This chapter provides detailed descriptions of custom WLST commands for infrastructure security, including command syntax, arguments and command examples.
The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail. Topics include:
For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Security Guide.
Note:
To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide.
WLST security commands are divided into the following categories:
Table 4-1 WLST Command Categories
| Command Category | Description |
|---|---|
|
View and manage audit policies and the audit repository configuration |
|
|
View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components. |
|
|
View and manage configuration for Oracle Identity Federation |
|
|
For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware User Reference for Oracle Identity Management |
|
|
Manage domain and credential domain stores and migrate domain policy store. |
|
|
Manage OAM-related components, such as authorization providers, identity asserters, and SSO providers. |
Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Display the mBean name for a non-Java EE component. |
Online |
|
|
Display audit policy settings. |
Online |
|
|
Update audit policy settings. |
Online |
|
|
Display audit repository settings. |
Online |
|
|
Update audit repository settings. |
Online |
|
|
List audit events for one or all components. |
Online |
|
|
Export a component's audit configuration. |
Online |
|
|
Import a component's audit configuration. |
Online |
|
|
Create an audit definitions view in the database. |
Online |
|
|
List components that can be audited. |
Online |
|
|
Registers audit definitions for a specified component in the audit store. |
Online |
|
|
Removes audit definitions of a specified component from the audit store. |
Online |
For more information, see the Oracle Fusion Middleware Security Guide.
Online command that displays the mbean name for non-Java EE components.
This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
|
|
Specifies the name of the Oracle WebLogic Server. |
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
getAuditPolicy([mbeanName, componentType])
| Argument | Definition |
|---|---|
|
|
Specifies the name of the component audit MBean for non-Java EE components. |
|
|
Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in |
The following command displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0
The following command displays the audit settings for MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers], [removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
| Argument | Definition |
|---|---|
|
|
Specifies the name of the component audit MBean for non-Java EE components. |
|
|
Specifies the filter preset to be changed. |
|
|
Specifies the special users to be added. |
|
|
Specifies the special users to be removed. |
|
|
Specifies the custom events to be added. |
|
|
Specifies the custom events to be removed. |
|
|
Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified. |
|
|
Specifies the maximum size of the log directory. |
|
|
Specifies the maximum size of the log file. |
|
|
Specifies the |
|
|
Specifies the |
|
|
Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create/update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to “Custom”. |
The following interactive command sets audit policy to None level, and adds users user2 and user3 while removing user1 from the policy:
wls:/mydomain/serverConfig> setAuditPolicy (filterPreset= 'None',addSpecialUsers='user2,user3',removeSpecialUsers='user1') wls:/mydomain/serverConfig> getAuditPolicy(); Already in Domain Runtime Tree FilterPreset:None Special Users:user2,user3 Max Log File Size:104857600 Max Log Dir Size:0
The following interactive command adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset= 'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following interactive command sets audit policy to a Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low'); Already in Domain Runtime Tree Audit Policy Information updated successfully wls:/IDMDomain/domainRuntime> getAuditPolicy(); Already in Domain Runtime Tree FilterPreset:Low Max Log File Size:104857600 Max Log Dir Size:0
The following command sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization'); Already in Domain Runtime Tree Audit Policy Information updated successfully wls:/IDMDomain/domainRuntime> getAuditPolicy(); Already in Domain Runtime Tree FilterPreset:Custom Special Users:user1 Max Log File Size:104857600 Max Log Dir Size:0 Custom Events:JPS:CheckAuthorization
Online command that displays audit repository settings.
This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). Also displays database configuration if the repository is a database type.
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB],[dataSourceName],[interval])
| Argument | Definition |
|---|---|
|
|
If |
|
|
Specifies the name of the data source. |
|
|
Specifies intervals at which the audit loader kicks off. |
The following command switches from a file repository to a database repository:
wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true'); Already in Domain Runtime Tree Audit Repository Information updated wls:/IDMDomain/domainRuntime> getAuditRepository(); Already in Domain Runtime Tree JNDI Name:jdbc/AuditDB Interval:15 Repository Type:DB
The following interactive command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
listAuditEvents([mbeanName],[componentType])
| Argument | Definition |
|---|---|
|
|
Specifies the name of the component MBean. |
|
|
Specifies the component type to limit the list to all events of the component type. |
The following command displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message
The following command displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following command displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
exportAuditConfig([mbeanName],fileName, [componentType])
| Argument | Definition |
|---|---|
|
|
Specifies the name of the non-Java EE component MBean. |
|
|
Specifies the path and file name to which the audit configuration should be exported. |
|
|
Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in |
The following interactive command exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
importAuditConfig([mbeanName],fileName, [componentType])
| Argument | Definition |
|---|---|
|
|
Specifies the name of the non-Java EE component MBean. |
|
|
Specifies the path and file name from which the audit configuration should be imported. |
|
|
Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in |
The following interactive command imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name='CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command imports the audit configuration from a file; no mBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
Creates a SQL script that can generate a view for audit in the database.
This command generates a SQL script that you can use to create a database view of the audit definitions of a specified component. The script is written to the specified file and also printed out to the console.
Upon execution, the result of the SQL script depends on the audit model at your site:
If using the 11.1.1.6.0 model, and the component is registered in the audit store, the script creates a view using the system component tables (IAU_COMMON, IAU_USERSESSION, IAU_AUDITSERVICE and IAU_CUSTOM) for the specified component.
If using the pre-11.1.1.6.0 model, the component is not registered in the audit store but its event definitions reside in the component_events.xml file (in the oracle_common/modules/oracle.iau_11.1.1/components/<componentType> dir), and the view is created using the IAU_BASE and component tables.
createAuditDBView(fileName, componentType)
| Argument | Definition |
|---|---|
|
|
Specifies the path and file name to which the SQL script is written. |
|
|
The component whose definitions are the basis of the view. |
Lists components that can be audited.
This command creates a list of the components that can be audited. It lists components registered in the audit store using both the 11.1.1.6.0 model and the pre-11.1.1.6.0 model.
listAuditComponents(fileName)
| Argument | Definition |
|---|---|
|
|
Specifies the path and file name to which the output is written. |
Registers the specified component in the audit store.
Adds the event definition and translation content for a specified component to the audit store. If you try to register using the pre-11.1.1.6.0 audit XML schema definition, it is upgraded to the 11.1.1.6.0 XML schema definition and then registered with the audit store.
registerAudit(xmlFile, [xlfFile], componentType, [mode=OVERWRITE|UPGRADE])
| Argument | Definition |
|---|---|
|
|
Specifies the Component Event definition file. |
|
|
Specifies the component xlf jar file. Optional. |
|
|
Specifies the component to be registered. |
|
|
OVERWRITE or UPGRADE. Default is UPGRADE. |
Removes the event definition and translation content for the specified component from the audit store.
Removes an existing event definition and translation content for a specified component or application from the audit store.
deregisterAudit(componentType)
| Argument | Definition |
|---|---|
|
|
Specifies the component whose definitions are to be removed. |
Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.
Table 4-3 WLST Commands for SSL Configuration
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Generate a certificate signing request in an Oracle wallet. |
Online |
|
|
Add a self-signed certificate to an Oracle wallet. |
Online |
|
|
Change the password to a JKS keystore. |
Online |
|
|
Change the password to an Oracle wallet. |
Online |
|
|
Set the SSL attributes for a component listener. |
Online |
|
|
Create a JKS keystore. |
Online |
|
|
Create an Oracle wallet. |
Online |
|
|
Delete a JKS keystore. |
Online |
|
|
Delete an Oracle wallet. |
Online |
|
|
Export a JKS keystore to a file. |
Online |
|
|
Export an object from a JKS keystore to a file. |
Online |
|
|
Export an Oracle wallet to a file. |
Online |
|
|
Export an object from an Oracle wallet to a file. |
Online |
|
|
Generate a key pair in a JKS keystore. |
Online |
|
|
Display a certificate or other object present in a JKS keystore. |
Online |
|
|
Display the SSL attributes for a component listener. |
Online |
|
|
Display a certificate or other object present in an Oracle wallet. |
Online |
|
|
Import a JKS keystore from a file. |
Online |
|
|
Import a certificate or other object from a file to a JKS keystore. |
Online |
|
|
Import an Oracle wallet from a file. |
Online |
|
|
Import a certificate or other object from a file to an Oracle wallet. |
Online |
|
|
List all objects present in a JKS keystore. |
Online |
|
|
List all JKS keystores configured for a component instance. |
Online |
|
|
List all objects present in an Oracle wallet. |
Online |
|
|
List all Oracle wallets configured for a component instance. |
Online |
|
|
Remove a certificate or other object from a component instance's JKS keystore. |
Online |
|
|
Remove a certificate or other object from a component instance's Oracle wallet. |
Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide.
Online command that generates a certificate signing request in an Oracle wallet.
This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.
addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the Distinguished Name of the key pair entry. |
|
|
Specifies the key size in bits. |
The following command generates a certificate signing request with DN cn=www.acme.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that adds a self-signed certificate.
This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.
addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the Distinguished Name of the key pair entry. |
|
|
Specifies the key size in bits. |
The following command adds a self-signed certificate with DN cn=www.acme.com, key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that changes the keystore password.
This command changes the password of a Java Keystore (JKS) file for an Oracle Virtual Directory instance.
changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the filename of the keystore. |
|
|
Specifies the current keystore password. |
|
|
Specifies the new keystore password. |
Online command that changes the password of an Oracle wallet.
This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.
changeWalletPassword(instName, compName, compType, walletName,currPassword, newPassword)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
|
|
Specifies the filename of the wallet. |
|
|
Specifies the current wallet password. |
|
|
Specifies the new wallet password. |
Online command that sets SSL attributes.
This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
configureSSL(instName, compName, compType, listener, filePath)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'oid', 'ovd', ohs', and 'webcache'. |
|
|
Specifies the name of the component listener to be configured for SSL. |
|
|
Specifies the absolute path of the properties file containing the SSL attributes to set. |
The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')
The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
Online command that creates a JKS keystore.
This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createKeyStore(instName, compName, compType, keystoreName, password)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the filename of the keystore file to be created. |
|
|
Specifies the keystore password. |
Online command that creates an Oracle wallet.
This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createWallet(instName, compName, compType, walletName, password)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
|
|
Specifies the name of the wallet file to be created. |
|
|
Specifies the wallet password. |
The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')
The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')
Online command that deletes a keystore.
deleteKeyStore(instName, compName, compType, keystoreName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore file to delete. |
Online command that deletes an Oracle wallet.
This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
deleteWallet(instName, compName, compType, walletName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
|
|
Specifies the name of the wallet file to be deleted. |
Online command that exports the keystore to a file.
This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported filename is the same as the keystore name.
exportKeyStore(instName, compName, compType, keystoreName, password, path)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore file. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the absolute path of the directory under which the keystore is exported. |
Online command that exports an object from a keystore to a file.
This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. The certificate signing request is generated before exporting the object. The alias specifies the object to be exported.
exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore file. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
|
|
Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
|
|
Specifies the alias of the keystore object to be exported. |
The following command generates and exports a certificate signing request from the key-pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')
The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')
The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')
Online command that exports an Oracle wallet.
This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to file(s) under the given directory. If the exported file is an auto-login only wallet, the file name is 'cwallet.sso'. If it is password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'.
exportWallet(instName, compName, compType, walletName,password, path)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the absolute path of the directory under which the object is exported. |
The following command exports auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to file cwallet.sso under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')
The following command exports password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')
Online command that exports a certificate or other wallet object to a file.
This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be exported.
exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'. |
|
|
Specifies the absolute path of the directory under which the object is exported as a file base64.txt. |
|
|
Specifies the Distinguished Name of the wallet object being exported. |
The following command exports a certificate signing request with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.acme.com')
The following command exports a certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.acme.com')
The following command exports a trusted certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.acme.com')
The following command exports a certificate chain with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.acme.com')
Online command that generates a key pair in a Java keystore.
