This appendix documents OPSS system properties (set through the switch -D at server start) and configuration properties (set with elements <property> and <extendedProperty> in the configuration file jps-config.xml) in the following sections:
To manage server properties programmatically, use OPSS MBeans. For details and example, see Section E.2.3, "Programming with OPSS MBeans."
Note:
All OPSS configuration changes (manual or through JpsConfiguration MBean) require server restart to take effect.OPSS data domain changes do not require server restart to take effect. Data changes include modifying an application policy and creating, deleting, or updating a credential.
A system property cannot be set without restarting the server. In order to set a system property the administrator must edit the setDomainEnv.sh shell script and add the property to the environment variable EXTRA_JAVA_PROPERTIES in that script.
Table F-1 lists the Java system properties available with OPSS.
Table F-1 Java System Properties Used by OPSS
| Name | Description |
|---|---|
|
|
This property, which is exposed in Identity Store service, specifies which part of the user's name the For XML file-based identity stores: If this property is set to For LDAP-based identity stores: If set to Default: |
|
|
Specifies the location of the OPSS policy file. |
|
|
When set to True, it specifies that the migration of credentials should overwrite existing credentials when the application is deployed or redeployed when the server is running in development mode. For details, see Section 15.4.5.3, "To Migrate Credentials with Overwriting." |
|
|
Increases server logging output. For details, see Section I.1.2.1, "jps.auth.debug." |
|
|
Increases server logging output. For details, see Section I.1.2.2, "jps.auth.debug.verbose." |
|
|
Indicates the frequency, in milliseconds, at which the system checks the domain files -Djps.change.notifier.file.delay=600000 In production environments, it is recommended a frequency of about 10 min. (600000 milliseconds). In development environments, it is recommended a frequency of about 3 min. (180000 milliseconds). |
|
|
Enables Java 2 policy. Values: boolean Default: |
|
|
Specifies whether the policy store is read-only. Values: boolean Default: |
|
|
Specifies whether application roles are recalculated on each request. Setting this flag to true has a significant impact on server performance. Values: boolean Default: false |
|
|
Specifies the factory class for creating OPSS context instances. Values: string Default: |
|
|
Specifies the full path to the domain configuration files Value: string |
|
|
Specifies the factory class for creating OPSS configuration instances. Values: string Default: |
This section describes the properties that can be set in the file jps-config.xml with the elements <property> or <extendedProperty>, in the following sections:
Table F-2 lists the properties that specify the location of LDAP- or file-based store instances.
Table F-2 Service Instance Properties
| Name | Property / Extended Property | Description |
|---|---|---|
|
Property |
For an LDAP-based identity store, policy store, or credential store service instance, this property specifies the URL to the directory server. Values: string Example:
<serviceInstance name="policystore.oid" provider="policy.oid">
...
<property name="ldap.url"
value="ldap://myoid.oracle.com:389"/>
...
</serviceInstance>
|
|
|
|
Property |
For a file-based identity store or policy store service instance, or a wallet-based credential store service instance, this property specifies the file path to the data store. Values: string Example 1: Wallet-based credential store <serviceInstance name="credstore" provider="credstoressp"> ... <property name="location" value="./" /> ... </serviceInstance> Example 2: File-based identity or policy store
<serviceInstance name="idstore.xml"
provider="idstore.xml.provider">
...
<property name="location" value="./system-jazn-data.xml" />
...
</serviceInstance>
|
Table F-3 lists the properties of file- and LDAP-based identity store instances.
Table F-3 Identity Store Properties
| Name | Property / Extended Property | Description |
|---|---|---|
|
Property |
Specifies the administrative user account. Values: string Default: |
|
|
Property |
Indicates the type of the identity store. Values:
|
|
|
Property |
Specifies the default realm for the identity store. Values: string Default for file-based identity store: Example 1: LDAP-based identity store
<serviceInstance name="idstore.ldap"
provider="idstore.ldap.provider">
<property name="subscriber.name"
value="dc=us,dc=oracle,dc=com"/>
...
</serviceInstance>
Example 2: File-based identity store
<serviceInstance name="idstore.xml"
provider="idstore.xml.provider">
<!-- Subscriber name must be defined for XML Identity Store -->
<property name="subscriber.name" value="jazn.com"/>
...
