Skip Headers
Oracle® Fusion Middleware Application Security Guide
11g Release 1 (11.1.1)

Part Number E10043-11
Go to Documentation Home
Home
Go to Book List
Book List
Go to Table of Contents
Contents
Go to Index
Index
Go to Master Index
Master Index
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

F OPSS System and Configuration Properties

This appendix documents OPSS system properties (set through the switch -D at server start) and configuration properties (set with elements <property> and <extendedProperty> in the configuration file jps-config.xml) in the following sections:

To manage server properties programmatically, use OPSS MBeans. For details and example, see Section E.2.3, "Programming with OPSS MBeans."

Note:

All OPSS configuration changes (manual or through JpsConfiguration MBean) require server restart to take effect.

OPSS data domain changes do not require server restart to take effect. Data changes include modifying an application policy and creating, deleting, or updating a credential.

F.1 OPSS System Properties

A system property that has been introduced or modified is not in effect until the server is restarted. In order to set a system property, the administrator must edit the setDomainEnv.sh shell script and add the property to the environment variable EXTRA_JAVA_PROPERTIES in that script.

Table F-1 lists the Java system properties available with OPSS.

Table F-1 Java System Properties Used by OPSS

Name Description

java.security.debug=access,failure

Notifies about a permission failure when the method JpsAuth.checkPermission is called inside a Subject.doAs block and the permission check fails.

Note that setting jps.auth.debug or jps.auth.debug.verbose is not enough to get a failure notification in this case.

Optional.

java.security.policy

Specifies the location of the Java security policy file.

jps.authz

Enables or disables the delegation of calls to JDK API AccessController.checkPermission, which reduces runtime and debugging overhead.

Optional.

Valid values: NULL, SM, ACC, and DEBUG_NULL.

No default value.

jps.auth.debug

Controls server logging output. Default value: FALSE. For details, see Section L.1.2.1, "jps.auth.debug."

Optional.

jps.auth.debug.verbose

Controls server logging output. Default value: FALSE. For details, see Section L.1.2.2, "jps.auth.debug.verbose."

Optional.

jps.combiner.optimize

Enables or disables the caching of a subject's protection domain.

Optional.

Valid values: TRUE, FALSE.

Default value: FALSE.

jps.combiner.optimize.lazyeval

Enables or disables the evaluation of a subject's protection domain when a check permission is triggered.

Optional.

Valid values: TRUE, FALSE.

Default value: FALSE.

jps.deployment.handler.disabled

Enables or disables the migration of policies and credentials for applications deployed on a WebLogic Server. Valid only for the WebLogic Server.

Set to TRUE to disable the migration of application policies and credentials for all applications deployed on the server regardless of the particular application settings in the application file weblogic-application.xml.

Optional.

Valid values: TRUE, FALSE.

Default value: FALSE.

jps.policystore.hybrid.mode

Enables or disables the hybrid mode.

The hybrid mode is used to facilitate the transition from the Sun java.security.Policy to the OPSS Java PolicyProvider. When the hybrid mode is enabled, the OPSS Java Policy Provider reads from both files, java.policy and system-jazn-data.xml.

Optional.

Valid values: TRUE, FALSE.

Default value: TRUE.

jps.subject.cache.ttl

Specifies the number of seconds after which group membership changes are in effect.

This value must be kept in sych with the value of the WebLogic authenticator Group Hierarchy Cache. If this last parameter value is changed, then jps.subject.cache.ttl must be reset to match the new Group Hierarchy Cache value.

Optional.

Valid values: any positive integer.

Default value: 60000

oracle.security.jps.config

Specifies the path to the domain configuration files jps-config.xml or jps-config-jse.xml. Paths specifications in those files can be absolute or relative to the location of the configuration file.

Required.

No default value.

oracle.deployed.app.dir

Specifies the path to the directory of a code source URL.

Optional.

No default value.

For an example of use, see <url>.

oracle.deployed.app.ext

Specifies the extension of code source URL.

Optional.

No default value.

For an example of use, see <url>.

oracle.security.jps.log.for.approle.substring

Logs the name of an application role that contains a specified substring; if the substring to match is unspecified, it logs all application role names.

Optional.

No default value.

For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."

oracle.security.jps.log.for.permeffect

Logs a grant that was granted or denied according to a specified value; if the value is unspecified, it logs all grants (regardless whether they were granted or denied).

Optional.

No default value.

For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."

oracle.security.jps.log.for.permclassname

Logs the name of the permission class that matches exactly a specified name; if the name to match is unspecified, it logs all permission class names.

Optional.

No default value.

For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."

oracle.security.jps.log.for.permtarget.substring

Logs the name of a permission target that contains a specified substring; if the substring to match is unspecified, it logs all permission targets.

Optional.

No default value.

For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."

oracle.security.jps.log.for.enterprise.principalname

Logs the name of the principal (enterprise user or enterprise role) that matches exactly a specified name; if the name to match is unspecified, it logs all principal names.

Optional.

No default value.

For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."

common.components.home

Specifies the location of the common components home.

Required for SE applications.

No default value.


F.2 OPSS Configuration Properties

This section describes the properties of various instances in the following sections:

F.2.1 Policy Store Properties

The policy store properties are described in the following sections:

F.2.1.1 Policy Store Configuration

The policy store provider class that can be used with LDAP-based or DB-based instances is the following:

oracle.seurity.jps.internal.policystore.ldap.LdapPolicyStoreProvider

Table F-2 describes the properties of policy store instances. The properties are listed in three blocks according to the kind of application they can be used in.

