
WebSphere DataPower SOA Appliances

Administrators Guide

Version 3.7.3


Note: Before using this information and the product it supports, read the information in "Notices and trademarks" on page 191.

First Edition (May 2009)

This edition applies to version 3, release 7, modification 3 of IBM WebSphere DataPower SOA Appliances and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2002, 2009. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Preface . . . vii
  Who should read this document . . . vii
  How this document is organized . . . vii
  Publications . . . viii
    Installation and upgrade documentation . . . viii
    Administration documentation . . . viii
    Development documentation . . . ix
    Reference documentation . . . ix
    Integration documentation . . . ix
    Problem determination documentation . . . x
    Supplemental documentation . . . x
  File naming guidelines . . . x
  Object naming guidelines . . . xi
  Typeface conventions . . . xi

Part 1. Working with the WebGUI . . . 1

Chapter 1. WebGUI basics . . . 3
  Objects on the appliance . . . 3
  Working with objects . . . 3
  Accessing the WebGUI . . . 3
  Welcome screen . . . 3
  Common WebGUI conventions . . . 4
    Working with referenced objects . . . 4
    Working with lists of referenced objects . . . 5
  Viewing and editing local files during configuration . . . 5
    Viewing local files . . . 6
    Editing local files . . . 6
  Common WebGUI tasks . . . 6
    Applying and saving changes . . . 6
    Canceling changes . . . 6
    Resetting objects . . . 7
    Deleting objects . . . 7
    Exporting objects . . . 7
    Viewing object-specific logs . . . 7
    Viewing object status . . . 8
    Cloning services . . . 8
    Accessing probe captures . . . 9

Part 2. Controlling user access to the appliance . . . 11

Chapter 2. Managing user access . . . 13
  Understanding RBM on the DataPower appliance . . . 13
  Optimizing access on the DataPower appliance . . . 14
  Capabilities of RBM . . . 14
    Authenticating users . . . 14
    Evaluating the access profile . . . 15
    Authorizing access to resources . . . 15
  Configuring RBM settings . . . 15
    RBM using custom authentication . . . 16
    RBM using LDAP authentication . . . 19
    RBM using local user authentication . . . 22
    RBM using RADIUS authentication . . . 24
    RBM using SAF authentication . . . 26
    RBM using SPNEGO authentication . . . 28
    RBM using SSL user certificate . . . 31
    RBM using XML file authentication . . . 33
  Defining the password policy . . . 35
  Defining an LDAP Search Parameters object . . . 36
  Managing RBM access . . . 37
    Defining the account policy . . . 37
    Restoring RBM access from the command line . . . 38
    Extending RBM access to the WebGUI only . . . 39
    Enabling the RBM admin-state from the command line . . . 39
    Publishing an RBM XML file to another appliance . . . 39
    Flushing the RBM cache . . . 40

Chapter 3. Using the builder to create an RBM policy file . . . 41
  Using the RBM XML file . . . 41
  RBM XML file for authentication and authorization . . . 41
  RBM XML file for authentication . . . 43
  RBM XML file for authorization . . . 44

Chapter 4. Managing user group accounts . . . 47
  Creating a group account . . . 47
  Format of access policy . . . 48
  Example of access policies . . . 48
  Controlling access to the command line . . . 48
    Adding access to a command group . . . 49
    Removing access to a command group . . . 49

Chapter 5. Using the Access Policy builder . . . 51
  Elements of an access policy . . . 51
  Adding an access policy . . . 52
  Example access profile that grants full access . . . 53
  Example access policy that uses wildcards . . . 53
  Example access policy that grants user management permissions . . . 53
  Editing an access profile . . . 54
  Removing an access profile . . . 54

Chapter 6. Managing user accounts . . . 55
  Creating a user account . . . 55
  Resetting the admin password . . . 56
  Migrating a user to a new group . . . 56
  Forcing a password change . . . 56
  Changing the password for the current user . . . 57
  Configuring SNMP V3 users . . . 57

Part 3. Managing the appliance . . . 61

    Copyright IBM Corp. 2002, 2009 iii

Chapter 7. Securing communication . . . 63
  Supported cryptographic formats . . . 63
  Working with keys and certificates . . . 63
    Creating key-certificate pairs . . . 63
    Generating keys and certificates . . . 64
    Exporting keys and certificates . . . 65
    Importing keys and certificates . . . 66
  Working with certificate revocation lists . . . 67
    Enabling CRL retrieval . . . 67
    Configuring CRL update policies . . . 67
  Defining Certificate Monitor objects . . . 68

Chapter 8. Managing the appliance itself . . . 71
  Ethernet and VLAN interfaces . . . 71
    Failover configurations . . . 71
    Configuring Ethernet interfaces . . . 72
    Configuring VLAN interfaces . . . 72
    Defining static routes . . . 73
    Defining standby controls . . . 73
    Removing an Ethernet interface from the network . . . 74
    Initiating a packet-capture session . . . 74
  Configuring appliance-wide network settings . . . 74
  DNS Settings . . . 76
    Configuring the DNS service . . . 76
    Flushing the DNS hosts cache . . . 76
  Host Alias . . . 77
    Working with local host aliases . . . 77
    Migrating configuration data . . . 77
  NTP Service . . . 78
  Managing the time on the appliance . . . 79
    Setting the local time and date . . . 79
    Setting the local time zone . . . 79
    Creating a custom time zone . . . 79
  Selecting the reboot configuration . . . 80
  Configuring throttle settings . . . 81
  Shutting down the appliance . . . 82
  Controlling the locate LED (Type 9235) . . . 82
    Activating the locate LED . . . 82
    Deactivating the locate LED . . . 83
  Generating an appliance certificate . . . 83
  Configuring appliance settings . . . 83
  Configuring NFS Settings . . . 84
    NFS Client Settings . . . 84
    NFS Dynamic Mounts . . . 85
    NFS Static Mounts . . . 87
  Using the iSCSI protocol (Type 9235) . . . 89
    IQN and EUI formats . . . 89
    Configuring and initializing an iSCSI volume . . . 89
    Repairing an iSCSI volume . . . 90
    Reference objects for iSCSI . . . 91
  Configuring SNMP Settings . . . 92
    Configuring global properties . . . 93
    Viewing MIBs . . . 94
    Configuring subscriptions . . . 94
    Configuring communities . . . 94
    Configuring recipients . . . 95
    Configuring contexts . . . 96

Chapter 9. Managing network access to the appliance . . . 97
  SSH access . . . 97
  Telnet access . . . 97
  WebGUI access . . . 98
  XML Management Interface . . . 100
    Services overview . . . 100
    Enabling interface services . . . 101
    Changing default security and HTTP settings . . . 102
  SOAP interface . . . 102
    General structure of requests . . . 103
    General structure of responses . . . 103
    Available operations for requests . . . 103
    Example request to view status . . . 106
    Example request to compare configurations . . . 107
  WSDM interface . . . 108
    Example request to view the number of client requests . . . 110
    Example request to view active users . . . 110
    Example request to view CPU usage . . . 111
    Example request to view appliance usage . . . 111
    Example request to view accepted connections . . . 111

Chapter 10. Managing the firmware image . . . 113
  Applying a firmware image . . . 113
  Rolling back an upgrade . . . 113

Chapter 11. Managing files . . . 115
  Directories on the appliance . . . 115
  Launching the File Management utility . . . 117
  Displaying directory contents . . . 117
  Creating a subdirectory . . . 117
  Deleting a directory . . . 118
  Refreshing directory contents . . . 118
  Uploading files from the workstation . . . 118
  Working with Java Key Stores . . . 119
    Required software . . . 119
    Granting permissions . . . 119
    Types of key stores . . . 119
    Uploading a file from a Java Key Store . . . 119
  Fetching files . . . 120
  Copying files . . . 120
  Renaming files . . . 121
  Moving files . . . 121
  Viewing files . . . 122
  Editing files . . . 122
  Deleting files . . . 122

Chapter 12. Managing auxiliary data storage . . . 123
  Configuring the compact flash . . . 123
  Managing the file system on the compact flash . . . 123
    Initializing the file system . . . 123
    Repairing the file system . . . 124
  Configuring the hard disk array . . . 124
  Managing the file system on the hard disk array . . . 124
    Initializing the file system . . . 124
    Repairing the file system . . . 125


  Managing the RAID volume . . . 125
    Activating the volume . . . 125
    Initializing the volume . . . 125
    Rebuilding the volume . . . 125
    Deleting the volume . . . 126

Chapter 13. Managing the configuration of the appliance . . . 127
  Managing domains . . . 127
    The default domain . . . 127
    Application domains . . . 127
    Visible domains . . . 128
    Creating application domains . . . 128
    Restarting application domains . . . 129
    Resetting application domains . . . 130
  Creating Include Configuration File objects . . . 130
  Creating Import Configuration File objects . . . 131
  Backing up and exporting configuration data . . . 133
    Backing up the entire appliance . . . 133
    Backing up domains . . . 134
    Exporting select objects . . . 135
    Copying or moving select objects . . . 136
  Managing configuration checkpoints . . . 138
    Defining number configuration checkpoints to allow . . . 138
    Saving configuration checkpoints . . . 138
    Listing configuration checkpoints . . . 139
    Rolling back to a configuration checkpoint . . . 139
    Deleting configuration checkpoints . . . 139
  Importing configuration data . . . 140
  Managing changes in configuration data . . . 141
    Comparing configurations . . . 142
    Reading the change report . . . 143
    Reverting changes . . . 143

Chapter 14. Configuring deployment policies . . . 145
  Creating a Deployment Policy object . . . 145
  Using the deployment policy builder . . . 146
  Specifying the matching statement . . . 147

Chapter 15. Managing logs . . . 149
  Types of log targets . . . 149
  Configuring log categories . . . 150
  Configuring log targets . . . 150
  Setting event filters . . . 150
  Setting object filters . . . 151
  Setting IP address filters . . . 152
  Setting event subscriptions . . . 152
  Viewing log files . . . 153
  Configuring an email pager . . . 153
  Using a Load Balancer Group as the remote host . . . 154

Part 4. Referenced objects . . . 155

Chapter 16. Service objects . . . 157
  HTTP Service . . . 157
  SSL Proxy Service . . . 158
  TCP Proxy Service . . . 159

Chapter 17. Referenced objects . . . 161
  Access Control List . . . 161
    Overview . . . 161
    Creating an Access Control List object . . . 162
  Defining Certificate objects . . . 162
  Defining Identification Credentials objects . . . 164
  Working with Kerberos objects . . . 164
    Points to remember when using Kerberos . . . 165
    Kerberos KDC Server objects . . . 166
    Kerberos Keytab File objects . . . 166
  Defining Key objects . . . 167
  Load Balancer Group . . . 168
    Health of member servers . . . 168
    Setting the health state with a variable . . . 169
    Configuring Load Balancer Group objects . . . 169
  Defining Profile objects . . . 173
  RADIUS Settings . . . 175
    NAS-identifier . . . 175
    Configuring RADIUS Settings . . . 175
  Adding SSH known hosts . . . 176
  Defining SSL Proxy Profile objects . . . 177
    Creating a forward (or client) proxy . . . 177
    Creating a reverse (or server) proxy . . . 177
    Creating a two-way proxy . . . 178
  Working with Validation Credentials objects . . . 179
    Creating for non-expiring, non-password-protected certificates . . . 179
    Creating for select certificates . . . 179
  z/OS NSS Client . . . 181
    Creating the z/OS NSS Client . . . 182

Appendix A. User interface customization . . . 183
  Aspects that can be customized . . . 183
  Markup supported for the XML file . . . 183
  Structure of the XML file . . . 185
  Command line prompt extension definition . . . 186
  Example messages for WebGUI sessions . . . 186
    Example pre-login message . . . 186
    Example post-login message . . . 186
    Example appliance messages . . . 186
  Example messages for command line sessions . . . 187
    Example pre-login message . . . 187
    Example post-login message . . . 187
    Example appliance message . . . 187
  Template of the custom user interface file . . . 188

Appendix B. Getting help and technical assistance . . . 189
  Searching knowledge bases . . . 189
  Getting a fix . . . 189
  Contacting IBM Support . . . 190

Notices and trademarks . . . 191
  Trademarks . . . 191

Index . . . 193


Preface

IBM WebSphere DataPower SOA Appliances are purpose-built, easy-to-deploy network appliances that simplify, help secure, and accelerate your XML and Web Services deployments while extending your SOA infrastructure. These appliances offer an innovative, pragmatic approach to harness the power of SOA while simultaneously enabling you to leverage the value of your existing application, security, and networking infrastructure investments.

Who should read this document

This document is intended for administrators who are responsible for the configuration and maintenance of the DataPower appliance. Administrators should have the following knowledge:
v Network architecture and concepts
v Internet and transport protocols
v Lightweight Directory Access Protocol (LDAP) and directory services
v Authentication and authorization
v XML and XSLT

Administrators should also be familiar with the SSL protocol, key exchange (public and private), digital signatures, cryptographic algorithms, and certificate authorities.

The types of administrators who will work on the appliance include the following broad roles, which are found in a typical enterprise organization:
v A single administrator with the admin account who manages day-to-day operations.
v System administrators who manage access to all objects except network interfaces.
v Network administrators who manage network connectivity and real-time operational data for the appliance.
v Account administrators who manage users and user groups.
v Access administrators who manage access to all resources, access policies, Role Based Management (RBM), cryptographic keys, authentication, and authorization.
v Lifecycle administrators who manage simple appliance and domain backups, as well as lifecycle migration of primary objects.

How this document is organized

This document is organized across the following broad concepts:
v Part 1, Working with the WebGUI
  Discusses basic access to the WebGUI and common tasks that are performed from the WebGUI.
v Part 2, Controlling user access to the appliance
  Focuses on user and group accounts, Role Based Management (RBM), remote access to the appliance, access policies, SNMP V3 user accounts, and settings for RADIUS servers.


v Part 3, Managing the appliance
  Details network connectivity and utilities, file management, general and advanced configuration settings, log management, and the XML Management Interface, which manages lifecycle tasks.
v Part 4, Referenced objects
  Details configuring primary and secondary service objects from the object view. Configuring service objects in this view allows users to build comprehensive objects with the most granular control possible.

Publications

The IBM WebSphere DataPower library is organized into the following categories:
v Installation and upgrade documentation
v Administration documentation
v Development documentation on page ix
v Reference documentation on page ix
v Integration documentation on page ix
v Problem determination documentation on page x
v Supplemental documentation on page x

Installation and upgrade documentation

v IBM WebSphere DataPower SOA Appliances: 9003: Installation Guide
  Provides instructions for installing and powering up the Type 7993 (9003) appliance, creating a startup configuration script, and placing the appliance in operation.
v IBM WebSphere DataPower SOA Appliances: Type 9235: Installation Guide
  Provides instructions for installing and powering up the Type 9235 appliance, creating a startup configuration script, and placing the appliance in operation.
v IBM WebSphere DataPower SOA Appliances: Type 9235: Hardware Problem Determination and Service Guide
  Provides information about diagnosing and troubleshooting hardware problems, ordering consumable replacement parts, and replacing parts.
v IBM WebSphere DataPower SOA Appliances: Upgrade and Rollback Guide: Generation 2 Firmware
  Provides instructions for upgrading Generation 2 firmware and for rolling back firmware upgrades.

Administration documentation

v IBM WebSphere DataPower SOA Appliances: Appliance Overview
  Provides an introduction and understanding of the IBM WebSphere DataPower SOA appliances.
v IBM WebSphere DataPower SOA Appliances: Administrators Guide
  Provides instructions for using the DataPower GUI for managing user access, network access, appliance configuration and system configuration of the appliance.
v IBM WebSphere DataPower SOA Appliances: Hardware Security Module Guide
  A user guide for using a Hardware Security Module (HSM) installed in the appliance.


Development documentation

v IBM WebSphere DataPower SOA Appliances: XSL Accelerator Developers Guide
  Provides instructions for using the WebGUI to configure XSL Proxy and XSL Co-Processor services.
v IBM WebSphere DataPower SOA Appliances: XML Firewall Developers Guide
  Provides instructions for using the WebGUI to configure XML Firewall services.
v IBM WebSphere DataPower SOA Appliances: Web Application Firewall Developers Guide
  Provides instructions for using the WebGUI to configure Web Application Firewall services.
v IBM WebSphere DataPower SOA Appliances: Multi-Protocol Gateway Developers Guide
  Provides instructions for using the WebGUI to configure Multi-Protocol Gateway services.
v IBM WebSphere DataPower SOA Appliances: Web Service Proxy Developers Guide
  Provides instructions for using the WebGUI to configure Web Service Proxy services.
v IBM WebSphere DataPower SOA Appliances: B2B Gateway Developers Guide
  Provides instructions for using the WebGUI to configure B2B Gateway services.
v IBM WebSphere DataPower SOA Appliances: Low Latency Messaging Developers Guide
  Provides instructions for using the WebGUI to configure a DataPower appliance for low latency messaging.

Reference documentation

v Product-specific documentation for using commands from the command line. The documentation is specific to each of the following products. Each document provides an alphabetical listing of all commands with syntactical and functional descriptions.
  - IBM WebSphere DataPower XML Accelerator XA35: Command Reference
  - IBM WebSphere DataPower XML Security Gateway XS40: Command Reference
  - IBM WebSphere DataPower XML Integration Appliance XI50: Command Reference
  - IBM WebSphere DataPower B2B Appliance XB60: Command Reference
  - IBM WebSphere DataPower Low Latency Appliance XM70: Command Reference
v IBM WebSphere DataPower SOA Appliances: Extension Elements and Functions Catalog
  Provides programming information about the usage of DataPower XSLT extension elements and extension functions.

Integration documentation

The following documents are available for managing the integration of related products that can be associated with the DataPower appliance:
v Integrating with ITCAM
  Provides concepts for integrating the DataPower appliance with IBM Tivoli Composite Application Management for SOA.
v IBM WebSphere DataPower SOA Appliances: Integrating with WebSphere Transformation Extender


  Provides concepts for integrating the DataPower appliance with WebSphere Transformation Extender.
v IBM WebSphere DataPower SOA Appliances: Integrating with WebSphere MQ
  Explains the concepts and common use patterns for connecting DataPower services to WebSphere MQ systems.

Problem determination documentation

v IBM WebSphere DataPower SOA Appliances: Problem Determination Guide
  Provides troubleshooting and debugging tools.

Supplemental documentation

v Understanding Web Services Policy
  Provides conceptual information about how the DataPower appliance can use Web Services Policy (WS-Policy).
v Understanding WS-Addressing
  Provides conceptual information about how the DataPower appliance can use WS-Addressing.
v Understanding LTPA
  Provides conceptual information about how the DataPower appliance can use Lightweight Third Party Authentication.
v Understanding SPNEGO
  Provides conceptual information about how the DataPower appliance can use SPNEGO.
v Optimizing through Streaming
  Provides conceptual information about and procedures for optimizing the DataPower appliance through streaming.
v Securing the Last Mile
  Provides conceptual information about and procedures for understanding the DataPower appliance while securing the last mile.
v Configuring the DoD PKI
  Provides conceptual information about and procedures for configuring the DataPower appliance with Department of Defense Public Key Infrastructure.

File naming guidelines

The maximum length for a file name can be approximately 4128 characters. The name of the base file can be up to 128 characters in length. The base file is the part after the name of the DataPower directory. Examples of directories are local:, store:, and temporary:.

If the directory (or domain) supports subdirectories, the path to the file can have a length of 4000 characters. When you create a domain, its name is the base file name in several DataPower directories when viewed from the default domain.

The following characters are valid in directory and file names:
v a through z
v A through Z
v 0 through 9
v _ (underscore)


v - (dash)
v . (period)

Note: Names cannot contain two consecutive periods (..).

Object naming guidelines

The object name must be unique in the object namespace. The following characters are valid when specifying the name for an object:
v a through z
v A through Z
v 0 through 9
v _ (underscore)
v - (dash)
v . (period)

Note: Names cannot contain two consecutive periods (..).
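The character and length rules in the file naming and object naming guidelines above are the same kind of input check an administrator would want before pushing names through automation such as the XML Management Interface. The following validator is an added example, not code from the guide or from the DataPower product. It assumes file paths are written as directory:[subdir/...]base (leading slashes after the colon, as in local:///file.xml, are tolerated) and that the 4000-character limit is measured on the subdirectory path alone, which the guide does not state explicitly.

```python
import re

# Characters the guide allows in directory, file and object names:
# a-z, A-Z, 0-9, underscore, dash and period.
_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_.-]")

# Length limits stated in the guide. Where the 4000-character limit is
# measured is an assumption: here it is applied to the subdirectory path
# between the "directory:" prefix and the base file name.
MAX_BASE_FILE_LEN = 128
MAX_SUBDIR_PATH_LEN = 4000


def check_name(name: str) -> list[str]:
    """Character rules shared by object names and single path components.

    Returns a list of human-readable violations; an empty list means valid.
    """
    if not name:
        return ["name is empty"]
    problems = []
    bad = sorted({c for c in name if not _ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("invalid characters: " + repr("".join(bad)))
    if ".." in name:
        problems.append("contains two consecutive periods (..)")
    return problems


def check_file_path(path: str) -> list[str]:
    """Validate a DataPower file path written as directory:[subdir/...]base.

    The directory prefix (local:, store:, temporary:, ...) is split off and
    checked like any other name; every path component is then checked with
    check_name, the base file name against the 128-character limit and the
    subdirectory path against the 4000-character limit.
    """
    directory, sep, rest = path.partition(":")
    if not sep or not directory:
        return ["missing DataPower directory prefix such as local:"]
    problems = [f"directory {directory!r}: {p}" for p in check_name(directory)]
    # Tolerate the local:///file.xml spelling (assumption): drop leading slashes.
    components = rest.lstrip("/").split("/")
    base = components[-1]
    subdirs = components[:-1]
    if not base:
        return problems + ["no file name after the directory prefix"]
    for comp in subdirs:
        problems += [f"subdirectory {comp!r}: {p}" for p in check_name(comp)]
    problems += [f"file {base!r}: {p}" for p in check_name(base)]
    if len(base) > MAX_BASE_FILE_LEN:
        problems.append(f"base file name exceeds {MAX_BASE_FILE_LEN} characters")
    if len("/".join(subdirs)) > MAX_SUBDIR_PATH_LEN:
        problems.append(f"subdirectory path exceeds {MAX_SUBDIR_PATH_LEN} characters")
    return problems


def is_valid_object_name(name: str) -> bool:
    return not check_name(name)


def is_valid_file_path(path: str) -> bool:
    return not check_file_path(path)


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the guide.
    samples = [
        "local:policy/rbm-policy.xml",     # valid
        "local:///rbm-policy.xml",         # valid, slashes tolerated
        "store:../schemas.xml",            # consecutive periods
        "local:my policy.xml",             # space is not allowed
        "temporary:" + "a" * 129,          # base file name too long
        "rbm-policy.xml",                  # no directory prefix
    ]
    for sample in samples:
        print(f"{sample[:32]:<34} {check_file_path(sample) or 'ok'}")
```

Rejecting ".." at name level, rather than only at path level, is deliberate: the guide forbids it in object names too, and checking each component independently means a path such as store:../schemas.xml is refused before any traversal interpretation could matter.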

Typeface conventions

The following typeface conventions are used in the documentation:

bold
  Identifies commands, programming keywords, and GUI controls.
italics
  Identifies words and phrases used for emphasis and user-supplied variables.
monospaced
  Identifies user-supplied input or computer output.


Part 1. Working with the WebGUI

Chapter 1. WebGUI basics . . . 3
  Objects on the appliance . . . 3
  Working with objects . . . 3
  Accessing the WebGUI . . . 3
  Welcome screen . . . 3
  Common WebGUI conventions . . . 4
    Working with referenced objects . . . 4
    Working with lists of referenced objects . . . 5
  Viewing and editing local files during configuration . . . 5
    Viewing local files . . . 6
    Editing local files . . . 6
  Common WebGUI tasks . . . 6
    Applying and saving changes . . . 6
    Canceling changes . . . 6
    Resetting objects . . . 7
    Deleting objects . . . 7
    Exporting objects . . . 7
    Viewing object-specific logs . . . 7
      Viewing log files from the catalog . . . 7
      Viewing log files from the configuration screen . . . 7
    Viewing object status . . . 8
    Cloning services . . . 8
    Accessing probe captures . . . 9


Chapter 1. WebGUI basics

The WebGUI is the primary interface for managing the appliance itself and for configuring objects.

Objects on the appliance

Objects that can be configured on the appliance range from simple to complex. An object is any entity that you configure on the appliance. During configuration, an object can reference another object that can, in turn, reference another object. For example, the configuration of a service references an instance of the XML Manager object, which references an instance of the User Agent object. The flexibility in configuring and associating referenced objects allows you to meet your business-processing criteria and security requirements.

Working with objects

When configuring services on the appliance, the WebGUI provides an object view and a service view. You can use either view to create or edit the service.

Service view
  Working in the service view allows less-than-expert level users to build basic, generic objects.
Object view
  Working in the object view allows expert-level users to build specific, complex and highly detailed objects.

Accessing the WebGUI

To use the WebGUI, the Web Management Interface must be configured. This interface was defined during the initial firmware setup (during appliance installation) or afterward with the web-mgmt command.

To access the WebGUI, use the following procedure:
1. Direct your browser to the WebGUI login screen. Use the IP address and port number assigned during the configuration of the Web Management interface. The address uses the HTTPS protocol and has the https://address:port format.
2. In the login fields, specify an account name and password.
3. From the Domain list, select the domain to which to log in.
4. Click Login.

After verifying credentials, the WebGUI displays the Control Panel.

Welcome screen

After successfully logging in, the WebGUI displays its Welcome screen. Visibility of objects in the WebGUI is controlled by a combination of the Role-based management (RBM) object and whether the administrator is in the default domain or an application domain.


This screen is separated into the following areas:
v The banner shows details about the administrator who logged in to the appliance and contains the following controls:
  - The Domain list that allows the administrator to switch domains.
  - The Save Config button that allows the administrator to persist configuration changes.
  - The Logout button that allows the administrator to end the WebGUI session.
v The navigation bar along the left side provides access to related configuration suites and to related management suites. This area contains the following menus:
  - The Control Panel returns the administrator to the Welcome screen.
  - The Status menu provides access to logs and status providers.
  - The Services menu provides access to service configuration objects and objects referenced by service objects. When the administrator selects the item, the WebGUI displays the service view for the object.
  - The Network menu provides access to network configuration objects. These objects define the network in which the appliance connects. Many of these objects are available in the default domain.
  - The Administration menu provides access to managing access to the appliance as well as general appliance settings. Many of these objects are available in the default domain.
  - The Objects menu provides access to service configuration objects and objects referenced by service objects. When the administrator selects the item, the WebGUI displays the object view for the object.
v The dashboard is separated into the following areas:
  - The top area contains icons to access top-level objects for the appliance.
  - The middle area contains icons to access monitoring and troubleshooting utilities.
  - The bottom area contains icons to access file management and administration utilities.
  When you click any icon on the dashboard or select any item from the menu, the WebGUI replaces the dashboard with the details for the selected item.

Common WebGUI conventions

In addition to the standard interface controls, the WebGUI uses custom controls to help during the configuration of objects. These controls generally pertain to defining referenced objects.

Working with referenced objects

When using the WebGUI to create and modify objects, the configuration screen might display an input field to select a referenced object. Figure 1 illustrates this type of input field.

Figure 1. Input field for referenced objects

When the WebGUI displays this type of input field, you can specify the referenced object in the following ways:
v Select the name of an existing referenced object from the list.


v Use the + button to create a new referenced object. When created, the input field contains the name of the newly created referenced object.
v Use the ... button to modify the referenced object whose name is in the input field. When modified, the input field retains the name of the referenced object.

When you click the + button or ... button, the WebGUI launches a new window that displays the configuration screen for that type of object.

Working with lists of referenced objects
When using the WebGUI to create or modify objects, the configuration screen might display an input list to define a group of referenced objects. The input for this configuration item is the list of referenced objects. Figure 2 illustrates this type of input list.

When the WebGUI displays this type of list, you can manage referenced objects in the following ways:
• Select the name of an existing referenced object from the list. Click Add to add it to the list of referenced objects.
• Use the + button to create a new referenced object. When created, the input field contains the name of the new referenced object. Click Add to add it to the list of referenced objects.
• Use the ... button to modify the referenced object whose name is in the input field. When modified, the input field retains the name of the referenced object. Click Add to add it to the list of referenced objects.
• Select the name of a referenced object from the list (either the input field or the list of referenced objects). Click Delete to remove it from the list of referenced objects.

When you click the + button or the ... button, the WebGUI launches a new window that displays the configuration screen for that type of object.

Viewing and editing local files during configuration
As you use the WebGUI to select a local file during configuration, the configuration screen might display the View and Edit buttons beside the selection lists.

Working with files in this way has the following advantages:
• You can ensure that the file is the one that you want.
• You can edit the file to address errors found while defining a configuration.
• You use a single session instead of opening another session to manage files through the File Management utility.

You cannot view or edit remote files.

    Figure 2. Input list for referenced objects


Viewing local files
To view a local file, use the following procedure:
1. Select the file from the lists.
2. Click View to open the file editor in view mode.
3. Review the file.
4. Click Cancel.

Editing local files
The edited file overwrites the original file.

To edit a local file, use the following procedure:
1. Select the file from the lists.
2. Click Edit to open the file editor in edit mode.
3. Edit the file as required.
4. Click Submit to save changes.
5. Click Close.

Common WebGUI tasks
The majority of objects provide the following common tasks. Not all of these tasks are available to all objects.
• Applying and saving configuration changes
• Canceling changes before saving to the running configuration
• Resetting changes to an object
• Deleting an object
• Exporting the configuration of an object
• Viewing object-specific logs
• Viewing object status
• Cloning a service
• Accessing probe captures

Applying and saving changes
As you use the WebGUI to manage object and service configurations, click Apply to save these changes to the running configuration. Changes that are made to the running configuration take effect immediately, but are not persisted to the startup configuration. During an appliance restart these changes are lost.

To retain applied changes across an appliance restart, click Save Config. The changes are saved to the startup configuration. The startup, or persistent, configuration is persisted across an appliance restart. By default, the appliance reads the startup configuration from the auto-config.cfg file.

Canceling changes
As you use the WebGUI to manage objects, click Cancel to discard the current changes instead of saving them to the running configuration. If you click Cancel, you return to the object catalog and lose all changes.


Resetting objects
Independent of whether the settings are saved to the configuration, you can reset an object to its default configuration.

Use the following procedure to revert changes to a specific object:
1. Display the catalog for the object. The catalog lists the available instances of this object.
2. Click the name of the object to reset to display the configuration screen.
3. Click Undo.
4. Follow the prompts.

Deleting objects
You might want to delete objects that are no longer needed. If no other object depends on the object to be deleted, you can delete it at any time. Because a DataPower service is a top-level object, you can delete it at any time. Conversely, you cannot delete an object that is active and that is in use by a higher-level object.

Use the following procedure to delete an object:
1. Display the catalog for the object. The catalog lists the available instances of this object.
2. Click the name of the object to delete to display the configuration screen.
3. Click Delete.
4. Follow the prompts.

Deleting an object deletes that object only. Deleting an object does not delete any referenced object.

Exporting objects
Use the following procedure to export an object:
1. Display the catalog for the object. The catalog lists the available instances of this object.
2. Click the name of the object to export to display the configuration screen.
3. Click Export.
4. Follow the prompts.

Viewing object-specific logs
Instead of filtering the log for the default log or a configured log target, you can view log messages that are specific to an object.

Viewing log files from the catalog
To view object-specific logs from the catalog, use the following procedure:
1. Display the catalog for the object. The catalog lists the available instances of this object.
2. Click the magnifying glass icon.

Viewing log files from the configuration screen
To view object-specific logs from the configuration screen, click View Logs.


Viewing object status
You can view the status of an object and all its referenced objects to help determine why a configuration object is in a down state. When you view the object status, the WebGUI opens a new window. This window provides the ability to show or hide unused properties.
• To show the unused properties, click Show.
• If the display lists unused properties, click Hide to hide these properties. Hiding unused properties is the default behavior.

When viewing the object status, the window provides the following information:
• The name of the instance and its type, with a control to collapse (hide) or expand (show) referenced objects
• Its configuration state: New, Modified, or Saved
• Its operational state: up or down
• Its administrative state: enabled or disabled
• Details about the detected error, if applicable
• A link (magnifying glass icon) to view the logs for this object

Use the following procedure to view the status for an object:
1. Display the catalog for the object. The catalog lists the available instances of this object.
2. Click the name of the object to view to display the configuration screen.
3. Click View Status.

Cloning services
You might want to create a service that is similar to an existing service. For example, you need two equivalent services, but each service communicates with a different remote server. In these cases, you can create a clone of an existing service and edit the clone. The cloning process can expedite the creation of a similar service.

Use the following procedure to clone a service:
1. Display the catalog for the service. The catalog lists the available instances of this service.
2. Click the name of the service to clone to display the configuration screen.
3. Click Clone.
4. When the screen refreshes, specify the name of the clone.
5. Specify the Ethernet interface that the service monitors for incoming client requests in the Device Address field. Use the default address (0.0.0.0) to specify all interfaces.
6. Specify the Ethernet port that the service monitors for incoming client requests in the Device Port field.
7. As necessary, edit the other properties.
8. Click Apply to save the object to the running configuration.
9. Optionally, click Save Config to save the object to the startup configuration.


Accessing probe captures
After enabling the probe, defining the triggers, and sending transactions that match the conditions defined by the triggers, you can view the captured transactions.

Use the following procedure to access probe captures:
1. Display the catalog for the service object. The catalog lists the available instances of this object.
2. Click the name of the service for which to view the probe captures to display the configuration screen.
3. Click Show Probe.
4. Click the magnifying glass icon to view details about that captured transaction.

For complete details about using the probe, refer to the IBM WebSphere DataPower SOA Appliances: Problem Determination Guide.


Part 2. Controlling user access to the appliance

Chapter 2. Managing user access . . . 13
    Understanding RBM on the DataPower appliance . . . 13
    Optimizing access on the DataPower appliance . . . 14
    Capabilities of RBM . . . 14
        Authenticating users . . . 14
        Evaluating the access profile . . . 15
        Authorizing access to resources . . . 15
    Configuring RBM settings . . . 15
        RBM using custom authentication . . . 16
        RBM using LDAP authentication . . . 19
        RBM using local user authentication . . . 22
        RBM using RADIUS authentication . . . 24
        RBM using SAF authentication . . . 26
        RBM using SPNEGO authentication . . . 28
        RBM using SSL user certificate . . . 31
        RBM using XML file authentication . . . 33
    Defining the password policy . . . 35
    Defining an LDAP Search Parameters object . . . 36
    Managing RBM access . . . 37
        Defining the account policy . . . 37
        Restoring RBM access from the command line . . . 38
        Extending RBM access to the WebGUI only . . . 39
        Enabling the RBM admin-state from the command line . . . 39
        Publishing an RBM XML file to another appliance . . . 39
        Flushing the RBM cache . . . 40

Chapter 3. Using the builder to create an RBM policy file . . . 41
    Using the RBM XML file . . . 41
    RBM XML file for authentication and authorization . . . 41
    RBM XML file for authentication . . . 43
    RBM XML file for authorization . . . 44

Chapter 4. Managing user group accounts . . . 47
    Creating a group account . . . 47
    Format of access policy . . . 48
    Example of access policies . . . 48
    Controlling access to the command line . . . 48
        Adding access to a command group . . . 49
        Removing access to a command group . . . 49

Chapter 5. Using the Access Policy builder . . . 51
    Elements of an access policy . . . 51
    Adding an access policy . . . 52
    Example access profile that grants full access . . . 53
    Example access policy that uses wildcards . . . 53
    Example access policy that grants user management permissions . . . 53
    Editing an access profile . . . 54
    Removing an access profile . . . 54

Chapter 6. Managing user accounts . . . 55
    Creating a user account . . . 55
    Resetting the admin password . . . 56
    Migrating a user to a new group . . . 56
    Forcing a password change . . . 56
    Changing the password for the current user . . . 57
    Configuring SNMP V3 users . . . 57

    Copyright IBM Corp. 2002, 2009 11


Chapter 2. Managing user access
The DataPower appliance manages access through role-based management (RBM). RBM provides a flexible and integrated means to control, through access policies, whether an authenticated user has the necessary privileges to access resources.

Settings on the DataPower RBM policy provide the facility to define a global password policy for locally-defined users.

Understanding RBM on the DataPower appliance
RBM controls the relationships between authenticated users and resources. The user logs in to the DataPower appliance. The user is authenticated either by a remote authentication system or by the DataPower appliance. The RBM policy determines whether to allow an authenticated user to access specific resources. Figure 3 illustrates the basic components of RBM and their relationships.
• When authentication uses a remote authentication system, such as an LDAP server, RBM extracts the identity of the authenticated user, maps the identity to a credential, and determines whether to authorize access to the resource based on the credential. If a problem occurs during remote authentication, RBM can use one or more locally-defined fallback users.
• When authentication is local, authentication is by user name and password. The group in which the user is a member determines whether to authorize access to the resource. Users who are not members of a group are not under RBM control.

The RBM policy uses access profiles to determine authorization to resources. An access profile is made up of one or more access policies. Each access policy defines which privileges to provide to a single resource. An access policy can use wildcard characters in regular expressions to define the same set of privileges for multiple resources.

Because RBM distances access policies from individual users, you can modify an access profile that affects a collection of users instead of modifying each user individually. For example, you can modify the access profile in a user group to change resource authorization for all members of that group. Alternatively, you can change the access profile associated with a credential to modify all users who map to that credential.

    Figure 3. RBM processing with remote authentication


Optimizing access on the DataPower appliance
To maximize access control and to adhere to best practices, complete the following high-level procedures:
1. Define the global RBM policy. For information, refer to "Configuring RBM settings" on page 15.
2. Define the global password policy for locally-defined user accounts. For information, refer to "Defining the password policy" on page 35.
3. Create groups. For information, refer to "Creating a group account" on page 47.
4. Create an access profile for each group. For information, refer to Chapter 5, "Using the Access Policy builder," on page 51.
5. Create users who are members of groups. For information, refer to Chapter 6, "Managing user accounts," on page 55.

Capabilities of RBM
Role-based management consists of the following capabilities:
• Authenticating users
• Evaluating the access profile
• Enforcing access to resources

Authenticating users
Extract the user identity from the access request and authenticate the identity that is presented. One of the following methods can be used for user authentication:

Custom
    An external programmatic method.
LDAP server
    An external authentication system.
Local user
    Locally configured user account.
RADIUS server
    An external authentication system.
SAF
    An external authentication system. This method is available on all appliances except for XML Accelerator XA35 and Low Latency Appliance XM70 appliances.
SPNEGO
    An external Windows Integrated Authentication system. This method is available on all appliances except for XML Accelerator XA35 appliances.
SSL user certificate
    An SSL certificate from a connection peer.
XML file
    A file that contains authentication information.

Note: When using an external authentication system, the mapping method to determine the access profile must be a local resource.


Evaluating the access profile
The access profile defines the set of privileges for one or more resources on the DataPower appliance. Resources can be as broad as an XML Firewall or as specific as the ability to configure only user profiles that start with the letters foo (as in foo_one). Privileges for a resource can be one or more of the following:
• Read
• Write
• Add
• Delete
• Execute

A bundle of access rights (also termed access policies) constitutes an access profile. An access profile can originate from any of the following credential mapping sources:

Custom
    An external programmatic method.
Local user group
    Locally configured user group.
XML file
    A file that defines access profiles.

Table 1 lists the supported credential mapping methods for each user authentication method.

Table 1. Authentication methods and supported credential mapping methods

    Authentication method    Mapping Credentials method
                             Local user group   XML file   Custom
    -------------------------------------------------------------
    Custom                   No                 Yes        Yes
    LDAP                     No                 Yes        Yes
    Local user               Yes                Yes        Yes
    RADIUS                   No                 Yes        Yes
    SAF                      No                 Yes        Yes
    SPNEGO                   No                 Yes        Yes
    SSL user certificate     No                 Yes        Yes
    XML file                 Yes                Yes        Yes

Authorizing access to resources
After the user is authenticated and the access profile is evaluated, the DataPower appliance enforces the established access profile. For example, the WebGUI does not display any resource to which the user has no access, and the command line does not recognize commands for any resource to which the user has no access.

Configuring RBM settings
The overview of the steps to configure role-based management is as follows:
1. Select Administration → Access → RBM Settings to display the RBM Settings (Main) screen.
2. Specify whether to enforce the RBM policy for both the WebGUI and the command line, or for the WebGUI only.
3. Specify whether to allow or restrict access by the admin account to the serial port.
4. Select the authentication method.

Table 2. Authentication method and configuration steps

    Authentication method   Configuration steps
    -----------------------------------------------------------------------------
    Custom                  Create a style sheet. Store the file in a local directory, or stage it on an accessible file server.
    LDAP                    Configure an LDAP server for authentication.
    Local user              Use the New User Account wizard to create new users, or use the Manage User Accounts panel to modify an existing user.
    RADIUS                  Configure a RADIUS server.
    SAF                     Configure a z/OS NSS Client object for authentication with an NSS server.
    SPNEGO                  Configure a Kerberos keytab to decrypt the client Kerberos ticket.
    SSL user certificate    Assign a Validation Credentials object for authentication.
    XML file                Create an XML authentication file with the RBM Policy Editor. Store the file in a local directory, or stage it on an accessible file server.

5. Define a local user account on the appliance, if necessary, as a fallback user when using a remote authentication method.
6. Select the credential mapping method for evaluating access profiles.
7. Save the changes to the running configuration.

   Note: The change takes effect immediately. At this point, the new settings could disable access to the DataPower appliance for any user who does not have an active session (WebGUI, command line, Telnet, or serial port connection). In other words, the changes could disable future access through any of the following methods:
   • Any user who attempts to access the appliance through the WebGUI
   • Any user who attempts to access the appliance through the command line
   • Any user who attempts to access the appliance through a Telnet session
   • Any user who attempts to access the appliance through the serial port connection (WebGUI or command line)
   Refer to "Restoring RBM access from the command line" on page 38 for more information.

8. Optionally save the changes to the startup configuration.

RBM using custom authentication
1. Select Administration → Access → RBM Settings to display the RBM Settings (Main) screen.
2. Retain the default value for the Admin State toggle.
3. Specify a descriptive object-specific summary in the Comment field.
4. Use the Enforce RBM on CLI toggle to specify which access approaches the RBM policy enforces.


   on   Applies the RBM policy to both WebGUI and command line access.
   off  (Default) Applies the RBM policy to WebGUI access only. The defined RBM policy does not apply to command line access.
5. Use the Restrict Admin Login toggle to specify whether to allow or restrict access by the admin account.
   on   Restricts command line access by the admin account to serial port access only.
   off  (Default) Allows access by the admin account through all access methods.
6. Define the user authentication method:
   a. Click the Authentication tab.
   b. Select custom from the User Authentication Method list. The screen refreshes.
   c. Specify the URL of the custom style sheet for user authentication in the Custom URL field.
   d. Select whether to use local user accounts as fallback users from the Local Login As Fallback list. With fallback users, locally-defined users can log in to the appliance if the authentication method fails or in the event of a network outage that affects the primary login authentication (for example, the remote authentication server is down).
      disabled        Indicates that no local user can log in.
      all users       Indicates that all local users can log in.
      specific users  (Default) Indicates that only specified local users can log in.

      Note: Local users must be members of local user groups. Each local user must also be defined in the remote authentication server. The password for each local user must match the credentials for a user of the exact same name on the remote server.

   e. When the Local Login As Fallback property is specific users, add specific locally-defined fallback users:
      1) Select a local user from the Fallback User list.
      2) Click Add.
      Repeat the previous process for each fallback user.
   f. Select the desired caching mode from the Authentication Cache Mode list.
      Absolute  Caches authentication results for the period of time in the Authentication Cache Lifetime field.
      Disabled  Caching is disabled. The DataPower appliance authenticates each access request but does not cache results.
      Maximum   (Default) Compares the explicit TTL to the TTL in the response, if any, and caches authentication results for the maximum of the two values.


      Minimum   Compares the explicit TTL to the TTL in the response, if any, and caches authentication results for the minimum of the two values.
   g. Specify an explicit TTL, in seconds, for cached authentication results in the Authentication Cache Lifetime field. The default is 600.
7. Define the mapping credentials method:
   a. Click the Credentials tab.
   b. From the Mapping Credentials Method list, select the method to evaluate access profiles.
      • When custom, specify the URL of the custom style sheet in the Mapping Custom URL field.
      • When xmlfile, specify the URL of the RBM policy file in the Mapping RBM Policy URL field. Refer to Chapter 3, "Using the builder to create an RBM policy file," on page 41 for details.

      Note: Although available, local usergroup is not a valid selection.

   c. When the Mapping Credentials Method is local usergroup or xmlfile, use the Search LDAP for Group Name toggle to control whether to perform an LDAP search to retrieve the user's group.

      Note: When the credential mapping method is custom, the WebGUI does not display this toggle.

      on   Enables an LDAP search for the user's group. The authenticated DN of the user along with the LDAP Search Parameters is used as part of an LDAP search to retrieve the user's group.
      off  (Default) Disables an LDAP search for the user's group. The authenticated identity of the user (DN, or user group of a local user) is used directly as the input credential.

      When enabled, the screen refreshes with LDAP-specific fields:
      1) Specify the IP address or host name of the LDAP server in the Credentials Server Host field.
      2) Specify the port number of the LDAP server in the Credentials Server Port field.
      3) Select an SSL Proxy Profile to establish a secure connection to the LDAP server from the LDAP SSL Proxy Profile list. Retain the default value to use a non-SSL connection. Refer to "Defining SSL Proxy Profile objects" on page 177 for more information.
      4) Optionally select a Load Balancer Group from the LDAP Load Balancer Group list. If selected, LDAP queries are load-balanced in accordance with the group settings. This setting overrides the settings for the Credentials Server Host and Credentials Server Port fields. Refer to "Load Balancer Group" on page 168 for more information.
      5) Specify the distinguished name (DN) for the LDAP bind operation in the LDAP Bind DN field.
      6) Specify the password for the specified DN in the LDAP Bind Password field.
      7) Specify the password again in the LDAP Bind Password field for confirmation.
      8) Select the LDAP Search Parameters from the LDAP Search Parameters list. The LDAP Search Parameters object serves as a container for the parameters that are used to perform an LDAP search operation to retrieve the group name (DN or attribute value) based on the distinguished name of the authenticated user.
8. If you defined local fallback users, optionally define the password policy. Refer to "Defining the password policy" on page 35 for more information.
9. Click Apply to save the changes to the running configuration.
10. Optionally, click Save Config to save the object to the startup configuration.
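The four Authentication Cache Mode values in steps 6f and 6g above (the same list appears in the LDAP procedure that follows) decide how long a successful login is remembered. The following Python model is an added illustration, not DataPower code: it combines the explicit Authentication Cache Lifetime with a TTL that the backend may or may not return, and shows the resulting hit, miss and expiry behaviour under a hand-driven clock. The backend signature, the decision to cache only successes, and the digest-based cache key are assumptions of this example.

```python
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Default of the Authentication Cache Lifetime field, in seconds.
DEFAULT_LIFETIME = 600


def effective_ttl(mode: str, explicit_ttl: int, response_ttl: Optional[int]) -> int:
    """Seconds for which a successful authentication result is cached.

    mode         -- Authentication Cache Mode: Absolute, Disabled, Maximum or Minimum
    explicit_ttl -- the Authentication Cache Lifetime field
    response_ttl -- TTL carried in the backend's response, or None if it sent none
    """
    if mode == "Disabled":
        return 0                       # every access request re-authenticates
    if mode == "Absolute" or response_ttl is None:
        return explicit_ttl            # nothing to compare against: use the field value
    if mode == "Maximum":
        return max(explicit_ttl, response_ttl)
    if mode == "Minimum":
        return min(explicit_ttl, response_ttl)
    raise ValueError(f"unknown Authentication Cache Mode: {mode!r}")


def _cache_key(user: str, secret: str) -> str:
    # Assumed design for this illustration: the cache never stores the password
    # itself, only a digest, so a cached entry cannot leak the credential.
    return hashlib.sha256(f"{user}\0{secret}".encode("utf-8")).hexdigest()


# Backend signature assumed here: returns (authenticated?, response TTL or None).
Backend = Callable[[str, str], Tuple[bool, Optional[int]]]


@dataclass
class AuthCache:
    mode: str
    explicit_ttl: int = DEFAULT_LIFETIME
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    backend_calls: int = 0                        # how often the backend was consulted
    _entries: Dict[str, float] = field(default_factory=dict)  # key -> expiry time

    def authenticate(self, user: str, secret: str, backend: Backend) -> bool:
        key = _cache_key(user, secret)
        now = self.clock()
        expires = self._entries.get(key)
        if expires is not None:
            if now < expires:
                return True                        # fresh positive result: no backend call
            del self._entries[key]                 # lifetime elapsed: drop and re-authenticate
        self.backend_calls += 1
        ok, response_ttl = backend(user, secret)
        if ok:
            # Only successes are cached (assumption); a failed login is never remembered
            # as a failure, and a zero TTL (Disabled) stores nothing at all.
            ttl = effective_ttl(self.mode, self.explicit_ttl, response_ttl)
            if ttl > 0:
                self._entries[key] = now + ttl
        return ok


def demo() -> Dict[str, object]:
    """Constructed scenario: a fake backend accepting one constructed credential
    and advertising a 30-second TTL, driven by a hand-advanced clock."""
    now = [1000.0]

    def clock() -> float:
        return now[0]

    def backend(user: str, secret: str) -> Tuple[bool, Optional[int]]:
        return (user == "alice" and secret == "correct-horse"), 30

    cache = AuthCache(mode="Minimum", explicit_ttl=600, clock=clock)
    first = cache.authenticate("alice", "correct-horse", backend)   # miss: backend call 1
    now[0] += 20
    second = cache.authenticate("alice", "correct-horse", backend)  # hit: 20 s < min(600, 30)
    now[0] += 20
    third = cache.authenticate("alice", "correct-horse", backend)   # 40 s elapsed: backend call 2
    wrong = cache.authenticate("alice", "wrong", backend)           # different digest: backend call 3
    return {"results": (first, second, third, wrong), "backend_calls": cache.backend_calls}
```

In Minimum mode the 30-second response TTL wins over the 600-second field, which is why the third login goes back to the backend; Maximum would have kept the entry for the full 600 seconds.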

RBM using LDAP authentication
LDAP-based implementations require an X.500 DN (for example, cn=Alice,dc=datapower,dc=com) and a password. When configuring LDAP for authentication, it is typical to create a base DN (such as dc=datapower,dc=com) and then create one entry under this base for each user.

To make LDAP authentication more usable, RBM provides the LDAP suffix. Set the LDAP suffix to the base name under which user entries are found. Unless the LDAP suffix is an empty string, an X.500-compliant DN is built as follows:
• Prepending cn= to the user name
• Appending a comma followed by the value of the LDAP suffix
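The DN construction just described, as an added Python example that is not DataPower code. It takes the login name, the LDAP prefix (cn= here, matching the LDAP Prefix field used later in this procedure) and the LDAP suffix, and adds one step the text does not mention: escaping the login name per RFC 4514 before it is embedded, so a login name that itself contains a comma cannot turn into an extra RDN and bind as a different entry. Treating an empty suffix as "the login name already is the full DN" is an assumption of this example.

```python
# Characters that RFC 4514 section 2.4 requires to be escaped anywhere in an
# attribute value; a leading '#' or space and a trailing space are escaped as well.
_ESCAPE_ANYWHERE = frozenset('\\,+"<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as the value of one RDN (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif (ch in _ESCAPE_ANYWHERE
              or (i == 0 and ch in ("#", " "))
              or (i == last and ch == " ")):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(login: str, ldap_prefix: str = "cn=", ldap_suffix: str = "") -> str:
    """Construct the bind DN as the text describes: prefix + login + ',' + suffix.

    The text says the DN is built 'unless the LDAP suffix is an empty string'; the
    assumption made here is that an empty suffix means the login name is already a
    full DN and is used unchanged. Escaping the login name is a defensive addition
    of this example, not behaviour the text attributes to the appliance.
    """
    if ldap_suffix == "":
        return login
    return f"{ldap_prefix}{escape_rdn_value(login)},{ldap_suffix}"


def split_rdns(dn: str) -> list:
    """Split a DN into its RDNs on unescaped commas (escape sequences kept intact)."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep '\,' and friends together
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def demo() -> dict:
    """Constructed login names against the suffix used in the text's own example."""
    suffix = "dc=datapower,dc=com"
    plain = build_dn("Alice", ldap_suffix=suffix)
    # A login name containing a comma: concatenated without escaping, the text after
    # the comma becomes an additional RDN and the DN names a different entry;
    # escaped, it remains a single RDN under the configured suffix.
    tricky = "Alice,ou=admins"
    naive = f"cn={tricky},{suffix}"
    escaped = build_dn(tricky, ldap_suffix=suffix)
    return {
        "plain": plain,
        "naive_rdns": len(split_rdns(naive)),
        "escaped_rdns": len(split_rdns(escaped)),
        "escaped": escaped,
    }
```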

For example, if the LDAP suffix is dc=datapower,dc=com and the user name is Alice, the DN is mapped as cn=Alice,dc=datapower,dc=com.
1. Select Administration → Access → RBM Settings to display the RBM Settings (Main) screen.
2. Retain the default value for the Admin State toggle.
3. Specify a descriptive object-specific summary in the Comment field.
4. Use the Enforce RBM on CLI toggle to specify which access approaches the RBM policy enforces.
   on   Applies the RBM policy to both WebGUI and command line access.
   off  (Default) Applies the RBM policy to WebGUI access only. The defined RBM policy does not apply to command line access.

5. Use the Restrict Admin Login toggle to specify whether to allow or restrict access by the admin account.
   on   Restricts command line access by the admin account to serial port access only.
   off  (Default) Allows access by the admin account through all access methods.
6. Define the user authentication method:
   a. Click the Authentication tab.
   b. Select LDAP from the User Authentication Method list. The screen refreshes.
      1) Specify the host name or IP address of the LDAP server in the Authentication Server Host field.
      2) Specify the port number on the server in the Authentication Server Port field.
      3) Select the LDAP version from the LDAP Version list.
      4) Select an SSL Proxy Profile to establish a secure connection to the LDAP server from the LDAP SSL Proxy Profile list. Retain the default value to use a non-SSL connection. Refer to "Defining SSL Proxy Profile objects" on page 177 for more information.


      5) Select a Load Balancer Group from the LDAP Load Balancer Group list. If selected, LDAP queries are load-balanced in accordance with the group settings.
      6) Use the Search LDAP for DN toggle to control whether to perform an LDAP search to retrieve the user's DN.
         on   Enables an LDAP search for the user's DN. The login name of the user along with the LDAP Search Parameters is used as part of an LDAP search to retrieve the user's DN.
         off  (Default) Disables an LDAP search for the user's DN. The login name of the user along with the LDAP prefix and the LDAP suffix is used to construct the user's DN.
         • If Search LDAP for DN is set to on:
           a) Specify the distinguished name (DN) for the LDAP bind operation in the LDAP Bind DN field.
           b) Specify the password for the specified DN in the LDAP Bind Password field.
           c) Specify the password again in the LDAP Bind Password field for confirmation.
           d) Select the LDAP Search Parameters from the LDAP Search Parameters list. The LDAP Search Parameters object serves as a container for the parameters that are used to perform an LDAP search operation to retrieve the user's DN.
         • If Search LDAP for DN is set to off:
           a) Specify an LDAP prefix in the LDAP Prefix field.
           b) Specify an LDAP suffix in the LDAP Suffix field.
   c. Select whether to use local user accounts as fallback users from the Local Login As Fallback list. With fallback users, locally-defined users can log in to the appliance if the authentication method fails or in the event of a network outage that affects the primary login authentication (for example, the remote authentication server is down).
      disabled        Indicates that no local user can log in.
      all users       Indicates that all local users can log in.
      specific users  (Default) Indicates that only specified local users can log in.

      Note: Local users must be members of local user groups. Each local user must also be defined in the remote authentication server. The password for each local user must match the credentials for a user of the exact same name on the remote server.

   d. When the Local Login As Fallback property is specific users, add specific locally-defined fallback users:
      1) Select a local user from the Fallback User list.
      2) Click Add.
      Repeat the previous process for each fallback user.
   e. Select the desired caching mode from the Authentication Cache Mode list.


      Absolute  Caches authentication results for the period of time in the Authentication Cache Lifetime field.
      Disabled  Caching is disabled. The DataPower appliance authenticates each access request but does not cache results.
      Maximum   (Default) Compares the explicit TTL to the TTL in the response, if any, and caches authentication results for the maximum of the two values.
      Minimum   Compares the explicit TTL to the TTL in the response, if any, and caches authentication results for the minimum of the two values.
   f. Specify an explicit TTL, in seconds, for cached authentication results in the Authentication Cache Lifetime field. The default is 600.
7. Define the mapping credentials method:
   a. Click the Credentials tab.
   b. From the Mapping Credentials Method list, select the method to evaluate access profiles.
      • When custom, specify the URL of the custom style sheet in the Mapping Custom URL field.
      • When xmlfile, specify the URL of the RBM policy file in the Mapping RBM Policy URL field. Refer to Chapter 3, "Using the builder to create an RBM policy file," on page 41 for details.

      Note: Although available, local usergroup is not a valid selection.

   c. When the Mapping Credentials Method is local usergroup or xmlfile, use the Search LDAP for Group Name toggle to control whether to perform an LDAP search to retrieve the user's group.

      Note: When the credential mapping method is custom, the WebGUI does not display this toggle.

      on   Enables an LDAP search for the user's group. The authenticated DN of the user along with the LDAP Search Parameters is used as part of an LDAP search to retrieve the user's group.
      off  (Default) Disables an LDAP search for the user's group. The authenticated identity of the user (DN, or user group of a local user) is used directly as the input credential.

      When enabled, the screen refreshes with LDAP-specific fields:
      1) Specify the IP address or host name of the LDAP server in the Credentials Server Host field.
      2) Specify the port number of the LDAP server in the Credentials Server Port field.
      3) Select an SSL Proxy Profile to establish a secure connection to the LDAP server from the LDAP SSL Proxy Profile list. Retain the default value to use a non-SSL connection. Refer to "Defining SSL Proxy Profile objects" on page 177 for more information.
      4) Optionally select a Load Balancer Group from the LDAP Load Balancer Group list. If selected, LDAP queries are load-balanced in accordance with the group settings. This setting overrides the settings for the Credentials Server Host and Credentials Server Port fields. Refer to "Load Balancer Group" on page 168 for more information.

    5) Specify the distinguished name (DN) for the LDAP bind operation inthe LDAP Bind DN field.

    6) Specify the password for the specified DN in the LDAP BindPassword field.

    7) Again, specify the password for the specified DN in the LDAP BindPassword field for confirmation.

    8) Select the LDAP Search Parameters from the LDAP Search Parameterslist. The LDAP Search Parameters object serves as a container for theparameters that are used to perform an LDAP search operation toretrieve the group name (DN or attribute value) based on thedistinguished name of the authenticated user.

    8. If you defined local fallback users, optionally define the password policy.Refer to Defining the password policy on page 35 for more information.

    9. Click Apply to save the changes to the running configuration.10. Optionally, click Save Config to save the object to the startup configuration.
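The following Python model illustrates how the Authentication Cache Mode, Authentication Cache Lifetime and Local Login As Fallback settings in step 6 interact. It is an added example written for this page, not DataPower code: the class and function names are assumptions chosen to mirror the WebGUI fields, the remote server and local user list are constructed, a response without a TTL is assumed to fall back to the explicit TTL, and fallback is modelled only for the case where the remote server is unreachable (a credential the remote server rejects is never retried locally, since that would let an attacker downgrade to the local account list).

```python
"""Model of RBM authentication caching and local fallback (added example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

DEFAULT_CACHE_LIFETIME = 600  # documented default for Authentication Cache Lifetime


class RemoteAuthUnavailable(Exception):
    """The remote authentication server cannot be reached."""


def effective_ttl(mode: str, explicit_ttl: int, response_ttl: Optional[int]) -> int:
    """Seconds to cache one result for a given Authentication Cache Mode.

    response_ttl is the TTL in the server's response, or None when there is none
    (assumed here to leave the explicit TTL in force).
    """
    if mode == "disabled":
        return 0
    if mode == "absolute" or response_ttl is None:
        return explicit_ttl
    if mode == "maximum":
        return max(explicit_ttl, response_ttl)
    if mode == "minimum":
        return min(explicit_ttl, response_ttl)
    raise ValueError(f"unknown Authentication Cache Mode: {mode!r}")


@dataclass
class CacheEntry:
    ok: bool
    expires_at: float


class RbmAuthenticator:
    """remote(user, password) -> (accepted, response_ttl) or raises RemoteAuthUnavailable."""

    def __init__(self, remote: Callable[[str, str], Tuple[bool, Optional[int]]],
                 local_users: Dict[str, str], cache_mode: str = "maximum",
                 cache_lifetime: int = DEFAULT_CACHE_LIFETIME,
                 fallback: str = "specific users", fallback_users: Iterable[str] = ()):
        self.remote = remote
        self.local_users = local_users          # constructed: user -> password
        self.cache_mode = cache_mode
        self.cache_lifetime = cache_lifetime
        self.fallback = fallback                # 'disabled' | 'all users' | 'specific users'
        self.fallback_users = frozenset(fallback_users)
        self._cache: Dict[str, CacheEntry] = {}

    @staticmethod
    def _cache_key(user: str, password: str) -> str:
        # Key on a digest so the cache never holds the plaintext credential.
        return hashlib.sha256(f"{user}\0{password}".encode()).hexdigest()

    def authenticate(self, user: str, password: str, now: float) -> Tuple[bool, str]:
        """Return (accepted, source) with source in {'cache', 'remote', 'fallback'}."""
        key = self._cache_key(user, password)
        entry = self._cache.get(key)
        if entry is not None and entry.expires_at > now:
            return entry.ok, "cache"
        try:
            ok, response_ttl = self.remote(user, password)
        except RemoteAuthUnavailable:
            return self._local_fallback(user, password), "fallback"
        ttl = effective_ttl(self.cache_mode, self.cache_lifetime, response_ttl)
        if ttl > 0:  # 'disabled' yields 0: authenticate every request, cache nothing
            self._cache[key] = CacheEntry(ok, now + ttl)
        return ok, "remote"

    def _local_fallback(self, user: str, password: str) -> bool:
        if self.fallback == "disabled":
            return False
        if self.fallback == "specific users" and user not in self.fallback_users:
            return False
        stored = self.local_users.get(user)
        # Constant-time comparison of the local password.
        return stored is not None and hmac.compare_digest(stored, password)


def demo() -> List[Tuple[bool, str]]:
    """Constructed scenario: the remote server answers, then becomes unreachable."""
    state = {"up": True}

    def remote(user: str, password: str) -> Tuple[bool, Optional[int]]:
        if not state["up"]:
            raise RemoteAuthUnavailable()
        return (user == "alice" and password == "s3cret"), 300  # constructed 300 s TTL

    auth = RbmAuthenticator(remote, local_users={"alice": "s3cret", "bob": "hunter2"},
                            cache_mode="minimum", fallback="specific users",
                            fallback_users=["alice"])
    results = [auth.authenticate("alice", "s3cret", now=0),     # remote; cached min(600, 300) s
               auth.authenticate("alice", "s3cret", now=100)]   # served from cache
    state["up"] = False
    results.append(auth.authenticate("alice", "s3cret", now=400))  # expired; alice is a fallback user
    results.append(auth.authenticate("bob", "hunter2", now=400))   # bob is not a fallback user
    return results


if __name__ == "__main__":
    for accepted, source in demo():
        print(accepted, source)
```

With Minimum mode and a 300 s response TTL, the second login is served from the cache, the third falls back to the local account because the server is down and alice is a listed fallback user, and bob is refused even though his local password is correct. The point for an operator: "specific users" limits the accounts that remain usable during an outage to the ones you list, and "all users" widens that set to every local account.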

RBM using local user authentication

1. Select Administration → Access → RBM Settings to display the RBM Settings (Main) screen.
2. Retain the default value for the Admin State toggle.
3. Specify a descriptive object-specific summary in the Comment field.
4. Use the Enforce RBM on CLI toggle to specify which access approaches the RBM policy enforces.

   on     Applies the RBM policy to both WebGUI and command line access.
   off    (Default) Applies the RBM policy to WebGUI access only; command line access is not subject to the RBM policy.

5. Use the Restrict Admin Login toggle to specify whether to allow or restrict access by the admin account.

   on     Restricts command line access by the admin account to serial port access only.
   off    (Default) Allows access by the admin account through all access methods.

6. Define the user authentication method:
   a. Click the Authentication tab.
   b. Select local user from the User Authentication Method list if it is not already selected. The screen refreshes if you changed the authentication method.
   c. Select the desired caching mode from the Authentication Cache Mode list.

      Absolute
             Caches authentication results for the period specified in the Authentication Cache Lifetime field.
      Disabled
             Caching is disabled. The DataPower appliance authenticates each access request and does not cache results.
      Maximum
             (Default) Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the larger of the two values.
      Minimum
             Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the smaller of the two values.

   d. Specify an explicit TTL, in seconds, for cached authentication results in the Authentication Cache Lifetime field. The default is 600.

7. Define the mapping credentials method:
   a. Click the Credentials tab.
   b. From the Mapping Credentials Method list, select the method to evaluate access profiles.
      - When custom, specify the URL of the custom style sheet in the Mapping Custom URL field.
      - When local usergroup, RBM uses the access profiles that are associated with the user's group. Refer to "Creating a group account" on page 47 for information.
      - When xmlfile, specify the URL of the RBM policy file in the Mapping RBM Policy URL field. Refer to Chapter 3, "Using the builder to create an RBM policy file," on page 41 for details.

   c. When the Mapping Credentials Method is local usergroup or xmlfile, use the Search LDAP for Group Name toggle to control whether to perform an LDAP search to retrieve the user's group.

      Note: When the credential mapping method is custom, the WebGUI does not display this toggle.

      on     Enables an LDAP search for the user's group. The authenticated DN of the user, together with the LDAP Search Parameters, is used in an LDAP search to retrieve the user's group.
      off    (Default) Disables an LDAP search for the user's group. The authenticated identity of the user (the DN, or the user group of a local user) is used directly as the input credential.

      When enabled, the screen refreshes with LDAP-specific fields:
      1) Specify the IP address or host name of the LDAP server in the Credentials Server Host field.
      2) Specify the port number of the LDAP server in the Credentials Server Port field.
      3) Select an SSL Proxy Profile to establish a secure connection to the LDAP server from the LDAP SSL Proxy Profile list. Retain the default value to use a non-SSL connection. Without an SSL Proxy Profile, the bind DN, bind password and search traffic cross the network in cleartext. Refer to "Defining SSL Proxy Profile objects" on page 177 for more information.
      4) Optionally select a Load Balancer Group from the LDAP Load Balancer Group list. If selected, LDAP queries are load-balanced in accordance with the group settings. This setting overrides the settings for the Credentials Server Host and Credentials Server Port fields. Refer to "Load Balancer Group" on page 168 for more information.
      5) Specify the distinguished name (DN) for the LDAP bind operation in the LDAP Bind DN field.
      6) Specify the password for the specified DN in the LDAP Bind Password field.
      7) Specify the password again in the LDAP Bind Password field for confirmation.
      8) Select the LDAP Search Parameters from the LDAP Search Parameters list. The LDAP Search Parameters object serves as a container for the parameters that are used to perform an LDAP search operation to retrieve the group name (DN or attribute value) based on the distinguished name of the authenticated user.

8. Optionally define the password policy. Refer to "Defining the password policy" on page 35 for more information.
9. Click Apply to save the changes to the running configuration.
10. Optionally, click Save Config to save the object to the startup configuration.

RBM using RADIUS authentication

1. Select Administration → Access → RBM Settings to display the RBM Settings (Main) screen.
2. Retain the default value for the Admin State toggle.
3. Specify a descriptive object-specific summary in the Comment field.
4. Use the Enforce RBM on CLI toggle to specify which access approaches the RBM policy enforces.

   on     Applies the RBM policy to both WebGUI and command line access.
   off    (Default) Applies the RBM policy to WebGUI access only; command line access is not subject to the RBM policy.

5. Use the Restrict Admin Login toggle to specify whether to allow or restrict access by the admin account.

   on     Restricts command line access by the admin account to serial port access only.
   off    (Default) Allows access by the admin account through all access methods.

6. Define the user authentication method:
   a. Click the Authentication tab.
   b. Select radius from the User Authentication Method list.
   c. Select whether to use local user accounts as fallback users from the Local Login As Fallback list. With fallback users, locally-defined users can log in to the appliance if the authentication method fails or in the event of a network outage that affects the primary login authentication (for example, the remote authentication server is down).

      disabled
             No local user can log in.
      all users
             All local users can log in.
      specific users
             (Default) Only the specified local users can log in.

      Note: Local users must be members of local user groups. Each local user must also be defined in the remote authentication server. The password for each local user must match the credentials for a user of the exact same name on the remote server.

   d. When the Local Login As Fallback property is specific users, add the locally-defined fallback users:
      1) Select a local user from the Fallback User list.
      2) Click Add.
      Repeat these steps for each fallback user.

   e. Select the desired caching mode from the Authentication Cache Mode list.

      Absolute
             Caches authentication results for the period specified in the Authentication Cache Lifetime field.
      Disabled
             Caching is disabled. The DataPower appliance authenticates each access request and does not cache results.
      Maximum
             (Default) Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the larger of the two values.
      Minimum
             Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the smaller of the two values.

   f. Specify an explicit TTL, in seconds, for cached authentication results in the Authentication Cache Lifetime field. The default is 600.

7. Define the mapping credentials method:
   a. Click the Credentials tab.
   b. From the Mapping Credentials Method list, select the method to evaluate access profiles.
      - When custom, specify the URL of the custom style sheet in the Mapping Custom URL field.
      - When xmlfile, specify the URL of the RBM policy file in the Mapping RBM Policy URL field. Refer to Chapter 3, "Using the builder to create an RBM policy file," on page 41 for details.

      Note: Although available, local usergroup is not a valid selection for this authentication method.

   c. When the Mapping Credentials Method is local usergroup or xmlfile, use the Search LDAP for Group Name toggle to control whether to perform an LDAP search to retrieve the user's group.

      Note: When the credential mapping method is custom, the WebGUI does not display this toggle.

      on     Enables an LDAP search for the user's group. The authenticated DN of the user, together with the LDAP Search Parameters, is used in an LDAP search to retrieve the user's group.
      off    (Default) Disables an LDAP search for the user's group. The authenticated identity of the user (the DN, or the user group of a local user) is used directly as the input credential.

      When enabled, the screen refreshes with LDAP-specific fields:
      1) Specify the IP address or host name of the LDAP server in the Credentials Server Host field.
      2) Specify the port number of the LDAP server in the Credentials Server Port field.
      3) Select an SSL Proxy Profile to establish a secure connection to the LDAP server from the LDAP SSL Proxy Profile list. Retain the default value to use a non-SSL connection. Without an SSL Proxy Profile, the bind DN, bind password and search traffic cross the network in cleartext. Refer to "Defining SSL Proxy Profile objects" on page 177 for more information.
      4) Optionally select a Load Balancer Group from the LDAP Load Balancer Group list. If selected, LDAP queries are load-balanced in accordance with the group settings. This setting overrides the settings for the Credentials Server Host and Credentials Server Port fields. Refer to "Load Balancer Group" on page 168 for more information.
      5) Specify the distinguished name (DN) for the LDAP bind operation in the LDAP Bind DN field.
      6) Specify the password for the specified DN in the LDAP Bind Password field.
      7) Specify the password again in the LDAP Bind Password field for confirmation.
      8) Select the LDAP Search Parameters from the LDAP Search Parameters list. The LDAP Search Parameters object serves as a container for the parameters that are used to perform an LDAP search operation to retrieve the group name (DN or attribute value) based on the distinguished name of the authenticated user.

8. If you defined local fallback users, optionally define the password policy. Refer to "Defining the password policy" on page 35 for more information.
9. Click Apply to save the changes to the running configuration.
10. Optionally, click Save Config to save the object to the startup configuration.

RBM using SAF authentication

1. Select Administration → Access → RBM Settings to display the RBM Settings (Main) screen.
2. Retain the default value for the Admin State toggle.
3. Specify a descriptive object-specific summary in the Comment field.
4. Use the Enforce RBM on CLI toggle to specify which access approaches the RBM policy enforces.

   on     Applies the RBM policy to both WebGUI and command line access.
   off    (Default) Applies the RBM policy to WebGUI access only; command line access is not subject to the RBM policy.

5. Use the Restrict Admin Login toggle to specify whether to allow or restrict access by the admin account.

   on     Restricts command line access by the admin account to serial port access only.
   off    (Default) Allows access by the admin account through all access methods.

6. Define the user authentication method:
   a. Click the Authentication tab.
   b. Select saf from the User Authentication Method list. The screen refreshes.
   c. Select a z/OS NSS client from the z/OS NSS Client Configuration list. Refer to "z/OS NSS Client" on page 181 for more details.
   d. Select whether to use local user accounts as fallback users from the Local Login As Fallback list. With fallback users, locally-defined users can log in to the appliance if the authentication method fails or in the event of a network outage that affects the primary login authentication (for example, the remote authentication server is down).

      disabled
             No local user can log in.
      all users
             All local users can log in.
      specific users
             (Default) Only the specified local users can log in.

      Note: Local users must be members of local user groups. Each local user must also be defined in the remote authentication server. The password for each local user must match the credentials for a user of the exact same name on the remote server.

   e. When the Local Login As Fallback property is specific users, add the locally-defined fallback users:
      1) Select a local user from the Fallback User list.
      2) Click Add.
      Repeat these steps for each fallback user.

   f. Select the desired caching mode from the Authentication Cache Mode list.

      Absolute
             Caches authentication results for the period specified in the Authentication Cache Lifetime field.
      Disabled
             Caching is disabled. The DataPower appliance authenticates each access request and does not cache results.
      Maximum
             (Default) Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the larger of the two values.
      Minimum
             Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the smaller of the two values.

   g. Specify an explicit TTL, in seconds, for cached authentication results in the Authentication Cache Lifetime field. The default is 600.

7. Define the mapping credentials method:
   a. Click the Credentials tab.
   b. From the Mapping Credentials Method list, select the method to evaluate access profiles.
      - When custom, specify the URL of the custom style sheet in the Mapping Custom URL field.
      - When xmlfile, specify the URL of the RBM policy file in the Mapping RBM Policy URL field. Refer to Chapter 3, "Using the builder to create an RBM policy file," on page 41 for details.

      Note: Although available, local usergroup is not a valid selection for this authentication method.

   c. When the Mapping Credentials Method is local usergroup or xmlfile, use the Search LDAP for Group Name toggle to control whether to perform an LDAP search to retrieve the user's group.

      Note: When the credential mapping method is custom, the WebGUI does not display this toggle.

      on     Enables an LDAP search for the user's group. The authenticated DN of the user, together with the LDAP Search Parameters, is used in an LDAP search to retrieve the user's group.
      off    (Default) Disables an LDAP search for the user's group. The authenticated identity of the user (the DN, or the user group of a local user) is used directly as the input credential.

      When enabled, the screen refreshes with LDAP-specific fields:
      1) Specify the IP address or host name of the LDAP server in the Credentials Server Host field.
      2) Specify the port number of the LDAP server in the Credentials Server Port field.
      3) Select an SSL Proxy Profile to establish a secure connection to the LDAP server from the LDAP SSL Proxy Profile list. Retain the default value to use a non-SSL connection. Without an SSL Proxy Profile, the bind DN, bind password and search traffic cross the network in cleartext. Refer to "Defining SSL Proxy Profile objects" on page 177 for more information.
      4) Optionally select a Load Balancer Group from the LDAP Load Balancer Group list. If selected, LDAP queries are load-balanced in accordance with the group settings. This setting overrides the settings for the Credentials Server Host and Credentials Server Port fields. Refer to "Load Balancer Group" on page 168 for more information.
      5) Specify the distinguished name (DN) for the LDAP bind operation in the LDAP Bind DN field.
      6) Specify the password for the specified DN in the LDAP Bind Password field.
      7) Specify the password again in the LDAP Bind Password field for confirmation.
      8) Select the LDAP Search Parameters from the LDAP Search Parameters list. The LDAP Search Parameters object serves as a container for the parameters that are used to perform an LDAP search operation to retrieve the group name (DN or attribute value) based on the distinguished name of the authenticated user.

8. If you defined local fallback users, optionally define the password policy. Refer to "Defining the password policy" on page 35 for more information.
9. Click Apply to save the changes to the running configuration.
10. Optionally, click Save Config to save the object to the startup configuration.
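Step 7c in each of the preceding procedures describes the same lookup: the authenticated DN is inserted into an LDAP search built from the LDAP Search Parameters, and the group name (the matching entry's DN or one of its attribute values) becomes the input credential for the RBM policy. The Python model below, added here and not DataPower code, shows what that search has to get right. The parameter names, the filter prefix and suffix layout, and the directory entries are assumptions constructed for the example; the escaping rules are those of RFC 4515.

```python
"""Model of the Search LDAP for Group Name lookup (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot change the structure of the filter.

    Without this, a DN component such as 'cn=x)(cn=*' would rewrite the query.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class LdapSearchParameters:
    """Assumed shape of the parameters a group search needs (not the product's field names)."""
    base_dn: str
    filter_prefix: str                         # filter text before the authenticated DN
    filter_suffix: str                         # filter text after it
    scope: str = "subtree"
    returned_attribute: Optional[str] = None   # None: use the group entry's DN as the group name


def build_group_search(params: LdapSearchParameters, authenticated_dn: str) -> Dict[str, str]:
    """Return the search request (base, scope, filter) for one authenticated user."""
    return {
        "base": params.base_dn,
        "scope": params.scope,
        "filter": params.filter_prefix + escape_filter_value(authenticated_dn) + params.filter_suffix,
    }


Entry = Tuple[str, Dict[str, List[str]]]   # (entry DN, attributes), as an LDAP client returns them


def group_name_from_entries(params: LdapSearchParameters, entries: List[Entry]) -> str:
    """Derive the RBM input credential from the search result.

    Exactly one group must match: no match leaves nothing to map to an access
    profile, and several matches would make the mapping ambiguous.
    """
    if len(entries) != 1:
        raise LookupError(f"expected exactly one group entry, got {len(entries)}")
    dn, attrs = entries[0]
    if params.returned_attribute is None:
        return dn
    values = attrs.get(params.returned_attribute, [])
    if len(values) != 1:
        raise LookupError(f"{params.returned_attribute} must have exactly one value, got {len(values)}")
    return values[0]


# Constructed parameters: groups are groupOfNames entries whose 'member' values are user DNs.
PARAMS = LdapSearchParameters(
    base_dn="ou=groups,dc=example,dc=com",
    filter_prefix="(&(objectClass=groupOfNames)(member=",
    filter_suffix="))",
    returned_attribute="cn",
)


def demo() -> Tuple[str, str]:
    """Constructed lookup for a user whose DN contains filter metacharacters."""
    user_dn = "cn=Smith (Ops),ou=people,dc=example,dc=com"
    request = build_group_search(PARAMS, user_dn)
    # Constructed response, as the directory would return it for that filter.
    entries: List[Entry] = [("cn=operators,ou=groups,dc=example,dc=com",
                             {"cn": ["operators"], "member": [user_dn]})]
    return request["filter"], group_name_from_entries(PARAMS, entries)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The filter produced for the sample user is `(&(objectClass=groupOfNames)(member=cn=Smith \28Ops\29,ou=people,dc=example,dc=com))`; the parentheses in the DN are escaped rather than interpreted, which is what keeps an attacker-influenced DN from widening the match. The result handling refuses zero or multiple matches instead of silently picking the first entry.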

RBM using SPNEGO authentication

This method is available on all appliances except for XML Accelerator XA35.

1. Select Administration → Access → RBM Settings to display the RBM Settings (Main) screen.
2. Retain the default value for the Admin State toggle.
3. Specify a descriptive object-specific summary in the Comment field.
4. Use the Enforce RBM on CLI toggle to specify which access approaches the RBM policy enforces.

   on     Applies the RBM policy to both WebGUI and command line access.
   off    (Default) Applies the RBM policy to WebGUI access only; command line access is not subject to the RBM policy.

5. Use the Restrict Admin Login toggle to specify whether to allow or restrict access by the admin account.

   on     Restricts command line access by the admin account to serial port access only.
   off    (Default) Allows access by the admin account through all access methods.

6. Define the user authentication method:
   a. Click the Authentication tab.
   b. Select spnego from the User Authentication Method list. The screen refreshes.
   c. Select a Kerberos keytab file from the Kerberos Keytab list.
   d. Select whether to use local user accounts as fallback users from the Local Login As Fallback list. With fallback users, locally-defined users can log in to the appliance if the authentication method fails or in the event of a network outage that affects the primary login authentication (for example, the remote authentication server is down).

      disabled
             No local user can log in.
      all users
             All local users can log in.
      specific users
             (Default) Only the specified local users can log in.

      Note: Local users must be members of local user groups. Each local user must also be defined in the remote authentication server. The password for each local user must match the credentials for a user of the exact same name on the remote server.

   e. When the Local Login As Fallback property is specific users, add the locally-defined fallback users:
      1) Select a local user from the Fallback User list.
      2) Click Add.
      Repeat these steps for each fallback user.

   f. Select the desired caching mode from the Authentication Cache Mode list.

      Absolute
             Caches authentication results for the period specified in the Authentication Cache Lifetime field.
      Disabled
             Caching is disabled. The DataPower appliance authenticates each access request and does not cache results.
      Maximum
             (Default) Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the larger of the two values.
      Minimum
             Compares the explicit TTL with the TTL in the response, if any, and caches authentication results for the smaller of the two values.

   g. Specify an explicit TTL, in seconds, for cached authentication results in the Authentication Cache Lifetime field. The default is 600.

7. Define the mapping credentials method:
   a. Click the Credentials tab.
   b. From the Mapping Credentials Method list, select the method to evaluate access profiles.
      - When custom, specify the URL of the custom style sheet in the Mapping Custom URL field.
      - When xmlfile, specify the URL of the RBM policy file in the Mapping RBM Policy URL field. Refer to Chapter 3, "Using the builder to create an RBM policy file," on page 41 for details.

      Note: Although available, local usergroup is not a valid selection for this authentication method.

   c. When the Mapping Credentials Method is local usergroup or xmlfile, use the Search LDAP for Group Name toggle to control whether to perform an LDAP search to retrieve the user's group.

      Note: When the credential mapping method is custom, the WebGUI does not display this toggle.

      on     Enables an LDAP search for the user's group. The authenticated DN of the user, together with the LDAP Search Parameters, is used in an LDAP search to retrieve the user's group.
      off    (Default) Disables an LDAP search for the user's group. The authenticated identity of the user (the DN, or the user group of a local user) is used directly as the input credential.

      When enabled, the screen refreshes with LDAP-specific fields:
      1) Specify the IP address or host name of the LDAP server in the Credentials Server Host field.
      2) Specify the port number of the LDAP server in the Credentials Server Port field.
      3) Select an SSL Proxy Profile to establish a secure connection to the LDAP server from the LDAP SSL Proxy Profile list. Retain the default value to use a non-SSL connection. Without an SSL Proxy Profile, the bind DN, bind password and search traffic cross the network in cleartext. Refer to "Defining SSL Proxy Profile objects" on page 177 for more information.
      4) Optionally select a Load Balancer Group from the LDAP Load Balancer Group list. If selected, LDAP queries are load-balanced in accordance with the group settings. This setting overrides the settings for the Credentials Server Host and Credentials Server Port fields. Refer to "Load Balancer Group" on page 168 for more information.
      5) Specify the distinguished name (DN) for the LDAP bind operation in the LDAP Bind DN field.
      6) Specify the password for the specified DN in the LDAP Bind Password field.
      7) Specify the password again in the LDAP Bind Password field for confirmation.
      8) Select the LDAP Search Parameters from the LDAP Search Parameters list. The LDAP Search Parameters object serves as a container for the parameters that are used to perform an LDAP search operation to retrieve the group name (DN or attribute value) based on the distinguished name of the authenticated user.

8. If you defined local fallback users, optionally define the password policy. Refer to "Defining the password policy" on page 35 for more information.

    9. Click Apply to save the chang