Fusion Middleware Documentation
Advanced Search


Infrastructure Security WLST Command Reference
Close Window

Table of Contents

Show All | Collapse

2 Infrastructure Security Custom WLST Commands

This chapter describes the Oracle Fusion Middleware Infrastructure Security WLST commands. It contains the following section:

For additional information about Oracle Platform Security Services (OPSS), see Securing Applications with Oracle Platform Security Services.

Note:

To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" section in the Administering Oracle Fusion Middleware.

2.1 Infrastructure Commands

The infrastructure WLST security commands are divided into the following categories:

Table 2-1 WLST Command Categories

Command Category Description

OPSS Security Store Commands

Manage domain and credential domain stores and migrate domain policy store.

Audit Configuration Commands

View and manage audit policies and the audit repository configuration.

OPSS Keystore Service Commands

Manage the OPSS keystore service.

Identity Directory Service Commands

Manage Identity Directory Service Entity Attributes, Entity Definitions, Relationships and default Operational configurations.

Library Oracle Virtual Directory (LibOVD) Commands

Manage Library Oracle Virtual Directory (LibOVD) LDAP and Join Adapters configuration. These commands act on the OVD configuration associated with a particular OPSS Context passed in as a parameter.


2.1.1 OPSS Security Store Commands

Use the WLST security commands listed in Table 2-2 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.

Table 2-2 WLST Security Commands

Use this command... To... Use with WLST...

addBootStrapCredential

Add a credential to the bootstrap credential store.

Offline

addResourceToEntitlement

Add a resource to an entitlement.

Online

createAppRole

Create a new application role.

Online

createCred

Create a new credential.

Online

createEntitlement

Create an entitlement.

Online

createResource

Create a resource.

Online

createResourceType

Create a new resource type.

Online

deleteAppPolicies

Remove all policies in an application.

Online

deleteAppRole

Remove an application role.

Online

deleteCred

Remove a credential.

Online

deleteEntitlement

Remove an entitlement.

Online

deleteResource

Remove a resource.

Online

deleteResourceType

Remove an existing resource type.

Online

exportEncryptionKey

Export the domain encryption key to the file ewallet.p12.

Offline

getEntitlement

List an entitlement.

Online

getResourceType

Fetch an existing resource type.

Online

grantAppRole

Add a principal to a role.

Online

grantEntitlement

Create an entitlement.

Online

grantPermission

Create a new permission.

Online

importEncryptionKey

Import the encryption key in file ewallet.p12 to the domain.

Offline

listAppRoles

List all roles in an application.

Online

listAppRolesMembers

List all members in an application role.

Online

listAppStripes

List application stripes in policy store.

Online

listCodeSourcePermissions

List permissions assigned to a source code in global policies.

Online

listEntitlement

List an entitlement.

Online

listEntitlements

List entitlements in an application stripe.

Online

listPermissions

List all permissions granted to a principal.

Online

listResourceActions

List actions in a resource.

Online

listResourceTypes

List resource types in an application stripe.

Online

listResources

List resources in an application stripe.

Online

listSecurityStoreInfo

List the type and location of the OPSS security store, and the user allowed to access it.

Offline

migrateSecurityStore

Migrate policies or credentials from a source repository to a target repository.

Offline

modifyBootStrapCredential

Update bootstrap credential store.

Offline

reassociateSecurityStore

Reassociate policies and credentials to an LDAP repository.

Online

restoreEncryptionKey

Restore the domain encryption key as it was before the last importing.

Offline

revokeAppRole

Remove a principal from a role.

Online

revokeEntitlement

Remove an entitlement.

Online

revokePermission

Remove a permission.

Online

revokeResourceFromEntitlement

Remove a resource from an entitlement.

Online

rollOverEncryptionKey

Replace the current domain encryption key with a new one.

Offline

updateCred

Modify the attribute values of a credential.

Online

updateTrustServiceConfig

Update the configuration of the trust service.

Online


2.1.1.1 addBootStrapCredential

Offline command that adds a credential to the bootstrap credential store.

2.1.1.1.1 Description

Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.

2.1.1.1.2 Syntax
addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

map 

Specifies the map of the credential to add.

key 

Specifies the key of the credential to add.

username 

Specifies the name of the user in the credential to add.

password

Specifies the password of the user in the credential to add.


2.1.1.1.3 Example

The following invocation adds a credential to the bootstrap credential store:

wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='myPassword')

2.1.1.2 addResourceToEntitlement

Online command that adds a resource with specified actions to an entitlement.

2.1.1.2.1 Description

Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.

2.1.1.2.2 Syntax
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName",actions="actionList")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to modify.

resourceName  

Specifies the name of the resource to add.

resourceType  

Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked.

actions  

Specifies the comma-separated list of actions for the added resource.


2.1.1.2.3 Example

The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:

wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", 
name="myEntitlement", resourceName="myResource", resourceType="myResType", 
actions="view,edit")

2.1.1.3 createAppRole

Online command that creates a new application role.

2.1.1.3.1 Description

Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

2.1.1.3.2 Syntax
createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.


2.1.1.3.3 Example

The following invocation creates a new application role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")

2.1.1.4 createCred

Online command that creates a new credential in the domain credential store.

2.1.1.4.1 Description

Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

2.1.1.4.2 Syntax

Optional arguments are enclosed in square brackets.

createCred(map, key, user, password, [desc])
Argument Definition
map  

Specifies a map name (folder).

key 

Specifies a key name.

user 

Specifies the credential user name.

password 

Specifies the credential password.

desc 

Specifies a string describing the credential.


2.1.1.4.3 Example

The following invocation creates a new password credential with the specified data:

wls:/mydomain/serverConfig> createCred(map="myMap, key="myKey", user="myUsr", 
password="myPassw", desc="updated usr name and passw to connect to app xyz")

2.1.1.5 createEntitlement

Online command that creates a new entitlement.

2.1.1.5.1 Description

Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.

2.1.1.5.2 Syntax
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [,-displayName="dispName"] [,-description="descript"])
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is created.

name  

Specifies the name of the entitlement created.

resourceName  

Specifies the name of the one resource member of the entitlement created.

actions  

Specifies a comma-separated the list of actions for the resource resourceName.

displayName  

Specifies the display name of the resource created. Optional.

description  

Specifies the description of the entitlement created. Optional.


2.1.1.5.3 Example

The following invocation creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")

2.1.1.6 createResource

Online command that creates a new resource.

2.1.1.6.1 Description

Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.

2.1.1.6.2 Syntax
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [,-displayName="dispName"] [,-description="descript"])
Argument Definition
appStripe  

Specifies the application stripe where the resource is created.

name  

Specifies the name of the resource created.

type  

Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked.

displayName  

Specifies the display name of the resource created. Optional.

description  

Specifies the description of the resource created. Optional.


2.1.1.6.3 Example

The following invocation creates the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")

2.1.1.7 createResourceType

Online command that creates a new resource type in the domain policy store within a given application stripe.

2.1.1.7.1 Description

Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. Optional arguments are enclosed in between square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.

2.1.1.7.2 Syntax

Optional arguments are enclosed in square brackets.

createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument Definition
appStripe  

Specifies the application stripe where to insert the resource type.

resourceTypeName 

Specifies the name of the resource type to insert.

displayName 

Specifies the name for the resource type used in UI gadgets.

description 

Specifies a brief description of the resource type.

provider 

Specifies the provider for the resource type.

matchere 

Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission.

actions 

Specifies the actions allowed on instances of the resource type.

delimeter 

Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','.


2.1.1.7.3 Example

The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:

wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", 
resourceTypeName="resTypeName", displayName="displName", description="A resource
type", provider="Printer", matcher="com.printer.Printer",
actions="BWPrint;ColorPrint" [, delimeter=";"])

2.1.1.8 deleteAppPolicies

Online command that removes all policies with a given application stripe.

2.1.1.8.1 Description

Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.

2.1.1.8.2 Syntax
deleteAppPolicies(appStripe)
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.


2.1.1.8.3 Example

The following invocation removes all policies of application myApp:

wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")

2.1.1.9 deleteAppRole

Online command that removes an application role.

2.1.1.9.1 Description

Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

2.1.1.9.2 Syntax
createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.


2.1.1.9.3 Example

The following invocation removes the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> deleteAppRole(appStripe="myApp", appRoleName="myRole")

2.1.1.10 deleteEntitlement

Online command that deletes an entitlement.

2.1.1.10.1 Description

Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.

2.1.1.10.2 Syntax
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

name  

Specifies the name of the entitlement to delete.


2.1.1.10.3 Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")

2.1.1.11 deleteCred

Online command that removes a credential in the domain credential store.

2.1.1.11.1 Description

Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.

2.1.1.11.2 Syntax
deleteCred(map,key)
Argument Definition
map  

Specifies a map name (folder).

key 

Specifies a key name.


2.1.1.11.3 Example

The following invocation removes the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> deleteCred(map="myApp",key="myKey")

2.1.1.12 deleteResource

Online command that deletes a resource.

2.1.1.12.1 Description

Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.

2.1.1.12.2 Syntax
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument Definition
appStripe  

Specifies the application stripe where the resource is deleted.

name  

Specifies the name of the resource deleted.

type  

Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked.


2.1.1.12.3 Example

The following invocation deletes the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")

2.1.1.13 deleteResourceType

Online command that removes a resource type from the domain policy store within a given application stripe.

2.1.1.13.1 Description

Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

2.1.1.13.2 Syntax
deleteResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  

Specifies the application stripe from where to remove the resource type.

resourceTypeName 

Specifies the name of the resource type to remove.


2.1.1.13.3 Example

The following invocation removes the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")

2.1.1.14 exportEncryptionKey

Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.

2.1.1.14.1 Description

Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.