Table F-2 Policy Store Properties

Name Description

The following properties are valid in both Java EE and Java SE applications

bootstrap.security.principal.key

The key for the password credentials to access the LDAP policy store, stored in the CSF store.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Required.

No default value.

The out-of-the-box value is bootstrap.

bootstrap.security.principal.map

The map for the password credentials to access the LDAP policy store, stored in the CSF store.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Required.

Default value: BOOTSTRAP_JPS.

oracle.security.jps.farm.name

The RDN format of the domain node in the LDAP policy store.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Required.

No default value.

oracle.security.jps.ldap.root.name

The RDN format of the root node in the LDAP policy store.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Required.

No default value.

ldap.url

The URL of the LDAP policy store, with the format ldap://host:port.

Valid in Java EE and Java SE applications.

Applies only to LDAP stores.

Required.

No default value.

policystore.type

The type of the LDAP policy store.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Required.

No default value.

Value examples: OID, DB_ORACLE.

oracle.security.jps.policystore.resourcetypeenforcementmode

Controls the throwing of exceptions if any of the following checks fail:

  • Verify that if two resource types share the same permission class, that permission must be either ResourcePermission or extend AbstractTypedPermission, and this last resource type cannot be created.

  • Verify that all permissions have resource types defined, and that the resource matcher permission class and the permission being granted match.

If set to Strict, when any of the above checks fail, the system throws an exception and the operation is aborted.

If set to Lenient, when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged in the log files.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Default value: Lenient

Valid values: Strict, Lenient.

jps.change.notifier.file.delay

Indicates the frequency, in milliseconds, at which the system checks the domain files system-jazn-data.xml and cwallet.sso for changes. (milliseconds).

In production environments, it is recommended a frequency of about 10 min. (600000 milliseconds). In development environments, it is recommended a frequency of about 3 min. (180000 milliseconds).

Default value: 1000

The following properties are valid in Java EE applications only

datasource.jndi.name

The JNDI name of the JDBC data source instance.

Valid in Java EE applications only.

Applies to only DB stores.

Required.

No default value.

failover.retry.times

The number of retry attempts.

Valid in Java EE applications only.

Applies to only DB stores.

Optional.

Default value: 3

failover.retry.interval

The number of seconds between retry attempts.

Valid in Java EE applications only.

Applies to only DB stores.

Optional.

Default value: 15

weblogic.dbuser.map

weblogic.dbuser.key

Specify the credential's map and key for the Weblogic DB user/password. They apply only when oracle.security.jps.db.useWeblogicDBUserMapKey is true; in this case, both or none of them should be configured.

Valid in Java EE applications only.

Applies to only DB stores.

Optional.

Default value: none.

oracle.security.jps.db.useWeblogicDBUserMapKey

Specifies where to find the map and key for the WebLogic DB user/password. This property is automatically set when reassociating to a DB-based store.

Valid in Java EE applications only.

Applies to only DB stores.

Optional.

Valid values: true or false.

Default value: false.

If true, then the properties weblogic.dbuser.map and weblogic.dbuser.key specify the credential's map and key for the Weblogic DB user/password.

Otherwise, if false or not specified, then the properties bootstrap.security.principal.map and bootstrap.security.principal.key specify the credential's map and key for the weblogic DB user/password.

The following properties are valid in Java SE applications only

security.principal

The clear text name of the principal to use instead of the user name specified in the bootstrap. Not recommended.

Valid in Java SE applications only.

Applies to LDAP and DB stores.

Optional.

No default value.

security.credential

The clear text password for the security principal to use instead of the password specified in the bootstrap. Not recommended.

Valid in Java SE applications only.

Applies to LDAP and DB stores.

Optional.

No default value.

jdbc.driver

The JDBC driver.

Valid in Java SE applications only.

Applies to only DB stores.

Required.

No default value.

Value example: oracle.jdbc.driver.OracleDriver

jdbc.url

The URL of the JBDC.

Valid in Java SE applications only.

Applies to only DB stores.

Required.

No default value.

Value example: jdbc:oracle:thin:@xxx27.com:1345:asi102cn

eclipselink.jdbc.read-connections.min

The minimum number of connections allowed in the JDBC read connection pool.

Valid in Java SE applications only.

Applies to only DB stores.

Optional.

Default value: 5

eclipselink.jdbc.read-connections.max

The maximum number of connections allowed in the JDBC read connection pool.

Valid in Java SE applications only.

Applies to only DB stores.

Optional.

Default value: 20


Example 1

The following fragment illustrates the configuration of an LDAP-based policy store instance for a Java EE application:

<serviceInstance provider="ldap.policystore.provider" name="policystore.ldap">
     <property value="OID" name="policystore.type"/>
     <property value="bootstrap" name="bootstrap.security.principal.key"/>
     <property value="cn=wls-jrfServer" name="oracle.security.jps.farm.name"/>
     <property value="cn=jpsTestNode" name="oracle.security.jps.ldap.root.name"/>
     <property value="ldap://myHost.com:1234" name="ldap.url"/>
     <property value="STATIC" name="oracle.security.jps.policystore.rolemember.cache.type"/>
     <property value="FIFO" name="oracle.security.jps.policystore.rolemember.cache.strategy"/>
     <property value="1000" name="oracle.security.jps.policystore.rolemember.cache.size"/>
     <property value="true" name="oracle.security.jps.policystore.policy.lazy.load.enable"/>
     <property value="PERMISSION_FIFO" name="oracle.security.jps.policystore.policy.cache.strategy"/>
     <property value="1000" name="oracle.security.jps.policystore.policy.cache.size"/>
     <property value="true" name="oracle.security.jps.policystore.refresh.enable"/>
     <property value="43200000" name="oracle.security.jps.ldap.policystore.refresh.purge.timeout"/>
     <property value="600000" name="oracle.security.jps.ldap.policystore.refresh.interval"/>
</serviceInstance>