This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated.
generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the Distinguished Name of the key pair entry. |
|
|
Specifies the key size in bits. |
|
|
Specifies the alias of the key pair entry in the keystore. |
|
|
Specifies the key algorithm. Valid value is 'RSA'. |
The following command generates a key pair with DN cn=www.acme.com, key size 1024, algorithm RSA and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey', 'RSA')
The following command is the same as above, except it does not explicitly specify the key algorithm:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey')
Online command that shows details about a keystore object.
This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.
getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore file. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the type of the keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
|
|
Specifies the index number of the keystore object as returned by the |
The following command shows a trusted certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')
The following command shows a certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')
Online command that lists the configured SSL attributes.
This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.
getSSL(instName, compName, compType, listener)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'. |
|
|
Specifies the name of the component listener. |
Online command that displays information about a certificate or other object in an Oracle wallet.
This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.
getWalletObject(instName, compName, compType, walletName, password, type, index)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
|
|
Specifies the index number of the wallet object as returned by the |
The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')
The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')
The following command shows trusted certificate details for the object with index 0, present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')
Online command that imports a keystore from a file.
This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The component instance name must be unique.
importKeyStore(instName, compName, compType, keystoreName, password, filePath)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore being imported. This name must be unique for this component instance. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the absolute path of the keystore file to be imported. |
Online command that imports an object from a file to a keystore.
This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory, assigning it the specified alias which must be unique in the keystore. If a certificate or certificate chain is being imported, the alias must match that of the corresponding key-pair.
importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'. |
|
|
Specifies the absolute path of the file containing the keystore object. |
|
|
Specifies the alias to assign to the keystore object to be imported. |
The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey for Oracle Virtual Directory instance ovd1, in application server instance inst1. The file keys.jks must already have an alias mykey for a key-pair whose public key matches that in the certificate being imported:
wls:/mydomain/serverConfig> > importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')
The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')
Online command that imports an Oracle wallet from a file.
This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.
importWallet(instName, compName, compType, walletName, password, filePath)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet being imported. The name must be unique for the component instance. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the absolute path of the wallet file being imported. |
The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')
The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')
Online command that imports a certificate or other object into an Oracle wallet.
This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache component or Oracle Internet Directory).When importing a certificate, use the same wallet file from which the certificate signing request was generated.
importWalletObject(instName, compName, compType, walletName, password, type, filePath)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
|
|
Specifies the absolute path of the file containing the wallet object. |
The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')
The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','/tmp/cert.txt')
The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')
Online command that lists the contents of a keystore.
This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.
listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore file. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')
The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')
Online command that lists all the keystores for a component.
This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.
listKeyStores(instName, compName, compType)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance |
|
|
Specifies the type of component. Valid value is 'ovd'. |
Online command that lists all objects in an Oracle wallet.
This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
listWalletObjects(instName, compName, compType, walletName, password, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> > listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')
The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')
The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')
Online command that lists all wallets configured for a component instance.
This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.
listWallets(instName, compName, compType)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
Online command that removes an object from a keystore.
This command removes a certificate request, certificate, trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed if all trusted certificates are being removed.
removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid value is 'ovd'. |
|
|
Specifies the name of the keystore file. |
|
|
Specifies the password of the keystore. |
|
|
Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
|
|
Specifies the alias of the keystore object to be removed. |
The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','mykey')
The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')
The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedAll',None)
Online command that removes a certificate or other object from an Oracle wallet.
This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be removed.
removeWalletObject(instName, compName, compType, walletName, password, type, DN)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the application server instance. |
|
|
Specifies the name of the component instance. |
|
|
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
|
|
Specifies the name of the wallet file. |
|
|
Specifies the password of the wallet. |
|
|
Specifies the type of the keystore object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
|
|
Specifies the Distinguished Name of the wallet object to be removed. |
The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so we pass null (denoted by None) for the DN parameter:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)
The following command removes a certificate signing request indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.acme.com')
The following command removes a certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.acme.com')
The following command removes a trusted certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.acme.com')
Use the WLST commands listed in Table 4-4 to view and manage configuration for Oracle Identity Federation.
Table 4-4 WLST Commands for Oracle Identity Federation
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Add a configuration list entry to a map. |
Online |
|
|
Add a configuration map entry to a map. |
Online |
|
|
Add a configuration property list entry. |
Online |
|
|
Add a configuration property map entry to the map. |
Online |
|
|
Add a custom authentication engine. |
Online |
|
|
Add a custom SP engine. |
Online |
|
|
Add a federations list entry to the map. |
Online |
|
|
Add a federation map entry to the map. |
Online |
|
|
Add a federation property list entry. |
Online |
|
|
Add a federation property map entry. |
Online |
|
|
Delete a custom authentication engine. |
Online |
|
|
Delete a custom SP engine. |
Online |
|
|
Delete a provider from the federation. |
Online |
|
|
Delete a user from the federation. |
Online |
|
|
Change the message store to memory or RDBMS. |
Online |
|
|
Change a peer provider's description. |
Online |
|
|
Change the session store to memory or RDBMS. |
Online |
|
|
Create a configuration property list. |
Online |
|
|
Create a configuration property list in the map. |
Online |
|
|
Create a configuration property map. |
Online |
|
|
Create a nested configuration property map in a map. |
Online |
|
|
Create a federation property list. |
Online |
|
|
Create a federation property list in the map. |
Online |
|
|
Create a federation property map. |
Online |
|
|
Create a nested federation property map in a map. |
Online |
|
|
Create a peer provider entry. |
Online |
|
|
Retrieve a configuration list value from the map. |
Online |
|
|
Retrieve a configuration map value from the map. |
Online |
|
|
Retrieve a configuration property entry. |
Online |
|
|
Retrieve a configuration property list. |
Online |
|
|
Retrieve a configuration property map entry. |
Online |
|
|
Retrieve a federation list value from the map. |
Online |
|
|
Retrieve a federation map entry from a nested map. |
Online |
|
|
Retrieve a federation property. |
Online |
|
|
Retrieve the federation property list. |
Online |
|
|
Export all provider configuration properties to a text file. |
Script |
|
|
Set a provider's properties based on an input text file. |
Script |
|
|
Retrieve a federation property map entry. |
Online |
|
|
Display the list of custom authentication engines. |
Online |
|
|
Display the list of custom SP engines. |
Online |
|
|
Load metadata from a file. |
Online |
|
|
Display the current status of Oracle Identity Federation on the managed server. |
Online |
|
|
Delete a configuration list in the map. |
Online |
|
|
Delete a configuration map entry in the map. |
Online |
|
|
Delete a nested configuration map. |
Online |
|
|
Delete a configuration property. |
Online |
|
|
Delete a property list. |
Online |
|
|
Delete a property map. |
Online |
|
|
Delete an entry in the property map. |
Online |
|
|
Delete a federation list in the map. |
Online |
|
|
Delete a nested federation map. |
Online |
|
|
Delete a nested federation map entry. |
Online |
|
|
Delete a federation property. |
Online |
|
|
Delete a federation property list. |
Online |
|
|
Delete a federation property map. |
Online |
|
|
Delete a federation property map entry. |
Online |
|
|
Delete a peer provider entry. |
Online |
|
|
Set a configuration property. |
Online |
|
|
Define a custom authentication engine. |
Online |
|
|
Define a custom SP engine. |
Online |
|
|
Set a federation property. |
Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Online command that adds a property value to a map.
addConfigListEntryInMap(configName, mapname, listName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property to map to be changed in config.xml. |
|
|
Specifies the name of the list. |
|
|
Specifies the property value. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a nested map property entry in a map.
This command that adds a property name/value pair to a map nested inside a map in config.xml.
addConfigMapEntryInMap(configName, mapname, nestedMapName, propName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property map to be changed in config.xml. |
|
|
name of the nested property map to be changed. |
|
|
Specifies the name of the list. |
|
|
Specifies the property value. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a list property entry to config.xml.
addConfigPropertyListEntry(configName, listName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property list to be added in config.xml. |
|
|
Specifies the new property list value. The entered value is appended to the list. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a property name/value entry in a map in config.xml.
addConfigPropertyMapEntry(configName, mapName, propName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property map in config.xml. |
|
|
Specifies the name of the property map. |
|
|
Specifies the property map value to be added. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a custom authentication integration engine.
addCustomAuthnEngine(name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
|
|
Specifies the name of the custom engine. |
|
|
This flag specifies whether the engine is enabled (true) or not (false, default). |
|
|
Specifies the web context for the engine. |
|
|
Specifies the authentication relative path URL for the engine. |
|
|
Specifies the logout relative path URL for the engine. |
|
|
This flag is set true to enable logout for the engine, else false. |
Online command that adds a custom service provider (SP) engine.
addCustomSPEngine(name, [enabled, [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
|
|
Specifies the name of the custom engine. |
|
|
This flag specifies whether the engine is enabled (true) or not (false). |
|
|
Specifies the authentication mechanism for the engine. |
|
|
Specifies the web context for the engine. |
|
|
Specifies the authentication relative path URL for the engine. |
|
|
Specifies the logout relative path URL for the engine. |
|
|
This flag is set true to enable logout for the engine, else false. |
Online command that adds a list property entry in a map.
addFederationListEntryInMap(providerID, mapname, listName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the name of the property map to be changed in cot.xml. |
|
|
Specifies the name of the property list to be added to the map. |
|
|
Specifies the property list value to be added. The entered value is appended to the list. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a nested map property entry in a map.
addFederationMapEntryInMap(providerID, mapname, nestedMapName, propName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the name of the property map to be changed in cot.xml. |
|
|
Specifies the name of the nested property map to be changed. |
|
|
Specifies the name of the property to be updated in the map. |
|
|
Specifies the property value to be added. The entered value is appended to the list. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a list property entry.
addFederationPropertyListEntry(providerID, listName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the name of the property list to be updated. |
|
|
Specifies the property list value to be added. The entered value is appended to the list. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that a property name/value entry in a map.
addFederationPropertyMapEntry(providerID, mapName, propName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the name of the property map to be changed in cot.xml. |
|
|
Specifies the name of the property to be added in the map. |
|
|
Specifies the property value to be added. The entered value is appended to the list. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that deletes a custom authentication integration engine from the configuration.
This command deletes a custom authentication integration engine in config.xml. You must provide the engine ID for an existing custom authentication engine in config.xml.
deleteCustomAuthnEngine(engineID)
| Argument | Definition |
|---|---|
|
|
Specifies the engine ID of an existing engine to be deleted. |
Online command that deletes a custom service provider (SP) integration engine from the configuration.
