|Oracle® Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform
11g Release 1 (11.1.1)
Part Number E10031-02
access control item (ACI)
An attribute that determines who has what type of access to what directory data. It contains a set of rules for structural access items, which pertain to entries, and content access items, which pertain to attributes. Access to both structural and content access items may be granted to one or more users or groups.
access control list (ACL)
The group of access directives that you define. The directives grant levels of access to specific data for specific clients, or groups of clients, or both.
access control policy point
An entry that contains security directives that apply downward to all entries at lower positions in the directory information tree (DIT).
A subtree on a directory server whose entries are under the control (schema, ACL, and collective attributes) of a single administrative authority.
advanced symmetric replication (ASR)
An agent transforms data from one of the formats supported by Oracle Directory Integration Platform into a format supported by the connected directory.
The process by which the directory authenticates a user without requiring a user name and password combination. Each anonymous user then exercises the privileges specified for anonymous users.
application program interface (API)
Programs to access the services of a specified application. For example, LDAP-enabled clients access directory information through programmatic calls available in the LDAP API.
An item of information that describes some aspect of an entry. An entry comprises a set of attributes, each of which belongs to an object class. Moreover, each attribute has both a type, which describes the kind of information in the attribute, and a value, which contains the actual data.
attribute configuration file
In an Oracle Directory Integration Platform environment, a file that specifies attributes in a connected directory.
An Oracle Internet Directory feature that ensures that no two specified attributes have the same value. It enables applications synchronizing with the enterprise directory to use attributes as unique keys.
The particular occurrence of information appearing in that entry. For example, the value for the
jobTitle attribute could be
The process of verifying the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.
Permission given to a user, program, or process to access an object or set of objects.
In an Oracle Directory Integration Platform environment, the directory that acts as the central repository. In an Oracle Directory Integration Platform environment, Oracle Internet Directory is the central directory.
An ITU x.509 v3 standard data structure that securely binds an identity to a public key. A certificate is created when an entity's public key is signed by a trusted identity: a certificate authority (CA). This certificate ensures that the entity's information is correct and that the public key actually belongs to that entity.
certificate authority (CA)
A trusted third party that certifies that other entities—users, databases, administrators, clients, servers—are who they say they are. The certificate authority verifies the user's identity and grants a certificate, signing it with the certificate authority's private key.
An ordered list of certificates containing an end-user or subscriber certificate and its certificate authority certificates.
In SSL, a set of authentication, encryption, and data integrity algorithms used for exchanging messages between network nodes. During an SSL handshake, the two nodes negotiate to see which cipher suite they will use when transmitting messages back and forth.
A collection of interconnected computers that are used as a single computing resource. Hardware clusters provide high availability and scalability.
The procedure to add a new DSA node to an existing replicating system by using the database copy procedure.
The ability to handle multiple requests simultaneously. Threads and processes are examples of concurrency mechanisms.
The total number of clients that have established a session with Oracle Internet Directory.
The number of operations that are being run on the directory from all of the concurrent clients. Note that this is not necessarily the same as the concurrent clients, because some of the clients may be keeping their sessions idle.
A specially formatted description of the destination for a network connection. A connect descriptor contains destination service and network route information.
The destination service is indicated by using its service name for the Oracle Database or its Oracle System Identifier (SID) for Oracle release 8.0 or version 7 databases. The network route provides, at a minimum, the location of the listener through use of a network address.
In an Oracle Directory Integration Platform environment, an information repository requiring full synchronization of data between Oracle Internet Directory and itself—for example, an Oracle human Resources database.
A connectivity solution that Oracle Directory Integration Platform uses for synchronization between Oracle Internet Directory and a connected directory. At a minimum, a connector consists of a directory integration profile containing all the configuration information required for synchronization.
A directory server that is the destination of replication updates. Sometimes called a slave.
Data Encryption Standard (DES)
A block cipher developed by IBM and the U.S. government in the 1970's as an official standard.
The guarantee that the contents of the message received were not altered from the contents of the original message sent.