Example 2

The following fragment illustrates the configuration of an LDAP-based policy store instance for a Java SE application:

<serviceInstance name="policystore.oid" provider="policy.oid">
   <property value="OID" name="policystore.type"/>
   <property value="bootstrap" name="bootstrap.security.principal.key"/>
   <property name="ldap.url" value="ldap://myHost.com:1234"/>
   <property name="oracle.security.jps.ldap.root.name" value="cn=jpsNode"/>
   <property name="oracle.security.jps.farm.name" value="cn=domain1"/>
</serviceInstance>

For additional configurations samples for Java SE applications, see Section 23.1.2, "Configuring LDAP-Based Policy and Credential Stores."

Example 3

The following fragment illustrates the configuration of DB-based stores (including an instance of a runtime service provider) for a Java EE application:

<jpsConfig>
...
  <propertySets>
    <!-- property set props.db.1 common to all DB services -->
    <propertySet name="props.db.1">
      <property name="datasource.jndi.name"  value="opssds"/>
      <property value="cn=farm" name="oracle.security.jps.farm.name"/>
      <property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name"/>
      <property value="dsrc_lookup_key"  
                name="bootstrap.security.principal.key"/>
      <property value="credential_map" name="bootstrap.security.principal.map"/>
    </propertySet>
  </propertySets>
 
  <serviceProviders>
    <serviceProvider      class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" 
     type="POLICY_STORE" name="rdbms.policystore.provider" >
       <description>RDBMS based PolicyStore provider</description>
    </serviceProvider>
 
    <serviceProvider type="KEY_STORE" name="keystore.provider"        class="oracle.security.jps.internal.keystore.KeyStoreProvider">
      <description>PKI Based Keystore Provider</description>
      <property name="provider.property.name" value="owsm"/>
    </serviceProvider>
 
    <serviceProvider name="pdp.service.provider" type="PDP"       class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider">
      <description>OPSS Runtime Service provider</description>
    </serviceProvider>
  </serviceProviders>
 
  <serviceInstances>
    <serviceInstance name="policystore.rdbms"                      provider="rdbms.policystore.provider">
      <property value="DB_ORACLE" name="policystore.type"/>
      <propertySetRef ref = "props.db.1"/>
      <property name="session_expiration_sec" value="60"/>
      <property name="failover.retry.times"  value="5"/>
    </serviceInstance>    
 
    <serviceInstance name="credstore.rdbms" provider="rdbms.credstore.provider">
      <propertySetRef ref = "props.db.1"/>       
    </serviceInstance>
 
    <serviceInstance name="keystore.rdbms" provider="rdbms.keystore.provider">  
      <propertySetRef ref = "props.db.1"/>       
      <property name="keystore.provider.type"  value="db"/>
    </serviceInstance>
 
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="sm_configuration_name" value="permissionSm"/>
      <property name="work_folder" value="../../tempdir/permissionSm-work"/>
      <property name="authorization_cache_enabled" value="true"/>
      <property name="role_cache_enabled" value="true"/>
      <property name="session_eviction_capacity" value="500"/>
      <property name="session_eviction_percentage" value="10"/>
      <property name="session_expiration_sec" value="60"/>
      <property name="failover.retry.times"  value="5"/>
      <property name="failover.retry.interval" value="20"/>
      <property name="oracle.security.jps.policystore.purge.timeout",
                value="30000"/>
      <propertySetRef ref = "props.db.1"/>
    </serviceInstance>
  </serviceInstances>
 
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="pdp.service"/>      
      <serviceInstanceRef ref="policystore.rdbms"/>      
      <serviceInstanceRef ref="credstore.rdbms"/>
      <serviceInstanceRef ref="keystore.rdbms"/>
    </jpsContext>
  </jpsContexts>
...
</jpsConfig>

Example 4

The following fragment illustrates the configuration of a DB-based policy store instance for a Java SE application:

<serviceInstance name="policystore.rdbms" provider="policy.rdbms">
  <property name="policystore.type" value="DB_ORACLE"/>
  <property name="jdbc.url" value="jdbc:oracle:thin:@xxx.com:1722:orcl"/>
  <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_DWgpEJgXwhDIoLYVZ2OWd4R8wOA=" />
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="oracle.security.jps.farm.name" value="cn=view_steph.atz"/>
</serviceInstance>

For additional configurations samples for Java SE applications, see Section 23.1.3, "Configuring DB-Based OPSS Security Stores."

F.2.1.2 Runtime Policy Store Configuration

The runtime policy store provider class that can be used with LDAP- or DB-based instances is the following:

oracle.seurity.jps.az.internal.runtime.provider.PDPServiceProvider

Table F-3 lists the runtime properties of policy store instances.

Table F-3 Runtime Policy Store Properties

Name Description

oracle.security.jps.policystore.rolemember.cache.type

The type of the role member cache.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Valid values:

  • STATIC - Cache objects are statically cached and can be cleaned explicitly only according the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type.

  • SOFT - The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch.

  • WEAK - The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently.

Default value: STATIC.

oracle.security.jps.policystore.rolemember.cache.strategy

The type of strategy used in the role member cache.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Valid values:

  • FIFO - The cache implements the first-in-first-out strategy.