2.1.1.14.2 Syntax
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

keyFilePath 

Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword.

keyFilePassword 

Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file.


2.1.1.14.3 Example

The following invocation writes the file ewallet.p12 in the directory myDir:

exportEncryptionKey(jpsConfigFile="pathName", keyFilePath="myDir" ,keyFilePassword="password")

2.1.1.15 getEntitlement

Online command that gets an entitlement.

2.1.1.15.1 Description

Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.

2.1.1.15.2 Syntax
getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to access.


2.1.1.15.3 Example

The following invocation returns the information of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")

2.1.1.16 getResourceType

Online command that fetches a resource type from the domain policy store within a given application stripe.

2.1.1.16.1 Description

Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

2.1.1.16.2 Syntax
getResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  

Specifies the application stripe from where to fetch the resource type.

resourceTypeName 

Specifies the name of the resource type to fetch.


2.1.1.16.3 Example

The following invocation fetches the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")

2.1.1.17 grantAppRole

Online command that adds a principal to a role.

2.1.1.17.1 Description

Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

2.1.1.17.2 Syntax
grantAppRole(appStripe, appRoleName,principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

principalClass 

Specifies the fully qualified name of a class.

principalName 

Specifies the principal name.


2.1.1.17.3 Example

The following invocation adds a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp",  
appRoleName="myRole",principalClass="com.example.xyzPrincipal",
principalName="myPrincipal")

2.1.1.18 grantEntitlement

Online command that creates a new entitlement.

2.1.1.18.1 Description

Creates a new entitlement with a specified principal in a specified application stripe.

2.1.1.18.2 Syntax
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is created.

principalClass  

Specifies the class associated with the principal.

principalName  

Specifies the name of the principal to which the entitlement is granted.

permSetName  

Specifies the name of the entitlement created.


2.1.1.18.3 Example

The following invocation creates the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

2.1.1.19 grantPermission

Online command that creates a new permission.

2.1.1.19.1 Description

Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

2.1.1.19.2 Syntax

Optional arguments are enclosed in between square brackets.

grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

codeBaseURL 

Specifies the URL of the code granted the permission.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.

permClass 

Specifies the fully qualified name of the permission class.

permTarget 

Specifies, when available, the name of the permission target. Some permissions may not include this attribute.

permActions 

Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.


2.1.1.19.3 Examples

The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> grantPermission(appStripe="myApp",  
principalClass="my.custom.Principal",  principalName="manager",
permClass="java.security.AllPermission")

The following invocation creates a new system permission with the specified data:

wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager",   
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permTarget="/tmp/fileName.ext", permActions="read,write")

2.1.1.20 importEncryptionKey

Offline command that imports keys from the specified ewallet.p12 file into the domain.

2.1.1.20.1 Description

Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.

2.1.1.20.2 Syntax
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

keyFilePath 

Specifies the directory where the ewallet.p12 is located.

keyFilePassword 

Specifies the password used when the file ewallet.p12 was generated.


2.1.1.20.3 Example
importEncryptionKey(jpsConfigFile="pathName", keyFilePath="dirloc" ,keyFilePassword="password")

2.1.1.21 listAppRoles

Online command that lists all roles in an application.

2.1.1.21.1 Description

Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.

2.1.1.21.2 Syntax
listAppRoles(appStripe)
Argument Definition
appStripe 

Specifies an application stripe.


2.1.1.21.3 Example

The following invocation returns all roles with application stripe myApp:

wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")

2.1.1.22 listAppRolesMembers

Online command that lists all members in a role.

2.1.1.22.1 Description

Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.

2.1.1.22.2 Syntax
listAppRoleMembers(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.


2.1.1.22.3 Example

The following invocation returns all members in the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")

2.1.1.23 listAppStripes

Online or offline command that lists the application stripes in the policy store.

2.1.1.23.1 Description

This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.

2.1.1.23.2 Syntax
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument Definition
configFile  

Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store.

regularExpression 

Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *.


2.1.1.23.3 Examples

The following (online) invocation returns the list of application stripes in the policy store:

wls:/mydomain/serverConfig> listAppStripes

The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:

wls:/mydomain/serverConfig> listAppStripes(configFile=" 
/home/myFile/jps-config.xml")

The following (online) invocation returns the list of application stripes that contain the prefix App:

wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")

2.1.1.24 listCodeSourcePermissions

Online command that lists permissions assigned to a source code in global policies.

2.1.1.24.1 Description

This command allows listing codebase permissions in global policies.

2.1.1.24.2 Syntax
listCodeSourcePermissions([codeBase="codeUrl"])
Argument Definition
codeBaseURL

Specifies the name of the grantee codebase URL.


2.1.1.24.3 Examples

The following invocation returns the list permissions assigned to a code source in all global policies:

wls:/mydomain/serverConfig> listCodeSourcePermissions(codeBaseURL="file:/tmp/lib/myJars.jar")

2.1.1.25 listEntitlement

Online command that lists an entitlement in a specified application stripe.

2.1.1.25.1 Description

If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.

2.1.1.25.2 Syntax
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

principalName  

Specifies the name of the principal to match. Optional.

principalClass  

Specifies the class of the principal to match. Optional.


2.1.1.25.3 Example

The following invocation lists all entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlement(appStripe="myApplication")

2.1.1.26 listEntitlements

Online command that lists the entitlements in an application stripe.

2.1.1.26.1 Description

Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.

2.1.1.26.2 Syntax
listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument Definition
appStripe  

Specifies the application stripe from where to list entitlements.

resourceTypeName  

Specifies the name of the type of the resources to list. Optional.

resourceName  

Specifies the name of resource to match. Optional.


2.1.1.26.3 Examples

The following invocation lists all the entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")

The following invocation lists all the entitlements in the stripe myApplication that contain a resource type myResType and a resource whose name match the resource name myResName:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName") 

2.1.1.27 listPermissions

Online command that lists all permissions granted to a given principal.

2.1.1.27.1 Description

Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.

2.1.1.27.2 Syntax

Optional arguments are enclosed in between square brackets.

listPermissions([appStripe,] principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.


2.1.1.27.3 Examples

The following invocation lists all permissions granted to a principal by the policies of application myApp:

wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")
                

The following invocation lists all permissions granted to a principal by system policies:

wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")

2.1.1.28 listResourceActions

Online command that lists the resources and actions in an entitlement.

2.1.1.28.1 Description

Lists the resources and actions in an entitlement within an application stripe.

2.1.1.28.2 Syntax
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement resides.

permSetName  

Specifies the name of the entitlement whose resources and actions to list.


2.1.1.28.3 Example

The following invocation lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")

2.1.1.29 listResources

Online command that lists resources in a specified application stripe.

2.1.1.29.1 Description

If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.

2.1.1.29.2 Syntax
listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument Definition
appStripe  

Specifies the application stripe where the resources are listed.

type  

Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked.


2.1.1.29.3 Example

The following invocation lists all resources of type myResType in the stripe myApplication:

wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")

2.1.1.30 listResourceTypes

Online command that lists resource types.

2.1.1.30.1 Description

Lists all the resource types in a specified application stripe.

2.1.1.30.2 Syntax
listResourceTypes(appStripe="appStripeName")
Argument Definition
appStripe  

Specifies the application stripe where the resource types are located.


2.1.1.30.3 Example

The following invocation lists all resource types in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")

2.1.1.31 listSecurityStoreInfo

Offline command that lists the type, the location, and the administrative user of the domain security store.

2.1.1.31.1 Description

The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).

2.1.1.31.2 Syntax
listSecurityStoreInfo(domainConfig="configFilePath")
Argument Definition
domainConfig  

Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory.


2.1.1.31.3 Example

The following invocation returns the type, location, and administrative user of the OPSS policy store:

wls:/mydomain/serverConfig> listSecurityStoreInfo(domainConfig="/home/myConfigPathDirectory/config/fmwconfig")

2.1.1.32 migrateSecurityStore

Offline command that migrates identities, application-specific, system policies, a specific credential folder, or all credentials.

2.1.1.32.1 Description

Migrates security artifacts from a source repository to a target repository. For full details, see "Migrating with the Script migrateSecurityStore" section in Securing Applications with Oracle Platform Security Services.

2.1.1.33 modifyBootStrapCredential

Offline command that updates a bootstrap credential store.

2.1.1.33.1 Description

Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.

Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.

2.1.1.33.2 Syntax
modifyBootStrapCredential(jpsConfigFile, username, password)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

username

Specifies the distinguished name of the user in the LDAP store.

password

Specifies the password of the user.


2.1.1.33.3 Example

Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory.Then the following invocation changes the password in the bootstrap credential store to welcome1:

wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')

Any output regarding the audit service can be disregarded.

2.1.1.34 reassociateSecurityStore

Online command that migrates policies, credentials, audit metadata, and keys from an existing OPSS security store to a target OPSS security store.

2.1.1.34.1 Description

The script reassociateSecurityStore migrates the OPSS security store from a source to a target LDAP- or DB-based store, and it resets services in the files jps-config.xml and jps-config-jse.xml to the target repository. It also allows specifying that the OPSS security store be shared with that in a different domain (see optional argument join below). The OPSS binaries and the target policy store must have compatible versions.

For complete details and samples see Securing Applications with Oracle Platform Security Services.

2.1.1.35 restoreEncryptionKey

Offline command to restore the domain credential encryption key.

2.1.1.35.1 Description

Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.

2.1.1.35.2 Syntax
restoreEncryptionKey(jpsConfigFile)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.


2.1.1.35.3 Example
restoreEncryptionKey(jpsConfigFile="pathName")

2.1.1.36 revokeAppRole

Online command that removes a principal from a role.

2.1.1.36.1 Description

Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

2.1.1.36.2 Syntax
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

principalClass 

Specifies the fully qualified name of a class.

principalName 

Specifies the principal name.