This command deletes a custom SP integration engine in config.xml. The EngineID for an existing custom SP engine in config.xml must be provided.
ddeleteCustomSPEngine(engineID)
| Argument | Definition |
|---|---|
|
|
Specifies the engine ID of an existing engine to be deleted. |
Online command that deletes federations for given provider.
deleteProviderFederation(providerID)
| Argument | Definition |
|---|---|
|
|
Specifies the ProviderID for the peer provider for which federation is to be deleted. |
Online command that deletes federations for given users.
deleteUserFederation([user1, ...])
| Argument | Definition |
|---|---|
|
|
Specifies a comma-separated list of users whose federations are to be deleted. At least one user must be specified. |
Online command that changes the message store between memory and RDBMS.
changeMessageStore(type, [jndiname])
| Argument | Definition |
|---|---|
|
|
Specifies the type of store, RDBMS or Memory. Default is Memory. |
|
|
Specifies the |
Online command that changes the peer provider description.
changePeerProviderDescription(providerID, description)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the provider description. |
Online command that changes the session store between memory and RDBMS.
changeSessionStore(type, [jndiname])
| Argument | Definition |
|---|---|
|
|
Specifies the type of store, RDBMS or Memory. Default is Memory. |
|
|
Specifies the jndi name to set for the store. Required if type is RDBMS. |
Online command that creates a property list.
createConfigPropertyList(configName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the property list name. |
Online command that creates a property list nested in the property map.
createConfigPropertyListInMap(configName, mapName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies an existing property map to contain the nested list. |
|
|
Specifies the property list name. |
Online command that creates a property map.
createConfigPropertyMap(configName, mapName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the property map to create. |
Online command that creates a property map.
createConfigPropertyMapInMap(configName, mapName, nestedMapName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of an existing property map. |
|
|
Specifies the name of the property map to create nested inside mapName. |
Online command that creates a property list.
createFederationPropertyList(providerID, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the name of the property list. |
Online command that creates a property list nested in a property map.
createFederationPropertyListInMap(providerID, mapName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies an existing property map to contain the nested list. |
|
|
Specifies the name of the property list. |
Online command that creates a property map.
createFederationPropertyMap(providerID, mapName)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the name of the property map to be added to cot.xml. |
Online command that creates a nested property map.
createFederationPropertyMapInMap(providerID, mapName, nestedMapName)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID. |
|
|
Specifies the name of an existing property map. |
|
|
Specifies the name of the property map to be nested inside mapName in cot.xml. |
Online command that creates a peer provider property map entry.
createPeerProviderEntry(providerID, description, providerType, version)
| Argument | Definition |
|---|---|
|
|
Specifies the provider ID to be created. |
|
|
This is the description of the provider ID. |
|
|
Specifies the provider type of the peer provider to be created. |
|
|
Specifies the version of the peer provider to be created. |
Online command that returns a list nested in a map.
getConfigListValueInMap(configName, mapName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the list to be fetched from the map. |
Online command that returns a map property entry nested in a map.
getConfigMapEntryInMap(configName, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the nested property map. |
|
|
Specifies the name of the property to be fetched from the nested map. |
Online command that returns a property value.
getConfigProperty(configName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
|
|
Specifies the name of the property to be fetched from the nested map. |
Online command that returns a property list.
getConfigPropertyList(configName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the configuration name. |
|
|
Specifies the name of the property list to be fetched from config.xml. |
Online command that returns a property value from a map.
getConfigPropertyMapEntry(configName, mapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the configuration name (for example, idpsaml20, serverconfig, spsaml20, ...). |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the property to be fetched from the map in config.xml. |
Online command that returns a list value nested in a map.
getFederationListValueInMap(providerID, mapName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the list to be fetched from the map. |
Online command that returns a map property entry nested in a map.
getFederationMapEntryInMap(providerID, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the nested property map. |
|
|
Specifies the name of the property to be fetched from the nested map. |
Online command that returns a property value.
getFederationProperty(providerID, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property to be fetched from cot.xml. |
Online command that returns a property list.
getFederationPropertyList(providerID, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the list to be fetched from the map. |
A WLST script that exports the properties of a provider.
A WLST script that extracts all the configuration properties of the specified provider and exports them to a text file. You can later use this file to set the same properties on another provider. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.
extractproviderprops.py providerID filename
| Argument | Definition |
|---|---|
|
|
Specifies the name of the provider whose properties are to be extracted. |
|
|
Specifies the name of the text file to which the provider properties are extracted. |
When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.
The format of the extract file is:
TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE
For example:
X:X:sendattribute:false:boolean MAP:attributelist/mailemail:datastore-attr:mail:string LIST:sendattributefornameid:unspecified::string
A WLST script that sets the properties of a provider using values from a text file.
A WLST script that sets the properties of a provider using values from a text file. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.
The text file is generated by the extractproviderprops command.
setproviderprops.py providerID filename
| Argument | Definition |
|---|---|
|
|
Specifies the name of the provider whose properties are to be updated. |
|
|
Specifies the name of the input file from which to read the properties. |
When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.
Online command that returns a property value from a map.
getFederationPropertyMapEntry(providerID, mapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the property to be fetched from the nested map. |
Online command that returns a list of custom authentication integration engines.
This command returns a list of custom authentication integration engines from config.xml.
Online command that returns a list of custom SP integration engines.
This command returns a list of custom service provider (SP) integration engines from config.xml.
Online command that loads metadata from an input file.
loadMetadata(metadatafile,description)
| Argument | Definition |
|---|---|
|
|
Specifies the metadata file of the peer provider to be added or updated. |
|
|
This is a brief description of the peer provider to be loaded. |
Online command that reports the current status of the Oracle Identity Federation application in the managed server to which WLST is connected.
This command displays the current status of Oracle Identity Federation on the managed server.
loifStatus('serverurl', 'configfile', 'keyfile')
| Argument | Definition |
|---|---|
|
|
Specifies the URL of the managed server. |
|
|
This is a pre-defined user configuration file created with the WLST storeUserConfig command. |
|
|
This is a pre-defined key file created with the WLST storeUserConfig command |
The following command provides no arguments; WLST prompts you for the Oracle WebLogic Server username, password, and the managed server URL, then displays the federation server status:
wls:/mydomain/serverConfig> oifStatus()
The following command provides only the managed server URL; WLST prompts you for the Oracle WebLogic Server username and password:
wls:/mydomain/serverConfig> oifStatus('', '', 't3://localhost:7499')
The following command provides all arguments needed for WLST to display the federation server status:
wls:/mydomain/serverConfig> oifStatus('configfileA', 'keyfileB', 't3://localhost:7499')
Online command that removes a list property nested in a map.
removeConfigListInMap(configName, mapName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the list to be removed from the map. |
Online command that removes a map property nested in a map.
removeConfigMapEntryInMap(configName, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the nested property map. |
|
|
Specifies the name of the property to be removed from the nested map. |
Online command that removes a map property nested in a map.
removeConfigMapEntryInMap(configName, mapName, nestedMapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the nested property map. |
|
|
Specifies the name of the property to be removed from the nested map. |
Online command that removes a configuration property.
removeConfigProperty(configName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property to be removed. |
Online command that removes a configuration property list.
removeConfigPropertyList(configName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property list to be removed. |
Online command that removes a property map.
removeConfigPropertyMap(configName, mapName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property map to be removed. |
Online command that removes a property value from a map.
removeConfigPropertyMapEntry(configName, mapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property map to be updated. |
|
|
Specifies the name of the property to be removed from the map. |
Online command that removes a property list in a map.
removeFederationListInMap(providerID, mapName, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map. |
|
|
Specifies the name of the property list to be removed. |
Online command that removes a nested map in a map.
removeFederationMapInMap(providerID, mapname, nestedMapName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map containing the nested map. |
|
|
Specifies the name of the nested property map to be removed. |
Online command that removes a nested map property entry in a map.
This command removes a property name/value pair to a map nested inside a map in cot.xml.
removeFederationMapEntryInMap(providerID, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map containing the nested map. |
|
|
Specifies the name of the nested property map. |
|
|
Specifies the name of the property to be removed from the nested map. |
Online command that removes a property value.
removeFederationProperty(providerID, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be updated. |
|
|
Specifies the name of the property to be removed. |
Online command that removes a property list entry.
removeFederationPropertyList(providerID, listName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property list to be removed. |
Online command that removes a property map.
removeFederationPropertyMap(providerID, mapName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map to be removed. |
Online command that removes a property value from a map.
removeFederationPropertyMapEntry(providerID, mapName, propName)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be accessed. |
|
|
Specifies the name of the property map to be updated. |
|
|
Specifies the name of the property to be removed from the map. |
Online command that removes a peer provider entry.
removePeerProviderEntry(providerID)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be removed. |
Online command that sets a property value in config.xml.
setConfigProperty(configname, propName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
|
|
Specifies the name of the property to be added/updated in config.xml. |
|
|
Specifies the property value. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that updates a custom authentication integration engine.
setCustomAuthnEngine(engineID, name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
|
|
Specifies the engine ID of an existing engine. |
|
|
Specifies the name of the custom engine. |
|
|
This flag specifies whether the engine is enabled (true) or not (false). |
|
|
Specifies the web context for the engine. |
|
|
Specifies the authentication relative path URL for the engine. |
|
|
Specifies the logout relative path URL for the engine. |
|
|
This flag is set true to enable logout for the engine, else false. |
Online command that updates a custom SP integration engine.
setCustomSPEngine(engineID, name, [enabled, [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
|
|
Specifies the engine ID of an existing custom engine. |
|
|
Specifies the name of the custom engine. |
|
|
This flag specifies whether the engine is enabled (true) or not (false). |
|
|
Specifies the authentication mechanism for the engine. |
|
|
Specifies the web context for the engine. |
|
|
Specifies the authentication relative path URL for the engine. |
|
|
Specifies the logout relative path URL for the engine. |
|
|
This flag is set true to enable logout for the engine, else false. |
Online command that adds or updates a property value.
setFederationProperty(providerID, propName, value, type)
| Argument | Definition |
|---|---|
|
|
Specifies the name of the peer provider to be updated. |
|
|
Specifies the name of the property to be added/updated in cot.xml. |
|
|
Specifies the property value. |
|
|
Specifies the type of property, BOOLEAN or STRING or LONG. |
Some of the Directory Integration Platform (DIP) tools use WLST internally, and therefore, there are no custom WLST commands available to run from the WLST command prompt or to use within scripts. For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware User Reference for Oracle Identity Management.
Use the WLST security commands listed in Table 4-5 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 4-5 WLST Security Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
List the type and location of the OPSS security store, and the user allowed to access it. |
Offline |
|
|
List application stripes in policy store. |
Online |
|
|
List permissions assigned to a source code in global policies. |
Online |
|
|
Create a new application role. |
Online |
|
|
Remove an application role. |
Online |
|
|
Add a principal to a role. |
Online |
|
|
Remove a principal from a role. |
Online |
|
|
List all roles in an application. |
Online |
|
|
List all members in an application role. |
Online |
|
|
Create a new permission. |
Online |
|
|
Remove a permission. |
Online |
|
|
List all permissions granted to a principal. |
Online |
|
|
Remove all policies in an application. |
Online |
|
|
Migrate policies or credentials from a source repository to a target repository. |
Offline |
|
|
Modify the attribute values of a credential. |
Online |
|
|
Create a new credential. |
Online |
|
|
Remove a credential. |
Online |
|
|
Update bootstrap credential store |
Offline |
|
|
Add a credential to the bootstrap credential store. |
Offline |
|
|
Export the domain encryption key to the file |
Offline |
|
|
Import the encryption key in file |
Offline |
|
|
Restore the domain encryption key as it was before the last importing. |
Offline |
|
|
Create a new credential store encryption key. |
Offline |
|
|
Reassociate policies and credentials to an LDAP repository |
Online |
|
|
Upgrade security data from data used with release 10.1.x to data used with release 11. |
Offline |
|
|
Create a new resource type. |
Online |
|
|
Fetch an existing resource type. |
Online |
|
|
Remove an existing resource type. |
Online |
|
|
Create a resource. |
Online |
|
|
Remove a resource. |
Online |
|
|
List resources in an application stripe. |
Online |
|
|
List actions in a resource. |
Online |
|
|
Create an entitlement. |
Online |
|
|
List an entitlement. |
Online |
|
|
Remove an entitlement. |
Online |
|
|
Add a resource to an entitlement. |
Online |
|
|
Remove a resource from an entitlement |
Online |
|
|
List entitlements in an application stripe. |
Online |
|
|
Create an entitlement. |
Online |
|
|
Remove an entitlement. |
Online |
|
|
List resource types in an application stripe. |
Online |
|
|
Update the trust store configuration. |
Online |
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
Online command that removes an application role.
Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
Online command that adds a principal to a role.
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
grantAppRole(appStripe, appRoleName,principalClass, principalName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
principalClass
|
Specifies the fully qualified name of a class. |
principalName
|
Specifies the principal name. |
Online command that removes a principal from a role.
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
principalClass
|
Specifies the fully qualified name of a class. |
principalName
|
Specifies the principal name. |
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
listAppRoleMembers(appStripe, appRoleName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
Online command that creates a new permission.