  • NONE - All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.

Default value: FIFO.

oracle.security.jps.policystore.rolemember.cache.size

The number of the roles kept in the member cache.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Default value: 1000.

oracle.security.jps.policystore.policy.lazy.load.enable

Enables or disables the policy lazy load.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Valid values: TRUE, FALSE.

Default value: TRUE.

oracle.security.jps.policystore.policy.cache.strategy

The type of strategy used in the permission cache.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Valid values:

  • PERMISSION_FIFO - The cache implements the first-in-first-out strategy.

  • NONE - All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.

Default value: PERMISSION_FIFO.

oracle.security.jps.policystore.policy.cache.size

The number of permissions kept in the permission cache.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Default value: 1000.

oracle.security.jps.policystore.refresh.enable

Enables or disables the policy store refresh. If this property is set, then oracle.security.jps.ldap.cache.enable cannot be set.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Valid values: TRUE, FALSE.

Default value: TRUE.

oracle.security.jps.ldap.cache.enable

Enables or disables the refresh of the cache. If this property is set, then oracle.security.jps.policystore.refresh.enable cannot be set.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Valid values: TRUE, FALSE.

Default value: TRUE.

oracle.security.jps.policystore.purge.timeout

The time, in milliseconds, after which the policy store cache is purged.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Default value: 43200000 (12 hours).

oracle.security.jps.ldap.policystore.refresh.interval

The interval, in milliseconds, at which the policy store is polled for changes.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Default value: 600000 (10 minutes).

oracle.security.jps.policystore.refresh.permissions.invalidate.threshold

The number of user's permissions after which the permission cache is invalidated.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Default value: 50.

oracle.security.jps.policystore.rolemember.cache.warmup.enable

Controls the way the ApplicationRole membership cache is created. If set to TRUE, the cache is created at server startup; otherwise, it is created on demand (lazy loading).

Set to TRUE when the number of users and groups is significantly higher than the number of application roles; set to FALSE otherwise, that is, when the number of application roles is very high.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Valid values: TRUE, FALSE.

Default value: FALSE.

security.jps.runtime.pd.client.localpolicy.work_folder

The folder for temporary storage.

Valid in Java EE and Java SE applications.

Applies to XML, LDAP, and DB stores.

Optional.

Default value: the system temporary folder.

oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled

Specifies whether the authorization cache should be enabled.

Valid in Java EE and Java SE applications.

Applies to XML, LDAP, and DB stores.

Optional.

Valid values: TRUE, FALSE.

Default value: FALSE.

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage

The percentage of sessions to drop when the eviction capacity is reached.

Valid in Java EE and Java SE applications.

Applies to XML, LDAP, and DB stores.

Optional.

Default value: 10

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity

The maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed.

Valid in Java EE and Java SE applications.

Applies to XML, LDAP, and DB stores.

Optional.

Default value: 500

oracle.security.jps.pdp.AuthotizationDecisionCacheTTL

The number of seconds during which session data is cached.

Valid in Java EE and Java SE applications.

Applies to XML, LDAP, and DB stores.

Optional.

Default value: 60

oracle.security.jps.policystore.resourcetypeenforcementmode

Controls the throwing of exceptions if any of the following checks fail:

  • Verify that if two resource types share the same permission class, that permission must be either ResourcePermission or extend AbstractTypedPermission, and this last resource type cannot be created.

  • Verify that all permissions have resource types defined, and that the resource matcher permission class and the permission being granted match.

If set to Strict, when any of the above checks fail, the system throws an exception and the operation is aborted.

If set to Lenient, when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged in the log files.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Optional.

Default value: Lenient

Valid values: Strict, Lenient.


F.2.2 Credential Store Properties

Table F-4 lists the properties of credential store instances. The properties are listed in two blocks according to the kind of application they can be used in.

Table F-4 Credential Store Properties

Name Description

The following properties are valid in Java EE applications only

bootstrap.security.principal.key

The key for the password credentials to access the LDAP credential store, stored in the CSF store.

Valid only in Java EE applications.

Applies to LDAP and DB stores.

Required.

No default value.

The out-of-the-box value is bootstrap.

bootstrap.security.principal.map

The map for the password credentials to access the LDAP credential store, stored in the CSF store.

Valid only in Java EE applications.

Applies to LDAP and DB stores.

Required.

Default value: BOOTSTRAP_JPS.

The following properties are valid in both Java EE and Java SE applications

oracle.security.jps.farm.name

The RDN format of the domain node in the LDAP credential store.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Required.

No default value.

oracle.security.jps.ldap.root.name

The RDN format of the root node in the LDAP policy store.

Valid in Java EE and Java SE applications.

Applies to LDAP and DB stores.

Required.

No default value.

ldap.url

Specifies the URL of the LDAP credential store using the format ldap://host:port.

Valid in Java EE and Java SE applications.

Applies only to LDAP stores.

Required.

No default value.

encrypt

Specifies whether to encrypt credentials.

Valid in Java EE and Java SE applications.

Applies only to file and LDAP stores.

Valid values: true, false.

Optional.

Default value: false.


The following fragment illustrates the configuration of a credential store in a Java EE application:

<serviceInstance provider="ldap.credentialstore.provider" name="credstore.ldap">
    <property value="bootstrap" name="bootstrap.security.principal.key"/>
    <property value="cn=wls-jrfServer" name="oracle.security.jps.farm.name"/>
    <property value="cn=jpsTestNode" name="oracle.security.jps.ldap.root.name"/>
    <property value="ldap://myHost.com:1234" name="ldap.url"/>
    <property value="true" name="encrypt"/>
</serviceInstance>

F.2.3 LDAP Identity Store Properties

Table F-5 lists the properties of LDAP-based identity store instances. Extended properties are explicitly stated. User and Role API properties corresponding to a property are also stated.

