This section provides detailed descriptions of custom WebLogic Scripting Tool (WLST) commands for Mobile Access Security Server (MSAS), including command syntax, arguments and command examples. These commands perform many of the same functions that you can complete using MSAS console.
The following topics describe the WLST commands for managing MSAS instances from the command line, including configuring identity store profiles, message security, and trusted issuers. Topics include:
Notes:
This chapter describes only the WLST commands supported by MSAS.
To learn more about configuring an MSAS using WLST, see "Configuring an MSAS Instance Using WLST" in Administering Mobile Security Access Server.
The WLST commands for managing MSAS must be executed from the IDM_HOME
/common/bin directory
directory of your Mobile Security Manager (MSM), for example /home/oracle/omsm/ORACLE_IDM/common/bin
. Before running these commands, ensure that the Administration Server for the MSM domain is running.
To display the help for the MSAS configuration, identity store, and repository management commands, connect to a running instance of the server and enter help('msasManage')
.
To display the help for resetWSMPolicyRepository
, session commands, and trusted issuer configuration commands, connect to a running instance of the server and enter help('wsmManage')
.
Use the commands listed in Table 9-1 to manage MSAS configurations and application metadata.
Note:
The MSAS configuration command definitions begin with "displayMSASConfiguration."Table 9-1 MSAS Configuration Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Display the MSAS configuration properties, and their values and groups, for a MSAS instance. |
Online |
|
Create or modify the configuration properties for a MSAS instance. |
Online |
|
Set the logger configuration for a MSAS instance to a specified level. |
Online |
|
Get logger configuration for a MSAS instance. |
Online |
|
List the logger configurations for a MSAS instance. |
Online |
Use these commands to manage an identity store profile, which is a logical representation of a user repository. The identity store configuration is stored in an Identity Profile Document in the MSAS Repository.
All identity store profile management commands must be performed in the context of a repository session. A repository session can only act on a single document.
Use the commands listed in Table 9-2 to manage MSAS identity store profiles.
Note:
The MSAS configuration command definitions begin with "createIdentityProfile."Table 9-2 Identity Profile Management Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Create a new identity store profile in a MSAS instance within a repository session. |
Online |
|
Display the contents of a specified identity store profile, or list the names of all identity profiles, in a MSAS instance. |
Online |
|
Select an identity store profile in a MSAS instance for modification within a repository session. |
Online |
|
Delete an identity store profile from a specified MSAS instance within a repository session. |
Online |
|
Set or update the directory information for an identity store profile in a MSAS instance within a repository session. |
Online |
|
Set or update the user information for an identity store profile in a MSAS instance within a repository session. |
Online |
|
Set or update the group information for an identity store profile for a MSAS instance within a repository session. |
Online |
Use the commands listed in Table 9-3 to manage the documents stored in the Oracle Repository. For additional information about upgrading or migrating documents in an Oracle Repository, see "Migrating Applications in the Repository" in Administering Mobile Security Access Server.
Note:
The MSAS configuration command definitions begin with "exportMSASAppMetadata."Table 9-3 Policy Repository Management Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Export MSAS application metadata from the repository to a specified ZIP archive. |
Online |
|
Import MSAS application metadata into the repository from a specified ZIP archive. |
Online |
|
Migrate physical host:port values for applications in a MSAS instance to a mapped host:port value. |
Online |
|
Delete the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software. |
Online |
Some MSAS WLST commands, such as those that modify repository documents and trusted token issuers need to be executed in the context of a session. Use the WLST commands listed in Table 9-4 to manage a session.
Note:
The MSAS configuration command definitions begin with "abortRepositorySession."Table 9-4 Session Management WLST Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Abort the current modification session, discarding any changes that were made during the session. |
Online |
|
Begin a session to modify the repository documents. |
Online |
|
Write the contents of the current session to the repository. |
Online |
|
Describe the contents of the current session. This will indicate either that the session is empty or list the name of the document that is being updated, along with the type of update (create, modify, or delete). |
Online |
Use the WLST commands listed in Table 9-5 to view and define trusted issuers, trusted distinguished name (DN) lists, and token attribute rule filters for trusted SAML or JWT signing certificates.
When using WLST to create, modify, and delete token issuer trust documents, you must execute the commands in the context of a session. Each session applies to a single trust document only.
Note:
To view the help for the WLST commands described in this section, connect to a running instance of the server and enterhelp('wsmManage')
.For additional information about using these commands, see "Configuring Trusted Issuers and DN Lists Using WLST" in Administering Mobile Security Access Server.