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in between square brackets.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL
|
Specifies the URL of the code granted the permission. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
permClass
|
Specifies the fully qualified name of the permission class. |
permTarget
|
Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions
|
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that removes a permission.
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in between square brackets.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL
|
Specifies the URL of the code granted the permission. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
permClass
|
Specifies the fully qualified name of the permission class. |
permTarget
|
Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions
|
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in between square brackets.
listPermissions([appStripe,] principalClass, principalName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
The following invocation lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")
The following invocation lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that removes all policies with a given application stripe.
Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.
deleteAppPolicies(appStripe)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
Offline command that migrates identities, application-specific, system policies, a specific credential folder, or all credentials.
Migrates identities, application-specific, or system policies from a source repository to a target repository. Migrates a specific credential folder or all credentials.
The kinds of the repositories where the source and target data is stored is transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP-repositories must use an OVD or an OID LDAP server only). In the event of an error, the command returns a WLSTException.
The command syntax varies depending on the scope (system or application-specific or both) of the policies being migrated.
Optional arguments are enclosed in square brackets.
To migrate identities, use the following syntax:
migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])
To migrate all policies (system and application-specific, for all applications) use the following syntax
migrateSecurityStore(type="policyStore", configFile, src, dst,[overWrite,][preserveAppRoleGuid])
To migrate just system policies, use the following syntax:
migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])
To migrate just application-specific policies, for one application, use the following syntax:
migrateSecurityStore(type="appPolicies", configFile,src, dst, srcApp [,dstApp] [,overWrite] [,migrateIdStoreMapping][,preserveAppRoleGuid] [,mode])
To migrate all credentials, use the following syntax:
migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])
To migrate just one credential folder, use the following syntax:
migrateSecurityStore(type="folderCred", configFile,src, dst, [srcFolder,] [dstFolde,] [srcConfigFile,] [overWrite])
| Argument | Definition |
|---|---|
type
|
Specifies the type of policies migrates. To migrate identities, set it to To migrate all policies (system and application-specific, for all applications), set to To migrate just system policies, set to To migrate just application-specific policies, set to To migrate all credentials, set to To migrate just one credential folder, set to |
configFile
|
Specifies the location of a configuration file |
src
|
Specifies the name of a jps-context in the configuration file passed to the argument |
dst
|
Specifies the name of another jps-context in the configuration file passed to the argument |
srcApp
|
Specifies the name of the source application, that is, the application whose policies are being migrated. |
dstApp
|
Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application. |
srcFolder
|
Specifies the name of the folder from where credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder. |
dstFolder
|
Specifies the folder to where the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to |
srcConfigFile
|
Specifies the location of an alternate configuration file, and it is used in the special case in which credentials are not configured in the file passed to |
overWrite
|
Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data. |
migrateIdStoreMapping
|
Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to False to exclude enterprise policies from the migration of application policies. |
dstLdifFile
|
Specifies the location where the LDIF file will be created. Required only if destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the importing of the file LDIF should be done manually, after the file has been edited to account for the appropriate attributes required in your LDAP server. |
preserveAppRoleGuid
|
Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false, by default. Set to true to preserve GUIDs; set to false to recreated GUIDs. |
mode
|
Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, to migrate just one of the duplicated items, and to log a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict. |
Note the following requirements about the passed arguments:
The file jps-config.xml is found in the passed location.
The file jps-config.xml includes the passed jps-contexts.
The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.
The following invocation illustrates the migration of the file-based policies of application PolicyServlet1 to file-based policies of application PolicyServlet2, that does not stop on encountering duplicate principals or permissions, that migrates just one of duplicate items, and that logs a warning when duplicates are found:
wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies", configFile="jps-congif.xml", src="default1", dst="context2", srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
<serviceInstance name="policystore1.xml" provider="some.provider"> <property name="location" value="jazn-data1.xml"/> </serviceInstance> <serviceInstance name="policystore2.xml" provider="some.provider"> <property name="location" value="jazn-data2.xml"/> </serviceInstance> ... <jpsContext name="default1"> <serviceInstanceRef ref="policystore1.xml"/> ... </jpsContext> <jpsContext name="context2"> <serviceInstanceRef ref="policystore2.xml"/> ... </jpsContext>
The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but assumed located in the current directory.
The following invocation illustrates the migration of file-based credentials from one location to another:
wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-congif.xml", src="default1", dst="context2")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
<serviceInstance name="credstore1" provider="some.provider"> <property name="location" value="./credstore1/cwallet.sso"/> </serviceInstance> <serviceInstance name="credstore2" provider="some.provider"> <property name="location" value="./credstore2/cwallet.sso"/> </serviceInstance> ... <jpsContext name="default1"> <serviceInstanceRef ref="credstore1"/> ... </jpsContext> <jpsContext name="context2"> <serviceInstanceRef ref="credstore2"/> ... </jpsContext>
For detailed configuration examples to use with this command, see Oracle Fusion Middleware Security Guide.
Online command that modifies the type, user name, and password of a credential.
Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
updateCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
user
|
Specifies the credential user name. |
password
|
Specifies the credential password. |
desc
|
Specifies a string describing the credential. |
Online command that creates a new credential in the domain credential store.
Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
createCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
user
|
Specifies the credential user name. |
password
|
Specifies the credential password. |
desc
|
Specifies a string describing the credential. |
Online command that removes a credential in the domain credential store.
Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
deleteCred(map,key)
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file |
username
|
Specifies the distinguished name of the user in the LDAP store. |
password
|
Specifies the password of the user. |
Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory.Then the following invocation changes the password in the bootstrap credential store to welcome1:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded.
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file |
map
|
Specifies the map of the credential to add. |
key
|
Specifies the key of the credential to add. |
username
|
Specifies the name of the user in the credential to add. |
|
|
Specifies the password of the user in the credential to add. |
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file |
keyFilePath
|
Specifies the directory where the file |
keyFilePassword
|
Specifies the password to secure the file |
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file |
keyFilePath
|
Specifies the directory where the |
keyFilePassword
|
Specifies the password used when the file |
Offline command to restore the domain credential encryption key.
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
restoreEncryptionKey(jpsConfigFile)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file |
Offline command to create a new domain credential encryption key.
Creates a new credential encryption key in the domain wallet. Note the following important points:
It should be executed from the administration server in the domain. No server restart is needed after invoking this script.
If the domain is the only domain accessing the security store, nothing else is required.
However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.
On the WebSphere platform, the script name is Opss.rollOverEncryptionKey.
rollOverEncryptionKey(jpsConfigFile)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file |
Online command that migrates the policy and credential stores to an LDAP repository.
Migrates, within a give domain, both the policy store and the credential store to a target LDAP server repository. The only kinds of LDAP servers allowed are OID or OVD. This command also allows setting up a policy store shared by different domains (see optional argument join below). In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
reassociateSecurityStore(domain, admin, password, ldapurl, servertype, jpsroot [, join] [,keyFilePath, keyFilePassword])
| Argument | Definition |
|---|---|
domain
|
Specifies the domain name where the reassociating takes place. |
admin
|
Specifies the administrator's user name on the LDAP server. The format is |
password
|
Specifies the password associated with the user specified for the argument |
ldapurl
|
Specifies the URI of the LDAP server. The format is |
servertype
|
Specifies the kind of the target LDAP server. The only valid types are OID or OVD. |
jpsroot
|
Specifies the root node in the target LDAP repository under which all data is migrated. The format is |
join
|
Specifies whether the domain is to share a policy store specified in some other domain. Optional. Set to true to share an existing policy store in another domain; set to false otherwise. If unspecified, it defaults to false. The use of this argument allows multiple WebLogic domains to point to the same logical policy store. |
keyFilePath
|
Specifies the directory where the |
keyFilePassword
|
Specifies the password used when the file |
The following invocation reassociates the domain policies and credentials to an LDAP Oracle Internet Directory server:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="myDomain", admin="cn=adminName", password="myPass",ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode")
Suppose that you want some other domain (distinct from myDomain, say otherDomain) to share the policy store in myDomain. Then you would invoke the command as follows:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="otherDomain", admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode", join="true")
Offline command that migrates release 10.1.x security data to release 11 security data.
Migrates identity, policy, and credential data used in release 10.1.x to security data that can be used with release 11. The migration of each kind of data is performed with separate invocations of this command. In the event of an error, the command returns a WLSTException.
The syntax varies according to the type of data being updated.
To upgrade 10.1.x XML identity data to 11 XML identity data, use the following syntax:
updateSecurityStore(type="xmlIdStore", jpsConfigFile, srcJaznDataFile, srcRealm, dst)
To upgrade a 10.1.x XML policy data to 11 XML policy data, use the following syntax:
updateSecurityStore(type="xmlPolicyStore", jpsConfigFile, srcJaznDataFile, dst)
To upgrade a 10.1.x OID LDAP-based policy data to 11 XML policy data, use the following syntax:
updateSecurityStore(type="oidPolicyStore", jpsConfigFile, srcJaznDataFile, dst)
To upgrade a 10.1.x XML credential data to 11 XML credential data, use the following syntax:
updateSecurityStore(type="xmlCredStore", jpsConfigFile, srcJaznDataFile, users, dst)
| Argument | Definition |
|---|---|
type
|
Specifies the kind of security data being upgraded. The only valid values are xmlIdStore, xmlPolicyStore, oidPolicyStore, and xmlCredStore. |
jpsConfigFile
|
Specifies the location of a configuration file |
srcJaznDataFile
|
Specifies the location of a 10.1.x jazn data file relative to the directory where the command is run. This argument is required if the specified |
srcJaznConfigFile
|
Specifies the location of a 10.1.x jazn configuration file relative to the directory where the command is run. This argument is required if the specified |
srcRealm
|
Specifies the name of the realm from which identities need be migrated. This argument is required if the specified |
users
|
Specifies a comma-separated list of users each formatted as realmName/userName. This argument is required if the specified |
dst
|
Specifies the name of the jpsContext in the file passed to the argument jpsConfigFile where the destination store is configured. Optional. If unspecified, it defaults to the default context in the file passed in the argument jpsConfigFile. |
The following invocation migrates 10.1.3 file-based identities to an 11 file-based identity store:
wls:/mydomain/serverConfig> upgradeSecurityStore(type="xmlIdStore", jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml", srcRealm="jazn.com")
The following invocation migrates a 10.1.3 OID-based policy store to an 11 file-based policy store:
wls:/mydomain/serverConfig> upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml", dst="destinationContext)
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. Optional arguments are enclosed in between square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where to insert the resource type. |
resourceTypeName
|
Specifies the name of the resource type to insert. |
displayName
|
Specifies the name for the resource type used in UI gadgets. |
description |
Specifies a brief description of the resource type. |
provider
|
Specifies the provider for the resource type. |
matchere
|
Specifies the class of the resource type. If unspecified, it defaults to |
actions
|
Specifies the actions allowed on instances of the resource type. |
delimeter
|
Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','. |
The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint" [, delimeter=";"])
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
getResourceType(appStripe, resourceTypeName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe from where to fetch the resource type. |
resourceTypeName
|
Specifies the name of the resource type to fetch. |
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
deleteResourceType(appStripe, resourceTypeName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe from where to remove the resource type. |
resourceTypeName
|
Specifies the name of the resource type to remove. |
Offline command that lists the type, the location, and the administrative user of the domain security store.
The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).
listSecurityStoreInfo(domainConfig="configFilePath")
| Argument | Definition |
|---|---|
domainConfig
|
Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory. |
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.
If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited as described in "Running listAppStripes after Reassociating to a DB-Based Store" in Oracle Fusion Middleware Security Guide.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
| Argument | Definition |
|---|---|
configFile
|
Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store. |
regularExpression
|
Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile=" /home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes that contain the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that lists permissions assigned to a source code in global policies.
listCodeSourcePermissions([codeBase="codeUrl"])
| Argument | Definition |
|---|---|
codeBaseURL
|
Specifies the name of the grantee codebase URL. |
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [,-displayName="dispName"] [,-description="descript"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource is created. |
name
|
Specifies the name of the resource created. |
type
|
Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName
|
Specifies the display name of the resource created. Optional. |
description
|
Specifies the description of the resource created. Optional. |
Online command that deletes a resource.
