Administrative Reference


WLESblm.conf Reference

Configuration parameters for the Business Logic Manager (BLM) are stored in the WLESblm.conf file, located in the BEA_HOME/ales32-admin/config directory. In most cases, this configuration can be accomplished using the installation program and the Administration Console. However, you may want to change default configurations by editing the WLESblm.conf file. This section provides a reference to the WLESblm.conf parameters.



Required Parameters

The following required parameters are set when the Administration Server is installed. These configuration parameters are essential for the BLM to start; if you change any of these values, you must restart the server before the changes will take effect.

Table 5-1 Required Parameters

BLM.wlesadmin.domain
    The enterprise domain on which BLM is running.
    Default or example value: asi

BLM.wlesadmin.location
    Location (must be DEFAULT).
    Default or example value: DEFAULT

BLM.wlesadmin.ASIPolicyARMEAddresses
    The address of the ARME as a URL. The BLM directs authorization requests to this URL.
    Default or example value: https://hostname:7012

BLM.wlesadmin.trustedPeerKeyStore
    The file that contains the trusted peer certificates in PEM format.
    Default or example value: BEA_HOME/ales32-admin/ales32-shared/keys/peer.pem

BLM.wlesadmin.trustedCAKeyStore
    The file that contains the trusted CA certificates in PEM format.
    Default or example value: BEA_HOME/ales32-admin/ales32-shared/keys/trust.pem

BLM.wlesadmin.identityKeyStore
    The file that contains the server's own certificate in PEM format.
    Default or example value: BEA_HOME/ales32-admin/ales32-shared/keys/wles-admin.pem

BLM.wlesadmin.identityAlias
    The alias that will be used to retrieve the identity private key.
    Default or example value: wles-admin

BLM.wlesadmin.passwordfile
    Location of the password file that contains encrypted passwords indexed with an alias. The alias and the private key file are required to retrieve the password.
    Default or example value: BEA_HOME/ales32-admin/ales32-shared/keys/password.xml

BLM.wlesadmin.passwordkeyfile
    The password key is the master key that is required to retrieve any passwords from the password file.
    Default or example value: BEA_HOME/ales32-admin/ales32-shared/keys/password.key

BLM.wlesadmin.configkeyfile
    The config key is the master key that is required to decrypt any attributes set as sensitive in the database.
    Default or example value: BEA_HOME/ales32-admin/ales32-shared/keys/config.key


Miscellaneous Configuration Parameters

The following optional parameters are set to default values during installation.

Table 5-2 Miscellaneous Configuration Parameters

BLM.wlesadmin.port
    The BLM's listening port. The BLM runs on HTTP/SOAP. The default value is the default SOAP port, 80.
    Default or example value: 80

BLM.wlesadmin.adminPolicyRoot
    The admin policy root is created when you install the Administration Server. If, after installation, you make any change to the tree structure, you need to update this parameter as well. You do not need to change this parameter unless you are making changes to the security policies that protect the administration resources.
    Default or example value: //app/policy/ASI/admin

BLM.wlesadmin.defaultdirectory
    Used by the BLM to locate the Administrator user when the user's directory is not provided by the BLM client at the time the connection is made. This directory stores the administration server user and user groups that are used to boot the server and for BLM API login. By default, admin user IDs are maintained in the asi admin directory, and custom identities for application-related users would be stored in a directory other than the asi directory. You do not need to change this unless you are making changes to the default admin policy.
    Default or example value: asi

BLM.wlesadmin.AuditWebserviceURL
    The URL of the Web Service host to which the BLM directs authorization audit events. You do not need to change this parameter unless you have changed the IP address and port on which the Audit Web Service runs.
    Default or example value: https://127.0.0.1:7014

BLM.wlesadmin.AuditRetries
    Number of times the server will try to send audit events to the Audit Web Service before giving up. This must be an integer greater than 0. If the server cannot connect to the Audit Web Service, no exception is thrown, but a debug message will note the failure.
    Default or example value: 2

BLM.wlesadmin.contextsize
    When the BLM reaches a number of connections equal to the contextsize value, including the connections that have already timed out, the BLM will try to drop the timed-out connections that have not been accessed for a number of seconds equal to or greater than the sessionTimeout value. Set a value lower than the default of 40 for more frequent clean-up.
    Default or example value: 40

BLM.wlesadmin.sessionTimeout
    When the BLM has a number of connections equal to the contextsize value, it will try to drop connections that have not been accessed for a number of seconds equal to or greater than the sessionTimeout value.
    Default or example value: 7200 seconds (2 hours)

BLM.wlesadmin.maxCollectionSize
    The maximum number of entries in one collection. This limits the collection size used by the BLM process when dealing with collections such as collections of users, user groups, subjects, attributes, etc. For example, if you are listing the users in the identity directory user groups, the BLM would retrieve the first 500 users under the user group the first time, but the console would display a part of the 500 users and get the rest as the console user views them using the up and down arrows in the console. If you increase the value of maxCollectionSize, the result set would increase accordingly, thereby loading more users even though you may not list all the users.
    As a result, the performance cost is a management-time latency (administration time) and not a runtime evaluation latency, since the ARME caches the policy and user information locally rather than using the BLM for runtime authorization and role mapping decisions.
    If this value is set too large, it will reduce console and BLM performance and increase BLM memory usage.
    Default or example value: 500

BLM.wlesadmin.maxTreeSizeWithResourceNodes
    The maximum number of app nodes with resource nodes to display in the object tree. This is just a display and fetch restriction; the subsequent 500 resources are fetched as the console user views them with the up and down arrows. If this value is set too large, it will reduce Administration Console and BLM performance and increase BLM memory usage.
    Default or example value: 500

BLM.wlesadmin.requestThreads
    The size of the ASI thread pool that handles client requests. This value should be increased only if the server that hosts the BLM is able to handle that many threads without maxing out CPU usage.
    Default or example value: 10

BLM.wlesadmin.masterSocketReadTimeoutMs
    Timeout, in milliseconds, for the master socket on which the server reads a request. Determines how long to wait on the socket with no input before timing out. This is used both to periodically check for a shutdown request, and to allow connections which have given up their thread to be watched and rescheduled.
    Default or example value: 1

BLM.wlesadmin.childSocketReadTimeoutMs
    Timeout, in milliseconds, for a child socket on which the server reads a request. Determines how long to wait on the socket with no input before timing out. This is used both to periodically check for a shutdown request, and to allow connections which have given up their thread to be watched and rescheduled.
    Default or example value: 1


Logging Configuration Parameters

The following optional configuration parameters control OES logging behavior. Note that you may direct all logging entries to a single file. You can also direct logging entries to the stdout or stderr streams using the keywords stdout or stderr.

Table 5-3 Logging Configuration Parameters

BLM.wlesadmin.logLevel
    Determines which events get logged. Valid values are integers from 0 to 63. The value is interpreted as a bitfield: add the levels together to determine the value. The following log levels are defined:
    0 (error) Errors are always logged.
    1 (log) Enable log output.
    2 (dbg) Enable debug output.
    4 (eviction) Log any session eviction that takes place to free up idle connections.
    8 (exceptions) Exceptions thrown by the BLM server.
    16 (comTest calls) Server heartbeat calls to check that the server is functioning correctly.
    32 (soap calls) All IN/OUT SOAP messages at the transport level.
    Default or example value: 0

BLM.wlesadmin.logfile
    Logging location.
    Default or example value: BEA_HOME/ales32-admin/log/WLESblm.log

BLM.wlesadmin.errfile
    Logging location for error log entries.
    Default or example value: BEA_HOME/ales32-admin/log/WLESblm.log

BLM.wlesadmin.dbgfile
    Logging location for debug log entries.
    Default or example value: BEA_HOME/ales32-admin/log/WLESblm.log

BLM.wlesadmin.DbgOut
    Logging location for C++ client debug entries, which do not have log levels assigned.
    Default or example value: BEA_HOME/ales32-admin/log/WLESblm.log

BLM.wlesadmin.logShowDateTime
    Include the date and time in the logging header. If enabled, the date and time the message was logged are prepended to the log message.
    0 - disabled
    1 - enabled
    Default or example value: 1

BLM.wlesadmin.logShowFileName
    Include the file name and line number in the logging header. If enabled, the file name and line number of the code causing the event being logged are prepended to the log message.
    0 - disabled
    1 - enabled
    Default or example value: 1

BLM.wlesadmin.logShowThread
    Include the executing thread number in the logging header. If enabled, the number of the thread causing the event being logged is prepended to the log message.
    0 - disabled
    1 - enabled
    Default or example value: 1


Database Configuration Parameters

The following configuration parameters are set during installation. You do not need to change these values unless you change the database to which the BLM connects.

Table 5-4 Database Configuration Parameters

BLM.wlesadmin.dbsystem
    The database system used by the client. Valid values are:
    ORACLE92, ORACLE90, ORACLE81
    SYBASE125, SYBASE120, SYBASE119
    In addition, for backwards compatibility, the value ORACLE is treated as ORACLE81 and the value SYBASE is treated as SYBASE125.
    Default or example value: ORACLE92

BLM.wlesadmin.dbserver
    The database server name (the database service name for Oracle).
    Default or example value: ASI.DB.EXAMPLE.COM

BLM.wlesadmin.dbname
    Database name. This parameter is only applicable to Sybase and is ignored for Oracle.
    Default or example value: sspolicy

BLM.wlesadmin.dbpolicyowner
    Username of the policy owner. Generally, this will be the same as the dblogin user.
    Default or example value: (none)

BLM.wlesadmin.dblogin
    Database login ID. This user ID must be granted database permissions. Usually it is the schema (policy) owner, which has all the permissions.
    Default or example value: (none)

BLM.wlesadmin.dbpoolsize
    Number of database connections in the shared pool to be allocated for the BLM. Consult your database administrator before setting this larger than 20, since there is typically a limited number of connections configured in the database server.
    Default or example value: 20

BLM.wlesadmin.dbconnidletimeout
    If a database connection is idle for this number of seconds, it is disconnected. Use this to make sure the BLM does not retain unused database connections for a long period.
    Default or example value: 600 seconds

BLM.wlesadmin.sqldebug
    Enables or disables database SQL debugging (bitwise). In a production environment, set it to 0 or 1.
    In order for SQL debug logging to function, the BLM.wlesadmin.logLevel dbg bit must be set.
    0 - hard database error
    1 - soft database error (recoverable)
    2 - SQL debugging
    4 - Stored procedure debugging
    Add the levels together to come up with the value.
    Default or example value: 0

BLM.wlesadmin.fetchnumrows
    Indicates how many delta elements should be returned from the database as part of the query result set, as opposed to loading all of the results at once. A subsequent get on the 1001st item would fetch the next 1000 results, and so forth. To process the results, the collection configuration would take two passes, with 500 items on the first and 500 on the next pass, and so on.
    This value is a trade-off between latency during administration actions and latency at evaluation.
    Default or example value: 1000


CPP API Configuration Parameters

The following parameters relate to the CPP API used by the BLM to call the ARME for Authorization decisions.

Table 5-5 CPP API Parameters

BLM.wlesadmin.cacheEnabled
    Is authorization caching enabled? 0 indicates disabled and 1 indicates enabled.
    Default or example value: 0

BLM.wlesadmin.cacheFileName
    If authorization caching is enabled, the cache is written to this file.
    Default or example value: asiCpp.cache

BLM.wlesadmin.relocateRetries
    Number of times the server will try to get a new reference to an ARME in case the current one becomes unavailable.
    Default or example value: 10

BLM.wlesadmin.relocateInterval
    The interval between retries in milliseconds.
    Default or example value: 1000

BLM.wlesadmin.autoRelocateInterval
    Setting this to anything but MS_INFINITE causes the server to automatically drop the current ARME connection and try to establish a new connection after every interval (in milliseconds).
    Default or example value: MS_INFINITE

BLM.wlesadmin.reconnectRetries
    Number of times the server will try the same connection before relocating and using another one.
    Default or example value: 1


Distribution Parameters

The following set of parameters is dependent on the ARME policy distribution and provisioning states. The BLM distribution component uses these timeout settings to communicate with the ARME. Override timeouts as desired for the various distributed transaction phases.

Table 5-6 Distribution Parameters

BLM.wlesadmin.ARMECountRequiredToCommit
    Defines the number of ARME instances within an ARME group that are required to successfully receive the new policy in order for the group to commit the policy. If this number isn't met, the entire group is rolled back and stays on the existing policy. If the number is met, any ARME instance not successfully committing the new policy is put into the unbound group. If fewer ARME instances are alive than this value, all ARME instances in the group must successfully receive the policy for the group to commit.
    Default or example value: 1

BLM.wlesadmin.ARMEPrepareToCommitTimeoutMS
    Determines how long the BLM waits for an ARME to finish the prepareToCommit stage of a policy distribution.
    Default or example value: 10800000 (3 hours)

BLM.wlesadmin.pendingARMEWaitMS
    Determines how long the BLM waits for new ARMEs to request a policy before distributing in parallel to the unbound group. Each time a new ARME shows up, the BLM waits this long for one more to show up.
    Default or example value: 10000

BLM.wlesadmin.pendingARMEWaitMaxMS
    Determines the maximum time the BLM waits before distributing to the unbound group.
    Default or example value: 120000

BLM.wlesadmin.ARMECommitTimeoutMS
    Determines how long the BLM waits for an ARME to finish the commit stage of a policy distribution.
    Default or example value: 300000 (5 minutes)

BLM.wlesadmin.ARMERollbackTimeoutMS
    Determines how long the BLM waits for an ARME to finish the potential rollback stage of a policy distribution.
    Default or example value: 300000 (5 minutes)

BLM.wlesadmin.ARMEDeltaTimeoutMS
    Determines how long the BLM waits for the ARME to finish the delta stage of a policy distribution.
    Default or example value: 300000 (5 minutes)

BLM.wlesadmin.ARMEBeginPolicyUpdateTimeoutMS
    Determines how long the BLM waits for an ARME to finish the begin policy update stage of a policy distribution. The default is 5 minutes.
    Default or example value: 300000 (5 minutes)

BLM.wlesadmin.deltaSendNumRows
    Indicates how many delta elements are sent to the servers by the BLM at one time. Increasing the number may improve performance, but increases overhead.
    Default or example value: 1000

BLM.wlesadmin.syncType
    The synchronization level when committing a new policy. There are three levels; each level includes the previous levels:
    0 - group: all instances in a group must be able to commit the new policy for any to commit.
    1 - location: all groups in the location must be able to commit the new policy for any to commit.
    2 - domain: all locations in the domain must be able to commit the new policy for any to commit.
    Default or example value: 1

PD.secondaryEnabled
    Indicates whether a second server has been set up to enable failover. This flag is used by the policy distributor. If set to true, the policy distributor on the primary server will temporarily give up control to the policy distributor on the second server to process the distribution request queue when the primary server detects that the network to the ARME is down.
    Default or example value: False

PD.minFailedARMEDistributions
    Defines the minimum number of failed ARME distributions that is considered sufficient to indicate that the network from the local server to the ARMEs could be down when policies cannot be distributed. When this number is exceeded, the policy distributor on the primary server will temporarily give up control (of processing the distribution request queue) to the second server if PD.secondaryEnabled = true. This value should be strictly greater than 1.
    Default or example value: 10

PD.networkDownWaitTimeout
    Defines the time period (in milliseconds) for which the policy distributor on the primary server will give up control of processing the distribution request queue to a different (second) server if the network to the ARME instances is detected to be down. After this time period has lapsed, the primary server will resume control of processing the distribution queue.
    Default or example value: 600000 (10 minutes)

PD.lockUpdatePeriod
    Defines the time period (in milliseconds) at which the policy distributor updates the DB lock entry while it holds the lock, to indicate that the lock is active.
    Default or example value: 90000 (1.5 minutes)

PD.missedLockUpdates
    Defines the number of missed updates of the DB lock entry that is considered sufficient to indicate that the lock is faulty. If the lock entry hasn't been updated for more than (PD.missedLockUpdates)*(PD.lockUpdatePeriod) milliseconds, it will be removed. This value should be strictly greater than 1. Please ensure that the time (PD.missedLockUpdates)*(PD.lockUpdatePeriod) is sufficiently large (at least ~5 minutes is suggested).
    Default or example value: 3

PD.lockRemoverMonitoringPeriod
    Defines the time period (in milliseconds) at which the faulty lock remover thread will monitor the distribution lock DB entry to detect a faulty distribution lock (a lock left behind due to a server failure in the middle of a distribution) and remove it automatically. This value should be strictly greater than PD.lockUpdatePeriod.
    Default or example value: 180000 (3 minutes)


Default Timeout Parameters

The following parameters are default values for the underlying transport for client/server connections made by the BLM to the Administration Server.

Table 5-7 Default Timeout Parameters

BLM.wlesadmin.defaultSendTimeoutMs
    When the BLM sends a request, specifies the milliseconds to wait before timing out if it cannot send data.
    Default or example value: 10000

BLM.wlesadmin.defaultRecvTimeoutMs
    When the BLM makes a request to another server, specifies the milliseconds to wait before disconnecting.
    Default or example value: 10000

BLM.wlesadmin.defaultConnectTimeoutMs
    When the transport cannot connect to another server, specifies the milliseconds to wait before giving up.
    Default or example value: 10000


Override Timeout Parameters

The following timeout parameters are used by the BLM pool manager to override timeouts on its pool of BLM connections based on the activity performed.

Table 5-8 Override Timeout Parameters

BLM.wlesadmin.connectTimeout
    When the transport cannot connect to the ARME, specifies the milliseconds to wait before giving up.
    Default or example value: 10000

BLM.wlesadmin.sendTimeout
    When the BLM sends a request to the ARME, specifies the milliseconds to wait before timing out if it cannot send data.
    Default or example value: 10000

BLM.wlesadmin.requestTimeout
    When the BLM makes a request to the ARME, specifies the milliseconds to wait before disconnecting.
    Default or example value: 10000

BLM.wlesadmin.relocateOnError
    Controls whether to keep using the same connection (0) or relocate (1) if errors occur while communicating with the ARME.
    Default or example value: 1

BLM.wlesadmin.maxRetries
    Maximum number of retries for the same ARME before relocation takes place.
    Default or example value: 10
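Several of the tables above state constraints that the file itself does not enforce: the logLevel bitfield (Table 5-3), the dependency of sqldebug on the logLevel dbg bit (Table 5-4), and the lock-timing rules for PD.missedLockUpdates, PD.lockUpdatePeriod and PD.lockRemoverMonitoringPeriod (Table 5-6). The checker below is an added example, not part of this reference or of the product; it assumes WLESblm.conf is plain key=value lines with # comments (the page does not show the file syntax) and reports any setting that violates a stated rule.

```python
# Assumption (not from the page): WLESblm.conf is plain key=value lines with '#' comments.
LOG_BITS = {1: "log", 2: "dbg", 4: "eviction", 8: "exceptions",
            16: "comTest calls", 32: "soap calls"}
P = "BLM.wlesadmin."

def parse_conf(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf

def decode_log_level(level):
    """Return the names of the bits set in a BLM.wlesadmin.logLevel value (0-63)."""
    return [name for bit, name in LOG_BITS.items() if level & bit]

def check_conf(conf, production=True):
    """Return a list of findings; an empty list means every stated constraint holds."""
    num = lambda key, default: int(conf.get(key, default))
    out = []
    if conf.get(P + "location", "DEFAULT") != "DEFAULT":
        out.append("location must be DEFAULT")
    if num(P + "AuditRetries", 2) <= 0:
        out.append("AuditRetries must be an integer greater than 0")
    level = num(P + "logLevel", 0)
    if not 0 <= level <= 63:
        out.append("logLevel must be an integer from 0 to 63")
    sqldebug = num(P + "sqldebug", 0)
    if sqldebug & 6 and "dbg" not in decode_log_level(level & 63):  # 2 = SQL, 4 = stored procedures
        out.append("sqldebug needs the logLevel dbg bit (2) to produce output")
    if production and sqldebug > 1:
        out.append("sqldebug should be 0 or 1 in production")
    for key, default, allowed in ((P + "cacheEnabled", 0, {0, 1}),
                                  (P + "relocateOnError", 1, {0, 1}), (P + "syncType", 1, {0, 1, 2})):
        if num(key, default) not in allowed:
            out.append(f"{key} must be one of {sorted(allowed)}")
    if num(P + "dbpoolsize", 20) > 20:
        out.append("dbpoolsize above 20: consult the database administrator first")
    if num("PD.minFailedARMEDistributions", 10) <= 1:
        out.append("PD.minFailedARMEDistributions must be strictly greater than 1")
    missed, period = num("PD.missedLockUpdates", 3), num("PD.lockUpdatePeriod", 90000)
    if missed <= 1:
        out.append("PD.missedLockUpdates must be strictly greater than 1")
    # The ~5 minute floor is only suggested (the defaults give 4.5 minutes), so report it only when both are set.
    if "PD.missedLockUpdates" in conf and "PD.lockUpdatePeriod" in conf and missed * period < 300000:
        out.append("PD.missedLockUpdates * PD.lockUpdatePeriod is under the suggested ~5 minutes")
    if num("PD.lockRemoverMonitoringPeriod", 180000) <= period:
        out.append("PD.lockRemoverMonitoringPeriod must exceed PD.lockUpdatePeriod")
    return out

# Constructed sample files: one sound, one with several of the mistakes above.
SAMPLE_OK = "BLM.wlesadmin.location=DEFAULT\nBLM.wlesadmin.logLevel=6\nBLM.wlesadmin.sqldebug=1\n"
SAMPLE_BAD = ("BLM.wlesadmin.location=asi\nBLM.wlesadmin.AuditRetries=0\nBLM.wlesadmin.logLevel=1\n"
              "BLM.wlesadmin.sqldebug=2\nPD.missedLockUpdates=2\nPD.lockUpdatePeriod=90000\n"
              "PD.lockRemoverMonitoringPeriod=90000\n")
```

Run `check_conf(parse_conf(open("WLESblm.conf").read()))` against a real file; a value the checker cannot parse as an integer raises ValueError, which is itself a finding worth fixing.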