09-Security Command Reference
Trusted access control commands
api-access-mode
Use api-access-mode to specify the API access mode.
Use undo api-access-mode to restore the default.
Syntax
api-access-mode { app-initiated | user-initiated }
undo api-access-mode
Default
The application-initiated API access mode is adopted.
Views
Trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
app-initiated: Specifies the application-initiated API access mode.
user-initiated: Specifies the user-initiated API access mode.
Usage guidelines
The trusted API proxy carries different tokens based on the specified API access mode when performing authorization with the trusted access controller. You must specify the correct API access mode according to the network environment as follows:
· Application-initiated API access mode—Applies to the network environment where the front end and backend are separated. In this mode, the trusted API proxy carries both the user token and application token when performing API authorization with the trusted access controller. The trusted access controller verifies the API access permission for both the associated user and application.
· User-initiated API access mode—Applies to the network environment where the front end and backend are not separated. In this mode, the trusted API proxy carries only the user token when performing API authorization with the trusted access controller. The trusted access controller verifies the API access permission for only the associated user.
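The difference between the two modes is easiest to see in code. The following is an added example, not code from the H3C command reference: it models what the trusted API proxy carries to the controller in each api-access-mode and how a controller would evaluate it. The token strings and the two permission tables are constructed for the example, and the controller-side logic is an assumption about how "verifies the API access permission for both the associated user and application" is enforced.

```python
# Added example, not code from the H3C command reference: a small model of
# what the trusted API proxy carries to the controller in each api-access-mode
# and how a controller would evaluate it. Token strings and the two permission
# tables are constructed; the controller logic is an assumption.
from typing import Optional

# Constructed permission tables: which API URLs each token is allowed to call.
USER_API_PERMISSIONS = {
    "utok-alice": {"/v1/orders", "/v1/profile"},
}
APP_API_PERMISSIONS = {
    "atok-portal": {"/v1/orders"},  # the front-end application may call /v1/orders only
}


def build_api_authz_request(mode: str, api_url: str, user_token: str,
                            app_token: Optional[str] = None) -> dict:
    """Build the authorization request the proxy sends to the controller.

    app-initiated: carries the user token and the application token.
    user-initiated: carries the user token only.
    """
    if mode not in ("app-initiated", "user-initiated"):
        raise ValueError(f"unknown api-access-mode: {mode}")
    request = {"api_url": api_url, "user_token": user_token}
    if mode == "app-initiated":
        if app_token is None:
            raise ValueError("app-initiated mode requires an application token")
        request["app_token"] = app_token
    return request


def controller_authorize(request: dict) -> bool:
    """Hypothetical controller check: every token carried must permit the URL."""
    url = request["api_url"]
    user_ok = url in USER_API_PERMISSIONS.get(request["user_token"], set())
    if "app_token" not in request:
        return user_ok  # user-initiated: only the user's permission is verified
    app_ok = url in APP_API_PERMISSIONS.get(request["app_token"], set())
    return user_ok and app_ok  # app-initiated: user and application must both be permitted


def authorize(mode: str, api_url: str, user_token: str,
              app_token: Optional[str] = None) -> bool:
    """Proxy-side flow: build the request for the configured mode, then ask the controller."""
    return controller_authorize(build_api_authz_request(mode, api_url, user_token, app_token))


if __name__ == "__main__":
    print(authorize("app-initiated", "/v1/profile", "utok-alice", "atok-portal"))  # False: app not permitted
    print(authorize("user-initiated", "/v1/profile", "utok-alice"))                 # True: only the user is checked
```

The same user request to /v1/profile is permitted in user-initiated mode and denied in app-initiated mode, because only the second mode carries and checks the application token. That is why the mode must match the deployment: configuring user-initiated where the front end and backend are separated silently drops the application-level check.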
Examples
# Specify the user-initiated API access mode for HTTP trusted API proxy api.
<Sysname> system-view
[Sysname] trusted-api-proxy api type http
[Sysname-tip-http-api] api-access-mode user-initiated
app-url-level
Use app-url-level to specify the URL resource path extraction scope for application authorization.
Use undo app-url-level to restore the default.
Syntax
app-url-level level
undo app-url-level
Default
Only the domain name section of URLs is extracted for application authorization.
Views
Trusted application proxy view
Predefined user roles
network-admin
context-admin
Parameters
level: Specifies the number of path sections (separated by forward slashes) to extract from URLs, after the domain name, for application authorization. The value range for the level argument is 0 to 10. Value 0 represents the domain name section of URLs only.
Usage guidelines
The trusted application proxy extracts a specific portion from URLs in user requests to perform application authorization with the IAM trusted access controller.
Use this command to specify the portion (domain name section plus the specified resource path sections) to extract from URLs. Suppose a user attempts to access application URL www.test.com/aaa/bbb/ccc/ddd/default=eee.
· If you set the value for the level argument to 0, the trusted application proxy extracts www.test.com from the URL to perform application authorization.
· If you set the value for the level argument to 3, the trusted application proxy extracts www.test.com/aaa/bbb/ccc from the URL to perform application authorization.
Typically, you only need to use the default setting for this command to implement application permission control because each application has a unique domain name.
If multiple applications use the same domain name, specify a URL resource path extraction scope with the command to extract the associated portions from the application URLs for application authorization.
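The extraction rule above, as an added example that is not code from the H3C command reference: it reproduces the URL portion selected at a given level and shows why a level above 0 is needed when several applications share one domain name. How the device treats ports, query strings and empty path sections is not stated in the reference, so the handling here (drop them, skip empty sections) is an assumption.

```python
# Added example, not code from the H3C command reference: reproduces the URL
# portion that app-url-level selects for application authorization. Handling
# of ports, query strings and empty path sections is an assumption.
from urllib.parse import urlsplit


def extract_app_url(url: str, level: int) -> str:
    """Return the domain name plus the first `level` path sections of `url`.

    level 0 returns the domain name only. Scheme, port, query string and
    fragment are dropped; repeated or trailing slashes produce no empty section.
    """
    if not 0 <= level <= 10:
        raise ValueError("level must be in the range 0 to 10")
    if "://" not in url:          # accept bare host/path forms as in the reference example
        url = "http://" + url
    parts = urlsplit(url)
    host = parts.hostname         # already lower-cased by urlsplit
    if not host:
        raise ValueError(f"no domain name in {url!r}")
    sections = [s for s in parts.path.split("/") if s]
    return "/".join([host, *sections[:level]])


def authorization_keys(urls, level: int) -> set:
    """Distinct authorization keys a list of application URLs maps to at `level`."""
    return {extract_app_url(u, level) for u in urls}


if __name__ == "__main__":
    print(extract_app_url("www.test.com/aaa/bbb/ccc/ddd/default=eee", 0))  # www.test.com
    print(extract_app_url("www.test.com/aaa/bbb/ccc/ddd/default=eee", 3))  # www.test.com/aaa/bbb/ccc
```

With two constructed applications at apps.example.com/hr and apps.example.com/finance, level 0 collapses both to the single key apps.example.com, so a permission granted for one is matched by requests for the other; level 1 keeps them distinct. That is the collision the guideline about shared domain names is warning about.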
Examples
# Specify the level-3 URL resource path extraction scope for HTTP trusted application proxy app.
<Sysname> system-view
[Sysname] trusted-app-proxy app type http
[Sysname-tap-http-app] app-url-level 3
connection-count
Use connection-count to specify the maximum number of connections between the device and the IAM trusted access controller.
Use undo connection-count to restore the default.
Syntax
connection-count count
undo connection-count
Default
The device can establish a maximum of one connection to the IAM trusted access controller.
Views
IAM trusted access controller view
Predefined user roles
network-admin
context-admin
Parameters
count: Specifies the maximum number of connections between the device and the IAM trusted access controller, in the range of 1 to 20.
Usage guidelines
By default, the device can establish a maximum of one connection to the IAM trusted access controller. When a large number of authentication and authorization requests exist, the IAM trusted access controller might fail to respond to the requests in time, affecting user experience. You can configure this command to increase the concurrent connection count between the device and the IAM trusted access controller, reduce the authentication and authorization delay, and improve user experience.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the maximum number of connections as 5 between the device and IAM trusted access controller c1.
<Sysname> system-view
[Sysname] trusted-access-controller c1 type iam
[Sysname-tac-iam-c1] connection-count 5
connection-limit max
Use connection-limit max to configure the maximum number of connections for the trusted proxy.
Use undo connection-limit max to restore the default.
Syntax
connection-limit max max-number
undo connection-limit
Default
The maximum number of connections is 0 (not limited) for the trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
max-number: Specifies the maximum number of connections, in the range of 0 to 4294967295. The value 0 means the maximum number of connections is not limited for the trusted proxy.
Examples
# Configure the maximum number of connections as 10000 for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] connection-limit max 10000
description
Use description to configure a description for the trusted access controller.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for the trusted access controller.
Views
IAM trusted access controller view
Predefined user roles
network-admin
context-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 127 characters.
Examples
# Configure the description iam server for IAM trusted access controller tac.
<Sysname> system-view
[Sysname] trusted-access-controller tac type iam
[Sysname-tac-iam-tac] description iam server
Related commands
display trusted-access controller
display trusted-access api-id-url
Use display trusted-access api-id-url to display API ID-to-URL mappings.
Syntax
display trusted-access api-id-url [ name controller-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
name controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays API ID-to-URL mappings for all trusted access controllers.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays API ID-to-URL mappings for all member devices.
Usage guidelines
The device maps URLs in API requests to API IDs of shorter length to reduce resource consumption on the IAM server. Upon receiving an API authorization request, the device maps the API URL in the request to an API ID before forwarding the request to the trusted access controller. After the authorization is complete, the device maps the API ID in the authorization result to an API URL before sending the result to the user.
Examples
# Display API ID-to-URL mappings.
<Sysname> display trusted-access api-id-url
Slot 2:
API ID URL
888 http://888.com
666 http://666.com
display trusted-access controller
Use display trusted-access controller to display trusted access controller information.
Syntax
display trusted-access controller [ name controller-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
name controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about all trusted access controllers.
Examples
# Display information about all trusted access controllers.
<Sysname> display trusted-access controller
Trusted access controller: tac
Description:
Type: IAM
State: Active
Local service URL: http://10.153.10.120:80
Peer service URL: http://10.153.10.121:80
SSL client policy: scp
SSL server policy: ssp
Connection count: 1
Slot 1:
Peer service state: Active
Serial ID: 38ad-be93-e0c4-0008-0100
Slot 2:
Peer service state: Inactive
Serial ID: 38ad-be93-e0c4-0010-0100
Table 1 Command output
Field | Description
---|---
Trusted access controller | Name of the trusted access controller.
Description | Description of the trusted access controller.
Type | Type of the trusted access controller. Only IAM is supported in the current software version.
State | State of the trusted access controller: · Active—The trusted access controller is available. · Inactive—The trusted access controller is not available although it is enabled. · Inactive (disabled)—The trusted access controller is not available because it is disabled.
Serial ID | Serial ID that identifies the trusted proxy device.
Connection count | Maximum number of connections between the device and the IAM trusted access controller.
display trusted-access permitted-record
Use display trusted-access permitted-record to display user authorization success records.
Syntax
display trusted-access permitted-record { api-auth | app-auth } user { brief | user-name } [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
api-auth: Specifies API authorization success records.
app-auth: Specifies application authorization success records.
user: Displays authorization success records for the specified user.
brief: Displays brief authorization success records for all users.
user-name: Specifies a user by username, a case-sensitive string of 1 to 63 characters.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays user authorization success records for all member devices.
Usage guidelines
Use this command to view the URLs that have been authorized as permitted.
If an access request is permitted by the trusted access controller in an authorization, the associated application URL or API URL is added as an authorization success record. Before this record expires, the associated resource is available for matching requests through a lookup. If the record expires, authorization is required for the access requests on the trusted access controller.
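The record lifecycle described above, as an added example that is not code from the H3C command reference: a per-user cache of authorization success records in which a permitted URL is recorded, later matching requests are served by lookup until the record expires, and an expired record forces authorization on the controller again. The TTL value, the controller stand-in and the user and URL data are constructed; the device's real timer and record layout are not given on this page.

```python
# Added example, not code from the H3C command reference: a per-user cache of
# authorization success records with expiry. TTL, the controller stand-in and
# the user/URL data are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed stand-in for the trusted access controller's decision.
PERMITTED = {("test", "test.iam.com/aaa/"), ("test", "test.iam.com/bbb/")}


def controller_authorize(user: str, url: str) -> bool:
    return (user, url) in PERMITTED


@dataclass
class PermittedRecord:
    created_at: datetime
    access_list: dict = field(default_factory=dict)   # URL -> time of last access


class PermittedRecordCache:
    def __init__(self, ttl: timedelta, authorize):
        self.ttl = ttl
        self.authorize = authorize      # callable(user, url) -> bool
        self.records = {}               # username -> PermittedRecord
        self.controller_queries = 0     # how often the controller had to be asked

    def check(self, user: str, url: str, now: datetime) -> bool:
        rec = self.records.get(user)
        if rec is not None and now - rec.created_at >= self.ttl:
            del self.records[user]      # expired: the whole record is discarded
            rec = None
        if rec is not None and url in rec.access_list:
            rec.access_list[url] = now  # lookup hit: refresh "Time of last access"
            return True
        self.controller_queries += 1    # lookup miss: authorize on the controller
        if not self.authorize(user, url):
            return False                # denied requests leave no record
        if rec is None:
            rec = self.records[user] = PermittedRecord(created_at=now)
        rec.access_list[url] = now
        return True


def run_scenario():
    """Replay a few requests for user test; returns the decisions and the query count."""
    t0 = datetime(2020, 4, 15, 14, 34, 54)
    cache = PermittedRecordCache(timedelta(minutes=30), controller_authorize)
    decisions = [
        cache.check("test", "test.iam.com/aaa/", t0),                          # miss, permitted, recorded
        cache.check("test", "test.iam.com/aaa/", t0 + timedelta(seconds=5)),   # hit, no controller query
        cache.check("test", "test.iam.com/ccc/", t0 + timedelta(seconds=6)),   # miss, denied, not recorded
        cache.check("test", "test.iam.com/aaa/", t0 + timedelta(minutes=31)),  # record expired, re-authorized
    ]
    return decisions, cache.controller_queries


if __name__ == "__main__":
    print(run_scenario())   # ([True, True, False, True], 3)
```

Because a lookup hit never consults the controller, a permission that is revoked on the controller keeps being honoured locally until the record expires or is cleared with reset trusted-access permitted-record; that is the window to keep in mind when reviewing this output after a permission change.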
Examples
# Display authorization success records for user test.
<Sysname> display trusted-access permitted-record app-auth user test
Slot 1:
Username: test
Created at: 2020-04-15 14:34:54
Application access list:
Application URL Time of last access
test.iam.com/aaa/ 2020-04-15 14:34:54
test.iam.com/bbb/
# Display brief authorization success records for all users.
<Sysname> display trusted-access permitted-record app-auth user brief
Slot 1:
Total users: 1
Username Creation time
test 2020-04-15 14:34:54
test1 2020-04-15 14:37:21
Table 2 Command output
Field | Description
---|---
Created at | Time when the user authorization success record was created.
Total users | Total number of users that have been successfully authorized.
Time of last access | Most recent time when the application URL or API URL was accessed.
display trusted-api-proxy
Use display trusted-api-proxy to display trusted API proxy information.
Syntax
display trusted-api-proxy [ brief | name trusted-proxy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
brief: Displays brief trusted API proxy information. If you do not specify this keyword, the command displays detailed trusted API proxy information.
name trusted-proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about all trusted API proxies.
Examples
# Display brief information about all trusted API proxies.
<Sysname> display trusted-api-proxy brief
Trusted API proxy State Type Proxy address Port
api Active HTTP 172.40.0.10/32 80
1::1/128
api2 Inactive HTTP -- 80
(disabled)
# Display detailed information about all trusted API proxies.
<Sysname> display trusted-api-proxy
Trusted API proxy: api
Type: HTTP
State: Active
Proxy IPv4 address: 172.40.0.10/32
Proxy IPv6 address: 1::1/128
Port: 80
LB policy: api
LB limit-policy: lmitp
TCP parameter profile: tcp
HTTP parameter profile: p1
Connection limit: 10000
Rate limit:
Connections: 10000
SSL server policy: ssp
SSL client policy: scp
IAM trusted access controller: tac
API access mode: App-initiated
Trusted API proxy: api2
Type: HTTP
State: Inactive (disabled)
IPv4 address: --
IPv6 address: --
Port: 80
LB policy:
LB limit-policy:
Connection limit: --
Rate limit:
Connections: --
SSL server policy:
SSL client policy:
IAM trusted access controller: tac
API access mode: App-initiated
Table 3 Command output
Field | Description
---|---
Trusted API proxy | Name of the trusted API proxy.
State | State of the trusted API proxy: · Active—The trusted API proxy is available. · Inactive—The trusted API proxy is not available although the proxy is enabled. · Inactive (disabled)—The trusted API proxy is not available because it is disabled.
Type | Type of the trusted API proxy. Only HTTP is supported in the current software version.
Proxy IPv4 address | IPv4 address and mask length of the trusted API proxy.
Proxy IPv6 address | IPv6 address and prefix length of the trusted API proxy.
Port | Port number of the trusted API proxy.
LB policy | LB policy used by the trusted API proxy.
LB limit-policy | LB connection limit policy used by the trusted API proxy.
TCP parameter profile | TCP parameter profile used by the trusted API proxy. This field is displayed only when the TCP parameter profile is configured.
TCP parameter profile (client-side) | Client-side TCP parameter profile used by the trusted API proxy. This field is displayed only when the client-side TCP parameter profile is configured.
TCP parameter profile (server-side) | Server-side TCP parameter profile used by the trusted API proxy. This field is displayed only when the server-side TCP parameter profile is configured.
HTTP parameter profile | HTTP parameter profile used by the trusted API proxy. This field is displayed only when the HTTP parameter profile is configured.
DPI application profile | DPI application profile used by the trusted API proxy. This field is displayed only when a DPI application profile has been specified.
Connection limit | Maximum number of connections for the trusted API proxy.
Rate limit | Connection rate limit setting for the trusted API proxy.
Connections | Maximum connection rate for the trusted API proxy.
SSL server policy | Name of the SSL server policy. This field is displayed only for an HTTP trusted API proxy.
SSL client policy | Name of the SSL client policy. This field is displayed only for an HTTP trusted API proxy.
HTTP protection policy | HTTP protection policy used by the trusted API proxy.
IAM trusted access controller | Name of the IAM trusted access controller used by the trusted API proxy.
API access mode | API access mode: App-initiated or User-initiated.
display trusted-api-proxy statistics
Use display trusted-api-proxy statistics to display trusted API proxy statistics.
Syntax
display trusted-api-proxy statistics [ name trusted-proxy-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
name trusted-proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays statistics for all trusted API proxies.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted API proxy statistics for all member devices.
Examples
# Display statistics for trusted API proxy api.
<Sysname> display trusted-api-proxy statistics name api
Trusted API proxy: api
Total connections: 979
Active connections: 618
Max connections: 661
Recorded at 11:02:49 on Tue May 21 2019
Connections per second: 146
Max connections per second: 156
Recorded at 11:02:49 on Tue May 21 2019
Client input: 333332 bytes
Client output: 472054 bytes
Throughput: 4088 bps
Inbound throughput: 1214 bps
Outbound throughput: 2874 bps
Max throughput: 4368 bps
Recorded at 11:02:49 on Tue May 21 2019
Max inbound throughput: 1214 bps
Recorded at 11:02:49 on Tue May 21 2019
Max outbound throughput: 3154 bps
recorded at 11:02:49 on Tue May 21 2019
Received packets: 979
Sent packets: 0
Dropped packets: 0
Received requests: 0
Dropped requests: 0
Sent responses: 0
Dropped responses: 0
Authentication permitted requests: 0
Authentication denied requests: 0
Table 4 Command output
Field | Description
---|---
Trusted API proxy | Name of the trusted API proxy.
Client input | Traffic received from clients in bytes.
Client output | Traffic sent to clients in bytes.
Throughput | Total packet throughput in bps.
Inbound throughput | Total inbound packet throughput in bps.
Outbound throughput | Total outbound packet throughput in bps.
Max throughput | Maximum packet throughput in bps.
Max inbound throughput | Maximum inbound packet throughput in bps.
Max outbound throughput | Maximum outbound packet throughput in bps.
Received packets | Number of received packets.
Sent packets | Number of packets sent by the trusted API proxy to clients.
Dropped packets | Number of dropped packets.
Received requests | Number of received HTTP requests. This field is displayed only for an HTTP trusted API proxy.
Dropped requests | Number of dropped HTTP requests. This field is displayed only for an HTTP trusted API proxy.
Sent responses | Number of sent HTTP responses. This field is displayed only for an HTTP trusted API proxy.
Dropped responses | Number of dropped HTTP responses. This field is displayed only for an HTTP trusted API proxy.
Authentication permitted requests | Number of requests that are permitted in authorization.
Authentication denied requests | Number of requests that are denied in authorization.
display trusted-app-proxy
Use display trusted-app-proxy to display trusted application proxy information.
Syntax
display trusted-app-proxy [ brief | name trusted-proxy-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
brief: Displays brief trusted application proxy information. If you do not specify this keyword, the command displays detailed trusted application proxy information.
name trusted-proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays information about all trusted application proxies.
Examples
# Display brief information about all trusted application proxies.
<Sysname> display trusted-app-proxy brief
Trusted App proxy State Type Proxy address Port
app Active HTTP 172.40.0.10/32 80
1::1/128
app2 Inactive HTTP -- 80
(disabled)
# Display detailed information about all trusted application proxies.
<Sysname> display trusted-app-proxy
Trusted application proxy: app
Type: HTTP
State: Active
Proxy IPv4 address: 172.40.0.10/32
Proxy IPv6 address: 1::1/128
Port: 80
LB policy: app
LB limit-policy: a
TCP parameter profile: tcp
HTTP parameter profile: p1
Connection limit: 10000
Rate limit:
Connections: 10000
SSL server policy: ssp
SSL client policy: scp
IAM trusted access controller: tac
Application URL level: 0
Trusted application proxy: app2
Type: HTTP
State: Inactive (disabled)
Proxy IPv4 address: --
Proxy IPv6 address: --
Port: 80
LB policy:
LB limit-policy:
Connection limit: --
Rate limit:
Connections: --
SSL server policy:
SSL client policy:
IAM trusted access controller: tac
Application URL level: 0
Table 5 Command output
Field | Description
---|---
Trusted application proxy | Name of the trusted application proxy.
State | State of the trusted application proxy: · Active—The trusted application proxy is available. · Inactive—The trusted application proxy is not available although the proxy is enabled. · Inactive (disabled)—The trusted application proxy is not available because it is disabled.
Type | Type of the trusted application proxy. Only HTTP is supported in the current software version.
Proxy IPv4 address | IPv4 address and mask length of the trusted application proxy.
Proxy IPv6 address | IPv6 address and prefix length of the trusted application proxy.
Port | Port number of the trusted application proxy.
LB policy | LB policy used by the trusted application proxy.
LB limit-policy | LB connection limit policy used by the trusted application proxy.
TCP parameter profile | TCP parameter profile used by the trusted application proxy. This field is displayed only when the TCP parameter profile is configured.
TCP parameter profile (client-side) | Client-side TCP parameter profile used by the trusted application proxy. This field is displayed only when the client-side TCP parameter profile is configured.
TCP parameter profile (server-side) | Server-side TCP parameter profile used by the trusted application proxy. This field is displayed only when the server-side TCP parameter profile is configured.
HTTP parameter profile | HTTP parameter profile used by the trusted application proxy. This field is displayed only when the HTTP parameter profile is configured.
DPI application profile | DPI application profile used by the trusted application proxy. This field is displayed only when a DPI application profile has been specified.
External authentication app-policy | External application authentication policy used by the trusted application proxy.
Connection limit | Maximum number of connections for the trusted application proxy.
Rate limit | Connection rate limit setting for the trusted application proxy.
Connections | Maximum connection rate for the trusted application proxy.
SSL server policy | Name of the SSL server policy. This field is displayed only for an HTTP trusted application proxy.
SSL client policy | Name of the SSL client policy. This field is displayed only for an HTTP trusted application proxy.
HTTP protection policy | HTTP protection policy used by the trusted application proxy. This field is displayed only when the HTTP protection policy is configured.
IAM trusted access controller | Name of the IAM trusted access controller used by the trusted application proxy.
Application URL level | URL resource path extraction scope for application authorization.
display trusted-app-proxy statistics
Use display trusted-app-proxy statistics to display trusted application proxy statistics.
Syntax
display trusted-app-proxy statistics [ name trusted-proxy-name ] [ slot slot-number ]
Views
Any view
Predefined user roles
network-admin
network-operator
context-admin
context-operator
Parameters
name trusted-proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command displays statistics for all trusted application proxies.
slot slot-number: Specifies an IRF member device by its member ID. If you do not specify a member device, this command displays trusted application proxy statistics for all member devices.
Examples
# Display statistics for trusted application proxy app.
<Sysname> display trusted-app-proxy statistics name app
Trusted application proxy: app
Total connections: 979
Active connections: 618
Max connections: 661
Recorded at 11:02:49 on Tue May 21 2019
Connections per second: 146
Max connections per second: 156
Recorded at 11:02:49 on Tue May 21 2019
Client input: 333332 bytes
Client output: 472054 bytes
Throughput: 4088 bps
Inbound throughput: 1214 bps
Outbound throughput: 2874 bps
Max throughput: 4368 bps
Recorded at 11:02:49 on Tue May 21 2019
Max inbound throughput: 1214 bps
Recorded at 11:02:49 on Tue May 21 2019
Max outbound throughput: 3154 bps
Recorded at 11:02:49 on Tue May 21 2019
Received packets: 979
Sent packets: 0
Dropped packets: 0
Received requests: 0
Authentication permitted requests: 0
Authentication denied requests: 0
Redirected requests for login: 4
Redirected requests for re-authentication: 0
Table 6 Command output
Field | Description
---|---
Trusted application proxy | Name of the trusted application proxy.
Client input | Traffic received from clients in bytes.
Client output | Traffic sent to clients in bytes.
Throughput | Total packet throughput in bps.
Inbound throughput | Inbound packet throughput in bps.
Outbound throughput | Outbound packet throughput in bps.
Max throughput | Maximum total packet throughput in bps.
Max inbound throughput | Maximum inbound packet throughput in bps.
Max outbound throughput | Maximum outbound packet throughput in bps.
Received packets | Number of received packets.
Sent packets | Number of packets sent by the trusted application proxy to clients.
Dropped packets | Number of dropped packets.
Received requests | Number of received HTTP requests. This field is displayed only for an HTTP trusted application proxy.
Dropped requests | Number of dropped HTTP requests. This field is displayed only for an HTTP trusted application proxy.
Sent responses | Number of sent HTTP responses. This field is displayed only for an HTTP trusted application proxy.
Dropped responses | Number of dropped HTTP responses. This field is displayed only for an HTTP trusted application proxy.
Authentication permitted requests | Number of requests that are permitted in authorization.
Authentication denied requests | Number of requests that are denied in authorization.
Redirected requests for login | Number of requests redirected to the login page.
Redirected requests for re-authentication | Number of requests redirected to the reauthentication page.
Related commands
reset trusted-app-proxy statistics
lb-limit-policy
Use lb-limit-policy to specify an LB connection limit policy for the trusted proxy.
Use undo lb-limit-policy to restore the default.
Syntax
lb-limit-policy policy-name
undo lb-limit-policy
Default
No LB connection limit policy is specified for a trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an LB connection limit policy by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Use this command to limit the number of connections for traffic matching a trusted proxy.
The LB connection limit policy takes effect only on newly created sessions. Existing sessions are not affected. For more information about LB connection limit policies, see server load balancing configuration in Load Balancing Configuration Guide.
Examples
# Specify LB connection limit policy llp for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] lb-limit-policy llp
Related commands
loadbalance limit-policy (Load Balancing Command Reference)
lb-policy
Use lb-policy to specify an LB policy for the trusted proxy.
Use undo lb-policy to restore the default.
Syntax
lb-policy policy-name
undo lb-policy
Default
No LB policy is specified for a trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an LB policy by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
This command enables the trusted proxy to perform load balancing for packets matching the specified LB policy.
You can specify only a general or HTTP LB policy for an HTTP trusted proxy.
For more information about LB policies, see server load balancing configuration in Load Balancing Configuration Guide.
Examples
# Specify LB policy lbp1 for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] lb-policy lbp1
Related commands
lb-policy (Load Balancing Command Reference)
local-service url
Use local-service url to specify the local service URL used to collaborate with the trusted access controller.
Use undo local-service url to restore the default.
Syntax
local-service url service-url
undo local-service url
Default
No local service URL is specified.
Views
IAM trusted access controller view
Predefined user roles
network-admin
context-admin
Parameters
service-url: Specifies a local service URL, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The local service URL is used to collaborate with the trusted access controller. The trusted access controller can notify the device of events such as user offline and user permission changes through the local service URL.
The local service URL must be in the format of protocol type://server IP address:port number.
· The protocol type is HTTP or HTTPS.
· The server IP address must be an IPv4 address.
You cannot specify the same local service URL for different trusted access controllers on a device.
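The format rules above, as an added example that is not code from the H3C command reference: it validates a local service URL against the stated format (protocol type://server IP address:port number, HTTP or HTTPS, IPv4 address only) and refuses a URL that another controller on the device already uses. Rejecting a path, query string or fragment after the port is an assumption; the reference states only the format.

```python
# Added example, not code from the H3C command reference: validates a local
# service URL against the documented format and enforces uniqueness across
# controllers. Rejecting anything after the port is an assumption.
from ipaddress import IPv4Address
from urllib.parse import urlsplit


def validate_local_service_url(url: str) -> str:
    """Return the URL in canonical form, or raise ValueError naming the violated rule."""
    if not 1 <= len(url) <= 255:
        raise ValueError("URL must be 1 to 255 characters")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()            # the string is case-insensitive
    if scheme not in ("http", "https"):
        raise ValueError("protocol type must be HTTP or HTTPS")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("URL must be protocol type://server IP address:port number only")
    try:
        host = IPv4Address(parts.hostname)   # rejects host names and IPv6 literals
    except ValueError:
        raise ValueError("server IP address must be an IPv4 address") from None
    try:
        port = parts.port                    # None if absent; ValueError if not 0-65535
    except ValueError:
        raise ValueError("port number must be a decimal number 0 to 65535") from None
    if port is None:
        raise ValueError("port number is required")
    return f"{scheme}://{host}:{port}"


def assign_local_service_url(controllers: dict, name: str, url: str) -> dict:
    """Bind a validated URL to controller `name`, refusing one another controller already uses."""
    canonical = validate_local_service_url(url)
    for other, other_url in controllers.items():
        if other != name and other_url == canonical:
            raise ValueError(f"local service URL already used by trusted access controller {other}")
    controllers[name] = canonical
    return controllers


if __name__ == "__main__":
    table = assign_local_service_url({}, "tac", "https://10.153.10.120:443")
    print(table)   # {'tac': 'https://10.153.10.120:443'}
```

Comparing the canonical form rather than the raw string is what makes the uniqueness check catch HTTPS://10.153.10.120:443 and https://10.153.10.120:443 as the same URL; a check on the raw string would let two controllers register what the device treats as one endpoint.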
Examples
# Configure local service URL https://10.153.10.120:443 for IAM trusted access controller tac.
<Sysname> system-view
[Sysname] trusted-access-controller tac type iam
[Sysname-tac-iam-tac] local-service url https://10.153.10.120:443
Related commands
display trusted-access controller
peer-service url
parameter
Use parameter to specify a parameter profile for the trusted proxy.
Use undo parameter to remove the parameter profile from the trusted proxy.
Syntax
parameter { http | tcp } profile-name [ client-side | server-side ]
undo parameter { http | tcp } [ client-side | server-side ]
Default
No parameter profile is specified for a trusted proxy.
Views
Trusted application proxy view
Trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
http: Specifies an HTTP parameter profile.
tcp: Specifies a TCP parameter profile.
profile-name: Specifies a parameter profile by its name, a case-insensitive string of 1 to 63 characters.
client-side: Specifies a client-side TCP parameter profile. This keyword is supported only by TCP parameter profiles.
server-side: Specifies a server-side TCP parameter profile. This keyword is supported only by TCP parameter profiles.
Usage guidelines
A parameter profile is used to analyze, process, and optimize traffic received by the trusted proxy. The trusted proxy uses the settings in the parameter profile to process matching traffic.
If you specify a client-side TCP parameter profile for the trusted proxy, the system optimizes and processes TCP connections between the client and the device. If you specify a server-side TCP parameter profile for the trusted proxy, the system optimizes and processes TCP connections between the device and the server.
If you specify neither the client-side nor the server-side keyword, the TCP parameter profile applies to both the client side and the server side. Only TCP parameter profiles can be configured separately for the client side and the server side.
For more information about parameter profiles, see server load balancing configuration in Load Balancing Configuration Guide.
Examples
# Specify TCP parameter profile pp for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] parameter tcp pp
Related commands
parameter-profile (Load Balancing Command Reference)
peer-service url
Use peer-service url to specify the peer service URL used for providing trusted access control services.
Use undo peer-service url to restore the default.
Syntax
peer-service url service-url
undo peer-service url
Default
No peer service URL is specified.
Views
IAM trusted access controller view
Predefined user roles
network-admin
context-admin
Parameters
service-url: Specifies a peer service URL, a case-insensitive string of 1 to 255 characters.
Usage guidelines
The device uses the peer service URL to perform registration and authorization with the trusted access controller.
The peer service URL must be in the format of protocol type://server IP address:port number.
· The protocol type is HTTP or HTTPS.
· The server IP address must be an IPv4 address.
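The following Python script is an added illustration of the URL rules stated for local-service url and peer-service url; it is not part of this command reference or of the device software. It parses a service URL, enforces the documented protocol type://server IP address:port number format (HTTP or HTTPS, an IPv4 server address, 1 to 255 characters), and reports local service URLs that several controllers on one device would share. The error messages, the rejection of any path or user information, and the lower-casing of the protocol for comparison are assumptions made here.

```python
import ipaddress
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed illustration of the service URL rules stated for local-service
# url and peer-service url: "protocol type://server IP address:port number",
# protocol HTTP or HTTPS, IPv4 server address, 1 to 255 characters, and no two
# controllers on one device sharing a local service URL. This is not the
# device's own parser; error wording and normalisation are assumptions.


class ServiceUrlError(ValueError):
    """A service URL that violates the documented format."""


def parse_service_url(url: str) -> Tuple[str, str, int]:
    """Return (scheme, ipv4, port) for a well-formed service URL, else raise."""
    if not 1 <= len(url) <= 255:
        raise ServiceUrlError("service URL must be 1 to 255 characters")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()          # the string is case-insensitive
    if scheme not in ("http", "https"):
        raise ServiceUrlError(f"protocol type must be HTTP or HTTPS, got {parts.scheme!r}")
    # The documented format has no path, query, fragment or user information.
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        raise ServiceUrlError("only 'protocol://IPv4:port' is permitted")
    try:
        host = ipaddress.IPv4Address(parts.hostname or "")
    except ipaddress.AddressValueError:
        raise ServiceUrlError(f"server address must be an IPv4 literal, got {parts.hostname!r}") from None
    try:
        port = parts.port                   # ValueError if not numeric or above 65535
    except ValueError:
        raise ServiceUrlError("port number is invalid") from None
    if port is None or not 1 <= port <= 65535:
        raise ServiceUrlError("port number must be 1 to 65535")
    return scheme, str(host), port


def is_valid_service_url(url: str) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        parse_service_url(url)
    except ServiceUrlError:
        return False
    return True


def find_duplicate_local_urls(controllers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each normalised local service URL used by more than one controller
    to the controller names that share it (the reference forbids this)."""
    by_url: Dict[Tuple[str, str, int], List[str]] = {}
    for name, url in controllers.items():
        by_url.setdefault(parse_service_url(url), []).append(name)
    return {f"{s}://{h}:{p}": names for (s, h, p), names in by_url.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample: two controllers given the same local service URL.
    sample = {
        "tac": "https://10.153.10.120:443",
        "tac2": "HTTPS://10.153.10.120:443",
        "tac3": "http://10.153.10.121:80",
    }
    print(find_duplicate_local_urls(sample))
    for candidate in ("ftp://10.1.1.1:21", "https://controller.example:443",
                      "https://[2001:db8::1]:443", "https://10.1.1.1"):
        print(candidate, "->", is_valid_service_url(candidate))
```

Running the script with the constructed sample reports tac and tac2 as sharing https://10.153.10.120:443 and rejects the hostname, IPv6, FTP and port-less candidates, which is exactly the set of mistakes the two usage guidelines rule out.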
Examples
# Configure peer service URL http://10.153.10.121:80 for IAM trusted access controller tac.
<Sysname> system-view
[Sysname] trusted-access controller tac type iam
[Sysname-tac-iam-tac] peer-service url http://10.153.10.121:80
port
Use port to configure the port number for the trusted proxy.
Use undo port to restore the default.
Syntax
port port-number
undo port
Default
The port number is 80 for a trusted proxy.
Views
Trusted application proxy view
Trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
port-number: Specifies a port number in the range of 1 to 65535.
Usage guidelines
Use this command to configure the port number used for providing trusted application proxy or trusted API proxy services.
If the trusted proxy uses an SSL policy, you must specify a non-default port number for it (a typical example is 443).
Examples
# Configure port 8080 for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] port 8080
protection-policy
Use protection-policy to specify an HTTP protection policy for the trusted proxy.
Use undo protection-policy to restore the default.
Syntax
protection-policy http policy-name
undo protection-policy http
Default
No protection policy is specified for a trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
http: Specifies an HTTP protection policy.
policy-name: Specifies a protection policy by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Use this command to protect URLs specified in an HTTP protection policy in order to prevent the application and API servers from being overwhelmed by a large number of forged requests.
For more information about HTTP protection policies, see server load balancing configuration in Load Balancing Configuration Guide.
Examples
# Specify HTTP protection policy p1 for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] protection-policy http p1
Related commands
display trusted-api-proxy
display trusted-app-proxy
loadbalance protection-policy (Load Balancing Command Reference)
proxy ip address
Use proxy ip address to configure the IP address for the trusted proxy.
Use undo proxy ip address to restore the default.
Syntax
proxy ip address ipv4-address
undo proxy ip address
Default
No IP address is configured for a trusted proxy.
Views
Trusted application proxy view
Trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
ipv4-address: Specifies an IPv4 address. The IPv4 address cannot be a loopback address, multicast address, broadcast address, or an address in the format of 0.X.X.X.
Usage guidelines
Use this command to configure the IPv4 address used for providing trusted application proxy or trusted API proxy services.
Examples
# Configure IPv4 address 1.1.1.1 for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] proxy ip address 1.1.1.1
proxy ipv6 address
Use proxy ipv6 address to configure the IPv6 address for the trusted proxy.
Use undo proxy ipv6 address to restore the default.
Syntax
proxy ipv6 address ipv6-address
undo proxy ipv6 address
Default
No IPv6 address is configured for a trusted proxy.
Views
Trusted application proxy view
Trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
ipv6-address: Specifies an IPv6 address. The IPv6 address cannot be a loopback address, multicast address, link-local address, or an all-zero address.
Usage guidelines
Use this command to configure the IPv6 address used for providing trusted application proxy or trusted API proxy services.
Examples
# Configure IPv6 address 1001::1 for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] proxy ipv6 address 1001::1
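The following Python script is an added illustration of the address and port constraints stated for proxy ip address, proxy ipv6 address and port; it is not the device's own validation code. It rejects the excluded IPv4 addresses (loopback, multicast, broadcast, 0.X.X.X) and IPv6 addresses (loopback, multicast, link-local, all-zero), checks the port range, and flags a proxy that has an SSL policy applied while still listening on the default port 80. The TrustedProxyConfig structure, the message wording, and the treatment of "broadcast address" as the limited broadcast 255.255.255.255 (no mask is configured with the address) are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed illustration of the constraints stated for proxy ip address,
# proxy ipv6 address and port. Not the device's own validation code; the
# broadcast check (limited broadcast only) and the wording are assumptions.


def check_proxy_ipv4(text: str) -> Optional[str]:
    """Return None if the address is acceptable, otherwise the reason.
    Excluded: loopback, multicast, broadcast, and 0.X.X.X."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return "not a valid IPv4 address"
    if addr.is_loopback:
        return "loopback address"
    if addr.is_multicast:
        return "multicast address"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast address"
    if int(addr) >> 24 == 0:        # first octet is zero
        return "address in 0.X.X.X"
    return None


def check_proxy_ipv6(text: str) -> Optional[str]:
    """Excluded: loopback, multicast, link-local, and the all-zero address."""
    try:
        addr = ipaddress.IPv6Address(text)
    except ipaddress.AddressValueError:
        return "not a valid IPv6 address"
    if addr.is_unspecified:
        return "all-zero address"
    if addr.is_loopback:
        return "loopback address"
    if addr.is_multicast:
        return "multicast address"
    if addr.is_link_local:
        return "link-local address"
    return None


@dataclass
class TrustedProxyConfig:
    """Subset of a trusted proxy's settings relevant to these checks (constructed)."""
    name: str
    port: int = 80                      # documented default
    ssl_policy: Optional[str] = None    # name of an SSL policy applied to the proxy, if any
    ipv4: Optional[str] = None
    ipv6: Optional[str] = None


def validate_proxy(cfg: TrustedProxyConfig) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems: List[str] = []
    if not 1 <= cfg.port <= 65535:
        problems.append(f"port {cfg.port} is outside 1 to 65535")
    elif cfg.ssl_policy and cfg.port == 80:
        problems.append(f"SSL policy {cfg.ssl_policy} is applied but the port is still the "
                        "default 80; use a non-default port such as 443")
    if cfg.ipv4 is not None:
        reason = check_proxy_ipv4(cfg.ipv4)
        if reason:
            problems.append(f"proxy ip address {cfg.ipv4}: {reason}")
    if cfg.ipv6 is not None:
        reason = check_proxy_ipv6(cfg.ipv6)
        if reason:
            problems.append(f"proxy ipv6 address {cfg.ipv6}: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample: app3 with an SSL policy but still on the default port.
    print(validate_proxy(TrustedProxyConfig("app3", ssl_policy="ssp", ipv4="1.1.1.1", ipv6="1001::1")))
    print(validate_proxy(TrustedProxyConfig("app3", port=443, ssl_policy="ssp", ipv4="1.1.1.1", ipv6="1001::1")))
```

The first call reports the default-port problem; the second, with port 443 and the addresses used in the examples above, returns an empty list.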
rate-limit connection
Use rate-limit connection to configure the maximum connection rate for the trusted proxy.
Use undo rate-limit connection to restore the default.
Syntax
rate-limit connection connection-rate
undo rate-limit connection
Default
The maximum connection rate is 0 (not limited) for the trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
connection-rate: Specifies the maximum connection rate in the range of 0 to 4294967295. The value 0 means the maximum connection rate is not limited for the trusted proxy.
Examples
# Configure the maximum connection rate as 10000 for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] rate-limit connection 10000
reset trusted-access permitted-record
Use reset trusted-access permitted-record to clear user authorization success records.
Syntax
reset trusted-access permitted-record { api-auth | app-auth } user user-name
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
api-auth: Specifies API authorization success records.
app-auth: Specifies application authorization success records.
user user-name: Specifies a user by username, a case-sensitive string of 1 to 63 characters.
Examples
# Clear application authorization success records for user test.
<Sysname> reset trusted-access permitted-record app-auth user test
Related commands
display trusted-access permitted-record
reset trusted-api-proxy statistics
Use reset trusted-api-proxy statistics to clear trusted API proxy statistics.
Syntax
reset trusted-api-proxy statistics [ trusted-proxy-name ]
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
trusted-proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command clears statistics for all trusted API proxies.
Examples
# Clear statistics for all trusted API proxies.
<Sysname> reset trusted-api-proxy statistics
Related commands
display trusted-api-proxy statistics
reset trusted-app-proxy statistics
Use reset trusted-app-proxy statistics to clear trusted application proxy statistics.
Syntax
reset trusted-app-proxy statistics [ trusted-proxy-name ]
Views
User view
Predefined user roles
network-admin
context-admin
Parameters
trusted-proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters. If you do not specify this option, the command clears statistics for all trusted application proxies.
Examples
# Clear statistics for all trusted application proxies.
<Sysname> reset trusted-app-proxy statistics
Related commands
display trusted-app-proxy statistics
service enable (trusted access controller view)
Use service enable to enable the trusted access controller.
Use undo service enable to disable the trusted access controller.
Syntax
service enable
undo service enable
Default
The trusted access controller is disabled.
Views
IAM trusted access controller view
Predefined user roles
network-admin
context-admin
Examples
# Enable trusted access controller tac.
<Sysname> system-view
[Sysname] trusted-access controller tac type iam
[Sysname-tac-iam-tac] service enable
service enable (trusted app proxy/trusted api proxy view)
Use service enable to enable the trusted proxy.
Use undo service enable to disable the trusted proxy.
Syntax
service enable
undo service enable
Default
The trusted proxy is disabled.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Examples
# Enable HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] service enable
ssl-client-policy (trusted access controller view)
Use ssl-client-policy to specify an SSL client policy used for establishing an SSL connection to the trusted access controller.
Use undo ssl-client-policy to restore the default.
Syntax
ssl-client-policy policy-name
undo ssl-client-policy
Default
No SSL client policy is specified for establishing an SSL connection to the trusted access controller.
Views
IAM trusted access controller view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command is required if the peer service URL uses HTTPS. When the device acts as an SSL client, you can specify an SSL client policy to encrypt registration and authorization traffic sent to the trusted access controller.
For a modification of the SSL client policy for a trusted access controller to take effect, you must delete and then specify the policy again for the trusted access controller. For more information about SSL policies, see SSL configuration in Security Configuration Guide.
The device does not support SSL client policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.
Examples
# Specify SSL client policy scp for IAM trusted access controller tac.
<Sysname> system-view
[Sysname] trusted-access controller tac type iam
[Sysname-tac-iam-tac] ssl-client-policy scp
Related commands
peer-service url
ssl client-policy (Security Command Reference)
ssl-client-policy (trusted app proxy/trusted api proxy view)
Use ssl-client-policy to specify an SSL client policy for the trusted proxy to encrypt the traffic exchanged with the SSL server.
Use undo ssl-client-policy to restore the default.
Syntax
ssl-client-policy policy-name
undo ssl-client-policy policy-name
Default
No SSL client policy is specified for a trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
After modifying the SSL client policy for a trusted proxy, you must disable and then enable the trusted proxy for the modification to take effect. To disable the trusted proxy, use the undo service enable command in trusted proxy view. To enable the trusted proxy, use the service enable command in trusted proxy view.
The device does not support SSL client policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.
Examples
# Specify SSL client policy scp for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] ssl-client-policy scp
Related commands
ssl client-policy (Security Command Reference)
ssl-server-policy (trusted access controller view)
Use ssl-server-policy to specify an SSL server policy used for establishing an SSL connection to the trusted access controller.
Use undo ssl-server-policy to restore the default.
Syntax
ssl-server-policy policy-name
undo ssl-server-policy
Default
No SSL server policy is specified for establishing an SSL connection to the trusted access controller.
Views
IAM trusted access controller view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
This command is required if the local service URL uses HTTPS. Use this command to encrypt information such as user offline and user permission change notifications sent by the trusted access controller.
For a modification of the SSL server policy for a trusted access controller to take effect, you must delete and then specify the policy again for the trusted access controller. For more information about SSL policies, see SSL configuration in Security Configuration Guide.
The device does not support SSL server policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.
Examples
# Specify SSL server policy ssp for IAM trusted access controller tac.
<Sysname> system-view
[Sysname] trusted-access controller tac type iam
[Sysname-tac-iam-tac] ssl-server-policy ssp
Related commands
local-service url
ssl server-policy (Security Command Reference)
ssl-server-policy (trusted app proxy/trusted api proxy view)
Use ssl-server-policy to specify an SSL server policy for the trusted proxy to encrypt the traffic exchanged with the SSL client.
Use undo ssl-server-policy to restore the default.
Syntax
ssl-server-policy policy-name
undo ssl-server-policy
Default
No SSL server policy is specified for a trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
policy-name: Specifies an SSL server policy by its name, a case-insensitive string of 1 to 31 characters.
Usage guidelines
After modifying the SSL server policy for a trusted proxy, you must disable and then enable the trusted proxy for the modification to take effect. To disable the trusted proxy, use the undo service enable command in trusted proxy view. To enable the trusted proxy, use the service enable command in trusted proxy view.
The device does not support SSL server policies using the exp_rsa_des_cbc_sha, exp_rsa_rc2_md5, exp_rsa_rc4_md5, or rsa_des_cbc_sha encryption suite.
Examples
# Specify SSL server policy ssp for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] ssl-server-policy ssp
Related commands
ssl server-policy (Security Command Reference)
trusted-access-controller (trusted app proxy/trusted api proxy view)
Use trusted-access-controller to specify a trusted access controller for the trusted proxy.
Use undo trusted-access-controller to restore the default.
Syntax
trusted-access-controller iam controller-name
undo trusted-access-controller
Default
No trusted access controller is specified for a trusted proxy.
Views
HTTP trusted application proxy view
HTTP trusted API proxy view
Predefined user roles
network-admin
context-admin
Parameters
iam: Specifies an IAM trusted access controller.
controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
Use this command to enable a trusted application proxy or trusted API proxy to use a trusted access controller for implementing access control on traffic accessing the trusted proxy.
Examples
# Specify IAM trusted access controller tac for HTTP trusted application proxy app3.
<Sysname> system-view
[Sysname] trusted-app-proxy app3 type http
[Sysname-tap-http-app3] trusted-access-controller iam tac
Related commands
display trusted-api-proxy
display trusted-app-proxy
trusted-access controller
trusted-access controller (system view)
Use trusted-access controller to create a trusted access controller and enter trusted access controller view, or enter the view of an existing trusted access controller.
Use undo trusted-access controller to delete the specified trusted access controller.
Syntax
trusted-access controller controller-name type iam
undo trusted-access controller controller-name
Default
No trusted access controllers exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
controller-name: Specifies a trusted access controller by its name, a case-insensitive string of 1 to 63 characters.
type: Specifies the trusted access controller type. The controller type is not required when you enter the view of an existing trusted access controller. To specify the controller type, make sure it is the same as the one you specified upon creating the controller.
iam: Specifies the trusted access controller type as IAM.
Usage guidelines
This command allows the device to send user requests to the IAM trusted access controller for authentication and authorization. For users that have passed the authentication, the IAM trusted access controller validates user permissions to the requested resources.
Examples
# Create IAM trusted access controller tac and enter its view.
<Sysname> system-view
[Sysname] trusted-access controller tac type iam
[Sysname-tac-iam-tac]
trusted-api-proxy
Use trusted-api-proxy to create a trusted API proxy and enter trusted API proxy view, or enter the view of an existing trusted API proxy.
Use undo trusted-api-proxy to delete the specified trusted API proxy.
Syntax
trusted-api-proxy proxy-name type http
undo trusted-api-proxy proxy-name
Default
No trusted API proxies exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
proxy-name: Specifies a trusted API proxy by its name, a case-insensitive string of 1 to 63 characters.
type http: Specifies the trusted API proxy type. Only HTTP is supported in the current software version. To create a trusted API proxy, you must specify the proxy type. The proxy type is not required when you enter the view of an existing trusted API proxy. To specify the proxy type, make sure it is the same as the one you specified upon creating the trusted API proxy.
Usage guidelines
The trusted API proxy sends matching API requests to the trusted access controller for authentication and authorization. The trusted access controller will return the authentication and authorization results to the device to implement user access permission control.
Examples
# Create HTTP trusted API proxy p2 and enter its view.
<Sysname> system-view
[Sysname] trusted-api-proxy p2 type http
[Sysname-tip-http-p2]
Related commands
display trusted-api-proxy
trusted-app-proxy
Use trusted-app-proxy to create a trusted application proxy and enter trusted application proxy view, or enter the view of an existing trusted application proxy.
Use undo trusted-app-proxy to delete the specified trusted application proxy.
Syntax
trusted-app-proxy proxy-name type http
undo trusted-app-proxy proxy-name
Default
No trusted application proxies exist.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
proxy-name: Specifies a trusted application proxy by its name, a case-insensitive string of 1 to 63 characters.
type http: Specifies the trusted application proxy type. Only HTTP is supported in the current software version. To create a trusted application proxy, you must specify the proxy type. The proxy type is not required when you enter the view of an existing trusted application proxy. To specify the proxy type, make sure it is the same as the one you specified upon creating the trusted application proxy.
Usage guidelines
The trusted application proxy sends matching application requests to the trusted access controller for authentication and authorization. The trusted access controller will return the authentication and authorization results to the device to implement user access permission control.
Examples
# Create HTTP trusted application proxy p1 and enter its view.
<Sysname> system-view
[Sysname] trusted-app-proxy p1 type http
[Sysname-tap-http-p1]
Related commands
display trusted-app-proxy