Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Entitlements Server
11g Release 2 (11.1.2)

Part Number E27153-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

B Configuring Attribute Retrievers Manually

As discussed in Section 1.3, "Overview of the Oracle Entitlements Server Architecture," the Policy Information Point (PIP) is a system entity that acts as a source for attribute values. Oracle Entitlements Server relies on an Attribute Retriever plug-in to get attribute values from one or more of these information stores. Predefined Attribute Retrievers are shipped with Oracle Entitlements Server. This chapter documents these predefined Attribute Retrievers and related configuration requirements. It contains the following sections.

Note:

See the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server for information on custom Attribute Retrievers.

B.1 Understanding Predefined Attribute Retrievers

Oracle Entitlements Server contains predefined Attribute Retrievers that are used to connect to, and retrieve attribute values from, Lightweight Directory Access Protocol (LDAP) data stores and relational database management systems (RDBMS). These predefined Attribute Retrievers can handle one or more attributes defined in the system without additional programming. They also contain a caching feature and failover.

See Section B.2.3, "Configuring Individual Attributes for Predefined Attribute Retrievers" for configuration information.

B.2 Configuring the Predefined Attribute Retrievers

Configuration information for these Attribute Retrievers is defined in the jps-config.xml configuration file. You must configure two types of information: attribute query information and repository connection information

Note:

These predefined Attribute Retrievers can be configured with Oracle Database 11gR1, Oracle Internet Directory 11gR1, and Oracle Virtual Directory 11gR1.

The following sections contain information on the configuration parameters for each type of Attribute Retriever. As previously mentioned, these parameters are in the jps-config.xml, the configuration file (used by Java EE containers) located in the $DOMAIN_HOME/config/fmwconfig directory.

B.2.1 Configuring the LDAP Respository Attribute Retriever Parameters

Table B-1 documents the parameters that must be defined when using the LDAP Attribute Retriever. See Example B-5, "Using the Predefined LDAP Attribute Retriever" and Example B-10, "Configuring LDAP Failover" for sample configuration code.

Table B-1 LDAP Attribute Retriever Parameters

Name Usage

name

Description: The predefined Attribute Retriever's name

Mandatory

Accepted Value: String defining the Attribute Retriever service instance.

description

Description: A description of the predefined Attribute Retriever

Optional

Accepted Value: string

type

Description: The predefined Attribute Retriever's type

Manadatory

Accepted Value: LDAP_PIP

failed.server.retry.interval

Description: After communication with a primary repository has failed, this attribute defines the interval of time during which the backup repository is used before switching back to the primary repository.

Optional

Accepted Value: Takes a value equal to the number of seconds. Default value is 15.

bootstrap.security.principal.key

Description: Defines the key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. See Section B.4, "Setting Up PIP Connection Credentials."

Mandatory

Accepted Value: key name of the credential; for example, oes_sm_key.

bootstrap.security.principal.map

Description: Defines the map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. See Section B.4, "Setting Up PIP Connection Credentials."

Mandatory

Accepted Value: map name of the credential; for example, oes_sm_map.

ldap.url

Description: Defines the URL of the LDAP policy store. Valid in JEE and JSE applications and only applies to LDAP stores.

Mandatory

Accepted Value: URI of the LDAP policy store in the format ldap://host:port.


B.2.2 Configuring the Database Repository Attribute Retriever Parameters

Table B-2 documents the parameters that must be defined when using the RDBMS Attribute Retriever. See Example B-6, "Using the Predefined RDBMS Attribute Retriever with JDBC" and Example B-7, "Using the Predefined RDBMS Attribute Retriever with SQL" for sample configuration code.

Table B-2 RDBMS Attribute Retriever Parameters

Name Usage

name

Description: The predefined Attribute Retriever's name

Mandatory

Accepted Value: String defining the Attribute Retriever service instance.

description

Description: A description of the predefined Attribute Retriever

Optional

Accepted Value: string

type

Description: The predefined Attribute Retriever's type

Manadatory

Accepted Value: RDBMS_PIP

failed.server.retry.interval

Description: After the primary repository has failed, this attribute identifies the interval of time during which the backup repository is used before switching back to the primary repository.