2.1.1.36.3 Example

The following invocation removes a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", 
appRoleName="myRole",principalClass="com.example.xyzPrincipal", 
principalName="myPrincipal")

2.1.1.37 revokeEntitlement

Online command that deletes an entitlement.

2.1.1.37.1 Description

Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.

2.1.1.37.2 Syntax
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

principalClass  

Specifies the class associated with the principal.

principalName  

Specifies the name of the principal to which the entitlement is revoked.

permSetName  

Specifies the name of the entitlement deleted.


2.1.1.37.3 Example

The following invocation deleted the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

2.1.1.38 revokePermission

Online command that removes a permission.

2.1.1.38.1 Description

Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

2.1.1.38.2 Syntax

Optional arguments are enclosed in between square brackets.

revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

codeBaseURL 

Specifies the URL of the code granted the permission.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.

permClass 

Specifies the fully qualified name of the permission class.

permTarget 

Specifies, when available, the name of the permission target. Some permissions may not include this attribute.

permActions 

Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.


2.1.1.38.3 Examples

The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> revokePermission(appStripe="myApp",  
principalClass="my.custom.Principal", principalName="manager", 
permClass="java.security.AllPermission")

The following invocation removes the system permission with the specified data:

wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager",  
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permActions="read,write")

2.1.1.39 revokeResourceFromEntitlement

Online command that removes a resource from an entitlement.

2.1.1.39.1 Description

Removes a resource from an entitlement in a specified application stripe.

2.1.1.39.2 Syntax
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to modify.

resourceName  

Specifies the name of the resource to remove.

resourceType  

Specifies the type of the resource to remove.

actions  

Specifies the comma-separated list of actions to remove.


2.1.1.39.3 Example

The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", 
resourceName="myResource", resourceType="myResType", actions="view,edit")

2.1.1.40 rollOverEncryptionKey

Offline command that changes the domain encryption key.

2.1.1.40.1 Description

This offline script replaces the current domain OPSS encryption key with a new one; the current key is not deleted but archived, since it is used to decrypt data that was encrypted using that key.

Note the following important points:

  • This command should be executed from the administration server in the domain.

  • If the domain is the only domain accessing the security store, nothing else is required.

  • However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.

2.1.1.40.2 Syntax
rollOVerEncryptionKey(jpsConfigFile="pathName")
Argument Definition

jpsConfigFile

Specifies the location of the file jps-config.xml; either relative to the location where the script is run, or the full path.


2.1.1.40.3 Example

The following invocation rolls over the encryption key:

wls:/mydomain/serverConfig> rollOverEncryptionKey(jpsConfigFile="myConfig")

2.1.1.41 updateCred

Online command that updates password credentials only.

2.1.1.41.1 Description

Updates password credentials only, that is, only the data encapsulated in credentials of type password. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

2.1.1.41.2 Syntax

Optional arguments are enclosed in square brackets.

updateCred(map, key, user, password, [desc])
Argument Definition
map 

Specifies a map name (folder).

key 

Specifies a key name.

user 

Specifies the credential user name.

password 

Specifies the credential password.

desc 

Specifies a string describing the credential.


2.1.1.41.3 Example

The following invocation updates a password credential with the specified data:

wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", 
password="myPassw", desc="updated passw cred to connect to app xyz")

2.1.1.42 updateTrustServiceConfig

Online command that updates the configuration of the domain trust service service with the values passed in a property file.

2.1.1.42.1 Description

Updates the trust service domain configuration. In the event of an error, the command returns a WLSTException.

2.1.1.42.2 Syntax
updateTrustServiceConfig([providerName="<the provider name>",] 
                          propsFile="<path of properties file>")
Argument Definition
providerName 

Specifies the name of the trust service provider; optional; if unspecified, it defaults to trust.provider.embedded.

propsFile

Specifies the path to the file where the property values are set.


Here is a sample property file:

trust.keystoreType=KSS
trust.keyStoreName=kss://<stripeName>/<keystoreName>
trust.trustStoreName=kss://<stripeName>/<truststoreName>
trust.aliasName=<aliasName>
trust.issuerName=<aliasName>

Note that the list of specified properties differs according to the value of the property trust.keystoreType. The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration. For the list of available properties, see "Trust Service Properties" section in Securing Applications with Oracle Platform Security Services.

2.1.1.42.3 Example

The following invocation updates the trust store service with the specifications in the file myProps:

wls:/mydomain/serverConfig> updateTrustServiceConfig(providerName="myProvider", propsFile="myProps")

2.1.2 Audit Configuration Commands

Use the WLST commands listed in Table 2-3 to view and manage audit policies and the audit repository configuration.

Table 2-3 WLST Audit Commands

Use this command... To... Use with WLST...

getNonJavaEEAuditMBeanName

Display the mBean name for a non-Java EE component.

Online

getAuditPolicy

Display audit policy settings.

Online

setAuditPolicy

Update audit policy settings.

Online

getAuditRepository

Display audit repository settings.

Online

setAuditRepository

Update audit repository settings.

Online

listAuditEvents

List audit events for one or all components.

Online

exportAuditConfig

Export a component's audit configuration.

Online

importAuditConfig

Import a component's audit configuration.

Online

createAuditDBView

Create an audit definitions view in the database.

Online

listAuditComponents

List components that can be audited.

Online

registerAudit

Registers audit definitions for a specified component in the audit store.

Online

deregisterAudit

Removes audit definitions of a specified component from the audit store.

Online


For more information, see the Securing Applications with Oracle Platform Security Services.

2.1.2.1 getNonJavaEEAuditMBeanName

Online command that displays the mbean name for non-Java EE components.

2.1.2.1.1 Description

This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.

2.1.2.1.2 Syntax
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument Definition

instName

Specifies the name of the application server instance.

compName

Specifies the name of the component instance.

compType

Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache.

svrName

Specifies the name of the Oracle WebLogic Server.


2.1.2.1.3 Example

The following interactive command displays the mBean name for an Oracle Internet Directory:

wls:/mydomain/serverConfig> getNonJavaEEAuditMBeanName(instName='inst1', compName='oid1', compType='oid', svrName='AdminServer')

2.1.2.2 getAuditPolicy

Online command that displays the audit policy settings.

2.1.2.2.1 Description

This command displays audit policy settings including the filter preset, special users, custom events, and maximum log file size. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

2.1.2.2.2 Syntax
getAuditPolicy([mbeanName, componentType])
Argument Definition

mbeanName

Specifies the name of the component audit MBean for non-Java EE components.

componentType

Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in jps-config.xml is returned.


2.1.2.2.3 Examples

The following command displays the audit settings for a Java EE component:

wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
 
FilterPreset:All
Max Log File Size:104857600

The following command displays the audit settings for MBean CSAuditProxyMBean:

wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean,
name=CSAuditProxyMBean')

2.1.2.3 setAuditPolicy

Online command that updates an audit policy.

2.1.2.3.1 Description

Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

2.1.2.3.2 Syntax
setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers],
[removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
Argument Definition

mbeanName

Specifies the name of the component audit MBean for non-Java EE components.

filterPreset

Specifies the filter preset to be changed.

addSpecialUsers

Specifies the special users to be added.

removeSpecialUsers

Specifies the special users to be removed.

addCustomEvents

Specifies the custom events to be added.

removeCustomEvents

Specifies the custom events to be removed.

componentType

Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified.

maxDirSize

This argument is not used.

maxFileSize

Specifies the maximum size of the log file.

andCriteria

Specifies the and criteria in a custom filter preset definition.

orCriteria

Specifies the or criteria in a custom filter preset definition.

componentEventsFile

Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create/update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to ”Custom”.


2.1.2.3.3 Examples

The following interactive command sets audit policy to None level, and adds users user2 and user3 while removing user1 from the policy:

wls:/mydomain/serverConfig> setAuditPolicy (filterPreset=
'None',addSpecialUsers='user2,user3',removeSpecialUsers='user1')

wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree

FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0

The following interactive command adds login events while removing logout events from the policy:

wls:/mydomain/serverConfig> setAuditPolicy(filterPreset=
'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
 

The following interactive command sets audit policy to a Low level:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully

wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0

The following command sets a custom filter to audit the CheckAuthorization event:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
 
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
 
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization

2.1.2.4 getAuditRepository

Online command that displays audit repository settings.

2.1.2.4.1 Description

This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). Also displays database configuration if the repository is a database type.

2.1.2.4.2 Syntax
getAuditRepository 
2.1.2.4.3 Example

The following command displays audit repository configuration:

wls:/IDMDomain/domainRuntime> getAuditRepository()
Already in Domain Runtime Tree
 
Repository Type:File

2.1.2.5 setAuditRepository

Online command that updates audit repository settings.

2.1.2.5.1 Description

This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).

2.1.2.5.2 Syntax
setAuditRepository([switchToDB],[dataSourceName],[interval], [timezone])
Argument Definition

switchToDB

If true, switches the repository from file to database.

dataSourceName

Specifies the name of the data source.

interval

Specifies intervals at which the audit loader kicks off.

timezone

Specifies the timezone the audit loader uses to record the timestamps of the audit events. The valid values are "utc" and "local".


2.1.2.5.3 Examples

The following command switches from a file repository to a database repository:

wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true', dataSourceName='jdbc/AuditAppendDataSource');
Already in Domain Runtime Tree
 
Audit Repository Information updated
 
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
 
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB

The following command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:

wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbc/AuditAppendDataSource',
interval='14', timezone="utc")

The following command sets the timezone format for audit records to utc:

wls:/mydomain/serverConfig> setAuditRepository(switchToDB="true",dataSourceName="jdbc/AuditAppendDataSource",
interval="14", timezone="utc")

2.1.2.6 listAuditEvents

Online command that displays a component's audit events.

