C Configuration Parameters

This Appendix lists the parameters and accepted values that may be defined for Oracle Entitlements Server services using jps-config.xml, the configuration file used by Java EE containers. It is located in the $DOMAIN_HOME/config/fmwconfig directory. This Appendix is comprised of the following sections:

• Section C.1, "Policy Distribution Configuration"

• Section C.2, "Security Module Configuration"

• Section C.3, "PDP Proxy Configuration"

• Section C.4, "Policy Store Service Configuration"

C.1 Policy Distribution Configuration

The Policy Distribution Component is responsible for distributing policy objects and policies from the policy store to one or more Security Modules. It can distribute in a controlled-push mode, a controlled-pull mode and a non-controlled mode. Each mode entails different configurations.

• Section C.1.1, "Policy Distribution Component Server Configuration"

• Section C.1.2, "Policy Distribution Component Client Configuration"

C.1.1 Policy Distribution Component Server Configuration

Typically, configuration for the Policy Distribution Component (in a scenario when it runs within Oracle Entitlements Server) is associated with the Policy Store configuration in the jps-config.xml file to fetch policies and policy objects for distribution. Only in cases when data is pulled in a controlled manner (controlled-pull mode) is the Policy Distribution Component associated with the PDP Service configuration on the Security Module side. Table C-1 contains the configuration parameters.

Table C-1 Policy Distribution Server Configuration

Name	Information
oracle.security.jps.pd.server.transactionalScope	Description: Defines the scope of the policy distribution as either to one Security Module or to all Security Modules. If distribution fails when it involves only one Security Module, it does not affect distributions to other Security Modules. Optional Accepted Values: All (default), One

C.1.2 Policy Distribution Component Client Configuration

The Policy Distribution Component client is responsible for making policies available to the Security Module. Thus, the Policy Distribution Client configuration is always associated with the PDP Service configuration portion of the jps-config.xml file on the Security Module side. Configuration is different depending on the mode of distribution and the environment in which the Security Module is running. The following sections contain descriptions of the applicable configuration parameters.

• Section C.1.2.1, "Policy Distribution Component Client Java Standard Edition Configuration (Controlled Push Mode)"

• Section C.1.2.2, "Policy Distribution Component Client Java Enterprise Edition Container Configuration (Controlled Push Mode)"

• Section C.1.2.3, "Policy Distribution Client Configuration (Controlled Pull Mode)"

• Section C.1.2.4, "Policy Distribution Client Configuration (Non-controlled Mode)"

C.1.2.1 Policy Distribution Component Client Java Standard Edition Configuration (Controlled Push Mode)

Table C-2 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Standard Edition (JSE) environment and is configured to distribute data in the controlled-push mode.

