This appendix lists the parameters and accepted values that may be defined for Oracle Entitlements Server services using jps-config.xml, the configuration file used by Java EE containers. It is located in the $DOMAIN_HOME/config/fmwconfig directory. This appendix is comprised of the following sections.
The Policy Distribution Component is responsible for distributing policy objects and policies from the policy store to one or more Security Modules. It can distribute in a controlled-push mode, a controlled-pull mode, a non-controlled mode, or a mixed mode. Each mode entails different configurations.
Section A.1.1, "Policy Distribution Component Server Configuration"
Section A.1.2, "Policy Distribution Component Client Configuration"
Typically, configuration for the Policy Distribution Component to fetch policies and policy objects (in a scenario when it runs within Oracle Entitlements Server) is associated with the Policy Store configuration in the jps-config.xml file. Only in cases when data is pulled in a controlled manner (controlled-pull mode) is the Policy Distribution Component associated with the PDP Service configuration on the Security Module side. Table A-1 contains the configuration parameters.
Table A-1 Policy Distribution Server Configuration
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.pd.server.transactionalScope |
Defines the scope of the policy distribution as either to one Security Module or to all Security Modules. If distribution fails when it involves only one Security Module, it does not affect distributions to other Security Modules. Optional Accepted Values: All (default), One |
none |
|
oracle.security.jps.register.waiting.interval |
Defines the amount of time to delay policy distribution after a request for registration is received. Optional Accepted Values: time in seconds (default value is 0) |
none |
The Policy Distribution Component client is responsible for making policies available to the Security Module. Thus, the Policy Distribution Client configuration is always associated with the PDP Service configuration portion of the jps-config.xml file on the Security Module side. Configuration is different depending on the mode of distribution and the environment in which the Security Module is running. The following sections contain descriptions of the applicable configuration parameters.
Section A.1.2.3, "Policy Distribution Client Configuration (Controlled-Pull Mode)"
Section A.1.2.4, "Policy Distribution Client Configuration (Non-controlled Mode)"
Section A.1.2.5, "Policy Distribution Client Configuration (Mixed Mode)"
Table A-2 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Standard Edition (JSE) environment and is configured to distribute data in the controlled-push mode.
Table A-2 Policy Distribution Client Configuration, JSE, Controlled Push Mode
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.runtime.pd.client.policyDistributionMode |
Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution. Mandatory Accepted Value: controlled-push |
Policy Distribution Mode |
|
oracle.security.jps.runtime.pd.client.sm_name |
Defines the name of the Security Module. Mandatory Accepted Value: Name of the Security Module |
SM Name |
|
oracle.security.jps.runtime.pd.client.localpolicy.work_folder |
Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where Optional Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges. |
Local Policy Work Folder |
|
oracle.security.jps.runtime.pd.client.incrementalDistribution |
Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store. Optional Accepted Values:
|
Incremental Distribution |
|
oracle.security.jps.runtime.pd.client.registrationRetryInterval |
When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful. Optional Accepted Value: time in seconds (default value is 5) |
Registration Retry Interval |
|
oracle.security.jps.runtime.policyDistributionWaitTime |
If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires. Optional Accepted Value: time in seconds (default value is 60) |
Wait Distribution Time (seconds) |
|
oracle.security.jps.runtime.pd.client.RegistrationServerURL |
Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts. Mandatory Accepted Value: URL |
Registration Server URL |
|
oracle.security.jps.runtime.pd.client.backupRegistrationServerURL |
Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable. Optional (although if not configured Oracle Entitlements Server failover will not work) Accepted Value: URL |
Backup Registration Server URL |
|
oracle.security.jps.runtime.pd.client.DistributionServicePort |
Defines the port to which a remote Policy Distributor will push policy updates. Mandatory Accepted Value: port number |
Distribution Service Port |
|
oracle.security.jps.pd.client.sslMode |
Defines whether communication between the Policy Distribution Component server and client will use the Secure Sockets Layer (SSL) protocol or not. Mandatory Accepted Values: none, two-way (default value) |
SSL Mode |
|
oracle.security.jps.pd.client.ssl.identityKeyStoreFileName |