The process of converting the contents of an encrypted message (cipher text) back into its original readable format (plain text).
default knowledge reference
A knowledge reference that is returned when the base object is not in the directory, and the operation is performed in a naming context not held locally by the server. A default knowledge reference typically sends the user to a server that has more knowledge about the directory partitioning arrangement.
default identity management realm
In a hosted environment, one enterprise—for example, an application service provider—makes Oracle components available to multiple enterprises and stores information for them. In such hosted environments, the enterprise performing the hosting is called the default identity management realm, and the enterprises that are hosted are each associated with their own identity management realm in the DIT.
default realm location
An attribute in the root Oracle Context that identifies the root of the default identity management realm.
In a hosted environment, one enterprise—for example, an application service provider—makes Oracle components available to multiple other enterprises and stores information for them. In such an environment, a global administrator performs activities that span the entire directory. Other administrators—called delegated administrators—may exercise roles in specific identity management realms, or for specific applications.
directory information base (DIB)
The complete set of all information held in the directory. The DIB consists of entries that are related to each other hierarchically in a directory information tree (DIT).
directory information tree (DIT)
A hierarchical, tree-like structure consisting of the DNs of the entries.
directory integration profile
In an Oracle Directory Integration Platform environment, an entry in Oracle Internet Directory that describes how Oracle Directory Integration Platform communicates with external systems and what is communicated.
directory integration server
In an Oracle Directory Integration Platform environment, the server that drives the synchronization of data between Oracle Internet Directory and a connected directory.
directory naming context
See naming context.
directory provisioning profile
A special kind of directory integration profile that describes the nature of provisioning-related notifications that Oracle Directory Integration Platform sends to the directory-enabled applications.
directory server instance
A discrete invocation of a directory server. Different invocations of a directory server, each started with the same or different configuration set entries and startup flags, are said to be different directory server instances.
directory-specific entry (DSE)
An entry specific to a directory server. Different directory servers may hold the same DIT name, but have different contents—that is, the contents can be specific to the directory holding it. A DSE is an entry with contents specific to the directory server holding it.
directory synchronization profile
A special kind of directory integration profile that describes how synchronization is carried out between Oracle Internet Directory and an external system.
distinguished name (DN)
The unique name of a directory entry. It comprises all of the individual names of the parent entries back to the root.
DSA-specific entries. Different DSAs may hold the same DIT name, but have different contents. That is, the contents can be specific to the DSA holding it. A DSE is an entry with contents specific to the DSA holding it.
The process of disguising the contents of a message and rendering it unreadable (ciphertext) to anyone except for the intended recipient.
The building block of a directory, it contains information about an object of interest to directory users.
In an Oracle Directory Integration Platform environment, an agent that exports data out of Oracle Internet Directory.
export data file
In an Oracle Directory Integration Platform environment, the file that contains data exported by an export agent.
See export data file.
A directory integration agent that is independent of Oracle Directory Integration Platform. Oracle Directory Integration Platform does not provide scheduling, mapping, or error handling services for it. An external agent is typically used when a third party metadirectory solution is integrated with the Oracle Directory Integration Platform.
The process of failure recognition and recovery. In an Oracle Application Server Cold Failover Cluster (Infrastructure), an application running on one cluster node is transparently migrated to another cluster node. During this migration, clients accessing the service on the cluster see a momentary outage and may need to reconnect once the failover is complete.
Also called a point-to-point replication. A type of replication in which a supplier replicates directly to a consumer. That consumer can then replicate to one or more other consumers. The replication can be either full or partial.
A method of qualifying data, usually data that you are seeking. Filters are always expressed as DNs, for example:
In a hosted environment, one enterprise—for example, an application service provider—makes Oracle components available to multiple other enterprises and stores information for them. In such an environment, a global administrator performs activities that span the entire directory.
global unique identifier (GUID)
An identifier generated by the system and inserted into an entry when the entry is added to the directory. In a multimaster replicated environment, the GUID, not the DN, uniquely identifies an entry. The GUID of an entry cannot be modified by a user.
group search base
In the Oracle Internet Directory default DIT, the node in the identity management realm under which all the groups can be found.
One who is not an anonymous user, and, at the same time, does not have a specific user entry.
A number generated from a string of text with an algorithm. The hash value is substantially smaller than the text itself. Hash numbers are used for security and for faster access to data.