2.1.2.6.1 Description

This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

2.1.2.6.2 Syntax
listAuditEvents([mbeanName],[componentType])
Argument Definition

mbeanName

Specifies the name of the component MBean.

componentType

Specifies the component type to limit the list to all events of the component type.


2.1.2.6.3 Examples

The following command displays audit events for the Oracle Platform Security Services component:

wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
 
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message

The following command displays audit events for Oracle HTTP Server:

wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')

The following command displays all audit events:

wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
 
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...

2.1.2.7 exportAuditConfig

Online command that exports a component's audit configuration.

2.1.2.7.1 Description

This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

2.1.2.7.2 Syntax
exportAuditConfig([mbeanName],fileName, [componentType])
Argument Definition

mbeanName

Specifies the name of the non-Java EE component MBean.

fileName

Specifies the path and file name to which the audit configuration should be exported.

componentType

Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in jps-config.xml is exported.


2.1.2.7.3 Examples

The following interactive command exports the audit configuration for a component:

wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,
name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:

wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')

2.1.2.8 importAuditConfig

Online command that imports a component's audit configuration.

2.1.2.8.1 Description

This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

2.1.2.8.2 Syntax
importAuditConfig([mbeanName],fileName, [componentType])
Argument Definition

mbeanName

Specifies the name of the non-Java EE component MBean.

fileName

Specifies the path and file name from which the audit configuration should be imported.

componentType

Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in jps-config.xml is imported.


2.1.2.8.3 Examples

The following interactive command imports the audit configuration for a component:

wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,
name='CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command imports the audit configuration from a file; no mBean is specified:

wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')

2.1.2.9 createAuditDBView

This command generates a SQL script that you can use to create a database view to query audit records from the database for a specific component.

2.1.2.9.1 Description

This command generates a SQL script that you can use to query the database for audit records. The script is written to the specified file and also printed out to the console. Executing the script creates a database view that you can use to run audit queries and reports.

Upon execution, the result of the SQL script depends on the audit model at your site:

  • If using the 11.1.1.6.0 model, and the component is registered in the audit store, the script creates a view using the system component tables (IAU_COMMON, IAU_USERSESSION, IAU_AUDITSERVICE and IAU_CUSTOM) for the specified component.

  • If using the pre-11.1.1.6.0 model, the component is not registered in the audit store but its event definitions reside in the component_events.xml file (in the oracle_common/modules/oracle.iau_11.1.1/components/componentType dir), and the view is created using the IAU_BASE and component tables.

2.1.2.9.2 Syntax
createAuditDBView(fileName, componentType)
Argument Definition

fileName

Specifies the path and file name to which the SQL script is written.

componentType

The component whose definitions are the basis of the view.


2.1.2.9.3 Example
wls:/mydomain/serverConfig> 
createAuditDBView(fileName="/tmp/JPSAuditView.sql", componentType="JPS")

2.1.2.10 listAuditComponents

Lists components that can be audited.

2.1.2.10.1 Description

This command creates a list of the components that can be audited. It lists components registered in the audit store using both the 11.1.1.6.0 model and the pre-11.1.1.6.0 model.

2.1.2.10.2 Syntax
listAuditComponents(fileName)
Argument Definition

fileName

Specifies the path and file name to which the output is written.


2.1.2.10.3 Example
listAuditComponents(fileName = "/tmp/complist.txt")

2.1.2.11 registerAudit

Registers the specified component in the audit store.

2.1.2.11.1 Description

Adds the event definition and translation content for a specified component to the audit store. If you try to register using the pre-11.1.1.6.0 audit XML schema definition, it is upgraded to the 11.1.1.6.0 XML schema definition and then registered with the audit store.

2.1.2.11.2 Syntax
registerAudit(xmlFile, [xlfFile], componentType, [mode=OVERWRITE|UPGRADE])
Argument Definition

xmlFile

Specifies the Component Event definition file.

xlfFile

Specifies the component xlf jar file. Optional.

componentType

Specifies the component to be registered.

mode

OVERWRITE or UPGRADE. Default is UPGRADE.


2.1.2.11.3 Example
wls:/mydomain/serverConfig>registerAudit(xmlFile="/tmp/comp.xml", 
xmlFile="/tmp/comp_xlf.jar", componentType="AuditApp", mode="UPGRADE")

2.1.2.12 deregisterAudit

Removes the event definition and translation content for the specified component from the audit store.

2.1.2.12.1 Description

Removes an existing event definition and translation content for a specified component or application from the audit store.

2.1.2.12.2 Syntax
deregisterAudit(componentType)
Argument Definition

componentType

Specifies the component whose definitions are to be removed.


2.1.2.12.3 Example
deregisterAudit(componentType="AuditApp")

2.1.3 OPSS Keystore Service Commands

This section contains commands used with the OPSS keystore service.

Note:

You need to acquire an OPSS handle to use keystore service commands; this handle is denoted by 'svc' in the discussion that follows. For details, see "Managing Keys and Certificates with the Keystore Service" section in Securing Applications with Oracle Platform Security Services.

Table 2-4 lists the WLST commands used to manage the keystore service.

Table 2-4 OPSS Keystore Service Commands

Use this Command... to...

changeKeyPassword

Change the password for a key.

changeKeyStorePassword

Change the password on a keystore.

createKeyStore

Create a keystore.

deleteKeyStore

Delete a keystore.

deleteKeyStoreEntry

Delete an entry in a keystore.

exportKeyStore

Export a keystore to file.

exportKeyStoreCertificate

Export a certificate to a file.

exportKeyStoreCertificateRequest

Export a certificate request to a file.

generateKeyPair

Generate a keypair.

generateSecretKey

Generate a secret key.

getKeyStoreCertificates

Get information about a certificate or trusted certificate.

getKeyStoreSecretKeyProperties

Get the secret key properties.

importKeyStore

Import a keystore from file.

importKeyStoreCertificate

Import a certificate or other object.

listExpiringCertificates

List certificates expiring in a specified period.

listKeyStoreAliases

List aliases in a keystore.

listKeyStores

List all the keystores in a stripe.

syncKeyStores

Synchronizes the keystores in the administration server with keystores in the security store.


2.1.3.1 changeKeyPassword

Changes a key password.

2.1.3.1.1 Description

Changes the password for a key.

2.1.3.1.2 Syntax
changeKeyPassword(appStripe='stripe', name='keystore', password='password', 
alias='alias', currentkeypassword='currentkeypassword', 
newkeypassword='newkeypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe containing the keystore.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the key entry whose password is changed.

currentkeypassword

Specifies the current key password.

newkeypassword

Specifies the new key password.


2.1.3.1.3 Example

This example changes the password on the key entry orakey:

changeKeyPassword(appStripe='system', name='keystore', password='password', 
alias='orakey', currentkeypassword='currentkeypassword', 
newkeypassword='newkeypassword')

2.1.3.2 changeKeyStorePassword

Changes the password of a keystore.

2.1.3.2.1 Description

Changes the password of the specified keystore.

2.1.3.2.2 Syntax
changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe containing the keystore.

name

Specifies the name of the keystore.

currentpassword

Specifies the current keystore password.

newpassword

Specifies the new keystore password.


2.1.3.2.3 Example

This example changes the password for keystore2.

changeKeyStorePassword(appStripe='system', name='keystore2', 
currentpassword='currentpassword', newpassword='newpassword')

2.1.3.3 createKeyStore

This keystore service command creates a new keystore.

2.1.3.3.1 Description

Creates a new keystore on the given application stripe.

2.1.3.3.2 Syntax
createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore is created.

name

Specifies the name of the new keystore.

password

Specifies the keystore password.

permission

This parameter is true if the keystore is protected by permission only, false if protected by both permission and password.


2.1.3.3.3 Example

This example creates a keystore named keystore1.

createKeyStore(appStripe='system', name='keystore1', password='password', permission=true)

2.1.3.4 deleteKeyStore

Deletes the named keystore.

2.1.3.4.1 Description

This keystore service command deletes a specified keystore.

2.1.3.4.2 Syntax
deleteKeyStore(appStripe='stripe', name='keystore', password='password')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore to be deleted.

password

Specifies the keystore password.


2.1.3.4.3 Example

This example deletes the keystore named keystore1.

deleteKeyStore(appStripe='system', name='keystore1', password='password')

2.1.3.5 deleteKeyStoreEntry

Deletes a keystore entry.

2.1.3.5.1 Description

This command deletes the specified entry in a keystore.

2.1.3.5.2 Syntax
deleteKeyStoreEntry(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the entry to be deleted.

keypassword

Specifies the key password of the entry to be deleted.


2.1.3.5.3 Example

This example deletes a keystore entry denoted by alias orakey.

deleteKeyStoreEntry(appStripe='system', name='keystore2', password='password', alias='orakey', keypassword='keypassword')

2.1.3.6 exportKeyStore

Exports a keystore to a file.

2.1.3.6.1 Description

Exports a keystore to the specified file.

2.1.3.6.2 Syntax
exportKeyStore(appStripe='stripe', name='keystore', password='password', 

aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', 
type='keystore-type', filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

aliases

Comma separated list of aliases to be exported.

keypasswords

Comma separated list of the key passwords corresponding to aliases.

type

Exported keystore type. Valid values are 'JKS' or 'JCEKS'.

filepath

Absolute path of the file where keystore is exported.


2.1.3.6.3 Example

This example exports two aliases from the specified keystore.

exportKeyStore(appStripe='system', name='keystore2', 
password='password',aliases='orakey,seckey', 
keypasswords='keypassword1,keypassword2', 
type='JKS',filepath='/tmp/file.jks')

2.1.3.7 exportKeyStoreCertificate

Exports a certificate.