Defines the name of the Identity Key Store file in which client certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component. Mandatory Accepted Value: the name of the keystore file |
SSL Identity Key Store File Name |
|
oracle.security.jps.pd.client.ssl.trustKeyStoreFileName |
Defines the name of the Trust Key Store file where Certificate Authority (CA) certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component. Mandatory Accepted Value: the name of the identity key store file |
SSL Trust Key Store File Name |
|
oracle.security.jps.pd.client.ssl.identityKeyStoreKeyAlias |
Defines an Identity Key alias to identify the client certificate used for SSL communication between the Security Module and the Policy Distribution Component. Optional (if only one alias exists in the identity keystore there is no need to specify this value) Accepted Value: the identity key alias |
SSL Identity Key Store Key Alias |
|
oracle.security.jps.runtime.pd.client.SMinstanceType |
Defines the type of Security Module to which the Policy Distribution Component client is connecting. Mandatory Accepted Value: java (Other accepted values include wls, RMI and ws. Because this table covers the Java Security Module only, the value must be java.) |
Configured during OES Client installation only. |
|
oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName |
Defines which JCE provider will be used. Optional Accepted Values: SunJCE, JsafeJCE; no default value is defined. The value is case-sensitive. If no value is provided, the default JDK provider is used. |
|
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength |
Defines the key length used for the Cipher class available from the specified JCE provider. Optional Accepted Values: 128, 192, 256; default value is 128. |
|
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding |
Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be: algorithm name/mode/padding Optional Accepted Values: default value is |
Table A-3 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Enterprise Edition (JEE) environment and is configured to distribute data in the controlled-push mode.
Table A-3 Policy Distribution Client Configuration, JEE, Controlled Push Mode
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.runtime.pd.client.policyDistributionMode |
Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution. Mandatory Accepted Value: controlled-push |
Policy Distribution Mode |
|
oracle.security.jps.runtime.pd.client.sm_name |
Defines the name of the Security Module. Mandatory Accepted Value: Name of the Security Module |
SM Name |
|
oracle.security.jps.runtime.pd.client.localpolicy.work_folder |
Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where Optional Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges. |
Local Policy Work Folder |
|
oracle.security.jps.runtime.pd.client.incrementalDistribution |
Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store. Optional Accepted Values:
|
Incremental Distribution |
|
oracle.security.jps.runtime.pd.client.registrationRetryInterval |
When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful. Optional Accepted Value: time in seconds (default value is 5) |
Registration Retry Interval (seconds) |
|
oracle.security.jps.runtime.policyDistributionWaitTime |
If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires. Optional Accepted Value: time in seconds (default value is 60) |
Wait Distribution Time (seconds) |
|
oracle.security.jps.runtime.pd.client.RegistrationServerURL |
Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts. Mandatory Accepted Value: URL |
Registration Server URL |
|
oracle.security.jps.runtime.pd.client.backupRegistrationServerURL |
Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable. Optional (although if not configured Oracle Entitlements Server failover will not work) Accepted Value: URL |
Backup Registration Server URL |
|
oracle.security.jps.runtime.pd.client.SMinstanceType |
Defines the type of Security Module to which the Policy Distribution Component client is connecting. Mandatory Accepted Values:
|
Configured during OES Client installation only. |
|
oracle.security.jps.runtime.pd.client.DistributionServiceURL |
Defines the URL to which the remote Policy Distributor will push policy updates. Mandatory Accepted Values: URL |
|
|
oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName |
Defines which JCE provider will be used. It is optional and case sensitive. Optional Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used. |
|
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength |
Defines the key length used for the Cipher class available from the specified JCE provider. Optional Accepted Values: 128, 192, 256; default value is 128. |
|
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding |
Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be: algorithm name/mode/padding Optional Accepted Values: default value is |
Table A-4 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the controlled-pull mode.