The process by which the complete security life cycle for network entities is managed in an organization. It typically refers to the management of an organization's application users, where steps in the security life cycle include account creation, suspension, privilege modification, and account deletion. The network entities managed can also include devices, processes, applications, or anything else that needs to interact in a networked environment. Entities managed by an identity management process can also include users outside of the organization, for example customers, trading partners, or Web services.
identity management realm
A collection of identities, all of which are governed by the same administrative policies. In an enterprise, all employees having access to the intranet may belong to one realm, while all external users who access the public applications of the enterprise may belong to another realm. An identity management realm is represented in the directory by a specific entry with a special object class associated with it.
identity management realm-specific Oracle Context
An Oracle Context contained in each identity management realm. It stores the following information:
User naming policy of the identity management realm—that is, how users are named and located
Mandatory authentication attributes
Location of groups in the identity management realm
Privilege assignments for the identity management realm—for example: who has privileges to add more users to the Realm.
Application specific data for that Realm including authorizations
In an Oracle Directory Integration Platform environment, an agent that imports data into Oracle Internet Directory.
import data file
In an Oracle Directory Integration Platform environment, the file containing the data imported by an import agent.
When an object class has been derived from another class, it also derives, or inherits, many of the characteristics of that other class. Similarly, an attribute subtype inherits the characteristics of its supertype.
The guarantee that the contents of the message received were not altered from the contents of the original message sent.
Internet Engineering Task Force (IETF)
The principal body engaged in the development of new Internet standard specifications. It is an international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.
Internet Message Access Protocol (IMAP)
A protocol allowing a client to access and manipulate electronic mail messages on a server. It permits manipulation of remote message folders, also called mailboxes, in a way that is functionally equivalent to local mailboxes.
A string of bits used widely in cryptography, allowing people to encrypt and decrypt data; a key can be used to perform other mathematical operations as well. Given a cipher, a key determines the mapping of the plaintext to the ciphertext.
The time a client has to wait for a given directory operation to complete. Latency can be defined as wasted time. In networking discussions, latency is defined as the travel time of a packet from source to destination.
Lightweight Directory Access Protocol (LDAP)
A standard, extensible directory access protocol. It is a common language that LDAP clients and servers use to communicate. The framework of design conventions supporting industry-standard directory products, such as the Oracle Internet Directory.
LDAP Data Interchange Format (LDIF)
The set of standards for formatting an input file for any of the LDAP command-line utilities.
In an Oracle Application Server Cold Failover Cluster (Infrastructure), one or more disk groups and pairs of host names and IP addresses. It is mapped to a physical host in the cluster. This physical host impersonates the host name and IP address of the logical host
A security attack characterized by the third-party, surreptitious interception of a message. The third-party, the man-in-the-middle, decrypts the message, re-encrypts it (with or without alteration of the original message), and retransmits it to the originally-intended recipient—all without the knowledge of the legitimate sender and receiver. This type of security attack works only in the absence of authentication.
mapping rules file
In an Oracle Directory Integration Platform environment, the file that specifies mappings between Oracle Internet Directory attributes and those in a connected directory.
master definition site (MDS)
In replication, a master definition site is the Oracle Internet Directory database from which the administrator runs the configuration scripts.
In replication, a master site is any site other than the master definition site that participates in LDAP replication.
In a search or compare operation, determines equality between the attribute value sought and the attribute value stored. For example, matching rules associated with the
telephoneNumber attribute could cause "(650) 123-4567" to be matched with either "(650) 123-4567" or "6501234567" or both. When you create an attribute, you associate a matching rule with it.
A one-way hash function that produces a 128-bit hash, or message digest. If as little as a single bit value in the file is modified, the MD4 checksum for the file will change. Forgery of a file in a way that will cause MD4 to generate the same result as that for the original file is considered extremely difficult.
A directory solution that shares information between all enterprise directories, integrating them into one virtual directory. It centralizes administration, thereby reducing administrative costs. It synchronizes data among directories, thereby ensuring that it is consistent and up-to-date across the enterprise.
See shared server
Also called peer-to-peer or n-way replication, a type of replication that enables multiple sites, acting as equals, to manage groups of replicated data. In a multimaster replication environment, each node is both a supplier and a consumer node, and the entire directory is replicated on each node.