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource is deleted. |
name
|
Specifies the name of the resource deleted. |
type
|
Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [,type="resTypeName"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resources are listed. |
type
|
Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists the resources and actions in an entitlement.
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement resides. |
permSetName
|
Specifies the name of the entitlement whose resources and actions to list. |
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [,-displayName="dispName"] [,-description="descript"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is created. |
name
|
Specifies the name of the entitlement created. |
resourceName
|
Specifies the name of the one resource member of the entitlement created. |
actions
|
Specifies a comma-separated the list of actions for the resource resourceName. |
displayName
|
Specifies the display name of the resource created. Optional. |
description
|
Specifies the description of the entitlement created. Optional. |
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
getEntitlement(appStripe="appStripeName", name="entitlementName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is located. |
name
|
Specifies the name of the entitlement to access. |
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is deleted. |
name
|
Specifies the name of the entitlement to delete. |
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName",actions="actionList")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is located. |
name
|
Specifies the name of the entitlement to modify. |
resourceName
|
Specifies the name of the resource to add. |
resourceType
|
Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions
|
Specifies the comma-separated list of actions for the added resource. |
The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that removes a resource from an entitlement.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is located. |
name
|
Specifies the name of the entitlement to modify. |
resourceName
|
Specifies the name of the resource to remove. |
resourceType
|
Specifies the type of the resource to remove. |
actions
|
Specifies the comma-separated list of actions to remove. |
The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that lists the entitlements in an application stripe.
Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe from where to list entitlements. |
resourceTypeName
|
Specifies the name of the type of the resources to list. Optional. |
resourceName
|
Specifies the name of resource to match. Optional. |
The following invocation lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following invocation lists all the entitlements in the stripe myApplication that contain a resource type myResType and a resource whose name match the resource name myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
Online command that creates a new entitlement.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is created. |
principalClass
|
Specifies the class associated with the principal. |
principalName
|
Specifies the name of the principal to which the entitlement is granted. |
permSetName
|
Specifies the name of the entitlement created. |
The following invocation creates the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that deletes an entitlement.
Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is deleted. |
principalClass
|
Specifies the class associated with the principal. |
principalName
|
Specifies the name of the principal to which the entitlement is revoked. |
permSetName
|
Specifies the name of the entitlement deleted. |
The following invocation deleted the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that lists resource types.
listResourceTypes(appStripe="appStripeName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource types are located. |
Online command that updates the domain trust service configuration values.
updateTrustServiceConfig([providerName="<the proverde name>",] propsFile="<path to the property file>")
| Argument | Definition |
|---|---|
providerName
|
Specifies the trust service provider name. Optional. If unspecified, it defaults to |
propsFile
|
Specifies the path to the property file. Required. |
The following invocation updates the trust service store with the values specified in the property file myProps:
wls:/mydomain/serverConfig> updateTrustServiceConfig(propsFile="myProps")
The following is a sample property file:
trust.keystoreType=KSS trust.keyStoreName=kss://<stripeName>/<keystoreName> trust.trustStoreName=kss://<stripeName>/<truststoreName> trust.aliasName=<aliasName> trust.issuerName=<aliasName>
The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration.
Use the WLST commands listed in Table 4-6 to manage Oracle Access Manager (OAM)-related components, such as authorization providers, identity asserters, and SSO providers, as well as to display metrics and deployment topology, manage Oracle Access Manager server and agent configuration and logger settings.
Table 4-6 WLST Oracle Access Manager Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
List the parameters set for an Oracle Access Manager authentication or identity assertion provider. |
Online |
|
|
Create a new identity asserter. |
Online |
|
|
Update an existing identity asserter. |
Online |
|
|
Create a new authenticator. |
Online |
|
|
Delete an existing authentication provider. |
Online |
|
|
Update an existing authenticator. |
Online |
|
|
Add a new SSO provider. |
Online |
|
|
List the details of deployed Oracle Access Manager Servers. |
Online Offline |
|
|
Display the performance metrics of an Oracle Access Manager Server and domain |
Online |
|
|
Display Oracle Access Manager Server configuration details. |
Online Offline |
|
|
Create an entry for an Oracle Access Manager Server configuration. |
Online Offline |
|
|
Edit the entry for an Oracle Access Manager Server configuration. |
Online Offline |
|
|
Delete the named Oracle Access Manager Server configuration. |
Online Offline |
|
|
Display OSSO Agent configuration details. |
Online Offline |
|
|
Edit OSSO Agent configuration details. |
Online Offline |
|
|
Delete the named OSSO Agent configuration. |
Online Offline |
|
|
Display WebGate Agent configuration details. |
Online Offline |
|
|
Edit 10g WebGate Agent registration details. |
Online Offline |
|
|
Delete the named 10g WebGate Agent configuration. |
Online Offline |
|
|
Change Logger Settings. |
Online Offline |
|
|
Regenerate the configuration data encryption key and re-encrypt data. |
Online Offline |
|
|
Display a user identity store registration. |
Online Offline |
|
|
Edit a user identity store registration. |
Online Offline |
|
|
Create a user identity store registration. |
Online Offline |
|
|
Delete a user identity store registration. |
Online Offline |
|
|
Configure the SSO server request cache type. |
Online Offline |
|
|
Display the SSO server request cache type entry. |
Online Offline |
|
|
Export Oracle Access Manager policy data from a test (source) to an intermediate Oracle Access Manager file. |
Online |
|
|
Import Oracle Access Manager policy data from the Oracle Access Manager file specified. |
Online |
|
|
Import Oracle Access Manager policy changes from the Oracle Access Manager file specified. |
Online |
|
|
Migrate partners from the source Oracle Access Manager Server to the specified target Oracle Access Manager Server. |
Online |
|
|
Export the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified. |
Online |
|
|
Import the Oracle Access Manager partners from the intermediate Oracle Access Manager file specified. |
Online |
|
|
Configure the Oracle Access Manager-Oracle Adaptive Access Manager basic integration. |
Online |
|
|
Register Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner. |
Online Offline |
|
|
Enable the Coexist Mode. |
Online |
|
|
Disable the Coexist Mode. |
Online |
|
|
Edit GITO configuration parameters. |
Online Offline |
|
|
Edit an 11g WebGate registration. |
Online Offline |
|
|
Remove an 11g WebGate Agent registration. |
Online Offline |
|
|
Display an 11g WebGate Agent registration. |
Online Offline |
|
|
Display metrics of OAM Servers. |
Online Offline |
|
|
Update the Oracle Identity Manager configuration when integrated with Oracle Access Manager. |
Online Offline |
|
|
Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager. |
Online |
|
|
Updates OSSO Proxy response cookie settings. |
Online Offline |
|
|
Deletes OSSO Proxy response cookie settings. |
Online Offline |
|
|
Displays the simple mode global passphrase in plain text from the system configuration. |
Online |
|
|
Exports selected OAM Partners to the intermediate OAM file specified. |
Online |
|
|
Migrates artifacts based on the input artifact file. |
Online |
|
|
Registers any third party as a Trusted Authentication Protocol (TAP) Partner. |
Online |
Online command that lists the values of the parameters in effect in a domain authenticator or identity asserter.
Lists the values of the parameters set for a given Oracle Access Manager authenticator or identity asserter. In the event of an error, the command returns a WLSTException.
listOAMAuthnProviderParams(name)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the authenticator or identity asserter. |
Online command that creates an Oracle Access Manager identity asserter in the current domain.
Creates an identity asserter with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager identity asserter is already configured in the current domain. In the event of an error, the command returns a WLSTException.
createOAMIdentityAsserter(name)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the new identity asserter. If no name is specified, it defaults to "OAMIdentityAsserter". |
Online command that updates the values of parameters of the Oracle Access Manager identity asserter in the current domain.
Updates the value of given parameters of the domain Oracle Access Manager identity asserter. In the event of an error, the command returns a WLSTException.
updateOAMIdentityAsserter(name, paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the Oracle Access Manager identity asserter whose parameter values to update. |
|
paramNameValueList |
Specifies the comma-separated list of pairs of parameter name-value to be updated. The format of each pair is: paramName="paramValue" The parameter names that can be updated are the following only:
|
The following invocation updates the parameters accessGateName, accessGatePwd, pAccessServer, and ssoHeaderName in the Oracle Access Manager identity asserter named myIdAsserter:
updateOAMIdentityAsserter(name="myIdAsserter", accessGateName="OAM IAP AccessGate", accessGatePwd="welcome1", pAccessServer="myhost.domain.com:5543", ssoHeaderName="OAM_SSO_HEADER")
Online command that creates an Oracle Access Manager authenticator in the current domain.
Creates an Oracle Access Manager authenticator with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager authenticator is already configured in the default security domain. In the event of an error, the command returns a WLSTException.
createOAMAuthenticator(name)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the new authentication provider in the default domain. If no name is specified, it defaults to "OAMAuthenticator". |
Online command that deletes the OAM authenticator from the current domain.
Deletes the OAM authenticator with a given name from the current domain. In the event of an error, the command returns a WLSTException.
deleteOAMAuthnProvider(name)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the authentication provider to delete. |
Online command that updates the values of parameters of the Oracle Access Manager authenticator in the current domain.
Updates the value of given parameters of the domain Oracle Access Manager authenticator. In the event of an error, the command returns a WLSTException.
updateOAMAuthenticator(name, paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the Oracle Access Manager authenticator whose parameter values to update. |
|
paramNameValueList |
Specifies the comma-separated list of pairs of parameter name-value to be updated. The format of each pair is paramName='paramValue' The only parameter names that can be updated are the following:
|
The following invocation updates the parameters accessGateName, accessGatePwd, and pAccessServer in the Oracle Access Manager authenticator named myAuthenticator:
updateOAMAuthenticator(name="myAuthenticator", accessGateName="OAM AP AccessGate", accessGatePwd="welcome1", pAccessServer="myhost.domain.com:5543")
Online command that adds an Oracle Access Manager SSO provider with the given login URI, logout URI, and auto-login URI.
Adds an SSO provider with the given login URI, logout URI, and auto-login URI. This command modifies the domain jps-config.xml by adding an Oracle Access Manager SSO service instance with the required properties. In the event of an error, the command returns a WLSTException.
addOAMSSOProvider(loginuri, logouturi, autologinuri, beginimpuri, endimpuri)
| Argument | Definition |
|---|---|
loginuri
|
Required. Specifies the URI of the login page and triggers SSO authentication. |
|
|
Optional. Specifies the URI of the logout page and logs the signed-on user out. If unspecified, defaults to Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class More generally, an ADF-secured web application that would like to clear cookies without logging out the user should use this setting. |
|
|
Required. Specifies the URI of the autologin page. Optional. If unspecified, it defaults to |
|
|
Optional. Specifies the URI that triggers the impersonation SSO session. |
|
|
Optional. Specifies the URI that terminates the impersonation SSO session. |
The following invocation adds an SSO provider with the passed URIs; note the special behavior implied by the setting logouturi="" and the impersonation parameters, as explained in the above table:
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", beginimpuri="https://login.acme.com/impersonationInit.html" endimpuri="https://login.acme.com/impersonationTerm.html") autologin="/fooBar.cgi")
Online and offline command that displays the information about all the OAM Servers in a deployment.
Online command that displays the performance metrics of an OAM Server and domain.
Displays the performance metrics of an OAM Server and domain specific to collectors, including host, process, and server names. There are no arguments for this command.
If none of the arguments are specified all the details of all the servers and collectors are displayed.
Online and offline command that displays OAM Server registration details.
Displays OAM Server registration details, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument.
displayOamServer(host,port)
| Argument | Definition |
|---|---|
host
|
Mandatory. Specifies the name of the OAM Server host. |
port
|
Mandatory. Specifies the listening port of the OAM Server host. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that creates an OAM Server entry in the system configuration.