Table C-2 Policy Distribution Client Configuration, JSE, Controlled Push Mode

Name	Information
oracle.security.jps.runtime.pd.client.policyDistributionMode	Description: Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution. Mandatory Accepted Value: controlled-push
oracle.security.jps.runtime.pd.client.sm_name	Description: Defines the name of the Security Module. Mandatory Accepted Value: Name of the Security Module
oracle.security.jps.runtime.pd.client.localpolicy.work_folder	Description: Defines the name of any directory in which local cache files are stored. This directory must have read and write privileges. Optional Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.
oracle.security.jps.runtime.pd.client.incrementalDistribution	Description: Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store. Optional Accepted Values: false (policy distribution is flush for this Security Module) true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)
oracle.security.jps.runtime.pd.client.registrationRetryInterval	Description: When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful. Optional Accepted Value: time in seconds (default value is 5)
oracle.security.jps.runtime.pd.client.waitDistributionTime	Description: If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires. Optional Accepted Value: time in seconds (default value is 60)
oracle.security.jps.runtime.pd.client.RegistrationServerURL	Description: Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts. Mandatory Accepted Value: URL
oracle.security.jps.runtime.pd.client.backupRegistrationServerURL	Description: Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable. Optional (although if not configured Oracle Entitlements Server failover will not work) Accepted Value: URL
oracle.security.jps.runtime.pd.client.DistributionServicePort	Description: Defines the port to which a remote Policy Distributor will push policy updates. Mandatory Accepted Value: port number
oracle.security.jps.pd.client.sslMode	Description: Defines whether communication between the Policy Distribution Component server and client will use the Secure Sockets Layer (SSL) protocol or not. Mandatory Accepted Values: none, two-way (default value)
oracle.security.jps.pd.client.ssl.identityKeyStoreFileName	Description: Defines the name of the Identity Key Store file in which client certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component. Mandatory Accepted Value: the name of the keystore file
oracle.security.jps.pd.client.ssl.trustKeyStoreFileName	Description: Defines the name of the Trust Key Store file where Certificate Authority (CA) certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component. Mandatory Accepted Value: the name of the identity key store file
oracle.security.jps.pd.client.ssl.identityKeyStoreKeyAlias	Description: Defines an Identity Key alias to identify the client certificate used for SSL communication between the Security Module and the Policy Distribution Component. Optional (if only one alias exists in the identity keystore there is no need to specify this value) Accepted Value: the identity key alias
oracle.security.jps.runtime.pd.client.SMinstanceType	Description: Defines the type of Security Module to which the Policy Distribution Component client is connecting. Mandatory Accepted Value: java (Other accepted values include wls, RMI and ws. Because this table covers the Java Security Module only, the value must be java.)

C.1.2.2 Policy Distribution Component Client Java Enterprise Edition Container Configuration (Controlled Push Mode)

Table C-3 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Enterprise Edition (JEE) environment and is configured to distribute data in the controlled-push mode.

Table C-3 Policy Distribution Client Configuration, JEE, Controlled Push Mode

Name	Information
oracle.security.jps.runtime.pd.client.policyDistributionMode	Description: Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution. Mandatory Accepted Value: controlled-push
oracle.security.jps.runtime.pd.client.sm_name	Description: Defines the name of the Security Module. Mandatory Accepted Value: Name of the Security Module
oracle.security.jps.runtime.pd.client.localpolicy.work_folder	Description: Defines the name of any directory in which local cache files are stored. This directory must have read and write privileges. Optional Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.
oracle.security.jps.runtime.pd.client.incrementalDistribution	Description: Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store. Optional Accepted Values: false (policy distribution is flush for this Security Module) true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)
oracle.security.jps.runtime.pd.client.registrationRetryInterval	Description: When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful. Optional Accepted Value: time in seconds (default value is 5)
oracle.security.jps.runtime.pd.client.waitDistributionTime	Description: If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires. Optional Accepted Value: time in seconds (default value is 60)
oracle.security.jps.runtime.pd.client.RegistrationServerURL	Description: Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts. Mandatory Accepted Value: URL
oracle.security.jps.runtime.pd.client.backupRegistrationServerURL	Description: Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable. Optional (although if not configured Oracle Entitlements Server failover will not work) Accepted Value: URL
oracle.security.jps.runtime.pd.client.SMinstanceType	Description: Defines the type of Security Module to which the Policy Distribution Component client is connecting. Mandatory Accepted Values: was wls
oracle.security.jps.runtime.pd.client.DistributionServiceURL	Description: Defines the URL to which the remote Policy Distributor will push policy updates. Mandatory Accepted Values: URL

C.1.2.3 Policy Distribution Client Configuration (Controlled Pull Mode)

Table C-4 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the controlled-pull mode.

