Skip Headers
Oracle® Fusion Middleware Administrator's Guide for Oracle Entitlements Server
11g Release 2 (11.1.2)

Part Number E27153-03
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Index
Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

A Installation and Configuration Parameters

This Appendix lists the parameters and accepted values that may be defined for Oracle Entitlements Server services using jps-config.xml, the configuration file used by Java EE containers. It is located in the $DOMAIN_HOME/config/fmwconfig directory. This Appendix is comprised of the following sections:

A.1 Policy Distribution Configuration

The Policy Distribution Component is responsible for distributing policy objects and policies from the policy store to one or more Security Modules. It can distribute in a controlled-push mode, a controlled-pull mode, a non-controlled mode, or a mixed mode. Each mode entails different configurations.

A.1.1 Policy Distribution Component Server Configuration

Typically, configuration for the Policy Distribution Component to fetch policies and policy objects (in a scenario when it runs within Oracle Entitlements Server) is associated with the Policy Store configuration in the jps-config.xml file. Only in cases when data is pulled in a controlled manner (controlled-pull mode) is the Policy Distribution Component associated with the PDP Service configuration on the Security Module side. Table A-1 contains the configuration parameters.

Table A-1 Policy Distribution Server Configuration

Parameter Name Information Console Name

oracle.security.jps.pd.server.transactionalScope

Defines the scope of the policy distribution as either to one Security Module or to all Security Modules. If distribution fails when it involves only one Security Module, it does not affect distributions to other Security Modules.

Optional

Accepted Values: All (default), One

none

oracle.security.jps.register.waiting.interval

Defines the amount of time to delay policy distribution after a request for registration is received.

Optional

Accepted Values: time in seconds (default value is 0)

none


A.1.2 Policy Distribution Component Client Configuration

The Policy Distribution Component client is responsible for making policies available to the Security Module. Thus, the Policy Distribution Client configuration is always associated with the PDP Service configuration portion of the jps-config.xml file on the Security Module side. Configuration is different depending on the mode of distribution and the environment in which the Security Module is running. The following sections contain descriptions of the applicable configuration parameters.

A.1.2.1 Policy Distribution Component Client Java Standard Edition Configuration (Controlled Push Mode)

Table A-2 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Standard Edition (JSE) environment and is configured to distribute data in the controlled-push mode.

Table A-2 Policy Distribution Client Configuration, JSE, Controlled Push Mode

Parameter Name Information Console Name

oracle.security.jps.runtime.pd.client.policyDistributionMode

Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.

Mandatory

Accepted Value: controlled-push

Policy Distribution Mode

oracle.security.jps.runtime.pd.client.sm_name

Defines the name of the Security Module.

Mandatory

Accepted Value: Name of the Security Module

SM Name

oracle.security.jps.runtime.pd.client.localpolicy.work_folder

Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a sub directory under the specified or default work folder which will be used as the actual work folder.

Optional

Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder

oracle.security.jps.runtime.pd.client.incrementalDistribution

Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.

Optional

Accepted Values:

  • false (policy distribution is flush for this Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution

oracle.security.jps.runtime.pd.client.registrationRetryInterval

When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful.

Optional

Accepted Value: time in seconds (default value is 5)

Registration Retry Interval

oracle.security.jps.runtime.policyDistributionWaitTime

If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.

Optional

Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)

oracle.security.jps.runtime.pd.client.RegistrationServerURL

Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts.

Mandatory

Accepted Value: URL

Registration Server URL

oracle.security.jps.runtime.pd.client.backupRegistrationServerURL

Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable.

Optional (although if not configured Oracle Entitlements Server failover will not work)

Accepted Value: URL

Backup Registration Server URL

oracle.security.jps.runtime.pd.client.DistributionServicePort

Defines the port to which a remote Policy Distributor will push policy updates.

Mandatory

Accepted Value: port number

Distribution Service Port

oracle.security.jps.pd.client.sslMode

Defines whether communication between the Policy Distribution Component server and client will use the Secure Sockets Layer (SSL) protocol or not.

Mandatory

Accepted Values: none, two-way (default value)

SSL Mode

oracle.security.jps.pd.client.ssl.identityKeyStoreFileName

Defines the name of the Identity Key Store file in which client certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component.