The attribute used to compose the RDN of a new user entry created through Oracle Delegated Administration Services or Oracle Internet Directory Java APIs. The default value for this is
A subtree that resides entirely on one server. It must be contiguous, that is, it must begin at an entry that serves as the top of the subtree, and extend downward to either leaf entries or knowledge references (also called referrals) to subordinate naming contexts. It can range in size from a single entry to the entire DIT.
net service name
A simple name for a service that resolves to a connect descriptor. Users initiate a connect request by passing a user name and password along with a net service name in a connect string for the service to which they wish to connect:
Depending on your needs, net service names can be stored in a variety of places, including:
Local configuration file,
tnsnames.ora, on each client
Oracle Names server
External naming service, such as NDS, NIS or CDS
The attribute used to uniquely identify a user in the entire directory. The default value for this is
uid. Applications use this to resolve a simple user name to the complete distinguished name. The user nickname attribute cannot have multiple values—that is, a given user cannot have multiple nicknames stored under the same attribute name.
A named group of attributes. When you want to assign attributes to an entry, you do so by assigning to that entry the object classes that hold those attributes.
All objects associated with the same object class share the same attributes.
OID Control Utility
A command-line tool for issuing run-server and stop-server commands. The commands are interpreted and executed by the OID Monitor process.
OID Database Password Utility
The utility used to change the password with which Oracle Internet Directory connects to an Oracle database.
The Oracle Internet Directory component that initiates, monitors, and terminates the Oracle directory server processes. It also controls the replication server if one is installed, and Oracle Directory Integration Platform.
A function that is easy to compute in one direction but quite difficult to reverse compute, that is, to compute in the opposite direction.
one-way hash function
A one-way function that takes a variable sized input and creates a fixed size output.
Oracle Call Interface (OCI)
An application programming interface (API) that enables you to create applications that use the native procedures or function calls of a third-generation language to access an Oracle database server and control all phases of SQL statement execution.
Oracle Delegated Administration Services
A set of individual, predefined services—called Oracle Delegated Administration Services units—for performing directory operations on behalf of a user. Oracle Internet Directory Self-Service Console makes it easier to develop and deploy administration solutions for both Oracle and third-party applications that use Oracle Internet Directory.
Oracle Directory Integration Platform
A component of Oracle Internet Directory. It is a framework developed to integrate applications around a central LDAP directory like Oracle Internet Directory.
Oracle Enterprise Manager Fusion Middleware Control
A separate Oracle product that combines a graphical console, agents, common services, and tools to provide an integrated and comprehensive systems management platform for managing Oracle products.
Oracle Identity Management
An infrastructure enabling deployments to manage centrally and securely all enterprise identities and their access to various applications in the enterprise.
Oracle Internet Directory
A general purpose directory service that enables retrieval of information about dispersed users and network resources. It combines Lightweight Directory Access Protocol (LDAP) Version 3 with the high performance, scalability, robustness, and availability of Oracle Database.
Oracle Net Services
The foundation of the Oracle family of networking products, allowing services and their client applications to reside on different computers and communicate. The main function of Oracle Net Services is to establish network sessions and transfer data between a client application and a server. Oracle Net Services is located on each computer in the network. Once a network session is established, Oracle Net Services acts as a data courier for the client and the server.
Oracle PKI certificate usages
Defines Oracle application types that a certificate supports.
Oracle Wallet Manager
A Java-based application that security administrators use to manage public-key security credentials on clients and servers.
Oracle Database Advanced Replication
A feature in the Oracle Database that enables database tables to be kept synchronized across two Oracle databases.
other information repository
In an Oracle Directory Integration Platform environment, in which Oracle Internet Directory serves as the central directory, any information repository except Oracle Internet Directory.
Also called multimaster replication or n-way replication. A type of replication that enables multiple sites, acting as equals, to manage groups of replicated data. In such a replication environment, each node is both a supplier and a consumer node, and the entire directory is replicated on each node.
A public-key encryption standard (PKCS). RSA Data Security, Inc. PKCS #12 is an industry standard for storing and transferring personal authentication credentials—typically in a format called a wallet.
Also called fan-out replication. A type of replication in which a supplier replicates directly to a consumer. That consumer can then replicate to one or more other consumers. The replication can be either full or partial.
In an Oracle Application Server Cold Failover Cluster (Infrastructure), the cluster node on which the application runs at any given time.