Table C-4 Policy Distribution Client Configuration, Controlled Pull Mode

Name	Information
oracle.security.jps.runtime.pd.client.policyDistributionMode	Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution. Mandatory Accepted Value: controlled-pull
oracle.security.jps.runtime.pd.client.sm_name	Description: Defines the name of the Security Module. Mandatory Accepted Value: the name of the Security Module
oracle.security.jps.runtime.pd.client.localpolicy.work_folder	Description: Defines the name of any directory in which local cache files are stored. This directory must have read and write privileges. Optional Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.
oracle.security.jps.runtime.pd.client.incrementalDistribution	Description: Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store. Optional Accepted Values: false (policy distribution is flush for the Security Module) true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)
oracle.security.jps.runtime.pd.client.waitDistributionTime	Description: If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires. Optional Accepted Value: time in seconds (default value is 60)
oracle.security.jps.runtime.pd.client.PollingTimerEnabled	Description: Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling for environment when policies are not expected to be modified. Optional Accepted Values: false true (default value)
oracle.security.jps.runtime.pd.client.PollingTimerInterval	Description: Defines the interval of time in which the Policy Distribution Component will check for policy data changes. Optional Accepted Value: time in seconds (default value of 600)
oracle.security.jps.ldap.root.name	Description: Defines the top (root) entry of the LDAP policy store directory information tree (DIT). Mandatory Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT)
oracle.security.jps.farm.name	Description: Defines the RDN format of the domain node in the LDAP policy store. Mandatory Accepted Value: name of the domain
jdbc.url	Description: Takes a URL that points to the database. Mandatory (if using Java Database Connectivity API to connect to policy store) Accepted Value: URL
jdbc.driver	Description: Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database. Mandatory Accepted Value: driver
datasource.jndi.name	Description: The JNDI name of the JDBC data source instance. The instance may correspond to a single source or multi-source datasource. Valid in only JEE applications. Applies only to database stores. Mandatory Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.
bootstrap.security.principal.key	Description: The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store. Mandatory Accepted Value: CSF credential key
bootstrap.security.principal.map	Description: The map for the password credentials to access the policy store. Credentials are stored in the CSF store. Mandatory Accepted Value: name of the CSF credential map

C.1.2.4 Policy Distribution Client Configuration (Non-controlled Mode)

Table C-5 compiles the parameters for Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the non-controlled mode.

Table C-5 Policy Distribution Client COnfiguration, Non-controlled Mode

Name	Information
oracle.security.jps.runtime.pd.client.policyDistributionMode	Description: Specifies the mode of policy distribution. Non-controlled distribution is when the Security Module initiates the periodic retrieval of policy data from a policy store (or from a component that serves as an intermediary between the two). Optional Accepted Value: non-controlled (default value)

C.2 Security Module Configuration

This section covers the configurations for the various types of Security Modules and their proxy clients.

• Section C.2.1, "Java Security Module"

• Section C.2.2, "Web Services Security Module"

• Section C.2.3, "RMI Security Module"

• Section C.2.4, "WebLogic Server Security Module"

C.2.1 Java Security Module

Table C-6 compiles the parameters to configure the Java Security Module embedded in either a JSE or a JEE container.