</serviceInstance>
|
Table F-4 lists the properties of LDAP-based stores that can be specified in service instances. In the case of an LDAP-based identity store service instance, to ensure that the User and Role API picks up the connection pool properties when it is using the JNDI connection factory, the identiry store service instance must include the following property:
<property name="INITIAL_CONTEXT_FACTORY" value="com.sun.jndi.ldap.LdapCtxFactory"/>
| Name | Property / Extended Property | Description |
|---|---|---|
|
|
Property |
Specifies the type of LDAP connection that the JNDI connection pool uses. Values: none, simple, and DIGEST-MD5. Default: simple. |
|
|
Property |
Specifies the maximum number of connections in the LDAP connection pool. Values: integer Example: 30 |
|
Property |
Specifies the minimum number of connections in the LDAP connection pool. Values: integer Example: 5 |
|
|
Property |
Specifies the protocol to use for the LDAP connection. Values: plain, ssl. Default: plain. |
|
|
Property |
Specifies the connection pool to use. Values: JNDI, IDM. Default: JNDI. |
|
|
|
Property |
Specifies the number of milliseconds that an idle connection can remain in the pool; after timeout, the connection is closed and removed from the pool. Values: an integer in string form. Default: "300000" (5 minutes) |
|
|
Property |
Specifies the name of the node under the JPSContext node in the LDAP repository, as in illustrated in the following example: <property value="cn=wls-jrfServer" name="oracle.security.jps.farm.name"/> |
|
|
Property |
Specifies the name of the top-most node in the LDAP repository, as in illustrated in the following example: <property value="cn=jpsTestNode" name="oracle.security.jps.ldap.root.name"/> |
|
Property |
Specifies whether to enable or disable the LDAP cache. Values: |
|
|
Property |
Specifies the initial capacity of the hashmap. This value affects performance, so it is important to set it to a value too low. The caching service maintains a global hashmap (a Values: integer Default: 20 |
|
|
Property |
Specifies the load factor for the hashmap. This measures how full the cache is allowed to get before its capacity is automatically increased. This value affects overall performance, so it is important not to set it to value too close to 1. Values: a number between 0 and 1. Default: 0.7 |
|
|
Property |
Specifies the time (in milliseconds) an object remains in cache before being invalidated and removed. It is also the sleep-time for the daemon thread between each run looking for expired objects. Values: integer Default: 3600000 (one hour) |
|
|
Property |
Speciifes the maximum number of retry attempts if there are problems with the LDAP connection. Values: integer Example: 5 |
|
|
|
Property |
Speciifes the LDAP context root for OPSS. Values: string Default: |
|
|
Property |
Specifies the canonical path name of the topology node in MAS that represents the unmanaged LDAP server. Values: string Example: |
Example:
<jpsConfig ... >
...
<!-- These are various JPS common properties used for LDAP operations -->
<property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
<property name="oracle.security.jps.ldap.root.name"
value="cn=OracleJpsContainer"/>
<property name="oracle.security.jps.ldap.max.retry" value="5"/>
...
</jpsConfig>
Table F-5 lists the properties of just LDAP identity stores. See Identity Store Properties for a listing of properties that apply to both file-based and LDAP-based identity stores.
See Also:
<serviceInstance> for an example that uses some properties in this section
Table F-5 LDAP Identity Store Properties
| Name | Property / Extended Property | Description |
|---|---|---|
|
|
Extended property |
Specifies the base DNs in the LDAP directory for creating roles (groups). Values: strings Example: |
|
|
Extended property |
Specifies fully qualified names of object classes used for searching roles (groups). Values: strings |
|
|
Extended property |
Specifies the attributes that must be specified when creating a role (group) object. Values: strings |
|
Extended property |
Specifies the attribute of a static LDAP role object that specifies the distinguished names (DNs) of the members of the role. Values: strings Examples:
|
|
|
Extended property |
Specifies fully qualified names of one or more schema object classes used to represent roles (groups). Values: strings |
|
|
Extended property |
Specifies base DNs in the LDAP directory for searching roles (groups). Values: strings Example: |
|
|
|
Extended property |
Specifies base DNs in the LDAP directory for creating roles (groups). Values: strings Example: |
|
|
Extended property |
Specifies base DNs in the LDAP directory for searching roles (groups). Values: strings Example: |
|
Property |
Specifies the LDAP attribute that uniquely identifies the name of the role (group). Values: string Example: |
|
|
|
Property |
Specifies the maximum number of characters of the search filter for an identity store service, as illustrated in the following example: <property name="max.search.filter.length" value="500"/> Value: a positive integer |
|
|
Property |
Specifies the type of search to employ when the repository is queried. Values: SIMPLE, PAGED, VIRTUAL_LIST_VIEW For a description of these values, see the User and Role API javadoc. |
|
Property |
Specifies the password (obfuscated) of the LDAP user specified in If the password is stored in the credential store, then Values: string |
|
|
Property |
See the description for Values: string Example: orcladmin |
|
|
Property |
Specifies the alias for the LDAP user name. The key for the password is specified in If the password is stored in Values: string Example: JPS |
|
|
Property |
See the description for Values: string Example: ldap.credentials |
|
|
|
Extended property |
Specifies the base DNs in the LDAP directory for creating users. Values: strings Example: cn=users,dc=us,dc=abc,dc=com (single DN) |
|
|
Extended property |
Specifies fully qualified names of object classes used for searching users. Values: strings |
|
|
Property |
Specifies the login identity of the user. Values: string |
|
|
Extended property |
Specifies the attributes that must be specified when creating a user object. Values: strings |
|
Extended property |
Specifies fully qualified names of one or more schema object classes used to represent users. Values: strings |
|
|
Extended property |
Specifies base DNs in the LDAP directory for searching users. Values: strings Example: |
|
|
Property |
Specifies the LDAP attribute that uniquely identifies the name of the user. Values: string |
Table F-6 lists the properties of anonymous users, anonymous roles, and authenticated roles. Some of them may also be used to configure the anonymous service or an identity store login module.