Optional

Accepted Value: Takes a value equal to the number of seconds. Default value is 15.

bootstrap.security.principal.key

Description: Defines the key for the password credentials to access the database, stored in the CSF store. Valid in JEE and JSE applications. See Section B.4, "Setting Up PIP Connection Credentials."

Mandatory

Accepted Value: key name of the credential; for example, oes_sm_key.

bootstrap.security.principal.map

Description: Defines the map for the password credentials to access the database, stored in the CSF store. Valid in JEE and JSE applications. See Section B.4, "Setting Up PIP Connection Credentials."

Manadatory

Accepted Value: map name of the credential; for example, oes_sm_map.

jdbc.driver

Description: Location of the driver when using Java Database Connectivity (JDBC) API to connect to a database.

Mandatory: When using JDBC API to connect to database.

Accepted Value: oracle.jdbc.driver.OracleDriver, for example

jdbc.url

Description: Takes a URL that points to the database.

Mandatory: When using JDBC API to connect to database.

Accepted Value: A list of comma-delimited URLs. The first is treated as primary and so on. For example, jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl

datasource.jndi.name

Description: Data source JNDI name if you want the PIP instance working through data source rather than directly through JDBC. The data source scenario is supported on WebLogic Server and WebSphere Application Server only.

Mandatory: If you want the PIP instance working through data source rather than directly through JDBC.

Accepted Value: JNDI name of pre-defined data source object


B.2.3 Configuring Individual Attributes for Predefined Attribute Retrievers

Table B-3 documents the parameters to be defined for each attribute retrieved by the configured Attribute Retriever. See Example B-9, "Enabling an Attribute's Cache" for a sample configuration.

Table B-3 Configure Attributes to be Retrieved

Name Usage

name

Description: The name of the attribute as defined in the policy store. When using the LDAP predefined Attribute Retriever, the attribute name defined for Oracle Entitlements Server must be the same as the attribute name defined in the LDAP store. Currently, there is no name mapping functionality.

Mandatory

Accepted Value: Attribute name

query

Description: The SQL command or LDAP filter used for the query. Users can use a built-in and custom attributes in the query string. For example, the built-in attribute sys_user can be used to define a query such as select age from customers where name=%sys_user%;. The token is automatically replaced by its value before sending the query to the data store. Bi-directional dependency (where, for example, AttributeA's query string contains AttributeB and AttributeB's query string contains AttributeA) can also be detected and, in such cases, an exception is thrown.

Mandatory

Accepted Value: SQL command or LDAP filter.

search.base

Description: The LDAP search base.

Mandatory: For LDAP only.

Accepted Value: The DN of the search base object.

ttl

Description: The time-to-live in seconds of any cached attribute values when cached is enabled.

Optional

Accepted Value: Any integer; default value is 60 seconds if cache is enabled.

cached

Description: Enables the caching of attribute values.

Optional

Accepted Value: Default value is false.

ootb.pip.attr.type

Description: Should be set to OOTB_PIP_ATTRIBUTE.

Mandatory

Accepted Value: OOTB_PIP_ATTRIBUTE.

ootb.pip.ref

Description: Should be set to an OOTB PIP instance.

Mandatory

Accepted Value: The PIP service instance name defined in the <serviceInstance> section of jps-config.xml


B.3 Modifying jps-config.xml

To configure the predefined Attribute Retriever in jps-config.xml, modify the elements as described in each example in this section. Example B-3 is a sample jps-config.xml file. The examples following it illustrate the modifications that can be made.

Example B-3 Sample jps-config.xml File

<?xml version="1.0"?>
 
<jpsConfig xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="
http://xmlns.oracle.com/oracleas/schema/jps-config-11_0.xsd">
 
   <property name="oracle.security.jps.jaas.mode" value="off"/>
   <property name="oracle.security.jps.enterprise.user.class" 
    value="weblogic.security.principal.WLSUserImpl"/>
   <property name="oracle.security.jps.enterprise.role.class" 
    value="weblogic.security.principal.WLSGroupImpl"/>
 
<propertySets>
<!-- These are the global authenticated role properties -->
  <propertySet name="authenticated.role.properties">
     <property name="authenticated.role.name" value="authenticated-role"/>
     <property name="authenticated.role.uniquename" value="authenticated-role"/>
     <property name="authenticated.role.description" 
        value="This is the authenticated role used by identity store 
        service instance."/>
  </propertySet>
 