Table A-4 Policy Distribution Client Configuration, Controlled-Pull Mode
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.runtime.pd.client.policyDistributionMode |
Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution. Mandatory Accepted Value: controlled-pull |
Policy Distribution Mode |
|
oracle.security.jps.runtime.pd.client.sm_name |
Defines the name of the Security Module. Mandatory Accepted Value: the name of the Security Module |
SM Name |
|
oracle.security.jps.runtime.pd.client.localpolicy.work_folder |
Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where Optional Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges. |
Local Policy Work Folder |
|
oracle.security.jps.runtime.pd.client.incrementalDistribution |
Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store. Optional Accepted Values:
|
Incremental Distribution |
|
oracle.security.jps.runtime.policyDistributionWaitTime |
If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires. Optional Accepted Value: time in seconds (default value is 60) |
Wait Distribution Time (seconds) |
|
oracle.security.jps.pd.client.PollingTimerEnabled |
Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling for environment when policies are not expected to be modified. Optional Accepted Values:
|
|
|
oracle.security.jps.pd.client.PollingTimerInterval |
Defines the interval of time in which the Policy Distribution Component will check for policy data changes. Optional Accepted Value: time in seconds (default value of 600) |
|
|
oracle.security.jps.ldap.root.name |
Defines the top (root) entry of the LDAP policy store directory information tree (DIT). Mandatory Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT) |
LDAP Root Name |
|
oracle.security.jps.farm.name |
Defines the RDN format of the domain node in the LDAP policy store. Mandatory Accepted Value: name of the domain |
Farm Name |
|
jdbc.url |
Takes a URL that points to the database. Mandatory (if using Java Database Connectivity API to connect to policy store) Accepted Value: URL |
JDBC URL |
|
jdbc.driver |
Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database. Mandatory Accepted Value: driver |
JDBC Driver |
|
datasource.jndi.name |
The JNDI name of the JDBC data source instance. The instance may correspond to a single source or multi-source datasource. Valid in only JEE applications. Applies only to database stores. Mandatory Accepted Value: name of JNDI data source; for example, |
Datasource JNDI Name |
|
security.principal |
The name of the user with access rights to the database. Mandatory Accepted Value: Database user name |
|
|
security.credential |
The password of the user with access rights to the database. Optional Accepted Value: Password associated with the database user in clear text; instead of storing the password in clear text, use |
|
|
bootstrap.security.principal.key |
The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store. Mandatory Accepted Value: CSF credential key |
Bootstrap Security Principal Key |
|
bootstrap.security.principal.map |
The map for the password credentials to access the policy store. Credentials are stored in the CSF store. Mandatory Accepted Value: name of the CSF credential map |
Bootstrap Security Principal Map |
|
oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName |
Defines which JCE provider will be used. It is optional and case sensitive. Optional Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used. |
|
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength |
Defines the key length used for the Cipher class available from the specified JCE provider. Optional Accepted Values: 128, 192, 256; default value is 128. |
|
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding |
Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be: algorithm name/mode/padding Optional Accepted Values: default value is |
Table A-5 compiles the parameters for Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the non-controlled mode.
Table A-5 Policy Distribution Client Configuration, Non-controlled Mode
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.runtime.pd.client.policyDistributionMode |
Specifies the mode of policy distribution. Non-controlled distribution is when the Security Module periodically retrieves policy data from a policy store (or from a component that serves as an intermediary between the two). Optional Accepted Value: non-controlled (default value) |
Policy Distribution Mode |
Table A-4 compiles the parameters for the Policy Distribution Component client configuration when the PDP is running in either a JEE or a JSE environment and is configured to distribute data in mixed mode. Mixed mode is a distribution combination of controlled-pull and uncontrolled mode.
