Oracle® Fusion Middleware Administrator's Guide for Oracle Entitlements Server
11g Release 1 (11.1.1)

Part Number E14096-05

A Installation and Configuration Parameters

This Appendix lists the parameters and accepted values that may be defined for Oracle Entitlements Server services using jps-config.xml, the configuration file used by Java EE containers. It is located in the $DOMAIN_HOME/config/fmwconfig directory. This Appendix is comprised of the following sections:

A.1 Policy Distribution Configuration

The Policy Distribution Component is responsible for distributing policy objects and policies from the policy store to one or more Security Modules. It can distribute in a controlled-push mode, a controlled-pull mode and a non-controlled mode. Each mode entails different configurations.

A.1.1 Policy Distribution Component Server Configuration

Typically, configuration for the Policy Distribution Component (in a scenario when it runs within Oracle Entitlements Server) is associated with the Policy Store configuration in the jps-config.xml file to fetch policies and policy objects for distribution. Only in cases when data is pulled in a controlled manner (controlled-pull mode) is the Policy Distribution Component associated with the PDP Service configuration on the Security Module side. Table A-1 contains the configuration parameters.

Table A-1 Policy Distribution Server Configuration

Name Information

oracle.security.jps.pd.server.transactionalScope

Description: Defines the scope of the policy distribution as either to one Security Module or to all Security Modules. If distribution fails when it involves only one Security Module, it does not affect distributions to other Security Modules.

Optional

Accepted Values: All (default), One


A.1.2 Policy Distribution Component Client Configuration

The Policy Distribution Component client is responsible for making policies available to the Security Module. Thus, the Policy Distribution Client configuration is always associated with the PDP Service configuration portion of the jps-config.xml file on the Security Module side. Configuration is different depending on the mode of distribution and the environment in which the Security Module is running. The following sections contain descriptions of the applicable configuration parameters.

A.1.2.1 Policy Distribution Component Client Java Standard Edition Configuration (Controlled Push Mode)

Table A-2 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Standard Edition (JSE) environment and is configured to distribute data in the controlled-push mode.

Table A-2 Policy Distribution Client Configuration, JSE, Controlled Push Mode

Name Information

oracle.security.jps.runtime.pd.client.policyDistributionMode

Description: Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.

Mandatory

Accepted Value: controlled-push

oracle.security.jps.runtime.pd.client.sm_name

Description: Defines the name of the Security Module.

Mandatory

Accepted Value: Name of the Security Module

oracle.security.jps.runtime.pd.client.localpolicy.work_folder

Description: Defines the name of any directory in which local cache files are stored. This directory must have read and write privileges.

Optional

Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

oracle.security.jps.runtime.pd.client.incrementalDistribution

Description: Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.

Optional

Accepted Values:

  • false (policy distribution is flush for this Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

oracle.security.jps.runtime.pd.client.registrationRetryInterval

Description: When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful.

Optional

Accepted Value: time in seconds (default value is 5)

oracle.security.jps.runtime.pd.client.waitDistributionTime

Description: If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.

Optional

Accepted Value: time in seconds (default value is 60)

oracle.security.jps.runtime.pd.client.RegistrationServerURL

Description: Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts.

Mandatory

Accepted Value: URL

oracle.security.jps.runtime.pd.client.backupRegistrationServerURL

Description: Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable.

Optional (although if not configured Oracle Entitlements Server failover will not work)

Accepted Value: URL

oracle.security.jps.runtime.pd.client.DistributionServicePort

Description: Defines the port to which a remote Policy Distributor will push policy updates.

Mandatory

Accepted Value: port number

oracle.security.jps.pd.client.sslMode

Description: Defines whether communication between the Policy Distribution Component server and client will use the Secure Sockets Layer (SSL) protocol or not.

Mandatory

Accepted Values: none, two-way (default value)

oracle.security.jps.pd.client.ssl.identityKeyStoreFileName

Description: Defines the name of the Identity Key Store file in which client certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component.

Mandatory

Accepted Value: the name of the keystore file

oracle.security.jps.pd.client.ssl.trustKeyStoreFileName

Description: Defines the name of the Trust Key Store file where Certificate Authority (CA) certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component.

Mandatory

Accepted Value: the name of the trust key store file

oracle.security.jps.pd.client.ssl.identityKeyStoreKeyAlias

Description: Defines an Identity Key alias to identify the client certificate used for SSL communication between the Security Module and the Policy Distribution Component.

Optional (if only one alias exists in the identity keystore there is no need to specify this value)

Accepted Value: the identity key alias

oracle.security.jps.runtime.pd.client.SMinstanceType

Description: Defines the type of Security Module to which the Policy Distribution Component client is connecting.

Mandatory

Accepted Value: java (Other accepted values include wls, RMI and ws. Because this table covers the Java Security Module only, the value must be java.)
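The following audit script is an added example, not part of the Oracle documentation: it reads the PDP service instance of a jps-config.xml file and checks the Policy Distribution client properties against the Mandatory/Optional rules and accepted values of Table A-2 (JSE, controlled-push). The embedded XML fragment is constructed for illustration; the serviceInstance name "pdp.service", its provider attribute, the hostnames and the keystore file names are assumptions, not values from the page.

```python
import xml.etree.ElementTree as ET

PD = "oracle.security.jps.runtime.pd.client."
SSL = "oracle.security.jps.pd.client."

# Properties Table A-2 marks Mandatory for a JSE Security Module in controlled-push mode.
MANDATORY = (
    PD + "policyDistributionMode", PD + "sm_name", PD + "RegistrationServerURL",
    PD + "DistributionServicePort", PD + "SMinstanceType", SSL + "sslMode",
    SSL + "ssl.identityKeyStoreFileName", SSL + "ssl.trustKeyStoreFileName",
)
# Properties whose accepted value is a port number or a time in seconds.
INTEGER_VALUED = (PD + "DistributionServicePort", PD + "registrationRetryInterval",
                  PD + "waitDistributionTime")

# Constructed jps-config.xml fragment with deliberately weak settings (not from the page).
SAMPLE_XML = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="controlled-push"/>
      <property name="oracle.security.jps.runtime.pd.client.sm_name" value="OrderSM"/>
      <property name="oracle.security.jps.runtime.pd.client.SMinstanceType" value="java"/>
      <property name="oracle.security.jps.runtime.pd.client.RegistrationServerURL" value="https://oes-admin-1.example.com:7002/pd/"/>
      <property name="oracle.security.jps.runtime.pd.client.DistributionServicePort" value="9500"/>
      <property name="oracle.security.jps.runtime.pd.client.waitDistributionTime" value="0"/>
      <property name="oracle.security.jps.pd.client.sslMode" value="none"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Strip the default XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def load_properties(xml_text, instance_name):
    """Return {property name: value} for the named serviceInstance."""
    root = ET.fromstring(xml_text)
    for inst in root.iter():
        if _local(inst.tag) == "serviceInstance" and inst.get("name") == instance_name:
            return {p.get("name"): p.get("value") for p in inst if _local(p.tag) == "property"}
    raise ValueError(f"serviceInstance {instance_name!r} not found")


def audit_pd_client(props):
    """Return a list of (severity, message) findings derived from Table A-2."""
    findings = []
    for name in MANDATORY:
        if name not in props:
            findings.append(("ERROR", f"missing mandatory property {name}"))
    for name in INTEGER_VALUED:
        if name in props and not props[name].isdigit():
            findings.append(("ERROR", f"{name} must be a non-negative integer, got {props[name]!r}"))
    mode = props.get(PD + "policyDistributionMode")
    if mode not in (None, "controlled-push"):
        findings.append(("ERROR", f"policyDistributionMode must be controlled-push here, got {mode!r}"))
    sm_type = props.get(PD + "SMinstanceType")
    if sm_type not in (None, "java"):
        findings.append(("ERROR", f"SMinstanceType must be java for a JSE Security Module, got {sm_type!r}"))
    ssl_mode = props.get(SSL + "sslMode")
    if ssl_mode == "none":
        # The table's default is two-way; none leaves policy pushes unprotected.
        findings.append(("WARN", "sslMode=none: policy pushes to this Security Module are not protected by SSL"))
    elif ssl_mode not in (None, "two-way"):
        findings.append(("ERROR", f"sslMode must be none or two-way, got {ssl_mode!r}"))
    if PD + "backupRegistrationServerURL" not in props:
        findings.append(("WARN", "no backupRegistrationServerURL: registration failover will not work"))
    if props.get(PD + "waitDistributionTime") == "0":
        findings.append(("WARN", "waitDistributionTime=0: authorization requests are not held "
                                 "until the initial policy distribution completes"))
    return findings


def count_by_severity(findings):
    """Summarise findings as {'ERROR': n, 'WARN': m}."""
    return {sev: sum(1 for s, _ in findings if s == sev) for sev in ("ERROR", "WARN")}


if __name__ == "__main__":
    for severity, message in audit_pd_client(load_properties(SAMPLE_XML, "pdp.service")):
        print(f"{severity}: {message}")
```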


A.1.2.2 Policy Distribution Component Client Java Enterprise Edition Container Configuration (Controlled Push Mode)

Table A-3 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Enterprise Edition (JEE) environment and is configured to distribute data in the controlled-push mode.

Table A-3 Policy Distribution Client Configuration, JEE, Controlled Push Mode

Name Information

oracle.security.jps.runtime.pd.client.policyDistributionMode

Description: Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.

Mandatory

Accepted Value: controlled-push

oracle.security.jps.runtime.pd.client.sm_name

Description: Defines the name of the Security Module.

Mandatory

Accepted Value: Name of the Security Module

oracle.security.jps.runtime.pd.client.localpolicy.work_folder

Description: Defines the name of any directory in which local cache files are stored. This directory must have read and write privileges.

Optional

Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

oracle.security.jps.runtime.pd.client.incrementalDistribution

Description: Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.

Optional

Accepted Values:

  • false (policy distribution is flush for this Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

oracle.security.jps.runtime.pd.client.registrationRetryInterval

Description: When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful.

Optional

Accepted Value: time in seconds (default value is 5)

oracle.security.jps.runtime.pd.client.waitDistributionTime

Description: If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.

Optional

Accepted Value: time in seconds (default value is 60)

oracle.security.jps.runtime.pd.client.RegistrationServerURL

Description: Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts.

Mandatory

Accepted Value: URL

oracle.security.jps.runtime.pd.client.backupRegistrationServerURL

Description: Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable.

Optional (although if not configured Oracle Entitlements Server failover will not work)

Accepted Value: URL

oracle.security.jps.runtime.pd.client.SMinstanceType

Description: Defines the type of Security Module to which the Policy Distribution Component client is connecting.

Mandatory

Accepted Values:

  • was

  • wls

oracle.security.jps.runtime.pd.client.DistributionServiceURL

Description: Defines the URL to which the remote Policy Distributor will push policy updates.

Mandatory

Accepted Values: URL


A.1.2.3 Policy Distribution Client Configuration (Controlled Pull Mode)

Table A-4 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the controlled-pull mode.

Table A-4 Policy Distribution Client Configuration, Controlled Pull Mode

Name Information

oracle.security.jps.runtime.pd.client.policyDistributionMode

Description: Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.

Mandatory

Accepted Value: controlled-pull

oracle.security.jps.runtime.pd.client.sm_name

Description: Defines the name of the Security Module.

Mandatory

Accepted Value: the name of the Security Module

oracle.security.jps.runtime.pd.client.localpolicy.work_folder

Description: Defines the name of any directory in which local cache files are stored. This directory must have read and write privileges.

Optional

Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

oracle.security.jps.runtime.pd.client.incrementalDistribution

Description: Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.

Optional

Accepted Values:

  • false (policy distribution is flush for the Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

oracle.security.jps.runtime.pd.client.waitDistributionTime

Description: If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.

Optional

Accepted Value: time in seconds (default value is 60)

oracle.security.jps.runtime.pd.client.PollingTimerEnabled

Description: Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling in environments where policies are not expected to be modified.

Optional

Accepted Values:

  • false

  • true (default value)

oracle.security.jps.runtime.pd.client.PollingTimerInterval

Description: Defines the interval of time in which the Policy Distribution Component will check for policy data changes.

Optional

Accepted Value: time in seconds (default value of 600)

oracle.security.jps.ldap.root.name

Description: Defines the top (root) entry of the LDAP policy store directory information tree (DIT).

Mandatory

Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT)

oracle.security.jps.farm.name

Description: Defines the RDN format of the domain node in the LDAP policy store.

Mandatory

Accepted Value: name of the domain

jdbc.url

Description: Takes a URL that points to the database.

Mandatory (if using Java Database Connectivity API to connect to policy store)

Accepted Value: URL

jdbc.driver

Description: Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database.

Mandatory

Accepted Value: driver

datasource.jndi.name

Description: The JNDI name of the JDBC data source instance. The instance may correspond to a single source or multi-source datasource. Valid in only JEE applications. Applies only to database stores.

Mandatory

Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.

bootstrap.security.principal.key

Description: The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store.

Mandatory

Accepted Value: CSF credential key

bootstrap.security.principal.map

Description: The map for the password credentials to access the policy store. Credentials are stored in the CSF store.

Mandatory

Accepted Value: name of the CSF credential map


A.1.2.4 Policy Distribution Client Configuration (Non-controlled Mode)

Table A-5 compiles the parameters for Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the non-controlled mode.

Table A-5 Policy Distribution Client Configuration, Non-controlled Mode

Name Information

oracle.security.jps.runtime.pd.client.policyDistributionMode

Description: Specifies the mode of policy distribution. Non-controlled distribution is when the Security Module periodically retrieves policy data from a policy store (or from a component that serves as an intermediary between the two).

Optional

Accepted Value: non-controlled (default value)


A.2 Security Module Configuration

This section covers the configurations for the various types of Security Modules and their proxy clients.

A.2.1 Java Security Module

Table A-6 compiles the parameters to configure the Java Security Module embedded in either a JSE or a JEE container.

Table A-6 Java Security Module Configuration Parameters

Name Information

oracle.security.jps.policystore.rolemember.cache.type

Description: Defines the role member cache type. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values:

  • SOFTHASH (cleaning of a cache of this type relies on the garbage collector when there is a memory crunch)

  • WEAK (behavior of a cache of this type is similar to a cache of type SOFT but the garbage collector cleans it more frequently)

  • STATIC (default value; cache objects are statically cached and can be cleaned explicitly only according to the applied cache strategy, such as FIFO; the garbage collector does not clean a cache of this type)

oracle.security.jps.policystore.rolemember.cache.strategy

Description: Defines the type of strategy used in the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values:

  • NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small)

  • FIFO (default value; the cache implements the first-in-first-out strategy)

oracle.security.jps.policystore.rolemember.cache.size

Description: Defines the number of roles kept in the role member cache. Valid in J2EE and J2SE application. Applies to LDAP and database stores.

Optional

Accepted Value: number (default value is 1000)

oracle.security.jps.policystore.rolemember.cache.warmup.enable

Description: Controls the way the Application Role membership cache is created. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values:

  • true (the cache is created at server startup; use when the number of users and groups is significantly higher than the number of Application Roles)

  • false (default value; the cache is created on demand - lazy loading; use when the number of Application Roles is very high)

oracle.security.jps.policystore.policy.lazy.load.enable

Description: Enables or disables the policy lazy load. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values:

  • false

  • true (default value)

oracle.security.jps.policystore.policy.cache.strategy

Description: Defines the type of strategy used in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values:

  • NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.)

  • PERMISSION_FIFO (default value; the cache implements the first-in-first-out strategy)

oracle.security.jps.policystore.policy.cache.size

Description: Defines the number of permissions kept in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Value: number (default value is 1000)

oracle.security.jps.policystore.policy.cache.updateable

Description: Defines whether the policy cache is incrementally updated for management operations on policy data.

Optional

Accepted Values:

  • false

  • true (default value)

oracle.security.jps.policystore.refresh.enable

Description: Enables or disables the policy store refresh. If this property is set, oracle.security.jps.ldap.cache.enable cannot be set. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values:

  • false

  • true (default value)

oracle.security.jps.policystore.refresh.purge.timeout

Description: Defines the time in milliseconds after which the policy store cache is purged. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Value: time in milliseconds; default value is 43200000 which equals 12 hours

oracle.security.jps.ldap.policystore.refresh.purge.interval

Description: Defines the interval of time in which the policy store is polled for changes. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Value: time in milliseconds; default value is 600000 which equals 10 minutes

oracle.security.jps.pdp.missingAppPolicyQueryTTL

Description: Defines the interval of time during which repeated queries for a nonexistent Application (ApplicationPolicy) object are avoided.

Optional

Accepted Value: time to live in milliseconds (default value is 60000)

oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled

Description: Specifies whether the authorization cache should be enabled. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Values:

  • false

  • true (default value)

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity

Description: Defines the maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Value: number (default value is 500)

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage

Description: Defines the percentage of sessions to drop when the eviction capacity is reached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Value: number (default value is 10)

oracle.security.jps.pdp.AuthorizationDecisionCacheTTL

Description: Defines the number of seconds during which session data is cached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Value: time in seconds (default value is 60)

oracle.security.jps.pdp.anonymousrole.enable

Description: Specifies whether the anonymous role has to be added to the anonymous subject for policy matching.

Optional

Accepted Values:

  • false

  • true (default value)

oracle.security.jps.pdp.authenticatedrole.enable

Description: Specifies whether the authenticated role has to be added to the authenticated subject for policy matching.

Optional

Accepted Values:

  • false

  • true (default value)
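The authorization decision cache described by the three oracle.security.jps.pdp.AuthorizationDecisionCache* parameters above, modelled as an added example (not Oracle's implementation): it shows what the capacity, eviction percentage and TTL defaults do to cached decisions. The key format, FIFO eviction order and the injectable clock are assumptions for illustration.

```python
from collections import OrderedDict


class AuthorizationDecisionCache:
    """Models AuthorizationDecisionCacheEnabled, ...EvictionCapacity,
    ...EvictionPercentage and ...TTL from Table A-6 (assumed semantics)."""

    def __init__(self, clock, enabled=True, eviction_capacity=500,
                 eviction_percentage=10, ttl_seconds=60):
        if not 0 < eviction_percentage <= 100:
            raise ValueError("eviction percentage must be in 1..100")
        self.clock = clock                    # returns seconds; injected for testing
        self.enabled = enabled
        self.eviction_capacity = eviction_capacity
        self.eviction_percentage = eviction_percentage
        self.ttl_seconds = ttl_seconds
        self._entries = OrderedDict()         # key -> (decision, stored_at); insertion order
        self.evictions = 0

    @staticmethod
    def _key(subject, resource, action):
        # Assumed key shape; the real cache key format is not documented on the page.
        return (subject, resource, action)

    def lookup(self, subject, resource, action):
        """Return the cached decision, or None if absent, expired or caching is disabled."""
        if not self.enabled:
            return None
        key = self._key(subject, resource, action)
        entry = self._entries.get(key)
        if entry is None:
            return None
        decision, stored_at = entry
        if self.clock() - stored_at >= self.ttl_seconds:
            del self._entries[key]            # TTL elapsed: force a fresh PDP evaluation
            return None
        return decision

    def store(self, subject, resource, action, decision):
        """Cache a decision, dropping the oldest entries once capacity is reached."""
        if not self.enabled:
            return
        key = self._key(subject, resource, action)
        self._entries.pop(key, None)
        if len(self._entries) >= self.eviction_capacity:
            # Capacity reached: drop eviction_percentage of capacity, oldest first.
            drop = max(1, self.eviction_capacity * self.eviction_percentage // 100)
            for _ in range(drop):
                self._entries.popitem(last=False)
                self.evictions += 1
        self._entries[key] = (decision, self.clock())

    def __len__(self):
        return len(self._entries)


def fill_to_capacity_then_overflow(cache):
    """Insert 501 distinct sessions into a default-sized cache and return its size."""
    for i in range(cache.eviction_capacity + 1):
        cache.store(f"user{i}", "/orders", "view", "PERMIT")
    return len(cache)
```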


A.2.2 Web Services Security Module

Table A-7 compiles the parameters to configure the Web Services Security Module embedded in either a JSE or a JEE container.

Table A-7 Web Services Security Module Configuration Parameters

Name Information

oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber

Description: Defines the port on which the Web Services Security Module listens.

Mandatory

Accepted Value: port number

oracle.security.jps.pdp.wssm.WSServiceRegistryHost

Description: Defines the name of the server on which the Web Services Security Module is running.

Optional

Accepted Value: server name (default value is localhost)

oracle.security.jps.pdp.wssm.Protocol

Description: Defines the transport protocol used between the Policy Distribution Component client and server.

Optional

Accepted Values:

  • https

  • http (default value)

oracle.security.jps.pdp.sm.IdentityMaxCacheSize

Description: Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed.

Optional

Accepted Value: number

oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage

Description: Specifies the percentage of identities that must be evicted when the cache has reached its maximum size.

Optional

Accepted Value: number indicating percentage

oracle.security.jps.pdp.sm.IdentityCachedEntryTTL

Description: Specifies time-to-live of an identity cache record.

Optional

Accepted Value: time in seconds

oracle.security.jps.pdp.wssm.responseContext

Description: Specifies whether to merge data from many AppContext responses into a single AppContext response.

Optional

Accepted Values:

  • Merged

  • Unmerged (default value)

oracle.security.jps.pdp.wssm.ssl.identityKeyStoreFileName

Description: Defines the name of the Identity Key Store file where client certificates are stored for the Web Services Security Module. Used for SSL communications between the remote client and the Web Services Security Module.

Optional

Accepted Value: name of the Identity Key Store file

oracle.security.jps.pdp.wssm.ssl.trustKeyStoreFileName

Description: Defines the name of the Trust Key Store file in which CA certificates are stored. Used for SSL communications between the remote client and the Web Services Security Module.

Optional

Accepted Value: name of the Trust Key Store file

oracle.security.jps.pdp.wssm.ssl.identityKeyStoreKeyAlias

Description: Specifies the Identity Key alias used to identify the Web Services Security Module client certificate used for SSL communication between the Web Services Security Module and the remote client.

Optional

Accepted Value: Identity Key alias


A.2.3 RMI Security Module

Table A-8 compiles the parameters to configure the RMI Security Module embedded in either a JSE or a JEE container.

Note:

Currently this configuration is for a standalone deployment. We need to add the container-based configuration later.

Table A-8 RMI Security Module Configuration Parameters

Name Information

oracle.security.jps.pdp.rmism.RMIRegistryPortNumber

Description: Defines the port on which the RMI Security Module listens to the RMI server.

Mandatory

Accepted Value: port number.

oracle.security.jps.pdp.rmism.UseSSL

Description: Defines whether the SSL protocol is used for secure communication between the RMI Security Module and RMI server.

Optional

Accepted Values:

  • true

  • false (default)

oracle.security.jps.pdp.sm.IdentityMaxCacheSize

Description: Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed.

Optional

Accepted Value: number

oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage

Description: Specifies the percentage of identities that must be evicted when the cache has reached its maximum size.

Optional

Accepted Value: number representing percentage

oracle.security.jps.pdp.sm.IdentityCachedEntryTTL

Description: Specifies the time-to-live of an identity cache record.

Optional

Accepted Value: time in seconds


A.2.4 WebLogic Server Security Module

Table A-9 compiles the parameters to configure the WebLogic Server (WLS) Security Module embedded in a JEE container. These parameters are used only when the WLS Security Module is configured to be used as a PEP.

Table A-9 WebLogic Server Security Module Configuration Parameters

Name Information

oracle.security.jps.pdp.wlssm.UndefinedApplicationEffect

Description: Specifies the effect that the provider has to return if an application is not defined in the policy store.

Optional

Accepted Values:

  • permit

  • abstain

  • deny

oracle.security.jps.pdp.wlssm.NoApplicablePolicyEffect

Description: Specifies the effect that the provider has to return if no applicable policies have been found.

Optional

Accepted Values:

  • permit (represents an open system)

  • abstain

  • deny (represents a closed system)


A.3 PDP Proxy Configuration

This section contains information regarding configuration for the Security Module proxies.

A.3.1 Web Services Security Module Proxy Client

Table A-10 compiles the parameters to configure the Web Services Security Module proxy client.

Table A-10 Web Services Proxy Client Configuration Parameters

Name Information

oracle.security.jps.pdp.PDPTransport

Description: Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server.

Mandatory

Accepted Values: no default value; XACML is always available in the Web Services Security Module.

  • WS

  • RMI

oracle.security.jps.pdp.proxy.PDPAddress

Description: Specifies the host and port number of the Web Services Security Module. For example, http://dadvml0134:9015

Optional

Accepted Value: a comma separated list of URIs (if more than one address is specified, the first is considered the primary and the rest are backups)

oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs

Description: Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding.

Optional

Accepted Value: time in milliseconds (default value is 10000)

oracle.security.jps.pdp.proxyFailureRetryCount

Description: Specifies the number of attempts to make before attempting the alternate failover server.

Optional

Accepted Value: number (default value is 3)

oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs

Description: Specifies the interval of time after which a failed primary server is tried again for failover.

Optional

Accepted Value: time in milliseconds (default value is 180000)

oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs

Description: Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed.

Optional

Accepted Value: time in seconds (default value is 60)

oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreFileName

Description: Defines the name of the Identity Key Store file where client certificates for the Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module.

Optional

Accepted Value: name of the Identity Key Store file

oracle.security.jps.pdp.proxy.wssm.ssl.trustKeyStoreFileName

Description: Defines the name of the Trust Key Store file where CA certificates for Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module.

Optional

Accepted Value: the name of the Trust Key Store file.

oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreKeyAlias

Description: Specifies the alias name of the Web Services client certificate. Used for SSL communication between a client and the Web Services Security Module.

Optional

Accepted Value: alias of the identity key store (if only one alias exists in the identity key store, no need to specify this value)

oracle.security.jps.pdp.proxy.wssm.protocol

Description: Defines the transport protocol used between the Policy Distribution Component client and server.

Optional

Accepted Values:

  • https

  • http (default value)


A.3.2 RMI Security Module Proxy Client

Table A-11 compiles the parameters to configure the RMI Security Module Proxy Client.

Table A-11 PDP RMI Proxy Client Configuration Parameters

Name Information

oracle.security.jps.pdp.PDPTransport

Description: Specifies the underlying protocol to be used by the Multi-protocol Security Module to communicate with Oracle Entitlements Server.

Mandatory

Accepted Values: no default value; XACML is always available in the RMI Security Module.

  • WS

  • RMI

oracle.security.jps.pdp.proxy.PDPAddress

Description: Specifies the host and port number of the RMI Security Module. For example, rmi://localhost:9400

Mandatory

Accepted Value: a comma-separated list of URIs (if more than one address is specified, the first is considered the primary and the rest are backups)

oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs

Description: Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding.

Optional

Accepted Value: time in milliseconds (default value is 10000)

oracle.security.jps.pdp.proxyFailureRetryCount

Description: Specifies the number of failed attempts against the current server before the proxy switches to the alternate (failover) server.

Optional

Accepted Value: number (default value is 3)

oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs

Description: Specifies the interval of time after which a failed primary server is retried, so that the proxy can fail back to it.

Optional

Accepted Value: time in milliseconds (default value is 180000)

oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs

Description: Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed.

Optional

Accepted Value: time in seconds (default value is 60)


A.4 Policy Store Service Configuration

Table A-12 compiles the configuration parameters for the Policy Store Service.

Table A-12 Policy Store Service Configuration Parameters

Name Information

ldap.url

Description: Defines the URL of the LDAP policy store. Valid in JEE and JSE applications and only applies to LDAP stores.

Mandatory

Accepted Value: URI of the LDAP policy store in the format ldap://host:port.

max.search.filter.length

Description: Defines the maximum length of a search filter.

Mandatory

Accepted Value: integer defining the maximum length of a search filter; for example, 1024

oracle.security.jps.ldap.root.name

Description: Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: root name of jps context; for example, cn=jpsroot.

oracle.security.jps.farm.name

Description: Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: farm name of the domain; for example, cn=base_domain.

oracle.security.jps.policystore.resourcetypeenforcementmode

Description: Controls whether an exception is thrown when any of the following checks fail:

  • If two resource types share the same permission class, that class must be either ResourcePermission or a subclass of AbstractTypedPermission; otherwise the second resource type cannot be created.

  • All permissions must have a resource type defined, and the permission class of the resource matcher must match the permission being granted.

Valid in JEE and JSE applications. Applies to LDAP and database stores.

Optional

Accepted Values

  • strict (when any of the above checks fail, the system throws an exception and the operation is aborted)

  • lenient (default value; when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged)

bootstrap.security.principal.key

Description: Defines the key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: the key name of the credential; for example, oes_sm_key. The out-of-the-box value is bootstrap.

bootstrap.security.principal.map

Description: Defines the map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: map name of the credential; for example, oes_sm_map. The default value is BOOTSTRAP_JPS.

jdbc.driver

Description: Defines the name of the JDBC driver.

Mandatory

Accepted Value: name of the JDBC driver.

datasource.jndi.name

Description: The JNDI name of the JDBC data source instance. The instance may correspond to a single-source or multi-source data source. Valid only in JEE applications. Applies only to database stores.

Mandatory

Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.

jdbc.url

Description: Defines the JDBC driver connection URL.

Mandatory

Accepted Value: the JDBC driver connection URL.

oracle.security.jps.pd.localMode

Description: Defines whether the policy store is running in local mode.

Mandatory

Accepted Values

  • true

  • false
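As an added example (not Oracle's code and not part of this guide), the following Python script reads a constructed jps-config.xml fragment and audits the proxy and policy-store settings described in the PDP proxy client tables (Table A-11 and the wssm.* parameters above it) and in Table A-12. It splits the PDPAddress list into primary and backups, fills in the documented defaults for absent keys, and flags the two defaults a reviewer would question: wssm.protocol=http (cleartext authorization traffic) and resourcetypeenforcementmode=lenient (mismatches logged, not rejected). The fragment follows the serviceInstance/property layout of jps-config.xml, but the instance names, host names and values are invented, and the store-type and mandatory-key rules are a simplified reading of the tables.

```python
"""Audit PDP proxy and policy-store settings in a jps-config.xml fragment.

Added example, not Oracle's code. SAMPLE_JPS_CONFIG is constructed: it follows the
serviceInstance/property layout of jps-config.xml, but the instance names, hosts
and values are invented. Defaults applied for absent keys are the documented ones.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

P = "oracle.security.jps.pdp."  # prefix shared by the proxy client keys

SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="pdp.rmi" provider="pdp.service.provider">
      <property name="oracle.security.jps.pdp.PDPTransport" value="RMI"/>
      <property name="oracle.security.jps.pdp.proxy.PDPAddress"
                value="rmi://oes-a.example.test:9400, rmi://oes-b.example.test:9400"/>
      <property name="oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs" value="5000"/>
    </serviceInstance>
    <serviceInstance name="pdp.ws" provider="pdp.service.provider">
      <property name="oracle.security.jps.pdp.PDPTransport" value="WS"/>
      <property name="oracle.security.jps.pdp.proxy.PDPAddress" value="http://oes-ws.example.test:8080"/>
    </serviceInstance>
    <serviceInstance name="policystore.db" provider="policystore.provider">
      <property name="jdbc.driver" value="oracle.jdbc.OracleDriver"/>
      <property name="datasource.jndi.name" value="jdbc/APMDBDS"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
      <property name="oracle.security.jps.farm.name" value="cn=base_domain"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

DEFAULTS = {  # documented default values, applied when the key is absent
    P + "proxy.RequestTimeoutMilliSecs": "10000",
    P + "proxyFailureRetryCount": "3",
    P + "proxy.FailbackTimeoutMilliSecs": "180000",
    P + "proxy.SynchronizationIntervalMilliSecs": "60",
    P + "proxy.wssm.protocol": "http",
    "oracle.security.jps.policystore.resourcetypeenforcementmode": "lenient",
}


def load_instances(xml_text):
    """Map serviceInstance name -> {property name: value}."""
    root = ET.fromstring(xml_text)
    return {inst.get("name"): {p.get("name"): p.get("value") for p in inst.findall("property")}
            for inst in root.iter("serviceInstance")}


def effective(props, key):
    """Value as the Security Module sees it: explicit value or documented default."""
    return props.get(key, DEFAULTS.get(key))


def parse_pdp_addresses(value, transport):
    """Split the comma-separated PDPAddress list: first entry is primary, rest are backups."""
    uris = [u.strip() for u in value.split(",") if u.strip()]
    allowed = {"RMI": ("rmi",), "WS": ("http", "https")}.get(transport, ())
    for u in uris:
        parsed = urlparse(u)
        if parsed.scheme not in allowed or not parsed.hostname or parsed.port is None:
            raise ValueError(f"malformed PDP address for {transport}: {u!r}")
    return {"primary": uris[0], "backups": uris[1:]}


def effective_timing(props):
    """Failover/polling settings as ints, with documented defaults filled in."""
    keys = ("proxy.RequestTimeoutMilliSecs", "proxyFailureRetryCount",
            "proxy.FailbackTimeoutMilliSecs", "proxy.SynchronizationIntervalMilliSecs")
    return {k.split(".")[-1]: int(effective(props, P + k)) for k in keys}


def audit_pdp_proxy(props):
    """Findings for one PDP proxy client serviceInstance."""
    findings = []
    transport = props.get(P + "PDPTransport")
    if transport not in ("WS", "RMI"):
        return ["PDPTransport is mandatory and must be WS or RMI"]
    addr = props.get(P + "proxy.PDPAddress")
    if not addr:
        findings.append("PDPAddress is mandatory")
    elif not parse_pdp_addresses(addr, transport)["backups"]:
        findings.append("PDPAddress names a single server: no failover target")
    if transport == "WS":  # the wssm.* keys only matter for the Web Services transport
        if effective(props, P + "proxy.wssm.protocol") != "https":
            findings.append("wssm.protocol is http (the default): authorization calls travel in cleartext")
        else:
            for key in ("identityKeyStoreFileName", "trustKeyStoreFileName"):
                if not props.get(P + "proxy.wssm.ssl." + key):
                    findings.append(f"https selected but wssm.ssl.{key} is not set")
    return findings


def audit_policy_store(props):
    """Findings for a policy store serviceInstance (simplified reading of Table A-12)."""
    findings = [f"{k} is mandatory" for k in
                ("oracle.security.jps.ldap.root.name", "oracle.security.jps.farm.name") if not props.get(k)]
    if not (props.get("ldap.url") or props.get("jdbc.driver")):
        findings.append("neither ldap.url nor jdbc.driver is set: store type unknown")
    if props.get("jdbc.driver") and not (props.get("datasource.jndi.name") or props.get("jdbc.url")):
        findings.append("database store needs datasource.jndi.name (JEE) or jdbc.url")
    mode = effective(props, "oracle.security.jps.policystore.resourcetypeenforcementmode")
    if mode == "lenient":
        findings.append("resourcetypeenforcementmode is lenient (the default): mismatches are only logged")
    elif mode != "strict":
        findings.append(f"resourcetypeenforcementmode has unknown value {mode!r}")
    return findings


def audit(xml_text):
    """Audit every serviceInstance; PDP proxy instances are recognised by their pdp.* keys."""
    return {name: (audit_pdp_proxy(props) if P + "PDPTransport" in props or P + "proxy.PDPAddress" in props
                   else audit_policy_store(props))
            for name, props in load_instances(xml_text).items()}
```

Running `audit(SAMPLE_JPS_CONFIG)` reports nothing for the RMI instance (two addresses, so a backup exists), two findings for the WS instance (single address and the default http protocol), and one for the policy store (lenient enforcement). Because the checks evaluate the effective value rather than only the explicit one, a missing key is judged by the default the Security Module would actually apply.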