4 Infrastructure Security Custom WLST Commands

The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail.

For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Security Guide.

Note:

To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide.

Overview of WLST Security Commands

WLST security commands are divided into the following categories:

Table 4-1 WLST Command Categories

Command Category                         Description
Audit Configuration Commands             View and manage audit policies and the audit repository configuration.
SSL Configuration Commands               View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components.
Oracle Identity Federation Commands      View and manage configuration for Oracle Identity Federation.
Directory Integration Platform Commands  For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware User Reference for Oracle Identity Management.
Security Commands                        Manage domain policy and credential stores, and migrate the domain policy store.
Oracle Access Manager Commands           Manage OAM-related components, such as authorization providers, identity asserters, and SSO providers.


Audit Configuration Commands

Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.

Table 4-2 WLST Audit Commands

Use this command...         To...                                                 Use with WLST...
getNonJavaEEAuditMBeanName  Display the MBean name for a non-Java EE component.   Online
getAuditPolicy              Display audit policy settings.                        Online
setAuditPolicy              Update audit policy settings.                         Online
getAuditRepository          Display audit repository settings.                    Online
setAuditRepository          Update audit repository settings.                     Online
listAuditEvents             List audit events for one or all components.          Online
exportAuditConfig           Export a component's audit configuration.             Online
importAuditConfig           Import a component's audit configuration.             Online


For more information, see the Oracle Fusion Middleware Security Guide.

getNonJavaEEAuditMBeanName

Online command that displays the MBean name for non-Java EE components.

Description

This command displays the MBean name for a non-Java EE component, given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit MBean is running. The MBean name is a required parameter of the other audit WLST commands when they manage a non-Java EE component.

Syntax

getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache.
svrName Specifies the name of the Oracle WebLogic Server.

Example

The following interactive command displays the MBean name for an Oracle Internet Directory instance:

wls:/mydomain/serverConfig> getNonJavaEEAuditMBeanName(instName='inst1', compName='oid1', compType='oid', svrName='AdminServer')

getAuditPolicy

Online command that displays the audit policy settings.

Description

This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component MBean name is required for non-Java EE components such as Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

getAuditPolicy([mbeanName])
Argument Definition
mbeanName Specifies the name of the component audit MBean for non-Java EE components.

Examples

The following command displays the audit settings for a Java EE component:

wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
 
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0

The following command displays the audit settings for MBean CSAuditProxyMBean:

wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean')

setAuditPolicy

Online command that updates an audit policy.

Description

This command configures the audit policy settings. You can set the filter preset, add or remove special users, and add or remove custom events. The component MBean name is required for non-Java EE components such as Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers],
[removeSpecialUsers],[addCustomEvents],[removeCustomEvents])
Argument Definition
mbeanName Specifies the name of the component audit MBean for non-Java EE components.
filterPreset Specifies the filter preset to be changed.
addSpecialUsers Specifies the special users to be added.
removeSpecialUsers Specifies the special users to be removed.
addCustomEvents Specifies the custom events to be added.
removeCustomEvents Specifies the custom events to be removed.

Examples

The following interactive command sets the audit policy filter preset to None, adds the special users user2 and user3, and removes user1 from the policy:

wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='None',addSpecialUsers='user2,user3',removeSpecialUsers='user1')

wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree

FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0

The following interactive command adds login events while removing logout events from the policy:

wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')

The following interactive command sets the audit policy filter preset to Low:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully

wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0

The following command sets a custom filter to audit the CheckAuthorization event:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
 
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
 
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization

getAuditRepository

Online command that displays audit repository settings.

Description

This command displays the audit repository settings for Java EE components and applications (for other components, such as Oracle Internet Directory, the repository configuration resides in opmn.xml). If the repository is of database type, the command also displays the database configuration.

Syntax

getAuditRepository()

Example

The following command displays audit repository configuration:

wls:/IDMDomain/domainRuntime> getAuditRepository()
Already in Domain Runtime Tree
 
Repository Type:File

setAuditRepository

Online command that updates audit repository settings.

Description

This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).

Syntax

setAuditRepository([switchToDB],[dataSourceName],[interval])
Argument Definition
switchToDB If true, switches the repository from file to database.
dataSourceName Specifies the name of the data source.
interval Specifies the interval, in seconds, at which the audit loader runs.

Examples

The following command switches from a file repository to a database repository:

wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true');
Already in Domain Runtime Tree
 
Audit Repository Information updated
 
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
 
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB

The following interactive command switches the audit repository to the database behind a specific data source and sets the audit loader interval to 14 seconds:

wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')
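The examples above for getAuditPolicy, setAuditPolicy, and getAuditRepository show how little separates a useful audit configuration from a silent one: a single setAuditPolicy(filterPreset='None') call leaves the lowest preset in place, and a file repository keeps audit records on the same host as the component being audited. The following Python script is an added example, not part of Oracle Fusion Middleware or of WLST: it parses the Key:Value lines that getAuditPolicy() and getAuditRepository() print (copied out of the WLST session, as shown on this page) and compares them with a baseline. The sample output is constructed from the page's own examples, and the baseline values (required custom events, allowed presets, required repository type) are assumptions for the example, not Oracle defaults.

```python
"""Compare WLST audit settings with a baseline.

Added example for this page; it is not part of Oracle Fusion Middleware or
of WLST. It works on the text that getAuditPolicy() and getAuditRepository()
print (the Key:Value lines shown in the page's examples) after that output
has been copied out of the WLST session. The baseline and the sample output
are constructed for the example.
"""

# Constructed sample output, modelled on the page's examples, including the
# "Already in Domain Runtime Tree" banner that WLST prints first.
SAMPLE_POLICY_OUTPUT = """Already in Domain Runtime Tree

FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
"""

SAMPLE_REPOSITORY_OUTPUT = """Already in Domain Runtime Tree

Repository Type:File
"""

# Constructed baseline (an assumption of this example, not an Oracle default):
# custom policies must keep these events, presets below Low are not accepted,
# and audit records must go to the database rather than to local files.
REQUIRED_CUSTOM_EVENTS = ["JPS:CheckAuthorization", "UserLogin"]
ALLOWED_PRESETS = {"Low", "All", "Custom"}
REQUIRED_REPOSITORY_TYPE = "DB"


def parse_wlst_settings(output):
    """Turn the Key:Value lines into a dict.

    Split on the first colon only: values such as JPS:CheckAuthorization
    contain colons themselves. Blank lines and banner lines without a
    colon are ignored.
    """
    settings = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def split_csv(value):
    """Split a comma-separated WLST value like 'user2,user3' into a list."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_audit_policy(policy, required_events=REQUIRED_CUSTOM_EVENTS,
                       allowed_presets=ALLOWED_PRESETS):
    """Return a list of findings for a parsed getAuditPolicy() output."""
    findings = []
    preset = policy.get("FilterPreset")
    if preset is None:
        findings.append("FilterPreset missing from output")
    elif preset == "None":
        # None is the lowest preset: no events are selected for auditing.
        findings.append("FilterPreset is None: auditing is effectively off")
    elif preset not in allowed_presets:
        findings.append("FilterPreset %s is outside the baseline" % preset)
    if preset == "Custom":
        audited = set(split_csv(policy.get("Custom Events", "")))
        for event in sorted(set(required_events) - audited):
            findings.append("required custom event %s is not audited" % event)
    return findings


def check_audit_repository(repository, required_type=REQUIRED_REPOSITORY_TYPE):
    """Return a list of findings for a parsed getAuditRepository() output."""
    actual = repository.get("Repository Type", "missing")
    if actual != required_type:
        return ["audit repository is %s, baseline requires %s" % (actual, required_type)]
    return []


def review(policy_output, repository_output):
    """Parse both command outputs and return all findings in order."""
    return (check_audit_policy(parse_wlst_settings(policy_output))
            + check_audit_repository(parse_wlst_settings(repository_output)))


if __name__ == "__main__":
    for finding in review(SAMPLE_POLICY_OUTPUT, SAMPLE_REPOSITORY_OUTPUT):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports that UserLogin is not among the custom events and that the repository is still file-based; the same two functions can be fed the output of the two commands captured from any domain, so the check can run after every setAuditPolicy or setAuditRepository change.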

listAuditEvents

Online command that displays a component's audit events.

Description

This command displays a component's audit events and attributes. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services such as Oracle Platform Security Services (OPSS) do not need the MBean parameter. Without a component type, the generic attributes applicable to all components are displayed.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

listAuditEvents([mbeanName],[componentType])
Argument Definition
mbeanName Specifies the name of the component MBean.
componentType Specifies the component type.

Examples

The following command displays audit events for the Oracle Platform Security Services component:

wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
 
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message

The following command displays audit events for Oracle HTTP Server:

wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')

The following command displays all audit events:

wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
 
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...

exportAuditConfig

Online command that exports a component's audit configuration.

Description

This command exports the audit configuration to a file. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services such as Oracle Platform Security Services (OPSS) do not need the MBean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

exportAuditConfig([mbeanName],fileName)
Argument Definition
mbeanName Specifies the name of the non-Java EE component MBean.
fileName Specifies the path and file name to which the audit configuration should be exported.

Examples

The following interactive command exports the audit configuration for a component:

wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command exports the audit configuration for a Java EE component; no MBean is specified:

wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')

importAuditConfig

Online command that imports a component's audit configuration.

Description

This command imports the audit configuration from an external file. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services such as Oracle Platform Security Services (OPSS) do not need the MBean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

importAuditConfig([mbeanName],fileName)
Argument Definition
mbeanName Specifies the name of the non-Java EE component MBean.
fileName Specifies the path and file name from which the audit configuration should be imported.

Examples

The following interactive command imports the audit configuration for a component:

wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command imports the audit configuration for a Java EE component; no MBean is specified:

wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')

SSL Configuration Commands

Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.

Table 4-3 WLST Commands for SSL Configuration

Use this command...       To...                                                                             Use with WLST...
addCertificateRequest     Generate a certificate signing request in an Oracle wallet.                       Online
addSelfSignedCertificate  Add a self-signed certificate to an Oracle wallet.                                Online
changeKeyStorePassword    Change the password to a JKS keystore.                                            Online
changeWalletPassword      Change the password to an Oracle wallet.                                          Online
configureSSL              Set the SSL attributes for a component listener.                                  Online
createKeyStore            Create a JKS keystore.                                                            Online
createWallet              Create an Oracle wallet.                                                          Online
deleteKeyStore            Delete a JKS keystore.                                                            Online
deleteWallet              Delete an Oracle wallet.                                                          Online
exportKeyStore            Export a JKS keystore to a file.                                                  Online
exportKeyStoreObject      Export an object from a JKS keystore to a file.                                   Online
exportWallet              Export an Oracle wallet to a file.                                                Online
exportWalletObject        Export an object from an Oracle wallet to a file.                                 Online
generateKey               Generate a key pair in a JKS keystore.                                            Online
getKeyStoreObject         Display a certificate or other object present in a JKS keystore.                  Online
getSSL                    Display the SSL attributes for a component listener.                              Online
getWalletObject           Display a certificate or other object present in an Oracle wallet.                Online
importKeyStore            Import a JKS keystore from a file.                                                Online
importKeyStoreObject      Import a certificate or other object from a file to a JKS keystore.               Online
importWallet              Import an Oracle wallet from a file.                                              Online
importWalletObject        Import a certificate or other object from a file to an Oracle wallet.             Online
listKeyStoreObjects       List all objects present in a JKS keystore.                                       Online
listKeyStores             List all JKS keystores configured for a component instance.                       Online
listWalletObjects         List all objects present in an Oracle wallet.                                     Online
listWallets               List all Oracle wallets configured for a component instance.                      Online
removeKeyStoreObject      Remove a certificate or other object from a component instance's JKS keystore.    Online
removeWalletObject        Remove a certificate or other object from a component instance's Oracle wallet.   Online


For more information, see the Oracle Fusion Middleware Administrator's Guide.

addCertificateRequest

Online command that generates a certificate signing request in an Oracle wallet.

Description

This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.

Syntax

addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
DN Specifies the Distinguished Name of the key pair entry.
keySize Specifies the key size in bits.

Example

The following command generates a certificate signing request with DN cn=www.acme.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')

addSelfSignedCertificate

Online command that adds a self-signed certificate.

Description

This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.

Syntax

addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
DN Specifies the Distinguished Name of the key pair entry.
keySize Specifies the key size in bits.

Example

The following command adds a self-signed certificate with DN cn=www.acme.com, key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')

changeKeyStorePassword

Online command that changes the keystore password.

Description

This command changes the password of a Java Keystore (JKS) file for an Oracle Virtual Directory instance.

Syntax

changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the filename of the keystore.
currPassword Specifies the current keystore password.
newPassword Specifies the new keystore password.

Example

The following command changes the password of file keys.jks for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> changeKeyStorePassword('inst1', 'ovd1', 'ovd','keys.jks', 'currpassword', 'newpassword')

changeWalletPassword

Online command that changes the password of an Oracle wallet.

Description

This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.

Syntax

changeWalletPassword(instName, compName, compType, walletName,currPassword, newPassword)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the filename of the wallet.
currPassword Specifies the current wallet password.
newPassword Specifies the new wallet password.

Example

The following command changes the password for wallet1 from currpassword to newpassword for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> changeWalletPassword('inst1', 'ohs1', 'ohs','wallet1', 'currpassword', 'newpassword')

configureSSL

Online command that sets SSL attributes.

Description

This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

Syntax

configureSSL(instName, compName, compType, listener, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ovd', 'ohs', and 'webcache'.
listener Specifies the name of the component listener to be configured for SSL.
filePath Specifies the absolute path of the properties file containing the SSL attributes to set.

Examples

The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:

wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')

The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:

wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
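configureSSL reads its attributes from a name=value properties file and falls back to defaults for anything the file does not set, so a misspelled attribute or a weak value is easy to miss from the WLST prompt. The following Python script is an added example, not Oracle code: it reads a properties file the way Java does (comments, '=' or ':' separators, backslash line continuations) and reports unknown attributes, deprecated protocol versions and weak cipher suites before the file is handed to configureSSL. The attribute names SSLEnabled, AuthenticationType, SSLVersions and Ciphers are assumed from the Administrator's Guide chapter the page cites; the allow-list, the weak-value policy and the sample file are constructed for the example.

```python
"""Check an SSL properties file before passing it to configureSSL().

Added example for this page; it is not Oracle code. configureSSL() takes its
SSL attributes as name=value lines. The attribute names used here
(SSLEnabled, AuthenticationType, SSLVersions, Ciphers) are assumed from the
Administrator's Guide chapter the page cites; the weak-value policy and the
sample file are constructed for the example.
"""
import re

# Constructed sample file with a line continuation and two weak settings.
SAMPLE_SSL_PROPERTIES = r"""# ssl.properties for listener1 (constructed sample)
SSLEnabled=true
AuthenticationType=Server
SSLVersions=SSLv3,TLSv1.2
Ciphers=SSL_RSA_WITH_RC4_128_SHA,\
    TLS_RSA_WITH_AES_128_CBC_SHA
"""

# Assumed attribute allow-list (see module docstring); anything else in the
# file is reported so that a typo cannot silently leave a default in place.
KNOWN_SSL_ATTRIBUTES = {"SSLEnabled", "AuthenticationType", "SSLVersions", "Ciphers"}

# Protocol versions deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0/1.1),
# and cipher-suite name fragments that mark broken or unauthenticated suites.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "anon")


def _continues(line):
    """A properties line continues on the next line if it ends with an odd
    number of backslashes."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def _store(props, logical):
    """Split one logical line into key and value and record it."""
    match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
    if match:
        props[match.group(1)] = match.group(2).strip()


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash line continuations. Other escape sequences are left as written."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if _continues(line):
            pending.append(line[:-1])
            continue
        pending.append(line)
        _store(props, "".join(pending))
        pending = []
    if pending:  # file ended inside a continuation
        _store(props, "".join(pending))
    return props


def _split_csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def check_ssl_properties(props, known=KNOWN_SSL_ATTRIBUTES):
    """Return the list of findings for a parsed properties file."""
    findings = []
    for name in props:
        if name not in known:
            findings.append("unknown attribute %s (not in the allow-list)" % name)
    if props.get("SSLEnabled", "").lower() != "true":
        findings.append("SSLEnabled is not true")
    for proto in _split_csv(props.get("SSLVersions", "")):
        if proto in WEAK_PROTOCOLS:
            findings.append("deprecated protocol %s enabled" % proto)
    for suite in _split_csv(props.get("Ciphers", "")):
        if any(marker in suite for marker in WEAK_CIPHER_MARKERS):
            findings.append("weak cipher suite %s" % suite)
    return findings


if __name__ == "__main__":
    for finding in check_ssl_properties(parse_properties(SAMPLE_SSL_PROPERTIES)):
        print("FINDING:", finding)
```

On the constructed sample the script reports SSLv3 and the RC4 suite; because the parser honours line continuations, a cipher list wrapped across several lines is checked as one value rather than as a truncated one.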

createKeyStore

Online command that creates a JKS keystore.

Description

This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

Syntax

createKeyStore(instName, compName, compType, keystoreName, password)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the filename of the keystore file to be created.
password Specifies the keystore password.

Example

The following command creates JKS file keys.jks with password password for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> createKeyStore('inst1', 'ovd1', 'ovd','keys.jks', 'password')

createWallet

Online command that creates an Oracle wallet.

Description

This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

Syntax

createWallet(instName, compName, compType, walletName, password)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the name of the wallet file to be created.
password Specifies the wallet password.

Examples

The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')

The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1:

wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')

deleteKeyStore

Online command that deletes a keystore.

Description

This command deletes a keystore for a specified Oracle Virtual Directory instance.

Syntax

deleteKeyStore(instName, compName, compType, keystoreName)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file to delete.

Example

The following command deletes JKS file keys.jks for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> deleteKeyStore('inst1', 'ovd1', 'ovd','keys.jks')

deleteWallet

Online command that deletes an Oracle wallet.

Description

This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).

Syntax

deleteWallet(instName, compName, compType, walletName)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the name of the wallet file to be deleted.

Example

The following command deletes a wallet named wallet1 for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> deleteWallet('inst1', 'ohs1', 'ohs','wallet1')

exportKeyStore

Online command that exports the keystore to a file.

Description

This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported filename is the same as the keystore name.

Syntax

exportKeyStore(instName, compName, compType, keystoreName, password, path)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
path Specifies the absolute path of the directory under which the keystore is exported.

Example

The following command exports the keystore keys.jks for Oracle Virtual Directory instance ovd1 to file keys.jks under /tmp:

wls:/mydomain/serverConfig> exportKeyStore('inst1', 'ovd1', 'ovd', 'keys.jks', 'password', '/tmp')

exportKeyStoreObject

Online command that exports an object from a keystore to a file.

Description

This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. The certificate signing request is generated before exporting the object. The alias specifies the object to be exported.

Syntax

exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'.
path Specifies the absolute path of the directory under which the object is exported as a file named base64.txt.
alias Specifies the alias of the keystore object to be exported.

Examples

The following command generates and exports a certificate signing request from the key-pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')

The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')

The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')

exportWallet

Online command that exports an Oracle wallet.

Description

This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to one or more files under the given directory. If the wallet is an auto-login only wallet, the file name is 'cwallet.sso'. If it is a password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'.

Syntax

exportWallet(instName, compName, compType, walletName,password, path)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
path Specifies the absolute path of the directory under which the object is exported.

Examples

The following command exports auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to file cwallet.sso under /tmp:

wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')

The following command exports password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp:

wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')

exportWalletObject

Online command that exports a certificate or other wallet object to a file.

Description

This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be exported.

Syntax

exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs','oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'.
path Specifies the absolute path of the directory under which the object is exported as a file base64.txt.
DN Specifies the Distinguished Name of the wallet object being exported.

Examples

The following command exports a certificate signing request with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.acme.com')

The following command exports a certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.acme.com')

The following command exports a trusted certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.acme.com')

The following command exports a certificate chain with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.acme.com')

generateKey

Online command that generates a key pair in a Java keystore.

Description

This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated.

Syntax

generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore.
password Specifies the password of the keystore.
DN Specifies the Distinguished Name of the key pair entry.
keySize Specifies the key size in bits.
alias Specifies the alias of the key pair entry in the keystore.
algorithm Specifies the key algorithm. Valid value is 'RSA'.

Examples

The following command generates an RSA key pair with DN cn=www.acme.com, key size 1024 and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The 1024-bit key size is for illustration only; 1024-bit RSA is no longer considered adequate, so use a key size of at least 2048 bits in production:

wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey', 'RSA')

The following command is the same as above, except it does not explicitly specify the key algorithm:

wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey')

getKeyStoreObject

Online command that shows details about a keystore object.

Description

This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.

Syntax

getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be displayed. Valid values are 'Certificate' and 'TrustedCertificate'.
index Specifies the index number of the keystore object as returned by the listKeyStoreObjects command.

Examples

The following command shows a trusted certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')

The following command shows a certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')

getSSL

Online command that lists the configured SSL attributes.

Description

This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.

Syntax

getSSL(instName, compName, compType, listener)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'.
listener Specifies the name of the component listener.

Example

The following command shows the SSL attributes configured for Oracle Internet Directory instance oid1, in application server instance inst1, for listener sslport1:

wls:/mydomain/serverConfig> getSSL('inst1', 'oid1', 'oid', 'sslport1')

getWalletObject

Online command that displays information about a certificate or other object in an Oracle wallet.

Description

This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.

Syntax

getWalletObject(instName, compName, compType, walletName, password, type, index)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be displayed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'.
index Specifies the index number of the wallet object as returned by the listWalletObjects command.

Examples

The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')

The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')

The following command shows trusted certificate details for the object with index 0, present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')

importKeyStore

Online command that imports a keystore from a file.

Description

This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The component instance name must be unique.

Syntax

importKeyStore(instName, compName, compType, keystoreName, password, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore being imported. This name must be unique for this component instance.
password Specifies the password of the keystore.
filePath Specifies the absolute path of the keystore file to be imported.

Example

The following command imports the keystore /tmp/keys.jks as file.jks into Oracle Virtual Directory instance ovd1. Subsequently, the keystore is managed through the name file.jks:

wls:/mydomain/serverConfig> importKeyStore('inst1', 'ovd1', 'ovd', 'file.jks',
'password', '/tmp/keys.jks')

importKeyStoreObject

Online command that imports an object from a file to a keystore.

Description

This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory, assigning it the specified alias which must be unique in the keystore. If a certificate or certificate chain is being imported, the alias must match that of the corresponding key-pair.

Syntax

importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'.
filePath Specifies the absolute path of the file containing the keystore object.
alias Specifies the alias to assign to the keystore object to be imported.

Examples

The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey for Oracle Virtual Directory instance ovd1, in application server instance inst1. The file keys.jks must already have an alias mykey for a key-pair whose public key matches that in the certificate being imported:

wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')

The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')

importWallet

Online command that imports an Oracle wallet from a file.

Description

This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.

Syntax

importWallet(instName, compName, compType, walletName, password, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet being imported. The name must be unique for the component instance.
password Specifies the password of the wallet.
filePath Specifies the absolute path of the wallet file being imported.

Examples

The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:

wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')

The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:

wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')

importWalletObject

Online command that imports a certificate or other object into an Oracle wallet.

Description

This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). When importing a certificate, use the same wallet from which the certificate signing request was generated, because the certificate must be matched to the private key held in that wallet.

Syntax

importWalletObject(instName, compName, compType, walletName, password, type, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'.
filePath Specifies the absolute path of the file containing the wallet object.

Examples

The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')

The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 
'password', 'Certificate','/tmp/cert.txt')

The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')
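
Both importWalletObject (above) and importKeyStoreObject (earlier in this section) take one object per file: a single certificate, a single trusted certificate, or one PKCS#7 chain. A CA bundle delivered as several concatenated PEM blocks therefore has to be split, and it is worth checking that each block really is what its PEM label claims before handing it to WLST. The following script is an added example, not part of the Oracle documentation or of WLST; it splits a PEM bundle into per-object files, verifies the outer DER framing of each block (a certificate or CSR is SEQUENCE { SEQUENCE ... }, a PKCS#7 ContentInfo is SEQUENCE { OBJECT IDENTIFIER ... }), and reports the importWalletObject type value to use for each file. The sample blocks are constructed placeholders with valid DER framing only; they are not real certificates, and all function and file names are this example's own.

```python
import base64
import os
import re

# One PEM block per file is what importWalletObject / importKeyStoreObject expect,
# so a CA bundle has to be split before import. Every name in this file belongs
# to this example; none of it is part of WLST.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# PEM label -> importWalletObject 'type' value. A CERTIFICATE block is handled
# separately: 'Certificate' for your own cert, 'TrustedCertificate' for a CA cert.
LABEL_TO_TYPE = {"PKCS7": "TrustedChain", "CERTIFICATE REQUEST": "CertificateRequest"}


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_BLOCK.finditer(text)]


def der_header(buf, pos=0):
    """Decode one DER tag/length pair at pos; return (tag, length, header_len)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                      # short-form length
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or pos + 2 + n > len(buf):
        raise ValueError("bad DER length encoding")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n


def check_framing(label, der):
    """Sanity-check that the DER matches the PEM label before handing it to WLST.

    Certificate and CertificationRequest are SEQUENCE { SEQUENCE ... };
    a PKCS#7 ContentInfo is SEQUENCE { OBJECT IDENTIFIER ... }. Truncated files
    and PKCS#7 bundles mislabelled as CERTIFICATE are the mistakes this catches.
    """
    tag, length, hdr = der_header(der)
    if tag != 0x30:
        raise ValueError("%s: outer element is not a SEQUENCE" % label)
    if hdr + length != len(der):
        raise ValueError("%s: DER length %d does not match payload size %d"
                         % (label, length, len(der) - hdr))
    inner_tag = der_header(der, hdr)[0]
    expected = 0x06 if label == "PKCS7" else 0x30
    if inner_tag != expected:
        raise ValueError("%s: first inner element is tag 0x%02x, expected 0x%02x"
                         % (label, inner_tag, expected))
    return True


def wallet_type(label, own_cert=False):
    """Map a PEM label to the 'type' argument of importWalletObject."""
    if label == "CERTIFICATE":
        return "Certificate" if own_cert else "TrustedCertificate"
    if label not in LABEL_TO_TYPE:
        raise ValueError("no importWalletObject type for PEM label %r" % label)
    return LABEL_TO_TYPE[label]


def pem(label, der):
    """Re-encode DER as a single PEM block."""
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(der).decode("ascii"), label)


def write_objects(text, outdir, own_cert=False):
    """Validate each block and write it to its own file; return [(path, type), ...]."""
    os.makedirs(outdir, exist_ok=True)
    plan = []
    for i, (label, der) in enumerate(split_pem(text)):
        check_framing(label, der)
        wtype = wallet_type(label, own_cert)
        path = os.path.join(outdir, "obj%d-%s.txt" % (i, wtype))
        with open(path, "w") as fh:
            fh.write(pem(label, der))
        plan.append((path, wtype))
    return plan


# Constructed placeholders with the outer DER shape of a certificate and of a
# PKCS#7 ContentInfo (OID 1.2.840.113549.1.7.2); they are not real certificates.
FAKE_CERT = bytes.fromhex("300a" "3003020102" "3000" "030100")
FAKE_P7 = bytes.fromhex("300d" "06092a864886f70d010702" "a000")
FAKE_TRUNCATED = bytes.fromhex("3010" "3003020102")   # claims 16 bytes, has 5
SAMPLE_BUNDLE = pem("CERTIFICATE", FAKE_CERT) + pem("PKCS7", FAKE_P7)

if __name__ == "__main__":
    import tempfile
    for path, wtype in write_objects(SAMPLE_BUNDLE, tempfile.mkdtemp()):
        print("importWalletObject('inst1', 'oid1', 'oid', 'wallet1', password, %r, %r)"
              % (wtype, path))
    try:
        check_framing("CERTIFICATE", FAKE_TRUNCATED)
    except ValueError as err:
        print("rejected:", err)
```

Run the script on a real bundle by replacing SAMPLE_BUNDLE with the file contents; each path it prints can then be passed as the filePath argument of importWalletObject (or, for an Oracle Virtual Directory JKS, of importKeyStoreObject together with a unique alias). The framing check is deliberately shallow: it does not validate signatures or chain order, only that the file is whole and of the claimed kind, which is enough to stop the two common import failures (a truncated copy, and a PKCS#7 chain passed as type 'Certificate').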

listKeyStoreObjects

Online command that lists the contents of a keystore.

Description

This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.

Syntax

listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'.

Examples

The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')

The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')

listKeyStores

Online command that lists all the keystores for a component.

Description

This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.

Syntax

listKeyStores(instName, compName, compType)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.

Example

The following command lists all keystores for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStores('inst1', 'ovd1', 'ovd')

listWalletObjects

Online command that lists all objects in an Oracle wallet.

Description

This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).

Syntax

listWalletObjects(instName, compName, compType, walletName, password, type)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'.

Examples

The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')

The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')

The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')

listWallets

Online command that lists all wallets configured for a component instance.

Description

This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.

Syntax

listWallets(instName, compName, compType)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

Example

The following command lists all wallets for Oracle Internet Directory instance oid1 in application server instance inst1:

wls:/mydomain/serverConfig> listWallets('inst1', 'oid1', 'oid')

removeKeyStoreObject

Online command that removes an object from a keystore.

Description

This command removes a certificate, a trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed when all trusted certificates are being removed, in which case pass None for the alias.

Syntax

removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'.
alias Specifies the alias of the keystore object to be removed.

Examples

The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'Certificate','mykey')

The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')

The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedAll',None)

removeWalletObject

Online command that removes a certificate or other object from an Oracle wallet.

Description

This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be removed.

Syntax

removeWalletObject(instName, compName, compType, walletName, password, type, DN)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of the wallet object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'.
DN Specifies the Distinguished Name of the wallet object to be removed.

Examples

The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so we pass null (denoted by None) for the DN parameter:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)

The following command removes a certificate signing request indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.acme.com')

The following command removes a certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.acme.com')

The following command removes a trusted certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.acme.com')

Oracle Identity Federation Commands

Use the WLST commands listed in Table 4-4 to view and manage configuration for Oracle Identity Federation.

Table 4-4 WLST Commands for Oracle Identity Federation

Use this command... To... Use with WLST...

addConfigListEntryInMap

Add a configuration list entry to a map.

Online

addConfigMapEntryInMap

Add a configuration map entry to a map.

Online

addConfigPropertyListEntry

Add a configuration property list entry.

Online

addConfigPropertyMapEntry

Add a configuration property map entry to the map.

Online

addCustomAuthnEngine

Add a custom authentication engine.

Online

addCustomSPEngine

Add a custom SP engine.

Online

addFederationListEntryInMap

Add a federations list entry to the map.

Online

addFederationMapEntryInMap

Add a federation map entry to the map.

Online

addFederationPropertyListEntry

Add a federation property list entry.

Online

addFederationPropertyMapEntry

Add a federation property map entry.

Online

deleteCustomAuthnEngine

Delete a custom authentication engine.

Online

deleteCustomSPEngine

Delete a custom SP engine.

Online

deleteProviderFederation

Delete a provider from the federation.

Online

deleteUserFederation

Delete a user from the federation.

Online

changeMessageStore

Change the message store to memory or RDBMS.

Online

changePeerProviderDescription

Change a peer provider's description.

Online

changeSessionStore

Change the session store to memory or RDBMS.

Online

createConfigPropertyList

Create a configuration property list.

Online

createConfigPropertyListInMap

Create a configuration property list in the map.

Online

createConfigPropertyMap

Create a configuration property map.

Online

createConfigPropertyMapInMap

Create a nested configuration property map in a map.

Online

createFederationPropertyList

Create a federation property list.

Online

createFederationPropertyListInMap

Create a federation property list in the map.

Online

createFederationPropertyMap

Create a federation property map.

Online

createFederationPropertyMapInMap

Create a nested federation property map in a map.

Online

createPeerProviderEntry

Create a peer provider entry.

Online

getConfigListValueInMap

Retrieve a configuration list value from the map.

Online

getConfigMapEntryInMap

Retrieve a configuration map value from the map.

Online

getConfigProperty

Retrieve a configuration property entry.

Online

getConfigPropertyList

Retrieve a configuration property list.

Online

getConfigPropertyMapEntry

Retrieve a configuration property map entry.

Online

getFederationListValueInMap

Retrieve a federation list value from the map.

Online

getFederationMapEntryInMap

Retrieve a federation map entry from a nested map.

Online

getFederationProperty

Retrieve a federation property.

Online

getFederationPropertyList

Retrieve the federation property list.

Online

extractproviderprops

Export all provider configuration properties to a text file.

Script

setproviderprops

Set a provider's properties based on an input text file.

Script

getFederationPropertyMapEntry

Retrieve a federation property map entry.

Online

listCustomAuthnEngines

Display the list of custom authentication engines.

Online

listCustomSPEngines

Display the list of custom SP engines.

Online

loadMetadata

Load metadata from a file.

Online

oifStatus

Display the current status of Oracle Identity Federation on the managed server.

Online

removeConfigListInMap

Delete a configuration list in the map.

Online

removeConfigMapEntryInMap

Delete a configuration map entry in the map.

Online

removeConfigMapInMap

Delete a nested configuration map.

Online

removeConfigProperty

Delete a configuration property.

Online

removeConfigPropertyList

Delete a property list.

Online

removeConfigPropertyMap

Delete a property map.

Online

removeConfigPropertyMapEntry

Delete an entry in the property map.

Online

removeFederationListInMap

Delete a federation list in the map.

Online

removeFederationMapInMap

Delete a nested federation map.

Online

removeFederationMapEntryInMap

Delete a nested federation map entry.

Online

removeFederationProperty

Delete a federation property.

Online

removeFederationPropertyList

Delete a federation property list.

Online

removeFederationPropertyMap

Delete a federation property map.

Online

removeFederationPropertyMapEntry

Delete a federation property map entry.

Online

removePeerProviderEntry

Delete a peer provider entry.

Online

setConfigProperty

Set a configuration property.

Online

setCustomAuthnEngine

Define a custom authentication engine.

Online

setCustomSPEngine

Define a custom SP engine.

Online

setFederationProperty

Set a federation property.

Online


For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

addConfigListEntryInMap

Online command that adds a property value to a map.

Description

This command adds a property value to a nested list inside a map in config.xml.

Syntax

addConfigListEntryInMap(configName, mapname, listName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapname Specifies the name of the property map to be changed in config.xml.
listName Specifies the name of the list inside the map to which the value is added.
value Specifies the property value.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds valueA to a map list in server configuration:

wls:/mydomain/serverConfig> addConfigListEntryInMap('serverconfig','mymap','mylistA','valueA','string')

addConfigMapEntryInMap

Online command that adds a nested map property entry in a map.

Description

This command adds a property name/value pair to a map nested inside a map in config.xml.

Syntax

addConfigMapEntryInMap(configName, mapname, nestedMapName, propName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
mapname Specifies the name of the property map to be changed in config.xml.
nestedMapName Specifies the name of the nested property map to be changed.
propName Specifies the name of the property to be added to the nested map.
value Specifies the property value.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds a boolean name/value pair to nestedmapB inside the map mymap.

wls:/mydomain/serverConfig> addConfigMapEntryInMap('serverconfig','mymap','nestedmapB','myvarB','true', 'boolean')

addConfigPropertyListEntry

Online command that adds a list property entry to config.xml.

Description

This command adds a property value to a list in config.xml.

Syntax

addConfigPropertyListEntry(configName, listName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
listName Specifies the name of the property list to be added in config.xml.
value Specifies the new property list value. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds a string value to mylistA.

wls:/mydomain/serverConfig> addConfigPropertyListEntry('serverconfig','mylistA','valueA','string')

addConfigPropertyMapEntry

Online command that adds a property name/value entry in a map in config.xml.

Description

This command adds a property name/value entry in a map in config.xml.

Syntax

addConfigPropertyMapEntry(configName, mapName, propName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapName Specifies the name of the property map in config.xml.
propName Specifies the name of the property to be added to the map.
value Specifies the property map value to be added.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds valueA of string type to a map.

wls:/mydomain/serverConfig> addConfigPropertyMapEntry('serverconfig','mymapA','myvarA','valueA','string')

addCustomAuthnEngine

Online command that adds a custom authentication integration engine.

Description

This command adds a custom authentication integration engine to config.xml.

Syntax

addCustomAuthnEngine(name, [enabled], [webContext], [authnRelativePath],  [logoutRelativePath], [logoutEnabled])
Argument Definition
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false, default).
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

Example

The following command defines an engine named test and enables it.

wls:/mydomain/serverConfig> addCustomAuthnEngine('test','true')

addCustomSPEngine

Online command that adds a custom service provider (SP) engine.

Description

This command adds a custom SP integration engine to config.xml.

Syntax

addCustomSPEngine(name, [enabled], [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument Definition
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false).
authnMech Specifies the authentication mechanism for the engine.
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

Example

The following command adds an engine and gives it a disabled status.

wls:/mydomain/serverConfig> addCustomSPEngine('new engine','false','oracle:fed:authentication:unspecified','webcontext')

addFederationListEntryInMap

Online command that adds a list property entry in a map.

Description

This command adds a property value to a nested list inside a map in cot.xml.

Syntax

addFederationListEntryInMap(providerID, mapname, listName, value, type)
Argument Definition
providerID Specifies the provider ID.
mapname Specifies the name of the property map to be changed in cot.xml.
listName Specifies the name of the property list to be added to the map.
value Specifies the property list value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds a boolean property list to mymap.

wls:/mydomain/serverConfig> addFederationListEntryInMap('providerB','mymap','mylistB','true','boolean')

addFederationMapEntryInMap

Online command that adds a nested map property entry in a map.

Description

This command adds a property name/value pair to a map nested inside a map in cot.xml.

Syntax

addFederationMapEntryInMap(providerID, mapname, nestedMapName, propName, value, type)
Argument Definition
providerID Specifies the provider ID.
mapname Specifies the name of the property map to be changed in cot.xml.
nestedMapName Specifies the name of the nested property map to be changed.
propName Specifies the name of the property to be updated in the map.
value Specifies the property value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds a value of type string to the myvarA property in a nested map.

wls:/mydomain/serverConfig> addFederationMapEntryInMap('providerA','mymap','nestedmapA','myvarA','valueA',
'string')

addFederationPropertyListEntry

Online command that adds a list property entry.

Description

This command adds a property value to a list in cot.xml.

Syntax

addFederationPropertyListEntry(providerID, listName, value, type)
Argument Definition
providerID Specifies the provider ID.
listName Specifies the name of the property list to be updated.
value Specifies the property list value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds a value in string format to a specified property list.

wls:/mydomain/serverConfig> addFederationPropertyListEntry('providerA','mylistA','valueA','string')

addFederationPropertyMapEntry

Online command that adds a property name/value entry in a map.

Description

This command adds a property name/value pair to a map in cot.xml.

Syntax

addFederationPropertyMapEntry(providerID, mapName, propName, value, type)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies the name of the property map to be changed in cot.xml.
propName Specifies the name of the property to be added in the map.
value Specifies the property value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command adds boolean property myvarB to a map.

wls:/mydomain/serverConfig> addFederationPropertyMapEntry('providerA','mymapB','myvarB','true','boolean')

deleteCustomAuthnEngine

Online command that deletes a custom authentication integration engine from the configuration.

Description

This command deletes a custom authentication integration engine in config.xml. You must provide the engine ID for an existing custom authentication engine in config.xml.

Syntax

deleteCustomAuthnEngine(engineID)
Argument Definition
engineID Specifies the engine ID of an existing engine to be deleted.

Example

The following command deletes the authentication engine with ID id1234.

wls:/mydomain/serverConfig> deleteCustomAuthnEngine('id1234')

deleteCustomSPEngine

Online command that deletes a custom service provider (SP) integration engine from the configuration.

Description

This command deletes a custom SP integration engine in config.xml. You must provide the engine ID for an existing custom SP engine in config.xml.

Syntax

deleteCustomSPEngine(engineID)
Argument Definition
engineID Specifies the engine ID of an existing engine to be deleted.

Example

The following command deletes the engine with ID id1234.

wls:/mydomain/serverConfig> deleteCustomSPEngine('id1234')

deleteProviderFederation

Online command that deletes federations for a given provider.

Description

This command deletes federations for the given provider ID.

Syntax

deleteProviderFederation(providerID)
Argument Definition
providerID Specifies the provider ID of the peer provider whose federations are to be deleted.

Example

The following command deletes the federations for providerA:

wls:/mydomain/serverConfig> deleteProviderFederation('providerA')

deleteUserFederation

Online command that deletes federations for the given users.

Description

This command deletes federations for the given list of users.

Syntax

deleteUserFederation([user1,..])
Argument Definition
user1 Specifies a comma-separated list of users whose federations are to be deleted. At least one user must be specified.

Example

The following command deletes federations for three users:

wls:/mydomain/serverConfig> deleteUserFederation(['userA','userB','userC'])

changeMessageStore

Online command that changes the message store between memory and RDBMS.

Description

This command changes the message store to memory or RDBMS.

Syntax

changeMessageStore(type, [jndiname])
Argument Definition
type Specifies the type of store, RDBMS or Memory. Default is Memory.
jndiname Specifies the JNDI name to set for the store. Required if type is RDBMS.

Example

The following command changes the message store to RDBMS:

wls:/mydomain/serverConfig> changeMessageStore('RDBMS','jdbc/mydb')

changePeerProviderDescription

Online command that changes the peer provider description.

Description

This command updates a peer provider description in cot.xml.

Syntax

changePeerProviderDescription(providerID, description)
Argument Definition
providerID Specifies the provider ID.
description Specifies the provider description.

Example

The following command updates the description of a provider:

wls:/mydomain/serverConfig> changePeerProviderDescription('providerA','new description')

changeSessionStore

Online command that changes the session store between memory and RDBMS.

Description

This command changes the session store to memory or RDBMS.

Syntax

changeSessionStore(type, [jndiname])
Argument Definition
type Specifies the type of store, RDBMS or Memory. Default is Memory.
jndiname Specifies the JNDI name to set for the store. Required if type is RDBMS.

Example

The following command changes the session store to RDBMS.

wls:/mydomain/serverConfig> changeSessionStore('RDBMS','jdbc/mydb')

createConfigPropertyList

Online command that creates a property list.

Description

This command creates a property list in config.xml.

Syntax

createConfigPropertyList(configName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
listName Specifies the property list name.

Example

The following command creates property list mylistA.

wls:/mydomain/serverConfig> createConfigPropertyList('serverconfig','mylistA')

createConfigPropertyListInMap

Online command that creates a property list nested in the property map.

Description

This command creates a property list, nested in the property map, in config.xml.

Syntax

createConfigPropertyListInMap(configName, mapName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
mapName Specifies an existing property map to contain the nested list.
listName Specifies the property list name.

Example

The following command creates property list mylistA nested in a property map.

wls:/mydomain/serverConfig> createConfigPropertyListInMap('serverconfig','mymapA','mylistA')

createConfigPropertyMap

Online command that creates a property map.

Description

This command creates a property map in config.xml.

Syntax

createConfigPropertyMap(configName, mapName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
mapName Specifies the property map to create.

Example

The following command creates property map mymapA:

wls:/mydomain/serverConfig> createConfigPropertyMap('serverconfig','mymapA')

createConfigPropertyMapInMap

Online command that creates a property map nested in another property map.

Description

This command creates a property map, nested in another property map, in config.xml.

Syntax

createConfigPropertyMapInMap(configName, mapName, nestedMapName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
mapName Specifies the name of an existing property map.
nestedMapName Specifies the name of the property map to create nested inside mapName.

Example

The following command creates nested property map nestedmapA inside mymapA:

wls:/mydomain/serverConfig> createConfigPropertyMapInMap('serverconfig','mymapA','nestedmapA')

createFederationPropertyList

Online command that creates a property list.

Description

This command creates a property list in cot.xml.

Syntax

createFederationPropertyList(providerID, listName)
Argument Definition
providerID Specifies the provider ID.
listName Specifies the name of the property list.

Example

The following command creates property list mylistA:

wls:/mydomain/serverConfig> createFederationPropertyList('providerA','mylistA')

createFederationPropertyListInMap

Online command that creates a property list nested in a property map.

Description

This command creates a property list, nested in a property map, in cot.xml.

Syntax

createFederationPropertyListInMap(providerID, mapName, listName)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies an existing property map to contain the nested list.
listName Specifies the name of the property list.

Example

The following command creates nested property list mylistA:

wls:/mydomain/serverConfig> createFederationPropertyListInMap('providerA','mymapA','mylistA')

createFederationPropertyMap

Online command that creates a property map.

Description

This command creates a property map in cot.xml.

Syntax

createFederationPropertyMap(providerID, mapName)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies the name of the property map to be added to cot.xml.

Example

The following command creates property map mymapA:

wls:/mydomain/serverConfig> createFederationPropertyMap('providerA','mymapA')

createFederationPropertyMapInMap

Online command that creates a nested property map.

Description

This command creates a property map, nested in another property map, in cot.xml.

Syntax

createFederationPropertyMapInMap(providerID, mapName, nestedMapName)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies the name of an existing property map.
nestedMapName Specifies the name of the property map to be nested inside mapName in cot.xml.

Example

The following command creates nested property map nestedmapA:

wls:/mydomain/serverConfig> createFederationPropertyMapInMap('providerA','mymapA','nestedmapA')

createPeerProviderEntry

Online command that creates a peer provider property map entry.

Description

This command creates a peer provider as a Map property entry in cot.xml.

Syntax

createPeerProviderEntry(providerID, description, providerType, version)
Argument Definition
providerID Specifies the provider ID to be created.
description This is the description of the provider ID.
providerType Specifies the provider type of the peer provider to be created.
version Specifies the version of the peer provider to be created.

Example

The following command creates a SAML 2.0 service provider:

wls:/mydomain/serverConfig> createPeerProviderEntry('providerA','idp test','SP','SAML2.0')

getConfigListValueInMap

Online command that returns a list nested in a map.

Description

This command returns a list, nested in a map, from config.xml.

Syntax

getConfigListValueInMap(configName, mapName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the list to be fetched from the map.

Example

The following command returns mylistA:

wls:/mydomain/serverConfig> getConfigListValueInMap('serverConfig','mymapA','mylistA')

getConfigMapEntryInMap

Online command that returns a map property entry nested in a map.

Description

This command returns a map property entry, nested in a map, from config.xml.

Syntax

getConfigMapEntryInMap(configName, mapname, nestedMapName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be accessed.
mapname Specifies the name of the property map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be fetched from the nested map.

Example

The following command returns property entry myvarA:

wls:/mydomain/serverConfig> getConfigMapEntryInMap('serverconfig','mymap','nestedmapA','myvarA')

getConfigProperty

Online command that returns a property value.

Description

This command returns a property value from config.xml.

Syntax

getConfigProperty(configName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be accessed.
propName Specifies the name of the property to be fetched from config.xml.

Example

The following command returns property myvarA:

wls:/mydomain/serverConfig> getConfigProperty('serverconfig','myvarA')

getConfigPropertyList

Online command that returns a property list.

Description

This command returns a property list from config.xml.

Syntax

getConfigPropertyList(configName, listName)
Argument Definition
configName Specifies the configuration name.
listName Specifies the name of the property list to be fetched from config.xml.

Example

The following command returns mylistA:

wls:/mydomain/serverConfig> getConfigPropertyList('serverconfig','mylistA')

getConfigPropertyMapEntry

Online command that returns a property value from a map.

Description

This command returns a property value from a map in config.xml.

Syntax

getConfigPropertyMapEntry(configName, mapName, propName)
Argument Definition
configName Specifies the configuration name (for example, idpsaml20, serverconfig, spsaml20,..).
mapName Specifies the name of the property map.
propName Specifies the name of the property to be fetched from the map in config.xml.

Example

The following command returns property propA:

wls:/mydomain/serverConfig> getConfigPropertyMapEntry('serverconfig','mapA', 'propA')

getFederationListValueInMap

Online command that returns a list value nested in a map.

Description

This command returns a list value nested in a map from cot.xml.

Syntax

getFederationListValueInMap(providerID, mapName, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the list to be fetched from the map.

Example

The following command returns nested list mylistA:

wls:/mydomain/serverConfig> getFederationListValueInMap('providerA','mymapA','mylistA')

getFederationMapEntryInMap

Online command that returns a map property entry nested in a map.

Description

This command returns a map property entry, nested in a map, from cot.xml.

Syntax

getFederationMapEntryInMap(providerID, mapName, nestedMapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be fetched from the nested map.

Example

The following command returns property entry myvarA:

wls:/mydomain/serverConfig> getFederationMapEntryInMap('providerA','mymap','nestedmapA','myvarA')

getFederationProperty

Online command that returns a property value.

Description

This command returns a property value from cot.xml.

Syntax

getFederationProperty(providerID, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
propName Specifies the name of the property to be fetched from cot.xml.

Example

The following command returns property myvarA:

wls:/mydomain/serverConfig> getFederationProperty('providerA','myvarA')

getFederationPropertyList

Online command that returns a property list.

Description

This command returns a property list from cot.xml.

Syntax

getFederationPropertyList(providerID, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
listName Specifies the name of the property list to be fetched from cot.xml.

Example

The following command returns list mylistA:

wls:/mydomain/serverConfig> getFederationPropertyList('providerA','mylistA')

extractproviderprops

A WLST script that exports the properties of a provider.

Description

A WLST script that extracts all the configuration properties of the specified provider and exports them to a text file. You can later use this file to set the same properties on another provider. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.

Syntax

extractproviderprops.py providerID filename
Argument Definition
providerID Specifies the name of the provider whose properties are to be extracted.
filename Specifies the name of the text file to which the provider properties are extracted.

When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.

File Format

The format of the extract file is:

TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE

For example:

X:X:sendattribute:false:boolean
MAP:attributelist/mailemail:datastore-attr:mail:string
LIST:sendattributefornameid:unspecified::string

setproviderprops

A WLST script that sets the properties of a provider using values from a text file.

Description

A WLST script that sets the properties of a provider using values from a text file. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.

The text file is generated by the extractproviderprops command.

Syntax

setproviderprops.py providerID filename
Argument Definition
providerID Specifies the name of the provider whose properties are to be updated.
filename Specifies the name of the input file from which to read the properties.

When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.
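The extract file format described under extractproviderprops, and its replay by setproviderprops, as an added example that is not Oracle's script: a Python parser for TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE lines that checks each record's PROPTYPE and value before anything is replayed and maps it to the per-provider WLST command documented on this page. It assumes, from the sample lines rather than from the documentation, that a NAME of the form outer/inner denotes a map nested in a map and that a LIST line carries the list value in its PROPNAME field.

```python
"""Added example (not Oracle's extractproviderprops.py or setproviderprops.py):
parse a TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE extract, validate it, and map
each record to the per-provider WLST command that would set the same property."""
import re

VALID_TYPES = ("boolean", "string", "long")

# Constructed sample extract; the three lines are the documented sample lines.
SAMPLE_EXTRACT = """\
X:X:sendattribute:false:boolean
MAP:attributelist/mailemail:datastore-attr:mail:string
LIST:sendattributefornameid:unspecified::string
"""


def parse_extract(text):
    """Return one dict per non-empty line.

    PROPVALUE may itself contain colons (for example the authentication
    mechanism 'oracle:fed:authentication:unspecified'), so the first three
    fields are split from the left and PROPTYPE is split off from the right.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        head = line.split(":", 3)
        if len(head) != 4 or ":" not in head[3]:
            raise ValueError("line %d: expected TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE" % lineno)
        value, proptype = head[3].rsplit(":", 1)
        records.append({
            "line": lineno,
            "kind": head[0],       # X (top-level property), MAP or LIST
            "name": head[1],       # map or list name; 'X' for a top-level property
            "propname": head[2],
            "value": value,
            "type": proptype.lower(),
        })
    return records


def entry_value(rec):
    """The value a record carries. Assumption: a LIST line stores the list
    value in the PROPNAME field and leaves PROPVALUE empty (see sample)."""
    return rec["propname"] if rec["kind"] == "LIST" else rec["value"]


def validate(records):
    """Return a list of problems; an empty list means the file can be replayed."""
    problems = []
    for rec in records:
        where = "line %d" % rec["line"]
        val = entry_value(rec)
        if rec["kind"] not in ("X", "MAP", "LIST"):
            problems.append("%s: unknown TYPE %r" % (where, rec["kind"]))
        if rec["type"] not in VALID_TYPES:
            problems.append("%s: PROPTYPE must be one of %s" % (where, ", ".join(VALID_TYPES)))
        elif rec["type"] == "boolean" and val not in ("true", "false"):
            problems.append("%s: boolean value must be true or false, got %r" % (where, val))
        elif rec["type"] == "long" and not re.match(r"^-?\d+$", val):
            problems.append("%s: long value must be an integer, got %r" % (where, val))
    return problems


def _q(s):
    """Quote a value as a single-quoted Jython string literal."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def to_wlst_call(provider_id, rec):
    """Map one record to the WLST command from this page that sets it."""
    args = [provider_id]
    if rec["kind"] == "X":
        cmd = "setFederationProperty"
        args += [rec["propname"], rec["value"]]
    elif rec["kind"] == "MAP":
        # Assumption: 'outer/inner' in NAME denotes a map nested in a map.
        if "/" in rec["name"]:
            cmd = "addFederationMapEntryInMap"
            outer, inner = rec["name"].split("/", 1)
            args += [outer, inner, rec["propname"], rec["value"]]
        else:
            cmd = "addFederationPropertyMapEntry"
            args += [rec["name"], rec["propname"], rec["value"]]
    elif rec["kind"] == "LIST":
        cmd = "addFederationPropertyListEntry"
        args += [rec["name"], entry_value(rec)]
    else:
        raise ValueError("line %d: unknown TYPE %r" % (rec["line"], rec["kind"]))
    args.append(rec["type"])
    return "%s(%s)" % (cmd, ",".join(_q(a) for a in args))


def to_wlst_calls(provider_id, records):
    return [to_wlst_call(provider_id, r) for r in records]


if __name__ == "__main__":
    recs = parse_extract(SAMPLE_EXTRACT)
    for problem in validate(recs):
        print("PROBLEM " + problem)
    for call in to_wlst_calls("providerA", recs):
        print(call)
```

The generated calls assume the target maps and lists already exist on the provider (createFederationPropertyMap, createFederationPropertyListInMap, and so on); run validate() and fix any reported line before replaying.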

getFederationPropertyMapEntry

Online command that returns a property value from a map.

Description

This command returns a property value from a map in cot.xml.

Syntax

getFederationPropertyMapEntry(providerID, mapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
propName Specifies the name of the property to be fetched from the map.

Example

The following command returns property propA from a map:

wls:/mydomain/serverConfig> getFederationPropertyMapEntry('providerA','mapA', 'propA')

listCustomAuthnEngines

Online command that returns a list of custom authentication integration engines.

Description

This command returns a list of custom authentication integration engines from config.xml.

Syntax

listCustomAuthnEngines()

Example

The following command returns the list of all custom authentication integration engines:

wls:/mydomain/serverConfig> listCustomAuthnEngines()

listCustomSPEngines

Online command that returns a list of custom SP integration engines.

Description

This command returns a list of custom service provider (SP) integration engines from config.xml.

Syntax

listCustomSPEngines()

Example

The following command returns the list of all SP integration engines:

wls:/mydomain/serverConfig> listCustomSPEngines()

loadMetadata

Online command that loads metadata from an input file.

Description

This command loads metadata from an input file into cot.xml.

Syntax

loadMetadata(metadatafile,description)
Argument Definition
metadatafile Specifies the metadata file of the peer provider to be added or updated.
description This is a brief description of the peer provider to be loaded.

Example

The following command loads metadata from the file metadatafile.xml:

wls:/mydomain/serverConfig> loadMetadata('/home/metadatafile.xml','some description')

oifStatus

Online command that reports the current status of the Oracle Identity Federation application in the managed server to which WLST is connected.

Description

This command displays the current status of Oracle Identity Federation on the managed server.

Syntax

oifStatus([configfile], [keyfile], [serverurl])
Argument Definition
configfile This is a pre-defined user configuration file created with the WLST storeUserConfig command.
keyfile This is a pre-defined key file created with the WLST storeUserConfig command.
serverurl Specifies the URL of the managed server.

Example

The following command provides no arguments; WLST prompts you for the Oracle WebLogic Server username, password, and the managed server URL, then displays the federation server status:

wls:/mydomain/serverConfig> oifStatus()

The following command provides only the managed server URL; WLST prompts you for the Oracle WebLogic Server username and password:

wls:/mydomain/serverConfig> oifStatus('', '', 't3://localhost:7499')

The following command provides all arguments needed for WLST to display the federation server status:

wls:/mydomain/serverConfig> oifStatus('configfileA', 'keyfileB', 't3://localhost:7499')

removeConfigListInMap

Online command that removes a list property nested in a map.

Description

This command removes a list property nested in a map from config.xml.

Syntax

removeConfigListInMap(configName, mapName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the list to be removed from the map.

Example

The following command removes the list property mylistA:

wls:/mydomain/serverConfig> removeConfigListInMap('serverConfig','mymapA','mylistA')

removeConfigMapEntryInMap

Online command that removes a map property nested in a map.

Description

This command removes a map property entry nested in a map from config.xml.

Syntax

removeConfigMapEntryInMap(configName, mapName, nestedMapName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be accessed.
mapName Specifies the name of the property map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be removed from the nested map.

Example

The following command removes the nested property myvarA:

wls:/mydomain/serverConfig> removeConfigMapEntryInMap('serverconfig','mymap','nestedmapA','myvarA')

removeConfigMapInMap

Online command that removes a property map nested in a map.

Description

This command removes a property map nested inside a map from config.xml.

Syntax

removeConfigMapInMap(configName, mapName, nestedMapName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
mapName Specifies the name of the property map containing the nested map.
nestedMapName Specifies the name of the nested property map to be removed.

Example

The following command removes the nested map nestedmapA from mymap:

wls:/mydomain/serverConfig> removeConfigMapInMap('serverconfig','mymap','nestedmapA')

removeConfigProperty

Online command that removes a configuration property.

Description

This command removes a property from config.xml.

Syntax

removeConfigProperty(configName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
propName Specifies the name of the property to be removed.

Example

The following command removes the property myvarA:

wls:/mydomain/serverConfig> removeConfigProperty('serverconfig','myvarA')

removeConfigPropertyList

Online command that removes a configuration property list.

Description

This command removes a property list from config.xml.

Syntax

removeConfigPropertyList(configName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
listName Specifies the name of the property list to be removed.

Example

The following command removes the property list mylistA:

wls:/mydomain/serverConfig> removeConfigPropertyList('serverconfig','mylistA')

removeConfigPropertyMap

Online command that removes a property map.

Description

This command removes a property map in config.xml.

Syntax

removeConfigPropertyMap(configName, mapName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
mapName Specifies the name of the property map to be removed.

Example

The following command removes mapA:

wls:/mydomain/serverConfig> removeConfigPropertyMap('serverconfig','mapA')

removeConfigPropertyMapEntry

Online command that removes a property value from a map.

Description

This command removes a property value from a map in config.xml.

Syntax

removeConfigPropertyMapEntry(configName, mapName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
mapName Specifies the name of the property map to be updated.
propName Specifies the name of the property to be removed from the map.

Example

The following command removes property propA:

wls:/mydomain/serverConfig> removeConfigPropertyMapEntry('serverconfig','mapA', 'propA')

removeFederationListInMap

Online command that removes a property list in a map.

Description

This command removes a property list from a map in cot.xml.

Syntax

removeFederationListInMap(providerID, mapName, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the property list to be removed.

Example

The following command removes mylistA in mymapA:

wls:/mydomain/serverConfig> removeFederationListInMap('providerA','mymapA','mylistA')

removeFederationMapInMap

Online command that removes a nested map in a map.

Description

This command removes a property map nested inside a map in cot.xml.

Syntax

removeFederationMapInMap(providerID, mapName, nestedMapName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map containing the nested map.
nestedMapName Specifies the name of the nested property map to be removed.

Example

The following command removes nestedmapA in mymap:

wls:/mydomain/serverConfig> removeFederationMapInMap('providerA','mymap','nestedmapA')

removeFederationMapEntryInMap

Online command that removes a nested map property entry in a map.

Description

This command removes a property name/value pair from a map nested inside a map in cot.xml.

Syntax

removeFederationMapEntryInMap(providerID, mapName, nestedMapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map containing the nested map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be removed from the nested map.

Example

The following command removes map property entry myvarA:

wls:/mydomain/serverConfig> removeFederationMapEntryInMap('providerA','mymap','nestedmapA','myvarA')

removeFederationProperty

Online command that removes a property value.

Description

This command removes a property entry in cot.xml.

Syntax

removeFederationProperty(providerID, propName)
Argument Definition
providerID Specifies the name of the peer provider to be updated.
propName Specifies the name of the property to be removed.

Example

The following command removes the provider property myvarA:

wls:/mydomain/serverConfig> removeFederationProperty('providerA','myvarA')

removeFederationPropertyList

Online command that removes a property list entry.

Description

This command removes a property list entry in cot.xml.

Syntax

removeFederationPropertyList(providerID, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
listName Specifies the name of the property list to be removed.

Example

The following command removes mylistA:

wls:/mydomain/serverConfig> removeFederationPropertyList('providerA','mylistA')

removeFederationPropertyMap

Online command that removes a property map.

Description

This command removes a property map in cot.xml.

Syntax

removeFederationPropertyMap(providerID, mapName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map to be removed.

Example

The following command removes a map:

wls:/mydomain/serverConfig> removeFederationPropertyMap('providerA','mapA')

removeFederationPropertyMapEntry

Online command that removes a property value from a map.

Description

This command removes a property value from a map in cot.xml.

Syntax

removeFederationPropertyMapEntry(providerID, mapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map to be updated.
propName Specifies the name of the property to be removed from the map.

Example

The following command removes property propA from a map:

wls:/mydomain/serverConfig> removeFederationPropertyMapEntry('providerA','mapA', 'propA')

removePeerProviderEntry

Online command that removes a peer provider entry.

Description

This command removes a peer provider entry from cot.xml.

Syntax

removePeerProviderEntry(providerID)
Argument Definition
providerID Specifies the name of the peer provider to be removed.

Example

The following command removes providerA:

wls:/mydomain/serverConfig> removePeerProviderEntry('providerA')

setConfigProperty

Online command that sets a property value in config.xml.

Description

This command adds or updates a property value in config.xml.

Syntax

setConfigProperty(configName, propName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated.
propName Specifies the name of the property to be added/updated in config.xml.
value Specifies the property value.
type Specifies the type of property, BOOLEAN or STRING or LONG.

Example

The following command sets the property myvarA and its value in the server configuration:

wls:/mydomain/serverConfig> setConfigProperty('serverconfig','myvarA','myvalA','string')

setCustomAuthnEngine

Online command that updates a custom authentication integration engine.

Description

This command updates a custom authentication integration engine in config.xml.

Syntax

setCustomAuthnEngine(engineID, name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument Definition
engineID Specifies the engine ID of an existing engine.
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false).
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

Example

The following command updates the configuration of custom authentication engine abcdef:

wls:/mydomain/serverConfig> setCustomAuthnEngine('abcdef',
'custom one','false','oracle:fed:authentication:unspecified','webcontext')

setCustomSPEngine

Online command that updates a custom SP integration engine.

Description

This command updates an existing custom SP integration engine in config.xml.

Syntax

setCustomSPEngine(engineID, name, [enabled], [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument Definition
engineID Specifies the engine ID of an existing custom engine.
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false).
authnMech Specifies the authentication mechanism for the engine.
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

Example

The following command sets the name and the enabled flag for the engine with ID engineID2:

wls:/mydomain/serverConfig> setCustomSPEngine('engineid2','test','true')

setFederationProperty

Online command that adds or updates a property value.

Description

This command adds a property entry or updates an existing entry in cot.xml.

Syntax

setFederationProperty(providerID, propName, value, type)
Argument Definition
providerID Specifies the name of the peer provider to be updated.
propName Specifies the name of the property to be added or updated in cot.xml.
value Specifies the property value.
type Specifies the type of the property: BOOLEAN, STRING, or LONG.

Example

The following command creates the property myvarA and sets its value:

wls:/mydomain/serverConfig> setFederationProperty('providerA','myvarA','myvalA','string')

Directory Integration Platform Commands

Some of the Directory Integration Platform (DIP) tools use WLST internally, and therefore, there are no custom WLST commands available to run from the WLST command prompt or to use within scripts. For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware User Reference for Oracle Identity Management.

Security Commands

Use the WLST security commands listed in Table 4-5 to operate on a domain policy or credential store, and to migrate policies and credentials from a source repository to a target repository.

Table 4-5 WLST Security Commands

Use this command... To... Use with WLST...

listAppStripes

List application stripes in policy store.

Online

createAppRole

Create a new application role.

Online

deleteAppRole

Remove an application role.

Online

grantAppRole

Add a principal to a role.

Online

revokeAppRole

Remove a principal from a role.

Online

listAppRoles

List all roles in an application.

Online

listAppRoleMembers

List all members in an application role.

Online

grantPermission

Create a new permission.

Online

revokePermission

Remove a permission.

Online

listPermissions

List all permissions granted to a principal.

Online

deleteAppPolicies

Remove all policies in an application.

Online

migrateSecurityStore

Migrate policies or credentials from a source repository to a target repository.

Offline

listCred

Obtain the list of attribute values of a credential.

Online

updateCred

Modify the attribute values of a credential.

Online

createCred

Create a new credential.

Online

deleteCred

Remove a credential.

Online

modifyBootStrapCredential

Update bootstrap credential store

Offline

addBootStrapCredential

Add a credential to the bootstrap credential store

Offline

reassociateSecurityStore

Reassociate policies and credentials to an LDAP repository

Online

upgradeSecurityStore

Upgrade security data from data used with release 10.1.x to data used with release 11.

Offline

createResourceType

Create a new resource type.

Online

getResourceType

Fetch an existing resource type.

Online

deleteResourceType

Remove an existing resource type.

Online

createResource

Create a resource.

Online

deleteResource

Remove a resource.

Online

listResources

List resources in an application stripe.

Online

listResourceActions

List actions in a resource.

Online

createEntitlement

Create an entitlement.

Online

getEntitlement

List an entitlement.

Online

deleteEntitlement

Remove an entitlement.

Online

addResourceToEntitlement

Add a resource to an entitlement.

Online

revokeResourceFromEntitlement

Remove a resource from an entitlement

Online

listEntitlements

List entitlements in an application stripe.

Online

grantEntitlement

Create an entitlement.

Online

revokeEntitlement

Remove an entitlement.

Online

listEntitlement

List an entitlement.

Online

listResourceTypes

List resource types in an application stripe.

Online


createAppRole

Online command that creates a new application role.

Description

Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

Example

The following invocation creates a new application role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")

deleteAppRole

Online command that removes an application role.

Description

Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

deleteAppRole(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

Example

The following invocation removes the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> deleteAppRole(appStripe="myApp", appRoleName="myRole")

grantAppRole

Online command that adds a principal to a role.

Description

Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

grantAppRole(appStripe, appRoleName,principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.
principalClass 
Specifies the fully qualified name of a class.
principalName 
Specifies the principal name.

Example

The following invocation adds a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp",  
appRoleName="myRole",principalClass="com.example.xyzPrincipal",
principalName="myPrincipal")

revokeAppRole

Online command that removes a principal from a role.

Description

Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.
principalClass 
Specifies the fully qualified name of a class.
principalName 
Specifies the principal name.

Example

The following invocation removes a principal from the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", 
appRoleName="myRole",principalClass="com.example.xyzPrincipal", 
principalName="myPrincipal")

listAppRoles

Online command that lists all roles in an application.

Description

Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoles(appStripe)
Argument Definition
appStripe 
Specifies an application stripe.

Example

The following invocation returns all roles with application stripe myApp:

wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")

listAppRoleMembers

Online command that lists all members in a role.

Description

Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoleMembers(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

Example

The following invocation returns all members in the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")

grantPermission

Online command that creates a new permission.

Description

Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
codeBaseURL 
Specifies the URL of the code granted the permission.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.
permClass 
Specifies the fully qualified name of the permission class.
permTarget 
Specifies, when available, the name of the permission target. Some permissions may not include this attribute.
permActions 
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

Examples

The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> grantPermission(appStripe="myApp",  
principalClass="my.custom.Principal",  principalName="manager",
permClass="java.security.AllPermission")

The following invocation creates a new system permission with the specified data:

wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager",
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext",
permActions="read,write")
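The two examples above differ a great deal in scope: java.security.AllPermission covers every permission class, while the FilePermission grant is limited to one path and two actions. The following Python model is an added example, not Oracle code and not part of WLST; it re-implements the implies() rules of java.security.AllPermission and java.io.FilePermission so that, before calling grantPermission, a reviewer can test offline whether a proposed grant is already covered by what the principal holds and which existing grants deserve a second look. The permission class names and the two sample grants come from the page; Grant, implies, is_covered and broad_grants are names assumed for this example.

```python
"""Offline model of the Java permission semantics behind grantPermission,
revokePermission and listPermissions.

Added example, not Oracle's code and not part of WLST. It re-implements the
implies() rules of java.security.AllPermission and java.io.FilePermission in
plain Python so a reviewer can check, before calling grantPermission, whether a
proposed grant is already covered by what the principal holds, and which of the
held grants are broader than they look. Grant, implies, is_covered and
broad_grants are this example's own names.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

ALL_PERMISSION = "java.security.AllPermission"
FILE_PERMISSION = "java.io.FilePermission"
# Full action set of java.io.FilePermission; holding all of them is as broad as it gets.
FILE_ACTIONS = frozenset({"read", "write", "execute", "delete", "readlink"})


@dataclass(frozen=True)
class Grant:
    """Mirror of the permClass / permTarget / permActions arguments of grantPermission."""
    perm_class: str
    perm_target: Optional[str] = None
    perm_actions: Optional[str] = None

    def actions(self) -> frozenset:
        """permActions is a comma-separated list; normalise it to a set."""
        if not self.perm_actions:
            return frozenset()
        return frozenset(a.strip() for a in self.perm_actions.split(",") if a.strip())


def _split_file_target(target: str) -> Tuple[str, str]:
    """Classify a FilePermission target: 'dir/-' (recursive), 'dir/*' (direct children) or exact."""
    if target.endswith("/-"):
        return target[:-2], "recursive"
    if target.endswith("/*"):
        return target[:-2], "children"
    return target, "exact"


def _file_target_implies(granted: str, requested: str) -> bool:
    """Path part of java.io.FilePermission.implies, using '/' as the path boundary."""
    if granted == "<<ALL FILES>>":
        return True
    if requested == "<<ALL FILES>>":
        return False
    gbase, gkind = _split_file_target(granted)
    rbase, rkind = _split_file_target(requested)
    under = rbase.startswith(gbase + "/")
    if gkind == "recursive":
        # Everything below gbase; a wildcard request may also sit at gbase itself.
        return under or (rkind != "exact" and rbase == gbase)
    if gkind == "children":
        if rkind == "exact":
            return under and "/" not in rbase[len(gbase) + 1:]
        return rkind == "children" and rbase == gbase
    return rkind == "exact" and rbase == gbase


def implies(granted: Grant, requested: Grant) -> bool:
    """True if holding `granted` already satisfies a check for `requested`."""
    if granted.perm_class == ALL_PERMISSION:
        return True
    if granted.perm_class != requested.perm_class:
        return False
    if not requested.actions() <= granted.actions():
        return False
    if granted.perm_class == FILE_PERMISSION:
        return _file_target_implies(granted.perm_target or "", requested.perm_target or "")
    # Other permission classes: conservative exact match on the target.
    return granted.perm_target == requested.perm_target


def is_covered(requested: Grant, held: Iterable[Grant]) -> bool:
    """Would a grantPermission call for `requested` add anything beyond `held`?"""
    return any(implies(g, requested) for g in held)


def broad_grants(held: Iterable[Grant]) -> List[str]:
    """Flag grants a reviewer should look at twice: AllPermission and filesystem-wide access."""
    findings = []
    for g in held:
        if g.perm_class == ALL_PERMISSION:
            findings.append("AllPermission grants every permission, including classes added later")
        elif g.perm_class == FILE_PERMISSION:
            if g.perm_target in ("<<ALL FILES>>", "/-"):
                findings.append(f"FilePermission on {g.perm_target} covers the whole filesystem")
            elif g.actions() >= FILE_ACTIONS:
                findings.append(f"FilePermission on {g.perm_target} carries every action")
    return findings


# Constructed sample modelled on the two grantPermission examples above: the
# application-stripe grant of AllPermission and the system grant on /tmp/fileName.ext.
HELD_BY_MANAGER = [
    Grant(ALL_PERMISSION),
    Grant(FILE_PERMISSION, "/tmp/fileName.ext", "read,write"),
]

if __name__ == "__main__":
    wanted = Grant(FILE_PERMISSION, "/tmp/fileName.ext", "read")
    print("already covered:", is_covered(wanted, HELD_BY_MANAGER))
    for finding in broad_grants(HELD_BY_MANAGER):
        print("review:", finding)
```

Run against the page's two grants, is_covered reports that a further read grant on /tmp/fileName.ext adds nothing, and broad_grants flags the AllPermission entry; the FilePermission grant on a single file passes unflagged.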

revokePermission

Online command that removes a permission.

Description

Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
codeBaseURL 
Specifies the URL of the code granted the permission.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.
permClass 
Specifies the fully qualified name of the permission class.
permTarget 
Specifies, when available, the name of the permission target. Some permissions may not include this attribute.
permActions 
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

Examples

The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> revokePermission(appStripe="myApp",  
principalClass="my.custom.Principal", principalName="manager", 
permClass="java.security.AllPermission")

The following invocation removes the system permission with the specified data:

wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager",  
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permActions="read,write")

listPermissions

Online command that lists all permissions granted to a given principal.

Description

Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

listPermissions([appStripe,] principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.

Examples

The following invocation lists all permissions granted to a principal by the policies of application myApp:

wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager")

The following invocation lists all permissions granted to a principal by system policies:

wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")

deleteAppPolicies

Online command that removes all policies with a given application stripe.

Description

Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

deleteAppPolicies(appStripe)
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.

Example

The following invocation removes all policies of application myApp:

wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")

migrateSecurityStore

Offline command that migrates identities, application-specific or system policies, a specific credential folder, or all credentials.

Description

Migrates identities, application-specific, or system policies from a source repository to a target repository. Migrates a specific credential folder or all credentials.

The kinds of repository in which the source and target data are stored are transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP repositories must be an OVD or OID LDAP server only). In the event of an error, the command returns a WLSTException.

Syntax

The command syntax varies depending on the scope (system or application-specific or both) of the policies being migrated.

Optional arguments are enclosed in square brackets.

To migrate identities, use the following syntax:

migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])

To migrate all policies (system and application-specific, for all applications) use the following syntax

migrateSecurityStore(type="policyStore", configFile, src, 
dst,[overWrite,][preserveAppRoleGuid])

To migrate just system policies, use the following syntax:

migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])

To migrate just application-specific policies, for one application, use the following syntax:

migrateSecurityStore(type="appPolicies", configFile,src, dst, srcApp 
[,dstApp] [,overWrite] [,migrateIdStoreMapping][,preserveAppRoleGuid] [,mode])

To migrate all credentials, use the following syntax:

migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])

To migrate just one credential folder, use the following syntax:

migrateSecurityStore(type="folderCred", configFile, src, dst, [srcFolder,]
[dstFolder,] [srcConfigFile,] [overWrite])
Argument Definition
type 
Specifies the kind of data migrated.

To migrate identities, set it to idStore.

To migrate all policies (system and application-specific, for all applications), set to policyStore.

To migrate just system policies, set to globalPolicies.

To migrate just application-specific policies, set to appPolicies.

To migrate all credentials, set to credStore.

To migrate just one credential folder, set to folderCred.

configFile  
Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The configuration file passed need not be an actual domain configuration file, but it can be assembled just to specify the source and destination repositories of the migration.
src 
Specifies the name of a jps-context in the configuration file passed to the argument configFile, where the source store is specified.
dst 
Specifies the name of another jps-context in the configuration file passed to the argument configFile, where the destination store is specified.
srcApp 
Specifies the name of the source application, that is, the application whose policies are being migrated.
dstApp 
Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application.
srcFolder 
Specifies the name of the folder from where credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder.
dstFolder 
Specifies the folder to where the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder.
srcConfigFile 
Specifies the location of an alternate configuration file, and it is used in the special case in which credentials are not configured in the file passed to configFile. This argument is optional. If unspecified, it defaults to the value passed to configFile; if specified, the value passed to configFile is ignored.
overWrite 
Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data.
migrateIdStoreMapping 
Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to false to exclude enterprise policies from the migration of application policies.
dstLdifFile
Specifies the location where the LDIF file will be created. Required only if destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the importing of the file LDIF should be done manually, after the file has been edited to account for the appropriate attributes required in your LDAP server.
preserveAppRoleGuid
Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false by default. Set to true to preserve GUIDs; set to false to recreate GUIDs.
mode
Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, to migrate just one of the duplicated items, and to log a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict.

Note the following requirements about the passed arguments:

  • The file jps-config.xml is found in the passed location.

  • The file jps-config.xml includes the passed jps-contexts.

  • The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.

Example

The following invocation illustrates the migration of the file-based policies of application PolicyServlet1 to file-based policies of application PolicyServlet2, that does not stop on encountering duplicate principals or permissions, that migrates just one of duplicate items, and that logs a warning when duplicates are found:

wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies",
configFile="jps-config.xml", src="default1", dst="context2",
srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="policystore1.xml" provider="some.provider">
  <property name="location" value="jazn-data1.xml"/>
</serviceInstance>
<serviceInstance name="policystore2.xml" provider="some.provider">
  <property name="location" value="jazn-data2.xml"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="policystore1.xml"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="policystore2.xml"/>
  ...
</jpsContext>

The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but assumed located in the current directory.

The following invocation illustrates the migration of file-based credentials from one location to another:

wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-config.xml", src="default1", dst="context2")

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="credstore1" provider="some.provider">
  <property name="location" value="./credstore1/cwallet.sso"/>
</serviceInstance>
<serviceInstance name="credstore2" provider="some.provider">
  <property name="location" value="./credstore2/cwallet.sso"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="credstore1"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="credstore2"/>
  ...
</jpsContext>

For detailed configuration examples to use with this command, see Oracle Fusion Middleware Security Guide.
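Because migrateSecurityStore resolves both repositories from the jps-contexts named by src and dst, the three requirements listed above (the configuration file is where configFile says, it defines both contexts, and the two names are distinct) are worth checking before the offline command is run. The following Python script is an added example, not Oracle code and not part of WLST: it parses a jps-config.xml, maps each context to the store locations its serviceInstance references point at, and reports any requirement that is not met. SAMPLE_JPS_CONFIG is constructed from the two snippets above, wrapped in a root element so that it parses; parse_jps_config, resolve_store_locations and check_migration_args are names assumed for this example.

```python
"""Pre-flight check for the arguments of migrateSecurityStore.

Added example, not Oracle code and not part of WLST. It parses a jps-config.xml,
resolves the src and dst jps-contexts to the serviceInstance locations they
reference, and verifies the requirements the documentation states: the file is
at the configFile location, it defines both contexts, and the two context names
are distinct. SAMPLE_JPS_CONFIG is constructed from the snippets on the page.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's serviceInstance / jpsContext fragments under one root.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="policystore1.xml" provider="some.provider">
      <property name="location" value="jazn-data1.xml"/>
    </serviceInstance>
    <serviceInstance name="policystore2.xml" provider="some.provider">
      <property name="location" value="jazn-data2.xml"/>
    </serviceInstance>
    <serviceInstance name="credstore1" provider="some.provider">
      <property name="location" value="./credstore1/cwallet.sso"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default1">
    <jpsContext name="default1">
      <serviceInstanceRef ref="policystore1.xml"/>
      <serviceInstanceRef ref="credstore1"/>
    </jpsContext>
    <jpsContext name="context2">
      <serviceInstanceRef ref="policystore2.xml"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _local(tag: str) -> str:
    """Strip an XML namespace ('{uri}name' -> 'name') so namespaced real files parse too."""
    return tag.rsplit("}", 1)[-1]


def parse_jps_config(xml_text: str) -> Tuple[Dict[str, Dict[str, Optional[str]]], Dict[str, List[str]]]:
    """Return (serviceInstances by name, jpsContexts by name -> referenced instance names)."""
    root = ET.fromstring(xml_text)
    instances: Dict[str, Dict[str, Optional[str]]] = {}
    contexts: Dict[str, List[str]] = {}
    for el in root.iter():
        tag = _local(el.tag)
        if tag == "serviceInstance":
            location = None
            for prop in el:
                if _local(prop.tag) == "property" and prop.get("name") == "location":
                    location = prop.get("value")
            instances[el.get("name")] = {"provider": el.get("provider"), "location": location}
        elif tag == "jpsContext":
            contexts[el.get("name")] = [
                ref.get("ref") for ref in el if _local(ref.tag) == "serviceInstanceRef"
            ]
    return instances, contexts


def resolve_store_locations(xml_text: str, context: str) -> Dict[str, Optional[str]]:
    """Map each serviceInstance a context references to the store location it points at."""
    instances, contexts = parse_jps_config(xml_text)
    return {ref: instances.get(ref, {}).get("location") for ref in contexts.get(context, [])}


def check_migration_args(xml_text: str, src: str, dst: str,
                         config_path: Optional[str] = None) -> List[str]:
    """Return the requirement violations found; an empty list means the call can proceed."""
    problems = []
    if config_path is not None and not os.path.isfile(config_path):
        problems.append(f"configFile {config_path!r} not found relative to the current directory")
    if src == dst:
        problems.append("src and dst must name distinct jps-contexts")
    instances, contexts = parse_jps_config(xml_text)
    for label, name in (("src", src), ("dst", dst)):
        if name not in contexts:
            problems.append(f"{label} context {name!r} is not defined in jps-config.xml")
            continue
        for ref in contexts[name]:
            if ref not in instances:
                problems.append(f"context {name!r} references unknown serviceInstance {ref!r}")
            elif instances[ref]["location"] is None:
                problems.append(f"serviceInstance {ref!r} has no location property")
    return problems


if __name__ == "__main__":
    # Mirrors the appPolicies invocation above: src="default1", dst="context2".
    print(resolve_store_locations(SAMPLE_JPS_CONFIG, "default1"))
    print(check_migration_args(SAMPLE_JPS_CONFIG, "default1", "context2") or "ok")
```

On the sample, default1 resolves to jazn-data1.xml and ./credstore1/cwallet.sso, context2 to jazn-data2.xml, and the src="default1", dst="context2" pair passes; naming the same context twice, or a context the file does not define, is reported before anything is migrated.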

listCred

Online command that returns the list of attribute values of a credential in the domain credential store.

Description

Returns the list of attribute values of a credential in the domain credential store with given map name and key name. This command lists the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException.

Syntax

listCred(map, key)
Argument Definition
map 
Specifies a map name (folder).
key 
Specifies a key name.

Example

The following invocation returns all the information (such as user name, password, URL, port, and description) in the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> listCred(map="myMap", key="myKey")

updateCred

Online command that modifies the type, user name, and password of a credential.

Description

Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

Optional arguments are enclosed in square brackets.

updateCred(map, key, user, password, [desc])
Argument Definition
map 
Specifies a map name (folder).
key 
Specifies a key name.
user 
Specifies the credential user name.
password 
Specifies the credential password.
desc 
Specifies a string describing the credential.

Example

The following invocation updates a password credential with the specified data:

wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", 
password="myPassw", desc="updated passw cred to connect to app xyz")

createCred

Online command that creates a new credential in the domain credential store.

Description

Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

Optional arguments are enclosed in square brackets.

createCred(map, key, user, password, [desc])
Argument Definition
map  
Specifies a map name (folder).
key 
Specifies a key name.
user 
Specifies the credential user name.
password 
Specifies the credential password.
desc 
Specifies a string describing the credential.

Example

The following invocation creates a new password credential with the specified data:

wls:/mydomain/serverConfig> createCred(map="myMap", key="myKey", user="myUsr", 
password="myPassw", desc="updated usr name and passw to connect to app xyz")

deleteCred

Online command that removes a credential in the domain credential store.

Description

Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.

Syntax

deleteCred(map,key)
Argument Definition
map  
Specifies a map name (folder).
key 
Specifies a key name.

Example

The following invocation removes the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> deleteCred(map="myMap", key="myKey")

modifyBootStrapCredential

Offline command that updates a bootstrap credential store.

Description

Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.

Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.

Syntax

modifyBootStrapCredential(jpsConfigFile, username, password)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
username 
Specifies the distinguished name of the user in the LDAP store.
password 
Specifies the password of the user.

Example

Suppose that in the LDAP store the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:

wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')

Any output regarding the audit service can be disregarded.

addBootStrapCredential

Offline command that adds a credential to the bootstrap credential store.

Description

Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.

Syntax

addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
map 
Specifies the map of the credential to add.
key 
Specifies the key of the credential to add.
username 
Specifies the name of the user in the credential to add.
password 
Specifies the password of the user in the credential to add.

Example

The following invocation adds a credential to the bootstrap credential store:

wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='myPassword')

reassociateSecurityStore

Online command that migrates the policy and credential stores to an LDAP repository.

Description

Migrates, within a given domain, both the policy store and the credential store to a target LDAP server repository. The only kinds of LDAP servers allowed are OID or OVD. This command also allows setting up a policy store shared by different domains (see the optional argument join below). In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

reassociateSecurityStore(domain, admin, password, ldapurl, servertype, jpsroot [, join])
Argument Definition
domain  
Specifies the domain name where the reassociating takes place.
admin 
Specifies the administrator's user name on the LDAP server. The format is cn=usrName.
password 
Specifies the password associated with the user specified for the argument admin.
ldapurl 
Specifies the URI of the LDAP server. The format is ldap://host:port, if you are using a default port, or ldaps://host:port, if you are using a secure LDAP port. The secure port must be configured specially for this function and it is distinct from the default (non-secure) port.
servertype 
Specifies the kind of the target LDAP server. The only valid types are OID or OVD.
jpsroot 
Specifies the root node in the target LDAP repository under which all data is migrated. The format is cn=nodeName.
join
Specifies whether the domain is to share a policy store specified in another domain. Optional. Set to true to share an existing policy store in another domain; set to false otherwise. The use of this argument allows multiple WebLogic domains to point to the same logical policy store.

Examples

The following invocation reassociates the domain policies and credentials to an LDAP Oracle Internet Directory server:

wls:/mydomain/serverConfig> reassociateSecurityStore(domain="myDomain", 
admin="cn=adminName", password="myPass",ldapurl="ldap://myhost.example.com:3060", 
servertype="OID", jpsroot="cn=testNode")

Suppose that you want some other domain (distinct from myDomain, say otherDomain) to share the policy store in myDomain. Then you would invoke the command as follows:

wls:/mydomain/serverConfig> reassociateSecurityStore(domain="otherDomain", 
admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", 
servertype="OID", jpsroot="cn=testNode", join="true")
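reassociateSecurityStore runs interactively against a live LDAP server, so it pays to check the argument formats documented above before invoking it: admin and jpsroot as cn=..., ldapurl as ldap://host:port or ldaps://host:port with an explicit port, servertype OID or OVD, and join as true or false. The following Python validator is an added example, not Oracle code and not part of WLST; validate_reassociate_args is a name assumed for this example, and the sample arguments are those of the two invocations above.

```python
"""Argument-format validator for reassociateSecurityStore.

Added example, not Oracle code and not part of WLST. It applies the formats the
documentation states for each argument and returns the problems found, so a
script can refuse to start the interactive reassociation with a malformed URL,
DN, server type or join flag. validate_reassociate_args is this example's name.
"""
from typing import List, Optional
from urllib.parse import urlsplit

VALID_SERVER_TYPES = ("OID", "OVD")  # the only target types the command accepts


def validate_reassociate_args(domain: str, admin: str, ldapurl: str, servertype: str,
                              jpsroot: str, join: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means every argument matches its documented format."""
    problems = []
    if not domain:
        problems.append("domain must name the WebLogic domain being reassociated")
    if not admin.lower().startswith("cn="):
        problems.append("admin must be an LDAP DN of the form cn=usrName")

    # ldap://host:port for the default port, ldaps://host:port for the secure port.
    parts = urlsplit(ldapurl)
    if parts.scheme not in ("ldap", "ldaps"):
        problems.append("ldapurl must start with ldap:// or ldaps://")
    elif not parts.hostname:
        problems.append("ldapurl must include a host")
    else:
        try:
            port = parts.port  # raises ValueError when the port is non-numeric or out of range
        except ValueError:
            problems.append("ldapurl port must be a number between 0 and 65535")
        else:
            if port is None:
                problems.append("ldapurl must include an explicit port (host:port)")

    if servertype not in VALID_SERVER_TYPES:
        problems.append(f"servertype must be one of {', '.join(VALID_SERVER_TYPES)}")
    if not jpsroot.lower().startswith("cn="):
        problems.append("jpsroot must be a node of the form cn=nodeName")
    if join is not None and join not in ("true", "false"):
        problems.append("join, when given, must be 'true' or 'false'")
    return problems


if __name__ == "__main__":
    # The page's second invocation: otherDomain joining the policy store of myDomain.
    print(validate_reassociate_args("otherDomain", "cn=adminName",
                                    "ldap://myhost.example.com:3060", "OID",
                                    "cn=testNode", join="true") or "arguments ok")
```

Both invocations from the page pass the check; a URL written as ldap//:host:port (the scheme separator misplaced), a URL without a port, or a servertype other than OID or OVD is reported instead of being discovered halfway through the interactive session.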

upgradeSecurityStore

Offline command that migrates release 10.1.x security data to release 11 security data.

Description

Migrates identity, policy, and credential data used in release 10.1.x to security data that can be used with release 11. The migration of each kind of data is performed with separate invocations of this command. In the event of an error, the command returns a WLSTException.

Syntax

The syntax varies according to the type of data being updated.

To upgrade 10.1.x XML identity data to 11 XML identity data, use the following syntax:

upgradeSecurityStore(type="xmlIdStore", jpsConfigFile, srcJaznDataFile, srcRealm, dst)

To upgrade 10.1.x XML policy data to 11 XML policy data, use the following syntax:

upgradeSecurityStore(type="xmlPolicyStore", jpsConfigFile, srcJaznDataFile, dst)

To upgrade 10.1.x OID LDAP-based policy data to 11 XML policy data, use the following syntax:

upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile, srcJaznDataFile, dst)

To upgrade 10.1.x XML credential data to 11 XML credential data, use the following syntax:

upgradeSecurityStore(type="xmlCredStore", jpsConfigFile, srcJaznDataFile, users, dst)
Argument Definition
type  
Specifies the kind of security data being upgraded. The only valid values are xmlIdStore, xmlPolicyStore, oidPolicyStore, and xmlCredStore.
jpsConfigFile 
Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The target store of the upgrading is read from the context specified with the argument dst.
srcJaznDataFile 
Specifies the location of a 10.1.x jazn data file relative to the directory where the command is run. This argument is required if the specified type is xmlIdStore, xmlPolicyStore, or xmlCredStore.
srcJaznConfigFile 
Specifies the location of a 10.1.x jazn configuration file relative to the directory where the command is run. This argument is required if the specified type is oidPolicyStore.
srcRealm 
Specifies the name of the realm from which identities need to be migrated. This argument is required if the specified type is xmlIdStore.
users 
Specifies a comma-separated list of users each formatted as realmName/userName. This argument is required if the specified type is xmlCredStore.
dst 
Specifies the name of the jpsContext in the file passed to the argument jpsConfigFile where the destination store is configured. Optional. If unspecified, it defaults to the default context in the file passed in the argument jpsConfigFile.

Examples

The following invocation migrates 10.1.3 file-based identities to an 11 file-based identity store:

wls:/mydomain/serverConfig> upgradeSecurityStore(type="xmlIdStore",  
jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml",
srcRealm="jazn.com")

The following invocation migrates a 10.1.3 OID-based policy store to an 11 file-based policy store:

wls:/mydomain/serverConfig> upgradeSecurityStore(type="oidPolicyStore", 
jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml",
dst="destinationContext")

createResourceType

Online command that creates a new resource type in the domain policy store within a given application stripe.

Description

Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. Optional arguments are enclosed in square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument Definition
appStripe  
Specifies the application stripe where to insert the resource type.
resourceTypeName 
Specifies the name of the resource type to insert.
displayName 
Specifies the name for the resource type used in UI gadgets.
description 
Specifies a brief description of the resource type.
provider 
Specifies the provider for the resource type.
matcher 
Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission.
actions 
Specifies the actions allowed on instances of the resource type.
delimeter 
Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','.

Example

The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:

wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", 
resourceTypeName="resTypeName", displayName="displName", description="A resource
type", provider="Printer", matcher="com.printer.Printer",
actions="BWPrint;ColorPrint", delimeter=";")

getResourceType

Online command that fetches a resource type from the domain policy store within a given application stripe.

Description

Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

getResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  
Specifies the application stripe from where to fetch the resource type.
resourceTypeName 
Specifies the name of the resource type to fetch.

Example

The following invocation fetches the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")

deleteResourceType

Online command that removes a resource type from the domain policy store within a given application stripe.

Description

Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

deleteResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  
Specifies the application stripe from where to remove the resource type.
resourceTypeName 
Specifies the name of the resource type to remove.

Example

The following invocation removes the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")

listAppStripes

Online or offline command that lists the application stripes in the policy store.

Description

This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.

If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited as described in "Running listAppStripes after Reassociating to a DB-Based Store" in Oracle Fusion Middleware Security Guide.

Syntax

listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument Definition
configFile  
Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store.
regularExpression 
Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *.

Examples

The following (online) invocation returns the list of application stripes in the policy store:

wls:/mydomain/serverConfig> listAppStripes()

The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:

wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")

The following (online) invocation returns the list of application stripes that contain the prefix App:

wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")

createResource

Online command that creates a new resource.

Description

Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
Argument Definition
appStripe  
Specifies the application stripe where the resource is created.
name  
Specifies the name of the resource created.
type  
Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked.
displayName  
Specifies the display name of the resource created. Optional.
description  
Specifies the description of the resource created. Optional.

Example

The following invocation creates the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")

deleteResource

Online command that deletes a resource.

Description

Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.

Syntax

deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument Definition
appStripe  
Specifies the application stripe where the resource is deleted.
name  
Specifies the name of the resource deleted.
type  
Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked.

Example

The following invocation deletes the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")

listResources

Online command that lists resources in a specified application stripe.

Description

If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.

Syntax

listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument Definition
appStripe  
Specifies the application stripe where the resources are listed.
type  
Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked.

Example

The following invocation lists all resources of type myResType in the stripe myApplication:

wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")

listResourceActions

Online command that lists the resources and actions in an entitlement.

Description

Lists the resources and actions in an entitlement within an application stripe.

Syntax

listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement resides.
permSetName  
Specifies the name of the entitlement whose resources and actions to list.

Example

The following invocation lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")

createEntitlement

Online command that creates a new entitlement.

Description

Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.

Syntax

createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is created.
name  
Specifies the name of the entitlement created.
resourceName  
Specifies the name of the one resource member of the entitlement created.
actions  
Specifies the comma-separated list of actions for the resource resourceName.
displayName  
Specifies the display name of the entitlement created. Optional.
description  
Specifies the description of the entitlement created. Optional.

Example

The following invocation creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")

getEntitlement

Online command that gets an entitlement.

Description

Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.

Syntax

getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to access.

Example

The following invocation returns the information of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")

deleteEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.

Syntax

deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is deleted.
name  
Specifies the name of the entitlement to delete.

Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")

addResourceToEntitlement

Online command that adds a resource with specified actions to an entitlement.

Description

Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to modify.
resourceName  
Specifies the name of the resource to add.
resourceType  
Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked.
actions  
Specifies the comma-separated list of actions for the added resource.

Example

The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:

wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", 
name="myEntitlement", resourceName="myResource", resourceType="myResType", 
actions="view,edit")

revokeResourceFromEntitlement

Online command that removes a resource from an entitlement.

Description

Removes a resource from an entitlement in a specified application stripe.

Syntax

revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to modify.
resourceName  
Specifies the name of the resource to remove.
resourceType  
Specifies the type of the resource to remove.
actions  
Specifies the comma-separated list of actions to remove.

Example

The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", 
resourceName="myResource", resourceType="myResType", actions="view,edit")

listEntitlements

Online command that lists the entitlements in an application stripe.

Description

Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.

Syntax

listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument Definition
appStripe  
Specifies the application stripe from where to list entitlements.
resourceTypeName  
Specifies the name of the type of the resources to list. Optional.
resourceName  
Specifies the name of resource to match. Optional.

Examples

The following invocation lists all the entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")

The following invocation lists all the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches the resource name myResName:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName") 

grantEntitlement

Online command that creates a new entitlement.

Description

Creates a new entitlement with a specified principal in a specified application stripe.

Syntax

grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is created.
principalClass  
Specifies the class associated with the principal.
principalName  
Specifies the name of the principal to which the entitlement is granted.
permSetName  
Specifies the name of the entitlement created.

Example

The following invocation creates the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")

revokeEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.

Syntax

revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is deleted.
principalClass  
Specifies the class associated with the principal.
principalName  
Specifies the name of the principal to which the entitlement is revoked.
permSetName  
Specifies the name of the entitlement deleted.

Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

listEntitlement

Online command that lists an entitlement in a specified application stripe.

Description

If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.

Syntax

listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument Definition
appStripe  
Specifies the application stripe from where to list entitlements.
principalName  
Specifies the name of the principal to match. Optional.
principalClass  
Specifies the class of the principal to match. Optional.

Example

The following invocation lists all entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlement(appStripe="myApplication")

listResourceTypes

Online command that lists resource types.

Description

Lists all the resource types in a specified application stripe.

Syntax

listResourceTypes(appStripe="appStripeName")
Argument Definition
appStripe  
Specifies the application stripe where the resource types are located.

Example

The following invocation lists all resource types in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")
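The policy-store commands above (createResourceType, createResource, createEntitlement, addResourceToEntitlement, deleteResource, deleteEntitlement, grantEntitlement, revokeEntitlement, listEntitlements, listEntitlement) each describe a rule about the stripe: a resource needs an existing type, an entitlement is created with exactly one resource, and deleteResource and deleteEntitlement cascade. The following script is an added example, not Oracle code and not part of this documentation: it models an application stripe in memory with those documented semantics so that an administrator can dry-run a change, in particular a cascading delete, and see which entitlements and grants would disappear before issuing the real WLST commands online. The class and method names are hypothetical, the printer resources and role in dry_run are constructed, and the only page value used verbatim is the ApplicationRole principal class from the grantEntitlement example. It is plain Python 3 meant to be run outside WLST (which itself runs Jython).

```python
# Hypothetical offline model of an OPSS application stripe (added example, not
# Oracle code). It mirrors the documented semantics of the policy-store WLST
# commands so a change, notably a cascading deleteResource, can be dry-run first.
APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"  # class used on this page

def _split(actions, sep=","):
    return set(a.strip() for a in actions.split(sep) if a.strip())


class PolicyStripe(object):
    def __init__(self, name):
        self.name = name
        self.resource_types = {}  # typeName -> actions defined on the type
        self.resources = {}       # resName -> typeName
        self.entitlements = {}    # entName -> {resName: granted actions}
        self.grants = set()       # (principalClass, principalName, entName)

    # createResourceType: the action list is split on 'delimeter' (default ',')
    def create_resource_type(self, name, actions, delimeter=","):
        if name in self.resource_types:
            raise ValueError("resource type exists: " + name)
        self.resource_types[name] = _split(actions, delimeter)

    # createResource: the type must already be present in the stripe
    def create_resource(self, name, type):
        if type not in self.resource_types:
            raise ValueError("unknown resource type: " + type)
        self.resources[name] = type

    # The resource must exist with that type and the actions must be defined on it.
    def _checked(self, res, res_type, actions):
        if res_type is None or self.resources.get(res) != res_type:
            raise ValueError("no resource %s of type %s" % (res, res_type))
        bad = _split(actions) - self.resource_types[res_type]
        if bad:
            raise ValueError("actions not defined on %s: %s" % (res_type, sorted(bad)))
        return _split(actions)

    # createEntitlement: exactly one resource member at creation time
    def create_entitlement(self, name, resource_name, actions):
        acts = self._checked(resource_name, self.resources.get(resource_name), actions)
        self.entitlements[name] = {resource_name: acts}

    def add_resource_to_entitlement(self, name, resource_name, resource_type, actions):
        acts = self._checked(resource_name, resource_type, actions)
        self.entitlements[name].setdefault(resource_name, set()).update(acts)

    # deleteResource cascade as documented: an entitlement that referred only to
    # this resource is removed outright; otherwise just this resource's actions go.
    def delete_resource(self, name, type):
        if self.resources.get(name) != type:
            raise ValueError("no resource %s of type %s" % (name, type))
        removed = []
        for ent, members in list(self.entitlements.items()):
            if name in members and len(members) == 1:
                self.delete_entitlement(ent)
                removed.append(ent)
            elif name in members:
                del members[name]
        del self.resources[name]
        return removed

    # deleteEntitlement cascade: every grant referencing it goes as well
    def delete_entitlement(self, name):
        del self.entitlements[name]
        self.grants = set(g for g in self.grants if g[2] != name)

    def grant_entitlement(self, principal_class, principal_name, perm_set_name):
        if perm_set_name not in self.entitlements:
            raise ValueError("unknown entitlement: " + perm_set_name)
        self.grants.add((principal_class, principal_name, perm_set_name))

    def revoke_entitlement(self, principal_class, principal_name, perm_set_name):
        self.grants.discard((principal_class, principal_name, perm_set_name))

    # listEntitlements: all, or only those holding the named resource of that type
    def list_entitlements(self, resource_type_name=None, resource_name=None):
        return sorted(e for e, m in self.entitlements.items() if resource_type_name is None
                      or (resource_name in m and self.resources.get(resource_name) == resource_type_name))

    # listEntitlement with a principal: the entitlements granted to that principal
    def list_entitlement(self, principal_name=None, principal_class=None):
        if principal_name is None:
            return sorted(self.entitlements)
        return sorted(g[2] for g in self.grants if g[:2] == (principal_class, principal_name))


def dry_run():
    # Constructed scenario: two printers, two entitlements, one role, then a cascade.
    s = PolicyStripe("myApplication")
    s.create_resource_type("resTypeName", "BWPrint;ColorPrint", delimeter=";")
    s.create_resource("printer1", "resTypeName")
    s.create_resource("printer2", "resTypeName")
    s.create_entitlement("printOnly", "printer1", "BWPrint")
    s.create_entitlement("printAll", "printer1", "BWPrint,ColorPrint")
    s.add_resource_to_entitlement("printAll", "printer2", "resTypeName", "ColorPrint")
    s.grant_entitlement(APP_ROLE, "operators", "printOnly")
    s.grant_entitlement(APP_ROLE, "operators", "printAll")
    removed = s.delete_resource("printer1", "resTypeName")  # printOnly is cascaded away
    return removed, s.list_entitlement("operators", APP_ROLE), s.list_entitlements("resTypeName", "printer2")
```

In the dry run, deleting printer1 removes the entitlement printOnly (it held that resource only) together with the operators role's grant to it, while printAll survives with printer2 alone; that is the effect an online deleteResource would have on the real stripe, which is why the model is worth consulting before a delete that touches a shared resource.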

Oracle Access Manager Commands

Use the WLST commands listed in Table 4-6 to manage Oracle Access Manager (OAM)-related components, such as authorization providers, identity asserters, and SSO providers, to display metrics and deployment topology, and to manage Oracle Access Manager server and agent configuration and logger settings.

Table 4-6 WLST Oracle Access Manager Commands

Use this command... To... Use with WLST...

listOAMAuthnProviderParams

List the parameters set for an Oracle Access Manager authentication or identity assertion provider.

Online

createOAMIdentityAsserter

Create a new identity asserter.

Online

updateOAMIdentityAsserter

Update an existing identity asserter.

Online

createOAMAuthenticator

Create a new authenticator.

Online

deleteOAMAuthnProvider

Delete an existing authentication provider.

Online

updateOAMAuthenticator

Update an existing authenticator.

Online

addOAMSSOProvider

Add a new SSO provider.

Online

displayTopology

List the details of deployed Oracle Access Manager Servers.

Online

Offline

displayMetrics

Display the performance metrics of an Oracle Access Manager Server and domain

Online

displayOamServer

Display Oracle Access Manager Server configuration details.

Online

Offline

createOamServer

Create an entry for an Oracle Access Manager Server configuration.

Online

Offline

editOamServer

Edit the entry for an Oracle Access Manager Server configuration.

Online

Offline

deleteOamServer

Delete the named Oracle Access Manager Server configuration.

Online

Offline

displayOssoAgent

Display OSSO Agent configuration details.

Online

Offline

editOssoAgent

Edit OSSO Agent configuration details.

Online

Offline

deleteOssoAgent

Delete the named OSSO Agent configuration.

Online

Offline

displayWebgateAgent

Display WebGate Agent configuration details.

Online

Offline

editWebgateAgent

Edit 10g WebGate Agent registration details.

Online

Offline

deleteWebgateAgent

Delete the named 10g WebGate Agent configuration.

Online

Offline

changeLoggerSetting

Change Logger Settings.

Online

Offline

changeConfigDataEncryptionKey

Regenerate the configuration data encryption key and re-encrypt data.

Online

Offline

displayUserIdentityStore

Display a user identity store registration.

Online

Offline

editUserIdentityStore

Edit a user identity store registration.

Online

Offline

createUserIdentityStore

Create a user identity store registration.

Online

Offline

deleteUserIdentityStore

Delete a user identity store registration.

Online

Offline

configRequestCacheType

Configure the SSO server request cache type.

Online

Offline

displayRequestCacheType

Display the SSO server request cache type entry.

Online

Offline

exportPolicy

Export Oracle Access Manager policy data from a test (source) to an intermediate Oracle Access Manager file.

Online

importPolicy

Import Oracle Access Manager policy data from the Oracle Access Manager file specified.

Online

importPolicyDelta

Import Oracle Access Manager policy changes from the Oracle Access Manager file specified.

Online

migratePartnersToProd

Migrate partners from the source Oracle Access Manager Server to the specified target Oracle Access Manager Server.

Online

exportPartners

Export the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.

Online

importPartners

Import the Oracle Access Manager partners from the intermediate Oracle Access Manager file specified.

Online

configureOAAM

Configure the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.

Online

registerOIFDAPPartner

Register Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner.

Online

Offline

enableCoexistMode

Enable the Coexist Mode.

Online

disableCoexistMode

Disable the Coexist Mode.

Online

editGITOValues

Edit GITO configuration parameters.

Online

Offline

editWebgate11gAgent

Edit an 11g WebGate registration.

Online

Offline

deleteWebgate11gAgent

Remove an 11g WebGate Agent registration.

Online

Offline

displayWebgate11gAgent

Display an 11g WebGate Agent registration.

Online

Offline

displayOAMMetrics

Display metrics of OAM Servers.

Online

Offline

updateOIMHostPort

Update the Oracle Identity Manager configuration when integrated with Oracle Access Manager.

Online

Offline

configureOIM

Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.

Online

updateOSSOResponseCookieConfig

Updates OSSO Proxy response cookie settings.

Online

Offline

deleteOSSOResponseCookieConfig

Deletes OSSO Proxy response cookie settings.

Online

Offline

displaySimpleModeGlobalPassphrase

Displays the simple mode global passphrase in plain text from the system configuration.

Online

exportSelectedPartners

Exports selected OAM Partners to the intermediate OAM file specified.

Online

migrateArtifacts

Migrates artifacts based on the input artifact file.

Online

registerThirdPartyTAPPartner

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

Online


listOAMAuthnProviderParams

Online command that lists the values of the parameters in effect in a domain authenticator or identity asserter.

Description

Lists the values of the parameters set for a given Oracle Access Manager authenticator or identity asserter. In the event of an error, the command returns a WLSTException.

Syntax

listOAMAuthnProviderParams(name)
Argument Definition
name 
Specifies the name of the authenticator or identity asserter.

Example

The following invocation lists the parameters and values set for the asserter named myIdAsserter:

listOAMAuthnProviderParams(name="myIdAsserter")

createOAMIdentityAsserter

Online command that creates an Oracle Access Manager identity asserter in the current domain.

Description

Creates an identity asserter with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager identity asserter is already configured in the current domain. In the event of an error, the command returns a WLSTException.

Syntax

createOAMIdentityAsserter(name)
Argument Definition
name 
Specifies the name of the new identity asserter. If no name is specified, it defaults to "OAMIdentityAsserter".

Example

The following invocation creates a new identity asserter named OAMIdentityAsserter:

createOAMIdentityAsserter(name="OAMIdentityAsserter")

updateOAMIdentityAsserter

Online command that updates the values of parameters of the Oracle Access Manager identity asserter in the current domain.

Description

Updates the value of given parameters of the domain Oracle Access Manager identity asserter. In the event of an error, the command returns a WLSTException.

Syntax

updateOAMIdentityAsserter(name, paramNameValueList)
Argument Definition
name 
Specifies the name of the Oracle Access Manager identity asserter whose parameter values to update.
paramNameValueList Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is:
paramName="paramValue"

The parameter names that can be updated are the following only:

  • accessGateName—The name of the AccessGate used by the authenticator.

  • accessGatePwd—The password to the AccessGate used by the authenticator.

  • pAccessServer—The name of the primary access server. Values must have the format hostName:portNumber.

  • sAccessServer—The name of the secondary access server. Values must have the format hostName:portNumber.

  • transportSecurity—The mode of communication between AccessGate and OAM Access Server.

  • keystorePwd—The password to access the domain key store.

  • keystorePath—The absolute path of the JKS key store used for SSL communication between the authenticator and OAM Access Server.

  • simpleModePassphrase—The password shared by AccessGate and OAM Access Server in simple communication mode.

  • truststorePath —The absolute path of the JKS trust store used for SSL communication between the authenticator and OAM Access Server.

  • poolMaxConnections—The maximum number of connections in the OAM Server connection pool.

  • poolMinConnections—The minimum number of connections in the OAM Server connection pool.

  • ssoHeaderName—The SSO header name.

  • controlFlag—The JAAS control flag that sets up dependencies among all authenticators in the domain. Values can be only REQUIRED, SUFFICIENT, REQUISITE, or OPTIONAL.

  • appDomain—The name of the application domain.


Example

The following invocation updates the parameters accessGateName, accessGatePwd, pAccessServer, and ssoHeaderName in the Oracle Access Manager identity asserter named myIdAsserter:

updateOAMIdentityAsserter(name="myIdAsserter", 
accessGateName="OAM IAP AccessGate", accessGatePwd="welcome1", 
pAccessServer="myhost.domain.com:5543", ssoHeaderName="OAM_SSO_HEADER")

createOAMAuthenticator

Online command that creates an Oracle Access Manager authenticator in the current domain.

Description

Creates an Oracle Access Manager authenticator with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager authenticator is already configured in the default security domain. In the event of an error, the command returns a WLSTException.

Syntax

createOAMAuthenticator(name)
Argument Definition
name 
Specifies the name of the new authentication provider in the default domain. If no name is specified, it defaults to "OAMAuthenticator".

Example

The following invocation creates a new authentication provider named OAMAuthenticator:

createOAMAuthenticator(name="OAMAuthenticator")

deleteOAMAuthnProvider

Online command that deletes the OAM authenticator from the current domain.

Description

Deletes the OAM authenticator with a given name from the current domain. In the event of an error, the command returns a WLSTException.

Syntax

deleteOAMAuthnProvider(name)
Argument Definition
name 
Specifies the name of the authentication provider to delete.

Example

The following invocation deletes the authenticator myAuthenticator:

deleteOAMAuthnProvider(name="myAuthenticator")

updateOAMAuthenticator

Online command that updates the values of parameters of the Oracle Access Manager authenticator in the current domain.

Description

Updates the value of given parameters of the domain Oracle Access Manager authenticator. In the event of an error, the command returns a WLSTException.

Syntax

updateOAMAuthenticator(name, paramNameValueList)
Argument Definition
name 
Specifies the name of the Oracle Access Manager authenticator whose parameter values to update.
paramNameValueList Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is
paramName='paramValue'

The only parameter names that can be updated are the following:

  • accessGateName—The name of the AccessGate used by the authenticator.

  • accessGatePwd—The password to the AccessGate used by the authenticator.

  • pAccessServer—The name of the primary access server. Values must have the format hostName:portNumber.

  • sAccessServer—The name of the secondary access server. Values must have the format hostName:portNumber.

  • transportSecurity—The mode of communication between AccessGate and OAM Access Server: open, simple, or cert.

  • keystorePwd—The password to access the domain key store.

  • keystorePath—The absolute path of the JKS key store used for SSL communication between the authenticator and OAM Access Server.

  • simpleModePassphrase—The password shared by AccessGate and OAM Access Server in simple communication mode.

  • truststorePath—The absolute path of the JKS trust store used for SSL communication between the authenticator and OAM Access Server.

  • poolMaxConnections—The maximum number of connections in the OAM Server connection pool.

  • poolMinConnections—The minimum number of connections in the OAM Server connection pool.

  • useRetNameAsPrincipal—Specifies whether the user name retrieved from the OAM authenticator should be used as the name of the Principal in the Subject.

  • controlFlag—The JAAS control flag that sets up dependencies among all authenticators in the domain. Values can be only REQUIRED, SUFFICIENT, REQUISITE, or OPTIONAL.

  • appDomain—The name of the application domain.


Example

The following invocation updates the parameters accessGateName, accessGatePwd, and pAccessServer in the Oracle Access Manager authenticator named myAuthenticator:

updateOAMAuthenticator(name="myAuthenticator", 
accessGateName="OAM AP AccessGate", accessGatePwd="welcome1",
pAccessServer="myhost.domain.com:5543")
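The following helper, added here as an example (it is not part of Oracle's documentation or of WLST itself), pre-checks a paramNameValueList for updateOAMAuthenticator against the constraints listed above before the command is issued: the set of updatable names, the hostName:portNumber format, the permitted transportSecurity and controlFlag values, and the connection-pool sizes; it also produces a copy with the password-bearing values masked for change logging. It is plain Python rather than a WLST script; the function names and the sample input are constructed.

```python
import re

# Parameter names that updateOAMAuthenticator accepts, as listed above.
UPDATABLE_PARAMS = frozenset([
    "accessGateName", "accessGatePwd", "pAccessServer", "sAccessServer",
    "transportSecurity", "keystorePwd", "keystorePath", "simpleModePassphrase",
    "truststorePath", "poolMaxConnections", "poolMinConnections",
    "useRetNameAsPrincipal", "controlFlag", "appDomain",
])
TRANSPORT_MODES = frozenset(["open", "simple", "cert"])
CONTROL_FLAGS = frozenset(["REQUIRED", "SUFFICIENT", "REQUISITE", "OPTIONAL"])
# Values that must never reach a change log or console transcript.
SECRET_PARAMS = frozenset(["accessGatePwd", "keystorePwd", "simpleModePassphrase"])

# One documented pair, paramName='paramValue', followed by a comma or the end.
_PAIR = re.compile(r"\s*([A-Za-z_]\w*)\s*=\s*'([^']*)'\s*(?:,|$)")
# hostName:portNumber, the format required for pAccessServer and sAccessServer.
_HOST_PORT = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?:(\d{1,5})$")


def parse_param_list(text):
    """Parse a paramNameValueList string into a dict, rejecting malformed input."""
    params = {}
    pos = 0
    while pos < len(text):
        match = _PAIR.match(text, pos)
        if match is None:
            raise ValueError("malformed pair near offset %d: %r" % (pos, text[pos:pos + 20]))
        name, value = match.group(1), match.group(2)
        if name in params:
            raise ValueError("duplicate parameter %s" % name)
        params[name] = value
        pos = match.end()
    return params


def validate_update(params):
    """Return a list of problems; an empty list means the update passes every check."""
    problems = []
    for name in params:
        if name not in UPDATABLE_PARAMS:
            problems.append("%s is not an updatable authenticator parameter" % name)
    for key in ("pAccessServer", "sAccessServer"):
        value = params.get(key)
        if value is not None:
            match = _HOST_PORT.match(value)
            if match is None or not 1 <= int(match.group(2)) <= 65535:
                problems.append("%s must be hostName:portNumber, got %r" % (key, value))
    mode = params.get("transportSecurity")
    if mode is not None and mode not in TRANSPORT_MODES:
        problems.append("transportSecurity must be open, simple or cert, got %r" % mode)
    flag = params.get("controlFlag")
    if flag is not None and flag not in CONTROL_FLAGS:
        problems.append("controlFlag must be one of %s, got %r"
                        % (", ".join(sorted(CONTROL_FLAGS)), flag))
    pool = {}
    for key in ("poolMinConnections", "poolMaxConnections"):
        value = params.get(key)
        if value is not None:
            if value.isdigit():
                pool[key] = int(value)
            else:
                problems.append("%s must be a non-negative integer, got %r" % (key, value))
    # Sanity check added here (not a documented rule): the pool minimum cannot exceed its maximum.
    if len(pool) == 2 and pool["poolMinConnections"] > pool["poolMaxConnections"]:
        problems.append("poolMinConnections exceeds poolMaxConnections")
    principal = params.get("useRetNameAsPrincipal")
    if principal is not None and principal.lower() not in ("true", "false"):
        problems.append("useRetNameAsPrincipal must be true or false, got %r" % principal)
    return problems


def redact(params):
    """Copy of params that is safe to log: password-bearing values replaced by '***'."""
    return dict((k, "***" if k in SECRET_PARAMS else v) for k, v in params.items())


if __name__ == "__main__":
    # Constructed sample mirroring the updateOAMAuthenticator invocation above.
    sample = ("accessGateName='OAM AP AccessGate', accessGatePwd='welcome1', "
              "pAccessServer='myhost.domain.com:5543'")
    parsed = parse_param_list(sample)
    print("problems:", validate_update(parsed))
    print("logged as:", redact(parsed))
```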

addOAMSSOProvider

Online command that adds an Oracle Access Manager SSO provider with the given login URI, logout URI, and auto-login URI.

Description

Adds an SSO provider with the given login URI, logout URI, and auto-login URI. This command modifies the domain jps-config.xml by adding an Oracle Access Manager SSO service instance with the required properties. In the event of an error, the command returns a WLSTException.

Syntax

addOAMSSOProvider(loginuri, logouturi, autologinuri, beginimpuri, endimpuri)
Argument Definition
loginuri
Required. Specifies the URI of the login page and triggers SSO authentication.
logouturi Optional. Specifies the URI of the logout page and logs the signed-on user out. If unspecified, defaults to logouturi=NONE.

Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class OAMSSOServiceImpl to clear the cookie ObSSOCookie.

More generally, an ADF-secured web application that would like to clear cookies without logging out the user should use this setting.

autologinuri Optional. Specifies the URI of the autologin page. If unspecified, it defaults to autologinuri=NONE.
beginimpuri Optional. Specifies the URI that triggers the impersonation SSO session.
endimpuri Optional. Specifies the URI that terminates the impersonation SSO session.

Example

The following invocation adds an SSO provider with the passed URIs; note the special behavior of the setting logouturi="" and of the impersonation parameters, as explained in the table above:

addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",
logouturi="/oamsso/logout.html",
beginimpuri="https://login.acme.com/impersonationInit.html",
endimpuri="https://login.acme.com/impersonationTerm.html",
autologinuri="/fooBar.cgi")

displayTopology

Online and offline command that displays the information about all the OAM Servers in a deployment.

Description

Lists the topology of deployed OAM Servers. There are no arguments for this command.

Syntax

displayTopology()

Example

The following invocation lists the details of all deployed OAM Servers, as described above:

displayTopology()

displayMetrics

Online command that displays the performance metrics of an OAM Server and domain.

Description

Displays the performance metrics of an OAM Server and domain specific to collectors, including host, process, and server names.

There are no arguments for this command: all the details of all the servers and collectors are displayed.

Syntax

displayMetrics()

Example

The following invocation lists all metrics specific to named collectors, as described above:

displayMetrics()

displayOamServer

Online and offline command that displays OAM Server registration details.

Description

Displays OAM Server registration details, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

displayOamServer(host,port)
Argument Definition
host
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the listening port of the OAM Server host.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation displays the registration details of the OAM Server my_host listening on port 15000:

displayOamServer(host="my_host", port="15000", domainHome="domainHome1")

createOamServer

Online and offline command that creates an OAM Server entry in the system configuration.

Description

Creates an OAM Server registration, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

createOamServer(host, port, paramNameValueList)
Argument Definition
host
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the listening port of the OAM Server host.
domainHome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • configurationProfile—The name of this instance registration, which appears under Server Instances on the System Configuration tab in the OAM Administration Console.

  • oamProxyPort—The listening port of this instance.

  • oamProxyServerID—The name of the OAM Proxy for this server instance, which will appear under the OAM Proxy sub tab of the server instance in the OAM Administration Console.

  • siteName—siteName/serverName for the instance.


Example

The following invocation creates a configuration for my_host with listening port 15000. The configuration entry in the Administration Console will be oam_server1. The OAM Proxy port is 3004 and the OAM Proxy Server ID is ProxyID:

createOamServer(host="my_host", port="15000",
configurationProfile="oam_server1", oamProxyPort="3004",
oamProxyServerID="ProxyID", siteName="siteName1", domainHome="domainHome1")

editOamServer

Online and offline command that enables you to edit OAM Server registration details.

Description

Edits the registration for an OAM Server, which can include the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

editOamServer(name, port, paramNameValueList)
Argument Definition
name
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the port number of the OAM Server host.
domainHome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • configurationProfile—The name of this instance registration, which appears under Server Instances on the System Configuration tab in the OAM Administration Console.

  • oamProxyPort—The listening port of this instance.

  • oamProxyServerID—The name of the OAM Proxy for this server instance, which will appear under the OAM Proxy sub tab of the server instance in the OAM Administration Console.

  • siteName—siteName/serverName for the instance.


Example

You can use any of the optional attributes to change current settings. The following invocation enables you to add the OAM Proxy shared secret to the configuration entry oam_server1.

editOamServer(name="oam_server1", port="15000",
configurationProfile="oam_server1", oamProxyPort="3004",
oamProxyServerID="Proxy1", siteName="siteName1", domainHome="domainHome1")

deleteOamServer

Online and offline command that enables you to delete the named OAM Server registration.

Description

Deletes an entire OAM Server configuration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

deleteOamServer(host,port)
Argument Definition
host
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the listening port of the OAM Server host.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation deletes the OAM Server registration for oam_server1 with listening port 15000:

deleteOamServer(host="oam_server1",port="15000",domainHome="domainHome1")

displayOssoAgent

Online and offline command that displays OSSO Agent configuration details.

Description

Displays OSSO Agent registration details, which also appear in the OAM Administration Console.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

displayOssoAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the OSSO Agent.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation displays the OSSO Agent's registration information:

displayOssoAgent(agentName="OSSOAgent1",domainHome="domainHome1")

editOssoAgent

Online and offline command that enables you to edit an OSSO Agent registration.

Description

Changes OSSO Agent configuration details, including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

editOssoAgent(agentName,paramNameValueList)
Argument Definition
agentName
Mandatory. Specifies the name of the OSSO Agent.
domainHome
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is:
paramName='paramValue'

Optional:

  • siteToken—The Application Token used by the partner when requesting authentication.

  • successUrl—The redirect URL to be used upon successful authentication.

  • failureUrl—The redirect URL to be used if authentication fails.

  • homeUrl—The redirect URL to be used for the Home page after authentication.

  • logoutUrl—The redirect URL to be used when logging out. This redirects the user to the global logout page on the server.

  • startDate—First month, day, and year for which login to the application is allowed by the server.

  • endDate—Final month, day, and year for which login to the application is allowed by the server.

  • adminId—Administrator login ID for this mod_osso instance.

  • adminInfo—Administrator details for this mod_osso instance.


Example

The following invocation changes the Administrator ID and information in the registration entry for OSSOAgent1:

editOssoAgent(agentName="OSSOAgent1", siteToken="siteToken",
successUrl="successUrl", failureUrl="failureUrl", homeUrl="homeUrl",
logoutUrl="logoutUrl", startDate="2009-12-10", endDate="2012-12-30",
adminId="345", adminInfo="Agent11", domainHome="domainHome1")

deleteOssoAgent

Online and offline command that enables you to delete an OSSO Agent registration.

Description

Removes an OSSO Agent configuration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

deleteOssoAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the OSSO Agent.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation removes the OSSO Agent named OSSOAgent1:

deleteOssoAgent(agentName="OSSOAgent1", domainHome="domainHome1")

displayWebgateAgent

Online and offline command that displays a 10g WebGate registration.

Description

Displays all 10g WebGate registration details, which can also be seen in the OAM Administration Console.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

displayWebgateAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation displays registration information for my_WebGate:

displayWebgateAgent(agentName="my_WebGate", domainHome="domainHome1")

editWebgateAgent

Online and offline command that enables you to edit a 10g WebGate registration.

Description

Enables you to change 10g WebGate Agent registration details.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

editWebgateAgent(agentName,paramNameValueList)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainHome
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is:
paramName='paramValue'

Mandatory:

  • agentId—Name of the OAM Agent (WebGate).

Optional:

  • accessClientPassword—An optional password for this WebGate Agent.

  • state—Whether the OAM Agent is enabled or disabled.

  • preferredHost—Prevents security holes that can be created if a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature.

  • aaaTimeOutThreshold—Number (in seconds) to wait for a response from the OAM Run-time Server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (default network TCP/IP timeout is used).

  • security—Level of transport security to and from the OAM Run-time Server: open, simple, or cert.

  • primaryCookieDomain—The Web server domain on which the OAM Agent is deployed, for instance, .acompany.com.

  • maxConnections—The maximum number of connections that this OAM Agent can establish with the OAM Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent. Default = 1.

  • maxCacheElements—Number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes. The value of this setting refers to the maximum consolidated count for elements in both of these caches. Default = 10000.

  • cacheTimeOut—Amount of time cached information remains in the OAM Agent cache when the information is neither used nor referenced. Default = 1800 (seconds).

  • cookieSessionTime—Amount of time that the ObSSOCookie persists. Default = 3600 (seconds).

  • maxSessionTime—Maximum amount of time, in seconds, that a user's authentication session is valid regardless of their activity. At the expiration of this time, the user is re-challenged for authentication. This is a forced logout. Default = 3600 (seconds). A value of 0 disables this timeout setting.

  • idleSessionTimeout—Amount of time in seconds that a user's authentication session remains valid without accessing any OAM Agent protected resources. Default = 3600 (seconds). A value of 0 disables this timeout setting.

  • failoverThreshold—Number representing the point when this OAM Agent opens connections to a Secondary OAM Server. Default = 1.


Example

You can alter any or all of the settings. Use the following invocation to change specific information in the WebGate Agent registration, including the Agent ID, state, maximum connections, OAM Server timeout, primary cookie domain, cache time out, cookie session timeout, maximum session timeout, idle session timeout, and failover threshold, as follows:

editWebgateAgent(agentName="my_WebGate", agentId="WebGate2", state="enabled",
maxConnections="2", aaaTimeOutThreshold="2",
primaryCookieDomain="adomain.com", cacheTimeOut="1200",
cookieSessionTime="1500", maxSessionTime="1500", idleSessionTimeout="1500",
failoverThreshold="25", domainHome="domainHome1")

deleteWebgateAgent

Online and offline command that enables you to delete a 10g WebGate Agent registration.

Description

Removes a 10g WebGate Agent registration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

deleteWebgateAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation removes the WebGate Agent named my_WebGate:

deleteWebgateAgent(agentName="my_WebGate", domainHome="domainHome1")

changeLoggerSetting

Online and offline command that changes the logger level.

Description

Changes the level of one or more, or all, loggers.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

changeLoggerSetting(loggerName='', loggerLevel='')
Argument Definition
loggerName
Optional. Specifies the OAM logger name. Multiple OAM logger names can be specified, separated by commas, or you can use the wildcard (*) character to specify all OAM collectors, which is the default.
loggerLevel
Specifies the logger level: SEVERE, WARNING, INFO, CONFIG, or FINE.

Example

The following invocation changes the level of all OAM loggers (wildcard) to SEVERE:

changeLoggerSetting(loggerName="*", loggerLevel="SEVERE")

changeConfigDataEncryptionKey

Offline command that regenerates the configuration data encryption key.

Description

Regenerates the configuration data encryption key, re-encrypts the configuration data using the new key, and outputs attribute information of the identity store.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

changePasswordEncKey(oldpassword='', newPassword='')
Argument Definition
oldpassword
Mandatory. Specifies the password that retrieves the current encryption key.
newPassword
Mandatory. Defines a new password that protects the newly generated encryption key.

Example

The following invocation supplies the old and new passwords, regenerates the key, and re-encrypts the configuration data:

changePasswordEncKey(oldpassword="oldpassword", 
newPassword="newpassword")

displayUserIdentityStore

Online and offline command that displays user identity store registration information.

Description

Displays information of the user identity store registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

displayUserIdentityStore(name) 
Argument Definition
name
Mandatory. Specifies the name of the LDAP user identity store.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation displays registration details of the user identity store:

displayUserIdentityStore(name="ID_store1", domainHome="domainHome1")

editUserIdentityStore

Online and offline command that changes attributes of the user identity store for Oracle Access Manager.

Description

Changes one or more attributes of the user identity store registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

editUserIdentityStore(name,paramNameValueList)
Argument Definition
name
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers).
domainHome
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Include one or more of the following parameter name-value pairs, in addition to those in createUserIdentityStore, to change the OAM user identity store configuration:

  • userFilterObjectClasses—List of user filter object classes (separated by semi-colon).

  • groupFilterObjectClasses—List of group filter object classes (separated by semi-colon).

  • referralPolicy—LDAP referral policy (either "follow", "ignore" or "throw").

  • searchTimeLimit—Time limit in seconds for LDAP Search operation.

  • minConnections—Minimum number of connections in the connection pool.

  • maxConnections—Maximum number of connections in the connection pool.

  • connectionWaitTimeout—Number of seconds to wait for obtaining a connection from the pool.

  • connectionRetryCount—Number of attempts to establish a connection to identity store.

  • groupNameAttr—Name of the attribute to look up the user groups. For example:

    ou=people,ou=myrealm,dc=base_domain
    
  • groupCacheEnabled—Toggle (true/false) to enable LDAP group cache.

  • groupCacheSize—Number of entries in LDAP group cache.

  • groupCacheTTL—Total time to live for each entry of LDAP group cache.


Example

The following invocation changes the LDAP URL of the user identity store for OAM:

editUserIdentityStore(name="identity_store_name",
ldapUrl="ldap://localhost:7003", domainHome="domainHome1")

createUserIdentityStore

Online and offline command that creates a user identity store registration for Oracle Access Manager.

Description

Creates an entry for a new user identity store to be registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

createUserIdentityStore(name, paramNameValueList)
Argument Definition
name
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers).
domainHome
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • name—The name for this user ID store.

  • principal—The login ID of the LDAP administrator. For example, cn=Admin.

  • credential—The password of the Principal, which is encrypted for security.

  • type—The type of the LDAP ID store to be created.

  • userAttr—User attributes of the store.

  • userSearchBase—The node under which user data is stored in the LDAP ID store to be created. For example: cn=users.

  • groupSearchBase—The node under which group data is stored in the LDAP ID store to be created. Mandatory Attribute. For example: cn=groups.

  • ldapUrl—The URL for the LDAP host, including port number of the LDAP ID store to be created. For example, ldap://localhost:7001.

Optional:

  • roleSecAdmin—Name of the Admin group with all privileges for LDAP ID store.

  • roleSysMonitor—Name of the Admin group with read-only privileges for LDAP ID store to be created.

  • roleSysManager— Name of the Admin group with day-to-day operational privileges for LDAP ID store to be created.

  • ldapProvider—A supported LDAP provider. For example, OVD.

  • isPrimary—The designation of the primary User Identity Store. Boolean field.

  • userIDProvider—User Identity Provider of the store to be created.

  • domainHome—Domain Home location.


Example

The following invocation creates a new Oracle Internet Directory user identity store definition for use with Oracle Access Manager:

createUserIdentityStore(name="Name1", principal="Principal1",
credential="Credential1", type="OID", userAttr="userAttr1",
ldapProvider="ldapProvider", roleSecAdmin="roleSecAdmin1",
roleSysMonitor="roleSysMonitor", roleSysManager="roleSysManager",
roleAppAdmin="roleAppAdmin", userSearchBase="cn=users",
ldapUrl="ldapUrl", isPrimary="isPrimary", userIDProvider="userIDProvider",
groupSearchBase="cn=groups", domainHome="domainHome1")

deleteUserIdentityStore

Online and offline command that removes an Oracle Access Manager user identity store registration.

Description

Deletes the user identity store registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

deleteUserIdentityStore(name) 
Argument Definition
name
Mandatory. Specifies the name of the LDAP user identity store to be removed.
domainHome
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation deletes the registration of the user identity store:

deleteUserIdentityStore(name="identity_store", domainHome="domainHome1")

configRequestCacheType

Online and offline command that configures the SSO server request cache type.

Description

Configures the SSO server request cache type.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

configRequestCacheType(type) 
Argument Definition
type
Mandatory. Specifies the request cache type, requestCacheType: BASIC or COOKIE.


Example

The following invocation identifies the request cache type as Cookie:

configRequestCacheType(type="COOKIE") 

displayRequestCacheType

Online and offline command that displays the SSO server request cache type.

Description

Displays the SSO server request cache type entry.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

displayRequestCacheType(domainHome)
Argument Definition
domainHome
Offline mode: Mandatory

Online mode: Optional

The displayed entry, requestCacheType, has the value BASIC or COOKIE.

Example

The following invocation displays the request cache type.

displayRequestCacheType(domainHome="domainHome") 

exportPolicy

Online only command that exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file specified.

Description

Exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

exportPolicy(pathTempOAMPolicyFile)
Argument Definition
pathTempOAMPolicyFile 
Mandatory. Specifies the path to the temporary Oracle Access Manager file.

Example

The following invocation specifies the path to the temporary file used when exporting policy data from a test (source) environment.

exportPolicy(pathTempOAMPolicyFile="oam_policy.xml") 

importPolicy

Online only command that imports the OAM policy data from the intermediate Oracle Access Manager file specified.

Description

Imports the OAM policy data from the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

importPolicy(pathTempOAMPolicyFile)
Argument Definition
pathTempOAMPolicyFile Mandatory. Specifies the path to the temporary OAM file.

Example

The following invocation specifies the path to the temporary file used when importing policy data to a production (target).

importPolicy(pathTempOAMPolicyFile="oam_policy.xml") 

importPolicyDelta

Online only command that imports the OAM policy changes from the intermediate Oracle Access Manager file specified.

Description

Imports the OAM policy changes from the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

importPolicyDelta(pathTempOAMPolicyFile)
Argument Definition
pathTempOAMPolicyFile Mandatory. Specifies the path to the temporary Oracle Access Manager file.

Example

The following invocation specifies the path to the temporary file used when importing only changed policy data to a production (target).

importPolicyDelta(pathTempOAMPolicyFile="oam_policy_delta.xml") 

migratePartnersToProd

Online only command that migrates partners from the current (source) OAM Server to the specified (target) OAM Server.

Description

Migrates partners from the current (source) OAM Server to the specified (target) OAM Server.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

migratePartnersToProd(prodServerHost,prodServerPort,prodServerAdminUser,prodServerAdminPwd)
Argument Definition
prodServerHost Host name of the target OAM Server to which partners are to be migrated.
prodServerPort Port of the target OAM Server to which partners are to be migrated.
prodServerAdminUser Administrator of the target OAM Server to which partners are to be migrated.
prodServerAdminPwd Target OAM Server administrator's password.

Example

The following invocation specifies the required information.

migratePartnersToProd(prodServerHost="host",prodServerPort="port", 
prodServerAdminUser="weblogic",prodServerAdminPwd="welcome")

exportPartners

Online only command that exports Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.

Description

Exports the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

exportPartners(pathTempOAMPartnerFile)
Argument Definition
pathTempOAMPartnerFile Mandatory. Specifies the path to the temporary Oracle Access Manager partner file.

Example

The following invocation specifies the path to the intermediate OAM partners file.

exportPartners(pathTempOAMPartnerFile="oam_partners.xml")

importPartners

Online only command that imports Oracle Access Manager partners from the intermediate Oracle Access Manager file specified.

Description

Imports the OAM partners from the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

importPartners(pathTempOAMPartnerFile)
Argument Definition
pathTempOAMPartnerFile Mandatory. Specifies the path to the temporary OAM partner file.

Example

The following invocation specifies the path to the intermediate OAM partners file.

importPartners(pathTempOAMPartnerFile="oam_partners.xml")

configureOAAM

Online only command that configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.

Description

Configures the OAM-OAAM basic integration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

configureOAAM(dataSourceName,paramNameValueList)
Argument Definition
dataSourceName Name of the data source to be created.
paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • hostName—The name of the database host.

  • port—Database port.

  • sid—The database sid (database identifier).

  • userName—OAAM schema name.

  • passWord—OAAM schema password.

Optional:

  • maxConnectionSize—Max connection reserve time out size.

  • maxPoolSize—Maximum size for connection pool.

  • serverName—Target server for the data source.


Example

The following invocation configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.

configureOAAM(dataSourceName = "MyOAAMDS", hostName = "host.us.co.com", 
port = "1521", sid = "sid", userName = "username", passWord = "password", 
maxConnectionSize = None, maxPoolSize = None, serverName = "oam_server1")

registerOIFDAPPartner

Online and offline command that registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.

Description

Registers Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner.

The scope of this command is an instance only. The scope is not an argument.

Syntax

registerOIFDAPPartner(paramNameValueList)
Argument Definition
paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

Include the following parameter name-value pairs to register Oracle Identity Federation as a DAP partner:

  • keystoreLocation—Location of the Keystore file (generated at the OIF Server).

  • logoutURL—The OIF Server's logout URL.

Optional:

  • rolloverInterval—The Rollover Interval for the keys used to encrypt/decrypt SASSO Tokens.


Example

The following invocation illustrates use of all parameters:

registerOIFDAPPartner(keystoreLocation="/scratch/keystore",
logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp",
rolloverInterval="526")

enableCoexistMode

Online command that enables the Coexist Mode.

Description

Enables the Coexist Mode.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

enableCoexistMode()

Example

The following invocation enables the Coexist Mode:

enableCoexistMode()

disableCoexistMode

Online command that disables the Coexist Mode.

Description

Disables the Coexist Mode.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

disableCoexistMode()

Example

The following invocation disables the Coexist Mode:

disableCoexistMode()

editGITOValues

Online and offline command that edits GITO configuration parameters.

Description

Edits GITO configuration parameters.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

editGITOValues(gitoEnabled, paramNameValueList)
Argument Definition
gitoEnabled True (or false). Allows (or denies) user to set GITO enabled property.
domainHome
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

Include the following parameter name-value pairs to edit the GITO configuration:

  • gitoCookieDomain—Allows user to set the GITO cookie domain entry.

Optional:

  • gitoCookieName—Allows user to set the GITO cookie name.

  • gitoVersion—Allows user to set the GITO version. Can be ONLY v1.0 or v3.0.

  • gitoTimeout—Allows user to set the GITO timeout value.

  • gitoSecureCookieEnabled—True (or false). Allows (or denies) user to set the GITO secure cookie enabled property.


Example

The following invocation edits GITO configuration parameters.

editGITOValues(gitoEnabled="true", gitoCookieDomain=".abc.com", gitoCookieName="ABC",
gitoVersion="v1.0", gitoTimeout="20", gitoSecureCookieEnabled="false",
domainHome="/abc/def/ijk")

editWebgate11gAgent

Online and offline command that edits an 11g WebGate registration.

Description

Edits an 11g WebGate registration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

editWebgate11gAgent(agentname, paramNameValueList)
Argument Definition
agentname Name of the registered OAM 11g WebGate agent to be edited.
domainhome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Optional:

  • accessClientPassword—Unique password for this WebGate.

  • state—Specifies whether the agent is enabled or disabled.

  • security—Level of communication security between the Agent and the OAM Server: Open, Simple, Cert.

  • aaaTimeOutThreshold—Number (in seconds) to wait for a response from the OAM Server.

  • logOutUrls—List of URLs that trigger the logout handler, which removes the ObSSOCookie.

  • maxConnections—The maximum number of connections that this OAM Agent can establish with the OAM Server.

  • maxCacheElements—Number of elements maintained in the cache.

  • cacheTimeout—Amount of time cached information remains in the OAM Agent cache when the information is neither used nor referenced. Default = 1800 (seconds).

  • logoutCallbackUrl—The URL to oam_logout_success, which clears cookies during the callback. By default, this is based on the Agent base URL supplied during agent registration. For example:

http://<host>:<port>

  • maxSessionTime—Maximum amount of time in seconds that a user's authentication session is valid, regardless of their activity.

  • logoutRedirectUrl—The URL (absolute path) to the central logout page (logout.html). By default, this is based on the OAM Administration Console host name with a default port of 14200.

  • failoverThreshold—Number representing the point when this OAM Agent opens connections to a Secondary OAM Server.

  • tokenValidityPeriod—Amount of time in seconds that a user's authentication session remains valid without accessing any OAM Agent protected resources.

  • logoutTargetUrlParamName—The name of the query parameter that the OPSS application passes to WebGate during logout.


Example

The following invocation lists all mandatory and optional parameters.

editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1",
state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10",
security="open", logOutUrls="http://<host>:<port>", maxConnections="16",
maxCacheElems="10000", cacheTimeout="1800", logoutCallbackUrl="http://<host>:<port>",
maxSessionTime="24", logoutRedirectUrl="logoutRedirectUrl", failoverThreshold="1",
tokenValidityPeriod="aPeriod", logoutTargetUrlParamName="logoutTargetUrl",
domainHome="domainHome1")
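The paramNameValueList format (paramName='paramValue' pairs separated by commas) is shared by editGITOValues and editWebgate11gAgent above. The following plain Python (not WLST) parser and schema check is an added example, not Oracle's code: the parameter names and allowed values are taken from the two argument tables, while the validators, the weak_settings checks and all sample inputs are constructed here.

```python
import re

# Validators used by the constructed schemas below.
def _is_bool(v):
    return v.lower() in ("true", "false")

def _is_int(v):
    return v.isdigit()

# Mandatory/optional parameter sets as documented for the two commands.
# A validator of None means any string is accepted.
SCHEMAS = {
    "editGITOValues": {
        "mandatory": {"gitoCookieDomain"},
        "optional": {
            "gitoCookieName": None,
            "gitoVersion": lambda v: v in ("v1.0", "v3.0"),   # only v1.0 or v3.0
            "gitoTimeout": _is_int,
            "gitoSecureCookieEnabled": _is_bool,
        },
    },
    "editWebgate11gAgent": {
        "mandatory": set(),
        "optional": {
            "accessClientPassword": None,
            "state": lambda v: v.lower() in ("enabled", "disabled"),
            "security": lambda v: v.lower() in ("open", "simple", "cert"),
            "aaaTimeOutThreshold": _is_int,
            "logOutUrls": None,
            "maxConnections": _is_int,
            "maxCacheElements": _is_int,
            "cacheTimeout": _is_int,
            "logoutCallbackUrl": None,
            "maxSessionTime": _is_int,
            "logoutRedirectUrl": None,
            "failoverThreshold": _is_int,
            "tokenValidityPeriod": _is_int,
            "logoutTargetUrlParamName": None,
        },
    },
}

# One pair: name, '=', a single-quoted value (backslash escapes allowed inside),
# then either a comma or the end of the list.
_PAIR_RE = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*'((?:[^'\\]|\\.)*)'\s*(?:,|$)")

def parse_param_list(text):
    """Parse paramName='paramValue',... into a dict. Because values are quoted,
    a comma inside a value (for example in logOutUrls) does not split pairs.
    Raises ValueError on malformed input or a repeated parameter name."""
    params = {}
    pos = 0
    while pos < len(text):
        m = _PAIR_RE.match(text, pos)
        if not m:
            raise ValueError("malformed pair at offset %d: %r" % (pos, text[pos:pos + 20]))
        name, value = m.group(1), m.group(2).replace("\\'", "'")
        if name in params:
            raise ValueError("duplicate parameter: " + name)
        params[name] = value
        pos = m.end()
    return params

def validate(command, params):
    """Return a list of problems; an empty list means params fit the schema."""
    schema = SCHEMAS[command]
    problems = []
    for name in sorted(schema["mandatory"]):
        if name not in params:
            problems.append("missing mandatory parameter: " + name)
    known = schema["mandatory"] | set(schema["optional"])
    for name, value in params.items():
        if name not in known:
            problems.append("unknown parameter: " + name)
            continue
        check = schema["optional"].get(name)
        if check is not None and not check(value):
            problems.append("invalid value for %s: %r" % (name, value))
    return problems

def weak_settings(command, params):
    """Flag values that validate but weaken the deployment. Open mode carries
    Agent-to-Server traffic without encryption and a cookie without the Secure
    flag can travel over plain HTTP; which checks to run is this example's choice."""
    warnings = []
    if command == "editWebgate11gAgent" and params.get("security", "").lower() == "open":
        warnings.append("security=Open: Agent to OAM Server traffic is not encrypted")
    if command == "editGITOValues" and params.get("gitoSecureCookieEnabled", "").lower() == "false":
        warnings.append("gitoSecureCookieEnabled=false: GITO cookie may be sent over plain HTTP")
    return warnings
```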

deleteWebgate11gAgent

Online and offline command that enables you to delete an 11g WebGate Agent registration.

Description

Removes an 11g WebGate Agent registration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

deleteWebgate11gAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the 11g WebGate Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation removes the 11g WebGate Agent named my_11gWebGate:

deleteWebgate11gAgent(agentName="my_11gWebGate", domainHome="domainHome1")

displayWebgate11gAgent

Online and offline command that enables you to display an 11g WebGate Agent registration.

Description

Displays an 11g WebGate Agent registration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

displayWebgate11gAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation displays the WebGate Agent named my_11gWebGate:

displayWebgate11gAgent(agentName="my_11gWebGate", domainHome="domainHome1")

displayOAMMetrics

Online and offline command that enables the display of metrics of OAM Servers.

Description

Enables the display of metrics of OAM Servers.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

displayOAMMetrics(domainHome)
Argument Definition
domainhome 
Offline mode: Mandatory

Online mode: Optional


Example

The following invocation enables the display of metrics of OAM Servers.

displayOAMMetrics(domainHome="domainHome1")

updateOIMHostPort

Online only command that updates the Oracle Identity Manager configuration when integrated with Oracle Access Manager.

Description

Updates the Oracle Identity Manager configuration in system configuration.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

updateOIMHostPort(hostname, port, secureProtocol)
Argument Definition
hostname Name of the Oracle Identity Manager host.
port Port of the Oracle Identity Manager host.
secureProtocol True or false.

Example

The following invocation illustrates this command.

updateOIMHostPort(hostName="OIM host", port="7777", secureProtocol="true") 

configureOIM

Online only command that creates an agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.

Description

Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

configureOIM(oimHost, oimPort, oimSecureProtocolEnabled, oimAccessGatePwd, oimCookieDomain, oimWgId, oimWgVersion)
Argument Definition
oimHost Name of the Oracle Identity Manager host.
oimPort Port of the Oracle Identity Manager Managed Server.
oimSecureProtocolEnabled True or false (depending on HTTP or HTTPS).
oimAccessGatePwd If provided will be the agent password for Open mode
oimCookieDomain Domain to which the cookie is to be set
oimWgId Agent registration name.
oimWgVersion Possible values 10g or 11g. If not provided, default is 10g.

Example

The following invocation illustrates this command.

configureOIM(oimHost="OIM host", oimPort="7777", oimSecureProtocolEnabled="true",
oimAccessGatePwd="Access Gate Password", oimCookieDomain="OIM Cookie Domain",
oimWgId="OIM Webgate ID", oimWgVersion="OIM Webgate Version")

updateOSSOResponseCookieConfig

Online and offline command that updates OSSO Proxy response cookie settings.

Description

Updates OSSO Proxy response cookie settings.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

updateOSSOResponseCookieConfig(cookieName, cookieMaxAge, isSecureCookie, cookieDomain, domainHome)
Argument Definition
domainhome 
Offline mode: Mandatory

Online mode: Optional

cookieName Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated.
cookieMaxAge Maximum age of a cookie in minutes. A negative value sets a session cookie.
isSecureCookie Boolean flag specifies if cookie should be secure (sent only over SSL channel).
cookieDomain The domain of the cookie.

Example

The following invocation illustrates this command.

updateOSSOResponseCookieConfig(cookieName = "<cookieName>",
cookieMaxAge = "<cookie age in minutes>", isSecureCookie = "true | false",
cookieDomain="<domain of the cookie>", domainHome = "<wls_domain_home_path>")

deleteOSSOResponseCookieConfig

Online and offline command that deletes OSSO Proxy response cookie settings.

Description

Deletes OSSO Proxy response cookie settings.

The scope of this command is an instance, only. The scope is not an argument.

Syntax

deleteOSSOResponseCookieConfig(cookieName, cookieDomain, domainHome)
Argument Definition
domainhome
Offline mode: Mandatory

Online mode: Optional

cookieName Mandatory. Name of the cookie for which settings are deleted.

Example

The following invocation illustrates this command.

deleteOSSOResponseCookieConfig(cookieName = "<cookieName>",
cookieDomain="<domain of the cookie>", domainHome = "<wls_domain_home_path>")

displaySimpleModeGlobalPassphrase

Displays the simple mode global passphrase in plain text from the system configuration.

Description

Online only command that displays the simple mode global passphrase in plain text from the system configuration.

Syntax

displaySimpleModeGlobalPassphrase()

There are no arguments for this command.

Example

The following invocation illustrates this command.

displaySimpleModeGlobalPassphrase()

exportSelectedPartners

Exports selected OAM Partners.

Description

Exports selected OAM Partners to the intermediate OAM file specified.

Syntax

exportSelectedPartners(pathTempOAMPartnerFile, partnersNameList)
Argument Definition
pathTempOAMPartnerFile The temporary file containing partners to be migrated.
partnersNameList Comma-separated list of partner IDs to be migrated.

Example

The following invocation illustrates this command.

exportSelectedPartners(pathTempOAMPartnerFile="/exampleroot/parent/tempfile.extn",
partnersNameList="partner1,partner2")

migrateArtifacts

Migrates artifacts.

Description

Migrates artifacts based on the input artifact file.

Syntax

migrateArtifacts(path, password, type, isIncremental)
Argument Definition
path
Location where the artifacts file is present.
password
Password used while generating the original artifacts.
type
InPlace or OutOfPlace.
isIncremental true or false. If true, an incremental upgrade is done.

Example

The following invocation illustrates this command.

migrateArtifacts(path="/exampleroot/parent/t", password="password", type="InPlace", isIncremental="false")

registerThirdPartyTAPPartner

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

Description

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

Syntax

registerThirdPartyTAPPartner(partnerName, keystoreLocation, password, tapTokenVersion, tapScheme, tapRedirectUrl)
Argument Definition
partnerName
Name of the partner. Can be any name used for identifying the third party partner.
keystoreLocation
The jceks file location.
password
Password for the keystore.
tapTokenVersion Version of the Trusted Authentication Protocol.
tapScheme Trusted Authentication Protocol Authn Scheme (TAPScheme, out of the box).
tapRedirectUrl Third party access URL.

Example

registerThirdPartyTAPPartner(partnerName="ThirdPartyTAPPartner",
keystoreLocation="/scratch/DAPKeyStore/mykeystore.jks", password="test", tapTokenVersion="v2.0",
tapScheme="TAPScheme", tapRedirectUrl="http://thirdpartyserverhost:port/loginPage.jsp")

Oracle Security Token Service

Table 4-7 describes the various types of WLST commands available for the Oracle Security Token Service.

Table 4-7 WLST Oracle Security Token Service Command Groups

OSTS Command Type Description

Partner Commands

WLST commands related to tasks involving partners.

Relying Party Partner Mapping Commands

The WS Prefix to Relying Party Partner mappings are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart...

Partner Profiles Commands

WLST commands related to tasks involving partner profiles.

Issuance Templates Commands

WLST commands related to tasks involving issuance templates.

Validation Templates Commands

WLST commands related to tasks involving validation templates.

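The prefix rule in the Relying Party Partner Mapping description above (an exact service URL, or any service URL under the mapped parent path) is modelled below as plain Python (not WLST). This is an added example, not Oracle's implementation: the class, the partner name ShopPartner and the longest-match and whole-segment comparison are constructed assumptions; the test.com URLs and RelyingPartyPartnerTest are the ones used in Table 4-7.

```python
from urllib.parse import urlsplit


class WSPrefixMappings:
    """In-memory model of the WS Prefix to Relying Party Partner mappings that
    createWSPrefixAndPartnerMapping and related commands maintain. resolve()
    applies the Table 4-7 rule to the AppliesTo URL of a WS-Trust RST."""

    def __init__(self):
        # (scheme, host[:port], path without trailing slash) -> partner id
        self._mappings = {}

    @staticmethod
    def _normalize(url):
        """Split a URL into comparable parts. Scheme and host compare
        case-insensitively; a trailing slash on the path is not significant."""
        parts = urlsplit(url)
        if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
            raise ValueError("expected http_protocol://hostname_ip/path, got %r" % url)
        return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/"))

    def create(self, wsprefix, partner_id):
        """Mirror createWSPrefixAndPartnerMapping: one partner per prefix."""
        key = self._normalize(wsprefix)
        if key in self._mappings:
            raise ValueError("a mapping already exists for %s" % wsprefix)
        self._mappings[key] = partner_id

    def delete(self, wsprefix):
        """Mirror deleteWSPrefixAndPartnerMapping."""
        key = self._normalize(wsprefix)
        if key not in self._mappings:
            raise KeyError("no mapping for %s" % wsprefix)
        del self._mappings[key]

    def get_all(self):
        """Mirror getAllWSPrefixAndPartnerMappings: prefix string -> partner id."""
        return {"%s://%s%s" % key: partner for key, partner in self._mappings.items()}

    def resolve(self, applies_to):
        """Return the Relying Party partner id for an AppliesTo URL, or None.
        Assumptions beyond the page: the prefix path must end on a whole path
        segment (so /service covers /service/shop/cart but not /servicefoo),
        and when several prefixes match the longest one wins."""
        scheme, host, path = self._normalize(applies_to)
        best_partner, best_len = None, -1
        for (p_scheme, p_host, p_path), partner in self._mappings.items():
            if (p_scheme, p_host) != (scheme, host):
                continue
            if path == p_path or path.startswith(p_path + "/"):
                if len(p_path) > best_len:
                    best_partner, best_len = partner, len(p_path)
        return best_partner
```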

Use the WLST commands listed in Table 4-8 to manage Oracle Security Token Service.

Table 4-8 WLST Commands Oracle Security Token Service

Use this command... To... Use with WLST...

Partner Commands

   

getPartner

Retrieve a partner and print result.

Online

getAllRequesterPartners

Retrieve the names of Requester partners.

Online

getAllRelyingPartyPartners

Retrieve the names of all Relying Party partners.

Online

getAllIssuingAuthorityPartners

Retrieve the names of all Issuing Authority partners.

Online

isPartnerPresent

Query OSTS to determine whether or not the partner exists in the Partner store.

Online

createPartner

Create a new Partner entry.

Online

updatePartner

Update an existing Partner entry based on the provided information.

Online

deletePartner

Delete a partner entry.

Online

getPartnerUsernameTokenUsername

Retrieve the partner's username value.

Online

getPartnerUsernameTokenPassword

Retrieve the partner's password value.

Online

setPartnerUsernameTokenCredential

Set the username and password values of a partner entry.

Online

deletePartnerUsernameTokenCredential

Remove the username and password values from a partner entry.

Online

getPartnerSigningCert

Retrieve the Base64 encoded signing certificate for the partner.

Online

getPartnerEncryptionCert

Retrieve the Base64 encoded encryption certificate for the partner.

Online

setPartnerSigningCert

Upload the signing certificate to the partner entry.

Online

setPartnerEncryptionCert

Upload the encryption certificate to the partner entry.

Online

deletePartnerSigningCert

Remove the signing certificate from the partner entry.

Online

Offline

deletePartnerEncryptionCert

Remove the encryption certificate from the partner entry.

Online

Offline

getPartnerAllIdentityAttributes

Retrieve and display all Identity mapping attributes used to map a token to a requester partner.

Online

Offline

getPartnerIdentityAttribute

Retrieve and display the identity mapping attribute.

Online

Offline

setPartnerIdentityAttribute

Set the identity mapping attribute for a requester partner.

Online

Offline

deletePartnerIdentityAttribute

Delete the identity mapping attribute for a requester partner.

Online

Offline

Relying Party Partner Mapping Commands

   

getAllWSPrefixAndPartnerMappings

Retrieve and display all WS Prefixes.

Online

Offline

getWSPrefixAndPartnerMapping

Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter.

Online

Offline

createWSPrefixAndPartnerMapping

Create a new WS Prefix mapping to a Relying Partner.

Online

Offline

deleteWSPrefixAndPartnerMapping

Delete an existing WS Prefix mapping to a Relying Partner.

Online

Offline

Partner Profiles Commands

   

getAllPartnerProfiles

Retrieve the names of all the existing partner profiles.

Online

getPartnerProfile

Retrieve partner profile configuration data.

Online

createRequesterPartnerProfile

Create a new Requester Partner profile with default configuration data.

Online

createRelyingPartyPartnerProfile

Create a new Relying Party Partner profile with default configuration data.

Online

createIssuingAuthorityPartnerProfile

Create a new Issuing Authority Partner profile with default configuration data.

Online

deletePartnerProfile

Delete an existing partner profile.

Online

Issuance Template Commands

   

getAllIssuanceTemplates

Retrieve the names of all the existing Issuance Templates.

Online

Offline

getIssuanceTemplate

Retrieve configuration data of a specific Issuance Template.

Online

createIssuanceTemplate

Create a new Issuance Template with default configuration data.

Online

deleteIssuanceTemplate

Delete an existing Issuance Template.

Online

Offline

Validation Template Commands

   

getAllValidationTemplates

Retrieve the names of all the existing Validation Templates.

Online

Offline

getValidationTemplate

Retrieve configuration data of a specific Validation Template.

Online

Offline

createWSSValidationTemplate

Create a new WS Security Validation Template with default configuration data.

Online

Offline

createWSTrustValidationTemplate

Create a new WS Trust Validation Template with default configuration data.

Online

Offline

deleteValidationTemplate

Delete an existing Validation Template.

Online

Offline


getPartner

Online command that retrieves the Partner entry and prints out the configuration for this partner.

Description

Retrieves the Partner entry and prints out the configuration for this partner.

Syntax

getPartner(partnerId)
Argument Definition
partnerId
Specifies the partnerId: the ID of the partner.

Example

The following invocation retrieves the Partner entry and prints out the configuration for customPartner:

getPartner(partnerId="customPartner")

getAllRequesterPartners

Online command that retrieves Requester type partners.

Description

Retrieves Requester type partners.

Syntax

getAllRequesterPartners()

Example

The following invocation retrieves Requester type partners:

getAllRequesterPartners()

getAllRelyingPartyPartners

Online command that retrieves Relying Party partners.

Description

Retrieves the Relying Party partners.

Syntax

getAllRelyingPartyPartners()

Example

The following invocation retrieves Relying Party partners:

getAllRelyingPartyPartners()

getAllIssuingAuthorityPartners

Online command that retrieves Issuing Authority partners and prints out the result.

Description

Retrieves the Issuing Authority partners and prints out the result.

Syntax

getAllIssuingAuthorityPartners()

Example

The following invocation retrieves Issuing Authority partners and prints out the result:

getAllIssuingAuthorityPartners()

isPartnerPresent

Online command that queries OSTS to determine whether or not the specified partner exists in the Partner store.

Description

Queries OSTS to determine whether or not the specified partner exists in the Partner store, and prints out the result.

Syntax

isPartnerPresent(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation queries OSTS to determine whether or not customPartner exists in the Partner store, and prints out the result:

isPartnerPresent(partnerId="customPartner")

createPartner

Online command that creates a new Partner entry.

Description

Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.

Syntax

createPartner(partnerId, partnerType, partnerProfileId, description,
bIsTrusted)
Argument Definition
partnerId
Specifies the ID of the new partner to be created.
partnerType
Specifies the type of partner. Values can be one of the following:
  • STS_REQUESTER for Requester

  • STS_RELYING_PARTY for Relying Party

  • STS_ISSUING_AUTHORITY for Issuing Authority

partnerProfileId
Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry.
description
Specifies the optional description of this new partner entry.
bIsTrusted
A value that indicates whether or not this new partner is trusted. Value can be either:
  • true for trusted

  • false if not trusted


Example

The following invocation creates the STS_REQUESTER partner customPartner with the partner profile custom-partnerprofile, the description "custom requester" and a trust value of true, and displays a message indicating the result of the operation:

createPartner(partnerId="customPartner", partnerType="STS_REQUESTER",
partnerProfileId="custom-partnerprofile", description="custom requester",
bIsTrusted="true")

updatePartner

Online command that updates an existing Partner entry.

Description

Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.

Syntax

updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
Argument Definition
partnerId
Specifies the ID of the partner to be updated.
partnerProfileId
Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the partner entry.
description
Specifies the optional description of this partner entry.
bIsTrusted
A value that indicates whether or not this partner is trusted. Value can be either:
  • true for trusted

  • false if not trusted


Example

The following invocation updates customPartner with a new profile ID, (x509-wss-validtemp), description (custom requester with new profile id), and a trust value of false. A message indicates the result of the operation:

updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp",
description="custom requester with new profile id", bIsTrusted="false")

deletePartner

Online command that deletes a partner entry from OSTS.

Description

Deletes an existing Partner entry referenced by the partnerId parameter from OSTS, and prints out the result of the operation.

Syntax

deletePartner(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner to be deleted.

Example

The following invocation deletes the customPartner partner entry referenced by the partnerId parameter from OSTS, and prints out the result of the operation:

deletePartner(partnerId="customPartner")

getPartnerUsernameTokenUsername

Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.

Description

Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

Syntax

getPartnerUsernameTokenUsername(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves the customPartner partner username value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenUsername(partnerId="customPartner")

getPartnerUsernameTokenPassword

Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.

Description

Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

Syntax

getPartnerUsernameTokenPassword(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves customPartner partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenPassword(partnerId="customPartner")

setPartnerUsernameTokenCredential

Online command that sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation.

Description

Sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation. Displays the result of the operation.

Syntax

setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
Argument Definition
partnerId
Specifies the ID of the partner.
UTUsername
Specifies the username value used for UNT credentials validation or mapping operations.
UTPassword
Specifies the password value used for UNT credentials validation or mapping operations.

Example

The following invocation sets the username and password values of the customPartner partner entry, and displays the result of the operation:

setPartnerUsernameTokenCredential(partnerId="customPartner", UTUsername="test", UTPassword="password")

deletePartnerUsernameTokenCredential

Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

Description

Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

Syntax

deletePartnerUsernameTokenCredential(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner whose username and password values are to be removed.

Example

The following invocation removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation:

deletePartnerUsernameTokenCredential(partnerId="customPartner")

getPartnerSigningCert

Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

Description

Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

Syntax

getPartnerSigningCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string:

getPartnerSigningCert(partnerId="customPartner")

getPartnerEncryptionCert

Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.

Description

Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.

Syntax

getPartnerEncryptionCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string:

getPartnerEncryptionCert(partnerId="customPartner")

setPartnerSigningCert

Online command that uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.

Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.

Syntax

setPartnerSigningCert(partnerId, certFile)
Argument Definition
partnerId
Specifies the ID of the partner.
certFile
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM.

Example

The following invocation uploads the provided certificate to the partner entry customPartner as the signing certificate. Displays the result of the operation:

setPartnerSigningCert(partnerId="customPartner", certFile="/temp/signing_cert")

setPartnerEncryptionCert

Online command that uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.

Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.

Syntax

setPartnerEncryptionCert(partnerId, certFile)
Argument Definition
partnerId
Specifies the ID of the partner.
certFile
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM.

Example

The following invocation uploads the provided certificate to the partner entry customPartner as the encryption certificate. Displays the result of the operation:

setPartnerEncryptionCert(partnerId="customPartner", certFile="/temp/encryption_cert")

deletePartnerSigningCert

Online command that removes the signing certificate from the partner entry and displays the result of the operation.

Description

Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

Syntax

deletePartnerSigningCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation removes the signing certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerSigningCert(partnerId="customPartner")

deletePartnerEncryptionCert

Online command that removes the encryption certificate from the partner entry and displays the result of the operation.

Description

Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

Syntax

deletePartnerEncryptionCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation removes the encryption certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerEncryptionCert(partnerId="customPartner")

getPartnerAllIdentityAttributes

Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

Description

Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

Syntax

getPartnerAllIdentityAttributes(partnerId)
Argument Definition
partnerId
Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester

Example

The following invocation retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner: customPartner.

getPartnerAllIdentityAttributes(partnerId="customPartner")

getPartnerIdentityAttribute

Online command that retrieves and displays identity mapping attributes used to map a token or to map binding data to a requester partner.

Description

Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

Syntax

getPartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId
Specifies the ID of the Requester partner.
identityAttributeName
Specifies the name of the identity mapping attribute to retrieve and display. For example: httpbasicusername.

Example

The following invocation retrieves and displays one identityAttribute and its value as specified by identityAttributeName.

getPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername")

setPartnerIdentityAttribute

Online command that sets the identity mapping attribute for the Requester partner.

Description

Set the identity mapping attribute specified by identityAttributeName for the partner of type requester specified by the partnerId parameter. These identity mapping attributes only exist for Requester partners. Displays the result of the operation.

Syntax

setPartnerIdentityAttribute(partnerId, identityAttributeName, 
identityAttributeValue)
Argument Definition
partnerId
Specifies the ID of the partner of type Requester.
identityAttributeName
Specifies the name of the identity mapping attribute to set.
identityAttributeValue
Specifies the value of the identity mapping attribute to set.

Example

The following invocation sets the identity mapping attribute specified by identityAttributeName for the Requester partner specified by the partnerId parameter. Displays the result of the operation.

setPartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername",identityAttributeValue="test")

deletePartnerIdentityAttribute

Online command that deletes the identity mapping attribute.

Description

Deletes the identity mapping attribute specified by identityAttributeName.

The identity mapping attributes are used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner, and they only exist for Requester partners.

Syntax

deletePartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId
Specifies the ID of the partner.
identityAttributeName
Specifies the name of the identity mapping attribute to delete.

Example

The following invocation deletes the identity mapping attribute specified by identityAttributeName for Requester partner customPartner.

deletePartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername")

getAllWSPrefixAndPartnerMappings

Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.

Description

Retrieves and displays all WS Prefixes to Relying Party Partner mappings.

Syntax

getAllWSPrefixAndPartnerMappings() 

Example

The following invocation retrieves and displays all the WS Prefix to Relying Party Partner mappings.

getAllWSPrefixAndPartnerMappings() 

getWSPrefixAndPartnerMapping

Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

Description

Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

Syntax

getWSPrefixAndPartnerMapping(wsprefix) 
Argument Definition
wsprefix
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


Example

The following invocation retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

getWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")

createWSPrefixAndPartnerMapping

Online command that creates a new WS Prefix mapping to a Relying Partner.

Description

Creates a new WS Prefix mapping to a Relying Partner referenced by the partnerid parameter, and displays the result of the operation.

Syntax

createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
Argument Definition
wsprefix
Specifies the WS Prefix entry to create. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path

partnerid
Specifies the ID of the Relying Party Partner to map the WS Prefix to.
description
Specifies an optional description.

Example

The following invocation creates a new WS Prefix mapping to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation.

createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path",
partnerid="customRPpartner", description="some description")

deleteWSPrefixAndPartnerMapping

Online command that deletes an existing mapping of WS Prefix to a Relying Party Partner.

Description

Deletes an existing mapping of WS Prefix to a Relying Partner, and displays the result of the operation.

Syntax

deleteWSPrefixAndPartnerMapping(wsprefix)
Argument Definition
wsprefix
Specifies the WS Prefix entry whose mapping is to be deleted. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


Example

The following invocation deletes the existing mapping of WS Prefix to a Relying Partner, and displays the result of the operation.

deleteWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")
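The wsprefix value is the key that selects a Relying Party Partner, so a malformed or overlapping prefix can quietly route a relying party to the wrong partner, or to none at all. The following Python 3 code is an added example, not part of the Oracle documentation and not OAM's own implementation: it validates a wsprefix against the documented form http_protocol://hostname_ip/path before it is passed to createWSPrefixAndPartnerMapping, and keeps a local model of the prefix table with a longest-prefix lookup so overlapping entries can be reasoned about before they are created on the server. The matching rule (exact scheme, host and port; longest path prefix wins on a segment boundary), the optional port, and the WSPrefixTable class are assumptions made for illustration.

```python
import re

# Constructed pattern for the documented form http_protocol://hostname_ip/path.
# Assumptions beyond the documented form: an optional :port is accepted, and a
# query string or fragment is rejected because a prefix should carry neither.
_WSPREFIX_RE = re.compile(
    r"^(?P<scheme>https?)://"
    r"(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?|\[[0-9A-Fa-f:.]+\])"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/[^?#\s]*)?$",
    re.IGNORECASE,
)


def parse_wsprefix(wsprefix):
    """Return a normalized (scheme, host, port, path) tuple for a WS Prefix.

    Raises ValueError for anything outside the documented form, so the error
    surfaces at the client instead of as a mapping that never matches.
    """
    m = _WSPREFIX_RE.match(wsprefix.strip())
    if not m:
        raise ValueError("malformed WS Prefix: %r" % (wsprefix,))
    scheme = m.group("scheme").lower()
    host = m.group("host").lower()
    default_port = 443 if scheme == "https" else 80
    port = int(m.group("port")) if m.group("port") else default_port
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in WS Prefix: %r" % (wsprefix,))
    path = m.group("path") or "/"
    return scheme, host, port, path


def _path_has_prefix(path, prefix):
    """True when `prefix` covers `path` on a path-segment boundary.

    "/path" covers "/path" and "/path/svc" but not "/pathology".
    """
    if prefix == "/":
        return True
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


class WSPrefixTable(object):
    """Local model (an assumption) of the WS Prefix -> Relying Party Partner table."""

    def __init__(self):
        self._entries = {}  # normalized prefix tuple -> (partnerid, description)

    def create(self, wsprefix, partnerid, description=""):
        """Mirror createWSPrefixAndPartnerMapping locally; reject duplicates."""
        key = parse_wsprefix(wsprefix)
        if key in self._entries:
            raise ValueError("a mapping already exists for %s" % (wsprefix,))
        self._entries[key] = (partnerid, description)
        return key

    def delete(self, wsprefix):
        """Mirror deleteWSPrefixAndPartnerMapping; True if an entry was removed."""
        return self._entries.pop(parse_wsprefix(wsprefix), None) is not None

    def lookup(self, applies_to):
        """Resolve an endpoint (for example an RST AppliesTo value) to a partner.

        Scheme, host and port must match exactly; among matching paths the
        longest prefix wins. Returns None when no mapping applies.
        """
        scheme, host, port, path = parse_wsprefix(applies_to)
        best_len, best_partner = -1, None
        for (k_scheme, k_host, k_port, k_path), (partnerid, _) in self._entries.items():
            if (k_scheme, k_host, k_port) != (scheme, host, port):
                continue
            if _path_has_prefix(path, k_path) and len(k_path) > best_len:
                best_len, best_partner = len(k_path), partnerid
        return best_partner
```

Running parse_wsprefix on every value before the real createWSPrefixAndPartnerMapping call costs nothing and turns a silent misconfiguration into an immediate error; the table model is useful when reviewing an export of existing mappings for shadowing, where a broad "/" entry would catch everything a more specific entry was meant to handle.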

getAllPartnerProfiles

Online command that retrieves the names of all the existing partner profiles and displays them.

Description

Retrieves the names of all the existing partner profiles and displays them.

Syntax

getAllPartnerProfiles()

Example

The following invocation retrieves the names of all the existing partner profiles and displays them.

getAllPartnerProfiles()

getPartnerProfile

Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.

Description

Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

Syntax

getPartnerProfile(partnerProfileId)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.

Example

The following invocation retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

getPartnerProfile(partnerProfileId="custom-partnerprofile")

createRequesterPartnerProfile

Online command that creates a new requester partner profile with default configuration data.

Description

Creates a new requester partner profile with default configuration data, and displays the result of the operation.

Table 4-9 describes the default configuration created with this command.

Table 4-9 Default Configuration: createRequesterPartnerProfile

Element Description
Return Error for Missing Claims

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template:

  • SAML 1.1 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
    

    The SAML 1.1 token type is not mapped to any WS-Trust Validation Template.

  • SAML 2.0 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
    

    The SAML 2.0 token type is not mapped to any WS-Trust Validation Template.

  • Username token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
    

    The Username token type is not mapped to any WS-Trust Validation Template.

Note: Token Type Configuration and token type to Validation Template mapping are both empty.

Attribute Name Mapping

Default: The Attribute Name Mapping table is empty by default.


Syntax

createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, 
description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
defaultRelyingPartyPPID
Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner.
description
Specifies the optional description for this partner profile.

Example

The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 4-9.

createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom
partner profile")

createRelyingPartyPartnerProfile

Online command that creates a new relying party partner profile with default configuration data.

Description

Creates a new relying party partner profile with default configuration data, and displays the result of the operation.

Table 4-10 describes the default configuration created with this command.

Table 4-10 Default Configuration: createRelyingPartyPartnerProfile

Element Description

Download Policy

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration will contain a single entry, with:

  • The token type set to the type of Issuance Template referenced by defaultIssuanceTemplateID

  • The Issuance template set to defaultIssuanceTemplateID

Note: For the token type of the issuance template referenced by defaultIssuanceTemplateID, it will be linked to the issuance template, while the other token types will not be linked to any issuance template.

If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID.

Attribute Name Mapping

The Attribute Name Mapping table is empty by default.


Syntax

createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, 
description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
defaultIssuanceTemplateID
Specifies the default issuance template and token type to issue if no token type was specified in the RST.
description
Specifies the optional description for this partner profile.

Example

The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.

createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")

createIssuingAuthorityPartnerProfile

Online command that creates a new issuing authority partner profile with default configuration data.

Description

Creates a new issuing authority partner profile with the default configuration data in Table 4-11, and displays the result of the operation.

Table 4-11 Default Configuration: createIssuingAuthorityPartnerProfile

Element Description

Server Clockdrift

Default: 600 seconds

Token Mapping

The Token Mapping Section will be configured as follows:

  • Override Simple User Mapping: false

  • Override User NameID Mapping: false

  • Override Attribute Based User Mapping: false

  • Override Simple Partner Mapping: false

  • Override Partner NameID Mapping: false

Empty fields

  • simple user mapping

  • attribute based user mapping

  • simple partner mapping

Partner NameID Mapping

The Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping

The User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

Attribute Mapping

The Attribute Value Mapping and Attribute Name Mapping tables are empty by default.


Syntax

createIssuingAuthorityPartnerProfile(partnerProfileId, description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
description
Specifies the optional description for this partner profile.

Example

The following invocation creates a new issuing authority partner profile with default configuration data, and displays the result of the operation.

createIssuingAuthorityPartnerProfile(partnerProfileId="custom-partnerprofile",
description="custom partner profile")

deletePartnerProfile

Online command that deletes a partner profile referenced by the partnerProfileId parameter.

Description

Deletes a partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

Syntax

deletePartnerProfile(partnerProfileId) 
Argument Definition
partnerProfileId
Specifies the name of the partner profile to be removed.

Example

The following invocation deletes a partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

deletePartnerProfile(partnerProfileId="custom-partnerprofile")

getAllIssuanceTemplates

Online command that retrieves the names of all the existing issuance templates.

Description

Retrieves the names of all the existing issuance templates and displays them.

Syntax

getAllIssuanceTemplates()

Example

The following invocation retrieves the names of all the existing issuance templates and displays them.

getAllIssuanceTemplates()

getIssuanceTemplate

Online command that retrieves the configuration data of a specific issuance template.

Description

Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

Syntax

getIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId
Specifies the name of the issuance template.

Example

The following invocation retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

getIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

createIssuanceTemplate

Online command that creates a new issuance template with default configuration data.

Description

Creates a new issuance template with default configuration data, and displays the result of the operation.

Table 4-12 describes the default configuration for this command.

Table 4-12 Default Configuration: createIssuanceTemplate

Token Type Description

Username

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • NameID User Attribute: uid

  • NameID User Attribute Store: User Store

  • Password Attribute: (empty)

  • Include Nonce: true

  • Include Timestamp: true

SAML 1.1

or

SAML 2.0

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • Assertion Issuer: OAM Hostname

  • NameID Format: Email Address

  • NameID User Attribute: mail

  • NameID User Attribute Store: User Store

  • NameID Qualifier: (empty)

  • Include Authn Statement: true

  • Include Attr Statement: true

  • Sign Assertion: true

  • Include Certificate in Signature: true

  • Send Encrypted NameID: false (SAML 2.0 only)

  • Default Subject Confirmation Method: Sender Vouches

  • Compute HOK Symmetric Key: true

  • HOK Symmetric Key Generation Algorithm: http://www.w3.org/2001/04/xmlenc#aes128-cbc

Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter

Custom Type

The issuance template will be created with the following default values:

  • Send Encrypted Token: false


Syntax

createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, 
description) 
Argument Definition
issuanceTemplateId
Specifies the name of the issuance template to be created.
tokenType
Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

signingKeyId
Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20.
description
An optional description.

Example

The following invocation creates a new issuance template with default configuration data, and displays the result of the operation.

createIssuanceTemplate(issuanceTemplateId="custom-issuancetemp", tokenType="saml20", signingKeyId="osts_signing", description="custom issuance template")
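Several of the commands described above only succeed in a particular order: createRelyingPartyPartnerProfile needs an existing issuance template for defaultIssuanceTemplateID, createRequesterPartnerProfile needs an existing relying party partner profile for defaultRelyingPartyPPID, createWSPrefixAndPartnerMapping and setPartnerIdentityAttribute need existing partners, and createIssuanceTemplate requires signingKeyId only when the token type is saml11 or saml20. The following WLST-style Python code is an added example, not part of the Oracle documentation: it encodes those dependencies in one provisioning routine so that a half-created partner setup is not left behind by a call that fails on a missing prerequisite. The invoke parameter, the recorder, the plan dictionary layout, and the lookup of WLST commands in this script's globals() are assumptions made for illustration; the partners customRPpartner and customPartner are assumed to exist already, created outside this snippet.

```python
# Token types for which createIssuanceTemplate requires signingKeyId.
SAML_TOKEN_TYPES = ("saml11", "saml20")


def _default_invoker(name, **kwargs):
    """Call the WLST command `name` from this script's global namespace.

    Assumption: when this code is run inside a WLST session the custom
    commands are visible as globals here. Outside WLST the lookup fails
    with a clear error instead of a NameError part-way through the flow.
    """
    command = globals().get(name)
    if command is None:
        raise RuntimeError("%s is not available; run inside a WLST session" % name)
    return command(**kwargs)


def make_recorder(log):
    """Offline stand-in for the WLST commands: appends (name, kwargs) to `log`."""
    def invoke(name, **kwargs):
        log.append((name, kwargs))
        return "recorded %s" % name
    return invoke


def validate_plan(plan):
    """Apply the constraints stated in the command descriptions before any call."""
    tmpl = plan["issuance_template"]
    if tmpl["token_type"] in SAML_TOKEN_TYPES and not tmpl.get("signing_key_id"):
        raise ValueError("signingKeyId is required for token type %s" % tmpl["token_type"])
    for key in ("rp_profile", "requester_profile", "rp_partner_id",
                "ws_prefix", "requester_partner_id"):
        if not plan.get(key):
            raise ValueError("plan is missing %s" % key)
    for name in plan.get("identity_attributes", {}):
        if not name:
            raise ValueError("empty identity attribute name")


def provision_sts_partner(plan, invoke=_default_invoker):
    """Run the commands in dependency order; return the list of (command, kwargs)."""
    validate_plan(plan)
    tmpl, rp, req = plan["issuance_template"], plan["rp_profile"], plan["requester_profile"]
    steps = [
        # 1. Issuance template first: the RP profile references it.
        ("createIssuanceTemplate", dict(
            issuanceTemplateId=tmpl["id"], tokenType=tmpl["token_type"],
            signingKeyId=tmpl.get("signing_key_id", ""),
            description=tmpl.get("description", ""))),
        # 2. Relying party profile: its default token comes from the template.
        ("createRelyingPartyPartnerProfile", dict(
            partnerProfileId=rp["id"], defaultIssuanceTemplateID=tmpl["id"],
            description=rp.get("description", ""))),
        # 3. Requester profile: falls back to the RP profile when AppliesTo is absent.
        ("createRequesterPartnerProfile", dict(
            partnerProfileId=req["id"], defaultRelyingPartyPPID=rp["id"],
            description=req.get("description", ""))),
        # 4. Map the relying party endpoint prefix to the (pre-existing) RP partner.
        ("createWSPrefixAndPartnerMapping", dict(
            wsprefix=plan["ws_prefix"], partnerid=plan["rp_partner_id"],
            description=plan.get("ws_prefix_description", ""))),
    ]
    # 5. Binding-data identity attributes on the (pre-existing) requester partner.
    for name, value in sorted(plan.get("identity_attributes", {}).items()):
        steps.append(("setPartnerIdentityAttribute", dict(
            partnerId=plan["requester_partner_id"], identityAttributeName=name,
            identityAttributeValue=value)))
    for command, kwargs in steps:
        invoke(command, **kwargs)
    return steps


# Constructed plan reusing the identifiers from the examples on this page.
EXAMPLE_PLAN = {
    "issuance_template": {"id": "custom-issuancetemp", "token_type": "saml20",
                          "signing_key_id": "osts_signing",
                          "description": "custom issuance template"},
    "rp_profile": {"id": "rpPartnerProfileTest", "description": "RP profile"},
    "requester_profile": {"id": "requesterPartnerProfileTest",
                          "description": "requester profile"},
    "rp_partner_id": "customRPpartner",        # assumed to exist already
    "ws_prefix": "http://host1.example.com/path",
    "ws_prefix_description": "some description",
    "requester_partner_id": "customPartner",   # assumed to exist already
    "identity_attributes": {"httpbasicusername": "test"},
}

if __name__ == "__main__":
    # Dry run with the recorder; inside WLST, drop the invoke argument.
    calls = []
    for command, kwargs in provision_sts_partner(EXAMPLE_PLAN, invoke=make_recorder(calls)):
        print("%s(%s)" % (command, ", ".join("%s=%r" % kv for kv in sorted(kwargs.items()))))
```

The dry run is the useful part for change review: the recorded call list is exactly what will be sent to the server, so it can be diffed against the intended configuration before anything is created, and validate_plan rejects a SAML issuance template without a signing key before the first command runs.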

deleteIssuanceTemplate

Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

Description

Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

Syntax

deleteIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId
Specifies the name of the existing issuance template to be removed.

Example

The following invocation deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

deleteIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

getAllValidationTemplates

Online command that retrieves the names of all the existing validation templates.

Description

Retrieves the names of all the existing validation templates and displays them.

Syntax

getAllValidationTemplates() 

Example

The following invocation retrieves the names of all the existing validation templates and displays them.

getAllValidationTemplates()

getValidationTemplate

Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.

Description

Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.

Syntax

getValidationTemplate(validationTemplateId) 
Argument Definition
validationTemplateId
Specifies the name of the existing validation template.

Example

The following invocation retrieves the configuration data of a specific validation template, and displays the content of the template.

getValidationTemplate(validationTemplateId="custom-wss-validtemp")

createWSSValidationTemplate

Online command that creates a new validation template with default configuration data.

Description

Creates a new validation template with default configuration data, and displays the result of the operation.

The WSS validation template is created with the values in Table 4-13, depending on the token type.

Table 4-13 Default Configuration: createWSSValidationTemplate

Token Type Description

Username

The validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: true

  • Validation Source: Partner

  • Token Mapping: Map token to Partner

  • Enable Simple Partner Mapping: true

  • Partner Datastore Attribute: username

SAML 1.1

or

SAML 2.0

The validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

  • Enable Partner NameID Mapping: false

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: NameID

  • Partner Datastore Attribute: username

Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: DN

  • Partner Datastore Attribute: sslclientcertdn

Kerberos

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping

Also:

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail


Syntax

createWSSValidationTemplate(templateId, tokenType,
defaultRequesterPPID, description)
Argument Definition
templateId
Specifies the name of the validation template to be created.
tokenType
Specifies the token type of the validation template. Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is OAM

defaultRequesterPPID
Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester.
description
Specifies an optional description.

Example

The following invocation creates a new validation template with default configuration data, and displays the result of the operation.

createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom",
defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation 
template")

createWSTrustValidationTemplate

Online command that creates a new WS-Trust validation template with default configuration data.

Description

Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.

The WS-Trust validation template is created with the values in Table 4-14, depending on the token type.

Table 4-14 Default Configuration: createWSTrustValidationTemplate

Token Type Description

Username

The WS-Trust validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: false

  • Validation Source: User Store

  • Token Mapping: Map token to User

  • Enable Simple User Mapping: true

  • User Datastore Attribute: uid

SAML 1.1

or

SAML 2.0

The WS-Trust validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: true

  • Enable Attribute Based User Mapping: false

Empty fields: User Datastore Attribute, Attribute Based User Mapping

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

  • User Token Attribute: CN

  • User Datastore Attribute: CN

  • Attribute Based User Mapping (empty)

Kerberos

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail

OAM

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_NAME_ID

  • User Datastore Attribute: uid

custom

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to None

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: (empty)

  • User Datastore Attribute: (empty)


Syntax

createWSTrustValidationTemplate(templateId, tokenType, description)
Argument Definition
templateId
Specifies the name of the WS-Trust validation template to be created.
tokenType
Specifies the token type of the WS-Trust validation template. Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is an Oracle Access Manager token, supported by default

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

description
Specifies an optional description.

Example

The following invocation creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.

createWSTrustValidationTemplate(templateId="custom-wss-validtemp", 
tokenType="custom", description="custom validation template")

deleteValidationTemplate

Online command that deletes a validation template.

Description

Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

Syntax

deleteValidationTemplate(validationTemplateId)
Argument Definition
validationTemplateId
Specifies the name of the validation template to be removed.

Example

The following invocation deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

deleteValidationTemplate(validationTemplateId="custom-wss-validtemp")