Creates an OAM Server registration, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument
createOamServer(host,port, paramNameValueList)
| Argument | Definition |
|---|---|
host
|
Mandatory. Specifies the name of the OAM Server host. |
port
|
Mandatory. Specifies the listening port of the OAM Server host. |
domainHome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Mandatory:
|
The following invocation creates a configuration for your_host with listening port 15000. The configuration entry in the Administration Console will be oam_server1. The OAM Proxy port is 3004 and the OAM Proxy Server ID is AccessServerConfigProxy:
createOamServer(host="my_host", port="15000", configurationProfile= "oam_server1", oamProxyPort="3004", oamProxyServerID="ProxyID", siteName="siteName1",domainHome="domainHome1")
Online and offline command that enables you to edit OAM Server registration details.
Edits the registration for an OAM Server, which can include the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument.
editOamServer(name, port, paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the name of the OAM Server host. |
port
|
Mandatory. Specifies the port number of the OAM Server host. |
domainHome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Mandatory:
|
You can use any of the optional attributes to change current settings. The following invocation enables you to add the OAM Proxy shared secret to the configuration entry oam_server1.
editOamServer(name="oam_server1", port="15000",configurationProfile= "oam_server1", oamProxyPort="3004",oamProxyServerID="Proxy1", siteName="siteName1",domainHome="domainHome1")
Online and offline command that enables you to delete the named OAM Server registration.
Deletes an entire OAM Server configuration.
The scope of this command is an instance, only. The scope is not an argument.
deleteOamServer(host,port)
| Argument | Definition |
|---|---|
host
|
Mandatory. Specifies the name of the OAM Server host. |
port
|
Mandatory. Specifies the listening port of the OAM Server host. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that displays OSSO Agent configuration details.
Displays OSSO Agent registration details, which also appear in the OAM Administration Console.
The scope of this command is an instance, only. The scope is not an argument
displayOssoAgent(agentName)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that enables you to edit an OSSO Agent registration.
Changes OSSO Agent configuration details, including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info.
The scope of this command is an instance, only. The scope is not an argument
editOssoAgent(agentName,paramNameValueList)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is: paramName='paramValue' Optional:
|
The following invocation changes the Administrator ID and information in the registration entry for OSSOAgent1:
editOssoAgent(agentName="OSSOAgent1", siteToken="siteToken", successUrl="successUrl",failureUrl="failureUrl",homeUrl="homeUrl", logoutUrl="logoutUrl",startDate="2009-12-10", endDate="2012-12-30", adminId= 345", adminInfo="Agent11", domainHome="domainHome1")
Online and offline command that enables you to delete an OSSO Agent registration.
Removes an OSSO Agent configuration.
The scope of this command is an instance, only. The scope is not an argument
deleteOssoAgent(agentName)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that displays a 10g WebGate registration.
Displays all 10g WebGate registration details, which can also be seen in the OAM Administration Console.
The scope of this command is an instance, only. The scope is not an argument
displayWebgateAgent(agentName)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that enables you to edit a 10g WebGate registration.
Enables you to change 10g WebGate Agent registration details.
The scope of this command is an instance, only. The scope is not an argument
editWebgateAgent(agentName,paramNameValueList)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is: paramName='paramValue' Mandatory:
Optional:
|
You can alter any or all of the settings. Use the following invocation to change specific information in the WebGate Agent registration, including the Agent ID, state, maximum connections, OAM Server timeout, primary cookie domain, cache time out, cookie session timeout, maximum session timeout, idle session timeout, and failover threshold, as follows:
editWebgateAgent(agentName="my_WebGate", agentId="WebGate2", state= "enabled", maxConnections="2", aaaTimeOutThreshold="2", primaryCookieDomain="adomain.com", cacheTimeOut="1200", cookieSessionTime=1500, maxSessionTime=1500, idleSessionTimeout= "1500", failoverThreshold="25", domainHome="domainHome1")
Online and offline command that enables you to delete a 10g WebGate Agent registration.
Removes an 10g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument
deleteWebgateAgent(agentName)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that changes the logger level.
Changes the level of one or more, or all, loggers.
The scope of this command is an instance, only. The scope is not an argument.
changeLoggerSetting (loggerName='', loggerLevel=''):
| Argument | Definition |
|---|---|
loggerName
|
Optional. Specifies the OAM logger name. Multiple OAM logger names can be specified, separated by commas, or you can use the wildcard (*) character to specify all OAM collectors, which is the default. |
loggerLevel
|
SEVERE, WARNING, INFO, CONFIG, FINE. |
Offline command that regenerates the configuration data encryption key.
Regenerates the configuration data encryption key, re-encrypts the configuration data using the new key, and outputs attribute information of the identity store.
The scope of this command is an instance, only. The scope is not an argument.
changePasswordEncKey (oldpassword='', newPassword='')
| Argument | Definition |
|---|---|
oldPassword
|
Mandatory. Specifies the password that retrieves the current encryption key. |
newPassword
|
Mandatory. Defines a new password that protects the newly generated encryption key. |
Online and offline command that displays user identity store registration information.
Displays information of the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
displayUserIdentityStore(name)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the name of the LDAP user identity store. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that changes attributes of the user identity store for Oracle Access Manager.
Changes one or more attributes of the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
editUserIdentityStore(name,paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers). |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Include one or more of the following parameter name-value pairs, in addition to those in createUserIdentityStore, to change the OAM user identity store configuration:
|
Online and offline command that creates a user identity store registration for Oracle Access Manager.
Creates an entry for a new user identity store to be registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
createUserIdentityStore(name=,paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers). |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Mandatory:
Optional:
|
The following invocation creates a new Oracle Internet Directory user identity store definition for use with Oracle Access Manager:
createUserIdentityStore(name="Name1",principal="Principal1", credential="Credential1", type="OID", userAttr="userAttr1", ldapProvider="ldapProvider", roleSecAdmin="roleSecAdmin1", roleSysMonitor="roleSysMonitor", roleSysManager="roleSysManager", roleAppAdmin="roleAppAdmin", userSearchBase="cn=users, ldapUrl="ldapUrl", isPrimary="isPrimary", userIDProvider="userIDProvider", groupSearchBase="cn=groups",domainHome="domainHome1")
Online and offline command that removes a Oracle Access Manager user identity store registration.
Deletes the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
deleteUserIdentityStore(name)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the name of the LDAP user identity store to be removed. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that configures the SSO server request cache type.
Configures the SSO server request cache type.
The scope of this command is an instance, only. The scope is not an argument.
configRequestCacheType(type)
| Argument | Definition |
|---|---|
type
|
Mandatory. Specifies
|
Online and offline command that displays the SSO server request cache type.
Displays the SSO server request cache type entry.
The scope of this command is an instance, only. The scope is not an argument.
displayRequestCacheType(domainHome)
| Argument | Definition |
|---|---|
type
|
Mandatory. Specifies requestCacheType.
|
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online only command that exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file specified.
Exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file.
The scope of this command is an instance, only. The scope is not an argument.
exportPolicy(pathTempOAMPolicyFile)
| Argument | Definition |
|---|---|
pathTempOAMPolicyFile
|
Mandatory. Specifies the path to the temporary Oracle Access Manager file. |
Online only command that imports the OAM policy data from the intermediate Oracle Access Manager file specified.
Imports the OAM policy data from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
importPolicy(pathTempOAMPolicyFile)
| Argument | Definition |
|---|---|
|
|
Mandatory. Specifies the path to the temporary OAM file. |
Online only command that imports the OAM policy changes from the intermediate Oracle Access Manager file specified.
Imports the OAM policy changes from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
importPolicyDelta(pathTempOAMPolicyFile)
| Argument | Definition |
|---|---|
|
|
Mandatory. Specifies the path to the temporary Oracle Access Manager file. |
Online only command that migrates partners from the current (source) OAM Server to the specified (target) OAM Server.
Migrates partners from the current (source) OAM Server to the specified (target) OAM Server.
The scope of this command is an instance, only. The scope is not an argument.
migratePartnersToProd(prodServerHost,prodServerPort,prodServerAdminUser,prodServerAdminPwd)
| Argument | Definition |
|---|---|
|
|
Host name of the target OAM Server to which partners are to be migrated. |
|
|
Port of the target OAM Server to which partners are to be migrated. |
|
|
Administrator of the target OAM Server to which partners are to be migrated. |
|
|
Target OAM Server administrator's password. |
Online only command that exports Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.
Exports the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
exportPartners(pathTempOAMPartnerFile)
| Argument | Definition |
|---|---|
|
|
Mandatory. Specifies the path to the temporary Oracle Access Manager partner file. |
Online only command that imports Oracle Access Manager partners from the intermediate Oracle Access Manager file specified.
Imports the OAM partners from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
importPartners(pathTempOAMPartnerFile)
| Argument | Definition |
|---|---|
|
|
Mandatory. Specifies the path to the temporary OAM partner file. |
Online only command that configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.
Configures the OAM-OAAM basic integration.
The scope of this command is an instance, only. The scope is not an argument.
configureOAAM(dataSourceName,paramNameValueList)
| Argument | Definition |
|---|---|
|
|
Name of the data source to be created |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Mandatory:
Optional:
|
The following invocation configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.
configureOAAM(dataSourceName = "MyOAAMDS", hostName = "host.us.co.com", port = "1521", sid = "sid", userName = "username", passWord = "password", maxConnectionSize = None, maxPoolSize = None, serverName = "oam_server1")
Online and offline command that registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.
Registers Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner.
The scope of this command is an instance only. The scope is not an argument.
registerOIFDAPPartner()
| Argument | Definition |
|---|---|
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Mandatory: Include the following parameter name-value pairs to create a new OAM user identity store configuration:
Optional:
|
Online command that enables the Coexist Mode.
Enables the Coexist Mode.
The scope of this command is an instance, only. The scope is not an argument.
Online command that disables the Coexist Mode.
Disables the Coexist Mode.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that edits GITO configuration parameters.
Edits GITO configuration parameters.
The scope of this command is an instance, only. The scope is not an argument.
editGITOValues(gitoEnabled, paramNameValueList)
| Argument | Definition |
|---|---|
|
|
True (or false). Allows (or denies) user to set GITO enabled property. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Mandatory: Include the following parameter name-value pairs to create a new OAM user identity store configuration:
Optional:
|
Online and offline command that edits an 11g WebGate registration.
Edits an 11g WebGate registration.
The scope of this command is an instance, only. The scope is not an argument.
editWebgate11gAgent(agentname, paramNameValueList)
| Argument | Definition |
|---|---|
|
|
Name of the registered OAM 11g WebGate agent to be edited. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
paramNameValueList |
Specifies the comma-separated list of parameter name-value pairs. The format of each pair is: paramName='paramValue' Optional:
|
The following invocation lists all mandatory and optional parameters.
editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd = "welcome1", state = "Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10", security = "open", logOutUrls = "http://<host>:<port>", maxConnections = "16" maxCacheElems = "10000" , cacheTimeout = "1800", logoutCallbackUrl = "http://<host>:<port>", maxSessionTime = "24", logoutRedirectUrl = "logoutRedirectUrl", failoverThreshold = "1", tokenValidityPeriod="aPeriod" logoutTargetUrlParamName = "logoutTargetUrl", domainHome="domainHome1")
Online and offline command that enables you to delete an 11g WebGate Agent registration.
Removes an 11g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument
deleteWebgate11gAgent(agentName)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the 11g WebGate Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that enables you to display an 11g WebGate Agent registration.
Displays an 11g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument
displayWebgate11gAgent(agentName)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent. |
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online and offline command that enables the display of metrics of OAM Servers.
Enables the display of metrics of OAM Servers.
The scope of this command is an instance, only. The scope is not an argument.
displayOAMMetrics(domainHome)
| Argument | Definition |
|---|---|
domainhome
|
Offline mode: Mandatory Online mode: Optional |
Online only command that updates the Oracle Identity Manager configuration when integrated with Oracle Access Manager.
