate request. The certificate request, which contains the resource manager’s new public key, is sent to the Tivoli Access Manager policy server (pdmgrd). The Tivoli Access Manager policy server signs the request and sends the newly signed certificate back to the resource manager. The resource manager stores the signed certificate in a secure keystore and also stores the resource manager’s new private key. The lifetime of the new certificate is determined by the Tivoli Access Manager policy server’s ssl-cert-life parameter in the ivmgrd.conf configuration file. This parameter determines the number-of-days value for the lifetime of a certificate. Any issued or renewed certificates must use this value. The default value is 365 days.
• A resource manager’s certificate must be renewed if it has expired or if it has been compromised. Also, it must be renewed to adhere to any changes in the security policy. If both the certificate and the password to the key database file that contains the certificate expire, the password must be refreshed first.


Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.


svrsslcfg -chgport

Changes a resource manager’s listening port number.

Syntax

svrsslcfg -chgport -f cfg_file -r port_number

Parameters

-f cfg_file
    Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
    UNIX      /opt/PolicyDirector/etc/activedir.conf
    Windows   C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-r port_number
    Sets the listening port number for the server. A value of 0 may be specified only if the [aznapi-admin-services] stanza in the configuration file is empty.

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\

When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0   The command completed successfully.
1   The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

Chapter

2.

Tivoli

Access

Manager

utilities

265

svrsslcfg -chgpwd

Changes a resource manager's key file password.

Syntax

svrsslcfg -chgpwd -f cfg_file -e pwd_life

Parameters

-e pwd_life
Sets the key file password expiration time in days. This parameter is required.
• Specify 0 to use the currently configured value.
• Specify 183 days if the currently configured value cannot be determined.
• Otherwise, valid values for pwd_life are from 1 to 7299 days.

-f cfg_file
Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
UNIX: /opt/PolicyDirector/etc/activedir.conf
Windows: C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

svrsslcfg -config

Performs full configuration of a resource manager.

Syntax

svrsslcfg -config -f cfg_file -d kdb_dir -n appl_name -s server_mode -r port_number -P admin_pwd [-S server_pwd] [-A admin_id] [-t ssl_timeout] [-e pwd_life] [-l listening_mode] [-a refresh_mode] [-C cert_file] [-h host_name] [-o login_domain] [-g group_list] [-D description]

Parameters

-a refresh_mode
Sets the certificate and key file password auto-refresh enabled flag in the configuration file. The default value is yes.

-A admin_id
Specifies the Tivoli Access Manager administrator name. If this option is not specified, sec_master is the default. A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the administrative ID. For example, for U.S. English the valid characters are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the administrative ID, if there are limits, are imposed by the underlying registry. See Appendix B, "User registry differences," on page 285.

-C cert_file
Specifies the fully qualified name of the file containing the base-64 encoded SSL certificate used when the server authenticates directly with the user registry.

-d kdb_dir
Specifies the directory that is to contain the key files for the server. A valid directory name is determined by the operating system. Do not use relative directory names. For example:
UNIX: /opt/PolicyDirector/keytab/ivmgrd.kdb
Windows: C:\Program Files\Tivoli\Policy Director\keytab\ivmgrd.kdb
Make sure that the server user (for example, ivmgr), or all users, has permission to access the .kdb file and the folder that contains the .kdb file.

-D description
Specifies a description for the application. A valid description is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are allowed. If the description contains a space, ensure that you enclose the description in double quotation marks.

-e pwd_life
Sets the key file password expiration time in days. This parameter is optional and defaults to 183 days if not specified. Otherwise, valid values for pwd_life are from 1 to 7299 days.

-n appl_name
Deprecated. For previous versions, specifies the name of the application. The name is combined with the host name to create unique names for Tivoli Access Manager objects created for your application. The following names are reserved for Tivoli Access Manager applications: ivacld, secmgrd, ivnet, and ivweb.

-f cfg_file
Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
UNIX: /opt/PolicyDirector/etc/activedir.conf
Windows: C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-g group_list
Specifies a list of groups to which this server should be added. The following names are not permitted in this list: ivacld_servers and remote_acl_users. The list of names must be separated by commas with no white space. If a group name contains a space, the entire list must be enclosed in double quotation marks.

-h host_name
Specifies the TCP host name used by the Tivoli Access Manager policy server to contact this server. This name is saved in the configuration file using the azn-app-host key. The default is the local host name returned by the operating system. Valid values for host_name include any valid IP host name. Examples:
host = libra
host = libra.dallas.ibm.com

-l listening_mode
Sets the listening-enabled flag in the configuration file. The value of this option must be yes or no. If not specified, the default is no. A value of yes requires that the -r option have a non-zero value.

-o login_domain
Specifies the domain name for the domain to which this server is configured. This domain must exist, and the administrator ID and password must be valid for this domain. If not specified, the local domain that was specified during Tivoli Access Manager runtime configuration will be used. The local domain value will be retrieved from the configuration file. A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. You cannot use a space in the domain name. For example, for U.S. English the valid characters for domain names are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry. See Appendix B, "User registry differences," on page 285.

-P admin_pwd
Specifies the Tivoli Access Manager administrator password. This is a required option. If this option is not specified, the password is read from standard input.

-r port_number
Sets the listening port number for the server. This is a required option. A value of 0 may be specified only if the [aznapi-admin-services] stanza in the configuration file is empty.

-s server_mode
Specifies the mode in which the application will operate. This value must be either local or remote.

-S server_pwd
Specifies the server's password. This option is required. A password is created by the system and the configuration file is updated with the password created by the system. It is saved as an obfuscated value using the pd-user-pwd stanza entry in the [aznapi-configuration] stanza in the configuration file specified with the -f parameter. If this option is not specified, the server password will be read from standard input.

-t ssl_timeout
Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range 1 to 86400. The default value is 7200.
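The port, timeout, password-lifetime and naming constraints in the -config parameters above (together with the port rule that -chgport shares and the -e rule of -chgpwd) are worth checking before a configuration run rather than learning from exit code 1. The following Python is an added example, not code from IBM or from the svrsslcfg utility: it parses a stanza-style configuration file to test whether [aznapi-admin-services] is empty, applies the stated constraints, builds the svrsslcfg argv, and hands the administrator password to the utility on standard input (which the reference says is read when -P is omitted) so the password does not appear in process listings. The sample configuration text, the application name myapp, port 7137 and the group webapp-admins are constructed for the example.

```python
"""Pre-flight checks for svrsslcfg -config, -chgport and -chgpwd arguments.

Added example, not IBM's code. It parses a stanza-style configuration
file, applies the constraints the reference states, builds the argv for
svrsslcfg, and hands the administrator password to the utility on
standard input instead of the command line. The sample configuration
text, paths, application name, port and group name are constructed.
"""
import re
import subprocess
from typing import Dict, List, Optional

RESERVED_APPL_NAMES = {"ivacld", "secmgrd", "ivnet", "ivweb"}
FORBIDDEN_GROUPS = {"ivacld_servers", "remote_acl_users"}
ADMIN_ID_RE = re.compile(r"^[A-Za-z0-9._+\-@&*]+$")  # U.S. English set from the text
ABSOLUTE_PATH_RE = re.compile(r"^(/|[A-Za-z]:\\)")
Stanzas = Dict[str, Dict[str, str]]

SAMPLE_CFG = """\
[aznapi-configuration]
pd-user-pwd = obfuscated-value-here
azn-app-host = libra.dallas.ibm.com

[aznapi-admin-services]
"""

# Constructed option set; appl_name, port and group are made up for the example.
SAMPLE_OPTS = {"cfg_file": "/opt/PolicyDirector/etc/activedir.conf",
               "kdb_dir": "/opt/PolicyDirector/keytab", "appl_name": "myapp",
               "server_mode": "remote", "port": 7137, "groups": ["webapp-admins"]}


def parse_stanzas(text: str) -> Stanzas:
    """Parse [stanza] / key = value text; empty stanzas are kept on purpose."""
    stanzas: Stanzas = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_port(port: int, stanzas: Stanzas, listening_mode: str = "no") -> List[str]:
    """Port rules shared by -config and -chgport, returned as error strings."""
    errors: List[str] = []
    if not 0 <= port <= 65535:
        errors.append("port_number must be 0-65535")
    if port == 0 and stanzas.get("aznapi-admin-services"):
        errors.append("port 0 allowed only if [aznapi-admin-services] is empty")
    if listening_mode == "yes" and port == 0:
        errors.append("-l yes requires a non-zero -r port_number")
    return errors


def resolve_pwd_life(requested: int, configured: Optional[int]) -> int:
    """-e pwd_life for -chgpwd: 0 keeps the configured value (183 if unknown)."""
    if requested == 0:
        return configured if configured is not None else 183
    if not 1 <= requested <= 7299:
        raise ValueError("pwd_life must be 0 or 1-7299 days")
    return requested


def config_errors(o: dict, stanzas: Stanzas) -> List[str]:
    """Every -config constraint the reference states, as error strings."""
    errors = check_port(o["port"], stanzas, o.get("listening_mode", "no"))
    if not ABSOLUTE_PATH_RE.match(o["cfg_file"]):
        errors.append("cfg_file must be an absolute file name")
    if not ABSOLUTE_PATH_RE.match(o["kdb_dir"]):
        errors.append("kdb_dir must not be a relative directory name")
    if o["appl_name"] in RESERVED_APPL_NAMES:
        errors.append(f"appl_name {o['appl_name']!r} is reserved")
    if o["server_mode"] not in ("local", "remote"):
        errors.append("server_mode must be local or remote")
    if o.get("listening_mode", "no") not in ("yes", "no"):
        errors.append("listening_mode must be yes or no")
    if not 1 <= o.get("ssl_timeout", 7200) <= 86400:
        errors.append("ssl_timeout must be 1-86400 seconds")
    if not 1 <= o.get("pwd_life", 183) <= 7299:
        errors.append("pwd_life must be 1-7299 days")
    if not ADMIN_ID_RE.match(o.get("admin_id", "sec_master")):
        errors.append("admin_id contains a space or a disallowed character")
    for bad in sorted(FORBIDDEN_GROUPS.intersection(o.get("groups") or [])):
        errors.append(f"group {bad} is not permitted in -g")
    return errors


def build_config_argv(o: dict, stanzas: Stanzas) -> List[str]:
    """svrsslcfg -config argv; -P is omitted so the password comes from stdin."""
    errors = config_errors(o, stanzas)
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["svrsslcfg", "-config", "-f", o["cfg_file"], "-d", o["kdb_dir"],
            "-n", o["appl_name"], "-s", o["server_mode"], "-r", str(o["port"]),
            "-A", o.get("admin_id", "sec_master"), "-t", str(o.get("ssl_timeout", 7200)),
            "-e", str(o.get("pwd_life", 183)), "-l", o.get("listening_mode", "no")]
    if o.get("groups"):
        # Comma separated with no white space; argv is a list, so a group
        # name containing a space needs no shell quoting here.
        argv += ["-g", ",".join(o["groups"])]
    return argv


def run_with_stdin_password(argv: List[str], admin_pwd: str) -> int:
    """Run the utility with the administrator password supplied on stdin."""
    return subprocess.run(argv, input=admin_pwd + "\n", text=True).returncode
```

Stop the policy server first, as the Comments sections require; run_with_stdin_password then expects the utility to prompt on standard input exactly as the -P description states.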

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

svrsslcfg -modify

Changes a resource manager's current configuration.

Syntax

svrsslcfg -modify -f cfg_file [-t ssl_timeout] [-C cert_file] [-l listening_mode]

Parameters

-C cert_file
Specifies the fully qualified name of the file containing the base-64 encoded SSL certificate used when the server authenticates directly with the user registry.

-f cfg_file
Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
UNIX: /opt/PolicyDirector/etc/activedir.conf
Windows: C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-l listening_mode
Sets the listening-enabled flag in the configuration file. Values are yes and no. A value of yes requires that the listening port number in the configuration file be non-zero.

-t ssl_timeout
Specifies the SSL session timeout in seconds. The ssl_timeout value must be in the range 1 to 86400.

Comments

Stop the Tivoli Access Manager policy server before running this command.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

svrsslcfg -rmv_replica

Removes an authorization server replica from a resource manager's configuration.

Syntax

svrsslcfg -rmv_replica -f cfg_file -h host_name

Parameters

-f cfg_file
Specifies the configuration file path and name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
UNIX: /opt/PolicyDirector/etc/activedir.conf
Windows: C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-h host_name
Specifies the TCP host name of an authorization server replica. Valid values for host_name include any valid IP host name. Examples:
host = libra
host = libra.dallas.ibm.com

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

svrsslcfg -unconfig

Unconfigures a resource manager. The key files are deleted and the server is removed from the user registry and the Tivoli Access Manager database.

Syntax

svrsslcfg -unconfig -f cfg_file -n appl_name [-P admin_pwd] [-A admin_id] [-h host_name] [-o login_domain]

Parameters

-A admin_id
Specifies the name of the Tivoli Access Manager administrator user. The default administrative user is sec_master.

-f cfg_file
Specifies the configuration path and file name. A file name should be an absolute file name (fully qualified file name) to be valid. For example:
UNIX: /opt/PolicyDirector/etc/activedir.conf
Windows: C:\Program Files\Tivoli\Policy Director\etc\activedir.conf

-h host_name
Specifies the TCP host name used by the Tivoli Access Manager policy server to contact this server. If not specified, this parameter value is retrieved from the configuration file. The default value will be used only if a value cannot be determined from the configuration file. The default is the local host name returned by the operating system. Valid values for host_name include any valid IP host name. Examples:
host = libra
host = libra.dallas.ibm.com

-n appl_name
Specifies the name of the application. The name is combined with the host name to create unique names for Tivoli Access Manager objects created for your application. The following names are reserved for Tivoli Access Manager applications: ivacld, secmgrd, ivnet, and ivweb.

-o login_domain
Specifies the domain name for the domain to which this server is configured. This domain must exist, and the administrator ID and password must be valid for this domain. If not specified, the local domain that was specified during Tivoli Access Manager runtime configuration will be used. The local domain value will be retrieved from the configuration file.

-P admin_pwd
Specifies the password for the Tivoli Access Manager administrator user (admin_id). If this option is not specified, the password is read from standard input (stdin).

Authorization

This command fails only if you are not authorized to run the command or the Tivoli Access Manager policy server could not be contacted. This command is designed to clean up partial or damaged configurations, and so errors for missing or invalid information are not reported.

Comments

Stop the server application before running this command.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/PolicyDirector/bin/
• On Windows systems: c:\Program Files\Tivoli\Policy Director\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When a command fails, a description of the error and an error status code in hexadecimal format is provided (for example, 0x15c3a00c). Refer to the IBM Tivoli Access Manager Error Message Reference. This reference provides a list of the Tivoli Access Manager error messages by decimal or hexadecimal codes.

wesosm

Creates and maintains the Tivoli Access Manager object space for the Edge Server plug-in.

Syntax

wesosm -start [-infile input_file] [-logging [log_file]] [-clean] [-force [branch]] [-fast]
wesosm -stop [-infile input_file] [-logging [log_file]] [-clean] [-force [branch]] [-fast]
wesosm -run [-infile input_file] [-logging [log_file]] [-clean] [-force [branch]] [-fast]
wesosm -file [-infile input_file] [-logging [log_file]] [-clean] [-force [branch]] [-fast]
wesosm -skiperrors
wesosm -verbose

Parameters

-clean
Removes all entries from the object space underneath /ESproxy that are not found in the configuration file, osdef.conf. Be careful when using this option because any attached ACLs are lost when object space entries are deleted.

-fast
Compares only the object names and does not compare the types when checking for differences between the Tivoli Access Manager object space and the Web server's file system. The Tivoli Access Manager object type indicates whether the object space entry is a file or a directory. For example, if an existing file on the Web server is changed to a directory but the name remains the same, the utility does not detect this when this parameter is specified.

-file [output_file]
Starts the object space manager to update the object space once and then terminates the utility. Rather than updating the Tivoli Access Manager object space, the object space information is written to the specified file.

-force [branch]
Forces the utility to update the object space immediately when the object space manager is started as a daemon, instead of first waiting for the interval until the next update. If a branch is specified, only the indicated branch in the object space is updated. Wild cards can be used to specify the branch.

-infile input_file
Indicates the location of the configuration file, osdef.conf, that is used to update the object space.

-logging [log_file]
Indicates whether the object space manager should log object space updates to a log file. If no log file is specified, the default log file wesosm.log is used.

-run
Starts the object space manager to update the object space once and then terminates the utility.

-skiperrors
Does not terminate if an error is encountered while updating the Tivoli Access Manager object space. This is useful if the object space contains invalid entries.

-start
Starts the object space manager as a daemon. The daemon installs itself in memory to update the object space at intervals, as configured in the osdef.conf configuration file. This ensures that the object space is kept in synchronization with the content on the corresponding Web server.

-stop
Stops the object space manager daemon. The daemon removes itself from memory and ceases to perform further updates to the object space.

-verbose
When updating the object space, displays information about the exact entries that are created, deleted, and modified in the object space.
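To make the -fast and -clean caveats above concrete, here is an added example, not IBM's code, that models the comparison wesosm performs between the Web server's file system and the object space under /ESproxy using constructed dictionaries (the object names, types and ACL names are made up, and the set of entries "found in osdef.conf" is passed in directly rather than parsed). It shows that a name-only comparison misses a file that became a directory, that a wildcard branch confines the update as -force [branch] does, and which attached ACLs a clean-up would discard.

```python
"""Model of the wesosm object-space comparison.

Added example, not IBM's code. The real utility walks the Web server's
file system and the object space under /ESproxy; here both sides are
constructed dictionaries mapping an object name to its type ("file" or
"directory"), with a few attached ACLs, so the effect of -fast, -force
branch and -clean can be seen offline. All names below are made up.
"""
from fnmatch import fnmatch
from typing import Dict, List, Optional, Set, Tuple

WEB_SERVER_FS: Dict[str, str] = {          # what the Web server serves now
    "/ESproxy/index.html": "file",
    "/ESproxy/docs": "directory",
    "/ESproxy/docs/guide.html": "file",
    "/ESproxy/reports": "directory",       # was a file when last synchronized
}
OBJECT_SPACE: Dict[str, str] = {           # what Tivoli Access Manager holds
    "/ESproxy/index.html": "file",
    "/ESproxy/docs": "directory",
    "/ESproxy/docs/guide.html": "file",
    "/ESproxy/reports": "file",            # stale type
    "/ESproxy/old": "directory",           # gone from the Web server
}
ATTACHED_ACLS: Dict[str, str] = {"/ESproxy/reports": "reports-acl",
                                 "/ESproxy/old": "legacy-acl"}


def diff_object_space(fs: Dict[str, str], osp: Dict[str, str], fast: bool = False,
                      branch: Optional[str] = None) -> Tuple[List[str], List[str], List[str]]:
    """Return (to_create, to_delete, to_modify) as sorted name lists.

    fast=True compares names only, so an entry whose type changed from
    file to directory is not reported: the blind spot the reference
    describes for -fast. branch restricts the comparison to names that
    match a wildcard pattern, as -force [branch] does.
    """
    def in_scope(name: str) -> bool:
        return branch is None or fnmatch(name, branch)

    to_create = sorted(n for n in fs if n not in osp and in_scope(n))
    to_delete = sorted(n for n in osp if n not in fs and in_scope(n))
    if fast:
        to_modify: List[str] = []
    else:
        to_modify = sorted(n for n in fs
                           if n in osp and fs[n] != osp[n] and in_scope(n))
    return to_create, to_delete, to_modify


def plan_clean(osp: Dict[str, str], configured: Set[str],
               acls: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Entries -clean would remove (under /ESproxy and absent from the
    osdef.conf-derived set) and the attached ACLs lost with them."""
    removed = sorted(n for n in osp
                     if n.startswith("/ESproxy/") and n not in configured)
    lost = sorted(acls[n] for n in removed if n in acls)
    return removed, lost


def sync_report(fast: bool = False) -> str:
    """A -verbose style one-line summary for the sample data."""
    c, d, m = diff_object_space(WEB_SERVER_FS, OBJECT_SPACE, fast=fast)
    return f"create={c} delete={d} modify={m}"
```

Run sync_report() with and without fast=True and the type change on /ESproxy/reports disappears from the modify list; plan_clean shows that removing /ESproxy/old also discards legacy-acl, which is the loss the -clean description warns about.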

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/pdweb-lite/bin/
• On Windows systems: C:\Program Files\Tivoli\pdweb-lite\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.

wslstartwte

Manually starts the Edge Server caching proxy and loads the plug-in for Edge Server on UNIX.

Syntax

wslstartwte

Parameters

None.

Comments

To start the plug-in for Edge Server on Windows, use the IBM Caching proxy service.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/pdweb-lite/bin/
• On Windows systems: C:\Program Files\Tivoli\pdweb-lite\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.

wslstopwte

Stops the Edge Server caching proxy on UNIX systems.

Syntax

wslstopwte

Parameters

None.

Comments

To stop the plug-in for Edge Server on Windows, use the IBM Caching proxy service.

Availability

This command is located in the following default installation directories:
• On UNIX systems: /opt/pdweb-lite/bin/
• On Windows systems: C:\Program Files\Tivoli\pdweb-lite\bin\
When an installation directory other than the default is selected, this utility is located in the bin directory under the installation directory (for example, install_dir\bin\).

Return codes

The following exit status codes can be returned:
0  The command completed successfully.
1  The command failed. When the command fails, an error message is displayed. Refer to the IBM Tivoli Access Manager Error Message Reference for a more detailed description of the problem.

Appendix A. Disallowed characters and passwords limitations

When specifying Tivoli Access Manager user names, group names, distinguished names, names for POPs, ACLs, and authorization rules, domain names, and so forth, certain characters might be disallowed. Some factors that affect which characters are allowed are restrictions of the underlying user registry, server restrictions, and operating system restrictions.

This appendix describes:
1. "Password policies"
2. "Character limitations for passwords and user names" on page 280
3. "Characters allowed for secure domain names" on page 280
4. "Characters disallowed for user and group name" on page 281
5. "Characters disallowed for distinguished names" on page 281
6. "Characters disallowed for GSO names" on page 281
7. "Characters disallowed for authorization rules" on page 281
8. "Characters disallowed for access control lists names" on page 282
9. "Characters disallowed for protected object policy names" on page 282

Password policies

You can change global user settings, such as password policies, login-failure policies, access policies, and account expiration policies. Additionally, you can override global password policies by setting individual password policies for the specified user. For example, you can change a password policy so that the password policy is set only for a specific user and overrides any password policy that is set globally for all users.

Using Web Portal Manager or the pdadmin command, you can provide these types of global password policies for all users:
• Minimum length allowed for a password
• Maximum age allowed for a password
• Minimum number of alphanumeric characters allowed in a password
• Minimum number of non-alphanumeric characters allowed in a password
• Maximum number of repeated characters allowed in a password
• Whether spaces are allowed in the password

By default, passwords must contain:
• A minimum of eight alphanumeric characters, with a minimum of one number and four letters.
• A maximum of two repeated characters.

The valid range for minimum and maximum numbers can be any number. However, a reasonable number should be used for the task you want to perform. For example, a minimum password length should be long enough to protect your system: a minimum that is too short makes it easy for someone to determine your password by trying different combinations.

Character limitations for passwords and user names

There are password characters that are valid but must be treated differently when using the pdadmin utility. These special characters have special meaning to the utility. Enclose the password or user name in double quotation marks (") to escape the special character when setting or changing user passwords (pdadmin user modify) or when logging in (pdadmin login). Otherwise, you will receive an error message.

To escape the double quotation mark special character, enclose the password or user name in double quotation marks and use the backslash (\) escape character. For example, to escape the password abc"123, type the string "abc\"123" in the pdadmin command when typing the password using the -p option. When the interactive pdadmin login command is used, no double quotation marks and escape character are needed.

The following special characters either should not be used or should be escaped when using the pdadmin command:
pound sign (#)
left parenthesis ( ( )
right parenthesis ( ) )
comma (,)
double quotation marks (")

Avoid using these characters as the first character in the password when setting or modifying the password (pdadmin user modify command):
pound sign (#)
left brace ({)
hyphen (-)
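An added example, not IBM's code, that turns the default password policy listed under "Password policies" and the pdadmin quoting rules above into checks a practitioner can run before setting a password: check_password reports which default rules a candidate violates, pdadmin_warnings flags the characters that need escaping or that should be avoided as the first character, and quote_for_pdadmin produces the escaped string shown above for a password containing a double quotation mark. Two readings are assumptions: a "repeated character" is taken as consecutive repeats of one character, and spaces are treated as not allowed by default; password length is counted over all characters.

```python
"""Default password policy check and pdadmin quoting.

Added example, not IBM's code. check_password applies the default global
policy the reference lists (eight characters minimum, at least one number
and four letters, at most two repeated characters); "repeated" is taken
to mean consecutive occurrences of one character, an assumption, as is
the "spaces not allowed" default. quote_for_pdadmin produces the form
the reference shows for the pdadmin -p option.
"""
from typing import List

DEFAULT_POLICY = {
    "min_length": 8, "min_letters": 4, "min_digits": 1,
    "max_repeated": 2, "spaces_allowed": False,  # spaces default: assumption
}
AVOID_AS_FIRST_CHAR = "#{-"      # pdadmin user modify: avoid as first character
PDADMIN_SPECIAL = '#(),"'        # escape or avoid anywhere in a pdadmin argument


def longest_run(s: str) -> int:
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(pwd: str, policy: dict = DEFAULT_POLICY) -> List[str]:
    """Names of the policy rules the password violates (empty = acceptable)."""
    violations: List[str] = []
    if len(pwd) < policy["min_length"]:
        violations.append("length")
    if sum(c.isalpha() for c in pwd) < policy["min_letters"]:
        violations.append("letters")
    if sum(c.isdigit() for c in pwd) < policy["min_digits"]:
        violations.append("digits")
    if longest_run(pwd) > policy["max_repeated"]:
        violations.append("repeat")
    if " " in pwd and not policy["spaces_allowed"]:
        violations.append("spaces")
    return violations


def pdadmin_warnings(pwd: str) -> List[str]:
    """Characters that need care when the password is typed to pdadmin."""
    warnings: List[str] = []
    if pwd and pwd[0] in AVOID_AS_FIRST_CHAR:
        warnings.append(f"first character {pwd[0]!r} should be avoided")
    for ch in sorted(set(pwd) & set(PDADMIN_SPECIAL)):
        warnings.append(f"{ch!r} must be escaped")
    return warnings


def quote_for_pdadmin(value: str) -> str:
    """Wrap in double quotation marks, escaping embedded ones with a backslash.

    This is the only escape the reference describes; the interactive
    pdadmin login prompt needs neither the quotes nor the backslash.
    """
    return '"' + value.replace('"', '\\"') + '"'
```

quote_for_pdadmin('abc"123') returns "abc\"123" with the surrounding quotation marks, the exact string the text says to type with -p; the policy values in DEFAULT_POLICY can be replaced by whatever the global or per-user policy in your domain actually sets.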

Characters allowed for secure domain names

A valid local domain name is an alphanumeric, case-sensitive string. String characters are expected to be characters that are part of the local code set. The following characters, numbers, and special characters can be used for secure domain names when using the pdadmin command or Web Portal Manager. For example, for U.S. English, secure domain names can contain:
letters a - z
letters A - Z
numbers 0 - 9
period (.)
underscore (_)
plus sign (+)
hyphen (-)
at sign (@)
ampersand (&)
asterisk (*)

You cannot use a space in the domain name. The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry. See Appendix B, "User registry differences," on page 285.

Characters disallowed for user and group name

Special characters can be treated differently by the different user registries. Avoid this character in user and group names that are defined by using distinguished name strings:
forward slash (/)

If Microsoft Active Directory is the user registry, care must be taken with user and group names that contain this character:
period (.)

Characters disallowed for distinguished names

The following characters are treated differently by the different user registries. In general, you can use special characters within a distinguished name (DN). However, certain special characters require an additional escape character (\). The following special characters must be escaped when used in a distinguished name:
plus sign (+)
backslash (\)
semicolon (;)
comma (,)

Characters disallowed for GSO names

You cannot use the following characters to create a global signon (GSO) user name, GSO resource name, or GSO resource group name:
! " # & ( ) * + , ; : < > = @ \ |

Although it is possible to use most of these characters for other LDAP-related data, such as the common name (CN), distinguished name (DN), and short name (SN) of a user, these characters have special meaning in LDAP DN syntax and filters. Before using any of these characters in user and group names, consult the documentation for your user registry to determine the effect of special characters.

Characters disallowed for authorization rules

These characters cannot be used in the name of an authorization rule when using the pdadmin command or Web Portal Manager:
exclamation point (!)
double quotation marks (")
pound sign (#)
ampersand (&)
left parenthesis ( ( )
right parenthesis ( ) )
asterisk (*)
plus sign (+)
comma (,)
semicolon (;)
colon (:)
less than symbol (<)
greater than symbol (>)
equal sign (=)
at sign (@)
backslash (\)
vertical bar (|)

A valid authorization rule name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed.

Characters disallowed for access control lists names

These characters cannot be used in the name of an access control list (ACL) policy when using the pdadmin command or Web Portal Manager:
exclamation point (!)
double quotation marks (")
pound sign (#)
ampersand (&)
left parenthesis ( ( )
right parenthesis ( ) )
asterisk (*)
plus sign (+)
comma (,)
semicolon (;)
colon (:)
less than symbol (<)
greater than symbol (>)
equal sign (=)
at sign (@)
backslash (\)
forward slash (/)
vertical bar (|)
period (.)

A valid ACL policy name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed.

Characters disallowed for protected object policy names

These characters cannot be used in the name of a protected object policy (POP) when using the pdadmin command or Web Portal Manager:
exclamation point (!)
double quotation marks (")
pound sign (#)
ampersand (&)
left parenthesis ( ( )
right parenthesis ( ) )
asterisk (*)
plus sign (+)
comma (,)
semicolon (;)
colon (:)
less than symbol (<)
greater than symbol (>)
equal sign (=)
at sign (@)
backslash (\)
forward slash (/)
vertical bar (|)
period (.)

A valid POP name is an alphanumeric, case-insensitive string. String values are expected to be characters that are part of the local code set. Spaces are not allowed.

Appendix

A.

Disallowed

characters

and

passwords

limitations

283

284

IBM

Tivoli

Access

Manager

for

e-business:

Command

Reference
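A pre-flight check for the four name classes described in this appendix, added here as an example; it is not code from the Command Reference or from the product. It encodes the disallowed-character lists exactly as listed above, enforces the no-spaces rule for authorization rule, ACL and POP names, and backslash-escapes the four DN characters the appendix says must be escaped. The escaping style (RFC 4514 backslash escaping) is an assumption, since the appendix does not say how to escape; the "alphanumeric" requirement is not enforced beyond the listed characters because the appendix does not say whether characters such as the hyphen are accepted. Function names are the example's own.

```python
"""Pre-flight checks for names passed to pdadmin or Web Portal Manager.

Constructed example for Appendix A, not part of the Command Reference.
The character sets are copied from the appendix; DN escaping follows
RFC 4514 backslash escaping (an assumption the appendix does not state).
"""
import re

# Characters the appendix disallows in GSO user, resource and resource
# group names, and likewise in authorization rule names.
GSO_AND_RULE_DISALLOWED = set('!"#&()*+,;:<>=@\\|')

# ACL policy names and POP names additionally reject "/" and ".".
ACL_AND_POP_DISALLOWED = GSO_AND_RULE_DISALLOWED | set('/.')

DISALLOWED_BY_KIND = {
    "gso": GSO_AND_RULE_DISALLOWED,
    "rule": GSO_AND_RULE_DISALLOWED,
    "acl": ACL_AND_POP_DISALLOWED,
    "pop": ACL_AND_POP_DISALLOWED,
}

# Rule, ACL and POP names may not contain spaces.
NO_SPACES = {"rule", "acl", "pop"}

# DN characters the appendix says must be escaped: + \ ; ,
DN_ESCAPE = set('+\\;,')


def name_problems(kind, name):
    """Return the reasons `name` is not acceptable for `kind`
    ('gso', 'rule', 'acl' or 'pop'); an empty list means it passes."""
    problems = []
    bad = sorted(set(name) & DISALLOWED_BY_KIND[kind])
    if bad:
        problems.append("disallowed characters: " + " ".join(bad))
    if kind in NO_SPACES and re.search(r"\s", name):
        problems.append("spaces are not allowed")
    if not name:
        problems.append("name is empty")
    return problems


def escape_dn_value(value):
    """Backslash-escape the DN special characters listed in the appendix
    so the value can be embedded in a distinguished name."""
    return "".join("\\" + c if c in DN_ESCAPE else c for c in value)


if __name__ == "__main__":
    for kind, name in [("acl", "webseal-acl"), ("pop", "pop.v2"),
                       ("rule", "my rule"), ("gso", "a|b")]:
        print(kind, repr(name), name_problems(kind, name) or "ok")
    print(escape_dn_value("Smith, John+Jr"))
```

Run the check on a candidate name before issuing the corresponding pdadmin command; note that a GSO resource name may legitimately contain "." and "/", which an ACL or POP name may not, so the kind must be passed explicitly.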

Appendix B. User registry differences

The following user registry differences are known to exist in this version of IBM Tivoli Access Manager (Tivoli Access Manager).

1. When Tivoli Access Manager is using either Microsoft Active Directory or a Lotus Domino server as its user registry, only a single domain is supported. Use an LDAP user registry if you wish to take advantage of the multi-domain support in Tivoli Access Manager.

2. Tivoli Access Manager does not support cross domain group membership or universal groups when using Microsoft Active Directory as its user registry. Importing such groups into Tivoli Access Manager is not supported.

3. When the Tivoli Access Manager policy server is using either Microsoft Active Directory or a Lotus Domino server as its user registry, existing Tivoli SecureWay Policy Director, Version 3.8 clients are not able to connect to the policy server. Either use a different user registry or upgrade the clients to Tivoli Access Manager.

4. Users created in a Lotus Domino server or Microsoft Active Directory user registry are automatically given the capability to own single signon credentials, and this capability cannot be removed. When using an LDAP user registry, this capability must be explicitly granted to a user and subsequently can be removed.

5. Leading and trailing blanks in user names and group names are ignored when using LDAP or Microsoft Active Directory as the user registry in a Tivoli Access Manager secure domain. However, when using a Lotus Domino server as a user registry, leading and trailing blanks are significant. To ensure that processing is consistent regardless of what user registry is being used, define users and groups in the user registry without leading or trailing blanks in their names.

6. The forward slash character (/) should be avoided in user and group names defined using distinguished name strings. The forward slash character is treated differently in different user registries:

   Lotus Domino server
   Users and groups cannot be created with names using a distinguished name string containing a forward slash character. To avoid the problem, either do not use a forward slash character or define the user without using the distinguished name designation:

       pdadmin user create myuser username/locinfo test test testpwd

   instead of using this one:

       pdadmin user create myuser cn=username/o=locinfo test test testpwd

   Microsoft Active Directory
   Users and groups can be created with names using a distinguished name string containing a forward slash character. However, subsequent operations on the object might fail, as some Active Directory functions interpret the forward slash character as a separator between the object name and the host name. To avoid the problem, do not use a forward slash character to define the user.

7. When using a multi-domain Microsoft Active Directory user registry, multiple users and groups can be defined with the same short name as long as they reside in different domains. However, the full name of the user or group, including the domain suffix, must always be specified to Tivoli Access Manager.

© Copyright IBM Corp. 2001, 2003 285

8. When using iPlanet Version 5.0 as the user registry, a user that is created, added to a group, and then deleted from the user registry retains its group membership. If a user with the same name is created at some later time, the new user automatically inherits the old group membership and might be given inappropriate permissions. It is strongly recommended that the user be removed from all groups before the user is deleted. This problem does not occur when using the other supported user registries.

9. Attempting to add a single duplicate user to a group does not produce an error when an LDAP user registry is being used. However, an error is properly reflected when using Lotus Domino server or Microsoft Active Directory.

10. The Tivoli Access Manager authorization API provides a credentials attribute entitlements service. This service is used to retrieve user attributes from a user registry. When this service is used with an LDAP user registry, the retrieved attributes can be either string or binary data. However, when this service is used with a Microsoft Active Directory or Lotus Domino user registry, the retrieved attributes can be either string, binary or integer data.

11. The maximum lengths of various names associated with Tivoli Access Manager vary depending on the user registry being used. See Table 19 for a comparison of the maximum lengths allowed and the recommended maximum length to use to ensure compatibility with all the user registries supported by Tivoli Access Manager.

Table 19. Maximum lengths for names based on user registry

| Maximum length of: | LDAP | Microsoft Active Directory | Lotus Domino server | Recommended maximum value |
|---|---|---|---|---|
| First name (LDAP CN) | 256 | 64 | 960 | 64 |
| Middle name | 128 | 64 | 65535 | 64 |
| Last name (surname) | 128 | 64 | 960 | 64 |
| Registry UID (LDAP DN) | 1024 | 2048 | 255 | This value is user registry-specific and must be changed when changing user registries. |
| Tivoli Access Manager user identity | 256 | 2048 - 1 - length_of_domain_name | 200 - 4 - length_of_domain_name | This value is user registry-specific and must be changed when changing user registries. |
| User password | unlimited | 256 | unlimited | 256 |
| User description | 1024 | 1024 | 1024 | 1024 |
| Group name | 256 | 256 | | |
| Group description | 1024 | 1024 | 1024 | 1024 |
| Single signon resource name | 240 | 256 | 256 | 240 |
| Single signon resource description | 1024 | 1024 | 1024 | 1024 |
| Single signon user ID | 240 | 256 | 256 | 240 |
| Single signon password | unlimited | 256 | unlimited | 256 |
| Single signon group name | 240 | 256 | 256 | 240 |
| Single signon group description | 1024 | 1024 | 1024 | 1024 |
| Action name | 1 | 1 | 1 | 1 |
| Action description, action type | unlimited | unlimited | unlimited | |
| Object name, object space name, ACL name, POP name | unlimited | unlimited | unlimited | |
| Object description, object space description, ACL description, POP description | unlimited | unlimited | unlimited | |

Even though some names can be of unlimited length, excessive lengths can result in policy that is difficult to manage and might result in poor system performance. Choose maximum values that are logical for your environment.

Appendix B. User registry differences 287
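The limits in Table 19 and the blank-handling note in item 5, turned into a checker that a migration or provisioning script could call before creating an entry; this is an added example for this appendix, not code from the Command Reference or from the product. The table values are copied as given for the rows the example covers; the two formula cells for the Tivoli Access Manager user identity are evaluated for a domain name you supply, and rows whose recommended value is "registry-specific" yield no portable limit. The function names and the name-kind keys are the example's own.

```python
"""Length checks against Table 19 for the user registries the appendix compares.

Constructed example for Appendix B, not part of the Command Reference.
Cell values are copied from the table; the two formula cells for the
Tivoli Access Manager user identity are evaluated for a given domain name.
"""
import math

UNLIMITED = math.inf          # the table's "unlimited"
REGISTRY_SPECIFIC = None      # "must be changed when changing user registries"

COLUMNS = ("ldap", "active_directory", "domino", "recommended")

# Rows of Table 19: (LDAP, Active Directory, Lotus Domino, recommended).
# A callable cell takes the length of the domain name and returns the limit.
TABLE_19 = {
    "first name":        (256, 64, 960, 64),
    "middle name":       (128, 64, 65535, 64),
    "last name":         (128, 64, 960, 64),
    "registry uid":      (1024, 2048, 255, REGISTRY_SPECIFIC),
    "user identity":     (256, lambda d: 2048 - 1 - d, lambda d: 200 - 4 - d,
                          REGISTRY_SPECIFIC),
    "user password":     (UNLIMITED, 256, UNLIMITED, 256),
    "user description":  (1024, 1024, 1024, 1024),
    "sso resource name": (240, 256, 256, 240),
    "sso user id":       (240, 256, 256, 240),
    "sso password":      (UNLIMITED, 256, UNLIMITED, 256),
    "sso group name":    (240, 256, 256, 240),
    "action name":       (1, 1, 1, 1),
}


def limit_for(name_kind, column, domain_name=""):
    """Maximum length Table 19 gives for `name_kind` in `column`
    (a registry name or 'recommended'); None where the table gives no
    single value because the limit is registry-specific."""
    cell = TABLE_19[name_kind][COLUMNS.index(column)]
    return cell(len(domain_name)) if callable(cell) else cell


def check_name(name_kind, value, registry, domain_name=""):
    """Return a list of problems with `value` for `registry` (empty if none).

    Blanks are reported rather than silently stripped: item 5 notes that
    LDAP and Active Directory ignore leading and trailing blanks while
    Domino treats them as significant, so such a name is not portable.
    """
    problems = []
    if value != value.strip():
        problems.append("leading or trailing blanks are not portable across registries")
    limit = limit_for(name_kind, registry, domain_name)
    if limit is None:
        problems.append(f"{name_kind} limit is registry-specific; check the target registry")
    elif len(value) > limit:
        problems.append(f"{name_kind} is {len(value)} characters; {registry} allows {limit}")
    recommended = limit_for(name_kind, "recommended", domain_name)
    if recommended is not None and len(value) > recommended:
        problems.append(f"exceeds the recommended maximum of {recommended}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a fictitious domain and two candidate names.
    print(limit_for("user identity", "active_directory", "example.com"))
    print(check_name("first name", "a" * 65, "active_directory"))
    print(check_name("user identity", " alice ", "ldap"))
```

Checking against the "recommended" column as well as the target registry is what makes a name safe to carry across a later registry migration, which is the point the appendix makes about choosing the recommended maximum.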

Appendix C. Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

    IBM Director of Licensing
    IBM Corporation
    North Castle Drive
    Armonk, NY 10504-1785
    U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

    IBM World Trade Asia Corporation
    Licensing
    2-31 Roppongi 3-chome, Minato-ku
    Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

    IBM Corporation
    2Z4A/101
    11400 Burnet Road
    Austin, TX 78758
    U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.

Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

    AIX
    DB2
    IBM
    IBM logo
    OS/390
    SecureWay
    Tivoli
    Tivoli logo
    Universal Database
    WebSphere
    zSeries
    z/OS

Lotus and Domino are trademarks of International Business Machines Corporation and Lotus Development Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Microsoft and Windows are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

Appendix C. Notices 291

Glossary

A

access control. In computer security, the process of ensuring that the resources of a computer system can be accessed only by authorized users in authorized ways.

access control list (ACL). In computer security, a list that is associated with an object that identifies all the subjects that can access the object and their access rights. For example, an access control list is a list that is associated with a file that identifies the users who can access the file and identifies the users’ access rights to that file.

access permission. The access privilege that applies to the entire object.

action. An access control list (ACL) permission attribute. See also access control list.

ACL. See access control list.

administration service. An authorization API runtime plug-in that can be used to perform administration requests on a Tivoli Access Manager resource manager application. The administration service will respond to remote requests from the pdadmin command to perform tasks, such as listing the objects under a particular node in the protected object tree. Customers may develop these services using the authorization ADK.

attribute list. A linked list that contains extended information that is used to make authorization decisions. Attribute lists consist of a set of name = value pairs.

authentication. (1) In computer security, verification of the identity of a user or the user’s eligibility to access an object. (2) In computer security, verification that a message has not been altered or corrupted. (3) In computer security, a process that is used to verify the user of an information system or of protected resources. See also multi-factor authentication, network-based authentication, and step-up authentication.

authorization. (1) In computer security, the right granted to a user to communicate with or make use of a computer system. (2) The process of granting a user either complete or restricted access to an object, resource, or function.

authorization rule. See rule.

authorization service plug-in. A dynamically loadable library (DLL or shared library) that can be loaded by the Tivoli Access Manager authorization API runtime client at initialization time in order to perform operations that extend a service interface within the Authorization API. The service interfaces that are currently available include Administration, External Authorization, Credentials modification, Entitlements and PAC manipulation interfaces. Customers may develop these services using the authorization ADK.

B

BA. See basic authentication.

basic authentication. A method of authentication that requires the user to enter a valid user name and password before access to a secure online resource is granted.

bind. To relate an identifier to another object in a program; for example, to relate an identifier to a value, an address or another identifier, or to associate formal parameters and actual parameters.

blade. A component that provides application-specific services and components.

business entitlement. The supplemental attribute of a user credential that describes the fine-grained conditions that can be used in the authorization of requests for resources.

C

CA. See certificate authority.

CDAS. See Cross Domain Authentication Service.

CDMF. See Cross Domain Mapping Framework.

certificate. In computer security, a digital document that binds a public key to the identity of the certificate owner, thereby enabling the certificate owner to be authenticated. A certificate is issued by a certificate authority.

certificate authority (CA). An organization that issues certificates. The certificate authority authenticates the certificate owner’s identity and the services that the owner is authorized to use, issues new certificates, renews existing certificates, and revokes certificates belonging to users who are no longer authorized to use them.

CGI. See common gateway interface.

cipher. Encrypted data that is unreadable until it has been converted into plain data (decrypted) with a key.

common gateway interface (CGI). An Internet standard for defining scripts that pass information from a Web server to an application program, through an HTTP request, and vice versa. A CGI script is a CGI program that is written in a scripting language, such as Perl.

configuration. (1) The manner in which the hardware and software of an information processing system are organized and interconnected. (2) The machines, devices, and programs that make up a system, subsystem, or network.

connection. (1) In data communication, an association established between functional units for conveying information. (2) In TCP/IP, the path between two protocol applications that provides reliable data stream delivery service. In the Internet, a connection extends from a TCP application on one system to a TCP application on another system. (3) In system communications, a line over which data can be passed between two systems or between a system and a device.

container object. A structural designation that organizes the object space into distinct functional regions.

cookie. Information that a server stores on a client machine and accesses during subsequent sessions. Cookies allow servers to remember specific information about clients.

credentials. Detailed information, acquired during authentication, that describes the user, any group associations, and other security-related identity attributes. Credentials can be used to perform a multitude of services, such as authorization, auditing, and delegation.

credentials modification service. An authorization API runtime plug-in which can be used to modify a Tivoli Access Manager credential. Credentials modification services developed externally by customers are limited to performing operations to add and remove from the credentials attribute list and only to those attributes that are considered modifiable.

cross domain authentication service (CDAS). A WebSEAL service that provides a shared library mechanism that allows you to substitute the default WebSEAL authentication mechanisms with a custom process that returns a Tivoli Access Manager identity to WebSEAL. See also WebSEAL.

cross domain mapping framework (CDMF). A programming interface that allows a developer to customize the mapping of user identities and the handling of user attributes when WebSEAL e-Community SSO functions are used.

D

daemon. A program that runs unattended to perform continuous or periodic systemwide functions, such as network control. Some daemons are triggered automatically to perform their task; others operate periodically.

directory schema. The valid attribute types and object classes that can appear in a directory. The attribute types and object classes define the syntax of the attribute values, which attributes must be present, and which attributes may be present for the directory.

distinguished name (DN). The name that uniquely identifies an entry in a directory. A distinguished name is made up of attribute:value pairs, separated by commas.

digital signature. In e-commerce, data that is appended to, or is a cryptographic transformation of, a data unit and that enables the recipient of the data unit to verify the source and integrity of the unit and to recognize potential forgery.

DN. See distinguished name.

domain. (1) A logical grouping of users, systems, and resources that share common services and usually function with a common purpose. (2) That part of a computer network in which the data processing resources are under common control. See also domain name.

domain name. In the Internet suite of protocols, a name of a host system. A domain name consists of a sequence of subnames that are separated by a delimiter character. For example, if the fully qualified domain name (FQDN) of a host system is as400.rchland.vnet.ibm.com, each of the following is a domain name: as400.rchland.vnet.ibm.com, vnet.ibm.com, ibm.com.

E

EAS. See External Authorization Service.

encryption. In computer security, the process of transforming data into an unintelligible form in such a way that the original data either cannot be obtained or can be obtained only by using a decryption process.

entitlement. A data structure that contains externalized security policy information. Entitlements contain policy data or capabilities that are formatted in a way that is understandable to a specific application.

entitlement service. An authorization API runtime plug-in which can be used to return entitlements from an external source for a principal or set of conditions. Entitlements are normally application specific data that will be consumed by the resource manager application in some way or added to the principal’s credentials for use further on in the authorization process. Customers may develop these services using the authorization ADK.

external authorization service. An authorization API runtime plug-in that can be used to make application or environment specific authorization decisions as part of the Tivoli Access Manager authorization decision chain. Customers may develop these services using the authorization ADK.

F

file transfer protocol (FTP). In the Internet suite of protocols, an application layer protocol that uses Transmission Control Protocol (TCP) and Telnet services to transfer bulk-data files between machines or hosts.

G

global signon (GSO). A flexible single sign-on solution that enables the user to provide alternative user names and passwords to the back-end Web application server. Global signon grants users access to the computing resources they are authorized to use through a single login. Designed for large enterprises consisting of multiple systems and applications within heterogeneous, distributed computing environments, GSO eliminates the need for users to manage multiple user names and passwords. See also single signon.

GSO. See global signon.

H

host. A computer that is connected to a network (such as the Internet or an SNA network) and provides an access point to that network. Also, depending on the environment, the host may provide centralized control of the network. The host can be a client, a server, or both a client and a server simultaneously.

HTTP. See Hypertext Transfer Protocol.

hypertext transfer protocol (HTTP). In the Internet suite of protocols, the protocol that is used to transfer and display hypertext documents.

I

Internet protocol (IP). In the Internet suite of protocols, a connectionless protocol that routes data through a network or interconnected networks and acts as an intermediary between the higher protocol layers and the physical network.

Internet suite of protocols. A set of protocols developed for use on the Internet and published as Requests for Comments (RFCs) through the Internet Engineering Task Force (IETF).

interprocess communication (IPC). (1) The process by which programs communicate data to each other and synchronize their activities. Semaphores, signals, and internal message queues are common methods of interprocess communication. (2) A mechanism of an operating system that allows processes to communicate with each other within the same computer or over a network.

IP. See Internet Protocol.

IPC. See Interprocess Communication.

J

junction. An HTTP or HTTPS connection between a front-end WebSEAL server and a back-end Web application server. WebSEAL uses a junction to provide protective services on behalf of the back-end server.

K

key. In computer security, a sequence of symbols that is used with a cryptographic algorithm for encrypting or decrypting data. See private key and public key.

key database file. See key ring.

key file. See key ring.

key pair. In computer security, a public key and a private key. When the key pair is used for encryption, the sender uses the public key to encrypt the message, and the recipient uses the private key to decrypt the message. When the key pair is used for signing, the signer uses the private key to encrypt a representation of the message, and the recipient uses the public key to decrypt the representation of the message for signature verification.

key ring. In computer security, a file that contains public keys, private keys, trusted roots, and certificates.

L

LDAP. See Lightweight Directory Access Protocol.

lightweight directory access protocol (LDAP). An open protocol that (a) uses TCP/IP to provide access to directories that support an X.500 model and (b) does not incur the resource requirements of the more complex X.500 Directory Access Protocol (DAP). Applications that use LDAP (known as directory-enabled applications) can use the directory as a common data store and for retrieving information about people or services, such as e-mail addresses, public keys, or service-specific configuration parameters. LDAP was originally specified in RFC 1777. LDAP version 3 is specified in RFC 2251, and the IETF continues work on additional standard functions. Some of the IETF-defined standard schemas for LDAP are found in RFC 2256.

Glossary 295

lightweight third party authentication (LTPA). An authentication framework that allows single sign-on across a set of Web servers that fall within an Internet domain.

LTPA. See lightweight third party authentication.

M

management domain. The default domain in which Tivoli Access Manager enforces security policies for authentication, authorization, and access control. This domain is created when the policy server is configured. See also domain.

management server. Obsolete. See policy server.

metadata. Data that describes the characteristics of stored data.

migration. The installation of a new version or release of a program to replace an earlier version or release.

multi-factor authentication. A protected object policy (POP) that forces a user to authenticate using two or more levels of authentication. For example, the access control on a protected resource can require that the users authenticate with both user name/password and user name/token passcode. See also protected object policy.

multiplexing proxy agent (MPA). A gateway that accommodates multiple client access. These gateways are sometimes known as Wireless Access Protocol (WAP) gateways when clients access a secure domain using a WAP. Gateways establish a single authenticated channel to the originating server and tunnel all client requests and responses through this channel.

N

network-based authentication. A protected object policy (POP) that controls access to objects based on the internet protocol (IP) address of the user. See also protected object policy.

P

PAC. See privilege attribute certificate.

permission. The ability to access a protected object, such as a file or directory. The number and meaning of permissions for an object are defined by the access control list (ACL). See also access control list.

policy. A set of rules that are applied to managed resources.

policy server. The Tivoli Access Manager server that maintains the location information about other servers in the secure domain.

polling. The process by which databases are interrogated at regular intervals to determine if data needs to be transmitted.

POP. See protected object policy.

portal. An integrated Web site that dynamically produces a customized list of Web resources, such as links, content, or services, available to a specific user, based on the access permissions for the particular user.

privilege attribute certificate. A digital document that contains a principal’s authentication and authorization attributes and a principal’s capabilities.

privilege attribute certificate service. An authorization API runtime client plug-in which translates a PAC of a predetermined format into a Tivoli Access Manager credential, and vice-versa. These services could also be used to package or marshal a Tivoli Access Manager credential for transmission to other members of the secure domain. Customers may develop these

services

using

the

authorization

ADK.

See

also

privilege

attribute

certificate.

protected

object.

The

logical

representation

of

an

actual

system

resource

that

is

used

for

applying

ACLs

and

POPs

and

for

authorizing

user

access.

See

also

protected

object

policy

and

protected

object

space.

protected

object

policy

(POP).

A

type

of

security

policy

that

imposes

additional

conditions

on

the

operation

permitted

by

the

ACL

policy

to

access

a

protected

object.

It

is

the

responsibility

of

the

resource

manager

to

enforce

the

POP

conditions.

See

also

access

control

list,

protected

object,

and

protected

object

space.

protected

object

space.

The

virtual

object

representation

of

actual

system

resources

that

is

used

for

applying

ACLs

and

POPs

and

for

authorizing

user

access.

See

also

protected

object

and

protected

object

policy.

private

key.

In

computer

security,

a

key

that

is

known

only

to

its

owner.

Contrast

with

public

key.

public

key.

In

computer

security,

a

key

that

is

made

available

to

everyone.

Contrast

with

private

key.

Q

quality

of

protection.

The

level

of

data

security,

determined

by

a

combination

of

authentication,

integrity,

and

privacy

conditions.

296

IBM

Tivoli

Access

Manager

for

e-business:

Command

Reference

R

registry.

The

datastore

that

contains

access

and

configuration

information

for

users,

systems,

and

software.

replica.

A

server

that

contains

a

copy

of

the

directory

or

directories

of

another

server.

Replicas

back

up

servers

in

order

to

enhance

performance

or

response

times

and

to

ensure

data

integrity.

resource

object.

The

representation

of

an

actual

network

resource,

such

as

a

service,

file,

and

program.

response

file.

A

file

that

contains

a

set

of

predefined

answers

to

questions

asked

by

a

program

and

that

is

used

instead

of

entering

those

values

one

at

a

time.

role

activation.

The

process

of

applying

the

access

permissions

to

a

role.

role

assignment.

The

process

of

assigning

a

role

to

a

user,

such

that

the

user

has

the

appropriate

access

permissions

for

the

object

defined

for

that

role.

routing

file.

An

ASCII

file

that

contains

commands

that

control

the

configuration

of

messages.

RSA

encryption.

A

system

for

public-key

cryptography

used

for

encryption

and

authentication.

It

was

invented

in

1977

by

Ron

Rivest,

Adi

Shamir,

and

Leonard

Adleman.

The

system’s

security

depends

on

the

difficulty

of

factoring

the

product

of

two

large

prime

numbers.

rule.

One

or

more

logical

statements

that

enable

the

event

server

to

recognize

relationships

among

events

(event

correlation)

and

to

execute

automated

responses

accordingly.

run

time.

The

time

period

during

which

a

computer

program

is

executing.

A

runtime

environment

is

an

execution

environment.

S

scalability.

The

ability

of

a

network

system

to

respond

to

increasing

numbers

of

users

who

access

resources.

schema.

The

set

of

statements,

expressed

in

a

data

definition

language,

that

completely

describe

the

structure

of

a

database.

In

a

relational

database,

the

schema

defines

the

tables,

the

fields

in

each

table,

and

the

relationships

between

fields

and

tables.

secure

sockets

layer

(SSL).

A

security

protocol

that

provides

communication

privacy.

SSL

enables

client/server

applications

to

communicate

in

a

way

that

is

designed

to

prevent

eavesdropping,

tampering,

and

message

forgery.

SSL

was

developed

by

Netscape

Communications

Corp.

and

RSA

Data

Security,

Inc.

security

management.

The

management

discipline

that

addresses

an

organization’s

ability

to

control

access

to

applications

and

data

that

are

critical

to

its

success.

self-registration.

The

process

by

which

a

user

can

enter

required

data

and

become

a

registered

Tivoli

Access

Manager

user,

without

the

involvement

of

an

administrator.

service.

Work

performed

by

a

server.

A

service

can

be

a

simple

request

for

data

to

be

sent

or

stored

(as

with

file

servers,

HTTP

servers,

e-mail

servers,

and

finger

servers),

or

it

can

be

more

complex

work

such

as

that

of

print

servers

or

process

servers.

silent

installation.

An

installation

that

does

not

send

messages

to

the

console

but

instead

stores

messages

and

errors

in

log

files.

Also,

a

silent

installation

can

use

response

files

for

data

input.

See

also

response

file.

single

signon

(SSO).

The

ability

of

a

user

to

logon

once

and

access

multiple

applications

without

having

to

logon

to

each

application

separately.

See

also

global

signon.

SSL.

See

Secure

Sockets

Layer.

SSO.

See

Single

Signon.

step-up

authentication.

A

protected

object

policy

(POP)

that

relies

on

a

preconfigured

hierarchy

of

authentication

levels

and

enforces

a

specific

level

of

authentication

according

to

the

policy

set

on

a

resource.

The

step-up

authentication

POP

does

not

force

the

user

to

authenticate

using

multiple

levels

of

authentication

to

access

any

given

resource

but

requires

the

user

to

authenticate

at

a

level

at

least

as

high

as

that

required

by

the

policy

protecting

a

resource.
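The glossary entries for protected object policy, multi-factor authentication, network-based authentication, and step-up authentication together describe one decision: the ACL says which permissions a principal holds on a protected object, and the POP adds conditions (client address, required authentication methods, minimum authentication level) that the resource manager must enforce before the operation proceeds. The following Python sketch is an added illustration of how those conditions compose; it is not Tivoli Access Manager code, and the level numbers, permission letters, object names, addresses, and the Pop, ProtectedObject, and Credential classes are all assumptions made for the example.

```python
"""Toy ACL + POP authorization decision (added example, not product code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed authentication-level hierarchy for step-up authentication:
# a higher number means a stronger method. A real deployment configures this.
AUTH_LEVELS = {"unauthenticated": 0, "password": 1, "token": 2}


@dataclass
class Pop:
    """Conditions a POP adds on top of the ACL decision (assumed shape)."""
    required_level: int = 0                     # step-up: minimum level needed
    required_methods: frozenset = frozenset()   # multi-factor: every method needed
    allowed_networks: tuple = ()                # network-based: client must be inside one


@dataclass
class ProtectedObject:
    name: str
    acl: dict                                   # principal -> set of permission letters
    pop: Pop = field(default_factory=Pop)


@dataclass
class Credential:
    principal: str
    methods: frozenset                          # authentication methods already completed
    client_ip: str


def auth_level(cred):
    """Highest level among the methods the user has authenticated with."""
    return max((AUTH_LEVELS.get(m, 0) for m in cred.methods), default=0)


def authorize(obj, cred, permission):
    """Return (granted, reason): ACL check first, then each POP condition."""
    if permission not in obj.acl.get(cred.principal, set()):
        return False, "acl: permission not granted"
    pop = obj.pop
    # network-based authentication: restrict by client IP address
    if pop.allowed_networks:
        ip = ip_address(cred.client_ip)
        if not any(ip in ip_network(n) for n in pop.allowed_networks):
            return False, "pop: client address not permitted"
    # multi-factor authentication: every listed method must have been used
    missing = pop.required_methods - cred.methods
    if missing:
        return False, "pop: multi-factor requires " + ", ".join(sorted(missing))
    # step-up authentication: any single method at least as strong as required
    if auth_level(cred) < pop.required_level:
        return False, f"pop: step-up to level {pop.required_level} required"
    return True, "granted"


# Constructed sample objects; names and addresses are illustrative only.
PAYROLL = ProtectedObject("/WebSEAL/host/payroll", {"alice": {"r"}},
                          Pop(required_level=2))
ADMIN_UI = ProtectedObject("/WebSEAL/host/admin", {"alice": {"r"}},
                           Pop(required_methods=frozenset({"password", "token"}),
                               allowed_networks=("10.0.0.0/8",)))


def demo():
    """Run a few constructed requests through authorize() and collect results."""
    pw_only = Credential("alice", frozenset({"password"}), "10.0.0.5")
    pw_token = Credential("alice", frozenset({"password", "token"}), "10.0.0.5")
    outside = Credential("alice", frozenset({"password", "token"}), "192.0.2.7")
    bob = Credential("bob", frozenset({"token"}), "10.0.0.5")
    return [
        authorize(PAYROLL, pw_only, "r"),     # step-up needed
        authorize(PAYROLL, bob, "r"),         # blocked by ACL before any POP check
        authorize(ADMIN_UI, pw_only, "r"),    # multi-factor not satisfied
        authorize(ADMIN_UI, outside, "r"),    # wrong network
        authorize(ADMIN_UI, pw_token, "r"),   # all conditions met
    ]


if __name__ == "__main__":
    for granted, reason in demo():
        print(granted, reason)
```

The order of checks mirrors the glossary: a POP only refines an operation the ACL already permits, so a principal with no ACL entry is refused before any POP condition is consulted. Step-up differs from multi-factor in that it asks for one method at or above the required level, not for every method in a list.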

suffix. A distinguished name that identifies the top entry in a locally held directory hierarchy. Because of the relative naming scheme used in Lightweight Directory Access Protocol (LDAP), this suffix applies to every other entry within that directory hierarchy. A directory server can have multiple suffixes, each identifying a locally held directory hierarchy.

T

token. (1) In a local area network, the symbol of authority passed successively from one data station to another to indicate the station temporarily in control of the transmission medium. Each data station has an opportunity to acquire and use the token to control the medium. A token is a particular message or bit pattern that signifies permission to transmit. (2) In local area networks (LANs), a sequence of bits passed from one device to another along the transmission medium. When the token has data appended to it, it becomes a frame.

trusted root. In the Secure Sockets Layer (SSL), the public key and associated distinguished name of a certificate authority (CA).

U

uniform resource identifier (URI). The character string used to identify content on the Internet, including the name of the resource (a directory and file name), the location of the resource (the computer where the directory and file name exist), and how the resource can be accessed (the protocol, such as HTTP). An example of a URI is a uniform resource locator, or URL.

uniform resource locator (URL). A sequence of characters that represents information resources on a computer or in a network such as the Internet. This sequence of characters includes (a) the abbreviated name of the protocol used to access the information resource and (b) the information used by the protocol to locate the information resource. For example, in the context of the Internet, these are abbreviated names of some protocols used to access various information resources: http, ftp, gopher, telnet, and news; and this is the URL for the IBM home page: http://www.ibm.com.

URI. See uniform resource identifier.

URL. See uniform resource locator.

user. Any person, organization, process, device, program, protocol, or system that uses a service provided by others.

user registry. See registry.

V

virtual hosting. The capability of a Web server that allows it to appear as more than one host to the Internet.

W

Web Portal Manager (WPM). A Web-based graphical application used to manage Tivoli Access Manager Base and WebSEAL security policy in a secure domain. An alternative to the pdadmin command line interface, this GUI enables remote administrator access and enables administrators to create delegated user domains and assign delegate administrators to these domains.

WebSEAL. A Tivoli Access Manager blade. WebSEAL is a high performance, multi-threaded Web server that applies a security policy to a protected object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy.

WPM. See Web Portal Manager.

Index

A
access control list (ACL) commands
  acl attach 10, 16
  acl create 10, 17
  acl delete 10, 18
  acl detach 10, 19
  acl find 10, 20
  acl list 10, 21
  acl modify 10, 22
  acl show 10, 27
actiongroup 31
action commands
  action create 11, 28
  action delete 11, 30
  action group 11, 31
  action list 11, 32
add, server task command (WebSEAL) 146
AMWLSConfigure -action config 187
AMWLSConfigure -action create_realm 190
AMWLSConfigure -action delete realm 192
AMWLSConfigure -action unconfig 189
amwpmcfg utility 193
attach
  access control list (ACL) 16
  protected object policy (POP) 102
authorization rule commands
  authzrule attach 11
  authzrule create 11
  authzrule delete 11
  authzrule detach 11
  authzrule find 11
  authzrule list 11
  authzrule modify 11
  authzrule show 11

B
back up data 226
bassslcfg
  add replica 196
  change password 197
  change replica 198
  configure 199
  get certificate 201
  get management domain 202
  modify 203
  ping 205
  remove replica 206

C
cdsso_key_gen utility 207
command modes
  interactive 3
  multiple 5
  single 2
command option processing 9
config commands 11
  modify 45
context commands
  context show 12
create
  access control list (ACL) 17
  actions 28
  group 61
  object 80
  object space 93
  protected object policy (POP) 103
  rsrc 113
  rsrccred 118
  rsrcgroup 127
  user 168
create, server task command (WebSEAL) 150

D
delete
  access control list (ACL) 18
  actions 30
  group 63
  object 82
  objectspace command 95
  protected object policy (POP) 104
  rsrc 115
  rsrccred 120
  rsrcgroup 129
  user 170
delete, server task command (WebSEAL) 157
detach
  access control list (ACL) 19
  protected object policy (POP) 105
disallowed characters, GSO commands 281
domain commands
  domain create 12
  domain delete 12
  domain list 12
  domain modify 12
  domain show 12
domain login, local or other 9

E
exists object 78, 83
extract data 226

F
find
  access control list (ACL) 20
  protected object policy (POP) 106

G
group commands
  group create 12, 61
  group delete 12, 63
  group import 12, 64
  group list 12, 66
  group modify 12, 68
  group show 12, 70
GSO commands
  disallowed characters 281

© Copyright IBM Corp. 2001, 2003 299

I
import
  group 64
  user 171
interactive command mode 2, 3
ivrgy_tool utility 213

L
list
  access control list (ACL) 21
  actions 32
  group 66
  object 84
  objectspace command 96
  protected object policy (POP) 107
  server tasks 135
  servers 134
login command 13
logout commands 13

M
mgrsslcfg
  change certificate 221
  change password 222
  configure 223
  modify 225
migrateEAR4 utility 215
migrateEAR5 utility 218
modify
  access control list (ACL) 22
  config commands 45
  group 68
  object 88
  protected object policy (POP) 108
  rsrccred 123
  rsrcgroup 131
  user 175
multiple command mode 2, 5

O
object listandshow 86
object commands
  object create 13, 80
  object delete 13, 82
  object exists 78, 83
  object list 13, 84
  object listandshow 13, 86
  object modify 13, 88
  object show 13, 91
object space commands
  objectspace create 13, 93
  objectspace delete 13, 95
  objectspace list 13
objectspace commands
  objectspace list 96

P
pd_start utility 239
pdadmin
  command option processing 9
  help 72
  login 74
  modes 2
  utility 1
pdadmin utilities
  exit command line mode 60
  logout 77
  quit command line mode 60
  show error message 58
pdbackup utility 226
pdconfig utility 234
pdinfo command (deprecated) 226
pdinfo utility (deprecated), see pdbackup command 226
pdjrtecfg
  configures Java runtime component 235
pdversion utility 240
pdwascfg utility 242
pdweb utility 182, 246, 257
pdweb_start utility 246
pdwebpi 248
pdwebpi_start 249
pdwpi-version 251
pdwpicfg -action config 252
pdwpicfg -action unconfig 255
policy commands
  policy get 14, 97
  policy set 14, 99
protected object policy (POP) commands
  pop attach 14, 102
  pop create 14, 103
  pop delete 14, 104
  pop detach 14, 105
  pop find 14, 106
  pop list 14, 107
  pop modify 14, 108
  pop show 14, 111

R
related publications x
remove, server task command (WebSEAL) 159
replicate server 137
resource commands
  rsrc create 14, 113
  rsrc delete 14, 115
  rsrc list 14, 116
  rsrc show 14, 117
  rsrccred create 14, 118
  rsrccred delete 14, 120
  rsrccred list user 14, 122
  rsrccred modify 14, 123
  rsrccred show 14, 125
  rsrcgroup create 14, 127
  rsrcgroup delete 14, 129
  rsrcgroup list 14, 130
  rsrcgroup modify 14, 131
  rsrcgroup show 14, 133
restore data 226
rsrc
  list 116
rsrccred
  list user 122
rsrcgroup
  list 130

S
server commands
  admin show conf 33
  server list 15, 134
  server list of tasks 15
  server listtasks 135
  server replicate 15, 137
  server show 15, 138
  server task 15, 140
  server task (WebSEAL) 142
  server task add (WebSEAL) 146
  server task create (WebSEAL) 150
  server task delete (WebSEAL) 157
  server task remove (WebSEAL) 159
  server task show (WebSEAL) 161
  server task stats 163
  server task trace 166
server list command 134
server listtasks command 135
server replicate command 137
server show command 138
server task command 140
server task commands
  add command (WebSEAL) 146
  create command (WebSEAL) 150
  delete command (WebSEAL) 157
  introduction (WebSEAL) 142
  remove command (WebSEAL) 159
  show command 163
  show command (WebSEAL) 161
  trace command 166
show
  access control list (ACL) 27
  group 70
  object listandshow 91
  protected object policy (POP) 111
  rsrc 117
  rsrccred 125
  rsrcgroup 133
  server 138
  server task command (WebSEAL) 161
  user 177
single command mode 2
special disallowed characters 281
stats, server task command 163
svrsslcfg
  add replica 259
  change certificate 263
  change password 266
  change port 265
  change replica 261
  configure 267
  modify 270
  remove replica 271
  unconfigure 272

T
trace, server task command 166

U
user
  list 173
user commands
  user create 15, 168
  user delete 15, 170
  user import 15, 171
  user list 15, 173
  user modify 15, 175
  user show 15, 177
user registry
  differences 285
  maximum values 286, 287
utilities
  AMWLSConfigure -action config 187
  AMWLSConfigure -action create_realm 190
  AMWLSConfigure -action delete realm 192
  AMWLSConfigure -action unconfig 189
  amwpmcfg 193
  bassslcfg -add_replica 196
  bassslcfg -chg_replica 198
  bassslcfg -chgpwd 197
  bassslcfg -config 199
  bassslcfg -getcacert 201
  bassslcfg -getmgtdomain 202
  bassslcfg -modify 203
  bassslcfg -ping 205
  bassslcfg -rmv_replica 206
  cdsso_key_gen 207
  install component executable files 209
  install_amrte 210
  ivrgy_tool 213
  mgrsslcfg -chgcert 221
  mgrsslcfg -chgpwd 222
  mgrsslcfg -config 223
  mgrsslcfg -modify 225
  migrateEAR4 215
  migrateEAR5 218
  pd_start 239
  pdbackup 226
  pdconfig 234
  pdinfo (deprecated) 226
  pdinfo (deprecated), see pdbackup 226
  pdjrtecfg 235
  pdversion 240
  pdwascfg 242
  pdweb 182, 246, 257
  pdweb_start 246
  pdwebpi 248
  pdwebpi_start 249
  pdwpi-version 251
  pdwpicfg -action config 252
  pdwpicfg -action unconfig 255
  svrsslcfg -add_replica 259
  svrsslcfg -chg_replica 261
  svrsslcfg -chgcert 263
  svrsslcfg -chgport 265
  svrsslcfg -chgpwd 266
  svrsslcfg -config 267
  svrsslcfg -modify 270
  svrsslcfg -rmv_replica 271
  svrsslcfg -unconfig 272
  wesosm 274
  wslstartwte 276
  wslstopwte 277

W
Web Portal Manager
  configure using amwpmcfg utility 193
wesosm utility 274
wslstartwte utility 276
wslstopwte utility 277

Printed in USA

SC32-1354-00