In public-key cryptography, this key is the secret key. It is primarily used for decryption, and it is also used for encryption with digital signatures.
An application or process that translates Oracle-specific provisioning events to external or third-party application-specific events.
Applications in an environment where user and group information is centralized in Oracle Internet Directory. These applications are typically interested in changes to that information in Oracle Internet Directory.
A kind of user typically employed in an environment with a middle tier, such as a firewall. In this environment, the end user authenticates to the middle tier. The middle tier then logs into the directory on the end user's behalf. A proxy user has the privilege to switch identities and, once it has logged in to the directory, switches to the end user's identity. It then performs operations on the end user's behalf, using the authorization appropriate to that particular end user.
In public-key cryptography, this key is made public to all; it is primarily used for encryption, but it can be used for verifying signatures.
The process in which the sender of a message encrypts the message with the public key of the recipient. Upon delivery, the message is decrypted by the recipient using the recipient's private key.
public/private key pair
A mathematically related set of two numbers where one is called the private key and the other is called the public key. Public keys are typically made widely available, while private keys are available only to their owners. Data encrypted with a public key can only be decrypted with its associated private key and vice versa. Data encrypted with a public key cannot be decrypted with the same public key.
realm search base
An attribute in the root Oracle Context that identifies the entry in the DIT that contains all identity management realms. This attribute is used when mapping a simple realm name to the corresponding entry in the directory.
Information that a directory server provides to a client and which points to other servers the client must contact to find the information it is requesting.
See also knowledge reference.
A structured collection of data that stores data in tables consisting of one or more rows, each containing the same set of columns. Oracle makes it very easy to link the data in multiple tables. This is what makes Oracle a relational database management system, or RDBMS. It stores data in two or more tables, and enables you to define relationships among the tables. The link is based on one or more fields common to both tables.
An entry containing runtime information associated with invocations of Oracle directory servers, called a directory server instance. Registry entries are stored in the directory itself, and remain there until the corresponding directory server instance stops.
relative distinguished name (RDN)
The local, most granular-level entry name. It has no other qualifying entry names that would serve to uniquely address the entry. In the example,
cn=Smith,o=acme,c=US, the RDN is
remote master site (RMS)
In a replicated environment, any site, other than the master definition site (MDS), that participates in Oracle Database Advanced Replication.
A special directory entry that represents the replication relationship among the directory servers in a directory replication group (DRG).
root directory specific entry
An entry storing operational information about the directory. The information is stored in a number of attributes.
Root Oracle Context
In the Oracle Identity Management infrastructure, the Root Oracle Context is an entry in Oracle Internet Directory containing a pointer to the default identity management realm in the infrastructure. It also contains information on how to locate an identity management realm given a simple name of the realm.
The ability of a system to provide throughput in proportion to, and limited only by, available hardware resources.
In an Oracle Application Server Cold Failover Cluster (Infrastructure), the cluster node to which an application is moved during a failover.
Secure Hash Algorithm (SHA)
An algorithm that takes a message of less than 264 bits in length and produces a 160-bit message digest. The algorithm is slightly slower than MD5, but the larger message digest makes it more secure against brute-force collision and inversion attacks.
Secure Socket Layer (SSL)
An industry standard protocol designed by Netscape Communications Corporation for securing network connections. SSL provides authentication, encryption, and data integrity using public key infrastructure (PKI).
The time between the initiation of a request and the completion of the response to the request.
A key for symmetric-key cryptosystems that is used for the duration of one message or communication session.
A server that is configured to allow many user processes to share very few server processes, so the number of users that can be supported is increased. With shared server configuration, many user processes connect to a dispatcher. The dispatcher directs multiple incoming network session requests to a common queue. An idle shared server process from a shared pool of server processes picks up a request from the queue. This means a small pool of server processes can server a large amount of clients. Contrast with dedicated server.
The process by which the client identifies itself to the server by means of a DN and a password which are not encrypted when sent over the network. In the simple authentication option, the server verifies that the DN and password sent by the client match the DN and password stored in the directory.
Simple Authentication and Security Layer (SASL)
A method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating a security layer for subsequent protocol interactions. The command has a required argument identifying a SASL mechanism.
single key-pair wallet
smart knowledge reference
A knowledge reference that is returned when the knowledge reference entry is in the scope of the search. It points the user to the server that stores the requested information.
specific administrative area
Administrative areas control:
Access control administration
Collective attribute administration
A specific administrative area controls one of these aspects of administration. A specific administrative area is part of an autonomous administrative area.