Table A-6 Policy Distribution Client Configuration, Mixed Mode
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.runtime.pd.client.policyDistributionMode |
Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution. Mandatory Accepted Value: mixed |
Policy Distribution Mode |
|
oracle.security.jps.runtime.pd.client.sm_name |
Defines the name of the Security Module. Mandatory Accepted Value: the name of the Security Module |
SM Name |
|
oracle.security.jps.runtime.pd.client.localpolicy.work_folder |
Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where Optional Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges. |
Local Policy Work Folder |
|
oracle.security.jps.runtime.pd.client.incrementalDistribution |
Defines whether the distribution is incremental or flush. Incremental distribution is when new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to cleanup locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store. Optional Accepted Values:
|
Incremental Distribution |
|
oracle.security.jps.runtime.policyDistributionWaitTime |
If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires. Optional Accepted Value: time in seconds (default value is 60) |
Wait Distribution Time (seconds) |
|
oracle.security.jps.pd.client.PollingTimerEnabled |
Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling for environment when policies are not expected to be modified. Optional Accepted Values:
|
Polling Timer |
|
oracle.security.jps.pd.client.PollingTimerInterval |
Defines the interval of time in which the Policy Distribution Component will check for policy data changes. Optional Accepted Value: time in seconds (default value of 600) |
Polling Timer Interval |
|
oracle.security.jps.runtime.pd.client.localpolicy.JCEProviderName |
Defines which JCE provider will be used. It is optional and case sensitive. Optional Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used. |
N/A |
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherKeyLength |
Defines the key length used for the Cipher class available from the specified JCE provider. Optional Accepted Values: 128, 192, 256; default value is 128. |
N/A |
|
oracle.security.jps.runtime.pd.client.localpolicy.CipherModePadding |
Defines a cipher algorithm name, mode and padding schema used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be: algorithm name/mode/padding Optional Accepted Values: default value is |
N/A |
|
In Mixed Mode, the following nine properties should be configured for the Policy Store and not the Security Module. See Section A.4, "Policy Store Service Configuration." |
||
|
oracle.security.jps.ldap.root.name |
Defines the top (root) entry of the LDAP policy store directory information tree (DIT). Mandatory Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT) |
LDAP Root Name |
|
oracle.security.jps.farm.name |
Defines the RDN format of the domain node in the LDAP policy store. Mandatory Accepted Value: name of the domain |
Farm Name |
|
jdbc.url |
Takes a URL that points to the database. Mandatory (if using Java Database Connectivity API to connect to policy store) Accepted Value: URL |
JDBC URL |
|
jdbc.driver |
Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database. Mandatory Accepted Value: driver |
JDBC Driver |
|
datasource.jndi.name |
The JNDI name of the JDBC data source instance. The instance may correspond to a single source or multi-source datasource. Valid in only JEE applications. Applies only to database stores. Mandatory Accepted Value: name of JNDI data source; for example, |
Datasource JNDI Name |
|
security.principal |
The name of the user with access rights to the database. Mandatory Accepted Value: Database user name |
Username |
|
security.credential |
The password of the user with access rights to the database. Mandatory Accepted Value: Password associated with the database user |
Password |
|
bootstrap.security.principal.key |
The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store. Mandatory Accepted Value: CSF credential key |
Bootstrap Security Principal Key |
|
bootstrap.security.principal.map |
The map for the password credentials to access the policy store. Credentials are stored in the CSF store. Mandatory Accepted Value: name of the CSF credential map |
Bootstrap Security Principal Map |
This section covers the configurations for the various types of Security Modules and their proxy clients.
Section A.2.3, "Web Services Security Module on WebLogic Server"
Section A.2.6, "WebLogic Server Security Module Discovery Mode"
Table A-7 compiles the parameters to configure the Java Security Module embedded in either a JSE or a JEE container.