Table C-6 Java Security Module Configuration Parameters

Name	Information
oracle.security.jps.policystore.rolemember.cache.type	Description: Defines the role member cache type. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values SOFTHASH (cleaning of a cache of this type relies on the garbage collector when there is a memory crunch) WEAK (behavior of a cache of this type is similar to a cache of type SOFT but the garbage collector cleans it more frequently) STATIC (default value; cache objects are statically cached and can be cleaned explicitly only according to the applied cache strategy, such as FIFO; the garbage collector does not clean a cache of this type)
oracle.security.jps.policystore.rolemember.cache.strategy	Description: Defines the type of strategy used in the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small) FIFO (default value; the cache implements the first-in-first-out strategy)
oracle.security.jps.policystore.rolemember.cache.size	Description: Defines the number of roles kept in the role member cache. Valid in J2EE and J2SE application. Applies to LDAP and database stores. Optional Accepted Value: number (default value is 1000)
oracle.security.jps.policystore.rolemember.cache.warmup.enable	Description: Controls the way the Application Role membership cache is created. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values true (the cache is created at server startup; use when the number of users and groups is significantly higher than the number of Application Roles) false (default value; the cache is created on demand - lazy loading; use when the number of Application Roles is very high)
oracle.security.jps.policystore.policy.lazy.load.enable	Description: Enables or disables the policy lazy load. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values false true (default value)
oracle.security.jps.policystore.policy.cache.strategy	Description: Defines the type of strategy used in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.) PERMISSION_FIFO (default value; the cache implements the first-in-first-out strategy)
oracle.security.jps.policystore.policy.cache.size	Description: Defines the number of permissions kept in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Value: number (default value is 1000)
oracle.security.jps.policystore.policy.cache.updateable	Description: Defines whether the policy cache is incrementally updated for management operations on policy data. Optional Accepted Values false true (default value)
oracle.security.jps.policystore.refresh.enable	Description: Enables or disables the policy store refresh. If this property is set, oracle.security.jps.ldap.cache.enable cannot be set. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values: false true (default value)
oracle.security.jps.policystore.refresh.purge.timeout	Description: Defines the time in milliseconds after which the policy store cache is purged. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Value: time in milliseconds; default value is 43200000 which equals 12 hours
oracle.security.jps.ldap.policystore.refresh.purge.interval	Description: Defines the interval of time in which the policy store is polled for changes. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Value: time in milliseconds; default value is 600000 which equals 10 minutes
oracle.security.jps.pdp.missingAppPolicyQueryTTL	Description: Defines the interval of time to avoid frequently querying a non-exist Application (ApplicationPolicy) object. Optional Accepted Value: time to live in milliseconds (default value is 60000)
oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled	Description: Specifies whether the authorization cache should be enabled. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Values false true (default value)
oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity	Description: Defines the maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Value: number (default value is 500)
oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage	Description: Defines the percentage of sessions to drop when the eviction capacity is reached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Value: number (default value is 10)
oracle.security.jps.pdp.AuthorizationDecisionCacheTTL	Description: Defines the number of seconds during which session data is cached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Value: time in seconds (default value is 60)
oracle.security.jps.pdp.anonymousrole.enable	Description: Specifies whether anonymous role has to be added to anonymous subject for policy matching. Optional Accepted Values false true (default value)
oracle.security.jps.pdp.authenticatedrole.enable	Description: Specifies whether authenticated role has to be added to authenticated subject for policy matching. Optional Accepted Values false true (default value)

C.2.2 Web Services Security Module

Table C-7 compiles the parameters to configure the Web Services Security Module embedded in either a JSE or a JEE container.

Table C-7 Web Services Security Module Configuration Parameters

Name	Information
oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber	Description: Defines the port on which the Web Services Security Module listens. Mandatory Accepted Value: port number
oracle.security.jps.pdp.wssm.WSServiceRegistryHost	Description: Defines the name of the server on which the Web Services Security Module is running. Optional Accepted Value: server name (default value is localhost)
oracle.security.jps.pdp.wssm.Protocol	Description: Defines the transport protocol used between the Policy Distribution Component client and server. Optional Accepted Values https http (default value)
oracle.security.jps.pdp.sm.IdentityMaxCacheSize	Description: Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed. Optional Accepted Value: number
oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage	Description: Specifies percentage of identities that must be evicted when cache has reached the maximum size. Optional Accepted Value: number indicating percentage
oracle.security.jps.pdp.sm.IdentityCachedEntryTTL	Description: Specifies time-to-live of an identity cache record. Optional Accepted Value: time in seconds
oracle.security.jps.pdp.wssm.responseContext	Description: Specifies whether to merge data from many AppContext responses into a single AppContext response. Optional Accepted Values Merged Unmerged (default value)
oracle.security.jps.pdp.wssm.ssl.identityKeyStoreFileName	Description: Defines the name of the Identity Key Store file where client certificates are stored for the Web Services Security Module. Used for SSL communications between the remote client and the Web Services Security Module. Optional Accepted Value: name of the Identity Key Store file
oracle.security.jps.pdp.wssm.ssl.trustKeyStoreFileName	Description: Defines the name of the Trust Key Store file in which CA certificates are stored. Used for SSL communications between the remote client and the Web Services Security Module. Optional Accepted Value: name of the Trust Key Store file
oracle.security.jps.pdp.wssm.ssl.identityKeyStoreKeyAlias	Description: Specifies the Identity Key alias used to identify the Web Services Security Module client certificate used for SSL communication between the Web Services Security Module and the remote client.Acepted value: Idenity key alias Optional Accepted Value: Identity Key alias

C.2.3 RMI Security Module

Table C-8 compiles the parameters to configure the RMI Security Module embedded in either a JSE or a JEE container.