<!-- attribute defined for ldap retriever -->
  <propertySet name="ootb.pip.attribute.age.ldap">
     <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
     <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
     <property name="name" value="oespipage"/>
     <property name="query" value="(cn=%SYS_USER%)"/>
     <property name="cached" value="true"/>
     <property name="ttl" value="60"/>
  </propertySet>
 
  <propertySet name="ootb.pip.attribute.age.based.on.myattr.ldap">
     <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
     <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
     <property name="name" value="oespipage_myattr"/>
     <property name="query" value="(cn=%MyAttr%)"/>
     <property name="cached" value="true"/>
     <property name="ttl" value="60"/>
  </propertySet>
 
  <propertySet name="ootb.pip.attribute.gender.ldap">
     <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
     <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
     <property name="name" value="oespipgender"/>
     <property name="query" value="(oespipage=%oespipage%)"/>
     <property name="cached" value="true"/>
     <property name="ttl" value="60"/>
  </propertySet>
 
<!-- attribute defined for rdbms retriever -->
  <propertySet name="ootb.pip.attribute.age.rdbms">
     <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
     <property name="ootb.pip.ref" value="pip.service.ootb.db"/>
     <property name="name" value="oespipage"/>
     <property name="query" value="select oespipage 
         from pip_info_store where username=%SYS_USER%"/>
     <property name="cached" value="true"/>
     <property name="ttl" value="60"/>
  </propertySet>
 
  <propertySet name="ootb.pip.attribute.age.based.on.myattr.rdbms">
     <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
     <property name="ootb.pip.ref" value="pip.service.ootb.db"/>
     <property name="name" value="oespipage_myattr"/>
     <property name="query" value="select oespipage 
         as oespipage_myattr from pip_info_store where username=%MyAttr%"/>
     <property name="cached" value="true"/>
     <property name="ttl" value="60"/>
  </propertySet>
 
  <propertySet name="ootb.pip.attribute.gender.rdbms">
     <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
     <property name="ootb.pip.ref" value="pip.service.ootb.db"/>
     <property name="name" value="oespipgender"/>
     <property name="query" value="select oespipgender 
          from pip_info_store where oespipage=%oespipage%"/>
      <property name="cached" value="true"/>
     <property name="ttl" value="60"/>
  </propertySet>
</propertySets>
 
<serviceProviders>
 
  <serviceProvider type="CREDENTIAL_STORE" name="credstoressp" 
       class="oracle.security.jps.internal.credstore.ssp.
              SspCredentialStoreProvider">
     <description>SecretStore-based CSF Provider</description>
  </serviceProvider>
 
  <serviceProvider class="oracle.security.jps.az.
        internal.runtime.provider.PIPServiceProvider" 
        name="pip.service.provider" type="PIP"/>
 
  <serviceProvider type="POLICY_STORE" name="policy.rdbms" 
        class="oracle.security.jps.internal.policystore.
        OPSSPolicyStoreProvider">
     <property name="policystore.type" value="DB_ORACLE"/>
     <description>DBMS based PolicyStore</description>
  </serviceProvider>
 
  <serviceProvider name="pdp.service.provider" type="PDP" 
         class="oracle.security.jps.az.internal.
         runtime.provider.PDPServiceProvider">
      <description>OPSS Runtime PDP Service Provider</description>
  </serviceProvider>
 
  <serviceProvider name="idstore.xml.provider" type="IDENTITY_STORE" 
         class="oracle.security.jps.internal.idstore.
         xml.XmlIdentityStoreProvider">
       <description>XML-based IdStore Provider</description>
  </serviceProvider>
 
  <serviceProvider name="jaas.login.provider" type="LOGIN" 
         class="oracle.security.jps.internal.
         login.jaas.JaasLoginServiceProvider">
       <description>This is Jaas Login Service Provider and is used 
         to configure login module service instances</description>
  </serviceProvider>
 
  <serviceProvider name="policy.xml" type="POLICY_STORE"
        class="oracle.security.jps.internal.
        policystore.xml.XmlPolicyStoreProvider">
     <description>XML-based PolicyStore</description>
</serviceProvider>
 