Mandatory

Accepted Value: the name of the keystore file

SSL Identity Key Store File Name

oracle.security.jps.pd.client.ssl.trustKeyStoreFileName

Defines the name of the Trust Key Store file where Certificate Authority (CA) certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component.

Mandatory

Accepted Value: the name of the identity key store file

SSL Trust Key Store File Name

oracle.security.jps.pd.client.ssl.identityKeyStoreKeyAlias

Defines an Identity Key alias to identify the client certificate used for SSL communication between the Security Module and the Policy Distribution Component.

Optional (if only one alias exists in the identity keystore there is no need to specify this value)

Accepted Value: the identity key alias

SSL Identity Key Store Key Alias

oracle.security.jps.runtime.pd.client.SMinstanceType

Defines the type of Security Module to which the Policy Distribution Component client is connecting.

Mandatory

Accepted Value: java (Other accepted values include wls, RMI and ws. Because this table covers the Java Security Module only, the value must be java.)

Configured during OES Client installation only.

oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName

Defines which JCE provider will be used.

Optional

Accepted Values: SunJCE, JsafeJCE; no default value is defined. The value is case-sensitive. If no value is provided, the default JDK provider is used.

 

oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength

Defines the key length used for the Cipher class available from the specified JCE provider.

Optional

Accepted Values: 128, 192, 256; default value is 128.

 

oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding

Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding

Optional

Accepted Values: default value is AES/CBC/PKCS5Padding; others include AES/CBC/PKCS5Padding or AES/GCM/NoPadding.

 

A.1.2.2 Policy Distribution Component Client Java Enterprise Edition Container Configuration (Controlled Push Mode)

Table A-3 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Enterprise Edition (JEE) environment and is configured to distribute data in the controlled-push mode.

Table A-3 Policy Distribution Client Configuration, JEE, Controlled Push Mode

Parameter Name Information Console Name

oracle.security.jps.runtime.pd.client.policyDistributionMode

Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.

Mandatory

Accepted Value: controlled-push

Policy Distribution Mode

oracle.security.jps.runtime.pd.client.sm_name

Defines the name of the Security Module.

Mandatory

Accepted Value: Name of the Security Module

SM Name

oracle.security.jps.runtime.pd.client.localpolicy.work_folder

Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a sub directory under the specified or default work folder which will be used as the actual work folder.

Optional

Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder

oracle.security.jps.runtime.pd.client.incrementalDistribution

Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.

Optional

Accepted Values:

  • false (policy distribution is flush for this Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution

oracle.security.jps.runtime.pd.client.registrationRetryInterval

When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful.

Optional

Accepted Value: time in seconds (default value is 5)

Registration Retry Interval (seconds)

oracle.security.jps.runtime.policyDistributionWaitTime

If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.

Optional

Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)

oracle.security.jps.runtime.pd.client.RegistrationServerURL

Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts.

Mandatory

Accepted Value: URL

Registration Server URL

oracle.security.jps.runtime.pd.client.backupRegistrationServerURL

Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable.

Optional (although if not configured Oracle Entitlements Server failover will not work)

Accepted Value: URL

Backup Registration Server URL

oracle.security.jps.runtime.pd.client.SMinstanceType

Defines the type of Security Module to which the Policy Distribution Component client is connecting.

Mandatory

Accepted Values:

  • was

  • wls

Configured during OES Client installation only.

oracle.security.jps.runtime.pd.client.DistributionServiceURL

Defines the URL to which the remote Policy Distributor will push policy updates.

Mandatory

Accepted Values: URL

 

oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName

Defines which JCE provider will be used. It is optional and case sensitive.

Optional

Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used.

 

oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength

Defines the key length used for the Cipher class available from the specified JCE provider.

Optional

Accepted Values: 128, 192, 256; default value is 128.

 

oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding

Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding

Optional

Accepted Values: default value is AES/CBC/PKCS5Padding; others include AES/CBC/PKCS5Padding or AES/GCM/NoPadding.

 

A.1.2.3 Policy Distribution Client Configuration (Controlled Pull Mode)

Table A-4 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the controlled-pull mode.

Table A-4 Policy Distribution Client Configuration, Controlled Pull Mode

Parameter Name Information Console Name

oracle.security.jps.runtime.pd.client.policyDistributionMode

Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.