2.1.3.7.1 Description

Exports a certificate, trusted certificate or certificate chain.

2.1.3.7.2 Syntax
exportKeyStoreCertificate(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
type='entrytype',filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the entry to be exported.

keypassword

Specifies the key password.

type

Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'.

filepath

Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported.


2.1.3.7.3 Example

This example exports a certificate corresponding to the orakey alias:

exportKeyStoreCertificate(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
type='Certificate', filepath='/tmp/cert.txt')

2.1.3.8 exportKeyStoreCertificateRequest

Exports a certificate request.

2.1.3.8.1 Description

Generates and exports a certificate request from a keystore.

2.1.3.8.2 Syntax
exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the entry's alias name.

keypassword

Specifies the key password.

filepath

Specifies the absolute path of the file where certificate request is exported.


2.1.3.8.3 Example

This example exports a certificate request corresponding to the orakey alias.

exportKeyStoreCertificateRequest(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
filepath='/tmp/certreq.txt')

2.1.3.9 generateKeyPair

Generates a key pair in a keystore.

2.1.3.9.1 Description

Generates a key pair in a keystore and wraps it in a demo CA-signed certificate.

2.1.3.9.2 Syntax
generateKeyPair(appStripe='stripe', name='keystore', password='password', 
dn='distinguishedname', keysize='keysize', alias='alias', 
keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

dn

Specifies the distinguished name of the certificate wrapping the key pair.

keysize

Specifies the key size.

alias

Specifies the alias of the key pair entry.

keypassword

Specifies the key password.


2.1.3.9.3 Example

This example generates a keypair in keystore2.

generateKeyPair(appStripe='system', name='keystore2', password='password', dn='cn=www.oracle.com', keysize='1024', alias='orakey', keypassword='keypassword')

2.1.3.10 generateSecretKey

Generates a secret key.

2.1.3.10.1 Description

Generates a symmetric key in a keystore.

2.1.3.10.2 Syntax
generateSecretKey(appStripe='stripe', name='keystore', password='password', 
algorithm='algorithm', keysize='keysize', alias='alias', 
keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

algorithm

Specifies the symmetric key algorithm.

keysize

Specifies the key size.

alias

Specifies the alias of the key entry.

keypassword

Specifies the key password.


2.1.3.10.3 Example

This example generates a keypair with keysize 128 in keystore2.

generateSecretKey(appStripe='system', name='keystore2', password='password', 
algorithm='AES', keysize='128', alias='seckey', keypassword='keypassword')

2.1.3.11 getKeyStoreCertificates

Gets a certificate from the keystore.

2.1.3.11.1 Description

Retrieves information about a certificate or trusted certificate.

2.1.3.11.2 Syntax
getKeyStoreCertificates(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed.

keypassword

Specifies the key password.


2.1.3.11.3 Example

This example gets certificates associated with keystore3.

getKeyStoreCertificates(appStripe='system', name='keystore3', password='password', alias='orakey', keypassword='keypassword')

2.1.3.12 getKeyStoreSecretKeyProperties

Retrieves secret key properties.

2.1.3.12.1 Description

Retrieves secret key properties like the algorithm.

2.1.3.12.2 Syntax
getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias

Specifies the alias of the secret key whose properties are displayed.

keypassword

Specifies the secret key password.


2.1.3.12.3 Example

This example gets properties for secret key seckey:

getKeyStoreSecretKeyProperties(appStripe='system', name='keystore3', 
password='password', alias='seckey', keypassword='keypassword')

2.1.3.13 importKeyStore

Imports a keystore from file.

2.1.3.13.1 Description

Imports a keystore from a system file.

2.1.3.13.2 Syntax
importKeyStore(appStripe='stripe', name='keystore', password='password', 
aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', 
type='keystore-type', permission=true|false, filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

aliases  

Specifies the comma-separated aliases of the entries to be imported from file.

keypasswords  

Specifies the comma-separated passwords of the keys in file.

type  

Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'.

filepath 

Specifies the absolute path of the keystore file to be imported.

permission 

Specifies true if keystore is protected by permission only, false if protected by both permission and password.


2.1.3.13.3 Example

This example imports a file to keystore2:

importKeyStore(appStripe='system', name='keystore2', 
password='password',aliases='orakey,seckey', keypasswords='keypassword1, 
keypassword2', type='JKS', permission=true, filepath='/tmp/file.jks')

2.1.3.14 importKeyStoreCertificate

Imports a certificate or other specified object.

2.1.3.14.1 Description

Imports a certificate, trusted certificate or certificate chain.

2.1.3.14.2 Syntax
importKeyStoreCertificate(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
type='entrytype',filepath='absolute_file_path')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

alias  

Specifies the alias of the entry to be imported.

keypassword  

Specifies the key password of the newly imported entry.

type  

Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'.

filepath  

Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported.


2.1.3.14.3 Example

This example imports a certificate into keystore2.

importKeyStoreCertificate(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
type='Certificate', filepath='/tmp/cert.txt')

2.1.3.15 listExpiringCertificates

Lists expiring certificates.

2.1.3.15.1 Description

Lists expiring certificates and optionally renews them.

2.1.3.15.2 Syntax
listExpiringCertificates(days='days', autorenew=true|false)
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

days  

Specifies that the list should only include certificates within this many days from expiration.

autorenew  

Specifies true for automatically renewing expiring certificates, false for only listing them.


2.1.3.15.3 Example

This example lists certificates expiring within one year, and requests that they be renewed:

listExpiringCertificates(days='365', autorenew=true)

2.1.3.16 listKeyStoreAliases

Lists the aliases in a keystore.

2.1.3.16.1 Description

Lists the aliases in a keystore for a given type of entry.

2.1.3.16.2 Syntax

The syntax is as follows:

listKeyStoreAliases(appStripe='stripe', name='keystore', 
password='password', type='entrytype')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe where the keystore resides.

name

Specifies the name of the keystore.

password

Specifies the keystore password.

type

Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'.


2.1.3.16.3 Example

This example lists secret keys in keystore2:

listKeyStoreAliases(appStripe='system', name='keystore2', 
password='password', type='SecretKey')

2.1.3.17 listKeyStores

Lists all the keystores in a stripe.

2.1.3.17.1 Description

Lists all the keystores in the specified stripe.

2.1.3.17.2 Syntax
listKeyStores(appStripe='stripe')
Argument Definition
svc

Specifies the service command object obtained through a call to getOpssService().

appStripe

Specifies the name of the stripe whose keystores are listed.


2.1.3.17.3 Example

This example lists all keystores on all stripes.

listKeyStores(appStripe='*')

2.1.3.18 syncKeyStores

Synchronizes Oracle WebLogic Server and system keystores from the central repository to the domain config directory on the administration server.

2.1.3.18.1 Description

Synchronizes keystores in the central security store with those present in the domain directory.

2.1.3.18.2 Syntax
syncKeyStores() 

Note:

The svc argument does not apply to this command.

2.1.3.18.3 Example

The following command looks up the central repository for the "system" stripe and downloads its contents into the keystores.xml file under the DOMAIN_HOME/config/fmwconfig directory. It also downloads the contents of the domain trust store into the same file:

syncKeyStores() 

2.1.4 Identity Directory Service Commands

Use the WLST commands listed in Table 2-5 to manage Identity Directory Service Entity Attributes, Entity Definitions, Relationships and default Operational configurations.

Table 2-5 WLST Identity Directory Service Commands

Use this command... To... Use with WLST...

activateIDSConfigChanges

Reload the Identity Directory Service configuration.

Online

addAttributeInEntityConfig

Add a new attribute to the entity configuration.

Online

addAttributeRefForEntity

Add a new attribute to the specified entity.

Online

addEntity

Add a new entity to the entity configuration.

Online

addEntityRelation

Add a new entity relation to the entity configuration.

Online

addIdentityDirectoryService

Add a new Identity Directory Service to the configuration.

Online

addOperationConfig

Add a new operation configuration to the entity configuration.

Online

addPropertyForOperationConfig

Add a new property to a specified operation configuration.

Online

deleteAttributeInEntityConfig

Delete an attribute from an entity configuration.

Online

deleteEntity

Delete an entity from an entity configuration.

Online

deleteEntityRelation

Delete the specified entity relation.

Online

deleteIdentityDirectoryService

Delete the specified Identity Directory Service in the configuration.

Online

deleteOperationConfig

Delete operation configuration in an entity configuration.

Online

listAllAttributeInEntityConfig

List all attributes in the entity configuration.

Online

listAllEntityInEntityConfig

List all entities defined in the specified entity configuration.

Online

listAllIdentityDirectoryService

List all Identity Directory Services in the configuration.

Online

removeAttributeRefForEntity

Remove an attribute from the specified entity.

Online

removePropertyForOperationConfig

Remove a property for the specified operation configuration.

Online


2.1.4.1 activateIDSConfigChanges

activateIDSConfigChanges

2.1.4.1.1 Description

Reloads the Identity Directory Service configuration.

2.1.4.1.2 Syntax

activateIDSConfigChanges()

This command has no arguments.

2.1.4.1.3 Example

activateIDSConfigChanges()

2.1.4.2 addAttributeInEntityConfig

addAttributeInEntityConfig

2.1.4.2.1 Description

Adds a new attribute to the entity configuration.

2.1.4.2.2 Syntax

addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)

Table 2-6 addAttributeInEntityConfig Arguments

Argument Definition

name

Name of the attribute to be added.

datatype

The attribute's type is defined as one of the following:

  • binary

  • boolean

  • datetime

  • double

  • integer

  • rfc822name

  • string

  • x500name

description

Description of the attribute to be added.

readOnly

Flag to specify whether the attribute is read only or can be modified.

pwdAttr

Flag to specify whether the attribute defines a password or not.

appName

Name of the Identity Directory Service.