Table A-7 Java Security Module Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.policystore.rolemember.cache.type |
Defines the role member cache type. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values
|
Rolemember Cache Type |
|
oracle.security.jps.policystore.rolemember.cache.strategy |
Defines the type of strategy used in the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values
|
Rolemember Cache Strategy |
|
oracle.security.jps.policystore.rolemember.cache.size |
Defines the number of roles kept in the role member cache. Valid in J2EE and J2SE application. Applies to LDAP and database stores. Optional Accepted Value: number (default value is 1000) |
Rolemember Cache Size |
|
oracle.security.jps.policystore.rolemember.cache.warmup.enable |
Controls the way the Application Role membership cache is created. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values
|
Rolemember Cache Warmup Enable |
|
oracle.security.jps.policystore.policy.lazy.load.enable |
Enables or disables the policy lazy load. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values
|
Policy Lazy Load Enable |
|
oracle.security.jps.policystore.policy.cache.strategy |
Defines the type of strategy used in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Values
|
Policy Cache Strategy |
|
oracle.security.jps.policystore.policy.cache.size |
Defines the number of permissions kept in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Value: number (default value is 1000) |
Policy Cache Size |
|
oracle.security.jps.policystore.cache.updateable |
Defines whether the policy cache is incrementally updated for management operations on policy data. Optional Accepted Values
|
Policy Cache Updatable |
|
oracle.security.jps.policystore.refresh.enable |
Enables or disables the policy store refresh. If this property is set, Optional Accepted Values:
|
Refresh Enable |
|
oracle.security.jps.policystore.refresh.purge.timeout |
Defines the time in milliseconds after which the policy store cache is purged. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Value: time in milliseconds; default value is 43200000 which equals 12 hours |
Refresh Purge Timeout (milliseconds) |
|
oracle.security.jps.ldap.policystore.refresh.interval |
Defines the interval of time in which the policy store is polled for changes. Valid in J2EE and J2SE applications. Applies to LDAP and database stores. Optional Accepted Value: time in milliseconds; default value is 600000 which equals 10 minutes |
Refresh Purge Interval (milliseconds) |
|
oracle.security.jps.pdp.missingAppPolicyQueryTTL |
Defines the interval of time to avoid frequently querying a non-exist Application ( Optional Accepted Value: time to live in milliseconds (default value is 60000) |
Missing App Policy Query TTL |
|
oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled |
Specifies whether the authorization cache should be enabled. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Values
|
Decision Cache Enabled |
|
oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity |
Defines the maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Value: number (default value is 500) |
Decision Cache Eviction Capacity |
|
oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage |
Defines the percentage of sessions to drop when the eviction capacity is reached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Value: number (default value is 10) |
Decision Cache Eviction Percentage |
|
oracle.security.jps.pdp.AuthorizationDecisionCacheTTL |
Defines the number of seconds during which session data is cached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores. Optional Accepted Value: time in seconds (default value is 60) |
Decision Cache TTL (seconds) |
|
oracle.security.jps.pdp.anonymousrole.enable |
Specifies whether anonymous role has to be added to anonymous subject for policy matching. Optional Accepted Values
|
Anonymous Role Enable |
|
oracle.security.jps.pdp.authenticatedrole.enable |
Specifies whether authenticated role has to be added to authenticated subject for policy matching. Optional Accepted Values
|
Authenticated Role Enable |
|
oracle.security.jps.pdp.ComputeAppRolesOnceOnBulkAtz |
Specifies whether Application Roles should be computed only once within a single bulk authorization call. For example, if a client calls the Optional Accepted Values
|
|
|
oracle.security.jps.pdp.AuthorizationPerUserDecisionCacheSize |
Specifies the maximum number of authorization decisions cached for each Subject; if the second level decision cache size reaches this size, decisions are evicted from the cache. Optional Accepted Value: number of decisions (default value is 1000) |
Table A-8 compiles the parameters to configure the Web Services Security Module embedded in either a JSE or a JEE container.