Mandatory

Accepted Value: controlled-pull

Policy Distribution Mode

oracle.security.jps.runtime.pd.client.sm_name

Defines the name of the Security Module.

Mandatory

Accepted Value: the name of the Security Module

SM Name

oracle.security.jps.runtime.pd.client.localpolicy.work_folder

Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a sub directory under the specified or default work folder which will be used as the actual work folder.

Optional

Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder

oracle.security.jps.runtime.pd.client.incrementalDistribution

Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.

Optional

Accepted Values:

  • false (policy distribution is flush for the Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution

oracle.security.jps.runtime.policyDistributionWaitTime

If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.

Optional

Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)

oracle.security.jps.pd.client.PollingTimerEnabled

Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling for environment when policies are not expected to be modified.

Optional

Accepted Values:

  • false

  • true (default value)

 

oracle.security.jps.pd.client.PollingTimerInterval

Defines the interval of time in which the Policy Distribution Component will check for policy data changes.

Optional

Accepted Value: time in seconds (default value of 600)

 

oracle.security.jps.ldap.root.name

Defines the top (root) entry of the LDAP policy store directory information tree (DIT).

Mandatory

Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT)

LDAP Root Name

oracle.security.jps.farm.name

Defines the RDN format of the domain node in the LDAP policy store.

Mandatory

Accepted Value: name of the domain

Farm Name

jdbc.url

Takes a URL that points to the database.

Mandatory (if using Java Database Connectivity API to connect to policy store)

Accepted Value: URL

JDBC URL

jdbc.driver

Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database.

Mandatory

Accepted Value: driver

JDBC Driver

datasource.jndi.name

The JNDI name of the JDBC data source instance. The instance may correspond to a single source or multi-source datasource. Valid in only JEE applications. Applies only to database stores.

Mandatory

Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.

Datasource JNDI Name

security.principal

The name of the user with access rights to the database.

Mandatory

Accepted Value: Database user name

 

security.credential

The password of the user with access rights to the database.

Optional

Accepted Value: Password associated with the database user in clear text; instead of storing the password in clear text, use bootstrap.security.principal.map.

 

bootstrap.security.principal.key

The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store.

Mandatory

Accepted Value: CSF credential key

Bootstrap Security Principal Key

bootstrap.security.principal.map

The map for the password credentials to access the policy store. Credentials are stored in the CSF store.

Mandatory

Accepted Value: name of the CSF credential map

Bootstrap Security Principal Map

oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName

Defines which JCE provider will be used. It is optional and case sensitive.

Optional

Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used.

 

oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength

Defines the key length used for the Cipher class available from the specified JCE provider.

Optional

Accepted Values: 128, 192, 256; default value is 128.

 

oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding

Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding

Optional

Accepted Values: default value is AES/CBC/PKCS5Padding; others include AES/CBC/PKCS5Padding or AES/GCM/NoPadding.

 

A.1.2.4 Policy Distribution Client Configuration (Non-controlled Mode)

Table A-5 compiles the parameters for Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the non-controlled mode.

Table A-5 Policy Distribution Client Configuration, Non-controlled Mode

Parameter Name Information Console Name

oracle.security.jps.runtime.pd.client.policyDistributionMode

Specifies the mode of policy distribution. Non-controlled distribution is when the Security Module periodically retrieves policy data from a policy store (or from a component that serves as an intermediary between the two).

Optional

Accepted Value: non-controlled (default value)

Policy Distribution Mode


A.1.2.5 Policy Distribution Client Configuration (Mixed Mode)

Table A-4 compiles the parameters for the Policy Distribution Component client configuration when the PDP is running in either a JEE or a JSE environment and is configured to distribute data in mixed mode. Mixed mode is a distribution combination of controlled-pull and uncontrolled mode.

Table A-6 Policy Distribution Client Configuration, Mixed Mode

Parameter Name Information Console Name

oracle.security.jps.runtime.pd.client.policyDistributionMode

Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.

Mandatory

Accepted Value: mixed

Policy Distribution Mode

oracle.security.jps.runtime.pd.client.sm_name

Defines the name of the Security Module.

Mandatory

Accepted Value: the name of the Security Module

SM Name

oracle.security.jps.runtime.pd.client.localpolicy.work_folder

Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a sub directory under the specified or default work folder which will be used as the actual work folder.