Table F-6 Anonymous and Authenticated Roles Properties
| Name | Property / Extended Property | Description |
|---|---|---|
|
|
Property |
Provides a description for the anonymous role. Values: string Example: |
|
|
Property |
Specifies the principal name for the anonymous role. Values: string Default: |
|
|
Property |
Specifies the "unique name" for the anonymous role. Values: string Default: |
|
Property |
Specifies the principal name for the anonymous user. Values: string Default: |
|
|
|
Property |
Provides a description for the authenticated role. Values: string Example: |
|
|
Property |
Specifies the principal name for the role used for authenticated users. Values: string Default: |
|
|
Property |
Specifies the "unique name" for the authenticated role. Values: string Default: |
|
|
Property |
Specifies that after the user is authenticated, the anonymous role should be removed from the subject. Values: boolean Default: |
Table F-7 lists the properties of the policy provider framework .
Table F-7 Policy Provider Framework Properties
| Name | Property / Extended Property | Description |
|---|---|---|
|
|
Property |
Specifies the fully qualified class name of the permission that extends Values: string |
|
|
Property |
Specifies the attribute of a static LDAP role object that specifies the distinguished names (DNs) of the members of the role. Values: string Example: |
|
|
Property |
Specifies the name of the LDAP attribute that uniquely identifies the name of the role. Values: string Example: |
|
|
Property |
Specifies LDAP schema object classes that represent a role. If specifying multiple classes, separate the classes with a space. The default for Sun Java System Directory Server is Values: string Example: |
|
|
Property |
Specifies a list of space-delimited distinguished names (DN) in the LDAP directory that contains roles. Values: string Example: |
|
|
Property |
Specifies how deep in the LDAP directory tree to search for roles. Values: |
|
|
Property |
Indicates the type of policy store. Values:
|
The following example illustrates the configuration of a policy store service provider, an instance of that provider, using an Oracle Internet Directory, and its use in a jpscontext.
<jpsConfig ... >
...
<serviceProviders>
<serviceProvider type="POLICY_STORE" name="policystore.ldap.provider"
class= "oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider">
<description>LDAP-based PolicyStore</description>
<property name="policystore.type" value="OID"/>
<property name="connection.pool.max.size" value="30"/>
<property name="connection.pool.provider.type" value="IDM"/>
</serviceProvider>
</serviceProviders>
...
<serviceInstances>
<serviceInstance name="policystore.oid" provider="policystore.ldap.provider">
<property name="max.search.filter.length" value="4096"/>
<property name="security.principal" value="cn=orcladmin"/>
<property name="security.credential" value="password"/>
<property name="ldap.url" value="ldap://xyz.us.oracle.com:389"/>
<property name="policystore.jpsbase" value="cn=jps,cn=oraclecontext"/>
<property name="policystore.role.objectclass" value="orclrole"/>
<property name="policystore.role.searchbase" value="cn=roles"/>
<property name="policystore.role.searchscope" value="subtree"/>
<property name="policystore.role.nameattr" value="cn"/>
<property name="policystore.role.memberattr" value="uniquemember"/>
<property name="policystore.role.roleheirarchyattr" value="assignedRoles"/>
</serviceInstance>
</serviceInstances>
...
<jpsContexts default="default">
<jpsContext name="default">
<serviceInstanceRef ref="policystore.oid"/>
</jpsContext>
</jpsContexts>
</jpsConfig>
Table F-8 lists the properties that configure keystore services. To use encryption or signing, you must access a private key in the keystore and specify an alias and a password to retrieve the key, after providing first the password to access the keystore itself.
| Name | Property / Extended Property | Description |
|---|---|---|
|
|
Property |
For encryption, specifies the alias for the applicable key. Values: string Example: |
|
|
Property |
For encryption, specifies the password for the applicable key. Values: string Example: |
|
|
Property |
Specifies the password to access the keystore. Values: string Example: |
|
|
Property |
Specifies the path to the keystore file. Values: string Example: |
|
|
Property |
For signing, specifies the alias for the applicable key. Values: string Example: |
|
|
Property |
For signing, specifies the password for the applicable key. Values: string Example: |
|
|
Property |
Specifies the type of keystore, such as JKS or Oracle wallet. Values: string Example: |
Example
<serviceInstance
location="${oracle.instance}/config/JpsDataStore/JpsSystemStore/default-keystore.jks"
provider="keystore.provider" name="keystore">
<description>Default JKS Keystore Service</description>
<property value="JKS" name="keystore.type"/>
<property value="oracle.wsm.security" name="keystore.csf.map"/>
<property value="keystore-csf-key" name="keystore.pass.csf.key"/>
<property value="sign-csf-key" name="keystore.sig.csf.key"/>
<property value="enc-csf-key" name="keystore.enc.csf.key"/>
</serviceInstance>