Table A-8 Web Services Security Module Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber |
Defines the port on which the Web Services Security Module listens. Mandatory Accepted Value: port number |
|
|
oracle.security.jps.pdp.wssm.WSServiceRegistryHost |
Defines the name of the server on which the Web Services Security Module is running. Optional Accepted Value: server name (default value is localhost) |
|
|
oracle.security.jps.pdp.wssm.Protocol |
Defines the transport protocol used between the Policy Distribution Component client and server. Optional Accepted Values
|
|
|
oracle.security.jps.pdp.sm.IdentityCacheEnabled |
Specifies whether the identity cache is being used. If not set, identity cache is used by default. Optional Accepted Value: true/false |
|
|
oracle.security.jps.pdp.sm.IdentityMaxCacheSize |
Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed. Optional Accepted Value: number |
|
|
oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage |
Specifies percentage of identities that must be evicted when cache has reached the maximum size. Optional Accepted Value: number indicating percentage |
|
|
oracle.security.jps.pdp.sm.IdentityCachedEntryTTL |
Specifies time-to-live of an identity cache record. Optional Accepted Value: time in seconds |
|
|
oracle.security.jps.pdp.wssm.responseContext |
Specifies whether to merge data from many AppContext responses into a single AppContext response. Optional Accepted Values
|
|
|
oracle.security.jps.pdp.wssm.ssl.identityKeyStoreFileName |
Defines the name of the Identity Key Store file where client certificates are stored for the Web Services Security Module. Used for SSL communications between the remote client and the Web Services Security Module. Optional Accepted Value: name of the Identity Key Store file |
|
|
oracle.security.jps.pdp.wssm.ssl.trustKeyStoreFileName |
Defines the name of the Trust Key Store file in which CA certificates are stored. Used for SSL communications between the remote client and the Web Services Security Module. Optional Accepted Value: name of the Trust Key Store file |
|
|
oracle.security.jps.pdp.wssm.ssl.identityKeyStoreKeyAlias |
Specifies the Identity Key alias used to identify the Web Services Security Module client certificate used for SSL communication between the Web Services Security Module and the remote client.Accepted value: Identity key alias Optional Accepted Value: Identity Key alias |
|
|
oracle.security.jps.pdp.wssm.WSLoggingSoapHandlerEnabled |
Enables the Web Services Security Module's EnvelopLoggingSOAPHandler, the web service SOAP message handler for logging. Optional Accepted Values
|
Table A-9 compiles the parameters to configure the Web Services Security Module on a WebLogic Server.
Table A-9 Web Services Security Module on WebLogic Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.pdp.wssm.WSServiceRegistryPortNumber |
Defines the port on which the Web Services Security Module listens. Mandatory Accepted Value: port number |
|
|
oracle.security.jps.pdp.wssm.WSServiceRegistryHost |
Defines the name of the server on which the Web Services Security Module is running. Optional Accepted Value: server name (default value is localhost) |
|
|
oracle.security.jps.pdp.wssm.Protocol |
Defines the transport protocol used between the Policy Distribution Component client and server. Optional Accepted Values
|
|
|
oracle.security.jps.pdp.wssm.WSServiceRegistryContextName |
Specifies the context name for the Web service deployed on the WebLogic Server cache is being used. If not set, no identity cache is used by default. Mandatory Accepted Value: Ssmws |
|
|
oracle.security.jps.pdp.sm.IdentityCacheEnabled |
Specifies whether the identity cache is enabled. Enabled by default. Optional Accepted Value: true (default)/false |
|
|
oracle.security.jps.pdp.sm.IdentityMaxCacheSize |
Specifies the maximum size of the identity cache. Optional Accepted Value: number indicating size; default value is 20000 |
|
|
oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage |
Specifies the percentage of identities that will be removed when the identity cache has reached its maximum size. Optional Accepted Value: 20 percent |
|
|
oracle.security.jps.pdp.sm.IdentityCachedEntryTTL |
Specifies the time-to-live (TTL) in seconds for an identity record in the identity cache. Optional Accepted Value: 3600 seconds (default) |
|
|
oracle.security.jps.pdp.wssm.responseContext |
Specifies whether the AppContext is returned as a single response or a merged set of data from all the AppContext responses. Optional Accepted Value: Merged/Unmerged (default) |
|
|
oracle.security.jps.pdp.wssm.WSLoggingSoapHandlerEnabled |
Enables the Web Services Security Module's EnvelopLoggingSOAPHandler, the web service SOAP message handler for logging. Optional Accepted Values
|
Table A-10 compiles the parameters to configure the RMI Security Module embedded in either a JSE or a JEE container.