Optional

Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder

oracle.security.jps.runtime.pd.client.incrementalDistribution

Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.

Optional

Accepted Values:

  • false (policy distribution is flush for the Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution

oracle.security.jps.runtime.policyDistributionWaitTime

If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.

Optional

Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)

oracle.security.jps.pd.client.PollingTimerEnabled

Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling for environment when policies are not expected to be modified.

Optional

Accepted Values:

  • false

  • true (default value)

Polling Timer

oracle.security.jps.pd.client.PollingTimerInterval

Defines the interval of time in which the Policy Distribution Component will check for policy data changes.

Optional

Accepted Value: time in seconds (default value of 600)

Polling Timer Interval

oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName

Defines which JCE provider will be used. It is optional and case sensitive.

Optional

Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used.

N/A

oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength

Defines the key length used for the Cipher class available from the specified JCE provider.

Optional

Accepted Values: 128, 192, 256; default value is 128.

N/A

oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding

Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding

Optional

Accepted Values: default value is AES/CBC/PKCS5Padding; others include AES/CBC/PKCS5Padding or AES/GCM/NoPadding.

N/A

In Mixed Mode, the following nine properties should be configured for the Policy Store and not the Security Module. See Section A.4, "Policy Store Service Configuration."

oracle.security.jps.ldap.root.name

Defines the top (root) entry of the LDAP policy store directory information tree (DIT).

Mandatory

Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT)

LDAP Root Name

oracle.security.jps.farm.name

Defines the RDN format of the domain node in the LDAP policy store.

Mandatory

Accepted Value: name of the domain

Farm Name

jdbc.url

Takes a URL that points to the database.

Mandatory (if using Java Database Connectivity API to connect to policy store)

Accepted Value: URL

JDBC URL

jdbc.driver

Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database.

Mandatory

Accepted Value: driver

JDBC Driver

datasource.jndi.name

The JNDI name of the JDBC data source instance. The instance may correspond to a single source or multi-source datasource. Valid in only JEE applications. Applies only to database stores.

Mandatory

Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.

Datasource JNDI Name

security.principal

The name of the user with access rights to the database.

Mandatory

Accepted Value: Database user name

Username

security.credential

The password of the user with access rights to the database.

Mandatory

Accepted Value: Password associated with the database user

Password

bootstrap.security.principal.key

The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store.

Mandatory

Accepted Value: CSF credential key

Bootstrap Security Principal Key

bootstrap.security.principal.map

The map for the password credentials to access the policy store. Credentials are stored in the CSF store.

Mandatory

Accepted Value: name of the CSF credential map

Bootstrap Security Principal Map


A.2 Security Module Configuration

This section covers the configurations for the various types of Security Modules and their proxy clients.

A.2.1 Java Security Module

Table A-7 compiles the parameters to configure the Java Security Module embedded in either a JSE or a JEE container.

Table A-7 Java Security Module Configuration Parameters

Parameter Name Information Console Name

oracle.security.jps.policystore.rolemember.cache.type

Defines the role member cache type. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values

  • SOFT (cleaning of a cache of this type relies on the garbage collector when there is a memory crunch)

  • WEAK (behavior of a cache of this type is similar to a cache of type SOFT but the garbage collector cleans it more frequently)

  • STATIC (default value; cache objects are statically cached and can be cleaned explicitly only according to the applied cache strategy, such as FIFO; the garbage collector does not clean a cache of this type)

Rolemember Cache Type

oracle.security.jps.policystore.rolemember.cache.strategy

Defines the type of strategy used in the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values

  • NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small)

  • FIFO (default value; the cache implements the first-in-first-out strategy)

Rolemember Cache Strategy

oracle.security.jps.policystore.rolemember.cache.size

Defines the number of roles kept in the role member cache. Valid in J2EE and J2SE application. Applies to LDAP and database stores.

Optional

Accepted Value: number (default value is 1000)

Rolemember Cache Size

oracle.security.jps.policystore.rolemember.cache.warmup.enable

Controls the way the Application Role membership cache is created. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values

  • true (the cache is created at server startup; use when the number of users and groups is significantly higher than the number of Application Roles)

  • false (default value; the cache is created on demand - lazy loading; use when the number of Application Roles is very high)

Rolemember Cache Warmup Enable

oracle.security.jps.policystore.policy.lazy.load.enable

Enables or disables the policy lazy load. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values

  • false

  • true (default value)

Policy Lazy Load Enable

oracle.security.jps.policystore.policy.cache.strategy

Defines the type of strategy used in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values

  • NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.)

