The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail.
For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Security Guide.
Note:
To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide.
WLST security commands are divided into the following categories:
Table 4-1 WLST Command Categories
Command Category | Description |
---|---|
Audit Configuration | View and manage audit policies and the audit repository configuration. |
SSL Configuration | View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components. |
Oracle Identity Federation | View and manage configuration for Oracle Identity Federation. |
Directory Integration Platform | For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware User Reference for Oracle Identity Management. |
Oracle Platform Security Services | Manage the domain policy and credential stores and migrate the domain policy store. |
Oracle Access Manager | Manage OAM-related components, such as authorization providers, identity asserters, and SSO providers. |
Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.
Table 4-2 WLST Commands for Audit Configuration
Use this command... | To... | Use with WLST... |
---|---|---|
getNonJavaEEAuditMBeanName | Display the MBean name for a non-Java EE component. | Online |
getAuditPolicy | Display audit policy settings. | Online |
setAuditPolicy | Update audit policy settings. | Online |
getAuditRepository | Display audit repository settings. | Online |
setAuditRepository | Update audit repository settings. | Online |
listAuditEvents | List audit events for one or all components. | Online |
exportAuditConfig | Export a component's audit configuration. | Online |
importAuditConfig | Import a component's audit configuration. | Online |
For more information, see the Oracle Fusion Middleware Security Guide.
Online command that displays the MBean name for non-Java EE components.
This command displays the MBean name for a non-Java EE component given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit MBean is running. The MBean name is a required parameter to the other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
svrName | Specifies the name of the Oracle WebLogic Server. |
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component MBean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory; in the examples on this page it is passed as the keyword argument on.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
getAuditPolicy([mbeanName])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
The following command displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0
The following command displays the audit settings for MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
This command configures the audit policy settings. You can set the filter preset, add or remove special users, and add or remove custom events. The component MBean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory. Setting filterPreset to None stops event capture for the component, so confirm the resulting policy with getAuditPolicy after every change.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers], [removeSpecialUsers],[addCustomEvents],[removeCustomEvents])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
filterPreset | Specifies the filter preset to be set. |
addSpecialUsers | Specifies the special users to be added (comma-separated). |
removeSpecialUsers | Specifies the special users to be removed (comma-separated). |
addCustomEvents | Specifies the custom events to be added (comma-separated). |
removeCustomEvents | Specifies the custom events to be removed (comma-separated). |
The following interactive command sets the audit policy to the None level, and adds users user2 and user3 while removing user1 from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='None',addSpecialUsers='user2,user3',removeSpecialUsers='user1')
wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0
The following interactive command adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset= 'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following interactive command sets the audit policy to the Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0
The following command sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
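A policy change is only as good as the check that follows it. The following added example (it is not part of the Oracle documentation and runs in plain Python outside WLST) parses captured getAuditPolicy() output of the form shown above and compares it with a baseline; the two samples are constructed from the sessions on this page, and the baseline itself (preset must not be None, required special users and custom events must be present) is the example's own choice rather than an Oracle default.

```python
"""Parse what getAuditPolicy() prints and check it against an expected
policy.  Added example, not code from the Oracle documentation: it runs on
captured WLST output, outside WLST itself."""

# Constructed sample: output after
# setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization')
SAMPLE_CUSTOM = """\
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
"""

# Constructed sample: output after
# setAuditPolicy(filterPreset='None', addSpecialUsers='user2,user3', removeSpecialUsers='user1')
SAMPLE_NONE = """\
Already in Domain Runtime Tree
FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0
"""

LIST_FIELDS = ("Special Users", "Custom Events")
INT_FIELDS = ("Max Log File Size", "Max Log Dir Size")


def parse_audit_policy(text):
    """Turn the 'Key:value' lines into a dict.  Comma-separated fields become
    lists, sizes become ints, and lines without a colon (the domain runtime
    banner) are skipped.  Only the first colon separates key from value, so
    an event name such as JPS:CheckAuthorization keeps its own colon."""
    policy = {name: [] for name in LIST_FIELDS}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key in LIST_FIELDS:
            policy[key] = [v.strip() for v in value.split(",") if v.strip()]
        elif key in INT_FIELDS:
            policy[key] = int(value)
        else:
            policy[key] = value
    return policy


def check_audit_policy(policy, required_events=(), required_users=()):
    """Return a list of findings; an empty list means the policy meets the
    baseline.  The baseline is this example's choice, not an Oracle default:
    the preset must not be None (nothing would be audited), every required
    special user must be listed, and when the preset is Custom every required
    custom event must be listed (the All preset already covers every event)."""
    findings = []
    preset = policy.get("FilterPreset")
    if preset is None:
        findings.append("FilterPreset missing from output")
    elif preset == "None":
        findings.append("FilterPreset is None: no events are audited")
    missing_users = sorted(set(required_users) - set(policy["Special Users"]))
    if missing_users:
        findings.append("special users missing: " + ", ".join(missing_users))
    if preset == "Custom":
        missing_events = sorted(set(required_events) - set(policy["Custom Events"]))
        if missing_events:
            findings.append("custom events missing: " + ", ".join(missing_events))
    elif required_events and preset != "All":
        findings.append("custom events requested but preset is %s, not Custom" % preset)
    return findings


if __name__ == "__main__":
    for label, sample in (("custom", SAMPLE_CUSTOM), ("none", SAMPLE_NONE)):
        result = check_audit_policy(parse_audit_policy(sample),
                                    required_events=["JPS:CheckAuthorization"],
                                    required_users=["user1"])
        print(label, result or "OK")
```

Feed it the text of a getAuditPolicy() call captured from a WLST session (for example by redirecting the WLST script's output to a file) and treat any finding as a failed change.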
Online command that displays audit repository settings.
This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). Also displays database configuration if the repository is a database type.
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB],[dataSourceName],[interval])
Argument | Definition |
---|---|
switchToDB | If true, switches the repository from file to database. |
dataSourceName | Specifies the name of the data source. |
interval | Specifies the interval, in seconds, at which the audit loader runs. |
The following command switches from a file repository to a database repository:
wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true');
Already in Domain Runtime Tree
Audit Repository Information updated
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB
The following interactive command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the MBean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
listAuditEvents([mbeanName],[componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component MBean. |
componentType | Specifies the component type. |
The following command displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message
The following command displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following command displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the MBean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
exportAuditConfig([mbeanName],fileName)
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name to which the audit configuration should be exported. |
The following interactive command exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the MBean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
importAuditConfig([mbeanName],fileName)
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name from which the audit configuration should be imported. |
The following interactive command imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command imports the audit configuration for a component; no mBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.
Table 4-3 WLST Commands for SSL Configuration
Use this command... | To... | Use with WLST... |
---|---|---|
addCertificateRequest | Generate a certificate signing request in an Oracle wallet. | Online |
addSelfSignedCertificate | Add a self-signed certificate to an Oracle wallet. | Online |
changeKeyStorePassword | Change the password to a JKS keystore. | Online |
changeWalletPassword | Change the password to an Oracle wallet. | Online |
configureSSL | Set the SSL attributes for a component listener. | Online |
createKeyStore | Create a JKS keystore. | Online |
createWallet | Create an Oracle wallet. | Online |
deleteKeyStore | Delete a JKS keystore. | Online |
deleteWallet | Delete an Oracle wallet. | Online |
exportKeyStore | Export a JKS keystore to a file. | Online |
exportKeyStoreObject | Export an object from a JKS keystore to a file. | Online |
exportWallet | Export an Oracle wallet to a file. | Online |
exportWalletObject | Export an object from an Oracle wallet to a file. | Online |
generateKey | Generate a key pair in a JKS keystore. | Online |
getKeyStoreObject | Display a certificate or other object present in a JKS keystore. | Online |
getSSL | Display the SSL attributes for a component listener. | Online |
getWalletObject | Display a certificate or other object present in an Oracle wallet. | Online |
importKeyStore | Import a JKS keystore from a file. | Online |
importKeyStoreObject | Import a certificate or other object from a file to a JKS keystore. | Online |
importWallet | Import an Oracle wallet from a file. | Online |
importWalletObject | Import a certificate or other object from a file to an Oracle wallet. | Online |
listKeyStoreObjects | List all objects present in a JKS keystore. | Online |
listKeyStores | List all JKS keystores configured for a component instance. | Online |
listWalletObjects | List all objects present in an Oracle wallet. | Online |
listWallets | List all Oracle wallets configured for a component instance. | Online |
removeKeyStoreObject | Remove a certificate or other object from a component instance's JKS keystore. | Online |
removeWalletObject | Remove a certificate or other object from a component instance's Oracle wallet. | Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide.
Online command that generates a certificate signing request in an Oracle wallet.
This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA. The example below uses a 1024-bit key; that size is no longer considered adequate, so choose a keySize of at least 2048 bits for any key that will be trusted in production.
addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command generates a certificate signing request with DN cn=www.acme.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that adds a self-signed certificate.
This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.
addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command adds a self-signed certificate with DN cn=www.acme.com and key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that changes the keystore password.
This command changes the password of a Java Keystore (JKS) file for an Oracle Virtual Directory instance.
changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the filename of the keystore. |
currPassword | Specifies the current keystore password. |
newPassword | Specifies the new keystore password. |
Online command that changes the password of an Oracle wallet.
This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.
changeWalletPassword(instName, compName, compType, walletName, currPassword, newPassword)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the filename of the wallet. |
currPassword | Specifies the current wallet password. |
newPassword | Specifies the new wallet password. |
Online command that sets SSL attributes.
This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide. Because the defaults are applied silently, review the properties file before calling the command and confirm the result with getSSL afterwards.
configureSSL(instName, compName, compType, listener, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ovd', 'ohs', and 'webcache'. |
listener | Specifies the name of the component listener to be configured for SSL. |
filePath | Specifies the absolute path of the properties file containing the SSL attributes to set. |
The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')
The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
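The properties file is the only place the listener's protocol and cipher choices are made explicit, so it is worth linting before it reaches configureSSL. The following added example (not code from the Oracle documentation) reads a name=value properties file and flags legacy protocol versions and weak cipher suites; the attribute names it inspects (SSLEnabled, SSLVersions, Ciphers) are an assumption taken from the Administrator's Guide chapter referenced above and must be checked against the attribute table for your component type, and both property files are constructed samples, one weak and one hardened.

```python
"""Lint the SSL properties file passed to configureSSL() before applying it.
Added example, not Oracle's code.  The attribute names SSLEnabled,
SSLVersions and Ciphers are an assumption about the file format; the cipher
suite names are JSSE-style names used here only as sample data."""

# Constructed sample: a listener whose properties a reviewer would reject.
WEAK_PROPERTIES = """\
# ssl.properties before review
SSLEnabled=true
SSLVersions=SSLv3,TLSv1
Ciphers=SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_3DES_EDE_CBC_SHA
"""

# Constructed sample: the same listener restricted to TLS 1.2 and AEAD suites.
HARDENED_PROPERTIES = """\
# ssl.properties after review
SSLEnabled=true
SSLVersions=TLSv1.2
Ciphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
"""

# Protocol versions and cipher-suite name fragments with known weaknesses.
WEAK_VERSIONS = {"SSLV2", "SSLV3", "TLSV1", "TLSV1.0", "TLSV1.1"}
WEAK_CIPHER_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")


def parse_properties(text):
    """Minimal Java-style properties reader: one name=value per line, '#'
    comments and blank lines ignored, split on the first '=' only."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        props[name.strip()] = value.strip()
    return props


def split_list(value):
    """Split a comma-separated attribute value into its non-empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_ssl_properties(props):
    """Return findings for a parsed properties file.  An empty list means the
    file passes this example's baseline: SSL enabled, no legacy protocol
    versions, and an explicit cipher list that contains no weak suites.
    A missing Ciphers entry is reported because configureSSL then applies
    the component default, which the reviewer has not seen."""
    findings = []
    if props.get("SSLEnabled", "").lower() != "true":
        findings.append("SSLEnabled is not true")
    bad_versions = [v for v in split_list(props.get("SSLVersions", ""))
                    if v.upper() in WEAK_VERSIONS]
    if bad_versions:
        findings.append("legacy protocol versions enabled: " + ", ".join(bad_versions))
    if "Ciphers" not in props:
        findings.append("Ciphers not set; the component default list applies")
    else:
        bad_ciphers = [c for c in split_list(props["Ciphers"])
                       if any(tok in c.upper() for tok in WEAK_CIPHER_TOKENS)]
        if bad_ciphers:
            findings.append("weak cipher suites: " + ", ".join(bad_ciphers))
    return findings


def lint_file(path):
    """Convenience wrapper: lint a properties file on disk."""
    with open(path) as handle:
        return check_ssl_properties(parse_properties(handle.read()))


if __name__ == "__main__":
    for label, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(label, check_ssl_properties(parse_properties(text)) or "OK")
```

Run lint_file('/tmp/ssl.properties') before the configureSSL call and refuse to apply a file with findings; the token match on cipher names is deliberately broad (it catches 3DES through "DES"), so extend WEAK_CIPHER_TOKENS rather than loosening it.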
Online command that creates a JKS keystore.
This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createKeyStore(instName, compName, compType, keystoreName, password)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the filename of the keystore file to be created. |
password | Specifies the keystore password. |
Online command that creates an Oracle wallet.
This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createWallet(instName, compName, compType, walletName, password)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file to be created. |
password | Specifies the wallet password. Pass an empty string to create an auto-login wallet. |
The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')
The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1. An auto-login wallet opens without a password, so file system permissions on the wallet file are its only protection:
wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')
Online command that deletes a keystore.
This command deletes a Java keystore (JKS) for the specified Oracle Virtual Directory instance.
deleteKeyStore(instName, compName, compType, keystoreName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file to delete. |
Online command that deletes an Oracle wallet.
This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
deleteWallet(instName, compName, compType, walletName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file to be deleted. |
Online command that exports the keystore to a file.
This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported filename is the same as the keystore name.
exportKeyStore(instName, compName, compType, keystoreName, password, path)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
path | Specifies the absolute path of the directory under which the keystore is exported. |
Online command that exports an object from a keystore to a file.
This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. When type is CertificateRequest, the request is first generated from the key pair and then exported. The alias specifies the object to be exported.
exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
path | Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
alias | Specifies the alias of the keystore object to be exported. |
The following command generates and exports a certificate signing request from the key pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')
The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')
The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')
Online command that exports an Oracle wallet.
This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to file(s) under the given directory. If the exported wallet is an auto-login only wallet, the file name is 'cwallet.sso'. If it is a password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'. Treat both files as secrets: ewallet.p12 is protected by the wallet password, but cwallet.sso opens without one, so anyone who can read it can use the private keys it contains. Export to a directory readable only by the administrator rather than a shared location, and remove the files once they have been imported where they are needed.
exportWallet(instName, compName, compType, walletName, password, path)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
path | Specifies the absolute path of the directory under which the wallet is exported. |
The following command exports auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to file cwallet.sso under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')
The following command exports password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')
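Once exportWallet has written its files, the follow-up that matters is who can read them. The following added example (not code from the Oracle documentation) inspects an export directory, tells from the files present which kind of wallet was exported, reports any wallet file that group or other users can access, and tightens the permissions to the owner; its demo writes constructed placeholder files into a fresh temporary directory, so no real wallet is involved.

```python
"""Check and tighten the directory that exportWallet() wrote to.
Added example, not Oracle's code.  cwallet.sso is an auto-login wallet:
anyone who can read it can use the keys inside without a password."""
import os
import stat
import tempfile

# The two files exportWallet() can write, as documented above.
WALLET_FILES = ("ewallet.p12", "cwallet.sso")


def classify_export(path):
    """Tell from the files present which kind of wallet was exported: an
    auto-login-only wallet yields just cwallet.sso, a password-protected
    wallet yields ewallet.p12 plus cwallet.sso.  Returns None otherwise."""
    present = {n for n in WALLET_FILES if os.path.isfile(os.path.join(path, n))}
    if present == {"cwallet.sso"}:
        return "auto-login"
    if present == {"ewallet.p12", "cwallet.sso"}:
        return "password-protected"
    return None


def check_export_dir(path):
    """Return one finding per exported wallet file that group or other can
    access.  cwallet.sso opens without a password, so read access to it is
    use of the private keys inside."""
    findings = []
    for name in WALLET_FILES:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            continue
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s: mode %03o grants access beyond the owner" % (name, mode))
    return findings


def harden_export_dir(path):
    """Restrict the export directory and wallet files to their owner, then
    re-run the check and return the remaining findings."""
    os.chmod(path, stat.S_IRWXU)
    for name in WALLET_FILES:
        full = os.path.join(path, name)
        if os.path.isfile(full):
            os.chmod(full, stat.S_IRUSR | stat.S_IWUSR)
    return check_export_dir(path)


def demo(names=WALLET_FILES):
    """Simulate an export into a fresh directory using constructed placeholder
    files (no real wallet content), deliberately left world-readable, and
    return (wallet kind, findings before hardening, findings after)."""
    export_dir = tempfile.mkdtemp(prefix="wallet-export-")
    for name in names:
        full = os.path.join(export_dir, name)
        with open(full, "wb") as handle:
            handle.write(b"placeholder, not a real wallet")
        os.chmod(full, 0o644)  # the mode a default umask typically leaves
    before = check_export_dir(export_dir)
    after = harden_export_dir(export_dir)
    return classify_export(export_dir), before, after


if __name__ == "__main__":
    kind, before, after = demo()
    print("exported wallet type:", kind)
    print("before:", before or "OK")
    print("after:", after or "OK")
```

Point check_export_dir at the path you gave exportWallet (for example /tmp in the commands above) immediately after the export, and harden_export_dir the same path; a non-empty result after hardening means something other than permissions, such as a mount option, is in the way.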
Online command that exports a certificate or other wallet object to a file.
This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The DN is used to indicate the object to be exported.
exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'. |
path | Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
DN | Specifies the Distinguished Name of the wallet object being exported. |
The following command exports a certificate signing request with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.acme.com')
The following command exports a certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.acme.com')
The following command exports a trusted certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.acme.com')
The following command exports a certificate chain with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.acme.com')
Online command that generates a key pair in a Java keystore.
This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated. The examples below use a 1024-bit key; use a keySize of at least 2048 bits for any key that will be trusted in production.
generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore. |
password | Specifies the password of the keystore. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
alias | Specifies the alias of the key pair entry in the keystore. |
algorithm | Specifies the key algorithm. Valid value is 'RSA'. |
The following command generates a key pair with DN cn=www.acme.com, key size 1024, algorithm RSA and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey', 'RSA')
The following command is the same as above, except it does not explicitly specify the key algorithm:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey')
Online command that shows details about a keystore object.
This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.
getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be displayed. Valid values are 'Certificate' and 'TrustedCertificate'. |
index | Specifies the index number of the keystore object as returned by the listKeyStoreObjects command. |
The following command shows a trusted certificate with index 1
present in keys.jks
, for Oracle Virtual Directory instance ovd1
, in application server instance inst1
:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')
The following command shows the certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')
Online command that lists the configured SSL attributes.
This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.
getSSL(instName, compName, compType, listener)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'. |
listener |
Specifies the name of the component listener. |
Online command that displays information about a certificate or other object in an Oracle wallet.
This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.
getWalletObject(instName, compName, compType, walletName, password, type, index)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of wallet object to be displayed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
index |
Specifies the index number of the wallet object as returned by the listWalletObjects command. |
The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')
The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')
The following command shows trusted certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')
Online command that imports a keystore from a file.
This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The keystore name must be unique for the component instance.
importKeyStore(instName, compName, compType, keystoreName, password, filePath)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore being imported. This name must be unique for this component instance. |
password |
Specifies the password of the keystore. |
filePath |
Specifies the absolute path of the keystore file to be imported. |
Online command that imports an object from a file to a keystore.
This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory, assigning it the specified alias which must be unique in the keystore. If a certificate or certificate chain is being imported, the alias must match that of the corresponding key-pair.
importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'. |
filePath |
Specifies the absolute path of the file containing the keystore object. |
alias |
Specifies the alias to assign to the keystore object to be imported. |
The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The file keys.jks must already have an alias mykey for a key-pair whose public key matches that in the certificate being imported:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')
The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')
Online command that imports an Oracle wallet from a file.
This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.
importWallet(instName, compName, compType, walletName, password, filePath)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet being imported. The name must be unique for the component instance. |
password |
Specifies the password of the wallet. |
filePath |
Specifies the absolute path of the wallet file being imported. |
The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')
The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')
Online command that imports a certificate or other object into an Oracle wallet.
This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). When importing a certificate, use the same wallet from which the certificate signing request was generated.
importWalletObject(instName, compName, compType, walletName, password, type, filePath)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
filePath |
Specifies the absolute path of the file containing the wallet object. |
The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')
The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','/tmp/cert.txt')
The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')
Online command that lists the contents of a keystore.
This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.
listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')
The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')
Online command that lists all the keystores for a component.
This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.
listKeyStores(instName, compName, compType)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
Online command that lists all objects in an Oracle wallet.
This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
listWalletObjects(instName, compName, compType, walletName, password, type)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')
The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')
The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')
Online command that lists all wallets configured for a component instance.
This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.
listWallets(instName, compName, compType)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
Online command that removes an object from a keystore.
This command removes a certificate, a trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed when all trusted certificates are being removed (pass None for that parameter).
removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
alias |
Specifies the alias of the keystore object to be removed. |
The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','mykey')
The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')
The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedAll',None)
Online command that removes a certificate or other object from an Oracle wallet.
This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be removed.
removeWalletObject(instName, compName, compType, walletName, password, type, DN)
Argument | Definition |
---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of the wallet object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
DN |
Specifies the Distinguished Name of the wallet object to be removed. |
The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so null (denoted by None) is passed for the DN parameter:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)
The following command removes a certificate signing request indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.acme.com')
The following command removes a certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.acme.com')
The following command removes a trusted certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.acme.com')
Use the WLST commands listed in Table 4-4 to view and manage configuration for Oracle Identity Federation.
Table 4-4 WLST Commands for Oracle Identity Federation
Use this command... | To... | Use with WLST... |
---|---|---|
Add a configuration list entry to a map. |
Online |
|
Add a configuration map entry to a map. |
Online |
|
Add a configuration property list entry. |
Online |
|
Add a configuration property map entry to the map. |
Online |
|
Add a custom authentication engine. |
Online |
|
Add a custom SP engine. |
Online |
|
Add a federations list entry to the map. |
Online |
|
Add a federation map entry to the map. |
Online |
|
Add a federation property list entry. |
Online |
|
Add a federation property map entry. |
Online |
|
Delete a custom authentication engine. |
Online |
|
Delete a custom SP engine. |
Online |
|
Delete a provider from the federation. |
Online |
|
Delete a user from the federation. |
Online |
|
Change the message store to memory or RDBMS. |
Online |
|
Change a peer provider's description. |
Online |
|
Change the session store to memory or RDBMS. |
Online |
|
Create a configuration property list. |
Online |
|
Create a configuration property list in the map. |
Online |
|
Create a configuration property map. |
Online |
|
Create a nested configuration property map in a map. |
Online |
|
Create a federation property list. |
Online |
|
Create a federation property list in the map. |
Online |
|
Create a federation property map. |
Online |
|
Create a nested federation property map in a map. |
Online |
|
Create a peer provider entry. |
Online |
|
Retrieve a configuration list value from the map. |
Online |
|
Retrieve a configuration map value from the map. |
Online |
|
Retrieve a configuration property entry. |
Online |
|
Retrieve a configuration property list. |
Online |
|
Retrieve a configuration property map entry. |
Online |
|
Retrieve a federation list value from the map. |
Online |
|
Retrieve a federation map entry from a nested map. |
Online |
|
Retrieve a federation property. |
Online |
|
Retrieve the federation property list. |
Online |
|
Export all provider configuration properties to a text file. |
Script |
|
Set a provider's properties based on an input text file. |
Script |
|
Retrieve a federation property map entry. |
Online |
|
Display the list of custom authentication engines. |
Online |
|
Display the list of custom SP engines. |
Online |
|
Load metadata from a file. |
Online |
|
Display the current status of Oracle Identity Federation on the managed server. |
Online |
|
Delete a configuration list in the map. |
Online |
|
Delete a configuration map entry in the map. |
Online |
|
Delete a nested configuration map. |
Online |
|
Delete a configuration property. |
Online |
|
Delete a property list. |
Online |
|
Delete a property map. |
Online |
|
Delete an entry in the property map. |
Online |
|
Delete a federation list in the map. |
Online |
|
Delete a nested federation map. |
Online |
|
Delete a nested federation map entry. |
Online |
|
Delete a federation property. |
Online |
|
Delete a federation property list. |
Online |
|
Delete a federation property map. |
Online |
|
Delete a federation property map entry. |
Online |
|
Delete a peer provider entry. |
Online |
|
Set a configuration property. |
Online |
|
Define a custom authentication engine. |
Online |
|
Define a custom SP engine. |
Online |
|
Set a federation property. |
Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Online command that adds a property value to a map.
addConfigListEntryInMap(configName, mapname, listName, value, type)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
mapname |
Specifies the name of the property map to be changed in config.xml. |
listName |
Specifies the name of the list nested in the map. |
value |
Specifies the property value. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a nested map property entry in a map.
This command adds a property name/value pair to a map nested inside a map in config.xml.
addConfigMapEntryInMap(configName, mapname, nestedMapName, propName, value, type)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
mapname |
Specifies the name of the property map to be changed in config.xml. |
nestedMapName |
name of the nested property map to be changed. |
propName |
Specifies the name of the property to be added to the nested map. |
value |
Specifies the property value. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a list property entry to config.xml.
addConfigPropertyListEntry(configName, listName, value, type)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
listName |
Specifies the name of the property list to be added in config.xml. |
value |
Specifies the new property list value. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a property name/value entry in a map in config.xml.
addConfigPropertyMapEntry(configName, mapName, propName, value, type)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
mapName |
Specifies the name of the property map in config.xml. |
propName |
Specifies the name of the property to be added to the map. |
value |
Specifies the property map value to be added. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a custom authentication integration engine.
addCustomAuthnEngine(name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument | Definition |
---|---|
name |
Specifies the name of the custom engine. |
enabled |
This flag specifies whether the engine is enabled (true) or not (false, default). |
webContext |
Specifies the web context for the engine. |
authnRelativePath |
Specifies the authentication relative path URL for the engine. |
logoutRelativePath |
Specifies the logout relative path URL for the engine. |
logoutEnabled |
This flag is set true to enable logout for the engine, else false. |
Online command that adds a custom service provider (SP) engine.
addCustomSPEngine(name, [enabled], [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument | Definition |
---|---|
name |
Specifies the name of the custom engine. |
enabled |
This flag specifies whether the engine is enabled (true) or not (false). |
authnMech |
Specifies the authentication mechanism for the engine. |
webContext |
Specifies the web context for the engine. |
authnRelativePath |
Specifies the authentication relative path URL for the engine. |
logoutRelativePath |
Specifies the logout relative path URL for the engine. |
logoutEnabled |
This flag is set true to enable logout for the engine, else false. |
Online command that adds a list property entry in a map.
addFederationListEntryInMap(providerID, mapname, listName, value, type)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
mapname |
Specifies the name of the property map to be changed in cot.xml. |
listName |
Specifies the name of the property list to be added to the map. |
value |
Specifies the property list value to be added. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a nested map property entry in a map.
addFederationMapEntryInMap(providerID, mapname, nestedMapName, propName, value, type)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
mapname |
Specifies the name of the property map to be changed in cot.xml. |
nestedMapName |
Specifies the name of the nested property map to be changed. |
propName |
Specifies the name of the property to be updated in the map. |
value |
Specifies the property value to be added to the nested map. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a list property entry.
addFederationPropertyListEntry(providerID, listName, value, type)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
listName |
Specifies the name of the property list to be updated. |
value |
Specifies the property list value to be added. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a property name/value entry in a map.
addFederationPropertyMapEntry(providerID, mapName, propName, value, type)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
mapName |
Specifies the name of the property map to be changed in cot.xml. |
propName |
Specifies the name of the property to be added in the map. |
value |
Specifies the property value to be added to the map. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that deletes a custom authentication integration engine from the configuration.
This command deletes a custom authentication integration engine in config.xml. You must provide the engine ID for an existing custom authentication engine in config.xml.
deleteCustomAuthnEngine(engineID)
Argument | Definition |
---|---|
engineID |
Specifies the engine ID of an existing engine to be deleted. |
Online command that deletes a custom service provider (SP) integration engine from the configuration.
This command deletes a custom SP integration engine in config.xml. The EngineID for an existing custom SP engine in config.xml must be provided.
deleteCustomSPEngine(engineID)
Argument | Definition |
---|---|
engineID |
Specifies the engine ID of an existing engine to be deleted. |
Online command that deletes the federations for the given provider.
deleteProviderFederation(providerID)
Argument | Definition |
---|---|
providerID |
Specifies the ProviderID for the peer provider for which federation is to be deleted. |
Online command that deletes the federations for the given users.
deleteUserFederation([user1,..])
Argument | Definition |
---|---|
user1 |
Specifies a comma-separated list of users whose federations are to be deleted. At least one user must be specified. |
Online command that changes the message store between memory and RDBMS.
changeMessageStore(type, [jndiname])
Argument | Definition |
---|---|
type |
Specifies the type of store, RDBMS or Memory. Default is Memory. |
jndiname |
Specifies the jndi name to set for the store. Required if type is RDBMS. |
Online command that changes the peer provider description.
changePeerProviderDescription(providerID, description)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
description |
Specifies the provider description. |
Online command that changes the session store between memory and RDBMS.
changeSessionStore(type, [jndiname])
Argument | Definition |
---|---|
type |
Specifies the type of store, RDBMS or Memory. Default is Memory. |
jndiname |
Specifies the jndi name to set for the store. Required if type is RDBMS. |
Online command that creates a property list.
createConfigPropertyList(configName, listName)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
listName |
Specifies the property list name. |
Online command that creates a property list nested in the property map.
createConfigPropertyListInMap(configName, mapName, listName)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
mapName |
Specifies an existing property map to contain the nested list. |
listName |
Specifies the property list name. |
Online command that creates a property map.
createConfigPropertyMap(configName, mapName)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
mapName |
Specifies the property map to create. |
Online command that creates a property map nested inside an existing property map.
createConfigPropertyMapInMap(configName, mapName, nestedMapName)
Argument | Definition |
---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20,..) to be updated. |
mapName |
Specifies the name of an existing property map. |
nestedMapName |
Specifies the name of the property map to create nested inside mapName. |
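The addConfig* and createConfig* commands above split one task, populating a property map in config.xml, across six commands whose choice depends on whether an entry is a scalar, a list in the map, or a value in a nested map. The following WLST (Jython) helper makes that choice from a plain Python description and infers the BOOLEAN/STRING/LONG tag from the value. This is an added example, not Oracle's code: the configuration name serverconfig comes from the page, the map name custommap is hypothetical, passing values as strings ('true', '30') is an assumption, and it assumes the custom commands are reachable through globals() inside wlst.sh so that fakes can be substituted for offline testing.

```python
# Added example, not Oracle's code: builds a property map in config.xml from a
# plain Python description using the addConfig*/createConfig* commands. Runs
# under the WLST Jython interpreter and under Python 3 for offline testing.
# Assumptions: values are passed as strings, the map name is hypothetical.

try:
    _STR_TYPES = (str, unicode)    # Python 2 / Jython
except NameError:
    _STR_TYPES = (str,)            # Python 3
try:
    _INT_TYPES = (int, long)       # Python 2 / Jython
except NameError:
    _INT_TYPES = (int,)


def oif_type(value):
    """Map a Python value to the type tag these commands accept."""
    if value is True or value is False:    # check bool before int: bool is an int
        return 'BOOLEAN'
    if isinstance(value, _INT_TYPES):
        return 'LONG'
    if isinstance(value, _STR_TYPES):
        return 'STRING'
    raise TypeError('no BOOLEAN/STRING/LONG mapping for %r' % (value,))


def oif_value(value):
    """Render the value as the string passed to the command (assumed form)."""
    if value is True or value is False:
        return value and 'true' or 'false'
    return str(value)


def apply_config_map(ops, config_name, map_name, entries, create_map=False):
    """Populate property map `map_name` of configuration `config_name` from a
    list of (name, value) pairs: a scalar becomes a map entry, a list becomes
    a property list nested in the map, and a dict becomes a nested map. Only
    one level of nesting is handled, which is all the commands describe.
    `ops` maps command names to callables (globals() inside WLST, fakes in a
    test). Returns the (command, args) sequence executed."""
    calls = []

    def run(cmd, *args):
        calls.append((cmd, args))
        ops[cmd](*args)

    if create_map:
        run('createConfigPropertyMap', config_name, map_name)
    for name, value in entries:
        if isinstance(value, dict):
            run('createConfigPropertyMapInMap', config_name, map_name, name)
            for nested_name, nested_value in value.items():
                run('addConfigMapEntryInMap', config_name, map_name, name,
                    nested_name, oif_value(nested_value), oif_type(nested_value))
        elif isinstance(value, (list, tuple)):
            run('createConfigPropertyListInMap', config_name, map_name, name)
            for item in value:
                run('addConfigListEntryInMap', config_name, map_name, name,
                    oif_value(item), oif_type(item))
        else:
            run('addConfigPropertyMapEntry', config_name, map_name, name,
                oif_value(value), oif_type(value))
    return calls


if __name__ == '__main__' and 'addConfigPropertyMapEntry' in globals():
    # Inside wlst.sh after connect(); 'custommap' is a hypothetical map name.
    apply_config_map(globals(), 'serverconfig', 'custommap',
                     [('enabled', True), ('timeout', 30),
                      ('hosts', ['host1', 'host2']),
                      ('nested', {'flag': False})], create_map=True)
```

Entries are given as a list of pairs rather than a dict so that the order of commands is deterministic under the WLST interpreter as well; the returned call sequence can be printed before a change to review exactly which commands will touch config.xml.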
Online command that creates a property list.
createFederationPropertyList(providerID, listName)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
listName |
Specifies the name of the property list. |
Online command that creates a property list nested in a property map.
createFederationPropertyListInMap(providerID, mapName, listName)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
mapName |
Specifies an existing property map to contain the nested list. |
listName |
Specifies the name of the property list. |
Online command that creates a property map.
createFederationPropertyMap(providerID, mapName)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
mapName |
Specifies the name of the property map to be added to cot.xml. |
Online command that creates a nested property map.
createFederationPropertyMapInMap(providerID, mapName, nestedMapName)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID. |
mapName |
Specifies the name of an existing property map. |
nestedMapName |
Specifies the name of the property map to be nested inside mapName in cot.xml. |
Online command that creates a peer provider property map entry.
createPeerProviderEntry(providerID, description, providerType, version)
Argument | Definition |
---|---|
providerID |
Specifies the provider ID to be created. |
description |
This is the description of the provider ID. |
providerType |
Specifies the provider type of the peer provider to be created. |
version |
Specifies the version of the peer provider to be created. |
Online command that returns a list nested in a map.
getConfigListValueInMap(configName, mapName, listName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
mapName | Specifies the name of the property map. |
listName | Specifies the name of the list to be fetched from the map. |
Online command that returns a map property entry nested in a map.
getConfigMapEntryInMap(configName, mapName, nestedMapName, propName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
mapName | Specifies the name of the property map. |
nestedMapName | Specifies the name of the nested property map. |
propName | Specifies the name of the property to be fetched from the nested map. |
Online command that returns a property value.
getConfigProperty(configName, propName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
propName | Specifies the name of the property to be fetched from config.xml. |
Online command that returns a property list.
getConfigPropertyList(configName, listName)
Argument | Definition |
---|---|
configName | Specifies the configuration name. |
listName | Specifies the name of the property list to be fetched from config.xml. |
Online command that returns a property value from a map.
getConfigPropertyMapEntry(configName, mapName, propName)
Argument | Definition |
---|---|
configName | Specifies the configuration name (for example, idpsaml20, serverconfig, spsaml20, ...). |
mapName | Specifies the name of the property map. |
propName | Specifies the name of the property to be fetched from the map in config.xml. |
Online command that returns a list value nested in a map.
getFederationListValueInMap(providerID, mapName, listName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map. |
listName | Specifies the name of the list to be fetched from the map. |
Online command that returns a map property entry nested in a map.
getFederationMapEntryInMap(providerID, mapName, nestedMapName, propName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map. |
nestedMapName | Specifies the name of the nested property map. |
propName | Specifies the name of the property to be fetched from the nested map. |
Online command that returns a property value.
getFederationProperty(providerID, propName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
propName | Specifies the name of the property to be fetched from cot.xml. |
Online command that returns a property list.
getFederationPropertyList(providerID, listName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
listName | Specifies the name of the property list to be fetched from cot.xml. |
A WLST script that exports the properties of a provider.
A WLST script that extracts all the configuration properties of the specified provider and exports them to a text file. You can later use this file to set the same properties on another provider. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.
extractproviderprops.py providerID filename
Argument | Definition |
---|---|
providerID | Specifies the name of the provider whose properties are to be extracted. |
filename | Specifies the name of the text file to which the provider properties are extracted. |
When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.
The format of each line of the extract file is:
TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE
where TYPE is X for a plain property, MAP for a map entry, or LIST for a list element. For example:
X:X:sendattribute:false:boolean
MAP:attributelist/mailemail:datastore-attr:mail:string
LIST:sendattributefornameid:unspecified::string
A WLST script that sets the properties of a provider using values from a text file.
A WLST script that sets the properties of a provider using values from a text file. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.
The text file is generated by the extractproviderprops command.
setproviderprops.py providerID filename
Argument | Definition |
---|---|
providerID | Specifies the name of the provider whose properties are to be updated. |
filename | Specifies the name of the input file from which to read the properties. |
When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.
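Because the extract file produced by extractproviderprops.py is also the input to setproviderprops.py, it is worth reviewing before it is replayed onto another provider. The following added example (not Oracle's code, and run under ordinary CPython rather than WLST) parses the TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE records and reports which settings differ between two exports; the first three sample lines are the ones shown above, the remaining records and the property names in them are constructed.

```python
"""Parse and compare extractproviderprops.py export files.

Added example, not Oracle's code: a plain CPython helper for reviewing the
TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE records that extractproviderprops.py
writes and setproviderprops.py reads, e.g. to spot configuration drift
between two exports before replaying one of them onto a provider.
"""
from typing import Dict, List, NamedTuple, Set, Tuple

VALID_KINDS = {"X", "MAP", "LIST"}
VALID_PROPTYPES = {"boolean", "string", "long"}


class Record(NamedTuple):
    kind: str       # X (plain property), MAP (map entry) or LIST (list element)
    name: str       # map or list name; "X" for a plain property
    propname: str   # property name; for LIST, the list element itself
    value: str      # property value; empty for LIST
    proptype: str   # boolean, string or long


def parse_record(line: str) -> Record:
    """Split one export line into its five fields and validate them.

    PROPVALUE may itself contain ':' (a URL, for instance), so PROPTYPE is
    taken from the right end and the rest is split into at most four fields.
    """
    head, proptype = line.rstrip("\r\n").rsplit(":", 1)
    parts = head.split(":", 3)
    if len(parts) != 4:
        raise ValueError("expected 5 colon-separated fields: %r" % line)
    rec = Record(parts[0], parts[1], parts[2], parts[3], proptype)
    if rec.kind not in VALID_KINDS:
        raise ValueError("unknown record type %r in %r" % (rec.kind, line))
    if rec.proptype not in VALID_PROPTYPES:
        raise ValueError("unknown property type %r in %r" % (rec.proptype, line))
    if rec.kind != "LIST":  # LIST records carry no value
        if rec.proptype == "boolean" and rec.value not in ("true", "false"):
            raise ValueError("boolean value must be true/false: %r" % line)
        if rec.proptype == "long" and not rec.value.lstrip("-").isdigit():
            raise ValueError("long value must be an integer: %r" % line)
    return rec


def parse_export(text: str) -> List[Record]:
    """Parse a whole export file; blank lines are ignored."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


Key = Tuple[str, str, str]  # (kind, name, propname) identifies one setting


def index_export(text: str) -> Dict[Key, Tuple[str, str]]:
    """Map each setting to its (value, proptype) pair."""
    return {(r.kind, r.name, r.propname): (r.value, r.proptype)
            for r in parse_export(text)}


def diff_exports(old: str, new: str) -> Dict[str, object]:
    """Report settings added, removed or changed between two export files."""
    a, b = index_export(old), index_export(new)
    added: Set[Key] = set(b) - set(a)
    removed: Set[Key] = set(a) - set(b)
    changed = {k: (a[k][0], b[k][0]) for k in set(a) & set(b) if a[k] != b[k]}
    return {"added": added, "removed": removed, "changed": changed}


# Constructed samples: the first three lines of SAMPLE_A are the ones shown
# above; the remaining records (and their property names) are made up here.
SAMPLE_A = """\
X:X:sendattribute:false:boolean
MAP:attributelist/mailemail:datastore-attr:mail:string
LIST:sendattributefornameid:unspecified::string
X:X:providerurl:https://idp.example.test:443/fed:string
"""
SAMPLE_B = """\
X:X:sendattribute:true:boolean
MAP:attributelist/mailemail:datastore-attr:mail:string
X:X:providerurl:https://idp.example.test:443/fed:string
X:X:sessiontimeout:3600:long
"""

if __name__ == "__main__":
    for section, items in diff_exports(SAMPLE_A, SAMPLE_B).items():
        print(section, items)
```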
Online command that returns a property value from a map.
getFederationPropertyMapEntry(providerID, mapName, propName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map. |
propName | Specifies the name of the property to be fetched from the map. |
Online command that returns a list of custom authentication integration engines.
This command returns a list of custom authentication integration engines from config.xml.
Online command that returns a list of custom SP integration engines.
This command returns a list of custom service provider (SP) integration engines from config.xml.
Online command that loads metadata from an input file.
loadMetadata(metadatafile, description)
Argument | Definition |
---|---|
metadatafile | Specifies the metadata file of the peer provider to be added or updated. |
description | Specifies a brief description of the peer provider to be loaded. |
Online command that reports the current status of the Oracle Identity Federation application on the managed server to which WLST is connected.
This command displays the current status of Oracle Identity Federation on the managed server. The argument order below matches the invocations that follow: the configuration file and key file first, then the managed server URL.
oifStatus('configfile', 'keyfile', 'serverurl')
Argument | Definition |
---|---|
configfile | Specifies a pre-defined user configuration file created with the WLST storeUserConfig command. |
keyfile | Specifies a pre-defined key file created with the WLST storeUserConfig command. |
serverurl | Specifies the URL of the managed server. |
The following command provides no arguments; WLST prompts you for the Oracle WebLogic Server username, password, and the managed server URL, then displays the federation server status:
wls:/mydomain/serverConfig> oifStatus()
The following command provides only the managed server URL; WLST prompts you for the Oracle WebLogic Server username and password:
wls:/mydomain/serverConfig> oifStatus('', '', 't3://localhost:7499')
The following command provides all arguments needed for WLST to display the federation server status:
wls:/mydomain/serverConfig> oifStatus('configfileA', 'keyfileB', 't3://localhost:7499')
Online command that removes a list property nested in a map.
removeConfigListInMap(configName, mapName, listName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
mapName | Specifies the name of the property map. |
listName | Specifies the name of the list to be removed from the map. |
Online command that removes a map property nested in a map.
removeConfigMapEntryInMap(configName, mapName, nestedMapName, propName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapName | Specifies the name of the property map. |
nestedMapName | Specifies the name of the nested property map. |
propName | Specifies the name of the property to be removed from the nested map. |
Online command that removes a configuration property.
removeConfigProperty(configName, propName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
propName | Specifies the name of the property to be removed. |
Online command that removes a configuration property list.
removeConfigPropertyList(configName, listName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
listName | Specifies the name of the property list to be removed. |
Online command that removes a property map.
removeConfigPropertyMap(configName, mapName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapName | Specifies the name of the property map to be removed. |
Online command that removes a property value from a map.
removeConfigPropertyMapEntry(configName, mapName, propName)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapName | Specifies the name of the property map to be updated. |
propName | Specifies the name of the property to be removed from the map. |
Online command that removes a property list in a map.
removeFederationListInMap(providerID, mapName, listName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map. |
listName | Specifies the name of the property list to be removed. |
Online command that removes a nested map in a map.
removeFederationMapInMap(providerID, mapName, nestedMapName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map containing the nested map. |
nestedMapName | Specifies the name of the nested property map to be removed. |
Online command that removes a nested map property entry in a map.
This command removes a property name/value pair from a map nested inside a map in cot.xml.
removeFederationMapEntryInMap(providerID, mapName, nestedMapName, propName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map containing the nested map. |
nestedMapName | Specifies the name of the nested property map. |
propName | Specifies the name of the property to be removed from the nested map. |
Online command that removes a property value.
removeFederationProperty(providerID, propName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be updated. |
propName | Specifies the name of the property to be removed. |
Online command that removes a property list entry.
removeFederationPropertyList(providerID, listName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
listName | Specifies the name of the property list to be removed. |
Online command that removes a property map.
removeFederationPropertyMap(providerID, mapName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map to be removed. |
Online command that removes a property value from a map.
removeFederationPropertyMapEntry(providerID, mapName, propName)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be accessed. |
mapName | Specifies the name of the property map to be updated. |
propName | Specifies the name of the property to be removed from the map. |
Online command that removes a peer provider entry.
removePeerProviderEntry(providerID)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be removed. |
Online command that sets a property value in config.xml.
setConfigProperty(configName, propName, value, type)
Argument | Definition |
---|---|
configName | Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
propName | Specifies the name of the property to be added or updated in config.xml. |
value | Specifies the property value. |
type | Specifies the type of the property: BOOLEAN, STRING, or LONG. |
Online command that updates a custom authentication integration engine.
setCustomAuthnEngine(engineID, name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument | Definition |
---|---|
engineID | Specifies the engine ID of an existing engine. |
name | Specifies the name of the custom engine. |
enabled | This flag specifies whether the engine is enabled (true) or not (false). |
webContext | Specifies the web context for the engine. |
authnRelativePath | Specifies the authentication relative path URL for the engine. |
logoutRelativePath | Specifies the logout relative path URL for the engine. |
logoutEnabled | This flag is set to true to enable logout for the engine, otherwise false. |
Online command that updates a custom SP integration engine.
setCustomSPEngine(engineID, name, [enabled], [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument | Definition |
---|---|
engineID | Specifies the engine ID of an existing custom engine. |
name | Specifies the name of the custom engine. |
enabled | This flag specifies whether the engine is enabled (true) or not (false). |
authnMech | Specifies the authentication mechanism for the engine. |
webContext | Specifies the web context for the engine. |
authnRelativePath | Specifies the authentication relative path URL for the engine. |
logoutRelativePath | Specifies the logout relative path URL for the engine. |
logoutEnabled | This flag is set to true to enable logout for the engine, otherwise false. |
Online command that adds or updates a property value.
setFederationProperty(providerID, propName, value, type)
Argument | Definition |
---|---|
providerID | Specifies the name of the peer provider to be updated. |
propName | Specifies the name of the property to be added or updated in cot.xml. |
value | Specifies the property value. |
type | Specifies the type of the property: BOOLEAN, STRING, or LONG. |
Some of the Directory Integration Platform (DIP) tools use WLST internally, and therefore, there are no custom WLST commands available to run from the WLST command prompt or to use within scripts. For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware User Reference for Oracle Identity Management.
Use the WLST security commands listed in Table 4-5 to operate on a domain policy or credential store, and to migrate policies and credentials from a source repository to a target repository.
Table 4-5 WLST Security Commands
Use this command... | To... | Use with WLST... |
---|---|---|
List application stripes in policy store. |
Online |
|
Create a new application role. |
Online |
|
Remove an application role. |
Online |
|
Add a principal to a role. |
Online |
|
Remove a principal from a role. |
Online |
|
List all roles in an application. |
Online |
|
List all members in an application role. |
Online |
|
Create a new permission. |
Online |
|
Remove a permission. |
Online |
|
List all permissions granted to a principal. |
Online |
|
Remove all policies in an application. |
Online |
|
Migrate policies or credentials from a source repository to a target repository. |
Offline |
|
Obtain the list of attribute values of a credential. |
Online |
|
Modify the attribute values of a credential. |
Online |
|
Create a new credential. |
Online |
|
Remove a credential. |
Online |
|
Update bootstrap credential store |
Offline |
|
Add a credential to the bootstrap credential store |
Offline |
|
Reassociate policies and credentials to an LDAP repository |
Online |
|
Upgrade security data from data used with release 10.1.x to data used with release 11. |
Offline |
|
Create a new resource type. |
Online |
|
Fetch an existing resource type. |
Online |
|
Remove an existing resource type. |
Online |
|
Create a resource. |
Online |
|
Remove a resource. |
Online |
|
List resources in an application stripe. |
Online |
|
List actions in a resource. |
Online |
|
Create an entitlement. |
Online |
|
List an entitlement. |
Online |
|
Remove an entitlement. |
Online |
|
Add a resource to an entitlement. |
Online |
|
Remove a resource from an entitlement |
Online |
|
List entitlements in an application stripe. |
Online |
|
Create an entitlement. |
Online |
|
Remove an entitlement. |
Online |
|
List an entitlement. |
Online |
|
List resource types in an application stripe. |
Online |
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that removes an application role.
Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
deleteAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that adds a principal to a role.
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
grantAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. |
Online command that removes a principal from a role.
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. |
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
listAppRoleMembers(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that creates a new permission.
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that removes a permission.
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
listPermissions([appStripe,] principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
The following invocation lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager")
The following invocation lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that removes all policies with a given application stripe.
Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.
deleteAppPolicies(appStripe)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
Offline command that migrates identities, application-specific or system policies, a specific credential folder, or all credentials.
Migrates identities, application-specific policies, or system policies from a source repository to a target repository, or migrates a specific credential folder or all credentials.
The kinds of repositories in which the source and target data are stored are transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP repositories must use an OVD or an OID LDAP server only). In the event of an error, the command returns a WLSTException.
The command syntax varies depending on the scope (system, application-specific, or both) of the policies being migrated.
Optional arguments are enclosed in square brackets.
To migrate identities, use the following syntax:
migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])
To migrate all policies (system and application-specific, for all applications), use the following syntax:
migrateSecurityStore(type="policyStore", configFile, src, dst, [overWrite,] [preserveAppRoleGuid])
To migrate just system policies, use the following syntax:
migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])
To migrate just application-specific policies, for one application, use the following syntax:
migrateSecurityStore(type="appPolicies", configFile, src, dst, srcApp [,dstApp] [,overWrite] [,migrateIdStoreMapping] [,preserveAppRoleGuid] [,mode])
To migrate all credentials, use the following syntax:
migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])
To migrate just one credential folder, use the following syntax:
migrateSecurityStore(type="folderCred", configFile, src, dst, [srcFolder,] [dstFolder,] [srcConfigFile,] [overWrite])
Argument | Definition |
---|---|
type | Specifies the kind of data to migrate. To migrate identities, set it to idStore; to migrate all policies (system and application-specific, for all applications), set it to policyStore; to migrate just system policies, set it to globalPolicies; to migrate just application-specific policies, set it to appPolicies; to migrate all credentials, set it to credStore; to migrate just one credential folder, set it to folderCred. |
configFile | Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The configuration file passed need not be an actual domain configuration file; it can be assembled just to specify the source and destination repositories of the migration. |
src | Specifies the name of a jps-context in the configuration file passed to the argument configFile, where the source store is specified. |
dst | Specifies the name of another jps-context in the configuration file passed to the argument configFile, where the destination store is specified. |
srcApp | Specifies the name of the source application, that is, the application whose policies are being migrated. |
dstApp | Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application. |
srcFolder | Specifies the name of the folder from which credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder. |
dstFolder | Specifies the folder to which the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder. |
srcConfigFile | Specifies the location of an alternate configuration file; it is used in the special case in which credentials are not configured in the file passed to configFile. This argument is optional. If unspecified, it defaults to the value passed to configFile; if specified, the value passed to configFile is ignored. |
overWrite | Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data. |
migrateIdStoreMapping | Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to false to exclude enterprise policies from the migration of application policies. |
dstLdifFile | Specifies the location where the LDIF file will be created. Required only if the destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the LDIF file should be imported manually, after it has been edited to account for the attributes required by your LDAP server. |
preserveAppRoleGuid | Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false by default. Set to true to preserve GUIDs; set to false to recreate GUIDs. |
mode | Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, to migrate just one of the duplicated items, and to log a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict. |
Note the following requirements about the passed arguments:
The file jps-config.xml is found in the passed location.
The file jps-config.xml includes the passed jps-contexts.
The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.
The following invocation illustrates the migration of the file-based policies of application PolicyServlet1 to file-based policies of application PolicyServlet2; it does not stop on encountering duplicate principals or permissions, migrates just one of any duplicate items, and logs a warning when duplicates are found:
wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies", configFile="jps-config.xml", src="default1", dst="context2", srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
```xml
<serviceInstance name="policystore1.xml" provider="some.provider">
  <property name="location" value="jazn-data1.xml"/>
</serviceInstance>
<serviceInstance name="policystore2.xml" provider="some.provider">
  <property name="location" value="jazn-data2.xml"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="policystore1.xml"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="policystore2.xml"/>
  ...
</jpsContext>
```
The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but are assumed to be located in the current directory.
The following invocation illustrates the migration of file-based credentials from one location to another:
wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-config.xml", src="default1", dst="context2")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
```xml
<serviceInstance name="credstore1" provider="some.provider">
  <property name="location" value="./credstore1/cwallet.sso"/>
</serviceInstance>
<serviceInstance name="credstore2" provider="some.provider">
  <property name="location" value="./credstore2/cwallet.sso"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="credstore1"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="credstore2"/>
  ...
</jpsContext>
```
For detailed configuration examples to use with this command, see Oracle Fusion Middleware Security Guide.
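As a worked check to go with the two invocations above (an added example, not Oracle's code): the script below parses a jps-config.xml with standard Python 3, resolves the src and dst contexts of a migrateSecurityStore call to the service instances they reference, and reports a missing context, a dangling serviceInstanceRef, or src and dst that resolve to the same file. The embedded XML is constructed to mirror the policy-store and credential-store fragments in this section and adds a deliberately broken context; the namespace URI is the one OPSS files declare, and the parser works with or without it.

```python
"""Pre-flight check for migrateSecurityStore (added example, not part of
Oracle's tooling): parse a jps-config.xml, resolve the src and dst
jpsContexts to the store instances they reference, and report anything that
should stop the migration before any policy or credential data moves."""
import xml.etree.ElementTree as ET

# Constructed sample that mirrors the two fragments in this section (policy
# store and credential store instances) plus one broken context; the
# namespace is the one real OPSS files declare, and the parser tolerates
# its presence or absence.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="policystore1.xml" provider="some.provider">
      <property name="location" value="jazn-data1.xml"/>
    </serviceInstance>
    <serviceInstance name="policystore2.xml" provider="some.provider">
      <property name="location" value="jazn-data2.xml"/>
    </serviceInstance>
    <serviceInstance name="credstore1" provider="some.provider">
      <property name="location" value="./credstore1/cwallet.sso"/>
    </serviceInstance>
    <serviceInstance name="credstore2" provider="some.provider">
      <property name="location" value="./credstore2/cwallet.sso"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default1">
    <jpsContext name="default1">
      <serviceInstanceRef ref="policystore1.xml"/>
      <serviceInstanceRef ref="credstore1"/>
    </jpsContext>
    <jpsContext name="context2">
      <serviceInstanceRef ref="policystore2.xml"/>
      <serviceInstanceRef ref="credstore2"/>
    </jpsContext>
    <jpsContext name="broken">
      <serviceInstanceRef ref="policystore1.xml"/>
      <serviceInstanceRef ref="nosuchstore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _local(tag):
    """Strip a namespace prefix: '{ns}jpsContext' -> 'jpsContext'."""
    return tag.rsplit("}", 1)[-1]


def parse_jps_config(xml_text):
    """Return (instances, contexts, default_context).

    instances: instance name -> {property name: value}
    contexts:  context name  -> list of referenced instance names
    """
    instances, contexts, default_ctx = {}, {}, None
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag == "serviceInstance":
            instances[el.get("name")] = dict(
                (p.get("name"), p.get("value")) for p in el if _local(p.tag) == "property")
        elif tag == "jpsContexts":
            default_ctx = el.get("default")
        elif tag == "jpsContext":
            contexts[el.get("name")] = [
                r.get("ref") for r in el if _local(r.tag) == "serviceInstanceRef"]
    return instances, contexts, default_ctx


def resolve_context(cfg, ctx_name):
    """Map each instance referenced by a context to its properties.

    A dangling serviceInstanceRef maps to None so callers can flag it."""
    instances, contexts, _ = cfg
    if ctx_name not in contexts:
        raise ValueError("no jpsContext named %s" % ctx_name)
    return dict((ref, instances.get(ref)) for ref in contexts[ctx_name])


def _locations(resolved):
    return set(p["location"] for p in resolved.values() if p and "location" in p)


def preflight(cfg, src, dst):
    """Findings that should stop a migrateSecurityStore run: a missing context,
    a dangling serviceInstanceRef, or src and dst resolving to the same file
    (which would migrate a store onto itself)."""
    findings = []
    try:
        src_map, dst_map = resolve_context(cfg, src), resolve_context(cfg, dst)
    except ValueError as exc:
        return [str(exc)]
    for ctx, resolved in ((src, src_map), (dst, dst_map)):
        for ref, props in resolved.items():
            if props is None:
                findings.append("context %s references unknown instance %s" % (ctx, ref))
    for loc in sorted(_locations(src_map) & _locations(dst_map)):
        findings.append("src and dst both resolve to %s" % loc)
    return findings


if __name__ == "__main__":
    cfg = parse_jps_config(SAMPLE_JPS_CONFIG)
    for pair in (("default1", "context2"), ("default1", "broken"), ("default1", "default1")):
        print("%s -> %s: %s" % (pair[0], pair[1], preflight(cfg, *pair) or "ok"))
```

Run it against the same configFile you will pass to migrateSecurityStore. It only understands the file-based location property shown on this page; an LDAP-backed instance carries different properties and gets just the existence check.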
Online command that returns the list of attribute values of a credential in the domain credential store.
Returns the list of attribute values of a credential in the domain credential store with given map name and key name. This command lists the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException.
listCred(map, key)
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
Online command that modifies the user name, password, and description of a credential.
Modifies the user name, password, and (optionally) the description of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
updateCred(map, key, user, password [, desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. Optional. |
Online command that creates a new credential in the domain credential store.
Creates a new password credential in the domain credential store with a given map name, key name, user name, password, and (optionally) description. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
createCred(map, key, user, password [, desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. Optional. |
Online command that removes a credential from the domain credential store.
Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
deleteCred(map, key)
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with a given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml relative to the location where the command is run. |
username | Specifies the distinguished name of the user in the LDAP store. |
password | Specifies the password of the user. |
Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:
wls:/offline> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded.
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml relative to the location where the command is run. |
map | Specifies the map of the credential to add. |
key | Specifies the key of the credential to add. |
username | Specifies the name of the user in the credential to add. |
password | Specifies the password of the user in the credential to add. |
Online command that migrates the policy and credential stores to an LDAP repository.
Migrates, within a given domain, both the policy store and the credential store to a target LDAP server repository. The only kinds of LDAP servers allowed are OID or OVD. This command also allows setting up a policy store shared by different domains (see the optional argument join below). In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
reassociateSecurityStore(domain, admin, password, ldapurl, servertype, jpsroot [, join])
Argument | Definition |
---|---|
domain | Specifies the domain name where the reassociation takes place. |
admin | Specifies the administrator's user name on the LDAP server. The format is cn=usrName. |
password | Specifies the password associated with the user specified for the argument admin. |
ldapurl | Specifies the URI of the LDAP server. The format is ldap://host:port if you are using the default (non-secure) port, or ldaps://host:port if you are using a secure LDAP port. The secure port must be configured specially for this function and it is distinct from the default (non-secure) port. With ldap://, the admin password and the migrated credentials travel to the LDAP server unencrypted. |
servertype | Specifies the kind of the target LDAP server. The only valid types are OID or OVD. |
jpsroot | Specifies the root node in the target LDAP repository under which all data is migrated. The format is cn=nodeName. |
join | Optional. Specifies whether the domain is to share a policy store already configured in another domain. Set to true to share an existing policy store in another domain; set to false otherwise. This argument allows multiple WebLogic domains to point to the same logical policy store. |
The following invocation reassociates the domain policies and credentials to an LDAP Oracle Internet Directory server:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="myDomain", admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode")
Suppose that you want some other domain (distinct from myDomain, say otherDomain) to share the policy store in myDomain. Then you would invoke the command as follows:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="otherDomain", admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode", join="true")
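An argument pre-flight for reassociateSecurityStore, added here as an example (not part of Oracle's tooling, and written for a standard Python 3 interpreter rather than the WLST Jython shell). It checks the formats this section states for admin, jpsroot, servertype and ldapurl, including the explicit port, and warns when the URL uses plain ldap://, since that sends the admin bind password and every migrated credential to the directory in clear. The sample calls in the test mirror the two invocations above; the mistyped URL ldap//:host:port from an earlier draft of the ldapurl description is used as a negative case.

```python
"""Argument pre-flight for reassociateSecurityStore (added example, not part of
Oracle's tooling). It encodes the argument formats this section states and
flags the one choice with a direct security consequence: a plain ldap:// URL
carries the admin bind password and every migrated credential to the
directory server unencrypted, so a secure ldaps:// port is the safer choice."""
import re
from urllib.parse import urlsplit

VALID_SERVER_TYPES = ("OID", "OVD")
_CN_FORMAT = re.compile(r"^cn=[^,]+$")   # cn=usrName / cn=nodeName, as stated above


def check_reassociate_args(domain, admin, password, ldapurl, servertype,
                           jpsroot, join="false"):
    """Return (errors, warnings). An empty error list means the arguments are
    well-formed; warnings do not block the call but deserve a second look."""
    errors, warnings = [], []
    if not domain:
        errors.append("domain must not be empty")
    if not _CN_FORMAT.match(admin or ""):
        errors.append("admin must be of the form cn=usrName, got %r" % (admin,))
    if not password:
        errors.append("password must not be empty")
    if servertype not in VALID_SERVER_TYPES:
        errors.append("servertype must be OID or OVD, got %r" % (servertype,))
    if not _CN_FORMAT.match(jpsroot or ""):
        errors.append("jpsroot must be of the form cn=nodeName, got %r" % (jpsroot,))
    if str(join).lower() not in ("true", "false"):
        errors.append('join must be "true" or "false", got %r' % (join,))

    parts = urlsplit(ldapurl or "")
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        # Also catches the slip ldap//:host:port, which parses with no scheme.
        errors.append("ldapurl must be ldap://host:port or ldaps://host:port, got %r"
                      % (ldapurl,))
    else:
        try:
            port = parts.port
        except ValueError:          # non-numeric port
            port = None
        if port is None:
            errors.append("ldapurl must include an explicit port, got %r" % (ldapurl,))
        if parts.scheme == "ldap":
            warnings.append("ldap:// is unencrypted: the admin password and all migrated "
                            "credentials cross the network in clear; prefer ldaps://")
    return errors, warnings


if __name__ == "__main__":
    # The two invocations from this section, checked before they are typed into WLST.
    for kwargs in (
        dict(domain="myDomain", admin="cn=adminName", password="myPass",
             ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode"),
        dict(domain="otherDomain", admin="cn=adminName", password="myPass",
             ldapurl="ldap://myhost.example.com:3060", servertype="OID",
             jpsroot="cn=testNode", join="true"),
    ):
        errors, warnings = check_reassociate_args(**kwargs)
        print(kwargs["domain"], "errors:", errors, "warnings:", warnings)
```

The check is deliberately strict about the explicit port because the page gives no default; pass the secure port you configured on the directory and the ldaps:// scheme together, otherwise the warning fires.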
Offline command that migrates release 10.1.x security data to release 11 security data.
Migrates identity, policy, and credential data used in release 10.1.x to security data that can be used with release 11. The migration of each kind of data is performed with separate invocations of this command. In the event of an error, the command returns a WLSTException.
The syntax varies according to the type of data being upgraded. Optional arguments are enclosed in square brackets.
To upgrade 10.1.x XML identity data to 11 XML identity data, use the following syntax:
upgradeSecurityStore(type="xmlIdStore", jpsConfigFile, srcJaznDataFile, srcRealm [, dst])
To upgrade 10.1.x XML policy data to 11 XML policy data, use the following syntax:
upgradeSecurityStore(type="xmlPolicyStore", jpsConfigFile, srcJaznDataFile [, dst])
To upgrade 10.1.x OID LDAP-based policy data to 11 XML policy data, use the following syntax:
upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile, srcJaznConfigFile [, dst])
To upgrade 10.1.x XML credential data to 11 XML credential data, use the following syntax:
upgradeSecurityStore(type="xmlCredStore", jpsConfigFile, srcJaznDataFile, users [, dst])
Argument | Definition |
---|---|
type | Specifies the kind of security data being upgraded. The only valid values are xmlIdStore, xmlPolicyStore, oidPolicyStore, and xmlCredStore. |
jpsConfigFile | Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The target store of the upgrade is read from the context specified with the argument dst. |
srcJaznDataFile | Specifies the location of a 10.1.x jazn data file relative to the directory where the command is run. This argument is required if the specified type is xmlIdStore, xmlPolicyStore, or xmlCredStore. |
srcJaznConfigFile | Specifies the location of a 10.1.x jazn configuration file relative to the directory where the command is run. This argument is required if the specified type is oidPolicyStore. |
srcRealm | Specifies the name of the realm from which identities are to be migrated. This argument is required if the specified type is xmlIdStore. |
users | Specifies a comma-separated list of users, each formatted as realmName/userName. This argument is required if the specified type is xmlCredStore. |
dst | Specifies the name of the jpsContext in the file passed to the argument jpsConfigFile where the destination store is configured. Optional. If unspecified, it defaults to the default context in the file passed in the argument jpsConfigFile. |
The following invocation migrates 10.1.3 file-based identities to an 11 file-based identity store:
wls:/offline> upgradeSecurityStore(type="xmlIdStore", jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml", srcRealm="jazn.com")
The following invocation migrates a 10.1.3 OID-based policy store to an 11 file-based policy store; the oidPolicyStore type takes the 10.1.3 jazn configuration file (jazn.xml), not a jazn data file:
wls:/offline> upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile="jps-config.xml", srcJaznConfigFile="jazn.xml", dst="destinationContext")
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where to insert the resource type. |
resourceTypeName | Specifies the name of the resource type to insert. |
displayName | Specifies the name for the resource type used in UI gadgets. |
description | Specifies a brief description of the resource type. |
provider | Specifies the provider for the resource type. Optional. |
matcher | Specifies the class of the resource type. Optional. If unspecified, it defaults to oracle.security.jps.ResourcePermission. |
actions | Specifies the actions allowed on instances of the resource type. |
delimeter | Specifies the character used to delimit the list of actions (the argument name is spelled delimeter). Optional. If unspecified, it defaults to comma ','. |
The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon; because the actions string uses a semicolon, delimeter=";" must be passed explicitly:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint", delimeter=";")
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
getResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to fetch the resource type. |
resourceTypeName | Specifies the name of the resource type to fetch. |
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
deleteResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to remove the resource type. |
resourceTypeName | Specifies the name of the resource type to remove. |
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and the command lists the application stripes in the policy store referred to by the default context of the passed configuration file; that default context must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and the command lists the stripes in the policy store of the domain to which you are connected. In either mode, if a regular expression is passed, only the application stripes whose names match it are listed; otherwise, all application stripes are listed.
If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited as described in "Running listAppStripes after Reassociating to a DB-Based Store" in Oracle Fusion Middleware Security Guide.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument | Definition |
---|---|
configFile | Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and lists the application stripes in the domain policy store. |
regularExpression | Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of all application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes()
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/offline> listAppStripes(configFile="/home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes whose names start with the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must already exist in the passed application stripe.
Optional arguments are enclosed in square brackets.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is created. |
name | Specifies the name of the resource created. |
type | Specifies the type of the resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName | Specifies the display name of the resource created. Optional. |
description | Specifies the description of the resource created. Optional. |
Online command that deletes a resource.
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if an entitlement refers to that one resource only, the entitlement itself is removed; otherwise, only the actions of the passed resource (of the passed type) are removed from the entitlement.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is deleted. |
name | Specifies the name of the resource deleted. |
type | Specifies the type of the resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [, type="resTypeName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resources are listed. |
type | Specifies the type of the resources listed. Optional. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists the resources and actions in an entitlement.
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement resides. |
permSetName | Specifies the name of the entitlement whose resources and actions to list. |
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
Optional arguments are enclosed in square brackets.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is created. |
name | Specifies the name of the entitlement created. |
resourceName | Specifies the name of the one resource member of the entitlement created. |
actions | Specifies the comma-separated list of actions for the resource resourceName. |
displayName | Specifies the display name of the entitlement created. Optional. |
description | Specifies the description of the entitlement created. Optional. |
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to access. |
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is deleted. |
name | Specifies the name of the entitlement to delete. |
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to add. |
resourceType | Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions | Specifies the comma-separated list of actions for the added resource. |
The following invocation adds the resource myResource (of type myResType, with the actions view and edit) to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that removes a resource from an entitlement.
Removes a resource, with the specified actions, from an entitlement in a specified application stripe.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to remove. |
resourceType | Specifies the type of the resource to remove. |
actions | Specifies the comma-separated list of actions to remove. |
The following invocation removes the resource myResource (actions view and edit) from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that lists the entitlements in an application stripe.
Lists the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [, resourceTypeName="resTypeName", resourceName="resName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to list entitlements. |
resourceTypeName | Specifies the name of the type of the resources to match. Optional. |
resourceName | Specifies the name of the resource to match. Optional. |
The following invocation lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following invocation lists all the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
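To make the ordering and cascade rules of the resource and entitlement commands concrete (createResourceType before createResource, createResource before createEntitlement or addResourceToEntitlement, an entitlement carrying only actions its resource type defines, and the cascading behaviour of deleteResource), here is an in-memory model of one application stripe. It is an added example, not Oracle's implementation: it models only the rules stated on this page, keys resources by (name, type) as the delete and list commands do, and its treatment of revokeResourceFromEntitlement (drop the listed actions, drop the resource from the entitlement once none remain) is an assumption. The printer names and entitlement names in demo() are constructed.

```python
"""In-memory model of one application stripe (added example; not Oracle's
implementation). It encodes the rules this section states: a resource type
must exist before a resource of that type is created, a resource must exist
before it joins an entitlement, an entitlement may carry only actions its
resource type defines, and deleteResource cascades: an entitlement that held
only the deleted resource is removed, any other entitlement just loses that
resource's actions."""


class StripeError(Exception):
    """Raised where the corresponding WLST command would return a WLSTException."""


class AppStripe(object):
    def __init__(self, name):
        self.name = name
        self.resource_types = {}   # type name -> set of actions it defines
        self.resources = set()     # (resource name, type name)
        self.entitlements = {}     # entitlement name -> {(res, type): set(actions)}

    # createResourceType(..., actions [, delimeter]): the action list is split on
    # the delimiter (comma by default); the argument really is spelled "delimeter".
    def create_resource_type(self, name, actions, delimeter=","):
        if name in self.resource_types:
            raise StripeError("resource type %s already exists" % name)
        parsed = set(a.strip() for a in actions.split(delimeter) if a.strip())
        if not parsed:
            raise StripeError("resource type %s defines no actions" % name)
        self.resource_types[name] = parsed

    # createResource: the type must already be present in the stripe.
    def create_resource(self, name, type_):
        if type_ not in self.resource_types:
            raise StripeError("unknown resource type %s in stripe %s" % (type_, self.name))
        self.resources.add((name, type_))

    def _actions(self, type_, actions):
        wanted = set(a.strip() for a in actions.split(",") if a.strip())
        undefined = wanted - self.resource_types[type_]
        if undefined:
            raise StripeError("actions %s not defined on type %s" % (sorted(undefined), type_))
        return wanted

    # createEntitlement: exactly one resource to start with; more via add_resource.
    def create_entitlement(self, name, resource_name, type_, actions):
        if name in self.entitlements:
            raise StripeError("entitlement %s already exists" % name)
        self.entitlements[name] = {}
        self.add_resource_to_entitlement(name, resource_name, type_, actions)

    # addResourceToEntitlement: the resource (and so its type) must exist.
    def add_resource_to_entitlement(self, ent, resource_name, type_, actions):
        if (resource_name, type_) not in self.resources:
            raise StripeError("resource %s of type %s does not exist" % (resource_name, type_))
        members = self.entitlements[ent]
        members.setdefault((resource_name, type_), set()).update(self._actions(type_, actions))

    # revokeResourceFromEntitlement, modelled (assumption) as removing the listed
    # actions and dropping the resource from the entitlement once none remain.
    def revoke_resource_from_entitlement(self, ent, resource_name, type_, actions):
        members = self.entitlements[ent]
        key = (resource_name, type_)
        members[key] -= self._actions(type_, actions)
        if not members[key]:
            del members[key]

    # deleteResource: cascading deletion exactly as described for the command.
    def delete_resource(self, name, type_):
        key = (name, type_)
        if key not in self.resources:
            raise StripeError("resource %s of type %s does not exist" % (name, type_))
        self.resources.remove(key)
        for ent in list(self.entitlements):
            members = self.entitlements[ent]
            if key not in members:
                continue
            if len(members) == 1:
                del self.entitlements[ent]     # it referred to this resource only
            else:
                del members[key]               # keep the entitlement, drop these actions

    # listEntitlements(appStripe [, resourceTypeName, resourceName])
    def list_entitlements(self, type_=None, resource_name=None):
        if type_ is None and resource_name is None:
            return sorted(self.entitlements)
        return sorted(e for e, m in self.entitlements.items() if (resource_name, type_) in m)


def demo():
    """Walk a constructed printer example from createResourceType to a cascading delete."""
    s = AppStripe("myApplication")
    s.create_resource_type("PrinterType", "BWPrint;ColorPrint", delimeter=";")
    s.create_resource("lobbyPrinter", "PrinterType")
    s.create_resource("labPrinter", "PrinterType")
    s.create_entitlement("printBW", "lobbyPrinter", "PrinterType", "BWPrint")
    s.create_entitlement("printAll", "lobbyPrinter", "PrinterType", "BWPrint,ColorPrint")
    s.add_resource_to_entitlement("printAll", "labPrinter", "PrinterType", "ColorPrint")
    s.delete_resource("lobbyPrinter", "PrinterType")   # printBW goes, printAll shrinks
    return s


if __name__ == "__main__":
    stripe = demo()
    print(stripe.list_entitlements(), stripe.entitlements)
```

The cascade in delete_resource is the point to study before running deleteResource against a live stripe: an entitlement whose only member is the deleted resource disappears, so any grantEntitlement made on it silently loses its effect, while a multi-resource entitlement keeps its other members and its grants.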
Online command that grants an entitlement to a principal.
Grants an existing entitlement in a specified application stripe to a principal identified by its class and name.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal to which the entitlement is granted. |
permSetName | Specifies the name of the entitlement granted. |
The following invocation grants the entitlement myEntitlement in the stripe myApplication to the application role myPrincipalName:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that revokes an entitlement from a principal.
Revokes the specified entitlement from the principal in a specified application stripe.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal from which the entitlement is revoked. |
permSetName | Specifies the name of the entitlement revoked. |
The following invocation revokes the entitlement myEntitlement in the stripe myApplication from the application role myPrincipalName:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that lists the entitlements granted in a specified application stripe.
If a principal name and a class are specified, it lists the entitlements granted to the specified principal; otherwise, it lists all the entitlements granted in the stripe.
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to list entitlements. |
principalName | Specifies the name of the principal to match. Optional. |
principalClass | Specifies the class of the principal to match. Optional. |
Use the WLST commands listed in Table 4-6 to manage Oracle Access Manager (OAM)-related components, such as authorization providers, identity asserters, and SSO providers, as well as to display metrics and deployment topology, and to manage Oracle Access Manager server and agent configuration and logger settings.
Table 4-6 WLST Oracle Access Manager Commands
Use this command... | To... | Use with WLST... |
---|---|---|
 | List the parameters set for an Oracle Access Manager authentication or identity assertion provider. | Online |
 | Create a new identity asserter. | Online |
 | Update an existing identity asserter. | Online |
 | Create a new authenticator. | Online |
 | Delete an existing authentication provider. | Online |
 | Update an existing authenticator. | Online |
 | Add a new SSO provider. | Online |
 | List the details of deployed Oracle Access Manager Servers. | Online, Offline |
 | Display the performance metrics of an Oracle Access Manager Server and domain. | Online |
 | Display Oracle Access Manager Server configuration details. | Online, Offline |
 | Create an entry for an Oracle Access Manager Server configuration. | Online, Offline |
 | Edit the entry for an Oracle Access Manager Server configuration. | Online, Offline |
 | Delete the named Oracle Access Manager Server configuration. | Online, Offline |
 | Display OSSO Agent configuration details. | Online, Offline |
 | Edit OSSO Agent configuration details. | Online, Offline |
 | Delete the named OSSO Agent configuration. | Online, Offline |
 | Display WebGate Agent configuration details. | Online, Offline |
 | Edit 10g WebGate Agent registration details. | Online, Offline |
 | Delete the named 10g WebGate Agent configuration. | Online, Offline |
 | Change Logger Settings. | Online, Offline |
 | Regenerate the configuration data encryption key and re-encrypt data. | Online, Offline |
 | Display a user identity store registration. | Online, Offline |
 | Edit a user identity store registration. | Online, Offline |
 | Create a user identity store registration. | Online, Offline |
 | Delete a user identity store registration. | Online, Offline |
 | Configure the SSO server request cache type. | Online, Offline |
 | Display the SSO server request cache type entry. | Online, Offline |
 | Export Oracle Access Manager policy data from a test (source) to an intermediate Oracle Access Manager file. | Online |
 | Import Oracle Access Manager policy data from the Oracle Access Manager file specified. | Online |
 | Import Oracle Access Manager policy changes from the Oracle Access Manager file specified. | Online |
 | Migrate partners from the source Oracle Access Manager Server to the specified target Oracle Access Manager Server. | Online |
 | Export the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified. | Online |
 | Import the Oracle Access Manager partners from the intermediate Oracle Access Manager file specified. | Online |
 | Configure the Oracle Access Manager-Oracle Adaptive Access Manager basic integration. | Online |
 | Register Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner. | Online, Offline |
 | Enable the Coexist Mode. | Online |
 | Disable the Coexist Mode. | Online |
 | Edit GITO configuration parameters. | Online, Offline |
 | Edit an 11g WebGate registration. | Online, Offline |
 | Remove an 11g WebGate Agent registration. | Online, Offline |
 | Display an 11g WebGate Agent registration. | Online, Offline |
 | Display metrics of OAM Servers. | Online, Offline |
 | Update the Oracle Identity Manager configuration when integrated with Oracle Access Manager. | Online, Offline |
 | Create an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager. | Online |
 | Update OSSO Proxy response cookie settings. | Online, Offline |
 | Delete OSSO Proxy response cookie settings. | Online, Offline |
Online command that lists the values of the parameters in effect in a domain authenticator or identity asserter.
Lists the values of the parameters set for a given Oracle Access Manager authenticator or identity asserter. In the event of an error, the command returns a WLSTException.
listOAMAuthnProviderParams(name)
Argument | Definition |
---|---|
name | Specifies the name of the authenticator or identity asserter. |
Online command that creates an Oracle Access Manager identity asserter in the current domain.
Creates an identity asserter with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager identity asserter is already configured in the current domain. In the event of an error, the command returns a WLSTException.
createOAMIdentityAsserter(name)
Argument | Definition |
---|---|
name | Specifies the name of the new identity asserter. If no name is specified, it defaults to "OAMIdentityAsserter". |
Online command that updates the values of parameters of the Oracle Access Manager identity asserter in the current domain.
Updates the value of given parameters of the domain Oracle Access Manager identity asserter. In the event of an error, the command returns a WLSTException.
updateOAMIdentityAsserter(name, paramNameValueList)
Argument | Definition |
---|---|
name | Specifies the name of the Oracle Access Manager identity asserter whose parameter values to update. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs to be updated, each passed as a keyword argument of the form paramName="paramValue" (as in the example below). The parameter names that can be updated are the following only: |
The following invocation updates the parameters accessGateName, accessGatePwd, pAccessServer, and ssoHeaderName in the Oracle Access Manager identity asserter named myIdAsserter:
updateOAMIdentityAsserter(name="myIdAsserter", accessGateName="OAM IAP AccessGate", accessGatePwd="welcome1", pAccessServer="myhost.domain.com:5543", ssoHeaderName="OAM_SSO_HEADER")
Online command that creates an Oracle Access Manager authenticator in the current domain.
Creates an Oracle Access Manager authenticator with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager authenticator is already configured in the default security domain. In the event of an error, the command returns a WLSTException
.
createOAMAuthenticator(name)
Argument | Definition |
---|---|
name
|
Specifies the name of the new authentication provider in the default domain. If no name is specified, it defaults to "OAMAuthenticator". |
Online command that deletes the OAM authenticator from the current domain.
Deletes the OAM authenticator with a given name from the current domain. In the event of an error, the command returns a WLSTException
.
deleteOAMAuthnProvider(name)
Argument | Definition |
---|---|
name
|
Specifies the name of the authentication provider to delete. |
Online command that updates the values of parameters of the Oracle Access Manager authenticator in the current domain.
Updates the value of given parameters of the domain Oracle Access Manager authenticator. In the event of an error, the command returns a WLSTException
.
updateOAMAuthenticator(name, paramNameValueList)
Argument | Definition |
---|---|
name | Specifies the name of the Oracle Access Manager authenticator whose parameter values to update. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is paramName='paramValue'. Only the following parameter names can be updated:
|
The following invocation updates the parameters accessGateName, accessGatePwd, and pAccessServer in the Oracle Access Manager authenticator named myAuthenticator:
updateOAMAuthenticator(name="myAuthenticator", accessGateName="OAM AP AccessGate", accessGatePwd="welcome1", pAccessServer="myhost.domain.com:5543")
Online command that adds an Oracle Access Manager SSO provider with the given login URI, logout URI, and auto-login URI.
Adds an SSO provider with the given login URI, logout URI, and auto-login URI. This command modifies the domain jps-config.xml by adding an Oracle Access Manager SSO service instance with the required properties. In the event of an error, the command returns a WLSTException.
addOAMSSOProvider(loginuri, logouturi, autologinuri, beginimpuri, endimpuri)
Argument | Definition |
---|---|
loginuri | Required. Specifies the URI of the login page and triggers SSO authentication. |
logouturi | Optional. Specifies the URI of the logout page and logs the signed-on user out. If unspecified, defaults to logouturi=NONE. Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class More generally, an ADF-secured web application that would like to clear cookies without logging out the user should use this setting. |
autologinuri | Optional. Specifies the URI of the autologin page. If unspecified, it defaults to autologin=NONE. |
beginimpuri | Optional. Specifies the URI that triggers the impersonation SSO session. |
endimpuri | Optional. Specifies the URI that terminates the impersonation SSO session. |
The following invocation adds an SSO provider with the passed URIs; note the special behavior implied by the setting logouturi="" and the impersonation parameters, as explained in the above table:
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", autologinuri="/fooBar.cgi", beginimpuri="https://login.acme.com/impersonationInit.html", endimpuri="https://login.acme.com/impersonationTerm.html")
Online and offline command that displays the information about all the OAM Servers in a deployment.
Online command that displays the performance metrics of an OAM Server and domain.
Displays the performance metrics of an OAM Server and domain specific to collectors, including host, process, and server names. There are no arguments for this command.
Online and offline command that displays OAM Server registration details.
Displays OAM Server registration details, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument.
displayOamServer(host,port)
Argument | Definition |
---|---|
host | Mandatory. Specifies the name of the OAM Server host. |
port | Mandatory. Specifies the listening port of the OAM Server host. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that creates an OAM Server entry in the system configuration.
Creates an OAM Server registration, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument.
createOamServer(host,port, paramNameValueList)
Argument | Definition |
---|---|
host | Mandatory. Specifies the name of the OAM Server host. |
port | Mandatory. Specifies the listening port of the OAM Server host. |
domainHome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'.
Mandatory:
|
The following invocation creates a configuration for your_host with listening port 15000. The configuration entry in the Administration Console will be oam_server1. The OAM Proxy port is 3004 and the OAM Proxy Server ID is AccessServerConfigProxy:
createOamServer(host="your_host", port="15000", configurationProfile="oam_server1", oamProxyPort="3004", oamProxyServerID="AccessServerConfigProxy", siteName="siteName1", domainHome="domainHome1")
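Several of the invocations in this reference take a paramNameValueList, and a missing comma or a misspelled parameter name only surfaces when WLST runs the script. The following helper, added here as an illustration and not part of the Oracle documentation or tooling, renders such invocations with consistent quoting and checks the mandatory arguments stated in the tables for addOAMSSOProvider, createOamServer and editOssoAgent; the offline-mode rule (domainHome becomes mandatory) is taken from those tables, and the example host names and paths are constructed values.

```python
"""Render and sanity-check WLST invocations for the OAM commands above.

Added example, not Oracle's code. The argument specs below are taken from
this page's tables; anything not listed there is rejected as unknown.
"""

# Per-command spec: (mandatory args, optional args, takes domainHome?)
COMMAND_SPECS = {
    "addOAMSSOProvider": (
        ("loginuri",),
        ("logouturi", "autologinuri", "beginimpuri", "endimpuri"),
        False,
    ),
    "createOamServer": (
        ("host", "port"),
        ("configurationProfile", "oamProxyPort", "oamProxyServerID", "siteName"),
        True,
    ),
    "editOssoAgent": (
        ("agentName",),
        ("siteToken", "successUrl", "failureUrl", "homeUrl", "logoutUrl",
         "startDate", "endDate", "adminId", "adminInfo"),
        True,
    ),
}


def quote(value):
    """Quote one paramValue in the paramName='paramValue' form used above.

    Backslashes and single quotes inside the value are escaped so the line
    stays valid Jython; None is emitted bare, as the configureOAAM example
    on this page does for unset pool sizes.
    """
    if value is None:
        return "None"
    text = str(value)
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_call(command, offline=False, **params):
    """Return one WLST line for `command`, or raise ValueError.

    Checks that the command is known, that every mandatory argument is
    present (domainHome included when offline is True and the command
    takes it), and that no unknown argument is passed, so a typo such as
    autologin= instead of autologinuri= is caught before the script runs.
    """
    if command not in COMMAND_SPECS:
        raise ValueError("unknown command: %s" % command)
    mandatory, optional, takes_domain_home = COMMAND_SPECS[command]
    allowed = set(mandatory) | set(optional)
    if takes_domain_home:
        allowed.add("domainHome")
    missing = [a for a in mandatory if a not in params]
    if takes_domain_home and offline and "domainHome" not in params:
        missing.append("domainHome")
    if missing:
        raise ValueError("%s: missing mandatory argument(s): %s"
                         % (command, ", ".join(missing)))
    unknown = sorted(set(params) - allowed)
    if unknown:
        raise ValueError("%s: unknown argument(s): %s"
                         % (command, ", ".join(unknown)))
    # Mandatory arguments first in table order, then optional, domainHome last
    ordered = [a for a in mandatory + optional if a in params]
    if "domainHome" in params:
        ordered.append("domainHome")
    args = ", ".join("%s=%s" % (a, quote(params[a])) for a in ordered)
    return "%s(%s)" % (command, args)


def check_call(command, offline=False, **params):
    """Return None when render_call would succeed, else its error message."""
    try:
        render_call(command, offline, **params)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values; logouturi="" is the special case from the table.
    print(render_call("addOAMSSOProvider",
                      loginuri="/myapp/adfAuthentication", logouturi=""))
    print(render_call("createOamServer", offline=True,
                      host="oamhost.example.com", port="15000",
                      configurationProfile="oam_server1",
                      domainHome="/u01/domains/oam"))
    print(check_call("addOAMSSOProvider", loginuri="/x", autologin="/fooBar.cgi"))
```

Writing the returned lines to a file and running it with the WLST shell from the Oracle Common home gives the same effect as typing the invocations interactively.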
Online and offline command that enables you to edit OAM Server registration details.
Edits the registration for an OAM Server, which can include the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument.
editOamServer(name, port, paramNameValueList)
Argument | Definition |
---|---|
name | Mandatory. Specifies the name of the OAM Server host. |
port | Mandatory. Specifies the port number of the OAM Server host. |
domainHome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'.
Mandatory:
|
You can use any of the optional attributes to change current settings. The following invocation enables you to add the OAM Proxy shared secret to the configuration entry oam_server1.
editOamServer(name="oam_server1", port="15000", configurationProfile="oam_server1", oamProxyPort="3004", oamProxyServerID="Proxy1", siteName="siteName1", domainHome="domainHome1")
Online and offline command that enables you to delete the named OAM Server registration.
Deletes an entire OAM Server configuration.
The scope of this command is an instance, only. The scope is not an argument.
deleteOamServer(host,port)
Argument | Definition |
---|---|
host | Mandatory. Specifies the name of the OAM Server host. |
port | Mandatory. Specifies the listening port of the OAM Server host. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that displays OSSO Agent configuration details.
Displays OSSO Agent registration details, which also appear in the OAM Administration Console.
The scope of this command is an instance, only. The scope is not an argument.
displayOssoAgent(agentName)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the OSSO Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that enables you to edit an OSSO Agent registration.
Changes OSSO Agent configuration details, including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info.
The scope of this command is an instance, only. The scope is not an argument.
editOssoAgent(agentName,paramNameValueList)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the OSSO Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is paramName='paramValue'.
Optional:
|
The following invocation changes the Administrator ID and information in the registration entry for OSSOAgent1:
editOssoAgent(agentName="OSSOAgent1", siteToken="siteToken", successUrl="successUrl", failureUrl="failureUrl", homeUrl="homeUrl", logoutUrl="logoutUrl", startDate="2009-12-10", endDate="2012-12-30", adminId="345", adminInfo="Agent11", domainHome="domainHome1")
Online and offline command that enables you to delete an OSSO Agent registration.
Removes an OSSO Agent configuration.
The scope of this command is an instance, only. The scope is not an argument.
deleteOssoAgent(agentName)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the OSSO Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that displays a 10g WebGate registration.
Displays all 10g WebGate registration details, which can also be seen in the OAM Administration Console.
The scope of this command is an instance, only. The scope is not an argument.
displayWebgateAgent(agentName)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the WebGate Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that enables you to edit a 10g WebGate registration.
Enables you to change 10g WebGate Agent registration details.
The scope of this command is an instance, only. The scope is not an argument.
editWebgateAgent(agentName,paramNameValueList)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the WebGate Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is paramName='paramValue'.
Mandatory:
Optional:
|
You can alter any or all of the settings. Use the following invocation to change specific information in the WebGate Agent registration, including the Agent ID, state, maximum connections, OAM Server timeout, primary cookie domain, cache time out, cookie session timeout, maximum session timeout, idle session timeout, and failover threshold, as follows:
editWebgateAgent(agentName="my_WebGate", agentId="WebGate2", state="enabled", maxConnections="2", aaaTimeOutThreshold="2", primaryCookieDomain="adomain.com", cacheTimeOut="1200", cookieSessionTime="1500", maxSessionTime="1500", idleSessionTimeout="1500", failoverThreshold="25", domainHome="domainHome1")
Online and offline command that enables you to delete a 10g WebGate Agent registration.
Removes a 10g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument.
deleteWebgateAgent(agentName)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the WebGate Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that changes the logger level.
Changes the level of one or more, or all, loggers.
The scope of this command is an instance, only. The scope is not an argument.
changeLoggerSetting(loggerName='', loggerLevel='')
Argument | Definition |
---|---|
loggerName | Optional. Specifies the OAM logger name. Multiple OAM logger names can be specified, separated by commas, or you can use the wildcard (*) character to specify all OAM collectors, which is the default. |
loggerLevel | Specifies the level to set: one of SEVERE, WARNING, INFO, CONFIG, FINE. |
Offline command that regenerates the configuration data encryption key.
Regenerates the configuration data encryption key, re-encrypts the configuration data using the new key, and outputs attribute information of the identity store.
The scope of this command is an instance, only. The scope is not an argument.
changePasswordEncKey(oldPassword='', newPassword='')
Argument | Definition |
---|---|
oldPassword | Mandatory. Specifies the password that retrieves the current encryption key. |
newPassword | Mandatory. Defines a new password that protects the newly generated encryption key. |
Online and offline command that displays user identity store registration information.
Displays information of the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
displayUserIdentityStore(name)
Argument | Definition |
---|---|
name | Mandatory. Specifies the name of the LDAP user identity store. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that changes attributes of the user identity store for Oracle Access Manager.
Changes one or more attributes of the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
editUserIdentityStore(name,paramNameValueList)
Argument | Definition |
---|---|
name | Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers). |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'. Include one or more of the following parameter name-value pairs, in addition to those in createUserIdentityStore, to change the OAM user identity store configuration:
|
Online and offline command that creates a user identity store registration for Oracle Access Manager.
Creates an entry for a new user identity store to be registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
createUserIdentityStore(name,paramNameValueList)
Argument | Definition |
---|---|
name | Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers). |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'.
Mandatory:
Optional:
|
The following invocation creates a new Oracle Internet Directory user identity store definition for use with Oracle Access Manager:
createUserIdentityStore(name="Name1", principal="Principal1", credential="Credential1", type="OID", userAttr="userAttr1", ldapProvider="ldapProvider", roleSecAdmin="roleSecAdmin1", roleSysMonitor="roleSysMonitor", roleSysManager="roleSysManager", roleAppAdmin="roleAppAdmin", userSearchBase="cn=users", ldapUrl="ldapUrl", isPrimary="isPrimary", userIDProvider="userIDProvider", groupSearchBase="cn=groups", domainHome="domainHome1")
Online and offline command that removes an Oracle Access Manager user identity store registration.
Deletes the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
deleteUserIdentityStore(name)
Argument | Definition |
---|---|
name | Mandatory. Specifies the name of the LDAP user identity store to be removed. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that configures the SSO server request cache type.
Configures the SSO server request cache type.
The scope of this command is an instance, only. The scope is not an argument.
configRequestCacheType(type)
Argument | Definition |
---|---|
type | Mandatory. Specifies requestCacheType. |
Online and offline command that displays the SSO server request cache type.
Displays the SSO server request cache type entry.
The scope of this command is an instance, only. The scope is not an argument.
displayRequestCacheType(domainHome)
Argument | Definition |
---|---|
type | Mandatory. Specifies requestCacheType. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online only command that exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file specified.
Exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file.
The scope of this command is an instance, only. The scope is not an argument.
exportPolicy(pathTempOAMPolicyFile)
Argument | Definition |
---|---|
pathTempOAMPolicyFile | Mandatory. Specifies the path to the temporary Oracle Access Manager file. |
Online only command that imports the OAM policy data from the intermediate Oracle Access Manager file specified.
Imports the OAM policy data from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
importPolicy(pathTempOAMPolicyFile)
Argument | Definition |
---|---|
pathTempOAMPolicyFile | Mandatory. Specifies the path to the temporary OAM file. |
Online only command that imports the OAM policy changes from the intermediate Oracle Access Manager file specified.
Imports the OAM policy changes from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
importPolicyDelta(pathTempOAMPolicyFile)
Argument | Definition |
---|---|
pathTempOAMPolicyFile | Mandatory. Specifies the path to the temporary Oracle Access Manager file. |
Online only command that migrates partners from the current (source) OAM Server to the specified (target) OAM Server.
Migrates partners from the current (source) OAM Server to the specified (target) OAM Server.
The scope of this command is an instance, only. The scope is not an argument.
migratePartnersToProd(prodServerHost,prodServerPort,prodServerAdminUser,prodServerAdminPwd)
Argument | Definition |
---|---|
prodServerHost | Hostname of the target OAM Server to which partners are to be migrated. |
prodServerPort | Port of the target OAM Server to which partners are to be migrated. |
prodServerAdminUser | Administrator of the target OAM Server to which partners are to be migrated. |
prodServerAdminPwd | Target OAM Server administrator's password. |
Online only command that exports Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.
Exports the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
exportPartners(pathTempOAMPartnerFile)
Argument | Definition |
---|---|
pathTempOAMPartnerFile | Mandatory. Specifies the path to the temporary Oracle Access Manager partner file. |
Online only command that imports Oracle Access Manager partners from the intermediate Oracle Access Manager file specified.
Imports the OAM partners from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
importPartners(pathTempOAMPartnerFile)
Argument | Definition |
---|---|
pathTempOAMPartnerFile | Mandatory. Specifies the path to the temporary OAM partner file. |
Online only command that configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.
Configures the OAM-OAAM basic integration.
The scope of this command is an instance, only. The scope is not an argument.
configureOAAM(dataSourceName,paramNameValueList)
Argument | Definition |
---|---|
dataSourceName | Name of the data source to be created. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'.
Mandatory:
Optional:
|
The following invocation configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.
configureOAAM(dataSourceName="MyOAAMDS", hostName="host.us.co.com", port="1521", sid="sid", userName="username", passWord="password", maxConnectionSize=None, maxPoolSize=None, serverName="oam_server1")
Online and offline command that registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.
Registers Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner.
The scope of this command is an instance only. The scope is not an argument.
registerOIFDAPPartner()
Argument | Definition |
---|---|
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'.
Mandatory: Include the following parameter name-value pairs to create a new OAM user identity store configuration:
Optional:
|
Online command that enables the Coexist Mode.
Enables the Coexist Mode.
The scope of this command is an instance, only. The scope is not an argument.
Online command that disables the Coexist Mode.
Disables the Coexist Mode.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that edits GITO configuration parameters.
Edits GITO configuration parameters.
The scope of this command is an instance, only. The scope is not an argument.
editGITOValues(gitoEnabled, paramNameValueList)
Argument | Definition |
---|---|
gitoEnabled | True (or false). Allows (or denies) the user to set the GITO enabled property. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'.
Mandatory: Include the following parameter name-value pairs to create a new OAM user identity store configuration:
Optional:
|
Online and offline command that edits an 11g WebGate registration.
Edits an 11g WebGate registration.
The scope of this command is an instance, only. The scope is not an argument.
editWebgate11gAgent(agentname, paramNameValueList)
Argument | Definition |
---|---|
agentname | Name of the registered OAM 11g WebGate agent to be edited. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is paramName='paramValue'.
Optional:
|
The following invocation lists all mandatory and optional parameters.
editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1", state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10", security="open", logOutUrls="http://<host>:<port>", maxConnections="16", maxCacheElems="10000", cacheTimeout="1800", logoutCallbackUrl="http://<host>:<port>", maxSessionTime="24", logoutRedirectUrl="logoutRedirectUrl", failoverThreshold="1", tokenValidityPeriod="aPeriod", logoutTargetUrlParamName="logoutTargetUrl", domainHome="domainHome1")
Online and offline command that enables you to delete an 11g WebGate Agent registration.
Removes an 11g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument.
deleteWebgate11gAgent(agentName)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the 11g WebGate Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that enables you to display an 11g WebGate Agent registration.
Displays an 11g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument.
displayWebgate11gAgent(agentName)
Argument | Definition |
---|---|
agentName | Mandatory. Specifies the name of the WebGate Agent. |
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online and offline command that enables the display of metrics of OAM Servers.
Enables the display of metrics of OAM Servers.
The scope of this command is an instance, only. The scope is not an argument.
displayOAMMetrics(domainHome)
Argument | Definition |
---|---|
domainhome | Offline mode: Mandatory. Online mode: Optional. |
Online only command that updates the Oracle Identity Manager configuration when integrated with Oracle Access Manager.
Updates the Oracle Identity Manager configuration in the system configuration.
The scope of this command is an instance, only. The scope is not an argument.
updateOIMHostPort(hostname, port, secureProtocol)
Argument | Definition |
---|---|
hostname | Name of the Oracle Identity Manager host. |
port | Port of the Oracle Identity Manager host. |
secureProtocol | True or false. |
Online only command that creates an agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.
Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
configureOIM(oimHost, oimPort, oimSecureProtocolEnabled, oimAccessGatePwd, oimCookieDomain, oimWgId, oimWgVersion)
Argument | Definition |
---|---|
oimHost | Name of the Oracle Identity Manager host. |
oimPort | Port of the Oracle Identity Manager Managed Server. |
oimSecureProtocolEnabled | True or false (depending on HTTP or HTTPS). |
oimAccessGatePwd | If provided, will be the agent password for Open mode. |
oimCookieDomain | Domain to which the cookie is to be set. |
oimWgId | Agent registration name. |
oimWgVersion | Possible values 10g or 11g. If not provided, the default is 10g. |
The following invocation illustrates this command.
updateOIMHostPort(hostName="OIM host", port="7777", secureProtocol="true")
configureOIM(oimHost="OIM host", oimPort="7777", oimSecureProtocolEnabled="true", oimAccessGatePwd="Access Gate Password", oimCookieDomain="OIM Cookie Domain", oimWgId="OIM Webgate ID", oimWgVersion="OIM Webgate Version")
Online and offline command that updates OSSO Proxy response cookie settings.
Updates OSSO Proxy response cookie settings.
The scope of this command is an instance, only. The scope is not an argument.
updateOSSOResponseCookieConfig()
Argument | Definition |
---|---|
domainhome | Offline mode: Mandatory. Online mode: Optional. |
cookieName | Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated. |
cookieMaxAge | Maximum age of a cookie in minutes. A negative value sets a session cookie. |
isSecureCookie | Boolean flag that specifies whether the cookie should be secure (sent only over an SSL channel). |
cookieDomain | The domain of the cookie. |
Online and offline command that deletes OSSO Proxy response cookie settings.
Deletes OSSO Proxy response cookie settings.
The scope of this command is an instance, only. The scope is not an argument.
deleteOSSOResponseCookieConfig()
Argument | Definition |
---|---|
domainhome | Offline mode: Mandatory. Online mode: Optional. |
cookieName | Mandatory. Name of the cookie for which settings are deleted. |