<serviceProvider type="POLICY_STORE" name="policy.oid"               
         class="oracle.security.jps.internal.
         policystore.ldap.LdapPolicyStoreProvider">
     <description>LDAP-based PolicyStore</description>
     <property name="policystore.type" value="OID"/>
     <property name="connection.pool.maxsize" value="30"/>
     <property name="connection.pool.provider.type" value="idmpool"/>
  </serviceProvider>
 
  <serviceProvider type="AUDIT" name="audit.provider" 
        class="oracle.security.jps.internal.audit.AuditProvider">
       <description>Audit Service</description>
  </serviceProvider>
</serviceProviders>
 
<serviceInstances>
 
  <serviceInstance name="credstore" provider="credstoressp" location="./">
          <description>File Based Credential Store Service Instance</description>
  </serviceInstance>
 
  <serviceInstance name="idstore.xml" provider="idstore.xml.provider">
<!-- Subscriber name must be defined for XML Identity Store -->
     <property name="subscriber.name" value="jazn.com"/>
<!-- This is the location of XML Identity Store -->
     <property name="location" value="./user-data.xml"/>
<!-- This property set defines the authenticated role -->
     <propertySetRef ref="authenticated.role.properties"/>
  </serviceInstance>
  <serviceInstance name="idstore.loginmodule" 
          provider="jaas.login.provider">
          <description>Identity Store Login Module</description>
     <property name="loginModuleClassName" value="oracle.security.jps.internal.
            jaas.module.idstore.IdStoreLoginModule"/>
     <property name="jaas.login.controlFlag" value="REQUIRED"/>
     <property name="debug" value="true"/>
     <property name="addAllRoles" value="true"/>
  </serviceInstance>
 
  <serviceInstance name="policystore.rdbms" provider="policy.rdbms">
        <property name="jdbc.url" 
           value="jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl"/>
        <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
        <property name="bootstrap.security.principal.key" value="keyname"/>
        <property name="bootstrap.security.principal.map" value="mapname"/>
        <property name="oracle.security.jps.ldap.root.name" 
           value="cn=jpsTestNode"/>
        <property name="oracle.security.jps.farm.name" 
           value="cn=wcai_view_jing.atzsrg"/>
  </serviceInstance>
 
  <serviceInstance name="policystore.rdbms.ds" provider="policy.rdbms">
     <property name="oracle.security.jps.ldap.root.name" 
         value="cn=jpsTestNode"/>
     <property name="oracle.security.jps.farm.name" 
         value="cn=wcai_view_jing.atzsrg"/>
     <property value="atzsrgds" name="datasource.jndi.name"/>
  </serviceInstance>
 
  <serviceInstance name="pdp.service" provider="pdp.service.provider">
     <property name="oracle.security.jps.runtime.pd.client.sm_name" 
           value="${atzsrg.pdp.configuration_id}"/>
     <property name="oracle.security.jps.pdp.
           AuthorizationDecisionCacheEnabled" value="true"/>
     <property name="oracle.security.jps.pdp.
           AuthorizationDecisionCacheEvictionCapacity" value="500"/>
     <property name="oracle.security.jps.pdp.
           AuthorizationDecisionCacheEvictionPercentage" value="10"/>
     <property name="oracle.security.jps.pdp.
           AuthorizationDecisionCacheTTL" value="60"/>
     <property name="oracle.security.jps.ldap.
           policystore.refresh.interval" value="30000"/>
     <property name="oracle.security.jps.policystore.
           refresh.purge.timeout" value="600000"/> <!-- 10 minutes -->
     <property name="loading_attribute_backward_compatible" value="false"/>
<!-- Properties for controlled mode PD -->
     <property name="oracle.security.jps.runtime.
           pd.client.policyDistributionMode" value="non-controlled"/>
     <property name="oracle.security.jps.runtime.
           instance.name" value="${atzsrg.pdp.instance_name}"/>
  </serviceInstance>
 
  <serviceInstance name="policystore.oid" provider="policy.oid">
    <property name="max.search.filter.length" value="4096"/>
    <property name="bootstrap.security.principal.key" value="keyname"/>
    <property name="bootstrap.security.principal.map" value="mapname"/>
    <property name="ldap.url" value="ldap://scl58126.domainexample.com:3060"/>
    <property name="oracle.security.jps.ldap.root.name" 
       value="cn=jpsTestNode"/>
    <property name="oracle.security.jps.farm.name" 
       value="cn=wcai_view_jing.atzsrg"/>
    <property name="oracle.security.jps.policystore.resourcetypeenforcementmode" 
       value="Lenient"/>
  </serviceInstance>
 