Table F-5 LDAP-Based Identity Store Properties

Name Description

idstore.type

The type of the identity store.

Valid in Java SE and Java EE applications.

Required

Valid values:

OID - Oracle Internet Directory

OVD - Oracle Virtual Directory

ACTIVE_DIRECTORY - Microsoft Active Directory

IPLANET - Oracle Directory Server Enterprise Edition

EDIRECTORY - Novell eDirectory

OPEN_LDAP - OpenLdap

LIBOVD - Oracle Library OVD

CUSTOM - Any other type

If using a custom authenticator, the service instance configuration must include one of the following properties:

<property name="idstore.type" value="<your-idstore-type>" 
<property name="ADF_IM_FACTORY_CLASS" value="<your-IDM-FACTOY_CLASS_NAME>"

Corresponding User and Role API property: ADF_IM_FACTORY_CLASS

ldap.url

The LDAP URL value.

Valid in Java SE and Java EE applications.

Required.

No default value.

Value example: ldap://myServerName.com:1389.

Corresponding User and Role API property: ADF_IM_PROVIDER_URL

user.search.bases

The user search base for the LDAP server in DN format. Extended property.

Valid in Java SE and Java EE applications.

Required.

No default value.

Value example: cn=users,dc=us,dc=abc,dc=com

Corresponding User and Role API property: USER_SEARCH_BASES

group.search.bases

The group or enterprise search base for the LDAP server in DN format. Extended property.

Valid in Java SE and Java EE applications.

Required

No default value.

Value example: cn=groups,dc=us,dc=abc,dc=com

Corresponding User and Role API property: ROLE_SEARCH_BASES

idstore.config.provider

The idstore provider class.

Valid only in Java EE applications.

Required

The only supported value is:

oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider

group.create.bases

The base DNs used to create groups or enterprise roles. Extended property.

Valid in Java EE and Java SE applications.

Required to allow writing operations with the User and Role API. Otherwise, optional.

Value example of a single DN:

<extendedProperty>
 <name>group.create.bases</name>
 <values>
  <value>cn=groups,dc=us,dc=oracle,dc=com</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_CREATE_BASES

user.create.bases

The base DNs used to create users. Extended property.

Valid in Java EE and Java SE applications.

Required to allow writing operations with the User and Role API. Otherwise, optional.

Value example of a single DN:

<extendedProperty>
 <name>user.create.bases</name>
 <values>
  <value>cn=users,dc=us,dc=oracle,dc=com</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: USER_CREATE_BASES

group.filter.object.classes

The fully qualified names of object classes used to search enterprise roles and groups. Extended property.

Valid in Java EE and Java SE applications.

Optional.

Value example: groupOfUniqueNames.

Corresponding User and Role API property: ROLE_FILTER_OBJECT_CLASSES

group.mandatory.attrs

The attributes that must be specified when creating enterprise roles or groups. Extended property.

Valid in Java EE and Java SE applications.

Optional.

Value example:

<extendedProperty>
 <name>group.mandatory.attrs</name>
 <values>
  <value>cn</value>
  <value>objectClass</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_MANDATORY_ATTRS

group.member.attrs

The attribute of a static role that specifies the distinguished names (DNs) of the members of an enterprise role or group. Extended property.

Valid in Java EE and Java SE applications.

Optional.

Value example:

<extendedProperty>
 <name>group.member.attrs</name>
 <values>
  <value>uniqueMember</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_MEMBER_ATTRS

group.object.classes

The fully qualified names of one or more schema object classes used to represent enterprise roles or groups. Extended property.

Valid in Java EE and Java SE applications.

Optional.

Value example:

<extendedProperty>
 <name>group.object.classes</name>
 <values>
  <value>top</value>
  <value>groupOfUniqueNames</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_OBJECT_CLASSES

group.selected.create.base

The base DNs for creating enterprise roles or groups.

Valid in Java EE and Java SE applications.

Optional.

Value example: cn=users,dc=us,dc=abc,dc=com (single DN)

Corresponding User and Role API property: ROLE_SELECTED_CREATEBASE

groupname.attr

The attribute that uniquely identifies the name of the enterprise role or group.

Valid in Java EE and Java SE applications.

Optional.

Value example: cn

Corresponding User and Role API property: ROLE_NAME_ATTR

group.selected.search.base

The base DNs for searching enterprise roles or groups.

Valid in Java EE and Java SE applications.

Optional.

Value example: cn=users,dc=us,dc=abc,dc=com (single DN)

max.search.filter.length

The maximum number of characters of the search filter.

Valid in Java EE and Java SE applications.

Optional.

Value: a positive integer.

Corresponding User and Role API property: MAX_SEARCHFILTER_LENGTH

search.type

The type of search to employ when the repository is queried.

Valid in Java EE and Java SE applications.

Optional.

Valid values: SIMPLE, PAGED, or VIRTUAL_LIST_VIEW.

Corresponding User and Role API property: IDENTITY_SEARCH_TYPE

user.filter.object.classes

The fully qualified names of object classes used to search users. Extended property.

Valid in Java EE and Java SE applications.

Optional.

Value example: inetOrgPerson

Corresponding User and Role API property: USER_FILTER_OBJECT_CLASSES

user.login.attr

The login identity of the user.