Note:

Currently this configuration is for a standalone deployment. We need to add the Container based configuration later.

Table C-8 RMI Security Module Configuration Parameters

Name	Information
oracle.security.jps.pdp.rmism.RMIRegistryPortNumber	Description: Defines the port on which the RMI Security Module listens to the RMI server. Mandatory Accepted Value: port number.
oracle.security.jps.pdp.rmism.UseSSL	Description: Defines whether the SSL protocol is used for secure communication between the RMI Security Module and RMI server. Optional Accepted Values true false (default)
oracle.security.jps.pdp.sm.IdentityMaxCacheSize	Description: Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed. Optional Accepted Value: number
oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage	Description: Specifies percentage of identities that must be evicted when cache has reached the maximum size. Optional Accepted Value: number representing percentage
oracle.security.jps.pdp.sm.IdentityCachedEntryTTL	Description: Specifies the time-to-live of an identity cache record. Optional Accepted Value: time in seconds

C.2.4 WebLogic Server Security Module

Table C-9 compiles the parameters to configure the WebLogic Server (WLS) Security Module embedded in a JEE container. These parameters are used only when the WLS Security Module is configured to be used as a PEP.

• See Oracle Fusion Middleware Administrator's Guide for Oracle Entitlements Server for architectural details ragarding the Security Module.

• See Section 13.1, "Integrating with WebLogic Server" to enable the WebLogic Server Security Module.

Table C-9 WebLogic Server Security Module Configuration Parameters

Name	Information
oracle.security.jps.pdp.wlssm.UndefinedApplicationEffect	Description: Specifies the effect that the provider has to return if an application is not defined in the policy store. Optional Accepted Values permit abstain deny
oracle.security.jps.pdp.wlssm.NoApplicablePolicyEffect	Description: Specifies the effect that the provider has to return if no applicable policies have been found. Optional Accepted Values permit (represents an open system) abstain deny (represents a closed system)

C.3 PDP Proxy Configuration

This section contains information regarding configuration for the Security Module proxies.

• Section C.3.1, "Web Services Security Module Proxy Client"

• Section C.3.2, "RMI Security Module Proxy Client"

C.3.1 Web Services Security Module Proxy Client

Table C-10 compiles the parameters to configure the Web Services Security Module proxy client.

Table C-10 Web Services Proxy Client Configuration Parameters

Name	Information
oracle.security.jps.pdp.PDPTransport	Description: Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server. Mandatory Accepted Values: no default value; XACML is always available in the Web Services Security Module. WS RMI
oracle.security.jps.pdp.proxy.PDPAddress	Description: Specifies the host and port number of either the Web Services Security Module. For example, http://dadvml0134:9015 Optional Accepted Value: a comma separated list of URIs (if more then one address is specified the first is conidered the primary, and the rest as backups)
oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs	Description: Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding. Optional Accepted Value: time in milliseconds (default value is 10000)
oracle.security.jps.pdp.proxyFailureRetryCount	Description: Specifies the number of attempts to make before attempting the alternate failover server. Optional Accepted Value: number (default value is 3)
oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs	Description: Specifies the interval of time after which a failed primary server is tried again for failover. Optional Accepted Value: time in milliseconds (default value is 180000)
oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs	Description: Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed. Optional Accepted Value: time in seconds (default value is 60)
oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreFileName	Description: Defines the name of the Identity Key Store file where client certificates for the Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module. Optional Accepted Value: name of the Identity Key Store file
oracle.security.jps.pdp.proxy.wssm.ssl.trustKeyStoreFileName	Description: Defines the name of the Trust Key Store file where CA certificates for Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module. Optional Accepted Value: the name of the Trust Key Store file.
oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreKeyAlias	Description: Specifies the alias name of the Web Services client certificate. Used for SSL communication between a client and the Web Services Security Module. Optional Accepted Value: alias of the identity key store (if only one alias exists in the identity key store, no need to specify this value)
oracle.security.jps.pdp.proxy.wssm.protocol	Description: Defines the transport protocol used between the Policy Distribution Component client and server. Optional Accepted Values https http (default value)