  • PERMISSION_FIFO (default value; the cache implements the first-in-first-out strategy)

Policy Cache Strategy

oracle.security.jps.policystore.policy.cache.size

Defines the number of permissions kept in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Value: number (default value is 1000)

Policy Cache Size

oracle.security.jps.policystore.cache.updateable

Defines whether the policy cache is incrementally updated for management operations on policy data.

Optional

Accepted Values

  • false

  • true (default value)

Policy Cache Updatable

oracle.security.jps.policystore.refresh.enable

Enables or disables the policy store refresh. If this property is set, oracle.security.jps.ldap.cache.enable cannot be set. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Values:

  • false

  • true (default value)

Refresh Enable

oracle.security.jps.policystore.refresh.purge.timeout

Defines the time in milliseconds after which the policy store cache is purged. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Value: time in milliseconds; default value is 43200000 which equals 12 hours

Refresh Purge Timeout (milliseconds)

oracle.security.jps.ldap.policystore.refresh.interval

Defines the interval of time in which the policy store is polled for changes. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.

Optional

Accepted Value: time in milliseconds; default value is 600000 which equals 10 minutes

Refresh Purge Interval (milliseconds)

oracle.security.jps.pdp.missingAppPolicyQueryTTL

Defines the interval of time to avoid frequently querying a non-exist Application (ApplicationPolicy) object.

Optional

Accepted Value: time to live in milliseconds (default value is 60000)

Missing App Policy Query TTL

oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled

Specifies whether the authorization cache should be enabled. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Values

  • false

  • true (default value)

Decision Cache Enabled

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity

Defines the maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Value: number (default value is 500)

Decision Cache Eviction Capacity

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage

Defines the percentage of sessions to drop when the eviction capacity is reached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Value: number (default value is 10)

Decision Cache Eviction Percentage

oracle.security.jps.pdp.AuthorizationDecisionCacheTTL

Defines the number of seconds during which session data is cached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.

Optional

Accepted Value: time in seconds (default value is 60)

Decision Cache TTL (seconds)

oracle.security.jps.pdp.anonymousrole.enable

Specifies whether anonymous role has to be added to anonymous subject for policy matching.

Optional

Accepted Values

  • false

  • true (default value)

Anonymous Role Enable

oracle.security.jps.pdp.authenticatedrole.enable

Specifies whether authenticated role has to be added to authenticated subject for policy matching.

Optional

Accepted Values

  • false

  • true (default value)

Authenticated Role Enable

oracle.security.jps.pdp.ComputeAppRolesOnceOnBulkAtz

Specifies whether Application Roles should be computed only once within a single bulk authorization call. For example, if a client calls the checkBulkAuthorization() method and passes ten resources to it, the roles will be calculated once if the value is true or once for every individual resource (ten times) if the parameter is false.

Optional

Accepted Values

  • false

  • true (default value)

 

oracle.security.jps.pdp.AuthorizationPerUserDecisionCacheSize

Specifies the maximum number of authorization decisions cached for each Subject; if the second level decision cache size reaches this size, decisions are evicted from the cache.

Optional

Accepted Value: number of decisions (default value is 1000)

 

A.2.2 Web Services Security Module

Table A-8 compiles the parameters to configure the Web Services Security Module embedded in either a JSE or a JEE container.

Table A-8 Web Services Security Module Configuration Parameters

Parameter Name Information Console Name

oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber

Defines the port on which the Web Services Security Module listens.

Mandatory

Accepted Value: port number

 

oracle.security.jps.pdp.wssm.WSServiceRegistryHost

Defines the name of the server on which the Web Services Security Module is running.

Optional

Accepted Value: server name (default value is localhost)

 

oracle.security.jps.pdp.wssm.Protocol

Defines the transport protocol used between the Policy Distribution Component client and server.

Optional

Accepted Values

  • https

  • http (default value)

 

oracle.security.jps.pdp.sm.IdentityCacheEnabled

Specifies whether the identity cache is being used. If not set, no identity cache is used by default.