Note:
The MSAS configuration command definitions begin with "abortRepositorySession."Table 9-5 Token Issuer Trust Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Create a new token issuer trust document using the name provided. |
Online |
|
Delete the entry for the issuer, including the DN list in it. |
Online |
|
Delete a token attribute rule associated with a trusted DN. |
Online |
|
Delete the token issuer trust document, specified by the name argument, from the repository. |
Online |
|
Display the names of the DN lists associated with a specified issuer. |
Online |
|
Export the trust configuration (issuers, DNs, and token attribute rules) for all trusted issuers. |
Online |
|
Import the trust configuration (Issuers, DNs, and token attribute rules) for all trusted issuers. |
Online |
|
List the token issuer trust documents in the repository. |
Online |
|
Remove trusted issuers and associated configurations (DNs and token attribute rules). |
Online |
|
Select the token issuer trust document, identified by the name argument, to be modified in the session. |
Online |
|
Specify a trusted issuer with a DN list. |
Online |
|
Add, delete, or update token attribute rules for a given token signing certificate DN. |
Online |
|
Specify the DN of a token signing certificate and a list of trusted users. The name ID and the attribute can be mapped to another user ID. |
Online |
|
Sets or resets the display name of the Token Issuer Trust document currently selected in the session. |
Online |
Use the WLST diagnostic command to check the status of the Oracle components that are required for proper functioning of the product. The MSAS configuration command definition is "checkWSMStatus."
Command Category: MSAS Configuration Management
Use with WLST: Online
Displays the configuration properties, and their values and groups, for a MSAS instance. If a property is not defined in the MSAS instance's configuration document, then the default value defined for the product is displayed. If a MSAS instance name is not specified, or the specified MSAS instance does not exist, then the default values defined for the product are displayed.
displayMSASConfiguration(instanceName=None)
Argument | Definition |
---|---|
instanceName
|
Optional. The name of the MSAS instance associated with the configuration document from which property values are displayed. |
This example displays the MSAS configuration properties, including their values and groups, for an instance named MSAS-123456
.
wls:/mydomain/serverConfig> displayMSASConfiguration('MSAS-123456')
This example displays the default MSAS configuration properties.
wls:/mydomain/serverConfig> displayMSASConfiguration()
Command Category: MSAS Configuration Management
Use with WLST: Online
Sets the configuration properties in the configuration document associated with a MSAS instance. If the configuration document does not exist for the instance, it is created automatically. A new property with values and/or groups of values can be added inside the configuration document. The set of acceptable properties are determined by the default set of properties supported by the product. Specific property values or groups of values can also be removed from the configuration document. The configuration document is removed if it does not have any properties.
For additional information about using the setMSASConfiguration
command, see "Configuring an MSAS Instance Using WLST" in Administering Mobile Security Access Server.
setMSASConfiguration(instanceName,categoryName,propertyName,group=None,values=None)
Argument | Definition |
---|---|
instanceName
|
The name of the MSAS instance associated with the configuration document to be modified. |
categoryName
|
The category of the configuration property. This is verified with the default set of properties for acceptability. |
propertyName
|
The name of the configuration property. This is verified with the default set of properties for acceptability. |
groupName
|
Optional. The group containing the set of values to add in the configuration document. If the group exists, and this value is set to None , then the group is removed. |
propertyValues
|
Optional. The array of values to set for a property or group inside the configuration document. Default is None which refers to an empty array list |
Command Category: MSAS Configuration Management
Use with WLST: Online
Sets the logger configuration for a MSAS instance to a specified level (for example, WARNING
).
setMSASLogLevel(instanceName,logger,level)
Argument | Definition |
---|---|
instanceName
|
The name of the MSAS instance logging configuration to be modified. This option is required; there is no default value. |
logger
|
A logger name. The empty string denotes the root logger. This option is required; there is no default value. |
level
|
The level name. It has to be one of the following:
An empty string can be used to set the level to null (inherited from parent). This option is required; there is no default value. |
This example is setting a logging level of FINEST
for an MSAS logger named oracle.idm.gateway.grs
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs','FINEST'])
This example is setting a logging level to null for an MSAS logger named oracle.idm.gateway.grs
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs',''])
This example is setting a logging level of SEVERE
for the root logger in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','','SEVERE'])
Command Category: MSAS Configuration Management
Use with WLST: Online
getMSASLogLevel(instanceName,logger)
Argument | Definition |
---|---|
instanceName
|
The MSAS instance name of the logging configuration. This option is required; there is no default value. |
logger
|
A logger name. The empty string denotes the root logger. This option is required; there is no default value. |
This example is getting the logging level for an MSAS logger named oracle.idm.gateway.grs
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> getMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs')
This example is getting the logging level for the root MSAS logger in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> getMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs')
Command Category: MSAS Configuration Management
Use with WLST: Online
listMSASLoggers(instanceName)
Argument | Definition |
---|---|
instanceName
|
The MSAS instance name of the logging configuration. This option is required; there is no default value. |
Command Category: MSAS Configuration Management
Use with WLST: Online
Create a new identity store profile in a MSAS instance within a repository session. The identity store profile must be associated with a specified MSAS instance.
Issuing this command outside of a repository session will result in an error.
Notes:
This command only creates a new identity store profile for a MSAS instance. To use an identity store profile at runtime, the MSAS configuration must already be set, as described in setMSASConfiguration. After running setMSASConfiguration
, you must also restart the Oracle MSAS Management Server for the runtime to access the configured profile. For more information about restarting the management server, see "Managing MSAS Instances" in Administering Mobile Security Access Server.