C.3.2 RMI Security Module Proxy Client

Table C-11 compiles the parameters to configure the RMI Security Module Proxy Client.

Table C-11 PDP RMI Proxy Client Configuration Parameters

Name	Information
oracle.security.jps.pdp.PDPTransport	Description: Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server. Mandatory Accepted Values: no default value; XACML is always available in the RMI Security Module. WS RMI
oracle.security.jps.pdp.proxy.PDPAddress	Description: Specifies the host and port number of the RMI Security Module. For example, rmi://localhost:9400 Mandatory Accepted Value: a comma separated list of URIs (if more then one address is specified the first is conidered the primary, and the rest as backups)
oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs	Description: Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding. Optional Accepted Value: time in milliseconds (default value is 10000)
oracle.security.jps.pdp.proxyFailureRetryCount	Description: Specifies the number of attempts to make before attempting the alternate failover server. Optional Accepted Value: number (default value is 3)
oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs	Description: Specifies the interval of time after which a failed primary server is tried again for failover. Optional Accepted Value: time in milliseconds (default value is 180000)
oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs	Description: Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed. Optional Accepted Value: time in seconds (default value is 60)

C.4 Policy Store Service Configuration

Table C-12 compiles the configuration parameters for the Policy Store Service.

Table C-12 Policy Store Service Configuration Parameters

Name	Information
ldap.url	Description: Defines the URL of the LDAP policy store. Valid in JEE and JSE applications and only applies to LDAP stores. Mandatory Accepted Value: URI of the LDAP policy store in the format ldap://host:port.
max.search.filter.length	Description: Defines the maximum length of a search filter. Mandatory Accepted Value: integer defining the maximum length of a search filter; for example, 1024
oracle.security.jps.ldap.root.name	Description: Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: root name of jps context; for example, cn=jpsroot.
oracle.security.jps.farm.name	Description: Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: farm name of the domain; for example, cn=base_domain.
oracle.security.jps.policystore.resourcetypeenforcementmode	Description: Controls the throwing of exceptions if any of the following checks fail: Verify that if two resource types share the same permission class, that permission must be either ResourcePermission or extend AbstractTypedPermission, and this last resource type cannot be created. Verify that all permissions have resource types defined, and that the resource matcher permission class and the permission being granted match. Valid in JEE and JSE applications. Applies to LDAP and database stores. Optional Accepted Values strict (when any of the above checks fail, the system throws an exception and the operation is aborted) lenient (default value; when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged)
bootstrap.security.principal.key	Description: Defines the key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: the key name of the credential; for example, oes_sm_key. The out-of-the-box value is bootstrap.
bootstrap.security.principal.map	Description: Defines the map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: map name of the credential; for example, oes_sm_map. The default value is BOOTSTRAP_JPS.
jdbc.driver	Description: Defines the name of the JDBC driver. Mandatory Accepted Value: name of the JDBC driver.
datasource.jndi.name	Description: The JNDI name of the JDBC data source instance. The instance may correspond to a single source or multi-source datasource. Valid in only JEE applications. Applies only to database stores. Mandatory Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.
jdbc.url	Description: Defines the JDBC driver connection URL. Mandatory Accepted Value: the JDBC driver connection URL.
oracle.security.jps.pd.localMode	Description: Defines whether the policy store is running in local mode. Mandatory Accepted Values true false