An object class derived from another object class. The object class from which it is derived is called its superclass.
A type of entry containing information applicable to a group of entries in a subtree. The information can be of these types:
Access control policy points
Subentries are located immediately below the root of an administrative area.
A knowledge reference pointing downward in the DIT to a naming context that starts immediately below an entry.
A specific type of subentry containing schema information.
An attribute with one or more options, in contrast to that same attribute without the options. For example, a
cn) attribute with American English as an option is a subtype of the
cn) attribute without that option. Conversely, the
cn) attribute without an option is the supertype of the same attribute with an option.
A special directory administrator who typically has full access to directory information.
The object class from which another object class is derived. For example, the object class
person is the superclass of the object class
organizationalPerson. The latter, namely,
organizationalPerson, is a subclass of
person and inherits the attributes contained in
A knowledge reference pointing upward to a DSA that holds a naming context higher in the DIT than all the naming contexts held by the referencing DSA.
An attribute without options, in contrast to the same attribute with one or more options. For example, the
cn) attribute without an option is the supertype of the same attribute with an option. Conversely, a
cn) attribute with American English as an option is a subtype of the
cn) attribute without that option.
In replication, the server that holds the master copy of the naming context. It supplies updates from the master copy to the consumer server.
System Global Area (SGA)
A group of shared memory structures that contains data and control information for one Oracle Database instance. If multiple users are concurrently connected to the same instance, the data in the instance SGA is shared among the users. Consequently, the SGA is sometimes referred to as the shared global area. The combination of the background processes and memory buffers is called an Oracle instance.
system operational attribute
An attribute holding information that pertains to the operation of the directory itself. Some operational information is specified by the directory to control the server, for example, the timestamp for an entry. Other operational information, such as access information, is defined by administrators and is used by the directory program in its processing.
The number of requests processed by Oracle Internet Directory for each unit of time. This is typically represented as operations per second.
Transport Layer Security (TLS)
A protocol providing communications privacy over the Internet. The protocol enables client/server applications to communicate in a way that prevents eavesdropping, tampering, or message forgery.
A third-party identity that is qualified with a level of trust. The trust is used when an identity is being validated as the entity it claims to be. Typically, the certificate authorities you trust issue user certificates.
See trusted certificate.
The 16-bit encoding of Unicode.The Latin-1 characters are the first 256 code points in this standard.
A type of universal character set, a collection of 64K characters encoded in a 16-bit space. It encodes nearly every character in most existing character set standard, covering most written scripts used in the world. It is owned and defined by Unicode Inc. Unicode is canonical encoding which means its value can be passed to different locales. It does not guarantee a round-trip conversion between it and every Oracle character set without information loss.
user search base
In the Oracle Internet Directory default DIT, the node in the identity management realm under which all the users are placed.
UTC (Coordinated Universal Time)
The standard time common to every place in the world. Formerly, and widely called Greenwich Mean Time (GMT) and World Time, UTC nominally reflects the mean solar time along the Earth's prime meridian. UTC is indicated by a z at the end of the value, for example, 200011281010z.
A variable-width, 8-bit encoding of Unicode that uses sequences of 1, 2, 3, or 4 bytes for each character. Characters from 0-127 (the 7-bit ASCII characters) are encoded with one byte, characters from 128-2047 require two bytes, characters from 2048-65535 require three bytes, and characters beyond 65535 require four bytes. The Oracle character set name for this is AL32UTF8 (for the Unicode 3.1 standard).
virtual host name
In an Oracle Application Server Cold Failover Cluster (Infrastructure), the host name corresponding to this virtual IP address.
virtual IP address
In an Oracle Application Server Cold Failover Cluster (Infrastructure), each physical node has its own physical IP address and physical host name. To present a single system image to the outside world, the cluster uses a dynamic IP address that can be moved to any physical node in the cluster. This is called the virtual IP address.
An abstraction used to store and manage security credentials for an individual entity. It implements the storage and retrieval of credentials for use with various cryptographic services. A wallet resource locator (WRL) provides all the necessary information to locate the wallet.