The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail.
For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Security Guide.
To use the Infrastructure Security custom WLST commands on WebLogic Server, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide. To use the applicable Infrastructure Security custom WLST commands on a WebSphere Server, see the 3rd Party Integration Guide.
WLST security commands are divided into the following categories:
Table 4-1 WLST Command Categories
Command Category | Description |
---|---|
Audit Configuration | View and manage audit policies and the audit repository configuration. |
SSL Configuration | View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components. |
Identity Federation | View and manage configuration for Oracle Access Management Identity Federation. |
OPSS | Manage the domain policy and credential stores, and migrate the domain policy store. |
Oracle Access Manager | Manage Access Manager-related components, such as authorization providers, identity asserters, and SSO providers. |
Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.
Use this command... | To... | Use with WLST... |
---|---|---|
getNonJavaEEAuditMBeanName | Display the MBean name for a non-Java EE component. | Online |
getAuditPolicy | Display audit policy settings. | Online |
setAuditPolicy | Update audit policy settings. | Online |
getAuditRepository | Display audit repository settings. | Online |
setAuditRepository | Update audit repository settings. | Online |
listAuditEvents | List audit events for one or all components. | Online |
exportAuditConfig | Export a component's audit configuration. | Online |
importAuditConfig | Import a component's audit configuration. | Online |
For more information, see the Oracle Fusion Middleware Security Guide.
Online command that displays the mbean name for non-Java EE components.
This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
svrName | Specifies the name of the Oracle WebLogic Server on which the component's audit MBean is running. |
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
getAuditPolicy([mbeanName, componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. In the examples on this page the MBean name is passed with the keyword on. |
componentType | Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in jps-config.xml is displayed. |
The following command displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0
The following command displays the audit settings for the MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
This command configures the audit policy settings. You can set the filter preset, add or remove special users, and add or remove custom events. The component MBean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers], [removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
filterPreset | Specifies the filter preset to be changed. |
addSpecialUsers | Specifies the special users to be added. |
removeSpecialUsers | Specifies the special users to be removed. |
addCustomEvents | Specifies the custom events to be added. |
removeCustomEvents | Specifies the custom events to be removed. |
componentType | Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified. |
maxDirSize | Specifies the maximum size of the log directory. |
maxFileSize | Specifies the maximum size of the log file. |
andCriteria | Specifies the AND criteria of a custom filter preset. |
orCriteria | Specifies the OR criteria of a custom filter preset. |
componentEventsFile | Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create or update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component and the filter preset level is set to Custom. |
The following interactive command sets the audit policy to the None level, and adds users user2 and user3 while removing user1 from the policy. Note that the None preset turns event auditing off for the component, so use it deliberately:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='None',addSpecialUsers='user2,user3',removeSpecialUsers='user1')
wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0
The following interactive command adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following interactive command sets the audit policy to the Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0
The following command sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
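The getAuditPolicy() output shown in these examples is a flat list of key:value lines, which makes it easy to check a domain's audit policy against a baseline before touching it with setAuditPolicy(). The following Python script is an added example and is not part of this Oracle reference: it parses that output (captured from a WLST session), compares it with a baseline, and builds the setAuditPolicy() call that would close each gap. The baseline used in the demo (minimum preset Low, the event names, the user weblogic) and the ranking of the presets are assumptions for illustration; the sample output is constructed from the examples on this page.

```python
# Added example (not Oracle code): compliance check for getAuditPolicy() output.
# Parses the key:value lines WLST prints, compares them with a baseline, and builds
# the setAuditPolicy() call that would close each gap.  The baseline values used in
# the demo and the preset ranking below are assumptions for illustration.

# Filter presets ordered by how much they audit. Medium is a valid OPSS preset
# even though this page's examples only show None, Low, All and Custom.
PRESET_RANK = {"None": 0, "Low": 1, "Medium": 2, "All": 3}

# Constructed sample, modelled on the getAuditPolicy() output shown on this page.
SAMPLE_OUTPUT = """\
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
"""


def parse_audit_policy(text):
    """Turn getAuditPolicy() output into a dict.  Splits on the FIRST colon only,
    because event names themselves contain colons (JPS:CheckAuthorization)."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or line.startswith("wls:"):     # prompts and status chatter
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in ("Special Users", "Custom Events"):
            policy[key] = [v.strip() for v in value.split(",") if v.strip()]
        elif key in ("Max Log File Size", "Max Log Dir Size"):
            policy[key] = int(value)
        elif key == "FilterPreset":
            policy[key] = value
    return policy


def assess(policy, min_preset="Low", required_events=(), required_users=()):
    """Return a list of (finding, fix) pairs; each fix is a setAuditPolicy keyword fragment.
    An empty list means the policy meets the baseline."""
    findings = []
    preset = policy.get("FilterPreset", "None")
    if preset == "Custom":
        # A Custom preset audits only what is listed, so every required event must be present.
        missing = sorted(set(required_events) - set(policy.get("Custom Events", [])))
        if missing:
            findings.append(("custom preset lacks events: " + ",".join(missing),
                             "filterPreset='Custom', addCustomEvents='%s'" % ",".join(missing)))
    elif PRESET_RANK.get(preset, -1) < PRESET_RANK[min_preset]:
        # None audits nothing; anything below the baseline preset is a gap.
        findings.append(("preset %s is below minimum %s" % (preset, min_preset),
                         "filterPreset='%s'" % min_preset))
    missing_users = sorted(set(required_users) - set(policy.get("Special Users", [])))
    if missing_users:
        findings.append(("always-audited users missing: " + ",".join(missing_users),
                         "addSpecialUsers='%s'" % ",".join(missing_users)))
    return findings


def remediation(findings):
    """Collapse the fixes into one setAuditPolicy() call, or None when compliant."""
    if not findings:
        return None
    return "setAuditPolicy(%s)" % ", ".join(fix for _, fix in findings)


if __name__ == "__main__":
    policy = parse_audit_policy(SAMPLE_OUTPUT)
    # Baseline for the demo (assumed): audit authorization checks and logins, always audit weblogic.
    findings = assess(policy, required_events=("JPS:CheckAuthorization", "UserLogin"),
                      required_users=("weblogic",))
    for finding, _ in findings:
        print("FINDING:", finding)
    print(remediation(findings))
```

The generated call only adds what is missing; it never removes existing special users or custom events, so running it is safe to repeat. Paste the returned string into the WLST session (or a WLST script) after reviewing the findings.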
Online command that displays audit repository settings.
This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). Also displays database configuration if the repository is a database type.
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB],[dataSourceName],[interval])
Argument | Definition |
---|---|
switchToDB | If 'true', switches the audit repository from a file repository to a database repository. |
dataSourceName | Specifies the name of the data source. |
interval | Specifies the interval at which the audit loader kicks off. |
The following command switches from a file repository to a database repository:
wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true');
Already in Domain Runtime Tree
Audit Repository Information updated
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB
The following interactive command changes the audit repository to a specific database and sets the audit loader interval to 14 seconds:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
listAuditEvents([mbeanName],[componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component MBean. |
componentType | Specifies the component type, to limit the list to the events of that component type. |
The following command displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message
The following command displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following command displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
exportAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. In the examples on this page the MBean name is passed with the keyword on. |
fileName | Specifies the path and file name to which the audit configuration should be exported. |
componentType | Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in jps-config.xml is exported. |
The following interactive command exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
importAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. In the examples on this page the MBean name is passed with the keyword on. |
fileName | Specifies the path and file name from which the audit configuration should be imported. |
componentType | Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in jps-config.xml is imported. |
The following interactive command imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command imports the audit configuration from a file; no mBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.
Table 4-3 WLST Commands for SSL Configuration
Use this command... | To... | Use with WLST... |
---|---|---|
addCertificateRequest | Generate a certificate signing request in an Oracle wallet. | Online |
addSelfSignedCertificate | Add a self-signed certificate to an Oracle wallet. | Online |
changeKeyStorePassword | Change the password to a JKS keystore. | Online |
changeWalletPassword | Change the password to an Oracle wallet. | Online |
configureSSL | Set the SSL attributes for a component listener. | Online |
createKeyStore | Create a JKS keystore. | Online |
createWallet | Create an Oracle wallet. | Online |
deleteKeyStore | Delete a JKS keystore. | Online |
deleteWallet | Delete an Oracle wallet. | Online |
exportKeyStore | Export a JKS keystore to a file. | Online |
exportKeyStoreObject | Export an object from a JKS keystore to a file. | Online |
exportWallet | Export an Oracle wallet to a file. | Online |
exportWalletObject | Export an object from an Oracle wallet to a file. | Online |
generateKey | Generate a key pair in a JKS keystore. | Online |
getKeyStoreObject | Display a certificate or other object present in a JKS keystore. | Online |
getSSL | Display the SSL attributes for a component listener. | Online |
getWalletObject | Display a certificate or other object present in an Oracle wallet. | Online |
importKeyStore | Import a JKS keystore from a file. | Online |
importKeyStoreObject | Import a certificate or other object from a file to a JKS keystore. | Online |
importWallet | Import an Oracle wallet from a file. | Online |
importWalletObject | Import a certificate or other object from a file to an Oracle wallet. | Online |
listKeyStoreObjects | List all objects present in a JKS keystore. | Online |
listKeyStores | List all JKS keystores configured for a component instance. | Online |
listWalletObjects | List all objects present in an Oracle wallet. | Online |
listWallets | List all Oracle wallets configured for a component instance. | Online |
removeKeyStoreObject | Remove a certificate or other object from a component instance's JKS keystore. | Online |
removeWalletObject | Remove a certificate or other object from a component instance's Oracle wallet. | Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide.
Online command that generates a certificate signing request in an Oracle wallet.
This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.
addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command generates a certificate signing request with DN cn=www.example.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.example.com', '1024')
The 1024-bit key size in this and the following examples is illustrative only; public CAs no longer sign 1024-bit RSA keys, so use at least 2048 bits for any key you intend to deploy.
Online command that adds a self-signed certificate.
This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.
addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command adds a self-signed certificate with DN cn=www.example.com and key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.example.com', '1024')
Online command that changes the keystore password.
This command changes the password of a Java Keystore (JKS) file for an Oracle Virtual Directory instance.
changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the file name of the keystore. |
currPassword | Specifies the current keystore password. |
newPassword | Specifies the new keystore password. |
Online command that changes the password of an Oracle wallet.
This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.
changeWalletPassword(instName, compName, compType, walletName,currPassword, newPassword)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the file name of the wallet. |
currPassword | Specifies the current wallet password. |
newPassword | Specifies the new wallet password. |
Online command that sets SSL attributes.
This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
configureSSL(instName, compName, compType, listener, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ovd', 'ohs', and 'webcache'. |
listener | Specifies the name of the component listener to be configured for SSL. |
filePath | Specifies the absolute path of the properties file containing the SSL attributes to set. |
The following command configures the SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')
The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used; verify the resulting listener configuration with getSSL before relying on the defaults:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
Online command that creates a JKS keystore.
This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createKeyStore(instName, compName, compType, keystoreName, password)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the file name of the keystore file to be created. |
password | Specifies the keystore password. |
Online command that creates an Oracle wallet.
This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createWallet(instName, compName, compType, walletName, password)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file to be created. |
password | Specifies the wallet password. An empty password creates an auto-login wallet. |
The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')
The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1. An auto-login wallet is opened without a password, so its protection rests entirely on file-system permissions:
wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')
Online command that deletes a keystore.
deleteKeyStore(instName, compName, compType, keystoreName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file to delete. |
Online command that deletes an Oracle wallet.
This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
deleteWallet(instName, compName, compType, walletName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file to be deleted. |
Online command that exports the keystore to a file.
This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported file name is the same as the keystore name.
exportKeyStore(instName, compName, compType, keystoreName, password, path)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
path | Specifies the absolute path of the directory under which the keystore is exported. |
Online command that exports an object from a keystore to a file.
This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. The certificate signing request is generated before exporting the object. The alias specifies the object to be exported.
exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
path | Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
alias | Specifies the alias of the keystore object to be exported. |
The following command generates and exports a certificate signing request from the key pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')
The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')
The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')
Online command that exports an Oracle wallet.
This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to file(s) under the given directory. If the exported file is an auto-login only wallet, the file name is 'cwallet.sso'. If it is password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'.
exportWallet(instName, compName, compType, walletName,password, path)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
path | Specifies the absolute path of the directory under which the wallet is exported. |
The following command exports the auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to the file cwallet.sso under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')
The following command exports the password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp. The exported cwallet.sso can be opened without the wallet password, so export to a directory with restrictive permissions and remove the files once they have been moved:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')
Online command that exports a certificate or other wallet object to a file.
This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be exported.
exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'. |
path | Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
DN | Specifies the Distinguished Name of the wallet object being exported. |
The following command exports a certificate signing request with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.example.com')
The following command exports a certificate with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.example.com')
The following command exports a trusted certificate with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.example.com')
The following command exports a certificate chain with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.example.com')
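Both exportKeyStoreObject and exportWalletObject write the selected object to base64.txt, which is the natural point to verify what was actually generated before a CSR goes to a CA or a certificate is imported elsewhere. The following Python script is an added example and is not part of this Oracle reference or of WLST: it strips the PEM armour, walks the DER structure with a minimal stdlib-only decoder, and reports the RSA modulus size of a 'Certificate' or 'CertificateRequest' object (the same type values the WLST commands use), flagging anything below 2048 bits, which is where the 1024-bit keys in this page's examples would fail. The certificate and CSR fixtures it builds for offline use are constructed, unsigned structures, not real keys, and the 2048-bit threshold is an assumed policy value.

```python
# Added example (not Oracle code): check the RSA key size inside the base64.txt that
# exportWalletObject / exportKeyStoreObject write, using only the standard library.
# The sample certificate/CSR built below is a constructed, unsigned fixture, not a real key.
import base64
import re

MIN_RSA_BITS = 2048                                   # assumed policy threshold
RSA_OID = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 (fixture only)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the payload of a SEQUENCE/SET into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def pem_to_der(text):
    """Strip any -----BEGIN/END ...----- armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", text)
    return base64.b64decode("".join(body.split()))


def rsa_key_bits(der, obj_type):
    """Modulus size of the RSA key in a 'Certificate' or 'CertificateRequest' (the same
    values the WLST 'type' argument takes).  Raises ValueError for non-RSA keys."""
    _, outer, _ = _read_tlv(der, 0)                   # Certificate / CertificationRequest
    fields = _children(_children(outer)[0][1])        # tbsCertificate / certificationRequestInfo
    if obj_type == "Certificate":
        if fields[0][0] == 0xA0:                      # explicit [0] version (v2/v3)
            fields = fields[1:]
        spki = fields[5][1]                           # serial, sigAlg, issuer, validity, subject, SPKI
    elif obj_type == "CertificateRequest":
        spki = fields[2][1]                           # version, subject, SPKI
    else:
        raise ValueError("unsupported type: " + obj_type)
    (_, alg), (_, bitstr) = _children(spki)
    if _children(alg)[0] != (0x06, RSA_OID):
        raise ValueError("not an RSA key")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)          # skip unused-bits byte, then RSAPublicKey
    modulus = _children(rsa_pub)[0][1]                # INTEGER; a leading 0x00 pad does not change bit_length
    return int.from_bytes(modulus, "big").bit_length()


def check_export(text, obj_type, min_bits=MIN_RSA_BITS):
    """Return (bits, compliant) for the contents of an exported base64.txt."""
    bits = rsa_key_bits(pem_to_der(text), obj_type)
    return bits, bits >= min_bits


# --- constructed fixture so the checker can run offline (not a real key or certificate) ---
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _int(v):                                          # DER INTEGER, non-negative
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def constructed_sample(bits, obj_type="Certificate"):
    """Structurally valid but UNSIGNED certificate or CSR carrying an RSA key of `bits` bits."""
    seq = lambda *p: _tlv(0x30, b"".join(p))
    name = seq(_tlv(0x31, seq(_tlv(0x06, bytes.fromhex("550403")),     # id-at-commonName
                              _tlv(0x0C, b"www.example.com"))))
    spki = seq(seq(_tlv(0x06, RSA_OID), _tlv(0x05, b"")),
               _tlv(0x03, b"\x00" + seq(_int((1 << (bits - 1)) | 1), _int(65537))))
    sig_alg = seq(_tlv(0x06, SHA256_RSA_OID), _tlv(0x05, b""))
    if obj_type == "Certificate":
        validity = seq(_tlv(0x17, b"240101000000Z"), _tlv(0x17, b"250101000000Z"))
        info = seq(_tlv(0xA0, _int(2)), _int(1), sig_alg, name, validity, name, spki)
        label = "CERTIFICATE"
    else:
        info = seq(_int(0), name, spki, _tlv(0xA0, b""))
        label = "CERTIFICATE REQUEST"
    der = seq(info, sig_alg, _tlv(0x03, b"\x00"))     # empty signature: fixture only
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode(), label)


if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, check_export(constructed_sample(bits), "Certificate"))
```

To check a real export, read /tmp/base64.txt and pass its text to check_export with the same type value you gave the WLST command; the decoder handles both the bare base64 the commands write and PEM-armoured input. Trusted certificates and chains are not handled because a chain file holds several objects; check each certificate separately.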
Online command that generates a key pair in a Java keystore.
This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated.
generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore. |
password | Specifies the password of the keystore. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
alias | Specifies the alias of the key pair entry in the keystore. |
algorithm | Specifies the key algorithm. Valid value is 'RSA'. |
The following command generates a key pair with DN cn=www.example.com, key size 1024, algorithm RSA and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.example.com', '1024', 'mykey', 'RSA')
The following command is the same as above, except it does not explicitly specify the key algorithm:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.example.com', '1024', 'mykey')
Online command that shows details about a keystore object.
This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.
getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be displayed. Valid values are 'Certificate' and 'TrustedCertificate'. |
index | Specifies the index number of the keystore object as returned by the listKeyStoreObjects command. |
The following command shows the trusted certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')
The following command shows the certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')
Online command that lists the configured SSL attributes.
This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.
getSSL(instName, compName, compType, listener)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'. |
listener | Specifies the name of the component listener. |
Online command that displays information about a certificate or other object in an Oracle wallet.
This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.
getWalletObject(instName, compName, compType, walletName, password, type, index)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be displayed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
index | Specifies the index number of the wallet object as returned by the listWalletObjects command. |
The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')
The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')
The following command shows trusted certificate details for the object with index 0, present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')
Online command that imports a keystore from a file.
This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The keystore name must be unique for that component instance.
importKeyStore(instName, compName, compType, keystoreName, password, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore being imported. This name must be unique for this component instance. |
password | Specifies the password of the keystore. |
filePath | Specifies the absolute path of the keystore file to be imported. |
Online command that imports an object from a file to a keystore.
This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory under the specified alias. For a trusted certificate, the alias must not already exist in the keystore. For a certificate or certificate chain, the alias must be that of the existing key pair whose public key the certificate certifies.
importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'. |
filePath | Specifies the absolute path of the file containing the keystore object. |
alias | Specifies the alias to assign to the keystore object to be imported. |
The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The file keys.jks must already have an alias mykey for a key pair whose public key matches that in the certificate being imported:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')
The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')
Online command that imports an Oracle wallet from a file.
This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.
importWallet(instName, compName, compType, walletName, password, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet being imported. The name must be unique for the component instance. |
password | Specifies the password of the wallet. |
filePath | Specifies the absolute path of the wallet file being imported. |
The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')
The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')
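Both importKeyStoreObject and importWallet are online commands, so an argument mistake part-way through a scripted batch leaves the component half-configured. The following Python is an added example, not part of this page or of Oracle's WLST command set: plan_import_wallet enforces the cwallet.sso/ewallet.p12 naming and password rule stated for importWallet, and plan_import_keystore_object enforces the alias rule stated for importKeyStoreObject (a certificate or chain must use the alias of its existing key pair; a trusted certificate must use an alias not already in use). The alias lists it takes are whatever a prior listKeyStoreObjects call reported for the 'Certificate' and 'TrustedCertificate' types; here they are constructed inline. The function names, the component-type tables and the returned tuples are this example's own. The code avoids Python 3 only syntax so it can be pasted into a WLST (Jython 2.7) script ahead of the real calls.

```python
import os

# Component types accepted by the JKS (keystore) and Oracle wallet command families on this page.
KEYSTORE_COMPONENT_TYPES = ("ovd",)
WALLET_COMPONENT_TYPES = ("ohs", "oid", "webcache")

# File names importWallet expects: auto-login wallets carry no password, PKCS#12 wallets need one.
AUTO_LOGIN_WALLET = "cwallet.sso"
PROTECTED_WALLET = "ewallet.p12"


def plan_import_wallet(instName, compName, compType, walletName, password, filePath):
    """Check importWallet arguments; return them as the tuple to pass to the online command.

    Raises ValueError on any violation so a batch script fails before it touches
    the managed component instead of part-way through.
    """
    if compType not in WALLET_COMPONENT_TYPES:
        raise ValueError("compType %r is not a wallet component, expected one of %s"
                         % (compType, ", ".join(WALLET_COMPONENT_TYPES)))
    if not os.path.isabs(filePath):
        raise ValueError("filePath must be absolute, got %r" % filePath)
    base = os.path.basename(filePath)
    if base == AUTO_LOGIN_WALLET:
        if password != "":
            raise ValueError("auto-login wallet %s takes an empty password" % base)
    elif base == PROTECTED_WALLET:
        if not password:
            raise ValueError("password-protected wallet %s needs a non-empty password" % base)
    else:
        raise ValueError("filePath must point to %s or %s, got %r"
                         % (AUTO_LOGIN_WALLET, PROTECTED_WALLET, base))
    return (instName, compName, compType, walletName, password, filePath)


def plan_import_keystore_object(instName, compName, compType, keystoreName, password,
                                objType, filePath, alias, certificate_aliases, trusted_aliases):
    """Check importKeyStoreObject arguments against the keystore's current contents.

    certificate_aliases and trusted_aliases are the aliases a prior listKeyStoreObjects
    call reported for type 'Certificate' and 'TrustedCertificate' (supplied by the caller).
    """
    if compType not in KEYSTORE_COMPONENT_TYPES:
        raise ValueError("compType %r is not a JKS component, expected %s"
                         % (compType, ", ".join(KEYSTORE_COMPONENT_TYPES)))
    if not os.path.isabs(filePath):
        raise ValueError("filePath must be absolute, got %r" % filePath)
    if objType == "Certificate":
        # A certificate or chain must land on the key pair it certifies.
        if alias not in certificate_aliases:
            raise ValueError("alias %r has no key pair in %s; generate one first" % (alias, keystoreName))
    elif objType == "TrustedCertificate":
        # A trusted certificate needs an alias not already in use.
        if alias in certificate_aliases or alias in trusted_aliases:
            raise ValueError("alias %r already exists in %s; pick a new alias" % (alias, keystoreName))
    else:
        raise ValueError("type must be 'Certificate' or 'TrustedCertificate', got %r" % objType)
    return (instName, compName, compType, keystoreName, password, objType, filePath, alias)


def is_rejected(planner, *args):
    """True when the planner raises ValueError for these arguments."""
    try:
        planner(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inventory standing in for listKeyStoreObjects output on keys.jks.
    cert_aliases, trust_aliases = ["mykey"], []
    print(plan_import_wallet("inst1", "oid1", "oid", "wallet1", "", "/tmp/cwallet.sso"))
    print(plan_import_keystore_object("inst1", "ovd1", "ovd", "keys.jks", "password",
                                      "Certificate", "/tmp/cert.txt", "mykey", cert_aliases, trust_aliases))
    # Reusing the key-pair alias for a trusted certificate is the common mistake; it is caught here.
    print(is_rejected(plan_import_keystore_object, "inst1", "ovd1", "ovd", "keys.jks", "password",
                      "TrustedCertificate", "/tmp/trust.txt", "mykey", cert_aliases, trust_aliases))
```

In a WLST script, call the planner first and pass its returned tuple to the real command with importWallet(*plan) or importKeyStoreObject(*plan), so nothing reaches the component until every argument has been checked.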
Online command that imports a certificate or other object into an Oracle wallet.
This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). When importing a certificate, use the same wallet from which the certificate signing request was generated, since that wallet holds the matching private key.
importWalletObject(instName, compName, compType, walletName, password, type, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
filePath | Specifies the absolute path of the file containing the wallet object. |
The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')
The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','/tmp/cert.txt')
The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')
Online command that lists the contents of a keystore.
This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.
listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')
The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')
Online command that lists all the keystores for a component.
This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.
listKeyStores(instName, compName, compType)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
Online command that lists all objects in an Oracle wallet.
This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
listWalletObjects(instName, compName, compType, walletName, password, type)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')
The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')
The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')
Online command that lists all wallets configured for a component instance.
This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.
listWallets(instName, compName, compType)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
Online command that removes an object from a keystore.
This command removes a certificate (or certificate chain), a trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed when all trusted certificates are being removed.
removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
alias | Specifies the alias of the keystore object to be removed. Not used with 'TrustedAll'. |
The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','mykey')
The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')
The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedAll',None)
Online command that removes a certificate or other object from an Oracle wallet.
This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The object to be removed is identified by its DN; when removing all trusted certificates, no DN is needed.
removeWalletObject(instName, compName, compType, walletName, password, type, DN)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of the wallet object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
DN | Specifies the Distinguished Name of the wallet object to be removed. Not used with 'TrustedAll'. |
The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so null (denoted by None) is passed for the DN parameter:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)
The following command removes a certificate signing request indicated by DN cn=www.example.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.example.com')
The following command removes a certificate indicated by DN cn=www.example.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.example.com')
The following command removes a trusted certificate indicated by DN cn=www.example.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.example.com')
Use the WLST security commands listed in Table 4-4 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 4-4 WLST Security Commands
Use this command... | To... | Use with WLST... |
---|---|---|
List application stripes in policy store. |
Online |
|
Create a new application role. |
Online |
|
Remove an application role. |
Online |
|
Add a principal to a role. |
Online |
|
Remove a principal from a role. |
Online |
|
List all roles in an application. |
Online |
|
List all members in an application role. |
Online |
|
Create a new permission. |
Online |
|
Remove a permission. |
Online |
|
List all permissions granted to a principal. |
Online |
|
Remove all policies in an application. |
Online |
|
Migrate policies or credentials from a source repository to a target repository. |
Offline |
|
Obtain the list of attribute values of a credential. |
Online |
|
Modify the attribute values of a credential. |
Online |
|
Create a new credential. |
Online |
|
Remove a credential. |
Online |
|
Update bootstrap credential store |
Offline |
|
Add a credential to the bootstrap credential store |
Offline |
|
Export the domain encryption key to the file |
Offline |
|
Import the encryption key in file |
Offline |
|
Restore the domain encryption key as it was before the last importing. |
Offline |
|
Reassociate policies and credentials to an LDAP repository |
Online |
|
Upgrade security data from data used with release 10.1.x to data used with release 11. |
Offline |
|
Create a new resource type. |
Online |
|
Fetch an existing resource type. |
Online |
|
Remove an existing resource type. |
Online |
|
Create a resource. |
Online |
|
Remove a resource. |
Online |
|
List resources in an application stripe. |
Online |
|
List actions in a resource. |
Online |
|
Create an entitlement. |
Online |
|
List an entitlement. |
Online |
|
Remove an entitlement. |
Online |
|
Add a resource to an entitlement. |
Online |
|
Remove a resource from an entitlement |
Online |
|
List entitlements in an application stripe. |
Online |
|
Create an entitlement. |
Online |
|
Remove an entitlement. |
Online |
|
List an entitlement. |
Online |
|
List resource types in an application stripe. |
Online |
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that removes an application role.
Removes an application role from the domain policy store with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
deleteAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that adds a principal to a role.
Adds a principal, identified by its class and name, to the role with the given application stripe and role name. In the event of an error, the command returns a WLSTException.
grantAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of the principal's class. |
principalName | Specifies the principal name. |
Online command that removes a principal from a role.
Removes a principal, identified by its class and name, from the role with the given application stripe and role name. In the event of an error, the command returns a WLSTException.
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of the principal's class. |
principalName | Specifies the principal name. |
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
listAppRoleMembers(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that creates a new permission.
Creates a new permission grant for a given code base URL or principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of the grantee principal's class. |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-delimited list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data. Note that java.security.AllPermission grants the principal every permission; it is shown here for illustration, and a real grant should name the specific permission class, target and actions needed:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
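Because grantPermission takes a free-form permission class, target and action list, a scripted policy load can silently grant far more than intended. The following Python linter is an added example, not part of this page or of Oracle's WLST command set: it checks a planned grantPermission call (expressed as the same keyword arguments) against a few least-privilege rules before the call is made. The action vocabularies for java.io.FilePermission, java.net.SocketPermission and java.util.PropertyPermission are those of the Java SE classes; the severity labels, the broad-target list and the function names are this example's own assumptions. PAGE_GRANTS holds the two invocations above so the linter can be run against them.

```python
# Action vocabularies of common Java SE permission classes. Any other class passes
# through with an informational note rather than a verdict (assumption of this example).
KNOWN_ACTIONS = {
    "java.io.FilePermission": frozenset(["read", "write", "execute", "delete", "readlink"]),
    "java.net.SocketPermission": frozenset(["accept", "connect", "listen", "resolve"]),
    "java.util.PropertyPermission": frozenset(["read", "write"]),
}

# FilePermission targets that cover the whole filesystem.
BROAD_FILE_TARGETS = ("<<ALL FILES>>", "/-")


def lint_grant(appStripe=None, codeBaseURL=None, principalClass=None, principalName=None,
               permClass=None, permTarget=None, permActions=None):
    """Return a list of (severity, message) findings for one planned grantPermission call.

    An empty list means the grant looks acceptable under these rules.
    """
    findings = []
    if permClass is None:
        findings.append(("error", "permClass is required"))
        return findings
    # Every grant needs a grantee: either code (codeBaseURL) or a principal class/name pair.
    if codeBaseURL is None and (principalClass is None or principalName is None):
        findings.append(("error", "grant needs a codeBaseURL or a principalClass/principalName pair"))
    scope = ("application stripe %r" % appStripe) if appStripe else "system policies"
    if permClass == "java.security.AllPermission":
        findings.append(("high", "AllPermission in %s grants every permission; name a specific class" % scope))
        return findings
    known = KNOWN_ACTIONS.get(permClass)
    if known is None:
        findings.append(("info", "no action vocabulary known for %s; actions not checked" % permClass))
        return findings
    if not permTarget:
        findings.append(("error", "%s requires a permTarget" % permClass))
    elif permClass == "java.io.FilePermission" and permTarget in BROAD_FILE_TARGETS:
        findings.append(("high", "file target %r covers the whole filesystem" % permTarget))
    if not permActions:
        findings.append(("error", "%s requires permActions" % permClass))
    else:
        actions = [a.strip() for a in permActions.split(",")]
        unknown = sorted(set(actions) - known)
        if unknown:
            findings.append(("error", "unknown actions for %s: %s" % (permClass, ", ".join(unknown))))
        if permClass == "java.io.FilePermission" and "execute" in actions:
            findings.append(("medium", "execute on %r lets the grantee run it" % permTarget))
    return findings


# The two grantPermission invocations shown above, as keyword dictionaries.
PAGE_GRANTS = [
    dict(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager",
         permClass="java.security.AllPermission"),
    dict(principalClass="my.custom.Principal", principalName="manager",
         permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write"),
]


def lint_all(grants):
    """Lint a list of planned grants; returns one findings list per grant, in order."""
    return [lint_grant(**grant) for grant in grants]


def worst_severity(findings):
    """Highest severity present in a findings list, or None when it is empty."""
    order = ["info", "medium", "high", "error"]
    worst = None
    for severity, _ in findings:
        if worst is None or order.index(severity) > order.index(worst):
            worst = severity
    return worst


if __name__ == "__main__":
    for grant, findings in zip(PAGE_GRANTS, lint_all(PAGE_GRANTS)):
        print("%s -> %s" % (grant["permClass"], findings or "ok"))
```

Run the linter over the planned grants before the WLST session, and have the script refuse to issue any grant whose findings include "high" or "error"; the first page example is flagged, the second passes.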
Online command that removes a permission.
Removes a permission grant for a given code base URL or principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of the grantee principal's class. |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-delimited list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
listPermissions([appStripe,] principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
principalClass | Specifies the fully qualified name of the grantee principal's class. |
principalName | Specifies the name of the grantee principal. |
The following invocation lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager")
The following invocation lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that removes all policies with a given application stripe.
Removes all policies with a given application stripe. The argument is required; this command does not operate on system policies. In the event of an error, the command returns a WLSTException.
deleteAppPolicies(appStripe)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe whose policies are removed. |
Offline command that migrates identities, application-specific or system policies, a specific credential folder, or all credentials.
Migrates identities, application-specific policies, or system policies from a source repository to a target repository, or migrates a specific credential folder or all credentials.
The kinds of repositories where the source and target data are stored are transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (an LDAP-based repository must be an Oracle Internet Directory or Oracle Virtual Directory server). In the event of an error, the command returns a WLSTException.
The command syntax varies depending on the scope (system, application-specific, or both) of the policies being migrated.
Optional arguments are enclosed in square brackets.
To migrate identities, use the following syntax:
migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])
To migrate all policies (system and application-specific, for all applications), use the following syntax:
migrateSecurityStore(type="policyStore", configFile, src, dst, [overWrite,] [preserveAppRoleGuid])
To migrate just system policies, use the following syntax:
migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])
To migrate just application-specific policies, for one application, use the following syntax:
migrateSecurityStore(type="appPolicies", configFile, src, dst, srcApp, [dstApp,] [overWrite,] [migrateIdStoreMapping,] [preserveAppRoleGuid,] [mode])
To migrate all credentials, use the following syntax:
migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])
To migrate just one credential folder, use the following syntax:
migrateSecurityStore(type="folderCred", configFile, src, dst, [srcFolder,] [dstFolder,] [srcConfigFile,] [overWrite])
Argument | Definition |
---|---|
type | Specifies the kind of data migrated. To migrate identities, set it to idStore. To migrate all policies (system and application-specific, for all applications), set it to policyStore. To migrate just system policies, set it to globalPolicies. To migrate just application-specific policies, set it to appPolicies. To migrate all credentials, set it to credStore. To migrate just one credential folder, set it to folderCred. |
configFile | Specifies the location of a configuration file (jps-config.xml). |
src | Specifies the name of a jps-context in the configuration file passed to configFile; it identifies the source repository. |
dst | Specifies the name of another jps-context in the configuration file passed to configFile; it identifies the target repository. |
srcApp | Specifies the name of the source application, that is, the application whose policies are being migrated. |
dstApp | Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application. |
srcFolder | Specifies the name of the folder from which credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder. |
dstFolder | Specifies the folder to which the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder. |
srcConfigFile | Specifies the location of an alternate configuration file. It is used in the special case in which credentials are not configured in the file passed to configFile. |
overWrite | Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data. |
migrateIdStoreMapping | Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to false to exclude enterprise policies from the migration of application policies. |
dstLdifFile | Specifies the location where the LDIF file will be created. Required only if the destination is an LDAP-based identity store. Note that the LDIF file is not imported into the LDAP server; import it manually, after editing it to account for the attributes required by your LDAP server. |
preserveAppRoleGuid | Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false by default. Set to true to preserve GUIDs; set to false to recreate GUIDs. |
mode | Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, migrating just one of the duplicated items and logging a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict. |
Note the following requirements about the passed arguments:
The file jps-config.xml is found in the passed location.
The file jps-config.xml includes the passed jps-contexts.
The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.
The following invocation illustrates the migration of the file-based policies of application PolicyServlet1
to file-based policies of application PolicyServlet2
, that does not stop on encountering duplicate principals or permissions, that migrates just one of duplicate items, and that logs a warning when duplicates are found:
wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies", configFile="jps-congif.xml", src="default1", dst="context2", srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
<serviceInstance name="policystore1.xml" provider="some.provider">
  <property name="location" value="jazn-data1.xml"/>
</serviceInstance>
<serviceInstance name="policystore2.xml" provider="some.provider">
  <property name="location" value="jazn-data2.xml"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="policystore1.xml"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="policystore2.xml"/>
  ...
</jpsContext>
The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but are assumed to be located in the current directory.
The following invocation illustrates the migration of file-based credentials from one location to another:
wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-config.xml", src="default1", dst="context2")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
<serviceInstance name="credstore1" provider="some.provider">
  <property name="location" value="./credstore1/cwallet.sso"/>
</serviceInstance>
<serviceInstance name="credstore2" provider="some.provider">
  <property name="location" value="./credstore2/cwallet.sso"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="credstore1"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="credstore2"/>
  ...
</jpsContext>
For detailed configuration examples to use with this command, see Oracle Fusion Middleware Security Guide.
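The resolution that migrateSecurityStore performs from its two contexts, written out as an added example in plain Python (not Oracle code and not a WLST script; it runs under an ordinary interpreter): it parses a jps-config.xml, looks up the src and dst jpsContext elements, follows each serviceInstanceRef to the store location, and enforces the requirements listed above (both contexts present, names distinct). The embedded document is constructed from the fragments shown on this page; the namespace URI, the provider name some.provider, the store file names and the deliberately broken context are placeholders.

```python
"""Resolve what migrateSecurityStore would migrate from a jps-config.xml.

Added example (not Oracle code): given the text of a jps-config.xml and the
src/dst jpsContext names, return the store location behind every
serviceInstanceRef of each context, applying the checks the command itself
imposes. Namespaced and un-namespaced documents are both handled, because
real files declare a default namespace while the page's fragments do not.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the two fragments from this page merged into one file,
# plus a context with a dangling reference to show the error path.
SAMPLE_JPS_CONFIG = """
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="policystore1.xml" provider="some.provider">
      <property name="location" value="jazn-data1.xml"/>
    </serviceInstance>
    <serviceInstance name="policystore2.xml" provider="some.provider">
      <property name="location" value="jazn-data2.xml"/>
    </serviceInstance>
    <serviceInstance name="credstore1" provider="some.provider">
      <property name="location" value="./credstore1/cwallet.sso"/>
    </serviceInstance>
    <serviceInstance name="credstore2" provider="some.provider">
      <property name="location" value="./credstore2/cwallet.sso"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default1">
    <jpsContext name="default1">
      <serviceInstanceRef ref="policystore1.xml"/>
      <serviceInstanceRef ref="credstore1"/>
    </jpsContext>
    <jpsContext name="context2">
      <serviceInstanceRef ref="policystore2.xml"/>
      <serviceInstanceRef ref="credstore2"/>
    </jpsContext>
    <jpsContext name="broken">
      <serviceInstanceRef ref="credstore.missing"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _local(tag):
    """Strip an XML namespace prefix ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def service_instances(root):
    """Map each serviceInstance name to its 'location' property (None if absent)."""
    instances = {}
    for si in root.iter():
        if _local(si.tag) != "serviceInstance":
            continue
        location = None
        for prop in _children(si, "property"):
            if prop.get("name") == "location":
                location = prop.get("value")
        instances[si.get("name")] = location
    return instances


def context_refs(root):
    """Map each jpsContext name to the list of serviceInstanceRef targets."""
    contexts = {}
    for ctx in root.iter():
        if _local(ctx.tag) == "jpsContext":
            contexts[ctx.get("name")] = [r.get("ref") for r in _children(ctx, "serviceInstanceRef")]
    return contexts


def resolve_migration(config_xml, src, dst):
    """Return (src_stores, dst_stores), each a dict serviceInstance name -> location.

    Raises ValueError when the arguments violate the documented requirements
    (context missing, src and dst identical) or when a context references a
    serviceInstance the file never defines.
    """
    if src == dst:
        raise ValueError("source and destination contexts must be distinct")
    root = ET.fromstring(config_xml)
    instances = service_instances(root)
    contexts = context_refs(root)
    resolved = []
    for name in (src, dst):
        if name not in contexts:
            raise ValueError("jpsContext %r not found in configuration" % name)
        stores = {}
        for ref in contexts[name]:
            if ref not in instances:
                raise ValueError("jpsContext %r references undefined serviceInstance %r" % (name, ref))
            stores[ref] = instances[ref]
        resolved.append(stores)
    return tuple(resolved)


if __name__ == "__main__":
    src_stores, dst_stores = resolve_migration(SAMPLE_JPS_CONFIG, "default1", "context2")
    print("source stores:", src_stores)
    print("target stores:", dst_stores)
```

Running the script prints the file-based policy store and credential store behind default1 and context2; passing the same name twice, an unknown context, or the broken context raises a ValueError before anything would be migrated, which is the order of checks you want in a wrapper script around the real command.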
Online command that returns the list of attribute values of a credential in the domain credential store.
Returns the list of attribute values of the credential in the domain credential store with the given map name and key name. This command lists the data encapsulated in credentials of type password only. The values returned include the credential's password in clear text, so treat the WLST session transcript as sensitive. In the event of an error, the command returns a WLSTException.
listCred(map, key)
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
Online command that modifies the user name, password, and description of a credential.
Modifies the user name, password, and optional description of the credential in the domain credential store with the given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
updateCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. Optional. |
Online command that creates a new credential in the domain credential store.
Creates a new password credential in the domain credential store with the given map name, key name, user name, password, and optional description. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
createCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. Optional. |
Online command that removes a credential from the domain credential store.
Removes the credential with the given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
deleteCred(map, key)
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with the given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: the domain policy and credential stores are LDAP-based, and the credentials used to access the LDAP store (stored in the LDAP server) have been changed. This command then seeds those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the OPSS configuration file. |
username | Specifies the distinguished name of the user in the LDAP store. |
password | Specifies the password of the user. |
Suppose that in the LDAP store the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded. The password is passed as a clear-text argument, so do not leave the invocation in shell history or in a recorded WLST script that others can read.
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the OPSS configuration file. |
map | Specifies the map of the credential to add. |
key | Specifies the key of the credential to add. |
username | Specifies the name of the user in the credential to add. |
password | Specifies the password of the user in the credential to add. |
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey. The exported file holds the key that protects every credential in the domain's credential store, so store and transfer it with the same care as the credentials themselves and remove it once it has been imported where it is needed.
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the OPSS configuration file. |
keyFilePath | Specifies the directory where the file ewallet.p12 is written. |
keyFilePassword | Specifies the password used to secure the file ewallet.p12. |
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the OPSS configuration file. |
keyFilePath | Specifies the directory where the file ewallet.p12 is located. |
keyFilePassword | Specifies the password used when the file ewallet.p12 was created with exportEncryptionKey. |
Offline command that restores the domain credential encryption key.
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
restoreEncryptionKey(jpsConfigFile)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the OPSS configuration file. |
Online command that migrates the policy and credential stores to an LDAP repository.
Migrates, within a given domain, both the policy store and the credential store to a target LDAP server repository. The only kinds of LDAP servers allowed are OID or OVD. This command also allows setting up a policy store shared by different domains (see the optional argument join below). In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
reassociateSecurityStore(domain, admin, password, ldapurl, servertype, jpsroot [, join] [, keyFilePath, keyFilePassword])
Argument | Definition |
---|---|
domain | Specifies the domain name where the reassociation takes place. |
admin | Specifies the administrator's user name on the LDAP server, given as a distinguished name (for example, cn=adminName in the invocations below). |
password | Specifies the password associated with the user specified for the argument admin. |
ldapurl | Specifies the URI of the LDAP server, including scheme, host, and port (for example, ldap://myhost.example.com:3060 in the invocations below). |
servertype | Specifies the kind of the target LDAP server. The only valid types are OID or OVD. |
jpsroot | Specifies the root node in the target LDAP repository under which all data is migrated, given as a distinguished name (for example, cn=testNode in the invocations below). |
join | Specifies whether the domain is to share a policy store specified in some other domain. Optional. Set to true to share an existing policy store in another domain; set to false otherwise. If unspecified, it defaults to false. The use of this argument allows multiple WebLogic domains to point to the same logical policy store. |
keyFilePath | Specifies the directory where the file ewallet.p12 written by exportEncryptionKey is located. Optional; used together with keyFilePassword when joining an existing store, so that the joining domain uses the credential encryption key exported from the domain that owns the store. |
keyFilePassword | Specifies the password used when the file ewallet.p12 was created with exportEncryptionKey. Optional; used together with keyFilePath. |
The following invocation reassociates the domain policies and credentials to an LDAP Oracle Internet Directory server:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="myDomain", admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode")
Suppose that you want some other domain (distinct from myDomain, say otherDomain) to share the policy store in myDomain. Then you would invoke the command as follows:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="otherDomain", admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode", join="true")
Both invocations bind to the directory over plain ldap://, which sends the administrator password and the migrated credentials across the network unencrypted; in production, point ldapurl at an SSL-enabled directory port where one is available.
Offline command that migrates release 10.1.x security data to release 11 security data.
Migrates identity, policy, and credential data used in release 10.1.x to security data that can be used with release 11. The migration of each kind of data is performed with a separate invocation of this command. In the event of an error, the command returns a WLSTException.
The syntax varies according to the type of data being upgraded.
To upgrade 10.1.x XML identity data to 11 XML identity data, use the following syntax:
upgradeSecurityStore(type="xmlIdStore", jpsConfigFile, srcJaznDataFile, srcRealm, dst)
To upgrade 10.1.x XML policy data to 11 XML policy data, use the following syntax:
upgradeSecurityStore(type="xmlPolicyStore", jpsConfigFile, srcJaznDataFile, dst)
To upgrade 10.1.x OID LDAP-based policy data to 11 XML policy data, use the following syntax:
upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile, srcJaznConfigFile, dst)
To upgrade 10.1.x XML credential data to 11 XML credential data, use the following syntax:
upgradeSecurityStore(type="xmlCredStore", jpsConfigFile, srcJaznDataFile, users, dst)
Argument | Definition |
---|---|
type | Specifies the kind of security data being upgraded. The only valid values are xmlIdStore, xmlPolicyStore, oidPolicyStore, and xmlCredStore. |
jpsConfigFile | Specifies the location of the OPSS configuration file that describes the destination store. |
srcJaznDataFile | Specifies the location of a 10.1.x jazn data file relative to the directory where the command is run. Required if the specified type is xmlIdStore, xmlPolicyStore, or xmlCredStore. |
srcJaznConfigFile | Specifies the location of a 10.1.x jazn configuration file relative to the directory where the command is run. Required if the specified type is oidPolicyStore. |
srcRealm | Specifies the name of the realm from which identities are migrated. Required if the specified type is xmlIdStore. |
users | Specifies a comma-delimited list of users, each formatted as realmName/userName. Required if the specified type is xmlCredStore. |
dst | Specifies the name of the jpsContext in the file passed to the argument jpsConfigFile where the destination store is configured. Optional. If unspecified, it defaults to the default context in the file passed in the argument jpsConfigFile. |
The following invocation migrates 10.1.3 file-based identities to an 11 file-based identity store:
wls:/mydomain/serverConfig> upgradeSecurityStore(type="xmlIdStore", jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml", srcRealm="jazn.com")
The following invocation migrates a 10.1.3 OID-based policy store to an 11 file-based policy store:
wls:/mydomain/serverConfig> upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile="jps-config.xml", srcJaznConfigFile="jazn.xml", dst="destinationContext")
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with the specified name, display name, description, and actions. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets; all other arguments are required.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where to insert the resource type. |
resourceTypeName | Specifies the name of the resource type to insert. |
displayName | Specifies the name for the resource type used in UI gadgets. |
description | Specifies a brief description of the resource type. |
provider | Specifies the provider for the resource type. Optional. |
matcher | Specifies the class of the resource type. Optional; if unspecified, a default class is used. |
actions | Specifies the actions allowed on instances of the resource type, as a list separated by the delimiter character. |
delimeter | Specifies the character used to delimit the list of actions. Optional. If unspecified, it defaults to comma ','. |
The following invocation creates a resource type in the stripe myApplication with the actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint", delimeter=";")
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with the specified name. In the event of an error, the command returns a WLSTException.
getResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from which to fetch the resource type. |
resourceTypeName | Specifies the name of the resource type to fetch. |
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with the specified name. In the event of an error, the command returns a WLSTException.
deleteResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from which to remove the resource type. |
resourceTypeName | Specifies the name of the resource type to remove. |
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and the command lists the application stripes in the policy store referred to by the default context of that configuration file; the default context must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and the command lists the stripes in the policy store of the domain to which you are connected. In either mode, if a regular expression is passed, only the application stripes whose names match it are listed; otherwise, all application stripes are listed.
If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited as described in "Running listAppStripes after Reassociating to a DB-Based Store" in Oracle Fusion Middleware Security Guide.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument | Definition |
---|---|
configFile | Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and lists the application stripes in the domain policy store. |
regularExpression | Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of all application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes()
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes whose names start with the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is created. |
name | Specifies the name of the resource created. |
type | Specifies the type of the resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName | Specifies the display name of the resource created. Optional. |
description | Specifies the description of the resource created. Optional. |
Online command that deletes a resource.
Deletes a resource and all references to it from entitlements in an application stripe. The deletion cascades: if an entitlement refers to that resource only, the entitlement itself is removed; otherwise, only the resource's actions for the passed type are removed from the entitlement. Because this can remove an entitlement that principals have been granted, list the entitlements that reference the resource first (listEntitlements with the resourceTypeName and resourceName arguments) before deleting a resource in a production stripe.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is deleted. |
name | Specifies the name of the resource deleted. |
type | Specifies the type of the resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of that resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [, type="resTypeName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resources are listed. |
type | Specifies the type of the resources listed. Optional. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists the resources and actions in an entitlement.
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement resides. |
permSetName | Specifies the name of the entitlement whose resources and actions are listed. |
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add further resources to an existing entitlement; use revokeResourceFromEntitlement to remove resources from an existing entitlement.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is created. |
name | Specifies the name of the entitlement created. |
resourceName | Specifies the name of the one resource that is a member of the entitlement created. |
actions | Specifies the comma-delimited list of actions for the resource resourceName. |
displayName | Specifies the display name of the entitlement created. Optional. |
description | Specifies the description of the entitlement created. Optional. |
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to access. |
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is deleted. |
name | Specifies the name of the entitlement to delete. |
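The two cascading rules just described, deleteResource's (a resource that is an entitlement's only member takes the entitlement with it, otherwise only its actions go) and deleteEntitlement's (every reference to the entitlement goes), modelled in an added Python example that is not OPSS code and does not talk to a policy store. The stripe, its Printer resource type, its resources, entitlements and grants are constructed sample data; the ApplicationRole class name is the one this page's grantEntitlement example uses.

```python
"""Cascading deletions in an application stripe, modelled in memory.

Added example (not OPSS code). An AppStripe holds resource types, resources,
entitlements (name -> {(resourceName, resourceType): set of actions}) and
grants (principalClass, principalName, entitlementName). delete_resource
implements the rule documented for deleteResource and delete_entitlement the
rule documented for deleteEntitlement; effective_permissions shows what a
principal is left with afterwards.
"""


class AppStripe:
    def __init__(self, name):
        self.name = name
        self.resource_types = {}   # type name -> set of permitted actions
        self.resources = set()     # (resourceName, resourceType)
        self.entitlements = {}     # entitlement name -> {(res, type): set(actions)}
        self.grants = []           # (principalClass, principalName, entitlementName)

    def create_resource_type(self, type_name, actions, delimiter=","):
        """Like createResourceType: actions arrive as one delimited string."""
        self.resource_types[type_name] = set(a.strip() for a in actions.split(delimiter))

    def create_resource(self, name, type_name):
        """Like createResource: the type must already exist in the stripe."""
        if type_name not in self.resource_types:
            raise KeyError("resource type %r does not exist in stripe %r" % (type_name, self.name))
        self.resources.add((name, type_name))

    def _check_actions(self, type_name, actions):
        """Reject actions the resource type never declared."""
        wanted = set(a.strip() for a in actions.split(","))
        unknown = wanted - self.resource_types[type_name]
        if unknown:
            raise ValueError("actions %s are not defined on type %r" % (sorted(unknown), type_name))
        return wanted

    def create_entitlement(self, name, resource_name, resource_type, actions):
        """Like createEntitlement: exactly one resource at creation time."""
        self.entitlements[name] = {}
        self.add_resource_to_entitlement(name, resource_name, resource_type, actions)

    def add_resource_to_entitlement(self, ent_name, resource_name, resource_type, actions):
        key = (resource_name, resource_type)
        if key not in self.resources:
            raise KeyError("resource %s is not defined in stripe %r" % (key, self.name))
        self.entitlements[ent_name].setdefault(key, set()).update(self._check_actions(resource_type, actions))

    def grant_entitlement(self, principal_class, principal_name, ent_name):
        if ent_name not in self.entitlements:
            raise KeyError("entitlement %r does not exist" % ent_name)
        self.grants.append((principal_class, principal_name, ent_name))

    def delete_resource(self, name, type_name):
        """deleteResource rule: strip the resource from every entitlement; an
        entitlement that referred to this resource only is deleted outright."""
        key = (name, type_name)
        self.resources.discard(key)
        for ent_name in list(self.entitlements):
            members = self.entitlements[ent_name]
            if key not in members:
                continue
            if len(members) == 1:
                self.delete_entitlement(ent_name)
            else:
                del members[key]

    def delete_entitlement(self, ent_name):
        """deleteEntitlement rule: remove the entitlement and every grant that
        references it."""
        del self.entitlements[ent_name]
        self.grants = [g for g in self.grants if g[2] != ent_name]

    def effective_permissions(self, principal_name):
        """Resources and actions a principal still holds through its grants."""
        perms = {}
        for _cls, pname, ent_name in self.grants:
            if pname == principal_name:
                for key, actions in self.entitlements[ent_name].items():
                    perms.setdefault(key, set()).update(actions)
        return perms


ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"


def build_sample_stripe():
    """Constructed sample: two printers, two entitlements, two granted roles."""
    s = AppStripe("myApplication")
    s.create_resource_type("Printer", "BWPrint;ColorPrint", delimiter=";")
    s.create_resource("lobbyPrinter", "Printer")
    s.create_resource("labPrinter", "Printer")
    s.create_entitlement("basicPrinting", "lobbyPrinter", "Printer", "BWPrint")
    s.create_entitlement("allPrinting", "lobbyPrinter", "Printer", "BWPrint,ColorPrint")
    s.add_resource_to_entitlement("allPrinting", "labPrinter", "Printer", "ColorPrint")
    s.grant_entitlement(ROLE_CLASS, "staff", "basicPrinting")
    s.grant_entitlement(ROLE_CLASS, "admins", "allPrinting")
    return s


def delete_lobby_printer(stripe):
    """Apply deleteResource to the shared resource and report what survives."""
    stripe.delete_resource("lobbyPrinter", "Printer")
    return {
        "entitlements": sorted(stripe.entitlements),
        "staff": stripe.effective_permissions("staff"),
        "admins": stripe.effective_permissions("admins"),
    }


if __name__ == "__main__":
    print(delete_lobby_printer(build_sample_stripe()))
```

Deleting lobbyPrinter leaves admins with ColorPrint on labPrinter only, while basicPrinting, whose sole member it was, disappears together with the grant to staff. Against a real stripe, run listEntitlements(appStripe=..., resourceTypeName=..., resourceName=...) first to see which entitlements reference a resource before calling deleteResource on it.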
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with the specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to add. |
resourceType | Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions | Specifies the comma-delimited list of actions for the added resource. |
The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that removes a resource from an entitlement.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to remove. |
resourceType | Specifies the type of the resource to remove. |
actions | Specifies the comma-delimited list of actions to remove. |
The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that lists the entitlements in an application stripe.
Lists the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [, resourceTypeName="resTypeName", resourceName="resName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from which to list entitlements. |
resourceTypeName | Specifies the name of the type of the resources to match. Optional. |
resourceName | Specifies the name of the resource to match. Optional. |
The following invocation lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following invocation lists the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
Online command that grants an entitlement to a principal.
Grants an existing entitlement in a specified application stripe to the principal with the specified class and name.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal to which the entitlement is granted. |
permSetName | Specifies the name of the entitlement granted. |
The following invocation grants the entitlement myEntitlement in the stripe myApplication to the application role myPrincipalName:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that revokes an entitlement from a principal.
Revokes an entitlement from the specified principal in a specified application stripe, deleting the grant that links the principal to the entitlement.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal from which the entitlement is revoked. |
permSetName | Specifies the name of the entitlement revoked. |
The following invocation revokes the entitlement myEntitlement in the stripe myApplication from the application role myPrincipalName:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that lists entitlements granted in a specified application stripe.
If a principal name and a principal class are specified, it lists the entitlements granted to the matching principal; otherwise, it lists all the entitlements.
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from which entitlements are listed. |
principalName | Specifies the name of the principal to match. Optional. |
principalClass | Specifies the class of the principal to match. Optional. |
Use the WLST commands listed in Table 4-5 to manage Oracle Access Management Access Manager (Access Manager) related components, such as authorization providers, identity asserters, and SSO providers; to display metrics and the deployment topology; and to manage Access Manager server and agent configuration and logger settings.
Table 4-5 WLST Access Manager Commands
Use this command... | To... | Use with WLST... |
---|---|---|
| | Create a user identity store registration. | Online, Offline |
| | Edit a user identity store registration. | Online, Offline |
| | Delete a user identity store registration. | Online, Offline |
| | Display a user identity store registration. | Online, Offline |
| | Create an entry for an Access Manager Server configuration. | Online, Offline |
| | Edit the entry for an Access Manager Server configuration. | Online, Offline |
| | Delete the named Access Manager Server configuration. | Online, Offline |
| | Display Access Manager Server configuration details. | Online, Offline |
| | Configure the Access Manager login page user preferences. | |
| | Configure the SSO server request cache type. | Online |
| | Display the SSO server request cache type entry. | Online, Offline |
| | Edit OSSO Agent configuration details. | Online, Offline |
| | Delete the named OSSO Agent configuration. | Online, Offline |
| | Display OSSO Agent configuration details. | Online, Offline |
| | Edit 10g WebGate Agent registration details. | Online, Offline |
| | Delete the named 10g WebGate Agent configuration. | Online, Offline |
| | Display WebGate Agent configuration details. | Online, Offline |
| | Export Access Manager policy data from a test (source) system to an intermediate Access Manager file. | Online |
| | Import Access Manager policy data from the Access Manager file specified. | Online |
| | Import Access Manager policy changes from the Access Manager file specified. | Online |
| | Migrate partners from the source Access Manager Server to the specified target Access Manager Server. | Online |
| | Export the Access Manager partners from the source to the intermediate Access Manager file specified. | Online |
| | Import the Access Manager partners from the intermediate Access Manager file specified. | Online |
| | List the details of deployed Access Manager Servers. | Online, Offline |
| | Configure the Access Manager-Oracle Adaptive Access Manager basic integration. | Online |
| | Register Identity Federation as a Delegated Authentication Protocol (DAP) Partner. | Online, Offline |
| | Register Identity Federation in IDP mode. | |
| | Register any third party as a Trusted Authentication Protocol (TAP) Partner. | Online |
| | Disable the Coexist Mode. | Online |
| | Enable Coexist Mode for the Access Manager agent (enabling the Access Manager 11g server to own the ObSSOCookie set by the 10g WebGate). | Online |
| | Disable Coexist Mode for the Access Manager agent (the Access Manager 11g server no longer owns the ObSSOCookie set by the 10g WebGate). | Online |
| | Edit GITO configuration parameters. | Online |
| | Edit an 11g WebGate registration. | Online, Offline |
| | Remove an 11g WebGate Agent registration. | Online, Offline |
| | Display an 11g WebGate Agent registration. | Online, Offline |
| | Display metrics of Access Manager Servers. | Online, Offline |
| | Update the Oracle Identity Manager configuration when integrated with Access Manager. | Online |
| | Create an Agent registration specific to Oracle Identity Manager when integrated with Access Manager. | Online |
| | Update OSSO Proxy response cookie settings. | Online |
| | Delete OSSO Proxy response cookie settings. | Online |
| | Configure an identity store and external user store. | Online |
| | Configure an identity store and external user store using values defined in a file. | Online |
| | Migrate artifacts based on the specified artifact file. | Online |
| | Display the simple mode global passphrase in plain text from the system configuration. | Online |
| | Export selected Access Manager Partners to the intermediate Access Manager file specified. | Online |
| | Migrate policies, authentication stores, and user stores from OSSO, OAM10g, OpenSSO, or AM 7.1 to OAM11g. | Online |
| | Invoke the preSchemeUpgrade operation. | Online |
| | Invoke the postSchemeUpgrade operation. | Online |
| | When set to true, make the Access Manager Server redirect only to the URLs specified in the WhiteListURL list. | Online |
| | Add, update, or remove whitelist URL entries in the configuration file. | Online |
| | Enable Multi Data Centre Mode. | Online |
| | Disable Multi Data Centre Mode. | Online |
| | Set the Multi Data Centre Cluster name. | Online |
| | Set the Multi Data Centre logout URLs. | Online |
| | Add a partner for Multi Data Centre. | Online |
| | Remove a partner from Multi Data Centre. | Online |
Creates an identity store registration in the Access Manager system configuration.
Creates an entry in the system configuration for a new user identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.
createUserIdentityStore(name="<Name>", principal="<Principal>", credential="<Credential>", type="<Type>", userAttr="<userAttr>", ldapProvider="<ldapProvider>", userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>", isPrimary="<isPrimary>", isSystem="<isSystem>", userIDProvider="<userIDProvider>", roleSecAdmin="<roleSecAdmin>", roleSysMonitor="<roleSysMonitor>", roleAppAdmin="<roleAppAdmin>", roleSysManager="<roleSysManager>", roleSecAdminGroups="<roleSecAdminGroups>", roleSecAdminUsers="<roleSecAdminUsers>", groupSearchBase="<groupSearchBase>", supplementaryReturnAttributes="<supplementaryReturnAttributes>", domainHome="<domainHome>")
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the unique name of the LDAP identity store being created. Use only upper and lower case alpha characters and numbers. |
principal
|
Mandatory. Specifies the Principal Administrator of the LDAP identity store being created. For example, cn=Admin. |
credential
|
Mandatory. Specifies the password of the Principal for the LDAP identity store being created. |
type
|
Mandatory. Specifies the type of the LDAP identity store being created. For this command, the value would be LDAP. |
userAttr
|
Mandatory. Specifies the user attributes of the LDAP identity store being created. |
ldapProvider
|
Mandatory. Specifies the LDAP provider type of the identity store being created. The value might be ODSEE, AD, OID, OVD, SJS, OUD, and the like. This value is defined when a new user identity store is created using the Access Manager Administration Console and corresponds with Store Type in the user identity store. |
userSearchBase
|
Mandatory. Specifies the node under which user data is stored in the LDAP identity store being created. For example, |
groupSearchBase
|
Mandatory. Specifies the node under which group data is stored in the LDAP identity store being created. For example, |
ldapUrl
|
Mandatory. Specifies the URL of the server host (including port number) of the LDAP identity store being created. For example, |
isPrimary
|
Optional. Specifies whether the LDAP identity store being created is the primary identity store. Takes true or false as a value. |
isSystem
|
Optional. Specifies whether the LDAP identity store being created is the system store. Takes true or false as a value. |
userIDProvider
|
Optional. Specifies the underlying infrastructure with which to connect to the identity store. Only supported type is OracleUserRoleAPI. |
roleSecAdminGroups
|
Optional. Specifies one or more comma-delimited groups with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdminUsers
|
Optional. Specifies one or more comma-delimited users with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdmin
|
Optional. Specifies the Security Administrator of the LDAP identity store being created. |
roleSysMonitor
|
Optional. Specifies the System Monitor of the LDAP identity store being created. |
roleAppAdmin
|
Optional. Specifies the Application Administrator of the LDAP identity store being created. |
roleSysManager
|
Optional. Specifies the System Manager of the LDAP identity store being created. |
supplementaryReturnAttributes
|
Specifies a comma-delimited list of attributes that need to be retrieved as part of the User object. For example: ORCL_USR_ENC_FIRST_NAME,ORCL_USR_ENC_LAST_NAME,USR_USRNAME,ORCL_USR_CTY_CODE,ORCL_USR_LANG_CODE_S,ORCL_USR_JROLE_ID_S,ORCL_USR_IND_ID,ORCL_USR_COMP_REL_ID,ORCL_USR_ASCII_IND,ORCL_ORA_UCM_VER,ORCL_ORA_UCM_SRVC |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. |
The following example registers a new Oracle Internet Directory user identity store definition for use with Access Manager. The values the reference defines (type LDAP, ldapProvider OID, the true/false flags and userIDProvider OracleUserRoleAPI) are shown; the remaining values are placeholders for your deployment.
createUserIdentityStore(name="OIDStore1", principal="cn=Admin", credential="<credential>", type="LDAP", userAttr="<userAttr>", ldapProvider="OID", userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>", isPrimary="true", isSystem="false", userIDProvider="OracleUserRoleAPI", roleSecAdmin="<roleSecAdmin>", roleSysMonitor="<roleSysMonitor>", roleAppAdmin="<roleAppAdmin>", roleSysManager="<roleSysManager>", roleSecAdminGroups="<roleSecAdminGroups>", roleSecAdminUsers="<roleSecAdminUsers>", groupSearchBase="<groupSearchBase>", supplementaryReturnAttributes="<supplementaryReturnAttributes>", domainHome="<domainHome>")
Online and offline command that modifies an already defined identity store registration for Access Manager.
Changes one or more attributes of the user identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.
editUserIdentityStore(name="<Name>", [ principal="<Principal>", credential="<Credential>", type="<Type>", userAttr="<userAttr>", ldapProvider="<ldapProvider>", roleSecAdmin="<roleSecAdmin>", roleSysMonitor="<roleSysMonitor>", roleSysManager="<roleSysManager>", roleAppAdmin="<roleAppAdmin>", roleSecAdminGroups="<roleSecAdminGroups>", roleSecAdminUsers="<roleSecAdminUsers>", userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>", isPrimary="<isPrimary>", isSystem="<isSystem>", userIDProvider="<userIDProvider>", groupSearchBase="<groupSearchBase>", domainHome="<domainHome>", userFilterObjectClasses="<userFilterObjectClasses>", groupFilterObjectClasses="<groupFilterObjectClasses>", referralPolicy="<referralPolicy>", searchTimeLimit="<searchTimeLimit>", minConnections="<minConnections>", maxConnections="<maxConnections>", connectionWaitTimeout="<connectionWaitTimeout>", connectionRetryCount="<connectionRetryCount>", groupNameAttr="<groupNameAttr>", groupCacheEnabled="<groupCacheEnabled>", groupCacheSize="<groupCacheSize>", groupCacheTTL="<groupCacheTTL>", supplementaryReturnAttributes="<supplementaryReturnAttributes>" ])
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the unique name of the LDAP identity store being modified. Use only upper and lower case alpha characters and numbers. |
principal
|
Specifies the Principal Administrator of the LDAP identity store being modified. For example, |
credential
|
Specifies the encrypted Password of the Principal Administrator for the LDAP identity store being modified. |
type
|
Specifies the type of the base identity store being modified. For this command, the value would be LDAP. |
userAttr
|
Mandatory. Specifies the user attributes of the LDAP identity store being modified. |
ldapProvider
|
Mandatory. Specifies the LDAP provider type of the identity store being modified. The value might be ODSEE, AD, OID, OVD, SJS, OUD, and the like. This value is defined when a new user identity store is created using the Access Manager Administration Console and corresponds with Store Type in the user identity store. |
roleSecAdminGroups
|
Optional. Specifies one or more comma-delimited groups with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdminUsers
|
Optional. Specifies one or more comma-delimited users with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdmin
|
Optional. Specifies the Security Administrator of the LDAP identity store being modified. |
roleSysMonitor
|
Optional. Specifies the System Monitor of the LDAP identity store being modified. |
roleAppAdmin
|
Optional. Specifies the Application Administrator of the LDAP identity store being modified. |
roleSysManager
|
Optional. Specifies the System Manager of the LDAP identity store being modified. |
userSearchBase
|
Mandatory. Specifies the node under which user data is stored in the LDAP identity store being modified. For example, |
groupSearchBase
|
Mandatory. Specifies the node under which group data is stored in the LDAP identity store being modified. For example, |
ldapUrl
|
Mandatory. Specifies the URL of the server host (including port number) of the LDAP identity store being modified. For example, |
isPrimary
|
Optional. Specifies whether the LDAP identity store being modified is the primary identity store. Takes true or false as a value. |
isSystem
|
Optional. Specifies whether the LDAP identity store being modified is the system store. Takes true or false as a value. |
userIDProvider
|
Optional. Specifies the underlying infrastructure with which to connect to the identity store. Only supported type is OracleUserRoleAPI. |
supplementaryReturnAttributes
|
Specifies a comma-delimited list of attributes that need to be retrieved as part of the User object. For example: ORCL_USR_ENC_FIRST_NAME,ORCL_USR_ENC_LAST_NAME,USR_USRNAME,ORCL_USR_CTY_CODE,ORCL_USR_LANG_CODE_S,ORCL_USR_JROLE_ID_S,ORCL_USR_IND_ID,ORCL_USR_COMP_REL_ID,ORCL_USR_ASCII_IND,ORCL_ORA_UCM_VER,ORCL_ORA_UCM_SRVC |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
userFilterObjectClasses
|
Mandatory. Specifies a list of user filter object classes (separated by semicolon). |
groupFilterObjectClasses
|
Specifies a list of group filter object classes (separated by semicolon). |
referralPolicy
|
Specifies an LDAP referral policy (either "follow", "ignore" or "throw"). |
searchTimeLimit
|
Specifies the time limit in seconds for an LDAP Search operation. |
minConnections
|
Specifies the minimum number of connections in the connection pool. |
maxConnections
|
Specifies the maximum number of connections in the connection pool. |
connectionWaitTimeout
|
Specifies the number of seconds to wait for obtaining a connection from the pool. |
connectionRetryCount
|
Specifies the number of attempts to retry when establishing a connection to the identity store. |
groupNameAttr
|
Specifies the name of the attribute to lookup the user groups. For example, |
groupCacheEnabled
|
A boolean that specifies whether to enable the LDAP group cache. Takes true or false as a value. |
groupCacheSize
|
Specifies the number of entries in the LDAP group cache. |
groupCacheTTL
|
Specifies the total time to live for each entry in the LDAP group cache. |
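The two argument tables above carry rules that WLST only reports once the command is run: the mandatory set for createUserIdentityStore(), an alphanumeric name, type LDAP, the documented ldapProvider values, true/false flags, administrator groups or users for a store with isSystem=true, and userIDProvider limited to OracleUserRoleAPI. The following Python script is an added example for this page, not Oracle code and not a WLST command: it checks an argument dictionary against those rules for either createUserIdentityStore() or editUserIdentityStore() and renders the resulting call. The sample store (host name, search bases, group name) is constructed; the ldap(s)://host:port URL pattern and treating an undocumented ldapProvider as a problem are our assumptions, since the reference lists providers with "and the like".

```python
"""Pre-flight validation for Access Manager user identity store registrations.

Added example, not part of the Oracle reference. It encodes the argument rules
documented for createUserIdentityStore() and editUserIdentityStore() and renders
the WLST call so a registration can be reviewed before it is run inside WLST.
"""
import re

# Values the reference documents for ldapProvider ("and the like" means the
# real list may be longer; flagging other values is this script's choice).
KNOWN_LDAP_PROVIDERS = {"ODSEE", "AD", "OID", "OVD", "SJS", "OUD"}

CREATE_MANDATORY = ("name", "principal", "credential", "type", "userAttr",
                    "ldapProvider", "userSearchBase", "groupSearchBase", "ldapUrl")
NAME_PATTERN = re.compile(r"^[A-Za-z0-9]+$")                # letters and digits only
LDAP_URL_PATTERN = re.compile(r"^ldaps?://[^\s/:]+:\d{1,5}$")  # assumed host:port form


def validate_identity_store(args, mode="create"):
    """Return a list of problems found in the argument dict (empty means OK).

    mode="create" enforces the mandatory set of createUserIdentityStore();
    mode="edit" requires only name, everything else being an optional override.
    """
    problems = []
    required = CREATE_MANDATORY if mode == "create" else ("name",)
    for key in required:
        if not args.get(key):
            problems.append("missing mandatory argument: %s" % key)

    name = args.get("name", "")
    if name and not NAME_PATTERN.match(name):
        problems.append("name must contain only letters and digits: %r" % name)

    if "type" in args and args["type"] != "LDAP":
        problems.append("type must be LDAP for this command, got %r" % args["type"])

    provider = args.get("ldapProvider")
    if provider and provider not in KNOWN_LDAP_PROVIDERS:
        problems.append("ldapProvider %r is not one of the documented values %s"
                        % (provider, sorted(KNOWN_LDAP_PROVIDERS)))

    url = args.get("ldapUrl")
    if url and not LDAP_URL_PATTERN.match(url):
        problems.append("ldapUrl must be ldap(s)://host:port, got %r" % url)

    for flag in ("isPrimary", "isSystem"):
        if flag in args and args[flag] not in ("true", "false"):
            problems.append("%s must be 'true' or 'false', got %r" % (flag, args[flag]))

    # The system store is where console administrators are looked up; without
    # at least one administrator group or user nobody can administer it.
    if args.get("isSystem") == "true" and not (
            args.get("roleSecAdminGroups") or args.get("roleSecAdminUsers")):
        problems.append("isSystem=true requires roleSecAdminGroups or roleSecAdminUsers")

    if "userIDProvider" in args and args["userIDProvider"] != "OracleUserRoleAPI":
        problems.append("userIDProvider only supports OracleUserRoleAPI")

    return problems


def render_wlst_call(args, mode="create"):
    """Render the WLST invocation from the argument dict, in dict order."""
    command = "createUserIdentityStore" if mode == "create" else "editUserIdentityStore"
    parts = ['%s="%s"' % (key, value) for key, value in args.items()]
    return "%s(%s)" % (command, ", ".join(parts))


# Constructed sample registration; host name, DNs and group name are made up.
SAMPLE_OID_STORE = {
    "name": "OIDStore1",
    "principal": "cn=Admin",
    "credential": "<password-from-a-secure-source>",  # never a literal in scripts
    "type": "LDAP",
    "userAttr": "uid",
    "ldapProvider": "OID",
    "userSearchBase": "cn=Users,dc=example,dc=com",
    "groupSearchBase": "cn=Groups,dc=example,dc=com",
    "ldapUrl": "ldaps://oid.example.com:3131",
    "isPrimary": "true",
    "isSystem": "true",
    "userIDProvider": "OracleUserRoleAPI",
    "roleSecAdminGroups": "OAMAdministrators",
}

if __name__ == "__main__":
    for problem in validate_identity_store(SAMPLE_OID_STORE):
        print("PROBLEM:", problem)
    print(render_wlst_call(SAMPLE_OID_STORE))
```

Run the script against the dictionary you intend to pass to WLST; only when it reports no problems paste the rendered call into the WLST session. Keep the credential out of the script and out of shell history: it is a directory administrator password, and the rendered call contains it in clear text.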
Online and offline command that removes an already defined identity store registration for Access Manager.
Deletes the identity store registration. The scope of this command is an instance only; the scope is not an argument.
deleteUserIdentityStore(name="<name>", domainHome="<domainHome>")
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the name of the LDAP identity store registration to be removed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that displays user identity store registration information.
Displays the information regarding the identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.
displayUserIdentityStore(name="<name>", domainHome="<domainHome>")
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the name of the LDAP identity store registration to be displayed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that creates an Access Manager Server entry in the system configuration.
Creates an Access Manager Server registration. Details include the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the OAM Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.
createOAMServer(configurationProfile="<configurationProfile>", host="<host>", port="<port>", oamProxyPort="<oamProxyPort>", oamProxyServerID="<oamProxyServerID>", siteName="<siteName>", domainHome="<domainHome>")
Argument | Definition |
---|---|
configurationProfile
|
Mandatory. Specifies the Configuration Profile of the OAM Server. The profile appears under Server Instances on the System Configuration tab in the Access Manager Administration Console. |
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
oamProxyPort
|
Mandatory. Specifies the proxy port of the Access Manager Server host. |
oamProxyServerID
|
Mandatory. Specifies the proxy server ID of the Access Manager Server host. The Access Manager Proxy name appears under the Access Manager Proxy sub tab of the server instance in the Access Manager Administration Console. |
siteName
|
Mandatory. Specifies the siteName/serverName for the instance. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
The following example creates a configuration for my_host with listening port 15000. The configuration entry in the Access Manager Administration Console will be oam_server1. The Access Manager Proxy port is 3004 and the Access Manager Proxy Server ID is oamProxyServerID1.
createOAMServer(configurationProfile="oam_server1", host="my_host", port="15000", oamProxyPort="3004", oamProxyServerID="oamProxyServerID1", siteName="siteName1", domainHome="domainHome1")
Online and offline command that enables you to modify the details of an Access Manager Server registration.
Modifies the specified parameter values of the registration for an Access Manager Server. Details may include the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the Access Manager Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.
editOAMServer(configurationProfile="<configurationProfile>", host="<host>", port="<port>", oamProxyPort="<oamProxyPort>", oamProxyServerID="<oamProxyServerID>", siteName="<siteName>", domainHome="<domainHome>")
Argument | Definition |
---|---|
configurationProfile
|
Mandatory. Specifies the Configuration Profile of the Access Manager Server. The profile appears under Server Instances on the System Configuration tab in the Access Manager Administration Console. |
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
oamProxyPort
|
Mandatory. Specifies the proxy port of the Access Manager Server host. |
oamProxyServerID
|
Mandatory. Specifies the proxy server ID of the Access Manager Server host. The Access Manager Proxy name appears under the Access Manager Proxy sub tab of the server instance in the Access Manager Administration Console. |
siteName
|
Mandatory. Specifies the siteName/serverName for the instance. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
You can use any of the optional attributes to change current settings. The following invocation sets the Access Manager Proxy Server ID in the configuration entry oam_server1.
editOAMServer(configurationProfile="oam_server1", host="my_host", port="15000", oamProxyPort="3004", oamProxyServerID="oamProxyServerID1", siteName="siteName1", domainHome="domainHome1")
Online and offline command that enables you to delete the specified Access Manager Server registration.
Deletes the specified Access Manager Server configuration. The scope of this command is an instance only; the scope is not an argument.
deleteOAMServer(host="<host>", port="<port>", domainHome="<domainHome>")
Argument | Definition |
---|---|
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that displays registration details for the specified Access Manager Server.
Displays the registration details of the specified Access Manager Server, including the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the Access Manager Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.
displayOAMServer(host="<host>", port="<port>", domainHome="<domainHome>")
Argument | Definition |
---|---|
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Configures the Access Manager login page user preferences.
configOAMLoginPagePref(persistentCookie="true", persistentCookieLifetime=14, langPrefCookieDomain="oracle.com", langPrefOrder="serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage, defaultLanguage", serverOverrideLanguage="en", defaultLanguage="en", applicationSupportedLocales="en,fr")
Argument | Definition |
---|---|
persistentCookie
|
Mandatory. Boolean that defines whether the OAM_LANG_PREF cookie is persistent or non-persistent. Set to true or false. |
persistentCookieLifetime
|
Mandatory. Lifetime of the OAM_LANG_PREF cookie if persistent. |
langPrefCookieDomain
|
Mandatory. Defines the domain of the OAM_LANG_PREF cookie. |
langPrefOrder
|
Mandatory. Decides the order of language precedence. Must be formatted as in the syntax and example. The allowed value set is (serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage, defaultLanguage). |
serverOverrideLanguage
|
The server side language of Access Manager. Must be defined in language codes and selected from OAM supported languages. Default value is en. |
defaultLanguage
|
The default language. |
applicationSupportedLocales
|
Supported languages defined in a comma-delimited list. Setting |
Table 4-6 Language Codes For Login Pages
Language Code | Language | Administrators |
---|---|---|
ar | Arabic | |
cs | Czech | |
da | Danish | |
de | German | German |
el | Greek | |
en | English | English |
es | Spanish | Spanish |
fi | Finnish | |
fr | French | French |
fr-CA | Canadian French | Canadian French |
he | Hebrew | |
hr | Croatian | |
hu | Hungarian | |
it | Italian | Italian |
ja | Japanese | Japanese |
ko | Korean | Korean |
nl | Dutch | |
no | Norwegian | |
pl | Polish | |
pt-BR | Brazilian Portuguese | Brazilian Portuguese |
pt | Portuguese | |
ro | Romanian | |
ru | Russian | |
sk | Slovak | |
sv | Swedish | |
th | Thai | |
tr | Turkish | |
zh-CN | Simplified Chinese | Simplified Chinese |
zh-TW | Traditional Chinese | Traditional Chinese |
The following example enables a persistent OAM_LANG_PREF cookie and restricts the login page language list of values to English and French.
configOAMLoginPagePref(persistentCookie="true", persistentCookieLifetime=14, langPrefCookieDomain="oracle.com", langPrefOrder="serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage, defaultLanguage", serverOverrideLanguage="en", defaultLanguage="en", applicationSupportedLocales="en,fr")
This next example allows an administrator to revert to the default behavior in which no language list of values is displayed.
configOAMLoginPagePref(persistentCookie="true", persistentCookieLifetime=14,langPrefCookieDomain="example.com", langPrefOrder="serverOverrideLangPref,oamPrefsCookie,browserAcceptLanguage, defaultLanguage",serverOverrideLanguage="", defaultLanguage="en",applicationSupportedLocales="")
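The langPrefOrder argument is easier to reason about as the lookup it describes: each source in the list is consulted in turn, and the first one that yields a language the application supports decides the login page language. The following Python script is an added example for this page, not Oracle code, and it does not claim to reproduce the server's implementation: it parses langPrefOrder against the allowed value set, checks applicationSupportedLocales against the codes in Table 4-6, parses a browser Accept-Language header by q-value, and walks the precedence order for one request. Treating an empty applicationSupportedLocales as "every login page language is acceptable", letting fr-CA satisfy an application that supports fr, and falling back to defaultLanguage when nothing matches are our assumptions. The configuration and header values are constructed.

```python
"""Login page language resolution as configured by configOAMLoginPagePref().

Added example, not Oracle code. It applies the langPrefOrder precedence to the
inputs each source stands for: serverOverrideLanguage, the OAM_LANG_PREF cookie,
the browser's Accept-Language header and defaultLanguage. A source only wins when
it yields a language in applicationSupportedLocales (our reading of that setting).
"""

ALLOWED_SOURCES = ("serverOverrideLangPref", "oamPrefsCookie",
                   "browserAcceptLanguage", "defaultLanguage")

# Language codes from Table 4-6.
LOGIN_PAGE_LANGUAGES = {
    "ar", "cs", "da", "de", "el", "en", "es", "fi", "fr", "fr-CA", "he", "hr",
    "hu", "it", "ja", "ko", "nl", "no", "pl", "pt-BR", "pt", "ro", "ru", "sk",
    "sv", "th", "tr", "zh-CN", "zh-TW",
}


def parse_pref_order(lang_pref_order):
    """Split the comma-delimited langPrefOrder value and reject unknown sources."""
    order = [s.strip() for s in lang_pref_order.split(",") if s.strip()]
    unknown = [s for s in order if s not in ALLOWED_SOURCES]
    if unknown:
        raise ValueError("langPrefOrder contains unsupported sources: %s" % unknown)
    return order


def parse_supported_locales(application_supported_locales):
    """Comma-delimited list of Table 4-6 codes. An empty string (the default,
    no list of values displayed) is taken to mean every login page language."""
    codes = [c.strip() for c in application_supported_locales.split(",") if c.strip()]
    bad = [c for c in codes if c not in LOGIN_PAGE_LANGUAGES]
    if bad:
        raise ValueError("unsupported login page language codes: %s" % bad)
    return codes or sorted(LOGIN_PAGE_LANGUAGES)


def parse_accept_language(header):
    """Return the language tags of an Accept-Language header, best q-value first.
    Tags with q=0 are excluded; ties keep header order (sort is stable)."""
    tagged = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, value = param.strip().partition("=")
            if key == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        if q > 0:
            tagged.append((q, tag.strip()))
    tagged.sort(key=lambda item: -item[0])
    return [tag for _, tag in tagged]


def _pick(candidates, supported):
    """First candidate the application supports; a regional tag such as fr-CA
    also satisfies an application that supports fr (our assumption)."""
    for tag in candidates:
        if tag in supported:
            return tag
        base = tag.split("-")[0]
        if base in supported:
            return base
    return None


def resolve_language(config, oam_lang_pref_cookie=None, accept_language=""):
    """Resolve the login page language for one request from the string-valued
    configOAMLoginPagePref arguments in config, the OAM_LANG_PREF cookie value
    (None when absent) and the raw Accept-Language header."""
    order = parse_pref_order(config["langPrefOrder"])
    supported = parse_supported_locales(config.get("applicationSupportedLocales", ""))
    default = config.get("defaultLanguage", "en")

    for source in order:
        if source == "serverOverrideLangPref":
            chosen = _pick([config.get("serverOverrideLanguage", "")], supported)
        elif source == "oamPrefsCookie":
            chosen = _pick([oam_lang_pref_cookie] if oam_lang_pref_cookie else [], supported)
        elif source == "browserAcceptLanguage":
            chosen = _pick(parse_accept_language(accept_language), supported)
        else:  # defaultLanguage
            chosen = _pick([default], supported)
        if chosen:
            return chosen
    return default  # assumed fallback when no source yields a supported language


# Constructed configuration, the first example above with the server override
# cleared so that the cookie and browser preferences can take effect.
SAMPLE_CONFIG = {
    "persistentCookie": "true",
    "persistentCookieLifetime": "14",
    "langPrefCookieDomain": "example.com",
    "langPrefOrder": "serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage, defaultLanguage",
    "serverOverrideLanguage": "",
    "defaultLanguage": "en",
    "applicationSupportedLocales": "en,fr",
}

if __name__ == "__main__":
    # Browser prefers German, then Canadian French; the application offers en and fr.
    print(resolve_language(SAMPLE_CONFIG, accept_language="de, fr-CA;q=0.8, en;q=0.5"))
```

Note how a non-empty serverOverrideLanguage, when it heads langPrefOrder, silently wins over every user preference, which is why the second example above clears it when reverting to the default behaviour.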
Online and offline command that defines the SSO server request cache type in the system configuration.
Defines the SSO server request cache type in the system configuration. The scope of this command is an instance only; the scope is not an argument.
configRequestCacheType(type="<requestCacheType>", domainHome="<domainHome>")
Argument | Definition |
---|---|
type
|
Mandatory. Specifies the request cache type. Takes a value of BASIC or COOKIE. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that displays the SSO server request cache type defined for the specified domain. The request cache type may be BASIC or COOKIE.
Displays the SSO server request cache type entry defined for the specified domain. The scope of this command is an instance only; the scope is not an argument.
displayRequestCacheType(domainHome="<domainHome>")
Argument | Definition |
---|---|
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that enables you to modify the details of an OpenSSO (OSSO) Agent registration in the system configuration.
Modifies OSSO Agent registration details including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info. The scope of this command is an instance only; the scope is not an argument.
editOssoAgent(agentName="AgentName", partnerId = "<partnerId>", siteToken = "<siteToken>", siteName = "<siteName>", successUrl ="<successUrl>", failureUrl = "<failureUrl>", homeUrl="<homeUrl>", logoutUrl="<logoutUrl>", startDate = "<startDate>", endDate = "<endDate>", adminId = "<adminId>", adminInfo = "<AdminInfo>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent entry to be modified. |
partnerId
|
Optional. Specifies the Agent Name of the OSSO agent instance. |
siteToken
|
Optional. Specifies the Application Token used by the partner when requesting authentication. |
siteName
|
Optional. Specifies the SiteName/ServerName for the OSSO agent instance. |
successUrl
|
Optional. Specifies the redirect URL to be used by the OSSO Agent if authentication is successful. |
failureUrl
|
Optional. Specifies the redirect URL to be used by the OSSO Agent if authentication fails. |
homeUrl
|
Optional. Specifies the redirect URL to be used for the Home page after authentication. |
logoutUrl
|
Optional. Specifies the redirect URL to be used when a user is logging out. |
startDate
|
Optional. Specifies the first month, day, and year for which login to the application is allowed by the server. |
endDate
|
Optional. Specifies the final month, day, and year for which login to the application is allowed by the server. |
adminId
|
Optional. Specifies the administrator login ID for the OSSO Agent. |
adminInfo
|
Optional. Specifies an administrator identifier for the OSSO Agent for tracking purpose. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
The following example changes the Administrator ID and information in the registration entry for OSSOAgent1.
editOssoAgent(agentName = "OSSOAgent1", partnerId = "partnerId", siteToken = "siteToken", siteName = "siteName", successUrl="successUrl", failureUrl = "failureUrl", homeUrl="homeUrl", logoutUrl="logoutUrl", startDate = "2009-12-10", endDate = "2012-12-30", adminId = "345", adminInfo = "Agent11", domainHome="domainHome1")
Online and offline command that enables you to remove the specified OSSO Agent registration in the system configuration.
Removes the specified OSSO Agent registration in the system configuration. The scope of this command is an instance only; the scope is not an argument.
deleteOssoAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent entry to be removed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that displays the details of the specified OSSO Agent entry in the system configuration.
Displays the details of the specified OSSO Agent entry in the Access Manager Administration Console. The scope of this command is an instance only; the scope is not an argument.
displayOssoAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent entry to be displayed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that enables you to modify a Webgate 10g registration entry in the system configuration.
Enables you to modify a Webgate 10g registration entry in the system configuration. The scope of this command is an instance only; the scope is not an argument.
editWebgateAgent(agentName="<AgentName>", accessClientPasswd="<accessClientPassword>", state="<state>", preferredHost="<host>", aaaTimeOutThreshold="<aaaTimeoutThreshold>", security="<security>", primaryCookieDomain="<primaryCookieDomain>", maxConnections="<maxConnections>", maxCacheElems="<maxCacheElements>", cacheTimeout="<cacheTimeOut>", cookieSessionTime="<cookieSessionTime>", maxSessionTime="<maxSessionTime>", idleSessionTimeout="<idleSessionTimeout>", failoverThreshold="<failoverThreshold>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent to be modified. |
accessClientPasswd
|
Optional. Specifies the access client password of WebGate Agent. |
state
|
Optional. Specifies whether the WebGate Agent is enabled or disabled with a value of either Enabled or Disabled, respectively. |
preferredHost
|
Optional. Specifies the preferred host of the WebGate Agent. This prevents security holes that can be created if a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature. |
aaaTimeOutThreshold
|
Optional. Specifies the number (in seconds) to wait for a response from the Access Manager run-time server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (default network TCP/IP timeout is used) |
security
|
Optional. Specifies the level of transport security to and from the Access Manager run-time server. Takes as a value either open, simple, or cert. |
primaryCookieDomain
|
Optional. Specifies the Web server domain on which the Access Manager Agent is deployed. For example, .acompany.com |
maxConnections
|
Optional. Specifies the maximum number of connections that this Access Manager Agent can establish with the Access Manager Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent. Default = 1 |
maxCacheElems
|
Optional. Specifies the maximum number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes. The value of this setting refers to the maximum consolidated count for elements in both of these caches. Default = 10000 |
cacheTimeout
|
Optional. Specifies the amount of time cached information remains in the Access Manager Agent cache when the information is neither used nor referenced. Default = 1800 (seconds) |
cookieSessionTime
|
Optional. Specifies the amount of time that the ObSSOCookie persists. Default = 3600 (seconds) |
maxSessionTime
|
Optional. Specifies the maximum amount of time in seconds that a user's authentication session is valid regardless of their activity. At the expiration of this time, the user is re-challenged for authentication. This is a forced logout. A value of 0 disables this timeout setting. Default = 3600 (seconds) |
idleSessionTimeout
|
Optional. Specifies the amount of time in seconds that a user's authentication session remains valid without the user accessing any protected resource. When this period of inactivity elapses, the user is re-challenged for authentication. Default = 3600 (seconds) |
failoverThreshold
|
Optional. Specifies a number representing the point when this Access Manager Agent opens connections to a Secondary Access Manager Server. Default = 1 |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
You can alter any or all of the settings. Use the following example to change the access client password, state, preferred host, Access Manager Server timeout, transport security, primary cookie domain, maximum connections, cache size, cache timeout, cookie session time, maximum session time, idle session timeout, and failover threshold.
editWebgateAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1", state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeOutThreshold = "10", security="open", primaryCookieDomain="primaryCookieDomain", maxConnections="16", maxCacheElems="10000", cacheTimeout="1800", cookieSessionTime="3600", maxSessionTime="24", idleSessionTimeout="3600", failoverThreshold="1", domainHome="domainHome1")
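Several of the arguments above have a security consequence that the command itself does not comment on: security=open leaves the WebGate-to-server transport unprotected, an empty preferredHost is the case the reference warns creates security holes, maxSessionTime=0 disables forced re-authentication, and an idle timeout longer than the maximum session time can never trigger. The following Python script is an added example for this page, not Oracle code or a WLST command: it checks an editWebgateAgent() argument dictionary against the documented value sets and reports such weak settings as warnings before the call is made in WLST. The leading-dot cookie domain check follows the reference's own example form (.acompany.com), the short list of weak passwords is ours, and both profiles below are constructed, the first from the example above.

```python
"""Consistency and hardening review of editWebgateAgent() arguments.

Added example, not Oracle code. errors are values the reference documents as
invalid; warnings are valid but weak settings worth a second look. The checks and
severities are this script's own, derived from the argument table above.
"""

TRANSPORT_LEVELS = ("open", "simple", "cert")
STATES = ("Enabled", "Disabled")
NUMERIC = ("aaaTimeOutThreshold", "maxConnections", "maxCacheElems", "cacheTimeout",
           "cookieSessionTime", "maxSessionTime", "idleSessionTimeout", "failoverThreshold")
WEAK_PASSWORDS = {"welcome1", "password", "changeme"}  # our own short list


def _int_or_none(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def review_webgate_agent(args):
    """Return (errors, warnings) for an editWebgateAgent() argument dict."""
    errors, warnings = [], []

    if not args.get("agentName"):
        errors.append("agentName is mandatory")

    state = args.get("state")
    if state is not None and state not in STATES:
        errors.append("state must be Enabled or Disabled, got %r" % state)

    security = args.get("security")
    if security is not None and security not in TRANSPORT_LEVELS:
        errors.append("security must be open, simple or cert, got %r" % security)
    elif security == "open":
        warnings.append("security=open: no transport protection between WebGate and "
                        "the Access Manager Server; prefer simple or cert")

    for key in NUMERIC:
        if key in args and _int_or_none(args[key]) is None:
            errors.append("%s must be an integer, got %r" % (key, args[key]))

    if "preferredHost" in args and not args["preferredHost"]:
        warnings.append("preferredHost is empty: requests for host identifiers missing "
                        "from the Host Identifiers list may escape the intended policy")

    domain = args.get("primaryCookieDomain")
    if domain and not domain.startswith("."):
        warnings.append("primaryCookieDomain %r does not start with '.'; the reference's "
                        "example form is .acompany.com" % domain)

    max_session = _int_or_none(args.get("maxSessionTime"))
    if max_session == 0:
        warnings.append("maxSessionTime=0 disables forced re-authentication")

    idle = _int_or_none(args.get("idleSessionTimeout"))
    if max_session and idle and idle > max_session:
        warnings.append("idleSessionTimeout (%d) exceeds maxSessionTime (%d) in seconds; "
                        "the idle limit can never trigger" % (idle, max_session))

    password = args.get("accessClientPasswd")
    if password is not None and password.lower() in WEAK_PASSWORDS:
        warnings.append("accessClientPasswd is a well-known default value")

    return errors, warnings


# Argument values of the editWebgateAgent() example in the reference.
PAGE_EXAMPLE = {
    "agentName": "WebgateAgent1", "accessClientPasswd": "welcome1", "state": "Enabled",
    "preferredHost": "141.144.168.148:2001", "aaaTimeOutThreshold": "10", "security": "open",
    "primaryCookieDomain": "primaryCookieDomain", "maxConnections": "16",
    "maxCacheElems": "10000", "cacheTimeout": "1800", "cookieSessionTime": "3600",
    "maxSessionTime": "24", "idleSessionTimeout": "3600", "failoverThreshold": "1",
}

# Constructed hardened variant: cert transport, real cookie domain, an eight-hour
# maximum session and a password that is not a well-known default.
HARDENED_EXAMPLE = dict(PAGE_EXAMPLE, security="cert", primaryCookieDomain=".example.com",
                        maxSessionTime="28800",
                        accessClientPasswd="<password-from-a-secure-source>")

if __name__ == "__main__":
    for label, profile in (("as documented", PAGE_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        errors, warnings = review_webgate_agent(profile)
        print(label, "| errors:", errors, "| warnings:", warnings)
```

Whatever the review says, the password still travels to WLST as a command-line literal; keep the script that builds the call out of shared history and version control.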
Online and offline command that enables you to delete a Webgate_agent registration entry in the system configuration.
Removes the specified Webgate_agent registration entry from the system configuration. The scope of this command is an instance only; the scope is not an argument.
deleteWebgateAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent being deleted. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that displays a Webgate_agent registration entry.
Displays all details of the specified Webgate_agent registration entry in the Access Manager Administration Console. The scope of this command is an instance only; the scope is not an argument.
displayWebgateAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent being displayed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online only command that exports Access Manager policy data from a test (source) environment to the intermediate Access Manager file specified.
Exports Access Manager policy data from a test (source) environment to the intermediate Access Manager file. The scope of this command is an instance only; the scope is not an argument.
exportPolicy(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPolicyFile
|
Mandatory. Specifies the absolute path to the temporary Access Manager file. |
Online only command that imports the Access Manager policy data from the specified Access Manager file.
Imports the Access Manager policy data from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.
importPolicy(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPolicyFile
|
Mandatory. Specifies the absolute path to the temporary Access Manager file. |
Online only command that imports the Access Manager policy changes from the specified Access Manager file.
Imports the Access Manager policy changes from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.
importPolicyDelta(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPolicyFile | Mandatory. Specifies the absolute path to the temporary Access Manager policy file. |
Online only command that migrates partners from the current (source) Access Manager Server to the specified (target) Access Manager Server.
Migrates partners from the current (source) Access Manager Server to the specified (target) Access Manager Server. The scope of this command is an instance only; the scope is not an argument.
migratePartnersToProd(prodServerHost="<host>", prodServerPort="<port>", prodServerAdminUser="<user>", prodServerAdminPwd="<passwd>")
Argument | Definition |
---|---|
prodServerHost | Host name of the target Access Manager Server to which partners are to be migrated. |
prodServerPort | Port of the target Access Manager Server to which partners are to be migrated. |
prodServerAdminUser | Administrator of the target Access Manager Server to which partners are to be migrated. |
prodServerAdminPwd | Target Access Manager Server administrator's password. |
The administrator password is supplied in clear text as a command argument, so do not leave it in script files or session logs after the migration.
Online only command that exports Access Manager partners from the source to the Access Manager file specified.
Exports the Access Manager partners from the source to the Access Manager file specified. The scope of this command is an instance only; the scope is not an argument.
exportPartners(pathTempOAMPartnerFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPartnerFile | Mandatory. Specifies the absolute path to the temporary Access Manager partner file. |
Online only command that imports Access Manager partners from the specified Access Manager file.
Imports the Access Manager partners from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.
importPartners(pathTempOAMPartnerFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPartnerFile | Mandatory. Specifies the absolute path to the temporary Access Manager partner file. |
Online and offline command that displays information about all Access Manager Servers in a deployment.
displayTopology(domainHome="<domainHomeName>")
Argument | Definition |
---|---|
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
Online only command that configures the basic integration of Access Manager and Oracle Adaptive Access Manager (OAAM).
Configures the basic integration of Access Manager and OAAM. The scope of this command is an instance only; the scope is not an argument.
configureOAAMPartner(dataSourceName="<dataSourceName>", hostName="<hostName>", port="<port>", serviceName="<serviceName>", userName="<userName>", passWord="<passWord>", maxConnectionSize="<maxConnectionSize>", maxPoolSize="<maxPoolSize>", serverName="<serverName>")
Argument | Definition |
---|---|
dataSourceName | Mandatory. Specifies the name of the data source to be created. |
hostName | Mandatory. Specifies the name of the database host. |
port | Mandatory. Specifies the database port number. |
serviceName | Mandatory. Specifies the database service name. |
userName | Mandatory. Specifies the OAAM schema name. |
passWord | Mandatory. Specifies the OAAM schema password. |
maxConnectionSize | Optional. Specifies the maximum connection reserve timeout size. |
maxPoolSize | Optional. Specifies the maximum size for the connection pool. |
serverName | Optional. Specifies the target server for the data source. |
The following example configures a basic integration for Access Manager and OAAM.
configureOAAMPartner(dataSourceName="MyOAAMDS", hostName="host.example.com", port="1521", serviceName="service1", userName="username", passWord="password", maxConnectionSize=None, maxPoolSize=None, serverName="oam_server1")
Online and offline command that registers Oracle Access Management Identity Federation (Identity Federation) as a Delegated Authentication Protocol (DAP) Partner.
Registers Identity Federation as Delegated Authentication Protocol (DAP) Partner. The scope of this command is an instance only; the scope is not an argument.
registerOIFDAPPartner(keystoreLocation="/scratch/keystore", logoutURL="http://<oifhost>:<oifport>/fed/user/splooam11g?doneURL=http(s)://<oamhost>:<oamport>/oam/server/pages/logout.jsp", rolloverTime="nnn")
Argument | Definition |
---|---|
keystoreLocation | Mandatory. Specifies the location of the keystore file (generated at the Identity Federation Server). |
logoutURL | Mandatory. Specifies the logout URL for the Identity Federation server. |
rolloverTime | Optional. Specifies the amount of time in seconds after which the keys used to encrypt/decrypt SASSO tokens are rolled over. |
Online and offline command that registers Identity Federation as a Delegated Authentication Protocol (DAP) Partner in IDP Mode.
Registers Identity Federation as Delegated Authentication Protocol (DAP) Partner in IDP Mode. The scope of this command is an instance only; the scope is not an argument.
registerOIFDAPPartnerIDPMode(logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp")
Argument | Definition |
---|---|
logoutURL | Mandatory. Specifies the logout URL for the Identity Federation server. |
Registers any third party as a Trusted Authentication Protocol (TAP) Partner.
registerThirdPartyTAPPartner(partnerName="ThirdPartyTAPPartner", keystoreLocation="/scratch/DAPKeyStore/mykeystore.jks", password="test", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://thirdpartyserverhost:port/loginPage.jsp")
Argument | Definition |
---|---|
partnerName | Mandatory. Specifies the name of the partner. Can be any name used to identify the third-party partner. |
keystoreLocation | Mandatory. Specifies the location of the keystore file. |
password | Mandatory. Specifies the password for the keystore file. |
tapTokenVersion | Mandatory. Specifies the version of the Trusted Authentication Protocol. |
tapScheme | Optional. Specifies the TAPScheme name used to protect the resource. Out of the box this is TAPScheme. |
tapRedirectUrl | Optional. Specifies the TAP challenge URL to which the credential collector redirects. |
The following example illustrates the use of the parameters.
registerThirdPartyTAPPartner(partnerName = "ThirdPartyTAPPartner", keystoreLocation="/scratch/DAPKeyStore/mykeystore.jks", password="test", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://thirdpartyserverhost:port/loginPage.jsp")
Online command that disables Coexist Mode.
Disables Coexist Mode. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.
Enables Coexist Mode for the Access Manager agent (allowing the Access Manager 11g server to own the ObSSOCookie set by a 10g WebGate).
Enables Coexist Mode for the Access Manager agent. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.
Disables Coexist Mode for the Access Manager agent.
Disables the Coexist Mode for the Access Manager agent. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.
Online and offline command that edits GITO configuration parameters.
Edits GITO configuration parameters. The scope of this command is an instance only; the scope is not an argument.
editGITOValues(gitoEnabled="true", gitoCookieDomain=".abc.com", gitoCookieName="ABC", gitoVersion="v1.0", gitoTimeout="20", gitoSecureCookieEnabled="false", domainHome="/abc/def/ijk")
Argument | Definition |
---|---|
gitoEnabled | Enables or disables GITO. Takes a value of true or false. |
gitoCookieDomain | Mandatory. Specifies the GITO cookie domain. |
gitoCookieName | Optional. Specifies the cookie name. |
gitoVersion | Optional. Specifies the GITO version. Takes ONLY v1.0 or v3.0. |
gitoTimeout | Optional. Specifies the GITO timeout value. |
gitoSecureCookieEnabled | Optional. Specifies whether the GITO cookie is marked Secure (sent only over SSL). Takes a value of true or false. |
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
Online and offline command that edits an 11g Webgate_entry registration in the system configuration.
Edits an 11g Webgate_entry registration in the system configuration. The scope of this command is an instance only; the scope is not an argument.
editWebgate11gAgent(agentName="<AgentName>", accessClientPasswd="<accessClientPassword >",state="<state>", preferredHost="<host>", aaaTimeoutThreshold="<aaaTimeOutThreshold>", security="<security>",logOutUrls="<logOutUrls>", maxConnections="<maxConnections>",maxCacheElems="<maxCacheElements>", cacheTimeout="<cacheTimeOut>", logoutCallbackUrl="<logoutCallbackUrl >",maxSessionTime="<maxSessionTime>", logoutRedirectUrl="<logoutRedirectUrl >",failoverThreshold="<failoverThreshold>", tokenValidityPeriod="<tokenValidityPeriod>",logoutTargetUrlParamName="<logoutTargetUrlParamName>", domainHome="<domainHome>",allowManagementOperations="<allowManagementOperations>", allowTokenScopeOperations="<allowTokenScopeOperations>", allowMasterTokenRetrieval="<allowMasterTokenRetrieval>", allowCredentialCollectorOperations="<allowCredentialCollectorOperations>")
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the 11g WebGate Agent to be modified. |
accessClientPasswd | Optional. Specifies the unique client password for this WebGate Agent. |
state | Optional. Specifies whether the WebGate Agent is enabled or disabled. Takes a value of Enabled or Disabled. |
preferredHost | Optional. Specifies the preferred host of the WebGate Agent. This closes the security hole that is opened when a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature. |
aaaTimeoutThreshold | Optional. Specifies the number of seconds to wait for a response from the Access Manager run-time server. If set, it is used as the application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (the default network TCP/IP timeout is used). |
security | Optional. Specifies the level of transport security to and from the Access Manager run-time server. Takes a value of open, simple, or cert. |
logOutUrls | List of URLs that trigger the logout handler, which removes the ObSSOCookie. |
maxConnections | Optional. Specifies the maximum number of connections that this Access Manager Agent can establish with the Access Manager Server. This number must be the same as (or greater than) the number of connections actually associated with this agent. Default = 1 |
maxCacheElems | Optional. Specifies the maximum number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes; the value is the maximum consolidated count for elements in both caches. Default = 10000 |
cacheTimeout | Optional. Specifies the amount of time (in seconds) that cached information remains in the Access Manager Agent cache when it is neither used nor referenced. Default = 1800 |
logoutCallbackUrl | The URL to oam_logout_success, which clears cookies during the callback. By default, this is based on the Agent base URL supplied during agent registration. For example: |
maxSessionTime | Optional. Specifies the maximum amount of time in seconds that a user's authentication session is valid regardless of activity. When this time expires the user is re-challenged for authentication (a forced logout). A value of 0 disables this timeout. Default = 3600 |
logoutRedirectUrl | Optional. Specifies the URL (absolute path) of the central logout page (logout.html). By default, this is based on the Access Manager Administration Console host name with a default port of 14200. |
failoverThreshold | Optional. Specifies a number representing the point at which this Access Manager Agent opens connections to a Secondary Access Manager Server. Default = 1 |
tokenValidityPeriod | Optional. Specifies the amount of time in seconds that a user's authentication session remains valid without accessing any Access Manager Agent protected resources. |
logoutTargetUrlParamName | Optional. Specifies the name of the Logout Target URL parameter invoked on logout; the parameter is configured at the OPSS level. |
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
allowManagementOperations | Optional. Sets the Allow Management Operations flag. |
allowTokenScopeOperations | Optional. Sets the Allow Token Scope Operations flag. |
idleSessionTimeout | Optional. Specifies the |
allowMasterTokenRetrieval | Sets the Allow Master Token Retrieval flag. |
allowCredentialCollectorOperations | Sets the Allow Credential Collector Operations flag. |
The following example uses all mandatory and optional parameters.
editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1", state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10", security="open", logOutUrls="http://host1.oracle.com:1234", maxConnections = "16", maxCacheElems="10000", cacheTimeout="1800", logoutCallbackUrl="http://host2.oracle.com:1234", maxSessionTime="24", logoutRedirectUrl="logoutRedirectUrl", failoverThreshold="1", tokenValidityPeriod="tokenValidityPeriod", logoutTargetUrlParamName="logoutTargetUrl", domainHome="domainHome1", allowManagementOperations="false", allowTokenScopeOperations="false", allowMasterTokenRetrieval="false", allowCredentialCollectorOperations="false")
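The example above carries settings that a reviewer would question before applying them to a production agent: security="open", logout endpoints over plain HTTP, and the four allow* flags. The following pre-flight check is an added illustration, not part of the Oracle documentation or the WLST tool; it takes the keyword arguments as a dict, flags the weak settings using severities and thresholds that are this example's own assumptions, and returns an empty list for the corrected profile. The parameter names and accepted values are those of the argument table above. It is written in Python 2/3-compatible syntax so it can also be pasted into a WLST (Jython) session ahead of the real editWebgate11gAgent call.

```python
# Added example (not Oracle's code): lint editWebgate11gAgent keyword arguments
# before applying them.  Severities and rules are this example's assumptions.

# Privileged-capability flags from the argument table; each is a "true"/"false" string.
PRIVILEGE_FLAGS = (
    "allowManagementOperations",
    "allowTokenScopeOperations",
    "allowMasterTokenRetrieval",
    "allowCredentialCollectorOperations",
)
# Parameters that carry logout endpoints (logOutUrls may be a comma-separated list).
URL_PARAMS = ("logOutUrls", "logoutCallbackUrl", "logoutRedirectUrl")
VALID_SECURITY = ("open", "simple", "cert")


def audit_webgate11g_args(args):
    """Return a list of (severity, parameter, message) tuples for a dict of
    editWebgate11gAgent keyword arguments.  An empty list means nothing to flag."""
    findings = []

    security = str(args.get("security", "")).lower()
    if security == "open":
        findings.append(("high", "security",
                         "open mode: agent/server traffic is neither encrypted nor authenticated; use cert"))
    elif security == "simple":
        findings.append(("medium", "security",
                         "simple mode relies on the shared global passphrase; prefer cert"))
    elif security and security not in VALID_SECURITY:
        findings.append(("high", "security",
                         "unknown value %r; expected open, simple or cert" % args["security"]))

    state = args.get("state")
    if state is not None and state not in ("Enabled", "Disabled"):
        findings.append(("high", "state", "must be Enabled or Disabled, got %r" % state))

    if str(args.get("maxSessionTime", "")).strip() == "0":
        findings.append(("medium", "maxSessionTime",
                         "0 disables forced re-authentication; sessions never expire on age alone"))

    for param in URL_PARAMS:
        raw = str(args.get(param, ""))
        for url in [u.strip() for u in raw.split(",") if u.strip()]:
            if url.lower().startswith("http://"):
                findings.append(("medium", param, "logout endpoint over plain HTTP: %s" % url))

    for flag in PRIVILEGE_FLAGS:
        if str(args.get(flag, "false")).lower() == "true":
            findings.append(("low", flag, "privileged agent capability enabled; confirm it is required"))

    return findings


def highest_severity(findings):
    """'high', 'medium', 'low' or None: a go/no-go signal before calling WLST."""
    present = set(f[0] for f in findings)
    for level in ("high", "medium", "low"):
        if level in present:
            return level
    return None


# The page's own example call, captured as a dict (constructed here for the demo).
PAGE_EXAMPLE = {
    "agentName": "WebgateAgent1", "accessClientPasswd": "welcome1", "state": "Enabled",
    "preferredHost": "141.144.168.148:2001", "aaaTimeoutThreshold": "10", "security": "open",
    "logOutUrls": "http://host1.oracle.com:1234", "maxConnections": "16",
    "maxCacheElems": "10000", "cacheTimeout": "1800",
    "logoutCallbackUrl": "http://host2.oracle.com:1234", "maxSessionTime": "24",
    "logoutRedirectUrl": "logoutRedirectUrl", "failoverThreshold": "1",
    "allowManagementOperations": "false", "allowTokenScopeOperations": "false",
    "allowMasterTokenRetrieval": "false", "allowCredentialCollectorOperations": "false",
}

# The same profile with the flagged settings corrected (assumed hardened values).
HARDENED_EXAMPLE = dict(PAGE_EXAMPLE, security="cert",
                        logOutUrls="https://host1.oracle.com:1234",
                        logoutCallbackUrl="https://host2.oracle.com:1234")

if __name__ == "__main__":
    for name, profile in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        print("%s -> %s" % (name, highest_severity(audit_webgate11g_args(profile))))
        for sev, param, msg in audit_webgate11g_args(profile):
            print("  [%s] %s: %s" % (sev, param, msg))
```

In a WLST session the natural use is to build the keyword dict once, run it through the check, and only call editWebgate11gAgent(**args) when highest_severity() returns None or a level the change ticket explicitly accepts.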
Online and offline command that enables you to remove an 11g Webgate_agent entry in the system configuration.
Removes an 11g Webgate_agent entry in the system configuration. The scope of this command is an instance only; the scope is not an argument.
deleteWebgate11gAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the 11g WebGate Agent to be removed. |
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
Online and offline command that enables you to display an 11g Webgate_agent registration entry.
Displays an 11g WebGate Agent registration entry. The scope of this command is an instance only; the scope is not an argument.
displayWebgate11gAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the 11g WebGate Agent to be displayed. |
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
Online and offline command that enables the display of metrics for Access Manager Servers.
Enables the display of metrics for Access Manager Servers. The scope of this command is an instance only; the scope is not an argument.
displayOAMMetrics(domainHome="<domainHomeName>")
Argument | Definition |
---|---|
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
DEPRECATED - Online only command that updates the Oracle Identity Manager configuration when integrated with Access Manager.
Updates the Identity Manager configuration in the system configuration. The scope of this command is an instance only; the scope is not an argument.
updateOIMHostPort(hostName="<host name>", port="<port number>", secureProtocol="true")
Argument | Definition |
---|---|
hostName | Name of the Identity Manager host. |
port | Port of the Identity Manager host. |
secureProtocol | Takes a value of true (communication over HTTPS) or false (communication over HTTP). |
DEPRECATED - Online only command that registers an agent profile specific to Oracle Identity Manager when integrated with Access Manager.
Creates an Agent profile specific to Oracle Identity Manager when integrated with Access Manager. The scope of this command is an instance only; the scope is not an argument.
configureOIM(oimHost="<OIM host>", oimPort="<port>", oimSecureProtocolEnabled="true | false", oimAccessGatePwd="<AccessGatePassword>", oimCookieDomain="<OIMCookieDomain>", oimWgId="<OIMWebgateID>", oimWgVersion="<OIMWebgateVersion>")
Argument | Definition |
---|---|
oimHost | Name of the Oracle Identity Manager host. In the case of EDG, the front-ending LBR host name of the OIM cluster. |
oimPort | Port of the Oracle Identity Manager Managed Server. In the case of EDG, the front-ending LBR port of the OIM Managed Server cluster. |
oimSecureProtocolEnabled | Takes a value of true (communication over HTTPS) or false (communication over HTTP). |
oimAccessGatePwd | If provided, the agent password for Open mode. |
oimCookieDomain | Domain in which the cookie is to be set. |
oimWgId | Agent registration name. |
oimWgVersion | Possible values are 10g or 11g. If not provided, the default is 10g. |
Online and offline command that updates the OSSO Proxy response cookie settings.
Updates OSSO Proxy response cookie settings. The scope of this command is an instance only; the scope is not an argument.
updateOSSOResponseCookieConfig(cookieName="<cookieName>",cookieMaxAge="<cookie age in minutes>", isSecureCookie="true | false",cookieDomain="<domain of the cookie>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
cookieName | Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated. |
cookieMaxAge | Maximum age of the cookie in minutes. A negative value sets a session cookie. |
isSecureCookie | Boolean flag that specifies whether the cookie is marked Secure (sent only over an SSL channel). |
cookieDomain | The domain of the cookie. |
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
Online and offline command that deletes the OSSO Proxy response cookie settings in the system configuration.
Deletes the OSSO Proxy response cookie settings. The scope of this command is an instance only; the scope is not an argument.
deleteOSSOResponseCookieConfig(cookieName="<cookieName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
cookieName | Mandatory. Name of the cookie for which settings are being deleted. The global cookie setting cannot be deleted. |
domainHome | Specifies the location of the WebLogic Server domain home, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, it is optional. |
Configures the identity store and external user store.
configureOIM(oimHost="<OIM host>", oimPort="<port>", oimSecureProtocolEnabled="true | false", oimAccessGatePwd="<AccessGatePassword>", oimCookieDomain="<OIMCookieDomain>", oimWgId="<OIMWebgateID>", oimWgVersion="<OIMWebgateVersion>", nameOfIdStore="<nameOfIdStore>", idStoreSecurityCredential="<idStoreSecurityCredential>", userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>", groupSearchBase="<groupSearchBase>", securityPrincipal="<securityPrincipal>", idStoreType="<idStoreType>", ldapProvider="<ldapProvider>", isPrimary="<isPrimary>", userIDProvider="<userIDProvider>", userNameAttr="<userNameAttr>")
Argument | Definition |
---|---|
oimHost | Name of the Oracle Identity Manager host. In the case of EDG, the front-ending LBR host name of the OIM cluster. |
oimPort | Port of the Oracle Identity Manager Managed Server. In the case of EDG, the front-ending LBR port of the OIM Managed Server cluster. |
oimSecureProtocolEnabled | Takes a value of true (communication over HTTPS) or false (communication over HTTP). |
oimAccessGatePwd | If provided, the agent password for Open mode. |
oimCookieDomain | Domain in which the cookie is to be set. |
oimWgId | Agent registration name. |
oimWgVersion | Possible values are 10g or 11g. If not provided, the default is 10g. |
nameOfIdStore | Mandatory. Specifies the name of the LDAP identity store to be created. |
idStoreSecurityCredential | Mandatory. Specifies the password of the principal for the LDAP identity store being created. |
userSearchBase | Mandatory. Specifies the node under which user data is stored in the LDAP identity store being created. |
ldapUrl | Mandatory. Specifies the URL (including port number) of the LDAP host for the identity store being created. |
groupSearchBase | Mandatory. Specifies the node under which group data is stored in the LDAP identity store being created. |
securityPrincipal | Mandatory. Specifies the principal (administrator) of the LDAP identity store being created. |
idStoreType | Mandatory. Specifies the type of the LDAP identity store being created. |
ldapProvider | Specifies the LDAP provider type of the store being created. |
isPrimary | Optional. Specifies whether the LDAP identity store being registered is the primary identity store. Takes true or false as a value. |
userIDProvider | Specifies the user identity provider for the store being created. |
userNameAttr | Mandatory. Specifies the user name attribute for the store. |
The following example illustrates this command.
configureOIM(oimHost="oracle.com", oimPort="7777", oimSecureProtocolEnabled="true", oimAccessGatePwd="welcome", oimCookieDomain="domain1", oimWgId="<OIM Webgate ID>", oimWgVersion="10g", nameOfIdStore="nameOfIdStore", idStoreSecurityCredential="idStoreSecurityCredential", userSearchBase="userSearchBase", ldapUrl="ldapUrl", groupSearchBase="groupSearchBase", securityPrincipal="securityPrincipal", idStoreType="idStoreType", ldapProvider="ldapProvider", isPrimary="true", userIDProvider="userIDProvider", userNameAttr="userNameAttr")
Configures the identity store and external user store using the values supplied in a properties file.
Configures the identity store and external user store using the values supplied in the specified properties file.
configAndCreateIdStoreUsingPropFile(path="<path_of_property_file>")
Argument | Definition |
---|---|
path | Path to the properties file in which the values are defined. |
DEPRECATED - Migrates artifacts.
migrateArtifacts(path="<path_to_artifacts_file>", password="<password>", type="OutOfPlace|InPlace", isIncremental="true|false")
Argument | Definition |
---|---|
path | Location of the artifacts file. |
password | Password used when the original artifacts were generated. |
type | Defines the type of migration. Takes a value of InPlace or OutOfPlace. |
isIncremental | Boolean that takes a value of true or false. If true, an incremental upgrade is done. |
Online only command that displays, in plain text, the simple mode global passphrase defined in the system configuration. There are no arguments for this command.
Because this passphrase secures every agent that communicates in simple mode, treat the output as a secret: run the command only in a trusted session and do not capture it in shared logs or scripts.
Exports selected Access Manager partners to the specified Access Manager file.
exportSelectedPartners(pathTempOAMPartnerFile="<absoluteFilePath>", partnersNameList="<comma_separated_partner_names>")
Argument | Definition |
---|---|
pathTempOAMPartnerFile | Mandatory. The absolute path of the file to which the partner information is exported. |
partnersNameList | Mandatory. Specifies a comma-separated list of the partner IDs being exported. |
Online only command that migrates policies, authentication stores, and user stores from OSSO, OAM10g, OpenSSO, or AM 7.1 to OAM11g.
oamMigrate(oamMigrateType=<migrationType>, pathMigrationPropertiesFile="<absoluteFilePath>")
Argument | Definition |
---|---|
oamMigrateType | Mandatory. Specifies the type of migration being done. Takes one of the following values: OSSO, OpenSSO, or OAM10g. NOTE: OpenSSO applies to both OpenSSO and AM 7.1. |
pathMigrationPropertiesFile | Mandatory. Specifies the path to the file from which the artifacts needed for migration are read. |
Online only command that invokes the preSchemeUpgrade operation.
preSchemeUpgrade (pathUpgradePropertiesFile="/middlewarehome/oam-upgrade.properties")
Argument | Definition |
---|---|
pathUpgradePropertiesFile | Mandatory. Specifies the path to the file from which the system properties needed for the upgrade are read. |
Invokes the postSchemeUpgrade operation.
postSchemeUpgrade (pathUpgradePropertiesFile="/middlewarehome/oam-upgrade.properties")
Argument | Definition |
---|---|
pathUpgradePropertiesFile | Mandatory. Specifies the path to the file from which the system properties needed for the upgrade are read. |
Sets the Access Manager white-list mode to true or false.
Sets the white-list mode to true or false. If true, Access Manager redirects to the last URL requested by the consuming application only if that URL is configured as a white-list URL; otherwise the redirect is not honoured. This is the control that prevents the post-authentication redirect from being used as an open redirect.
oamSetWhiteListMode(oamWhiteListMode="true|false")
Argument | Definition |
---|---|
oamWhiteListMode | Mandatory. Enables (true) or disables (false) the Access Manager white-list mode. |
Adds, updates, or removes a white-list URL entry.
oamWhiteListURLConfig(Name="xyz", Value="http://xyz.com:1234", Operation="Remove|Update")
Argument | Definition |
---|---|
Name | Mandatory. A valid string representing the name (key) for this entry. |
Value | Mandatory. A valid URL in the <protocol>://<host>:<port> format. If the port is not specified, the default HTTP or HTTPS port is assigned accordingly. |
Operation | Mandatory. Takes a value of Update or Remove. Not case sensitive. |
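To make the two white-list commands concrete, the following offline model is an added example, not Oracle's code and not a description of how Access Manager compares URLs internally. It keeps Name-to-URL entries the way oamWhiteListURLConfig describes them (Update adds or replaces, Remove deletes, Operation is case-insensitive), normalises each entry to scheme, host and port with the default HTTP/HTTPS ports the Value description mentions, and then decides whether a requested redirect target is honoured. The matching rule (exact scheme, host and port, ignoring path and query) and the probe URLs are this example's own assumptions; they show the kind of look-alike targets (embedded URL in the query, user@host trick, scheme-relative URL) that white-list mode is meant to reject.

```python
# Added example (not Oracle's code): an offline model of Access Manager
# white-list mode for post-authentication redirects.
from urllib.parse import urlsplit

# Default ports assigned when an entry omits the port (as the Value argument
# description above states for HTTP and HTTPS).
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(url):
    """Reduce an absolute http(s) URL to (scheme, host, port).

    Path, query and fragment are dropped on purpose: a white-list entry is an
    origin, so a target is judged only on where it points, not on what it
    carries.  Raises ValueError for anything that is not an absolute http(s)
    URL (scheme-relative '//host', 'javascript:', a bare path, a bad port).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("not an http(s) URL: %r" % url)
    host = parts.hostname          # already lower-cased, user@ prefix stripped
    if not host:
        raise ValueError("missing host: %r" % url)
    port = parts.port              # raises ValueError on a non-numeric port
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host, port)


class RedirectWhiteList:
    """Assumed model of the state set by oamSetWhiteListMode and
    oamWhiteListURLConfig (this example's construction, not OAM internals)."""

    def __init__(self, enabled=False):
        self.enabled = enabled     # oamSetWhiteListMode(oamWhiteListMode=...)
        self.entries = {}          # Name -> normalised origin

    def config(self, name, value, operation):
        """Apply one oamWhiteListURLConfig call. Operation is case-insensitive;
        Update adds or replaces the named entry, Remove deletes it."""
        op = operation.lower()
        if op == "update":
            self.entries[name] = normalize_origin(value)
        elif op == "remove":
            self.entries.pop(name, None)
        else:
            raise ValueError("Operation must be Update or Remove, got %r" % operation)

    def resolve_redirect(self, requested_url, fallback_url):
        """Return the URL the server should redirect to after authentication.

        With white-list mode off the requested URL is honoured as-is (the
        classic open-redirect exposure).  With it on, the requested URL is
        honoured only if its origin exactly matches a configured entry;
        otherwise the caller's safe fallback is used.
        """
        if not self.enabled:
            return requested_url
        try:
            origin = normalize_origin(requested_url)
        except ValueError:
            return fallback_url
        if origin in self.entries.values():
            return requested_url
        return fallback_url


def demo():
    """Load the page's example entry and probe it with constructed redirect
    targets; returns {target: honoured?} for inspection."""
    wl = RedirectWhiteList(enabled=True)
    wl.config("xyz", "http://xyz.com:1234", "Update")        # entry from the page
    fallback = "https://sso.example.com/landing"             # constructed
    probes = [
        "http://xyz.com:1234/app/home?x=1",                  # exact origin: honoured
        "http://xyz.com/app",                                # port 80 != 1234: blocked
        "http://evil.example/?next=http://xyz.com:1234",     # look-alike in query: blocked
        "http://xyz.com:1234@evil.example/",                 # userinfo trick: blocked
        "//xyz.com:1234/app",                                # scheme-relative: blocked
        "javascript:alert(1)",                               # non-http: blocked
    ]
    return dict((p, wl.resolve_redirect(p, fallback) == p) for p in probes)


if __name__ == "__main__":
    for target, honoured in demo().items():
        print("%-50s %s" % (target, "honoured" if honoured else "blocked"))
```

The point of the normalisation step is that a white-list entry written as http://xyz.com:1234 must not match http://xyz.com (port 80) or any URL that merely contains the string xyz.com:1234; comparing parsed origins rather than string prefixes is what closes those bypasses.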
Online only command to enable Multi Data Centre Mode.
enableMultiDataCentreMode(propfile="<absoluteFilePath>")
Argument | Definition |
---|---|
propfile | Mandatory. Specifies the absolute path to a file from which the properties used to enable Multi Data Centre mode are read. |
Sets the Multi Data Centre cluster name.
setMultiDataCentreClusterName(clusterName="MyCluster")
Argument | Definition |
---|---|
clusterName | Mandatory. Specifies the name of the cluster. |
Sets the Multi Data Centre partner logout URLs.
setMultiDataCentreLogoutURLs(logoutURLs="http://<host>:<port>/logout.jsp,http://<host>:<port>/logout.jsp")
Argument | Definition |
---|---|
logoutURLs | Mandatory. Specifies a comma-separated list of Multi Data Centre partner logout URLs. |
Updates the Multi Data Centre partner logout URLs.
updateMultiDataCentreLogoutURLs(logoutURLs="http://<host>:<port>/logout.jsp,http://<host>:<port>/logout.jsp")
Argument | Definition |
---|---|
logoutURLs | Mandatory. Specifies a comma-separated list of Multi Data Centre partner logout URLs. |
Online command that adds a partner to Multi Data Centre.
Adds a partner to Multi Data Centre. This command is supported only in online mode and adds one partner at a time.
addPartnerForMultiDataCentre(propfile="<absoluteFilePath>")
Argument | Definition |
---|---|
propfile | Mandatory. Specifies the absolute path to a file that contains the agent information. |
Online command that removes a partner from Multi Data Centre.
Removes a partner from Multi Data Centre. This command is supported only in online mode and removes one partner at a time.
removePartnerForMultiDataCentre(webgateid="<webgateId>")
Argument | Definition |
---|---|
webgateid | Mandatory. Specifies the ID of the partner to be deleted. |
This section lists commands to configure federation partners.
Table 4-7 WLST Access Manager Commands for Federation Partners
Use this command... | To... | Use with WLST... |
---|---|---|
addOpenID20IdPFederationPartner | Create an OpenID 2.0 IdP partner. | Online |
 | Create a Google OpenID 2.0 IdP partner. | Online |
 | Create a Yahoo OpenID 2.0 IdP partner. | Online |
addSAML11IdPFederationPartner | Create an IdP federation partner, including metadata, under the SAML 1.1 protocol. | Online |
addSAML20IdPFederationPartner | Create an IdP federation partner under the SAML 2.0 protocol. | Online |
addSAML20IdPFederationPartnerWithoutMetadata | Create an IdP federation partner under the SAML 2.0 protocol without importing metadata. | Online |
configureIdPPartnerAttributeProfile | Configure an IdP partner attribute profile to specify whether incoming attributes that are not part of the profile should be ignored. | Online |
configureSAML20Logout | Configure global federation logout for a SAML 2.0 federation partner. | Online |
configureSAMLBinding | Configure the preferred binding for a SAML federation partner. | Online |
 | Enable user self registration. | Online |
 | Set which attributes from the assertion should be used as email, first name, last name or username during self registration. | Online |
 | Create an authentication scheme and module for an IdP partner. | Online |
 | Create an IdP partner attribute profile for a federation partner. | Online |
 | Delete an authentication scheme and module for an IdP partner. | Online |
 | Delete a specific federation partner. | Online |
 | Delete the encryption certificate of a federation partner. | Online |
 | Delete the signing certificate of a federation partner. | Online |
 | Delete the attribute profile of a federation partner. | Online |
 | Delete an entry from the attribute profile of a federation partner. | Online |
 | Delete a partner-specific property that was added to the partner's configuration. | Online |
 | Display an IdP federation partner's attribute profile. | Online |
 | List all IdP federation partners. | Online |
 | Retrieve the encryption certificate for a federation partner. | Online |
 | Retrieve the signing certificate for a federation partner. | Online |
 | Retrieve the HTTP basic authentication username for a federation partner. | Online |
 | Retrieve a property for a federation partner. | Online |
 | Check whether a partner is configured. | Online |
 | List an IdP partner's attribute profiles. | Online |
 | Set an IdP partner as the default identity provider for federation single sign-on. | Online |
 | Set the encryption certificate for a federation partner. | Online |
 | Set the signing certificate for a federation partner. | Online |
 | Set the attribute profile to use during federated single sign-on with an IdP partner. | Online |
 | Set an entry in an IdP federation partner's profile. | Online |
 | Update a federation partner's HTTP basic auth credential. | Online |
 | Set the attribute used for assertion mapping for a federation partner. | Online |
 | Set the attribute query used for assertion mapping for a federation partner. | Online |
 | Set the assertion mapping nameID value for an IdP federation partner. | Online |
 | Update a federation partner's alias name. | Online |
 | Set a federation partner's identity store and base DN. | Online |
 | Update a federation partner's metadata. | Online |
 | Update a property for a federation partner. | Online |
Note:
Some of the command examples in this section are specified with attributes in the key-value format and some are not. Oracle Identity Federation supports either but the key-value format should be used.
Creates an OpenID 2.0 IdP partner.
addOpenID20IdPFederationPartner(partnerName, idpSSOURL, discoveryURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
idpSSOURL | The initiate SSO URL of the IdP. Can be set to "" if the discovery URL is specified and intended to be used. |
discoveryURL | The OpenID discovery URL of the IdP. |
description | The description of the partner. Optional. |
Creates an IdP partner with the name google.
Creates an IdP partner with the name google using the discovery URL https://www.google.com/accounts/o8/id. Note that Google retired its OpenID 2.0 endpoint in 2015, so a partner created this way can no longer authenticate users against Google.
Creates an IdP partner with the name yahoo.
Creates an IdP partner with the name yahoo using the discovery URL https://open.login.yahooapis.com/openid20/user_profile/xrds.
Creates a SAML 1.1 IdP federation partner.
addSAML11IdPFederationPartner(partnerName,providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Creates a SAML 2.0 IdP Federation partner.
Creates a federation partner as an identity provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.
addSAML20IdPFederationPartner(partnerName, metadataFile, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
metadataFile | The location of the metadata file (full path). |
description | The description of the partner. Optional. |
Creates a SAML20 IdP federation partner without SAML 2.0 metadata.
addSAML20IdPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the federation partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Configures an IdP partner attribute profile to process incoming attributes.
Configures an IdP partner attribute profile to process or ignore incoming attributes not defined in the profile.
configureIdPPartnerAttributeProfile(attrProfileID, ignoreUnmappedAttributes)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to configure. |
ignoreUnmappedAttributes | Determines whether incoming attributes that are not defined in the profile should be ignored. Valid values are true (ignore) or (the default) false (process). |
Configures global federation logout for a SAML 2.0 partner.
configureSAML20Logout(partnerName, partnerType, enable, saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Whether the partner is a service provider or identity provider. Valid values are sp, idp. |
enable | Enable or disable global logout for that partner. Valid values are true (enable), false (disable). |
saml20LogoutRequestURL | The SAML 2.0 logout request service URL. Optional if the partner was created using metadata, or if logout is disabled. |
saml20LogoutResponseURL | The SAML 2.0 logout response service URL. This is optional if the partner was created using metadata, or if logout is disabled. |
soapURL | The SAML 2.0 SOAP Service URL. This is optional if the partner was created using metadata, if logout is disabled, or if SOAP logout is not supported. |
Specifies the binding for a SAML partner.
configureSAMLBinding(partnerName, partnerType, binding)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Indicates whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
binding | The binding to use. Valid options are httppost for HTTP-POST binding, httpredirect for HTTP-Redirect/Artifact binding. |
Enables the user self-registration module.
configureUserSelfRegistration(<enabled>, <registrationURL>, <regDataRetrievalAuthnEnabled>, <regDataRetrievalAuthnUsername>, <regDataRetrievalAuthnPassword>, <partnerName>)
Argument | Definition |
---|---|
enabled | Indicates if the user self-registration module is enabled. Takes a value of true or false. |
registrationURL | The location to which the user will be redirected for self-registration. If partnerName is not specified, and if registrationURL is empty or missing, the current property will be unchanged. If partnerName is specified, and if registrationURL is empty or missing, this property will be removed from the partner's configuration. |
regDataRetrievalAuthnEnabled | Indicates if authentication of the registration page is enabled when contacting the server to retrieve registration data. |
regDataRetrievalAuthnUsername | Specifies the username the registration page will send to the server when retrieving the registration data from the server. |
regDataRetrievalAuthnPassword | Specifies the password the registration page will send to the server when retrieving the registration data from the server. |
partnerName | Indicates the IdP partner for which to enable user self-registration. If missing, the configuration operation will be global. |
Sets the attributes in an assertion that will be used as email, first name, last name and username.
configureUserSelfRegistration(<registrationAttrName>, <assertionAttrNames>, <partnerName>)
Argument | Definition |
---|---|
registrationAttrName | The self-registration page attribute to set. Can be one of the following values: email, firstname, lastname or username. |
assertionAttrNames | The possible attributes from the assertion that can be used to populate the self-registration page field specified as the registrationAttrName. |
partnerName | Indicates the IdP partner for which to configure user self-registration. If missing, the configuration operation will be global. |
Creates an authentication scheme that uses the OpenID IdP.
createAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner for whom the scheme is to be created. |
Creates an IdP attribute profile.
Creates an IdP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions
createIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier of the IdP attribute profile. |
Deletes an authentication scheme for an IdP.
deleteAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner whose scheme is to be deleted. |
Deletes a federation partner.
deleteFederationPartner(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes the encryption certificate of a partner.
deleteFederationPartnerEncryptionCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose encryption certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes the signing certificate of a partner.
deleteFederationPartnerSigningCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose signing certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or identity provider. Valid values are sp, idp. |
Deletes an IdP partner attribute profile.
deleteIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
Deletes an IdP Partner Attribute Profile entry.
deleteIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message. |
Deletes a partner property.
Deletes a partner-specific property. Use this command only for a property that was added to the partner's configuration.
deletePartnerProperty(partnerName,partnerType,propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the configured property to be removed. |
Displays a partner attribute profile.
displayIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to be displayed. |
Retrieves the encryption certificate for a partner.
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the encryption certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Retrieves the signing certificate for a partner.
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the signing certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Gets a partner's basic authentication username.
getIdPPartnerBasicAuthCredentialUsername(partnerName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the username will be retrieved and displayed. |
Retrieves a partner property.
getPartnerProperty(partnerName,partnerType,propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the property will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the property to retrieve. |
Checks whether a partner is configured.
isFederationPartnerPresent(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The partner ID. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Sets the IdP partner to serve as the default IdP for federated single sign-on (SSO).
If not set by the federation authentication plugin at run time, sets the IdP partner to serve as the default IdP during federated SSO.
setDefaultSSOIdPPartner(partnerName)
Argument | Definition |
---|---|
partnerName | ID of the partner which will serve as the default IdP for federated SSO. |
Sets the encryption certificate for a partner.
setFederationPartnerEncryptionCert(partnerName,partnerType,certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | The full path and name of the file that stores the encryption certificate. Certificates can be in either PEM or DER format. |
Sets the signing certificate for a partner.
setFederationPartnerSigningCert(partnerName,partnerType,certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | Specifies the full path and name of the file that stores the signing certificate. Certificates can be in either PEM or DER format. |
Sets a partner attribute profile.
Sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.
setIdPPartnerAttributeProfile(partnerName, attrProfileID)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrProfileID | The IdP partner attribute profile ID to be set. |
Sets the IdP federation partner profile.
setIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName, oamSessionAttributeName, requestFromIdP)
Argument | Definition |
---|---|
attrProfileID | The IdP partner attribute profile. |
messageAttributeName | The name of the message attribute. |
oamSessionAttributeName | The name of the attribute as it will appear in the Access Manager session. |
requestFromIdP | Determines whether this attribute should be requested from the IdP partner. Valid values are true, false. |
Sets a partner's basic authentication credentials.
setIdPPartnerBasicAuthCredential(partnerName,username,password)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
username | The user ID of the user. |
password | The password corresponding to the username. |
Sets a partner's assertion mapping attribute.
setIdPPartnerMappingAttribute(partnerName,assertionAttr,userstoreAttr)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
assertionAttr | The attribute name in the assertion used to map the user to the identity store. |
userstoreAttr | The name of the attribute in the identity store to which to map the assertion attribute value. |
Updates a partner to map assertions to users with an attribute query.
Sets or updates a partner to specify the attribute query to map an assertion to the user store.
setIdPPartnerMappingAttributeQuery(partnerName,attrQuery)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrQuery | The attribute query to be used. The LDAP query can contain placeholders referencing the attributes in the SAML Assertion, as well as the NameID. An attribute from the SAML Assertion is referenced by its name surrounded by the % character; for example, if the attribute name is Userlastname, the attribute is referenced as %Userlastname%. The NameID value is referenced as %fed.nameidvalue%. |
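As an added illustration (not part of Oracle's documentation and not Access Manager's own resolver), the following Python expands an attrQuery template using the placeholder rules above: it refuses a template whose placeholders the assertion cannot supply, and escapes every substituted value per RFC 4515 so a value carrying filter metacharacters cannot alter the shape of the filter. The template and attribute values are constructed samples.

```python
"""Preview how an attrQuery template for setIdPPartnerMappingAttributeQuery
expands once the SAML assertion attributes and the NameID are substituted.
Added example, not Access Manager's own code: it lists the placeholders a
template relies on, fails when the assertion lacks one, and escapes each
substituted value per RFC 4515."""
import re

# Placeholder syntax from the page: %AttributeName% or %fed.nameidvalue%.
PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.\-]+)%")
NAMEID_PLACEHOLDER = "fed.nameidvalue"


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 2.4)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def placeholders(template):
    """Return the placeholder names the template references, in order."""
    return PLACEHOLDER.findall(template)


def resolve_attr_query(template, assertion_attrs, name_id_value):
    """Substitute assertion attributes and the NameID into the template.

    assertion_attrs maps attribute names as they appear in the SAML
    assertion (for example 'Userlastname') to their string values.
    Raises KeyError when the template references an attribute the
    assertion did not carry, rather than silently leaving the placeholder.
    """
    values = dict(assertion_attrs)
    values[NAMEID_PLACEHOLDER] = name_id_value
    missing = [p for p in placeholders(template) if p not in values]
    if missing:
        raise KeyError("assertion lacks attributes: %s" % ", ".join(missing))
    return PLACEHOLDER.sub(lambda m: escape_filter_value(values[m.group(1)]),
                           template)


# Constructed sample template, as it would be passed as attrQuery.
QUERY_TEMPLATE = "(&(sn=%Userlastname%)(mail=%fed.nameidvalue%))"

if __name__ == "__main__":
    print(resolve_attr_query(QUERY_TEMPLATE, {"Userlastname": "Smith"},
                             "smith@example.com"))
    # A value containing filter metacharacters is neutralised: it expands to
    # \2a\29\28objectClass=\2a instead of opening a new filter component.
    print(resolve_attr_query(QUERY_TEMPLATE,
                             {"Userlastname": "*)(objectClass=*"},
                             "smith@example.com"))
```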
Sets a partner's mapping nameID.
setIdPPartnerMappingNameID(partnerName,userstoreAttr)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
userstoreAttr | The attribute name in the identity store to which the assertion nameID is to be mapped. |
Sets a partner's alias.
setPartnerAlias(partnerName,partnerType,partnerAlias)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
partnerAlias | The partner's alias. |
Sets a partner's identity store and base DN.
setPartnerIDStoreAndBaseDN(partnerName,partnerType,storeName,searchBaseDN)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are sp or idp. |
storeName | The name of the identity store. If left blank, the Default OAM Identity Store will be used. (Optional) |
searchBaseDN | The search base DN for the LDAP. If left blank, the Search Base DN configured in the Identity Store will be used. (Optional) |
Updates partner metadata.
updatePartnerMetadata(partnerName,partnerType,metadataFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
metadataFile | The location of the metadata file. Specify the complete path and name. |
Updates a partner property.
updatePartnerProperty(partnerName,partnerType,propName,propValue,type)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
propName | The name of the property to configure. |
propValue | The property value to be set. |
type | The data type of the property. Valid values are string, long, or boolean. |
Use the WLST commands listed in Table 4-8 to manage Oracle Access Management Mobile and Social (Mobile and Social) configuration objects.
Table 4-8 WLST Mobile and Social Commands
Use this command... | To... | Use with WLST... |
---|---|---|
System Configuration Commands | | |
 | Retrieve system configuration data. | Online |
 | Update system configuration data. | Online |
RPApplication Commands | | |
 | Retrieves the RPApplication objects. | Online |
 | Deletes the specified RPApplication object. | Online |
 | Displays the specified RPApplication object. | Online |
 | Creates a new RPApplication object. | Online |
 | Updates values for a defined RPApplication object. | Online |
ServiceProviderInterface Commands | | |
 | Retrieves the RPApplication objects. | Online |
 | Deletes the specified RPApplication object. | Online |
 | Displays the specified RPApplication object. | Online |
 | Creates a new RPApplication object. | Online |
 | Updates values for a defined RPApplication object. | Online |
Internet Identity Provider Commands | | |
 | Retrieves the Internet Identity Provider objects. | Online |
 | Deletes the specified Internet Identity Provider object. | Online |
 | Displays the specified Internet Identity Provider object. | Online |
 | Creates a new Internet Identity Provider object. | Online |
 | Updates values for a defined Internet Identity Provider object. | Online |
User Attribute Mapping Commands | | |
 | Retrieves the User Attribute Mapping objects. | Online |
 | Deletes the specified User Attribute Mapping object. | Online |
 | Displays the specified User Attribute Mapping object. | Online |
 | Updates values for a defined User Attribute Mapping object. | Online |
ServiceProvider Commands | | |
 | Create a ServiceProvider. | Online |
 | Update a ServiceProvider. | Online |
 | Add a Relationship To a Service Provider. | Online |
 | Remove a Relationship from a Service Provider. | Online |
 | Get a ServiceProvider. | Online |
 | Remove a ServiceProvider object. | Online |
 | Display a ServiceProvider object. | Online |
ServiceProfile Commands | | |
 | Create a service object. | Online |
 | Update a service object. | Online |
 | Remove a service object. | Online |
 | Display a service object. | Online |
 | Retrieve all the service objects. | Online |
ApplicationProfile Commands | | |
 | List all ApplicationProfile objects. | Online |
 | Create an ApplicationProfile. | Online |
 | Update an ApplicationProfile. | Online |
 | Remove an ApplicationProfile. | Online |
 | Display an ApplicationProfile. | Online |
ServiceDomain Commands | | |
 | Create a ServiceDomain. | Online |
 | Update a ServiceDomain. | Online |
 | Retrieve a ServiceDomain. | Online |
 | Remove a ServiceDomain. | Online |
 | Display a ServiceDomain. | Online |
SecurityHandler Commands | | |
 | Create a SecurityHandlerPlugin. | Online |
 | Update a SecurityHandlerPlugin. | Online |
 | Retrieve a SecurityHandlerPlugin. | Online |
 | Remove a SecurityHandlerPlugin. | Online |
 | Display a SecurityHandlerPlugin. | Online |
JailBreakingDetectionPolicy Commands | | |
 | Create a JailBreakingDetectionPolicy. | Online |
 | Update a JailBreakingDetectionPolicy. | Online |
 | Retrieve a JailBreakingDetectionPolicy. | Online |
 | Remove a JailBreakingDetectionPolicy. | Online |
 | Display a JailBreakingDetectionPolicy. | Online |
replaceRPSystemConfig
replaceRPSystemConfig(hostURL, proxyProtocol, proxyHost, proxyPort, proxyUsername, proxyPassword, attributeList)
Table 4-9 replaceRPSystemConfig Arguments
Argument | Definition |
---|---|
hostURL | The URL of the machine hosting the Mobile and Social server. |
proxyProtocol | The proxy protocol ( |
proxyHost | The URL of the proxy machine. |
proxyPort | The port of the proxy machine. |
proxyUsername | Name of the user accessing the proxy. |
proxyPassword | Password of the user accessing the proxy. |
attributeList | List of attributes in the JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
createRPApplication
createRPApplication(identityProviderNameList, sharedSecret, returnUrl, SPIBindingName, applicationAttributesList, userAttributeMappings, attributeList, mobileApplicationReturnUrl, name, description)
Table 4-10 createRPApplication Arguments
Argument | Definition |
---|---|
identityProviderNameList | A list of Identity Providers. |
sharedSecret | The shared secret. |
returnUrl | The return URL. |
SPIBindingName | The SPI binding name. |
applicationAttributesList | List of RPApplication attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
userAttributeMappings | List of User Attribute Mappings specified in the JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
attributeList | List of attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
mobileApplicationReturnUrl | The return URL of the mobile application. |
name | Name of the object to be created. |
description | Description of the object to be created. |
createRPApplication('Yahoo,Facebook','mySecret','http://me.com','OAMServiceProviderInterface','[{pratname1:atval1},{pratname2:atval2}]','[{Yahoo:[{uid:email},{mail:email},{zip:postalCode},{country:country}]},{Facebook:[{uid:email},{mail:email},{zip:postalCode},{country:country}]}]','[{atname1:atval2},{atname2:atval2}]','/oam/server','myApp','new Application')
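The bracketed attribute lists that createRPApplication and the other Mobile and Social commands take are easy to mistype by hand; the following added Python (not Oracle's code) builds them from plain Python pairs and renders the finished call as a line for a WLST script. The quoting rule, that values which are not plain identifiers are wrapped in double quotes while numbers and booleans stay bare, is an assumption drawn from the page's own examples, and the sample data is constructed.

```python
"""Build the '[{name1:value1},{name2:value2}]' and
'[{idp:[{name:value},...]}]' argument strings used by the Mobile and Social
WLST commands (createRPApplication, createInternetIdentityProvider,
createServiceProvider and friends) from ordinary Python data.
Added example, not Oracle's code.  Quoting rule is an assumption taken from
the page's examples: plain identifiers are written bare, anything else
(URLs, host:port pairs, secrets, empty strings) is double-quoted."""
import re

_BARE_VALUE = re.compile(r"^[A-Za-z0-9_.\-]+$")


def _render_value(value):
    if isinstance(value, bool):           # must precede int: bool is an int
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, (list, tuple)):  # nested list, e.g. per-IdP mappings
        return attr_list(value)
    text = str(value)
    if text and _BARE_VALUE.match(text):
        return text
    if '"' in text:
        raise ValueError("double quote cannot appear in a quoted value: %r" % text)
    return '"%s"' % text


def attr_list(pairs):
    """Render [(name, value), ...] as [{name:value},{name:value}]."""
    return "[" + ",".join("{%s:%s}" % (name, _render_value(value))
                          for name, value in pairs) + "]"


def wlst_call(command, *args):
    """Render command('arg1','arg2',...) with every argument single-quoted."""
    for arg in args:
        if "'" in arg:
            raise ValueError("single quote cannot appear in an argument: %r" % arg)
    return "%s(%s)" % (command, ",".join("'%s'" % a for a in args))


# Constructed sample mirroring the page's createRPApplication example.
USER_ATTRIBUTE_MAPPINGS = [
    ("Yahoo", [("uid", "email"), ("mail", "email"),
               ("zip", "postalCode"), ("country", "country")]),
    ("Facebook", [("uid", "email"), ("mail", "email"),
                  ("zip", "postalCode"), ("country", "country")]),
]

# Constructed service-provider parameters with values that need quoting.
SERVICE_PROVIDER_PARAMS = [
    ("OAM_VERSION", "OAM_11G"),
    ("OAM_SERVER_1", "localhost:5575"),   # host:port -> quoted
    ("OAM_SERVER_1_MAX_CONN", 4),         # number -> bare
    ("TRANSPORT_SECURITY", "OPEN"),
    ("accessControl", False),             # boolean -> bare false
]


def example_create_rp_application():
    """Reproduce the page's createRPApplication example line."""
    return wlst_call(
        "createRPApplication",
        ",".join(["Yahoo", "Facebook"]),   # identityProviderNameList
        "mySecret",                         # sharedSecret
        "http://me.com",                    # returnUrl
        "OAMServiceProviderInterface",      # SPIBindingName
        attr_list([("pratname1", "atval1"), ("pratname2", "atval2")]),
        attr_list(USER_ATTRIBUTE_MAPPINGS),
        attr_list([("atname1", "atval2"), ("atname2", "atval2")]),
        "/oam/server",                      # mobileApplicationReturnUrl
        "myApp",
        "new Application",
    )


if __name__ == "__main__":
    print(example_create_rp_application())
    print(attr_list(SERVICE_PROVIDER_PARAMS))
```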
updateRPApplication
updateRPApplication(identityProviderNameList, sharedSecret, returnUrl, SPIBindingName, applicationAttributesList, userAttributeMappings, attributeList, mobileApplicationReturnUrl, name, description)
Table 4-11 updateRPApplication Arguments
Argument | Definition |
---|---|
identityProviderNameList | A list of Identity Providers. |
sharedSecret | The shared secret. |
returnUrl | The return URL. |
SPIBindingName | The SPI binding name. |
applicationAttributesList | List of RPApplication attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
userAttributeMappings | List of User Attribute Mappings specified in the JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
attributeList | List of attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
mobileApplicationReturnUrl | The return URL of the mobile application. |
name | Name of the object to be updated. |
description | Description of the object to be updated. |
removeServiceProviderInterface
removeServiceProviderInterface(name)
where name is the name of the Service Provider interface object.
displayServiceProviderInterface
displayServiceProviderInterface(name)
where name is the name of the Service Provider interface object.
createServiceProviderInterface
createServiceProviderInterface(idpSelectorImpl, postIDPSelectorImpl, idpInteractionProviderImpl, registrationStatusCheckImpl, registrationTaskFlowProviderImpl, sessionCreationProviderImpl, attributeList, name, description)
Table 4-12 createServiceProviderInterface Arguments
Argument | Definition |
---|---|
idpSelectorImpl | |
postIDPSelectorImpl | |
idpInteractionProviderImpl | |
registrationStatusCheckImpl | |
registrationTaskFlowProviderImpl | |
sessionCreationProviderImpl | |
attributeList | List of attributes in JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
name | Name of the object to be created. |
description | Description of the object to be created. |
updateServiceProviderInterface
updateServiceProviderInterface(idpSelectorImpl, postIDPSelectorImpl, idpInteractionProviderImpl, registrationStatusCheckImpl, registrationTaskFlowProviderImpl, sessionCreationProviderImpl, attributeList, name, description)
Table 4-13 updateServiceProviderInterface Arguments
Argument | Definition |
---|---|
idpSelectorImpl | |
postIDPSelectorImpl | |
idpInteractionProviderImpl | |
registrationStatusCheckImpl | |
registrationTaskFlowProviderImpl | |
sessionCreationProviderImpl | |
attributeList | List of attributes in JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
name | Name of the object to be updated. |
description | Description of the object to be updated. |
removeInternetIdentityProvider
removeInternetIdentityProvider(name)
where name is the name of the Internet Identity Provider object.
displayInternetIdentityProvider
displayInternetIdentityProvider(name)
where name is the name of the Internet Identity Provider object.
createInternetIdentityProvider
createInternetIdentityProvider(icon, protocolType, protocolAttributeList, providerImplClass, attributeList, name, description)
Table 4-14 createInternetIdentityProvider Arguments
Argument | Definition |
---|---|
icon | Name of the icon. |
protocolType | The protocol type is either |
protocolAttributeList | A list of protocol attributes specified in JSON format. [{name1:value1},{name2:value2}] |
providerImplClass | Implementation class for the provider. |
attributeList | List of attributes specified in JSON format. [{name1:value1},{name2:value2}] |
name | Name of the provider to be created. |
description | Description of the provider to be created. |
createInternetIdentityProvider('myIcon','myType','[{pratname1:atval1},{pratname2:atval2}]','[{atname1:atval1},{atname2:atval2}]','class','myProvider','new Identity Provider')
Note: createInternetIdentityProvider can also be used within a script to create the provider configuration for Foursquare and Windows Live. The following example is a script for Foursquare. Update the username and password used to connect to the WebLogic Server and the consumer's key and secret values (between the quotes) before executing:

```python
# WLST (Jython) script; run it from the WLST shell invoked from the Oracle Common home.
url = 't3://localhost:7001'
username = 'xxxxxx'   # WebLogic Server administrator credentials
password = 'xxxxxx'
connect(username, password, url)
domainRuntime()
print "Foursquare OAuth"
print "---------------------"
createInternetIdentityProvider(
    'Foursquare.gif',        # icon
    'OAuth',                 # protocol type
    # protocol attributes: set the consumer key and secret between the quotes
    '[{oauth.authorization.url: "https://foursquare.com/oauth2/authorize"}, {oauth.accesstoken.url:"https://foursquare.com/oauth2/access_token"}, {oauth.profile.url: "https://api.foursquare.com/v2/users/self"}, {oauth.consumer.key:""}, {oauth.consumer.secret:""}, {oauth.rpinstance.name:""}, {oauth.rpinstance.url:""}]',
    # attribute mappings from the Foursquare user profile
    '[{id:id}, {firstname:firstname}, {lastname:lastname}, {contact.email:contact.email}, {homecity:homecity}, {gender:gender}, {photo:photo}]',
    'oracle.security.idaas.rp.oauth.provider.FoursquareImpl',
    'Foursquare',
    'Foursquare OAuth Provider')
disconnect()
exit()
```
updateInternetIdentityProvider
updateInternetIdentityProvider(icon, protocolType, protocolAttributeList, attributeList, providerImplClass, name, description)
Table 4-15 updateInternetIdentityProvider Arguments
Argument | Definition |
---|---|
icon | Name of the icon. |
protocolType | The protocol type is either |
protocolAttributeList | A list of protocol attributes specified in JSON format. [{name1:value1},{name2:value2}] |
providerImplClass | Implementation class for the provider. |
attributeList | List of attributes specified in JSON format. [{name1:value1},{name2:value2}] |
name | Name of the provider to be updated. |
description | Description of the provider to be updated. |
removeUserAttributeMapping
removeUserAttributeMapping(name)
where name is the name of the User Attribute Mapping object.
displayUserAttributeMapping
displayUserAttributeMapping(name)
where name is the name of the User Attribute Mapping object.
updateUserAttributeMapping
updateUserAttributeMapping(application, idp, name, appProtocolAttributeList)
Table 4-16 updateUserAttributeMapping Arguments
Argument | Definition |
---|---|
application | Name of the application. |
idp | Name of the identity provider. |
name | Name of the object to be updated. |
appProtocolAttributeList | List of protocol attributes in JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
createServiceProvider
createServiceProvider(serviceProviderImpl, serviceProviderType, relationshipList, paramList, name, description)
Table 4-17 createServiceProvider Arguments
Argument | Definition |
---|---|
serviceProviderImpl | The service provider implementation. |
serviceProviderType | The type of service provider. Acceptable values include either |
relationshipList | The relationship for this Service Provider specified in JSON format: [{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}] |
paramList | The parameters for this Service Provider specified in JSON format: [{name1:value1},{name2:value2}...] |
name | Name of the service provider. |
description | Description of the service provider. |
createServiceProvider('oracle.security.idaas.rest.provider.token.MobileOAMTokenServiceProvider', 'Authentication', '[]','[{OAM_VERSION:OAM_11G},{WEBGATE_ID:accessgate-oic},{ENCRYPTED_PASSWORD:"password"},{DEBUG_VALUE:0},{TRANSPORT_SECURITY:OPEN},{OAM_SERVER_1:"localhost:5575"},{OAM_SERVER_1_MAX_CONN:4},{OAM_SERVER_2:"oam_server_2:5575"},{OAM_SERVER_2_MAX_CONN:4}]', 'MobileOAMAuthentication', 'Out Of The Box Mobile Oracle Access Manager (OAM) Authentication Service Provider')
updateServiceProvider
updateServiceProvider(serviceProviderImpl, serviceProviderType, relationshipList, paramList, name, description)
Table 4-18 updateServiceProvider Arguments
Argument | Definition |
---|---|
serviceProviderImpl | The service provider implementation. |
serviceProviderType | The type of service provider: either Authorization, Authentication or UserProfile. |
relationshipList | The relationship for this service provider specified in JSON format: [{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}] |
paramList | The parameters for this Service Provider specified in JSON format: |
name | Name of the service provider. |
description | Description of the service provider. |
updateServiceProvider('oracle.security.idaas.rest.provider.cruds.ids.IDSCRUDSServiceProvider', 'UserProfile', '[{relationship:people_groups, directional1:{name:memberOf, providerRelation:user_memberOfGroup, entityURIAttrName:person-uri}, directional2:{name:members, providerRelation:groupMember_user,entityURIAttrName:group-uri}}, {relationship:people_manager, directional1:{name:manager,providerRelation:manager, entityURIAttrName:report-uri,scopeAllLevelAttrName:toTop}, directional2:{name:reports, providerRelation:reportee, entityURIAttrName:manager-uri, scopeAllLevelAttrName:all}}, {relationship:groupMemberOf_groupMembers, directional1:{name:groupMemberOf, providerRelation:group_memberOfGroup,entityURIAttrName:member-uri}, directional2:{name:groupMembers, providerRelation:groupMember_group,entityURIAttrName:group-uri}},{relationship:personOwner_ownerOf, directional1:{name:ownerOf, providerRelation:user_ownerOfGroup,entityURIAttrName:owner-uri}, directional2:{name:personOwner,providerRelation:groupOwner_user,entityURIAttrName:group-uri}},{relationship:groupOwner_groupOwnerOf, directional1:{name:groupOwner, providerRelation:group_ownerOfGroup,entityURIAttrName:group-uri}, directional2:{name:groupOwnerOf, providerRelation:groupOwner_group,entityURIAttrName:owner-uri}}]','[{oracle.ids.name:userrole},{accessControl:false}]', 'UserProfile', 'Out Of The Box User Profile Service Provider')
addRelationshipToServiceProvider
addRelationshipToServiceProvider(name, relationshipList)
Table 4-19 addRelationshipToServiceProvider Arguments
Argument | Definition |
---|---|
name | Name of the service provider. |
relationshipList | The relationship for this Service Provider specified in JSON format: [{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}] |
addRelationshipToServiceProvider('idsprovider1','[{relationship:relname, description:descrip, directional1:{name:dirname,description:descrip, providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}, directional2:{name:dirname,description:descrip, providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}]')
removeRelationshipFromServiceProvider
getServiceProviders
getServiceProviders()
The following lines show sample output:
```
ServiceProvider: UserProfile1
ServiceProvider: JWTAuthentication
ServiceProvider: UserProfile
ServiceProvider: MobileOAMAuthentication
ServiceProvider: OAMAuthentication
ServiceProvider: MobileJWTAuthentication
ServiceProvider: sampleauthzserviceprovider
ServiceProvider: InternetIdentityAuthentication
ServiceProvider: OAMAuthorization
```
displayServiceProvider
displayServiceProvider('OAMAuthentication')
The following lines show sample output:
```
Displaying: ServiceProvider : OAMAuthentication
ReadOnly = 0
Description = Out Of The Box Oracle Access Manager (OAM) Authentication Token Service Provider
Param = ...
eventProvider = 1
objectName = com.oracle.idaas:name=OAMAuthentication,type=Xml.ServiceProvider,Xml=MobileService
SystemMBean = 0
ServiceProviderType = Authentication
Name = OAMAuthentication
ConfigMBean = 1
ServiceProviderImpl = oracle.security.idaas.rest.provider.token.OAMSDKTokenServiceProvider
Relationship = array(javax.management.openmbean.CompositeData,[])
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
```
createServiceProfile
createServiceProfile(serviceProvider, supportedTokenList, paramList, endPoint, name, description, enabled)
Table 4-21 createServiceProfile Arguments
Argument | Definition |
---|---|
serviceProvider | Name of the service provider. |
supportedTokenList | A list of supported tokens specified in JSON format: where |
paramList | A list of parameters for this Service specified in JSON format: |
endPoint | The service endpoint. |
name | Name of the service. |
description | Description of the service. |
enabled | Indicates if the service should be enabled or disabled. Boolean flag. |
updateServiceProfile
updateServiceProfile(serviceProvider, supportedTokenList, paramList, endPoint, name, description, enabled)
Table 4-22 updateServiceProfile Arguments
Argument | Definition |
---|---|
serviceProvider | Name of the service provider. |
supportedTokenList | A list of supported tokens specified in JSON format: where |
paramList | A list of parameters for this Service specified in JSON format: |
endPoint | The service endpoint. |
name | Name of the service. |
description | Description of the service. |
enabled | Indicates if the service should be enabled or disabled. Boolean flag. |
displayServiceProfile
displayServiceProfile('OAMAuthorization')
The following lines show sample output:
```
Displaying: ServiceProfile : OAMAuthorization
ReadOnly = 0
Enabled = 1
Description = Out Of The Box Oracle Access Manager (OAM) Authorization Service Provider
Param = array(javax.management.openmbean.CompositeData,[])
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=OAMAuthorization,type=Xml.ServiceProfile,Xml=MobileService
SupportedToken = array(java.lang.String,[])
ServiceProviderType = Authorization
ServiceProviderName = OAMAuthorization
Name = OAMAuthorization
ConfigMBean = 1
ServiceEndPoint = /oamauthorization
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
```
getServiceProfiles
getServiceProfiles()
The following lines show sample output:
ServiceProfile: UserProfile1
ServiceProfile: OAMAuthenticatio
ServiceProfile: sampleauthzservice
ServiceProfile: JWTAuthentication
ServiceProfile: UserProfile
ServiceProfile: MobileOAMAuthentication
ServiceProfile: OAMAuthentication
ServiceProfile: MobileJWTAuthentication
ServiceProfile: InternetIdentityAuthentication
ServiceProfile: OAMAuthorization
ServiceProfile: JWTAuthentication1
createApplicationProfile
createApplicationProfile(paramList, mobileAppProfileStr, name, description)
Table 4-23 createApplicationProfile Arguments
Argument | Definition |
---|---|
paramList | A list of parameters for this service specified in JSON format. |
mobileAppProfileStr | The mobile app profile string specified in JSON format: [{clientAppConfigParam:[{name:value},{name:value}], jailBreakingDetectionPolicyName:name}] |
name | Name of the IDaaS Client. |
description | Description of the IDaaS Client. |
createApplicationProfile('[{Mobile.clientRegHandle.baseSecret:welcome1},]', '[{clientAppConfigParam:[{Mobileparam1:Mobileparam1Value}, {IOSURLScheme:"samplemobileapp1://"}, {AndroidPackage:oracle.android.samplemobileapp1}, {AndroidAppSignature:samplemobileapp1signature}], jailBreakingDetectionPolicyName:defaultJailBreakingDetectionPolicy}]', 'samplemobileapp1','Sample Mobile App 1')
createApplicationProfile('[{userId4BasicAuth:rest_client1}, {sharedSecret4BasicAuth:"9Qo9olLIl5gDwESYR0hOgw=="}, {signatureAlgorithm:SHA-1}]','','profileid1','OIC Application Profile 1')
updateApplicationProfile
updateApplicationProfile(paramList, mobileAppProfileStr, name, description)
Table 4-24 updateApplicationProfile Arguments
Argument | Definition |
---|---|
paramList | A list of parameters for this service specified in JSON format. |
mobileAppProfileStr | The mobile app profile string specified in JSON format: [{clientAppConfigParam:[{name:value},{name:value}], jailBreakingDetectionPolicyName:name}] The value of clientAppConfigParam should match what is defined in the Administration Console on the "Application Profile Configuration Page." Items specified under the 'Configuration Settings' heading are set with the WLST 'clientAppConfigParam'. |
name | Name of the IDaaS (Identity as a Service) Client. |
description | Description of the IDaaS (Identity as a Service) Client. |
updateApplicationProfile('[{Mobile.clientRegHandle.baseSecret:welcome1}]',' [{clientAppConfigParam:[{ProfileCacheDuration:60}, {AuthenticationRetryCount:3},{AllowOfflineAuthentication:false}, {ClaimAttributes:"oracle:idm:claims:client:geolocation, oracle:idm:claims:client:imei,oracle:idm:claims:client:jailbroken, oracle:idm:claims:client:locale,oracle:idm:claims:client:macaddress, oracle:idm:claims:client:networktype,oracle:idm:claims:client:ostype, oracle:idm:claims:client:osversion,oracle:idm:claims:client:phonecarriername, oracle:idm:claims:client:phonenumber,oracle:idm:claims:client:sdkversion, oracle:idm:claims:client:udid,oracle:idm:claims:client:vpnenabled"}, {RPWebView:Embedded},{URLScheme:"exp://"}, {IOSBundleID:com.oraclecorp.internal.ExpenseReportApp}, {AndroidAppSignature:"xmlns:xsi=\ 'http://www.w3.org/2001/XMLSchema-instance\' xsi:nil=\'true\'"},{AndroidPackage:"xmlns:xsi=\' http://www.w3.org/2001/XMLSchema-instance\' xsi:nil=\'true\'"}], jailBreakingDetectionPolicyName:DefaultJailBreakingDetectionPolicy}]', 'ExpenseApp','OIC Test Expense Sample App')
removeApplicationProfile
removeApplicationProfile(name)
where name is the name of the ApplicationProfile to be removed.
displayApplicationProfile
displayApplicationProfile(name)
where name is the name of the ApplicationProfile to be displayed.
displayApplicationProfile('MobileAgent1')
The following lines show sample output:
Displaying: ApplicationProfile : MobileAgent1
ReadOnly = 0
ConfigMBean = 1
Name = MobileAgent1
MobileAppProfile = None
Description = Mobile Agent App 1
Param = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.Attribute,items=((itemName=name,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=secretValue,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.Character;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.Character),primitiveArray=false)),(itemName=value,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={name=Mobile.reauthnForRegNewClientApp, secretValue=null, value=true}), javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.Attribute,items=((itemName=name,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=secretValue,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.Character;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.Character),primitiveArray=false)),(itemName=value,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={name=Mobile.clientRegHandle.baseSecret, secretValue=[Ljava.lang.Character;@11910bd, value=idaas.ApplicationProfile[MobileAgent1].param[Mobile.clientRegHandle.baseSecret]})])
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=MobileAgent1,type=Xml.ApplicationProfile,Xml=MobileService
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
createServiceDomain
createServiceDomain(securityHandlerPlugin, serviceBindingList, clientAppBindingList, mobileAuthStyle, serviceDomainType, name, description)
Table 4-25 createServiceDomain Arguments
Argument | Definition |
---|---|
securityHandlerPlugin | The name of the SecurityHandlerPlugin. |
serviceBindingList | A list of the ServiceBinding objects in the format: [{serviceName:UserProfile,allowRead:true, allowWrite:true},{serviceName:UserProfile1, allowRead:true,allowWrite:true, requiredToken:[{tokenService:JWTAuthentication, tokenType:{ACCESSTOKEN}}]}, {serviceName:usertokenserviceformobile, requiredToken:[{tokenService:mobilesecurityservice1, tokenType:{ACCESSTOKEN,CLIENTTOKEN}}]}, {serviceName:mobilesecurityservice1}, {serviceName:JWTAuthentication1}, {serviceName:OAMAuthorization}] |
clientAppBindingList | A list of client applications specified in the format: [{appName:UserProfile,mobileBinding: [{SSOinclusion:true,SSOpriority:4}]}] |
mobileAuthStyle | Mobile Authentication Style. |
serviceDomainType | The type of service domain. |
name | Name of the ServiceDomain. |
description | Description of the ServiceDomain. |
createServiceDomain('JunitDebugSecurityHandlerPlugin','[{serviceName:UserProfile, allowRead:true,allowWrite:true},{serviceName:UserProfile1,allowRead:true, allowWrite:true,requiredToken:[{tokenService:JWTAuthentication1, tokenType:ACCESSTOKEN}]},{serviceName:JWTAuthentication},{serviceName:OAMAuthentication},{serviceName:JWTAuthentication1},{serviceName:OAMAuthorization, allowRead:true,allowWrite:false,requiredToken:[{tokenService:OAMAuthentication, tokenType:USERTOKEN}]}]','[{appName:MobileAgent1,mobileBinding: [{SSOinclusion:true,SSOpriority:1}]},{appName:MobileBusinessTestApp01, mobileBinding:[{SSOinclusion:true}]},{appName:MobileAgent2,mobileBinding: [{SSOinclusion:true,SSOpriority:2}]},{appName:MobileExpenseReport1, mobileBinding:[{SSOinclusion:false}]},{appName:profileid1}]','','DESKTOP', 'Default','DefaultService Domain ServiceBinding without any requiredToken')
updateServiceDomain
updateServiceDomain(securityHandlerPlugin, serviceBindingList, clientAppBindingList, mobileAuthStyle, serviceDomainType, name, description)
Table 4-26 updateServiceDomain Arguments
Argument | Definition |
---|---|
securityHandlerPlugin | The name of the SecurityHandlerPlugin. |
serviceBindingList | A list of the ServiceBinding objects in the format: [{serviceName:UserProfile,allowRead:true, allowWrite:true},{serviceName:UserProfile1, allowRead:true,allowWrite:true, requiredToken:[{tokenService:JWTAuthentication, tokenType:{ACCESSTOKEN}}]}, {serviceName:usertokenserviceformobile, requiredToken:[{tokenService:mobilesecurityservice1, tokenType:{ACCESSTOKEN,CLIENTTOKEN}}]}, {serviceName:mobilesecurityservice1}, {serviceName:JWTAuthentication1}, {serviceName:OAMAuthorization}] |
clientAppBindingList | A list of client applications specified in the format: [{appName:UserProfile,mobileBinding: [{SSOinclusion:true,SSOpriority:4}]}] |
mobileAuthStyle | Mobile Authentication Style. |
serviceDomainType | The type of Service Domain. |
name | Name of the ServiceDomain. |
description | Description of the ServiceDomain. |
updateServiceDomain('JunitDebugSecurityHandlerPlugin','[{serviceName:UserProfile, allowRead:true,allowWrite:true},{serviceName:UserProfile1,allowRead:true, allowWrite:true,requiredToken:[{tokenService:JWTAuthentication1, tokenType:ACCESSTOKEN}]},{serviceName:JWTAuthentication}, {serviceName:OAMAuthentication},{serviceName:JWTAuthentication1}, {serviceName:OAMAuthorization,allowRead:true,allowWrite:false, requiredToken:[{tokenService:OAMAuthentication,tokenType:USERTOKEN}]}]', '[{appName:MobileAgent1,mobileBinding:[{SSOinclusion:true,SSOpriority:1}]}, {appName:MobileBusinessTestApp01,mobileBinding:[{SSOinclusion:true}]}, {appName:MobileAgent2,mobileBinding:[{SSOinclusion:true,SSOpriority:2}]}, {appName:MobileExpenseReport1,mobileBinding:[{SSOinclusion:false}]}, {appName:profileid1}]','','DESKTOP','Default', 'Default Service Domain ServiceBinding without any requiredToken')
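The serviceBindingList and clientAppBindingList strings above are easy to get wrong by hand: a requiredToken that names a token service not bound in the domain, a misspelt tokenType, or a writable service that no token protects. The following script is an added example, not Oracle's code, that builds those strings for createServiceDomain and updateServiceDomain from plain Python data and checks them first. It emits the relaxed unquoted syntax the invocations on this page use (tokenType as a bare value, as in the invocations rather than the braced form in the argument tables). The checks are this example's own assumptions: every tokenService in a requiredToken must itself be bound in the same domain (true of every invocation on this page), tokenType must be one of the three values the page uses, and a writable service with no requiredToken is reported as a finding to review rather than rejected, because the page's own Default domain binds UserProfile that way.

```python
"""Build and pre-check createServiceDomain / updateServiceDomain argument strings.

Added example, not Oracle's code. The validation rules are assumptions made
for this example; the output syntax follows the invocations on this page.
"""

# Token types that appear in this page's invocations (assumed to be the full set).
KNOWN_TOKEN_TYPES = {"ACCESSTOKEN", "CLIENTTOKEN", "USERTOKEN"}


def to_wlst_literal(value):
    """Render nested dicts/lists/bools in the unquoted style the page uses."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, dict):
        return "{" + ",".join("%s:%s" % (k, to_wlst_literal(v)) for k, v in value.items()) + "}"
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(to_wlst_literal(v) for v in value) + "]"
    return str(value)


def check_service_bindings(bindings):
    """Return (errors, findings) for a list of service-binding dicts."""
    errors, findings = [], []
    bound = {b["serviceName"] for b in bindings}
    for b in bindings:
        name = b["serviceName"]
        tokens = b.get("requiredToken", [])
        for rt in tokens:
            # Assumption: a token service must be bound in the same domain.
            if rt["tokenService"] not in bound:
                errors.append("%s: tokenService %s is not bound in this domain" % (name, rt["tokenService"]))
            if rt["tokenType"] not in KNOWN_TOKEN_TYPES:
                errors.append("%s: unknown tokenType %s" % (name, rt["tokenType"]))
        # Not an error (the page's Default domain does this), but worth a look.
        if b.get("allowWrite") and not tokens:
            findings.append("%s: allowWrite=true with no requiredToken" % name)
    return errors, findings


def build_service_domain_args(bindings, app_bindings):
    """Return (serviceBindingList, clientAppBindingList) strings, or raise ValueError."""
    errors, _ = check_service_bindings(bindings)
    if errors:
        raise ValueError("; ".join(errors))
    return to_wlst_literal(bindings), to_wlst_literal(app_bindings)


# Constructed input modelled on the createServiceDomain invocation above.
SERVICE_BINDINGS = [
    {"serviceName": "UserProfile", "allowRead": True, "allowWrite": True},
    {"serviceName": "UserProfile1", "allowRead": True, "allowWrite": True,
     "requiredToken": [{"tokenService": "JWTAuthentication1", "tokenType": "ACCESSTOKEN"}]},
    {"serviceName": "JWTAuthentication1"},
    {"serviceName": "OAMAuthorization", "allowRead": True, "allowWrite": False,
     "requiredToken": [{"tokenService": "OAMAuthentication", "tokenType": "USERTOKEN"}]},
    {"serviceName": "OAMAuthentication"},
]
APP_BINDINGS = [
    {"appName": "MobileAgent1", "mobileBinding": [{"SSOinclusion": True, "SSOpriority": 1}]},
    {"appName": "profileid1"},
]

if __name__ == "__main__":
    svc, apps = build_service_domain_args(SERVICE_BINDINGS, APP_BINDINGS)
    print("serviceBindingList   =", svc)
    print("clientAppBindingList =", apps)
    for finding in check_service_bindings(SERVICE_BINDINGS)[1]:
        print("review:", finding)
    # In a WLST (Jython) session the two strings would then be passed as the
    # second and third arguments of createServiceDomain or updateServiceDomain.
```

Running the script as shown prints the two strings and one review finding for UserProfile; passing a binding whose tokenService is not bound in the domain raises ValueError before anything reaches WLST.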
getServiceDomains
getServiceDomains()
The following lines show sample output:
ServiceDomain: MobileServiceDomainUTReg
ServiceDomain: MobileRPServiceDomain
ServiceDomain: Contract1
ServiceDomain: MobileJWTServiceDomain
ServiceDomain: MobileRPServiceDomainUTReg
ServiceDomain: MobileContract
ServiceDomain: Default
ServiceDomain: MobileServiceDomain
displayServiceDomain
displayServiceDomain('name')
The following lines show sample output:
Displaying: ServiceDomain : Contract1
ReadOnly = 0
Description = Service Domain 1 using HTTPBasic or Token based Client Token
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=Contract1,type=Xml.ServiceDomain,Xml=MobileService
MobileAuthStyle = None
ServiceBinding = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TServiceBinding,items=((itemName=allowRead,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=allowWrite,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=requiredToken,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TRequiredToken,items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.String),primitiveArray=false))))),(itemName=serviceName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={allowRead=true, allowWrite=true, requiredToken=javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TRequiredToken,items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.String),primitiveArray=false)))),contents={tokenService=JWTAuthentication, tokenType=[Ljava.lang.String;@d0fbf2}), serviceName=UserProfile}), javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TServiceBinding,items=((itemName=allowRead,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=allowWrite,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=requiredToken,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TRequiredToken,items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.String),primitiveArray=false))))),(itemName=serviceName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={allowRead=null, allowWrite=null, requiredToken=null, serviceName=JWTAuthentication})])
MobileCredLevelForRegApp = None
ServiceDomainType = DESKTOP
Name = Contract1
ConfigMBean = 1
ClientAppBinding = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TApplicationBinding,items=((itemName=appName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=mobileBinding,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TMobileBinding,items=((itemName=SSOinclusion,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=SSOpriority,itemType=javax.management.openmbean.SimpleType(name=java.lang.Short))))))),contents={appName=profileid1, mobileBinding=null}), javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TApplicationBinding,items=((itemName=appName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=mobileBinding,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TMobileBinding,items=((itemName=SSOinclusion,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=SSOpriority,itemType=javax.management.openmbean.SimpleType(name=java.lang.Short))))))),contents={appName=profileid2, mobileBinding=null})])
SecurityHandlerPluginName = None
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
createSecurityHandlerPlugin
updateSecurityHandlerPlugin
removeSecurityHandlerPlugin
removeSecurityHandlerPlugin(name)
where name is the name of the SecurityHandlerPlugin to be removed.
displaySecurityHandlerPlugin
displaySecurityHandlerPlugin(name)
where name is the name of the SecurityHandlerPlugin to be displayed.
createJailBreakingDetectionPolicy
createJailBreakingDetectionPolicy(true,'[{minOSVersion:3.5,maxOSVersion:5.0,minClientSDKVersion:1.0,maxClientSDKVersion:1.0,policyExpirationDurationInSec:3600,autoCheckPeriodInMin:60,detectionLocation:[{filePath:"/root",success:true,action:exists},{filePath:"/opt",success:true,action:exists}]}]','defaultJailBreakingDetectionPolicy')
updateJailBreakingDetectionPolicy
updateJailBreakingDetectionPolicy(true,'[{minOSVersion:3.5,maxOSVersion:5.0,minClientSDKVersion:1.0,maxClientSDKVersion:1.0,policyExpirationDurationInSec:3600,autoCheckPeriodInMin:60,detectionLocation:[{filePath:"/root",success:true,action:exists},{filePath:"/opt",success:true,action:exists}]}]','defaultJailBreakingDetectionPolicy')
removeJailBreakingDetectionPolicy
removeJailBreakingDetectionPolicy(name)
where name is the name of the JailBreakingDetectionPolicy to be removed.
displayJailBreakingDetectionPolicy
displayJailBreakingDetectionPolicy(name)
where name is the name of the JailBreakingDetectionPolicy to be displayed.
displayJailBreakingDetectionPolicy('DefaultJailBreakingDetectionPolicy')
The following lines show sample output:
Displaying: JailBreakingDetectionPolicy : DefaultJailBreakingDetectionPolicy
ReadOnly = 0
ConfigMBean = 1
Name = DefaultJailBreakingDetectionPolicy
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=DefaultJailBreakingDetectionPolicy,type=Xml.JailBreakingDetectionPolicy,Xml=MobileService
Enable = 1
JailBreakingDetectionPolicyStatement = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TJailBreakingDetectionPolicyStatement,items=((itemName=autoCheckPeriodInMin,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=detectionLocation,itemType=javax.management.openmbean.ArrayType(name=[Ljavax.management.openmbean.CompositeData;,dimension=1,elementType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TDetectionLocation,items=((itemName=action,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=filePath,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=success,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)))),primitiveArray=false)),(itemName=enable,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=maxClientSDKVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=maxOSVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=minClientSDKVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=minOSVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=policyExpirationDurationInSec,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)))),contents={autoCheckPeriodInMin=60, detectionLocation=[Ljavax.management.openmbean.CompositeData;@2dc906, enable=true, maxClientSDKVersion=11.1.2.0.0, maxOSVersion=null, minClientSDKVersion=11.1.2.0.0, minOSVersion=1.0, policyExpirationDurationInSec=3600})])
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
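The createJailBreakingDetectionPolicy invocation above packs version ranges, timing values and a list of detectionLocation checks into one statement, and the sample output shows a null maxOSVersion. The following script is an added example, not Oracle's code, that evaluates a policy of that shape against a device report so the structure can be read and tested offline. The server-side semantics are not stated on this page, so these are the example's own assumptions: a statement applies only to devices whose OS and client SDK versions fall inside its min/max ranges (a null maximum is unbounded); the device counts as jailbroken when any detectionLocation check observes the result named by its success flag; exists is the only action handled; and version strings are compared component by component as integers, because a plain string comparison would rank "10.0" below "5.0" and silently exempt newer devices. The device reports are constructed.

```python
"""Evaluate a JailBreakingDetectionPolicy statement against a device report.

Added example, not Oracle's code. Policy semantics below are assumptions;
the policy data mirrors the createJailBreakingDetectionPolicy invocation above.
"""


def version_key(v):
    """'11.1.2.0.0' -> (11, 1, 2, 0, 0), so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in str(v).split("."))


def in_range(v, lo, hi):
    """True when lo <= v <= hi; a None bound (null in the WLST output) is open."""
    k = version_key(v)
    if lo is not None and k < version_key(lo):
        return False
    if hi is not None and k > version_key(hi):
        return False
    return True


def statement_applies(stmt, device):
    """Assumption: a statement covers only devices inside both version ranges."""
    return (in_range(device["osVersion"], stmt.get("minOSVersion"), stmt.get("maxOSVersion"))
            and in_range(device["sdkVersion"], stmt.get("minClientSDKVersion"),
                         stmt.get("maxClientSDKVersion")))


def location_triggered(loc, device):
    """One detectionLocation entry: did the observed result match 'success'?"""
    if loc["action"] != "exists":          # the only action used on this page
        raise ValueError("unsupported action %r" % loc["action"])
    observed = loc["filePath"] in device["existingPaths"]
    return observed == loc["success"]


def evaluate_policy(policy, device):
    """Return 'disabled', 'not-applicable', 'jailbroken' or 'clean'."""
    if not policy["enabled"]:
        return "disabled"
    applicable = [s for s in policy["statements"] if statement_applies(s, device)]
    if not applicable:
        return "not-applicable"
    for stmt in applicable:
        if any(location_triggered(loc, device) for loc in stmt["detectionLocation"]):
            return "jailbroken"
    return "clean"


# The policy from the createJailBreakingDetectionPolicy invocation above.
POLICY = {
    "enabled": True,
    "statements": [{
        "minOSVersion": "3.5", "maxOSVersion": "5.0",
        "minClientSDKVersion": "1.0", "maxClientSDKVersion": "1.0",
        "policyExpirationDurationInSec": 3600, "autoCheckPeriodInMin": 60,
        "detectionLocation": [
            {"filePath": "/root", "success": True, "action": "exists"},
            {"filePath": "/opt", "success": True, "action": "exists"},
        ],
    }],
}

if __name__ == "__main__":
    # Constructed device reports: in range and flagged, in range and clean,
    # and a newer OS that the statement's range does not cover.
    for dev in ({"osVersion": "4.2", "sdkVersion": "1.0", "existingPaths": {"/root"}},
                {"osVersion": "4.2", "sdkVersion": "1.0", "existingPaths": set()},
                {"osVersion": "10.0", "sdkVersion": "1.0", "existingPaths": {"/root"}}):
        print(dev["osVersion"], "->", evaluate_policy(POLICY, dev))
```

The third report is the one to watch when writing ranges: with numeric comparison an OS version of 10.0 falls outside 3.5 to 5.0 and the statement does not apply, whereas a string comparison would have placed it inside the range.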
Table 4-31 describes the various types of WLST commands available for the Oracle Access Management Security Token Service (Security Token Service).
Table 4-31 WLST Security Token Service Command Groups
OSTS Command Type | Description |
---|---|
Partner Commands |
WLST commands related to tasks involving partners. |
Relying Party Partner Mapping Commands |
The WS Prefix to Relying Party Partner mappings are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart... |
Partner Profiles Commands |
WLST commands related to tasks involving partner profiles. |
Issuance Templates Commands |
WLST commands related to tasks involving issuance templates. |
Validation Templates Commands |
WLST commands related to tasks involving validation templates. |
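The Relying Party Partner Mapping description in Table 4-31 says a WS Prefix is either the exact service URL in the AppliesTo field or a parent path of it, so http://test.com/service covers http://test.com/service/calculatorService and http://test.com/service/shop/cart. The following script is an added example, not Oracle's code, that implements that matching for a mapping table and resolves an AppliesTo URL to a partner. Assumptions beyond the page: scheme and host must match exactly, a prefix matches only on whole path segments (so http://test.com/service does not cover http://test.com/service2 or http://test.com/serviceEvil, which a raw string-prefix test would accept), and when several prefixes cover a URL the most specific one wins. The mapping table is constructed from the page's example plus one assumed child mapping.

```python
"""Resolve a WS-Trust AppliesTo service URL to a Relying Party partner via
WS Prefix mappings. Added example, not Oracle's code; segment-wise matching,
exact scheme/host matching and longest-prefix-wins are this example's choices.
"""
from urllib.parse import urlsplit


def _parts(url):
    """Return (scheme, host, [path segments]) with empty segments dropped."""
    u = urlsplit(url)
    return u.scheme.lower(), u.netloc.lower(), [s for s in u.path.split("/") if s]


def prefix_covers(ws_prefix, service_url):
    """True when ws_prefix equals service_url or is a parent path of it."""
    p_scheme, p_host, p_segs = _parts(ws_prefix)
    s_scheme, s_host, s_segs = _parts(service_url)
    if (p_scheme, p_host) != (s_scheme, s_host):
        return False
    # Compare whole segments, so 'service' never matches 'serviceEvil'.
    return s_segs[:len(p_segs)] == p_segs


def resolve_relying_party(mappings, service_url):
    """Return the partner ID of the most specific matching WS Prefix, or None."""
    best_depth, best_partner = -1, None
    for ws_prefix, partner_id in mappings.items():
        if prefix_covers(ws_prefix, service_url):
            depth = len(_parts(ws_prefix)[2])
            if depth > best_depth:
                best_depth, best_partner = depth, partner_id
    return best_partner


# Constructed mapping table: the page's example plus one assumed child mapping.
WS_PREFIX_MAPPINGS = {
    "http://test.com/service": "RelyingPartyPartnerTest",
    "http://test.com/service/shop": "ShopRelyingParty",
}

if __name__ == "__main__":
    for url in ("http://test.com/service",
                "http://test.com/service/calculatorService",
                "http://test.com/service/shop/cart",
                "http://test.com/serviceEvil"):
        print(url, "->", resolve_relying_party(WS_PREFIX_MAPPINGS, url))
```

The last URL resolves to None: a partner mapped for http://test.com/service must not receive tokens issued for a service that merely shares the prefix string.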
Use the WLST commands listed in Table 4-32 to manage the Security Token Service.
Table 4-32 WLST Commands Security Token Service
Use this command... | To... | Use with WLST... |
---|---|---|
Partner Commands |
||
Retrieve a partner and print result. |
Online |
|
Retrieve the names of Requester partners. |
Online |
|
Retrieve the names of all Relying Party partners. |
Online |
|
Retrieve the names of all Issuing Authority partners. |
Online |
|
Query Security Token Service to determine whether or not the partner exists in the Partner store. |
Online |
|
Create a new Partner entry. |
Online |
|
Update an existing Partner entry based on the provided information. |
Online |
|
Delete a partner entry. |
Online |
|
Retrieve the partner's username value. |
Online |
|
Retrieve the partner's password value. |
Online |
|
Set the username and password values of a partner entry. |
Online |
|
Remove the username and password values from a partner entry. |
Online |
|
Retrieve the Base64 encoded signing certificate for the partner. |
Online |
|
Retrieve the Base64 encoded encryption certificate for the partner. |
Online |
|
Upload the signing certificate to the partner entry. |
Online |
|
Upload the encryption certificate to the partner entry. |
Online |
|
Remove the signing certificate from the partner entry. |
Online Offline |
|
Remove the encryption certificate from the partner entry. |
Online Offline |
|
Retrieve and display all Identity mapping attributes used to map a token to a requester partner. |
Online Offline |
|
Retrieve and display the identity mapping attribute. |
Online Offline |
|
Set the identity mapping attribute for a requester partner. |
Online Offline |
|
Delete the identity mapping attribute for a requester partner. |
Online Offline |
|
Relying Party Partner Mapping Commands |
||
Retrieve and display all WS Prefixes. |
Online Offline |
|
Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter. |
Online Offline |
|
Create a new WS Prefix mapping to a Relying Partner. |
Online Offline |
|
Delete an existing WS Prefix mapping to a Relying Partner. |
Online Offline |
|
Partner Profiles Commands |
||
Retrieve the names of all the existing partner profiles. |
Online |
|
Retrieve partner profile configuration data. |
Online |
|
Create a new Requester Partner profile with default configuration data. |
Online |
|
Create a new Relying Party Partner profile with default configuration data. |
Online |
|
Create a new Issuing Authority Partner profile with default configuration data. |
Online |
|
Delete an existing partner profile. |
Online |
|
Issuance Template Commands |
||
Retrieve the names of all the existing Issuance Templates. |
Online Offline |
|
Retrieve configuration data of a specific Issuance Template. |
Online |
|
Create a new Issuance Template with default configuration data. |
Online |
|
Delete an existing Issuance Template. |
Online Offline |
|
Validation Template Commands |
||
Retrieve the names of all the existing Validation Templates. |
Online Offline |
|
Retrieve configuration data of a specific Validation Template. |
Online Offline |
|
Create a new WS Security Validation Template with default configuration data. |
Online Offline |
|
Create a new WS Trust Validation Template with default configuration data. |
Online Offline |
|
Delete an existing Validation Template. |
Online Offline |
Online command that retrieves the Partner entry and prints out the configuration for this partner.
getPartner(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that retrieves Issuing Authority partners and prints out the result.
Online command that queries the Security Token Service to determine whether or not the specified partner exists in the Partner store.
Queries the Security Token Service to determine whether or not the specified partner exists in the Partner store, and prints out the result.
Online command that creates a new Partner entry.
Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.
createPartner(partnerId, partnerType, partnerProfileId, description, bIsTrusted)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the new partner to be created. |
partnerType
|
Specifies the type of partner. Values can be one of the following:
|
partnerProfileId
|
Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry. |
description
|
Specifies the optional description of this new partner entry. |
bIsTrusted
|
A value that indicates whether or not this new partner is trusted. Value can be either:
|
The following invocation creates a partner named customPartner of type STS_REQUESTER, attached to the partner profile custom-partnerprofile, with the description "custom requester" and a trust value of true, and displays a message indicating the result of the operation:
createPartner(partnerId="customPartner", partnerType="STS_REQUESTER", partnerProfileId="custom-partnerprofile", description="custom requester", bIsTrusted="true")
Online command that updates an existing Partner entry.
Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.
updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the existing partner to be updated. |
partnerProfileId
|
Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the partner entry. |
description
|
Specifies the optional description of the partner entry. |
bIsTrusted
|
A value that indicates whether or not the partner is trusted. Value can be either:
|
The following invocation updates customPartner with a new profile ID (x509-wss-validtemp), the description "custom requester with new profile id", and a trust value of false. A message indicates the result of the operation:
updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp", description="custom requester with new profile id", bIsTrusted="false")
Online command that deletes a partner entry from the Security Token Service.
Deletes an existing Partner entry referenced by the partnerId
parameter from the Security Token Service, and prints out the result of the operation.
deletePartner(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner to be deleted. |
Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
getPartnerUsernameTokenUsername(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
getPartnerUsernameTokenPassword(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation.
Sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation. Displays the result of the operation.
setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
UTUsername
|
Specifies the username value used for UNT credentials validation or mapping operations. |
UTPassword
|
Specifies the password value used for UNT credentials validation or mapping operations. |
Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
deletePartnerUsernameTokenCredential(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner whose username and password values are to be removed. |
Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
getPartnerSigningCert(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.
Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.
getPartnerEncryptionCert(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.
setPartnerSigningCert(partnerId, certFile)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
certFile
|
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM. |
Online command that uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.
setPartnerEncryptionCert(partnerId, certFile)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
certFile
|
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM. |
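setPartnerSigningCert and setPartnerEncryptionCert accept a DER or PEM file, while getPartnerSigningCert and getPartnerEncryptionCert display the stored certificate as a Base64 string. A practitioner uploading a partner certificate wants to confirm afterwards that the STS holds exactly the bytes that were sent. The following script is an added example, not Oracle's code, that normalises a local PEM or DER file to the DER bytes and the Base64 form the get commands display, so the two can be compared byte for byte. It checks only the DER framing (one outer SEQUENCE whose declared length equals the data length) and does not parse or validate the certificate itself. The sample bytes are constructed, not a real certificate: a five-byte SEQUENCE stands in for the certificate body.

```python
"""Normalise a partner certificate file (PEM or DER) to the Base64 DER string
that getPartnerSigningCert / getPartnerEncryptionCert display.

Added example, not Oracle's code. Only DER framing is checked; the sample
bytes are constructed and are not a real certificate.
"""
import base64
import re

_PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_sequence_length(buf):
    """Return (content_length, header_size) for the DER SEQUENCE at buf[0]."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("data does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                       # short-form length
        return first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[2:2 + n], "big"), 2 + n


def to_der(data):
    """Accept PEM or DER bytes and return the DER bytes after checking the framing."""
    m = _PEM_BLOCK.search(data)
    if m:
        der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
    else:
        der = bytes(data)
    length, header = _der_sequence_length(der)
    if header + length != len(der):
        raise ValueError("DER declares %d bytes but file holds %d" % (header + length, len(der)))
    return der


def to_base64_der(data):
    """The form the getPartner*Cert commands display for an uploaded file."""
    return base64.b64encode(to_der(data)).decode("ascii")


def matches_displayed(local_cert_bytes, displayed_base64):
    """Compare a local PEM/DER file with the Base64 string WLST displayed."""
    stored = base64.b64decode("".join(displayed_base64.split()))
    return to_der(local_cert_bytes) == stored


# Constructed sample: SEQUENCE { INTEGER 5 }, once as DER and once PEM-wrapped.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              b"MAMCAQU=\n"
              b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    displayed = to_base64_der(SAMPLE_PEM)
    print("Base64 DER:", displayed)
    print("local DER file matches displayed value:", matches_displayed(SAMPLE_DER, displayed))
```

The same normalisation applies to the encryption certificate; after setPartnerEncryptionCert, feed the string from getPartnerEncryptionCert and the local file to matches_displayed. A mismatch means the wrong file, a truncated upload, or a file that was not a single DER certificate to begin with.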
Online command that removes the signing certificate from the partner entry and displays the result of the operation.
Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
deletePartnerSigningCert(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that removes the encryption certificate from the partner entry and displays the result of the operation.
Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
deletePartnerEncryptionCert(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
getPartnerAllIdentityAttributes(partnerId)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester |
The following invocation retrieves and displays all the identity mapping attributes of the Requester partner customPartner:
getPartnerAllIdentityAttributes(partnerId="customPartner")
Online command that retrieves and displays identity mapping attributes used to map a token or to map binding data to a requester partner.
Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
getPartnerIdentityAttribute(partnerId, identityAttributeName)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the Requester partner. |
identityAttributeName
|
Specifies the name of the identity mapping attribute to retrieve and display, for example httpbasicusername. |
Online command that sets the identity mapping attribute for the Requester partner.
Sets the identity mapping attribute specified by identityAttributeName to identityAttributeValue, for the Requester partner specified by the partnerId parameter, and displays the result of the operation. These identity mapping attributes only exist for Requester partners.
setPartnerIdentityAttribute(partnerId, identityAttributeName, identityAttributeValue)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner of type Requester. |
identityAttributeName
|
Specifies the name of the identity mapping attribute to set. |
identityAttributeValue
|
Specifies the value of the identity mapping attribute to set. |
The following invocation sets the httpbasicusername identity mapping attribute of the Requester partner customPartner to test, so that a request bound with that HTTP Basic username is mapped to this partner, and displays the result of the operation.
setPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername",identityAttributeValue="test")
Online command that deletes the identity mapping attribute.
Deletes the identity mapping attribute specified by identityAttributeName from the partner referenced by the partnerId parameter, and displays the result of the operation.
Identity mapping attributes are used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner; they only exist for Requester partners.
deletePartnerIdentityAttribute(partnerId, identityAttributeName)
Argument | Definition |
---|---|
partnerId
|
Specifies the ID of the partner. |
identityAttributeName
|
Specifies the name of the identity mapping attribute to delete. |
Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.
Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
getWSPrefixAndPartnerMapping(wsprefix)
Argument | Definition |
---|---|
wsprefix
|
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
Online command that creates a new WS Prefix mapping to a Relying Party Partner.
Creates a new mapping of a WS Prefix to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation.
createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
Argument | Definition |
---|---|
wsprefix
|
Specifies the WS Prefix entry to create. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
partnerid
|
Specifies the ID of the partner. |
description
|
Specifies an optional description. |
The following invocation maps the WS Prefix http://host1.example.com/path to the Relying Party Partner customRPpartner, and displays the result of the operation.
createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path", partnerid="customRPpartner", description="some description")
Online command that deletes an existing mapping of a WS Prefix to a Relying Party Partner.
Deletes the existing mapping of the WS Prefix referenced by the wsprefix parameter to a Relying Party Partner, and displays the result of the operation.
deleteWSPrefixAndPartnerMapping(wsprefix)
Argument | Definition |
---|---|
wsprefix
|
Specifies the WS Prefix entry whose mapping is to be deleted. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
Online command that retrieves the names of all the existing partner profiles and displays them.
Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.
Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.
getPartnerProfile(partnerProfileId)
Argument | Definition |
---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
Online command that creates a new requester partner profile with default configuration data.
Creates a new requester partner profile with default configuration data, and displays the result of the operation.
Table 4-33 describes the default configuration created with this command.
Table 4-33 Default Configuration: createRequesterPartnerProfile
Element | Description |
---|---|
Return Error for Missing Claims
|
Default: false |
Allow Unmapped Claims
|
Default: false |
Token Type Configuration
|
The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template:
Note: Token Type Configuration and token type to Validation Template mapping are both empty |
Attribute Name Mapping
|
Default: The Attribute Name Mapping table is empty by default. |
createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, description)
Argument | Definition |
---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
defaultRelyingPartyPPID
|
Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner. |
description
|
Specifies the optional description for this partner profile |
The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 4-33.
createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile", defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom partner profile")
Online command that creates a new relying party partner profile with default configuration data.
Creates a new relying party partner profile with default configuration data, and displays the result of the operation.
Table 4-34 describes the default configuration created with this command.
Table 4-34 Default Configuration: createRelyingPartyPartnerProfile
Element | Description |
---|---|
Download Policy |
Default: false |
Allow Unmapped Claims |
Default: false |
Token Type Configuration |
The Token Type Configuration will contain a single entry, with:
Note: For the token type of the issuance template referenced by defaultIssuanceTemplateID, it will be linked to the issuance template, while the other token types will not be linked to any issuance template. If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID |
Attribute Name Mapping |
The Attribute Name Mapping table is empty by default. |
createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, description)
Argument | Definition |
---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
defaultIssuanceTemplateID
|
Specifies the default issuance template and token type to issue if no token type was specified in the RST. |
description
|
Specifies the optional description for this partner profile |
The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.
createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile", defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")
Online command that creates a new issuing authority partner profile with default configuration data.
Creates a new issuing authority partner profile with the default configuration data in Table 4-35, and displays the result of the operation.
Table 4-35 Default Configuration: createIssuingAuthorityPartnerProfile
Element | Description |
---|---|
Server Clockdrift |
Default: 600 seconds |
Token Mapping |
The Token Mapping Section will be configured as follows:
Empty fields
|
Partner NameID Mapping |
The Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:
|
User NameID Mapping |
The User NameID Mapping table will be provisioned with the following entries as NameID format:
|
Attribute Mapping |
The Attribute Value Mapping and Attribute Name Mapping tables are empty by default. |
createIssuingAuthorityPartnerProfile(partnerProfileId, description)
Argument | Definition |
---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
description
|
Specifies the optional description for this partner profile |
Online command that deletes the partner profile referenced by the partnerProfileId parameter.
Deletes the partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.
deletePartnerProfile(partnerProfileId)
Argument | Definition |
---|---|
partnerProfileId
|
Specifies the name of the partner profile to be removed. |
Online command that retrieves the names of all the existing issuance templates.
Online command that retrieves the configuration data of a specific issuance template.
Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.
getIssuanceTemplate(issuanceTemplateId)
Argument | Definition |
---|---|
issuanceTemplateId
|
Specifies the name of the issuance template. |
Online command that creates a new issuance template with default configuration data.
Creates a new issuance template with default configuration data, and displays the result of the operation.
Table 4-36 describes the default configuration for this command.
Table 4-36 Default Configuration: createIssuanceTemplate
Token Type | Description |
---|---|
Username |
The issuance template will be created with the following default values:
|
SAML 1.1 or SAML 2.0 |
The issuance template will be created with the following default values:
Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter |
Custom Type |
The issuance template will be created with the following default values:
|
createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, description)
Argument | Definition |
---|---|
issuanceTemplateId
|
Specifies the name of the issuance template to be created. |
tokenType
|
Possible values can be:
|
signingKeyId
|
Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20. |
description
|
An optional description. |
Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
deleteIssuanceTemplate(issuanceTemplateId)
Argument | Definition |
---|---|
issuanceTemplateId
|
Specifies the name of the existing issuance template to be removed. |
Online command that retrieves the names of all the existing validation templates.
Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.
Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.
getValidationTemplate(validationTemplateId)
Argument | Definition |
---|---|
validationTemplateId
|
Specifies the name of the existing validation template. |
Online command that creates a new validation template with default configuration data.
Creates a new WSS validation template with default configuration data, and displays the result of the operation. The validation template is created using the values in Table 4-37, depending on the token type.
Table 4-37 Default Configuration: createWSSValidationTemplate
Token Type | Description |
---|---|
Username |
The validation template will be created with the following default values:
|
SAML 1.1 or SAML 2.0 |
The validation template will be created with the following default values:
The Token Mapping section will be created with the following default values:
Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping Also:
Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:
User NameID Mapping table will be provisioned with the following entries as NameID format:
|
X.509 |
The Token Mapping section will be created with the following default values:
Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping Also:
|
Kerberos |
The Token Mapping section will be created with the following default values:
Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping Also:
|
createWSSValidationTemplate(templateId, tokenType, defaultRequesterPPID, description)
Argument | Definition |
---|---|
templateId
|
Specifies the name of the validation template to be created. |
tokenType
|
Specifies the token type of the validation template. Possible values can be:
|
defaultRequesterPPID
|
Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester. |
description
|
Specifies an optional description. |
The following invocation creates a new validation template with default configuration data, and displays the result of the operation.
createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom", defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation template")
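The four create commands above are order-dependent: createRelyingPartyPartnerProfile needs an existing issuance template (defaultIssuanceTemplateID), createRequesterPartnerProfile needs an existing relying party partner profile (defaultRelyingPartyPPID), and createWSSValidationTemplate needs an existing requester partner profile (defaultRequesterPPID). The WLST (Jython) script below is an added example, not code from the Oracle documentation; it provisions that chain in dependency order, applies the createWSPrefixAndPartnerMapping command described earlier for the endpoint that the relying party partner serves, and includes a dry-run recorder so the planned calls can be reviewed before anything is changed in the domain. Assumptions: the helper names (provision_sts_chain, CallRecorder, check_wsprefix) are illustrative; under wlst.sh the commands are reachable as attributes of the script's __main__ module after connect(); the tokenType values saml20 and custom are the ones this page itself uses; the relying party partner named in the mapping already exists (partner creation is not among the commands on this page).

```python
import re

# Dependency order of the create commands: each id produced here is an
# argument of the next command (defaultIssuanceTemplateID,
# defaultRelyingPartyPPID, defaultRequesterPPID).
PROVISIONING_ORDER = (
    "createIssuanceTemplate",
    "createRelyingPartyPartnerProfile",
    "createRequesterPartnerProfile",
    "createWSSValidationTemplate",
)

# WS Prefix form documented above: http_protocol://hostname_ip/path, path optional.
_WSPREFIX = re.compile(r"^https?://[A-Za-z0-9][A-Za-z0-9.\-]*(:[0-9]+)?(/[^\s]*)?$")


def check_wsprefix(wsprefix):
    """Fail early on a prefix that could never match an incoming AppliesTo."""
    if not _WSPREFIX.match(wsprefix):
        raise ValueError("wsprefix must be http(s)://host[:port][/path], got %r" % wsprefix)
    return wsprefix


class CallRecorder(object):
    """Dry-run stand-in for the WLST namespace (illustrative helper). Any
    attribute is a fake command that records its keyword arguments instead
    of changing the OAM domain, so the plan can be reviewed first."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, command):
        def fake(**kwargs):
            self.calls.append((command, kwargs))
            return "%s: ok" % command
        return fake


def provision_sts_chain(wlst, prefix, signing_key_id, validation_token_type="custom",
                        wsprefix=None, rp_partner_id=None):
    """Create an issuance template, relying party profile, requester profile
    and WSS validation template named after prefix, in dependency order.

    wlst carries the WLST commands: under wlst.sh pass the script's own
    module (import __main__), for a rehearsal pass a CallRecorder.
    Returns the ids that were created."""
    missing = [c for c in PROVISIONING_ORDER if not hasattr(wlst, c)]
    if missing:
        raise RuntimeError("not an OAM WLST session; missing %s" % ", ".join(missing))
    if wsprefix is not None:
        check_wsprefix(wsprefix)            # validate before anything is created
        if not rp_partner_id:
            raise ValueError("a wsprefix mapping needs the relying party partner id")
    ids = {
        "issuance_template": "%s-saml20-issuance-template" % prefix,
        "rp_profile": "%s-rp-partnerprofile" % prefix,
        "requester_profile": "%s-requester-partnerprofile" % prefix,
        "validation_template": "%s-wss-validtemp" % prefix,
    }
    # signingKeyId is required for saml11/saml20 issuance templates.
    wlst.createIssuanceTemplate(
        issuanceTemplateId=ids["issuance_template"], tokenType="saml20",
        signingKeyId=signing_key_id, description="%s SAML 2.0 issuance" % prefix)
    wlst.createRelyingPartyPartnerProfile(
        partnerProfileId=ids["rp_profile"],
        defaultIssuanceTemplateID=ids["issuance_template"],
        description="%s relying party profile" % prefix)
    wlst.createRequesterPartnerProfile(
        partnerProfileId=ids["requester_profile"],
        defaultRelyingPartyPPID=ids["rp_profile"],
        description="%s requester profile" % prefix)
    wlst.createWSSValidationTemplate(
        templateId=ids["validation_template"], tokenType=validation_token_type,
        defaultRequesterPPID=ids["requester_profile"],
        description="%s WSS validation" % prefix)
    if wsprefix is not None:
        # Maps the endpoint to a relying party *partner* (not the profile);
        # that partner must already exist (its creation is outside this page).
        wlst.createWSPrefixAndPartnerMapping(
            wsprefix=wsprefix, partnerid=rp_partner_id,
            description="%s endpoint mapping" % prefix)
    return ids
```

Inside wlst.sh, after connecting to the Administration Server, the live run is `import __main__; provision_sts_chain(__main__, "acme", "stskey", wsprefix="http://host1.example.com/path", rp_partner_id="customRPpartner")`. Running the same call against `CallRecorder()` yields the ordered list of commands and arguments without touching the domain, which is what you want to compare against the existing profiles and templates (getPartnerProfile, getIssuanceTemplate, getValidationTemplate) before applying.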
Online command that creates a new WS-Trust validation template with default configuration data.
Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation. The WS-Trust validation template is created with the values in Table 4-38, depending on the token type.
Table 4-38 Default Configuration: createWSTrustValidationTemplate
Token Type | Description |
---|---|
Username |
The WS-Trust validation template will be created with the following default values:
|
SAML 1.1 or SAML 2.0 |
The WS-Trust validation template will be created with the following default values:
The Token Mapping section will be created with the following default values:
Empty fields: User Datastore Attribute, Attribute Based User Mapping User NameID Mapping table will be provisioned with the following entries as NameID format:
|
X.509 |
The WS-Trust Token Mapping section will be created with the following default values:
|
Kerberos |
The WS-Trust Token Mapping section will be created with the following default values:
|
OAM |
The WS-Trust Token Mapping section will be created with the following default values:
|
custom |
The WS-Trust Token Mapping section will be created with the following default values:
|
createWSTrustValidationTemplate(templateId, tokenType, description)
Argument | Definition |
---|---|
templateId
|
Specifies the name of the WS-Trust validation template to be created. |
tokenType
|
Specifies the token type of the WS-Trust validation template. Possible values can be:
|
description
|
Specifies an optional description. |
Online command that deletes a validation template.
Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.
deleteValidationTemplate(validationTemplateId)
Argument | Definition |
---|---|
validationTemplateId
|
Specifies the name of the validation template to be removed. |
This section contains commands used with the OPSS keystore service.
Note:
You need to acquire an OPSS handle to use keystore service commands. For details, see Managing Keys and Certificates with the Keystore Service in the Oracle Fusion Middleware Security Guide.
Table 4-39 lists the WLST commands used to manage the keystore service.
Table 4-39 OPSS Keystore Service Commands
Use this Command... | to... |
---|---|
Change the password for a key. |
|
Change the password on a keystore. |
|
Create a keystore. |
|
Delete a keystore. |
|
Delete an entry in a keystore. |
|
Export a keystore to file. |
|
Export a certificate to a file. |
|
Export a certificate request to a file. |
|
Generate a keypair. |
|
Generate a secret key. |
|
Get information about a certificate or trusted certificate. |
|
Get the secret key properties. |
|
Import a keystore from file. |
|
Import a certificate or other object. |
|
List certificates expiring in a specified period. |
|
List aliases in a keystore. |
|
List all the keystores in a stripe. |
Changes a key password.
svc.changeKeyPassword(appStripe='stripe', name='keystore', password='password', alias='alias', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
password
|
Specifies the keystore password |
alias
|
Specifies the alias of the key entry whose password is changed |
currentkeypassword
|
Specifies the current key password |
newkeypassword
|
Specifies the new key password |
Changes the password of a keystore.
svc.changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
currentpassword
|
Specifies the current keystore password |
newpassword
|
Specifies the new keystore password |
This keystore service command creates a new keystore.
svc.createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore is created. |
name
|
Specifies the name of the new keystore. |
password
|
Specifies the keystore password. |
permission
|
This parameter is true if the keystore is protected by permission only, false if protected by both permission and password. |
Deletes the named keystore.
svc.deleteKeyStore(appStripe='stripe', name='keystore', password='password')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore to be deleted. |
password
|
Specifies the keystore password. |
Deletes a keystore entry.
svc.deleteKeyStoreEntry(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be deleted |
keypassword
|
Specifies the key password of the entry to be deleted |
Exports a keystore to a file.
svc.exportKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-delimited-aliases', keypasswords='comma-delimited-keypasswords', type='keystore-type', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
aliases
|
Comma separated list of aliases to be exported. |
keypasswords
|
Comma separated list of the key passwords corresponding to the aliases, in the same order. |
type
|
Exported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath
|
Absolute path of the file where the keystore is exported. The exported file holds the private keys of the listed aliases, so write it to a location with restricted permissions. |
Exports a certificate.
svc.exportKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be exported |
keypassword
|
Specifies the key password. |
type
|
Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported. |
Exports a certificate request.
svc.exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the entry's alias name. |
keypassword
|
Specifies the key password. |
filepath
|
Specifies the absolute path of the file where certificate request is exported. |
Generates a key pair in a keystore.
svc.generateKeyPair(appStripe='stripe', name='keystore', password='password', dn='distinguishedname', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
dn
|
Specifies the distinguished name of the certificate wrapping the key pair. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key pair entry. |
keypassword
|
Specifies the key password. |
Generates a secret key.
svc.generateSecretKey(appStripe='stripe', name='keystore', password='password', algorithm='algorithm', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
algorithm
|
Specifies the symmetric key algorithm. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key entry. |
keypassword
|
Specifies the key password. |
Gets a certificate from the keystore.
svc.getKeyStoreCertificates(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed. |
keypassword
|
Specifies the key password. |
Retrieves secret key properties.
svc.getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the secret key whose properties are displayed. |
keypassword
|
Specifies the secret key password. |
Imports a keystore from file.
svc.importKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-delimited-aliases', keypasswords='comma-delimited-keypasswords', type='keystore-type', permission=true|false, filepath='absolute_file_path')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
aliases
|
Specifies the comma-delimited aliases of the entries to be imported from file. |
keypasswords
|
Specifies the comma-delimited passwords of the keys in file. |
type
|
Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath
|
Specifies the absolute path of the keystore file to be imported. |
permission
|
Specifies true if keystore is protected by permission only, false if protected by both permission and password. |
Imports a certificate or other specified object.
svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be imported. |
keypassword
|
Specifies the key password of the newly imported entry. |
type
|
Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported. |
Lists expiring certificates.
svc.listExpiringCertificates(days='days', autorenew=true|false)
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
days
|
Specifies that the list should only include certificates within this many days from expiration. |
autorenew
|
Specifies true for automatically renewing expiring certificates, false for only listing them. |
Lists the aliases in a keystore.
The syntax is as follows:
svc.listKeyStoreAliases(appStripe='stripe', name='keystore', password='password', type='entrytype')
Argument | Definition |
---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
type
|
Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'. |
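The commands above are normally combined into a certificate rotation: generateKeyPair, exportKeyStoreCertificateRequest, importKeyStoreCertificate with type CertificateChain, then getKeyStoreCertificates to confirm what was installed. The WLST (Jython) script below is an added example, not code from the Oracle documentation; it shows that workflow with two checks a practitioner wants: a new key is never generated over an alias that is already in service, and keystore and key passwords are read from owner-only files instead of being written into the script or typed on the wlst.sh command line. Assumptions: the helper names (request_new_key, install_signed_chain, load_secret, DryRunKeystoreService) and all paths are illustrative; listKeyStoreAliases is assumed to return the alias list; the stripe, keystore and alias names are placeholders; the `__main__` guard is assumed to hold when the file is run with wlst.sh, where getOpssService is a built-in.

```python
import os
import stat


def check_secret_mode(mode):
    """True only when a file mode has no group or other permission bits,
    the condition load_secret requires of a password file."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_secret(path):
    """Read a keystore or key password from an owner-only file rather than
    embedding it in the script or passing it on the wlst.sh command line,
    where it lands in shell history and process listings."""
    mode = os.stat(path).st_mode
    if not check_secret_mode(mode):
        raise RuntimeError("%s is group/world accessible (mode %o); chmod 600 it first"
                           % (path, stat.S_IMODE(mode)))
    fh = open(path)
    try:                       # try/finally rather than 'with': WLST's Jython may predate it
        return fh.read().strip()
    finally:
        fh.close()


class DryRunKeystoreService(object):
    """Illustrative stand-in for the object getOpssService(name='KeyStoreService')
    returns. It keeps an alias table per keystore and records every call, so
    the rotation below can be rehearsed without a security store."""
    def __init__(self):
        self.aliases = {}
        self.calls = []

    def listKeyStoreAliases(self, **kw):
        self.calls.append(("listKeyStoreAliases", kw))
        return list(self.aliases.get((kw["appStripe"], kw["name"]), []))

    def generateKeyPair(self, **kw):
        self.calls.append(("generateKeyPair", kw))
        self.aliases.setdefault((kw["appStripe"], kw["name"]), []).append(kw["alias"])

    def exportKeyStoreCertificateRequest(self, **kw):
        self.calls.append(("exportKeyStoreCertificateRequest", kw))

    def importKeyStoreCertificate(self, **kw):
        self.calls.append(("importKeyStoreCertificate", kw))

    def getKeyStoreCertificates(self, **kw):
        self.calls.append(("getKeyStoreCertificates", kw))
        return "dry-run certificate chain for alias %s" % kw["alias"]


def request_new_key(svc, stripe, keystore, ks_password, alias, key_password,
                    dn, csr_path, keysize="2048"):
    """Rotation step 1: generate a key pair under a *new* alias and export
    its CSR. Refusing an existing alias keeps the key currently in service
    intact until the signed chain for the new one has been installed."""
    # listKeyStoreAliases is assumed to return the alias list; treat None as empty.
    existing = svc.listKeyStoreAliases(appStripe=stripe, name=keystore,
                                       password=ks_password, type="*") or []
    if alias in existing:
        raise ValueError("alias %r already exists in %s/%s; use a fresh alias for the rotated key"
                         % (alias, stripe, keystore))
    svc.generateKeyPair(appStripe=stripe, name=keystore, password=ks_password, dn=dn,
                        keysize=keysize, alias=alias, keypassword=key_password)
    svc.exportKeyStoreCertificateRequest(appStripe=stripe, name=keystore, password=ks_password,
                                         alias=alias, keypassword=key_password, filepath=csr_path)
    return csr_path


def install_signed_chain(svc, stripe, keystore, ks_password, alias, key_password, chain_path):
    """Rotation step 2: import the CA-signed chain over the new alias as a
    CertificateChain entry, then read it back so the caller can verify the
    installed chain before pointing consumers (for example an STS issuance
    template's signingKeyId) at the new alias and deleting the old entry."""
    svc.importKeyStoreCertificate(appStripe=stripe, name=keystore, password=ks_password,
                                  alias=alias, keypassword=key_password,
                                  type="CertificateChain", filepath=chain_path)
    return svc.getKeyStoreCertificates(appStripe=stripe, name=keystore, password=ks_password,
                                       alias=alias, keypassword=key_password)


if __name__ == "__main__":
    # Live run under wlst.sh after connect(); getOpssService is a WLST built-in.
    # Stripe, keystore, alias and paths are placeholders for this example.
    svc = getOpssService(name="KeyStoreService")
    ks_pw = load_secret("/var/opss/secrets/system-trust.pw")
    key_pw = load_secret("/var/opss/secrets/sts-2024.pw")
    request_new_key(svc, "system", "trust", ks_pw, "sts-2024", key_pw,
                    "cn=sts.example.com,o=Example", "/var/opss/csr/sts-2024.csr")
```

Rehearse with `svc = DryRunKeystoreService()` and the same calls; the recorded `svc.calls` list shows exactly which commands and arguments the live run will issue. The old alias is left in place deliberately: delete it with deleteKeyStoreEntry only after every consumer has been switched to the new alias and verified.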
Use the WLST commands listed in Table 4-40 to manage Identity Directory Service Entity Attributes, Entity Definitions, Relationships and default Operational configurations.
Table 4-40 WLST Identity Directory Service Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Reload the Identity Directory Service configuration |
Online |
|
Add a new attribute to the entity configuration |
Online |
|
Add a new attribute to the specified entity |
Online |
|
Add a new entity to the entity configuration |
Online |
|
Add a new entity relation to the entity configuration |
Online |
|
Add a new Identity Directory Service to the configuration |
Online |
|
Add a new operation configuration to the entity configuration |
Online |
|
Add a new property to a specified operation configuration |
Online |
|
Delete an attribute from an entity configuration |
Online |
|
Delete an entity from an entity configuration |
Online |
|
Delete the specified entity relation |
Online |
|
Delete the specified Identity Directory Service in the configuration |
Online |
|
Delete operation configuration in an entity configuration |
Online |
|
List all attributes in the entity configuration |
Online |
|
List all entities defined in the specified entity configuration |
Online |
|
List all Identity Directory Services in the configuration |
Online |
|
Remove an attribute from the specified entity |
Online |
|
Remove a property for the specified operation configuration |
Online |
addAttributeInEntityConfig
addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)
Table 4-41 addAttributeInEntityConfig Arguments
Argument | Definition |
---|---|
name |
Name of the attribute to be added |
datatype |
The attribute's type is defined as one of the following:
|
description |
Description of the attribute to be added |
readOnly |
Flag to specify whether the attribute is read only or can be modified |
pwdAttr |
Flag to specify whether the attribute defines a password or not |
appName |
Name of the Identity Directory Service |
addAttributeRefForEntity
addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)
Table 4-42 addAttributeRefForEntity Arguments
Argument | Definition |
---|---|
name |
Name of the entity to which the attribute will be added |
attrRefName |
Name of the attribute to be added to the entity |
attrRefFilter |
The type of filter to be used with the attribute is defined as one of the following:
|
attrRefDefaultFetch |
Flag to specify whether the attribute is fetched by default |
appName |
Name of the Identity Directory Service |
addEntity
addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)
Table 4-43 addEntity Arguments
Argument | Definition |
---|---|
name |
Name of the entity to be added |
type |
Type of the entity to be added |
idAttr |
Identity attribute of the entity to be added |
create |
Flag to specify whether create is allowed |
modify |
Flag to specify whether modify is allowed |
delete |
Flag to specify whether delete is allowed |
search |
Flag to specify whether search is allowed |
attrRefNames |
Array of attribute names |
attrRefFilters |
An array of filter type values is defined as one of the following:
|
attrRefDefaultFetches |
Array of boolean strings (true, false) |
appName |
Name of the Identity Directory Service |
addEntityRelation
addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)
Table 4-44 addEntityRelation Arguments
Argument | Definition |
---|---|
name |
Name of the relation between the entities for the given attributes |
type |
Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne") |
fromEntity |
Name of the from entity |
fromAttr |
Name of the from attribute |
toEntity |
Name of the to entity |
toAttr |
Name of the to attribute |
recursive |
Flag to set the entity relationship as recursive |
appName |
Name of the Identity Directory Service |
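addEntity takes three parallel arrays (attrRefNames, attrRefFilters, attrRefDefaultFetches) that must line up element by element, and addEntityRelation accepts only the four relation types listed in Table 4-44. The WLST (Jython) helpers below are an added example, not code from the Oracle documentation; they build the keyword arguments for both commands from one attribute list so the arrays cannot drift out of step, check that idAttr is one of the entity's own attributes, and reject an unknown relation type before anything is sent to the server. Assumptions: the helper names (entity_args, relation_args, bool_str) are illustrative; the create/modify/delete/search and recursive flags are passed as boolean strings like attrRefDefaultFetches (an assumption, the page does not state their form); the attribute filter values are not listed on this page, so the helper passes them through unchecked.

```python
# Entity relation types from Table 4-44.
RELATION_TYPES = ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne")


def bool_str(value):
    """The array arguments take boolean strings ("true"/"false"), not Python
    booleans; normalise either form and reject anything else."""
    if isinstance(value, str):
        if value.lower() in ("true", "false"):
            return value.lower()
        raise ValueError("not a boolean string: %r" % value)
    return value and "true" or "false"


def entity_args(name, entity_type, id_attr, attributes, app_name,
                create=False, modify=False, delete=False, search=True):
    """Build the keyword arguments for addEntity from one list of
    (attrRefName, attrRefFilter, attrRefDefaultFetch) triples, so the three
    parallel arrays cannot drift out of step. Also insists that idAttr is one
    of the entity's attributes and that no attribute is listed twice."""
    names, filters, fetches = [], [], []
    for attr_name, attr_filter, default_fetch in attributes:
        if attr_name in names:
            raise ValueError("attribute %r listed twice for entity %r" % (attr_name, name))
        names.append(attr_name)
        filters.append(attr_filter)          # filter values are not validated here
        fetches.append(bool_str(default_fetch))
    if id_attr not in names:
        raise ValueError("idAttr %r is not among the attributes of %r" % (id_attr, name))
    # Flags as boolean strings is an assumption (the page gives only their meaning).
    return dict(name=name, type=entity_type, idAttr=id_attr,
                create=bool_str(create), modify=bool_str(modify),
                delete=bool_str(delete), search=bool_str(search),
                attrRefNames=names, attrRefFilters=filters,
                attrRefDefaultFetches=fetches, appName=app_name)


def relation_args(name, relation_type, from_entity, from_attr, to_entity, to_attr,
                  app_name, recursive=False):
    """Keyword arguments for addEntityRelation, with the type checked against
    the four values the command accepts before anything is sent."""
    if relation_type not in RELATION_TYPES:
        raise ValueError("relation type must be one of %s, got %r"
                         % (", ".join(RELATION_TYPES), relation_type))
    return dict(name=name, type=relation_type, fromEntity=from_entity, fromAttr=from_attr,
                toEntity=to_entity, toAttr=to_attr, recursive=bool_str(recursive),
                appName=app_name)


# Under wlst.sh the dicts are applied as addEntity(**entity_args(...)) and
# addEntityRelation(**relation_args(...)), after the usual connect().
```

Because the checks run before the command is issued, a mistake such as an idAttr that is not fetched, a duplicated attribute, or a misspelled relation type fails in the script rather than leaving a half-configured entity on the server.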
addIdentityDirectoryService
addIdentityDirectoryService(name, description, propNames, propValues)
Table 4-45 addIdentityDirectoryService Arguments
Argument | Definition |
---|---|
name | Name of the IdentityStoreService to be added |
description | Description of the IdentityStoreService |
propNames | An array of property names to be added to the IdentityStoreService configuration |
propValues | An array of values for the property names added to the IdentityStoreService configuration |
addOperationConfig
addOperationConfig(entityName, propNames, propValues, appName)
Table 4-46 addOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added |
propNames | An array of property names to be added to the operation configuration |
propValues | An array of property values for the properties added to the operation configuration |
appName | Name of the Identity Directory Service |
addPropertyForOperationConfig
addPropertyForOperationConfig(entityName, propName, propValue, appName)
Table 4-47 addPropertyForOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added |
propName | A property name to be added to the operation configuration |
propValue | A value for the property added to the operation configuration |
appName | Name of the Identity Directory Service |
deleteAttributeInEntityConfig
deleteIdentityDirectoryService
Deletes the specified IdentityStoreService from the Identity Directory Service configuration.
deleteIdentityDirectoryService(name)
where name is the name of the IdentityStoreService configuration to be deleted.
listAllAttributeInEntityConfig
listAllAttributeInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of attributes is retrieved.
listAllEntityInEntityConfig
listAllEntityInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of entities is retrieved.
removeAttributeRefForEntity
Use the WLST commands listed in Table 4-54 to manage Library Oracle Virtual Directory (LibOVD) LDAP and Join Adapters configuration. These commands act on the OVD configuration associated with a particular OPSS Context passed in as a parameter.
Table 4-54 WLST LibOVD Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
| | Reload the LibOVD configuration | Online |
| | Add an attribute exclusion rule | Online |
| | Add a new attribute mapping rule | Online |
| | Add a domain exclusion rule | Online |
| | Add a new domain mapping rule | Online |
| | Add a join rule to an existing Join adapter for the OVD associated with the given OPSS context | Online |
| | Add a new remote host to an existing LDAP adapter | Online |
| | Create a new mapping context | Online |
| | Add a plugin to an existing adapter or at the global level | Online |
| | Add new parameter values to an existing adapter-level plugin or global plugin | Online |
| | Create a new Join adapter for the OVD associated with the given OPSS context | Online |
| | Create a new LDAP adapter for the OVD associated with the given OPSS context | Online |
| | Delete an existing adapter for the OVD associated with the given OPSS context | Online |
| | Delete an attribute exclusion rule | Online |
| | Delete an attribute mapping rule | Online |
| | Delete a domain exclusion rule | Online |
| | Delete a domain mapping rule | Online |
| | Delete the specified mapping context | Online |
| | Display the details of an existing adapter that is configured for the OVD associated with the given OPSS context | Online |
| | List the name and type of all adapters configured for the OVD associated with the given OPSS context | Online |
| | List all the mapping contexts | Online |
| | List all the attribute rules | Online |
| | List all the domain rules | Online |
| | Modify an existing LDAP adapter configuration | Online |
| | Remove a join rule from a Join adapter configured for the OVD associated with the given OPSS context | Online |
| | Remove a remote host from an existing LDAP adapter configuration | Online |
| | Remove a plugin from an existing adapter or at the global level | Online |
| | Remove an existing parameter from a configured adapter-level plugin or global plugin | Online |
activateLibOVDConfigChanges
activateLibOVDConfigChanges(contextName)
where contextName is the name of the Oracle Platform Security Services context to which the OVD configuration is associated. This optional parameter defaults to default.
addAttributeExclusionRule
addAttributeExclusionRule(attribute, mappingContextId, contextName)
Table 4-55 addAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be added to the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
addAttributeRule
addAttributeRule(srcAttrs, srcObjectClass, srcAttrType, dstAttr, dstObjectClass, dstAttrType, mappingExpression, direction, mappingContextId, contextName)
addDomainExclusionRule
addDomainExclusionRule(domain, mappingContextId, contextName)
Table 4-57 addDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished name (DN) of the attribute to be added to the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
addDomainRule
addDomainRule(srcDomain, destDomain, domainConstructRule, mappingContextId, contextName)
Table 4-58 addDomainRule Arguments
Argument | Definition |
---|---|
srcDomain | |
destDomain | |
domainConstructRule | Name of the attribute to be added to the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
addJoinRule
Adds a join rule to an existing Join adapter for the OVD associated with the specified OPSS context.
addJoinRule(adapterName=<adapterName>, secondary=<secondary>, condition=<condition>, joinerType=<joinerType>, contextName=<contextName>)
Table 4-59 addJoinRule Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be modified |
secondary | Name of the adapter to join to |
condition | The attribute(s) to join on |
joinerType | An optional parameter that defines the type of Join. Accepted values are Simple (default), Conditional, OneToMany, or Shadow. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
addJoinRule('join1', 'secondaryldap', 'cn=cn', 'Simple', 'default')
addJoinRule('join1', 'secondaryldap', 'cn=cn', 'Conditional', 'default')
addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', joinerType='OneToMany')
addJoinRule(adapterName='join1', secondary='LDAP2', condition='uid=cn', contextName='myContext')
addLDAPHost
Adds a new remote host (host:port pair) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.
addLDAPHost(adapterName=<adapterName>, host=<host>, port=<port>, contextName=<contextName>)
Table 4-60 addLDAPHost Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified |
host | Remote LDAP host with which the LDAP adapter will communicate |
port | Port number of the remote LDAP host |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
addPlugin
Adds a plugin to an existing adapter, or at the global level when no adapter is named. The i-th entry of paramKeys corresponds to the i-th entry of paramValues. The plugin is added to the default chain.
addPlugin(pluginName=<pluginName>, pluginClass=<pluginClass>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-62 addPlugin Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be created |
pluginClass | Class of the plugin |
paramKeys | Init Param Keys separated by "|" |
paramValues | Init Param Values separated by "|" |
adapterName | Name of the adapter to be modified. If not specified, the plugin is added at the global level. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
addPlugin(adapterName='ldap1', pluginName='VirtualAttr', pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPlugin(pluginName='VirtualAttr', pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPluginParam
Adds new parameter values to an existing adapter-level plugin or global plugin. If the parameter already exists, the new value is added to its existing set of values. The i-th entry of paramKeys corresponds to the i-th entry of paramValues.
addPluginParam(pluginName=<pluginName>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-63 addPluginParam Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be modified |
paramKeys | Init Param Keys separated by "|" |
paramValues | Init Param Values separated by "|" |
adapterName | Name of the adapter to be modified. If not specified, the global plugin is modified. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
createJoinAdapter
createJoinAdapter(contextName=<contextName>, adapterName=<adapterName>, root=<root>, primaryAdapter=<primaryAdapter>, bindAdapter=<bindAdapter>)
Table 4-64 createJoinAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be created |
mappingContextId | Virtual Namespace of the Join adapter |
primaryAdapter | Identifier of the primary adapter (the adapter searched first in the join operation) |
root | |
bindAdapter | Identifier of the bind adapter(s) (the adapter(s) whose proxy account is used to bind in the LDAP operation). By default, the primaryAdapter is set as the bindAdapter. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
createLDAPAdapter
createLDAPAdapter(adapterName=<adapterName>, root=<root>, host=<host>, port=<port>, remoteBase=<remoteBase>, isSecure=<true|false>, bindDN=<bindDN>, bindPasswd=<bindPasswd>, passCred=<passCred>, contextName=<contextName>)
Table 4-65 createLDAPAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be created |
root | Virtual Namespace of the LDAP adapter |
host | Remote LDAP host with which the LDAP adapter will communicate |
port | Port number of the remote LDAP host |
remoteBase | Location in the remote DIT to which root corresponds |
isSecure | An optional parameter that enables secure SSL/TLS connections to the remote hosts when set to true. The default value is "false". |
bindDN | Proxy BindDN used to communicate with the remote host. An optional parameter with default value "". |
bindPasswd | Proxy BindPasswd used to communicate with the remote host. An optional parameter with default value "". |
passCred | This optional parameter controls what credentials, if any, OVD passes to the backend (remote host) LDAP server. Values can be Always (default), None, or BindOnly. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
deleteAdapter
deleteAttributeExclusionRule
deleteAttributeExclusionRule(attribute, mappingContextId, contextName)
Table 4-67 deleteAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be removed from the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
deleteAttributeRule
deleteDomainExclusionRule
deleteDomainExclusionRule(domain, mappingContextId, contextName)
Table 4-69 deleteDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished Name of the container to be removed from the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
deleteDomainRule
deleteMappingContext
getAdapterDetails
Displays the details of an existing adapter configured for the Oracle Virtual Directory associated with the specified OPSS context.
getAdapterDetails(adapterName=<adapterName>, contextName=<contextName>)
Table 4-72 getAdapterDetails Arguments
Argument | Definition |
---|---|
adapterName | Name of the adapter whose details are to be displayed |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
listAdapters
Lists the name and type of all adapters that are configured for the Oracle Virtual Directory associated with the specified OPSS Context.
listAttributeRules
Lists all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION
modifyLDAPAdapter
This command modifies the following parameters of an existing LDAP adapter:
Remote Base
Root
Secure
BindDN
BindPassword
PassCredentials
MaxPoolSize
modifyLDAPAdapter(adapterName=<adapterName>, attribute=<attribute>, value=<value>, contextName=<contextName>)
Table 4-77 modifyLDAPAdapter Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be modified |
value | New value for the attribute |
adapterName | Name of the LDAP adapter to be modified |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org')
modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly')
modifyLDAPAdapter('ldap1', 'BindDN', 'cn=proxyuser,dc=com', 'mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123')
modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true)
modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500)
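The createLDAPAdapter and modifyLDAPAdapter arguments above leave two things to the operator: isSecure defaults to false, and the attribute names and value types modifyLDAPAdapter accepts are only listed in prose. The following is an added example, written for this page and not Oracle's code, that checks a proposed adapter definition before the WLST call is made. It uses only the parameter names and accepted values shown in Tables 4-65 and 4-77 (attribute names spelled as in the page's own modifyLDAPAdapter examples); the review wording, the sample adapter and the placeholder password are constructed for illustration.

```python
# Added example, not Oracle's code: sanity-check LDAP adapter settings before
# passing them to createLDAPAdapter / modifyLDAPAdapter.

PASS_CRED_VALUES = ("Always", "None", "BindOnly")

# Attributes modifyLDAPAdapter accepts (spelled as in the page's examples) and
# the Python type each value should have in the WLST call.
MODIFIABLE_ATTRS = {
    "RemoteBase": str,
    "Root": str,
    "Secure": bool,
    "BindDN": str,
    "BindPassword": str,
    "PassCredentials": str,
    "MaxPoolSize": int,
}


def review_ldap_adapter(cfg):
    """Return a list of findings for a dict of createLDAPAdapter keyword args.

    An empty list means nothing looked risky or malformed.
    """
    findings = []
    for required in ("adapterName", "root", "host", "port", "remoteBase"):
        if not cfg.get(required):
            findings.append("missing required argument %s" % required)

    # isSecure defaults to false: the proxy bind (bindDN/bindPasswd) and every
    # search result then travel in cleartext between OVD and the remote host.
    if not cfg.get("isSecure", False):
        findings.append("isSecure is false: traffic to %s:%s is cleartext LDAP"
                        % (cfg.get("host"), cfg.get("port")))

    pass_cred = cfg.get("passCred", "Always")
    if pass_cred not in PASS_CRED_VALUES:
        findings.append("passCred %r is not one of %s"
                        % (pass_cred, ", ".join(PASS_CRED_VALUES)))

    bind_dn = cfg.get("bindDN", "")
    bind_pw = cfg.get("bindPasswd", "")
    if bind_dn and not bind_pw:
        findings.append("bindDN is set but bindPasswd is empty")
    if bind_pw and not bind_dn:
        findings.append("bindPasswd is set but bindDN is empty")
    return findings


def validate_modify(attribute, value):
    """Return (ok, message) for one modifyLDAPAdapter attribute/value pair."""
    expected = MODIFIABLE_ATTRS.get(attribute)
    if expected is None:
        return False, "unknown attribute %r; modifiable: %s" % (
            attribute, ", ".join(sorted(MODIFIABLE_ATTRS)))
    if expected is bool:
        if not isinstance(value, bool):
            return False, "%s expects true or false" % attribute
    elif expected is int:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
            return False, "%s expects a positive integer" % attribute
    elif not isinstance(value, str):
        return False, "%s expects a string" % attribute
    if attribute == "PassCredentials" and value not in PASS_CRED_VALUES:
        return False, "PassCredentials must be one of %s" % ", ".join(PASS_CRED_VALUES)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: an adapter defined like the page's ldap1, but with
    # isSecure left at its default. The host and password are placeholders.
    sample = {"adapterName": "ldap1", "root": "dc=us,dc=oracle,dc=com",
              "host": "ldap.example.invalid", "port": 389,
              "remoteBase": "dc=org", "bindDN": "cn=proxyuser,dc=com",
              "bindPasswd": "PLACEHOLDER", "passCred": "BindOnly"}
    for finding in review_ldap_adapter(sample):
        print("finding: " + finding)
    print(validate_modify("Secure", True))
    print(validate_modify("MaxPoolSize", "500"))
```

Run it before the WLST session rather than inside it: the checks are plain Python and need no connection. The isSecure finding is the one to act on first, since the proxy bind credentials given in bindDN/bindPasswd are sent to the remote host on every connection the adapter opens.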
removeJoinRule
Removes a join rule from a Join adapter configured for the Oracle Virtual Directory associated with the specified OPSS Context.
removeJoinRule(adapterName=<adapterName>, secondary=<secondary>, contextName=<contextName>)
Table 4-78 removeJoinRule Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be modified |
secondary | The join rules corresponding to this secondary adapter are removed from the Join adapter |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
removeLDAPHost
removeLDAPHost(adapterName=<adapterName>, host=<host>, contextName=<contextName>)
Table 4-79 removeLDAPHost Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified |
host | Location of a remote LDAP host with which the LDAP adapter communicates |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
removePlugin
removePlugin(pluginName=<pluginName>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-80 removePlugin Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be removed |
adapterName | Name of the adapter to be modified. If not specified, the global plugin is removed. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
removePluginParam
Removes an existing parameter from a configured adapter level plugin or global plugin. This removes all values of the particular parameter from the plugin.
removePluginParam(pluginName=<pluginName>, paramKey=<paramKey>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-81 removePluginParam Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be modified |
paramKey | Parameter to be removed |
adapterName | Name of the adapter to be modified. If not specified, the global plugin is modified. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated (optional; the default value is default) |
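addPlugin, addPluginParam and removePluginParam share one convention: the i-th entry of the "|"-separated paramKeys string pairs with the i-th entry of paramValues, addPluginParam appends to a parameter that already exists, and removePluginParam drops every value of a parameter. The following added example, written for this page and not part of Oracle's WLST, models those three behaviours so the effect of a call can be checked before it is applied. The in-memory plugin dictionary stands in for the adapter configuration and is an assumption for illustration; the sample plugin is taken from the addPlugin example above.

```python
# Added example, not Oracle's code: model the paramKeys/paramValues pairing of
# addPlugin and addPluginParam and the all-values removal of removePluginParam.
# `plugins` is a plain dict standing in for the adapter configuration.

def parse_plugin_params(param_keys, param_values, sep="|"):
    """Split two '|'-separated strings into an ordered list of (key, value) pairs.

    Whitespace around each token is stripped, since the page's examples write
    'AddAttribute | MatchFilter | ContainerDN'. A key/value count mismatch is an
    error: silently truncating would attach a value to the wrong key.
    """
    keys = [k.strip() for k in param_keys.split(sep)]
    values = [v.strip() for v in param_values.split(sep)]
    if len(keys) != len(values):
        raise ValueError("%d keys but %d values" % (len(keys), len(values)))
    if any(k == "" for k in keys):
        raise ValueError("empty parameter key in %r" % param_keys)
    return list(zip(keys, values))


def add_plugin(plugins, plugin_name, plugin_class, param_keys, param_values):
    """addPlugin semantics: register the plugin with its initial parameters."""
    params = {}
    for key, value in parse_plugin_params(param_keys, param_values):
        params.setdefault(key, []).append(value)
    plugins[plugin_name] = {"class": plugin_class, "params": params}
    return plugins[plugin_name]


def add_plugin_param(plugins, plugin_name, param_keys, param_values):
    """addPluginParam semantics: a new value joins the parameter's existing values."""
    params = plugins[plugin_name]["params"]
    for key, value in parse_plugin_params(param_keys, param_values):
        params.setdefault(key, []).append(value)
    return params


def remove_plugin_param(plugins, plugin_name, param_key):
    """removePluginParam semantics: every value of the parameter is removed.

    Returns the removed values, or None if the parameter was not present.
    """
    return plugins[plugin_name]["params"].pop(param_key, None)


if __name__ == "__main__":
    plugins = {}
    # Sample from the page's addPlugin example.
    add_plugin(plugins, "VirtualAttr",
               "oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin",
               "AddAttribute | MatchFilter | ContainerDN",
               "cn=%uid% | objectclass=person | dc=oracle,dc=com")
    add_plugin_param(plugins, "VirtualAttr", "MatchFilter", "objectclass=inetOrgPerson")
    print(plugins["VirtualAttr"]["params"])
    remove_plugin_param(plugins, "VirtualAttr", "MatchFilter")
    print(plugins["VirtualAttr"]["params"])
```

One caveat follows directly from the separator: a value that itself contains "|" (an LDAP OR filter such as (|(objectclass=person)(objectclass=group)) in MatchFilter) cannot be passed through paramValues, because it splits into extra tokens and trips the count check rather than silently mis-pairing.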