Optional

Accepted Value: true/false

 

oracle.security.jps.pdp.sm.IdentityMaxCacheSize

Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed.

Optional

Accepted Value: number

 

oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage

Specifies percentage of identities that must be evicted when cache has reached the maximum size.

Optional

Accepted Value: number indicating percentage

 

oracle.security.jps.pdp.sm.IdentityCachedEntryTTL

Specifies time-to-live of an identity cache record.

Optional

Accepted Value: time in seconds

 

oracle.security.jps.pdp.wssm.responseContext

Specifies whether to merge data from many AppContext responses into a single AppContext response.

Optional

Accepted Values

  • Merged

  • Unmerged (default value)

 

oracle.security.jps.pdp.wssm.ssl.identityKeyStoreFileName

Defines the name of the Identity Key Store file where client certificates are stored for the Web Services Security Module. Used for SSL communications between the remote client and the Web Services Security Module.

Optional

Accepted Value: name of the Identity Key Store file

 

oracle.security.jps.pdp.wssm.ssl.trustKeyStoreFileName

Defines the name of the Trust Key Store file in which CA certificates are stored. Used for SSL communications between the remote client and the Web Services Security Module.

Optional

Accepted Value: name of the Trust Key Store file

 

oracle.security.jps.pdp.wssm.ssl.identityKeyStoreKeyAlias

Specifies the Identity Key alias used to identify the Web Services Security Module client certificate used for SSL communication between the Web Services Security Module and the remote client.Acepted value: Idenity key alias

Optional

Accepted Value: Identity Key alias

 

oracle.security.jps.pdp.wssm.WSLoggingSoapHandlerEnabled

Enables the Web Services Security Module's EnvelopLoggingSOAPHandler, the web service SOAP message handler for logging.

Optional

Accepted Values

  • true

  • false (default value)

 

A.2.3 Web Services Security Module on WebLogic Server

Table A-9 compiles the parameters to configure the Web Services Security Module on a WebLogic Server.

Table A-9 Web Services Security Module on WebLogic Configuration Parameters

Parameter Name Information Console Name

oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber

Defines the port on which the Web Services Security Module listens.

Mandatory

Accepted Value: port number

 

oracle.security.jps.pdp.wssm.WSServiceRegistryHost

Defines the name of the server on which the Web Services Security Module is running.

Optional

Accepted Value: server name (default value is localhost)

 

oracle.security.jps.pdp.wssm.Protocol

Defines the transport protocol used between the Policy Distribution Component client and server.

Optional

Accepted Values

  • https

  • http (default value)

 

oracle.security.jps.pdp.wssm.WSServiceRegistryContextName

Specifies the context name for the Web service deployed on the WebLogic Server cache is being used. If not set, no identity cache is used by default.

Mandatory

Accepted Value: Ssmws

 

oracle.security.jps.pdp.sm.IdentityCacheEnabled

Specifies whether the identity cache is enabled. Enabled by default.

Optional

Accepted Value: true (default)/false

 

oracle.security.jps.pdp.sm.IdentityMaxCacheSize

Specifies the maximum size of the identity cache.

Optional

Accepted Value: number indicating size; default value is 20000

 

oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage

Specifies the percentage of identities that will be removed when the identity cache has reached its maximum size.

Optional

Accepted Value: 20 percent

 

oracle.security.jps.pdp.sm.IdentityCachedEntryTTL

Specifies the time-to-live (TTL) in seconds for an identity record in the identity cache.

Optional

Accepted Value: 3600 seconds (default)

 

oracle.security.jps.pdp.wssm.responseContext

Specifies whether the AppContext is returned as a single response or a merged set of data from all the AppContext responses.

Optional

Accepted Value: Merged/Unmerged (default)

 

oracle.security.jps.pdp.wssm.WSLoggingSoapHandlerEnabled

Enables the Web Services Security Module's EnvelopLoggingSOAPHandler, the web service SOAP message handler for logging.

Optional

Accepted Values

  • true

  • false (default value)

 

A.2.4 RMI Security Module

Table A-10 compiles the parameters to configure the RMI Security Module embedded in either a JSE or a JEE container.

Note:

Currently this configuration is for a standalone deployment. We need to add the Container based configuration later.