Valid in Java EE and Java SE applications.

Optional.

Value example:

<property name="user.login.attr" value="mail"/>

Corresponding User and Role API property: USER_LOGIN_ATTR

user.mandatory.attrs

The attributes that must be specified when creating a user. Extended property.

Valid in Java EE and Java SE applications.

Optional.

Value example:

<extendedProperty>
 <name>user.mandatory.attrs</name>
 <values>
  <value>cn</value>
  <value>objectClass</value>
  <value>sn</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: USER_MANDATORY_ATTRS

user.object.classes

The fully qualified names of the schema classes used to represent users. Extended property.

Valid in Java EE and Java SE applications.

Optional.

Corresponding User and Role API property: USER_OBJECT_CLASSES

username.attr

The LDAP attribute that uniquely identifies the name of the user.

Valid in Java EE and Java SE applications.

Optional.

Corresponding User and Role API property: USER_NAME_ATTR

ldap.host

The name of the system hosting the identity store.

Valid in Java EE and Java SE applications.

Optional.

subscriber.name

The default realm for the identity store.

Valid in Java EE and Java SE applications.

Optional.

Value example: dc=us,dc=oracle,dc=com.

Corresponding User and Role API property: ADF_IM_SUBSCRIBER_NAME

virtualize

Controls the authenticators where search and modifications are allowed; if set to TRUE, searching and modifying is available in all configured authenticators; otherwise, if set to FALSE, searching and modifying is available in only the first authenticator in the configured stack.

Set to TRUE if you intend to use the User and Role API to search or write information in all authenticators.

Valid in Java EE and Java SE applications.

Optional.

Valid values: TRUE or FALSE.

Default value: FALSE.

Value example:

  <property name="virtualize" value="true"/>


Note:

If the authenticator attribute username is changed (because, for example, of post-provisioning or migrating from a test to a production environment), then the identity store service parameter username.attr in the identity store service must also be changed accordingly. Those two values should be kept equal.

The following fragment illustrates the configuration of an LDAP-based identity store for a Java SE application:

<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.type" value="OID"/>
    <property name="ldap.url" value="ldap://myHost.com:1234"/>
    <extendedProperty>
       <name>user.search.bases</name>
          <values>
             <value>cn=users,dc=us,dc=oracle,dc=com</value>
          </values>
    </extendedProperty>
    <extendedProperty>
       <name>group.search.bases</name>
          <values>
             <value>cn=groups,dc=us,dc=oracle,dc=com</value>
          </values>
    </extendedProperty>
</serviceInstance>

F.2.4 Properties Common to All LDAP-Based Instances

Table F-6 lists generic properties of LDAP-based stores that can be specified in any service instance.

In the case of an LDAP-based identity store service instance, to ensure that the User and Role API picks up the connection pool properties when it is using the JNDI connection factory, the identity store service instance must include the following property:

<property 
name="INITIAL_CONTEXT_FACTORY" value="com.sun.jndi.ldap.LdapCtxFactory"/>

Table F-6 Generic LDAP Properties

Name Description

connection.pool.authentication

Specifies the type of LDAP connection that the JNDI connection pool uses.

Valid in Java EE and Java SE applications.

Optional.

Values: none, simple, and DIGEST-MD5.

Default value: simple.

connection.pool.max.size

Specifies the maximum number of connections in the LDAP connection pool.

Valid in Java EE and Java SE applications.

Optional.

Value example: 30

connection.pool.min.size

Specifies the minimum number of connections in the LDAP connection pool.

Valid in Java EE and Java SE applications.

Optional.

Value example: 5

connection.pool.protocol

Specifies the protocol to use for the LDAP connection.

Valid in Java EE and Java SE applications.

Optional.

Values: plain, ssl.

Default value: plain.

connection.pool.provider.type

Specifies the connection pool to use.

Valid in Java EE and Java SE applications.

Optional.

Values: JNDI, IDM.

Default value: JNDI.

connection.pool.timeout

Specifies the number of milliseconds that an idle connection can remain in the pool; after timeout, the connection is closed and removed from the pool.

Valid in Java EE and Java SE applications.

Optional.

Default value: 300000 (5 minutes)

oracle.security.jps.ldap.max.retry

Specifies the maximum number of retry attempts if there are problems with the LDAP connection.

Valid in Java EE and Java SE applications.

Optional.

Value example: 5


The following fragment illustrates a configuration of several properties:

<jpsConfig ... >
   ...
   <!-- common properties used by all LDAPs -->
   <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
   <property name="oracle.security.jps.ldap.root.name"
             value="cn=OracleJpsContainer"/>
   <property name="oracle.security.jps.ldap.max.retry" value="5"/>
   ...
</jpsConfig>

F.2.5 Anonymous and Authenticated Roles Properties

Table F-7 lists the properties that can be used to configure file-, LDAP-, or DB-based anonymous users, anonymous roles, and authenticated roles.

Table F-7 Anonymous and Authenticated Roles Properties

Name Description

anonymous.role.description

Specifies a description of the anonymous role.

Valid in Java EE and Java SE applications.

Optional.

No default value.

anonymous.role.name

Specifies the name of the principal in the anonymous role.

Valid in Java EE and Java SE applications.

Optional.

Default value: anonymous-role

anonymous.role.uniquename

Specifies the name of the anonymous role.

Valid in Java EE and Java SE applications.

Optional.

Default value: anonymous-role

anonymous.user.name

Specifies the name of the principal in the anonymous user.

Valid in Java EE and Java SE applications.

Optional.