You cannot create multiple identity store profiles in the same session. You must commit the session after creating a profile, and then start a new session to create another profile.
If an error occurs during the creation of an identity store profile, the profile must first be committed before it can be deleted.
createIdentityProfile(instanceName,Profilename,description=None)
Argument | Definition |
---|---|
instanceName
|
Name of the MSAS instance in which you want to create an identity store profile. |
ProfileName
|
Name of the new identity store profile. |
description
|
Optional. Description of the new identity store profile. |
Command Category: MSAS Configuration Management
Use with WLST: Online
Display the contents of a specified identity store profile in a MSAS instance, or list the names of all identity store profiles associated with a specified MSAS instance.
If this command is executed from an active session, session changes are also displayed. If this command is executed outside of active session, content from the repository is displayed.
displayIdentityProfile(instanceName,ProfileName=None)
Argument | Definition |
---|---|
instance
|
Name of the MSAS instance associated with the identity store profiles to be displayed. |
ProfileName
|
Optional. The name of the identity store profile to be displayed. If a name is not specified, then the names of the all available identity profiles for the MSAS instance are displayed. |
This example displays the contents of an identity store profile named identity-profile
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> displayIdentityProfile('MSAS-123456','identity-profile')
This example displays the names of the all available identity store profiles in the MSAS instance MSAS-123456
.
wls:/mydomain/serverConfig> displayIdentityProfile('MSAS-123456')
Command Category: MSAS Configuration Management
Use with WLST: Online
Select an identity store profile for modification in a MSAS instance within a repository session.
selectIdentityProfile(instanceName,ProfileName,description=None)
Argument | Definition |
---|---|
instanceName
|
Name of the MSAS instance associated with the identity store profile to be modified. |
ProfileName
|
Name of the identity store profile to be modified. |
Command Category: MSAS Configuration Management
Use with WLST: Online
Delete an identity store profile from a MSAS instance within a repository session.
Issuing this command outside of a repository session will result in an error.
Note:
You cannot both create and delete the same identity store profile in a single repository session. You must commit the session after creating a profile, and then start a new session in order to delete that profile.deleteIdentityProfile(instanceName,Profilename)
Argument | Definition |
---|---|
instanceName
|
Name of the MSAS instance associated with the identity store profile to be deleted. |
ProfileName
|
Name of the identity store profile to be deleted. |
Command Category: MSAS Configuration Management
Use with WLST: Online
Set or update the directory information for an identity store profile in a MSAS instance within a repository session. The secure
argument can be used to determine if the identity store connection should be made over SSL.
Before running this command, an identity store profile must be selected for modification or must be created in the current session.
setIdentityProfileDirectory(DirectoryType,hosts,bindDN,bindPass,baseDN,isSecure)
Argument | Definition |
---|---|
directoryType
|
Type of identity store profile directory. Supported types are:
|
hosts
|
Host port information of the directory in the form host:port . |
bindDN
|
The distinguished name of the user to be used for connecting to the directory. For example: CN=Administrator,CN=Users,DC=mycompany,DC=com. |
bindPass
|
Bind distinguished name (DN) password for accessing the directory. |
baseDN
|
Base distinguished name (DN) information of the directory. For example: DC=mycompany,DC=com |
isSecure
|
Flag (boolean) to indicate if the connection to the directory should be made over SSL. When set to true the connection is configured over SSL. |
This example creates an identity store profile directory with a type of OID
on a host named ['host.example.com:1234'], with bind distinguished name of cn=host,dn=oracle,dn=com
, using a password of welcome
, and a base distinguished name of cn=host,dn=oracle,dn=com
, which does not require an SSL connection because the secure
argument is false
.
wls:/mydomain/serverConfig> setIdentityProfileDirectory('OID',['host.example.com:1234'],'cn=host,dn=oracle,dn=com','welcome','cn=us,dn=oracle,dn=com',false)
This example creates an identity store profile directory that is identical to the one created in the previous example except that it requires an SSL connection to access the directory because the secure
argument is true
.
wls:/mydomain/serverConfig> setIdentityProfileDirectory('OID',['host.example.com:1234'],'cn=host,dn=oracle,dn=com','welcome','cn=us,dn=oracle,dn=com',true)
Command Category: MSAS Configuration Management
Use with WLST: Online
Set or update the user information for an identity store profile in a MSAS instance within a repository session.
Before running this command, an identity store profile must be selected for modification or must be created in the current session.
setIdentityProfileUser(baseDN,loginIDAttribute,objectClassNames))
Argument | Definition |
---|---|
baseDN
|
The base distinguished name (DN) used to create users. |
loginIDAttribute
|
The login identity of the user. |
objectClassNames
|
The fully-qualified names of one or more of LDAP object classes used to identify users. |
Command Category: MSAS Configuration Management
Use with WLST: Online
Set or update the group information for an identity store profile in a MSAS instance within a repository session.