  <serviceInstance name="policystore.xml" provider="policy.xml" 
              location="./system-jazn-data.xml"/>
 
  <serviceInstance name="user.authentication.loginmodule" 
              provider="jaas.login.provider">
         <description>User Authentication Login Module</description>
         <property name="loginModuleClassName" 
              value="oracle.security.jps.internal.
              jaas.module.authentication.JpsUserAuthenticationLoginModule"/>
         <property name="jaas.login.controlFlag" value="REQUIRED"/>
  </serviceInstance>
 
  <serviceInstance name="user.assertion.loginmodule" 
              provider="jaas.login.provider">
         <description>User Assertion Login Module</description>
         <property name="loginModuleClassName" 
              value="oracle.security.jps.internal.
              jaas.module.assertion.JpsUserAssertionLoginModule"/>
         <property name="jaas.login.controlFlag" value="REQUIRED"/>
  </serviceInstance>
 
  <serviceInstance name="pip.service.ootb.ldap" provider="pip.service.provider">
         <property name="type" value="LDAP_PIP"/>
         <property name="ldap.url" 
              value="ldap://scl58126.domainexample.com:3060"/>
         <property name="bootstrap.security.principal.key" value="keyname"/>
         <property name="bootstrap.security.principal.map" value="mapname"/>
         <property name="search.base" value="cn=pip_info_store,
              cn=wcai_view_jing.atzsrg,cn=JPSContext,cn=jpsTestNode"/>
         <property name="failed.server.retry.interval" value="10"/>
 </serviceInstance>
<!-- JPS Audit Service Instance-->
 <serviceInstance name="audit" provider="audit.provider">
         <property name="audit.filterPreset" value="None"/>
         <property name="audit.maxDirSize" value ="0"/>
         <property name="audit.maxFileSize" value ="104857600"/>
         <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
         <property name="audit.loader.interval" value="15" />
         <property name="audit.loader.repositoryType" value="File" />
 </serviceInstance>
 
 <serviceInstance name="pip.service.ootb.db" provider="pip.service.provider">
         <property name="type" value="RDBMS_PIP"/>
         <property name="jdbc.url" 
              value="jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl"/>
         <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
         <property name="bootstrap.security.principal.key" value="keyname"/>
         <property name="bootstrap.security.principal.map" value="mapname"/>
         <property name="failed.server.retry.interval" value="10"/>
 </serviceInstance>
 
 <serviceInstance name="pip.service.ootb.db.ds" provider="pip.service.provider">
         <property name="type" value="RDBMS_PIP"/>
         <property value="atzsrgds" name="datasource.jndi.name"/>
         <property name="failed.server.retry.interval" value="10"/>
 </serviceInstance>
 
</serviceInstances>
 
    <jpsContexts default="default">
        <jpsContext name="default">
            <serviceInstanceRef ref="policystore.oid"/>
            <serviceInstanceRef ref="pdp.service"/>
            <serviceInstanceRef ref="audit"/>
            <serviceInstanceRef ref="idstore.xml"/>
            <serviceInstanceRef ref="idstore.loginmodule"/>
            <serviceInstanceRef ref="pip.service.ootb.ldap"/>
            <serviceInstanceRef ref="pip.service.ootb.db"/>
        </jpsContext>
        <jpsContext name="smsec">
            <serviceInstanceRef ref="credstore"/>
        </jpsContext>
 
    </jpsContexts>
 
</jpsConfig>

Example B-4 illustrates how the serviceProvider element defines the use of a predefined Attribute Retriever by defining the internal Oracle Entitlements Server class.

Example B-4 Declaring the Predefined Attribute Retriever

<serviceProvider 
  class="oracle.security.jps.az.internal.runtime.provider.PIPServiceProvider" 
  name="pip.service.provider" type="PIP"/>

The following examples illustrate how to modify the serviceInstance element for the predefined Attribute Retriever being used.

Example B-5 illustrates how to modify the serviceInstance element when using the predefined LDAP Attribute Retriever.