Default value: anonymous

authenticated.role.description

Specifies a description of the authenticated role.

Valid in Java EE and Java SE applications.

Optional.

No default value.

authenticated.role.name

Specifies the name of the principal in authenticated user roles.

Valid in Java EE and Java SE applications.

Optional.

Default value: authenticated-role

authenticated.role.uniquename

Specifies the name of the authenticated role.

Valid in Java EE and Java SE applications.

Optional.

Default value: authenticated-role

remove.anonymous.role

Specifies whether the anonymous role should be removed from the subject after a user is authenticated.

Valid in Java EE and Java SE applications.

Optional.

Valid values: TRUE, FALSE.

Default value: FALSE.


F.2.6 Trust Service Properties

Table F-8 lists the properties that can be used to configure the trust service.

Table F-8 Trust Service Properties

Name Description

trust.keystoreType

Specifies the type of the trust service store: JKS or KSS.

Valid in Java EE and Java SE applications.

Optional.

Valid values: JKS of KSS.

Default: none.

When unspecified, if a KSS store is already provisioned, then the value is set to KSS; otherwise it is set to JKS.

trust.keyStoreName

Applies only when trust.keystoreType is set to KSS, and it specifies the store name with the format:

kss://<stripeName>/<keyStoreName>

Valid in Java EE and Java SE applications.

Optional.

Default: kss://opss/trustservice_ks.

trust.trustStoreName

Applies only when trust.keystoreType is set to KSS, and it specifies the store URL with the format:

kss://<stripeName>/<keyStoreName>

Valid in Java EE and Java SE applications.

Optional.

Default: kss://opss/trustservice_ts.

trust.aliasName

Specifies the alias to use to get an X.509 certificate and private key from the keystore.

Valid in Java EE and Java SE applications.

Optional.

Default: the name of the WLS domain of the WAS cell.

trust.issuerName

Specifies the name to be included in the token. It is used by the destination trust service to pick up and validate the token.

Valid in Java EE and Java SE applications.

Optional.

Default: the name of the WLS domain of the WAS cell.

trust.provider.className

Specifies the fully-qualified name of the trust provider class.

Valid in Java EE and Java SE applications.

Required.

Value: the only supported value is oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl.

trust.clockSkew

Specifies, in seconds, the time-gap allowed when verifying time conditions.

Valid in Java EE and Java SE applications.

Optional.

Default: 0.

trust.token.validityPeriod

Specifies, in seconds, the time that a token remains valid after being issued.

Valid in Java EE and Java SE applications.

Required.

Default: none.

trust.csf.map

Specifies the map of the credential to access the keystore.

Valid in Java EE and Java SE applications.

Optional.

Default: the value of the keystore instance property keystore.csf.map.

trust.csf.keystorePass

Applies only when trust.keystoreType is set to JKS, and it specifies the key of the credential to access the private key (the map is set by trust.csf.map).

Valid in Java EE and Java SE applications.

Optional.

Default: the value of the keystore instance property keystore.pass.csf.key.

trust.csf.keyPass

Applies only when trust.keystoreType is set to JKS, and it specifies the key of the credential to acces the keystore (the map is set by trust.csf.map).

Valid in Java EE and Java SE applications.

Optional.

Default: the value of the keystore instance property keystore.sig.csf.key.

trust.token.includeCertificate

Specifies whether the SAML token includes a certificate.

Valid in Java EE and Java SE applications.

Required.

Valid values: true or false.

Default: false.


The following sample illustrates the configuration of a trust service:

<propertySet name="trust.provider.embedded">
  <property name="trust.provider.className" value="oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl"/>
  <property name="trust.clockSkew" value="60"/>
  <property name="trust.token.validityPeriod" value="1800"/>
  <property name="trust.aliasName" value="orakey"/>
  <property name="trust.issuerName" value="orakey"/>
  <property name="trust.csf.map " value="my-csf-map"/>
  <property name="trust.csf.keystorePass" value="my-keystore-csf-key"/>
  <property name="trust.csf.keypass" value="my-signing-csf-key"/>
</propertySet>

F.2.7 Audit Service Properties

Table F-9 lists the properties used to configure the audit service:

Table F-9 Audit Service Properties

Property Description Required? Values Default Value

auditstore.type

The audit metadata store type.

yes

file, ldap, or db

file

audit.filterPreset

The level of auditing.

no

None, Low, Medium, or High

None

audit.customEvents

For Custom, a list of audit events that should be audited. The events must be qualified using the component type. Commas separate events and a semicolon separates component types.

Example:

JPS:CheckAuthorization, CreateCredential; OIF:UserLogin

no

   

audit.specialUsers

list of one or more users whose activity is always audited, even if filterPreset is None.

Usernames that contain commas must be escaped properly. For example, when using Fusion Middleware Control, specify three users like this - "admin, fmwadmin, cn=test\,cn=user\,ou:ST\,L=RS\,c=is\,"

In WLST, the backslash "\" should also be escaped. For example:

setAuditPolicy(addSpecialUsers="cn=orcladmin\\\,cn=com") 

For more information, see Section C.4.3, "setAuditPolicy".

no

   

audit.maxDirSize

Controls the size of the directory where the audit files will be written. Integer is in Bytes.

no

 

102400000

audit.maxFileSize

Controls the size of a bus stop file where audit events are written. Integer is in Bytes

no

 

104857600

audit.loader.interval

Controls the frequency with which audit loader uploads to database. Integer is in Seconds.

no

 

15 seconds

audit.loader
.repositoryType

Store type for the audit events. If type is Database (DB), also define audit.loader.jndi or JDBC property.