Table A-10 RMI Security Module Configuration Parameters

Parameter Name Information Console Name

oracle.security.jps.pdp.rmism.RMIRegistryPortNumber

Defines the port on which the RMI Security Module listens to the RMI server.

Mandatory

Accepted Value: port number.

 

oracle.security.jps.pdp.rmism.UseSSL

Defines whether the SSL protocol is used for secure communication between the RMI Security Module and RMI server.

Optional

Accepted Values

  • true

  • false (default)

 

oracle.security.jps.pdp.sm.IdentityCacheEnabled

Specifies whether the identity cache is being used. If not set, no identity cache is used by default.

Optional

Accepted Value: true/false

 

oracle.security.jps.pdp.sm.IdentityMaxCacheSize

Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed.

Optional

Accepted Value: number

 

oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage

Specifies percentage of identities that must be evicted when cache has reached the maximum size.

Optional

Accepted Value: number representing percentage

 

oracle.security.jps.pdp.sm.IdentityCachedEntryTTL

Specifies the time-to-live of an identity cache record.

Optional

Accepted Value: time in seconds

 

A.2.5 WebLogic Server Security Module

Table A-11 compiles the parameters to configure the WebLogic Server (WLS) Security Module embedded in a JEE container. These parameters are used only when the WLS Security Module is configured to be used as a PEP.

Table A-11 WebLogic Server Security Module Configuration Parameters

Parameter Name Information Console Name

UndefinedApplicationEffect

Specifies the effect (GRANT, DENY) that the provider must return if an application is not defined in the policy store.

Optional

Accepted Values

  • permit (default)

  • abstain

  • deny

Set in the WebLogic Server Administration Console; values are saved to config.xml in the WebLogic domain

NoApplicablePolicyEffect

Specifies the effect that the provider has to return if no applicable policies have been found.

Optional

Accepted Values

  • deny (default value represents a closed system)

  • abstain

  • permit (represents an open system)

Set in the WebLogic Server Administration Console; values are saved to config.xml in the WebLogic domain


A.2.6 WebLogic Server Security Module Discovery Mode

Table A-12 compiles the parameters to enable Discovery Mode. See Section 9.4.2, "Discovering WebLogic Server Resources" for more information.

Table A-12 WebLogic Server Discovery Mode Parameters

Parameter Name Information Console Name

oracle.security.jps.discoveryMode

By default, Discovery Mode is off.

Optional

Accepted Values

  • true

  • false

Only in jps-config.xml

oracle.security.jps.discoveredPolicyDir

Specifies the absolute path to the directory in which discovery results are defined.

Optional (Mandatory when Discovery Mode is enabled)

Accepted Value: absolute path to directory

Only in jps-config.xml

oracle.security.jps.discoveredResourceIsHierarchical

Specifies whether the resource is hierarchical.

Optional

Accepted Values

  • true

  • false

Only in jps-config.xml

oracle.security.jps.discoveredResourceNameDelimiter

Specifies the delimiter to separate the resource name.

Optional (Mandatory when resource is defined as Hierarchical)

Accepted Value: any valid resource name delimiter; when used with WLS SM and OSB SM, the value should be "/"

Only in jps-config.xml


A.3 PDP Proxy Client Configuration

This section contains information regarding configuration for the PDP Proxy Client available for the RMI and Web Services Security Module.

A.3.1 Web Services Security Module PDP Proxy Client

Table A-13 compiles the parameters to configure the Web Services Security Module PDP Proxy Client.

Table A-13 Web Services Proxy Client Configuration Parameters

Parameter Name Information Console Name

oracle.security.jps.pdp.PDPTransport

Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server.

Mandatory

Accepted Values: no default value; XACML is always available in the Web Services Security Module.

  • WS

  • RMI

 

oracle.security.jps.pdp.proxy.PDPAddress

Specifies the host and port number of either the Web Services Security Module. For example, http://dadvml0134:9015

Optional

Accepted Value: a comma separated list of URIs (if more then one address is specified the first is conidered the primary, and the rest as backups)

 

oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs

Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding.

Optional

Accepted Value: time in milliseconds (default value is 10000)

 

oracle.security.jps.pdp.proxy.FailureRetryCount

Specifies the number of attempts to make before attempting the alternate failover server.