Before running this command, an identity store profile must be selected for modification or must be created in current session.
setIdentityProfileGroup(baseDN,groupNameAttribute,objectClassNames)
Argument | Definition |
---|---|
baseDN
|
The base DNs used to create groups or enterprise roles. |
groupNameAttribute
|
The attribute that uniquely identifies the name of the enterprise role or group. |
objectClassNames
|
The fully-qualified names of one or more LDAP object classes used to represent enterprise roles or groups. |
This example creates an identity store profile user group with a base DN of cn=host,dn=oracle,dn=com
, with group name attribute of cn
, which is represented by a schema object class named groupofuniquenames
.
wls:/mydomain/serverConfig> setIdentityProfileGroup('cn=group,dn=oracle,dc=com','cn',['groupofuniquenames'])
Command Category: MSAS Configuration Management
Use with WLST: Online
Exports MSAS application metadata from the repository into a specified ZIP archive. If the specified archive already exists, you can choose whether to merge the documents into the existing archive, overwrite the archive, or cancel the operation. By default, all metadata for MSAS applications in the current domain is exported to the archive. However, you can use a MSAS instance name and MSAS application name to export specific metadata for these MSAS applications in the repository.
exportMSASAppMetadata(archiveFileName,[instanceName=None],[applicationName=None],[includeShared='false'])
Argument | Definition |
---|---|
archiveFileName
|
Name of the ZIP archive. If the specified archive already exists, you can choose whether to overwrite the archive, merge the documents into the existing archive, or cancel the operation. During override, the original archive is backed up and a message describes the location of the backup archive. |
instanceName
|
Optional. The name of the MSAS instance from which you want to export the metadata of one or more MSAS applications. If no MSAS instance name is specified, but a valid MSAS application name is specified, then the metadata for all MSAS instances containing this MSAS application is exported. When neither the MSAS instance nor MSAS application name is specified, then the metadata for all the MSAS applications across all MSAS instances is exported.
A wildcard '%' is allowed. If this argument is set to |
applicationName
|
Optional. The name of the MSAS application for the metadata to be exported.
A wildcard '%' is allowed. If this argument is set to |
includeShared
|
Optional. Specifies whether a shared resource (such as a referenced policy) should be included with exported metadata. |
This example exports the metadata for all the MSAS applications across all MSAS instances into an archive named MSASApplications.zip
.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip')
This example also exports the metadata for all MSAS applications across all MSAS instances into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','',[''])
This example exports the metadata for all applications across all MSAS instances that begin with MSAS
into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS%')
This example exports the metadata for all applications that begin with virtual
on an instance named MSAS-123456
into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual%'])
This example exports the metadata for an application named Virtual_Foo
on the MSAS-123456
instance into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual_Foo'])
This example exports the metadata for all applications that begin with virtual
across all MSAS instances into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','',['virtual%'])
This example exports the metadata for all applications that begin with virtual
, including application's shared resources, on the MSAS-123456
instance into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual%'],true)
Command Category: MSAS Configuration Management
Use with WLST: Online
Import MSAS application metadata into the repository from a specified ZIP archive. You can use the map
argument to provide the location of a file that describes how to map physical information from the source environment to the target environment. You can generate a new map file by setting the generateMapFile
argument to true
.
importMSASAppMetadata(archiveFileName,[mapFileName=None],[generateMapFlag='false'])
Argument | Definition |
---|---|
archiveFileName
|
Name of the ZIP archive to be imported. |
mapFileName
|
Optional. Location of a sample map file that describes how to map physical information from the source environment to the target environment.
You can generate a new map file by setting the |
generateMapFlag
|
Optional. Specify whether to generate a map file at the location specified by the mapFileName argument. No metadata is imported when this argument is set to true , only a map file is generated. The default is false . |
This example imports application metadata from the MSASartifacts.zip
archive without using a map file.
wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip')
This example collects all application metadata from the MSASartifacts.zip
archive and puts it into a map file named MSASMapfile.txt
. If the specified map file already exists, it will be overwritten.
wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip','/tmp/MSASmapfile.txt', true)
This example imports application metadata from the specified MSASartifacts.zip
archive according to the MSASmapfile.txt
map file.
wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip','/tmp/MSASmapfile.txt')
Command Category: MSAS Configuration Management
Use with WLST: Online
For applications in the repository that match the specified MSAS instance name and application name, replaces the source host:port values (for example, URLs to a back-end service) with host:port values, according to the source-to-target mapping in the specified mapFileName
. You can generate a new map file by setting the generateMapFlag
argument to true
.
migrateMSASAppHostports(instanceName,applicationName,mapFileName,[generateMapFlag='false'])
Argument | Definition |
---|---|
instanceName
|
Name of the MSAS instance. A wildcard is not accepted. |
applicationName
|
Name of MSAS application whose referenced back-end service host:port information needs to be migrated or replaced.
A wildcard '%' is allowed. If this argument is set to |
mapFileName
|
Location of a input map file that describes how to map source MSAS host:port values to a target host:port.
