Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1) Part Number E15478-06
For certain administrative tasks, the WebLogic Scripting Tool (WLST) provides custom commands that can be used as an alternative to the Oracle Access Manager Console. This appendix provides an introduction to WLST commands for Administrators. Details for each command, however, are outside the scope of this book.
Sections in this appendix include:
Become familiar with information in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Only Administrators can use the custom WLST commands for OAM, and only to set and manage the OAM System Configuration.
The WebLogic Scripting Tool shares the same foundation layer with the Oracle Access Manager Console. WLST for Oracle Access Manager and Oracle Security Token Service is available within ORACLE_IDM.
Note:
To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide.
OAM WLST commands are defined in the oamWlstCmd.py file in the following path:
<ORACLE_IDM>/common/wlst
The oamWlstCmd.py file refers to jar files available in:
<Oracle_IDM>/oam/server/lib/jmx
<Oracle_IDM>/oam/server/lib/wlst
Most WLST commands for OAM operate in both online and offline modes. Operational modes are described in Table F-1.
Table F-1 Operational Modes for WLST commands for OAM
Online Mode | Offline Mode |
---|---|
Connects to the Mbean Server running on the WebLogic AdminServer | Method invocation happens locally in the WLST Shell |
The Mbean Server can be running remotely | Requires the OAM Domain Home as a mandatory input |
Invokes OAM WLST Mbean methods, which are executed in the server | N/A |
OAM WLST Mbeans return the result of the execution to the WLST commands. | N/A |
Use the WLST commands listed in Table F-2 to manage Oracle Access Manager (OAM)-related components, such as authorization providers, identity asserters, and SSO providers, as well as to display metrics and deployment topology, manage Oracle Access Manager server and agent configuration and more.
See Also:
The section on Oracle Access Manager commands in the chapter "Infrastructure Security Custom WLST Commands" of the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Table F-2 WLST Oracle Access Manager Commands
Use this command... | To... | Use with WLST... |
---|---|---|
listOAMAuthnProviderParams | List the parameters set for an Oracle Access Manager authentication or identity assertion provider. | Online |
createOAMIdentityAsserter | Create a new identity asserter. | Online |
updateOAMIdentityAsserter | Update an existing identity asserter. | Online |
createOAMAuthenticator | Create a new authenticator. | Online |
deleteOAMAuthnProvider | Delete an existing authentication provider. | Online |
updateOAMAuthenticator | Update an existing authenticator. | Online |
addOAMSSOProvider | Add a new SSO provider. | Online |
displayTopology | List the details of deployed Oracle Access Manager Servers. | Online, Offline |
displayOamServer | Display Oracle Access Manager Server configuration details. | Online, Offline |
createOamServer | Create an entry for an Oracle Access Manager Server configuration. | Online, Offline |
editOamServer | Edit the entry for an Oracle Access Manager Server configuration. | Online, Offline |
deleteOamServer | Delete the named Oracle Access Manager Server configuration. | Online, Offline |
displayOssoAgent | Display OSSO Agent configuration details. | Online, Offline |
editOssoAgent | Edit OSSO Agent configuration details. | Online, Offline |
deleteOssoAgent | Delete the named OSSO Agent configuration. | Online, Offline |
displayWebgateAgent | Display 10g Webgate Agent configuration details. | Online, Offline |
editWebgateAgent | Edit 10g Webgate Agent registration details. | Online, Offline |
deleteWebgateAgent | Delete the named 10g Webgate Agent configuration. | Online, Offline |
changeLoggerSetting | Change Logger Settings. | Online, Offline |
changeConfigDataEncryptionKey | Regenerate the configuration data encryption key and re-encrypt data. | Online, Offline |
displayUserIdentityStore | Display a user identity store registration. | Online, Offline |
editUserIdentityStore | Edit a user identity store registration. | Online, Offline |
createUserIdentityStore | Create a user identity store registration. Note: The roleAppdAdmin is removed as a part of multi-store support. WLST is restricted and cannot set a store as the System Store. | Online, Offline |
deleteUserIdentityStore | Delete a user identity store registration. | Online, Offline |
configRequestCacheType | Configure the SSO server request cache type. | Online, Offline |
displayRequestCacheType | Display the SSO server request cache type entry. | Online |
exportPolicy | Export Oracle Access Manager policy data from a test (source) to an intermediate Oracle Access Manager file. | Online |
importPolicy | Import Oracle Access Manager policy data from the Oracle Access Manager file specified. | Online |
importPolicyDelta | Import Oracle Access Manager policy changes from the Oracle Access Manager file specified. | Online |
exportPartners | Export the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified. | Online |
importPartners | Import the Oracle Access Manager partners from the intermediate Oracle Access Manager file specified. | Online |
configureOAAM | Configure the Oracle Access Manager-Oracle Adaptive Access Manager basic integration. | Online |
registerOIFDAPPartner | Register Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner. | Online, Offline |
enableCoexistMode | Enable the Coexist Mode. | Online |
disableCoexistMode | Disable the Coexist Mode. | Online |
editGITOValues | Edit GITO configuration parameters. | Online, Offline |
editWebgate11gAgent | Edit an 11g Webgate registration. | Online |
deleteWebgate11gAgent | Remove an 11g Webgate Agent registration. | Online, Offline |
displayWebgate11gAgent | Display an 11g Webgate Agent registration. | Online, Offline |
displayOAMMetrics | Display metrics of OAM Servers. | Online |
updateOIMHostPort | Update the Oracle Identity Manager configuration when integrated with Oracle Access Manager. | Online, Offline |
configureOIM | Create an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager. | Online |
updateOSSOResponseCookieConfig | Update OSSO Proxy response cookie settings. | Online, Offline |
deleteOSSOResponseCookieConfig | Delete OSSO Proxy response cookie settings. | Online, Offline |
displaySimpleModeGlobalPassphrase | Display the simple mode global passphrase in plain text from the system configuration. | Online |
exportSelectedPartners | Export selected OAM Partners to the intermediate OAM file specified. | Online |
migrateArtifacts | Migrate artifacts based on the input artifact file. | Online |
registerThirdPartyTAPPartner | Register any third party as a Trusted Authentication Protocol (TAP) Partner. | Online |
Use the WLST commands listed in Table F-3 to manage Oracle Security Token Service-related components.
See Also:
The section on Oracle Security Token Service commands in the chapter "Infrastructure Security Custom WLST Commands" of the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Table F-3 WLST Commands Oracle Security Token Service
Use this command... | To... | Use with WLST... |
---|---|---|
putBooleanProperty("/stsglobal/ignoreunsupportedelements", "true") | Ignore unsupported WS-Trust elements present in the RST. Default: true. Note: A value of false returns an error if unsupported WS-Trust elements are present in the RST. | Online |
Partner Commands | | |
getPartner | Retrieve a partner and print the result. | Online |
getAllRequesterPartners | Retrieve the names of all Requester partners. | Online |
getAllRelyingPartyPartners | Retrieve the names of all Relying Party partners. | Online |
getAllIssuingAuthorityPartners | Retrieve the names of all Issuing Authority partners. | Online |
isPartnerPresent | Query OSTS to determine whether or not the partner exists in the Partner store. | Online |
createPartner | Create a new Partner entry. | Online |
updatePartner | Update an existing Partner entry based on the provided information. | Online |
deletePartner | Delete a partner entry. | Online |
getPartnerUsernameTokenUsername | Retrieve the partner's username value. | Online |
getPartnerUsernameTokenPassword | Retrieve the partner's password value. | Online |
setPartnerUsernameTokenCredential | Set the username and password values of a partner entry. | Online |
deletePartnerUsernameTokenCredential | Remove the username and password values from a partner entry. | Online |
getPartnerSigningCert | Retrieve the Base64 encoded signing certificate for the partner. | Online |
getPartnerEncryptionCert | Retrieve the Base64 encoded encryption certificate for the partner. | Online |
setPartnerSigningCert | Upload the signing certificate to the partner entry. | Online |
setPartnerEncryptionCert | Upload the encryption certificate to the partner entry. | Online |
deletePartnerSigningCert | Remove the signing certificate from the partner entry. | Online, Offline |
deletePartnerEncryptionCert | Remove the encryption certificate from the partner entry. | Online, Offline |
getPartnerAllIdentityAttributes | Retrieve and display all Identity mapping attributes used to map a token to a requester partner. | Online, Offline |
getPartnerIdentityAttribute | Retrieve and display the identity mapping attribute. | Online, Offline |
setPartnerIdentityAttribute | Set the identity mapping attribute for a requester partner. | Online, Offline |
deletePartnerIdentityAttribute | Delete the identity mapping attribute for a requester partner. | Online, Offline |
Relying Party Partner Mapping Commands | | |
getAllWSPrefixAndPartnerMappings | Retrieve and display all WS Prefixes. | Online, Offline |
getWSPrefixAndPartnerMapping | Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter. | Online, Offline |
createWSPrefixAndPartnerMapping | Create a new WS Prefix mapping to a Relying Party Partner. | Online, Offline |
deleteWSPrefixAndPartnerMapping | Delete an existing WS Prefix mapping to a Relying Party Partner. | Online, Offline |
Partner Profiles Commands | | |
getAllPartnerProfiles | Retrieve the names of all the existing partner profiles. | Online |
getPartnerProfile | Retrieve partner profile configuration data. | Online |
createRequesterPartnerProfile | Create a new Requester Partner profile with default configuration data. | Online |
createRelyingPartyPartnerProfile | Create a new Relying Party Partner profile with default configuration data. | Online |
createIssuingAuthorityPartnerProfile | Create a new Issuing Authority Partner profile with default configuration data. | Online |
deletePartnerProfile | Delete an existing partner profile. | Online |
Issuance Template Commands | | |
getAllIssuanceTemplates | Retrieve the names of all the existing Issuance Templates. | Online, Offline |
getIssuanceTemplate | Retrieve configuration data of a specific Issuance Template. | Online |
createIssuanceTemplate | Create a new Issuance Template with default configuration data. | Online |
deleteIssuanceTemplate | Delete an existing Issuance Template. | Online, Offline |
Validation Template Commands | | |
getAllValidationTemplates | Retrieve the names of all the existing Validation Templates. | Online, Offline |
getValidationTemplate | Retrieve configuration data of a specific Validation Template. | Online, Offline |
createWSSValidationTemplate | Create a new WS-Security Validation Template with default configuration data. | Online, Offline |
createWSTrustValidationTemplate | Create a new WS-Trust Validation Template with default configuration data. | Online, Offline |
deleteValidationTemplate | Delete an existing Validation Template. | Online, Offline |
Administrators can use the following procedure as a guide for using WLST commands for Oracle Access Manager or Oracle Security Token Service operations. Included here are several operations:
See Also:
The chapter "Infrastructure Security Custom WLST Commands" of the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
Use the following procedure for general information when you are starting the WLST shell.
To run WLST commands for OAM operations
Ensure that the OAM AdminServer is running.
Set up the environment for WLST by running the following command:
DOMAIN_HOME/bin/setDomainEnv.sh
Go to the ORACLE_HOME path: <Oracle_IDM>/common/bin.
Execute the appropriate command to enter the WLST shell.
Linux: wlst.sh
Windows: wlst.cmd
Execute help commands as needed. For example, help('oam') lists the available OAM WLST commands.
Note:
You can also use the help('oamap') and help('oamapsso') commands to display additional commands.
Connect to your domain. For example:
wls:/base_domain/serverConfig> connect()
Enter the WebLogic Administration username and password, and enter the URL for the Administration Server in the following format:
Please enter your username :
Please enter your password :
Please enter your server URL : t3://OAMHOST1.mycompany.com:7001
wls:/base_domain/serverConfig>
Offline Mode: Provide 'domainHome' as an input to the command.
Online Mode: Connect to the Mbean server using the command 'connect()'.
Check the chapter "Infrastructure Security Custom WLST Commands" of the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference for full details.
In high availability configurations, the Request Cache type must be changed from BASIC to COOKIE using Infrastructure Security custom WLST commands.
See Also:
OAM_REQ cookie in Table 11-4, "SSO Cookies"
To change the Request Cache Type in a high-availability environment
Log in to the WLST shell and connect to your domain as described in "Starting the WLST Shell and Logging In".
Run the following command to configure the request cache type for a high-availability deployment as COOKIE:
wls:/base_domain/serverConfig> configRequestCacheType(type="COOKIE")
Validate that the command worked using the following command:
wls:/base_domain/serverConfig> displayRequestCacheType()
Restart the OAM Servers.
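As an added example (it is not part of the Oracle documentation or of the OAM product), the following WLST script performs the login steps from "To run WLST commands for OAM operations" and the request cache change from the procedure above non-interactively, so the same change can be repeated on every domain of a high-availability rollout. It assumes the environment variable names OAM_ADMIN_URL, OAM_WLST_USER_CONFIG and OAM_WLST_USER_KEY, an AdminServer SSL listen port of 7002, and that an encrypted credential pair was created beforehand with WLST's storeUserConfig(), so no password is typed at the prompt, stored in the script or passed on the command line. connect(), disconnect(), configRequestCacheType() and displayRequestCacheType() are the WLST commands used in the procedures; everything else is plain Python that also runs outside WLST.

```python
# Added example, not Oracle's code. Run inside the OAM WLST shell, e.g.
#   <Oracle_IDM>/common/bin/wlst.sh set_request_cache_type.py
# after DOMAIN_HOME/bin/setDomainEnv.sh. The helpers below are plain Python;
# connect(), disconnect(), configRequestCacheType() and displayRequestCacheType()
# are WLST built-ins that exist only inside the WLST interpreter, so they are
# called from main() and not at import time.
import os
import re

# Request cache types named in this appendix. Assumption: the value passed to
# configRequestCacheType(type=...) is one of these, in upper case.
REQUEST_CACHE_TYPES = ('BASIC', 'COOKIE')

# Assumed environment variable names (not defined by OAM): the AdminServer URL
# and the encrypted credential files written by WLST's storeUserConfig().
ENV_ADMIN_URL = 'OAM_ADMIN_URL'
ENV_USER_CONFIG = 'OAM_WLST_USER_CONFIG'
ENV_USER_KEY = 'OAM_WLST_USER_KEY'

_ADMIN_URL_RE = re.compile(
    r'^(?P<scheme>t3s?)://(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<port>\d{1,5})$')


def parse_admin_url(url, allow_plaintext=False):
    """Validate the AdminServer URL and return (scheme, host, port).

    t3:// carries the WebLogic credentials and the OAM configuration in clear
    text, so it is rejected unless allow_plaintext is set; use t3s:// (SSL),
    which in this example is assumed to be on port 7002."""
    m = _ADMIN_URL_RE.match(url.strip())
    if not m:
        raise ValueError('expected t3://host:port or t3s://host:port, got %r' % (url,))
    scheme, host, port = m.group('scheme'), m.group('host'), int(m.group('port'))
    if not 1 <= port <= 65535:
        raise ValueError('port out of range: %d' % port)
    if scheme == 't3' and not allow_plaintext:
        raise ValueError('refusing plaintext t3:// URL; use t3s:// or allow_plaintext=True')
    return scheme, host, port


def is_acceptable_admin_url(url, allow_plaintext=False):
    """True if parse_admin_url() accepts the URL, False otherwise."""
    try:
        parse_admin_url(url, allow_plaintext)
        return True
    except ValueError:
        return False


def validate_cache_type(value):
    """Normalize and check a request cache type before handing it to WLST."""
    normalized = str(value).strip().upper()
    if normalized not in REQUEST_CACHE_TYPES:
        raise ValueError('unknown request cache type %r; expected one of %s'
                         % (value, ', '.join(REQUEST_CACHE_TYPES)))
    return normalized


def connect_kwargs(url, user_config_file, user_key_file, allow_plaintext=False):
    """Keyword arguments for WLST connect() in online mode.

    The password never appears in the script, in argv or in the environment:
    connect() decrypts it from the userConfigFile/userKeyFile pair that
    storeUserConfig() wrote."""
    parse_admin_url(url, allow_plaintext)
    return {'url': url,
            'userConfigFile': user_config_file,
            'userKeyFile': user_key_file}


def main():
    kwargs = connect_kwargs(os.environ[ENV_ADMIN_URL],
                            os.environ[ENV_USER_CONFIG],
                            os.environ[ENV_USER_KEY])
    for path in (kwargs['userConfigFile'], kwargs['userKeyFile']):
        if not os.path.isfile(path):
            raise IOError('credential file not found: %s' % path)
    wanted = validate_cache_type('COOKIE')   # required for high availability
    connect(**kwargs)                        # WLST built-in: online mode
    try:
        configRequestCacheType(type=wanted)  # OAM custom WLST command
        displayRequestCacheType()            # verification step of the procedure
        print('Request cache type set to %s; restart the OAM Servers to apply it.' % wanted)
    finally:
        disconnect()                         # WLST built-in


if __name__ == '__main__':
    main()
```

The t3:// check exists because the documented prompt uses t3://OAMHOST1.mycompany.com:7001, which sends the WebLogic Administration credentials and the OAM configuration over an unencrypted channel; connecting over t3s requires the AdminServer SSL listen port to be enabled and the WLST JVM to trust the server certificate. The script deliberately stops after displayRequestCacheType(): restarting the OAM Servers is the last step of the procedure and is left to the operator.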