2.1.4.2.3 Example

addAttributeInEntityConfig('commonname','string','common name',false,false,'userrole')

2.1.4.3 addAttributeRefForEntity

addAttributeRefForEntity

2.1.4.3.1 Description

Adds a new attribute to the specified entity.

2.1.4.3.2 Syntax

addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)

Table 2-7 addAttributeRefForEntity Arguments

Argument Definition

name

Name of the entity to which the attribute will be added.

attrRefName

Name of the attribute to be added to the entity.

attrRefFilter

The type of filter to be used with the attribute is defined as one of the following:

  • beginswith

  • contains

  • doesnotcontain

  • dynamic

  • endswith

  • equals

  • greaterequal

  • greaterthan

  • lessequal

  • lessthan

  • none

  • notequals

attrRefDefaultFetch

Flag to specify whether the attribute is fetched by default.

appName

Name of the Identity Directory Service.


2.1.4.3.3 Example

addAttributeRefForEntity('User','givenname','none','true','userrole')

2.1.4.4 addEntity

addEntity

2.1.4.4.1 Description

Adds a new entity to the entity configuration.

2.1.4.4.2 Syntax

addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)

Table 2-8 addEntity Arguments

Argument Definition

name

Name of the entity to which the attribute will be added.

type

Name of the attribute to be added to the entity.

idAttr

Identity attribute of the entity to be added.

create

Flag to specify the create is allowed.

modify

Flag to specify the modify is allowed.

delete

Flag to specify the delete is allowed.

search

Flag to specify the search is allowed.

attrRefNames

Array of attribute names.

attrRefFilters

An array of filter type values is defined as one of the following:

  • beginswith

  • contains

  • doesnotcontain

  • dynamic

  • endswith

  • equals

  • greaterequal

  • greaterthan

  • lessequal

  • lessthan

  • none

  • notequals

attrRefDefaultFetches

Array of boolean strings (true, false).

appName

Name of the Identity Directory Service.


2.1.4.4.3 Example

addEntity('Group','group','commonname',true,true,true,true,'name|commonname','none|none','true|false','userrole')

2.1.4.5 addEntityRelation

addEntityRelation

2.1.4.5.1 Description

Add a new entity relation to the entity configuration.

2.1.4.5.2 Syntax

addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)

Table 2-9 addEntityRelation Arguments

Argument Definition

name

Name of the relation between the entities for the given attributes.

type

Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne").

fromEntity

Name of the from entity.

fromAttr

Name of the from attribute.

toEntity

Name of the to entity.

toAttr

Name of the to attribute.

recursive

Flag to set the entity relationship as recursive.

appName

Name of the Identity Directory Service.


2.1.4.5.3 Example

addEntityRelation('manager', 'ManyToOne', 'User', 'manager', 'User', 'principal', false, 'userrole')

2.1.4.6 addIdentityDirectoryService

addIdentityDirectoryService

2.1.4.6.1 Description

Add a new IdentityStoreService to the Identity Directory Service configuration.

2.1.4.6.2 Syntax

addIdentityDirectoryService(name, description, propNames, propValues)

Table 2-10 addIdentityDirectoryService Arguments

Argument Definition

name

Name of the IdentityStoreService to be added.

description

Description of the IdentityStoreService.

propNames

An array of property names to be added to the IdentityStoreService configuration.

propValues

An array of values to be defined for the property names added to the IdentityStoreService configuration.


2.1.4.6.3 Example

addIdentityDirectoryService('userrole', 'user role', 'ovd.context|entity.config', 'default|userrole')

2.1.4.7 addOperationConfig

addOperationConfig

2.1.4.7.1 Description

Add a new operation configuration to the entity configuration.

2.1.4.7.2 Syntax

addOperationConfig(entityName, propNames, propValues, appName)

Table 2-11 addOperationConfig Arguments

Argument Definition

entityName

Name of the entity to which the operation configuration will be added.

propNames

An array of property names to be added to the operation configuration.

propValues

An array of property values for the properties added to the operation configuration.

appName

Name of the Identity Directory Service.


2.1.4.7.3 Example

addOperationConfig('User', 'entity.searchbase', 'cn=users,dc=oracle,dc=com', 'userrole')

2.1.4.8 addPropertyForOperationConfig

addPropertyForOperationConfig

2.1.4.8.1 Description

Add a new property to a specified operation configuration.

2.1.4.8.2 Syntax

addPropertyForOperationConfig(entityName, propName, propValue, appName)

Table 2-12 addPropertyForOperationConfig Arguments

Argument Definition

entityName

Name of the entity to which the operation configuration will be added.

propName

A property name to be added to the operation configuration.

propValue

A value for the property added to the operation configuration.

appName

Name of the Identity Directory Service.


2.1.4.8.3 Example

addPropertyForOperationConfig('User','entity.searchbase', 'cn=users,dc=oracle,dc=com', 'userrole')

2.1.4.9 deleteAttributeInEntityConfig

deleteAttributeInEntityConfig

2.1.4.9.1 Description

Delete an attribute from an entity configuration.

2.1.4.9.2 Syntax

deleteAttributeInEntityConfig(name, appName)

Table 2-13 addPropertyForOperationConfig Arguments

Argument Definition

name

Name of the attribute to be deleted.

appName

Name of the Identity Directory Service.


2.1.4.9.3 Example

deleteAttributeInEntityConfig('commonname', 'userrole')

2.1.4.10 deleteEntity

deleteEntity

2.1.4.10.1 Description

Delete an entity from an entity configuration.

2.1.4.10.2 Syntax

deleteEntity(name, appName)

Table 2-14 deleteEntity Arguments

Argument Definition

name

Name of the entity to be deleted.

appName

Name of the Identity Directory Service.


2.1.4.10.3 Example

deleteEntity('User', 'userrole')

2.1.4.11 deleteEntityRelation

deleteEntityRelation

2.1.4.11.1 Description

Delete the specified entity relation.

2.1.4.11.2 Syntax

deleteEntityRelation(name, appName)

Table 2-15 deleteEntityRelation Arguments

Argument Definition

name

Name of the relation between the entities for the given attributes.

appName

Name of the Identity Directory Service.


2.1.4.11.3 Example

deleteEntityRelation('manager', 'userrole')

2.1.4.12 deleteIdentityDirectoryService

deleteIdentityDirectoryService'

2.1.4.12.1 Description

Delete the specified IdentityStoreService in the Identity Directory Service configuration.

2.1.4.12.2 Syntax

deleteIdentityDirectoryService(name)

where name is the name of the IdentityStoreService configuration to be deleted.

2.1.4.12.3 Example

deleteIdentityDirectoryService('ids1')

2.1.4.13 deleteOperationConfig

deleteOperationConfig

2.1.4.13.1 Description

Delete operation configuration in an entity configuration.

2.1.4.13.2 Syntax

deleteOperationConfig(entityName, appName)

Table 2-16 deleteOperationConfig Arguments

Argument Definition

entityName

Name of the entity from which the operation configuration will be removed.

appName

Name of the Identity Directory Service.


2.1.4.13.3 Example

deleteOperationConfig('User','userrole')

2.1.4.14 listAllAttributeInEntityConfig

listAllAttributeInEntityConfig

2.1.4.14.1 Description

List all attributes in the entity configuration.

2.1.4.14.2 Syntax

listAllAttributeInEntityConfig(appName)

where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of attributes is retrieved.

2.1.4.14.3 Example

listAllAttributeInEntityConfig('userrole')

2.1.4.15 listAllEntityInEntityConfig

listAllEntityInEntityConfig

2.1.4.15.1 Description

List all entities defined in the specified entity configuration.

2.1.4.15.2 Syntax

listAllEntityInEntityConfig(appName)

where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of entities is retrieved.

2.1.4.15.3 Example

listAllEntityInEntityConfig('userrole')

2.1.4.16 listAllIdentityDirectoryService

listAllIdentityDirectoryService

2.1.4.16.1 Description

List all IdentityStoreService in Identity Directory Service configuration.

2.1.4.16.2 Syntax

listAllIdentityDirectoryService()

This command has no arguments.

2.1.4.16.3 Example

listAllIdentityDirectoryService()

2.1.4.17 removeAttributeRefForEntity

removeAttributeRefForEntity

2.1.4.17.1 Description

Remove an attribute from the specified entity.

2.1.4.17.2 Syntax

removeAttributeRefForEntity(name, attrRefName, appName)

Table 2-17 removeAttributeRefForEntity Arguments

Argument Definition

name

Name of the entity from which the attribute will be removed.

attrRefName

The name of the attribute to be removed.

appName

Name of the Identity Directory Service.


2.1.4.17.3 Example

removeAttributeRefForEntity('User','givenname','userrole')

2.1.4.18 removePropertyForOperationConfig

removePropertyForOperationConfig

2.1.4.18.1 Description

Remove a property for the specified operation configuration.

2.1.4.18.2 Syntax

removePropertyForOperationConfig(entityName, propName, appName)

Table 2-18 removePropertyForOperationConfig Arguments

Argument Definition

entityName

Name of the entity to which the operation configuration will be added.

propName

A property name to be added to the operation configuration.

appName

Name of the Identity Directory Service.


2.1.4.18.3 Example

removePropertyForOperationConfig('User','entity.searchbase','userrole')

2.1.5 Library Oracle Virtual Directory (LibOVD) Commands

Use the WLST commands listed in Table 2-19 to manage Library Oracle Virtual Directory (LibOVD) LDAP and Join Adapters configuration. These commands act on the OVD configuration associated with a particular OPSS Context passed in as a parameter.