You can generate a new map file by setting the If you specify a map file without setting the If you specify a map file without setting the |
generateMapFlag
|
Optional. Specify whether to generate a map file at the location specified by the mapFileName argument. No MSAS application metadata is modified when this argument is set to true , only a map file is generated. The default is false . |
This example collects all host:port values for the myApp
application on an instance named MSAS-1234
, and puts it into a newly-generated map file named generatedMapfile.txt
. (Note that if a specified map file already exists, it will be overwritten).
wls:/mydomain/serverConfig> migrateMSASAppHostports ('MSAS-1234','myApp','/tmp/generatedMapfile.txt',true)
This example migrates the host:port values for all applications that begin with myApp
on the MSAS-1234
instance according to the myMapfile.txt
map file.
wls:/mydomain/serverConfig> migrateMSASAppHostports('MSAS-1234', 'myApp%', '/tmp/myMapfile.txt')
The following migrates the host:port values for all applications on the MSAS-1234
instance according to the myMapfile.txt
map file.
wls:/mydomain/serverConfig> migrateMSASAppHostports('MSAS-1234', 'None', '/tmp/myMapfile.txt')
Command Category: Policy Repository Management
Use with WLST: Online
Caution:
This command will delete all MSAS artifacts, including registered MSAS application and configuration documents. Restarting the server would recover the seed MSAS documents in the repository but will not recover other user-created documents. Therefore, prior to running this command, Oracle recommends running the exportMSASAppMetadata command to back up all your MSAS metadata.Delete the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software. You can use the clearStore
argument to specify whether to delete all policies, including custom user policies, from the repository before loading the new predefined policies.
Note:
In order to reseed the repository with all Oracle MSAS predefined policies, you must restart the Mobile Security Manager (MSM) server after running theresetWSMPolicyRepository
command. For more information about restarting the MSM server, see "Starting or Stopping the Oracle Stack" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.resetWSMPolicyRepository([clearStore='false'])
Argument | Definition |
---|---|
clearStore='false' |
Policies to be deleted. Valid values are:
|
Command Category: Session
Use with WLST: Online
Abort the current Oracle Repository modification session, discarding any changes that were made to the repository during the session.
Command Category: Session
Use with WLST: Online
Begin a session to modify the Oracle Repository. A repository session can only act on a single document. An error will be displayed if there is already a current session.
Command Category: Session
Use with WLST: Online
Write the contents of the current session to the Oracle Repository. Messages are displayed that describe what was committed. An error will be displayed if there is no current session.
Command Category: Session
Use with WLST: Online
Describe the contents of the current session. This will either indicate that the session is empty or list the name of the document that is being updated, along with the type of update (create, modify, or delete). An error will be displayed if there is no current session.
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Within a session, create a new token issuer trust document using the name provided. A display name can also be provided as the second argument.
You must start a session (beginWSMSession
) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.
For more information on using this command, see "Configuring Trusted Issuers and DN Lists Using WLST" in Administering Mobile Security Access Server.
createWSMTokenIssuerTrustDocument(name, displayName)
Arguments | Definition |
---|---|
name |
Name of the document to be created. An error is thrown if a name is not provided If a document by this name already exists, then a new document will not be created. |
displayName |
Optional. Display name for the document. |
In the following example, the trust document named tokenissuertrustWLSbase_domain
is created, with a display name of wls_domain Trust Document
. In the second example, no display name is provided.
wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain","wls_domain Trust Document") wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain")
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Within a session, delete a trusted token issuer and its associated trusted DN list. Supported values for a SAML assertion or JWT token type are dns.sv
, dns.hok
, or dns.jwt
. This issuer must exist in the token issuer trust document selected in the session for modification. If no trusted key identifiers exist, then the issuer itself is deleted.
To delete a specified list of trusted key identifiers for an issuer, use selectWSMTokenIssuerTrustDocument.
You must start a session (beginWSMSession
) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.
You cannot modify the default token issuer trust document.
deleteWSMTokenIssuerTrust(type, issuer)
Arguments | Definition |
---|---|
type |
The type of SAML assertion or JWT tokens the trusted issuer issues:
|
issuer |
The name of the issuer whose trusted DN list will be deleted (for example, SAML assertion or JWT token). The issuer will also be deleted. |
In the following example, the issuer www.yourCompany.com
and the DN list in the dns.sv
trusted SAML sender vouches client list for the issuer are deleted:
wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrust('dns.sv', 'www.yourCompany.com')
In the following example, the issuer www.yourCompany.com
and the DN list in the dns.jwt
trusted JWT token sender vouches client list for the issuer are deleted:
wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrust('dns.jwt ', 'www.yourCompany.com')
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Delete a token attribute rule associated with a trusted DN from the token issuer trust document.
To delete only the list of filter values for an attribute, use the setWSMTokenIssuerTrustAttributeFilter command.