Example B-5 Using the Predefined LDAP Attribute Retriever

<serviceInstance name="pip.service.ootb.ldap" provider="pip.service.provider">
   <property name="type" value="RDBMS_PIP"/>
   <property name="ldap.url" value="ldap://dadvmg0065.domainexample.com:3080"/>
   <property name="bootstrap.security.principal.key" value="keyname"/>
   <property name="bootstrap.security.principal.map" value="mapname"/>
   <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>

The following two examples illustrate how to modify the serviceInstance element when using the predefined RDBMS Attribute Retriever. Example B-6 is when using Java Database Connectivity (JDBC) API.

Example B-6 Using the Predefined RDBMS Attribute Retriever with JDBC

<serviceInstance name="pip.service.ootb.db" provider="pip.service.provider">
    <property name="type" value="RDBMS_PIP"/>
    <property name="jdbc.url" 
     value="jdbc:oracle:thin:@scl58116.domainexample.com:1521:orcl"/>
    <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
    <property name="bootstrap.security.principal.map" value="mapname"/>
    <property name="bootstrap.security.principal.key" value="keyname"/>
    <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>

Example B-7 is when using a SQL database.

Example B-7 Using the Predefined RDBMS Attribute Retriever with SQL

<serviceInstance name="pip.service.ootb.db" provider="pip.service.provider">
    <property name="type" value="RDBMS_PIP"/>
    <property name="datasource.jndi.name" value="DB_RAC"/>
    <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>

Example B-8 illustrates how to declare the predefined Attribute Retriever reference in the jpsContext element. This sample defines a predefined RDBMS Attribute Retriever.

Example B-8 Declaring the Predefined Attribute Retriever in jpsContext

<jpsContext name="default">
       <serviceInstanceRef ref="policystore.db"/>
       <serviceInstanceRef ref="pdp.service"/>
       <serviceInstanceRef ref="audit"/>
       <serviceInstanceRef ref="idstore.xml"/>
       <serviceInstanceRef ref="idstore.loginmodule"/>
       <serviceInstanceRef ref="pip.service.ootb.db"/>
</jpsContext>

Example B-9 illustrates how to configure the caching of a specific attribute value. Caching is enabled per attribute. In this example, the cache record is deleted after 60 seconds.

Example B-9 Enabling an Attribute's Cache

<propertySet name="ootb.pip.attribute.gender.ldap">
        <property name="ootb.pip.attr.type" value="OOTB_PIP_ATTRIBUTE"/>
        <property name="ootb.pip.ref" value="pip.service.ootb.ldap"/>
        <property name="name" value="oespipgender"/>
        <property name="query" value="(oespipage=%oespipage%)"/>
        <property name="cached" value="true"/>
        <property name="ttl" value="60"/>
</propertySet>

Example B-10 illustrates how to configure the failover behavior. In this example, the primary connection is ldap://dadvmg0065:3080 and the backup connection is ldap://scl58123:3060. The failed server retry interval is 10 seconds.

Example B-10 Configuring LDAP Failover

<serviceInstance name="pip.service.ootb.ldap" provider="pip.service.provider">
      <property name="type" value="LDAP_PIP"/>
      <property name="ldap.url" 
         value="ldap://dadvmg0065:3080,ldap://scl58123:3060"/>
      <property name="bootstrap.security.principal.key" value="keyname"/>
      <property name="bootstrap.security.principal.map" value="mapname"/>
      <property name="failed.server.retry.interval" value="10"/>
</serviceInstance>

B.4 Setting Up PIP Connection Credentials

As documented in Table B-1, "LDAP Attribute Retriever Parameters" and Table B-2, "RDBMS Attribute Retriever Parameters", the bootstrap.security.principal.key and bootstrap.security.principal.map parameters define the key and the map (respectively) to access the data store. Oracle Entitlements Server ships with oesPassword.sh which sets these LDAP and database connection credentials in the bootstrap credential store. The tool is located in the $OES_SM_INSTANCE_DIRECTORY/bin/ directory. Use the following command to run it.

./oesPassword.sh -setpass

It prompts for the security principal key name, the security principal map name, the username and associated password.

B.5 Updating the Database Password

For security reasons, the passwords configured for databases are periodically changed; thus, the Oracle Entitlements Server components (Administration Server and Security Modules) will need to be updated with the new password. The following information documents how this can be done.