Table 2-19 WLST LibOVD Commands

Use this command... To... Use with WLST...

activateLibOVDConfigChanges

Reload the LibOVD configuration.

Online

addAttributeExclusionRule

Add a attribute exclusion rule.

Online

addAttributeRule

Add a new attribute mapping rule.

Online

addDomainExclusionRule

Add a domain exclusion rule.

Online

addDomainRule

Add a new domain mapping rule.

Online

addJoinRule

Add a join rule to an existing Join adapter for the OVD associated with the given OPSS context.

Online

addLDAPHost

Add a new remote host to an existing LDAP adapter.

Online

addMappingContext

Create a new mapping context.

Online

addPlugin

Add a plugin to an existing adapter or at the global level.

Online

addPluginParam

Add new parameter values to the existing adapter level plugin or global plugin.

Online

createJoinAdapter

Create a new Join adapter for the OVD associated with the given OPSS context.

Online

createLDAPAdapter

Create a new LDAP adapter for the OVD associated with the given OPSS context.

Online

deleteAdapter

Delete an existing adapter for the OVD associated with the given OPSS context.

Online

deleteAttributeExclusionRule

Delete a attribute exclusion rule.

Online

deleteAttributeRule

Delete a attribute mapping rule.

Online

deleteDomainExclusionRule

Delete a domain exclusion rule.

Online

deleteDomainRule

Delete a domain mapping rule.

Online

deleteMappingContext

Delete the specified mapping context.

Online

getAdapterDetails

Display the details of an existing adapter that is configured for the OVD associated with the given OPSS context.

Online

listAdapters

List the name and type of all adapters that are configured for this OVD associated with the given OPSS Context.

Online

listAllMappingContextIds

List all the mapping contexts.

Online

listAttributeRules

List all the attribute rules.

Online

listDomainRules

List all the domain rules.

Online

modifyLDAPAdapter

Modify the existing LDAP adapter configuration.

Online

removeJoinRule

Remove a join rule from a Join adapter configured for this OVD associated with the given OPSS Context.

Online

removeLDAPHost

Remove a remote host from an existing LDAP adapter configuration.

Online

removePlugin

Remove a plugin from an existing adapter or at global level.

Online

removePluginParam

Remove an existing parameter from a configured adapter level plugin or global plugin.

Online


2.1.5.1 activateLibOVDConfigChanges

activateLibOVDConfigChanges

2.1.5.1.1 Description

Reloads the libOVD configuration.

2.1.5.1.2 Syntax

activateLibOVDConfigChanges(contextName)

where contextName is the name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.

2.1.5.1.3 Example

activateLibOVDConfigChanges('default')

2.1.5.2 addAttributeExclusionRule

addAttributeExclusionRule

2.1.5.2.1 Description

Add an attribute exclusion rule.

2.1.5.2.2 Syntax

addAttributeExclusionRule(attribute, mappingContextId, contextName)

Table 2-20 addAttributeExclusionRule Arguments

Argument Definition

attribute

Name of the attribute to be added to the exclusion list.

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.2.3 Example

addAttributeExclusionRule('orgunit', 'IdsProfile1', 'ids')

2.1.5.3 addAttributeRule

addAttributeRule

2.1.5.3.1 Description

Add a new attribute mapping rule.

2.1.5.3.2 Syntax

addAttributeRule(srcAttrs, srcObjectClass, srcAttrType, dstAttr, dstObjectClass, dstAttrType, mappingExpression, direction, mappingContextId, contextName)

Table 2-21 addAttributeRule Arguments

Argument Definition

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.3.3 Example

addAttributeRule('lastname','','','sn','','','','Inbound','IdsProfile1','default')

2.1.5.4 addDomainExclusionRule

addDomainExclusionRule

2.1.5.4.1 Description

Add a domain exclusion rule.

2.1.5.4.2 Syntax

addDomainExclusionRule(domain, mappingContextId, contextName)

Table 2-22 addDomainExclusionRule Arguments

Argument Definition

domain

Distinguished name (DN) of the attribute to be added to the exclusion list.

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.4.3 Example

addDomainExclusionRule('cn=group,dc=oracle,dc=com','mappingContextId')

2.1.5.5 addDomainRule

addDomainRule

2.1.5.5.1 Description

Add a new domain mapping rule.

2.1.5.5.2 Syntax

addDomainRule(srcDomain, destDomain, domainConstructRule, mappingContextId, contextName)

Table 2-23 addDomainRule Arguments

Argument Definition

srcDomain

Container DN in the source.

destDomain

Container DN in the destination.

domainConstructRule

Domain mapping rule.

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.5.3 Example

addDomainRule('dc=oracle,dc=com', 'dc=oracle,dc=com', '', 'defaultContext', 'default')

2.1.5.6 addJoinRule

addJoinRule

2.1.5.6.1 Description

Adds a join rule to an existing Join adapter for the OVD associated with the specified OPSS context.

2.1.5.6.2 Syntax

addJoinRule(adapterName=<adapterName>, secondary=<secondary>, condition=<condition>, joinerType=<joinerType>, contextName=<contextName>)

Table 2-24 addJoinRule Arguments

Argument Definition

adapterName

Name of the Join adapter to be modified.

secondary

Name of the adapter to join to.

condition

The attribute(s) to join on.

joinerType

An optional parameter that defines the type of Join. Accepted values include Simple (default), Conditional, OneToMany or Shadow.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.6.3 Example

addJoinRule('join1','secondaryldap','cn=cn', 'Simple', 'default')

addJoinRule('join1','secondaryldap','cn=cn', 'Conditional', 'default')

addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', JoinerType='OneToMany')

addJoinRule(adapterName='join1', secondary='LDAP2',condition='uid=cn', contextName='myContext')

2.1.5.7 addLDAPHost

addLDAPHost

2.1.5.7.1 Description

Adds a new remote host (host:port pair) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.

2.1.5.7.2 Syntax

addLDAPHost(adapterName=<adapterName>, host=<host>, port=<port>, contextName=<contextName>)

Table 2-25 addLDAPHost Arguments

Argument Definition

adapterName

Name of the Join adapter to be modified.

host

Remote LDAP host to which the LDAP adapter will communicate.

port

Remote LDAP host's port.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.7.3 Example

addLDAPHost(adapterName='ldap1', host='myhost.example.com', port=389)

addLDAPHost('ldap1', 'myhost.example.com','389', 'myContext')

2.1.5.8 addMappingContext

addMappingContext

2.1.5.8.1 Description

Create a new mapping context.

2.1.5.8.2 Syntax

addMappingContext(mappingContextId, contextName)

Table 2-26 addMappingContext Arguments

Argument Definition

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.8.3 Example

addMappingContext('defaultContext','context)

2.1.5.9 addPlugin

addPlugin

2.1.5.9.1 Description

Adds a plugin to an existing adapter, or at the global level. The "i"th key corresponds to "i"th value. The plugin is added to default chain.

2.1.5.9.2 Syntax

addPlugin(pluginName=<pluginName>, pluginClass=<pluginClass>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)

Table 2-27 addPlugin Arguments

Argument Definition

pluginName

pluginName - Name of the plugin to be created.

pluginClass

Class of the plugin.

paramKeys

Init Param Keys separated by "|".

paramValues

Init Param Values separated by "|".

adapterName

Name of the adapter to be modified. If not specified, the plugin is added at the global level.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.9.3 Example

addPlugin(adapterName='ldap1', pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')

addPlugin(pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')

2.1.5.10 addPluginParam

addPluginParam

2.1.5.10.1 Description

Add new parameter values to the existing adapter level plugin or global plugin. If the parameter already exists, the new value is added to the existing set of values. The "i"th key corresponds to "i"th value.

2.1.5.10.2 Syntax

addPluginParam(pluginName=<pluginName>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)

Table 2-28 addPluginParam Arguments

Argument Definition

pluginName

pluginName - Name of the plugin to be modified.

paramKeys

Init Param Keys separated by "|".

paramValues

Init Param Values separated by "|".

adapterName

Name of the adapter to be modified. If not specified, the global plugin is modified.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.10.3 Example

addPluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramKeys='ReplaceAttribute | MatchFilter', paramValues='cn=%uid% | objectclass=person')

addPluginParam(pluginName='VirtualAttr', paramKeys='ReplaceAttribute | MatchFilter', par)

2.1.5.11 createJoinAdapter

createJoinAdapter

2.1.5.11.1 Description

Creates a new Join adapter for the OVD associated with the given OPSS context.

2.1.5.11.2 Syntax

createJoinAdapter(contextName=<contextName>, adapterName=<adapterName>, root=<root>, primaryAdapter=<primaryAdapter>, bindAdapter=<bindAdapter>)

Table 2-29 createJoinAdapter Arguments

Argument Definition

adapterName

Name of the Join adapter to be created.

mappingContextId

Virtual Namespace of the Join adapter.

primaryAdapter

Specifies the identifier of the primary adapter (the adapter searched first in the join operation).

root

 

bindAdapter

Specifies identifier of the bind adapter(s) (the adapter(s) whose proxy account is used to bind in the LDAP operation). By default, the primaryAdapter is set as bindAdapter.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.11.3 Example

createJoinAdapter('join1','dc=join','primaryldap','myldap', 'myContext')

createJoinAdapter(adapterName='join1', root='dc=join', primaryAdapter='myldap')

2.1.5.12 createLDAPAdapter

createLDAPAdapter

2.1.5.12.1 Description

Creates a new LDAP adapter for the OVD associated with the given OPSS context.