You must start a session (beginWSMSession
) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.
deleteWSMTokenIssuerTrustAttributeRule(dn)
Arguments | Description |
---|---|
dn |
The DN of the token signing certificate that identifies the rule to be deleted. |
In the following example, the token attribute rule associated with the 'CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
trusted DN is deleted.
wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrustAttributeRule('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US')
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Deletes the specified token issuer trust document permanently from the repository. The default token issuer trust document (oracle-default
) cannot be deleted.
deleteWSMTokenIssuerTrustDocument (name)
Arguments | Definition |
---|---|
name |
Name of the token issuer trust document to be deleted. |
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Display a trusted token issuer and its associated trusted DN list. Supported values for a SAML assertion or JWT token type are dns.hok
, dns.sv
, or dns.jwt
. The issuer
argument is optional. If the issuer and type is specified and exists in the trusted issuer list for the type, then the associated DN lists for the issuer is displayed. If issuer
is not set, then all trusted issuers of the given type are listed.
displayWSMTokenIssuerTrust(type, issuer)
Arguments | Definition |
---|---|
type |
The type of SAML assertion or JWT tokens the trusted issuer issues:
|
issuer |
Optional. The issuer whose trusted DN list is displayed (for example, SAML assertion or JWT token). If not set, the list of all the trusted issuers is displayed. |
In the following example, the DN lists in the dns.sv
trusted SAML sender vouches client list for the www.oracle.com
trusted issuer are displayed:
wls:/wls-domain/serverConfig>displayWSMTokenIssuerTrust('dns.sv', 'www.oracle.com')
In the following example, the names of all trusted SAML issuers associated with the dns.sv
trusted SAML sender vouches client list are displayed:
wls:/wls-domain/serverConfig>displayWSMTokenIssuerTrust('dns.sv', None)
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Export all the trust configurations (issuer, DNs, and token attribute rules) for all trusted issuers. The trust configuration will be exported to an XML file identified by the specified location. The trust configuration for the issuers specified in the exclude list will not be exported. If no argument is passed, the trust configuration for all trusted issuers will be exported.
exportWSMTokenIssuerTrustMetadata(trustFile,excludeIssuers=None)
Arguments | Definition |
---|---|
trustFile |
The location of the file where the exported metadata will be stored. |
excludeIssuers |
Optional. The list of issuers for which trust configuration should not be exported. |
In the following example, all trusted issuer configurations are exported to the specified XML file except for www.oracle.com
and www.yourcompany.com
, which have been excluded:
wls:/wls-domain/serverConfig>exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml',['www.oracle.com','www.myissuer.com']) Starting Operation exportWSMTokenIssuerTrustMetadata ... Configuration for trusted issuers successfully exported.
In the following example, all specified trusted issuer configurations are exported to the specified XML file:
wls:/wls-domain/serverConfig>exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml') Starting Operation exportWSMTokenIssuerTrustMetadata ... Configuration for trusted issuers successfully exported.
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Import the trust configurations (issuers, DNs, and token attribute rules) for all trusted issuers. The trust configuration will be imported from an XML file identified by the specified location.
importWSMTokenIssuerTrustMetadata(trustFile)
Arguments | Definition |
---|---|
trustFile |
The location of the file where the imported metadata will be stored. |
In the following example, all trusted issuer configurations are imported from the specified XML file:
wls:/wls-domain/serverConfig>importWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml') Starting Operation importWSMTokenIssuerTrustMetadata ... Configuration for trusted issuers successfully imported.
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
When used without any arguments, this command lists all the token issuer trust documents in the repository. If the detail argument is set to true
, the display name and the status of the document are also displayed.
You can use the wildcard character (*) in combination with other characters. If no wildcard character is specified in the name argument, the document that matches the name argument exactly is displayed. If the detail
argument is set to true
, the contents of the document are listed.
This command can be executed inside and outside of a session.
listWSMTokenIssuerTrustDocuments(name=None, detail='false')
Arguments | Definition |
---|---|
name |
Optional. Name of the token issuer trust document. You can use wildcards with this argument. |
detail |
Optional. List the details for the requested document. The default is false . |
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Revokes trust by removing all trusted issuers and associated configurations (DNs and token attribute rules). The issuers specified in the optional exclude list will not be removed. If no argument is passed, then all trusted issuers and the associated configuration are removed.
revokeWSMTokenIssuerTrust(excludeIssuers=None)
Arguments | Definition |
---|---|
excludeIssuers |
Optional. The list of issuers for which trust configuration should not be removed. |
In the following example, all trusted issuer configurations are removed except for www.oracle.com
and www.yourcompany.com
, which have been excluded:
wls:/wls-domain/serverConfig>revokeWSMTokenIssuerTrust(['www.oracle.com','www.yourcompany.com']) Starting Operation revokeWSMTokenIssuerTrust ... Configuration for trusted issuers successfully removed.
In the following example, all trusted issuer configurations are removed:
wls:/wls-domain/serverConfig>revokeWSMTokenIssuerTrust() Starting Operation revokeWSMTokenIssuerTrust ... Configuration for trusted issuers successfully removed.