yes

File, Db

File

audit.loader.jndi

JNDI name of the data source in application servers for uploading audit events into database.

no

 

jdbc/AuditDB

audit.db.principal.map / audit.db.principal.key

The map and key for the JDBC user name and password credential in bootstrap credential store,when running in JavaSE, and repositoryType is DB.

no

   

audit.loader.jdbc.string

The JDBC string for JDBC connection when running in JavaSE, and repositoryType is DB.

no

   

audit.logDirectory

The base directory for bus-stop files.

required for JavaSE

 

jse

audit.timezone

Determines whether events are recorded in the Oracle WebLogic Server timestamp or in UTC. For details, see Section 13.4.

no

utc, local

utc

audit.change.scanning.
interval

In a distributed environment with LDAP- or DB-based audit store, the audit service monitors each OPSS running instance for changes in audit runtime policies, and dynamically re-loads any cached policies.

This property determines how frequently, in milliseconds, the service checks for any changes.

no

whole number greater than zero

60000 (60 seconds)


The following is an example of audit service configuration:

<serviceInstance name="audit" provider="audit.provider" location="./audit-store.xml">
   <property name="audit.filterPreset" value="Medium"/>
   <property name="audit.loader.jndi" value="jdbc/AuditDB"/>
   <property name="audit.loader.repositoryType" value="Db" />
   <property name="auditstore.type" value="file"/>
   <property name="audit.timezone" value="local" />
 </serviceInstance>

F.2.8 Keystore Service Properties

Table F-10 lists the properties used to configure the Keystore Service:

Table F-10 Keystore Service Properties

Property Description Required? Values Default

keystore.provider.type

Keystore repository type

Yes

file, ldap, db

file

keystore.file.path

Location of the file keystores.xml when file provider is configured

Yes, if a file-based keystore provider is configured.

-

./

ca.key.alias

Key alias within "system/castore" of the third party CA used for Keystore service instance

No

-

-

location

Location of the keystore; can be absolute or relative path.

Yes, if keystore.type is JKS.No, if keystore.type is PKCS11 or HSM (LunaSA)

Path to keystore

./default-keystore.jks

keystore.type

Type of keystore

Yes

JKS, PKCS11, Luna

JKS

keystore.csf.map

Credential store map name used by Oracle Web Services Manager.

Yes

Credential store map name

oracle.wsm.security

keystore.pass.csf.key

Credential store key that points to Keystore password.

Yes, for JKS and PKCS11. No, for HSM

Credential store csf key name

keystore-csf-key

keystore.sig.csf.key

Credential store key name that points to alias and password of signing key in keystore.For HSM, it is the direct key alias name rather than the credential store key name.

Yes

Credential store csf key name or, for HSM, the direct alias

sign-csf-key

keystore.enc.csf.key

Credential store key name that points to alias and password of encryption key in keystore.For HSM, it is the direct key alias name rather than the credential store key name.

Yes

Credential store csf key name or, for HSM, the direct alias

enc-csf-key


The following is an example of Keystore Service configuration for a file-based provider :

<serviceInstance name="keystore" provider="keystore.provider"          location="./default-keystore.jks">
   <description>Default JPS Keystore Service</description>
   <property name="keystore.provider.type" value="file"/>
   <property name="keystore.file.path" value="./"/>
   <property name="keystore.type" value="JKS"/>
   <property name="keystore.csf.map" value="oracle.wsm.security"/>
   <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
   <property name="keystore.sig.csf.key" value="sign-csf-key"/>
   <property name="keystore.enc.csf.key" value="enc-csf-key"/>
 </serviceInstance>

The following is an example of Keystore Service configuration for an LDAP-based provider :

<serviceInstance name="keystore" provider="keystore.provider"       location="./default-keystore.jks">
   <description>Default JPS Keystore Service</description>
   <property name="keystore.provider.type" value="ldap"/>
   <property name="keystore.type" value="JKS"/>
   <property name="keystore.csf.map" value="oracle.wsm.security"/>
   <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
   <property name="keystore.sig.csf.key" value="sign-csf-key"/>
   <property name="keystore.enc.csf.key" value="enc-csf-key"/>
<property value="bootstrap" name="bootstrap.security.principal.key"/>
<property value="cn=wls-jrfServer" name="oracle.security.jps.farm.name"/>
<property value="cn=jpsTestNode" name="oracle.security.jps.ldap.root.name"/>
<property value="ldap://myHost.com:1234" name="ldap.url"/>
</serviceInstance>

The following is an example of Keystore Service configuration for an RDBMS-based provider :

<propertySet name="props.db.1">
   <property name="jdbc.url" value="jdbc:oracle:thin:@host:port:sid"/>
   <property name="oracle.security.jps.farm.name" value="cn=farm"/>
   <property name="server.type" value="DB_ORACLE"/>
   <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
   <property name="jdbc.driver" value="oracle.jdbc.OracleDriver"/>
   <property name="bootstrap.security.principal.map" value="credendial_map"/>
   <property name="bootstrap.security.principal.key" value="credential_key"/>
</propertySet>
 
…
…
<serviceInstance name="keystore.rdbms" provider="keystore.provider"            location="./default-keystore.jks">  
   <propertySetRef ref = "props.db.1"/>       
   <property name="keystore.provider.type"  value="db"/>
   <property name="keystore.type" value="JKS"/>
   <property name="keystore.csf.map" value="oracle.wsm.security"/>
   <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
   <property name="keystore.sig.csf.key" value="sign-csf-key"/>
   <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>