Optional

Accepted Value: number (default value is 3)

 

oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs

Specifies the interval of time after which a failed primary server is tried again for failover.

Optional

Accepted Value: time in milliseconds (default value is 180000)

 

oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs

Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed.

Optional

Accepted Value: time in milliseconds (default value is 60)

 

oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreFileName

Defines the name of the Identity Key Store file where client certificates for the Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module.

Optional

Accepted Value: name of the Identity Key Store file

 

oracle.security.jps.pdp.proxy.wssm.ssl.trustKeyStoreFileName

Defines the name of the Trust Key Store file where CA certificates for Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module.

Optional

Accepted Value: the name of the Trust Key Store file.

 

oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreKeyAlias

Specifies the alias name of the Web Services client certificate. Used for SSL communication between a client and the Web Services Security Module.

Optional

Accepted Value: alias of the identity key store (if only one alias exists in the identity key store, no need to specify this value)

 

oracle.security.jps.pdp.proxy.wssm.protocol

Defines the transport protocol used between the Policy Distribution Component client and server.

Optional

Accepted Values

  • https

  • http (default value)

 

A.3.2 RMI Security Module PDP Proxy Client

Table A-14 compiles the parameters to configure the RMI Security Module PDP Proxy Client.

Table A-14 PDP RMI Proxy Client Configuration Parameters

Parameter Name Information Console Name

oracle.security.jps.pdp.PDPTransport

Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server.

Mandatory

Accepted Values: no default value; XACML is always available in the RMI Security Module.

  • WS

  • RMI

 

oracle.security.jps.pdp.proxy.PDPAddress

Specifies the host and port number of the RMI Security Module. For example, rmi://localhost:9400

Mandatory

Accepted Value: a comma separated list of URIs (if more then one address is specified the first is conidered the primary, and the rest as backups)

 

oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs

Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding.

Optional

Accepted Value: time in milliseconds (default value is 10000)

 

oracle.security.jps.pdp.proxy.FailureRetryCount

Specifies the number of attempts to make before attempting the alternate failover server.

Optional

Accepted Value: number (default value is 3)

 

oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs

Specifies the interval of time after which a failed primary server is tried again for failover.

Optional

Accepted Value: time in milliseconds (default value is 180000)

 

oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs

Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed.

Optional

Accepted Value: time in milliseconds (default value is 60)

 

A.4 Policy Store Service Configuration

Table A-15 compiles the configuration parameters for the Policy Store Service.

Table A-15 Policy Store Service Configuration Parameters

Parameter Name Information Console Name

ldap.url

Defines the URL of the LDAP policy store. Valid in JEE and JSE applications and only applies to LDAP stores.

Mandatory

Accepted Value: URI of the LDAP policy store in the format ldap://host:port.

 

max.search.filter.length

Defines the maximum length of a search filter.

Mandatory

Accepted Value: integer defining the maximum length of a search filter; for example, 1024

 

oracle.security.jps.ldap.root.name

Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: root name of jps context; for example, cn=jpsroot.

 

oracle.security.jps.farm.name

Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: farm name of the domain; for example, cn=base_domain.

 

oracle.security.jps.policystore.resourcetypeenforcementmode

Controls the throwing of exceptions if any of the following checks fail:

  • Verify that if two resource types share the same permission class, that permission must be either ResourcePermission or extend AbstractTypedPermission, and this last resource type cannot be created.

  • Verify that all permissions have resource types defined, and that the resource matcher permission class and the permission being granted match.

Valid in JEE and JSE applications. Applies to LDAP and database stores.

Optional

Accepted Values

  • strict (when any of the above checks fail, the system throws an exception and the operation is aborted)

  • lenient (default value; when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged)

 

bootstrap.security.principal.key

Defines the key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: the key name of the credential; for example, oes_sm_key. The out-of-the-box value is bootstrap.

 

bootstrap.security.principal.map

Defines the map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores.

Mandatory

Accepted Value: map name of the credential; for example, oes_sm_map. The default value is BOOTSTRAP_JPS.

 

jdbc.driver

Defines the name of the JDBC driver.

Mandatory

Accepted Value: name of the JDBC driver.

 

jdbc.url

Defines the JDBC driver connection URL.

Mandatory

Accepted Value: the JDBC driver connection URL.