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Selects the token issuer trust document, identified by the name argument, to be modified in the session. The name must match the value of the name attribute in the document.
You must start a session (beginWSMSession
) before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.
You cannot modify the default token issuer trust document.
selectWSMTokenIssuerTrustDocument(name)
Argument | Definition |
---|---|
name |
Name of the document to modified in the session. An error is thrown if a name is not provided. |
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Configure a trusted token issuer and define trusted keys or a trusted DN list for the issuer. Supported values for a SAML assertion or JWT token type are dns.hok
, dns.sv
, or dns.jwt
. The trustedKeyIDs
argument is optional. If you do not set this argument, only the trusted issuer will be set for the specified type.
This command can be used to specify the DN list associated with a trusted token issuer, update the list, or delete the list. See the following examples.
setWSMTokenIssuerTrust(type, issuer, trustedKeyIDs)
Argument | Definition |
---|---|
issuer |
The name of the trusted issuer, for example www.oracle.com . |
type |
The type of SAML assertion or JWT tokens the trusted issuer issues:
|
trustedKeyIDs |
Optional. An array of DNs for token signing certificates associated with the issuer for the specified type. This is a comma-separated list with the format ['CN=name1', 'CN=name2', 'CN=name3', ...] . If you enter an empty set ([] ) the list of DN values will be deleted for the issuer. |
In the following example, CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US'
is set as a DN in the dns.sv
DN list for the www.oracle.com
trusted issuer:
wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv', 'www.oracle.com', ['CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US'])
In the following example, the name CN=orcladmin, OU=Doc, O=Oracle, C=US'
in added to the dns.sv
DN list for the www.oracle.com
trusted issuer:
wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv','www.oracle.com', ['CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'CN=orcladmin, OU=Doc, O=Oracle, C=US'])
In the following example, the list of DN values in the dns.sv
DN list is removed from the www.oracle.com
trusted issuer:
wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv', 'www.oracle.com', [])
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Specify token attribute filtering rules for a trusted DN list. For each trusted DN configured for an issuer, a token attribute filtering rule can be configured and applied. Each rule has two parts: a name ID and an attributes part for attributes in a SAML assertion or a JWT token. The name ID and each attribute can contain a filter with multiple value patterns.
To remove the list of filters for an attribute for the signing certificate, use an empty set ([]) for the value of filters
.
Note:
You must first use thesetWSMTokenIssuerTrust
command to configure a list of trusted DN names for an issuer.setWSMTokenIssuerTrustAttributeFilter(dn, attrName, filters)
Argument | Definition |
---|---|
dn |
The DN of the token signing certificate. The DN as the identifier of the token attribute rule where modifications would be done. |
attrName |
The name of the user attribute for which the filtering will be applied. The value can be as follows:
|
filters |
Optional. List of filters for the attribute. The list has the format ['value1 ', 'value2 ', 'value3 , ... . Each value can be an exact name or a name pattern with a wildcard character "* ".
When |
In the following example, the name ID yourTrustedUser
is set as a trusted user for the weblogic
trusted DN:
wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser'])
In the following example, the name IDs jdoe
is added to the list of trusted users for the weblogic
trusted DN:
wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser', 'jdoe'])
In the following example, the list of trusted users for the weblogic
trusted DN is removed:
wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', [])
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Specify token attribute mapping rules for a trusted DN list. For each trusted DN configured for a token issuer, a token attribute mapping rule can be configured and applied. Each rule has two parts: a name ID and an attributes part for attributes associated with a SAML assertion or a JWT token.
For a trusted DN, a token attribute mapping rule sets the mapping for the value of an attribute as specified by the attrName
argument. The userAttribute
argument is optional and indicates the local user attribute it corresponds to. The userMappingAttribute
argument is optional and indicates the user attribute to be used in the system to authenticate the users. If the attribute as identified by attrName
exists for a token attribute rule for the DN, the mapping is overwritten by the new value.
For example, in federated environments, where the user subject ID (for example, mail
) in the token is different from the user attribute (for example, uid
) for authenticating the same user, the name ID and each attribute can map the local user attribute for the subject name ID to the local user attribute to authenticate a trusted user.
Note:
You must first use thesetWSMTokenIssuerTrust
command to configure a list of trusted DN names for an issuer.setTokenIssuerTrustAttributeMapping(dn, attrName, userAttribute=None, userMappingAttribute=None)
Arguments | Description |
---|---|
dn |
The trusted DN of a token signing certificate. |
attrName |
The name of the use attribute for which the mapping will be applied The value can be as follows:
|
userAttribute |
Optional. The local name of the user attribute in the local identity store that the subject name ID corresponds to. The value can be as follows:
|
userMappingAttribute |
Optional. The value of the local name of the user attribute in the local identity store that the subject name ID maps to for authentication. The value can be as follows:
|
In the following example, the mail
attribute for the Subject ID in the token is mapped to the uid
attribute.
wls:/base_domain/serverConfig>setTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', 'mail', 'uid') Starting Operation setWSMTokenIssuerTrustAttributeMapping ... The token attribute mapping are successfully set
In the following example, the local user attribute for the Subject ID in the token is mapped to the uid
attribute.
wls:/base_domain/serverConfig>setTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', '', 'uid')
Command Category: Token Issuer Trust Configuration
Use with WLST: Online
Sets or resets the display name of the Token Issuer Trust document currently selected in the session.
