Administration Reference


WLESblm.conf Reference

Configuration parameters for the Business Logic Manager (BLM) are stored in the WLESblm.conf file, located in the BEA_HOME/ales26-admin/config directory. While in most cases configuring AquaLogic Enterprise Security can be accomplished using the installation program and the ALES Administration Console, there may be some cases in which you want to change default configurations by editing the WLESblm.conf file. This section provides a reference to the WLESblm.conf parameters.

Required Parameters

The following required parameters are set when the ALES Administration Server is installed. These configuration parameters are essential for the BLM to start; if you change any of these values, you must restart the server before the changes will take effect.

Table 3-1 Required Parameters

Parameter: BLM.wlesadmin.domain
Description: The enterprise domain on which the BLM is running.
Default or example value: asi

Parameter: BLM.wlesadmin.location
Description: The location. Must be DEFAULT.
Default or example value: DEFAULT

Parameter: BLM.wlesadmin.ASIPolicyARMEAddresses
Description: The address of the ARME as a URL. The BLM directs authorization requests to this URL.
Default or example value: https://hostname:7012

Parameter: BLM.wlesadmin.trustedPeerKeyStore
Description: The file that contains the trusted peer certificates in PEM format.
Default or example value: D:/opt/bea/81/ales26-admin/ssl/peer.pem

Parameter: BLM.wlesadmin.trustedCAKeyStore
Description: The file that contains the trusted CA certificates in PEM format.
Default or example value: D:/opt/bea/81/ales26-admin/ssl/trust.pem

Parameter: BLM.wlesadmin.identityKeyStore
Description: The file that contains the server's own certificate in PEM format.
Default or example value: D:/opt/bea/81/ales26-admin/ssl/wles-admin.pem

Parameter: BLM.wlesadmin.identityAlias
Description: The alias that is used to retrieve the identity private key.
Default or example value: wles-admin

Parameter: BLM.wlesadmin.passwordfile
Description: Location of the password file that contains encrypted passwords indexed by an alias. The alias and the private key file are required to retrieve the password.
Default or example value: D:/opt/bea/81/ales26-admin/ssl/password.xml

Parameter: BLM.wlesadmin.passwordkeyfile
Description: The password key is the master key that is required to retrieve any passwords from the password file.
Default or example value: D:/opt/bea/81/ales26-admin/ssl/password.key

Parameter: BLM.wlesadmin.configkeyfile
Description: The config key is the master key that is required to decrypt any attributes marked as sensitive in the database.
Default or example value: D:/opt/bea/81/ales26-admin/ssl/config.key

Miscellaneous Configuration Parameters

The following optional parameters are set to default values during installation.

Table 3-2 Miscellaneous Configuration Parameters

Parameter: BLM.wlesadmin.port
Description: The BLM's listening port. The BLM runs on HTTP/SOAP. The default value is the default SOAP port, 80.
Default or example value: 80

Parameter: BLM.wlesadmin.adminPolicyRoot
Description: The admin policy root is created when you install the ALES Administration Server. If, after installation, you make any change to the tree structure, you need to update this parameter as well. You do not need to change this parameter unless you are changing the security policies that protect the ALES administration resources.
Default or example value: //app/policy/ASI/admin

Parameter: BLM.wlesadmin.defaultdirectory
Description: The BLM uses this setting to locate the Administrator user when the BLM client does not supply the user's directory at connection time. This directory stores the administration server users and user groups that are used to boot the server and to log in through the BLM API. By default, ALES admin user IDs are maintained in the asi admin directory, and custom identities for application-related users are stored in a directory other than asi. You do not need to change this unless you are changing the default admin policy.
Default or example value: asi

Parameter: BLM.wlesadmin.AuditWebserviceURL
Description: The URL of the Web Service host to which the BLM directs authorization audit events. You do not need to change this parameter unless you have changed the IP address and port on which the Audit Web Service runs.
Default or example value: https://127.0.0.1:7014

Parameter: BLM.wlesadmin.AuditRetries
Description: Number of times the server tries to send audit events to the Audit Web Service before giving up. This must be an integer greater than 0. If the server cannot connect to the Audit Web Service, no exception is thrown, but a debug message notes the failure.
Default or example value: 2

Parameter: BLM.wlesadmin.contextsize
Description: When the number of BLM connections, including connections that have already timed out, reaches the contextsize value, the BLM tries to drop the timed-out connections that have not been accessed for a number of seconds equal to or greater than the sessionTimeout value. Set a lower value for more frequent clean-up than the default of 40 provides.
Default or example value: 40

Parameter: BLM.wlesadmin.sessionTimeout
Description: When the BLM has a number of connections equal to the contextsize value, it tries to drop connections that have not been accessed for a number of seconds equal to or greater than the sessionTimeout value.
Default or example value: 7200 seconds (2 hours)

Parameter: BLM.wlesadmin.maxCollectionSize
Description: The maximum number of entries in one collection. This limits the collection size used by the BLM process when it handles collections such as users, user groups, subjects and attributes. For example, when you list the users in an identity directory user group, the BLM retrieves the first 500 users under the group on the first pass; the console displays part of those 500 users and fetches the rest as the console user scrolls with the up and down arrows. If you increase maxCollectionSize, the result set grows accordingly and more users are loaded even if you never list them all. The cost is therefore management-time latency (administration time) rather than runtime evaluation latency, because the ARME caches policy and user information locally instead of consulting the BLM for runtime authorization and role-mapping decisions. If this value is set too large, it reduces console and BLM performance and increases BLM memory usage.
Default or example value: 500

Parameter: BLM.wlesadmin.maxTreeSizeWithResourceNodes
Description: The maximum number of app nodes with resource nodes to display in the object tree. This is only a display and fetch restriction; the subsequent 500 resources are fetched as the console user scrolls with the up and down arrows. If this value is set too large, it reduces Administration Console and BLM performance and increases BLM memory usage.
Default or example value: 500

Parameter: BLM.wlesadmin.requestThreads
Description: The size of the ASI thread pool that handles client requests. Increase this value only if the machine that hosts the BLM server can run that many threads without saturating the CPU.
Default or example value: 10

Parameter: BLM.wlesadmin.masterSocketReadTimeoutMs
Description: Timeout for the master socket on which the server reads a request. Determines how long to wait on the socket with no input before timing out. This is used both to periodically check for a shutdown request and to allow connections that have given up their thread to be watched and rescheduled.
Default or example value: 1

Parameter: BLM.wlesadmin.childSocketReadTimeoutMs
Description: Timeout for a child socket on which the server reads a request. Determines how long to wait on the socket with no input before timing out. This is used both to periodically check for a shutdown request and to allow connections that have given up their thread to be watched and rescheduled.
Default or example value: 1

Logging Configuration Parameters

The following optional configuration parameters control ALES logging behavior. Note that you may direct all logging entries to a single file. You can also direct logging entries to the stdout or stderr streams using the keywords stdout or stderr.

Table 3-3 Logging Configuration Parameters

Parameter: BLM.wlesadmin.logLevel
Description: Determines which events get logged. Valid values are integers from 0 to 63. The value is interpreted as a bitfield; add the levels together to determine the value. The following log levels are defined:
    0 (error) - errors are always logged.
    1 (log) - enable log output.
    2 (dbg) - enable debug output.
    4 (eviction) - log any session eviction that takes place to free up idle connections.
    8 (exceptions) - exceptions thrown by the BLM server.
    16 (comTest calls) - server heartbeat calls that check that the server is functioning correctly.
    32 (soap calls) - all IN/OUT SOAP messages at the transport level.
Default or example value: 0

Parameter: BLM.wlesadmin.logfile
Description: Logging location.
Default or example value: D:/opt/bea/81/ales26-admin/log/WLESblm.log

Parameter: BLM.wlesadmin.errfile
Description: Logging location for error log entries.
Default or example value: D:/opt/bea/81/ales26-admin/log/WLESblm.log

Parameter: BLM.wlesadmin.dbgfile
Description: Logging location for debug log entries.
Default or example value: D:/opt/bea/81/ales26-admin/log/WLESblm.log

Parameter: BLM.wlesadmin.DbgOut
Description: Logging location for C++ client debug entries, which have no log levels assigned.
Default or example value: D:/opt/bea/81/ales26-admin/log/WLESblm.log

Parameter: BLM.wlesadmin.logShowDateTime
Description: Include the date and time in the logging header. If enabled, the date and time the message was logged are prepended to the log message. 0 - disabled, 1 - enabled.
Default or example value: 1

Parameter: BLM.wlesadmin.logShowFileName
Description: Include the file name and line number in the logging header. If enabled, the file name and line number that caused the logged event are prepended to the log message. 0 - disabled, 1 - enabled.
Default or example value: 1

Parameter: BLM.wlesadmin.logShowThread
Description: Include the executing thread number in the logging header. If enabled, the number of the thread that caused the logged event is prepended to the log message. 0 - disabled, 1 - enabled.
Default or example value: 1

Database Configuration Parameters

The following configuration parameters are set during installation. You do not need to change these values unless you change the database to which the BLM connects.

Table 3-4 Database Configuration Parameters

Parameter: BLM.wlesadmin.dbsystem
Description: The database system used by the client. Valid values are ORACLE92, ORACLE90, ORACLE81, SYBASE125, SYBASE120 and SYBASE119. In addition, for backwards compatibility, the value ORACLE is treated as ORACLE81 and the value SYBASE is treated as SYBASE125.
Default or example value: ORACLE92

Parameter: BLM.wlesadmin.dbserver
Description: The database server name (the database service name for Oracle).
Default or example value: ASI.DB.EXAMPLE.COM

Parameter: BLM.wlesadmin.dbname
Description: Database name. This parameter applies only to Sybase and is ignored for Oracle.
Default or example value: sspolicy

Parameter: BLM.wlesadmin.dbpolicyowner
Description: The user name of the policy owner. Generally this is the same as the dblogin user.
Default or example value: (none listed)

Parameter: BLM.wlesadmin.dblogin
Description: Database login ID. This user ID must be granted database permissions. Usually it is the schema (policy) owner, which has all the permissions.
Default or example value: (none listed)

Parameter: BLM.wlesadmin.dbpoolsize
Description: Number of database connections in the shared pool allocated for the BLM. Consult your database administrator before setting this to a number greater than 20, since the database server typically has a limited number of connections configured.
Default or example value: 20

Parameter: BLM.wlesadmin.dbconnidletimeout
Description: If a database connection has been idle for this number of seconds, it is disconnected. This ensures the BLM does not hold unused database connections for a long period.
Default or example value: 600 seconds

Parameter: BLM.wlesadmin.sqldebug
Description: Enables or disables database SQL debugging (bit-wise). In a production environment, set it to 0 or 1. For SQL debug logging to function, the BLM.wlesadmin.logLevel dbg bit must be set. The levels are:
    0 - hard database error
    1 - soft database error (recoverable)
    2 - SQL debugging
    4 - stored procedure debugging
Add the levels together to come up with the value.
Default or example value: 0

Parameter: BLM.wlesadmin.fetchnumrows
Description: Indicates how many delta elements are returned from the database as part of a query result set, as opposed to loading all of the results at once. The subsequent get on the 1001st item fetches the next 1000 results, and so forth. To process the results, the collection configuration takes two passes, with 500 items on the first pass and 500 on the next, and so on. This value is a trade-off between latency during administration actions and latency at evaluation.
Default or example value: 1000
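The logLevel and sqldebug bitfields above are easy to get wrong by hand. This added example (not code from the ALES product) parses a constructed WLESblm.conf fragment, decodes and encodes the bit values from Tables 3-3 and 3-4, and reports the settings a reviewer would flag before promoting the file to production; the name=value line layout is an assumption.

```python
"""Decode and sanity-check the WLESblm.conf logging bitfields (added example)."""
import re

# Bit values from Table 3-3 (logLevel) and Table 3-4 (sqldebug). The 0 entries
# ("error", "hard database error") are the baseline, not bits.
LOG_LEVEL_BITS = {1: "log", 2: "dbg", 4: "eviction", 8: "exceptions",
                  16: "comTest calls", 32: "soap calls"}
SQL_DEBUG_BITS = {1: "soft database error", 2: "SQL debugging",
                  4: "stored procedure debugging"}
LOG_LEVEL_MAX = 63   # logLevel must be an integer from 0 to 63

# Constructed sample fragment; the name=value layout is an assumption.
SAMPLE_CONF = """
# constructed WLESblm.conf fragment
BLM.wlesadmin.logLevel = 38
BLM.wlesadmin.sqldebug = 2
"""

def parse_conf(text):
    """Parse name=value lines into a dict, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=\s]+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("malformed line: %r" % line)
        conf[m.group(1)] = m.group(2).strip()
    return conf

def decode_bits(value, table, maximum):
    """Expand a bitfield integer into the names of the bits that are set."""
    if not 0 <= value <= maximum:
        raise ValueError("value %d is outside 0..%d" % (value, maximum))
    return [name for bit, name in sorted(table.items()) if value & bit]

def encode_bits(names, table):
    """Inverse of decode_bits: add the named levels together."""
    by_name = {name: bit for bit, name in table.items()}
    return sum(by_name[n] for n in names)

def check_logging(conf):
    """Return the findings a reviewer would raise on the logging settings."""
    level = int(conf.get("BLM.wlesadmin.logLevel", "0"))
    sqldbg = int(conf.get("BLM.wlesadmin.sqldebug", "0"))
    decode_bits(level, LOG_LEVEL_BITS, LOG_LEVEL_MAX)   # range checks
    decode_bits(sqldbg, SQL_DEBUG_BITS, 7)
    findings = []
    if sqldbg > 1:
        findings.append("sqldebug=%d: production should use 0 or 1" % sqldbg)
    if sqldbg & 6 and not level & 2:
        findings.append("SQL debugging requested but the logLevel dbg bit (2) is clear")
    if level & 32:
        findings.append("soap calls bit set: all IN/OUT SOAP messages go to the log file")
    return findings
```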

CPP API Configuration Parameters

The following parameters relate to the CPP API used by the BLM to call the ARME for authorization decisions.

Table 3-5 CPP API Parameters

Parameter: BLM.wlesadmin.cacheEnabled
Description: Whether authorization caching is enabled. 0 indicates disabled and 1 indicates enabled.
Default or example value: 0

Parameter: BLM.wlesadmin.cacheFileName
Description: If authorization caching is enabled, the cache is written to this file.
Default or example value: asiCpp.cache

Parameter: BLM.wlesadmin.relocateRetries
Description: Number of times the server tries to get a new reference to an ARME if the current one becomes unavailable.
Default or example value: 10

Parameter: BLM.wlesadmin.relocateInterval
Description: The interval between retries, in milliseconds.
Default or example value: 1000

Parameter: BLM.wlesadmin.autoRelocateInterval
Description: Setting this to anything other than MS_INFINITE causes the server to automatically drop the current ARME connection and try to establish a new connection after every interval, in milliseconds.
Default or example value: MS_INFINITE

Parameter: BLM.wlesadmin.reconnectRetries
Description: Number of times the server tries the same connection before relocating and using another one.
Default or example value: 1

Distribution Parameters

The following set of parameters depends on the ARME policy distribution and provisioning states. The BLM distribution component uses these timeout settings to communicate with the ARME. Override the timeouts as desired for the various distributed transaction phases.

Table 3-6 Distribution Parameters

Parameter: BLM.wlesadmin.ARMECountRequiredToCommit
Description: Defines the number of ARME instances within an ARME group that must successfully receive the new policy for the group to commit the policy. If this number is not met, the entire group is rolled back and stays on the existing policy. If the number is met, any ARME instance that did not successfully commit the new policy is put into the unbound group. If fewer ARME instances are alive than this value, all ARME instances in the group must successfully receive the policy for the group to commit.
Default or example value: 1

Parameter: BLM.wlesadmin.ARMEPrepareToCommitTimeoutMS
Description: Determines how long the BLM waits for an ARME to finish the prepareToCommit stage of a policy distribution.
Default or example value: 10800000 (3 hours)

Parameter: BLM.wlesadmin.pendingARMEWaitMS
Description: Determines how long the BLM waits for new ARMEs to request a policy before distributing in parallel to the unbound group. Each time a new ARME shows up, the BLM waits this long for one more to show up.
Default or example value: 10000

Parameter: BLM.wlesadmin.pendingARMEWaitMaxMS
Description: Determines the maximum amount of time the BLM waits before distributing to the unbound group.
Default or example value: 120000

Parameter: BLM.wlesadmin.ARMECommitTimeoutMS
Description: Determines how long the BLM waits for an ARME to finish the commit stage of a policy distribution.
Default or example value: 300000 (5 minutes)

Parameter: BLM.wlesadmin.ARMERollbackTimeoutMS
Description: Determines how long the BLM waits for an ARME to finish the potential rollback stage of a policy distribution.
Default or example value: 300000 (5 minutes)

Parameter: BLM.wlesadmin.ARMEDeltaTimeoutMS
Description: Determines how long the BLM waits for the ARME to finish the delta stage of a policy distribution.
Default or example value: 300000 (5 minutes)

Parameter: BLM.wlesadmin.ARMEBeginPolicyUpdateTimeoutMS
Description: Determines how long the BLM waits for a BLE to finish the begin policy update stage of a policy distribution. The default is 5 minutes.
Default or example value: 300000 (5 minutes)

Parameter: BLM.wlesadmin.deltaSendNumRows
Description: Indicates how many delta elements the BLM sends to the servers at one time. Increasing the number may improve performance but increases overhead.
Default or example value: 1000

Parameter: BLM.wlesadmin.syncType
Description: Defines the desired level of synchronization when committing a new policy. There are three levels of synchronization; each level includes the previous levels:
    0 - group: all instances in a group must be able to commit the new policy for any to commit.
    1 - location: all groups in the location must be able to commit the new policy for any to commit.
    2 - domain: all locations in the domain must be able to commit the new policy for any to commit.
Default or example value: 1
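The commit rules for ARMECountRequiredToCommit and syncType interact, and it helps to see them worked through on a topology. The model below is an added example, not ALES code: group_commit_outcome applies the per-group rule exactly as described in Table 3-6 (rollback when the count is not met, failed instances moved to the unbound group when it is, and "all alive instances" as the threshold when fewer are alive than the count), and distribution_outcome layers the syncType levels on top; the dict shape for the domain is a constructed assumption.

```python
"""Worked model of the Table 3-6 commit rules (added example, not ALES code)."""


def group_commit_outcome(required, alive, received):
    """Apply BLM.wlesadmin.ARMECountRequiredToCommit to one ARME group.

    required -- the configured ARMECountRequiredToCommit value
    alive    -- names of ARME instances in the group that are reachable
    received -- names of instances that successfully received the new policy
    Returns ("commit", unbound_instances) or ("rollback", frozenset()).
    """
    alive = frozenset(alive)
    received = frozenset(received) & alive
    if not alive:
        return ("rollback", frozenset())
    # Fewer alive instances than the count: every alive instance must succeed.
    threshold = min(required, len(alive))
    if len(received) < threshold:
        return ("rollback", frozenset())
    # Count met: instances that failed go to the unbound group, not rolled back.
    return ("commit", alive - received)


def distribution_outcome(domain, required, sync_type):
    """Apply BLM.wlesadmin.syncType on top of the per-group rule.

    domain    -- {location: {group: (alive, received)}} (constructed shape)
    sync_type -- 0 group, 1 location, 2 domain; each includes the lower levels
    Returns {(location, group): (outcome, unbound_instances)}.
    """
    if sync_type not in (0, 1, 2):
        raise ValueError("syncType must be 0, 1 or 2")
    result = {}
    for loc, groups in domain.items():
        outcomes = {g: group_commit_outcome(required, a, r)
                    for g, (a, r) in groups.items()}
        # Level 1: any group failing rolls back every group in the location.
        if sync_type >= 1 and any(o[0] == "rollback" for o in outcomes.values()):
            outcomes = {g: ("rollback", frozenset()) for g in groups}
        for g, o in outcomes.items():
            result[(loc, g)] = o
    # Level 2: any location failing rolls back the whole domain.
    if sync_type == 2 and any(o[0] == "rollback" for o in result.values()):
        result = {k: ("rollback", frozenset()) for k in result}
    return result


# Constructed topology: two locations, three groups, one instance that failed
# to receive the policy (a3) and one group whose only instance failed (g2).
SAMPLE_DOMAIN = {
    "east": {"g1": ({"a1", "a2", "a3"}, {"a1", "a2"}),
             "g2": ({"b1"}, set())},
    "west": {"g3": ({"c1", "c2"}, {"c1", "c2"})},
}
```

With the default syncType of 1, g1's commit is lost because g2 in the same location could not commit, while with syncType 0 g1 commits and moves a3 to the unbound group.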

Default Timeout Parameters

The following parameters are default values for the underlying transport for client/server connections made by the BLM to the ALES Administration Servers.

Table 3-7 Default Timeout Parameters

Parameter: BLM.wlesadmin.defaultSendTimeoutMs
Description: When the BLM is sending a request, this transport timeout controls when, in milliseconds, to time out if it cannot send data.
Default or example value: 10000

Parameter: BLM.wlesadmin.defaultRecvTimeoutMs
Description: When the BLM has made a request to another server, this transport timeout controls how long to wait, in milliseconds, before disconnecting.
Default or example value: 10000

Parameter: BLM.wlesadmin.defaultConnectTimeoutMs
Description: When the transport cannot connect to another server, this transport timeout controls how long to wait, in milliseconds, before giving up.
Default or example value: 10000

Override Timeout Parameters

The following timeout parameters are used by the BLM pool manager to override timeouts on its pool of BLM connections based on the activity performed.

Table 3-8 Override Timeout Parameters

Parameter: BLM.wlesadmin.connectTimeout
Description: When the transport cannot connect to the ARME, this transport timeout controls how long to wait, in milliseconds, before giving up.
Default or example value: 10000

Parameter: BLM.wlesadmin.sendTimeout
Description: When the BLM is sending a request to the ARME, this transport timeout controls when to time out, in milliseconds, if it cannot send data.
Default or example value: 10000

Parameter: BLM.wlesadmin.requestTimeout
Description: When the BLM has made a request to the ARME, this transport timeout controls how long to wait, in milliseconds, before disconnecting.
Default or example value: 10000

Parameter: BLM.wlesadmin.relocateOnError
Description: Controls whether to keep using the same connection (0) or relocate (1) if errors occur while communicating with the ARME.
Default or example value: 1

Parameter: BLM.wlesadmin.maxRetries
Description: Maximum number of retries against the same ARME before relocation takes place.
Default or example value: 10