Updates the Oracle Identity manager configuration in system configuration.
The scope of this command is an instance, only. The scope is not an argument.
updateOIMHostPort(hostname, port, secureProtocol)
| Argument | Definition |
|---|---|
|
|
Name of the Oracle Identity Manager host. |
|
|
Port of the Oracle Identity Manager host. |
|
|
True or false. |
Online only command that creates an agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.
Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
updateOIMHostPort(hostname, port, secureProtocol)
| Argument | Definition |
|---|---|
|
|
Name of the Oracle Identity Manager host. |
|
|
Port of the Oracle Identity Manager Managed Server. |
|
|
True or false (depending on HTTP or HTTPS). |
|
|
If provided will be the agent password for Open mode |
|
|
Domain to which the cookie is to be set |
|
|
Agent registration name. |
|
|
Possible values 10g or 11g. If not provided, default is 10g. |
The following invocation illustrates this command.
updateOIMHostPort(hostName="OIM host", port="7777", secureProtocol="true") configureOIM(oimHost="OIM host", oimPort="7777", oimSecureProtocolEnabled="true", oimAccessGatePwd = "Access Gate Password", oimCookieDomain = "OIM Cookie Domain", oimWgId="OIM Webgate ID", oimWgVersion="OIM Webgate Version")
Online and offline command that updates OSSO Proxy response cookie settings.
Updates OSSO Proxy response cookie settings.
The scope of this command is an instance, only. The scope is not an argument.
updateOSSOResponseCookieConfig()
| Argument | Definition |
|---|---|
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
|
Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated. |
|
|
Maximum age of a cookie in minutes. A negative value sets a session cookie. |
|
|
Boolean flag specifies if cookie should be secure (sent only over SSL channel). |
|
|
The domain of the cookie. |
Online and offline command that deletes OSSO Proxy response cookie settings.
Deletes OSSO Proxy response cookie settings.
The scope of this command is an instance, only. The scope is not an argument.
deleteOSSOResponseCookieConfig()
| Argument | Definition |
|---|---|
domainhome
|
Offline mode: Mandatory Online mode: Optional |
|
|
Mandatory. Name of the cookie for which settings are deleted. |
Displays the simple mode global passphrase in plain text from the system configuration.
Online only command that displays the simple mode global passphrase in plain text from the system configuration.
Exports selected OAM Partners.
exportSelectedPartners
| Argument | Definition |
|---|---|
|
|
The temporary file containing partners to be migrated. |
|
|
comma separated list of partner ids to be migrated |
Migrates artifacts.
migrateArtifacts
| Argument | Definition |
|---|---|
path
|
Location of the artifacts file is present |
password
|
Password used while generating original artifacts. |
type
|
InPlace or OutOfPlace |
|
|
true or false. If true, an incremental upgrade is done. |
Registers any third party as a Trusted Authentication Protocol (TAP) Partner.
registerThirdPartyTAPPartner
| Argument | Definition |
|---|---|
path
|
Location of the artifacts file is present |
password
|
Password used while generating original artifacts. |
partnerName
|
Name of partner. Can be any name used for identifying the third party partner. |
keystoreLocation
|
The jceks file location. |
password
|
password |
|
|
Version of the Trusted Authentication Protocol. |
|
|
Trusted Authentication Protocol Authn Scheme (TAPScheme, out of the box.) |
|
|
Third party access URL. |
Table 4-7 describes the various types of WLST commands available for the Oracle Security Token Service.
Table 4-7 WLST Oracle Security Token Service Command Groups
| OSTS Command Type | Description |
|---|---|
|
Partner Commands |
WLST commands related to tasks involving partners. |
|
Relying Party Partner Mapping Commands |
The WS Prefix to Relying Party Partner mappings are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart... |
|
Partner Profiles Commands |
WLST commands related to tasks involving partner profiles. |
|
Issuance Templates Commands |
WLST commands related to tasks involving issuance templates. |
|
Validation Templates Commands |
WLST commands related to tasks involving validation templates. |
Use the WLST commands listed in Table 4-8 to manage Oracle Security Token Service
Table 4-8 WLST Commands Oracle Security Token Service
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Partner Commands |
||
|
Retrieve a partner and print result. |
Online |
|
|
Retrieve the names of Requester partners. |
Online |
|
|
Retrieve the names of all Relying Party partners. |
Online |
|
|
Retrieve the names of all Issuing Authority partners. |
Online |
|
|
Query OSTS to determine whether or not the partner exists in the Partner store. |
Online |
|
|
Create a new Partner entry. |
Online |
|
|
Update an existing Partner entry based on the provided information. |
Online |
|
|
Delete a partner entry. |
Online |
|
|
Retrieve the partner's username value. |
Online |
|
|
Retrieve the partner's password value. |
Online |
|
|
Set the username and password values of a partner entry. |
Online |
|
|
Remove the username and password values from a partner entry. |
Online |
|
|
Retrieve the Base64 encoded signing certificate for the partner. |
Online |
|
|
Retrieve the Base64 encoded encryption certificate for the partner. |
Online |
|
|
Upload the signing certificate to the partner entry. |
Online |
|
|
Upload the encryption certificate to the partner entry. |
Online |
|
|
Remove the signing certificate from the partner entry. |
Online Offline |
|
|
Remove the encryption certificate from the partner entry. |
Online Offline |
|
|
Retrieve and display all Identity mapping attributes used to map a token to a requester partner. |
Online Offline |
|
|
Retrieve and display the identity mapping attribute. |
Online Offline |
|
|
Set the identity mapping attribute for a requester partner. |
Online Offline |
|
|
Delete the identity mapping attribute for a requester partner. |
Online Offline |
|
|
Relying Party Partner Mapping Commands |
||
|
Retrieve and display all WS Prefixes. |
Online Offline |
|
|
Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter. |
Online Offline |
|
|
Create a new WS Prefix mapping to a Relying Partner. |
Online Offline |
|
|
Delete an existing WS Prefix mapping to a Relying Partner. |
Online Offline |
|
|
Partner Profiles Commands |
||
|
Retrieve the names of all the existing partner profiles. |
Online |
|
|
Retrieve partner profile configuration data. |
Online |
|
|
Create a new Requester Partner profile with default configuration data. |
Online |
|
|
Create a new Relying Party Partner profile with default configuration data. |
Online |
|
|
Create a new Issuing Authority Partner profile with default configuration data. |
Online |
|
|
Delete an existing partner profile. |
Online |
|
|
Issuance Template Commands |
||
|
Retrieve the names of all the existing Issuance Templates. |
Online Offline |
|
|
Retrieve configuration data of a specific Issuance Template. |
Online |
|
|
Create a new Issuance Template with default configuration data. |
Online |
|
|
Delete an existing Issuance Template. |
Online Offline |
|
|
Validation Template Commands |
||
|
Retrieve the names of all the existing Validation Templates. |
Online Offline |
|
|
Retrieve configuration data of a specific Validation Template. |
Online Offline |
|
|
Create a new WS Security Validation Template with default configuration data. |
Online Offline |
|
|
Create a new WS Trust Validation Template with default configuration data. |
Online Offline |
|
|
Delete an existing Issuance Template. |
Online Offline |
Online command that retrieves the Partner entry and prints out the configuration for this partner.
getPartner(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the partnerId: the ID of the partner. |
Online command that retrieves Issuing Authority partners and prints out the result.
Online command that queries OSTS to determine whether or not the specified partner exists in the Partner store.
Queries OSTS to determine whether or not the specified partner exists in the Partner store, and prints out the result.
Online command that creates a new Partner entry.
Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.
createPartner(partnerId, partnerType, partnerProfileId, description, bIsTrusted)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the new partner to be created. |
partnerType
|
Specifies the type of partner. Values can be one of the following:
|
partnerProfileId
|
Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry. |
description
|
Specifies the optional description of this new partner entry. |
bIsTrusted
|
A value that indicates whether or not this new partner is trusted. Value can be either:
|
The following invocation creates STS_Requestor partner, customPartner, custom-partnerprofile with a description (custom requester), with a trust value of true, displays a message indicating the result of the operation:
createPartner(partnerId="customPartner", partnerType="STS_REQUESTER", partnerProfileId="custom-partnerprofile", description="custom requester", bIsTrusted="true")
Online command that updates an existing Partner entry.
Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.
updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the new partner to be updated. |
partnerProfileId
|
Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry. |
description
|
Specifies the optional description f this new partner entry. |
bIsTrusted
|
A value that indicates whether or not this new partner is trusted. Value can be either:
|
The following invocation updates customPartner with a new profile ID, (x509-wss-validtemp), description (custom requester with new profile id), and a trust value of false. A message indicates the result of the operation:
updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp", description="custom requester with new profile id", bIsTrusted="false")
Online command that deletes a partner entry from OSTS.
Deletes an existing Partner entry referenced by the partnerId parameter from OSTS, and prints out the result of the operation.
deletePartner(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner to be deleted. |
Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
getPartnerUsernameTokenUsername(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
getPartnerUsernameTokenPassword(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation.
Sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation. Displays the result of the operation.
setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
UTUsername
|
Specifies the username value used for UNT credentials validation or mapping operations. |
UTPassword
|
Specifies the username value used for UNT credentials validation or mapping operations. |
Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
deletePartnerUsernameTokenCredential(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner to be deleted. |
Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
getPartnerSigningCert(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.
Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.
getPartnerEncryptionCert(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that Uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.
setPartnerSigningCert(partnerId, certFile)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
certFile
|
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM. |
Online command that Uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.
setPartnerEncryptionCert(partnerId, certFile)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
certFile
|
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM. |
Online command that removes the encryption certificate from the partner entry and displays the result of the operation.
Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
deletePartnerSigningCert(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that removes the signing certificate from the partner entry and displays the result of the operation.
Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
deletePartnerEncryptionCert(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
getPartnerAllIdentityAttributes(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester |
The following invocation retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner: customPartner.
getPartnerAllIdentityAttributes(partnerId="customPartner")
Online command that retrieves and displays identity mapping attributes used to map a token or to map binding data to a requester partner.
Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
getPartnerIdentityAttribute(partnerId, identityAttributeName)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the Requester partner. |
IdentityAttributeName
|
Specifies the name of the identity mapping attribute to retrieve and display. For example: |
Online command that sets the identity mapping attribute for the Requester partner.
Set the identity mapping attribute specified by identityAttributeName for the partner of type requester specified by the partnerId parameter. These identity mapping attributes only exist for Requester partners. Displays the result of the operation.
setPartnerIdentityAttribute(partnerId, identityAttributeName, identityAttributeValue)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner of type Requester. |
identityAttributeName
|
Specifies the name of the identity mapping attribute to retrieve and display. |
identityAttributeValue
|
Specifies the value of the identity mapping attribute to set. |
The following invocation sets the identity mapping attribute specified by identityAttributeName for the Requester partner of type requester specified by the partnerId parameter. Displays the result of the operation.
setPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername",identityAttributeValue="test")
Online command that deletes the identity mapping attribute.
Deletes the identity mapping attribute specified by identityAttributeName.
The identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner, and they only exist for Requester partners.
deletePartnerIdentityAttribute(partnerId, identityAttributeName)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
identityAttributeName
|
Specifies the name of the identity mapping attribute to delete. |
Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.
Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
getWSPrefixAndPartnerMapping(wsprefix)
| Argument | Definition |
|---|---|
wsprefix
|
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
Online command that creates a new WS Prefix mapping to a Relying Partner.
Creates a new WS Prefix mapping to a Relying Partner referenced by the partnerid parameter, and displays the result of the operation.
createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
| Argument | Definition |
|---|---|
wsprefix
|
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
partnerId
|
Specifies the ID of the partner. |
description
|
Specifies an optional description. |
The following invocation creates a new WS Prefix mapping to a Relying Partner Partner referenced by the partnerid parameter, and displays the result of the operation.
createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path", partnerid="customRPpartner", description="some description")
Online command that deletes an existing mapping of WS Prefix to a Relying Partner Partner.