You must start a session (beginWSMSession
) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.
setWSMTokenIssuerTrustDisplayName("displayName")
Arguments | Definition |
---|---|
displayName |
Name to be set as a display name for the document currently selected for modification in the session. |
Command Category: Diagnostic
Use with WLST: Online
Check the status of the Oracle components that are required for proper functioning of the product. The Oracle components that are checked are the policy manager (wsm-pm
), the agent (agent
), and the credential store and keystore configuration. The status of the components can be checked together or individually.
Note:
The Policy Manager (wsm-pm
) application must be deployed and running for the check status tool to function correctly.checkWSMStatus([component=None],[address=None],[verbose=true])
Arguments | Description |
---|---|
component |
Optional. All checks will be performed if no value is specified. Valid options are:
|
address |
Optional. The HTTP URL of the host running the Policy Manager wsm-pm application. This value is required for checking enforcement through an agent component, for example,
checkWSMStatus('agent', 'http://localhost:7001') The address is not required in the WebLogic Server domain where auto-discovery is present. |
verbose |
Optional. If the value of this flag is true , then the detailed messages (including stack trace, if any) are displayed. Default is false . |
In the following example, the checkWSMStatus
command is run without arguments. The status of the credential store, policy manager, and enforcement agent is returned.
wls:/base_domain/serverConfig> checkWSMStatus()
Credential Store Configuration:
PASSED.
Message(s):
keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
keystore-csf-key : Credentials configured.
keystore.sig.csf.key : Property is configured and its value is "sign-csf-key".
Description: The "keystore.sig.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for signing.
sign-csf-key : Credentials configured.
Sign Key : Key configured.
Alias - orakey
Sign Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
keystore.enc.csf.key : Property is configured and its value is "enc-csf-key".
Description: The "keystore.enc.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for decryption.
enc-csf-key : Credentials configured.
Encrypt Key : Key configured.
Alias - orakey
Encrypt Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
Policy Manager:
PASSED.
Message(s):
OWSM Policy Manager connection state is OK.
OWSM Policy Manager connection URL is "host.example.com:1234".
Enforcement Agent:
PASSED.
Message(s):
Enforcement is successful.
Service URL: http://host.example.com:7001/Diagnostic/DiagnosticService?wsdl
In the following example, the credential store key keystore-csf-key
is deleted and the checkWSMStatus
command is rerun for the credential store credstore
. The status check fails because the csf-key keystore-csf-key
is not present in the credential store:
wls:/base_domain/serverConfig> deleteCred(map="oracle.wsm.security", key="keystore-csf-key")
wls:/base_domain/serverConfig> checkWSMStatus('credstore')
Credential Store Configuration:
FAILED.
Message(s):
keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
keystore-csf-key : Credentials not configured.
Credential Store Diagnostic Messages:
Message(s):
The csf-key keystore-csf-key is not present in the credential store.
Perform the following steps to update the credential store (using WLST commands):-
1. connect()
2. createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore-csf-key", password="<keystore-password>", desc="Keystore Password CSF Key")
NOTE:- All the above commands are based on the Domain level configurations. The actual csf key may be overridden at runtime due to config override. See Documentation for more details.
In the following example, the csf-key keystore-csf-key
is configured and the checkWSMStatus
command is rerun. The configuration check passes.
wls:/base_domain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore-csf-key", password="welcome1", desc="Keystore Password CSF Key")
Already in Domain Runtime Tree
wls:/base_domain/serverConfig> checkWSMStatus('credstore')
Credential Store Configuration:
PASSED.
Message(s):
keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
keystore-csf-key : Credentials configured.
keystore.sig.csf.key : Property is configured and its value is "sign-csf-key".
Description: The "keystore.sig.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for signing.
sign-csf-key : Credentials configured.
Sign Key : Key configured.
Alias - orakey
Sign Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
keystore.enc.csf.key : Property is configured and its value is "enc-csf-key".
Description: The "keystore.enc.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for decryption.
enc-csf-key : Credentials configured.
Encrypt Key : Key configured.
Alias - orakey
Encrypt Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
true
The following example checks the enforcement status of the agent component at the URL http://localhost:7001
.
wls:/test_domain1/serverConfig> checkWSMStatus('agent','http://localhost:7001')
Enforcement Agent:
Note: Enforcement might succeed if OWSM Policy Manager is down due to policy caching. For such scenarios wsm-pm test must be run prior to this test.
PASSED.
Message(s):
Enforcement is successful.
Service URL: http://localhost:7001/Diagnostic/DiagnosticService?wsdl