2.1.5.12.2 Syntax

createLDAPAdapter(adapterName=<adapterName>, root=<root>, host=<host>, port=<port>, remoteBase=<remoteBase>, isSecure=<true|false>, bindDN=<bindDN>, bindPasswd=<bindPasswd>, passCred=<passCred>, contextName=<contextName>)

Table 2-30 createLDAPAdapter Arguments

Argument Definition

adapterName

Name of the LDAP adapter to be created.

root

Virtual Namespace of the LDAP adapter.

host

Remote LDAP host with which the LDAP adapter will communicate.

port

Remote LDAP host's port number.

remoteBase

Location in the remote DIT to which root corresponds.

isSecure

An optional parameter that enables secure SSL/TLS connections to the remote hosts when defined as true. The default value is "false".

bindDN

Proxy BindDN used to communicate with Remote host. An optional parameter with default value "".

bindPasswd

Proxy BindPasswd used to communicate with Remote host. An optional parameter with default value "".

passCred

This optional parameter controls, what, if any, credentials the OVD will pass to the backend (remote host) LDAP server. Values can be Always (default), None or BindOnly.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.12.3 Example

createLDAPAdapter("testLDAP", "dc=us,dc=oracle,dc=com", "myhost.example.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "Always", "myContext")

createLDAPAdapter(adapterName='ldap1', root='dc=com', host='myhost.example.com', port=5566, remoteBase='dc=oid')

2.1.5.13 deleteAdapter

deleteAdapter

2.1.5.13.1 Description

Deletes an existing adapter for the OVD associated with the given OPSS context.

2.1.5.13.2 Syntax

deleteAdapter(adapterName=<adapterName>, contextName=<contextName>)

Table 2-31 deleteAdapter Arguments

Argument Definition

adapterName

Name of the Join adapter to be deleted.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.13.3 Example

deleteAdapter(adapterName='join1')deleteAdapter('join1', 'default'))

2.1.5.14 deleteAttributeExclusionRule

deleteAttributeExlusionRule

2.1.5.14.1 Description

Delete an attribute exclusion rule.

2.1.5.14.2 Syntax

deleteAttributeExclusionRule(attribute, mappingContextId, contextName)

Table 2-32 deleteAttributeExclusionRule Arguments

Argument Definition

attribute

Name of the attribute to be removed from the exclusion list.

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.14.3 Example

deleteAttributeExclusionRule('objectsid','mappingContextId')

2.1.5.15 deleteAttributeRule

deleteAttributeRule

2.1.5.15.1 Description

Delete an attribute mapping rule.

2.1.5.15.2 Syntax

deleteAttributeRule(srcAttrs, dstAttr, mappingContextId, contextName)

Table 2-33 deleteEntityRelation Arguments

Argument Definition

srcAttrs

 

dstAttr

 

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.15.3 Example

deleteAttributeRule('lastname','sn',mappingContextId)

2.1.5.16 deleteDomainExclusionRule

deleteDomainExclusionRule

2.1.5.16.1 Description

Delete a domain exclusion rule.

2.1.5.16.2 Syntax

deleteDomainExclusionRule(domain, mappingContextId, contextName)

Table 2-34 deleteEntityRelation Arguments

Argument Definition

domain

Distinguished Name of the container to be removed from the exclusion list.

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.16.3 Example

deleteDomainExclusionRule('cn=group,dc=oracle,dc=com','mappingContextId')

2.1.5.17 deleteDomainRule

deleteDomainRule

2.1.5.17.1 Description

Delete a domain mapping rule.

2.1.5.17.2 Syntax

deleteDomainRule(srcDomain, destDomain, mappingContextId, contextName)

Table 2-35 deleteDomainRule Arguments

Argument Definition

srcDomain

Container DN in source.

destDomain

Container DN in destination.

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.17.3 Example

deleteDomainRule(dc=oracle,dc=com','dc=oracle,dc=com', 'UserProfile1', 'default')

2.1.5.18 deleteMappingContext

deleteMappingContext

2.1.5.18.1 Description

Delete the specified mapping context.

2.1.5.18.2 Syntax

deleteMappingContext(mappingContextId, contextName)

Table 2-36 deleteMappingContext Arguments

Argument Definition

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.18.3 Example

deleteMappingContext('defaultContext','context)

2.1.5.19 getAdapterDetails

getAdapterDetails

2.1.5.19.1 Description

Displays the details of an existing adapter configured for the Oracle Virtual Directory associated with the specified OPSS context.

2.1.5.19.2 Syntax

getAdapterDetails(adapterName=<adapterName>, contextName=<contextName>)

Table 2-37 getAdapterDetails Arguments

Argument Definition

adapterName

Name of the adapter which contains the details to be displayed.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.19.3 Example

getAdapterDetails(adapterName='ldap1', contextName='default')

getAdapterDetails(adapterName='join1')

2.1.5.20 listAdapters

listAdapters

2.1.5.20.1 Description

Lists the name and type of all adapters that are configured for the Oracle Virtual Directory associated with the specified OPSS Context.

2.1.5.20.2 Syntax

listAdapters(contextName='contextName')

Table 2-38 listAdapters Arguments

Argument Definition

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.20.3 Example

listAdapters()

listAdapters(contextName='myContext')

2.1.5.21 listAllMappingContextIds

listAllMappingContextIds

2.1.5.21.1 Description

Lists the mapping contexts associated with the specified OPSS Context.

2.1.5.21.2 Syntax

listAllMappingContextIds(contextName)

Table 2-39 listAllMappingContextIds Arguments

Argument Definition

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.21.3 Example

listAllMappingContextIds('default')

2.1.5.22 listAttributeRules

listAttributeRules

2.1.5.22.1 Description

List all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION

2.1.5.22.2 Syntax

listAttributeRules(mappingContextId, contextName)

Table 2-40 listAttributeRules Arguments

Argument Definition

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.22.3 Example

listAttributeRules('defaultContext','default)

2.1.5.23 listDomainRules

listDomainRules

2.1.5.23.1 Description

List all the domain rules in the format of SOURCE_DOMAIN:DESTINATION_DOMAIN.

2.1.5.23.2 Syntax

listDomainRules(mappingContextId, contextName)

Table 2-41 listDomainRules Arguments

Argument Definition

mappingContextId

Name of the mapping context.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.23.3 Example

listDomainRules('defaultContext','default')

2.1.5.24 modifyLDAPAdapter

modifyLDAPAdapter

2.1.5.24.1 Description

This command is used to modify the following parameters defined in an existing LDAP Adapter:

  • Remote Base

  • Root

  • Secure

  • BindDN

  • BindPassword

  • PassCredentials

  • MaxPoolSize

2.1.5.24.2 Syntax

modifyLDAPAdapter(adapterName=<adapterName>, attribute=<attribute>, value=<value>, contextName=<contextName>)

Table 2-42 modifyLDAPAdapter Arguments

Argument Definition

attribute

Name of the attribute to be modified.

value

New value for the attribute.

adapterName

Name of the LDAP adapter to be modified.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.24.3 Example

modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org')

modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly')

modifyLDAPAdapter('ldap1', 'BindDN', 'cn=proxyuser,dc=com', 'mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123')

modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true)

modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500)

2.1.5.25 removeJoinRule

removeJoinRule

2.1.5.25.1 Description

Removes a join rule from a Join adapter configured for the Oracle Virtual Directory associated with the specified OPSS Context.

2.1.5.25.2 Syntax

removeJoinRule(adapterName=<adapterName>, secondary=<secondary>, contextName=<contextName>)

Table 2-43 removeJoinRule Arguments

Argument Definition

adapterName

Name of the Join adapter to be modified.

secondary

The join rules corresponding to this secondary adapter are removed from the join adapter.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.25.3 Example

removeJoinRule('join1','secondaryldap1', 'default')

removeJoinRule(adapterName='join1', secondary='LDAP3')

2.1.5.26 removeLDAPHost

removeLDAPHost

2.1.5.26.1 Description

Removes a remote host (host:port) from an existing LDAP adapter.

2.1.5.26.2 Syntax

removeLDAPHost(adapterName=<adapterName>, host=<host>, contextName=<contextName>)

Table 2-44 removeLDAPHost Arguments

Argument Definition

adapterName

Name of the LDAP adapter to be modified.

host

Location of a remote LDAP host with which the LDAP adapter will communicate.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.26.3 Example

removeLDAPHost(adapterName='ldap1', host='myhost.example.com')

removeLDAPHost('ldap1', 'myhost.example.com', 'myContext')

2.1.5.27 removePlugin

removePlugin

2.1.5.27.1 Description

Removes a plugin from an existing adapter, or at the global level.

2.1.5.27.2 Syntax

removePlugin(pluginName=<pluginName>, adapterName=<adapterName>, contextName=<contextName>)

Table 2-45 removePlugin Arguments

Argument Definition

pluginName

Name of the plugin to be removed.

adapterName

Name of the adapter to be modified. If not specified, the global plugin is removed.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.27.3 Example

removePlugin(adapterName='ldap1', pluginName='VirtualAttr')

removePlugin(pluginName='VirtualAttr')

2.1.5.28 removePluginParam

removePluginParam

2.1.5.28.1 Description

Removes an existing parameter from a configured adapter level plugin or global plugin. This removes all values of the particular parameter from the plugin.

2.1.5.28.2 Syntax

removePluginParam(pluginName=<pluginName>, paramKey=<paramKey>, adapterName=<adapterName>, contextName=<contextName>)

Table 2-46 removePluginParam Arguments

Argument Definition

pluginName

Name of the plugin to be modified.

paramKey

Parameter to be removed.

adapterName

Name of the adapter to be modified. If not specified, the global plugin is modified.

contextName

Name of the Oracle Platform Security Services context to which the OVD configuration is associated. This default value of this optional parameter is default.


2.1.5.28.3 Example

removePluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramKey='ReplaceAttribute')

removePluginParam(pluginName='VirtualAttr', paramKey='ReplaceAttribute')