Note:
This configuration is for a standalone deployment.
Table A-10 RMI Security Module Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.pdp.rmism.RMIRegistryPortNumber |
Defines the port on which the RMI Security Module listens to the RMI server. Mandatory Accepted Value: port number. |
|
|
oracle.security.jps.pdp.rmism.UseSSL |
Defines whether the SSL protocol is used for secure communication between the RMI Security Module and RMI server. Optional Accepted Values
|
|
|
oracle.security.jps.pdp.sm.IdentityCacheEnabled |
Specifies whether the identity cache is being used. If not set, no identity cache is used by default. Optional Accepted Value: true/false |
|
|
oracle.security.jps.pdp.sm.IdentityMaxCacheSize |
Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed. Optional Accepted Value: number |
|
|
oracle.security.jps.pdp.sm.IdentityCacheEvictionPercentage |
Specifies percentage of identities that must be evicted when cache has reached the maximum size. Optional Accepted Value: number representing percentage |
|
|
oracle.security.jps.pdp.sm.IdentityCachedEntryTTL |
Specifies the time-to-live of an identity cache record. Optional Accepted Value: time in seconds |
Table A-11 compiles the parameters to configure the WebLogic Server (WLS) Security Module embedded in a JEE container. These parameters are used only when the WLS Security Module is configured to be used as a PEP.
See Section 1.3.2, "The Policy Decision Point and the Policy Enforcement Point" for contextual information.
See Section 9.4, "Securing WebLogic Server Resources" to enable the WebLogic Server Security Module.
Table A-11 WebLogic Server Security Module Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
UndefinedApplicationEffect |
Specifies the effect (GRANT, DENY) that the provider must return if an application is not defined in the policy store. Optional Accepted Values
|
Set in the WebLogic Server Administration Console; values are saved to config.xml in the WebLogic domain |
|
NoApplicablePolicyEffect |
Specifies the effect that the provider has to return if no applicable policies have been found. Optional Accepted Values
|
Set in the WebLogic Server Administration Console; values are saved to config.xml in the WebLogic domain |
Table A-12 compiles the parameters to enable Discovery Mode. See Section 9.4.2, "Discovering WebLogic Server Resources" for more information.
Table A-12 WebLogic Server Discovery Mode Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.discoveryMode |
By default, Discovery Mode is off. Optional Accepted Values
|
Only in |
|
oracle.security.jps.discoveredPolicyDir |
Specifies the absolute path to the directory in which discovery results are defined. Optional (Mandatory when Discovery Mode is enabled) Accepted Value: absolute path to directory |
Only in |
|
oracle.security.jps.discoveredResourceIsHierarchical |
Specifies whether the resource is hierarchical. Optional Accepted Values
|
Only in |
|
oracle.security.jps.discoveredResourceNameDelimiter |
Specifies the delimiter to separate the resource name. Optional (Mandatory when resource is defined as Hierarchical) Accepted Value: any valid resource name delimiter; when used with WLS SM and OSB SM, the value should be "/" |
Only in |
This section contains information regarding configuration for the PDP Proxy Client available for the RMI and Web Services Security Module.
Table A-13 compiles the parameters to configure the Web Services Security Module PDP Proxy Client.
Table A-13 Web Services Proxy Client Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.pdp.PDPTransport |
Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server. Mandatory Accepted Values: no default value; XACML is always available in the Web Services Security Module.
