Oracle® Fusion Middleware WebLogic Scripting Tool Command Reference
11g Release 2 (11.1.2)

Part Number E28155-03

4 Infrastructure Security Custom WLST Commands

The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail. Topics include:

For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Security Guide.

Note:

To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide.

Overview of WLST Security Commands

WLST security commands are divided into the following categories:

Table 4-1 WLST Command Categories

Command Category | Description
Audit Configuration Commands | View and manage audit policies and the audit repository configuration.
SSL Configuration Commands | View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components.
Oracle Access Management Identity Federation Commands | View and manage configuration for Oracle Access Management Identity Federation.
Security Commands | Manage domain and credential domain stores and migrate domain policy store.
Oracle Access Management Access Manager Commands | Manage Access Manager-related components, such as authorization providers, identity asserters, and SSO providers.


Audit Configuration Commands

Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.

Table 4-2 WLST Audit Commands

Use this command... | To... | Use with WLST...
getNonJavaEEAuditMBeanName | Display the mBean name for a non-Java EE component. | Online
getAuditPolicy | Display audit policy settings. | Online
setAuditPolicy | Update audit policy settings. | Online
getAuditRepository | Display audit repository settings. | Online
setAuditRepository | Update audit repository settings. | Online
listAuditEvents | List audit events for one or all components. | Online
exportAuditConfig | Export a component's audit configuration. | Online
importAuditConfig | Import a component's audit configuration. | Online


For more information, see the Oracle Fusion Middleware Security Guide.

getNonJavaEEAuditMBeanName

Online command that displays the mbean name for non-Java EE components.

Description

This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.

Syntax

getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache.

svrName

Specifies the name of the Oracle WebLogic Server.


Example

The following interactive command displays the mBean name for an Oracle Internet Directory:

wls:/mydomain/serverConfig> getNonJavaEEAuditMBeanName(instName='inst1', compName='oid1', compType='oid', svrName='AdminServer')

getAuditPolicy

Online command that displays the audit policy settings.

Description

This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

getAuditPolicy([mbeanName, componentType])
Argument Definition

mbeanName

Specifies the name of the component audit MBean for non-Java EE components.

componentType

Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in jps-config.xml is returned.


Examples

The following command displays the audit settings for a Java EE component:

wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
 
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0

The following command displays the audit settings for MBean CSAuditProxyMBean:

wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean')

setAuditPolicy

Online command that updates an audit policy.

Description

Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

setAuditPolicy([mbeanName], [filterPreset], [addSpecialUsers], [removeSpecialUsers], [addCustomEvents], [removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
Argument Definition

mbeanName

Specifies the name of the component audit MBean for non-Java EE components.

filterPreset

Specifies the filter preset to be changed.

addSpecialUsers

Specifies the special users to be added.

removeSpecialUsers

Specifies the special users to be removed.

addCustomEvents

Specifies the custom events to be added.

removeCustomEvents

Specifies the custom events to be removed.

componentType

Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified.

maxDirSize

Specifies the maximum size of the log directory.

maxFileSize

Specifies the maximum size of the log file.

andCriteria

Specifies the and criteria in a custom filter preset definition.

orCriteria

Specifies the or criteria in a custom filter preset definition.

componentEventsFile

Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create or update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component and the filter preset level is set to 'Custom'.


Examples

The following interactive command sets audit policy to None level, and adds users user2 and user3 while removing user1 from the policy:

wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='None',addSpecialUsers='user2,user3',removeSpecialUsers='user1')

wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree

FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0

The following interactive command adds login events while removing logout events from the policy:

wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')

The following interactive command sets audit policy to a Low level:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully

wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0

The following command sets a custom filter to audit the CheckAuthorization event:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
 
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
 
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
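The getAuditPolicy output shown above is what an operator reads back to confirm that setAuditPolicy did what was intended. As an added example that is not part of the Oracle reference, the following Python (2.x-compatible syntax, so it runs under WLST's Jython or plain CPython) parses that printed text, for instance after saving it to a file with WLST's redirect command, and reports drift from an expected baseline. The sample output and the baseline values are constructed from the examples on this page and are assumptions, not Oracle recommendations.

```python
# Added example: parse the text printed by getAuditPolicy() and compare it
# with an expected baseline. Runs under CPython or WLST's Jython (2.x syntax).

# Constructed sample: the getAuditPolicy() output shown in the last
# setAuditPolicy example, including the prompt line and the tree notice.
SAMPLE_OUTPUT = """wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree

FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
"""

# Constructed baseline (an assumption, not an Oracle recommendation):
# the policy an operator expects to find on this domain.
BASELINE = {
    "FilterPreset": "Custom",
    "Special Users": ["user1"],
    "Custom Events": ["JPS:CheckAuthorization", "UserLogin"],
}

LIST_KEYS = ("Special Users", "Custom Events")        # comma-separated values
INT_KEYS = ("Max Log File Size", "Max Log Dir Size")  # byte counts


def parse_audit_policy(text):
    """Return a dict built from the Key:Value lines of getAuditPolicy output.

    Prompt lines, tree-change notices and blank lines are skipped. Only the
    first ':' splits key from value, so event names such as
    JPS:CheckAuthorization stay whole.
    """
    policy = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("wls:") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            policy[key] = set(v.strip() for v in value.split(",") if v.strip())
        elif key in INT_KEYS:
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def check_policy(policy, baseline):
    """Return a sorted list of drift findings (empty means the policy matches).

    Set-valued keys are compared as sets, with missing and unexpected entries
    reported separately: a silently narrowed audit scope and a silently
    widened one both deserve an operator's attention.
    """
    findings = []
    # FilterPreset None is the lowest preset: no events are captured at all.
    if policy.get("FilterPreset") == "None":
        findings.append("FilterPreset is None: auditing is effectively off")
    for key, expected in baseline.items():
        actual = policy.get(key)
        if actual is None:
            findings.append("missing: %s" % key)
        elif key in LIST_KEYS:
            wanted = set(expected)
            for name in sorted(wanted - actual):
                findings.append("%s lacks %s" % (key, name))
            for name in sorted(actual - wanted):
                findings.append("%s has unexpected %s" % (key, name))
        elif actual != expected:
            findings.append("%s is '%s', expected '%s'" % (key, actual, expected))
    return sorted(findings)


if __name__ == "__main__":
    result = check_policy(parse_audit_policy(SAMPLE_OUTPUT), BASELINE)
    for finding in result or ["no drift from baseline"]:
        print(finding)
```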

getAuditRepository

Online command that displays audit repository settings.

Description

This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). It also displays the database configuration if the repository is of database type.

Syntax

getAuditRepository()

Example

The following command displays audit repository configuration:

wls:/IDMDomain/domainRuntime> getAuditRepository()
Already in Domain Runtime Tree
 
Repository Type:File

setAuditRepository

Online command that updates audit repository settings.

Description

This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).

Syntax

setAuditRepository([switchToDB],[dataSourceName],[interval])
Argument Definition

switchToDB

If true, switches the repository from file to database.

dataSourceName

Specifies the name of the data source.

interval

Specifies the interval at which the audit loader runs.


Examples

The following command switches from a file repository to a database repository:

wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true');
Already in Domain Runtime Tree
 
Audit Repository Information updated
 
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
 
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB

The following interactive command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:

wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')

listAuditEvents

Online command that displays a component's audit events.

Description

This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

listAuditEvents([mbeanName],[componentType])
Argument Definition

mbeanName

Specifies the name of the component MBean.

componentType

Limits the list to the events of the specified component type.


Examples

The following command displays audit events for the Oracle Platform Security Services component:

wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
 
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message

The following command displays audit events for Oracle HTTP Server:

wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')

The following command displays all audit events:

wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
 
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...

exportAuditConfig

Online command that exports a component's audit configuration.

Description

This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

exportAuditConfig([mbeanName],fileName, [componentType])
Argument Definition

mbeanName

Specifies the name of the non-Java EE component MBean.

fileName

Specifies the path and file name to which the audit configuration should be exported.

componentType

Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in jps-config.xml is exported.


Examples

The following interactive command exports the audit configuration for a component:

wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:

wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')

importAuditConfig

Online command that imports a component's audit configuration.

Description

This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

Syntax

importAuditConfig([mbeanName],fileName, [componentType])
Argument Definition

mbeanName

Specifies the name of the non-Java EE component MBean.

fileName

Specifies the path and file name from which the audit configuration should be imported.

componentType

Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in jps-config.xml is imported.


Examples

The following interactive command imports the audit configuration for a component:

wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command imports the audit configuration from a file; no mBean is specified:

wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')

SSL Configuration Commands

Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.

Table 4-3 WLST Commands for SSL Configuration

Use this command... | To... | Use with WLST...
addCertificateRequest | Generate a certificate signing request in an Oracle wallet. | Online
addSelfSignedCertificate | Add a self-signed certificate to an Oracle wallet. | Online
changeKeyStorePassword | Change the password to a JKS keystore. | Online
changeWalletPassword | Change the password to an Oracle wallet. | Online
configureSSL | Set the SSL attributes for a component listener. | Online
createKeyStore | Create a JKS keystore. | Online
createWallet | Create an Oracle wallet. | Online
deleteKeyStore | Delete a JKS keystore. | Online
deleteWallet | Delete an Oracle wallet. | Online
exportKeyStore | Export a JKS keystore to a file. | Online
exportKeyStoreObject | Export an object from a JKS keystore to a file. | Online
exportWallet | Export an Oracle wallet to a file. | Online
exportWalletObject | Export an object from an Oracle wallet to a file. | Online
generateKey | Generate a key pair in a JKS keystore. | Online
getKeyStoreObject | Display a certificate or other object present in a JKS keystore. | Online
getSSL | Display the SSL attributes for a component listener. | Online
getWalletObject | Display a certificate or other object present in an Oracle wallet. | Online
importKeyStore | Import a JKS keystore from a file. | Online
importKeyStoreObject | Import a certificate or other object from a file to a JKS keystore. | Online
importWallet | Import an Oracle wallet from a file. | Online
importWalletObject | Import a certificate or other object from a file to an Oracle wallet. | Online
listKeyStoreObjects | List all objects present in a JKS keystore. | Online
listKeyStores | List all JKS keystores configured for a component instance. | Online
listWalletObjects | List all objects present in an Oracle wallet. | Online
listWallets | List all Oracle wallets configured for a component instance. | Online
removeKeyStoreObject | Remove a certificate or other object from a component instance's JKS keystore. | Online
removeWalletObject | Remove a certificate or other object from a component instance's Oracle wallet. | Online


For more information, see the Oracle Fusion Middleware Administrator's Guide.

addCertificateRequest

Online command that generates a certificate signing request in an Oracle wallet.

Description

This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.

Syntax

addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

DN

Specifies the Distinguished Name of the key pair entry.

keySize

Specifies the key size in bits.


Example

The following command generates a certificate signing request with DN cn=www.acme.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')

addSelfSignedCertificate

Online command that adds a self-signed certificate.

Description

This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.

Syntax

addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

DN

Specifies the Distinguished Name of the key pair entry.

keySize

Specifies the key size in bits.


Example

The following command adds a self-signed certificate with DN cn=www.acme.com, key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')

changeKeyStorePassword

Online command that changes the keystore password.

Description

This command changes the password of a Java Keystore (JKS) file for an Oracle Virtual Directory instance.

Syntax

changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the filename of the keystore.

currPassword

Specifies the current keystore password.

newPassword

Specifies the new keystore password.


Example

The following command changes the password of file keys.jks for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> changeKeyStorePassword('inst1', 'ovd1', 'ovd','keys.jks', 'currpassword', 'newpassword')

changeWalletPassword

Online command that changes the password of an Oracle wallet.

Description

This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.

Syntax

changeWalletPassword(instName, compName, compType, walletName,currPassword, newPassword)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.

walletName

Specifies the filename of the wallet.

currPassword

Specifies the current wallet password.

newPassword

Specifies the new wallet password.


Example

The following command changes the password for wallet1 from currpassword to newpassword for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> changeWalletPassword('inst1', 'ohs1', 'ohs','wallet1', 'currpassword', 'newpassword')

configureSSL

Online command that sets SSL attributes.

Description

This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

Syntax

configureSSL(instName, compName, compType, listener, filePath)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'oid', 'ovd', 'ohs', and 'webcache'.

listener

Specifies the name of the component listener to be configured for SSL.

filePath

Specifies the absolute path of the properties file containing the SSL attributes to set.


Examples

The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:

wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')

The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:

wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')

createKeyStore

Online command that creates a JKS keystore.

Description

This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

Syntax

createKeyStore(instName, compName, compType, keystoreName, password)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the filename of the keystore file to be created.

password

Specifies the keystore password.


Example

The following command creates JKS file keys.jks with password password for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> createKeyStore('inst1', 'ovd1', 'ovd','keys.jks', 'password')

createWallet

Online command that creates an Oracle wallet.

Description

This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

Syntax

createWallet(instName, compName, compType, walletName, password)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.

walletName

Specifies the name of the wallet file to be created.

password

Specifies the wallet password.


Examples

The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')

The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1:

wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')

deleteKeyStore

Online command that deletes a keystore.

Description

This command deletes a keystore for a specified Oracle Virtual Directory instance.

Syntax

deleteKeyStore(instName, compName, compType, keystoreName)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore file to delete.


Example

The following command deletes JKS file keys.jks for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> deleteKeyStore('inst1', 'ovd1', 'ovd','keys.jks')

deleteWallet

Online command that deletes an Oracle wallet.

Description

This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).

Syntax

deleteWallet(instName, compName, compType, walletName)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.

walletName

Specifies the name of the wallet file to be deleted.


Example

The following command deletes a wallet named wallet1 for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> deleteWallet('inst1', 'ohs1', 'ohs','wallet1')

exportKeyStore

Online command that exports the keystore to a file.

Description

This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported filename is the same as the keystore name.

Syntax

exportKeyStore(instName, compName, compType, keystoreName, password, path)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore file.

password

Specifies the password of the keystore.

path

Specifies the absolute path of the directory under which the keystore is exported.


Example

The following command exports the keystore keys.jks for Oracle Virtual Directory instance ovd1 to file keys.jks under /tmp:

wls:/mydomain/serverConfig> exportKeyStore('inst1', 'ovd1', 'ovd', 'keys.jks', 'password', '/tmp')

exportKeyStoreObject

Online command that exports an object from a keystore to a file.

Description

This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. The certificate signing request is generated before exporting the object. The alias specifies the object to be exported.

Syntax

exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore file.

password

Specifies the password of the keystore.

type

Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'.

path

Specifies the absolute path of the directory under which the object is exported as a file named base64.txt.

alias

Specifies the alias of the keystore object to be exported.


Examples

The following command generates and exports a certificate signing request from the key-pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')

The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')

The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')

exportWallet

Online command that exports an Oracle wallet.

Description

This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to one or more files under the given directory. If the exported wallet is an auto-login only wallet, the file name is 'cwallet.sso'. If it is a password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'.

Syntax

exportWallet(instName, compName, compType, walletName,password, path)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

path

Specifies the absolute path of the directory under which the object is exported.


Examples

The following command exports auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to file cwallet.sso under /tmp:

wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')

The following command exports password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp:

wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')

exportWalletObject

Online command that exports a certificate or other wallet object to a file.

Description

This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be exported.

Syntax

exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

type

Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'.

path

Specifies the absolute path of the directory under which the object is exported as a file base64.txt.

DN

Specifies the Distinguished Name of the wallet object being exported.


Examples

The following command exports a certificate signing request with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.acme.com')

The following command exports a certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.acme.com')

The following command exports a trusted certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.acme.com')

The following command exports a certificate chain with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.acme.com')

generateKey

Online command that generates a key pair in a Java keystore.

Description

This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated.

Syntax

generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore.

password

Specifies the password of the keystore.

DN

Specifies the Distinguished Name of the key pair entry.

keySize

Specifies the key size in bits.

alias

Specifies the alias of the key pair entry in the keystore.

algorithm

Specifies the key algorithm. Valid value is 'RSA'.


Examples

The following command generates a key pair with DN cn=www.acme.com, key size 1024, algorithm RSA and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey', 'RSA')

The following command is the same as above, except it does not explicitly specify the key algorithm:

wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey')

getKeyStoreObject

Online command that shows details about a keystore object.

Description

This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.

Syntax

getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore file.

password

Specifies the password of the keystore.

type

Specifies the type of the keystore object to be displayed. Valid values are 'Certificate' and 'TrustedCertificate'.

index

Specifies the index number of the keystore object as returned by the listKeyStoreObjects command.


Examples

The following command shows a trusted certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')

The following command shows a certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')

getSSL

Online command that lists the configured SSL attributes.

Description

This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.

Syntax

getSSL(instName, compName, compType, listener)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'.

listener

Specifies the name of the component listener.


Example

The following command shows the SSL attributes configured for Oracle Internet Directory instance oid1, in application server instance inst1, for listener sslport1:

wls:/mydomain/serverConfig> getSSL('inst1', 'oid1', 'oid', 'sslport1')

getWalletObject

Online command that displays information about a certificate or other object in an Oracle wallet.

Description

This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.

Syntax

getWalletObject(instName, compName, compType, walletName, password, type, index)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

type

Specifies the type of wallet object to be displayed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'.

index

Specifies the index number of the wallet object as returned by the listWalletObjects command.


Examples

The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')

The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')

The following command shows trusted certificate details for the object with index 0, present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')

importKeyStore

Online command that imports a keystore from a file.

Description

This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The component instance name must be unique.

Syntax

importKeyStore(instName, compName, compType, keystoreName, password, filePath)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore being imported. This name must be unique for this component instance.

password

Specifies the password of the keystore.

filePath

Specifies the absolute path of the keystore file to be imported.


Example

The following command imports the keystore /tmp/keys.jks as file.jks into Oracle Virtual Directory instance ovd1. Subsequently, the keystore is managed through the name file.jks:

wls:/mydomain/serverConfig> importKeyStore('inst1', 'ovd1', 'ovd', 'file.jks',
'password', '/tmp/keys.jks')

importKeyStoreObject

Online command that imports an object from a file to a keystore.

Description

This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory, assigning it the specified alias which must be unique in the keystore. If a certificate or certificate chain is being imported, the alias must match that of the corresponding key-pair.

Syntax

importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore.

password

Specifies the password of the keystore.

type

Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'.

filePath

Specifies the absolute path of the file containing the keystore object.

alias

Specifies the alias to assign to the keystore object to be imported.


Examples

The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey for Oracle Virtual Directory instance ovd1, in application server instance inst1. The file keys.jks must already have an alias mykey for a key-pair whose public key matches that in the certificate being imported:

wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')

The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')

importWallet

Online command that imports an Oracle wallet from a file.

Description

This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.

Syntax

importWallet(instName, compName, compType, walletName, password, filePath)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet being imported. The name must be unique for the component instance.

password

Specifies the password of the wallet.

filePath

Specifies the absolute path of the wallet file being imported.


Examples

The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:

wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')

The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:

wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')
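The exportWallet and importWallet descriptions above fix two file forms: an auto-login wallet is cwallet.sso, and a password-protected wallet exports ewallet.p12 next to a cwallet.sso, with importWallet expecting the right file and an empty password only for the auto-login case. A small pre-flight helper makes that rule explicit and adds the check a practitioner wants on an exported directory: an auto-login wallet opens without a password, so the file must not be readable by anyone but its owner. The code below is an added example, plain Python run outside WLST, not code from this reference or from Oracle; the function names classify_wallet, wallet_findings, import_wallet_args and scan_export_dir are hypothetical, the directory listing is constructed, and the owner-only permission rule is the editor's recommendation rather than something this page states.

```python
import os
import stat
import tempfile

# Constructed example; file names follow the exportWallet/importWallet text on
# this page: an auto-login wallet is 'cwallet.sso', a password-protected
# wallet is 'ewallet.p12' (exported together with a cwallet.sso).
AUTOLOGIN_FILE = "cwallet.sso"
PROTECTED_FILE = "ewallet.p12"
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission


def classify_wallet(entries):
    """Classify an export directory given its {file name: permission bits} listing.

    ewallet.p12 wins because a password-protected export writes a cwallet.sso
    beside it; returns ('password', 'ewallet.p12'), ('autologin', 'cwallet.sso')
    or (None, None).
    """
    if PROTECTED_FILE in entries:
        return "password", PROTECTED_FILE
    if AUTOLOGIN_FILE in entries:
        return "autologin", AUTOLOGIN_FILE
    return None, None


def wallet_findings(entries):
    """Flag wallet files that group or other can read or write.

    cwallet.sso opens without a password, so read access to it is access to the
    private key; ewallet.p12 is held to the same owner-only standard.
    """
    findings = []
    for name in (AUTOLOGIN_FILE, PROTECTED_FILE):
        if name in entries and entries[name] & NON_OWNER_BITS:
            findings.append("%s is accessible to group/other (mode %04o)"
                            % (name, entries[name]))
    return findings


def import_wallet_args(inst, comp, comp_type, wallet_name, password, path, entries=None):
    """Build the positional argument tuple for importWallet as documented above.

    Picks ewallet.p12 or cwallet.sso from the export directory and checks that
    the password is empty for an auto-login wallet and present otherwise.
    """
    if entries is None:
        entries = scan_export_dir(path)
    kind, wallet_file = classify_wallet(entries)
    if kind is None:
        raise ValueError("no %s or %s under %s" % (AUTOLOGIN_FILE, PROTECTED_FILE, path))
    if kind == "autologin" and password:
        raise ValueError("auto-login wallet takes an empty password")
    if kind == "password" and not password:
        raise ValueError("password-protected wallet needs its password")
    return (inst, comp, comp_type, wallet_name, password, os.path.join(path, wallet_file))


def scan_export_dir(path):
    """Read a real directory into the {name: permission bits} form used above."""
    return {name: stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
            for name in os.listdir(path)}


if __name__ == "__main__":
    # Stand-alone demo: a throwaway directory holding a world-readable placeholder
    # cwallet.sso (not a real wallet).
    tmp = tempfile.mkdtemp()
    placeholder = os.path.join(tmp, AUTOLOGIN_FILE)
    with open(placeholder, "wb") as f:
        f.write(b"constructed placeholder, not a real wallet")
    os.chmod(placeholder, 0o644)
    listing = scan_export_dir(tmp)
    print(import_wallet_args("inst1", "oid1", "oid", "wallet1", "", tmp, listing))
    print(wallet_findings(listing))
```

The tuple returned by import_wallet_args is exactly the argument order of importWallet in the syntax above, so a script can build it here and then splat it into the real command inside WLST; the permission check runs before any import so that a world-readable auto-login wallet is caught on the exporting host rather than discovered later.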

importWalletObject

Online command that imports a certificate or other object into an Oracle wallet.

Description

This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache component or Oracle Internet Directory). When importing a certificate, use the same wallet file from which the certificate signing request was generated.

Syntax

importWalletObject(instName, compName, compType, walletName, password, type, filePath)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

type

Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'.

filePath

Specifies the absolute path of the file containing the wallet object.


Examples

The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')

The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 
'password', 'Certificate','/tmp/cert.txt')

The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')

listKeyStoreObjects

Online command that lists the contents of a keystore.

Description

This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.

Syntax

listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore file.

password

Specifies the password of the keystore.

type

Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'.


Examples

The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')

The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')

listKeyStores

Online command that lists all the keystores for a component.

Description

This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.

Syntax

listKeyStores(instName, compName, compType)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.


Example

The following command lists all keystores for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStores('inst1', 'ovd1', 'ovd')

listWalletObjects

Online command that lists all objects in an Oracle wallet.

Description

This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).

Syntax

listWalletObjects(instName, compName, compType, walletName, password, type)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

type

Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'.


Examples

The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')

The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')

The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')

listWallets

Online command that lists all wallets configured for a component instance.

Description

This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.

Syntax

listWallets(instName, compName, compType)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.


Example

The following command lists all wallets for Oracle Internet Directory instance oid1 in application server instance inst1:

wls:/mydomain/serverConfig> listWallets('inst1', 'oid1', 'oid')

removeKeyStoreObject

Online command that removes an object from a keystore.

Description

This command removes a certificate request, certificate, trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed if all trusted certificates are being removed.

Syntax

removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid value is 'ovd'.

keystoreName

Specifies the name of the keystore file.

password

Specifies the password of the keystore.

type

Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'.

alias

Specifies the alias of the keystore object to be removed.


Examples

The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'Certificate','mykey')

The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')

The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedAll',None)

removeWalletObject

Online command that removes a certificate or other object from an Oracle wallet.

Description

This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be removed.

Syntax

removeWalletObject(instName, compName, compType, walletName, password, type, DN)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

walletName

Specifies the name of the wallet file.

password

Specifies the password of the wallet.

type

Specifies the type of the wallet object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'.

DN

Specifies the Distinguished Name of the wallet object to be removed.


Examples

The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so we pass null (denoted by None) for the DN parameter:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)

The following command removes a certificate signing request indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.acme.com')

The following command removes a certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.acme.com')

The following command removes a trusted certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.acme.com')

Security Commands

Use the WLST security commands listed in Table 4-4 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.

Table 4-4 WLST Security Commands

Use this command... To... Use with WLST...

listAppStripes

List application stripes in policy store.

Online

createAppRole

Create a new application role.

Online

deleteAppRole

Remove an application role.

Online

grantAppRole

Add a principal to a role.

Online

revokeAppRole

Remove a principal from a role.

Online

listAppRoles

List all roles in an application.

Online

listAppRolesMembers

List all members in an application role.

Online

grantPermission

Create a new permission.

Online

revokePermission

Remove a permission.

Online

listPermissions

List all permissions granted to a principal.

Online

deleteAppPolicies

Remove all policies in an application.

Online

migrateSecurityStore

Migrate policies or credentials from a source repository to a target repository.

Offline

listCred

Obtain the list of attribute values of a credential.

Online

updateCred

Modify the attribute values of a credential.

Online

createCred

Create a new credential.

Online

deleteCred

Remove a credential.

Online

modifyBootStrapCredential

Update the bootstrap credential store.

Offline

addBootStrapCredential

Add a credential to the bootstrap credential store.

Offline

exportEncryptionKey

Export the domain encryption key to the file ewallet.p12.

Offline

importEncryptionKey

Import the encryption key in file ewallet.p12 to the domain.

Offline

restoreEncryptionKey

Restore the domain encryption key as it was before the last import.

Offline

reassociateSecurityStore

Reassociate policies and credentials to an LDAP repository.

Online

upgradeSecurityStore

Upgrade security data from data used with release 10.1.x to data used with release 11.

Offline

createResourceType

Create a new resource type.

Online

getResourceType

Fetch an existing resource type.

Online

deleteResourceType

Remove an existing resource type.

Online

createResource

Create a resource.

Online

deleteResource

Remove a resource.

Online

listResources

List resources in an application stripe.

Online

listResourceActions

List actions in a resource.

Online

createEntitlement

Create an entitlement.

Online

getEntitlement

List an entitlement.

Online

deleteEntitlement

Remove an entitlement.

Online

addResourceToEntitlement

Add a resource to an entitlement.

Online

revokeResourceFromEntitlement

Remove a resource from an entitlement.

Online

listEntitlements

List entitlements in an application stripe.

Online

grantEntitlement

Create an entitlement.

Online

revokeEntitlement

Remove an entitlement.

Online

listEntitlement

List an entitlement.

Online

listResourceTypes

List resource types in an application stripe.

Online


createAppRole

Online command that creates a new application role.

Description

Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.


Example

The following invocation creates a new application role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")

deleteAppRole

Online command that removes an application role.

Description

Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

deleteAppRole(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.


Example

The following invocation removes the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> deleteAppRole(appStripe="myApp", appRoleName="myRole")

grantAppRole

Online command that adds a principal to a role.

Description

Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

grantAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

principalClass 

Specifies the fully qualified name of a class.

principalName 

Specifies the principal name.


Example

The following invocation adds a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp",  
appRoleName="myRole",principalClass="com.example.xyzPrincipal",
principalName="myPrincipal")

revokeAppRole

Online command that removes a principal from a role.

Description

Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

principalClass 

Specifies the fully qualified name of a class.

principalName 

Specifies the principal name.


Example

The following invocation removes a principal from the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", 
appRoleName="myRole",principalClass="com.example.xyzPrincipal", 
principalName="myPrincipal")

listAppRoles

Online command that lists all roles in an application.

Description

Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoles(appStripe)
Argument Definition
appStripe 

Specifies an application stripe.


Example

The following invocation returns all roles with application stripe myApp:

wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")

listAppRolesMembers

Online command that lists all members in a role.

Description

Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoleMembers(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.


Example

The following invocation returns all members in the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")

grantPermission

Online command that creates a new permission.

Description

Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in between square brackets.

grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

codeBaseURL 

Specifies the URL of the code granted the permission.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.

permClass 

Specifies the fully qualified name of the permission class.

permTarget 

Specifies, when available, the name of the permission target. Some permissions may not include this attribute.

permActions 

Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.


Examples

The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> grantPermission(appStripe="myApp",  
principalClass="my.custom.Principal",  principalName="manager",
permClass="java.security.AllPermission")

The following invocation creates a new system permission with the specified data:

wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager",
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext",
permActions="read,write")
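The two invocations above grant java.security.AllPermission and a read/write java.io.FilePermission. The following Python script is an added example, not code from the Oracle reference: it models the argument rules stated for grantPermission (permClass is required, every other argument is optional, and omitting appStripe means the grant lands in the system policies) and flags grants that a least-privilege review would normally question before they are applied. The grants it reviews are constructed sample input mirroring the two invocations.

```python
"""Review of grantPermission arguments before they are applied.

Added example, not Oracle's code.  Keyword names match the command's
arguments so a review can run over the same values that will be passed
to grantPermission.  The sample grants in __main__ are constructed.
"""

# Permission classes that confer every permission in their scope.
BROAD_CLASSES = {"java.security.AllPermission"}
# FilePermission actions that change or execute files.
WRITE_ACTIONS = {"write", "delete", "execute"}
# FilePermission targets that cover the whole filesystem (Java syntax).
WHOLE_FS_TARGETS = ("<<ALL FILES>>", "/-", "/*")


def describe_scope(appStripe=None):
    """Application policy when appStripe is given, system policy otherwise."""
    return "application policy (stripe %s)" % appStripe if appStripe else "system policy"


def review_grant(permClass, appStripe=None, codeBaseURL=None, principalClass=None,
                 principalName=None, permTarget=None, permActions=None):
    """Return review findings for one grantPermission call; [] means
    nothing unusual was found."""
    findings = []
    if not permClass:
        return ["permClass is required"]
    if not (principalName or codeBaseURL):
        findings.append("grant names neither a principal nor a code base")
    if permClass in BROAD_CLASSES:
        findings.append("%s grants every permission in the %s"
                        % (permClass, describe_scope(appStripe)))
    if permClass == "java.io.FilePermission":
        if permTarget in WHOLE_FS_TARGETS:
            findings.append("FilePermission target %r covers the whole filesystem" % permTarget)
        # permActions is a comma-separated list, as the reference states.
        actions = {a.strip() for a in (permActions or "").split(",") if a.strip()}
        risky = sorted(actions & WRITE_ACTIONS)
        if risky:
            findings.append("FilePermission on %s allows %s" % (permTarget, ", ".join(risky)))
    return findings


if __name__ == "__main__":
    # Constructed grants mirroring the two invocations in the reference.
    print(review_grant(appStripe="myApp", principalClass="my.custom.Principal",
                       principalName="manager", permClass="java.security.AllPermission"))
    print(review_grant(principalClass="my.custom.Principal", principalName="manager",
                       permClass="java.io.FilePermission",
                       permTarget="/tmp/fileName.ext", permActions="read,write"))
```

Run the review over a batch of planned grants before feeding them to grantPermission; a grant that produces no findings is the normal case, and each finding names the grant's scope so a system-policy grant is not mistaken for an application-scoped one.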

revokePermission

Online command that removes a permission.

Description

Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in between square brackets.

revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

codeBaseURL 

Specifies the URL of the code granted the permission.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.

permClass 

Specifies the fully qualified name of the permission class.

permTarget 

Specifies, when available, the name of the permission target. Some permissions may not include this attribute.

permActions 

Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.


Examples

The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> revokePermission(appStripe="myApp",  
principalClass="my.custom.Principal", principalName="manager", 
permClass="java.security.AllPermission")

The following invocation removes the system permission with the specified data:

wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager",  
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permActions="read,write")

listPermissions

Online command that lists all permissions granted to a given principal.

Description

Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in between square brackets.

listPermissions([appStripe,] principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.


Examples

The following invocation lists all permissions granted to a principal by the policies of application myApp:

wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")

The following invocation lists all permissions granted to a principal by system policies:

wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")

deleteAppPolicies

Online command that removes all policies with a given application stripe.

Description

Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

deleteAppPolicies(appStripe)
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.


Example

The following invocation removes all policies of application myApp:

wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")

migrateSecurityStore

Offline command that migrates identities, application-specific or system policies, a specific credential folder, or all credentials.

Description

Migrates identities, application-specific policies, or system policies from a source repository to a target repository. Migrates a specific credential folder or all credentials.

The kinds of repositories where the source and target data are stored are transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP repositories must use an OVD or an OID LDAP server only). In the event of an error, the command returns a WLSTException.

Syntax

The command syntax varies depending on the scope (system or application-specific or both) of the policies being migrated.

Optional arguments are enclosed in square brackets.

To migrate identities, use the following syntax:

migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])

To migrate all policies (system and application-specific, for all applications) use the following syntax

migrateSecurityStore(type="policyStore", configFile, src, 
dst,[overWrite,][preserveAppRoleGuid])

To migrate just system policies, use the following syntax:

migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])

To migrate just application-specific policies, for one application, use the following syntax:

migrateSecurityStore(type="appPolicies", configFile,src, dst, srcApp 
[,dstApp] [,overWrite] [,migrateIdStoreMapping][,preserveAppRoleGuid] [,mode])

To migrate all credentials, use the following syntax:

migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])

To migrate just one credential folder, use the following syntax:

migrateSecurityStore(type="folderCred", configFile, src, dst, [srcFolder,]
[dstFolder,] [srcConfigFile,] [overWrite])
Argument Definition
type 

Specifies the type of data migrated.

To migrate identities, set it to idStore.

To migrate all policies (system and application-specific, for all applications), set to policyStore.

To migrate just system policies, set to globalPolicies.

To migrate just application-specific policies, set to appPolicies.

To migrate all credentials, set to credStore.

To migrate just one credential folder, set to folderCred.

configFile  

Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The configuration file passed need not be an actual domain configuration file, but it can be assembled just to specify the source and destination repositories of the migration.

src 

Specifies the name of a jps-context in the configuration file passed to the argument configFile, where the source store is specified.

dst 

Specifies the name of another jps-context in the configuration file passed to the argument configFile, where the destination store is specified.

srcApp 

Specifies the name of the source application, that is, the application whose policies are being migrated.

dstApp 

Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application.

srcFolder 

Specifies the name of the folder from where credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder.

dstFolder 

Specifies the folder to where the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder.

srcConfigFile 

Specifies the location of an alternate configuration file, and it is used in the special case in which credentials are not configured in the file passed to configFile. This argument is optional. If unspecified, it defaults to the value passed to configFile; if specified, the value passed to configFile is ignored.

overWrite 

Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data.

migrateIdStoreMapping 

Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to False to exclude enterprise policies from the migration of application policies.

dstLdifFile

Specifies the location where the LDIF file will be created. Required only if destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the importing of the file LDIF should be done manually, after the file has been edited to account for the appropriate attributes required in your LDAP server.

preserveAppRoleGuid

Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false by default. Set to true to preserve GUIDs; set to false to recreate GUIDs.

mode

Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, to migrate just one of the duplicated items, and to log a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict.


Note the following requirements about the passed arguments:

  • The file jps-config.xml is found in the passed location.

  • The file jps-config.xml includes the passed jps-contexts.

  • The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.

Example

The following invocation illustrates the migration of the file-based policies of application PolicyServlet1 to file-based policies of application PolicyServlet2, that does not stop on encountering duplicate principals or permissions, that migrates just one of duplicate items, and that logs a warning when duplicates are found:

wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies",
configFile="jps-config.xml", src="default1", dst="context2",
srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="policystore1.xml" provider="some.provider">
  <property name="location" value="jazn-data1.xml"/>
</serviceInstance>
<serviceInstance name="policystore2.xml" provider="some.provider">
  <property name="location" value="jazn-data2.xml"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="policystore1.xml"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="policystore2.xml"/>
  ...
</jpsContext>

The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but assumed located in the current directory.

The following invocation illustrates the migration of file-based credentials from one location to another:

wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-config.xml", src="default1", dst="context2")

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="credstore1" provider="some.provider">
  <property name="location" value="./credstore1/cwallet.sso"/>
</serviceInstance>
<serviceInstance name="credstore2" provider="some.provider">
  <property name="location" value="./credstore2/cwallet.sso"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="credstore1"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="credstore2"/>
  ...
</jpsContext>

For detailed configuration examples to use with this command, see Oracle Fusion Middleware Security Guide.
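The requirements listed above for the passed arguments (the file jps-config.xml is found, it includes the passed jps-contexts, and the source and destination context names are distinct) can be checked before the migration runs. The following Python script is an added example, not code from the Oracle reference: it parses a jps-config.xml, verifies those three requirements for a given src and dst, and resolves the store location each context refers to, so that a mistyped context name or file name is caught before any data is written. The XML it parses is a constructed sample mirroring the two fragments shown above, with a placeholder namespace so the parser also handles files that declare one.

```python
"""Pre-flight checks for migrateSecurityStore arguments.

Added example, not code from the Oracle reference.  The sample XML below
is constructed; real jps-config.xml files carry an XML namespace, which
the parser ignores by matching local tag names.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample; the namespace URI is a placeholder, not Oracle's.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://example.invalid/jps-config">
  <serviceInstances>
    <serviceInstance name="policystore1.xml" provider="some.provider">
      <property name="location" value="jazn-data1.xml"/>
    </serviceInstance>
    <serviceInstance name="policystore2.xml" provider="some.provider">
      <property name="location" value="jazn-data2.xml"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default1">
    <jpsContext name="default1">
      <serviceInstanceRef ref="policystore1.xml"/>
    </jpsContext>
    <jpsContext name="context2">
      <serviceInstanceRef ref="policystore2.xml"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _local(tag):
    """Local name of an element tag, with any {namespace} prefix removed."""
    return tag.rsplit("}", 1)[-1]


def parse_jps_config(xml_text):
    """Return (instances, contexts).

    instances: serviceInstance name -> {property name: value}
    contexts:  jpsContext name -> [referenced serviceInstance names]
    """
    instances, contexts = {}, {}
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag == "serviceInstance":
            instances[el.get("name")] = {
                p.get("name"): p.get("value") for p in el if _local(p.tag) == "property"}
        elif tag == "jpsContext":
            contexts[el.get("name")] = [
                r.get("ref") for r in el if _local(r.tag) == "serviceInstanceRef"]
    return instances, contexts


def check_migration_args(config_file, src, dst, xml_text=None):
    """Return a list of problems with the passed arguments; [] means the
    documented requirements hold.  xml_text, if given, replaces reading
    config_file from disk (used for the in-memory sample)."""
    if xml_text is None:
        if not os.path.isfile(config_file):
            return ["configuration file not found: %s" % config_file]
        with open(config_file) as fh:
            xml_text = fh.read()
    instances, contexts = parse_jps_config(xml_text)
    problems = []
    if src == dst:
        problems.append("src and dst must be distinct jps-contexts, both are %r" % src)
    for label, ctx in (("src", src), ("dst", dst)):
        if ctx not in contexts:
            problems.append("%s context %r is not defined in %s" % (label, ctx, config_file))
            continue
        for ref in contexts[ctx]:
            if ref not in instances:
                problems.append("context %r references undefined serviceInstance %r" % (ctx, ref))
    return problems


def resolve_locations(xml_text, ctx):
    """Map each serviceInstance referenced by ctx to its 'location' property."""
    instances, contexts = parse_jps_config(xml_text)
    return {ref: instances.get(ref, {}).get("location") for ref in contexts.get(ctx, [])}


if __name__ == "__main__":
    for src, dst in (("default1", "context2"), ("default1", "default1"), ("default1", "ctx9")):
        print(src, "->", dst, check_migration_args("jps-config.xml", src, dst, SAMPLE_JPS_CONFIG))
    print(resolve_locations(SAMPLE_JPS_CONFIG, "default1"))
```

Against a real file, call check_migration_args with the same configFile, src and dst values you intend to pass to migrateSecurityStore and the path relative to the directory where WLST will be run; resolve_locations then shows which jazn-data or cwallet.sso file each side of the migration actually points at.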

listCred

Online command that returns the list of attribute values of a credential in the domain credential store.

Description

Returns the list of attribute values of a credential in the domain credential store with given map name and key name. This command lists the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException.

Syntax

listCred(map, key)
Argument Definition
map 

Specifies a map name (folder).

key 

Specifies a key name.


Example

The following invocation returns all the information (such as user name, password, URL, port, and description) in the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> listCred(map="myMap", key="myKey")

updateCred

Online command that modifies the type, user name, and password of a credential.

Description

Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

Optional arguments are enclosed in square brackets.

updateCred(map, key, user, password, [desc])
Argument Definition
map 

Specifies a map name (folder).

key 

Specifies a key name.

user 

Specifies the credential user name.

password 

Specifies the credential password.

desc 

Specifies a string describing the credential.


Example

The following invocation updates a password credential with the specified data:

wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", 
password="myPassw", desc="updated passw cred to connect to app xyz")

createCred

Online command that creates a new credential in the domain credential store.

Description

Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

Optional arguments are enclosed in square brackets.

createCred(map, key, user, password, [desc])
Argument Definition
map  

Specifies a map name (folder).

key 

Specifies a key name.

user 

Specifies the credential user name.

password 

Specifies the credential password.

desc 

Specifies a string describing the credential.


Example

The following invocation creates a new password credential with the specified data:

wls:/mydomain/serverConfig> createCred(map="myMap", key="myKey", user="myUsr",
password="myPassw", desc="updated usr name and passw to connect to app xyz")

deleteCred

Online command that removes a credential in the domain credential store.

Description

Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.

Syntax

deleteCred(map,key)
Argument Definition
map  

Specifies a map name (folder).

key 

Specifies a key name.


Example

The following invocation removes the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> deleteCred(map="myMap", key="myKey")

modifyBootStrapCredential

Offline command that updates a bootstrap credential store.

Description

Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.

Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.

Syntax

modifyBootStrapCredential(jpsConfigFile, username, password)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

username

Specifies the distinguished name of the user in the LDAP store.

password

Specifies the password of the user.


Example

Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:

wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')

Any output regarding the audit service can be disregarded.

addBootStrapCredential

Offline command that adds a credential to the bootstrap credential store.

Description

Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.

Syntax

addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

map 

Specifies the map of the credential to add.

key 

Specifies the key of the credential to add.

username 

Specifies the name of the user in the credential to add.

password

Specifies the password of the user in the credential to add.


Example

The following invocation adds a credential to the bootstrap credential store:

wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='myPassword')

exportEncryptionKey

Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.

Description

Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.

Syntax

exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

keyFilePath 

Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword.

keyFilePassword 

Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file.


Example

The following invocation writes the file ewallet.p12 in the directory myDir:

exportEncryptionKey(jpsConfigFile="pathName", keyFilePath="myDir" ,keyFilePassword="password")

importEncryptionKey

Offline command that imports keys from the specified ewallet.p12 file into the domain.

Description

Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.

Syntax

importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

keyFilePath 

Specifies the directory where the ewallet.p12 is located.

keyFilePassword 

Specifies the password used when the file ewallet.p12 was generated.


Example

importEncryptionKey(jpsConfigFile="pathName", keyFilePath="dirloc" ,keyFilePassword="password")

restoreEncryptionKey

Offline command to restore the domain credential encryption key.

Description

Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.

Syntax

restoreEncryptionKey(jpsConfigFile)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.


Example

restoreEncryptionKey(jpsConfigFile="pathName")

reassociateSecurityStore

Online command that migrates the policy and credential stores to an LDAP repository.

Description

Migrates, within a given domain, both the policy store and the credential store to a target LDAP server repository. The only kinds of LDAP servers allowed are OID or OVD. This command also allows setting up a policy store shared by different domains (see the optional argument join below). In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

reassociateSecurityStore(domain, admin, password, ldapurl, servertype, jpsroot [, join] [,keyFilePath, keyFilePassword])
Argument Definition
domain  

Specifies the domain name where the reassociating takes place.

admin 

Specifies the administrator's user name on the LDAP server. The format is cn=usrName.

password 

Specifies the password associated with the user specified for the argument admin.

ldapurl 

Specifies the URI of the LDAP server. The format is ldap://host:port, if you are using a default port, or ldaps://host:port, if you are using a secure LDAP port. The secure port must be configured specially for this function and it is distinct from the default (non-secure) port.

servertype 

Specifies the kind of the target LDAP server. The only valid types are OID or OVD.

jpsroot 

Specifies the root node in the target LDAP repository under which all data is migrated. The format is cn=nodeName.

join

Specifies whether the domain is to share a policy store specified in some other domain. Optional. Set to true to share an existing policy store in another domain; set to false otherwise. If unspecified, it defaults to false. The use of this argument allows multiple WebLogic domains to point to the same logical policy store.

keyFilePath

Specifies the directory where the ewallet.p12 is located.

keyFilePassword

Specifies the password used when the file ewallet.p12 was generated.


Examples

The following invocation reassociates the domain policies and credentials to an LDAP Oracle Internet Directory server:

wls:/mydomain/serverConfig> reassociateSecurityStore(domain="myDomain", 
admin="cn=adminName", password="myPass",ldapurl="ldap://myhost.example.com:3060", 
servertype="OID", jpsroot="cn=testNode")

Suppose that you want some other domain (distinct from myDomain, say otherDomain) to share the policy store in myDomain. Then you would invoke the command as follows:

wls:/mydomain/serverConfig> reassociateSecurityStore(domain="otherDomain", 
admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", 
servertype="OID", jpsroot="cn=testNode", join="true")
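Because reassociateSecurityStore runs interactively and moves the whole policy and credential store, it is worth checking the arguments before typing the command. The following Python script is an added example, not part of the Oracle reference: it checks each argument against the format the reference gives for it (admin and jpsroot of the form cn=..., ldapurl of the form ldap://host:port or ldaps://host:port, servertype OID or OVD, join "true" or "false", keyFilePath and keyFilePassword passed together) and flags a plain ldap:// URL so that use of the default (non-secure) port is a deliberate choice. The argument sets it runs on are constructed sample input; the port numbers are placeholders.

```python
"""Argument pre-flight for reassociateSecurityStore.

Added example, not Oracle's code.  Enforces only the argument formats the
reference states; the sample values in __main__ are constructed.
"""
import re

_LDAPURL_RE = re.compile(r"^(ldap|ldaps)://([A-Za-z0-9.-]+):(\d{1,5})$")
_CN_RE = re.compile(r"^cn=[^,=]+$")


def parse_ldapurl(ldapurl):
    """Return (scheme, host, port); raise ValueError if the URL does not
    match ldap://host:port or ldaps://host:port."""
    m = _LDAPURL_RE.match(ldapurl)
    if not m:
        raise ValueError(
            "ldapurl must be ldap://host:port or ldaps://host:port, got %r" % ldapurl)
    port = int(m.group(3))
    if not 1 <= port <= 65535:
        raise ValueError("port %d out of range in %r" % (port, ldapurl))
    return m.group(1), m.group(2), port


def validate_reassociate_args(domain, admin, password, ldapurl, servertype, jpsroot,
                              join="false", keyFilePath=None, keyFilePassword=None):
    """Return a list of (severity, message).  'error' entries should block
    the call; 'warn' entries are caveats for the operator."""
    findings = []
    if not domain:
        findings.append(("error", "domain is required"))
    if not _CN_RE.match(admin or ""):
        findings.append(("error", "admin must have the form cn=usrName, got %r" % admin))
    if not password:
        findings.append(("error", "password is required"))
    try:
        scheme, host, port = parse_ldapurl(ldapurl)
        if scheme == "ldap":
            findings.append(("warn", "ldap://%s:%d uses the default (non-secure) port; "
                             "use ldaps:// with the secure port for the migration"
                             % (host, port)))
    except ValueError as exc:
        findings.append(("error", str(exc)))
    if servertype not in ("OID", "OVD"):
        findings.append(("error", "servertype must be OID or OVD, got %r" % servertype))
    if not _CN_RE.match(jpsroot or ""):
        findings.append(("error", "jpsroot must have the form cn=nodeName, got %r" % jpsroot))
    if join not in ("true", "false"):
        findings.append(("error", 'join must be "true" or "false", got %r' % join))
    if (keyFilePath is None) != (keyFilePassword is None):
        findings.append(("error", "keyFilePath and keyFilePassword must be passed together"))
    return findings


def errors_only(findings):
    """Messages of the blocking findings."""
    return [msg for sev, msg in findings if sev == "error"]


if __name__ == "__main__":
    # Constructed sample arguments; 3060 and 3131 are placeholder ports.
    base = dict(domain="myDomain", admin="cn=adminName", password="myPass",
                servertype="OID", jpsroot="cn=testNode")
    for url in ("ldap://myhost.example.com:3060",
                "ldaps://myhost.example.com:3131",
                "ldap//:myhost:3060"):
        print(url, validate_reassociate_args(ldapurl=url, **base))
```

A call that returns only warnings can proceed; anything tagged error would otherwise be reported by the command itself only after the interactive session has started.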

upgradeSecurityStore

Offline command that migrates release 10.1.x security data to release 11 security data.

Description

Migrates identity, policy, and credential data used in release 10.1.x to security data that can be used with release 11. The migration of each kind of data is performed with separate invocations of this command. In the event of an error, the command returns a WLSTException.

Syntax

The syntax varies according to the type of data being updated.

To upgrade 10.1.x XML identity data to 11 XML identity data, use the following syntax:

upgradeSecurityStore(type="xmlIdStore", jpsConfigFile, srcJaznDataFile, srcRealm, dst)

To upgrade 10.1.x XML policy data to 11 XML policy data, use the following syntax:

upgradeSecurityStore(type="xmlPolicyStore", jpsConfigFile, srcJaznDataFile, dst)

To upgrade 10.1.x OID LDAP-based policy data to 11 XML policy data, use the following syntax:

upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile, srcJaznConfigFile, dst)

To upgrade 10.1.x XML credential data to 11 XML credential data, use the following syntax:

upgradeSecurityStore(type="xmlCredStore", jpsConfigFile, srcJaznDataFile, users, dst)
Argument Definition
type  

Specifies the kind of security data being upgraded. The only valid values are xmlIdStore, xmlPolicyStore, oidPolicyStore, and xmlCredStore.

jpsConfigFile 

Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The target store of the upgrading is read from the context specified with the argument dst.

srcJaznDataFile 

Specifies the location of a 10.1.x jazn data file relative to the directory where the command is run. This argument is required if the specified type is xmlIdStore, xmlPolicyStore, or xmlCredStore.

srcJaznConfigFile 

Specifies the location of a 10.1.x jazn configuration file relative to the directory where the command is run. This argument is required if the specified type is oidPolicyStore.

srcRealm 

Specifies the name of the realm from which identities need be migrated. This argument is required if the specified type is xmlIdStore.

users 

Specifies a comma-separated list of users each formatted as realmName/userName. This argument is required if the specified type is xmlCredStore.

dst 

Specifies the name of the jpsContext in the file passed to the argument jpsConfigFile where the destination store is configured. Optional. If unspecified, it defaults to the default context in the file passed in the argument jpsConfigFile.


Examples

The following invocation migrates 10.1.3 file-based identities to an 11 file-based identity store:

wls:/mydomain/serverConfig> upgradeSecurityStore(type="xmlIdStore",  
jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml",
srcRealm="jazn.com")

The following invocation migrates a 10.1.3 OID-based policy store to an 11 file-based policy store:

wls:/mydomain/serverConfig> upgradeSecurityStore(type="oidPolicyStore",
jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml",
dst="destinationContext")

createResourceType

Online command that creates a new resource type in the domain policy store within a given application stripe.

Description

Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. Optional arguments are enclosed in between square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument Definition
appStripe  

Specifies the application stripe where to insert the resource type.

resourceTypeName 

Specifies the name of the resource type to insert.

displayName 

Specifies the name for the resource type used in UI gadgets.

description 

Specifies a brief description of the resource type.

provider 

Specifies the provider for the resource type.

matcher 

Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission.

actions 

Specifies the actions allowed on instances of the resource type.

delimeter 

Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','.


Example

The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:

wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication",
resourceTypeName="resTypeName", displayName="displName", description="A resource
type", provider="Printer", matcher="com.printer.Printer",
actions="BWPrint;ColorPrint", delimeter=";")

getResourceType

Online command that fetches a resource type from the domain policy store within a given application stripe.

Description

Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

getResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  

Specifies the application stripe from where to fetch the resource type.

resourceTypeName 

Specifies the name of the resource type to fetch.


Example

The following invocation fetches the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")

deleteResourceType

Online command that removes a resource type from the domain policy store within a given application stripe.

Description

Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

deleteResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  

Specifies the application stripe from where to remove the resource type.

resourceTypeName 

Specifies the name of the resource type to remove.


Example

The following invocation removes the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")

listAppStripes

Online or offline command that lists the application stripes in the policy store.

Description

This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.

If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited as described in "Running listAppStripes after Reassociating to a DB-Based Store" in Oracle Fusion Middleware Security Guide.

Syntax

listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument Definition
configFile  

Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store.

regularExpression 

Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *.


Examples

The following (online) invocation returns the list of application stripes in the policy store:

wls:/mydomain/serverConfig> listAppStripes()

The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:

wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")

The following (online) invocation returns the list of application stripes that contain the prefix App:

wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")

createResource

Online command that creates a new resource.

Description

Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
Argument Definition
appStripe  

Specifies the application stripe where the resource is created.

name  

Specifies the name of the resource created.

type  

Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked.

displayName  

Specifies the display name of the resource created. Optional.

description  

Specifies the description of the resource created. Optional.


Example

The following invocation creates the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")

deleteResource

Online command that deletes a resource.

Description

Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.

Syntax

deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument Definition
appStripe  

Specifies the application stripe where the resource is deleted.

name  

Specifies the name of the resource deleted.

type  

Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked.


Example

The following invocation deletes the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")

listResources

Online command that lists resources in a specified application stripe.

Description

If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.

Syntax

listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument Definition
appStripe  

Specifies the application stripe where the resources are listed.

type  

Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked.


Example

The following invocation lists all resources of type myResType in the stripe myApplication:

wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")

listResourceActions

Online command that lists the resources and actions in an entitlement.

Description

Lists the resources and actions in an entitlement within an application stripe.

Syntax

listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement resides.

permSetName  

Specifies the name of the entitlement whose resources and actions to list.


Example

The following invocation lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")

createEntitlement

Online command that creates a new entitlement.

Description

Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.

Syntax

createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is created.

name  

Specifies the name of the entitlement created.

resourceName  

Specifies the name of the one resource member of the entitlement created.

actions  

Specifies the comma-separated list of actions for the resource resourceName.

displayName  

Specifies the display name of the entitlement created. Optional.

description  

Specifies the description of the entitlement created. Optional.


Example

The following invocation creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")

getEntitlement

Online command that gets an entitlement.

Description

Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.

Syntax

getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to access.


Example

The following invocation returns the information of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")

deleteEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.

Syntax

deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

name  

Specifies the name of the entitlement to delete.


Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")

addResourceToEntitlement

Online command that adds a resource with specified actions to an entitlement.

Description

Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to modify.

resourceName  

Specifies the name of the resource to add.

resourceType  

Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked.

actions  

Specifies the comma-separated list of actions for the added resource.


Example

The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:

wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", 
name="myEntitlement", resourceName="myResource", resourceType="myResType", 
actions="view,edit")

revokeResourceFromEntitlement

Online command that removes a resource from an entitlement.

Description

Removes a resource from an entitlement in a specified application stripe.

Syntax

revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to modify.

resourceName  

Specifies the name of the resource to remove.

resourceType  

Specifies the type of the resource to remove.

actions  

Specifies the comma-separated list of actions to remove.


Example

The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", 
resourceName="myResource", resourceType="myResType", actions="view,edit")

listEntitlements

Online command that lists the entitlements in an application stripe.

Description

Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.

Syntax

listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument Definition
appStripe  

Specifies the application stripe from where to list entitlements.

resourceTypeName  

Specifies the name of the type of the resources to list. Optional.

resourceName  

Specifies the name of resource to match. Optional.


Examples

The following invocation lists all the entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")

The following invocation lists all the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches the resource name myResName:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName") 

grantEntitlement

Online command that creates a new entitlement.

Description

Creates a new entitlement with a specified principal in a specified application stripe.

Syntax

grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is created.

principalClass  

Specifies the class associated with the principal.

principalName  

Specifies the name of the principal to which the entitlement is granted.

permSetName  

Specifies the name of the entitlement created.


Example

The following invocation creates the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")
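The commands above (createResource, createEntitlement, addResourceToEntitlement, grantEntitlement and their delete counterparts) form one provisioning sequence. The following generator is an added example, not Oracle code: it turns a declarative spec into those WLST calls in dependency order and enforces the constraints the reference states (the resource type must already exist in the stripe, actions are comma-separated, createEntitlement takes one resource and further ones go through addResourceToEntitlement) before anything touches the policy store. The naming rule _SAFE_NAME and the sample spec are this example's assumptions.

```python
"""Generate WLST lines that provision (and tear down) an OPSS entitlement.

The generator runs under plain Python 3 with no WLST present; the lines it
returns are pasted into, or saved as a script for, a connected WLST session.
"""

import re

# Principal class used in the reference's grantEntitlement example.
APP_ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"

# Assumed naming rule for stripes, resources, entitlements, principals and
# actions; the reference does not state one, so this is deliberately strict.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_.\-]+$")


def _check_name(kind, value):
    if not isinstance(value, str) or not _SAFE_NAME.match(value):
        raise ValueError("invalid %s name: %r" % (kind, value))
    return value


def wlst_call(cmd, **kwargs):
    """Render one WLST invocation; every value is double-quoted as in the reference."""
    args = []
    for key, value in kwargs.items():
        if '"' in value or "\n" in value:
            raise ValueError("unsafe character in argument %s" % key)
        args.append('%s="%s"' % (key, value))
    return "%s(%s)" % (cmd, ", ".join(args))


def _actions_csv(actions):
    """Build the comma-separated action list; a comma inside an action is rejected."""
    if not actions:
        raise ValueError("an entitlement resource needs at least one action")
    return ",".join(_check_name("action", a) for a in actions)


def build_entitlement_script(app_stripe, existing_types, entitlement, grants):
    """Return the WLST lines that create the resources, the entitlement and its grants.

    existing_types: resource types already present in the stripe (what
    listResourceTypes shows); any other type is rejected up front because
    createResource requires the type to exist at invocation time.
    """
    stripe = _check_name("stripe", app_stripe)
    ent_name = _check_name("entitlement", entitlement["name"])
    resources = entitlement["resources"]
    if not resources:
        raise ValueError("createEntitlement needs exactly one initial resource")
    lines = []
    for res in resources:
        if res["type"] not in existing_types:
            raise ValueError("resource type %r not in stripe %s" % (res["type"], stripe))
        args = dict(appStripe=stripe, name=_check_name("resource", res["name"]),
                    type=_check_name("resource type", res["type"]))
        if res.get("displayName"):
            args["displayName"] = res["displayName"]
        lines.append(wlst_call("createResource", **args))
    first, rest = resources[0], resources[1:]
    lines.append(wlst_call("createEntitlement", appStripe=stripe, name=ent_name,
                           resourceName=first["name"], actions=_actions_csv(first["actions"])))
    for res in rest:
        lines.append(wlst_call("addResourceToEntitlement", appStripe=stripe, name=ent_name,
                               resourceName=res["name"], resourceType=res["type"],
                               actions=_actions_csv(res["actions"])))
    for grant in grants:
        lines.append(wlst_call("grantEntitlement", appStripe=stripe,
                               principalClass=grant["principalClass"],
                               principalName=_check_name("principal", grant["principalName"]),
                               permSetName=ent_name))
    return lines


def build_teardown_script(app_stripe, entitlement):
    """Reverse of build_entitlement_script. deleteEntitlement cascades over the
    entitlement's references in the stripe, so only the resources need their
    own deletes, issued in reverse creation order."""
    stripe = _check_name("stripe", app_stripe)
    lines = [wlst_call("deleteEntitlement", appStripe=stripe, name=entitlement["name"])]
    for res in reversed(entitlement["resources"]):
        lines.append(wlst_call("deleteResource", appStripe=stripe,
                               name=res["name"], type=res["type"]))
    return lines


# Constructed sample spec reusing the names from the reference's examples.
SAMPLE_ENTITLEMENT = {
    "name": "myEntitlement",
    "resources": [
        {"name": "myResource", "type": "myResType", "actions": ["read", "write"]},
        {"name": "myReport", "type": "myResType", "actions": ["view"]},
    ],
}
SAMPLE_GRANTS = [{"principalClass": APP_ROLE_CLASS, "principalName": "myPrincipalName"}]

if __name__ == "__main__":
    # Review the generated commands before running them in an online session.
    for line in build_entitlement_script("myApplication", {"myResType"},
                                         SAMPLE_ENTITLEMENT, SAMPLE_GRANTS):
        print(line)
```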

revokeEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.

Syntax

revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

principalClass  

Specifies the class associated with the principal.

principalName  

Specifies the name of the principal from which the entitlement is revoked.

permSetName  

Specifies the name of the entitlement deleted.


Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

listEntitlement

Online command that lists an entitlement in a specified application stripe.

Description

If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.

Syntax

listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument Definition
appStripe  

Specifies the application stripe whose entitlements are listed.

principalName  

Specifies the name of the principal to match. Optional.

principalClass  

Specifies the class of the principal to match. Optional.


Example

The following invocation lists all entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlement(appStripe="myApplication")

listResourceTypes

Online command that lists resource types.

Description

Lists all the resource types in a specified application stripe.

Syntax

listResourceTypes(appStripe="appStripeName")
Argument Definition
appStripe  

Specifies the application stripe where the resource types are located.


Example

The following invocation lists all resource types in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")

Oracle Access Management Access Manager Commands

Use the WLST commands listed in Table 4-5 to manage Oracle Access Management Access Manager (Access Manager) related components, such as authorization providers, identity asserters, and SSO providers; to display metrics and deployment topology; and to manage Access Manager server and agent configuration and logger settings.

Table 4-5 WLST Access Manager Commands

Use this command... | To... | Use with WLST...
createUserIdentityStore | Create a user identity store registration. | Online
editUserIdentityStore | Edit a user identity store registration. | Online, Offline
deleteUserIdentityStore | Delete a user identity store registration. | Online
displayUserIdentityStore | Display a user identity store registration. | Online, Offline
createOAMServer | Create an entry for an Access Manager Server configuration. | Online
editOAMServer | Edit the entry for an Access Manager Server configuration. | Online, Offline
deleteOAMServer | Delete the named Access Manager Server configuration. | Online
displayOAMServer | Display Access Manager Server configuration details. | Online, Offline
configRequestCacheType | Configure the SSO server request cache type. | Online
displayRequestCacheType | Display the SSO server request cache type entry. | Online, Offline
editOssoAgent | Edit OSSO Agent configuration details. | Online
deleteOssoAgent | Delete the named OSSO Agent configuration. | Online, Offline
displayOssoAgent | Display OSSO Agent configuration details. | Online, Offline
editWebgateAgent | Edit 10g WebGate Agent registration details. | Online
deleteWebgateAgent | Delete the named 10g WebGate Agent configuration. | Online
displayWebgateAgent | Display WebGate Agent configuration details. | Online, Offline
resetKeystorePassword | Set the .oamkeystore password. | Online
exportPolicy | Export Access Manager policy data from a test (source) to an intermediate Access Manager file. | Online
importPolicy | Import Access Manager policy data from the Access Manager file specified. | Online
importPolicyDelta | Import Access Manager policy changes from the Access Manager file specified. | Online
migratePartnersToProd | Migrate partners from the source Access Manager Server to the specified target Access Manager Server. | Online
exportPartners | Export the Access Manager partners from the source to the intermediate Access Manager file specified. | Online
importPartners | Import the Access Manager partners from the intermediate Access Manager file specified. | Online
displayTopology | List the details of deployed Access Manager Servers. | Online, Offline
configureOAAMPartner | Configure the Access Manager-Oracle Adaptive Access Manager basic integration. | Online
registerOIFDAPPartner | Register Identity Federation as Delegated Authentication Protocol (DAP) Partner. | Online, Offline
registerOIFDAPPartnerIDPMode | Registers Identity Federation in IDP mode. | 
registerThirdPartyTAPPartner | Registers any third party as a Trusted Authentication Protocol (TAP) Partner. | Online
disableCoexistMode | Disable the Coexist Mode. | Online
enableOamAgentCoexist | Enables Coexist Mode for the Access Manager agent (enabling the Access Manager 11g server to own the Obssocookie set by 10g WebGate). | Online
disableOamAgentCoexist | Disables Coexist Mode for the Access Manager agent (the Access Manager 11g server no longer owns the Obssocookie set by 10g WebGate). | Online
editGITOValues | Edit GITO configuration parameters. | Online
editWebgate11gAgent | Edit an 11g WebGate registration. | Online, Offline
deleteWebgate11gAgent | Remove an 11g WebGate Agent registration. | Online
displayWebgate11gAgent | Display an 11g WebGate Agent registration. | Online, Offline
displayOAMMetrics | Display metrics of Access Manager Servers. | Online
updateOIMHostPort | Update the Oracle Identity Manager configuration when integrated with Access Manager. | Online
configureOIM | Creates an Agent registration specific to Oracle Identity Manager when integrated with Access Manager. | Online
updateOSSOResponseCookieConfig | Updates OSSO Proxy response cookie settings. | Online
deleteOSSOResponseCookieConfig | Deletes OSSO Proxy response cookie settings. | Online
configureAndCreateIdentityStore | Configures an identity store and external user store. | Online
configAndCreateUsingPropFile | Configures an identity store and external user store using values defined in a file. | Online
migrateArtifacts (deprecated) | Migrates artifacts based on the specified artifact file. | Online
displaySimpleModeGlobalPassphrase | Displays the simple mode global passphrase in plain text from the system configuration. | Online
exportSelectedPartners | Exports selected Access Manager Partners to the intermediate Access Manager file specified. | Online
oamMigrate | Migrates policies, authentication stores, and user stores from OSSO, OAM10g, OpenSSO, or AM 7.1 to OAM11g. | Online
preSchemeUpgrade | Invokes the preSchemeUpgrade operation. | Online
postSchemeUpgrade | Invokes the postSchemeUpgrade operation. | Online
oamSetWhiteListMode | When set to true, the Access Manager Server redirects only to the URLs specified in the WhiteListURL list. | Online
oamWhiteListURLConfig | Add, update or remove whitelist URL entries from the configuration file. | Online
enableMultiDataCentreMode | Enable Multi Data Centre Mode. | Online
disableMultiDataCentreMode | Disable Multi Data Centre Mode. | Online
setMultiDataCentreClusterName | Set the Multi Data Centre Cluster name. | Online
setMultiDataCentreLogoutURLs | Set the Multi Data Centre logout URLs. | Online
addPartnerForMultiDataCentre | Add partner for Multi Data Centre. | Online
removePartnerForMultiDataCentre | Remove partner from Multi Data Centre. | Online


createUserIdentityStore

Online and offline command that creates an identity store registration for Access Manager.

Description

Creates an entry in the system configuration for a new user identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.

Syntax

createUserIdentityStore(name="<Name>", principal="<Principal>", 
credential="<Credential>", type="<Type>", userAttr="<userAttr>", 
ldapProvider="<ldapProvider>", userSearchBase="<userSearchBase>", 
ldapUrl="<ldapUrl>", isPrimary="<isPrimary>", userIDProvider="<userIDProvider>", roleSecAdmin="<roleSecAdmin>", roleSecAdminGroups="<roleSecAdminGroups>", 
roleSecAdminUsers="<roleSecAdminUsers>", groupSearchBase="<groupSearchBase>", 
supplementaryReturnAttributes="<supplementaryReturnAttributes>", 
domainHome="<domainHome>")
Argument Definition
name

Mandatory. Specifies the unique name of the LDAP identity store (only upper and lower case alpha characters and numbers).

principal

Mandatory. Specifies the Principal Administrator of the LDAP identity store being registered. For example, cn=Admin.

credential

Mandatory. Specifies the password of the Principal Administrator for the LDAP identity store being registered.

type

Mandatory. Specifies the type of the base identity store being registered. For this command, the value would be LDAP.

userAttr

Mandatory. Specifies the user attributes of the LDAP identity store being registered.

ldapProvider

Mandatory. Specifies the type of the LDAP identity store being registered. The value might be ODSEE, AD, OID, OVD, SJS, OUD, and the like. This value is defined when a new user identity store is created using the Access Manager Administration Console and corresponds with Store Type in the user identity store.

userSearchBase

Mandatory. Specifies the node under which user data is stored in the LDAP identity store being registered. For example, cn=users.

groupSearchBase

Mandatory. Specifies the node under which group data is stored in the LDAP identity store being registered. For example, cn=groups.

ldapUrl

Mandatory. Specifies the URL of the server host (including port number) of the LDAP identity store being registered. For example, ldap://localhost:7001.

isPrimary

Optional. Specifies whether the LDAP identity store being registered is the primary identity store. Takes true or false as a value.

userIDProvider

Optional. Specifies the underlying infrastructure with which to connect to the IDStore. Only supported type is OracleUserRoleAPI.

roleSecAdminGroups

Optional. Specifies one or more comma-separated groups with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true.

roleSecAdminUsers

Optional. Specifies one or more comma-separated users with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true.

supplementaryReturnAttributes

Specifies a comma-separated list of attributes that need to be retrieved as part of the User object. For example: ORCL_USR_ENC_FIRST_NAME,ORCL_USR_ENC_LAST_NAME,USR_USRNAME,ORCL_USR_CTY_CODE,ORCL_USR_LANG_CODE_S,ORCL_USR_JROLE_ID_S,ORCL_USR_IND_ID,ORCL_USR_COMP_REL_ID,ORCL_USR_ASCII_IND,ORCL_ORA_UCM_VER,ORCL_ORA_UCM_SRVC

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example registers a new Oracle Internet Directory user identity store definition for use with Access Manager.

createUserIdentityStore(name="Name1", principal="Principal1", 
credential="Credential1", type="OID", userAttr="userAttr1", 
ldapProvider="ldapProvider", userSearchBase="cn=users", 
groupSearchBase="cn=groups", ldapUrl="ldap://localhost:7001", 
isPrimary="isPrimary", userIDProvider="userIDProvider", 
roleSecAdmin="Admin", roleSecAdminGroups="AdminGroup1", 
roleSecAdminUsers="AdminUser1", 
supplementaryReturnAttributes="supplementaryReturnAttributes", 
domainHome="domainHome1")

editUserIdentityStore

Online and offline command that modifies an already defined identity store registration for Access Manager.

Description

Changes one or more attributes of the user identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.

Syntax

editUserIdentityStore(name="<Name>", [ principal="<Principal>", 
credential="<Credential>", type="<Type>", userAttr="<userAttr>", 
ldapProvider="<ldapProvider>", roleSecAdmin="<roleSecAdmin>", 
roleSysMonitor="<roleSysMonitor>", roleSysManager="<roleSysManager>", 
roleAppAdmin="<roleAppAdmin>", roleSecAdminGroups="<roleSecAdminGroups>", 
roleSecAdminUsers="<roleSecAdminUsers>", userSearchBase="<userSearchBase>", 
ldapUrl="<ldapUrl>", isPrimary="<isPrimary>", userIDProvider="<userIDProvider>", 
groupSearchBase="<groupSearchBase>", domainHome="<domainHome>", 
userFilterObjectClasses="<userFilterObjectClasses>", 
groupFilterObjectClasses="<groupFilterObjectClasses>", 
referralPolicy="<referralPolicy>", searchTimeLimit="<searchTimeLimit>", 
minConnections="<minConnections>", maxConnections="<maxConnections>", connectionWaitTimeout="<connectionWaitTimeout>", 
connectionRetryCount="<connectionRetryCount>", groupNameAttr="<groupNameAttr>", 
groupCacheEnabled="<groupCacheEnabled>", groupCacheSize="<groupCacheSize>", 
groupCacheTTL="<groupCacheTTL>", 
supplementaryReturnAttributes="<supplementaryReturnAttributes>" ])
Argument Definition
name

Mandatory. Specifies the unique name of the LDAP identity store being modified (only upper and lower case alpha characters and numbers).

principal

Specifies the Principal Administrator of the LDAP identity store being modified. For example, cn=Admin.

credential

Specifies the encrypted Password of the Principal Administrator for the LDAP identity store being modified.

type

Specifies the type of the base identity store being modified. For this command, the value would be LDAP.

userAttr

Mandatory. Specifies the user attributes of the LDAP identity store being registered.

ldapProvider

Mandatory. Specifies the LDAP type of the LDAP identity store being registered. The value might be ODSEE, AD, OID, OVD, SJS, OUD, and the like. This value is defined when a new user identity store is created using the Access Manager Administration Console and corresponds with Store Type in the user identity store.

roleSecAdminGroups

Optional. Specifies one or more comma-separated groups with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true.

roleSecAdminUsers

Optional. Specifies one or more comma-separated users with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true.

userSearchBase

Mandatory. Specifies the node under which user data is stored in the LDAP identity store being registered. For example, cn=users.

groupSearchBase

Mandatory. Specifies the node under which group data is stored in the LDAP identity store being registered. For example, cn=groups.

ldapUrl

Mandatory. Specifies the URL of the server host (including port number) of the LDAP identity store being registered. For example, ldap://localhost:7001.

isPrimary

Optional. Specifies whether the LDAP identity store being registered is the primary identity store. Takes true or false as a value.

userIDProvider

Optional. Specifies the underlying infrastructure with which to connect to the IDStore. Only supported type is OracleUserRoleAPI.

supplementaryReturnAttributes

Specifies a comma-separated list of attributes that need to be retrieved as part of the User object. For example: ORCL_USR_ENC_FIRST_NAME,ORCL_USR_ENC_LAST_NAME,USR_USRNAME,ORCL_USR_CTY_CODE,ORCL_USR_LANG_CODE_S,ORCL_USR_JROLE_ID_S,ORCL_USR_IND_ID,ORCL_USR_COMP_REL_ID,ORCL_USR_ASCII_IND,ORCL_ORA_UCM_VER,ORCL_ORA_UCM_SRVC

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.

userFilterObjectClasses

Mandatory. Specifies a list of user filter object classes (separated by semi-colon).

groupFilterObjectClasses 

Specifies a list of group filter object classes (separated by semi-colon).

referralPolicy 

Specifies an LDAP referral policy (either "follow", "ignore" or "throw").

searchTimeLimit 

Specifies the time limit in seconds for an LDAP Search operation.

minConnections 

Specifies the minimum number of connections in the connection pool.

maxConnections 

Specifies the maximum number of connections in the connection pool.

connectionWaitTimeout

Specifies the number of seconds to wait for obtaining a connection from the pool.

connectionRetryCount

Specifies the number of attempts to retry when establishing a connection to the identity store.

groupNameAttr

Specifies the name of the attribute used to look up the user groups. For example, ou=people,ou=myrealm,dc=base_domain.

groupCacheEnabled

A boolean that specifies whether to enable the LDAP group cache. Takes true or false as a value.

groupCacheSize

Specifies the number of entries in the LDAP group cache.

groupCacheTTL

Specifies the total time to live for each entry in the LDAP group cache.


Example

The following example changes the LDAP URL of the registered identity store.

editUserIdentityStore(name="identity_store_name", 
ldapUrl="ldap://localhost:7003", domainHome="domainHome1")
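The createUserIdentityStore and editUserIdentityStore argument lists above carry several rules a script can check before the call reaches Access Manager. The following pre-flight validator is an added example, not Oracle code: it encodes the stated rules (mandatory arguments, name limited to letters and digits, isPrimary and groupCacheEnabled true/false, referralPolicy follow/ignore/throw, ldapUrl with host and port, domainHome mandatory when offline) and rejects unknown keywords, so a misspelt parameter such as LDAP_url fails before the call rather than being ignored. The ldapUrl pattern, the environment variable name and the sample values are this example's assumptions.

```python
"""Pre-flight checks for createUserIdentityStore and editUserIdentityStore.

Runs under plain Python 3. Inside a WLST session the checked dict would be
passed on unchanged, for example createUserIdentityStore(**args).
"""

import os
import re

# "only upper and lower case alpha characters and numbers"
_NAME = re.compile(r"^[A-Za-z0-9]+$")
# Assumed shape of "URL of the server host (including port number)".
_LDAP_URL = re.compile(r"^ldaps?://[^/:\s]+:\d{1,5}$")

CREATE_MANDATORY = ("name", "principal", "credential", "type", "userAttr",
                    "ldapProvider", "userSearchBase", "groupSearchBase", "ldapUrl")
CREATE_OPTIONAL = ("isPrimary", "userIDProvider", "roleSecAdmin", "roleSecAdminGroups",
                   "roleSecAdminUsers", "supplementaryReturnAttributes", "domainHome")
EDIT_ONLY = ("roleSysMonitor", "roleSysManager", "roleAppAdmin", "userFilterObjectClasses",
             "groupFilterObjectClasses", "referralPolicy", "searchTimeLimit", "minConnections",
             "maxConnections", "connectionWaitTimeout", "connectionRetryCount", "groupNameAttr",
             "groupCacheEnabled", "groupCacheSize", "groupCacheTTL")
_BOOLEAN = ("isPrimary", "groupCacheEnabled")
_NUMERIC = ("searchTimeLimit", "minConnections", "maxConnections",
            "connectionWaitTimeout", "connectionRetryCount", "groupCacheSize", "groupCacheTTL")


def _check_values(args):
    """Value-level rules shared by both commands; returns a list of error strings."""
    errors = ["%s must be a string" % k for k, v in args.items() if not isinstance(v, str)]
    args = {k: v for k, v in args.items() if isinstance(v, str)}
    if "name" in args and not _NAME.match(args["name"]):
        errors.append("name must contain only letters and digits")
    if "ldapUrl" in args and not _LDAP_URL.match(args["ldapUrl"]):
        errors.append("ldapUrl must be ldap://host:port or ldaps://host:port")
    for key in _BOOLEAN:
        if key in args and args[key] not in ("true", "false"):
            errors.append("%s must be true or false" % key)
    if "referralPolicy" in args and args["referralPolicy"] not in ("follow", "ignore", "throw"):
        errors.append("referralPolicy must be follow, ignore or throw")
    for key in _NUMERIC:
        if key in args and not args[key].isdigit():
            errors.append("%s must be a non-negative integer" % key)
    return errors


def check_identity_store_args(command, args, offline=False):
    """Return (ok, errors) for a createUserIdentityStore or editUserIdentityStore call.

    offline=True models an offline WLST run, where the reference makes
    domainHome mandatory for both commands.
    """
    if command == "createUserIdentityStore":
        mandatory = CREATE_MANDATORY
        allowed = CREATE_MANDATORY + CREATE_OPTIONAL
    elif command == "editUserIdentityStore":
        mandatory = ("name",)
        allowed = CREATE_MANDATORY + CREATE_OPTIONAL + EDIT_ONLY
    else:
        return False, ["unsupported command %s" % command]
    errors = ["unknown argument %s" % k for k in args if k not in allowed]
    errors += ["missing mandatory argument %s" % k for k in mandatory if k not in args]
    if offline and "domainHome" not in args:
        errors.append("domainHome is mandatory when running offline")
    errors += _check_values(args)
    return not errors, errors


def credential_from_env(var="OAM_IDSTORE_CREDENTIAL"):
    """Read the Principal Administrator password from the environment so the
    script file never carries it in clear text (the variable name is this
    example's choice, not an Oracle convention)."""
    value = os.environ.get(var)
    if not value:
        raise RuntimeError("set %s before running this script" % var)
    return value


# Constructed sample modelled on the reference's createUserIdentityStore example:
# type is LDAP as the argument table states, ldapProvider names the directory.
SAMPLE_CREATE = {
    "name": "OIDStore1", "principal": "cn=Admin", "credential": "PLACEHOLDER",
    "type": "LDAP", "userAttr": "uid", "ldapProvider": "OID",
    "userSearchBase": "cn=users", "groupSearchBase": "cn=groups",
    "ldapUrl": "ldap://localhost:7001", "isPrimary": "true",
    "roleSecAdminGroups": "AdminGroup1", "roleSecAdminUsers": "AdminUser1",
}

if __name__ == "__main__":
    args = dict(SAMPLE_CREATE, credential=credential_from_env())
    ok, errors = check_identity_store_args("createUserIdentityStore", args)
    if not ok:
        raise SystemExit("\n".join(errors))
    # In a WLST session the real call follows here: createUserIdentityStore(**args)
```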

deleteUserIdentityStore

Online and offline command that removes an already defined identity store registration for Access Manager.

Description

Deletes the identity store registration. The scope of this command is an instance only; the scope is not an argument.

Syntax

deleteUserIdentityStore(name="<name>", domainHome="<domainHome>") 
Argument Definition
name

Mandatory. Specifies the name of the LDAP identity store registration to be removed.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example deletes the registration of the named identity store.

deleteUserIdentityStore(name="identity_store", domainHome="domainHome1")

displayUserIdentityStore

Online and offline command that displays user identity store registration information.

Description

Displays the information regarding the identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.

Syntax

displayUserIdentityStore(name="<name>", domainHome="<domainHome>") 
Argument Definition
name

Mandatory. Specifies the name of the LDAP identity store registration to be displayed.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following invocation displays registration details of the user identity store:

displayUserIdentityStore(name="ID_store1", domainHome="domainHome1")

createOAMServer

Online and offline command that creates an Access Manager Server entry in the system configuration.

Description

Creates an Access Manager Server registration. Details include the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the OAM Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.

Syntax

createOAMServer(configurationProfile="<configurationProfile>", host="<host>", port="<port>", oamProxyPort="<0000>", oamProxyServerID="<oamProxyServerID>", siteName="<siteName>", domainHome="<domainHome>")
Argument Definition
configurationProfile

Mandatory. Specifies the Configuration Profile of the OAM Server. The profile appears under Server Instances on the System Configuration tab in the Access Manager Administration Console.

host

Mandatory. Specifies the name of the Access Manager Server host.

port

Mandatory. Specifies the listening port of the Access Manager Server host.

oamProxyPort

Mandatory. Specifies the proxy port of the Access Manager Server host.

oamProxyServerID

Mandatory. Specifies the proxy server ID of the Access Manager Server host. The Access Manager Proxy name appears under the Access Manager Proxy sub tab of the server instance in the Access Manager Administration Console.

siteName

Mandatory. Specifies the siteName/serverName for the instance.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example creates a configuration for my_host with listening port 15000. The configuration entry in the Access Manager Administration Console will be oam_server1. The Access Manager Proxy port is 3004 and the Access Manager Proxy Server ID is oamProxyServerID1.

createOAMServer(configurationProfile="oam_server1", host="my_host",
port="15000", oamProxyPort="3004", oamProxyServerID="oamProxyServerID1",
siteName="siteName1", domainHome="domainHome1")

editOAMServer

Online and offline command that enables you to modify the details of an Access Manager Server registration.

Description

Modifies the specified parameter values of the registration for an Access Manager Server. Details may include the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the Access Manager Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.

Syntax

editOAMServer(configurationProfile="<configurationProfile>", host="<host>", port="<port>", oamProxyPort="<0000>", oamProxyServerID="<oamProxyServerID>", siteName="<siteName>", domainHome="<domainHome>")
Argument Definition
configurationProfile

Mandatory. Specifies the Configuration Profile of the Access Manager Server. The profile appears under Server Instances on the System Configuration tab in the Access Manager Administration Console.

host

Mandatory. Specifies the name of the Access Manager Server host.

port

Mandatory. Specifies the listening port of the Access Manager Server host.

oamProxyPort

Mandatory. Specifies the proxy port of the Access Manager Server host.

oamProxyServerID

Mandatory. Specifies the proxy server ID of the Access Manager Server host. The Access Manager Proxy name appears under the Access Manager Proxy sub tab of the server instance in the Access Manager Administration Console.

siteName

Mandatory. Specifies the siteName/serverName for the instance.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

You can use any of the optional attributes to change current settings. The following invocation adds the Access Manager Proxy Server ID to the configuration entry oam_server1.

editOAMServer(configurationProfile="oam_server1", host="my_host",
port="15000", oamProxyPort="3004", oamProxyServerID="oamProxyServerID1",
siteName="siteName1", domainHome="domainHome1")

deleteOAMServer

Online and offline command that enables you to delete the specified Access Manager Server registration.

Description

Deletes the specified Access Manager Server configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

deleteOAMServer(host="<host>", port="<port>", domainHome="<domainHome>")
Argument Definition
host

Mandatory. Specifies the name of the Access Manager Server host.

port

Mandatory. Specifies the listening port of the Access Manager Server host.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example deletes the registration of the Access Manager Server on my_host that listens on port 15000. The registration is identified by host and port; the configuration profile name (oam_server1 in the createOAMServer example) is not an argument to this command.

deleteOAMServer(host="my_host", port="15000", domainHome="domainHome1")

displayOAMServer

Online and offline command that displays registration details for the specified Access Manager Server.

Description

Displays the registration details of the specified Access Manager Server, including the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the Access Manager Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.

Syntax

displayOAMServer(host="<host>", port="<port>", domainHome="<domainHome>")
Argument Definition
host

Mandatory. Specifies the name of the Access Manager Server host.

port

Mandatory. Specifies the listening port of the Access Manager Server host.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example displays the registration details of the Access Manager Server on my_host that listens on port 15000.

displayOAMServer(host="my_host", port="15000", domainHome="domainHome1")

configRequestCacheType

Online and offline command that defines the SSO server request cache type in the system configuration.

Description

Defines the SSO server request cache type in the system configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

configRequestCacheType(type="<requestCacheType>", domainHome="<domainHome>") 
Argument Definition
type

Mandatory. Specifies the request cache type. Takes a value of BASIC or COOKIE.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example identifies the request cache type as Cookie:

configRequestCacheType(type="COOKIE") 

displayRequestCacheType

Online and offline command that displays the SSO server request cache type defined for the specified domain. The request cache type may be BASIC or COOKIE.

Description

Displays the SSO server request cache type entry defined for the specified domain. The scope of this command is an instance only; the scope is not an argument.

Syntax

displayRequestCacheType(domainHome="<domainHome>")
Argument Definition
domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example will display the request cache type (BASIC or COOKIE) defined for the specified domain home.

displayRequestCacheType(domainHome="domainHome1") 

editOssoAgent

Online and offline command that enables you to modify the details of an OpenSSO (OSSO) Agent registration in the system configuration.

Description

Modifies OSSO Agent registration details including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info. The scope of this command is an instance only; the scope is not an argument.

Syntax

editOssoAgent(agentName="<AgentName>", siteToken="<siteToken>",
successUrl="<successUrl>", failureUrl="<failureUrl>", homeUrl="<homeUrl>",
logoutUrl="<logoutUrl>", startDate="<startDate>", endDate="<endDate>",
adminId="<adminId>", adminInfo="<AdminInfo>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the OSSO Agent entry to be modified.

siteToken

Optional. Specifies the Application Token used by the partner when requesting authentication.

successUrl

Optional. Specifies the redirect URL to be used by the OSSO Agent if authentication is successful.

failureUrl

Optional. Specifies the redirect URL to be used by the OSSO Agent if authentication fails.

homeUrl

Optional. Specifies the redirect URL to be used for the Home page after authentication.

logoutUrl

Optional. Specifies the redirect URL to be used when a user is logging out.

startDate

Optional. Specifies the first month, day, and year for which login to the application is allowed by the server.

endDate

Optional. Specifies the final month, day, and year for which login to the application is allowed by the server.

adminId

Optional. Specifies the administrator login ID for the OSSO Agent.

adminInfo

Optional. Specifies an administrator identifier for the OSSO Agent for tracking purpose.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example changes the Administrator ID and information in the registration entry for OSSOAgent1.

editOssoAgent(agentName="OSSOAgent1", siteToken="siteToken",
successUrl="successUrl", failureUrl="failureUrl", homeUrl="homeUrl",
logoutUrl="logoutUrl", startDate="2009-12-10", endDate="2012-12-30",
adminId="345", adminInfo="Agent11", domainHome="domainHome1")

deleteOssoAgent

Online and offline command that enables you to remove the specified OSSO Agent registration in the system configuration.

Description

Removes the specified OSSO Agent registration in the system configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

deleteOssoAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the OSSO Agent entry to be removed.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example removes the OSSO Agent registration entry named OSSOAgent1.

deleteOssoAgent(agentName="OSSOAgent1", domainHome="domainHome1")

displayOssoAgent

Online and offline command that displays the details of the specified OSSO Agent entry in the system configuration.

Description

Displays the details of the specified OSSO Agent entry in the Access Manager Administration Console. The scope of this command is an instance only; the scope is not an argument.

Syntax

displayOssoAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the OSSO Agent entry to be displayed.

domainHome 

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example displays the OSSOAgent1 entry details.

displayOssoAgent(agentName="OSSOAgent1", domainHome="domainHome1")

editWebgateAgent

Online and offline command that enables you to modify a Webgate 10g registration entry in the system configuration.

Description

Enables you to modify a Webgate 10g registration entry in the system configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

editWebgateAgent(agentName="<AgentName>", accessClientPasswd="<accessClientPassword>",
state="<state>", preferredHost="<host>", aaaTimeoutThreshold="<aaaTimeOutThreshold>",
security="<security>", primaryCookieDomain="<primaryCookieDomain>",
maxConnections="<maxConnections>", maxCacheElems="<maxCacheElements>",
cacheTimeout="<cacheTimeOut>", cookieSessionTime="<cookieSessionTime>",
maxSessionTime="<maxSessionTime>", idleSessionTimeout="<idleSessionTimeout>",
failoverThreshold="<failoverThreshold>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the WebGate Agent to be modified.

accessClientPasswd

Optional. Specifies the access client password of WebGate Agent.

state

Optional. Specifies whether the WebGate Agent is enabled or disabled with a value of either Enabled or Disabled, respectively.

preferredHost

Optional. Specifies the preferred host of the WebGate Agent. This prevents security holes that can be created if a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature.

aaaTimeoutThreshold

Optional. Specifies the number (in seconds) to wait for a response from the Access Manager runtime server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (default network TCP/IP timeout is used)

security

Optional. Specifies the level of transport security to and from the Access Manager runtime server. Takes as a value either open, simple, or cert.

primaryCookieDomain

Optional. Specifies the Web server domain on which the Access Manager Agent is deployed. For example, .acompany.com

maxConnections

Optional. Specifies the maximum number of connections that this Access Manager Agent can establish with the Access Manager Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent. Default = 1

maxCacheElems

Optional. Specifies the maximum number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes. The value of this setting refers to the maximum consolidated count for elements in both of these caches. Default = 10000

cacheTimeout

Optional. Specifies the amount of time cached information remains in the Access Manager Agent cache when the information is neither used nor referenced. Default = 1800 (seconds)

cookieSessionTime

Optional. Specifies the amount of time that the ObSSOCookie persists. Default = 3600 (seconds)

maxSessionTime

Optional. Specifies the maximum amount of time in seconds that a user's authentication session is valid regardless of their activity. At the expiration of this time, the user is re-challenged for authentication. This is a forced logout. A value of 0 disables this timeout setting. Default = 3600 (seconds)

idleSessionTimeout

Optional. Specifies the amount of time in seconds that a user's authentication session remains valid without accessing any Access Manager Agent protected resources. After that period of inactivity the user must authenticate again.

failoverThreshold

Optional. Specifies a number representing the point when this Access Manager Agent opens connections to a Secondary Access Manager Server. Default = 1

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

You can alter any or all of the settings. The following example changes the access client password, state, preferred host, Access Manager Server timeout, transport security level, primary cookie domain, maximum connections, maximum cache elements, cache timeout, cookie session time, maximum session time, idle session timeout, and failover threshold for WebgateAgent1.

editWebgateAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1",
state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold = "10",
security="open", primaryCookieDomain="primaryCookieDomain", maxConnections="16",
maxCacheElems="10000", cacheTimeout="1800", cookieSessionTime="3600",
maxSessionTime="24", idleSessionTimeout="3600", failoverThreshold="1", 
domainHome="domainHome1")

deleteWebgateAgent

Online and offline command that enables you to delete a Webgate_agent registration entry in the system configuration.

Description

Removes the specified Webgate_agent registration entry from the system configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

deleteWebgateAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the WebGate Agent being deleted.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example removes the WebGate Agent named WebgateAgent1.

deleteWebgateAgent(agentName="WebgateAgent1", domainHome="domainHome1")

displayWebgateAgent

Online and offline command that displays a Webgate_agent registration entry.

Description

Displays all details of the specified Webgate_agent registration entry in the Access Manager Administration Console. The scope of this command is an instance only; the scope is not an argument.

Syntax

displayWebgateAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the WebGate Agent being displayed.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example displays entry details for WebgateAgent1.

displayWebgateAgent(agentName="WebgateAgent1", domainHome="domainHome1")

resetKeystorePassword

Resets the system keystore (.oamkeystore) password (and any key entries with a password identical to the .oamkeystore password) to a new value.

Description

Keystores are randomly generated and configured by the Identity Manager/Access Manager/Security Token Service installer. This command:

  • Updates the .oamkeystore password.

  • Updates the key entries in the .oamkeystore which had the same password as the keystore.

  • Updates the Access Manager/Security Token Service/Identity Federation configuration to reflect the change.

  • Updates the amtruststore password if the keystore is protected by the same password as the .oamkeystore (default).

Syntax

resetKeystorePassword()

Follow this procedure to reset the .oamkeystore password.

  1. Enter the WLST scripting environment.

  2. Use connect() to connect to the WebLogic Server Administration Server.

  3. Use domainRuntime() to navigate to the domain runtime tree.

  4. Execute resetKeystorePassword().

    There are no arguments.

  5. When prompted, enter and confirm the password.

exportPolicy

Online only command that exports Access Manager policy data from a test (source) environment to the intermediate Access Manager file specified.

Description

Exports Access Manager policy data from a test (source) environment to the intermediate Access Manager file. The scope of this command is an instance only; the scope is not an argument.

Syntax

exportPolicy(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument Definition
pathTempOAMPolicyFile 

Mandatory. Specifies the absolute path to the temporary Access Manager file.


Example

The following example specifies the path to the tempfile.txt file used when exporting policy data from a test (source) environment.

exportPolicy(pathTempOAMPolicyFile="/exampleroot/parent/tempfile.txt") 

importPolicy

Online only command that imports the Access Manager policy data from the specified Access Manager file.

Description

Imports the Access Manager policy data from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.

Syntax

importPolicy(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument Definition
pathTempOAMPolicyFile 

Mandatory. Specifies the absolute path to the temporary Access Manager file.


Example

The following example specifies the path to the tempfile.txt file used when importing policy data to a production (target) environment.

importPolicy(pathTempOAMPolicyFile="/exampleroot/parent/tempfile.txt") 

importPolicyDelta

Online only command that imports the Access Manager policy changes from the specified Access Manager file.

Description

Imports the Access Manager policy changes from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.

Syntax

importPolicyDelta(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument Definition
pathTempOAMPolicyFile 

Mandatory. Specifies the absolute path to the temporary Access Manager file.


Example

The following example specifies the path to the tempfile_delta.txt file used when importing changed policy data to a production (target) environment.

importPolicyDelta(pathTempOAMPolicyFile="/exampleroot/parent/tempfile_delta.txt") 

migratePartnersToProd

Online only command that migrates partners from the current (source) Access Manager Server to the specified (target) Access Manager Server.

Description

Migrates partners from the current (source) Access Manager Server to the specified (target) Access Manager Server. The scope of this command is an instance only; the scope is not an argument.

Syntax

migratePartnersToProd(prodServerHost="<host>", prodServerPort="<port>", 
prodServerAdminUser="<user>", prodServerAdminPwd="<passwd>")
Argument Definition

prodServerHost

Host name of the target Access Manager Server to which partners are to be migrated.

prodServerPort

Port of the target Access Manager Server to which partners are to be migrated.

prodServerAdminUser

Administrator of the target Access Manager Server to which partners are to be migrated.

prodServerAdminPwd

Target Access Manager Server administrator's password.


Example

The following example specifies the required information for partner migration.

migratePartnersToProd(prodServerHost="myhost", prodServerPort="1234", 
prodServerAdminUser="weblogic", prodServerAdminPwd="welcome")

exportPartners

Online only command that exports Access Manager partners from the source to the Access Manager file specified.

Description

Exports the Access Manager partners from the source to the Access Manager file specified. The scope of this command is an instance only; the scope is not an argument.

Syntax

exportPartners(pathTempOAMPartnerFile="<absoluteFilePath>")
Argument Definition
pathTempOAMPartnerFile

Mandatory. Specifies the absolute path to the temporary Access Manager partner file.


Example

The following example specifies the absolute path to the Access Manager partners file.

exportPartners(pathTempOAMPartnerFile="/exampleroot/parent/tempfile_partners.xml")

importPartners

Online only command that imports Access Manager partners from the specified Access Manager file.

Description

Imports the Access Manager partners from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.

Syntax

importPartners(pathTempOAMPartnerFile="<absoluteFilePath>")
Argument Definition

pathTempOAMPartnerFile

Mandatory. Specifies the path to the temporary Access Manager partner file.


Example

The following example specifies the absolute path to the Access Manager file from which the partners will be imported.

importPartners(pathTempOAMPartnerFile="/exampleroot/parent/tempfile_partners.xml")

displayTopology

Online and offline command that displays information about all Access Manager Servers in a deployment.

Description

Lists the topology of deployed Access Manager Servers.

Syntax

displayTopology(domainHome="<domainHomeName>")
Argument Definition
domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example lists the details of all deployed Access Manager Servers in the specified domain home.

displayTopology(domainHome="domainHome1")

configureOAAMPartner

Online only command that configures the basic integration of Access Manager and Oracle Adaptive Access Manager (OAAM).

Description

Configures the basic integration of Access Manager and OAAM. The scope of this command is an instance only; the scope is not an argument.

Syntax

configureOAAMPartner(dataSourceName="<dataSourceName>", hostName="<hostName>", 
port="<port>", serviceName="<serviceName>", userName="<userName>", 
passWord="<passWord>", maxConnectionSize="<maxConnectionSize>", 
maxPoolSize="<maxPoolSize>", serverName="<serverName>")
Argument Definition

dataSourceName

Mandatory. Specifies the name of the data source to be created.

hostName

Mandatory. Specifies the name of the database host.

port

Mandatory. Specifies the database port number.

serviceName

Mandatory. Specifies the database service name.

userName

Mandatory. Specifies the OAAM schema name.

passWord

Mandatory. Specifies the OAAM schema password.

maxConnectionSize

Optional. Specifies the maximum connection reserve timeout for the data source.

maxPoolSize

Optional. Specifies the maximum size for the connection pool.

serverName

Optional. Specifies the target server for the datasource.


Example

The following example configures a basic integration for Access Manager and OAAM.

configureOAAMPartner(dataSourceName="MyOAAMDS", hostName="host.example.com",
port="1521", serviceName="service1", userName="username", passWord="password",
maxConnectionSize=None, maxPoolSize=None, serverName="oam_server1")

registerOIFDAPPartner

Online and offline command that registers Oracle Access Management Identity Federation (Identity Federation) as a Delegated Authentication Protocol (DAP) Partner.

Description

Registers Identity Federation as Delegated Authentication Protocol (DAP) Partner. The scope of this command is an instance only; the scope is not an argument.

Syntax

registerOIFDAPPartner(keystoreLocation="<keystoreLocation>",
logoutURL="http(s)://<oifhost>:<oifport>/fed/user/splooam11g?doneURL=http(s)://<oamhost>:<oamport>/oam/server/pages/logout.jsp",
rolloverTime="<rolloverTime>")
Argument Definition

keystoreLocation

Mandatory. Specifies the location of the Keystore file (generated at the Identity Federation Server).

logoutURL

Mandatory. Specifies the logout URL for the Identity Federation server.

rolloverTime

Optional. Specifies the amount of time in seconds for which the keys used to encrypt/decrypt SASSO tokens can be rolled over.


Example

The following example illustrates the use of the parameters.

registerOIFDAPPartner(keystoreLocation="/scratch/keystore",
logoutURL="http(s)://oif.mycompany.com:1234/fed/user/splooam11g?doneURL=http(s)://oam.mycompany.com:5678/oam/server/pages/logout.jsp",
rolloverTime="500")

registerOIFDAPPartnerIDPMode

Online and offline command that registers Identity Federation as a Delegated Authentication Protocol (DAP) Partner in IDP Mode.

Description

Registers Identity Federation as Delegated Authentication Protocol (DAP) Partner in IDP Mode. The scope of this command is an instance only; the scope is not an argument.

Syntax

registerOIFDAPPartnerIDPMode(logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp")
Argument Definition

logoutURL

Mandatory. Specifies the logout URL for the Identity Federation server.


Example

The following example illustrates the use of the logout URL parameter.

registerOIFDAPPartnerIDPMode(
logoutURL="http://oif.oracle.com:1234/fed/user/sploosso?doneURL=http://oam.oracle.com:5678/ngam/server/pages/logout.jsp")

registerThirdPartyTAPPartner

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

Description

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

Syntax

registerThirdPartyTAPPartner(partnerName="ThirdPartyTAPPartner", 
keystoreLocation="/scratch/DAPKeyStore/mykeystore.jks", 
password="test", tapTokenVersion="v2.0", tapScheme="TAPScheme", 
tapRedirectUrl="http://thirdpartyserverhost:port/loginPage.jsp")
Argument Definition
partnerName 

Mandatory. Specifies the name of the partner. Can be any name used to identify the third party partner.

keystoreLocation 

Mandatory. Specifies the location of the keystore file.

password 

Mandatory. Specifies the password for the keystore file.

tapTokenVersion

Mandatory. Specifies the version of the Trusted Authentication Protocol.

tapScheme

Optional. Specifies the name of the authentication scheme used to protect the resource. The scheme shipped out of the box is TAPScheme.

tapRedirectUrl

Optional. Specifies the TAP challenge URL to which the credential collector will be redirected.


Example

The following example illustrates the use of the parameters.

registerThirdPartyTAPPartner(partnerName = "ThirdPartyTAPPartner", 
keystoreLocation="/scratch/DAPKeyStore/mykeystore.jks", 
password="test", tapTokenVersion="v2.0", tapScheme="TAPScheme", 
tapRedirectUrl="http://thirdpartyserverhost:port/loginPage.jsp")

disableCoexistMode

Online command that disables Coexist Mode.

Description

Disables Coexist Mode. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.

Syntax

disableCoexistMode()

Example

The following example disables Coexist Mode.

disableCoexistMode()

enableOamAgentCoexist

Enables Coexist Mode for the Access Manager agent (allowing the Access Manager 11g server to own the ObSSOCookie set by a 10g WebGate).

Description

Enables Coexist Mode for the Access Manager agent. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.

Syntax

enableOamAgentCoexist()

Example

The following example enables the Coexist Mode.

enableOamAgentCoexist()

disableOamAgentCoexist

Disables Coexist Mode for the Access Manager agent.

Description

Disables the Coexist Mode for the Access Manager agent. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.

Syntax

disableOamAgentCoexist()

Example

The following invocation disables Coexist Mode for the Access Manager agent.

disableOamAgentCoexist()

editGITOValues

Online and offline command that edits GITO configuration parameters.

Description

Edits GITO configuration parameters. The scope of this command is an instance only; the scope is not an argument.

Syntax

editGITOValues(gitoEnabled="true", gitoCookieDomain=".abc.com", 
gitoCookieName="ABC", gitoVersion="v1.0", gitoTimeout="20", 
gitoSecureCookieEnabled="false", domainHome="/abc/def/ijk")
Argument Definition

gitoEnabled

Specifies whether GITO is enabled. Takes a value of true or false.

gitoCookieDomain

Mandatory. Specifies the GITO cookie domain.

gitoCookieName

Optional. Specifies the cookie name.

gitoVersion

Optional. Specifies the GITO version. Takes ONLY v1.0 or v3.0.

gitoTimeout

Optional. Specifies the GITO timeout value.

gitoSecureCookieEnabled

Optional. Specifies whether the GITO cookie is set with the Secure attribute, so that browsers send it only over HTTPS. Takes a value of true or false. Set it to true wherever the participating sites are served over HTTPS; with false the cookie can be exposed on a plain HTTP request.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example edits the GITO configuration parameters.

editGITOValues(gitoEnabled="true", gitoCookieDomain=".abc.com", 
gitoCookieName="ABC", gitoVersion="v1.0", gitoTimeout="20", 
gitoSecureCookieEnabled="false", domainHome="/abc/def/ijk")

editWebgate11gAgent

Online and offline command that edits an 11g Webgate_entry registration in the system configuration.

Description

Edits an 11g Webgate_entry registration in the system configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

editWebgate11gAgent(agentName="<AgentName>", accessClientPasswd="<accessClientPassword>",
state="<state>", preferredHost="<host>", aaaTimeoutThreshold="<aaaTimeOutThreshold>",
security="<security>", logOutUrls="<logOutUrls>", maxConnections="<maxConnections>",
maxCacheElems="<maxCacheElements>", cacheTimeout="<cacheTimeOut>",
logoutCallbackUrl="<logoutCallbackUrl>", maxSessionTime="<maxSessionTime>",
logoutRedirectUrl="<logoutRedirectUrl>", failoverThreshold="<failoverThreshold>",
tokenValidityPeriod="<tokenValidityPeriod>", logoutTargetUrlParamName="<logoutTargetUrlParamName>",
domainHome="<domainHome>", allowManagementOperations="<allowManagementOperations>",
allowTokenScopeOperations="<allowTokenScopeOperations>",
allowMasterTokenRetrieval="<allowMasterTokenRetrieval>",
allowCredentialCollectorOperations="<allowCredentialCollectorOperations>")
Argument Definition
agentName

Mandatory. Specifies the name of the 11g WebGate Agent to be modified.

accessClientPasswd

Optional. Specifies the unique client password for this WebGate Agent.

state

Optional. Specifies whether the WebGate Agent is enabled or disabled with a value of either Enabled or Disabled, respectively.

preferredHost

Optional. Specifies the preferred host of the WebGate Agent. This prevents security holes that can be created if a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature.

aaaTimeoutThreshold

Optional. Specifies the number (in seconds) to wait for a response from the Access Manager runtime server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (default network TCP/IP timeout is used)

security

Optional. Specifies the level of transport security to and from the Access Manager runtime server. Takes as a value either open, simple, or cert.

logOutUrls

List of URLs that trigger the logout handler, which removes the ObSSOCookie.

maxConnections

Optional. Specifies the maximum number of connections that this Access Manager Agent can establish with the Access Manager Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent. Default = 1

maxCacheElems

Optional. Specifies the maximum number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes. The value of this setting refers to the maximum consolidated count for elements in both of these caches. Default = 10000

cacheTimeout

Optional. Specifies the amount of time cached information remains in the Access Manager Agent cache when the information is neither used nor referenced. Default = 1800 (seconds)

logoutCallbackUrl

The URL to oam_logout_success, which clears cookies during the call back. By default, this is based on the Agent base URL supplied during agent registration. For example:

http://<host>:<port>

maxSessionTime

Optional. Specifies the maximum amount of time in seconds that a user's authentication session is valid regardless of their activity. At the expiration of this time, the user is re-challenged for authentication. This is a forced logout. A value of 0 disables this timeout setting. Default = 3600 (seconds)

logoutRedirectUrl

Optional. Specifies the URL (absolute path) to the central logout page (logout.html). By default, this is based on the Access Manager Administration Console host name with a default port of 14200.

failoverThreshold

Optional. Specifies a number representing the point when this Access Manager Agent opens connections to a Secondary Access Manager Server. Default = 1

tokenValidityPeriod

Optional. Specifies the amount of time in seconds that a user's authentication session remains valid without accessing any Access Manager Agent protected resources.

logoutTargetUrlParamName

Optional. Specifies the name of the query parameter that carries the Logout Target URL, the URL invoked on logout and configured at the OPSS level.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.

allowManagementOperations

Optional. Sets the Allow Management Operations flag for this agent. Takes a value of true or false.

allowTokenScopeOperations

Optional. Sets the Allow Token Scope Operations flag for this agent. Takes a value of true or false.

idleSessionTimeout

Optional. Specifies the

allowMasterTokenRetrieval

Sets the Allow Master Token Retrieval flag for this agent. Takes a value of true or false.

allowCredentialCollectorOperations

Sets the Allow Credential Collector Operations flag for this agent. Takes a value of true or false.


Example

The following example uses all mandatory and optional parameters.

editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1",
state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10",
security="open", logOutUrls="http://host1.oracle.com:1234", maxConnections = "16",
maxCacheElems="10000", cacheTimeout="1800", 
logoutCallbackUrl="http://host2.oracle.com:1234",
maxSessionTime="24", logoutRedirectUrl="logoutRedirectUrl", 
failoverThreshold="1", tokenValidityPeriod="tokenValidityPeriod",
logoutTargetUrlParamName="logoutTargetUrl", domainHome="domainHome1",
allowManagementOperations="false", allowTokenScopeOperations="false", 
allowMasterTokenRetrieval="false", allowCredentialCollectorOperations="false")

deleteWebgate11gAgent

Online and offline command that enables you to remove an 11g Webgate_agent entry in the system configuration.

Description

Removes an 11g Webgate_agent entry in the system configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

deleteWebgate11gAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the 11g WebGate Agent to be removed.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example removes the 11g Webgate_agent entry named my_11gWebGate.

deleteWebgate11gAgent(agentName="my_11gWebGate", domainHome="domainHome1")

displayWebgate11gAgent

Online and offline command that enables you to display an 11g Webgate_agent registration entry.

Description

Displays an 11g WebGate Agent registration entry. The scope of this command is an instance only; the scope is not an argument.

Syntax

displayWebgate11gAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument Definition
agentName

Mandatory. Specifies the name of the 11g WebGate Agent to be displayed.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example displays the WebGate Agent named my_11gWebGate:

displayWebgate11gAgent(agentName="my_11gWebGate", domainHome="domainHome1")

displayOAMMetrics

Online and offline command that enables the display of metrics for Access Manager Servers.

Description

Enables the display of metrics for Access Manager Servers. The scope of this command is an instance only; the scope is not an argument.

Syntax

displayOAMMetrics(domainHome="<domainHomeName>")
Argument Definition
domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example displays the metrics for Access Manager Servers in the specified domain.

displayOAMMetrics(domainHome="domainHome1") 

updateOIMHostPort

DEPRECATED - Online only command that updates the Oracle Identity Manager configuration when integrated with Access Manager.

Description

Updates the Identity Manager configuration in the system configuration. The scope of this command is an instance only; the scope is not an argument.

Syntax

updateOIMHostPort(hostName="<host name>", port="<port number>", secureProtocol="true")
Argument Definition

hostName

Name of the Identity Manager host.

port

Port of the Identity Manager host.

secureProtocol

Takes a value of true or false depending on whether communication is via HTTP or HTTPS.


Example

The following example illustrates this command.

updateOIMHostPort(hostName="OIM.oracle.com", port="7777", secureProtocol="true") 

configureOIM

DEPRECATED - Online only command that registers an agent profile specific to Oracle Identity Manager when integrated with Access Manager.

Description

Creates an Agent profile specific to Oracle Identity Manager when integrated with Access Manager. The scope of this command is an instance only; the scope is not an argument.

Syntax

configureOIM(oimHost="<OIM host>", oimPort="<port>", 
oimSecureProtocolEnabled="true | false", oimAccessGatePwd="<AccessGatePassword>", 
oimCookieDomain="<OIMCookieDomain>", oimWgId="<OIMWebgateID>", 
oimWgVersion="<OIMWebgateVersion>")
Argument Definition

oimHost

Name of the Oracle Identity Manager host. In the case of EDG, the front ending LBR hostname of the OIM Cluster.

oimPort

Port of the Oracle Identity Manager Managed Server. In the case of EDG, the front ending LBR port of the OIM Managed Server Cluster.

oimSecureProtocolEnabled

Takes a value of true or false depending on whether communication is via HTTP or HTTPS.

oimAccessGatePwd

If provided, the agent password for Open mode.

oimCookieDomain

Domain in which the cookie is to be set.

oimWgId

Agent registration name.

oimWgVersion

Possible values are 10g or 11g. If not provided, default is 10g.


Example

The following example illustrates this command.

configureOIM(oimHost="oracle.com", oimPort="7777", oimSecureProtocolEnabled="true",
oimAccessGatePwd = "welcome", oimCookieDomain = "domain1",
oimWgId="<OIM Webgate ID>", oimWgVersion="10g")

updateOSSOResponseCookieConfig

Online and offline command that updates the OSSO Proxy response cookie settings.

Description

Updates OSSO Proxy response cookie settings. The scope of this command is an instance only; the scope is not an argument.

Syntax

updateOSSOResponseCookieConfig(cookieName="<cookieName>", cookieMaxAge="<cookie age in minutes>",
isSecureCookie="true | false", cookieDomain="<domain of the cookie>",
domainHome="<wls_domain_home_path>")
Argument Definition

cookieName

Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated.

cookieMaxAge

Maximum age of a cookie in minutes. A negative value sets a session cookie.

isSecureCookie

Boolean flag that specifies if cookie should be secure (sent over SSL channel).

cookieDomain

The domain of the cookie.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example illustrates this command.

updateOSSOResponseCookieConfig(cookieName = "ORASSO_AUTH_HINT",
cookieMaxAge = "525600", isSecureCookie = "false",
cookieDomain=".example.com", domainHome = "<domain_home>")
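The argument tables for editWebgate11gAgent (above) and updateOSSOResponseCookieConfig describe several settings that decide how long a session or cookie stays valid and whether the cookie may travel over plain HTTP. The following script, added here as an example and not part of the Oracle reference, reviews a set of keyword arguments for either command before they are passed to WLST. It is plain Python 3 (not a WLST script); the parameter names and their meaning come from the tables above, while the baseline limits and the function names are this example's own assumptions.

```python
"""Review the arguments for editWebgate11gAgent and updateOSSOResponseCookieConfig.

Added example (plain Python 3, not a WLST script and not Oracle code). The
parameter names and their meaning come from the argument tables above; the
baseline limits below are assumptions chosen for illustration.
"""
from urllib.parse import urlsplit

# Assumed baseline limits, not Oracle defaults.
MAX_SESSION_SECONDS = 8 * 3600   # forced re-authentication at least every 8 hours
MAX_IDLE_SECONDS = 30 * 60       # idle session validity of at most 30 minutes
MAX_COOKIE_AGE_MINUTES = 8 * 60  # persistent response cookie lives at most 8 hours

PRIVILEGED_FLAGS = ("allowManagementOperations", "allowTokenScopeOperations",
                    "allowMasterTokenRetrieval", "allowCredentialCollectorOperations")


def _is_true(value):
    """WLST receives flags as the strings "true"/"false"; normalise them."""
    return str(value).strip().lower() == "true"


def review_webgate_agent(**params):
    """Return (severity, message) findings for one set of editWebgate11gAgent arguments."""
    findings = []
    # In open mode the Agent/Server traffic has no transport protection.
    if str(params.get("security", "")).lower() == "open":
        findings.append(("high", "security=open: use simple or cert mode"))
    # maxSessionTime=0 disables the forced logout described above.
    max_session = str(params.get("maxSessionTime", "3600"))
    if not max_session.isdigit():
        findings.append(("medium", "maxSessionTime is not a number of seconds"))
    elif int(max_session) == 0:
        findings.append(("high", "maxSessionTime=0 disables forced re-authentication"))
    elif int(max_session) > MAX_SESSION_SECONDS:
        findings.append(("medium", "maxSessionTime %s s exceeds baseline %d s"
                         % (max_session, MAX_SESSION_SECONDS)))
    # tokenValidityPeriod bounds how long an idle session stays valid.
    idle = str(params.get("tokenValidityPeriod", ""))
    if not idle.isdigit():
        findings.append(("medium", "tokenValidityPeriod is not a number of seconds"))
    elif int(idle) > MAX_IDLE_SECONDS:
        findings.append(("medium", "tokenValidityPeriod %s s exceeds baseline %d s"
                         % (idle, MAX_IDLE_SECONDS)))
    # Privileged agent capabilities stay off unless the agent needs them.
    for flag in PRIVILEGED_FLAGS:
        if _is_true(params.get(flag, "false")):
            findings.append(("high", "%s=true grants a privileged capability" % flag))
    # Logout and callback URLs should be absolute https URLs.
    for key in ("logOutUrls", "logoutCallbackUrl", "logoutRedirectUrl"):
        for url in str(params.get(key, "")).split(","):
            url = url.strip()
            if not url:
                continue
            parts = urlsplit(url)
            if parts.scheme != "https" or not parts.netloc:
                findings.append(("low", "%s: %r is not an absolute https URL" % (key, url)))
    return findings


def review_cookie_config(cookieMaxAge="-1", isSecureCookie="true", cookieDomain="", **_):
    """Return findings for updateOSSOResponseCookieConfig arguments (age is in minutes)."""
    findings = []
    age = int(str(cookieMaxAge))
    if age > MAX_COOKIE_AGE_MINUTES:       # a negative value means a session cookie
        findings.append(("medium", "cookieMaxAge %d min (~%.0f days) exceeds baseline %d min"
                         % (age, age / 1440.0, MAX_COOKIE_AGE_MINUTES)))
    if not _is_true(isSecureCookie):
        findings.append(("high", "isSecureCookie=false: cookie may be sent over plain HTTP"))
    labels = [l for l in cookieDomain.strip().lstrip(".").split(".") if l]
    if cookieDomain.strip() and len(labels) < 2:
        findings.append(("high", "cookieDomain %r spans a whole top-level domain" % cookieDomain))
    return findings


def hardened_cookie_config(**params):
    """Return a copy of the cookie arguments with the weak settings corrected."""
    fixed = dict(params)
    fixed["isSecureCookie"] = "true"
    if int(str(fixed.get("cookieMaxAge", "-1"))) > MAX_COOKIE_AGE_MINUTES:
        fixed["cookieMaxAge"] = str(MAX_COOKIE_AGE_MINUTES)
    return fixed


if __name__ == "__main__":
    # Constructed input: the argument values from the two examples on this page.
    agent = dict(security="open", logOutUrls="http://host1.oracle.com:1234",
                 logoutCallbackUrl="http://host2.oracle.com:1234", maxSessionTime="24",
                 logoutRedirectUrl="logoutRedirectUrl", tokenValidityPeriod="tokenValidityPeriod")
    cookie = dict(cookieName="ORASSO_AUTH_HINT", cookieMaxAge="525600",
                  isSecureCookie="false", cookieDomain=".example.com")
    for sev, msg in review_webgate_agent(**agent) + review_cookie_config(**cookie):
        print(sev.upper(), msg)
```

Run against the page's own example values, the agent review flags open security mode, a non-numeric tokenValidityPeriod and three non-https logout URLs, and the cookie review flags a one-year cookieMaxAge (525600 minutes) and isSecureCookie="false"; hardened_cookie_config returns the same arguments with those two settings corrected, ready to be passed to updateOSSOResponseCookieConfig.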

deleteOSSOResponseCookieConfig

Online and offline command that deletes the OSSO Proxy response cookie settings in the system configuration.

Description

Deletes the OSSO Proxy response cookie settings. The scope of this command is an instance only; the scope is not an argument.

Syntax

deleteOSSOResponseCookieConfig(cookieName="<cookieName>", 
domainHome="<wls_domain_home_path>")
Argument Definition

cookieName

Mandatory. Name of the cookie for which settings are being deleted. The global cookie setting cannot be deleted.

domainHome

Specifies the location of the Domain Home. When Offline, a value is mandatory; when online, optional.


Example

The following example illustrates this command.

deleteOSSOResponseCookieConfig(cookieName="ORASSO_AUTH_HINT",
domainHome = "<domain_home>")

configureAndCreateIdentityStore

Configures the identity store and external user store.

Description

Configures the identity store and external user store using the values supplied.

Syntax

configureAndCreateIdentityStore(oimHost="<OIM host>", oimPort="<port>",
oimSecureProtocolEnabled="true | false", oimAccessGatePwd="<AccessGatePassword>",
oimCookieDomain="<OIMCookieDomain>", oimWgId="<OIMWebgateID>",
oimWgVersion="<OIMWebgateVersion>", nameOfIdStore="<nameOfIdStore>",
idStoreSecurityCredential="<idStoreSecurityCredential>",
userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>",
groupSearchBase="<groupSearchBase>", securityPrincipal="<securityPrincipal>",
idStoreType="<idStoreType>", ldapProvider="<ldapProvider>",
isPrimary="<isPrimary>", userIDProvider="<userIDProvider>",
userNameAttr="<userNameAttr>")
Argument Definition

oimHost

Name of the Oracle Identity Manager host. In the case of EDG, the front ending LBR hostname of the OIM Cluster.

oimPort

Port of the Oracle Identity Manager Managed Server. In the case of EDG, the front ending LBR port of the OIM Managed Server Cluster.

oimSecureProtocolEnabled

Takes a value of true or false depending on whether communication is via HTTP or HTTPS.

oimAccessGatePwd

If provided, the agent password for Open mode.

oimCookieDomain

Domain in which the cookie is to be set.

oimWgId

Agent registration name.

oimWgVersion

Possible values are 10g or 11g. If not provided, default is 10g.

nameOfIdStore

Mandatory. Specifies the name of the LDAP ID store to be created.

idStoreSecurityCredential

Mandatory. Specifies the password of the Principal for the LDAP identity store being created.

userSearchBase

Mandatory. Specifies the node under which user data is stored in the LDAP identity store being created.

ldapUrl

Mandatory. Specifies the URL for the LDAP host (including port number) of the LDAP identity store being created.

groupSearchBase

Mandatory. Specifies the node under which group data is stored in the LDAP identity store being created.

securityPrincipal

Mandatory. Specifies the Principal Administrator of the LDAP identity store being created.

idStoreType

Mandatory. Specifies the type of the LDAP identity store being created.

ldapProvider

Specifies the LDAP Provider type of the store being created.

isPrimary

Optional. Specifies whether the LDAP identity store being registered is the primary identity store. Takes true or false as a value.

userIDProvider

Specifies the user Identity Provider for the store being created.

userNameAttr

Mandatory. Specifies the user attributes for the store.


Example

The following example illustrates this command.

configureAndCreateIdentityStore(oimHost="oracle.com", oimPort="7777",
oimSecureProtocolEnabled="true", oimAccessGatePwd = "welcome",
oimCookieDomain = "domain1", oimWgId="<OIM Webgate ID>", oimWgVersion="10g",
nameOfIdStore="nameOfIdStore",
idStoreSecurityCredential="idStoreSecurityCredential",
userSearchBase="userSearchBase", ldapUrl="ldapUrl",
groupSearchBase="groupSearchBase", securityPrincipal="securityPrincipal",
idStoreType="idStoreType", ldapProvider="ldapProvider", isPrimary="true",
userIDProvider="userIDProvider", userNameAttr="userNameAttr")

configAndCreateUsingPropFile

Configures the identity store and external user store using the values supplied in a properties file.

Description

Configures the identity store and external user store using the values supplied in the specified properties file.

Syntax

configAndCreateUsingPropFile(path="<path_of_property_file>")
Argument Definition

path

Path to the property file in which the values are defined.


Example

The following example illustrates this command.

configAndCreateUsingPropFile(path="/prop_file_directory/values.properties")
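configAndCreateUsingPropFile reads the identity-store values from a properties file, so a mistake in that file (a missing mandatory value, a plain ldap:// URL for the bind) only surfaces when the command runs against the live domain. The following script, added here as an example and not Oracle code, parses a Java .properties file and checks it before the command is invoked. It assumes the keys are named after the configureAndCreateIdentityStore arguments listed above (the real key names may differ); the sample file, the check thresholds and the function names are this example's own.

```python
"""Pre-flight check of the properties file given to configAndCreateUsingPropFile.

Added example, not Oracle code. It assumes the file's keys are named after the
configureAndCreateIdentityStore arguments (the real key names may differ) and
implements the common Java .properties syntax: '=' / ':' / whitespace
separators, '#' and '!' comment lines, backslash line continuation and simple
backslash escapes (\\uXXXX escapes are not handled).
"""

MANDATORY_KEYS = ("nameOfIdStore", "idStoreSecurityCredential", "userSearchBase",
                  "ldapUrl", "groupSearchBase", "securityPrincipal", "idStoreType",
                  "userNameAttr")
SECRET_KEYS = ("idStoreSecurityCredential", "oimAccessGatePwd")

_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}

# Constructed sample for this example; not an Oracle-supplied file.
SAMPLE = """\
# identity store settings (constructed sample)
nameOfIdStore = corpLDAP
idStoreSecurityCredential=NotARealPassword\\=1
userSearchBase: cn=Users,\\
    dc=example,dc=com
groupSearchBase=cn=Groups,dc=example,dc=com
ldapUrl=ldap://ldap.example.com:389
securityPrincipal=cn=orcladmin
idStoreType=OID
ldapProvider=OID
isPrimary=true
"""


def _unescape(text):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_entry(line):
    """Split one logical line at the first unescaped '=', ':' or whitespace."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2              # skip the escaped character
            continue
        if line[i] in "=:" or line[i].isspace():
            break
        i += 1
    key, rest = line[:i], line[i:].lstrip()
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip()
    return _unescape(key), _unescape(rest)


def parse_properties(text):
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        # an odd number of trailing backslashes continues the entry on the next line
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]
            continue
        key, value = _split_entry(line)
        props[key] = value
    return props


def preflight(props):
    """Problems that would make the command fail or weaken the resulting store."""
    problems = []
    for key in MANDATORY_KEYS:
        if not props.get(key, "").strip():
            problems.append("missing mandatory key: %s" % key)
    url = props.get("ldapUrl", "")
    if url and not url.lower().startswith("ldaps://"):
        problems.append("ldapUrl %r is not ldaps://; the bind credential would cross the network unprotected" % url)
    if props.get("isPrimary", "true").lower() not in ("true", "false"):
        problems.append("isPrimary must be true or false")
    return problems


def redacted(props):
    """Copy of the properties that is safe to log: secret values replaced."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in props.items()}


if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    print(redacted(props))
    for problem in preflight(props):
        print("PROBLEM:", problem)
```

For the constructed file the check reports the missing userNameAttr and the plain ldap:// URL, and redacted() gives a form of the parsed values that can go into a change ticket or log without the bind password. The same parser serves the other property-file driven commands on this page (oamMigrate, enableMultiDataCentreMode, addPartnerForMultiDataCentre), but their key names are not given here, so no checks for them are assumed.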

migrateArtifacts (deprecated)

Migrates artifacts.

Description

Migrates artifacts based on the values defined in the input artifact file.

Syntax

migrateArtifacts(path="<path_to_artifacts_file>", password="<password>", 
type="OutOfPlace|InPlace", isIncremental="true|false")
Argument Definition
path

Location of the artifacts file

password 

Password used while generating original artifacts.

type 

Specifies the type of migration. Takes InPlace or OutOfPlace as a value.

isIncremental

Boolean that takes a value of true or false. If true, an incremental upgrade is done.


Example

The following example illustrates this command.

migrateArtifacts(path="/exampleroot/parent/t", password="welcome", 
type="InPlace", isIncremental="false")

displaySimpleModeGlobalPassphrase

Displays the simple mode global passphrase defined in the system configuration in plain text.

Description

Online only command that displays the simple mode global passphrase in plain text. There are no arguments for this command.

Syntax

displaySimpleModeGlobalPassphrase()

Example

The following example illustrates this command.

displaySimpleModeGlobalPassphrase()

exportSelectedPartners

Exports selected Access Manager Partners to the specified Access Manager file.

Description

Exports selected Access Manager Partners to the specified Access Manager file.

Syntax

exportSelectedPartners(pathTempOAMPartnerFile="<absoluteFilePath>", 
partnersNameList="<comma_separated_partner_names>")
Argument Definition

pathTempOAMPartnerFile

Mandatory. The location of the file to which the information will be exported.

partnersNameList

Mandatory. Specifies a comma separated list of partner ids being exported.


Example

The following example illustrates this command.

exportSelectedPartners(pathTempOAMPartnerFile="/exampleroot/parent/tempfile.extn",
partnersNameList="partner1,partner2")

oamMigrate

Online only command that migrates policies, authentication stores, and user stores from OSSO, OAM10g, OpenSSO, or AM 7.1 to OAM11g.

Description

Invokes the beginMigrate operation of the migration framework mbean.

Syntax

oamMigrate(oamMigrateType="<migrationType>",
pathMigrationPropertiesFile="<absoluteFilePath>")
Argument Definition

oamMigrateType

Mandatory. Specifies the type of migration being done. Takes one of the following as a value: OSSO | OpenSSO | OAM10g.

pathMigrationPropertiesFile

Mandatory. Specifies the path to the file from which the necessary artifacts for migration are read.


Example

The following example illustrates this command.

oamMigrate(oamMigrateType="OSSO",
pathMigrationPropertiesFile="/middlewarehome/oam-migrate.properties")

preSchemeUpgrade

Online only command that invokes the preSchemeUpgrade operation.

Description

Invokes the preSchemeUpgrade operation.

Syntax

preSchemeUpgrade(pathUpgradePropertiesFile="/middlewarehome/oam-upgrade.properties")
Argument Definition

pathUpgradePropertiesFile

Mandatory. Specifies the path to the file from which the necessary system properties for upgrade are read.


Example

The following example illustrates this command.

preSchemeUpgrade(pathUpgradePropertiesFile="/exampleroot/parent/tempfile.extn")

postSchemeUpgrade

Invokes the postSchemeUpgrade operation.

Description

Invokes the postSchemeUpgrade operation.

Syntax

postSchemeUpgrade(pathUpgradePropertiesFile="/middlewarehome/oam-upgrade.properties")
Argument Definition

pathUpgradePropertiesFile

Mandatory. Specifies the path to the file from which the necessary system properties for upgrade are read.


Example

The following example illustrates this command.

postSchemeUpgrade(pathUpgradePropertiesFile="/exampleroot/parent/tempfile.extn")

oamSetWhiteListMode

Sets the Access Manager white list mode to true or false.

Description

Sets the Access Manager white list mode to true or false. If true, Access Manager redirects to the last URL requested by the consuming application only if it is configured as a white-list URL.

Syntax

oamSetWhiteListMode(oamWhiteListMode="true|false")
Argument Definition

oamWhiteListMode

Mandatory. Enables the Access Manager white list mode.


Example

The following example illustrates this command.

oamSetWhiteListMode(oamWhiteListMode="true")

oamWhiteListURLConfig

Adds, updates, or removes whitelist URL entries from the specified file.

Description

Adds, updates, or removes whitelist URL entries from the specified file.

Syntax

oamWhiteListURLConfig(Name="xyz", Value="http://xyz.com:1234", 
Operation="Remove|Update")
Argument Definition

Name

Mandatory. A valid string representing the name (key) for this entry.

Value

Mandatory. A valid URL in the <protocol>://<host>:<port> format. If the port is not specified, default HTTP/HTTPS ports are assigned accordingly.

Operation

Mandatory. Takes as a value Update or Remove. Not case sensitive.


Example

The following example illustrates this command.

oamWhiteListURLConfig(Name="xyz", Value="http://xyz.com:1234", Operation="Update")
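The Value argument above fixes the shape of a white-list entry (<protocol>://<host>:<port>, with the default HTTP or HTTPS port filled in when none is given) and the oamSetWhiteListMode description fixes how the list is used: with the mode on, a redirect to the last requested URL happens only if that URL is white-listed. The following code, added here as an example and not Oracle code, models both rules so that a candidate entry can be normalised and a redirect target tested against the list before white-list mode is switched on. Matching scheme, host and port exactly is this example's assumption about how the list should be applied; the class, function names and sample URLs are its own.

```python
"""Normalise white-list URL entries and decide whether a redirect target is allowed.

Added example, not Oracle code. Implements the <protocol>://<host>:<port> rule
from the Value argument (default HTTP/HTTPS ports assigned when the port is
missing) and the decision described under oamSetWhiteListMode. Exact match on
scheme, host and port is an assumption; names here are this example's own.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Return 'scheme://host:port' for an http(s) URL, filling in the default port."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected <protocol>://<host>[:<port>], got %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    # .hostname is already lower-cased and stripped of any user:pass@ prefix,
    # so "http://xyz.com:1234@other.example/" normalises to other.example, not xyz.com
    return "%s://%s:%d" % (scheme, parts.hostname, port)


class WhiteList:
    """In-memory model of the Name -> Value entries maintained by oamWhiteListURLConfig."""

    def __init__(self):
        self.entries = {}

    def config(self, name, value, operation):
        op = operation.lower()          # Operation is documented as not case sensitive
        if op == "update":
            self.entries[name] = normalize_origin(value)
        elif op == "remove":
            self.entries.pop(name, None)
        else:
            raise ValueError("Operation must be Update or Remove, got %r" % operation)

    def allows(self, target):
        """True only if the target's origin equals a listed entry; malformed targets are denied."""
        try:
            return normalize_origin(target) in self.entries.values()
        except ValueError:
            return False


def redirect_target(requested_url, whitelist, white_list_mode, fallback):
    """With white-list mode on, return the requested URL only if its origin is listed."""
    if not white_list_mode:
        return requested_url
    return requested_url if whitelist.allows(requested_url) else fallback


if __name__ == "__main__":
    # Constructed sample entries and redirect targets.
    wl = WhiteList()
    wl.config("xyz", "http://xyz.com:1234", "Update")
    wl.config("portal", "https://portal.example.com", "update")   # stored as https://portal.example.com:443
    for target in ("http://xyz.com:1234/app/home?x=1", "http://xyz.com/app",
                   "http://xyz.com:1234@other.example/", "//other.example/", "/relative/path"):
        print(target, "->", redirect_target(target, wl, True, "/"))
```

Note the cases the exact-origin rule rejects: the same host on a different port, a URL whose user-info part merely looks like a listed host, scheme-relative and relative paths. Those are the inputs a redirect check tends to get wrong when it compares URL prefixes as strings.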

enableMultiDataCentreMode

Online only command to enable Multi Data Centre Mode.

Description

Enables Multi Data Centre Mode.

Syntax

enableMultiDataCentreMode(propfile="<absoluteFilePath>")
Argument Definition

propFile

Mandatory. Specifies the absolute path to a file from which the properties to enable multi data centre are read.


Example

The following example illustrates this command.

enableMultiDataCentreMode(propfile="/middlewarehome/oamMDCProperty.properties")

disableMultiDataCentreMode

Online only command to disable Multi Data Centre Mode.

Description

Disables Multi Data Centre Mode. This command has no arguments.

Syntax

disableMultiDataCentreMode()

Example

The following example illustrates this command.

disableMultiDataCentreMode()

setMultiDataCentreClusterName

Sets the Multi Data Centre cluster name.

Description

Sets the Multi Data Centre cluster name.

Syntax

setMultiDataCentreClusterName(clusterName="MyCluster")
Argument Definition

clusterName

Mandatory. Specifies the name of the cluster.


Example

The following example illustrates this command.

setMultiDataCentreClusterName(clusterName="MyCluster")

setMultiDataCentreLogoutURLs

Sets the Multi Data Centre Partner logout URLs.

Description

Sets the Multi Data Centre Partner logout URLs.

Syntax

setMultiDataCentreLogoutURLs(logoutURLs="http://<host>:<port>/logout.jsp,http://<host>:<port>/logout.jsp")
Argument Definition

logoutURLs

Mandatory. Specifies a comma-separated list of Multi Data Centre Partner logout URLs.


Example

The following example illustrates this command.

setMultiDataCentreLogoutURLs(logoutURLs="http://localhost:6666/logout.jsp,http://localhost:8888/logout.jsp")

updateMultiDataCentreLogoutURLs

Updates the Multi Data Centre Partner logout URLs.

Description

Updates the Multi Data Centre Partner logout URLs.

Syntax

updateMultiDataCentreLogoutURLs(logoutURLs="http://<host>:<port>/logout.jsp,http://<host>:<port>/logout.jsp")
Argument Definition

logoutURLs

Mandatory. Specifies a comma-separated list of Multi Data Centre Partner logout URLs.


Example

The following example illustrates this command.

updateMultiDataCentreLogoutURLs(logoutURLs="http://localhost:7777/logout.jsp,http://localhost:9999/logout.jsp")

addPartnerForMultiDataCentre

Online command that adds a partner to Multi Data Centre.

Description

Adds a partner to Multi Data Centre. This command is supported only in online mode and adds one partner at a time.

Syntax

addPartnerForMultiDataCentre(propfile="<absoluteFilePath>")
Argument Definition

propFile

Mandatory. Specifies the absolute path to a file that contains the agent information.


Example

The following example illustrates this command.

addPartnerForMultiDataCentre(propfile="/middlewarehome/partnerInfo.properties")

removePartnerForMultiDataCentre

Removes a partner from Multi Data Centre.

Description

Removes a partner from Multi Data Centre. This command is supported only in online mode and removes one partner at a time.

Syntax

removePartnerForMultiDataCentre(webgateid="<webgateId>")
Argument Definition

webgateid

Mandatory. Specifies the ID of the partner to be deleted.


Example

The following example illustrates this command.

removePartnerForMultiDataCentre(webgateid="IAMSuite")

Oracle Access Management Identity Federation Commands

This section lists commands to configure federation partners.

Table 4-6 WLST Access Manager Commands for Federation Partners

Use this command... To... Use with WLST...

addOpenID20IdPFederationPartner

Create an OpenID 2.0 IdP partner.

Online

addOpenID20GoogleIdPFederationPartner()

Create a Google OpenID 2.0 IdP partner.

Online

addOpenID20YahooIdPFederationPartner()

Create a Yahoo OpenID 2.0 IdP partner.

Online

addSAML11IdPFederationPartner

Create an IdP federation partner, including metadata, under the SAML 1.1 protocol.

Online

addSAML20IdPFederationPartner

Create an IdP federation partner under the SAML 2.0 protocol.

Online

addSAML20IdPFederationPartnerWithoutMetadata

Create an IdP federation partner under the SAML 2.0 protocol without importing metadata.

Online

configureIdPPartnerAttributeProfile

Configure an IdP partner attribute profile to specify whether incoming attributes that are not part of the profile should be ignored.

Online

configureSAML20Logout

Configure global federation logout for a SAML 2.0 federation partner.

Online

configureSAMLBinding

Configure the preferred binding for a SAML federation partner.

Online

createAuthnSchemeAndModule

Create an authentication scheme and module for an IdP partner.

Online

createIdPPartnerAttributeProfile

Create an IdP partner attribute profile for a federation partner.

Online

deleteAuthnSchemeAndModule

Delete an authentication scheme and module for an IdP partner.

Online

deleteFederationPartner

Delete a specific federation partner.

Online

deleteFederationPartnerEncryptionCert

Delete the encryption certificate of a federation partner.

Online

deleteFederationPartnerSigningCert

Delete the signing certificate of a federation partner.

Online

deleteIdPPartnerAttributeProfile

Delete the attribute profile of a federation partner.

Online

deleteIdPPartnerAttributeProfileEntry

Delete an entry from the attribute profile of a federation partner.

Online

deletePartnerProperty

Delete a partner-specific property that was added to the partner's configuration.

Online

displayIdPPartnerAttributeProfile

Display an IdP federation partner's attribute profile.

Online

getAllFederationIdentityProviders

List all IdP federation partners.

Online

getFederationPartnerEncryptionCert

Retrieve the encryption certificate for a federation partner.

Online

getFederationPartnerSigningCert

Retrieve the signing certificate for a federation partner

Online

getIdPPartnerBasicAuthCredentialUsername

Retrieve the HTTP basic authentication username for a federation partner.

Online

getPartnerProperty

Retrieve a property for a federation partner.

Online

isFederationPartnerPresent

Check whether a partner is configured.

Online

listIdPPartnerAttributeProfileIDs

List an IdP partner's attribute profiles.

Online

setDefaultSSOIdPPartner

Set an IdP partner as the default identity provider for a federation single sign-on.

Online

setFederationPartnerEncryptionCert

Set the encryption certificate for a federation partner.

Online

setFederationPartnerSigningCert

Set the signing certificate for a federation partner.

Online

setIdPPartnerAttributeProfile

Set the attribute profile to use during federated single sign-on with an IdP partner.

Online

setIdPPartnerAttributeProfileEntry

Set an entry in an IdP federation partner's profile.

Online

setIdPPartnerBasicAuthCredential

Update a federation partner's HTTP basic auth credential.

Online

setIdPPartnerMappingAttribute

Set the attribute used for assertion mapping for a federation partner.

Online

setIdPPartnerMappingAttributeQuery

Set the attribute query used for assertion mapping for a federation partner.

Online

setIdPPartnerMappingNameID

Set the assertion mapping nameID value for an IdP federation partner

Online

setPartnerAlias

Update a federation partner's alias name.

Online

setPartnerIDStoreAndBaseDN

Set a federation partner's identity store and base DN.

Online

updatePartnerMetadata

Update a federation partner's metadata.

Online

updatePartnerProperty

Update a property for a federation partner

Online


addOpenID20IdPFederationPartner

Creates an OpenID 2.0 IdP partner.

Description

Creates an IdP partner under the OpenID 2.0 protocol.

Syntax

addOpenID20IdPFederationPartner(partnerName, idpSSOURL, discoveryURL, description) 
Argument Definition
partnerName

The name of the partner to be created.

idpSSOURL 

The initiate SSO URL of the IdP. Can be set to "" if the discovery URL is specified and intended to be used.

discoveryURL 

The OpenID discovery URL of the IdP.

description

The description of the partner. Optional.


Example

addOpenID20IdPFederationPartner("testpartner1", "", "http://host:port/discoveryurl", description="Test IdP1")

addOpenID20GoogleIdPFederationPartner()

Creates an IdP partner with the name google.

Description

Creates an IdP partner with the name google using a discovery URL https://www.google.com/accounts/o8/id.

Syntax

addOpenID20GoogleIdPFederationPartner()

Example

addOpenID20GoogleIdPFederationPartner()

addOpenID20YahooIdPFederationPartner()

Creates an IdP partner with the name yahoo.

Description

Creates an IdP partner with the name yahoo using a discovery URL https://open.login.yahooapis.com/openid20/user_profile/xrds.

Syntax

addOpenID20YahooIdPFederationPartner()

Example

addOpenID20YahooIdPFederationPartner()

addSAML11IdPFederationPartner

Creates a SAML 1.1 IdP federation partner.

Description

Creates a SAML 1.1 IdP federation partner.

Syntax

addSAML11IdPFederationPartner(partnerName,providerID, ssoURL,
soapURL, succinctID, description)
Argument Definition
partnerName

The name of the partner to be created.

providerID 

The providerID of the partner.

ssoURL 

The initiate SSO URL of the IdP.

soapURL 

The artifact resolution SOAP endpoint URL of the IdP.

succinctID 

The succinctID of the provider.

description

The description of the partner. Optional.


Example

addSAML11IdPFederationPartner(partnerName="partnerID",
providerID="providerA", ssoURL="http://host:port/saml11sso",
soapURL="http://host:port/soapurl", succinctID="1234",
description="somedescription")

addSAML20IdPFederationPartner

Creates a SAML 2.0 IdP Federation partner.

Description

Creates a federation partner as an identity provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.

Syntax

addSAML20IdPFederationPartner(partnerName, metadataFile, description)
Argument Definition
partnerName

The name of the partner to be created.

metadataFile

The location of the metadata file (full path).

description

The description of the partner. Optional.


Example

addSAML20IdPFederationPartner(partnerName="partnerID",
metadataFile="location_metadata_file", description="somedescription")

addSAML20IdPFederationPartnerWithoutMetadata

Creates a SAML20 IdP federation partner without SAML 2.0 metadata.

Description

Creates a SAML20 IdP federation partner without loading SAML 2.0 metadata.

Syntax

addSAML20IdPFederationPartnerWithoutMetadata(partnerName,
providerID, ssoURL, soapURL, succinctID, description)
Argument Definition
partnerName 

The name of the federation partner to be created.

providerID 

The providerID of the partner.

ssoURL 

The initiate SSO URL of the IdP.

soapURL 

The artifact resolution SOAP endpoint URL of the IdP.

succinctID 

The succinctID of the provider.

description 

The description of the partner. Optional.


Example

addSAML20IdPFederationPartnerWithoutMetadata(partnerName="partnerName",
providerID="http://host:port", ssoURL="http://host:port/saml/sso",
soapURL="http://host:port/saml/soap", description="some description")

configureIdPPartnerAttributeProfile

Configures an IdP partner attribute profile to process incoming attributes.

Description

Configures an IdP partner attribute profile to process or ignore incoming attributes not defined in the profile.

Syntax

configureIdPPartnerAttributeProfile(attrProfileID, ignoreUnmappedAttributes)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile to configure.

ignoreUnmappedAttributes  

Determines whether incoming attributes that are not defined in the profile should be ignored.

Valid values are true (ignore) or false (process); the default is false.


Example

configureIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile",
ignoreUnmappedAttributes="false")

configureSAML20Logout

Configures global federation logout for a SAML 2.0 partner.

Description

Configures global federation logout for a SAML 2.0 federation partner.

Syntax

configureSAML20Logout(partnerName, partnerType, enable,
saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Whether the partner is a service provider or identity provider.

Valid values are sp, idp.

enable  

Enable or disable global logout for that partner.

Valid values are true (enable) or false (disable).

saml20LogoutRequestURL  

The SAML 2.0 logout request service URL.

Optional if the partner was created using metadata, or if logout is disabled.

saml20LogoutResponseURL  

The SAML 2.0 logout response service URL.

This is optional if the partner was created using metadata, or if logout is disabled.

soapURL  

The SAML 2.0 SOAP Service URL. This is optional if the partner was created using metadata, if logout is disabled, or if SOAP logout is not supported.


Example

configureSAML20Logout(partnerName="partnerID", partnerType="sp", enable="true",
saml20LogoutRequestURL="http://host:port/saml/logoutrequest",
saml20LogoutResponseURL="http://host:port/saml/logoutresponse",
soapURL="http://host:port/saml/soap")
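The arguments of addSAML20IdPFederationPartnerWithoutMetadata (providerID, ssoURL, soapURL), configureSAMLBinding (httppost or httpredirect) and configureSAML20Logout (saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL) are exactly the values a partner publishes in its SAML 2.0 metadata. The following script, added here as an example and not Oracle code, reads those values out of an IdP metadata document for a chosen binding and lists what still needs attention before the partner is registered. The metadata embedded below is constructed for the example and its certificate value is a placeholder, not a real certificate; the function names are this example's own, while the binding URNs are the standard SAML 2.0 identifiers.

```python
"""Read from SAML 2.0 IdP metadata the values the federation partner commands take.

Added example, not Oracle code. Mapping: entityID -> providerID,
SingleSignOnService -> ssoURL, ArtifactResolutionService -> soapURL,
SingleLogoutService -> saml20LogoutRequestURL / saml20LogoutResponseURL,
binding -> httppost or httpredirect as configureSAMLBinding names them.
"""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {"httppost": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "httpredirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}
SOAP_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:SOAP"

# Constructed sample metadata (not from a real identity provider; the certificate is a placeholder).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_NOT_A_REAL_CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:ArtifactResolutionService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://idp.example.com/saml/soap"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/slo"
        ResponseLocation="https://idp.example.com/saml/slo/response"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(descriptor, element, binding):
    """First <element> child of the descriptor offered over the given binding, or None."""
    for ep in descriptor.findall("md:%s" % element, NS):
        if ep.get("Binding") == binding:
            return ep
    return None


def extract_idp_partner(metadata_xml, binding="httppost"):
    """Map IdP metadata to the partner command arguments for the chosen binding."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (not an identity provider)")
    want = BINDINGS[binding]
    sso = _endpoint(idp, "SingleSignOnService", want)
    if sso is None:
        raise ValueError("IdP offers no SingleSignOnService for binding %s" % binding)
    soap = _endpoint(idp, "ArtifactResolutionService", SOAP_BINDING)
    slo = _endpoint(idp, "SingleLogoutService", want)
    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        # a KeyDescriptor without 'use' serves both signing and encryption
        for use in ([kd.get("use")] if kd.get("use") else ["signing", "encryption"]):
            certs.setdefault(use, cert.strip())
    return {
        "providerID": root.get("entityID"),
        "binding": binding,
        "ssoURL": sso.get("Location"),
        "soapURL": soap.get("Location") if soap is not None else None,
        "saml20LogoutRequestURL": slo.get("Location") if slo is not None else None,
        # logout responses go to ResponseLocation when present, otherwise to Location
        "saml20LogoutResponseURL": (slo.get("ResponseLocation") or slo.get("Location")) if slo is not None else None,
        "wantAuthnRequestsSigned": idp.get("WantAuthnRequestsSigned") == "true",
        "signingCert": certs.get("signing"),
        "encryptionCert": certs.get("encryption"),
    }


def preflight_partner(info):
    """Problems to resolve before registering the partner."""
    problems = []
    if not info["signingCert"]:
        problems.append("no signing certificate: assertions from this IdP cannot be verified")
    for key in ("ssoURL", "soapURL", "saml20LogoutRequestURL", "saml20LogoutResponseURL"):
        if info[key] and not info[key].startswith("https://"):
            problems.append("%s %s is not https" % (key, info[key]))
    return problems


if __name__ == "__main__":
    info = extract_idp_partner(SAMPLE_METADATA, binding="httppost")
    for key, value in info.items():
        print("%-24s %s" % (key, value))
    print("problems:", preflight_partner(info))
```

Running it with binding="httpredirect" against the same metadata returns the redirect SSO endpoint but no logout URLs, because the sample IdP publishes SingleLogoutService only over HTTP-POST; that is the case where the logout URL arguments of configureSAML20Logout cannot be filled from metadata for the chosen binding. The signing certificate returned is what setFederationPartnerSigningCert would take, and its absence is reported because without it assertions from the IdP cannot be verified.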

configureSAMLBinding

Specifies the binding for a SAML partner.

Description

Configures the preferred binding for a SAML Partner.

Syntax

configureSAMLBinding(partnerName, partnerType, binding)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Indicates whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

binding

The binding to use.

Valid options are httppost for HTTP-POST binding, httpredirect for HTTP-Redirect/Artifact binding.


Example

configureSAMLBinding(partnerName="partnerID",
partnerType="sp", binding="httppost")

createAuthnSchemeAndModule

Creates an authentication scheme that uses the OpenID IdP.

Description

Creates an authentication scheme that uses the OpenID IdP to protect resources in OAM.

Syntax

createAuthnSchemeAndModule(partnerName)
Argument Definition
partnerName

The name of the partner for whom the scheme is to be created.


Example

createAuthnSchemeAndModule("testpartner")

createIdPPartnerAttributeProfile

Creates an IdP attribute profile.

Description

Creates an IdP partner attribute profile that will contain the name mapping rules used to process attributes in incoming SAML Assertions.

Syntax

createIdPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID

The identifier of the IdP attribute profile.


Example

createIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

deleteAuthnSchemeAndModule

Deletes an authentication scheme for an IdP.

Description

Deletes an authentication scheme for an IdP partner.

Syntax

deleteAuthnSchemeAndModule(partnerName)
Argument Definition
partnerName

The name of the partner whose scheme is to be deleted.


Example

deleteAuthnSchemeAndModule("testpartner")

deleteFederationPartner

Deletes a federation partner.

Description

Deletes a federation partner from Access Manager.

Syntax

deleteFederationPartner(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner to be deleted.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

deleteFederationPartner(partnerName="partnerID", partnerType="idp")

deleteFederationPartnerEncryptionCert

Deletes the encryption certificate of a partner.

Description

Deletes the encryption certificate of a federation partner.

Syntax

deleteFederationPartnerEncryptionCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner whose encryption certificate is to be deleted.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

deleteFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp")

deleteFederationPartnerSigningCert

Deletes the signing certificate of a partner.

Description

Deletes the signing certificate of a federation partner.

Syntax

deleteFederationPartnerSigningCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner whose signing certificate is to be deleted.

partnerType 

Specifies whether the partner is a service provider or identity provider.

Valid values are sp, idp.


Example

deleteFederationPartnerSigningCert(partnerName="customPartner",partnerType="idp")

deleteIdPPartnerAttributeProfile

Deletes an IdP partner attribute profile.

Description

Deletes an IdP partner attribute profile.

Syntax

deleteIdPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile.


Example

deleteIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

deleteIdPPartnerAttributeProfileEntry

Deletes an IdP Partner Attribute Profile entry.

Description

Deletes an attribute from the attribute profile.

Syntax

deleteIdPPartnerAttributeProfileEntry(attrProfileID,
messageAttributeName)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile.

messageAttributeName

The name of the attribute to delete, as it appears in the outgoing message.


Example

deleteIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", 
messageAttributeName="first_name")

deletePartnerProperty

Deletes a partner property.

Description

Deletes a partner-specific property. Use this command only for a property that was added to the partner's configuration.

Syntax

deletePartnerProperty(partnerName,partnerType,propName)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

propName 

The name of the configured property to be removed.


Example

deletePartnerProperty(partnerName="partner1025", partnerType="sp", propName="includecertinsignature")

displayIdPPartnerAttributeProfile

Displays a partner attribute profile.

Description

Display the content of an IdP Partner Attribute Profile.

Syntax

displayIdPPartnerAttributeProfile(attrProfileID)
Argument Definition
attrProfileID 

The identifier referencing the IdP partner attribute profile to be displayed.


Example

displayIdPPartnerAttributeProfile(attrProfileID="idp-attribute-profile")

getAllFederationIdentityProviders

Lists all federation identity providers.

Description

Displays a list of all federation identity providers for Access Manager.

Syntax

getAllFederationIdentityProviders()

Example

getAllFederationIdentityProviders()

getFederationPartnerEncryptionCert

Retrieves the encryption certificate for a partner.

Description

Retrieves the encryption certificate for a federation partner.

Syntax

getFederationPartnerEncryptionCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner for which the encryption certificate will be retrieved.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

getFederationPartnerEncryptionCert(partnerName="customPartner",partnerType="idp")

getFederationPartnerSigningCert

Retrieves the signing certificate for a partner.

Description

Retrieves the signing certificate for a federation partner.

Syntax

getFederationPartnerSigningCert(partnerName, partnerType)
Argument Definition
partnerName 

The ID of the partner for which the signing certificate will be retrieved.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

getFederationPartnerSigningCert(partnerName="partnerID1", partnerType="idp")

getIdPPartnerBasicAuthCredentialUsername

Gets a partner's basic authentication username.

Description

Retrieves the HTTP basic authentication username for a federation partner.

Syntax

getIdPPartnerBasicAuthCredentialUsername(partnerName)
Argument Definition
partnerName 

The ID of the partner for which the username will be retrieved and displayed.


Example

getIdPPartnerBasicAuthCredentialUsername(partnerName="partnerID5")

getPartnerProperty

Retrieves a partner property.

Description

Retrieves a property for a federation partner.

Syntax

getPartnerProperty(partnerName,partnerType,propName)
Argument Definition
partnerName 

The ID of the partner for which the property will be retrieved.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.

propName 

The name of the property to retrieve.


Example

getPartnerProperty(partnerName="partnerID4", partnerType="sp", propName="providertrusted")

isFederationPartnerPresent

Checks whether a partner is configured.

Description

Checks whether the specified federation partner is defined in Access Manager.

Syntax

isFederationPartnerPresent(partnerName, partnerType)
Argument Definition
partnerName 

The partner ID.

partnerType 

Specifies whether the partner is a service provider or an identity provider.

Valid values are sp, idp.


Example

isFederationPartnerPresent(partnerName="partnerABC", partnerType="sp")

listIdPPartnerAttributeProfileIDs

Lists the IdP partner attribute profiles.

Description

List the identifiers of the existing IdP Partner Attribute Profiles.

Syntax

listIdPPartnerAttributeProfileIDs()

Example

listIdPPartnerAttributeProfileIDs()

setDefaultSSOIdPPartner

Sets the IdP partner to serve as the default IdP for federated single sign-on (SSO).

Description

Sets the IdP partner that serves as the default IdP during federated SSO whenever the federation authentication plugin does not select an IdP at runtime.

Syntax

setDefaultSSOIdPPartner(partnerName)
Argument Definition
partnerName 

ID of the partner which will serve as the default IdP for federated SSO.


Example

setDefaultSSOIdPPartner(partnerName="partner25")

setFederationPartnerEncryptionCert

Sets the encryption certificate for a partner.

Description

Sets the encryption certificate for a federation partner.

Syntax

setFederationPartnerEncryptionCert(partnerName,partnerType,certFile)
Argument Definition
partnerName 

The ID of the partner to be updated

partnerType

The partner type. Valid values are idp, sp.

certFile

The full path and name of file that stores the encryption certificate. Certificates can be in either PEM or DER format.


Example

setFederationPartnerEncryptionCert(partnerName="customPartner", partnerType="idp", certFile="/temp/encryption_cert")

setFederationPartnerSigningCert

Sets the signing certificate for a partner.

Description

Sets the signing certificate for a federation partner.

Syntax

setFederationPartnerSigningCert(partnerName,partnerType,certFile)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType

The partner type. Valid values are idp, sp.

certFile

Specifies the full path and name of file that stores the signing certificate. Certificates can be in either PEM or DER format.


Example

setFederationPartnerSigningCert(partnerName="customPartner", partnerType="idp", certFile="/temp/signing_cert")

setIdPPartnerAttributeProfile

Sets a partner attribute profile.

Description

Sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.

Syntax

setIdPPartnerAttributeProfile(partnerName, attrProfileID)
Argument Definition
partnerName 

The ID of the partner to be updated.

attrProfileID 

The IdP partner attribute profile ID to be set.


Example

setIdPPartnerAttributeProfile(partnerName="partnerID5", attrProfileID="idp-attribute-profile")

setIdPPartnerAttributeProfileEntry

Sets an entry in an IdP partner attribute profile.

Description

Update an entry in the IdP Partner Attribute Profile.

Syntax

setIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName,
oamSessionAttributeName, requestFromIdP)
Argument Definition
attrProfileID 

The IdP partner attribute profile.

messageAttributeName

The name of the message attribute.

oamSessionAttributeName

The name of the attribute as it will appear in the Access Manager session.

requestFromIdP 

Determines whether this attribute should be requested from the IdP partner.

Valid values are true, false.


Example

setIdPPartnerAttributeProfileEntry(attrProfileID="idp-attribute-profile", messageAttributeName="first_name",
oamSessionAttributeName="first_name", requestFromIdP="true")

setIdPPartnerBasicAuthCredential

Sets a partner's basic authentication credentials.

Description

Sets or updates a federation partner's HTTP basic authentication credentials.

Syntax

setIdPPartnerBasicAuthCredential(partnerName,username,password)
Argument Definition
partnerName 

The ID of the partner to be updated.

username

The user ID of the user.

password 

The password corresponding to the username.


Example

setIdPPartnerBasicAuthCredential(partnerName="partnerID4", username="user1", password="<password>")

setIdPPartnerMappingAttribute

Sets a partner's assertion mapping attribute.

Description

Sets the attribute used for assertion mapping for a federation partner.

Syntax

setIdPPartnerMappingAttribute(partnerName,assertionAttr,userstoreAttr)
Argument Definition
partnerName 

The ID of the partner to be updated.

assertionAttr 

The attribute name in the assertion used to map the user to the identity store.

userstoreAttr 

The name of the attribute in the identity store to which to map the assertion attribute value.


Example

setIdPPartnerMappingAttribute(partnerName="partnerID", assertionAttr="email", userstoreAttr="mail")

setIdPPartnerMappingAttributeQuery

Updates a partner for assertion mapping of user with attribute query.

Description

Sets or updates a partner to specify the attribute query to map an assertion to the user store.

Syntax

setIdPPartnerMappingAttributeQuery(partnerName,attrQuery)
Argument Definition
partnerName 

The ID of the partner to be updated

attrQuery 

The attribute query to be used. The LDAP query can contain placeholders referencing the attributes in the SAML Assertion, as well as the NameID. An attribute from the SAML Assertion will be referenced by its name and surrounded by the % character; for example, if the attribute name is Userlastname, the attribute will be referenced as %Userlastname%. The NameID Value is referenced as %fed.nameidvalue%.


Example

setIdPPartnerMappingAttributeQuery(partnerName="partnerID", 
attrQuery="(&(sn=%Userlastname%)(givenname=%Userfirstname%))")
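As an added example (not from this reference and not Access Manager's own code), the following Python shows how the placeholder syntax described above maps onto a concrete LDAP filter, and why each substituted assertion value should be escaped as a filter value before it reaches the identity store. The sample query, assertion attributes and NameID are constructed; the escaping step is this example's own, since the page does not state how Access Manager handles special characters in assertion values.

```python
import re

# Constructed sample values (not from the page): the attrQuery string as it would be
# passed to setIdPPartnerMappingAttributeQuery, and the attributes an IdP's assertion
# carried for one user.
SAMPLE_ATTR_QUERY = "(&(sn=%Userlastname%)(givenname=%Userfirstname%))"
SAMPLE_NAMEID_QUERY = "(mail=%fed.nameidvalue%)"
SAMPLE_ASSERTION_ATTRS = {"Userlastname": "Doe", "Userfirstname": "Jane"}
SAMPLE_NAMEID = "jane.doe@example.com"

# A placeholder is the attribute name surrounded by '%'; the NameID is %fed.nameidvalue%.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.\-]+)%")
NAMEID_PLACEHOLDER = "fed.nameidvalue"


def escape_filter_value(value):
    """Escape one value for use inside an LDAP search filter (RFC 4515 section 3).

    '\\', '*', '(', ')' and NUL become \\XX hex escapes, as do the UTF-8 bytes of any
    non-ASCII character, so an assertion value can never add or close filter terms.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def referenced_attributes(attr_query):
    """Return the attribute names the query expects, NameID placeholder included.

    Useful as a configuration check: every name returned here must be supplied by
    the partner's attribute profile, or the mapping will fail at runtime.
    """
    return PLACEHOLDER.findall(attr_query)


def render_attribute_query(attr_query, assertion_attrs, nameid):
    """Substitute every placeholder with the matching assertion value, escaped.

    Raises KeyError when the assertion lacks an attribute the query references, so a
    partner whose attribute profile stopped sending it fails closed instead of
    searching with an empty term.
    """
    def substitute(match):
        name = match.group(1)
        if name == NAMEID_PLACEHOLDER:
            value = nameid
        elif name in assertion_attrs:
            value = assertion_attrs[name]
        else:
            raise KeyError("assertion carries no attribute %r for query %r" % (name, attr_query))
        return escape_filter_value(value)
    return PLACEHOLDER.sub(substitute, attr_query)


if __name__ == "__main__":
    print(render_attribute_query(SAMPLE_ATTR_QUERY, SAMPLE_ASSERTION_ATTRS, SAMPLE_NAMEID))
    print(render_attribute_query(SAMPLE_NAMEID_QUERY, SAMPLE_ASSERTION_ATTRS, SAMPLE_NAMEID))
```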

setIdPPartnerMappingNameID

Sets a partner's mapping nameID.

Description

Sets the assertion mapping nameID value for an IdP federation partner.

Syntax

setIdPPartnerMappingNameID(partnerName,userstoreAttr)
Argument Definition
partnerName 

The ID of the partner to be updated.

userstoreAttr 

The attribute name in the identity store to which the assertion nameID is to be mapped.


Example

setIdPPartnerMappingNameID(partnerName="partnerID", userstoreAttr="ldapattr")

setPartnerAlias

Sets a partner's alias.

Description

Sets or updates a federation partner's alias.

Syntax

setPartnerAlias(partnerName,partnerType,partnerAlias)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

Specifies the partner type. Valid values are sp or idp.

partnerAlias

The partner's alias.


Example

setPartnerAlias(partnerName="partnerID", 
partnerType="sp", partnerAlias="tenant1")

setPartnerIDStoreAndBaseDN

Sets a partner's identity store and base DN.

Description

Sets or updates the identity store and base DN of a federation partner.

Syntax

setPartnerIDStoreAndBaseDN(partnerName,partnerType,storeName,searchBaseDN)
Argument Definition
partnerName 

The ID of the partner to be updated.

partnerType 

The partner type. Valid values are sp or idp.

storeName  

The name of the identity store. If left blank, the Default OAM Identity Store will be used. (Optional)

searchBaseDN  

The search base DN for the LDAP. If left blank, the Search Base DN configured in the Identity Store will be used. (Optional)


Example

setPartnerIDStoreAndBaseDN(partnerName="partnerID", partnerType="sp", storeName="testldap", searchBaseDN="dc=company,dc=com")

updatePartnerMetadata

Updates partner metadata.

Description

Updates the metadata for a federation partner.

Syntax

updatePartnerMetadata(partnerName,partnerType,metadataFile)
Argument Definition
partnerName 

The ID of the partner to be updated

partnerType 

Specifies the partner type. Valid values are sp or idp.

metadataFile 

The location of the metadata file. Specify the complete path and name.


Example

updatePartnerMetadata(partnerName="partnerID", partnerType="sp", metadataFile="/common/idm/abc_metadata_file")

updatePartnerProperty

Updates a partner property.

Description

Configures or updates the specified property for a federation partner.

Syntax

updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument Definition
partnerName 

The ID of the partner to be updated

partnerType 

Specifies the partner type. Valid values are sp or idp.

propName 

The name of the property to configure.

propValue 

The property value to be set.

type

The data type of the property. Valid values are string, long, or boolean.


Example

updatePartnerProperty(partnerName="partnerID", partnerType="idp", 
propName="providertrusted",
propValue="true",type="boolean")

Oracle Access Management Mobile and Social Commands

Use the WLST commands listed in Table 4-7 to manage Oracle Access Management Mobile and Social (Mobile and Social) configuration objects.

Table 4-7 WLST Mobile and Social Commands

Use this command...                      To...                                                            Use with WLST...

System Configuration Commands

getRPSystemConfig                        Retrieve system configuration data.                              Online
replaceRPSystemConfig                    Update system configuration data.                                Online

RPApplication Commands

getRPApplications                        Retrieves the RPApplication objects.                             Online
removeRPApplication                      Deletes the specified RPApplication object.                      Online
displayRPApplication                     Displays the specified RPApplication object.                     Online
createRPApplication                      Creates a new RPApplication object.                              Online
updateRPApplication                      Updates values for a defined RPApplication object.               Online

ServiceProviderInterface Commands

getServiceProviderInterfaces             Retrieves the Service Provider interface objects.                Online
removeServiceProviderInterface           Deletes the specified Service Provider interface object.         Online
displayServiceProviderInterface          Displays the specified Service Provider interface object.        Online
createServiceProviderInterface           Creates a new Service Provider interface object.                 Online
updateServiceProviderInterface           Updates values for a defined Service Provider interface object.  Online

Internet Identity Provider Commands

getInternetIdentityProviders             Retrieves the Internet Identity Provider objects.                Online
removeInternetIdentityProvider           Deletes the specified Internet Identity Provider object.         Online
displayInternetIdentityProvider          Displays the specified Internet Identity Provider object.        Online
createInternetIdentityProvider           Creates a new Internet Identity Provider object.                 Online
updateInternetIdentityProvider           Updates values for a defined Internet Identity Provider object.  Online

User Attribute Mapping Commands

getUserAttributeMappings                 Retrieves the User Attribute Mapping objects.                    Online
removeUserAttributeMapping               Deletes the specified User Attribute Mapping object.             Online
displayUserAttributeMapping              Displays the specified User Attribute Mapping object.            Online
updateUserAttributeMapping               Updates values for a defined User Attribute Mapping object.      Online

ServiceProvider Commands

createServiceProvider                    Create a ServiceProvider.                                        Online
updateServiceProvider                    Update a ServiceProvider.                                        Online
addRelationshipToServiceProvider         Add a Relationship to a Service Provider.                        Online
removeRelationshipFromServiceProvider    Remove a Relationship from a Service Provider.                   Online
getServiceProviders                      Get a ServiceProvider.                                           Online
removeServiceProvider                    Remove a ServiceProvider object.                                 Online
displayServiceProvider                   Display a ServiceProvider object.                                Online

ServiceProfile Commands

createServiceProfile                     Create a service object.                                         Online
updateServiceProfile                     Update a service object.                                         Online
removeServiceProfile                     Remove a service object.                                         Online
displayServiceProfile                    Display a service object.                                        Online
getServiceProfiles                       Retrieve all the service objects.                                Online

ApplicationProfile Commands

getApplicationProfiles                   List all ApplicationProfile objects.                             Online
createApplicationProfile                 Create an ApplicationProfile.                                    Online
updateApplicationProfile                 Update an ApplicationProfile.                                    Online
removeApplicationProfile                 Remove an ApplicationProfile.                                    Online
displayApplicationProfile                Display an ApplicationProfile.                                   Online

ServiceDomain Commands

createServiceDomain                      Create a ServiceDomain.                                          Online
updateServiceDomain                      Update a ServiceDomain.                                          Online
getServiceDomains                        Retrieve a ServiceDomain.                                        Online
removeServiceDomain                      Remove a ServiceDomain.                                          Online
displayServiceDomain                     Display a ServiceDomain.                                         Online

SecurityHandler Commands

createSecurityHandlerPlugin              Create a SecurityHandlerPlugin.                                  Online
updateSecurityHandlerPlugin              Update a SecurityHandlerPlugin.                                  Online
getSecurityHandlerPlugins                Retrieve a SecurityHandlerPlugin.                                Online
removeSecurityHandlerPlugin              Remove a SecurityHandlerPlugin.                                  Online
displaySecurityHandlerPlugin             Display a SecurityHandlerPlugin.                                 Online

JailBreakingDetectionPolicy Commands

createJailBreakingDetectionPolicy        Create a JailBreakingDetectionPolicy.                            Online
updateJailBreakingDetectionPolicy        Update a JailBreakingDetectionPolicy.                            Online
getJailBreakingDetectionPolicys          Retrieve a JailBreakingDetectionPolicy.                          Online
removeJailBreakingDetectionPolicy        Remove a JailBreakingDetectionPolicy.                            Online
displayJailBreakingDetectionPolicy       Display a JailBreakingDetectionPolicy.                           Online


getRPSystemConfig

getRPSystemConfig

Description

Retrieves the system configuration information.

Syntax

getRPSystemConfig( )

This command has no arguments.

Example

getRPSystemConfig( )

replaceRPSystemConfig

replaceRPSystemConfig

Description

Replaces the value of a particular system configuration.

Syntax

replaceRPSystemConfig(hostURL, proxyProtocol, proxyHost, proxyPort, proxyUsername, proxyPassword, attributeList)

Table 4-8 replaceRPSystemConfig Arguments

Argument Definition

hostURL

The URL of the machine hosting the Mobile and Social server.

proxyProtocol

The proxy protocol (HTTP/HTTPS).

proxyHost

The URL of the proxy machine.

proxyPort

The port of the proxy machine.

proxyUsername

Name of the user accessing the proxy.

proxyPassword

Password of the user accessing the proxy.

attributeList

List of attributes in the JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

Example

replaceRPSystemConfig('http://adc514.us.oracle.com:18001','http','www-proxy.us.oracle.com','80','proxyUser','proxyPass','[{idaas.rest.crudservice:http://adc514:18001/idaas_rest}]')

getRPApplications

getRPApplications

Description

Retrieves the RPApplication objects.

Syntax

getRPApplications( )

This command has no arguments.

Example

getRPApplications( )

removeRPApplication

removeRPApplication

Description

Removes the specified RPApplication object.

Syntax

removeRPApplication(name)

where name is the name of the RPApplication object.

Example

removeRPApplication('TestApp')

displayRPApplication

displayRPApplication

Description

Displays the specified RPApplication object.

Syntax

displayRPApplication(name)

where name is the name of the RPApplication object.

Example

displayRPApplication('TestApp')

createRPApplication

createRPApplication

Description

Creates a new RPApplication object.

Syntax

createRPApplication(identityProviderNameList, sharedSecret, returnUrl, SPIBindingName, applicationAttributesList, userAttributeMappings, attributeList, mobileApplicationReturnUrl, name, description)

Table 4-9 createRPApplication Arguments

Argument Definition

identityProviderNameList

A List of Identity Providers

sharedSecret

The shared secret.

returnUrl

The return URL.

SPIBindingName

The SPI binding name.

applicationAttributesList

List of RPApplication attributes.

userAttributeMappings

List of User Attribute Mappings specified in the JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

attributeList

List of attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

mobileApplicationReturnUrl

The return URL of the mobile application.

name

Name of the object to be created.

description

Description of the object to be created.


Example

createRPApplication('Yahoo,Facebook','mySecret','http://me.com','OAMServiceProviderInterface','[{pratname1:atval1},{pratname2:atval2}]','[{Yahoo:[{uid:email},{mail:email},{zip:postalCode},{country:country}]},{Facebook:[{uid:email},{mail:email},{zip:postalCode},{country:country}]}]','[{atname1:atval2},{atname2:atval2}]','/oam/server','myApp','new Application')

updateRPApplication

updateRPApplication

Description

Updates a particular value for an RPApplication object.

Syntax

updateRPApplication(identityProviderNameList, sharedSecret, returnUrl, SPIBindingName, applicationAttributesList, userAttributeMappings, attributeList, mobileApplicationReturnUrl, name, description)

Table 4-10 updateRPApplication Arguments

Argument Definition

identityProviderNameList

A List of Identity Providers

sharedSecret

The shared secret.

returnUrl

The return URL.

SPIBindingName

The SPI binding name.

applicationAttributesList

List of RPApplication attributes.

userAttributeMappings

List of User Attribute Mappings specified in the JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

attributeList

List of attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

mobileApplicationReturnUrl

The return URL of the mobile application.

name

Name of the object to be created.

description

Description of the object to be created.


Example

updateRPApplication('Facebook,Google','mySecret','http://me.com','OAMServiceProviderInterface','[{pratname1:atval1},{pratname2:atval2}]','userMap1,userMap2','[{atname1:atval2},{atname2:atval2}]','/oam/server','myApp','new Application')

getServiceProviderInterfaces

getServiceProviderInterfaces

Description

Retrieves the Service Provider interface objects.

Syntax

getServiceProviderInterfaces( )

This command has no arguments.

Example

getServiceProviderInterfaces( )

removeServiceProviderInterface

removeServiceProviderInterface

Description

Removes the specified Service Provider interface object.

Syntax

removeServiceProviderInterface(name)

where name is the name of the Service Provider interface object.

Example

removeServiceProviderInterface('TestApp')

displayServiceProviderInterface

displayServiceProviderInterface

Description

Displays the specified Service Provider interface object.

Syntax

displayServiceProviderInterface(name)

where name is the name of the Service Provider interface object.

Example

displayServiceProviderInterface('TestApp')

createServiceProviderInterface

createServiceProviderInterface

Description

Creates a new Service Provider interface object.

Syntax

createServiceProviderInterface(idpSelectorImpl, postIDPSelectorImpl, idpInteractionProviderImpl, registrationStatusCheckImpl, registrationTaskFlowProviderImpl, sessionCreationProviderImpl, attributeList, name, description)

Table 4-11 createServiceProviderInterface Arguments

Argument Definition

idpSelectorImpl

 

postIDPSelectorImpl

 

idpInteractionProviderImpl

 

registrationStatusCheckImpl

 

registrationTaskFlowProviderImpl

 

sessionCreationProviderImpl

 

attributeList

List of attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

name

Name of the object to be created.

description

Description of the object to be created.


Example

createServiceProviderInterface('idp','postIDP','idpInteraction','regStatus','regTask','sessionPro','[{pratname1:atval1},{pratname2:atval2}]','mySPIBind','new SPI Binding')

updateServiceProviderInterface

updateServiceProviderInterface

Description

Updates a particular value for a Service Provider interface object.

Syntax

updateServiceProviderInterface(idpSelectorImpl, postIDPSelectorImpl, idpInteractionProviderImpl, registrationStatusCheckImpl, registrationTaskFlowProviderImpl, sessionCreationProviderImpl, attributeList, name, description)

Table 4-12 updateServiceProviderInterface Arguments

Argument Definition

idpSelectorImpl

 

postIDPSelectorImpl

 

idpInteractionProviderImpl

 

registrationStatusCheckImpl

 

registrationTaskFlowProviderImpl

 

sessionCreationProviderImpl

 

attributeList

List of attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

name

Name of the object to be created.

description

Description of the object to be created.


Example

updateServiceProviderInterface('idp','postIDP','idpInteraction','regStatus','regTask','sessionPro','[{pratname1:atval1},{pratname2:atval2}]','mySPIBind','new SPI Binding')

getInternetIdentityProviders

getInternetIdentityProviders

Description

Retrieves the Internet Identity Provider objects.

Syntax

getInternetIdentityProviders( )

This command has no arguments.

Example

getInternetIdentityProviders( )

removeInternetIdentityProvider

removeInternetIdentityProvider

Description

Removes the specified Internet Identity Provider object.

Syntax

removeInternetIdentityProvider(name)

where name is the name of the Internet Identity Provider object.

Example

removeInternetIdentityProvider('TestApp')

displayInternetIdentityProvider

displayInternetIdentityProvider

Description

Displays the specified Internet Identity Provider object.

Syntax

displayInternetIdentityProvider(name)

where name is the name of the Internet Identity Provider object.

Example

displayInternetIdentityProvider('TestApp')

createInternetIdentityProvider

createInternetIdentityProvider

Description

Creates a new Internet Identity Provider object.

Syntax

createInternetIdentityProvider(icon, protocolType, protocolAttributeList, providerImplClass, attributeList, name, description)

Table 4-13 createInternetIdentityProvider Arguments

Argument Definition

icon

Name of the icon.

protocolType

The protocol used (HTTP/HTTPS).

protocolAttributeList

A list of protocol attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

providerImplClass

Implementation class for the provider.

attributeList

List of attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

name

Name of the object to be created.

description

Description of the object to be created.


Example

createInternetIdentityProvider('myIcon','myType','[{pratname1:atval1},{pratname2:atval2}]','[{atname1:atval1},{atname2:atval2}]','class','myProvider','new Identity Provider')

updateInternetIdentityProvider

updateInternetIdentityProvider

Description

Updates a particular value for an Internet Identity Provider object.

Syntax

updateInternetIdentityProvider(icon, protocolType, protocolAttributeList, attributeList, providerImplClass, name, description)

Table 4-14 updateInternetIdentityProvider Arguments

Argument Definition

icon

Name of the icon.

protocolType

The protocol used (HTTP/HTTPS).

protocolAttributeList

A list of protocol attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

providerImplClass

Implementation class for the provider.

attributeList

List of attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

name

Name of the object to be created.

description

Description of the object to be created.


Example

updateInternetIdentityProvider('myIcon','myType','[{pratname1:atval1},{pratname2:atval2}]','[{atname1:atval1},{atname2:atval2}]','class','myProvider','new Identity Provider')

getUserAttributeMappings

getUserAttributeMappings

Description

Retrieves the User Attribute Mapping objects.

Syntax

getUserAttributeMappings( )

This command has no arguments.

Example

getUserAttributeMappings( )

removeUserAttributeMapping

removeUserAttributeMapping

Description

Removes the specified User Attribute Mapping object.

Syntax

removeUserAttributeMapping(name)

where name is the name of the User Attribute Mapping object.

Example

removeUserAttributeMapping('TestApp')

displayUserAttributeMapping

displayUserAttributeMapping

Description

Displays the specified User Attribute Mapping object.

Syntax

displayUserAttributeMapping(name)

where name is the name of the User Attribute Mapping object.

Example

displayUserAttributeMapping('TestApp')

updateUserAttributeMapping

updateUserAttributeMapping

Description

Updates a particular value for a User Attribute Mapping object.

Syntax

updateUserAttributeMapping(application, idp, name, appProtocolAttributeList)

Table 4-15 updateUserAttributeMapping Arguments

Argument Definition

application

Name of the application.

idp

Name of the identity provider.

name

Name of the object to be created.

appProtocolAttributeList

List of protocol attributes in JSON format.

[{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}]

Example

updateUserAttributeMapping('myApp','myProvider','myMap','[{pratname1:atval1},{pratname2:atval2}]')

createServiceProvider

createServiceProvider

Description

Creates a Service Provider.

Syntax

createServiceProvider(serviceProviderImpl, serviceProviderType, relationshipList, paramList, name, description)

Table 4-16 createServiceProvider Arguments

Argument Definition

serviceProviderImpl

The service provider implementation.

serviceProviderType

The type of service provider. Valid values are Authorization, Authentication, or UserProfile.

relationshipList

The relationship for this Service Provider specified in JSON format:

[{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}]

paramList

The parameters for this Service Provider specified in JSON format:

[{name1:value1},{name2:value2}...]

name

Name of the service provider.

description

Description of the service provider.


Example

createServiceProvider('oracle.security.idaas.rest.provider.token.MobileOAMTokenServiceProvider',
    'Authentication', '[]',
    '[{OAM_VERSION:OAM_11G},{WEBGATE_ID:accessgate-oic},{ENCRYPTED_PASSWORD:"password"},{DEBUG_VALUE:0},{TRANSPORT_SECURITY:OPEN},{OAM_SERVER_1:"localhost:5575"},{OAM_SERVER_1_MAX_CONN:4},{OAM_SERVER_2:"oam_server_2:5575"},{OAM_SERVER_2_MAX_CONN:4}]',
    'MobileOAMAuthentication',
    'Out Of The Box Mobile Oracle Access Manager (OAM) Authentication Service Provider')

updateServiceProvider

updateServiceProvider

Description

Updates a Service Provider.

Syntax

updateServiceProvider(serviceProviderImpl, serviceProviderType, relationshipList, paramList, name, description)

Table 4-17 updateServiceProvider Arguments

Argument Definition

serviceProviderImpl

The service provider implementation

serviceProviderType

The type of service provider. Valid values are Authorization, Authentication, or UserProfile.

relationshipList

The relationship for this service provider specified in JSON format:

[{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}]

paramList

The parameters for this Service Provider specified in JSON format:

[{name1:value1},{name2:value2}...]

name

Name of the service provider.

description

Description of the service provider.


Example

updateServiceProvider('oracle.security.idaas.rest.provider.cruds.ids.IDSCRUDSServiceProvider',
    'UserProfile',
    '[{relationship:people_groups,directional1:{name:memberOf,providerRelation:user_memberOfGroup,entityURIAttrName:person-uri},directional2:{name:members,providerRelation:groupMember_user,entityURIAttrName:group-uri}},{relationship:people_manager,directional1:{name:manager,providerRelation:manager,entityURIAttrName:report-uri,scopeAllLevelAttrName:toTop},directional2:{name:reports,providerRelation:reportee,entityURIAttrName:manager-uri,scopeAllLevelAttrName:all}},{relationship:groupMemberOf_groupMembers,directional1:{name:groupMemberOf,providerRelation:group_memberOfGroup,entityURIAttrName:member-uri},directional2:{name:groupMembers,providerRelation:groupMember_group,entityURIAttrName:group-uri}},{relationship:personOwner_ownerOf,directional1:{name:ownerOf,providerRelation:user_ownerOfGroup,entityURIAttrName:owner-uri},directional2:{name:personOwner,providerRelation:groupOwner_user,entityURIAttrName:group-uri}},{relationship:groupOwner_groupOwnerOf,directional1:{name:groupOwner,providerRelation:group_ownerOfGroup,entityURIAttrName:group-uri},directional2:{name:groupOwnerOf,providerRelation:groupOwner_group,entityURIAttrName:owner-uri}}]',
    '[{oracle.ids.name:userrole},{accessControl:false}]',
    'UserProfile',
    'Out Of The Box User Profile Service Provider')

addRelationshipToServiceProvider

addRelationshipToServiceProvider

Description

Adds a Relationship to a Service Provider.

Syntax

addRelationshipToServiceProvider(name, relationshipList)

Table 4-18 addRelationshipToServiceProvider Arguments

Argument Definition

name

Name of the service provider.

relationshipList

The relationship for this Service Provider specified in JSON format:

[{relationship:relname,description:descrip,directional1:
{name:dirname,description:descrip,providerRelation:relname,
entityURIAttrName:uri,scopeAllLevelAttrName:toTop},
directional2:{name:dirname,description:descrip,
providerRelation:relname,entityURIAttrName:uri,
scopeAllLevelAttrName:toTop}}]

Example

addRelationshipToServiceProvider('idsprovider1','[{relationship:relname,
description:descrip, directional1:{name:dirname,description:descrip,
providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},
directional2:{name:dirname,description:descrip,
providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}]')

removeRelationshipFromServiceProvider

removeRelationshipFromServiceProvider

Description

Removes a Relationship from a Service Provider.

Syntax

removeRelationshipFromServiceProvider(name, relationshipList)

Table 4-19 removeRelationshipFromServiceProvider Arguments

Argument Definition

name

Name of the service provider.

relationshipList

The relationship name for this Service Provider.


Example

removeRelationshipFromServiceProvider('idsprovider1','relname')

getServiceProviders

getServiceProviders

Description

Lists all service providers.

Syntax

getServiceProviders()

This command has no arguments.

Example

getServiceProviders()

The following lines show sample output:

ServiceProvider: UserProfile1
ServiceProvider: JWTAuthentication
ServiceProvider: UserProfile
ServiceProvider: MobileOAMAuthentication
ServiceProvider: OAMAuthentication
ServiceProvider: MobileJWTAuthentication
ServiceProvider: sampleauthzserviceprovider
ServiceProvider: InternetIdentityAuthentication
ServiceProvider: OAMAuthorization

removeServiceProvider

removeServiceProvider

Description

This command will remove a ServiceProvider object.

Syntax

removeServiceProvider(name)

where name is the name of the ServiceProvider object.

Example

removeServiceProvider('name')

displayServiceProvider

displayServiceProvider

Description

This command will display a ServiceProvider object.

Syntax

displayServiceProvider(name)

where name is the name of the ServiceProvider object.

Example

displayServiceProvider('OAMAuthentication')

The following lines show sample output:

Displaying: ServiceProvider : OAMAuthentication
ReadOnly = 0
Description = Out Of The Box Oracle Access Manager (OAM) Authentication Token Service Provider
Param = ...
eventProvider = 1
objectName = com.oracle.idaas:name=OAMAuthentication,type=Xml.ServiceProvider,Xml=MobileService
SystemMBean = 0
ServiceProviderType = Authentication
Name = OAMAuthentication
ConfigMBean = 1
ServiceProviderImpl = oracle.security.idaas.rest.provider.token.OAMSDKTokenServiceProvider
Relationship = array(javax.management.openmbean.CompositeData,[])
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0

createServiceProfile

createServiceProfile

Description

Creates a service.

Syntax

createServiceProfile(serviceProvider, supportedTokenList, paramList, endPoint, name, description, enabled)

Table 4-20 createServiceProfile Arguments

Argument Definition

serviceProvider

Name of the service provider.

supportedTokenList

A list of supported tokens specified in JSON format:

{type,...}

where type is defined as CLIENTTOKEN or USERTOKEN or ACCESSTOKEN or CLIENTREGHANDLE.

paramList

A list of parameters for this Service specified in JSON format:

[{name1:value1},{name2:value2}...]

endPoint

The service endpoint.

name

Name of the service.

description

Description of the service.

enabled

Indicates if the service should be enabled or disabled. Boolean flag.


Example

createServiceProfile('OAMAuthentication','CLIENTTOKEN,ACCESSTOKEN,USERTOKEN','[]',
'/oamauthentication','OAMAuthentication','Out Of The Box Oracle Access Manager
(OAM) Authentication Token Service',true)

updateServiceProfile

updateServiceProfile

Description

Updates a service.

Syntax

updateServiceProfile(serviceProvider, supportedTokenList, paramList, endPoint, name, description, enabled)

Table 4-21 updateServiceProfile Arguments

Argument Definition

serviceProvider

Name of the service provider.

supportedTokenList

A list of supported tokens specified in JSON format:

{type,...}

where type is defined as CLIENTTOKEN or USERTOKEN or ACCESSTOKEN or CLIENTREGHANDLE.

paramList

A list of parameters for this Service specified in JSON format:

[{name1:value1},{name2:value2}...]

endPoint

The service endpoint.

name

Name of the service.

description

Description of the service.

enabled

Indicates if the service should be enabled or disabled. Boolean flag.


Example

updateServiceProfile('MobileJWTAuthentication','CLIENTREGHANDLE,
ACCESSTOKEN,USERTOKEN','[]','/mobilejwtauthentication','MobileJWTAuthentication',
'Out Of The Box Mobile Java Web Token (JWT) Authentication Service Provider',true)

removeServiceProfile

removeServiceProfile

Description

This command will remove a service object.

Syntax

removeServiceProfile(name)

where name is the name of the service to be removed.

Example

removeServiceProfile('myService')

displayServiceProfile

displayServiceProfile

Description

This command will display a service object.

Syntax

displayServiceProfile(name)

where name is the name of the service profile to be displayed.

Example

displayServiceProfile('OAMAuthorization')

The following lines show sample output:

Displaying: ServiceProfile : OAMAuthorization
ReadOnly = 0
Enabled = 1
Description = Out Of The Box Oracle Access Manager (OAM) Authorization Service Provider
Param = array(javax.management.openmbean.CompositeData,[])
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=OAMAuthorization,type=Xml.ServiceProfile,Xml=MobileService
SupportedToken = array(java.lang.String,[])
ServiceProviderType = Authorization
ServiceProviderName = OAMAuthorization
Name = OAMAuthorization
ConfigMBean = 1
ServiceEndPoint = /oamauthorization
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0

getServiceProfiles

getServiceProfiles

Description

Gets all the service objects.

Syntax

getServiceProfiles()

This command has no arguments.

Example

getServiceProfiles()

The following lines show sample output:

ServiceProfile: UserProfile1
ServiceProfile: OAMAuthenticatio
ServiceProfile: sampleauthzservice
ServiceProfile: JWTAuthentication
ServiceProfile: UserProfile
ServiceProfile: MobileOAMAuthentication
ServiceProfile: OAMAuthentication
ServiceProfile: MobileJWTAuthentication
ServiceProfile: InternetIdentityAuthentication
ServiceProfile: OAMAuthorization
ServiceProfile: JWTAuthentication1

getApplicationProfiles

getApplicationProfiles

Description

List the ApplicationProfile objects.

Syntax

getApplicationProfiles()

This command has no arguments.

Example

getApplicationProfiles()

The following lines show sample output:

Contract: MobileExpenseReport1
Contract: MobileAgent2
Contract: MobileBusinessTestApp01
Contract: MobileAgent1
Contract: profileid1
Contract: samplemobileapp2
Contract: profileid2
Contract: samplemobileapp1

createApplicationProfile

createApplicationProfile

Description

Creates an ApplicationProfile.

Syntax

createApplicationProfile(paramList, mobileAppProfileStr, name, description)

Table 4-22 createApplicationProfile Arguments

Argument Definition

paramList

A list of parameters for this Service specified in JSON format:

[{name1:value1},{name2:value2}...]

mobileAppProfileStr

The mobile app profile string specified in JSON format:

[{clientAppConfigParam:[{name:value},{name:value}],
jailBreakingDetectionPolicyName:name}]

name

Name of the IDaaS Client.

description

Description of the IDaaS Client.


Example

createApplicationProfile('[{Mobile.clientRegHandle.baseSecret:welcome1}]',
'[{clientAppConfigParam:[{Mobileparam1:Mobileparam1Value},
{IOSURLScheme:"samplemobileapp1://"},
{AndroidPackage:oracle.android.samplemobileapp1},
{AndroidAppSignature:samplemobileapp1signature}],
jailBreakingDetectionPolicyName:defaultJailBreakingDetectionPolicy}]',
'samplemobileapp1','Sample Mobile App 1')
createApplicationProfile('[{userId4BasicAuth:rest_client1},
{sharedSecret4BasicAuth:"9Qo9olLIl5gDwESYR0hOgw=="},
{signatureAlgorithm:SHA-1}]','','profileid1','OIC Application Profile 1')

updateApplicationProfile

updateApplicationProfile

Description

Updates an ApplicationProfile.

Syntax

updateApplicationProfile(paramList, mobileAppProfileStr, name, description)

Table 4-23 updateApplicationProfile Arguments

Argument Definition

paramList

A list of parameters for this Service specified in JSON format:

[{name1:value1},{name2:value2}...]

mobileAppProfileStr

The mobile app profile string specified in JSON format:

[{clientAppConfigParam:[{name:value},{name:value}],
jailBreakingDetectionPolicyName:name}]

The value of clientAppConfigParam should match what is defined in the Administration Console on the "Application Profile Configuration Page." Items specified under the 'Configuration Settings' heading are set with the WLST 'clientAppConfigParam'.

name

Name of the IDaaS (Identity as a Service) Client.

description

Description of the IDaaS (Identity as a Service) Client.


Example

updateApplicationProfile('[{Mobile.clientRegHandle.baseSecret:welcome1}]',
'[{clientAppConfigParam:[{ProfileCacheDuration:60},
{AuthenticationRetryCount:3},{AllowOfflineAuthentication:false},
{ClaimAttributes:"oracle:idm:claims:client:geolocation,
oracle:idm:claims:client:imei,oracle:idm:claims:client:jailbroken,
oracle:idm:claims:client:locale,oracle:idm:claims:client:macaddress,
oracle:idm:claims:client:networktype,oracle:idm:claims:client:ostype,
oracle:idm:claims:client:osversion,oracle:idm:claims:client:phonecarriername,
oracle:idm:claims:client:phonenumber,oracle:idm:claims:client:sdkversion,
oracle:idm:claims:client:udid,oracle:idm:claims:client:vpnenabled"},
{RPWebView:Embedded},{URLScheme:"exp://"},
{IOSBundleID:com.oraclecorp.internal.ExpenseReportApp},
{AndroidAppSignature:"xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\' xsi:nil=\'true\'"},
{AndroidPackage:"xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\' xsi:nil=\'true\'"}],
jailBreakingDetectionPolicyName:DefaultJailBreakingDetectionPolicy}]',
'ExpenseApp','OIC Test Expense Sample App')

removeApplicationProfile

removeApplicationProfile

Description

This command removes an ApplicationProfile.

Syntax

removeApplicationProfile(name)

where name is the name of the ApplicationProfile to be removed.

Example

removeApplicationProfile('name')

displayApplicationProfile

displayApplicationProfile

Description

This command displays the specified ApplicationProfile.

Syntax

displayApplicationProfile(name)

where name is the name of the ApplicationProfile to be displayed.

Example

displayApplicationProfile('MobileAgent1')

The following lines show sample output:

Displaying: ApplicationProfile : MobileAgent1
ReadOnly = 0
ConfigMBean = 1
Name = MobileAgent1
MobileAppProfile = None
Description = Mobile Agent App 1
Param =
array(javax.management.openmbean.CompositeData,[javax.management.openmbean.Composi
teDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.orac
le.xmlns.idm.idaas.idaas_config_11_1_2_0_0.Attribute,items=((itemName=name,
itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),
(itemName=secretValue,itemType=javax.management.openmbean.ArrayType(name=[Ljava.
lang.Character;,dimension=1,elementType=javax.management.openmbean.SimpleType(name
=java.lang.Character),primitiveArray=false)),(itemName=value,itemType=javax.manage
ment.openmbean.SimpleType(name=java.lang.String)))),contents={name=Mobile.reauthnF
orRegNewClientApp, secretValue=null, value=true}),
javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.ope
nmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.
Attribute,items=((itemName=name,itemType=javax.management.openmbean.SimpleType(nam
e=java.lang.String)),(itemName=secretValue,itemType=javax.management.openmbean.Arr
ayType(name=[Ljava.lang.Character;,dimension=1,elementType=javax.management.openmb
ean.SimpleType(name=java.lang.Character),primitiveArray=false)),(itemName=value,it
emType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={n
ame=Mobile.clientRegHandle.baseSecret, secretValue=[Ljava.lang.Character;@11910bd,
value=idaas.ApplicationProfile[MobileAgent1].param[Mobile.clientRegHandle.baseSecr
et]})])
eventProvider = 1
SystemMBean = 0
objectName =
com.oracle.idaas:name=MobileAgent1,type=Xml.ApplicationProfile,Xml=MobileService
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0

createServiceDomain

createServiceDomain

Description

Creates a ServiceDomain.

Syntax

createServiceDomain(securityHandlerPlugin,serviceBindingList,
clientAppBindingList,mobileAuthStyle,serviceDomainType,name,description)

Table 4-24 createServiceDomain Arguments

Argument Definition

securityHandlerPlugin

The name of the securityHandlerPlugin.

serviceBindingList

A list of the ServiceBinding objects in the format:

[{serviceName:UserProfile,allowRead:true,
allowWrite:true},{serviceName:UserProfile1,
allowRead:true,allowWrite:true,
requiredToken:[{tokenService:JWTAuthentication,
tokenType:{ACCESSTOKEN}}]},
{serviceName:usertokenserviceformobile,
requiredToken:[{tokenService:mobilesecurityservice1,
tokenType:{ACCESSTOKEN,CLIENTTOKEN}}]},
{serviceName:mobilesecurityservice1},
{serviceName:JWTAuthentication1},
{serviceName:OAMAuthorization}]

clientAppBindingList

A list of client applications specified in the format:

[{appName:UserProfile,mobileBinding:
[{SSOinclusion:true,SSOpriority:4}]}]

mobileAuthStyle

Mobile Authentication Style.

serviceDomainType

The type of service domain.

name

Name of the ServiceDomain.

description

Description of the ServiceDomain.


Example

createServiceDomain('JunitDebugSecurityHandlerPlugin','[{serviceName:UserProfile,
allowRead:true,allowWrite:true},{serviceName:UserProfile1,allowRead:true,
allowWrite:true,requiredToken:[{tokenService:JWTAuthentication1,
tokenType:ACCESSTOKEN}]},{serviceName:JWTAuthentication},{serviceName:OAMAuthentication},{serviceName:JWTAuthentication1},{serviceName:OAMAuthorization,
allowRead:true,allowWrite:false,requiredToken:[{tokenService:OAMAuthentication,
tokenType:USERTOKEN}]}]','[{appName:MobileAgent1,mobileBinding:
[{SSOinclusion:true,SSOpriority:1}]},{appName:MobileBusinessTestApp01,
mobileBinding:[{SSOinclusion:true}]},{appName:MobileAgent2,mobileBinding:
[{SSOinclusion:true,SSOpriority:2}]},{appName:MobileExpenseReport1,
mobileBinding:[{SSOinclusion:false}]},{appName:profileid1}]','','DESKTOP',
'Default','DefaultService Domain ServiceBinding without any requiredToken')

updateServiceDomain

updateServiceDomain

Description

Updates a ServiceDomain.

Syntax

updateServiceDomain(securityHandlerPlugin, serviceBindingList, clientAppBindingList, mobileAuthStyle, serviceDomainType, name, description)

Table 4-25 updateServiceDomain Arguments

Argument Definition

securityHandlerPlugin

The name of the SecurityHandlerPlugin.

serviceBindingList

A list of the ServiceBinding objects in the format:

[{serviceName:UserProfile,allowRead:true,
allowWrite:true},{serviceName:UserProfile1,
allowRead:true,allowWrite:true,
requiredToken:[{tokenService:JWTAuthentication,
tokenType:{ACCESSTOKEN}}]},
{serviceName:usertokenserviceformobile,
requiredToken:[{tokenService:mobilesecurityservice1,
tokenType:{ACCESSTOKEN,CLIENTTOKEN}}]},
{serviceName:mobilesecurityservice1},
{serviceName:JWTAuthentication1},
{serviceName:OAMAuthorization}]

clientAppBindingList

A list of client applications specified in the format:

[{appName:UserProfile,mobileBinding:
[{SSOinclusion:true,SSOpriority:4}]}]

mobileAuthStyle

Mobile Authentication Style.

serviceDomainType

The type of Service Domain.

name

Name of the ServiceDomain.

description

Description of the ServiceDomain.


Example

updateServiceDomain('JunitDebugSecurityHandlerPlugin','[{serviceName:UserProfile,
allowRead:true,allowWrite:true},{serviceName:UserProfile1,allowRead:true,
allowWrite:true,requiredToken:[{tokenService:JWTAuthentication1,
tokenType:ACCESSTOKEN}]},{serviceName:JWTAuthentication},
{serviceName:OAMAuthentication},{serviceName:JWTAuthentication1},
{serviceName:OAMAuthorization,allowRead:true,allowWrite:false,
requiredToken:[{tokenService:OAMAuthentication,tokenType:USERTOKEN}]}]',
'[{appName:MobileAgent1,mobileBinding:[{SSOinclusion:true,SSOpriority:1}]},
{appName:MobileBusinessTestApp01,mobileBinding:[{SSOinclusion:true}]},
{appName:MobileAgent2,mobileBinding:[{SSOinclusion:true,SSOpriority:2}]},
{appName:MobileExpenseReport1,mobileBinding:[{SSOinclusion:false}]},
{appName:profileid1}]','','DESKTOP','Default',
'Default Service Domain ServiceBinding without any requiredToken')
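Writing the serviceBindingList and clientAppBindingList strings by hand is error-prone, so here is an added Python helper (example code, not part of the Oracle documentation or product) that renders Python dicts into the unquoted JSON-like form the createServiceDomain and updateServiceDomain examples above use, rejects tokenType values outside the four token types named in Table 4-20, and lists bindings that allow writes without requiring any token. The quoting rule (a value stays bare unless it contains characters such as ':' or '/') and the write-without-token review check are assumptions of this example; the same to_wlst renderer also covers the paramList, relationshipList and statementList arguments elsewhere on this page.

```python
import re

# Token types the supportedTokenList / tokenType arguments accept (Table 4-20).
TOKEN_TYPES = ("CLIENTTOKEN", "USERTOKEN", "ACCESSTOKEN", "CLIENTREGHANDLE")

# Assumed quoting rule: a scalar stays bare when it consists only of these
# characters; anything else (':' '/' '=' spaces ...) is double-quoted, as the
# reference examples do for "localhost:5575" and "samplemobileapp1://".
_BARE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def to_wlst(value):
    """Render a Python structure in the unquoted JSON-like form these commands take.
    Dict keys are emitted in insertion order (Python 3.7+; use OrderedDict on Jython)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str):
        return value if _BARE.match(value) else '"%s"' % value.replace('"', '\\"')
    if isinstance(value, (set, frozenset)):  # tokenType:{ACCESSTOKEN,CLIENTTOKEN}
        return "{" + ",".join(sorted(value)) + "}"
    if isinstance(value, dict):
        return "{" + ",".join("%s:%s" % (k, to_wlst(v)) for k, v in value.items()) + "}"
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(to_wlst(v) for v in value) + "]"
    raise TypeError("cannot render %r" % (value,))


def service_binding(service_name, allow_read=None, allow_write=None, required_token=()):
    """One serviceBindingList entry. required_token is an iterable of
    (tokenService, tokenType) pairs; tokenType is one name or a list of names."""
    entry = {"serviceName": service_name}
    if allow_read is not None:
        entry["allowRead"] = allow_read
    if allow_write is not None:
        entry["allowWrite"] = allow_write
    tokens = []
    for token_service, token_type in required_token:
        types = [token_type] if isinstance(token_type, str) else sorted(token_type)
        unknown = [t for t in types if t not in TOKEN_TYPES]
        if unknown:
            raise ValueError("unknown tokenType %s for %s" % (unknown, service_name))
        tokens.append({"tokenService": token_service,
                       "tokenType": types[0] if len(types) == 1 else frozenset(types)})
    if tokens:
        entry["requiredToken"] = tokens
    return entry


def app_binding(app_name, sso_inclusion=None, sso_priority=None):
    """One clientAppBindingList entry; mobileBinding is emitted only when SSO settings are given."""
    entry = {"appName": app_name}
    mobile = {}
    if sso_inclusion is not None:
        mobile["SSOinclusion"] = sso_inclusion
    if sso_priority is not None:
        mobile["SSOpriority"] = sso_priority
    if mobile:
        entry["mobileBinding"] = [mobile]
    return entry


def writable_without_token(bindings):
    """Review check added in this example (not a product rule): services the
    domain lets clients write to while requiring no token at all."""
    return [b["serviceName"] for b in bindings
            if b.get("allowWrite") and not b.get("requiredToken")]


# The bindings from the createServiceDomain example above, as Python data.
DEFAULT_BINDINGS = [
    service_binding("UserProfile", True, True),
    service_binding("UserProfile1", True, True, [("JWTAuthentication1", "ACCESSTOKEN")]),
    service_binding("JWTAuthentication"),
    service_binding("OAMAuthentication"),
    service_binding("JWTAuthentication1"),
    service_binding("OAMAuthorization", True, False, [("OAMAuthentication", "USERTOKEN")]),
]
DEFAULT_APPS = [
    app_binding("MobileAgent1", True, 1),
    app_binding("MobileBusinessTestApp01", True),
    app_binding("MobileAgent2", True, 2),
    app_binding("MobileExpenseReport1", False),
    app_binding("profileid1"),
]


def default_domain_args():
    """The seven positional arguments of createServiceDomain / updateServiceDomain."""
    return ("JunitDebugSecurityHandlerPlugin", to_wlst(DEFAULT_BINDINGS), to_wlst(DEFAULT_APPS),
            "", "DESKTOP", "Default",
            "Default Service Domain ServiceBinding without any requiredToken")


if __name__ == "__main__":
    plugin, bindings, apps, style, dtype, name, desc = default_domain_args()
    print("serviceBindingList   =", bindings)
    print("clientAppBindingList =", apps)
    print("writable with no requiredToken:", writable_without_token(DEFAULT_BINDINGS))
    # inside WLST the same values would be passed as:
    # createServiceDomain(plugin, bindings, apps, style, dtype, name, desc)
```

Run outside WLST the script only prints the argument strings and the review finding (UserProfile is writable with no required token in the page's own example); inside a WLST session the tuple can be unpacked with createServiceDomain(*default_domain_args()).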

getServiceDomains

getServiceDomains

Description

Lists all ServiceDomain objects.

Syntax

getServiceDomains()

This command has no arguments.

Example

getServiceDomains()

The following lines show sample output:

ServiceDomain: MobileServiceDomainUTReg
ServiceDomain: MobileRPServiceDomain
ServiceDomain: Contract1
ServiceDomain: MobileJWTServiceDomain
ServiceDomain: MobileRPServiceDomainUTReg
ServiceDomain: MobileContract
ServiceDomain: Default
ServiceDomain: MobileServiceDomain

removeServiceDomain

removeServiceDomain

Description

Removes a ServiceDomain.

Syntax

removeServiceDomain(name)

where name is the name of the ServiceDomain to be removed.

Example

removeServiceDomain('name')

displayServiceDomain

displayServiceDomain

Description

Displays a ServiceDomain.

Syntax

displayServiceDomain(name)

Example

displayServiceDomain('name')

The following lines show sample output:

Displaying: ServiceDomain : Contract1
ReadOnly = 0
Description = Service Domain 1 using HTTPBasic or Token based Client Token
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=Contract1,type=Xml.ServiceDomain,Xml=MobileService
MobileAuthStyle = None
ServiceBinding = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.
CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=
com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TServiceBinding,
items=((itemName=allowRead,itemType=javax.management.openmbean.SimpleType(name=
java.lang.Boolean)),(itemName=allowWrite,itemType=javax.management.openmbean.
SimpleType(name=java.lang.Boolean)),(itemName=requiredToken,itemType=javax.managem
ent.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_
0.TRequiredToken,items=((itemName=tokenService,itemType=javax.management.openmbean
.SimpleType(name=java.lang.String)),(itemName=tokenType,itemType=javax.management.
openmbean.ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.managem
ent.openmbean.SimpleType(name=java.lang.String),primitiveArray=false))))),(itemNam
e=serviceName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String
)))),contents={allowRead=true, allowWrite=true,
requiredToken=javax.management.openmbean.CompositeDataSupport(compositeType=javax.
management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_
11_1_2_0_0.TRequiredToken,
items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=
java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.
ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.
openmbean.SimpleType(name=java.lang.String),primitiveArray=false)))),
contents={tokenService=JWTAuthentication, tokenType=[Ljava.lang.String;@d0fbf2}),
serviceName=UserProfile}),
javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.
openmbean.CompositeType(name=
com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TServiceBinding,
items=((itemName=allowRead,itemType=javax.management.openmbean.SimpleType(name=
java.lang.Boolean)),(itemName=allowWrite,itemType=javax.management.openmbean.
SimpleType(name=java.lang.Boolean)),(itemName=requiredToken,itemType=
javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_
config_11_1_2_0_0.TRequiredToken,
items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=
java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.
ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.
openmbean.SimpleType(name=java.lang.String),primitiveArray=false))))),
(itemName=serviceName,itemType=javax.management.openmbean.SimpleType(name=
java.lang.String)))),contents={allowRead=null, allowWrite=null,
requiredToken=null, serviceName=JWTAuthentication})])
MobileCredLevelForRegApp = None
ServiceDomainType = DESKTOP
Name = Contract1
ConfigMBean = 1
ClientAppBinding =
array(javax.management.openmbean.CompositeData,
[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.
openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0
TApplicationBinding,items=((itemName=appName,itemType=javax.management.openmbean.
SimpleType(name=java.lang.String)),(itemName=mobileBinding,itemType=javax.
management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.
idaas_config_11_1_2_0_0.TMobileBinding,items=((itemName=SSOinclusion,
itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),
(itemName=SSOpriority,itemType=javax.management.openmbean.SimpleType(name=
java.lang.Short))))))),contents={appName=profileid1, mobileBinding=null}),
javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.
openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0
.TApplicationBinding,items=((itemName=appName,itemType=javax.management.openmbean
.SimpleType(name=java.lang.String)),(itemName=mobileBinding,itemType=javax.manage
ment.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas
.idaas_config_11_1_2_0_0.TMobileBinding,items=
((itemName=SSOinclusion,itemType=javax.management.openmbean.SimpleType(name=
java.lang.Boolean)),(itemName=SSOpriority,itemType=javax.management.openmbean.
SimpleType(name=java.lang.Short))))))),contents={appName=profileid2,
mobileBinding=null})])
SecurityHandlerPluginName = None
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0

createSecurityHandlerPlugin

createSecurityHandlerPlugin

Description

Creates a SecurityHandlerPlugin.

Syntax

createSecurityHandlerPlugin(securityHandlerClass, paramList, name, description)

Table 4-26 createSecurityHandlerPlugin Arguments

Argument Definition

securityHandlerClass

Name of the security handler class.

paramList

A list of parameters.

name

Name of the SecurityHandlerPlugin.

description

Description of the SecurityHandlerPlugin.


Example

createSecurityHandlerPlugin('oracle.security.idaas.rest.provider.plugin.impl.DefaultMobileSecurityHandlerImpl','[{allowJailBrokenDevices:false},{requiredHardwareIds:MAC_ADDRESS},{requiredDeviceProfileAttrs:OSType OSVersion isJailBroken clientSDKVersion}]','DefaultSecurityHandlerPlugin','')

updateSecurityHandlerPlugin

updateSecurityHandlerPlugin

Description

Updates a SecurityHandlerPlugin.

Syntax

updateSecurityHandlerPlugin(securityHandlerClass, paramList, name, description)

Table 4-27 updateSecurityHandlerPlugin Arguments

Argument Definition

securityHandlerClass

Name of the security handler class.

paramList

A list of parameters.

name

Name of the SecurityHandlerPlugin.

description

Description of the SecurityHandlerPlugin.


Example

updateSecurityHandlerPlugin('oracle.security.idaas.rest.provider.plugin.impl.DefaultMobileSecurityHandlerImpl','[{allowJailBrokenDevices:false},{requiredHardwareIds:MAC_ADDRESS},{requiredDeviceProfileAttrs:OSType OSVersion isJailBroken clientSDKVersion}]','DefaultSecurityHandlerPlugin','')

getSecurityHandlerPlugins

getSecurityHandlerPlugins

Description

Lists all SecurityHandlerPlugin objects.

Syntax

getSecurityHandlerPlugins()

This command has no arguments.

Example

getSecurityHandlerPlugins()

The following lines show sample output:

SecurityHandlerPlugin: JunitDebugSecurityHandlerPlugin
SecurityHandlerPlugin: OaamSecurityHandlerPlugin
SecurityHandlerPlugin: DefaultSecurityHandlerPlugin

removeSecurityHandlerPlugin

removeSecurityHandlerPlugin

Description

Removes a SecurityHandlerPlugin.

Syntax

removeSecurityHandlerPlugin(name)

where name is the name of the SecurityHandlerPlugin to be removed.

Example

removeSecurityHandlerPlugin('name')

displaySecurityHandlerPlugin

displaySecurityHandlerPlugin

Description

Displays a SecurityHandlerPlugin.

Syntax

displaySecurityHandlerPlugin(name)

where name is the name of the SecurityHandlerPlugin to be displayed.

Example

displaySecurityHandlerPlugin('name')

createJailBreakingDetectionPolicy

createJailBreakingDetectionPolicy

Description

Creates a JailBreakingDetectionPolicy.

Syntax

createJailBreakingDetectionPolicy(enabled, statementList, name)

Table 4-28 createJailBreakingDetectionPolicy Arguments

Argument Definition

enabled

Boolean flag indicating whether the policy is enabled.

statementList

A list of policy statements specified in JSON format (see the example).

name

Name of the JailBreakingDetectionPolicy.


Example

createJailBreakingDetectionPolicy(true,'[{minOSVersion:3.5,maxOSVersion:5.0,minClientSDKVersion:1.0,maxClientSDKVersion:1.0,policyExpirationDurationInSec:3600,autoCheckPeriodInMin:60,detectionLocation:[{filePath:"/root",success:true,action:exists},{filePath:"/opt",success:true,action:exists}]}]','defaultJailBreakingDetectionPolicy')

updateJailBreakingDetectionPolicy

updateJailBreakingDetectionPolicy

Description

Updates a JailBreakingDetectionPolicy.

Syntax

updateJailBreakingDetectionPolicy(enabled, statementList, name)

Table 4-29 updateJailBreakingDetectionPolicy Arguments

Argument Definition

enabled

Boolean flag indicating whether the policy is enabled.

statementList

A list of policy statements specified in JSON format (see the example).

name

Name of the JailBreakingDetectionPolicy.


Example

updateJailBreakingDetectionPolicy(true,'[{minOSVersion:3.5,maxOSVersion:5.0,minClientSDKVersion:1.0,maxClientSDKVersion:1.0,policyExpirationDurationInSec:3600,autoCheckPeriodInMin:60,detectionLocation:[{filePath:"/root",success:true,action:exists},{filePath:"/opt",success:true,action:exists}]}]','defaultJailBreakingDetectionPolicy')

getJailBreakingDetectionPolicys

getJailBreakingDetectionPolicys

Description

Lists all JailBreakingDetectionPolicy objects.

Syntax

getJailBreakingDetectionPolicys()

This command has no arguments.

Example

getJailBreakingDetectionPolicys()

The following lines show sample output:

JailBreakingDetectionPolicy: DefaultJailBreakingDetectionPolicy

removeJailBreakingDetectionPolicy

removeJailBreakingDetectionPolicy

Description

Removes a JailBreakingDetectionPolicy.

Syntax

removeJailBreakingDetectionPolicy(name)

where name is the name of the JailBreakingDetectionPolicy.

Example

removeJailBreakingDetectionPolicy('name')

displayJailBreakingDetectionPolicy

displayJailBreakingDetectionPolicy

Description

Displays a JailBreakingDetectionPolicy.

Syntax

displayJailBreakingDetectionPolicy(name)

where name is the name of the JailBreakingDetectionPolicy.

Example

displayJailBreakingDetectionPolicy('DefaultJailBreakingDetectionPolicy')

The following lines show sample output:

Displaying: JailBreakingDetectionPolicy : DefaultJailBreakingDetectionPolicy
ReadOnly = 0
ConfigMBean = 1
Name = DefaultJailBreakingDetectionPolicy
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=DefaultJailBreakingDetectionPolicy,type=Xml.JailBreakingDetectionPolicy,Xml=MobileService
Enable = 1
JailBreakingDetectionPolicyStatement =
array(javax.management.openmbean.CompositeData,[javax.management.openmbean.
CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=
com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.
TJailBreakingDetectionPolicyStatement,items=((itemName=autoCheckPeriodInMin,
itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),
(itemName=detectionLocation,itemType=javax.management.openmbean.ArrayType(name=
[Ljavax.management.openmbean.CompositeData;,dimension=1,elementType=
javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.
idaas_config_11_1_2_0_0.
TDetectionLocation,items=((itemName=action,itemType=javax.management.openmbean.
SimpleType(name=java.lang.String)),(itemName=filePath,itemType=javax.management.
openmbean.SimpleType(name=java.lang.String)),(itemName=success,itemType=javax.
management.openmbean.SimpleType(name=java.lang.Boolean)))),primitiveArray=false)),
(itemName=enable,itemType=javax.management.openmbean.SimpleType(name=java.lang.
Boolean)),(itemName=maxClientSDKVersion,itemType=javax.management.openmbean.
SimpleType(name=java.lang.String)),(itemName=maxOSVersion,itemType=javax.
management.openmbean.SimpleType(name=java.lang.String)),(itemName=
minClientSDKVersion,itemType=javax.management.openmbean.SimpleType(name=
java.lang.String)),
(itemName=minOSVersion,itemType=javax.management.openmbean.SimpleType(name=
java.lang.String)),(itemName=policyExpirationDurationInSec,itemType=javax.
management.openmbean.SimpleType(name=java.lang.Long)))),contents=
{autoCheckPeriodInMin=60,detectionLocation=[Ljavax.management.openmbean.
CompositeData;@2dc906,enable=true,maxClientSDKVersion=11.1.2.0.0,
maxOSVersion=null, minClientSDKVersion=11.1.2.0.0, minOSVersion=1.0,
policyExpirationDurationInSec=3600})])
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0

Oracle Access Management Security Token Service

Table 4-30 describes the various types of WLST commands available for the Oracle Access Management Security Token Service (Security Token Service).

Table 4-30 WLST Security Token Service Command Groups

OSTS Command Type Description

Partner Commands

WLST commands related to tasks involving partners.

Relying Party Partner Mapping Commands

The WS Prefix to Relying Party Partner mappings are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart...

Partner Profiles Commands

WLST commands related to tasks involving partner profiles.

Issuance Templates Commands

WLST commands related to tasks involving issuance templates.

Validation Templates Commands

WLST commands related to tasks involving validation templates.


Use the WLST commands listed in Table 4-31 to manage the Security Token Service.

Table 4-31 WLST Commands Security Token Service

Use this command... To... Use with WLST...

Partner Commands


getPartner

Retrieve a partner and print result.

Online

getAllRequesterPartners

Retrieve the names of Requester partners.

Online

getAllRelyingPartyPartners

Retrieve the names of all Relying Party partners.

Online

getAllIssuingAuthorityPartners

Retrieve the names of all Issuing Authority partners.

Online

isPartnerPresent

Query Security Token Service to determine whether or not the partner exists in the Partner store.

Online

createPartner

Create a new Partner entry.

Online

updatePartner

Update an existing Partner entry based on the provided information.

Online

deletePartner

Delete a partner entry.

Online

getPartnerUsernameTokenUsername

Retrieve the partner's username value.

Online

getPartnerUsernameTokenPassword

Retrieve the partner's password value.

Online

setPartnerUsernameTokenCredential

Set the username and password values of a partner entry.

Online

deletePartnerUsernameTokenCredential

Remove the username and password values from a partner entry.

Online

getPartnerSigningCert

Retrieve the Base64 encoded signing certificate for the partner.

Online

getPartnerEncryptionCert

Retrieve the Base64 encoded encryption certificate for the partner.

Online

setPartnerSigningCert

Upload the signing certificate to the partner entry.

Online

setPartnerEncryptionCert

Upload the encryption certificate to the partner entry.

Online

deletePartnerSigningCert

Remove the signing certificate from the partner entry.

Online

Offline

deletePartnerEncryptionCert

Remove the encryption certificate from the partner entry.

Online

Offline

getPartnerAllIdentityAttributes

Retrieve and display all Identity mapping attributes used to map a token to a requester partner.

Online

Offline

getPartnerIdentityAttribute

Retrieve and display the identity mapping attribute.

Online

Offline

setPartnerIdentityAttribute

Set the identity mapping attribute for a requester partner.

Online

Offline

deletePartnerIdentityAttribute

Delete the identity mapping attribute for a requester partner.

Online

Offline

Relying Party Partner Mapping Commands

   

getAllWSPrefixAndPartnerMappings

Retrieve and display all WS Prefixes.

Online

Offline

getWSPrefixAndPartnerMapping

Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter.

Online

Offline

createWSPrefixAndPartnerMapping

Create a new WS Prefix mapping to a Relying Party Partner.

Online

Offline

deleteWSPrefixAndPartnerMapping

Delete an existing WS Prefix mapping to a Relying Party Partner.

Online

Offline

Partner Profiles Commands

   

getAllPartnerProfiles

Retrieve the names of all the existing partner profiles.

Online

getPartnerProfile

Retrieve partner profile configuration data.

Online

createRequesterPartnerProfile

Create a new Requester Partner profile with default configuration data.

Online

createRelyingPartyPartnerProfile

Create a new Relying Party Partner profile with default configuration data.

Online

createIssuingAuthorityPartnerProfile

Create a new Issuing Authority Partner profile with default configuration data.

Online

deletePartnerProfile

Delete an existing partner profile.

Online

Issuance Template Commands

   

getAllIssuanceTemplates

Retrieve the names of all the existing Issuance Templates.

Online

Offline

getIssuanceTemplate

Retrieve configuration data of a specific Issuance Template.

Online

createIssuanceTemplate

Create a new Issuance Template with default configuration data.

Online

deleteIssuanceTemplate

Delete an existing Issuance Template.

Online

Offline

Validation Template Commands

   

getAllValidationTemplates

Retrieve the names of all the existing Validation Templates.

Online

Offline

getValidationTemplate

Retrieve configuration data of a specific Validation Template.

Online

Offline

createWSSValidationTemplate

Create a new WS Security Validation Template with default configuration data.

Online

Offline

createWSTrustValidationTemplate

Create a new WS Trust Validation Template with default configuration data.

Online

Offline

deleteValidationTemplate

Delete an existing Validation Template.

Online

Offline


getPartner

Online command that retrieves the Partner entry and prints out the configuration for this partner.

Description

Retrieves the Partner entry and prints out the configuration for this partner.

Syntax

getPartner(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation retrieves the Partner entry and prints out the configuration for customPartner:

getPartner(partnerId="customPartner")

getAllRequesterPartners

Online command that retrieves Requester type partners.

Description

Retrieves Requester type partners.

Syntax

getAllRequesterPartners()

Example

The following invocation retrieves Requester type partners:

getAllRequesterPartners()

getAllRelyingPartyPartners

Online command that retrieves Relying Party partners.

Description

Retrieves the Relying Party partners.

Syntax

getAllRelyingPartyPartners()

Example

The following invocation retrieves Relying Party partners:

getAllRelyingPartyPartners()

getAllIssuingAuthorityPartners

Online command that retrieves Issuing Authority partners and prints out the result.

Description

Retrieves the Issuing Authority partners and prints out the result.

Syntax

getAllIssuingAuthorityPartners()

Example

The following invocation retrieves Issuing Authority partners and prints out the result:

getAllIssuingAuthorityPartners()

isPartnerPresent

Online command that queries the Security Token Service to determine whether or not the specified partner exists in the Partner store.

Description

Queries the Security Token Service to determine whether or not the specified partner exists in the Partner store, and prints out the result.

Syntax

isPartnerPresent(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation queries the Security Token Service to determine whether or not customPartner exists in the Partner store, and prints out the result:

isPartnerPresent(partnerId="customPartner")

createPartner

Online command that creates a new Partner entry.

Description

Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.

Syntax

createPartner(partnerId, partnerType, partnerProfileId, description,
bIsTrusted)
Argument Definition
partnerId

Specifies the ID of the new partner to be created.

partnerType

Specifies the type of partner. Values can be one of the following:

  • STS_REQUESTER for Requester

  • STS_RELYING_PARTY for Relying Party

  • STS_ISSUING_AUTHORITY for Issuing Authority

partnerProfileId

Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry.

description

Specifies the optional description of this new partner entry.

bIsTrusted

A value that indicates whether or not this new partner is trusted. Value can be either:

  • true for trusted

  • false if not trusted


Example

The following invocation creates the STS_REQUESTER partner customPartner, attached to the partner profile custom-partnerprofile, with the description "custom requester" and a trust value of true, and displays a message indicating the result of the operation:

createPartner(partnerId="customPartner", partnerType="STS_REQUESTER",
partnerProfileId="custom-partnerprofile", description="custom requester",
bIsTrusted="true")

updatePartner

Online command that updates an existing Partner entry.

Description

Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.

Syntax

updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
Argument Definition
partnerId

Specifies the ID of the existing partner to be updated.

partnerProfileId

Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the partner entry.

description

Specifies the optional description of this partner entry.

bIsTrusted

A value that indicates whether or not this partner is trusted. Value can be either:

  • true for trusted

  • false if not trusted


Example

The following invocation updates customPartner with a new profile ID, (x509-wss-validtemp), description (custom requester with new profile id), and a trust value of false. A message indicates the result of the operation:

updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp",
description="custom requester with new profile id", bIsTrusted="false")

deletePartner

Online command that deletes a partner entry from the Security Token Service.

Description

Deletes an existing Partner entry referenced by the partnerId parameter from the Security Token Service, and prints out the result of the operation.

Syntax

deletePartner(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner to be deleted.


Example

The following invocation deletes the customPartner partner entry referenced by the partnerId parameter from the Security Token Service, and prints out the result of the operation:

deletePartner(partnerId="customPartner")

getPartnerUsernameTokenUsername

Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.

Description

Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

Syntax

getPartnerUsernameTokenUsername(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation retrieves the customPartner partner username value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenUsername(partnerId="customPartner")

getPartnerUsernameTokenPassword

Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.

Description

Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

Syntax

getPartnerUsernameTokenPassword(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation retrieves customPartner partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenPassword(partnerId="customPartner")

setPartnerUsernameTokenCredential

Online command that sets the username and password values of a partner entry that will be used for UNT credentials partner validation or mapping operations.

Description

Sets the username and password values of a partner entry that will be used for UNT credentials partner validation or mapping operations. Displays the result of the operation.

Syntax

setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
Argument Definition
partnerId

Specifies the ID of the partner.

UTUsername

Specifies the username value used for UNT credentials validation or mapping operations.

UTPassword

Specifies the password value used for UNT credentials validation or mapping operations.


Example

The following invocation sets the username and password values of the customPartner partner entry, and displays the result of the operation:

setPartnerUsernameTokenCredential(partnerId="customPartner", UTUsername="test", UTPassword="password")

deletePartnerUsernameTokenCredential

Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

Description

Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

Syntax

deletePartnerUsernameTokenCredential(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner whose username and password values are to be removed.


Example

The following invocation removes the username and password values used for UNT credentials partner validation or mapping operations from the customPartner partner entry, and displays the result of the operation:

deletePartnerUsernameTokenCredential(partnerId="customPartner")

getPartnerSigningCert

Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

Description

Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

Syntax

getPartnerSigningCert(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation retrieves Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string:

getPartnerSigningCert(partnerId="customPartner")

getPartnerEncryptionCert

Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.

Description

Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.

Syntax

getPartnerEncryptionCert(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string:

getPartnerEncryptionCert(partnerId="customPartner")

setPartnerSigningCert

Online command that uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.

Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.

Syntax

setPartnerSigningCert(partnerId, certFile)
Argument Definition
partnerId

Specifies the ID of the partner.

certFile

Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM.


Example

The following invocation uploads the provided certificate to the partner entry customPartner as the signing certificate. Displays the result of the operation:

setPartnerSigningCert(partnerId="customPartner", certFile="/temp/signing_cert")

setPartnerEncryptionCert

Online command that uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.

Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.

Syntax

setPartnerEncryptionCert(partnerId, certFile)
Argument Definition
partnerId

Specifies the ID of the partner.

certFile

Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM.


Example

The following invocation uploads the provided certificate to the partner entry customPartner as the encryption certificate. Displays the result of the operation:

setPartnerEncryptionCert(partnerId="customPartner", certFile="/temp/encryption_cert")
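Before uploading a partner certificate with setPartnerSigningCert or setPartnerEncryptionCert, and after reading it back with getPartnerSigningCert or getPartnerEncryptionCert, a practitioner wants to confirm that the file is well-formed DER or PEM and that its fingerprint matches the value the partner communicated out of band. The helper below is an added example, not Oracle code; it runs under Python 3 with the standard library only and calls no WLST command. The page supports only that the set commands accept DER and PEM files and that the get commands print the certificate as a Base64 string; the DER length check, the SHA-256 fingerprint format and the constructed SAMPLE_DER blob (a bare ASN.1 SEQUENCE, not a real certificate) are assumptions made for the illustration.

```python
# Added example (not Oracle code): preflight a partner certificate file before
# setPartnerSigningCert / setPartnerEncryptionCert and compare it with the
# Base64 string printed by getPartnerSigningCert / getPartnerEncryptionCert.
# Supported on the page: DER and PEM input, Base64 output. Everything else
# (length check, fingerprint format, sample data) is an assumption.
import base64
import binascii
import hashlib
import re

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def _der_total_length(der):
    """Length the outer DER SEQUENCE claims for itself (tag + length + content)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (X.509 certificates start with 0x30)")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long-form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def load_cert_der(data):
    """Accept PEM or DER bytes (the formats the set commands take) and return DER."""
    m = _PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(m.group(1), validate=False)
        except binascii.Error as e:
            raise ValueError("PEM body is not valid Base64: %s" % e)
    else:
        der = data
    # A truncated file or trailing junk is the most common way a cert upload
    # silently goes wrong; refuse anything whose DER length disagrees with its size.
    if _der_total_length(der) != len(der):
        raise ValueError("DER length does not match data size (truncated or trailing bytes)")
    return der


def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_file(path):
    """Fingerprint of the certFile you are about to pass to setPartner*Cert."""
    with open(path, "rb") as f:
        return fingerprint(load_cert_der(f.read()))


def fingerprint_from_base64(b64):
    """Fingerprint of the Base64 string printed by getPartner*Cert (whitespace tolerated)."""
    return fingerprint(load_cert_der(base64.b64decode("".join(b64.split()))))


# Constructed sample: a minimal DER SEQUENCE holding one INTEGER. It is *not*
# a real certificate; it only exercises the format checks and fingerprinting.
SAMPLE_DER = b"\x30\x05\x02\x03\x01\x02\x03"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("file  :", fingerprint(load_cert_der(SAMPLE_PEM)))
    print("stored:", fingerprint_from_base64(SAMPLE_B64))
```

The helper deliberately does not parse the certificate body or check expiry or chain; its job is to catch a truncated or mis-encoded file before it becomes the partner's trust anchor, and to confirm that what the Security Token Service stored (the Base64 value from the get command) is the certificate you intended to upload.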

deletePartnerSigningCert

Online command that removes the signing certificate from the partner entry and displays the result of the operation.

Description

Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

Syntax

deletePartnerSigningCert(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation removes the signing certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerSigningCert(partnerId="customPartner")

deletePartnerEncryptionCert

Online command that removes the encryption certificate from the partner entry and displays the result of the operation.

Description

Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

Syntax

deletePartnerEncryptionCert(partnerId)
Argument Definition
partnerId

Specifies the ID of the partner.


Example

The following invocation removes the encryption certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerEncryptionCert(partnerId="customPartner")

getPartnerAllIdentityAttributes

Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

Description

Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

Syntax

getPartnerAllIdentityAttributes(partnerId)
Argument Definition
partnerId

Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester.


Example

The following invocation retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner: customPartner.

getPartnerAllIdentityAttributes(partnerId="customPartner")

getPartnerIdentityAttribute

Online command that retrieves and displays one identity mapping attribute used to map a token, or binding data, to a requester partner.

Description

Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

Syntax

getPartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId

Specifies the ID of the Requester partner.

identityAttributeName

Specifies the name of the identity mapping attribute to retrieve and display. For example: httpbasicusername.


Example

The following invocation retrieves and displays one identityAttribute and its value as specified by identityAttributeName.

getPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername")

setPartnerIdentityAttribute

Online command that sets the identity mapping attribute for the Requester partner.

Description

Sets the identity mapping attribute specified by identityAttributeName for the partner of type Requester specified by the partnerId parameter. These identity mapping attributes only exist for Requester partners. Displays the result of the operation.

Syntax

setPartnerIdentityAttribute(partnerId, identityAttributeName, 
identityAttributeValue)
Argument Definition
partnerId

Specifies the ID of the partner of type Requester.

identityAttributeName

Specifies the name of the identity mapping attribute to set. For example: httpbasicusername.

identityAttributeValue

Specifies the value of the identity mapping attribute to set.


Example

The following invocation sets the identity mapping attribute httpbasicusername to the value test for the Requester partner customPartner, and displays the result of the operation.

setPartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername",identityAttributeValue="test")

deletePartnerIdentityAttribute

Online command that deletes the identity mapping attribute.

Description

Deletes the identity mapping attribute specified by identityAttributeName.

The identity mapping attributes are used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner; they only exist for Requester partners.

Syntax

deletePartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId

Specifies the ID of the partner.

identityAttributeName

Specifies the name of the identity mapping attribute to delete.


Example

The following invocation deletes the identity mapping attribute specified by identityAttributeName for Requester partner customPartner.

deletePartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername")

getAllWSPrefixAndPartnerMappings

Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.

Description

Retrieves and displays all WS Prefixes to Relying Party Partner mappings.

Syntax

getAllWSPrefixAndPartnerMappings() 

Example

The following invocation retrieves and displays all WS Prefix to Relying Party Partner mappings.

getAllWSPrefixAndPartnerMappings() 

getWSPrefixAndPartnerMapping

Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

Description

Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

Syntax

getWSPrefixAndPartnerMapping(wsprefix) 
Argument Definition
wsprefix

Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


Example

The following invocation retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

getWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")

createWSPrefixAndPartnerMapping

Online command that creates a new WS Prefix mapping to a Relying Party Partner.

Description

Creates a new WS Prefix mapping to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation.

Syntax

createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
Argument Definition
wsprefix

Specifies the WS Prefix entry to create. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path

partnerid

Specifies the ID of the Relying Party Partner to map the WS Prefix to.

description

Specifies an optional description.


Example

The following invocation creates a new WS Prefix mapping to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation.

createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path",
partnerid="customRPpartner", description="some description")

deleteWSPrefixAndPartnerMapping

Online command that deletes an existing mapping of a WS Prefix to a Relying Party Partner.

Description

Deletes an existing mapping of a WS Prefix to a Relying Party Partner, and displays the result of the operation.

Syntax

deleteWSPrefixAndPartnerMapping(wsprefix)
Argument Definition
wsprefix

Specifies the WS Prefix entry to delete. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


Example

The following invocation deletes the existing mapping of the WS Prefix to a Relying Party Partner, and displays the result of the operation.

deleteWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")

getAllPartnerProfiles

Online command that retrieves the names of all the existing partner profiles and displays them.

Description

Retrieves the names of all the existing partner profiles and displays them.

Syntax

getAllPartnerProfiles()

Example

The following invocation retrieves the names of all the existing partner profiles and displays them.

getAllPartnerProfiles()

getPartnerProfile

Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.

Description

Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

Syntax

getPartnerProfile(partnerProfileId)
Argument Definition
partnerProfileId

Specifies the name of the partner profile.


Example

The following invocation retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

getPartnerProfile(partnerProfileId="custom-partnerprofile")

createRequesterPartnerProfile

Online command that creates a new requester partner profile with default configuration data.

Description

Creates a new requester partner profile with default configuration data, and displays the result of the operation.

Table 4-32 describes the default configuration created with this command.

Table 4-32 Default Configuration: createRequesterPartnerProfile

Element Description
Return Error for Missing Claims

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template:

  • SAML 1.1 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
    

    The SAML 1.1 token type is not mapped to any WS-Trust Validation Template.

  • SAML 2.0 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
    

    The SAML 2.0 token type is not mapped to any WS-Trust Validation Template.

  • Username token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
    

    The Username token type is not mapped to any WS-Trust Validation Template.

Note: None of the token types above is mapped to a Validation Template; the token type to Validation Template mappings are empty by default.

Attribute Name Mapping

Default: The Attribute Name Mapping table is empty by default.


Syntax

createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, 
description)
Argument Definition
partnerProfileId

Specifies the name of the partner profile.

defaultRelyingPartyPPID

Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner.

description

Specifies the optional description for this partner profile


Example

The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 4-32.

createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom
partner profile")
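The prefix semantics described for the Relying Party Partner Mapping commands (a WS Prefix matches the exact service URL in the AppliesTo field of the RST, or a parent path of it) and the defaultRelyingPartyPPID fallback described just above can be seen together in the resolver below. It is an added illustration, not Oracle code and not the logic the Security Token Service runs; it calls no WLST command and runs under a standard Python 3 interpreter (the WLST shell itself is Jython). The page supports only the prefix and fallback behaviour; the rest is assumption: that the most specific matching prefix wins when several match, that scheme and host compare case-insensitively, and that the second mapping (to a hypothetical ShopPartner) exists.

```python
# Added example (not Oracle code): resolve the AppliesTo service URL of a
# WS-Trust RST to a Relying Party Partner using WS Prefix mappings such as
# those created with createWSPrefixAndPartnerMapping, falling back to the
# requester profile's defaultRelyingPartyPPID when AppliesTo is absent or
# unmapped. Longest-prefix-wins and case-insensitive host matching are
# assumptions; the page does not state how overlapping prefixes are ordered.
from urllib.parse import urlsplit


def _split_url(url):
    """Return (scheme, host, path segments); '/a/' and '/a' compare equal."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("service URL must be absolute http(s): %r" % (url,))
    segments = [s for s in parts.path.split("/") if s]
    return parts.scheme.lower(), parts.netloc.lower(), segments


def prefix_matches(wsprefix, service_url):
    """True if wsprefix is the service URL itself or a parent path of it.

    Comparison is per whole path segment, so a prefix of
    http://test.com/service matches http://test.com/service/shop/cart
    but NOT http://test.com/serviceEvil (string-prefix matching would).
    """
    p_scheme, p_host, p_segs = _split_url(wsprefix)
    s_scheme, s_host, s_segs = _split_url(service_url)
    if (p_scheme, p_host) != (s_scheme, s_host):
        return False
    return s_segs[: len(p_segs)] == p_segs


def resolve_relying_party(applies_to, mappings, default_rp_ppid=None):
    """Map an RST's AppliesTo value to a Relying Party Partner.

    mappings: dict wsprefix -> Relying Party Partner ID.
    Returns ("partner", partnerId) on a hit. If AppliesTo is missing or maps
    to nothing, returns ("default_profile", ppid) when the requester profile
    carries a defaultRelyingPartyPPID, otherwise raises LookupError so the
    caller refuses to issue a token for an unknown relying party.
    """
    if applies_to:
        best = None  # (depth, partnerId) of the most specific matching prefix
        for wsprefix, partner_id in mappings.items():
            if prefix_matches(wsprefix, applies_to):
                depth = len(_split_url(wsprefix)[2])
                if best is None or depth > best[0]:
                    best = (depth, partner_id)
        if best is not None:
            return ("partner", best[1])
    if default_rp_ppid:
        return ("default_profile", default_rp_ppid)
    raise LookupError("AppliesTo %r is not mapped to any Relying Party Partner" % (applies_to,))


# Constructed sample mappings: the first mirrors the Table 4-30 example, the
# second (ShopPartner) is hypothetical and only shows overlapping prefixes.
SAMPLE_MAPPINGS = {
    "http://test.com/service": "RelyingPartyPartnerTest",
    "http://test.com/service/shop": "ShopPartner",
}

if __name__ == "__main__":
    for url in ("http://test.com/service",
                "http://test.com/service/calculatorService",
                "http://test.com/service/shop/cart",
                "http://test.com/serviceEvil"):
        try:
            print(url, "->", resolve_relying_party(url, SAMPLE_MAPPINGS))
        except LookupError as e:
            print(url, "->", e)
```

The segment-wise comparison in prefix_matches is the check to look for when reviewing mappings: a mapping for http://test.com/service must not be applied to http://test.com/serviceEvil, because the token issued would be scoped to a relying party that never registered that service.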

createRelyingPartyPartnerProfile

Online command that creates a new relying party partner profile with default configuration data.

Description

Creates a new relying party partner profile with default configuration data, and displays the result of the operation.

Table 4-33 describes the default configuration created with this command.

Table 4-33 Default Configuration: createRelyingPartyPartnerProfile

Element Description

Download Policy

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration will contain a single entry, with:

  • The token type set to the type of Issuance Template referenced by defaultIssuanceTemplateID

  • The Issuance template set to defaultIssuanceTemplateID

Note: Only the token type of the issuance template referenced by defaultIssuanceTemplateID is linked to an issuance template; the other token types are not linked to any issuance template.

If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID

Attribute Name Mapping

The Attribute Name Mapping table is empty by default.


Syntax

createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, 
description)
Argument Definition
partnerProfileId

Specifies the name of the partner profile.

defaultIssuanceTemplateID

Specifies the default issuance template and token type to issue if no token type was specified in the RST.

description

Specifies the optional description for this partner profile


Example

The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.

createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")

createIssuingAuthorityPartnerProfile

Online command that creates a new issuing authority partner profile with default configuration data.

Description

Creates a new issuing authority partner profile with the default configuration data in Table 4-34, and displays the result of the operation.

Table 4-34 Default Configuration: createIssuingAuthorityPartnerProfile

Element Description

Server Clockdrift

Default: 600 seconds

Token Mapping

The Token Mapping Section will be configured as follows:

  • Override Simple User Mapping: false

  • Override User NameID Mapping: false

  • Override Attribute Based User Mapping: false

  • Override Simple Partner Mapping: false

  • Override Partner NameID Mapping: false

Empty fields

  • simple user mapping

  • attribute based user mapping

  • simple partner mapping

Partner NameID Mapping

The Partner NameID Mapping table will be provisioned with the following entries as NameID format, with no data in the datastore column.

The table will contain the following entries:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping

The User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

Attribute Mapping

The Attribute Value Mapping and Attribute Name Mapping tables are empty by default.


Syntax

createIssuingAuthorityPartnerProfile(partnerProfileId, description)
Argument Definition
partnerProfileId

Specifies the name of the partner profile.

description

Specifies the optional description for this partner profile


Example

The following invocation creates a new issuing authority partner profile with default configuration data, and displays the result of the operation.

createIssuingAuthorityPartnerProfile(partnerProfileId="custom-partnerprofile",
description="custom partner profile")

deletePartnerProfile

Online command that deletes a partner profile referenced by the partnerProfileId parameter.

Description

Deletes a partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

Syntax

deletePartnerProfile(partnerProfileId) 
Argument Definition
partnerProfileId

Specifies the name of the partner profile to be removed.


Example

The following invocation deletes a partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

deletePartnerProfile(partnerProfileId="custom-partnerprofile")

getAllIssuanceTemplates

Online command that retrieves the names of all the existing issuance templates.

Description

Retrieves the names of all the existing issuance templates and displays them.

Syntax

getAllIssuanceTemplates()

Example

The following invocation retrieves the names of all the existing issuance templates and displays them.

getAllIssuanceTemplates()

getIssuanceTemplate

Online command that retrieves the configuration data of a specific issuance template.

Description

Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

Syntax

getIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId

Specifies the name of the issuance template.


Example

The following invocation retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

getIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

createIssuanceTemplate

Online command that creates a new issuance template with default configuration data.

Description

Creates a new issuance template with default configuration data, and displays the result of the operation.

Table 4-35 describes the default configuration for this command.

Table 4-35 Default Configuration: createIssuanceTemplate

Token Type Description

Username

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • NameID User Attribute: uid

  • NameID User Attribute Store: User Store

  • Password Attribute: (empty)

  • Include Nonce: true

  • Include Timestamp: true

SAML 1.1

or

SAML 2.0

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • Assertion Issuer: Access Manager Hostname

  • NameID Format: Email Address

  • NameID User Attribute: mail

  • NameID User Attribute Store: User Store

  • NameID Qualifier: (empty)

  • Include Authn Statement: true

  • Include Attr Statement: true

  • Sign Assertion: true

  • Include Certificate in Signature: true

  • Send Encrypted NameID: false (SAML 2.0 only)

  • Default Subject Confirmation Method: Sender Vouches

  • Compute HOK Symmetric Key: true

  • HOK Symmetric Key Generation Algorithm: http://www.w3.org/2001/04/xmlenc#aes128-cbc

Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter

Custom Type

The issuance template will be created with the following default values:

  • Send Encrypted Token: false


Syntax

createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, 
description) 
Argument Definition
issuanceTemplateId

Specifies the name of the issuance template to be created.

tokenType

Possible values can be:

  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

signingKeyId

Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20.

description

An optional description.


Example

The following invocation creates a new issuance template with default configuration data, and displays the result of the operation.

createIssuanceTemplate(issuanceTemplateId="custom-issuancetemp", tokenType="saml20", signingKeyId="osts_signing", description="custom issuance template")

deleteIssuanceTemplate

Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

Description

Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

Syntax

deleteIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId

Specifies the name of the existing issuance template to be removed.


Example

The following invocation deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

deleteIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

getAllValidationTemplates

Online command that retrieves the names of all the existing validation templates.

Description

Retrieves the names of all the existing validation templates and displays them.

Syntax

getAllValidationTemplates() 

Example

The following invocation retrieves the names of all the existing validation templates and displays them.

getAllValidationTemplates()

getValidationTemplate

Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.

Description

Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.

Syntax

getValidationTemplate(validationTemplateId) 
Argument Definition
validationTemplateId

Specifies the name of the existing validation template.


Example

The following invocation retrieves the configuration data of a specific validation template, and displays the content of the template.

getValidationTemplate(validationTemplateId="custom-wss-validtemp")

createWSSValidationTemplate

Online command that creates a new validation template with default configuration data.

Description

Creates a new WSS validation template with default configuration data, and displays the result of the operation. The validation template is created using the values in Table 4-36, depending on the token type.

Table 4-36 Default Configuration: createWSSValidationTemplate

Token Type Description

Username

The validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: true

  • Validation Source: Partner

  • Token Mapping: Map token to Partner

  • Enable Simple Partner Mapping: true

  • Partner Datastore Attribute: username

SAML 1.1

or

SAML 2.0

The validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

  • Enable Partner NameID Mapping: false

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: NameID

  • Partner Datastore Attribute: username

Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: DN

  • Partner Datastore Attribute: sslclientcertdn

Kerberos

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping

Also:

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail


Syntax

createWSSValidationTemplate(templateId, tokenType,
defaultRequesterPPID, description)
Argument Definition
templateId

Specifies the name of the validation template to be created.

tokenType

Specifies the token type of the validation template. Possible values can be:

  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is Access Manager

defaultRequesterPPID

Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester.

description

Specifies an optional description.


Example

The following invocation creates a new validation template with default configuration data, and displays the result of the operation.

createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom",
defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation 
template")

createWSTrustValidationTemplate

Online command that creates a new WS-Trust validation template with default configuration data.

Description

Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation. The WS-Trust validation template is created with the values in Table 4-37, depending on the token type.

Table 4-37 Default Configuration: createWSTrustValidationTemplate

Token Type Description

Username

The WS-Trust validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: false

  • Validation Source: User Store

  • Token Mapping: Map token to User

  • Enable Simple User Mapping: true

  • User Datastore Attribute: uid

SAML 1.1

or

SAML 2.0

The WS-Trust validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: true

  • Enable Attribute Based User Mapping: false

Empty fields: User Datastore Attribute, Attribute Based User Mapping

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

  • User Token Attribute: CN

  • User Datastore Attribute: CN

  • Attribute Based User Mapping (empty)

Kerberos

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail

OAM

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_NAME_ID

  • User Datastore Attribute: uid

custom

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to None

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: (empty)

  • User Datastore Attribute: (empty)


Syntax

createWSTrustValidationTemplate(templateId, tokenType, description)
Argument Definition
templateId

Specifies the name of the WS-Trust validation template to be created.

tokenType

Specifies the token type of the WS-Trust validation template. Possible values can be:

  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is an Access Manager token, supported by default

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

description

Specifies an optional description.


Example

The following invocation creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.

createWSTrustValidationTemplate(templateId="custom-wss-validtemp", 
tokenType="custom", description="custom validation template")
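The Token Mapping defaults in Tables 4-36 and 4-37 decide which local user an incoming token resolves to once it has been validated. The following added example (not Oracle's code) models that step for the WS-Trust defaults: the User NameID Mapping table reproduces the documented entries, the Simple User Mapping pairs reproduce the X.509, Kerberos and OAM defaults, and the user store, token dictionaries and helper names are constructed for illustration. It shows the fail-closed cases a practitioner should expect: a NameID format whose datastore column is empty, a custom token type ("Map token to None"), a user that does not exist, and an ambiguous match.

```python
# Added example (not Oracle's code): a model of the Token Mapping step that the
# validation template defaults in Tables 4-36 and 4-37 configure. The user store,
# the token dictionaries and the helper names are constructed for illustration;
# the mapping tables reproduce the documented defaults.

# Default User NameID Mapping table (SAML 1.1 / SAML 2.0 templates):
# NameID format -> user datastore attribute searched for the NameID value.
# An empty string means the datastore column is empty: no mapping is configured.
USER_NAMEID_MAPPING = {
    'urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName': '',
    'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName': 'dn',
    'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress': 'mail',
    'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified': '',
    'urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos': '',
    'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent': '',
}

# Default Simple User Mapping of the WS-Trust templates (Table 4-37):
# token type -> (User Token Attribute, User Datastore Attribute).
SIMPLE_USER_MAPPING = {
    'x509': ('CN', 'CN'),
    'kerberos': ('TPE_KERBEROS_PRINCIPAL_FULL', 'mail'),
    'oam': ('TPE_NAME_ID', 'uid'),
}

# Constructed sample user store: one dictionary of attributes per user.
USER_STORE = [
    {'uid': 'jdoe', 'mail': 'jdoe@example.com', 'CN': 'jdoe',
     'dn': 'cn=jdoe,ou=people,dc=example,dc=com'},
    {'uid': 'asmith', 'mail': 'asmith@example.com', 'CN': 'asmith',
     'dn': 'cn=asmith,ou=people,dc=example,dc=com'},
]


class MappingError(Exception):
    """Raised when a token cannot be mapped to exactly one local user."""


def lookup_user(attribute, value, store):
    """Return the single user whose attribute equals value; fail closed otherwise."""
    matches = [user for user in store if user.get(attribute) == value]
    if len(matches) != 1:
        raise MappingError('%d users match %s=%r' % (len(matches), attribute, value))
    return matches[0]


def map_token_to_user(token, store=USER_STORE):
    """Resolve a validated token to a user record using the default mappings.

    token is a dictionary with a 'type' key (saml11, saml20, x509, kerberos, oam
    or a custom type). SAML tokens carry 'nameid_format' and 'nameid'; the other
    types carry the attribute named in SIMPLE_USER_MAPPING.
    """
    token_type = token['type']
    if token_type in ('saml11', 'saml20'):
        # Enable User NameID Mapping: true. The NameID format selects the
        # datastore attribute; an empty column means the format is not mapped.
        fmt = token.get('nameid_format')
        if fmt not in USER_NAMEID_MAPPING:
            raise MappingError('unknown NameID format %r' % fmt)
        attribute = USER_NAMEID_MAPPING[fmt]
        if not attribute:
            raise MappingError('no datastore attribute configured for %s' % fmt)
        return lookup_user(attribute, token.get('nameid'), store)
    if token_type in SIMPLE_USER_MAPPING:
        # Enable Simple User Mapping: true. One token attribute is compared
        # with one datastore attribute.
        token_attr, store_attr = SIMPLE_USER_MAPPING[token_type]
        if token.get(token_attr) is None:
            raise MappingError('token lacks attribute %s' % token_attr)
        return lookup_user(store_attr, token[token_attr], store)
    # Any other (custom) type defaults to "Map token to None".
    raise MappingError('token type %r is not mapped to a user' % token_type)
```

The model only covers mapping to a user; the partner-side mapping that the WSS templates enable by default (Partner Token Attribute and Partner Datastore Attribute) follows the same pattern against a partner store. Filling a datastore column for a format such as persistent or kerberos is what turns the corresponding MappingError into a successful lookup, which is why those columns should only be populated for formats whose values are unique in the store.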

deleteValidationTemplate

Online command that deletes a validation template.

Description

Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

Syntax

deleteValidationTemplate(validationTemplateId)
Argument Definition
validationTemplateId

Specifies the name of the validation template to be removed.


Example

The following invocation deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

deleteValidationTemplate(validationTemplateId="custom-wss-validtemp") 

Oracle Keystore Service

This section contains commands used with the OPSS keystore service.

Note:

You need to acquire an OPSS handle to use keystore service commands. For details, see Managing Keys and Certificates with the Keystore Service in the Oracle Fusion Middleware Security Guide.

Table 4-38 lists the WLST commands used to manage the keystore service.

Table 4-38 OPSS Keystore Service Commands

Use this Command... to...

changeKeyPassword

Change the password for a key.

changeKeyStorePassword

Change the password on a keystore.

createKeyStore

Create a keystore.

deleteKeyStore

Delete a keystore.

deleteKeyStoreEntry

Delete an entry in a keystore.

exportKeyStore

Export a keystore to file.

exportKeyStoreCertificate

Export a certificate to a file.

exportKeyStoreCertificateRequest

Export a certificate request to a file.

generateKeyPair

Generate a keypair.

generateSecretKey

Generate a secret key.

getKeyStoreCertificates

Get information about a certificate or trusted certificate.

getKeyStoreSecretKeyProperties

Get the secret key properties.

importKeyStore

Import a keystore from file.

importKeyStoreCertificate

Import a certificate or other object.

listExpiringCertificates

List certificates expiring in a specified period.

listKeyStoreAliases

List aliases in a keystore.

listKeyStores

List all the keystores in a stripe.


changeKeyPassword

Changes a key password.

Description

Changes the password for a key.

Syntax

svc.changeKeyPassword(appStripe='stripe', name='keystore', password='password', 
alias='alias', currentkeypassword='currentkeypassword', 
newkeypassword='newkeypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe containing the keystore

name

Specifies the name of the keystore

password

Specifies the keystore password

alias

Specifies the alias of the key entry whose password is changed

currentkeypassword

Specifies the current key password

newkeypassword

Specifies the new key password


Example

This example changes the password on the key entry orakey:

svc.changeKeyPassword(appStripe='system', name='keystore', password='password', 
alias='orakey', currentkeypassword='currentkeypassword', 
newkeypassword='newkeypassword')

changeKeyStorePassword

Changes the password of a keystore.

Description

Changes the password of the specified keystore.

Syntax

svc.changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe containing the keystore

name

Specifies the name of the keystore

currentpassword

Specifies the current keystore password

newpassword

Specifies the new keystore password


Example

This example changes the password for keystore2.

svc.changeKeyStorePassword(appStripe='system', name='keystore2', 
currentpassword='currentpassword', newpassword='newpassword')

createKeyStore

This keystore service command creates a new keystore.

Description

Creates a new keystore on the given application stripe.

Syntax

svc.createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore is created.

name

Specifies the name of the new keystore.

password

Specifies the keystore password.

permission

This parameter is true if the keystore is protected by permission only, false if protected by both permission and password.


Example

This example creates a keystore named keystore1.

svc.createKeyStore(appStripe='system', name='keystore1', password='password', permission=true)

deleteKeyStore

Deletes the named keystore.

Description

This keystore service command deletes a specified keystore.

Syntax

svc.deleteKeyStore(appStripe='stripe', name='keystore', password='password')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore to be deleted.

password

Specifies the keystore password.


Example

This example deletes the keystore named keystore1.

svc.deleteKeyStore(appStripe='system', name='keystore1', password='password')

deleteKeyStoreEntry

Deletes a keystore entry.

Description

This command deletes the specified entry in a keystore.

Syntax

svc.deleteKeyStoreEntry(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the entry to be deleted

keypassword

Specifies the key password of the entry to be deleted


Example

This example deletes a keystore entry denoted by alias orakey.

svc.deleteKeyStoreEntry(appStripe='system', name='keystore2', password='password', alias='orakey', keypassword='keypassword')

exportKeyStore

Exports a keystore to a file.

Description

Exports a keystore to the specified file.

Syntax

svc.exportKeyStore(appStripe='stripe', name='keystore', password='password', 
aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', 
type='keystore-type', filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

aliases

Comma separated list of aliases to be exported.

keypasswords

Comma separated list of the key passwords corresponding to aliases.

type

Exported keystore type. Valid values are 'JKS' or 'JCEKS'.

filepath

Absolute path of the file where keystore is exported.


Example

This example exports two aliases from the specified keystore.

svc.exportKeyStore(appStripe='system', name='keystore2', 
password='password',aliases='orakey,seckey', 
keypasswords='keypassword1,keypassword2', 
type='JKS',filepath='/tmp/file.jks')

exportKeyStoreCertificate

Exports a certificate.

Description

Exports a certificate, trusted certificate or certificate chain.

Syntax

svc.exportKeyStoreCertificate(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
type='entrytype',filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the entry to be exported

keypassword

Specifies the key password.

type

Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'.

filepath

Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported.


Example

This example exports a certificate corresponding to the orakey alias:

svc.exportKeyStoreCertificate(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
type='Certificate', filepath='/tmp/cert.txt')

exportKeyStoreCertificateRequest

Exports a certificate request.

Description

Generates and exports a certificate request from a keystore.

Syntax

svc.exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the entry's alias name.

keypassword

Specifies the key password.

filepath

Specifies the absolute path of the file where certificate request is exported.


Example

This example exports a certificate request corresponding to the orakey alias.

svc.exportKeyStoreCertificateRequest(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
filepath='/tmp/certreq.txt')

generateKeyPair

Generates a key pair in a keystore.

Description

Generates a key pair in a keystore and wraps it in a demo CA-signed certificate.

Syntax

svc.generateKeyPair(appStripe='stripe', name='keystore', password='password', 
dn='distinguishedname', keysize='keysize', alias='alias', 
keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

dn

Specifies the distinguished name of the certificate wrapping the key pair.

keysize

Specifies the key size.

alias

Specifies the alias of the key pair entry.

keypassword

Specifies the key password.


Example

This example generates a keypair in keystore2.

svc.generateKeyPair(appStripe='system', name='keystore2', password='password', dn='cn=www.oracle.com', keysize='1024', alias='orakey', keypassword='keypassword')

generateSecretKey

Generates a secret key.

Description

Generates a symmetric key in a keystore.

Syntax

svc.generateSecretKey(appStripe='stripe', name='keystore', password='password', 
algorithm='algorithm', keysize='keysize', alias='alias', 
keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

algorithm

Specifies the symmetric key algorithm.

keysize

Specifies the key size.

alias

Specifies the alias of the key entry.

keypassword

Specifies the key password.


Example

This example generates an AES secret key with keysize 128 in keystore2.

svc.generateSecretKey(appStripe='system', name='keystore2', password='password', 
algorithm='AES', keysize='128', alias='seckey', keypassword='keypassword')

getKeyStoreCertificates

Gets a certificate from the keystore.

Description

Retrieves information about a certificate or trusted certificate.

Syntax

svc.getKeyStoreCertificates(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed.

keypassword

Specifies the key password.


Example

This example gets certificates associated with keystore3.

svc.getKeyStoreCertificates(appStripe='system', name='keystore3', password='password', alias='orakey', keypassword='keypassword')

getKeyStoreSecretKeyProperties

Retrieves secret key properties.

Description

Retrieves secret key properties like the algorithm.

Syntax

svc.getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the secret key whose properties are displayed.

keypassword

Specifies the secret key password.


Example

This example gets properties for secret key seckey:

svc.getKeyStoreSecretKeyProperties(appStripe='system', name='keystore3', 
password='password', alias='seckey', keypassword='keypassword')

importKeyStore

Imports a keystore from file.

Description

Imports a keystore from a system file.

Syntax

svc.importKeyStore(appStripe='stripe', name='keystore', password='password', 
aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', 
type='keystore-type', permission=true|false, filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

aliases  

Specifies the comma-separated aliases of the entries to be imported from file.

keypasswords  

Specifies the comma-separated passwords of the keys in file.

type  

Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'.

filepath 

Specifies the absolute path of the keystore file to be imported.

permission 

Specifies true if keystore is protected by permission only, false if protected by both permission and password.


Example

This example imports a file to keystore2:

svc.importKeyStore(appStripe='system', name='keystore2', 
password='password', aliases='orakey,seckey', keypasswords='keypassword1,keypassword2', 
type='JKS', permission=true, filepath='/tmp/file.jks')

importKeyStoreCertificate

Imports a certificate or other specified object.

Description

Imports a certificate, trusted certificate or certificate chain.

Syntax

svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
type='entrytype',filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias  

Specifies the alias of the entry to be imported.

keypassword  

Specifies the key password of the newly imported entry.

type  

Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'.

filepath  

Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported.


Example

This example imports a certificate into keystore2.

svc.importKeyStoreCertificate(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
type='Certificate', filepath='/tmp/cert.txt')

listExpiringCertificates

Lists expiring certificates.

Description

Lists expiring certificates and optionally renews them.

Syntax

svc.listExpiringCertificates(days='days', autorenew=true|false)
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

days  

Specifies that the list should only include certificates within this many days from expiration.

autorenew  

Specifies true for automatically renewing expiring certificates, false for only listing them.


Example

This example lists certificates expiring within one year, and requests that they be renewed:

svc.listExpiringCertificates(days='365', autorenew=true)

listKeyStoreAliases

Lists the aliases in a keystore.

Description

Lists the aliases in a keystore for a given type of entry.

Syntax

The syntax is as follows:

svc.listKeyStoreAliases(appStripe='stripe', name='keystore', 
password='password', type='entrytype')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

type

Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'.


Example

This example lists secret keys in keystore2:

svc.listKeyStoreAliases(appStripe='system', name='keystore2', 
password='password', type='SecretKey')

listKeyStores

Lists all the keystores in a stripe.

Description

Lists all the keystores in the specified stripe.

Syntax

svc.listKeyStores(appStripe='stripe')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe whose keystores are listed.


Example

This example lists the keystores in all stripes by passing the wildcard '*' as the stripe name.

svc.listKeyStores(appStripe='*')

Identity Directory Service Commands

Use the WLST commands listed in Table 4-39 to manage Identity Directory Service Entity Attributes, Entity Definitions, Relationships and default Operational configurations.

Table 4-39 WLST Identity Directory Service Commands

Use this command...                To...                                                                    Use with WLST...

activateIDSConfigChanges           Reload the Identity Directory Service configuration                      Online
addAttributeInEntityConfig         Add a new attribute to the entity configuration                          Online
addAttributeRefForEntity           Add a new attribute to the specified entity                              Online
addEntity                          Add a new entity to the entity configuration                             Online
addEntityRelation                  Add a new entity relation to the entity configuration                    Online
addIdentityDirectoryService        Add a new Identity Directory Service to the configuration                Online
addOperationConfig                 Add a new operation configuration to the entity configuration            Online
addPropertyForOperationConfig      Add a new property to a specified operation configuration                Online
deleteAttributeInEntityConfig      Delete an attribute from an entity configuration                         Online
deleteEntity                       Delete an entity from an entity configuration                            Online
deleteEntityRelation               Delete the specified entity relation                                     Online
deleteIdentityDirectoryService     Delete the specified Identity Directory Service from the configuration   Online
deleteOperationConfig              Delete an operation configuration from an entity configuration           Online
listAllAttributeInEntityConfig     List all attributes in the entity configuration                          Online
listAllEntityInEntityConfig        List all entities defined in the specified entity configuration          Online
listAllIdentityDirectoryService    List all Identity Directory Services in the configuration                Online
removeAttributeRefForEntity        Remove an attribute from the specified entity                            Online
removePropertyForOperationConfig   Remove a property from the specified operation configuration             Online


activateIDSConfigChanges

Description

Reloads the Identity Directory Service configuration so that configuration changes made with the other Identity Directory Service commands take effect.

Syntax

activateIDSConfigChanges()

This command has no arguments.

Example

activateIDSConfigChanges()

addAttributeInEntityConfig

Description

Adds a new attribute to the entity configuration.

Syntax

addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)

Table 4-40 addAttributeInEntityConfig Arguments

Argument Definition

name

Name of the attribute to be added

datatype

The attribute's type is defined as one of the following:

  • binary

  • boolean

  • datetime

  • double

  • integer

  • rfc822name

  • string

  • x500name

description

Description of the attribute to be added

readOnly

Flag (true or false) to specify whether the attribute is read-only or can be modified

pwdAttr

Flag (true or false) to specify whether the attribute is a password attribute

appName

Name of the Identity Directory Service


Example

addAttributeInEntityConfig('commonname','string','common name',false,false,'userrole')

addAttributeRefForEntity

Description

Adds a new attribute to the specified entity.

Syntax

addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)

Table 4-41 addAttributeRefForEntity Arguments

Argument Definition

name