Deletes an existing mapping of WS Prefix to a Relying Partner, and displays the result of the operation.
deleteWSPrefixAndPartnerMapping(wsprefix)
| Argument | Definition |
|---|---|
wsprefix
|
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
Online command that retrieves the names of all the existing partner profiles and displays them.
Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.
Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.
getPartnerProfile(partnerProfileId)
| Argument | Definition |
|---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
Online command that creates a new requester partner profile with default configuration data.
Creates a new requester partner profile with default configuration data, and displays the result of the operation.
Table 4-9 describes the default configuration created with this command.
Table 4-9 Default Configuration: createRequesterPartnerProfile
| Element | Description |
|---|---|
Return Error for Missing Claims
|
Default: false |
Allow Unmapped Claims
|
Default: false |
Token Type Configuration
|
The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template:
Note: Token Type Configuration and token type to Validation Template mapping are both empty |
Attribute Name Mapping
|
Default: The Attribute Name Mapping table is empty by default. |
createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, description)
| Argument | Definition |
|---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
defaultRelyingPartyPPID
|
Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner. |
description
|
Specifies the optional description for this partner profile |
The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 4-9.
createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile", defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom partner profile")
Online command that creates a new relying party partner profile with default configuration data.
Creates a new relying party partner profile with default configuration data, and displays the result of the operation.
Table 4-10 describes the default configuration created with this command.
Table 4-10 Default Configuration: createRelyingPartyPartnerProfile
| Element | Description |
|---|---|
|
Download Policy |
Default: false |
|
Allow Unmapped Claims |
Default: false |
|
Token Type Configuration |
The Token Type Configuration will contain a single entry, with:
Note: For the token type of the issuance template referenced by defaultIssuanceTemplateID, it will be linked to the issuance template, while the other token types will not be linked to any issuance template. If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID |
|
Attribute Name Mapping |
The Attribute Name Mapping table is empty be default. |
createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, description)
| Argument | Definition |
|---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
defaultIssuanceTemplateID
|
Specifies the default issuance template and token type to issue if no token type was specified in the RST. |
description
|
Specifies the optional description for this partner profile |
The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.
createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile", defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")
Online command that creates a new issuing authority partner profile with default configuration data.
Creates a new issuing authority partner profile with the default configuration data in Table 4-11, and displays the result of the operation.
Table 4-11 Default Configuration: createIssuingAuthorityPartnerProfile
| Element | Description |
|---|---|
|
Server Clockdrift |
Default: 600 seconds |
|
Token Mapping |
The Token Mapping Section will be configured as follows:
Empty fields
|
|
Partner NameID Mapping |
The Partner NameID Mapping table will be provisioned with the following entries as NameID format. However, without any data in the datastore column the issuance template referenced by defaultIssuanceTemplateID is of token type SAML 1.1, SAML 2.0, or Username. The table will contain the following entries:
|
|
User NameID Mapping |
The User NameID Mapping table will be provisioned with the following entries as NameID format:
|
|
Attribute Mapping |
The Attribute Value Mapping and Attribute Name Mapping table is empty be default. |
createIssuingAuthorityPartnerProfile(partnerProfileId, description)
| Argument | Definition |
|---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
description
|
Specifies the optional description for this partner profile |
Online command that deletes an partner profile referenced by the partnerProfileId parameter.
Deletes an partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.
deletePartnerProfile(partnerProfileId)
| Argument | Definition |
|---|---|
partnerProfileId
|
Specifies the name of the partner profile to be removed. |
Online command that retrieves the names of all the existing issuance templates.
Online command that retrieves the configuration data of a specific issuance template.
Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.
getIssuanceTemplate(issuanceTemplateId)
| Argument | Definition |
|---|---|
issuanceTemplateId
|
Specifies the name of the issuance template. |
Online command that creates a new issuance template with default configuration data.
Creates a new issuance template with default configuration data, and displays the result of the operation.
Table 4-12 describes the default configuration for this command.
Table 4-12 Default Configuration: createIssuanceTemplate
| Token Type | Description |
|---|---|
|
Username |
The issuance template will be created with the following default values:
|
|
SAML 1.1 or SAML 2.0 |
The issuance template will be created with the following default values:
Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter |
|
Custom Type |
The issuance template will be created with the following default values:
|
createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, description)
| Argument | Definition |
|---|---|
issuanceTemplateId
|
Specifies the name of the issuance template to be created. |
tokenType
|
Possible values can be:
|
signingKeyId
|
Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20. |
description
|
An optional description. |
Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
deleteIssuanceTemplate(issuanceTemplateId)
| Argument | Definition |
|---|---|
issuanceTemplateId
|
Specifies the name of the existing issuance template to be removed. |
Online command that retrieves the names of all the existing validation templates.
Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.
Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.
getValidationTemplate(validationTemplateId)
| Argument | Definition |
|---|---|
validationTemplateId
|
Specifies the name of the existing validation template. |
Online command that creates a new validation template with default configuration data.
Creates a new validation template with default configuration data, and displays the result of the operation.
The WSS validation template is created with the values in Table 4-13, depending on the token type.
Table 4-13 Default Configuration: createWSSValidationTemplate
| Token Type | Description |
|---|---|
|
Username |
The validation template will be created with the following default values:
|
|
SAML 1.1 or SAML 2.0 |
The validation template will be created with the following default values:
The Token Mapping section will be created with the following default values:
Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping Also:
Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:
User NameID Mapping table will be provisioned with the following entries as NameID format:
|
|
X.509 |
The Token Mapping section will be created with the following default values:
Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping Also:
|
|
Kerberos |
The Token Mapping section will be created with the following default values:
Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping Also:
|
createWSSValidationTemplate(templateId, tokenType, defaultRequesterPPID, description)
| Argument | Definition |
|---|---|
templateId
|
Specifies the name of the name of the validation template to be created. |
tokenType
|
Specifies the token type of the validation template. Possible values can be:
|
defaultRequesterPPID
|
Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester. |
description
|
Specifies an optional description. |
The following invocation creates a new validation template with default configuration data, and displays the result of the operation.
createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom", defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation template")
Online command that creates a new WS-Trust validation template with default configuration data.
Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.
The WS-Trust validation template is created with the values in Table 4-14, depending on the token type.
Table 4-14 Default Configuration: createWSTrustValidationTemplate
| Token Type | Description |
|---|---|
|
Username |
The WS-Trust validation template will be created with the following default values:
|
|
SAML 1.1 or SAML 2.0 |
The WS-Trust validation template will be created with the following default values:
The Token Mapping section will be created with the following default values:
Empty fields: User Datastore Attribute, Attribute Based User Mapping User NameID Mapping table will be provisioned with the following entries as NameID format:
|
|
X.509 |
The WS-Trust Token Mapping section will be created with the following default values:
|
|
Kerberos |
The WS-Trust Token Mapping section will be created with the following default values:
|
|
OAM |
The WS-Trust Token Mapping section will be created with the following default values:
|
|
custom |
The WS-Trust Token Mapping section will be created with the following default values:
|
createWSTrustValidationTemplate(templateId, tokenType, description)
| Argument | Definition |
|---|---|
templateId
|
Specifies the name of the name of the WS-Trust validation template to be created. |
tokenType
|
Specifies the token type of the WS-Trust validation template. Possible values can be:
|
description
|
Specifies an optional description. |
Online command that deletes a validation template.
Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.
deleteValidationTemplate(validationTemplateId)
| Argument | Definition |
|---|---|
validationTemplateId
|
Specifies the name of the validation template to be removed. |
This section contains commands used with the OPSS keystore service.
Note:
You need to acquire an OPSS handle to use keystore service commands. For details, see Managing Keys and Certificates with the Keystore Service in the Oracle Fusion Middleware Security Guide.
Table 4-15 lists the WLST commands used to manage the keystore service.
Table 4-15 OPSS Keystore Service Commands
| Use this Command... | to... |
|---|---|
|
Change the password for a key. |
|
|
Change the password on a keystore. |
|
|
Create a keystore. |
|
|
Delete a keystore. |
|
|
Delete an entry in a keystore. |
|
|
Export a keystore to file. |
|
|
Export a certificate to a file. |
|
|
Export a certificate request to a file. |
|
|
Generate a keypair. |
|
|
Generate a secret key. |
|
|
Get information about a certificate or trusted certificate. |
|
|
Get the secret key properties. |
|
|
Import a keystore from file. |
|
|
Import a certificate or other object. |
|
|
List certificates expiring in a specified period. |
|
|
List aliases in a keystore. |
|
|
List all the keystores in a stripe. |
Changes a key password.
svc.changeKeyPassword(appStripe='stripe', name='keystore', password='password', alias='alias', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
password
|
Specifies the keystore password |
alias
|
Specifies the alias of the key entry whose password is changed |
currentkeypassword
|
Specifies the current key password |
newkeypassword
|
Specifies the new key password |
Changes the password of a keystore.
svc.changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
currentpassword
|
Specifies the current keystore password |
newpassword
|
Specifies the new keystore password |
This keystore service command creates a new keystore.
svc.createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore is created. |
name
|
Specifies the name of the new keystore. |
password
|
Specifies the keystore password. |
permission
|
This parameter is true if the keystore is protected by permission only, false if protected by both permission and password. |
Deletes the named keystore.
svc.deleteKeyStore(appStripe='stripe', name='keystore', password='password')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore to be deleted. |
password
|
Specifies the keystore password. |
Deletes a keystore entry.
svc.deleteKeyStoreEntry(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be deleted |
keypassword
|
Specifies the key password of the entry to be deleted |
Exports a keystore to a file.
svc.exportKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
aliases
|
Comma separated list of aliases to be exported. |
keypasswords
|
Comma separated list of the key passwords correspo nding to aliases. |
type
|
Exported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath
|
Absolute path of the file where keystore is exported. |
Exports a certificate.
svc.exportKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be exported |
keypassword
|
Specifies the key password. |
type
|
Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported. |
Exports a certificate request.
svc.exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the entry's alias name. |
keypassword
|
Specifies the key password. |
filepath
|
Specifies the absolute path of the file where certificate request is exported. |
Generates a key pair in a keystore.
svc.generateKeyPair(appStripe='stripe', name='keystore', password='password', dn='distinguishedname', keysize='keysize', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
dn
|
Specifies the distinguished name of the certificate wrapping the key pair. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key pair entry. |
keypassword
|
Specifies the key password. |
Generates a secret key.
svc.generateSecretKey(appStripe='stripe', name='keystore', password='password', algorithm='algorithm', keysize='keysize', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
algorithm
|
Specifies the symmetric key algorithm. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key entry. |
keypassword
|
Specifies the key password. |
Gets a certificate from the keystore.
svc.getKeyStoreCertificates(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed. |
keypassword
|
Specifies the key password. |
Retrieves secret key properties.
svc.getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the secret key whose properties are displayed. |
keypassword
|
Specifies the secret key password. |
Imports a keystore from file.
svc.importKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', permission=true|false, filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
aliases
|
Specifies the comma-separated aliases of the entries to be imported from file. |
keypasswords
|
Specifies the comma-separated passwords of the keys in file. |
type
|
Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath
|
Specifies the absolute path of the keystore file to be imported. |
permission
|
Specifies true if keystore is protected by permission only, false if protected by both permission and password. |
Imports a certificate or other specified object.
svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be imported. |
keypassword
|
Specifies the key password of the newly imported entry. |
type
|
Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported. |
Lists expiring certificates.
svc.listExpiringCertificates(days='days', autorenew=true|false)
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
days
|
Specifies that the list should only include certificates within this many days from expiration. |
autorenew
|
Specifies true for automatically renewing expiring certificates, false for only listing them. |
Lists the aliases in a keystore.
The syntax is as follows:
svc.listKeyStoreAliases(appStripe='stripe', name='keystore', password='password', type='entrytype')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
type
|
Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'. |