|
|
|
oracle.security.jps.pdp.proxy.PDPAddress |
Specifies the host and port number of either the Web Services Security Module. For example, Optional Accepted Value: a comma separated list of URIs (if more then one address is specified the first is considered the primary, and the rest as backups) |
|
|
oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs |
Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding. Optional Accepted Value: time in milliseconds (default value is 10000) |
|
|
oracle.security.jps.pdp.proxy.FailureRetryCount |
Specifies the number of attempts to make before attempting the alternate failover server. Optional Accepted Value: number (default value is 3) |
|
|
oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs |
Specifies the interval of time after which a failed primary server is tried again for failover. Optional Accepted Value: time in milliseconds (default value is 180000) |
|
|
oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs |
Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed. Optional Accepted Value: time in milliseconds (default value is 60) |
|
|
oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreFileName |
Defines the name of the Identity Key Store file where client certificates for the Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module. Optional Accepted Value: name of the Identity Key Store file |
|
|
oracle.security.jps.pdp.proxy.wssm.ssl.trustKeyStoreFileName |
Defines the name of the Trust Key Store file where CA certificates for Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module. Optional Accepted Value: the name of the Trust Key Store file. |
|
|
oracle.security.jps.pdp.proxy.wssm.ssl.identityKeyStoreKeyAlias |
Specifies the alias name of the Web Services client certificate. Used for SSL communication between a client and the Web Services Security Module. Optional Accepted Value: alias of the identity key store (if only one alias exists in the identity key store, no need to specify this value) |
|
|
oracle.security.jps.pdp.proxy.wssm.protocol |
Defines the transport protocol used between the Policy Distribution Component client and server. Optional Accepted Values
|
Table A-14 compiles the parameters to configure the RMI Security Module PDP Proxy Client.
Table A-14 PDP RMI Proxy Client Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
oracle.security.jps.pdp.PDPTransport |
Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server. Mandatory Accepted Values: no default value; XACML is always available in the RMI Security Module.
|
|
|
oracle.security.jps.pdp.proxy.PDPAddress |
Specifies the host and port number of the RMI Security Module. For example, Mandatory Accepted Value: a comma separated list of URIs (if more then one address is specified the first is conidered the primary, and the rest as backups) |
|
|
oracle.security.jps.pdp.proxy.RequestTimeoutMilliSecs |
Defines the interval of time in which an authorization request times out when the remote PDP (RMI or Web Services Security Module) is not responding. Optional Accepted Value: time in milliseconds (default value is 10000) |
|
|
oracle.security.jps.pdp.proxy.FailureRetryCount |
Specifies the number of attempts to make before attempting the alternate failover server. Optional Accepted Value: number (default value is 3) |
|
|
oracle.security.jps.pdp.proxy.FailbackTimeoutMilliSecs |
Specifies the interval of time after which a failed primary server is tried again for failover. Optional Accepted Value: time in milliseconds (default value is 180000) |
|
|
oracle.security.jps.pdp.proxy.SynchronizationIntervalMilliSecs |
Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed. Optional Accepted Value: time in milliseconds (default value is 60) |
Table A-15 compiles the configuration parameters for the Policy Store Service.
Table A-15 Policy Store Service Configuration Parameters
| Parameter Name | Information | Console Name |
|---|---|---|
|
ldap.url |
Defines the URL of the LDAP policy store. Valid in JEE and JSE applications and only applies to LDAP stores. Mandatory Accepted Value: URI of the LDAP policy store in the format |
|
|
max.search.filter.length |
Defines the maximum length of a search filter. Mandatory Accepted Value: integer defining the maximum length of a search filter; for example, 1024 |
|
|
oracle.security.jps.ldap.root.name |
Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: root name of jps context; for example, |
|
|
oracle.security.jps.farm.name |
Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: farm name of the domain; for example, |
|
|
oracle.security.jps.policystore.resourcetypeenforcementmode |
Controls the throwing of exceptions if any of the following checks fail:
Valid in JEE and JSE applications. Applies to LDAP and database stores. Optional Accepted Values
|
|
|
bootstrap.security.principal.key |
Defines the key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: the key name of the credential; for example, |
|
|
bootstrap.security.principal.map |
Defines the map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores. Mandatory Accepted Value: map name of the credential; for example, |
|
|
jdbc.driver |
Defines the name of the JDBC driver. Mandatory Accepted Value: name of the JDBC driver. |
|
|
jdbc.url |
Defines the JDBC driver connection URL. Mandatory Accepted Value: the JDBC driver connection URL. |