The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail.
For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Security Guide.
To use the Infrastructure Security custom WLST commands on WebLogic Server, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide. To use the applicable Infrastructure Security custom WLST commands on a WebSphere Server, see the 3rd Party Integration Guide.
WLST security commands are divided into the following categories:
Table 4-1 WLST Command Categories
- View and manage audit policies and the audit repository configuration.
- View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components.
- View and manage configuration for Oracle Access Management Identity Federation.
- Manage domain and credential domain stores and migrate the domain policy store.
- Manage Access Manager-related components, such as authorization providers, identity asserters, and SSO providers.
Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.
Use this command... | To... | Use with WLST... |
---|---|---|
getNonJavaEEAuditMBeanName | Display the MBean name for a non-Java EE component. | Online |
getAuditPolicy | Display audit policy settings. | Online |
setAuditPolicy | Update audit policy settings. | Online |
getAuditRepository | Display audit repository settings. | Online |
setAuditRepository | Update audit repository settings. | Online |
listAuditEvents | List audit events for one or all components. | Online |
exportAuditConfig | Export a component's audit configuration. | Online |
importAuditConfig | Import a component's audit configuration. | Online |
For more information, see the Oracle Fusion Middleware Security Guide.
Online command that displays the MBean name for non-Java EE components.
This command displays the MBean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit MBean is running. The MBean name is a required parameter to other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
svrName | Specifies the name of the Oracle WebLogic Server. |
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component MBean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
getAuditPolicy([mbeanName, componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
componentType | Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in |
The following command displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0
The following command displays the audit settings for MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
This command configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component MBean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers], [removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
filterPreset | Specifies the filter preset to be changed. |
addSpecialUsers | Specifies the special users to be added. |
removeSpecialUsers | Specifies the special users to be removed. |
addCustomEvents | Specifies the custom events to be added. |
removeCustomEvents | Specifies the custom events to be removed. |
componentType | Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified. |
maxDirSize | Specifies the maximum size of the log directory. |
maxFileSize | Specifies the maximum size of the log file. |
andCriteria | Specifies the |
orCriteria | Specifies the |
componentEventsFile | Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create or update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to 'Custom'. |
The following interactive command sets the audit policy to the None level, adds users user2 and user3, and removes user1 from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='None',addSpecialUsers='user2,user3',removeSpecialUsers='user1')
wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0
The following interactive command adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following interactive command sets the audit policy to the Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0
The following command sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
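Because getAuditPolicy() prints its settings rather than returning them, checking a domain's audit policy against an agreed baseline is normally done by capturing that output and parsing it. The following added example (not Oracle's code and not part of this reference) parses the getAuditPolicy() output layout shown above, computes the drift against a baseline policy, and renders the single setAuditPolicy() call that removes the drift. It assumes the output was first captured to a text file (for instance with the WLST redirect() command) and that user and event names contain no commas or single quotes; the sample output and baseline are constructed.

```python
"""Audit policy drift check for the OPSS audit WLST commands.

Added example, not Oracle's code. It assumes the output of getAuditPolicy()
was captured to a text file (for example with the WLST redirect() command)
in the line layout shown in this reference.
"""
from dataclasses import dataclass, field

# Constructed sample: getAuditPolicy() output after a custom filter was set.
# Lines without a ':' (WLST chatter such as "Already in Domain Runtime Tree")
# are ignored by the parser.
SAMPLE_OUTPUT = """\
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
"""


@dataclass
class AuditPolicy:
    filter_preset: str = "None"
    special_users: set = field(default_factory=set)
    custom_events: set = field(default_factory=set)
    max_file_size: int = 0
    max_dir_size: int = 0


def _csv(value):
    """Split a comma-separated list such as 'user2,user3' into a set."""
    return {item.strip() for item in value.split(",") if item.strip()}


def parse_audit_policy(text):
    """Parse captured getAuditPolicy() output into an AuditPolicy.

    Only the first ':' separates the key from the value: custom event names
    such as JPS:CheckAuthorization contain a colon themselves.
    """
    policy = AuditPolicy()
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "FilterPreset":
            policy.filter_preset = value
        elif key == "Special Users":
            policy.special_users = _csv(value)
        elif key == "Custom Events":
            policy.custom_events = _csv(value)
        elif key == "Max Log File Size":
            policy.max_file_size = int(value)
        elif key == "Max Log Dir Size":
            policy.max_dir_size = int(value)
    return policy


def plan_set_audit_policy(current, baseline):
    """Return the keyword arguments setAuditPolicy() needs to move 'current'
    to 'baseline'. An empty dict means there is no drift. Only parameters
    documented in this reference are emitted."""
    kwargs = {}
    if current.filter_preset != baseline.filter_preset:
        kwargs["filterPreset"] = baseline.filter_preset
    for name, have, want in (("SpecialUsers", current.special_users, baseline.special_users),
                             ("CustomEvents", current.custom_events, baseline.custom_events)):
        to_add = sorted(want - have)
        to_remove = sorted(have - want)
        if to_add:
            kwargs["add" + name] = ",".join(to_add)
        if to_remove:
            kwargs["remove" + name] = ",".join(to_remove)
    if current.max_dir_size != baseline.max_dir_size:
        kwargs["maxDirSize"] = str(baseline.max_dir_size)
    if current.max_file_size != baseline.max_file_size:
        kwargs["maxFileSize"] = str(baseline.max_file_size)
    return kwargs


def render_wlst_call(kwargs):
    """Render the call the way this reference quotes it; None if no drift."""
    if not kwargs:
        return None
    for value in kwargs.values():
        if "'" in value:  # would break the single-quoted WLST literal
            raise ValueError("value contains a quote: %r" % value)
    args = ", ".join("%s='%s'" % (k, v) for k, v in kwargs.items())
    return "setAuditPolicy(%s)" % args


if __name__ == "__main__":
    # Constructed baseline: keep the custom filter, audit user2 and user3
    # instead of user1, and also record UserLogin events.
    baseline = AuditPolicy(filter_preset="Custom",
                           special_users={"user2", "user3"},
                           custom_events={"JPS:CheckAuthorization", "UserLogin"},
                           max_file_size=104857600, max_dir_size=0)
    current = parse_audit_policy(SAMPLE_OUTPUT)
    print(render_wlst_call(plan_set_audit_policy(current, baseline)))
```

Run against the captured file of each managed server, an empty plan means the audit policy matches the baseline; a non-empty plan is the exact command to review and paste into WLST, which keeps the change to the documented add/remove parameters instead of rewriting the whole policy.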
Online command that displays audit repository settings.
This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). It also displays the database configuration if the repository is a database type.
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB],[dataSourceName],[interval])
Argument | Definition |
---|---|
switchToDB | If |
dataSourceName | Specifies the name of the data source. |
interval | Specifies the interval at which the audit loader kicks off. |
The following command switches from a file repository to a database repository:
wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true');
Already in Domain Runtime Tree
Audit Repository Information updated
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB
The following interactive command changes the audit repository to a specific database and sets the audit loader interval to 14 seconds:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the MBean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
listAuditEvents([mbeanName],[componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component MBean. |
componentType | Specifies the component type to limit the list to all events of the component type. |
The following command displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message
The following command displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following command displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the MBean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
exportAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name to which the audit configuration should be exported. |
componentType | Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in |
The following interactive command exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command exports the audit configuration for a Java EE component; no MBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component MBean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the MBean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
importAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name from which the audit configuration should be imported. |
componentType | Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in |
The following interactive command imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command imports the audit configuration from a file; no MBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.
Table 4-3 WLST Commands for SSL Configuration
Use this command... | To... | Use with WLST... |
---|---|---|
addCertificateRequest | Generate a certificate signing request in an Oracle wallet. | Online |
addSelfSignedCertificate | Add a self-signed certificate to an Oracle wallet. | Online |
changeKeyStorePassword | Change the password to a JKS keystore. | Online |
changeWalletPassword | Change the password to an Oracle wallet. | Online |
configureSSL | Set the SSL attributes for a component listener. | Online |
createKeyStore | Create a JKS keystore. | Online |
createWallet | Create an Oracle wallet. | Online |
deleteKeyStore | Delete a JKS keystore. | Online |
deleteWallet | Delete an Oracle wallet. | Online |
exportKeyStore | Export a JKS keystore to a file. | Online |
exportKeyStoreObject | Export an object from a JKS keystore to a file. | Online |
exportWallet | Export an Oracle wallet to a file. | Online |
exportWalletObject | Export an object from an Oracle wallet to a file. | Online |
generateKey | Generate a key pair in a JKS keystore. | Online |
getKeyStoreObject | Display a certificate or other object present in a JKS keystore. | Online |
getSSL | Display the SSL attributes for a component listener. | Online |
getWalletObject | Display a certificate or other object present in an Oracle wallet. | Online |
importKeyStore | Import a JKS keystore from a file. | Online |
importKeyStoreObject | Import a certificate or other object from a file to a JKS keystore. | Online |
importWallet | Import an Oracle wallet from a file. | Online |
importWalletObject | Import a certificate or other object from a file to an Oracle wallet. | Online |
listKeyStoreObjects | List all objects present in a JKS keystore. | Online |
listKeyStores | List all JKS keystores configured for a component instance. | Online |
listWalletObjects | List all objects present in an Oracle wallet. | Online |
listWallets | List all Oracle wallets configured for a component instance. | Online |
removeKeyStoreObject | Remove a certificate or other object from a component instance's JKS keystore. | Online |
removeWalletObject | Remove a certificate or other object from a component instance's Oracle wallet. | Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide.
Online command that generates a certificate signing request in an Oracle wallet.
This command generates a certificate signing request in Base64-encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.
addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command generates a certificate signing request with DN cn=www.example.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.example.com', '1024')
Online command that adds a self-signed certificate.
This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.
addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
The following command adds a self-signed certificate with DN cn=www.example.com and key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.example.com', '1024')
Online command that changes the keystore password.
This command changes the password of a Java keystore (JKS) file for an Oracle Virtual Directory instance.
changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the file name of the keystore. |
currPassword | Specifies the current keystore password. |
newPassword | Specifies the new keystore password. |
Online command that changes the password of an Oracle wallet.
This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.
changeWalletPassword(instName, compName, compType, walletName, currPassword, newPassword)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the file name of the wallet. |
currPassword | Specifies the current wallet password. |
newPassword | Specifies the new wallet password. |
Online command that sets SSL attributes.
This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
configureSSL(instName, compName, compType, listener, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ovd', 'ohs', and 'webcache'. |
listener | Specifies the name of the component listener to be configured for SSL. |
filePath | Specifies the absolute path of the properties file containing the SSL attributes to set. |
The following command configures the SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')
The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
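The fallback described above cuts both ways: a properties file whose attribute names are misspelled contains, from configureSSL's point of view, no SSL attributes, so the listener silently keeps its defaults. The following added example (not Oracle's code and not part of this reference) parses a name=value properties file and reports entries that would not be applied, so the file can be checked before its path is passed to configureSSL(). The attribute names in KNOWN_ATTRIBUTES are an assumption taken from the Administrator's Guide chapter cited above, not from this page, and the sample file is constructed.

```python
"""Pre-check for the properties file passed to configureSSL().

Added example, not Oracle's code. configureSSL() falls back to default
attribute values when the file contains no SSL attributes, so a misspelled
attribute name is silently replaced by the default. The attribute names in
KNOWN_ATTRIBUTES are an assumption taken from the Administrator's Guide
chapter this reference cites; they are not listed on this page.
"""

# Assumed attribute names (not from this page); extend for your component.
KNOWN_ATTRIBUTES = {"SSLEnabled", "AuthenticationType", "SSLVersions",
                    "Ciphers", "KeyStore", "TrustStore"}

# Constructed sample file. 'SSLEnable' is a deliberate misspelling of
# 'SSLEnabled': the listener would keep its default instead of this value.
SAMPLE_PROPERTIES = """\
# listener1 SSL settings (constructed sample)
SSLEnable=true
AuthenticationType = Server
SSLVersions=TLSv1.2
KeyStore=wallet1
"""


def parse_properties(text):
    """Parse name=value lines. '#' or '!' in the first column starts a comment,
    whitespace around '=' is ignored and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            raise ValueError("malformed line (no '='): %r" % raw)
        name, value = line.split("=", 1)
        name = name.strip()
        if name in props:
            raise ValueError("attribute %r set twice" % name)
        props[name] = value.strip()
    return props


def lint_ssl_properties(props, known=KNOWN_ATTRIBUTES):
    """Return findings as strings; an empty list means every entry is a
    recognised SSL attribute with a value."""
    findings = []
    for name in sorted(set(props) - set(known)):
        findings.append("%s: not a known SSL attribute, the default would be used instead" % name)
    if not set(props) & set(known):
        findings.append("no known SSL attribute present: configureSSL would apply defaults only")
    for name, value in sorted(props.items()):
        if value == "":
            findings.append("%s: empty value" % name)
    return findings


def lint_file(path):
    """Lint a properties file on disk before passing its path to configureSSL()."""
    with open(path, "r", encoding="utf-8") as fh:
        return lint_ssl_properties(parse_properties(fh.read()))


if __name__ == "__main__":
    for finding in lint_ssl_properties(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```

The parser deliberately accepts only the '=' separator and no line continuations; if your files use the other java.util.Properties forms, extend parse_properties rather than loosening the check, since an entry the linter cannot see is exactly the kind that ends up ignored.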
Online command that creates a JKS keystore.
This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createKeyStore(instName, compName, compType, keystoreName, password)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the file name of the keystore file to be created. |
password | Specifies the keystore password. |
Online command that creates an Oracle wallet.
This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createWallet(instName, compName, compType, walletName, password)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file to be created. |
password | Specifies the wallet password. |
The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')
The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')
Online command that deletes a keystore.
deleteKeyStore(instName, compName, compType, keystoreName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file to delete. |
Online command that deletes an Oracle wallet.
This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
deleteWallet(instName, compName, compType, walletName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file to be deleted. |
Online command that exports the keystore to a file.
This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported file name is the same as the keystore name.
exportKeyStore(instName, compName, compType, keystoreName, password, path)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
path | Specifies the absolute path of the directory under which the keystore is exported. |
Online command that exports an object from a keystore to a file.
This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. The certificate signing request is generated before exporting the object. The alias specifies the object to be exported.
exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
path | Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
alias | Specifies the alias of the keystore object to be exported. |
The following command generates and exports a certificate signing request from the key pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')
The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')
The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')
Online command that exports an Oracle wallet.
This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to one or more files under the given directory. If the exported wallet is an auto-login-only wallet, the file name is 'cwallet.sso'. If it is a password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'.
exportWallet(instName, compName, compType, walletName, password, path)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
path | Specifies the absolute path of the directory under which the wallet is exported. |
The following command exports auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to file cwallet.sso under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')
The following command exports password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')
Online command that exports a certificate or other wallet object to a file.
This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The DN indicates the object to be exported.
exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
path | Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
DN | Specifies the Distinguished Name of the wallet object being exported. |
The following command exports a certificate signing request with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.example.com')
The following command exports a certificate with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.example.com')
The following command exports a trusted certificate with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.example.com')
The following command exports a certificate chain with DN cn=www.example.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.example.com')
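Both exportKeyStoreObject and exportWalletObject write the object to a base64.txt file that is then handed to a CA or imported into another keystore or wallet, so it is worth confirming that the file is intact and refers to the intended object before it leaves the host. The following added example (not Oracle's code and not part of this reference) decodes such a file, checks that the outer DER length matches the decoded size (which catches truncated copies and appended junk) and returns a SHA-256 fingerprint to compare with the object in the source store. It assumes the file holds one Base64-encoded DER object, with or without PEM armour lines; the sample object is a constructed minimal DER SEQUENCE, not a real certificate or request.

```python
"""Sanity check of the base64.txt file written by exportKeyStoreObject() or
exportWalletObject() before it is sent to a CA or imported into another store.

Added example, not Oracle's code. It assumes the file holds a single
Base64-encoded DER object (this reference describes requests as Base64
encoded PKCS#10; X.509 certificates are DER as well), with or without PEM
'-----BEGIN/END-----' armour lines.
"""
import base64
import hashlib

# Constructed sample: a minimal DER SEQUENCE { INTEGER 1, INTEGER 2 }, not a
# real certificate, wrapped in PEM armour the way a base64.txt might be.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
SAMPLE_FILE = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(SAMPLE_DER).decode("ascii")
               + "\n-----END CERTIFICATE-----\n")
# The same object with its last byte lost, as a truncated copy would look.
TRUNCATED_FILE = base64.b64encode(SAMPLE_DER[:-1]).decode("ascii") + "\n"


def decode_base64_file(text):
    """Drop PEM armour lines, join the remaining lines and Base64-decode them
    strictly (validate=True rejects characters outside the alphabet)."""
    body = "".join(line.strip() for line in text.splitlines()
                   if not line.startswith("-----"))
    if not body:
        raise ValueError("no Base64 body found")
    return base64.b64decode(body, validate=True)


def der_outer_length(der):
    """Return (content_length, header_length) of the outer DER SEQUENCE.
    Handles short-form (< 0x80) and long-form (0x81..0x84) lengths."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("object does not start with a DER SEQUENCE (0x30)")
    first = der[1]
    if first < 0x80:
        return first, 2
    num_bytes = first & 0x7F
    if num_bytes == 0 or num_bytes > 4 or len(der) < 2 + num_bytes:
        raise ValueError("invalid long-form length")
    return int.from_bytes(der[2:2 + num_bytes], "big"), 2 + num_bytes


def inspect_exported_object(text):
    """Decode the file, check that the DER framing matches the blob size
    (catches truncation and appended junk) and return its size and a
    SHA-256 fingerprint to compare against the object in the source store."""
    der = decode_base64_file(text)
    content_len, header_len = der_outer_length(der)
    if header_len + content_len != len(der):
        raise ValueError("DER length mismatch: declared %d bytes, file has %d"
                         % (header_len + content_len, len(der)))
    digest = hashlib.sha256(der).hexdigest().upper()
    return {"size": len(der),
            "sha256": ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))}


if __name__ == "__main__":
    print(inspect_exported_object(SAMPLE_FILE))
```

The fingerprint is over the DER bytes, so for a certificate it is the same value a standard certificate viewer reports as the SHA-256 fingerprint and can be compared with what getWalletObject or getKeyStoreObject shows for the source entry; the framing check is intentionally minimal and does not parse the object's fields.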
Online command that generates a key pair in a Java keystore.
This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated.
generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore. |
password | Specifies the password of the keystore. |
DN | Specifies the Distinguished Name of the key pair entry. |
keySize | Specifies the key size in bits. |
alias | Specifies the alias of the key pair entry in the keystore. |
algorithm | Specifies the key algorithm. Valid value is 'RSA'. |
The following command generates a key pair with DN cn=www.example.com, key size 1024, algorithm RSA and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.example.com', '1024', 'mykey', 'RSA')
The following command is the same as above, except it does not explicitly specify the key algorithm:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.example.com', '1024', 'mykey')
Online command that shows details about a keystore object.
This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.
getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
index | Specifies the index number of the keystore object as returned by the listKeyStoreObjects command. |
The following command shows a trusted certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')
The following command shows a certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')
Online command that lists the configured SSL attributes.
This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.
getSSL(instName, compName, compType, listener)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'. |
listener | Specifies the name of the component listener. |
Online command that displays information about a certificate or other object in an Oracle wallet.
This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.
getWalletObject(instName, compName, compType, walletName, password, type, index)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be displayed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
index | Specifies the index number of the wallet object as returned by the listWalletObjects command. |
The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')
The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')
The following command shows trusted certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getWalletObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')
Online command that imports a keystore from a file.
This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The component instance name must be unique.
importKeyStore(instName, compName, compType, keystoreName, password, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore being imported. This name must be unique for this component instance. |
password | Specifies the password of the keystore. |
filePath | Specifies the absolute path of the keystore file to be imported. |
Online command that imports an object from a file to a keystore.
This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory, assigning it the specified alias which must be unique in the keystore. If a certificate or certificate chain is being imported, the alias must match that of the corresponding key-pair.
importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'. |
filePath | Specifies the absolute path of the file containing the keystore object. |
alias | Specifies the alias to assign to the keystore object to be imported. |
The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The file keys.jks must already have an alias mykey for a key pair whose public key matches that in the certificate being imported:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')
The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')
Online command that imports an Oracle wallet from a file.
This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.
importWallet(instName, compName, compType, walletName, password, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet being imported. The name must be unique for the component instance. |
password | Specifies the password of the wallet. |
filePath | Specifies the absolute path of the wallet file being imported. |
The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')
The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')
Online command that imports a certificate or other object into an Oracle wallet.
This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache component or Oracle Internet Directory). When importing a certificate, use the same wallet file from which the certificate signing request was generated.
importWalletObject(instName, compName, compType, walletName, password, type, filePath)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
filePath | Specifies the absolute path of the file containing the wallet object. |
The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')
The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','/tmp/cert.txt')
The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')
Online command that lists the contents of a keystore.
This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.
listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')
The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')
Online command that lists all the keystores for a component.
This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.
listKeyStores(instName, compName, compType)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
Online command that lists all objects in an Oracle wallet.
This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
listWalletObjects(instName, compName, compType, walletName, password, type)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')
The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')
The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')
Online command that lists all wallets configured for a component instance.
This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.
listWallets(instName, compName, compType)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
Online command that removes an object from a keystore.
This command removes a certificate, a trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed if all trusted certificates are being removed (pass None for that parameter).
removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid value is 'ovd'. |
keystoreName | Specifies the name of the keystore file. |
password | Specifies the password of the keystore. |
type | Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
alias | Specifies the alias of the keystore object to be removed. |
The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','mykey')
The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')
The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedAll',None)
Online command that removes a certificate or other object from an Oracle wallet.
This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The DN identifies the object to be removed; no DN is needed when all trusted certificates are being removed.
removeWalletObject(instName, compName, compType, walletName, password, type, DN)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName | Specifies the name of the wallet file. |
password | Specifies the password of the wallet. |
type | Specifies the type of the wallet object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
DN | Specifies the Distinguished Name of the wallet object to be removed. |
The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so we pass null (denoted by None) for the DN parameter:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)
The following command removes a certificate signing request indicated by DN cn=www.example.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.example.com')
The following command removes a certificate indicated by DN cn=www.example.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.example.com')
The following command removes a trusted certificate indicated by DN cn=www.example.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.example.com')
Use the WLST security commands listed in Table 4-4 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 4-4 WLST Security Commands
Use this command... | To... | Use with WLST... |
---|---|---|
| List application stripes in policy store. | Online |
| Create a new application role. | Online |
| Remove an application role. | Online |
| Add a principal to a role. | Online |
| Remove a principal from a role. | Online |
| List all roles in an application. | Online |
| List all members in an application role. | Online |
| Create a new permission. | Online |
| Remove a permission. | Online |
| List all permissions granted to a principal. | Online |
| Remove all policies in an application. | Online |
| Migrate policies or credentials from a source repository to a target repository. | Offline |
| Obtain the list of attribute values of a credential. | Online |
| Modify the attribute values of a credential. | Online |
| Create a new credential. | Online |
| Remove a credential. | Online |
| Update bootstrap credential store. | Offline |
| Add a credential to the bootstrap credential store. | Offline |
| Export the domain encryption key to the file | Offline |
| Import the encryption key in file | Offline |
| Restore the domain encryption key as it was before the last importing. | Offline |
| Reassociate policies and credentials to an LDAP repository. | Online |
| Upgrade security data from data used with release 10.1.x to data used with release 11. | Offline |
| Create a new resource type. | Online |
| Fetch an existing resource type. | Online |
| Remove an existing resource type. | Online |
| Create a resource. | Online |
| Remove a resource. | Online |
| List resources in an application stripe. | Online |
| List actions in a resource. | Online |
| Create an entitlement. | Online |
| List an entitlement. | Online |
| Remove an entitlement. | Online |
| Add a resource to an entitlement. | Online |
| Remove a resource from an entitlement. | Online |
| List entitlements in an application stripe. | Online |
| Create an entitlement. | Online |
| Remove an entitlement. | Online |
| List an entitlement. | Online |
| List resource types in an application stripe. | Online |
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that removes an application role.
Removes an application role from the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
deleteAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that adds a principal to a role.
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
grantAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. |
Online command that removes a principal from a role.
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. |
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
listAppRoleMembers(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that creates a new permission.
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-delimited list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data. Note that java.security.AllPermission grants the principal every permission the JVM can check, so grant it only where that is intended:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that removes a permission.
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-delimited list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
listPermissions([appStripe,] principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
The following invocation lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager")
The following invocation lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that removes all policies with a given application stripe.
Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.
deleteAppPolicies(appStripe)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe whose policies are removed. This argument is required. |
Offline command that migrates identities, application-specific or system policies, a specific credential folder, or all credentials.
Migrates identities, application-specific policies, or system policies from a source repository to a target repository. Also migrates a specific credential folder or all credentials.
The kinds of repositories in which the source and target data are stored are transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP repositories must use an OVD or an OID LDAP server only). In the event of an error, the command returns a WLSTException.
The command syntax varies depending on the scope (system or application-specific or both) of the policies being migrated.
Optional arguments are enclosed in square brackets.
To migrate identities, use the following syntax:
migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])
To migrate all policies (system and application-specific, for all applications), use the following syntax:
migrateSecurityStore(type="policyStore", configFile, src, dst, [overWrite,] [preserveAppRoleGuid])
To migrate just system policies, use the following syntax:
migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])
To migrate just application-specific policies, for one application, use the following syntax:
migrateSecurityStore(type="appPolicies", configFile, src, dst, srcApp [,dstApp] [,overWrite] [,migrateIdStoreMapping] [,preserveAppRoleGuid] [,mode])
To migrate all credentials, use the following syntax:
migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])
To migrate just one credential folder, use the following syntax:
migrateSecurityStore(type="folderCred", configFile, src, dst, [srcFolder,] [dstFolder,] [srcConfigFile,] [overWrite])
Argument | Definition |
---|---|
type | Specifies the type of data migrated. To migrate identities, set it to idStore. To migrate all policies (system and application-specific, for all applications), set it to policyStore. To migrate just system policies, set it to globalPolicies. To migrate just application-specific policies, set it to appPolicies. To migrate all credentials, set it to credStore. To migrate just one credential folder, set it to folderCred. |
configFile | Specifies the location of a configuration file (jps-config.xml). |
src | Specifies the name of a jps-context in the configuration file passed to the argument configFile. |
dst | Specifies the name of another jps-context in the configuration file passed to the argument configFile. |
srcApp | Specifies the name of the source application, that is, the application whose policies are being migrated. |
dstApp | Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application. |
srcFolder | Specifies the name of the folder from which credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder. |
dstFolder | Specifies the folder to which the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder. |
srcConfigFile | Specifies the location of an alternate configuration file; it is used in the special case in which credentials are not configured in the file passed to configFile. |
overWrite | Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data. |
migrateIdStoreMapping | Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to false to exclude enterprise policies from the migration of application policies. |
dstLdifFile | Specifies the location where the LDIF file will be created. Required only if the destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the LDIF file should be imported manually, after it has been edited to account for the attributes required by your LDAP server. |
preserveAppRoleGuid | Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false by default. Set to true to preserve GUIDs; set to false to recreate GUIDs. |
mode | Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, migrating just one of the duplicated items and logging a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict. |
Note the following requirements about the passed arguments:
The file jps-config.xml
is found in the passed location.
The file jps-config.xml
includes the passed jps-contexts.
The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.
The following invocation illustrates the migration of the file-based policies of application PolicyServlet1
to file-based policies of application PolicyServlet2
, that does not stop on encountering duplicate principals or permissions, that migrates just one of duplicate items, and that logs a warning when duplicates are found:
wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies", configFile="jps-congif.xml", src="default1", dst="context2", srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")
The above invocation assumes that:
- The file jps-config.xml is located in the directory where the command is run (current directory).
- That file includes the following elements:
<serviceInstance name="policystore1.xml" provider="some.provider">
  <property name="location" value="jazn-data1.xml"/>
</serviceInstance>
<serviceInstance name="policystore2.xml" provider="some.provider">
  <property name="location" value="jazn-data2.xml"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="policystore1.xml"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="policystore2.xml"/>
  ...
</jpsContext>
- The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but are assumed to be located in the current directory.
The following invocation illustrates the migration of file-based credentials from one location to another:
wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-config.xml", src="default1", dst="context2")
The above invocation assumes that:
- The file jps-config.xml is located in the directory where the command is run (current directory).
- That file includes the following elements:
<serviceInstance name="credstore1" provider="some.provider">
  <property name="location" value="./credstore1/cwallet.sso"/>
</serviceInstance>
<serviceInstance name="credstore2" provider="some.provider">
  <property name="location" value="./credstore2/cwallet.sso"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="credstore1"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="credstore2"/>
  ...
</jpsContext>
For detailed configuration examples to use with this command, see Oracle Fusion Middleware Security Guide.
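The requirements migrateSecurityStore places on its configFile, src and dst arguments (the file exists, both contexts are defined in it, and the two are distinct) can be checked before the command is run. The following Python script is an added example, not part of this reference or of OPSS: it parses a constructed jps-config.xml fragment modelled on the two fragments above (the serviceInstances and jpsContexts wrapper elements and the deliberately broken third context are this example's assumptions) and resolves each context's serviceInstanceRef entries to their location properties.

```python
"""Pre-flight check for migrateSecurityStore: the source and destination
jpsContexts must exist in jps-config.xml, be distinct, and resolve to a
store location.  Added example; not Oracle or OPSS code."""
import xml.etree.ElementTree as ET

# Constructed jps-config.xml fragment modelled on the examples above.
# Real files declare a default namespace; _local() tolerates that.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="policystore1.xml" provider="some.provider">
      <property name="location" value="jazn-data1.xml"/>
    </serviceInstance>
    <serviceInstance name="policystore2.xml" provider="some.provider">
      <property name="location" value="jazn-data2.xml"/>
    </serviceInstance>
    <serviceInstance name="credstore1" provider="some.provider">
      <property name="location" value="./credstore1/cwallet.sso"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default1">
    <jpsContext name="default1">
      <serviceInstanceRef ref="policystore1.xml"/>
      <serviceInstanceRef ref="credstore1"/>
    </jpsContext>
    <jpsContext name="context2">
      <serviceInstanceRef ref="policystore2.xml"/>
    </jpsContext>
    <jpsContext name="broken">
      <serviceInstanceRef ref="policystore3.xml"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _local(tag):
    """'{uri}jpsContext' -> 'jpsContext'; un-namespaced tags pass through."""
    return tag.rsplit("}", 1)[-1]


def parse_jps_config(xml_text):
    """Return (instances, contexts): serviceInstance name -> its property dict,
    and jpsContext name -> the serviceInstance names it references, in order."""
    instances, contexts = {}, {}
    for el in ET.fromstring(xml_text).iter():
        tag = _local(el.tag)
        if tag == "serviceInstance":
            instances[el.get("name")] = {
                p.get("name"): p.get("value") for p in el if _local(p.tag) == "property"
            }
        elif tag == "jpsContext":
            contexts[el.get("name")] = [
                r.get("ref") for r in el if _local(r.tag) == "serviceInstanceRef"
            ]
    return instances, contexts


def resolve_context_locations(xml_text, src, dst):
    """Check the requirements listed above and return {"src": [...], "dst": [...]}
    holding the location property of every store each context references.
    Raises ValueError naming the first requirement that is violated."""
    if src == dst:
        raise ValueError("source and destination contexts must be distinct: %r" % src)
    instances, contexts = parse_jps_config(xml_text)
    result = {}
    for role, ctx in (("src", src), ("dst", dst)):
        if ctx not in contexts:
            raise ValueError("jpsContext %r is not defined in the configuration file" % ctx)
        locations = []
        for ref in contexts[ctx]:
            if ref not in instances:
                raise ValueError("context %r references undefined serviceInstance %r" % (ctx, ref))
            if "location" in instances[ref]:
                locations.append(instances[ref]["location"])
        if not locations:
            raise ValueError("context %r references no store with a location property" % ctx)
        result[role] = locations
    return result


def migration_problem(xml_text, src, dst):
    """None when src/dst satisfy the requirements, otherwise the reason as text."""
    try:
        resolve_context_locations(xml_text, src, dst)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(resolve_context_locations(SAMPLE_JPS_CONFIG, "default1", "context2"))
    print(migration_problem(SAMPLE_JPS_CONFIG, "default1", "broken"))
```

Run against the real file with open("jps-config.xml").read() in place of the constructed sample; the file-based stores the locations point to still have to exist in the current directory, as the note above says.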
Online command that returns the list of attribute values of a credential in the domain credential store.
Returns the list of attribute values of a credential in the domain credential store with the given map name and key name. This command lists the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException.
listCred(map, key)
| Argument | Definition |
|---|---|
| map | Specifies a map name (folder). |
| key | Specifies a key name. |
Online command that modifies the type, user name, and password of a credential.
Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with the given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
updateCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
| map | Specifies a map name (folder). |
| key | Specifies a key name. |
| user | Specifies the credential user name. |
| password | Specifies the credential password. |
| desc | Specifies a string describing the credential. |
Online command that creates a new credential in the domain credential store.
Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
createCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
| map | Specifies a map name (folder). |
| key | Specifies a key name. |
| user | Specifies the credential user name. |
| password | Specifies the credential password. |
| desc | Specifies a string describing the credential. |
Online command that removes a credential from the domain credential store.
Removes a credential with the given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
deleteCred(map, key)
| Argument | Definition |
|---|---|
| map | Specifies a map name (folder). |
| key | Specifies a key name. |
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with the given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
| Argument | Definition |
|---|---|
| jpsConfigFile | Specifies the location of the file |
| username | Specifies the distinguished name of the user in the LDAP store. |
| password | Specifies the password of the user. |
Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded.
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
| Argument | Definition |
|---|---|
| jpsConfigFile | Specifies the location of the file |
| map | Specifies the map of the credential to add. |
| key | Specifies the key of the credential to add. |
| username | Specifies the name of the user in the credential to add. |
| password | Specifies the password of the user in the credential to add. |
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
| jpsConfigFile | Specifies the location of the file |
| keyFilePath | Specifies the directory where the file |
| keyFilePassword | Specifies the password to secure the file |
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
| jpsConfigFile | Specifies the location of the file |
| keyFilePath | Specifies the directory where the |
| keyFilePassword | Specifies the password used when the file |
Offline command to restore the domain credential encryption key.
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
restoreEncryptionKey(jpsConfigFile)
| Argument | Definition |
|---|---|
| jpsConfigFile | Specifies the location of the file |
Online command that migrates the policy and credential stores to an LDAP repository.
Migrates, within a given domain, both the policy store and the credential store to a target LDAP server repository. The only kinds of LDAP servers allowed are OID or OVD. This command also allows setting up a policy store shared by different domains (see the optional argument join below). In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
reassociateSecurityStore(domain, admin, password, ldapurl, servertype, jpsroot [, join] [, keyFilePath, keyFilePassword])
| Argument | Definition |
|---|---|
| domain | Specifies the domain name where the reassociation takes place. |
| admin | Specifies the administrator's user name on the LDAP server. The format is |
| password | Specifies the password associated with the user specified for the argument |
| ldapurl | Specifies the URI of the LDAP server. The format is |
| servertype | Specifies the kind of the target LDAP server. The only valid types are OID or OVD. |
| jpsroot | Specifies the root node in the target LDAP repository under which all data is migrated. The format is |
| join | Specifies whether the domain is to share a policy store specified in some other domain. Optional. Set to true to share an existing policy store in another domain; set to false otherwise. If unspecified, it defaults to false. The use of this argument allows multiple WebLogic domains to point to the same logical policy store. |
| keyFilePath | Specifies the directory where the |
| keyFilePassword | Specifies the password used when the file |
The following invocation reassociates the domain policies and credentials to an LDAP Oracle Internet Directory server:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="myDomain", admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode")
Suppose that you want some other domain (distinct from myDomain, say otherDomain) to share the policy store in myDomain. Then you would invoke the command as follows:
wls:/mydomain/serverConfig> reassociateSecurityStore(domain="otherDomain", admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", servertype="OID", jpsroot="cn=testNode", join="true")
Offline command that migrates release 10.1.x security data to release 11 security data.
Migrates identity, policy, and credential data used in release 10.1.x to security data that can be used with release 11. The migration of each kind of data is performed with a separate invocation of this command. In the event of an error, the command returns a WLSTException.
The syntax varies according to the type of data being upgraded.
To upgrade 10.1.x XML identity data to 11 XML identity data, use the following syntax:
upgradeSecurityStore(type="xmlIdStore", jpsConfigFile, srcJaznDataFile, srcRealm, dst)
To upgrade 10.1.x XML policy data to 11 XML policy data, use the following syntax:
upgradeSecurityStore(type="xmlPolicyStore", jpsConfigFile, srcJaznDataFile, dst)
To upgrade 10.1.x OID LDAP-based policy data to 11 XML policy data, use the following syntax:
upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile, srcJaznDataFile, dst)
To upgrade 10.1.x XML credential data to 11 XML credential data, use the following syntax:
upgradeSecurityStore(type="xmlCredStore", jpsConfigFile, srcJaznDataFile, users, dst)
| Argument | Definition |
|---|---|
| type | Specifies the kind of security data being upgraded. The only valid values are xmlIdStore, xmlPolicyStore, oidPolicyStore, and xmlCredStore. |
| jpsConfigFile | Specifies the location of a configuration file |
| srcJaznDataFile | Specifies the location of a 10.1.x jazn data file relative to the directory where the command is run. This argument is required if the specified |
| srcJaznConfigFile | Specifies the location of a 10.1.x jazn configuration file relative to the directory where the command is run. This argument is required if the specified |
| srcRealm | Specifies the name of the realm from which identities need to be migrated. This argument is required if the specified |
| users | Specifies a comma-delimited list of users, each formatted as realmName/userName. This argument is required if the specified |
| dst | Specifies the name of the jpsContext in the file passed to the argument jpsConfigFile where the destination store is configured. Optional. If unspecified, it defaults to the default context in the file passed in the argument jpsConfigFile. |
The following invocation migrates 10.1.3 file-based identities to an 11 file-based identity store:
wls:/mydomain/serverConfig> upgradeSecurityStore(type="xmlIdStore", jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml", srcRealm="jazn.com")
The following invocation migrates a 10.1.3 OID-based policy store to an 11 file-based policy store:
wls:/mydomain/serverConfig> upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml", dst="destinationContext")
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with the specified name, display name, description, and actions. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets; all other arguments are required.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where to insert the resource type. |
| resourceTypeName | Specifies the name of the resource type to insert. |
| displayName | Specifies the name for the resource type used in UI gadgets. |
| description | Specifies a brief description of the resource type. |
| provider | Specifies the provider for the resource type. |
| matcher | Specifies the class of the resource type. If unspecified, it defaults to |
| actions | Specifies the actions allowed on instances of the resource type. |
| delimeter | Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','. |
The following invocation creates a resource type in the stripe myApplication with the actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint", delimeter=";")
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with the specified name. In the event of an error, the command returns a WLSTException.
getResourceType(appStripe, resourceTypeName)
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe from where to fetch the resource type. |
| resourceTypeName | Specifies the name of the resource type to fetch. |
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with the specified name. In the event of an error, the command returns a WLSTException.
deleteResourceType(appStripe, resourceTypeName)
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe from where to remove the resource type. |
| resourceTypeName | Specifies the name of the resource type to remove. |
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and the command lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; that default context must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and the command lists the stripes in the policy store of the domain to which you connect. In either mode, if a regular expression is passed, the command lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.
If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited as described in "Running listAppStripes after Reassociating to a DB-Based Store" in Oracle Fusion Middleware Security Guide.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
| Argument | Definition |
|---|---|
| configFile | Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and lists the application stripes in the policy store of the domain. |
| regularExpression | Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes()
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes whose names start with the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the resource is created. |
| name | Specifies the name of the resource created. |
| type | Specifies the type of the resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
| displayName | Specifies the display name of the resource created. Optional. |
| description | Specifies the description of the resource created. Optional. |
Online command that deletes a resource.
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the resource is deleted. |
| name | Specifies the name of the resource deleted. |
| type | Specifies the type of the resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [, type="resTypeName"])
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the resources are listed. |
| type | Specifies the type of the resources listed. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists the resources and actions in an entitlement.
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement resides. |
| permSetName | Specifies the name of the entitlement whose resources and actions to list. |
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement is created. |
| name | Specifies the name of the entitlement created. |
| resourceName | Specifies the name of the one resource member of the entitlement created. |
| actions | Specifies the comma-delimited list of actions for the resource resourceName. |
| displayName | Specifies the display name of the entitlement created. Optional. |
| description | Specifies the description of the entitlement created. Optional. |
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
getEntitlement(appStripe="appStripeName", name="entitlementName")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement is located. |
| name | Specifies the name of the entitlement to access. |
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement is deleted. |
| name | Specifies the name of the entitlement to delete. |
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement is located. |
| name | Specifies the name of the entitlement to modify. |
| resourceName | Specifies the name of the resource to add. |
| resourceType | Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
| actions | Specifies the comma-delimited list of actions for the added resource. |
The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that removes a resource from an entitlement.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement is located. |
| name | Specifies the name of the entitlement to modify. |
| resourceName | Specifies the name of the resource to remove. |
| resourceType | Specifies the type of the resource to remove. |
| actions | Specifies the comma-delimited list of actions to remove. |
The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that lists the entitlements in an application stripe.
Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [, resourceTypeName="resTypeName", resourceName="resName"])
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe from where to list entitlements. |
| resourceTypeName | Specifies the name of the type of the resources to match. Optional. |
| resourceName | Specifies the name of the resource to match. Optional. |
The following invocation lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following invocation lists all the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches the resource name myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
Online command that creates a new entitlement.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement is created. |
| principalClass | Specifies the class associated with the principal. |
| principalName | Specifies the name of the principal to which the entitlement is granted. |
| permSetName | Specifies the name of the entitlement created. |
The following invocation creates the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that deletes an entitlement.
Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe where the entitlement is deleted. |
| principalClass | Specifies the class associated with the principal. |
| principalName | Specifies the name of the principal from which the entitlement is revoked. |
| permSetName | Specifies the name of the entitlement deleted. |
The following invocation deletes the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that lists the entitlements in a specified application stripe.
If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
| Argument | Definition |
|---|---|
| appStripe | Specifies the application stripe from where to list entitlements. |
| principalName | Specifies the name of the principal to match. Optional. |
| principalClass | Specifies the class of the principal to match. Optional. |
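The resource, entitlement and grant commands from createResourceType through listEntitlement all operate on one stripe-scoped model, and deleteResource and deleteEntitlement cascade through it as described above. The following Python class is an added illustration of that model and of the cascade rules as this reference states them; it is not OPSS code or its API, its method names are this example's own, and the resource type, resource, entitlement and principal names in build_demo_stripe are constructed.

```python
"""Model of the objects the entitlement commands above manipulate and of the
cascading deletes they describe.  Added illustration; not OPSS code or API."""


class PolicyStripe:
    """One application stripe; resources are keyed by (type name, resource name)."""

    def __init__(self, name):
        self.name = name
        self.resource_types = {}  # type name -> set of permitted actions
        self.resources = set()    # (type name, resource name)
        self.entitlements = {}    # entitlement name -> {(type, resource): set(actions)}
        self.grants = set()       # (principal class, principal name, entitlement name)

    def create_resource_type(self, rtype, actions, delimiter=","):
        """Like createResourceType: the action list may use a custom delimiter."""
        self.resource_types[rtype] = {a.strip() for a in actions.split(delimiter)}

    def create_resource(self, name, rtype):
        if rtype not in self.resource_types:
            raise KeyError("resource type %r does not exist in stripe %r" % (rtype, self.name))
        self.resources.add((rtype, name))

    def _actions(self, rtype, actions):
        """Parse a comma-delimited action list; reject actions the type does not define."""
        wanted = {a.strip() for a in actions.split(",")}
        unknown = wanted - self.resource_types.get(rtype, set())
        if unknown:
            raise ValueError("actions %s are not defined on type %r" % (sorted(unknown), rtype))
        return wanted

    def create_entitlement(self, name, resource, rtype, actions):
        """createEntitlement: a new entitlement holding exactly one resource."""
        self.entitlements[name] = {}
        self.add_resource_to_entitlement(name, resource, rtype, actions)

    def add_resource_to_entitlement(self, name, resource, rtype, actions):
        if (rtype, resource) not in self.resources:
            raise KeyError("resource %r of type %r not found" % (resource, rtype))
        ent = self.entitlements[name]
        ent[(rtype, resource)] = ent.get((rtype, resource), set()) | self._actions(rtype, actions)

    def revoke_resource_from_entitlement(self, name, resource, rtype, actions):
        ent = self.entitlements[name]
        ent[(rtype, resource)] -= self._actions(rtype, actions)
        if not ent[(rtype, resource)]:  # no actions left: drop the resource from the entitlement
            del ent[(rtype, resource)]

    def grant_entitlement(self, principal_class, principal, name):
        if name not in self.entitlements:
            raise KeyError("entitlement %r not found" % name)
        self.grants.add((principal_class, principal, name))

    def delete_entitlement(self, name):
        """deleteEntitlement cascades: every grant that references it is removed."""
        del self.entitlements[name]
        self.grants = {g for g in self.grants if g[2] != name}

    def delete_resource(self, name, rtype):
        """deleteResource cascade as described above: an entitlement referring to this
        resource only is removed outright; otherwise only this resource's actions are."""
        key = (rtype, name)
        self.resources.discard(key)
        for ent_name, ent in list(self.entitlements.items()):
            if key not in ent:
                continue
            if len(ent) == 1:
                self.delete_entitlement(ent_name)
            else:
                del ent[key]

    def list_entitlements(self, rtype=None, resource=None):
        """listEntitlements: all names, or only those that hold (rtype, resource)."""
        if rtype is None and resource is None:
            return sorted(self.entitlements)
        return sorted(n for n, ent in self.entitlements.items() if (rtype, resource) in ent)


APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"  # class used in the examples above


def build_demo_stripe():
    """Constructed data: two printers of one type, two entitlements, two grants."""
    s = PolicyStripe("myApplication")
    s.create_resource_type("Printer", "BWPrint;ColorPrint", delimiter=";")
    s.create_resource("lobbyPrinter", "Printer")
    s.create_resource("designPrinter", "Printer")
    s.create_entitlement("anyPrint", "lobbyPrinter", "Printer", "BWPrint")
    s.add_resource_to_entitlement("anyPrint", "designPrinter", "Printer", "BWPrint,ColorPrint")
    s.create_entitlement("colorPrint", "designPrinter", "Printer", "ColorPrint")
    s.grant_entitlement(APP_ROLE, "staff", "anyPrint")
    s.grant_entitlement(APP_ROLE, "designers", "colorPrint")
    return s


if __name__ == "__main__":
    s = build_demo_stripe()
    s.delete_resource("designPrinter", "Printer")  # cascades into both entitlements
    print(s.list_entitlements(), sorted(s.grants))  # ['anyPrint'] and the one surviving grant
```

Deleting designPrinter removes colorPrint entirely (it held that one resource, so its grant to designers goes too) but only trims anyPrint, which keeps lobbyPrinter and its grant to staff.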
Use the WLST commands listed in Table 4-5 to manage Oracle Access Management Access Manager (Access Manager) related components, such as authorization providers, identity asserters, and SSO providers, as well as to display metrics and deployment topology, manage Access Manager server and agent configuration and logger settings.
Table 4-5 WLST Access Manager Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
| | Enables and disables custom error and login pages. | Online, Offline |
| | Create a user identity store registration. | Online, Offline |
| | Edit a user identity store registration. | Online, Offline |
| | Delete a user identity store registration. | Online, Offline |
| | Display a user identity store registration. | Online |
| | Create an entry for an Access Manager Server configuration. | Online, Offline |
| | Edit the entry for an Access Manager Server configuration. | Online, Offline |
| | Delete the named Access Manager Server configuration. | Online, Offline |
| | Display Access Manager Server configuration details. | Online, Offline |
| | Enable or disable the Persistent Login feature. | Online |
| | Configure the Access Manager login page user preferences. | Online |
| | Configure the SSO server request cache type. | Online |
| | Display the SSO server request cache type entry. | Online, Offline |
| | Edit OSSO Agent configuration details. | Online, Offline |
| | Delete the named OSSO Agent configuration. | Online, Offline |
| | Display OSSO Agent configuration details. | Online, Offline |
| | Edit 10g WebGate Agent registration details. | Online, Offline |
| | Delete the named 10g WebGate Agent configuration. | Online, Offline |
| | Display WebGate Agent configuration details. | Online, Offline |
| | Export Access Manager policy data from a test (source) to an intermediate Access Manager file. | Online |
| | Import Access Manager policy data from the Access Manager file specified. | Online |
| | Import Access Manager policy changes from the Access Manager file specified. | Online |
| | Migrate partners from the source Access Manager Server to the specified target Access Manager Server. | Online |
| | Export the Access Manager partners from the source to the intermediate Access Manager file specified. | Online |
| | Import the Access Manager partners from the intermediate Access Manager file specified. | Online |
| | List the details of deployed Access Manager Servers. | Online, Offline |
| | Configure the Access Manager-Oracle Adaptive Access Manager basic integration. | Online |
| | Register Identity Federation as Delegated Authentication Protocol (DAP) Partner. | Online, Offline |
| | Registers Identity Federation in IDP mode. | |
| | Registers any third party as a Trusted Authentication Protocol (TAP) Partner. | Online |
| | Disable the Coexist Mode. | Online |
| | Enables Coexist Mode for the Access Manager agent (enabling the Access Manager 11g server to own the Obssocookie set by 10g WebGate). | Online |
| | Disables Coexist Mode for the Access Manager agent (disabling the Access Manager 11g server from the Obssocookie set by 10g WebGate). | Online |
| | Edit GITO configuration parameters. | Online |
| | Edit an 11g WebGate registration. | Online, Offline |
| | Remove an 11g WebGate Agent registration. | Online, Offline |
| | Display an 11g WebGate Agent registration. | Online, Offline |
| | Display metrics of Access Manager Servers. | Online, Offline |
| | Update the Oracle Identity Manager configuration when integrated with Access Manager. | Online |
| | Creates an Agent registration specific to Oracle Identity Manager when integrated with Access Manager. | Online |
| | Updates OSSO Proxy response cookie settings. | Online |
| | Deletes OSSO Proxy response cookie settings. | Online |
| | Configures an identity store and external user store. | Online |
| | Configures an identity store and external user store using values defined in a file. | Online |
| | Migrates artifacts based on the specified artifact file. | Online |
| | Displays the simple mode global passphrase in plain text from the system configuration. | Online |
| | Exports selected Access Manager Partners to the intermediate Access Manager file specified. | Online |
| | Migrates policies, authentication stores, and user stores from OSSO, OAM10g, OpenSSO, or AM 7.1 to OAM11g. | Online |
| | Invokes the preSchemeUpgrade operation. | Online |
| | Invokes the postSchemeUpgrade operation. | Online |
| | Set to true and the Access Manager Server will redirect to the URLs specified in the WhiteListURL list only. | Online |
| | Add, update or remove whitelist URL entries from the configuration file. | Online |
| | Enable Multi Data Centre Mode. | Online |
| | Disable Multi Data Centre Mode. | Online |
| | Set the Multi Data Centre Cluster name. | Online |
| | Set the Multi Data Centre logout URLs. | Online |
| | Add partner for Multi Data Centre. | Online |
| | Remove partner from Multi Data Centre. | Online |
Enables and disables custom error and login page configuration. Adds a context path and page extension to oam-config.xml that points to the WAR containing the custom error and login pages:
<Setting Name="ssoengine" Type="htf:map">
  <Setting Name="ErrorConfig" Type="htf:map">
    <Setting Name="ErrorMode" Type="xsd:string">EXTERNAL</Setting>
    <Setting Name="CustomPageExtension" Type="xsd:string">jsp</Setting>
    <Setting Name="CustomPageContext" Type="xsd:string">/SampleApp</Setting>
  </Setting>
</Setting>
updateCustomPages(pageExtension="<fileExtension>", context="<contextPath>")
Argument | Definition |
---|---|
context
|
Specifies the context path to the application; for example, /SampleApp. |
pageExtension
|
Has a default value of "jsp" but can be left blank. |
To enable the custom error page functionality, use updateCustomPages with the context and pageExtension parameters. This modifies the oam-config.xml file and enables the custom page functionality.
updateCustomPages(pageExtension ="jsp", context="/SampleApp")
To disable the custom error page functionality, run the command without parameters [updateCustomPages()]. This undoes the modifications made when the command is run with parameters.
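As an added example (my code, not Oracle's), the following Python reads the ErrorConfig map back out of an oam-config.xml fragment so you can confirm what updateCustomPages wrote, and applies a defensive check to a context value before it is passed to the command. The sample fragment is the one shown above; the context rules are my own hardening assumptions, not documented OAM behaviour.

```python
# Added example (not Oracle's code): read back the ssoengine/ErrorConfig map that
# updateCustomPages() writes into oam-config.xml and sanity-check the values.
import xml.etree.ElementTree as ET

# Constructed sample: the fragment the page shows after
# updateCustomPages(pageExtension="jsp", context="/SampleApp").
SAMPLE_FRAGMENT = """
<Setting Name="ssoengine" Type="htf:map">
  <Setting Name="ErrorConfig" Type="htf:map">
    <Setting Name="ErrorMode" Type="xsd:string">EXTERNAL</Setting>
    <Setting Name="CustomPageExtension" Type="xsd:string">jsp</Setting>
    <Setting Name="CustomPageContext" Type="xsd:string">/SampleApp</Setting>
  </Setting>
</Setting>
"""


def parse_error_config(xml_text):
    """Return the ErrorConfig settings as a dict, or {} when no custom pages are configured.

    Works on the bare fragment above or on a larger document that contains it,
    because the search walks every Setting element looking for Name="ssoengine".
    """
    root = ET.fromstring(xml_text.strip())
    for node in root.iter("Setting"):
        if node.get("Name") != "ssoengine":
            continue
        for child in node.findall("Setting"):
            if child.get("Name") == "ErrorConfig":
                return {s.get("Name"): (s.text or "").strip()
                        for s in child.findall("Setting")}
    return {}


def custom_pages_enabled(cfg):
    """True when OAM is configured to serve login/error pages from an external WAR."""
    return cfg.get("ErrorMode") == "EXTERNAL" and bool(cfg.get("CustomPageContext"))


def check_custom_page_context(context):
    """Defensive check on a context value before passing it to updateCustomPages().

    The page only gives /SampleApp as an example; the rules below are my own
    hardening assumptions, not documented OAM behaviour: the value should be a
    single absolute path on the OAM server, never a full or protocol-relative
    URL, and never a path that climbs out of the deployment.
    """
    problems = []
    if not context.startswith("/"):
        problems.append("context must start with '/'")
    if context.startswith("//") or "://" in context:
        problems.append("context must not be a URL")
    if ".." in context.split("/"):
        problems.append("context must not contain '..' segments")
    if any(ch.isspace() for ch in context):
        problems.append("context must not contain whitespace")
    return problems


if __name__ == "__main__":
    cfg = parse_error_config(SAMPLE_FRAGMENT)
    print(cfg, "enabled:", custom_pages_enabled(cfg))
    print(check_custom_page_context(cfg["CustomPageContext"]))
```

Run it against the real oam-config.xml after the WLST call to confirm the three settings were written; an empty dict means the command did not take effect or was run without parameters.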
Creates an identity store registration in the Access Manager system configuration.
Creates an entry in the system configuration for a new user identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.
createUserIdentityStore(name="<Name>", principal="<Principal>", credential="<Credential>", type="<Type>", userAttr="<userAttr>", ldapProvider="<ldapProvider>", userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>", isPrimary="<isPrimary>", isSystem="<isSystem>", userIDProvider="<userIDProvider>", roleSecAdmin="<roleSecAdmin>", roleSysMonitor="<roleSysMonitor>", roleAppAdmin="<roleAppAdmin>", roleSysManager="<roleSysManager>", roleSecAdminGroups="<roleSecAdminGroups>", roleSecAdminUsers="<roleSecAdminUsers>", groupSearchBase="<groupSearchBase>", supplementaryReturnAttributes="<supplementaryReturnAttributes>", domainHome="<domainHome>")
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the unique name of the LDAP identity store being created. Use only upper and lower case alpha characters and numbers. |
principal
|
Mandatory. Specifies the Principal Administrator of the LDAP identity store being created. For example, cn=Admin. |
credential
|
Mandatory. Specifies the password of the Principal for the LDAP identity store being created. |
type
|
Mandatory. Specifies the type of the LDAP identity store being created. For this command, the value would be LDAP. |
userAttr
|
Mandatory. Specifies the user attributes of the LDAP identity store being created. |
ldapProvider
|
Mandatory. Specifies the type of the LDAP identity store being created. The value might be ODSEE, AD, OID, OVD, SJS, OUD, and the like. This value is defined when a new user identity store is created using the Access Manager Administration Console and corresponds with Store Type in the user identity store. |
userSearchBase
|
Mandatory. Specifies the node under which user data is stored in the LDAP identity store being created. For example, |
groupSearchBase
|
Mandatory. Specifies the node under which group data is stored in the LDAP identity store being created. For example, |
ldapUrl
|
Mandatory. Specifies the URL of the server host (including port number) of the LDAP identity store being created. For example, |
isPrimary
|
Optional. Specifies whether the LDAP identity store being created is the primary identity store. Takes true or false as a value. |
isSystem
|
Optional. Specifies whether the LDAP identity store being created is the system store. Takes true or false as a value. |
userIDProvider
|
Optional. Specifies the underlying infrastructure with which to connect to the identity store. Only supported type is OracleUserRoleAPI. |
roleSecAdminGroups
|
Optional. Specifies one or more comma-delimited groups with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdminUsers
|
Optional. Specifies one or more comma-delimited users with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdmin
|
Optional. Specifies the Security Administrator of the LDAP identity store being created. |
roleSysMonitor
|
Optional. Specifies the System Monitor of the LDAP identity store being created. |
roleAppAdmin
|
Optional. Specifies the Application Administrator of the LDAP identity store being created. |
roleSysManager
|
Optional. Specifies the System Manager of the LDAP identity store being created. |
supplementaryReturnAttributes
|
Specifies a comma-delimited list of attributes that need to be retrieved as part of the User object. For example: ORCL_USR_ENC_FIRST_NAME,ORCL_USR_ENC_LAST_NAME,USR_USRNAME,ORCL_USR_CTY_CODE,ORCL_USR_LANG_CODE_S,ORCL_USR_JROLE_ID_S,ORCL_USR_IND_ID,ORCL_USR_COMP_REL_ID,ORCL_USR_ASCII_IND,ORCL_ORA_UCM_VER,ORCL_ORA_UCM_SRVC |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. |
The following example shows the argument layout for registering a new Oracle Internet Directory user identity store definition for use with Access Manager; the values are placeholders to replace with your own.
createUserIdentityStore(name="Name1", principal="Principal1", credential="Credential1", type="Type1", userAttr="userAttr1", ldapProvider="ldapProvider", userSearchBase="userSearchBase", ldapUrl="ldapUrl", isPrimary="isPrimary", isSystem="isSystem", userIDProvider="userIDProvider", roleSecAdmin="<roleSecAdmin>", roleSysMonitor="<roleSysMonitor>", roleAppAdmin="<roleAppAdmin>", roleSysManager="<roleSysManager>", roleSecAdminGroups="<roleSecAdminGroups>", roleSecAdminUsers="<roleSecAdminUsers>", groupSearchBase="groupSearchBase", supplementaryReturnAttributes="supplementaryReturnAttributes", domainHome="domainHome1")
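As an added example (my code, not Oracle's, written in plain Python rather than as a WLST command), this pre-flight check validates a createUserIdentityStore argument set against the table above before the call is made, so a placeholder left in place is caught before it reaches the system configuration. The OID_STORE values, the ldap(s)://host:port URL shape and the cleartext-LDAP warning are my assumptions.

```python
# Added example (not Oracle's code): pre-flight check for the argument set of
# createUserIdentityStore(), run before the WLST call so that a typo or a
# leftover placeholder is not committed to the system configuration.
import re

# Mandatory arguments, taken from the argument table above.
MANDATORY = ("name", "principal", "credential", "type", "userAttr", "ldapProvider",
             "userSearchBase", "groupSearchBase", "ldapUrl")
# Store types the page names; "and the like" means others may exist, so an
# unknown value is only warned about.
KNOWN_PROVIDERS = ("ODSEE", "AD", "OID", "OVD", "SJS", "OUD")
BOOLEAN_ARGS = ("isPrimary", "isSystem")
# Assumption: the URL is ldap:// or ldaps:// with an explicit port, as the table requires.
LDAP_URL = re.compile(r"^(ldap|ldaps)://[A-Za-z0-9.\-]+:\d{1,5}$")


def preflight_identity_store(**args):
    """Return (errors, warnings); an empty error list means the call is worth attempting."""
    errors, warnings = [], []
    for key in MANDATORY:
        if not args.get(key):
            errors.append("missing mandatory argument: %s" % key)
    name = args.get("name", "")
    if name and not re.match(r"^[A-Za-z0-9]+$", name):
        errors.append("name must contain only letters and digits")
    if args.get("type") and args["type"] != "LDAP":
        errors.append("type must be LDAP for this command")
    provider = args.get("ldapProvider")
    if provider and provider not in KNOWN_PROVIDERS:
        warnings.append("ldapProvider %r is not one of the documented store types" % provider)
    for key in BOOLEAN_ARGS:
        value = args.get(key)
        if value is not None and str(value).lower() not in ("true", "false"):
            errors.append("%s must be 'true' or 'false'" % key)
    url = args.get("ldapUrl", "")
    if url:
        if not LDAP_URL.match(url):
            errors.append("ldapUrl must look like ldap(s)://host:port")
        elif url.startswith("ldap://"):
            # The principal's credential is a simple bind password; over plain
            # ldap:// it crosses the network unencrypted unless StartTLS is negotiated.
            warnings.append("ldapUrl is cleartext ldap://: the principal's credential "
                            "crosses the network unencrypted unless StartTLS is negotiated")
    if str(args.get("isSystem", "")).lower() == "true" and not (
            args.get("roleSecAdminGroups") or args.get("roleSecAdminUsers")):
        errors.append("a system store needs roleSecAdminGroups or roleSecAdminUsers")
    if args.get("userIDProvider") not in (None, "", "OracleUserRoleAPI"):
        errors.append("userIDProvider only supports OracleUserRoleAPI")
    return errors, warnings


# Constructed sample registration for an OID store; host name and DNs are made up.
OID_STORE = dict(
    name="OIDStore1", principal="cn=orcladmin", credential="REPLACE_ME", type="LDAP",
    userAttr="uid", ldapProvider="OID",
    userSearchBase="cn=Users,dc=example,dc=com",
    groupSearchBase="cn=Groups,dc=example,dc=com",
    ldapUrl="ldaps://oid.example.com:3131", isPrimary="true", isSystem="true",
    roleSecAdminGroups="cn=OAMAdmins,cn=Groups,dc=example,dc=com",
)

if __name__ == "__main__":
    errs, warns = preflight_identity_store(**OID_STORE)
    print("errors:", errs, "warnings:", warns)
```

Only once the error list is empty is the same keyword set passed to createUserIdentityStore(**OID_STORE) inside WLST; the system-store rule matters because a store with isSystem="true" and no administrator group or user locks you out of the console.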
Online and offline command that modifies an already defined identity store registration for Access Manager.
Changes one or more attributes of the user identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.
editUserIdentityStore(name="<Name>", [ principal="<Principal>", credential="<Credential>", type="<Type>", userAttr="<userAttr>", ldapProvider="<ldapProvider>", roleSecAdmin="<roleSecAdmin>", roleSysMonitor="<roleSysMonitor>", roleSysManager="<roleSysManager>" , roleAppAdmin="<roleAppAdmin>", roleSecAdminGroups="<roleSecAdminGroups>", roleSecAdminUsers="<roleSecAdminUsers>", userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>", isPrimary="<isPrimary>", isSystem="<isSystem>", userIDProvider="<userIDProvider>" , groupSearchBase="<groupSearchBase>", domainHome="<domainHome>", userFilterObjectClasses="<userFilterObjectClasses>", groupFilterObjectClasses="<groupFilterObjectClasses>", referralPolicy="<referralPolicy>", searchTimeLimit="<searchTimeLimit>", minConnections="<minConnections>", maxConnections="<maxConnections>", connectionWaitTimeout="<connectionWaitTimeout>", connectionRetryCount="<connectionRetryCount>", groupNameAttr="<groupNameAttr>", groupCacheEnabled="<groupCacheEnabled>", groupCacheSize="<groupCacheSize>", groupCacheTTL=<"groupCacheTTL>", supplementaryReturnAttributes="<supplementaryReturnAttributes>" )
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the unique name of the LDAP identity store being modified. Use only upper and lower case alpha characters and numbers. |
principal
|
Specifies the Principal Administrator of the LDAP identity store being modified. For example, |
credential
|
Specifies the encrypted Password of the Principal Administrator for the LDAP identity store being modified. |
type
|
Specifies the type of the base identity store being modified. For this command, the value would be LDAP. |
userAttr
|
Mandatory. Specifies the user attributes of the LDAP identity store being modified. |
ldapProvider
|
Mandatory. Specifies the LDAP type of the LDAP identity store being registered. The value might be ODSEE, AD, OID, OVD, SJS, OUD, and the like. This value is defined when a new user identity store is created using the Access Manager Administration Console and corresponds with Store Type in the user identity store. |
roleSecAdminGroups
|
Optional. Specifies one or more comma-delimited groups with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdminUsers
|
Optional. Specifies one or more comma-delimited users with Access Manager Console Administrator privileges. Needed if it is a System Store in which the IsSystem property is set to true. |
roleSecAdmin
|
Optional. Specifies the Security Administrator of the LDAP identity store being modified. |
roleSysMonitor
|
Optional. Specifies the System Monitor of the LDAP identity store being modified. |
roleAppAdmin
|
Optional. Specifies the Application Administrator of the LDAP identity store being modified. |
roleSysManager
|
Optional. Specifies the System Manager of the LDAP identity store being modified. |
userSearchBase
|
Mandatory. Specifies the node under which user data is stored in the LDAP identity store being modified. For example, |
groupSearchBase
|
Mandatory. Specifies the node under which group data is stored in the LDAP identity store being modified. For example, |
ldapUrl
|
Mandatory. Specifies the URL of the server host (including port number) of the LDAP identity store being modified. For example, |
isPrimary
|
Optional. Specifies whether the LDAP identity store being modified is the primary identity store. Takes true or false as a value. |
isSystem
|
Optional. Specifies whether the LDAP identity store being modified is the system store. Takes true or false as a value. |
userIDProvider
|
Optional. Specifies the underlying infrastructure with which to connect to the identity store. Only supported type is OracleUserRoleAPI. |
supplementaryReturnAttributes
|
Specifies a comma-delimited list of attributes that need to be retrieved as part of the User object. For example: ORCL_USR_ENC_FIRST_NAME,ORCL_USR_ENC_LAST_NAME,USR_USRNAME,ORCL_USR_CTY_CODE,ORCL_USR_LANG_CODE_S,ORCL_USR_JROLE_ID_S,ORCL_USR_IND_ID,ORCL_USR_COMP_REL_ID,ORCL_USR_ASCII_IND,ORCL_ORA_UCM_VER,ORCL_ORA_UCM_SRVC |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
userFilterObjectClasses
|
Mandatory. Specifies a list of user filter object classes (separated by semicolon). |
groupFilterObjectClasses
|
Specifies a list of group filter object classes (separated by semicolon). |
referralPolicy
|
Specifies an LDAP referral policy (either "follow", "ignore" or "throw"). |
searchTimeLimit
|
Specifies the time limit in seconds for an LDAP Search operation. |
minConnections
|
Specifies the minimum number of connections in the connection pool. |
maxConnections
|
Specifies the maximum number of connections in the connection pool. |
connectionWaitTimeout
|
Specifies the number of seconds to wait for obtaining a connection from the pool. |
connectionRetryCount
|
Specifies the number of attempts to retry when establishing a connection to the identity store. |
groupNameAttr
|
Specifies the name of the attribute to lookup the user groups. For example, |
groupCacheEnabled
|
A boolean that specifies whether to enable the LDAP group cache. Takes true or false as a value. |
groupCacheSize
|
Specifies the number of entries in the LDAP group cache. |
groupCacheTTL
|
Specifies the total time to live for each entry in the LDAP group cache. |
Online and offline command that removes an already defined identity store registration for Access Manager.
Deletes the identity store registration. The scope of this command is an instance only; the scope is not an argument.
deleteUserIdentityStore(name="<name>", domainHome="<domainHome>")
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the name of the LDAP identity store registration to be removed. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Online command that displays user identity store registration information.
Displays the information regarding the identity store registered with Access Manager. The scope of this command is an instance only; the scope is not an argument.
displayUserIdentityStore(name="<name>", domainHome="<domainHome>")
Argument | Definition |
---|---|
name
|
Mandatory. Specifies the name of the LDAP identity store registration to be displayed. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. |
Online and offline command that creates an Access Manager Server entry in the system configuration.
Creates an Access Manager Server registration. Details include the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the OAM Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.
createOAMServer(configurationProfile="<configurationProfile>", host="<host>",port="<port>", oamProxyPort="<0000>", oamProxyServerID="<oamProxyServerID>",siteName="<siteName>", domainHome="<domainHome>")
Argument | Definition |
---|---|
configurationProfile
|
Mandatory. Specifies the Configuration Profile of the OAM Server. The profile appears under Server Instances on the System Configuration tab in the Access Manager Administration Console. |
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
oamProxyPort
|
Mandatory. Specifies the proxy port of the Access Manager Server host. |
oamProxyServerID
|
Mandatory. Specifies the proxy server ID of the Access Manager Server host. The Access Manager Proxy name appears under the Access Manager Proxy sub tab of the server instance in the Access Manager Administration Console. |
siteName
|
Mandatory. Specifies the siteName/serverName for the instance. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
The following example creates a configuration for my_host with listening port 15000. The configuration entry in the Access Manager Administration Console will be oam_server1. The Access Manager Proxy port is 3004 and the Access Manager Proxy Server ID is oamProxyServerID1.
createOAMServer(configurationProfile="oam_server1", host="my_host", port="15000", oamProxyPort="3004", oamProxyServerID="oamProxyServerID1", siteName="siteName1", domainHome="domainHome1")
Online and offline command that enables you to modify the details of an Access Manager Server registration.
Modifies the specified parameter values of the registration for an Access Manager Server. Details may include the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the Access Manager Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.
editOAMServer(configurationProfile="<configurationProfile>", host="<host>",port="<port>", oamProxyPort="<0000>", oamProxyServerID="<oamProxyServerID>",siteName="<siteName>", domainHome="<domainHome>")
Argument | Definition |
---|---|
configurationProfile
|
Mandatory. Specifies the Configuration Profile of the Access Manager Server. The profile appears under Server Instances on the System Configuration tab in the Access Manager Administration Console. |
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
oamProxyPort
|
Mandatory. Specifies the proxy port of the Access Manager Server host. |
oamProxyServerID
|
Mandatory. Specifies the proxy server ID of the Access Manager Server host. The Access Manager Proxy name appears under the Access Manager Proxy sub tab of the server instance in the Access Manager Administration Console. |
siteName
|
Mandatory. Specifies the siteName/serverName for the instance. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Supply the full argument set and change the values you want altered; the rest restate the current settings. The following invocation sets the Access Manager Proxy Server ID for the configuration entry oam_server1.
editOAMServer(configurationProfile="oam_server1", host="my_host", port="15000", oamProxyPort="3004", oamProxyServerID="oamProxyServerID1", siteName="siteName1", domainHome="domainHome1")
Online and offline command that enables you to delete the specified Access Manager Server registration.
Deletes the specified Access Manager Server configuration. The scope of this command is an instance only; the scope is not an argument.
deleteOAMServer(host="<host>", port="<port>", domainHome="<domainHome>")
Argument | Definition |
---|---|
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Online and offline command that displays registration details for the specified Access Manager Server.
Displays the registration details of the specified Access Manager Server, including the host, port, registration name, Access Manager Proxy port, server ID and, optionally, the Access Manager Proxy shared secret. The scope of this command is an instance only; the scope is not an argument.
displayOAMServer(host="<host>", port="<port>", domainHome="<domainHome>")
Argument | Definition |
---|---|
host
|
Mandatory. Specifies the name of the Access Manager Server host. |
port
|
Mandatory. Specifies the listening port of the Access Manager Server host. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Online command to enable or disable the Persistent Login feature.
configurePersistentLogin(enable="true/false", validityInDays="<#>", maxAuthnLevel="<#>", userAttribute="<userAttr>")
Argument | Definition |
---|---|
enable
|
Mandatory. Specify true or false. |
validityInDays
|
Mandatory. Specifies the number of days that the user login will be persisted for a particular browser instance or device. |
maxAuthnLevel
|
Mandatory. Specifies the maximum Authentication Level allowed after re-authenticating automatically through Persistent Login. |
userAttribute
|
Mandatory. Specifies the user attribute with which Persistent Login properties will be stored. |
Online command that configures the Access Manager login page user preferences.
configOAMLoginPagePref(persistentCookie="true", persistentCookieLifetime=14, langPrefCookieDomain="oracle.com", langPrefOrder="serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage, defaultLanguage", serverOverrideLanguage="en", defaultLanguage="en", applicationSupportedLocales="en,fr")
Argument | Definition |
---|---|
persistentCookie
|
Mandatory. Boolean that defines whether the OAM_LANG_PREF cookie is persistent or non-persistent. Set to true or false. |
persistentCookieLifetime
|
Mandatory. Lifetime of the OAM_LANG_PREF cookie if persistent. |
langPrefCookieDomain
|
Mandatory. Defines the domain of the OAM_LANG_PREF cookie. |
langPrefOrder
|
Mandatory. Defines the order of language precedence as a comma-delimited list, formatted as in the syntax and example. The allowed values are serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage and defaultLanguage. |
serverOverrideLanguage
|
The server side language of Access Manager. Must be defined in language codes and selected from OAM supported languages. Default value is en. |
defaultLanguage
|
The default language. |
applicationSupportedLocales
|
Supported languages defined in a comma-delimited list. Setting |
Table 4-6 Language Codes For Login Pages
Language Code | Language | Administrators |
---|---|---|
ar | Arabic | |
cs | Czech | |
da | Danish | |
de | German | German |
el | Greek | |
en | English | English |
es | Spanish | Spanish |
fi | Finnish | |
fr | French | French |
fr-CA | Canadian French | Canadian French |
he | Hebrew | |
hr | Croatian | |
hu | Hungarian | |
it | Italian | Italian |
ja | Japanese | Japanese |
ko | Korean | Korean |
nl | Dutch | |
no | Norwegian | |
pl | Polish | |
pt-BR | Brazilian Portuguese | Brazilian Portuguese |
pt | Portuguese | |
ro | Romanian | |
ru | Russian | |
sk | Slovak | |
sv | Swedish | |
th | Thai | |
tr | Turkish | |
zh-CN | Simplified Chinese | Simplified Chinese |
zh-TW | Traditional Chinese | Traditional Chinese |
The following example makes the OAM_LANG_PREF cookie persistent for 14 days on the oracle.com domain, sets the precedence order, and offers English and French to the application.
configOAMLoginPagePref(persistentCookie="true", persistentCookieLifetime=14, langPrefCookieDomain="oracle.com", langPrefOrder="serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage, defaultLanguage", serverOverrideLanguage="en", defaultLanguage="en", applicationSupportedLocales="en,fr")
This next example allows an administrator to revert back to the default behavior in which no language list of values is displayed.
configOAMLoginPagePref(persistentCookie="true", persistentCookieLifetime=14,langPrefCookieDomain="example.com", langPrefOrder="serverOverrideLangPref,oamPrefsCookie,browserAcceptLanguage, defaultLanguage",serverOverrideLanguage="", defaultLanguage="en",applicationSupportedLocales="")
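As an added example (my code, not Oracle's), the following Python validates the langPrefOrder and applicationSupportedLocales arguments against the allowed sources and Table 4-6, and walks the precedence order with an Accept-Language parser so you can see which language a given request would get. The regional-tag fallback and the behaviour for an empty locale list are my assumptions, not documented OAM behaviour.

```python
# Added example (not Oracle's code): validate configOAMLoginPagePref() language
# arguments and model the precedence that langPrefOrder expresses.

# Codes from Table 4-6.
LOGIN_PAGE_LANGUAGES = frozenset((
    "ar", "cs", "da", "de", "el", "en", "es", "fi", "fr", "fr-CA", "he", "hr", "hu",
    "it", "ja", "ko", "nl", "no", "pl", "pt-BR", "pt", "ro", "ru", "sk", "sv", "th",
    "tr", "zh-CN", "zh-TW",
))
# Allowed sources for langPrefOrder, from the argument table.
ALLOWED_SOURCES = ("serverOverrideLangPref", "oamPrefsCookie",
                   "browserAcceptLanguage", "defaultLanguage")


def split_list(value):
    """Split a comma-delimited argument value, tolerating the spaces used in the examples."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_lang_pref_order(value):
    """Return langPrefOrder as a list; reject unknown or duplicate sources."""
    order = split_list(value)
    unknown = [src for src in order if src not in ALLOWED_SOURCES]
    if unknown:
        raise ValueError("unknown langPrefOrder source(s): %s" % ", ".join(unknown))
    if len(set(order)) != len(order):
        raise ValueError("duplicate source in langPrefOrder")
    return order


def unsupported_locales(value):
    """Entries of applicationSupportedLocales that are not in Table 4-6."""
    return [code for code in split_list(value) if code not in LOGIN_PAGE_LANGUAGES]


def parse_accept_language(header):
    """Language tags from an Accept-Language header, best q-value first, q=0 dropped."""
    ranked = []
    for position, part in enumerate(header.split(",")):
        piece = part.strip()
        if not piece:
            continue
        tag, _, params = piece.partition(";")
        q = 1.0
        for param in params.split(";"):
            param = param.strip()
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        if q > 0:
            ranked.append((-q, position, tag.strip()))
    return [tag for _, _, tag in sorted(ranked)]


def resolve_login_language(order, supported_locales, server_override="",
                           prefs_cookie="", accept_language="", default_language="en"):
    """Walk langPrefOrder and return the first candidate the application supports.

    The precedence walk is what the argument table describes. Two details are my
    assumptions, not documented behaviour: a regional tag (fr-CA) falls back to its
    base language (fr) when only that is supported, and an empty
    applicationSupportedLocales (the "revert to default" example) yields defaultLanguage.
    """
    supported = split_list(supported_locales)
    sources = {
        "serverOverrideLangPref": [server_override] if server_override else [],
        "oamPrefsCookie": [prefs_cookie] if prefs_cookie else [],
        "browserAcceptLanguage": parse_accept_language(accept_language),
        "defaultLanguage": [default_language] if default_language else [],
    }
    for source in order:
        for candidate in sources[source]:
            if candidate in supported:
                return candidate
            base = candidate.split("-")[0]
            if base in supported:
                return base
    return default_language


if __name__ == "__main__":
    order = parse_lang_pref_order(
        "serverOverrideLangPref, oamPrefsCookie, browserAcceptLanguage, defaultLanguage")
    print(resolve_login_language(order, "en,fr", prefs_cookie="fr",
                                 accept_language="de, en;q=0.5"))
```

Note that with serverOverrideLangPref first in the order, a non-empty serverOverrideLanguage wins over every per-user signal, which is why the second example above clears it when handing language choice back to the user.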
Online and offline command that defines the SSO server request cache type in the system configuration.
Defines the SSO server request cache type in the system configuration. The scope of this command is an instance only; the scope is not an argument.
configRequestCacheType(type="<requestCacheType>", domainHome="<domainHome>")
Argument | Definition |
---|---|
type
|
Mandatory. Specifies the request cache type. Takes a value of BASIC or COOKIE. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Online and offline command that displays the SSO server request cache type defined for the specified domain. The request cache type may be BASIC or COOKIE.
Displays the SSO server request cache type entry defined for the specified domain. The scope of this command is an instance only; the scope is not an argument.
displayRequestCacheType(domainHome="<domainHome>")
Argument | Definition |
---|---|
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Online and offline command that enables you to modify the details of an Oracle Single Sign-On (OSSO) Agent registration in the system configuration.
Modifies OSSO Agent registration details including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info. The scope of this command is an instance only; the scope is not an argument.
editOssoAgent(agentName="AgentName", partnerId = "<partnerId>", siteToken = "<siteToken>", siteName = "<siteName>", successUrl ="<successUrl>", failureUrl = "<failureUrl>", homeUrl="<homeUrl>", logoutUrl="<logoutUrl>", startDate = "<startDate>", endDate = "<endDate>", adminId = "<adminId>", adminInfo = "<AdminInfo>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent entry to be modified. |
partnerId
|
Optional. Specifies the Agent Name of the OSSO agent instance. |
siteToken
|
Optional. Specifies the Application Token used by the partner when requesting authentication. |
siteName
|
Optional. Specifies the SiteName/ServerName for the OSSO agent instance. |
successUrl
|
Optional. Specifies the redirect URL to be used by the OSSO Agent if authentication is successful. |
failureUrl
|
Optional. Specifies the redirect URL to be used by the OSSO Agent if authentication fails. |
homeUrl
|
Optional. Specifies the redirect URL to be used for the Home page after authentication. |
logoutUrl
|
Optional. Specifies the redirect URL to be used when a user is logging out. |
startDate
|
Optional. Specifies the first month, day, and year for which login to the application is allowed by the server. |
endDate
|
Optional. Specifies the final month, day, and year for which login to the application is allowed by the server. |
adminId
|
Optional. Specifies the administrator login ID for the OSSO Agent. |
adminInfo
|
Optional. Specifies an administrator identifier for the OSSO Agent for tracking purpose. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
The following example changes the Administrator ID and information in the registration entry for OSSOAgent1
.
editOssoAgent(agentName = "OSSOAgent1", partnerId = "partnerId", siteToken = "siteToken", siteName = "siteName", successUrl="successUrl", failureUrl = "failureUrl", homeUrl="homeUrl", logoutUrl="logoutUrl", startDate = "2009-12-10", endDate = "2012-12-30", adminId = "345", adminInfo = "Agent11", domainHome="domainHome1")
Online and offline command that enables you to remove the specified OSSO Agent registration in the system configuration.
Removes the specified OSSO Agent registration in the system configuration. The scope of this command is an instance only; the scope is not an argument.
deleteOssoAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent entry to be removed. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Online and offline command that displays the details of the specified OSSO Agent entry in the system configuration.
Displays the details of the specified OSSO Agent entry in the Access Manager Administration Console. The scope of this command is an instance only; the scope is not an argument.
displayOssoAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent entry to be displayed. |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
Online and offline command that enables you to modify a Webgate 10g registration entry in the system configuration.
Enables you to modify a Webgate 10g registration entry in the system configuration. The scope of this command is an instance only; the scope is not an argument.
editWebgateAgent(agentName="<AgentName>", accessClientPasswd="<accessClientPassword >",state="<state>", preferredHost="<host>", aaaTimeOutThreshold="<aaaTimeoutThreshold >", security="<security>",primaryCookieDomain="<primaryCookieDomain>", maxConnections="<maxConnections>",maxCacheElems="<maxCacheElements >", cacheTimeout="<cacheTimeOut>", cookieSessionTime="<cookieSessionTime >", maxSessionTime="<maxSessionTime>", idleSessionTimeout="<idleSessionTimeout >",failoverThreshold="<failoverThreshold >", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent to be modified. |
accessClientPasswd
|
Optional. Specifies the access client password of WebGate Agent. |
state
|
Optional. Specifies whether the WebGate Agent is enabled or disabled with a value of either Enabled or Disabled, respectively. |
preferredHost
|
Optional. Specifies the preferred host of the WebGate Agent. This prevents security holes that can be created if a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature. |
aaaTimeOutThreshold
|
Optional. Specifies the number (in seconds) to wait for a response from the Access Manager run-time server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (default network TCP/IP timeout is used) |
security
|
Optional. Specifies the level of transport security to and from the Access Manager run-time server. Takes as a value either open, simple, or cert. |
primaryCookieDomain
|
Optional. Specifies the Web server domain on which the Access Manager Agent is deployed. For example, .acompany.com |
maxConnections
|
Optional. Specifies the maximum number of connections that this Access Manager Agent can establish with the Access Manager Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent. Default = 1 |
maxCacheElems
|
Optional. Specifies the maximum number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes. The value of this setting refers to the maximum consolidated count for elements in both of these caches. Default = 10000 |
cacheTimeout
|
Optional. Specifies the amount of time cached information remains in the Access Manager Agent cache when the information is neither used nor referenced. Default = 1800 (seconds) |
cookieSessionTime
|
Optional. Specifies the amount of time that the ObSSOCookie persists. Default = 3600 (seconds) |
maxSessionTime
|
Optional. Specifies the maximum amount of time in seconds that a user's authentication session is valid regardless of their activity. At the expiration of this time, the user is re-challenged for authentication. This is a forced logout. A value of 0 disables this timeout setting. Default = 3600 (seconds) |
idleSessionTimeout
|
Optional. Specifies the amount of time in seconds that a user's authentication session remains valid without any activity. At the expiration of this time, the user is re-challenged for authentication. A value of 0 disables this timeout setting. Default = 3600 (seconds) |
failoverThreshold
|
Optional. Specifies a number representing the point when this Access Manager Agent opens connections to a Secondary Access Manager Server. Default = 1 |
domainHome
|
Specifies the domain home of the WebLogic Server, or the cell path for WebSphere. This parameter is mandatory for WebSphere. When offline, a value is mandatory; when online, optional. |
You can alter any or all of the settings. The following example sets the access client password, state, preferred host, Access Manager Server timeout threshold, transport security, primary cookie domain, maximum connections, cache size and cache timeout, cookie session time, maximum session time, idle session timeout, and failover threshold. All time values are in seconds.
editWebgateAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1", state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeOutThreshold = "10", security="open", primaryCookieDomain="primaryCookieDomain", maxConnections="16", maxCacheElems="10000", cacheTimeout="1800", cookieSessionTime="3600", maxSessionTime="24", idleSessionTimeout="3600", failoverThreshold="1", domainHome="domainHome1")
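As an added example (my code, not Oracle's), this Python reviews an editWebgateAgent argument set for weak values before it is applied: open transport security, a zero maximum or idle session time, an ObSSOCookie lifetime longer than the session, and a guessable access client password. The argument meanings come from the table above; the severities and thresholds are my own choices.

```python
# Added example (not Oracle's code): review the argument set of an
# editWebgateAgent() call for weak settings before it is applied. The meaning
# of each argument comes from the table above; thresholds are my own choices.


def _as_int(settings, key):
    """Integer value of a string argument, or None when absent or not numeric."""
    try:
        return int(settings[key])
    except (KeyError, TypeError, ValueError):
        return None


def review_webgate_settings(**settings):
    """Return a list of (severity, argument, message) findings; empty means nothing flagged."""
    findings = []

    security = settings.get("security")
    if security == "open":
        findings.append(("high", "security",
                         "open mode sends agent-to-server traffic unencrypted; use cert"))
    elif security == "simple":
        findings.append(("medium", "security",
                         "simple mode uses Oracle-generated certificates; cert mode lets you use your own CA"))
    elif security not in (None, "cert"):
        findings.append(("high", "security", "unknown transport mode %r" % security))

    max_session = _as_int(settings, "maxSessionTime")
    if max_session == 0:
        findings.append(("medium", "maxSessionTime",
                         "0 disables the forced re-authentication; set a finite lifetime in seconds"))
    elif max_session is not None and max_session < 300:
        findings.append(("low", "maxSessionTime",
                         "%d seconds is shorter than a login takes; the unit is seconds, not hours" % max_session))

    idle = _as_int(settings, "idleSessionTimeout")
    if idle == 0:
        findings.append(("medium", "idleSessionTimeout", "0 disables the inactivity timeout"))
    elif idle is not None and max_session and idle > max_session:
        findings.append(("low", "idleSessionTimeout",
                         "idle timeout exceeds maxSessionTime, so it never fires"))

    cookie_time = _as_int(settings, "cookieSessionTime")
    if cookie_time is not None and max_session and cookie_time > max_session:
        findings.append(("medium", "cookieSessionTime",
                         "ObSSOCookie outlives the maximum session time"))

    password = settings.get("accessClientPasswd")
    if password is not None:
        # Length floor and deny-list are my choices; the doc example uses "welcome1".
        if len(password) < 12 or password.lower() in ("welcome1", "password", "oracle"):
            findings.append(("high", "accessClientPasswd", "weak access client password"))

    if settings.get("state") == "Disabled":
        findings.append(("info", "state", "agent will be disabled"))
    return findings


# Constructed sample: the argument set from the page's editWebgateAgent example.
DOC_EXAMPLE = dict(
    agentName="WebgateAgent1", accessClientPasswd="welcome1", state="Enabled",
    preferredHost="141.144.168.148:2001", aaaTimeOutThreshold="10", security="open",
    primaryCookieDomain="primaryCookieDomain", maxConnections="16", maxCacheElems="10000",
    cacheTimeout="1800", cookieSessionTime="3600", maxSessionTime="24",
    idleSessionTimeout="3600", failoverThreshold="1",
)

# The same agent with the flagged values corrected (my values, not Oracle's).
HARDENED = dict(DOC_EXAMPLE, security="cert", accessClientPasswd="L0ng-random-secret-here",
                maxSessionTime="28800", idleSessionTimeout="900", cookieSessionTime="3600")

if __name__ == "__main__":
    for finding in review_webgate_settings(**DOC_EXAMPLE):
        print("%-6s %-20s %s" % finding)
    print("hardened findings:", review_webgate_settings(**HARDENED))
```

Run over the page's own example the review flags the open transport mode, the default-style password, the 24-second maximum session, and the cookie and idle timeouts that exceed it; the HARDENED set passes clean and is what you would pass to editWebgateAgent.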
Online and offline command that enables you to delete a Webgate_agent registration entry in the system configuration.
Removes the specified Webgate_agent registration entry from the system configuration. The scope of this command is an instance only; the scope is not an argument.
deleteWebgateAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent being deleted. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that displays a Webgate_agent registration entry.
Displays all details of the specified Webgate_agent registration entry in the Access Manager Administration Console. The scope of this command is an instance only; the scope is not an argument.
displayWebgateAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent being displayed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online only command that exports Access Manager policy data from a test (source) environment to the intermediate Access Manager file specified.
Exports Access Manager policy data from a test (source) environment to the intermediate Access Manager file. The scope of this command is an instance only; the scope is not an argument.
exportPolicy(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPolicyFile
|
Mandatory. Specifies the absolute path to the temporary Access Manager file. |
Online only command that imports the Access Manager policy data from the specified Access Manager file.
Imports the Access Manager policy data from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.
importPolicy(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPolicyFile
|
Mandatory. Specifies the absolute path to the temporary Access Manager file. |
Online only command that imports the Access Manager policy changes from the specified Access Manager file.
Imports the Access Manager policy changes from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.
importPolicyDelta(pathTempOAMPolicyFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPolicyFile
|
Mandatory. Specifies the absolute path to the temporary Access Manager file. |
Online only command that migrates partners from the current (source) Access Manager Server to the specified (target) Access Manager Server.
Migrates partners from the current (source) Access Manager Server to the specified (target) Access Manager Server. The scope of this command is an instance only; the scope is not an argument. The target administrator's password is passed as a plain-text argument, so it is recorded in any script file or session transcript that captures the call.
migratePartnersToProd(prodServerHost="<host>", prodServerPort="<port>", prodServerAdminUser="<user>", prodServerAdminPwd="<passwd>")
Argument | Definition |
---|---|
prodServerHost
|
Host name of the target Access Manager Server to which partners are to be migrated. |
prodServerPort
|
Port of the target Access Manager Server to which partners are to be migrated. |
prodServerAdminUser
|
Administrator of the target Access Manager Server to which partners are to be migrated. |
prodServerAdminPwd
|
Target Access Manager Server administrator's password. |
Online only command that exports Access Manager partners from the source to the Access Manager file specified.
Exports the Access Manager partners from the source to the Access Manager file specified. The scope of this command is an instance only; the scope is not an argument.
exportPartners(pathTempOAMPartnerFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPartnerFile
|
Mandatory. Specifies the absolute path to the temporary Access Manager partner file. |
Online only command that imports Access Manager partners from the specified Access Manager file.
Imports the Access Manager partners from the specified Access Manager file. The scope of this command is an instance only; the scope is not an argument.
importPartners(pathTempOAMPartnerFile="<absoluteFilePath>")
Argument | Definition |
---|---|
pathTempOAMPartnerFile
|
Mandatory. Specifies the path to the temporary Access Manager partner file. |
Online and offline command that displays information about all Access Manager Servers in a deployment.
displayTopology(domainHome="<domainHomeName>")
Argument | Definition |
---|---|
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online only command that configures the basic integration of Access Manager and Oracle Adaptive Access Manager (OAAM).
Configures the basic integration of Access Manager and OAAM. The scope of this command is an instance only; the scope is not an argument.
configureOAAMPartner(dataSourceName="<dataSourceName>", hostName="<hostName>", port="<port>", serviceName="<serviceName>", userName="<userName>", passWord="<passWord>", maxConnectionSize="<maxConnectionSize>", maxPoolSize="<maxPoolSize>", serverName="<serverName>")
Argument | Definition |
---|---|
dataSourceName
|
Mandatory. Specifies the name of the data source to be created. |
hostName
|
Mandatory. Specifies the name of the database host. |
port
|
Mandatory. Specifies the database port number. |
serviceName
|
Mandatory. Specifies the database service name. |
userName
|
Mandatory. Specifies the OAAM schema name. |
passWord
|
Mandatory. Specifies the OAAM schema password. |
maxConnectionSize
|
Optional. Specifies the maximum connection reserve time out size. |
maxPoolSize
|
Optional. Specifies the maximum size for the connection pool. |
serverName
|
Optional. Specifies the target server for the datasource. |
The following example configures a basic integration for Access Manager and OAAM.
configureOAAMPartner(dataSourceName="MyOAAMDS", hostName="host.example.com", port="1521", serviceName="service1", userName="username", passWord="password", maxConnectionSize=None, maxPoolSize=None, serverName="oam_server1")
Online and offline command that registers Oracle Access Management Identity Federation (Identity Federation) as a Delegated Authentication Protocol (DAP) Partner.
Registers Identity Federation as Delegated Authentication Protocol (DAP) Partner. The scope of this command is an instance only; the scope is not an argument.
registerOIFDAPPartner(keystoreLocation="/scratch/keystore", logoutURL="http://<oifhost>:<oifport>/fed/user/splooam11g?doneURL=http(s)://<oamhost>:<oamport>/oam/server/pages/logout.jsp", rolloverTime="nnn")
Argument | Definition |
---|---|
keystoreLocation
|
Mandatory. Specifies the location of the Keystore file (generated at the Identity Federation Server). |
logoutURL
|
Mandatory. Specifies the logout URL for the Identity Federation server. |
rolloverTime
|
Optional. Specifies the amount of time in seconds for which the keys used to encrypt/decrypt SASSO tokens can be rolled over. |
Online and offline command that registers Identity Federation as a Delegated Authentication Protocol (DAP) Partner in IDP Mode.
Registers Identity Federation as Delegated Authentication Protocol (DAP) Partner in IDP Mode. The scope of this command is an instance only; the scope is not an argument.
registerOIFDAPPartnerIDPMode(logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>:<oamport>/ngam/server/pages/logout.jsp")
Argument | Definition |
---|---|
logoutURL
|
Mandatory. Specifies the logout URL for the Identity Federation server. |
Registers any third party as a Trusted Authentication Protocol (TAP) Partner.
registerThirdPartyTAPPartner(partnerName="ThirdPartyTAPPartner", keystoreLocation="/scratch/DAPKeyStore/mykeystore.jks", password="test", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://thirdpartyserverhost:port/loginPage.jsp")
Argument | Definition |
---|---|
partnerName
|
Mandatory. Specifies the name of the partner. Can be any name used to identify the third party partner. |
keystoreLocation
|
Mandatory. Specifies the location of the keystore file. |
password
|
Mandatory. Specifies the password for the keystore file. |
tapTokenVersion
|
Mandatory. Specifies the version of the Trusted Authentication Protocol. |
tapScheme
|
Optional. Specifies the TAPScheme name used to protect the resource; TAPScheme is the out-of-the-box value. |
tapRedirectUrl
|
Optional. Specifies the TAP challenge URL to which the credential collector will be redirected. |
The following example illustrates the use of the parameters.
registerThirdPartyTAPPartner(partnerName = "ThirdPartyTAPPartner", keystoreLocation="/scratch/DAPKeyStore/mykeystore.jks", password="test", tapTokenVersion="v2.0", tapScheme="TAPScheme", tapRedirectUrl="http://thirdpartyserverhost:port/loginPage.jsp")
Online command that disables Coexist Mode.
Disables Coexist Mode. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.
Enables Coexist Mode for the Access Manager agent (enabling the Access Manager 11g server to own the Obssocookie set by 10g WebGate).
Enables Coexist Mode for the Access Manager agent. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.
Disables Coexist Mode for the Access Manager agent.
Disables the Coexist Mode for the Access Manager agent. The scope of this command is an instance only; the scope is not an argument. There are no arguments for this command.
Online and offline command that edits GITO configuration parameters.
Edits GITO configuration parameters. The scope of this command is an instance only; the scope is not an argument. Because the GITO cookie is a single sign-on cookie, set gitoSecureCookieEnabled to true wherever the cookie domain is served over HTTPS; the example below leaves it at false for illustration only.
editGITOValues(gitoEnabled="true", gitoCookieDomain=".abc.com", gitoCookieName="ABC", gitoVersion="v1.0", gitoTimeout="20", gitoSecureCookieEnabled="false", domainHome="/abc/def/ijk")
Argument | Definition |
---|---|
gitoEnabled
|
Specifies whether GITO is enabled. Takes a value of true or false. |
gitoCookieDomain
|
Mandatory. Specifies the GITO cookie domain. |
gitoCookieName
|
Optional. Specifies the cookie name. |
gitoVersion
|
Optional. Specifies the GITO version. Takes ONLY v1.0 or v3.0. |
gitoTimeout
|
Optional. Specifies the GITO timeout value. |
gitoSecureCookieEnabled
|
Optional. Specifies whether the GITO cookie is set with the Secure attribute so that the browser sends it only over an SSL channel. Takes a value of true or false. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that edits an 11g Webgate_entry registration in the system configuration.
Edits an 11g Webgate_entry registration in the system configuration. The scope of this command is an instance only; the scope is not an argument.
editWebgate11gAgent(agentName="<AgentName>", accessClientPasswd="<accessClientPassword >",state="<state>", preferredHost="<host>", aaaTimeoutThreshold="<aaaTimeOutThreshold>", security="<security>",logOutUrls="<logOutUrls>", maxConnections="<maxConnections>",maxCacheElems="<maxCacheElements>", cacheTimeout="<cacheTimeOut>", logoutCallbackUrl="<logoutCallbackUrl >",maxSessionTime="<maxSessionTime>", logoutRedirectUrl="<logoutRedirectUrl >",failoverThreshold="<failoverThreshold>", tokenValidityPeriod="<tokenValidityPeriod>",logoutTargetUrlParamName="<logoutTargetUrlParamName>", domainHome="<domainHome>",allowManagementOperations="<allowManagementOperations>", allowTokenScopeOperations="<allowTokenScopeOperations>", allowMasterTokenRetrieval="<allowMasterTokenRetrieval>", allowCredentialCollectorOperations="<allowCredentialCollectorOperations>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the 11g WebGate Agent to be modified. |
accessClientPasswd
|
Optional. Specifies the unique client password for this WebGate Agent. |
state
|
Optional. Specifies whether the WebGate Agent is enabled or disabled with a value of either Enabled or Disabled, respectively. |
preferredHost
|
Optional. Specifies the preferred host of the WebGate Agent. This prevents security holes that can be created if a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature. |
aaaTimeoutThreshold
|
Optional. Specifies the number (in seconds) to wait for a response from the Access Manager run-time server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (default network TCP/IP timeout is used) |
security
|
Optional. Specifies the level of transport security to and from the Access Manager run-time server. Takes as a value either open, simple, or cert. |
logOutUrls
|
List of URLS that trigger the logout handler, which removes the ObSSOCookie. |
maxConnections
|
Optional. Specifies the maximum number of connections that this Access Manager Agent can establish with the Access Manager Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent. Default = 1 |
maxCacheElems
|
Optional. Specifies the maximum number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes. The value of this setting refers to the maximum consolidated count for elements in both of these caches. Default = 10000 |
cacheTimeout
|
Optional. Specifies the amount of time cached information remains in the Access Manager Agent cache when the information is neither used nor referenced. Default = 1800 (seconds) |
logoutCallbackUrl
|
The URL to oam_logout_success, which clears cookies during the call back. By default, this is based on the Agent base URL supplied during agent registration. For example:
|
maxSessionTime
|
Optional. Specifies the maximum amount of time in seconds that a user's authentication session is valid regardless of their activity. At the expiration of this time, the user is re-challenged for authentication. This is a forced logout. A value of 0 disables this timeout setting. Default = 3600 (seconds) |
logoutRedirectUrl
|
Optional. Specifies the URL (absolute path) to the central logout page (logout.html). By default, this is based on the Access Manager Administration Console host name with a default port of 14200. |
failoverThreshold
|
Optional. Specifies a number representing the point when this Access Manager Agent opens connections to a Secondary Access Manager Server. Default = 1 |
tokenValidityPeriod
|
Optional. Specifies the amount of time in seconds that a user's authentication session remains valid without accessing any Access Manager Agent protected resources. |
logoutTargetUrlParamName
|
Optional. The value for this is the Logout Target URL to be invoked on logout, as configured at the OPSS level. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
allowManagementOperations
|
Optional. Sets the Allow Management Operations flag for this agent. Takes a value of true or false. |
allowTokenScopeOperations
|
Optional. Sets the Allow Token Scope Operations flag for this agent. Takes a value of true or false. |
idleSessionTimeout
|
Optional. Specifies the amount of time in seconds that a user's authentication session remains valid without accessing any Access Manager Agent protected resources (the idle timeout). |
allowMasterTokenRetrieval
|
Sets the Allow Master Token Retrieval flag for this agent. Takes a value of true or false. |
allowCredentialCollectorOperations
|
Sets the Allow Credential Collector Operations flag for this agent. Takes a value of true or false. |
The following example uses all mandatory and optional parameters. As in the 10g example, security="open" and accessClientPasswd="welcome1" are placeholders; use simple or cert transport security and a unique agent password in a real deployment, and leave the four allow* flags at false unless the agent needs that capability.
editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd="welcome1", state="Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10", security="open", logOutUrls="http://host1.oracle.com:1234", maxConnections = "16", maxCacheElems="10000", cacheTimeout="1800", logoutCallbackUrl="http://host2.oracle.com:1234", maxSessionTime="24", logoutRedirectUrl="logoutRedirectUrl", failoverThreshold="1", tokenValidityPeriod="tokenValidityPeriod", logoutTargetUrlParamName="logoutTargetUrl", domainHome="domainHome1", allowManagementOperations="false", allowTokenScopeOperations="false", allowMasterTokenRetrieval="false", allowCredentialCollectorOperations="false")
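The argument lists above (editWebgateAgent and editWebgate11gAgent) contain the settings that decide how much an agent can do and how its traffic is protected. The following pre-flight check is an added example written for this page; it is not Oracle code and does not call WLST. It takes the keyword arguments you are about to pass to either command, as a plain Python dict, and returns the findings a security reviewer would raise before the change is applied. The password list and the 12-character minimum are assumptions of the check, not Oracle rules; DOC_EXAMPLE_11G is the page's own example copied as test input.

```python
"""Pre-flight review of WebGate agent registration arguments (added example)."""
from urllib.parse import urlsplit

# Passwords that show up in vendor examples; constructed list for this check.
EXAMPLE_PASSWORDS = {"welcome1", "welcome", "password", "test", "oracle"}

# 11g-only flags from the editWebgate11gAgent argument list; each one widens
# what the agent may ask the server to do, so "true" deserves a second look.
PRIVILEGE_FLAGS = (
    "allowManagementOperations",
    "allowTokenScopeOperations",
    "allowMasterTokenRetrieval",
    "allowCredentialCollectorOperations",
)

# Arguments that carry URLs; a plain http:// value exposes logout traffic.
URL_ARGS = ("logOutUrls", "logoutCallbackUrl", "logoutRedirectUrl")

# The page's own editWebgate11gAgent example, copied here as test input.
DOC_EXAMPLE_11G = {
    "agentName": "WebgateAgent1",
    "accessClientPasswd": "welcome1",
    "security": "open",
    "logOutUrls": "http://host1.oracle.com:1234",
    "logoutCallbackUrl": "http://host2.oracle.com:1234",
    "logoutRedirectUrl": "logoutRedirectUrl",
    "maxSessionTime": "24",
    "allowManagementOperations": "false",
    "allowTokenScopeOperations": "false",
    "allowMasterTokenRetrieval": "false",
    "allowCredentialCollectorOperations": "false",
}


def _as_int(args, key):
    """Return args[key] as an int, or None when absent or not numeric."""
    try:
        return int(args[key])
    except (KeyError, TypeError, ValueError):
        return None


def lint_agent_args(args):
    """Return a list of (severity, argument, message) tuples for one agent."""
    findings = []

    # Transport security between the WebGate and the OAM server.
    if str(args.get("security", "")).lower() == "open":
        findings.append(("high", "security",
                         "open mode sends agent traffic unencrypted and "
                         "unauthenticated; use simple or cert"))

    # The agent password is what ties the agent to its registered profile.
    pwd = args.get("accessClientPasswd")
    if pwd is not None and (len(pwd) < 12 or pwd.lower() in EXAMPLE_PASSWORDS):
        findings.append(("high", "accessClientPasswd",
                         "example or short password; generate a long random one"))

    # Session lifetime: 0 switches off forced re-authentication, and an idle
    # timeout longer than the absolute maximum can never fire.
    max_s = _as_int(args, "maxSessionTime")
    idle_s = _as_int(args, "idleSessionTimeout")
    if max_s == 0:
        findings.append(("medium", "maxSessionTime",
                         "0 disables the forced re-authentication timeout"))
    if max_s and idle_s and idle_s > max_s:
        findings.append(("low", "idleSessionTimeout",
                         "%d s exceeds maxSessionTime of %d s" % (idle_s, max_s)))

    # Logout URLs over plain HTTP (logOutUrls may be a comma-separated list).
    for key in URL_ARGS:
        for url in str(args.get(key, "")).split(","):
            url = url.strip()
            if url and urlsplit(url).scheme.lower() == "http":
                findings.append(("medium", key, "plain http URL: " + url))

    # Extra agent privileges.
    for key in PRIVILEGE_FLAGS:
        if str(args.get(key, "false")).lower() == "true":
            findings.append(("medium", key, "true widens the agent's privileges"))

    return findings


if __name__ == "__main__":
    for severity, arg, msg in lint_agent_args(DOC_EXAMPLE_11G):
        print("%-6s %-35s %s" % (severity, arg, msg))
```

Run against the page's example the check reports open transport security, the example password, and two plain-HTTP logout URLs; run against the 10g example it also reports an idle timeout (3600) that exceeds the maximum session time (24).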
Online and offline command that enables you to remove an 11g Webgate_agent entry in the system configuration.
Removes an 11g Webgate_agent entry in the system configuration. The scope of this command is an instance only; the scope is not an argument.
deleteWebgate11gAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the 11g WebGate Agent to be removed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that enables you to display an 11g Webgate_agent registration entry.
Displays an 11g WebGate Agent registration entry. The scope of this command is an instance only; the scope is not an argument.
displayWebgate11gAgent(agentName="<AgentName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
agentName
|
Mandatory. Specifies the name of the 11g WebGate Agent to be displayed. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that enables the display of metrics for Access Manager Servers.
Enables the display of metrics for Access Manager Servers. The scope of this command is an instance only; the scope is not an argument.
displayOAMMetrics(domainHome="<domainHomeName>")
Argument | Definition |
---|---|
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
DEPRECATED - Online only command that updates the Oracle Identity Manager configuration when integrated with Access Manager.
Updates the Identity Manager configuration in the system configuration. The scope of this command is an instance only; the scope is not an argument.
updateOIMHostPort(hostName="<host name>", port="<port number>", secureProtocol="true")
Argument | Definition |
---|---|
hostName
|
Name of the Identity Manager host. |
port
|
Port of the Identity Manager host. |
secureProtocol
|
Takes a value of true (communication is through HTTPS) or false (communication is through HTTP). |
DEPRECATED - Online only command that registers an agent profile specific to Oracle Identity Manager when integrated with Access Manager.
Creates an Agent profile specific to Oracle Identity Manager when integrated with Access Manager. The scope of this command is an instance only; the scope is not an argument.
configureOIM(oimHost="<OIM host>", oimPort="<port>", oimSecureProtocolEnabled="true | false", oimAccessGatePwd="<AccessGatePassword>", oimCookieDomain="<OIMCookieDomain>", oimWgId="<OIMWebgateID>", oimWgVersion="<OIMWebgateVersion>")
Argument | Definition |
---|---|
oimHost
|
Name of the Oracle Identity Manager host. In an Enterprise Deployment Guide (EDG) topology, the host name of the load balancer (LBR) in front of the OIM cluster. |
oimPort
|
Port of the Oracle Identity Manager Managed Server. In an EDG topology, the LBR port in front of the OIM Managed Server cluster. |
oimSecureProtocolEnabled
|
Takes a value of true (communication is through HTTPS) or false (communication is through HTTP). |
oimAccessGatePwd
|
If provided, the agent password for Open mode. |
oimCookieDomain
|
Domain in which the cookie is to be set. |
oimWgId
|
Agent registration name. |
oimWgVersion
|
Possible values are 10g or 11g. If not provided, the default is 10g. |
Online and offline command that updates the OSSO Proxy response cookie settings.
Updates OSSO Proxy response cookie settings. The scope of this command is an instance only; the scope is not an argument.
updateOSSOResponseCookieConfig(cookieName="<cookieName>",cookieMaxAge="<cookie age in minutes>", isSecureCookie="true | false",cookieDomain="<domain of the cookie>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
cookieName
|
Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated. |
cookieMaxAge
|
Maximum age of a cookie in minutes. A negative value sets a session cookie. |
isSecureCookie
|
Boolean flag that specifies whether the cookie is marked Secure (sent only over an SSL channel). |
cookieDomain
|
The domain of the cookie. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Online and offline command that deletes the OSSO Proxy response cookie settings in the system configuration.
Deletes the OSSO Proxy response cookie settings. The scope of this command is an instance only; the scope is not an argument.
deleteOSSOResponseCookieConfig(cookieName="<cookieName>", domainHome="<domainHomeName>")
Argument | Definition |
---|---|
cookieName
|
Mandatory. Name of the cookie for which settings are being deleted. The global cookie setting cannot be deleted. |
domainHome
|
Specifies the location for the Weblogic Server OR Cell Path for WebSphere. This parameter is mandatory for WebSphere. When Offline, a value is mandatory; when online, optional. |
Configures the identity store and external user store.
configureOIM(oimHost="<OIM host>", oimPort="<port>", oimSecureProtocolEnabled="true | false", oimAccessGatePwd="<AccessGatePassword>", oimCookieDomain="<OIMCookieDomain>", oimWgId="<OIMWebgateID>", oimWgVersion="<OIMWebgateVersion>", nameOfIdStore="<nameOfIdStore>", idStoreSecurityCredential="<idStoreSecurityCredential>", userSearchBase="<userSearchBase>", ldapUrl="<ldapUrl>", groupSearchBase="<groupSearchBase>", securityPrincipal="<securityPrincipal>", idStoreType="<idStoreType>", ldapProvider="<ldapProvider>", isPrimary="<isPrimary>", userIDProvider="<userIDProvider>", userNameAttr="<userNameAttr>")
Argument | Definition |
---|---|
oimHost
|
Name of the Oracle Identity Manager host. In an Enterprise Deployment Guide (EDG) topology, the host name of the load balancer (LBR) in front of the OIM cluster. |
oimPort
|
Port of the Oracle Identity Manager Managed Server. In an EDG topology, the LBR port in front of the OIM Managed Server cluster. |
oimSecureProtocolEnabled
|
Takes a value of true (communication is through HTTPS) or false (communication is through HTTP). |
oimAccessGatePwd
|
If provided, the agent password for Open mode. |
oimCookieDomain
|
Domain in which the cookie is to be set. |
oimWgId
|
Agent registration name. |
oimWgVersion
|
Possible values are 10g or 11g. If not provided, the default is 10g. |
nameOfIdStore
|
Mandatory. Specifies the name of the LDAP identity store to be created. |
idStoreSecurityCredential
|
Mandatory. Specifies the password of the Principal for the LDAP identity store being created. |
userSearchBase
|
Mandatory. Specifies the node under which user data is stored in the LDAP identity store being created. |
ldapUrl
|
Mandatory. Specifies the URL for the LDAP host (including port number) of the LDAP identity store being created. |
groupSearchBase
|
Mandatory. Specifies the node under which group data is stored in the LDAP identity store being created. |
securityPrincipal
|
Mandatory. Specifies the Principal Administrator of the LDAP identity store being created. |
idStoreType
|
Mandatory. Specifies the type of the LDAP identity store being created. |
ldapProvider
|
Specifies the LDAP Provider type of the store being created. |
isPrimary
|
Optional. Specifies whether the LDAP identity store being registered is the primary identity store. Takes true or false as a value. |
userIDProvider
|
Specifies the user Identity Provider for the store being created. |
userNameAttr
|
Mandatory. Specifies the user name attribute for the store. |
The following example illustrates this command.
configureOIM(oimHost="oracle.com", oimPort="7777", oimSecureProtocolEnabled="true", oimAccessGatePwd="welcome", oimCookieDomain="domain1", oimWgId="<OIM Webgate ID>", oimWgVersion="10g", nameOfIdStore="nameOfIdStore", idStoreSecurityCredential="idStoreSecurityCredential", userSearchBase="userSearchBase", ldapUrl="ldapUrl", groupSearchBase="groupSearchBase", securityPrincipal="securityPrincipal", idStoreType="idStoreType", ldapProvider="ldapProvider", isPrimary="true", userIDProvider="userIDProvider", userNameAttr="userNameAttr")
Configures the identity store and external user store using the values supplied in a properties file.
Configures the identity store and external user store using the values supplied in the specified properties file.
configAndCreateIdStoreUsingPropFile(path="<path_of_property_file>")
Argument | Definition |
---|---|
|
Path to the property file in which the values are defined. |
DEPRECATED - Migrates artifacts.
migrateArtifacts(path="<path_to_artifacts_file>", password="<password>", type="OutOfPlace|InPlace", isIncremental="true|false")
Argument | Definition |
---|---|
path
|
Location of the artifacts file |
password
|
Password used while generating original artifacts. |
type
|
Defines the type of migration. Takes as a value InPlace or OutOfPlace. |
isIncremental
|
Boolean that takes a value of true or false. If true, an incremental upgrade is done. |
Displays the simple mode global passphrase defined in the system configuration in plain text.
Online only command that displays the simple mode global passphrase in plain text. There are no arguments for this command. The passphrase is the shared secret behind simple-mode transport security between agents and the Access Manager Server, so run this command only from a trusted console: the value is written to the terminal and to any transcript or log that records the WLST session.
Exports selected Access Manager Partners to the specified Access Manager file.
Exports selected Access Manager Partners to the specified Access Manager file specified.
exportSelectedPartners(pathTempOAMPartnerFile="<absoluteFilePath>", partnersNameList="<comma_separated_partner_names>")
Argument | Definition |
---|---|
pathTempOAMPartnerFile
|
Mandatory. The location of the file to which the information will be exported. |
partnersNameList
|
Mandatory. Specifies a comma separated list of partner IDs being exported. |
Online only command that migrates policies, authentication stores, and user stores from OSSO, OAM10g, OpenSSO, or AM 7.1 to OAM11g.
oamMigrate(oamMigrateType="<migrationType>", pathMigrationPropertiesFile="<absoluteFilePath>")
Argument | Definition |
---|---|
oamMigrateType
|
Mandatory. Specifies the type of migration being done. Takes one of the following as a value: OSSO | OpenSSO | OAM10g. NOTE: OpenSSO applies to both AM 7.1 and OpenSSO. |
pathMigrationPropertiesFile
|
Mandatory. Specifies the path to the file from which the necessary artifacts for migration are read. |
Online only command that invokes the preSchemeUpgrade operation.
preSchemeUpgrade(pathUpgradePropertiesFile="/middlewarehome/oam-upgrade.properties")
Argument | Definition |
---|---|
pathUpgradePropertiesFile
|
Mandatory. Specifies the path to the file from which the necessary system properties for the upgrade are read. |
Invokes the postSchemeUpgrade operation.
postSchemeUpgrade(pathUpgradePropertiesFile="/middlewarehome/oam-upgrade.properties")
Argument | Definition |
---|---|
pathUpgradePropertiesFile
|
Mandatory. Specifies the path to the file from which the necessary system properties for the upgrade are read. |
Sets the white list mode to true or false.
Sets the white list mode to true or false. If true, Access Manager redirects to the last URL requested by the consuming application only if that URL is configured as a white-list URL.
oamSetWhiteListMode(oamWhiteListMode="true|false")
Argument | Definition |
---|---|
oamWhiteListMode
|
Mandatory. Enables (true) or disables (false) the Access Manager white list mode. |
Add, update or remove whitelist URL entries from the specified file.
oamWhiteListURLConfig(Name="xyz", Value="http://xyz.com:1234", Operation="Remove|Update")
Argument | Definition |
---|---|
Name
|
Mandatory. A valid string representing the name (key) for this entry. |
Value
|
Mandatory. A valid URL in the <protocol>://<host>:<port> format. If the port is not specified, the default HTTP or HTTPS port is assigned according to the protocol. |
Operation
|
Mandatory. Takes as a value Update or Remove. Not case sensitive. |
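White list mode exists to stop an open redirect: without it, a crafted request can send a freshly authenticated user to any URL an attacker chooses. The following model is an added example written for this page; it is not Oracle code and does not call WLST. It keeps a whitelist with the same Name, Value and Operation shape as oamWhiteListURLConfig, applies the page's default-port rule, and compares redirect targets on scheme, host and port rather than on a string prefix. Treating Update as add-or-replace, and the naive_allows contrast function, are assumptions of the example, not documented Access Manager behaviour.

```python
"""Whitelist-mode redirect check modelled on oamWhiteListURLConfig (added example)."""
from urllib.parse import urlsplit

# Default ports assigned when a whitelist value omits the port (page rule).
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_entry(value):
    """Reduce a <protocol>://<host>[:<port>] value to (scheme, host, port)."""
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected <protocol>://<host>[:<port>], got %r" % value)
    # parts.port raises ValueError for a non-numeric port such as "1234.evil.example"
    return (scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[scheme])


class WhiteList:
    """Named entries, keyed like oamWhiteListURLConfig(Name, Value, Operation)."""

    def __init__(self):
        self.entries = {}

    def config(self, name, value, operation):
        op = operation.lower()  # Operation is documented as not case sensitive
        if op == "update":      # assumption: Update creates the entry if absent
            self.entries[name] = normalize_entry(value)
        elif op == "remove":
            self.entries.pop(name, None)
        else:
            raise ValueError("Operation must be Update or Remove, got %r" % operation)

    def allows(self, redirect_url):
        """True only if the target's (scheme, host, port) equals a whitelisted origin."""
        try:
            target = normalize_entry(redirect_url)
        except ValueError:  # relative, scheme-less or malformed targets are refused
            return False
        return target in self.entries.values()


def naive_allows(entries, redirect_url):
    """The prefix check applications often write themselves; shown for contrast."""
    return any(redirect_url.startswith(e) for e in entries)


if __name__ == "__main__":
    wl = WhiteList()
    wl.config("xyz", "http://xyz.com:1234", "Update")  # value from the page's example
    probes = [
        "http://xyz.com:1234/app/home",        # legitimate target
        "http://xyz.com:1234.evil.example/",   # prefix matches, host does not
        "http://xyz.com:1234@evil.example/",   # userinfo trick, real host is evil.example
        "//xyz.com:1234/",                     # scheme-relative, refused outright
    ]
    for url in probes:
        print("%-40s exact=%-5s prefix=%s" % (url, wl.allows(url),
                                             naive_allows(["http://xyz.com:1234"], url)))
```

The two trick URLs pass the prefix check and fail the origin check, which is the difference between a redirect that stays on the application and one that lands the user, with a fresh session, on an attacker's host.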
Online only command to enable Multi Data Centre Mode.
enableMultiDataCentreMode(propfile="<absoluteFilePath>")
Argument | Definition |
---|---|
propfile
|
Mandatory. Specifies the absolute path to a file from which the properties to enable Multi Data Centre mode are read. |
Sets the Multi Data Centre cluster name.
setMultiDataCentreClusterName(clusterName="MyCluster")
Argument | Definition |
---|---|
clusterName
|
Mandatory. Specifies the name of the cluster. |
Sets the Multi Data Centre Partner logout URLs.
setMultiDataCentreLogoutURLs (logoutURLs="http://<host>:<port>/logout.jsp,http://<host>:<port>/logout.jsp")
Argument | Definition |
---|---|
logoutURLs
|
Mandatory. Specify a comma separated list of Multi Data Centre Partner logout URLs. |
Updates the Multi Data Centre Partner logout URLs.
updateMultiDataCentreLogoutURLs (logoutURLs="http://<host>:<port>/logout.jsp,http://<host>:<port>/logout.jsp")
Argument | Definition |
---|---|
logoutURLs
|
Mandatory. Specify a comma separated list of Multi Data Centre Partner logout URLs. |
Online command that adds a partner to Multi Data Centre.
Adds a partner to Multi Data Centre. This command is supported only in online mode and adds one partner at a time.
addPartnerForMultiDataCentre(propfile="<absoluteFilePath>")
Argument | Definition |
---|---|
propfile
|
Mandatory. Specifies the absolute path to a file that contains the agent information. |
Removes a partner from Multi Data Centre.
Removes a partner from Multi Data Centre. This command is supported only in online mode and removes one partner at a time.
removePartnerForMultiDataCentre(webgateid="<webgateId>")
Argument | Definition |
---|---|
webgateid
|
Mandatory. Specifies the ID of the partner to be deleted. |
This section lists commands to configure federation partners.
Table 4-7 WLST Access Manager Commands for Federation Partners
Use this command... | To... | Use with WLST... |
---|---|---|
Create an OpenID 2.0 IdP partner. |
Online |
|
Create an OpenID 2.0 SP partner. |
Online |
|
Create a Google OpenID 2.0 IdP partner. |
Online |
|
Create a Yahoo OpenID 2.0 IdP partner. |
Online |
|
Create an IdP federation partner, including metadata, under the SAML 1.1 protocol. |
Online |
|
Create an SP federation partner, including metadata, under the SAML 1.1 protocol. |
Online |
|
Create an IdP federation partner under the SAML 2.0 protocol. |
Online |
|
Create an SP federation partner under the SAML 2.0 protocol. |
Online |
|
Create an IdP federation partner under the SAML 2.0 protocol without importing metadata. |
Online |
|
Create an SP federation partner under the SAML 2.0 protocol without importing metadata. |
Online |
|
Configure an IdP partner attribute profile to specify whether incoming attributes that are not part of the profile should be ignored. |
Online |
|
Configure global federation logout for a SAML 2.0 federation partner. |
Online |
|
Configure the preferred binding for a SAML federation partner. |
Online |
|
Enable user self registration. |
Online |
|
Sets which attributes from the assertion should be used as email, first name, last name or username during self registration. |
Online |
|
Create an authentication scheme and module for an IdP partner. |
Online |
|
Create an IdP partner attribute profile for a federation partner. |
Online |
|
Create an SP partner attribute profile for a federation partner. |
Online |
|
Delete an authentication scheme and module for an IdP partner. |
Online |
|
Delete a specific federation partner. |
Online |
|
Delete the encryption certificate of a federation partner. |
Online |
|
Delete the signing certificate of a federation partner. |
Online |
|
Delete the attribute profile of an IdP federation partner. |
Online |
|
Delete the attribute profile of an SP federation partner. |
Online |
|
Delete an entry from the attribute profile of a federation partner. |
Online |
|
Delete an entry from the attribute profile of a federation partner. |
Online |
|
Delete a partner-specific property that was added to the partner's configuration. |
Online |
|
Display an IdP federation partner's attribute profile. |
Online |
|
Display an SP federation partner's attribute profile. |
Online |
|
List all IdP federation partners. |
Online |
|
Retrieve the encryption certificate for a federation partner. |
Online |
|
Retrieve the signing certificate for a federation partner |
Online |
|
Retrieve the HTTP basic authentication username for a federation partner. |
Online |
|
Retrieve a property for a federation partner. |
Online |
|
Retrieve a string property from a federation partner profile. |
Online |
|
Check whether a partner is configured. |
Online |
|
List an IdP partner's attribute profiles. |
Online |
|
List an SP partner's attribute profiles. |
Online |
|
Sets an OpenID partner as the default Federation IdP. |
Online |
|
Set an IdP partner as the default identity provider for a federation single sign-on. |
Online |
|
Set the encryption certificate for a federation partner. |
Online |
|
Set the signing certificate for a federation partner. |
Online |
|
Set the attribute profile to use during federated single sign-on with an IdP partner. |
Online |
|
Set the default OAM Authentication Scheme. |
Online |
|
Set the attribute profile to use during federated single sign-on with an SP partner. |
Online |
|
Set an entry in an IdP federation partner's profile. |
Online |
|
Set an entry in an SP federation partner's profile. |
Online |
|
Update a federation partner's HTTP basic auth credential. |
Online |
|
Set the attribute used for assertion mapping for a federation partner. |
Online |
|
Set the attribute query used for assertion mapping for a federation partner. |
Online |
|
Set the assertion mapping nameID value for an IdP federation partner. |
Online |
|
Update a federation partner's alias name. |
Online |
|
Set a federation partner's identity store and base DN. |
Online |
|
Configure an alternate Authentication Scheme. |
Online |
|
Configure a default Authentication Scheme. |
Online |
|
Configure the profile with a default Authentication Scheme. |
Online |
|
Configure the profile for an alternate Authentication Scheme. |
Online |
|
Update a federation partner's metadata. |
Online |
|
Update a property for a federation partner. |
Online |
Note:
Some of the command examples in this section are specified with attributes in the key-value format and some are not. Oracle Identity Federation supports either, but the key-value format should be used.
Creates an OpenID 2.0 IdP partner.
addOpenID20IdPFederationPartner(partnerName, idpSSOURL, discoveryURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
idpSSOURL | The initiate SSO URL of the IdP. Can be set to "" if the discovery URL is specified and intended to be used. |
discoveryURL | The OpenID discovery URL of the IdP. |
description | The description of the partner. Optional. |
Creates an OpenID 2.0 SP partner.
addOpenID20SPFederationPartner(partnerName, realm, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
realm | The realm for the SP (RP). |
ssoURL | The endpoint URL of the SP (RP). |
description | The description of the partner. Optional. |
Creates an IdP partner with the name google.
Creates an IdP partner with the name google using the discovery URL https://www.google.com/accounts/o8/id.
Creates an IdP partner with the name yahoo.
Creates an IdP partner with the name yahoo using the discovery URL https://open.login.yahooapis.com/openid20/user_profile/xrds.
Creates a SAML 1.1 IdP federation partner.
addSAML11IdPFederationPartner(partnerName, providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Creates a SAML 1.1 SP federation partner.
addSAML11SPFederationPartner(partnerName, providerID, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
description | The description of the partner. Optional. |
Creates a SAML 2.0 IdP Federation partner.
Creates a federation partner as an identity provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.
addSAML20IdPFederationPartner(partnerName, metadataFile, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
metadataFile | The location of the metadata file (full path). |
description | The description of the partner. Optional. |
Creates a SAML 2.0 SP Federation partner.
Creates a federation partner as a service provider for Access Manager under the SAML 2.0 protocol, and loads the partner metadata from a file.
addSAML20SPFederationPartner(partnerName, metadataFile, description)
Argument | Definition |
---|---|
partnerName | The name of the partner to be created. |
metadataFile | The location of the metadata file (full path). |
description | The description of the partner. Optional. |
Creates a SAML 2.0 IdP federation partner without SAML 2.0 metadata.
addSAML20IdPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, soapURL, succinctID, description)
Argument | Definition |
---|---|
partnerName | The name of the federation partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
soapURL | The artifact resolution SOAP endpoint URL of the IdP. |
succinctID | The succinctID of the provider. |
description | The description of the partner. Optional. |
Creates a SAML 2.0 SP federation partner without SAML 2.0 metadata.
addSAML20SPFederationPartnerWithoutMetadata(partnerName, providerID, ssoURL, description)
Argument | Definition |
---|---|
partnerName | The name of the federation partner to be created. |
providerID | The providerID of the partner. |
ssoURL | The initiate SSO URL of the IdP. |
description | The description of the partner. Optional. |
Configures an IdP partner attribute profile to process incoming attributes.
Configures an IdP partner attribute profile to process or ignore incoming attributes not defined in the profile.
configureIdPPartnerAttributeProfile(attrProfileID, ignoreUnmappedAttributes)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to configure. |
ignoreUnmappedAttributes | Determines whether incoming attributes that are not defined in the profile should be ignored. Valid values are true (ignore) or (the default) false (process). |
Configures global federation logout for a SAML 2.0 partner.
configureSAML20Logout(partnerName, partnerType, enable, saml20LogoutRequestURL, saml20LogoutResponseURL, soapURL)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Whether the partner is a service provider or identity provider. Valid values are sp, idp. |
enable | Enable or disable global logout for that partner. Valid values are true (enable), false (disable). |
saml20LogoutRequestURL | The SAML 2.0 logout request service URL. Optional if the partner was created using metadata, or if logout is disabled. |
saml20LogoutResponseURL | The SAML 2.0 logout response service URL. Optional if the partner was created using metadata, or if logout is disabled. |
soapURL | The SAML 2.0 SOAP service URL. Optional if the partner was created using metadata, if logout is disabled, or if SOAP logout is not supported. |
Specifies the binding for a SAML partner.
configureSAMLBinding(partnerName, partnerType, binding, ssoResponseBinding="httppost")
Argument | Definition |
---|---|
partnerName | The name of the partner to be configured. |
partnerType | Indicates whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
binding | Specifies the binding to use for messages other than SSO responses (authentication requests, logout messages). Valid options are httppost for HTTP-POST binding and httpredirect for HTTP-Redirect binding. |
ssoResponseBinding | This optional attribute defines the binding to use for an SSO response. Valid options are httppost for HTTP-POST binding (the default value), httpredirect for HTTP-Redirect binding, or artifact for Artifact binding. |
Enables the user self-registration module.
configureUserSelfRegistration(<enabled>, <registrationURL>, <regDataRetrievalAuthnEnabled>, <regDataRetrievalAuthnUsername>, <regDataRetrievalAuthnPassword>, <partnerName>)
Argument | Definition |
---|---|
enabled | Indicates if the user self-registration module is enabled. Takes a value of true or false. |
registrationURL | The location to which the user will be redirected for self-registration. If partnerName is not specified, and if registrationURL is empty or missing, the current property will be unchanged. If partnerName is specified, and if registrationURL is empty or missing, this property will be removed from the partner's configuration. |
regDataRetrievalAuthnEnabled | Indicates if authentication of the registration page is enabled when contacting the server to retrieve registration data. |
regDataRetrievalAuthnUsername | Specifies the username the registration page will send to the server when retrieving the registration data from the server. |
regDataRetrievalAuthnPassword | Specifies the password the registration page will send to the server when retrieving the registration data from the server. |
partnerName | Indicates the IdP partner for which to enable user self-registration. If missing, the configuration operation will be global. |
Sets the attributes in an assertion that will be used as email, first name, last name and username.
configureUserSelfRegistration(<registrationAttrName>, <assertionAttrNames>, <partnerName>)
Argument | Definition |
---|---|
registrationAttrName | The self-registration page attribute to set. Can be one of the following values: email, firstname, lastname, or username. |
assertionAttrNames | The possible attributes from the assertion that can be used to populate the self-registration page field specified as the registrationAttrName. |
partnerName | Indicates the IdP partner for which to configure user self-registration. If missing, the configuration operation will be global. |
Creates an authentication scheme that uses an OpenID IdP.
Creates an authentication scheme that uses an OpenID IdP to protect resources in Access Manager.
createAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner for whom the scheme is to be created. |
Creates an IdP attribute profile.
Creates an IdP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.
createIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier of the IdP attribute profile. |
Creates an SP attribute profile.
Creates an SP partner attribute profile that will contain name mapping rules used to process attributes in incoming SAML Assertions.
createSPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier of the SP attribute profile. |
Deletes an authentication scheme for an IdP.
deleteAuthnSchemeAndModule(partnerName)
Argument | Definition |
---|---|
partnerName | The name of the partner whose scheme is to be deleted. |
Deletes a federation partner.
deleteFederationPartner(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes the encryption certificate of a partner.
deleteFederationPartnerEncryptionCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose encryption certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes the signing certificate of a partner.
deleteFederationPartnerSigningCert(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The ID of the partner whose signing certificate is to be deleted. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Deletes an IdP partner attribute profile.
deleteIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
Deletes an SP partner attribute profile.
deleteSPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile. |
Deletes an IdP Partner Attribute Profile entry.
deleteIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message. |
Deletes an SP Partner Attribute Profile entry.
deleteSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile. |
messageAttributeName | The name of the attribute to delete, as it appears in the outgoing message. |
Deletes a partner property.
See also Using WLST with SAML 1.1.
Deletes a partner-specific property. Use this command only for a property that was added to the partner's configuration.
deletePartnerProperty(partnerName, partnerType, propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the configured property to be removed. |
Displays an IdP partner attribute profile.
displayIdPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the IdP partner attribute profile to be displayed. |
Displays an SP partner attribute profile.
displaySPPartnerAttributeProfile(attrProfileID)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP partner attribute profile to be displayed. |
Retrieves the encryption certificate for a partner.
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the encryption certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Retrieves the signing certificate for a partner.
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the signing certificate will be retrieved. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Gets a partner's basic authentication username.
getIdPPartnerBasicAuthCredentialUsername(partnerName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the username will be retrieved and displayed. |
Retrieves a partner property.
getPartnerProperty(partnerName, partnerType, propName)
Argument | Definition |
---|---|
partnerName | The ID of the partner for which the property will be retrieved. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
propName | The name of the property to retrieve. |
Retrieves a string property.
Retrieves a string property for a federation partner profile.
If a partner does not have an attribute profile assigned to it, the default attribute profile (based on whether the partner is an IdP or SP) will be used. The defaultattributeprofileidp and defaultattributeprofilesp properties in the fedserverconfig file reference the default profiles.
getStringProperty("/fedserverconfig/<propertyName>")
Argument | Definition |
---|---|
propertyName | The name of the property to be retrieved. Default partner profiles are available after installation and the following properties reference them. Default property values can be retrieved by replacing propertyName with one of the following: |
Checks whether a partner is configured.
isFederationPartnerPresent(partnerName, partnerType)
Argument | Definition |
---|---|
partnerName | The partner ID. |
partnerType | Specifies whether the partner is a service provider or an identity provider. Valid values are sp, idp. |
Puts a string value under a designated path in the OSTS configuration.
putStringProperty(path="/validationtemplates/username-wss-validation-template/StringNAME", value="TestString")
Argument | Definition |
---|---|
path | Path inside the configuration where the string property will be put. |
value | The string value to set. |
Sets the IdP partner to serve as the default IdP for federated single sign-on (SSO).
Sets the IdP partner that serves as the default IdP during federated SSO when the federation authentication plugin does not select one at run time.
setDefaultSSOIdPPartner(partnerName)
Argument | Definition |
---|---|
partnerName | ID of the partner which will serve as the default IdP for federated SSO. |
Sets the encryption certificate for a partner.
setFederationPartnerEncryptionCert(partnerName, partnerType, certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | The full path and name of the file that stores the encryption certificate. Certificates can be in either PEM or DER format. |
Sets the signing certificate for a partner.
setFederationPartnerSigningCert(partnerName, partnerType, certFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are idp, sp. |
certFile | Specifies the full path and name of the file that stores the signing certificate. Certificates can be in either PEM or DER format. |
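Both setFederationPartnerEncryptionCert and setFederationPartnerSigningCert accept a PEM or DER file. The following Python is an added example, not Oracle's code and not part of WLST: it normalises either form to DER, checks that the outer DER length matches the data (which catches a truncated or wrong-format file), and computes the SHA-256 fingerprint so the value can be compared with what the partner communicated out of band before the certificate is installed. The certificate bytes below are a constructed stand-in, not a real certificate; in practice the bytes come from `open(path, "rb").read()`.

```python
"""Normalise a partner certificate file (PEM or DER) and fingerprint it.

Added example using only the standard library. It does not parse X.509
fields; it validates the outer DER SEQUENCE length and hashes the DER bytes.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_sequence_length(data: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE, or -1 if malformed."""
    if len(data) < 2 or data[0] != 0x30:   # 0x30 = SEQUENCE tag
        return -1
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def to_der(blob: bytes) -> bytes:
    """Accept PEM or DER bytes (the formats the commands accept) and return DER."""
    m = PEM_RE.search(blob)
    der = base64.b64decode(m.group(1)) if m else blob
    if der_sequence_length(der) != len(der):
        raise ValueError("not a well-formed DER SEQUENCE (truncated or wrong format)")
    return der


def sha256_fingerprint(blob: bytes) -> str:
    """Colon-separated SHA-256 fingerprint over the DER encoding."""
    digest = hashlib.sha256(to_der(blob)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in: a minimal DER SEQUENCE containing INTEGER 5. It is not a
# real certificate and exists only so the functions can run offline.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Both encodings of the same certificate yield the same fingerprint.
    print(sha256_fingerprint(SAMPLE_PEM))
    print(sha256_fingerprint(SAMPLE_DER))
```

Comparing the fingerprint against a value obtained through a separate channel is what makes the certFile trustworthy; the format check alone only proves the file is structurally DER.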
Sets a partner attribute profile.
Sets the IdP partner attribute profile to use when performing a federation single sign-on with an IdP partner.
setIdPPartnerAttributeProfile(partnerName, attrProfileID)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrProfileID | The IdP partner attribute profile ID to be set. |
Sets the default OAM Authentication Scheme to be used to challenge a user.
setIdPDefaultScheme(authnScheme, appDomain, hostID, authzPolicy="ProtectedResourcePolicy")
Argument | Definition |
---|---|
authnScheme | The OAM Authentication Scheme. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID to be used when creating the underlying resource policy object. |
authzPolicy | Optional. The name of the Authorization Policy to be used to protect the underlying resource policy object being created. |
Assigns an SP partner attribute profile to an SP partner.
setSPPartnerAttributeProfile(partnerName, attrProfileID)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrProfileID | The ID of the SP partner attribute profile to be set. |
Sets an entry in an IdP partner attribute profile.
setIdPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName, oamSessionAttributeName, requestFromIdP)
Argument | Definition |
---|---|
attrProfileID | The IdP partner attribute profile. |
messageAttributeName | The name of the message attribute. |
oamSessionAttributeName | The name of the attribute as it will appear in the Access Manager session. |
requestFromIdP | Determines whether this attribute should be requested from the IdP partner. Valid values are true, false. |
Sets an entry in an SP partner attribute profile.
setSPPartnerAttributeProfileEntry(attrProfileID, messageAttributeName, value, alwaysSend)
Argument | Definition |
---|---|
attrProfileID | The identifier referencing the SP Partner Attribute Profile in which the entry will be set. |
messageAttributeName | The name of the attribute as it will appear in the outgoing message. |
value | Value of the attribute element. It can be a static string, user attribute, session attribute, or a combination of those types. |
alwaysSend | Signifies whether or not this attribute should always be sent to the SP Partner. Valid values are true, false. If false, it will only be sent if the SP Partner requests it (OpenID supports this). |
Sets a partner's basic authentication credentials.
setIdPPartnerBasicAuthCredential(partnerName, username, password)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
username | The user ID of the user. |
password | The password corresponding to the username. |
Sets a partner's assertion mapping attribute.
Specify that an attribute from the OpenID assertion received from the IdP be mapped to a given data store attribute in order to identify the user.
setIdPPartnerMappingAttribute(partnerName, assertionAttr, userstoreAttr)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
assertionAttr | The attribute name in the assertion used to map the user to the identity store. |
userstoreAttr | The name of the attribute in the identity store to which to map the assertion attribute value. |
Updates a partner for assertion mapping of a user with an attribute query.
Sets or updates a partner to specify the attribute query to map an assertion to the user store.
setIdPPartnerMappingAttributeQuery(partnerName, attrQuery)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
attrQuery | The attribute query to be used. The LDAP query can contain placeholders referencing the attributes in the SAML Assertion, as well as the NameID. An attribute from the SAML Assertion is referenced by its name surrounded by the % character; for example, if the attribute name is Userlastname, the attribute is referenced as %Userlastname%. The NameID value is referenced as %fed.nameidvalue%. |
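As an added illustration, not Oracle's code and not how Access Manager itself evaluates the query, the following Python expands an attribute query template of the kind passed to setIdPPartnerMappingAttributeQuery: %Userlastname% and %fed.nameidvalue% are replaced with values taken from a received assertion. The template, the assertion attributes and the NameID are constructed. The RFC 4515 filter escaping applied to every substituted value is this example's own choice, added because assertion attributes are partner-supplied input that ends up inside an LDAP filter; whether OAM performs equivalent escaping is not stated on the page.

```python
"""Expand an attribute-query template with SAML assertion data (added example).

Placeholders follow the documented syntax: %AttrName% for an assertion
attribute and %fed.nameidvalue% for the NameID. Each substituted value is
LDAP-escaped (RFC 4515) so that it cannot change the shape of the filter.
"""
import re

PLACEHOLDER = re.compile(r"%([A-Za-z0-9_.\-]+)%")
NAMEID_PLACEHOLDER = "fed.nameidvalue"


def ldap_escape(value: str) -> str:
    """Escape the RFC 4515 filter metacharacters: backslash, *, (, ) and NUL."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def expand_attribute_query(template: str, assertion_attrs: dict, nameid: str) -> str:
    """Replace every %name% placeholder with the escaped assertion value.

    Raises KeyError when the assertion lacks an attribute the query needs, so
    a mapping never silently degrades into an empty (and possibly broad) match.
    """
    def repl(match):
        name = match.group(1)
        if name == NAMEID_PLACEHOLDER:
            raw = nameid
        elif name in assertion_attrs:
            raw = assertion_attrs[name]
        else:
            raise KeyError("assertion attribute %r required by query is missing" % name)
        return ldap_escape(raw)
    return PLACEHOLDER.sub(repl, template)


# Constructed sample data: a query template as it would be passed to
# setIdPPartnerMappingAttributeQuery, plus attributes from a received assertion.
SAMPLE_QUERY = "(&(sn=%Userlastname%)(mail=%fed.nameidvalue%))"
SAMPLE_ATTRS = {"Userlastname": "Smith", "Userfirstname": "Alice"}
SAMPLE_NAMEID = "alice.smith@example.com"

# A constructed hostile value that would widen the filter if inserted verbatim.
HOSTILE_ATTRS = {"Userlastname": "*)(uid=*"}

if __name__ == "__main__":
    print(expand_attribute_query(SAMPLE_QUERY, SAMPLE_ATTRS, SAMPLE_NAMEID))
    # The metacharacters are neutralised: (&(sn=\2a\29\28uid=\2a)(mail=...))
    print(expand_attribute_query(SAMPLE_QUERY, HOSTILE_ATTRS, SAMPLE_NAMEID))
```

The second call shows why escaping matters: without it the substituted value would close the sn clause and add a wildcard uid match, so the assertion could select a different user than the one it names.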
Sets a partner's mapping nameID.
setIdPPartnerMappingNameID(partnerName, userstoreAttr)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
userstoreAttr | The attribute name in the identity store to which the assertion nameID is to be mapped. |
Sets a partner's alias.
setPartnerAlias(partnerName, partnerType, partnerAlias)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
partnerAlias | The partner's alias. |
Sets a partner's identity store and base DN.
setPartnerIDStoreAndBaseDN(partnerName, partnerType, storeName, searchBaseDN)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | The partner type. Valid values are sp or idp. |
storeName | The name of the identity store. If left blank, the default OAM Identity Store will be used. (Optional) |
searchBaseDN | The search base DN for the LDAP. If left blank, the Search Base DN configured in the Identity Store will be used. (Optional) |
Updates a partner by setting the NameID during assertion issuance.
setSPSAMLPartnerNameID(<partnerName>, <nameIDFormat>, <nameIDValue>)
Argument | Definition |
---|---|
partnerName | The name of the partner to be configured. |
nameIDFormat | The NameID format to be used. Possible values include: |
nameIDValue | Value of the NameID element. It can be a static string, user attribute, session attribute, or a combination of those types. |
Updates partner metadata.
updatePartnerMetadata(partnerName, partnerType, metadataFile)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. |
partnerType | Specifies the partner type. Valid values are sp or idp. |
metadataFile | The location of the metadata file. Specify the complete path and name. |
Updates a partner property.
See also Using WLST with SAML 1.1.
updatePartnerProperty(partnerName, partnerType, propName, propValue, type)
Argument | Definition |
---|---|
partnerName | The ID of the partner to be updated. By replacing the value of <partnerName> with the partner ID and including the |
partnerType | Specifies the partner type. Valid values are sp or idp. |
propName | The name of the property to configure. |
propValue | The property value to be set. |
type | The data type of the property. Valid values are string, long, or boolean. |
The WLST commands in the following sections do not have corresponding administrative fields in the Oracle Access Management Console. Administration of authentication mappings and partner profiles is available through WLST commands only.
Note:
Identity Federation WLST commands take key-value pairs or only the value; Access Manager takes only key-value pairs. WLST examples in this document might be defined in either manner. This WLST example uses key-value pairs.
setIdPPartnerAttributeProfileEntry(attrProfileID="openid-idp-attribute-profile", messageAttributeName="http://axschema.org/namePerson", oamSessionAttributeName="name", requestFromIdP="true")
The following sections contain details on general commands for configuring features of Federation SSO.
Enable or disable the Federation Service AttributeRequester or AttributeResponder.
configureFederationService(<serviceType>, <enabled>)
Argument | Definition |
---|---|
serviceType | Takes as a value IDP, SP, AttributeResponder, or AttributeRequester. |
enabled | Takes as a value either true or false. |
Enables and configures the federation store.
Sets the JNDI name of the data store used to store federation records and sets the store type to RDBMS.
setFederationStore(<enable>, <jndiname>)
Argument | Definition |
---|---|
enable | Enable or disable the federation data store. |
jndiname | Indicates the JNDI name of the data store. |
Configure an IdP partner or an IdP partner profile for Force Authentication and/or IsPassive.
configureIdPAuthnRequest(<partner="">, <partnerProfile="">, <partnerType="">, <isPassive="false">, <forceAuthn="false">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the IdP partner to be configured. partner and partnerProfile are exclusive, with one of the two required. |
partnerProfile | Indicates the IdP partner profile to be configured. partner and partnerProfile are exclusive, with one of the two required. |
partnerType | The type of partner (sp or idp). |
isPassive | Indicates if the IdP partner or IdP partner profile should be configured so that the Authn Request message sent to the IdP indicates that the IdP should not interact with the user during Federation SSO. True indicates that the IdP should not interact with the user. Optional. |
forceAuthn | Indicates if the IdP partner or IdP partner profile should be configured so that the Authn Request message sent to the IdP indicates that the IdP should challenge the user even if a valid session exists. True indicates that the user will be challenged. Optional. |
displayOnly | Indicates whether or not this command should display the Is Passive and Force Authn settings. Default is false. Optional. |
delete | Indicates whether or not this command should delete the Is Passive and Force Authn settings from the specified partner or partner profile. Default is false. Optional. |
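As an added example (not Oracle's code) of what the isPassive and forceAuthn settings become on the wire, the Python below builds a SAML 2.0 AuthnRequest with the standard library and reads the two flags back the way an IdP interprets them: the settings map to the IsPassive and ForceAuthn XML attributes of the SAML 2.0 core specification, and an absent attribute means false. The SP entity ID, request ID and timestamp are constructed values.

```python
"""Serialise and parse the IsPassive / ForceAuthn flags of a SAML 2.0
AuthnRequest (added example, standard library only)."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ENTITY_ID = "https://sp.example.com/oam/fed"   # constructed entity ID


def build_authn_request(request_id, is_passive=False, force_authn=False):
    """Serialise an AuthnRequest; flags are emitted only when true."""
    root = ET.Element("{%s}AuthnRequest" % SAMLP, {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",   # constructed timestamp
    })
    if is_passive:
        root.set("IsPassive", "true")
    if force_authn:
        root.set("ForceAuthn", "true")
    ET.SubElement(root, "{%s}Issuer" % SAML).text = SP_ENTITY_ID
    return ET.tostring(root, encoding="unicode")


def _xml_bool(value):
    # xs:boolean lexical forms: true/false/1/0
    return value in ("true", "1")


def read_authn_flags(xml_text):
    """Return (is_passive, force_authn) as an IdP would read the request.

    A missing attribute is treated as false, matching the specification's
    defaults, which is also what the command's default "false" values produce.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not a SAML 2.0 AuthnRequest")
    return (_xml_bool(root.get("IsPassive", "false")),
            _xml_bool(root.get("ForceAuthn", "false")))


if __name__ == "__main__":
    req = build_authn_request("_c0ffee01", force_authn=True)
    print(req)
    print(read_authn_flags(req))   # (False, True)
```

When forceAuthn is set at the partner or profile level, the request carries ForceAuthn="true" and a compliant IdP re-challenges the user even though it holds a valid session; isPassive="true" asks the IdP to answer without any user interaction, which is why the two are normally not combined.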
A boolean indicating whether or not Authorization for Federation SSO should be enabled.
Enables or disables Authorization for Federation SSO. By default, the authorization feature for Federation SSO will be turned off.
Configure the hashing algorithm used in digital signatures.
If the displayOnly and delete parameters are false, this command will set the algorithm.
configureFedDigitalSignature(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <algorithm="SHA-256">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | The ID of the SP partner profile |
partnerProfile | The Federation Authentication Method to which the Access Manager Authentication Scheme will be mapped |
partnerType | The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped |
| Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method |
| Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level |
| Optional. The application domain in which the underlying policy components will be created |
| Optional. The HostID used when creating the underlying resource policy object |
Configure the signing and/or encryption key alias to be used for digital signature and encryption operations.
configureFedSignEncKey(<partner="">, <partnerProfile="">, <partnerType="">, <default="false">, <signAlias="">, <encAlias="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | Indicates the partner for which the signing and/or encryption key alias is to be configured. partner, partnerProfile, and default are exclusive, with one of the three required. |
partnerProfile | Indicates the partner profile for which the signing and/or encryption key alias is to be configured. partner, partnerProfile, and default are exclusive, with one of the three required. |
partnerType | Indicates the partner type for which the signing and/or encryption key alias is to be configured. Required when specifying partner or partnerProfile. Valid values are sp or idp. |
default | Indicates that the global default signing and/or encryption key alias is to be configured. partner, partnerProfile, and default are exclusive, with one of the three required. |
signAlias | The signing key alias. Required when setting the value. |
encAlias | The encryption key alias. Required when setting the value. |
displayOnly | Indicates whether or not this command should display the signing and encryption key aliases. Default is false. Optional. |
delete | Indicates whether or not this command should delete the signing and/or encryption key alias from the specified partner or partner profile. Default is false. Optional. |
All the Authentication Method/Scheme/Level mappings are configured using the WLST commands. This can be done either at the partner level or, if not defined at the partner level, at the partner profile level. The following sections have more details.
Configures the NameID to user store attribute mapping to be used during Attribute Sharing.
If displayOnly is true, the command displays the NameID to user store attribute mapping. Otherwise, if delete is true, the command deletes the specified mapping. Otherwise it sets the enabled flag to the given value and sets a NameID to user store attribute mapping.
configureAttributeSharingSPPartnerNameIDMapping(<partner="">, <partnerProfile="">, <enabled="true">, <nameidformat="">, <userStoreAttribute="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
partner | ID of the partner being configured. Optional. partner and partnerProfile are exclusive, with one of the two required. |
partnerProfile | Indicates the partner profile for which the mapping is being configured. Optional. partner and partnerProfile are exclusive, with one of the two required. |
enabled | Boolean indicating if the NameID to user store attribute mapping is enabled or disabled. Optional. Default value is true. |
nameidformat | The NameID format that is mapped to a userStoreAttribute. Optional. Needs to be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partner profile are displayed. Allowed NameID formats are: If the format is set to any other value, the Assertion will be populated with that value. |
userStoreAttribute | The user store attribute to which the specified NameID format is mapped. Optional. Needs to be specified only for a create or update operation. |
displayOnly | Indicates whether or not this command should display the NameID to user store attribute mapping. Default is false. Optional. If set to true, the mapping is displayed. If no NameID parameter is specified, all the mappings are displayed. |
delete | Indicates whether or not this command should delete the NameID to user store attribute mapping. Default is false. Optional. |
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", userStoreAttribute="mail")
configureAttributeSharingSPPartnerNameIDMapping(partnerProfile="saml20-idp-partner-profile", nameidformat="orafed-emailaddress", userStoreAttribute="mail")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", enabled="false")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", displayOnly="true")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", delete="true")
configureAttributeSharingSPPartnerNameIDMapping(partner="acme", nameidformat="orafed-emailaddress", displayOnly="true")
configureAttributeSharingIdPPartner
Configures the default Attribute Sharing NameID and NameID format for the IdP partner.
configureAttributeSharingIdPPartner(<partner="">, <partnerProfile="">, <nameidformat="">, <nameidattribute="">)
Argument | Definition |
---|---|
partner | ID of the partner being configured. Optional. partner and partnerProfile are mutually exclusive; one of the two is required. |
partnerProfile | The partner profile for which the mapping is being configured. Optional. partner and partnerProfile are mutually exclusive; one of the two is required. |
nameidformat | The NameID format that is mapped to a user store attribute. Optional. Must be specified for delete and create/update operations. If not specified for a display operation, all the mappings for the specified partner or partner profile are displayed. Allowed NameID formats are: |
nameidattribute | The attribute in the user store that should be used as the NameID. Optional. |
displayOnly | Indicates whether or not this command should display the NameID to user store attribute mapping. Default is false. Optional. If set to true, the mapping is displayed. If no nameidformat parameter is specified, all the mappings are displayed. |
configureAttributeSharingUserDNToIdPPartnerMapping
Configures the Attribute Sharing DN to IdP mappings.
If displayOnly is set to true, the configuration is displayed. If delete is set to true, the command deletes the specified mapping; otherwise, a mapping is created or updated.
configureAttributeSharingUserDNToIdPPartnerMapping(<dn="">, <idp="">, <displayOnly="false">, <delete="false">)
Argument | Definition |
---|---|
dn | The DN string to map to the given IdP. Optional. Must be specified to delete a mapping and to set a mapping. If specified for a display operation, only the mapping for this DN is displayed. |
idp | The partner ID of the IdP to use as Attribute Authority for the given DN. Optional. Needs to be specified only when creating or updating a mapping. |
displayOnly | Indicates whether or not this command should display the DN to IdP mapping. Default is false. Optional. If set to true, the mapping is displayed. If no dn parameter is specified, all the mappings are displayed. |
delete | Indicates whether or not this command should delete the DN to IdP mapping. Default is false. Optional. |
Examples:
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", displayOnly="true")
configureAttributeSharingUserDNToIdPPartnerMapping(displayOnly="true")
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", delete="true")
configureAttributeSharingUserDNToIdPPartnerMapping(dn="dc=us,dc=oracle,dc=com", idp="acme")
configureAttributeSharing
Configures the Attribute Sharing feature by setting a default attribute authority.
configureAttributeSharing(<defaultAttributeAuthority="">)
Argument | Definition |
---|---|
defaultAttributeAuthority | ID of the partner to use as the default Attribute Authority. Only used when this server is functioning in SP mode. |
removeAttributeSharingFromAuthnModule
Removes the Attribute Sharing plug-in from the Authentication Module.
removeAttributeSharingFromAuthnModule(<authnModule>, <stepName="">)
Argument | Definition |
---|---|
authnModule | The name of the Authentication Module from which to delete the Attribute Sharing plug-in. |
stepName | The name of the Attribute Sharing plug-in step to remove. Only needed if there is more than one Attribute Sharing step. Optional. |
configureAttributeSharingPlugin
Configures the Attribute Sharing plug-in step of the specified Authentication Module: where the plug-in reads the NameID, IdP and NameID format from, the defaults to fall back to, and the attributes to request.
configureAttributeSharingPlugin(<authnModule>, <stepName=None>, <nameIDVariable=None>, <idpVariable=None>, <defaultIdP=None>, <nameIDFormatVariable=None>, <defaultNameIDFormat=None>, <requestedAttributes=None>)
Argument | Definition |
---|---|
authnModule | The name of the Authentication Module containing the Attribute Sharing plug-in. |
stepName | The name of the Attribute Sharing plug-in step to configure. Only needed if there is more than one Attribute Sharing step. Optional. |
nameIDVariable | The name of the variable in the session or context that contains the NameID of the user. |
idpVariable | The name of the variable in the session or context that contains the name of the IdP to which to send the attribute request. |
defaultIdP | The name of the default IdP to send the attribute request to if no IdP can be determined from the session or context. |
nameIDFormatVariable | The name of the variable in the session or context that contains the NameID format to use in the attribute request. |
defaultNameIDFormat | The default NameID format to use if no NameID format can be determined from the session or context. Allowed NameID formats are: If the format is set to any other value, the Assertion is populated with that value. |
requestedAttributes | The attributes to request from the IdP. This string is in URL query string format. |
insertAttributeSharingInToAuthnModule
Inserts the Attribute Sharing step into the Authentication Module flow.
Can also be used to remove the Attribute Sharing step from the Authentication Module flow.
insertAttributeSharingInToAuthnModule(<authnModule>, <fromStep=None>, <fromCond=None>, <toStep=None>, <toCond=None>, <stepName=None>)
Argument | Definition |
---|---|
authnModule | The name of the Authentication Module into which the Attribute Sharing plug-in is inserted. |
fromStep | The name of the step after which the Attribute Sharing step (or the step of the given name) should be inserted. |
fromCond | The condition under which the Attribute Sharing step (or the step of the given name) is called after fromStep. It has to be one of OnSuccess, OnFailure or OnError. |
toStep | The name of the step to go to after the Attribute Sharing step (or the step of the given name). |
toCond | The condition under which toStep is called after the Attribute Sharing step (or the step of the given name). |
stepName | The name of the step being added to the flow. |
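The following WLST (Jython) script is an added example, not taken from the Oracle documentation; it wires the Attribute Sharing step into an Authentication Module and then applies the SP-side Attribute Sharing mappings described in the commands above. The module name, step names, session-variable names and requested attribute list are placeholders; the partner, partner profile and DN values are the ones used in this section's examples.

```jython
# Added example: WLST (Jython) script exercising the Attribute Sharing commands
# of this section. Placeholders (not from the documentation): the Authentication
# Module name, the step names, the session/context variable names and the
# requested attribute list. Run it from a WLST session connected to the server.
AUTHN_MODULE = 'FederationAuthnModule'   # placeholder: your Authentication Module
STEP_NAME = 'AttributeSharingStep'       # placeholder: name for the inserted step

# 1. Insert the Attribute Sharing step into the module flow. The step runs after
#    fromStep when fromCond (OnSuccess, OnFailure or OnError) holds, and hands
#    control to toStep when toCond holds.
insertAttributeSharingInToAuthnModule(AUTHN_MODULE,
    fromStep='UserIdentificationStep',   # placeholder: existing step in the module
    fromCond='OnSuccess',
    toStep='UserAuthenticationStep',     # placeholder: existing step in the module
    toCond='OnSuccess',
    stepName=STEP_NAME)

# 2. Configure the plug-in on that step: which session/context variables hold the
#    NameID, the IdP and the NameID format, what to fall back to when they are
#    absent, and which attributes to request (URL query string format).
configureAttributeSharingPlugin(AUTHN_MODULE,
    stepName=STEP_NAME,
    nameIDVariable='KEY_USERNAME',          # placeholder variable name
    idpVariable='KEY_ATTRIBUTE_IDP',        # placeholder variable name
    defaultIdP='acme',
    nameIDFormatVariable='KEY_NAMEID_FORMAT',   # placeholder variable name
    defaultNameIDFormat='orafed-emailaddress',
    requestedAttributes='mail=mail&title=title')   # placeholder attribute list

# 3. Default Attribute Authority, used when this server acts as SP and no DN
#    mapping selects an IdP.
configureAttributeSharing(defaultAttributeAuthority='acme')

# 4. Route attribute requests for users under a given DN to a specific IdP.
configureAttributeSharingUserDNToIdPPartnerMapping(dn='dc=us,dc=oracle,dc=com', idp='acme')

# 5. NameID to user store attribute mapping at the partner profile level, plus a
#    different mapping for one partner.
configureAttributeSharingSPPartnerNameIDMapping(partnerProfile='saml20-idp-partner-profile',
    nameidformat='orafed-emailaddress', userStoreAttribute='mail')
configureAttributeSharingSPPartnerNameIDMapping(partner='acme',
    nameidformat='orafed-emailaddress', userStoreAttribute='uid')

# 6. Review the resulting configuration before leaving WLST.
configureAttributeSharingUserDNToIdPPartnerMapping(displayOnly='true')
configureAttributeSharingSPPartnerNameIDMapping(partner='acme', displayOnly='true')

# To back the change out later:
#   configureAttributeSharingSPPartnerNameIDMapping(partner='acme',
#       nameidformat='orafed-emailaddress', delete='true')
#   removeAttributeSharingFromAuthnModule(AUTHN_MODULE, stepName=STEP_NAME)
```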
All the Authentication Method/Scheme/Level mappings are configured using the WLST commands. This can be done either at the partner level or, if not defined at the partner level, at the partner profile level. The following sections have more details.
setSPPartnerAlternateScheme
Provides a way to authenticate clients with an alternate Authentication Scheme.
Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for this Partner.
setSPPartnerAlternateScheme(<partner>, <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, <remove="false">)
Argument | Definition |
---|---|
partner | The ID of the partner. |
enabled | Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client. |
httpHeaderName | Required if enabled is true: the HTTP Header to evaluate. IMPORTANT: This is a global setting and affects all partners. |
httpHeaderExpression | Required if enabled is true: the regular expression used to evaluate the value of the HTTP Header. |
authnScheme | Required if enabled is true: the alternate Authentication Scheme to be used instead of the default. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
remove | Optional. If set to true, removes the properties for the alternate scheme in the partner configuration. |
Note:
Since this operation creates policy objects, you can specify the Application Domain (default: "IAM Suite"), the HostID (default: "IAMSuiteAgent") and the Authorization Policy (default: "Protected Resource Policy") to be used, although the default values can also be used.
In this example, Identity Federation is configured to enable the alternate Authentication Scheme at the partner level for the SP partner Acme because the user's browser sends the HTTP Header "User-Agent" with the iPhone string in it. The string triggers BasicScheme for authentication rather than the default Authentication Scheme.
setSPPartnerAlternateScheme("acmeSP", "true", httpHeaderName="User-Agent", httpHeaderExpression=".*iPhone.*", authnScheme="BasicScheme")
setSPPartnerDefaultScheme
Defines the default Authentication Scheme for the SP partner.
setSPPartnerDefaultScheme(<partner>, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partner | The ID of the partner. |
authnScheme | The OAM Authentication Scheme to be used. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
setSPPartnerProfileAlternateScheme
Provides a way to authenticate clients with an alternate Authentication Scheme.
Identity Federation evaluates an HTTP Header to determine if the alternate Authentication Scheme should be used for partners assigned to this Partner Profile.
setSPPartnerProfileAlternateScheme(<partnerProfile>, <enabled="true">, <httpHeaderName="">, <httpHeaderExpression="">, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">, <remove="false">)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
enabled | Indicates whether or not Identity Federation should evaluate the HTTP Header sent by the client. |
httpHeaderName | Required if enabled is true: the HTTP Header to evaluate. IMPORTANT: This is a global setting and affects all partners. |
httpHeaderExpression | Required if enabled is true: the regular expression used to evaluate the value of the HTTP Header. |
authnScheme | Required if enabled is true: the alternate Authentication Scheme to be used instead of the default. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
remove | Optional. If set to true, removes the properties for the alternate scheme in the partner profile configuration. |
Note:
Since this operation creates policy objects, you can specify the Application Domain (default: "IAM Suite"), the HostID (default: "IAMSuiteAgent") and the Authorization Policy (default: "Protected Resource Policy") to be used, although the default values can also be used.
setSPPartnerProfileDefaultScheme
Sets the default OAM Authentication Scheme to be used to challenge a user for a specific SP Partner Profile.
setSPPartnerProfileDefaultScheme(<partnerProfile>, <authnScheme="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
authnScheme | The OAM Authentication Scheme to be used. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
addSPPartnerAuthnMethod
Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner.
addSPPartnerAuthnMethod(partner, authnMethod, authnScheme, isDefault="true", authnLevel="-1", appDomain="IAM Suite", hostID="IAMSuiteAgent", <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partner | The ID of the SP partner. |
authnMethod | The Federated Authentication Method to which the Access Manager Authentication Scheme will be mapped. |
authnScheme | The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped. |
isDefault | Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method. |
authnLevel | Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
addSPPartnerProfileAuthnMethod
Defines a mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for a specific SP Partner Profile.
addSPPartnerProfileAuthnMethod(partnerProfile, authnMethod, authnScheme, isDefault="true", authnLevel="-1", appDomain="IAM Suite", hostID="IAMSuiteAgent", <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
partnerProfile | The ID of the SP partner profile. |
authnMethod | The Federated Authentication Method to which the Access Manager Authentication Scheme will be mapped. |
authnScheme | The Access Manager Authentication Scheme to which the Federated Authentication Method will be mapped. |
isDefault | Optional. Boolean indicating whether or not the specified Access Manager Authentication Scheme should be used to challenge the user when the SP requests the Federated Authentication Method. |
authnLevel | Optional. Indicates the authentication level to be used in the mapping in cases when the session authentication level is different from the authentication scheme level. |
appDomain | Optional. The application domain in which the underlying policy components will be created. |
hostID | Optional. The HostID used when creating the underlying resource policy object. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
addIdPPartnerAuthnMethod
Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner.
addIdPPartnerAuthnMethod(partner, authnMethod, authnLevel)
Argument | Definition |
---|---|
partner | The ID of the IdP partner. |
authnMethod | The Federated Authentication Method. |
authnLevel | The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method. |
addIdPPartnerProfileAuthnMethod
Sets the Authentication Level to use when creating a session for a Federated Authentication Method for a specific IdP Partner Profile, that is, the level to which users from this IdP partner profile are authenticated.
addIdPPartnerProfileAuthnMethod(partnerProfile, authnMethod, authnLevel)
Argument | Definition |
---|---|
partnerProfile | The ID of the IdP partner profile. |
authnMethod | The Federated Authentication Method. |
authnLevel | The level to use to create the Access Manager user session during a Federation SSO flow for the specified Federated Authentication Method. |
listPartnerAuthnMethods
Lists the Federated Authentication Method mappings for a specific Partner.
listPartnerAuthnMethods(partner, partnerType)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (SP or IdP). |
listPartnerProfileAuthnMethods
Lists the Federated Authentication Method mappings for a specific Partner Profile.
listPartnerProfileAuthnMethods(partnerProfile, partnerType)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
partnerType | The type of the partner (SP or IdP). |
removePartnerAuthnMethod
Removes the mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for the specified Partner.
removePartnerAuthnMethod(<partner>, <partnerType>, <authnMethod>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (SP or IdP). |
authnMethod | The Federated Authentication Method whose mapping is removed. |
removePartnerProfileAuthnMethod
Removes the mapping between a Federated Authentication Method and an Access Manager Authentication Scheme for the specified Partner Profile.
removePartnerProfileAuthnMethod(<partnerProfile>, <partnerType>, <authnMethod>)
Argument | Definition |
---|---|
partnerProfile | The ID of the partner profile. |
partnerType | The type of the partner (SP or IdP). |
authnMethod | The Federated Authentication Method. |
setIdPPartnerRequestAuthnMethod
Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner.
setIdPPartnerRequestAuthnMethod(<partner>, <authnMethod>)
Argument | Definition |
---|---|
partner | The ID of the IdP partner. |
authnMethod | The Federated Authentication Method. |
setIdPPartnerProfileRequestAuthnMethod
Sets the Federated Authentication Method that will be requested during Federation SSO for the specified IdP Partner Profile.
setIdPPartnerProfileRequestAuthnMethod(<partnerProfile>, <authnMethod>)
Argument | Definition |
---|---|
partnerProfile | The ID of the IdP partner profile. |
authnMethod | The Federated Authentication Method. |
useProxiedFedAuthnMethod
Configures the Identity Provider to use the proxied Federation Authentication Method when performing Federation SSO.
If the server acts as an SP with a remote IdP to authenticate the user, then when acting as an Identity Provider in a different Federation SSO operation, the server can use the Federation Authentication Method sent by the remote Identity Provider. The server sends the proxied Federation Authentication Method for the list of specified Federation Authentication Schemes. The server only sends the proxied Federation Authentication Method if the Federation protocol used between the server and the Service Provider is the same Federation protocol as the one used between the server and the Identity Provider.
useProxiedFedAuthnMethod(<enabled="false">, <displayOnly="false">, <authnSchemeToAdd="">, <authnSchemeToRemove="">, <appDomain="IAM Suite">, <hostID="IAMSuiteAgent">, <authzPolicy="Protected Resource Policy">)
Argument | Definition |
---|---|
enabled | Indicates whether or not the proxied Federation Authentication Method should be used. The feature is disabled by default. Optional. |
displayOnly | Indicates whether or not this command should display the list of Federation Schemes for which the server should send the proxied Federation Authentication Method. Default is false. Optional. |
authnSchemeToAdd | The OAM Federation Authentication Scheme to be added to the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove are mutually exclusive. |
authnSchemeToRemove | The OAM Federation Authentication Scheme to be removed from the list of schemes for which the server should send the proxied Federation Authentication Method. authnSchemeToAdd and authnSchemeToRemove are mutually exclusive. |
appDomain | The application domain in which the underlying policy components will be created. Optional. |
hostID | The HostID that will be used when creating the underlying resource policy object. Optional. |
authzPolicy | Optional. The Authorization Policy Name that will be used to protect the underlying resource policy object being created. |
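The following WLST (Jython) script is an added example, not taken from the Oracle documentation; it shows the Authentication Method/Scheme/Level mapping commands of this section used together: profile-level SP mappings, a partner-level override (which takes precedence for that partner, as stated above), IdP-side levels and requested methods, and the proxied method. The partner profile IDs, the IdP partner ID and the OAM scheme names other than BasicScheme are placeholders; the SAML 2.0 authentication context class URIs are standard values, not taken from this page.

```jython
# Added example: WLST (Jython) script for the Authentication Method / Scheme / Level
# mapping commands in this section. 'acmeSP' and 'BasicScheme' come from the
# setSPPartnerAlternateScheme example above; every other ID and scheme name is a
# placeholder to replace with values from your deployment.
SP_PROFILE = 'saml20-sp-partner-profile'    # placeholder SP partner profile ID
IDP_PROFILE = 'saml20-idp-partner-profile'  # partner profile ID used earlier in this section
IDP_PARTNER = 'acmeIdP'                     # placeholder IdP partner ID
# Standard SAML 2.0 authentication context classes (constructed for this example).
PWD_METHOD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
PKI_METHOD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:X509'

# SP side, profile level: which OAM scheme challenges the user when a partner bound
# to the profile requests a given Federated Authentication Method. isDefault marks
# the scheme to use for that method; authnLevel='-1' is the documented default.
addSPPartnerProfileAuthnMethod(SP_PROFILE, PWD_METHOD, 'LDAPScheme',
    isDefault='true', authnLevel='-1')              # placeholder scheme name
addSPPartnerProfileAuthnMethod(SP_PROFILE, PKI_METHOD, 'X509Scheme',
    isDefault='true', authnLevel='-1')              # placeholder scheme name
setSPPartnerProfileDefaultScheme(SP_PROFILE, authnScheme='LDAPScheme')

# SP side, partner level: a mapping defined here is used instead of the profile
# mapping for this partner only. acmeSP gets BasicScheme for password
# authentication, with an explicit session level of 2.
addSPPartnerAuthnMethod('acmeSP', PWD_METHOD, 'BasicScheme',
    isDefault='true', authnLevel='2')

# IdP side: the session level assigned when the remote IdP reports a method, and
# the method this server requests in its own authentication requests.
addIdPPartnerProfileAuthnMethod(IDP_PROFILE, PWD_METHOD, '2')
addIdPPartnerProfileAuthnMethod(IDP_PROFILE, PKI_METHOD, '3')
setIdPPartnerProfileRequestAuthnMethod(IDP_PROFILE, PWD_METHOD)
setIdPPartnerRequestAuthnMethod(IDP_PARTNER, PKI_METHOD)   # partner-level override

# When this server is SP toward a remote IdP and IdP toward another SP using the
# same protocol, forward the method reported by the remote IdP for sessions
# created through LDAPScheme instead of reporting the local scheme's method.
useProxiedFedAuthnMethod(enabled='true', authnSchemeToAdd='LDAPScheme')

# Verify the result per profile and per partner.
listPartnerProfileAuthnMethods(SP_PROFILE, 'SP')
listPartnerAuthnMethods('acmeSP', 'SP')
listPartnerProfileAuthnMethods(IDP_PROFILE, 'IdP')
useProxiedFedAuthnMethod(displayOnly='true')

# To drop the partner-level override later, leaving the profile mapping in place:
#   removePartnerAuthnMethod('acmeSP', 'SP', PWD_METHOD)
```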
All Partner Profile management is done using WLST commands. The following sections have more details on the specific commands.
createFedPartnerProfileFrom
Creates a Federation Partner Profile based on the specified existing one.
createFedPartnerProfileFrom(<newPartnerProfile>, <existingPartnerProfile>)
Argument | Definition |
---|---|
newPartnerProfile | The ID of the new partner profile. |
existingPartnerProfile | The ID of the existing partner profile. |
deleteFedPartnerProfile
Deletes the specified Federation Partner Profile.
deleteFedPartnerProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile being deleted. |
displayFedPartnerProfile
Displays the properties defined in the specified Federation Partner Profile.
displayFedPartnerProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile. |
listFedPartnersForProfile
Lists the partners bound to the specified Federation Partner Profile.
listFedPartnersForProfile(<PartnerProfile>)
Argument | Definition |
---|---|
PartnerProfile | The ID of the partner profile. |
getFedPartnerProfile
Gets the ID of the Partner Profile bound to the specified partner.
getFedPartnerProfile(<partner>, <partnerType>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (sp or idp). |
setFedPartnerProfile
Sets the Federation Partner Profile for the specified partner, based on the specified partner profile ID.
setFedPartnerProfile(<partner>, <partnerType>, <partnerProfile>)
Argument | Definition |
---|---|
partner | The ID of the partner. |
partnerType | The type of the partner (sp or idp). |
partnerProfile | The ID of the partner profile. |
The following SAML 1.1 configuration parameters are not exposed through the Oracle Access Management Console. The values of these parameters can be modified using these WLST commands.
When an IdP partner is configured for SAML 1.1, the SP uses the following URL to start the SSO process.
http://idphost:idpport/ssourl?TARGET=targeturl&providerid=http://spproviderid
By adding the following parameters to these WLST commands, the URL can be populated with the applicable information.
The value held by idpinitiatedssoprovideridparam is used by the peer provider to identify the provider ID of the SP.
updatePartnerProperty(partnerName, partnerType, "idpinitiatedssoprovideridparam", "providerid", "string")
Argument | Definition |
---|---|
partnerName | The ID of the partner. |
partnerType | Takes as a value either idp or sp. |
propName | Name of the property being configured or modified. |
propValue | The value of the property being configured. For an OIF peer IdP, the parameter name must be "providerid". Changing this property changes the parameter name used in the above URL. |
type | The data type of the property value. Valid values are string, long, or boolean. |
Sets the target URL for the specified SP partner.
Identifies the target resource. The value held by idpinitiatedssotargetparam is used by the peer provider to identify the desired resource; TARGET in the case of Oracle Identity Federation.
updatePartnerProperty(partnerName, partnerType, "idpinitiatedssotargetparam", "TARGET", "string")
Argument | Definition |
---|---|
partnerName | The ID of the partner. |
partnerType | Takes as a value either idp or sp. |
propName | Name of the property being configured or modified. |
propValue | The location of the resource. The default value is |
type | The data type of the property value. Valid values are string, long, or boolean. |
updatePartnerProperty(partnerName, "idp", "idpinitiatedssotargetparam", "TARGET", "string")
Note:
A certificate can be included in a SAML 1.1 signature. By replacing <partnerName> with the partner ID and setting the includecertinsignature property, the certificate is included with the signature. For example:
updatePartnerProperty("<partnerName>", "sp", "includecertinsignature", "true", "boolean")
getPartnerProperty("<partnerName>", "sp", "includecertinsignature")
deletePartnerProperty("<partnerName>", "sp", "includecertinsignature")
Use the WLST commands in this section to manage Oracle Access Management Mobile and Social (Mobile and Social) configuration objects.
For Mobile Services and Social Identity, refer to the commands listed in Table 4-8.
For OAuth Services, refer to the commands listed in Table 4-9.
Table 4-8 WLST Mobile and Social Commands for Mobile Services and Social Identity
Use this command to... | Use with WLST... |
---|---|
System Configuration Commands | |
Retrieve system configuration data. | Online |
Update system configuration data. | Online |
RPApplication Commands | |
Retrieves the RPApplication objects. | Online |
Deletes the specified RPApplication object. | Online |
Displays the specified RPApplication object. | Online |
Creates a new RPApplication object. | Online |
Updates values for a defined RPApplication object. | Online |
ServiceProviderInterface Commands | |
Retrieves the RPApplication objects. | Online |
Deletes the specified RPApplication object. | Online |
Displays the specified RPApplication object. | Online |
Creates a new RPApplication object. | Online |
Updates values for a defined RPApplication object. | Online |
Social Identity Provider Commands | |
Retrieves the Social Identity Provider objects. | Online |
Deletes the specified Social Identity Provider object. | Online |
Displays the specified Social Identity Provider object. | Online |
Creates a new Social Identity Provider object. | Online |
Updates values for a defined Social Identity Provider object. | Online |
User Attribute Mapping Commands | |
Retrieves the User Attribute Mapping objects. | Online |
Deletes the specified User Attribute Mapping object. | Online |
Displays the specified User Attribute Mapping object. | Online |
Updates values for a defined User Attribute Mapping object. | Online |
ServiceProvider Commands | |
Create a ServiceProvider. | Online |
Update a ServiceProvider. | Online |
Add a Relationship to a Service Provider. | Online |
Remove a Relationship from a Service Provider. | Online |
Get a ServiceProvider. | Online |
Remove a ServiceProvider object. | Online |
Display a ServiceProvider object. | Online |
ServiceProfile Commands | |
Create a service object. | Online |
Update a service object. | Online |
Remove a service object. | Online |
Display a service object. | Online |
Retrieve all the service objects. | Online |
ApplicationProfile Commands | |
List all ApplicationProfile objects. | Online |
Create an ApplicationProfile. | Online |
Update an ApplicationProfile. | Online |
Remove an ApplicationProfile. | Online |
Display an ApplicationProfile. | Online |
ServiceDomain Commands | |
Create a ServiceDomain. | Online |
Update a ServiceDomain. | Online |
Retrieve a ServiceDomain. | Online |
Remove a ServiceDomain. | Online |
Display a ServiceDomain. | Online |
SecurityHandler Commands | |
Create a SecurityHandlerPlugin. | Online |
Update a SecurityHandlerPlugin. | Online |
Retrieve a SecurityHandlerPlugin. | Online |
Remove a SecurityHandlerPlugin. | Online |
Display a SecurityHandlerPlugin. | Online |
JailBreakingDetectionPolicy Commands | |
Create a JailBreakingDetectionPolicy. | Online |
Update a JailBreakingDetectionPolicy. | Online |
Retrieve a JailBreakingDetectionPolicy. | Online |
Remove a JailBreakingDetectionPolicy. | Online |
Display a JailBreakingDetectionPolicy. | Online |
Table 4-9 WLST Mobile and Social Commands for OAuth Services
Use this command to... | Use with WLST... |
---|---|
OAuth Identity Domain Commands | |
Removes the specified OAuth Identity Domain. | Online |
Creates a new OAuth Identity Domain. | Online |
Updates an OAuth Identity Domain. | Online |
OAuth System Configuration Commands | |
Updates the OAuth System Configuration Defaults for the Identity Domain. | Online |
OAuth System Component Commands | |
Removes the specified OAuth System Component. | Online |
Creates the specified OAuth System Component. | Online |
Updates the specified OAuth System Component. | Online |
OAuth Service Provider Commands | |
Removes an OAuth Service Provider object. | Online |
Creates an OAuth Service Provider. | Online |
Updates an OAuth Service Provider. | Online |
OAuth Client Commands | |
Removes an OAuth client object. | Online |
Creates an OAuth client object. | Online |
Updates an OAuth client object. | Online |
Service Profile Commands | |
Removes a service profile. | Online |
Creates a service profile. | Online |
Updates a service profile. | Online |
OAuth Adaptive Access Plug-in Commands | |
Removes the specified OAuth Adaptive Access Plug-in. | Online |
Creates the specified OAuth Adaptive Access Plug-in. | Online |
Updates the specified OAuth Adaptive Access Plug-in. | Online |
OAuth Token Attributes Plug-in Commands | |
Removes the specified OAuth Token Attributes Plug-in. | Online |
Creates the specified OAuth Token Attributes Plug-in. | Online |
Updates the specified OAuth Token Attributes Plug-in. | Online |
OAuth ResourceServer Interface Commands | |
Removes an OAuth Resource Server Interface. | Online |
Updates an OAuth Resource Server Interface. | Online |
Creates an OAuth Resource Server Interface. | Online |
OAuth Jail Breaking Detection Policy Commands | |
Updates the specified OAuth Jail Breaking Detection Policy. | Online |
OAuth User Profile ResourceServer Interface Commands | |
Removes an OAuth User Profile Resource Server Interface. | Online |
Updates an OAuth User Profile Resource Server Interface. | Online |
Creates an OAuth User Profile Resource Server Interface. | Online |
Get / Display Commands | |
Gets all the existing OAuth Identity Domains. | Online |
Display the specified OAuth Identity Domain. | Online |
Display the specified OAuth system configuration. | Online |
Gets all the existing OAuth System Components. | Online |
Display the specified OAuth System Component. | Online |
Gets all the existing OAuth Service Providers. | Online |
Display the specified OAuth Service Provider. | Online |
Gets all the existing OAuth Clients. | Online |
Display the specified OAuth Client. | Online |
Gets all the existing OAuth AdaptiveAccessPlugins. | Online |
Display the specified OAuth AdaptiveAccessPlugin. | Online |
Gets all the existing OAuth authorization plug-ins. | Online |
Display the specified OAuth authorization plug-in. | Online |
Gets all the existing OAuth Token Attributes Plug-ins. | Online |
Display the specified OAuth Token Attributes Plug-in. | Online |
Gets all the existing OAuth ResourceServerInterfaces. | Online |
Display the specified OAuth ResourceServerInterface. | Online |
Gets all the existing OAuth UserProfile resource server plug-ins. | Online |
Display the specified OAuth UserProfile resource server plug-in. | Online |
Gets all the existing OAuth Service Profiles. | Online |
Display the specified OAuth Service Profile. | Online |
replaceRPSystemConfig
replaceRPSystemConfig(hostURL, proxyProtocol, proxyHost, proxyPort, proxyUsername, proxyPassword, attributeList)
Table 4-10 replaceRPSystemConfig Arguments
Argument | Definition |
---|---|
hostURL | The URL of the machine hosting the Mobile and Social server. |
proxyProtocol | The proxy protocol ( |
proxyHost | The URL of the proxy machine. |
proxyPort | The port of the proxy machine. |
proxyUsername | Name of the user accessing the proxy. |
proxyPassword | Password of the user accessing the proxy. |
attributeList | List of attributes in the JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
createRPApplication
createRPApplication(identityProviderNameList, sharedSecret, returnUrl, SPIBindingName, applicationAttributesList, userAttributeMappings, attributeList, mobileApplicationReturnUrl, name, description)
Table 4-11 createRPApplication Arguments
Argument | Definition |
---|---|
identityProviderNameList | A list of Identity Providers. |
sharedSecret | The shared secret. |
returnUrl | The return URL. |
SPIBindingName | The SPI binding name. |
applicationAttributesList | List of RPApplication attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
userAttributeMappings | List of User Attribute Mappings specified in the JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
attributeList | List of attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
mobileApplicationReturnUrl | The return URL of the mobile application. |
name | Name of the object to be created. |
description | Description of the object to be created. |
createRPApplication('Yahoo,Facebook','mySecret','http://me.com', 'OAMServiceProviderInterface','[{pratname1:atval1},{pratname2:atval2}]', '[{Yahoo:[{uid:email},{mail:email},{zip:postalCode},{country:country}]}, {Facebook:[{uid:email},{mail:email},{zip:postalCode},{country:country}]}]', '[{atname1:atval2},{atname2:atval2}]','/oam/server','myApp','new Application')
updateRPApplication
updateRPApplication(identityProviderNameList, sharedSecret, returnUrl, SPIBindingName, applicationAttributesList, userAttributeMappings, attributeList, mobileApplicationReturnUrl, name, description)
Table 4-12 updateRPApplication Arguments
Argument | Definition |
---|---|
identityProviderNameList | A list of Identity Providers. |
sharedSecret | The shared secret. |
returnUrl | The return URL. |
SPIBindingName | The SPI binding name. |
applicationAttributesList | List of RPApplication attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
userAttributeMappings | List of User Attribute Mappings specified in the JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
attributeList | List of attributes specified in the JSON format. [{name1:value1},{name2:value2}] |
mobileApplicationReturnUrl | The return URL of the mobile application. |
name | Name of the object to be updated. |
description | Description of the object to be updated. |
removeServiceProviderInterface
removeServiceProviderInterface(name)
where name is the name of the Service Provider interface object.
displayServiceProviderInterface
displayServiceProviderInterface(name)
where name is the name of the Service Provider interface object.
createServiceProviderInterface
createServiceProviderInterface(idpSelectorImpl, postIDPSelectorImpl, idpInteractionProviderImpl, registrationStatusCheckImpl, registrationTaskFlowProviderImpl, sessionCreationProviderImpl, attributeList, name, description)
Table 4-13 createServiceProviderInterface Arguments
Argument | Definition |
---|---|
idpSelectorImpl | |
postIDPSelectorImpl | |
idpInteractionProviderImpl | |
registrationStatusCheckImpl | |
registrationTaskFlowProviderImpl | |
sessionCreationProviderImpl | |
attributeList | List of attributes in JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
name | Name of the object to be created. |
description | Description of the object to be created. |
updateServiceProviderInterface
updateServiceProviderInterface(idpSelectorImpl, postIDPSelectorImpl, idpInteractionProviderImpl, registrationStatusCheckImpl, registrationTaskFlowProviderImpl, sessionCreationProviderImpl, attributeList, name, description)
Table 4-14 updateServiceProviderInterface Arguments
Argument | Definition |
---|---|
idpSelectorImpl | |
postIDPSelectorImpl | |
idpInteractionProviderImpl | |
registrationStatusCheckImpl | |
registrationTaskFlowProviderImpl | |
sessionCreationProviderImpl | |
attributeList | List of attributes in JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
name | Name of the object to be updated. |
description | Description of the object to be updated. |
removeInternetIdentityProvider
removeInternetIdentityProvider(name)
where name is the name of the Social Identity Provider object.
displayInternetIdentityProvider
displayInternetIdentityProvider(name)
where name is the name of the Social Identity Provider object.
createInternetIdentityProvider
createInternetIdentityProvider(icon, protocolType, protocolAttributeList, providerImplClass, attributeList, name, description)
Table 4-15 createInternetIdentityProvider Arguments
Argument | Definition |
---|---|
icon | Name of the icon. |
protocolType | The protocol type is either |
protocolAttributeList | A list of protocol attributes specified in JSON format. [{name1:value1},{name2:value2}] |
providerImplClass | Implementation class for the provider. |
attributeList | List of attributes specified in JSON format. [{name1:value1},{name2:value2}] |
name | Name of the provider to be created. |
description | Description of the provider to be created. |
createInternetIdentityProvider('myIcon','myType','[{pratname1:atval1}, {pratname2:atval2}]','[{atname1:atval1},{atname2:atval2}]','class','myProvider', 'new Identity Provider')
Note:
createInternetIdentityProvider can also be used within a script to create the provider configuration for Foursquare and Windows Live. The following example is a script for Foursquare. Update the username and password used to connect to the WebLogic Server and the consumer's key and secret values (between the quotes) before executing:
url = 't3://localhost:7001'
username='xxxxxx'
password='xxxxxx'
connect(username,password,url)
domainRuntime()
print "Foursquare OAuth"
print "---------------------"
createInternetIdentityProvider(
    'Foursquare.gif',
    'OAuth',
    '[{oauth.authorization.url: "https://foursquare.com/oauth2/authorize"}, {oauth.accesstoken.url: "https://foursquare.com/oauth2/access_token"}, {oauth.profile.url: "https://api.foursquare.com/v2/users/self"}, {oauth.consumer.key:""}, {oauth.consumer.secret:""}, {oauth.rpinstance.name:""}, {oauth.rpinstance.url:""}]',
    '[{id:id}, {firstname:firstname}, {lastname:lastname}, {contact.email:contact.email}, {homecity:homecity}, {gender:gender}, {photo:photo}]',
    'oracle.security.idaas.rp.oauth.provider.FoursquareImpl',
    'Foursquare',
    'Foursquare OAuth Provider')
disconnect()
exit()
updateInternetIdentityProvider
updateInternetIdentityProvider(icon, protocolType, protocolAttributeList, attributeList, providerImplClass, name, description)
Table 4-16 updateInternetIdentityProvider Arguments
Argument | Definition |
---|---|
icon | Name of the icon. |
protocolType | The protocol type is either |
protocolAttributeList | A list of protocol attributes specified in JSON format. [{name1:value1},{name2:value2}] |
providerImplClass | Implementation class for the provider. |
attributeList | List of attributes specified in JSON format. [{name1:value1},{name2:value2}] |
name | Name of the provider to be updated. |
description | Description of the provider to be updated. |
removeUserAttributeMapping
removeUserAttributeMapping(name)
where name is the name of the User Attribute Mapping object.
displayUserAttributeMapping
displayUserAttributeMapping(name)
where name is the name of the User Attribute Mapping object.
updateUserAttributeMapping
updateUserAttributeMapping(application, idp, name, appProtocolAttributeList)
Table 4-17 updateUserAttributeMapping Arguments
Argument | Definition |
---|---|
application | Name of the application. |
idp | Name of the identity provider. |
name | Name of the object to be updated. |
appProtocolAttributeList | List of protocol attributes in JSON format. [{idp:[{name:value},{name:value}],idp2:[{name:value},{name:value}]}] |
createServiceProvider
createServiceProvider(serviceProviderImpl, serviceProviderType, relationshipList, paramList, name, description)
Table 4-18 createServiceProvider Arguments
Argument | Definition |
---|---|
serviceProviderImpl | The service provider implementation. |
serviceProviderType | The type of service provider. Acceptable values include either |
relationshipList | The relationship for this Service Provider specified in JSON format: [{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}] |
paramList | The parameters for this Service Provider specified in JSON format: [{name1:value1},{name2:value2}...] |
name | Name of the service provider. |
description | Description of the service provider. |
createServiceProvider(
    'oracle.security.idaas.rest.provider.token.MobileOAMTokenServiceProvider',
    'Authentication',
    '[]',
    '[{OAM_VERSION:OAM_11G},{WEBGATE_ID:accessgate-oic},{ENCRYPTED_PASSWORD:"password"},{DEBUG_VALUE:0},{TRANSPORT_SECURITY:OPEN},{OAM_SERVER_1:"localhost:5575"},{OAM_SERVER_1_MAX_CONN:4},{OAM_SERVER_2:"oam_server_2:5575"},{OAM_SERVER_2_MAX_CONN:4}]',
    'MobileOAMAuthentication',
    'Out Of The Box Mobile Oracle Access Manager (OAM) Authentication Service Provider')
updateServiceProvider
updateServiceProvider(serviceProviderImpl, serviceProviderType, relationshipList, paramList, name, description)
Table 4-19 updateServiceProvider Arguments
Argument | Definition |
---|---|
serviceProviderImpl | The service provider implementation. |
serviceProviderType | The type of service provider: either Authorization, Authentication or UserProfile. |
relationshipList | The relationship for this service provider specified in JSON format: [{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}] |
paramList | The parameters for this Service Provider specified in JSON format. |
name | Name of the service provider. |
description | Description of the service provider. |
updateServiceProvider(
    'oracle.security.idaas.rest.provider.cruds.ids.IDSCRUDSServiceProvider',
    'UserProfile',
    '[{relationship:people_groups,directional1:{name:memberOf,providerRelation:user_memberOfGroup,entityURIAttrName:person-uri},directional2:{name:members,providerRelation:groupMember_user,entityURIAttrName:group-uri}},'
    '{relationship:people_manager,directional1:{name:manager,providerRelation:manager,entityURIAttrName:report-uri,scopeAllLevelAttrName:toTop},directional2:{name:reports,providerRelation:reportee,entityURIAttrName:manager-uri,scopeAllLevelAttrName:all}},'
    '{relationship:groupMemberOf_groupMembers,directional1:{name:groupMemberOf,providerRelation:group_memberOfGroup,entityURIAttrName:member-uri},directional2:{name:groupMembers,providerRelation:groupMember_group,entityURIAttrName:group-uri}},'
    '{relationship:personOwner_ownerOf,directional1:{name:ownerOf,providerRelation:user_ownerOfGroup,entityURIAttrName:owner-uri},directional2:{name:personOwner,providerRelation:groupOwner_user,entityURIAttrName:group-uri}},'
    '{relationship:groupOwner_groupOwnerOf,directional1:{name:groupOwner,providerRelation:group_ownerOfGroup,entityURIAttrName:group-uri},directional2:{name:groupOwnerOf,providerRelation:groupOwner_group,entityURIAttrName:owner-uri}}]',
    '[{oracle.ids.name:userrole},{accessControl:false}]',
    'UserProfile',
    'Out Of The Box User Profile Service Provider')
addRelationshipToServiceProvider
addRelationshipToServiceProvider(name, relationshipList)
Table 4-20 addRelationshipToServiceProvider Arguments
Argument | Definition |
---|---|
name | Name of the service provider. |
relationshipList | The relationship for this Service Provider specified in JSON format: [{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}] |
addRelationshipToServiceProvider('idsprovider1', '[{relationship:relname,description:descrip,directional1:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop},directional2:{name:dirname,description:descrip,providerRelation:relname,entityURIAttrName:uri,scopeAllLevelAttrName:toTop}}]')
removeRelationshipFromServiceProvider
getServiceProviders
getServiceProviders()
The following lines show sample output:
ServiceProvider: UserProfile1
ServiceProvider: JWTAuthentication
ServiceProvider: UserProfile
ServiceProvider: MobileOAMAuthentication
ServiceProvider: OAMAuthentication
ServiceProvider: MobileJWTAuthentication
ServiceProvider: sampleauthzserviceprovider
ServiceProvider: InternetIdentityAuthentication
ServiceProvider: OAMAuthorization
displayServiceProvider
displayServiceProvider('OAMAuthentication')
The following lines show sample output:
Displaying: ServiceProvider : OAMAuthentication
ReadOnly = 0
Description = Out Of The Box Oracle Access Manager (OAM) Authentication Token Service Provider
Param = ...
eventProvider = 1
objectName = com.oracle.idaas:name=OAMAuthentication,type=Xml.ServiceProvider,Xml=MobileService
SystemMBean = 0
ServiceProviderType = Authentication
Name = OAMAuthentication
ConfigMBean = 1
ServiceProviderImpl = oracle.security.idaas.rest.provider.token.OAMSDKTokenServiceProvider
Relationship = array(javax.management.openmbean.CompositeData,[])
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
createServiceProfile
createServiceProfile(serviceProvider, supportedTokenList, paramList, endPoint, name, description, enabled)
Table 4-22 createServiceProfile Arguments
Argument | Definition |
---|---|
serviceProvider | Name of the service provider. |
supportedTokenList | A list of supported tokens specified in JSON format. |
paramList | A list of parameters for this Service specified in JSON format. |
endPoint | The service endpoint. |
name | Name of the service. |
description | Description of the service. |
enabled | Indicates if the service should be enabled or disabled. Boolean flag. |
updateServiceProfile
updateServiceProfile(serviceProvider, supportedTokenList, paramList, endPoint, name, description, enabled)
Table 4-23 updateServiceProfile Arguments
Argument | Definition |
---|---|
serviceProvider | Name of the service provider. |
supportedTokenList | A list of supported tokens specified in JSON format. |
paramList | A list of parameters for this Service specified in JSON format. |
endPoint | The service endpoint. |
name | Name of the service. |
description | Description of the service. |
enabled | Indicates if the service should be enabled or disabled. Boolean flag. |
displayServiceProfile
displayServiceProfile('OAMAuthorization')
The following lines show sample output:
Displaying: ServiceProfile : OAMAuthorization
ReadOnly = 0
Enabled = 1
Description = Out Of The Box Oracle Access Manager (OAM) Authorization Service Provider
Param = array(javax.management.openmbean.CompositeData,[])
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=OAMAuthorization,type=Xml.ServiceProfile,Xml=MobileService
SupportedToken = array(java.lang.String,[])
ServiceProviderType = Authorization
ServiceProviderName = OAMAuthorization
Name = OAMAuthorization
ConfigMBean = 1
ServiceEndPoint = /oamauthorization
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
getServiceProfiles
getServiceProfiles()
The following lines show sample output:
ServiceProfile: UserProfile1
ServiceProfile: OAMAuthenticatio
ServiceProfile: sampleauthzservice
ServiceProfile: JWTAuthentication
ServiceProfile: UserProfile
ServiceProfile: MobileOAMAuthentication
ServiceProfile: OAMAuthentication
ServiceProfile: MobileJWTAuthentication
ServiceProfile: InternetIdentityAuthentication
ServiceProfile: OAMAuthorization
ServiceProfile: JWTAuthentication1
createApplicationProfile
createApplicationProfile(paramList, mobileAppProfileStr, name, description)
Table 4-24 createApplicationProfile Arguments
Argument | Definition |
---|---|
paramList | A list of parameters for this Service specified in JSON format. |
mobileAppProfileStr | The mobile app profile string specified in JSON format: [{clientAppConfigParam:[{name:value},{name:value}], jailBreakingDetectionPolicyName:name}] |
name | Name of the IDaaS Client. |
description | Description of the IDaaS Client. |
createApplicationProfile('[{Mobile.clientRegHandle.baseSecret:welcome1},]', '[{clientAppConfigParam:[{Mobileparam1:Mobileparam1Value}, {IOSURLScheme:"samplemobileapp1://"}, {AndroidPackage:oracle.android.samplemobileapp1}, {AndroidAppSignature:samplemobileapp1signature}], jailBreakingDetectionPolicyName:defaultJailBreakingDetectionPolicy}]', 'samplemobileapp1','Sample Mobile App 1')
createApplicationProfile('[{userId4BasicAuth:rest_client1}, {sharedSecret4BasicAuth:"9Qo9olLIl5gDwESYR0hOgw=="}, {signatureAlgorithm:SHA-1}]','','profileid1','OIC Application Profile 1')
updateApplicationProfile
updateApplicationProfile(paramList, mobileAppProfileStr, name, description)
Table 4-25 updateApplicationProfile Arguments
Argument | Definition |
---|---|
paramList | A list of parameters for this Service specified in JSON format. |
mobileAppProfileStr | The mobile app profile string specified in JSON format: [{clientAppConfigParam:[{name:value},{name:value}], jailBreakingDetectionPolicyName:name}] The value of clientAppConfigParam should match what is defined in the Administration Console on the "Application Profile Configuration Page." Items specified under the 'Configuration Settings' heading are set with the WLST 'clientAppConfigParam'. |
name | Name of the IDaaS (Identity as a Service) Client. |
description | Description of the IDaaS (Identity as a Service) Client. |
updateApplicationProfile(
    '[{Mobile.clientRegHandle.baseSecret:welcome1}]',
    '[{clientAppConfigParam:[{ProfileCacheDuration:60},{AuthenticationRetryCount:3},{AllowOfflineAuthentication:false},'
    '{ClaimAttributes:"oracle:idm:claims:client:geolocation,oracle:idm:claims:client:imei,oracle:idm:claims:client:jailbroken,oracle:idm:claims:client:locale,oracle:idm:claims:client:macaddress,oracle:idm:claims:client:networktype,oracle:idm:claims:client:ostype,oracle:idm:claims:client:osversion,oracle:idm:claims:client:phonecarriername,oracle:idm:claims:client:phonenumber,oracle:idm:claims:client:sdkversion,oracle:idm:claims:client:udid,oracle:idm:claims:client:vpnenabled"},'
    '{RPWebView:Embedded},{URLScheme:"exp://"},{IOSBundleID:com.oraclecorp.internal.ExpenseReportApp},'
    '{AndroidAppSignature:"xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\' xsi:nil=\'true\'"},'
    '{AndroidPackage:"xmlns:xsi=\'http://www.w3.org/2001/XMLSchema-instance\' xsi:nil=\'true\'"}],'
    'jailBreakingDetectionPolicyName:DefaultJailBreakingDetectionPolicy}]',
    'ExpenseApp',
    'OIC Test Expense Sample App')
removeApplicationProfile
removeApplicationProfile(name)
where name is the name of the ApplicationProfile to be removed.
displayApplicationProfile
displayApplicationProfile(name)
where name is the name of the ApplicationProfile to be displayed.
displayApplicationProfile('MobileAgent1')
The following lines show sample output:
Displaying: ApplicationProfile : MobileAgent1
ReadOnly = 0
ConfigMBean = 1
Name = MobileAgent1
MobileAppProfile = None
Description = Mobile Agent App 1
Param = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.Attribute,items=((itemName=name,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=secretValue,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.Character;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.Character),primitiveArray=false)),(itemName=value,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={name=Mobile.reauthnForRegNewClientApp, secretValue=null, value=true}), javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.Attribute,items=((itemName=name,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=secretValue,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.Character;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.Character),primitiveArray=false)),(itemName=value,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={name=Mobile.clientRegHandle.baseSecret, secretValue=[Ljava.lang.Character;@11910bd, value=idaas.ApplicationProfile[MobileAgent1].param[Mobile.clientRegHandle.baseSecret]})])
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=MobileAgent1,type=Xml.ApplicationProfile,Xml=MobileService
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
createServiceDomain
createServiceDomain(securityHandlerPlugin,serviceBindingList, clientAppBindingList,mobileAuthStyle,serviceDomainType,name,description)
Table 4-26 createServiceDomain Arguments
Argument | Definition |
---|---|
securityHandlerPlugin | The name of the SecurityHandlerPlugin. |
serviceBindingList | A list of the ServiceBinding objects in the format: [{serviceName:UserProfile,allowRead:true,allowWrite:true},{serviceName:UserProfile1,allowRead:true,allowWrite:true,requiredToken:[{tokenService:JWTAuthentication,tokenType:{ACCESSTOKEN}}]},{serviceName:usertokenserviceformobile,requiredToken:[{tokenService:mobilesecurityservice1,tokenType:{ACCESSTOKEN,CLIENTTOKEN}}]},{serviceName:mobilesecurityservice1},{serviceName:JWTAuthentication1},{serviceName:OAMAuthorization}] |
clientAppBindingList | A list of client applications specified in the format: [{appName:UserProfile,mobileBinding:[{SSOinclusion:true,SSOpriority:4}]}] |
mobileAuthStyle | Mobile Authentication Style. |
serviceDomainType | The type of service domain. |
name | Name of the ServiceDomain. |
description | Description of the ServiceDomain. |
createServiceDomain(
    'JunitDebugSecurityHandlerPlugin',
    '[{serviceName:UserProfile,allowRead:true,allowWrite:true},'
    '{serviceName:UserProfile1,allowRead:true,allowWrite:true,requiredToken:[{tokenService:JWTAuthentication1,tokenType:ACCESSTOKEN}]},'
    '{serviceName:JWTAuthentication},{serviceName:OAMAuthentication},{serviceName:JWTAuthentication1},'
    '{serviceName:OAMAuthorization,allowRead:true,allowWrite:false,requiredToken:[{tokenService:OAMAuthentication,tokenType:USERTOKEN}]}]',
    '[{appName:MobileAgent1,mobileBinding:[{SSOinclusion:true,SSOpriority:1}]},'
    '{appName:MobileBusinessTestApp01,mobileBinding:[{SSOinclusion:true}]},'
    '{appName:MobileAgent2,mobileBinding:[{SSOinclusion:true,SSOpriority:2}]},'
    '{appName:MobileExpenseReport1,mobileBinding:[{SSOinclusion:false}]},'
    '{appName:profileid1}]',
    '',
    'DESKTOP',
    'Default',
    'DefaultService Domain ServiceBinding without any requiredToken')
updateServiceDomain
updateServiceDomain(securityHandlerPlugin, serviceBindingList, clientAppBindingList, mobileAuthStyle, serviceDomainType, name, description)
Table 4-27 updateServiceDomain Arguments
Argument | Definition |
---|---|
securityHandlerPlugin | The name of the SecurityHandlerPlugin. |
serviceBindingList | A list of the ServiceBinding objects in the format: [{serviceName:UserProfile,allowRead:true,allowWrite:true},{serviceName:UserProfile1,allowRead:true,allowWrite:true,requiredToken:[{tokenService:JWTAuthentication,tokenType:{ACCESSTOKEN}}]},{serviceName:usertokenserviceformobile,requiredToken:[{tokenService:mobilesecurityservice1,tokenType:{ACCESSTOKEN,CLIENTTOKEN}}]},{serviceName:mobilesecurityservice1},{serviceName:JWTAuthentication1},{serviceName:OAMAuthorization}] |
clientAppBindingList | A list of client applications specified in the format: [{appName:UserProfile,mobileBinding:[{SSOinclusion:true,SSOpriority:4}]}] |
mobileAuthStyle | Mobile Authentication Style. |
serviceDomainType | The type of Service Domain. |
name | Name of the ServiceDomain. |
description | Description of the ServiceDomain. |
updateServiceDomain(
    'JunitDebugSecurityHandlerPlugin',
    '[{serviceName:UserProfile,allowRead:true,allowWrite:true},'
    '{serviceName:UserProfile1,allowRead:true,allowWrite:true,requiredToken:[{tokenService:JWTAuthentication1,tokenType:ACCESSTOKEN}]},'
    '{serviceName:JWTAuthentication},{serviceName:OAMAuthentication},{serviceName:JWTAuthentication1},'
    '{serviceName:OAMAuthorization,allowRead:true,allowWrite:false,requiredToken:[{tokenService:OAMAuthentication,tokenType:USERTOKEN}]}]',
    '[{appName:MobileAgent1,mobileBinding:[{SSOinclusion:true,SSOpriority:1}]},'
    '{appName:MobileBusinessTestApp01,mobileBinding:[{SSOinclusion:true}]},'
    '{appName:MobileAgent2,mobileBinding:[{SSOinclusion:true,SSOpriority:2}]},'
    '{appName:MobileExpenseReport1,mobileBinding:[{SSOinclusion:false}]},'
    '{appName:profileid1}]',
    '',
    'DESKTOP',
    'Default',
    'Default Service Domain ServiceBinding without any requiredToken')
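The serviceBindingList and clientAppBindingList strings are easy to get wrong by hand. The following added example (not Oracle's code; the helper names are mine) builds them from ordinary Python data in the unquoted-key format the page uses, rebuilds the updateServiceDomain call above as positional arguments, and lists the bindings that grant read or write access without a requiredToken; the same serializer produces the attribute-list arguments of createApplicationProfile and createJailBreakingDetectionPolicy.

```python
# Added example, not Oracle's code: the helper names are mine. Builds the
# serviceBindingList / clientAppBindingList strings that createServiceDomain
# and updateServiceDomain take, in the unquoted-key "JSON" dialect the page
# uses. Written to run under CPython 2/3 and under the WLST Jython interpreter.
import re
from collections import OrderedDict

# Tokens that stay unquoted in this dialect (keys, names, values such as
# ACCESSTOKEN). Anything else is double-quoted, as the page's own examples
# do for "localhost:5575" and "samplemobileapp1://".
_BARE = re.compile(r'^[A-Za-z0-9_.\-]+$')


def to_idaas_json(value):
    """Serialize nested dicts/lists, e.g. [{serviceName:UserProfile,allowRead:true}].
    Pass OrderedDict for objects so key order is stable on every interpreter."""
    if isinstance(value, bool):          # bool first: True is also an int
        return 'true' if value else 'false'
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, dict):
        return '{' + ','.join('%s:%s' % (k, to_idaas_json(v))
                              for k, v in value.items()) + '}'
    if isinstance(value, (list, tuple)):
        return '[' + ','.join(to_idaas_json(v) for v in value) + ']'
    text = str(value)
    if '"' in text:
        raise ValueError('double quote not allowed inside a value: %r' % text)
    return text if _BARE.match(text) else '"%s"' % text


def service_binding(service_name, allow_read=None, allow_write=None,
                    required_token=None):
    """One ServiceBinding entry; required_token is (tokenService, tokenType)."""
    binding = OrderedDict([('serviceName', service_name)])
    if allow_read is not None:
        binding['allowRead'] = allow_read
    if allow_write is not None:
        binding['allowWrite'] = allow_write
    if required_token is not None:
        token_service, token_type = required_token
        binding['requiredToken'] = [OrderedDict(
            [('tokenService', token_service), ('tokenType', token_type)])]
    return binding


def client_app_binding(app_name, sso_inclusion=None, sso_priority=None):
    """One ClientAppBinding entry; mobileBinding is omitted when nothing is set."""
    binding = OrderedDict([('appName', app_name)])
    mobile = OrderedDict()
    if sso_inclusion is not None:
        mobile['SSOinclusion'] = sso_inclusion
    if sso_priority is not None:
        mobile['SSOpriority'] = sso_priority
    if mobile:
        binding['mobileBinding'] = [mobile]
    return binding


def bindings_without_required_token(bindings):
    """Service names bound with allowRead/allowWrite but no requiredToken.
    Review this list before creating the domain: the domain itself demands
    no token for these services."""
    return [b['serviceName'] for b in bindings
            if (b.get('allowRead') or b.get('allowWrite'))
            and 'requiredToken' not in b]


def default_service_bindings():
    """The serviceBindingList of the updateServiceDomain example above."""
    return [
        service_binding('UserProfile', True, True),
        service_binding('UserProfile1', True, True,
                        ('JWTAuthentication1', 'ACCESSTOKEN')),
        service_binding('JWTAuthentication'),
        service_binding('OAMAuthentication'),
        service_binding('JWTAuthentication1'),
        # Read-only, and only reachable with a user token from OAMAuthentication.
        service_binding('OAMAuthorization', True, False,
                        ('OAMAuthentication', 'USERTOKEN')),
    ]


def default_domain_args():
    """The seven positional arguments of the updateServiceDomain example above:
    (securityHandlerPlugin, serviceBindingList, clientAppBindingList,
    mobileAuthStyle, serviceDomainType, name, description)."""
    apps = [
        client_app_binding('MobileAgent1', True, 1),
        client_app_binding('MobileBusinessTestApp01', True),
        client_app_binding('MobileAgent2', True, 2),
        client_app_binding('MobileExpenseReport1', False),
        client_app_binding('profileid1'),
    ]
    return ('JunitDebugSecurityHandlerPlugin',
            to_idaas_json(default_service_bindings()), to_idaas_json(apps),
            '', 'DESKTOP', 'Default',
            'Default Service Domain ServiceBinding without any requiredToken')


if __name__ == '__main__':
    print(default_domain_args()[1])
    print('bound without requiredToken: %s'
          % bindings_without_required_token(default_service_bindings()))
    # In a connected WLST session (after connect() and domainRuntime()):
    # updateServiceDomain(*default_domain_args())
```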
getServiceDomains
getServiceDomains()
The following lines show sample output:
ServiceDomain: MobileServiceDomainUTReg
ServiceDomain: MobileRPServiceDomain
ServiceDomain: Contract1
ServiceDomain: MobileJWTServiceDomain
ServiceDomain: MobileRPServiceDomainUTReg
ServiceDomain: MobileContract
ServiceDomain: Default
ServiceDomain: MobileServiceDomain
displayServiceDomain
displayServiceDomain('name')
The following lines show sample output:
Displaying: ServiceDomain : Contract1
ReadOnly = 0
Description = Service Domain 1 using HTTPBasic or Token based Client Token
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=Contract1,type=Xml.ServiceDomain,Xml=MobileService
MobileAuthStyle = None
ServiceBinding = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TServiceBinding,items=((itemName=allowRead,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=allowWrite,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=requiredToken,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TRequiredToken,items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.String),primitiveArray=false))))),(itemName=serviceName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={allowRead=true, allowWrite=true, requiredToken=javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TRequiredToken,items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.String),primitiveArray=false)))),contents={tokenService=JWTAuthentication, tokenType=[Ljava.lang.String;@d0fbf2}), serviceName=UserProfile}), javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TServiceBinding,items=((itemName=allowRead,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=allowWrite,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=requiredToken,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TRequiredToken,items=((itemName=tokenService,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=tokenType,itemType=javax.management.openmbean.ArrayType(name=[Ljava.lang.String;,dimension=1,elementType=javax.management.openmbean.SimpleType(name=java.lang.String),primitiveArray=false))))),(itemName=serviceName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)))),contents={allowRead=null, allowWrite=null, requiredToken=null, serviceName=JWTAuthentication})])
MobileCredLevelForRegApp = None
ServiceDomainType = DESKTOP
Name = Contract1
ConfigMBean = 1
ClientAppBinding = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TApplicationBinding,items=((itemName=appName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=mobileBinding,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TMobileBinding,items=((itemName=SSOinclusion,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=SSOpriority,itemType=javax.management.openmbean.SimpleType(name=java.lang.Short))))))),contents={appName=profileid1, mobileBinding=null}), javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TApplicationBinding,items=((itemName=appName,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=mobileBinding,itemType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TMobileBinding,items=((itemName=SSOinclusion,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=SSOpriority,itemType=javax.management.openmbean.SimpleType(name=java.lang.Short))))))),contents={appName=profileid2, mobileBinding=null})])
SecurityHandlerPluginName = None
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
createSecurityHandlerPlugin
createSecurityHandlerPlugin(
    'oracle.security.idaas.rest.provider.plugin.impl.DefaultMobileSecurityHandlerImpl',
    '[{allowJailBrokenDevices:false},{requiredHardwareIds:MAC_ADDRESS},{requiredDeviceProfileAttrs:OSType OSVersion isJailBroken clientSDKVersion}]',
    'DefaultSecurityHandlerPlugin',
    '')
updateSecurityHandlerPlugin
removeSecurityHandlerPlugin
removeSecurityHandlerPlugin(name)
where name is the name of the SecurityHandlerPlugin to be removed.
displaySecurityHandlerPlugin
displaySecurityHandlerPlugin(name)
where name is the name of the SecurityHandlerPlugin to be displayed.
createJailBreakingDetectionPolicy
createJailBreakingDetectionPolicy(
    true,
    '[{minOSVersion:3.5,maxOSVersion:5.0,minClientSDKVersion:1.0,maxClientSDKVersion:1.0,policyExpirationDurationInSec:3600,autoCheckPeriodInMin:60,'
    'detectionLocation:[{filePath:"/root",success:true,action:exists},{filePath:"/opt",success:true,action:exists}]}]',
    'defaultJailBreakingDetectionPolicy')
updateJailBreakingDetectionPolicy
updateJailBreakingDetectionPolicy(
    true,
    '[{minOSVersion:3.5,maxOSVersion:5.0,minClientSDKVersion:1.0,maxClientSDKVersion:1.0,policyExpirationDurationInSec:3600,autoCheckPeriodInMin:60,'
    'detectionLocation:[{filePath:"/root",success:true,action:exists},{filePath:"/opt",success:true,action:exists}]}]',
    'defaultJailBreakingDetectionPolicy')
removeJailBreakingDetectionPolicy
removeJailBreakingDetectionPolicy(name)
where name is the name of the JailBreakingDetectionPolicy.
displayJailBreakingDetectionPolicy
displayJailBreakingDetectionPolicy(name)
where name is the name of the JailBreakingDetectionPolicy.
displayJailBreakingDetectionPolicy('DefaultJailBreakingDetectionPolicy')
The following lines show sample output:
Displaying: JailBreakingDetectionPolicy : DefaultJailBreakingDetectionPolicy
ReadOnly = 0
ConfigMBean = 1
Name = DefaultJailBreakingDetectionPolicy
eventProvider = 1
SystemMBean = 0
objectName = com.oracle.idaas:name=DefaultJailBreakingDetectionPolicy,type=Xml.JailBreakingDetectionPolicy,Xml=MobileService
Enable = 1
JailBreakingDetectionPolicyStatement = array(javax.management.openmbean.CompositeData,[javax.management.openmbean.CompositeDataSupport(compositeType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TJailBreakingDetectionPolicyStatement,items=((itemName=autoCheckPeriodInMin,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)),(itemName=detectionLocation,itemType=javax.management.openmbean.ArrayType(name=[Ljavax.management.openmbean.CompositeData;,dimension=1,elementType=javax.management.openmbean.CompositeType(name=com.oracle.xmlns.idm.idaas.idaas_config_11_1_2_0_0.TDetectionLocation,items=((itemName=action,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=filePath,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=success,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)))),primitiveArray=false)),(itemName=enable,itemType=javax.management.openmbean.SimpleType(name=java.lang.Boolean)),(itemName=maxClientSDKVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=maxOSVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=minClientSDKVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=minOSVersion,itemType=javax.management.openmbean.SimpleType(name=java.lang.String)),(itemName=policyExpirationDurationInSec,itemType=javax.management.openmbean.SimpleType(name=java.lang.Long)))),contents={autoCheckPeriodInMin=60, detectionLocation=[Ljavax.management.openmbean.CompositeData;@2dc906, enable=true, maxClientSDKVersion=11.1.2.0.0, maxOSVersion=null, minClientSDKVersion=11.1.2.0.0, minOSVersion=1.0, policyExpirationDurationInSec=3600})])
eventTypes = array(java.lang.String,['jmx.attribute.change'])
RestartNeeded = 0
removeOAuthIdentityDomain
removeOAuthIdentityDomain(name)
where name is the name of the OAuth Identity Domain to be removed.
createOAuthIdentityDomain
createOAuthIdentityDomain(name, description, allowMultRS, enableMobile, globalUID )
Table 4-32 createOAuthIdentityDomain Arguments
Argument | Definition |
---|---|
name | The name of the OAuth Identity Domain. |
description | A description of the OAuth Identity Domain. [Optional] |
allowMultRS | Boolean that allows multiple resource servers in the domain. |
enableMobile | Boolean that enables the mobile parameters (used by the UI console). |
globalUID | Global unique identifier. [Optional] |
updateOAuthIdentityDomain
updateOAuthIdentityDomain(name, newName, description, allowMultRS, enableMobile)
Table 4-33 updateOAuthIdentityDomain Arguments
Argument | Definition |
---|---|
name | The current name of the OAuth Identity Domain. |
newName | The new name of the OAuth Identity Domain. |
description | A description of the OAuth Identity Domain. [Optional] |
allowMultRS | Boolean that allows multiple resource servers in the domain. |
enableMobile | Boolean that enables the mobile parameters (used by the UI console). |
updateOAuthSystemConfig
updateOAuthSystemConfig(identityDomainName, proxyProtocol, proxyHost, proxyPort, proxyUser, minPool, maxPool, keepAlive, maxTokenSearchResult, paramList )
Table 4-34 updateOAuthSystemConfig Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
proxyProtocol | The protocol used to reach the default HTTP proxy. Either HTTP or HTTPS. [Optional] |
proxyHost | The default HTTP proxy host. [Optional] |
proxyPort | The default HTTP proxy port. [Optional] |
proxyUser | The default HTTP proxy user. [Optional] |
minPool | The default Apple Push Notification minimum connection pool size. |
maxPool | The default Apple Push Notification maximum connection pool size. |
keepAlive | The default Apple Push Notification keepAlive, in seconds. |
maxTokenSearchResult | The maximum number of results returned by a token search. |
paramList | A list of parameters specified in JSON format. |
removeOAuthSysComponent
createOAuthSysComponent
createOAuthSysComponent(identityDomainName, name, description, interClass, implClass, paramList)
Table 4-36 createOAuthSysComponent Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth system component. |
description | A description of the OAuth system component. [Optional] |
interClass | The interface class of the OAuth system component. |
implClass | The implementation class of the OAuth system component. |
paramList | A list of parameters specified in JSON format. |
createOAuthSysComponent('myDomain','DefaultUserConsentService','Default User Consent Service','oracle.security.idaas.oauth.consent.AuthorizationUserConsent','oracle.security.idaas.oauth.consent.impl.LDAPAuthorizationUserConsentImpl','[{uc.ldap.username.attr:uid},{uc.ldap.consent.attr:postaladdress},{uc.ldap.userprofile.service:"/UserProfile"}]')
updateOAuthSysComponent
updateOAuthSysComponent(identityDomainName, name, description, interClass, implClass, paramList)
Table 4-37 updateOAuthSysComponent Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth system component. |
description | A description of the OAuth system component. [Optional] |
interClass | The interface class of the OAuth system component. |
implClass | The implementation class of the OAuth system component. |
paramList | A list of parameters specified in JSON format. |
updateOAuthSysComponent('myDomain','DefaultUserConsentService','Default User Consent Service','oracle.security.idaas.oauth.consent.AuthorizationUserConsent','oracle.security.idaas.oauth.consent.impl.LDAPAuthorizationUserConsentImpl','[{uc.ldap.username.attr:uid},{uc.ldap.consent.attr:postaladdress},{uc.ldap.userprofile.service:"/UserProfile"}]')
removeOAuthServiceProvider
createOAuthServiceProvider
createOAuthServiceProvider(identityDomainName, name, description, implClass, paramList)
Table 4-39 createOAuthServiceProvider Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth service provider. |
description | A description of the OAuth service provider. [Optional] |
implClass | The implementation class of the OAuth service provider. |
paramList | A list of parameters specified in JSON format. |
createOAuthServiceProvider('myDomain','OAuthServiceProvider','OAuth Service Provider','oracle.security.idaas.oauth.token.jwtimpl.OAuthProvider', '[{oam.OAM_VERSION_disabled:OAM_11G},{oam.WEBGATE_ID:accessgate-oic},{oam.ENCRYPTED_PASSWORD:""},{oam.DEBUG_VALUE:0},{oam.TRANSPORT_SECURITY:OPEN},{oam.OAM_SERVER_1:"localhost:5575"},{oam.OAM_SERVER_1_MAX_CONN:4},{oam.OAM_SERVER_2:"oam_server_2:5575"},{oam.OAM_SERVER_2_MAX_CONN:4},{oam.AuthNURLForUID:"wl_authen://sample_ldap_no_pwd_protected_res"}]')
updateOAuthServiceProvider
updateOAuthServiceProvider(identityDomainName, name, description, implClass, paramList)
Table 4-40 updateOAuthServiceProvider Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth service provider. |
description | A description of the OAuth service provider. [Optional] |
implClass | The implementation class of the OAuth service provider. |
paramList | A list of parameters specified in JSON format. |
updateOAuthServiceProvider('myDomain','OAuthServiceProvider','OAuth Service Provider','oracle.security.idaas.oauth.token.jwtimpl.OAuthProvider', '[{oam.OAM_VERSION_disabled:OAM_11G},{oam.WEBGATE_ID:accessgate-oic},{oam.ENCRYPTED_PASSWORD:"welcome"},{oam.DEBUG_VALUE:0},{oam.TRANSPORT_SECURITY:OPEN},{oam.OAM_SERVER_1:"localhost:5575"},{oam.OAM_SERVER_1_MAX_CONN:4},{oam.OAM_SERVER_2:"oam_server_2:5575"},{oam.OAM_SERVER_2_MAX_CONN:4},{oam.AuthNURLForUID:"wl_authen://sample_ldap_no_pwd_protected_res"}]')
updateOAuthServiceProviderParam
updateOAuthServiceProviderParam(identityDomainName, name, param, newvalue)
Table 4-41 updateOAuthServiceProviderParam Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth service provider. |
param | The name of the parameter to update. |
newvalue | The new value for the parameter. |
createOAuthClient
createOAuthClient(identityDomainName, name, description, globalUID, secret, allowTokenAttrRetrieval, httpRedirectURIList, paramList, mobileRedirectURIList, mobileParams, claimList, minPool, maxPool, keepAlive, production, gcmAppSetting, scopeRequiresUserConsent, scopeInvokeUserConsent, allowAllScopes, resourceServerScopes, scopes, grantTypes, clientType)
Table 4-43 createOAuthClient Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth client. |
description | A description of the OAuth client. |
globalUID | Global unique identifier. [Optional] |
secret | The client secret. |
allowTokenAttrRetrieval | Boolean that enables or disables token attribute retrieval. |
httpRedirectURIList | The list of one or more redirect URIs, specified in JSON format. |
paramList | A list of parameters specified in JSON format. |
mobileRedirectURIList | List of one or more mobile redirect URIs. [Optional] |
mobileParams | A list of mobile parameters specified in JSON format. |
claimList | Comma-separated list of claim attributes. [Optional] |
minPool | The default Apple Push Notification minimum connection pool size. [Optional] |
maxPool | The default Apple Push Notification maximum connection pool size. [Optional] |
keepAlive | The default Apple Push Notification keepAlive, in seconds. [Optional] |
production | Boolean that selects production (true) or development (false) mode. [Optional] |
gcmAppSetting | Google restricted package name. [Optional] |
scopeRequiresUserConsent | Boolean that specifies whether scopes require user consent. |
scopeInvokeUserConsent | Boolean that specifies whether requesting a scope invokes the user consent service. |
allowAllScopes | Boolean that specifies whether the client may request all scopes. |
resourceServerScopes | List of resource server scopes. Use this argument to select scopes by resource server scope name prefix. |
scopes | List of scopes. Use this argument to select specific scope names. |
grantTypes | Comma-separated list of grant types, for example authorization_code,client_credentials. [Optional] |
clientType | Type of client, for example MOBILE_CLIENT. |
createOAuthClient('myDomain','sampleOAuthMobileClient','sample client app','1234567890','quiet','true','[{"http://localhost:7005/base_domain/domainRuntime":false}]','[{par1:val1}]','','[{mobpar1:mobval1}]','oracle:idm:claims:client:geolocation,oracle:idm:claims:client:imei,oracle:idm:claims:client:jailbroken,oracle:idm:claims:client:locale,oracle:idm:claims:client:macaddress,oracle:idm:claims:client:networktype,oracle:idm:claims:client:ostype,oracle:idm:claims:client:osversion,oracle:idm:claims:client:phonecarriername,oracle:idm:claims:client:phonenumber,oracle:idm:claims:client:sdkversion,oracle:idm:claims:client:udid,oracle:idm:claims:client:vpnenabled,oracle:idm:claims:client:fingerprint','1','3','300','false','gcm','true','false','true','','','authorization_code,client_credentials','MOBILE_CLIENT')
updateOAuthClient
updateOAuthClient(identityDomainName, name, description, secret, allowTokenAttrRetrieval, httpRedirectURIList, paramList, mobileRedirectURIList, mobileParams, claimList, minPool, maxPool, keepAlive, production, gcmAppSetting, scopeRequiresUserConsent, scopeInvokeUserConsent, allowAllScopes, resourceServerScopes, scopes, grantTypes, clientType)
Table 4-44 updateOAuthClient Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth client. |
description | A description of the OAuth client. |
secret | The client secret. |
allowTokenAttrRetrieval | Boolean that enables or disables token attribute retrieval. |
httpRedirectURIList | The list of one or more redirect URIs, specified in JSON format. |
paramList | A list of parameters specified in JSON format. |
mobileRedirectURIList | List of one or more mobile redirect URIs. [Optional] |
mobileParams | A list of mobile parameters specified in JSON format. |
claimList | Comma-separated list of claim attributes. [Optional] |
minPool | The default Apple Push Notification minimum connection pool size. [Optional] |
maxPool | The default Apple Push Notification maximum connection pool size. [Optional] |
keepAlive | The default Apple Push Notification keepAlive, in seconds. [Optional] |
production | Boolean that selects production (true) or development (false) mode. [Optional] |
gcmAppSetting | Google restricted package name. [Optional] |
scopeRequiresUserConsent | Boolean that specifies whether scopes require user consent. |
scopeInvokeUserConsent | Boolean that specifies whether requesting a scope invokes the user consent service. |
allowAllScopes | Boolean that specifies whether the client may request all scopes. |
resourceServerScopes | List of resource server scopes. [Optional] |
scopes | List of scopes. [Optional] |
grantTypes | Comma-separated list of grant types, for example authorization_code,client_credentials. [Optional] |
clientType | Type of client, for example MOBILE_CLIENT. |
updateOAuthClient('myDomain','sampleOAuthMobileClient','sample client app','quiet','true','[{"http://localhost:7005/base_domain/domainRuntime":false}]','[{par1:val1}]','','[{mobpar1:mobval1}]','oracle:idm:claims:client:geolocation,oracle:idm:claims:client:imei,oracle:idm:claims:client:jailbroken,oracle:idm:claims:client:locale,oracle:idm:claims:client:macaddress,oracle:idm:claims:client:networktype,oracle:idm:claims:client:ostype,oracle:idm:claims:client:osversion,oracle:idm:claims:client:phonecarriername,oracle:idm:claims:client:phonenumber,oracle:idm:claims:client:sdkversion,oracle:idm:claims:client:udid,oracle:idm:claims:client:vpnenabled,oracle:idm:claims:client:fingerprint','1','3','300','false','gcm','true','false','true','','','authorization_code,client_credentials','MOBILE_CLIENT')
updateOAuthClientParam
updateOAuthClientParam(identityDomainName, name, param, newvalue)
Table 4-45 updateOAuthClientParam Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth client. |
param | The name of the parameter to update. |
newvalue | The new value for the parameter. |
removeOAuthServiceProfile
createOAuthServiceProfile
createOAuthServiceProfile(identityDomainName, name, description, adAccessPlugin, tokenAttrPlugin, clientPlugin, pluginMode, resourceServerProfilePlugin, authzUserConsentPlugin, allResourceServerInterfaces, resourceServers, allClients, clientAppBindings, preferredHardwareIdList, androidSender, androidSecurityLevel, iosSecurityLevel, otherSecurityLevel, consentServiceProtection, clientRegRequiresUserConsent, serviceProvider, endpoint, serviceEnable, mobilePreAuthzExpire, mobilePreAuthzEnable, authzExpire, authzEnable, clientExpire, clientEnable, clientRefreshExpire, clientRefreshEnable, userExpire, userEnable, userRefreshExpire, userRefreshEnable, accessExpire, accessEnable, accessRefreshExpire, accessRefreshEnable, paramList, mobParamList, userAuthenticator, tokenStatic, tokenDynamic)
Table 4-47 createOAuthServiceProfile Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth service profile. |
description | A description of the OAuth service profile. [Optional] |
adAccessPlugin | Adaptive Access plug-in. [Optional] |
tokenAttrPlugin | Token Attribute plug-in. [Optional] |
clientPlugin | The name of the client plug-in. |
pluginMode | Client plug-in mode. Either ALL_LOCAL_STORAGE or ALL_PLUGIN_DELEGATION. |
resourceServerProfilePlugin | Resource server profile plug-in. |
authzUserConsentPlugin | Authorization user consent plug-in. |
allResourceServerInterfaces | Boolean that specifies whether the service profile applies to all resource server interfaces (true) or only to those listed in resourceServers (false). |
resourceServers | List of resource servers. |
allClients | Boolean that specifies whether the service profile applies to all clients. |
clientAppBindings | List of client application bindings specified in JSON format. [Optional] |
preferredHardwareIdList | Comma-separated list of hardware IDs. |
androidSender | GCM sender ID. [Optional] |
androidSecurityLevel | Android security level: HIGH, MEDIUM or LOW. |
iosSecurityLevel | iOS security level: HIGH, MEDIUM or LOW. |
otherSecurityLevel | Security level for other platforms: HIGH, MEDIUM or LOW. |
consentServiceProtection | Consent service protection mode: OAM, JWT_IDS or JWT_OAM. |
clientRegRequiresUserConsent | Boolean that specifies whether client registration requires user consent. |
serviceProvider | Service provider. |
endpoint | Service endpoint. |
serviceEnable | Boolean that enables or disables the service profile. Either true or false. |
mobilePreAuthzExpire | Mobile pre-authorization code expiration, in seconds. [Optional] |
mobilePreAuthzEnable | Boolean that enables or disables the mobile pre-authorization code. [Optional] |
authzExpire | Authorization code expiration, in seconds. [Optional] |
authzEnable | Boolean that enables or disables the authorization code. [Optional] |
clientExpire | Client token expiration, in seconds. [Optional] |
clientEnable | Boolean that enables or disables the client token. [Optional] |
clientRefreshExpire | Client refresh token expiration, in seconds. [Optional] |
clientRefreshEnable | Boolean that enables or disables the client refresh token. [Optional] |
userExpire | User token expiration, in seconds. [Optional] |
userEnable | Boolean that enables or disables the user token. [Optional] |
userRefreshExpire | User refresh token expiration, in seconds. [Optional] |
userRefreshEnable | Boolean that enables or disables the user refresh token. [Optional] |
accessExpire | Access token expiration, in seconds. |
accessEnable | Boolean that enables or disables the access token. |
accessRefreshExpire | Access refresh token expiration, in seconds. |
accessRefreshEnable | Boolean that enables or disables the access refresh token. |
paramList | A list of parameters specified in JSON format. |
mobParamList | A list of mobile client parameters specified in JSON format. |
userAuthenticator | User authenticator. Either IDS or OAM. |
tokenStatic | Static token attributes specified in JSON format. [Optional] |
tokenDynamic | Comma-separated list of dynamic token attributes. [Optional] |
createOAuthServiceProfile('myDomain','OAuthServiceProfile','OAuth Service Profile','sampleSecurityPlugin','defaultTokenAttrPlugin','DefaultClientSecurityManager','ALL_LOCAL_STORAGE','DefaultResourceServerProfilePlugin','AuthzUserConsentPlugin','false','sampleResourceServerInterface','false','[{client:sampleOAuthClient,role:SSOAgent,priority:45,param:[{param1:val1},{param2:val2}]},{client:sampleOwsmOAuthClient,role:SSOAgent,priority:45,param:[{param1:val1},{param2:val2}]}]','','GoogleCloudMessaging','HIGH','MEDIUM','LOW','OAM','true','OAuthServiceProvider','/oauthserv','true','150','false','900','true','28800','true','604800','true','28800','true','0','false','3600','true','28800','true','[{oracle.id.name:userrole},{jwt.CryptoScheme:RS512},{jwt.issuer:www.oracle.example.com}]','[{mobileParamName:mobileParamValue}]','OAM','[{attr1:val1}]','attr1,attr2,attr3')
updateOAuthServiceProfile
updateOAuthServiceProfile(identityDomainName, name, description, adAccessPlugin, tokenAttrPlugin, clientPlugin, pluginMode, resourceServerProfilePlugin, authzUserConsentPlugin, allResourceServerInterfaces, resourceServers, allClients, clientAppBindings, preferredHardwareIdList,androidSender, androidSecurityLevel, iosSecurityLevel, otherSecurityLevel, consentServiceProtection, clientRegRequiresUserConsent, serviceProvider, endpoint, serviceEnable, mobilePreAuthzExpire, mobilePreAuthzEnable, authzExpire, authzEnable, clientExpire, clientEnable, clientRefreshExpire, clientRefreshEnable, userExpire, userEnable, userRefreshExpire, userRefreshEnable, accessExpire, accessEnable, accessRefreshExpire, accessRefreshEnable, paramList, mobParamList, userAuthenticator, tokenStatic, tokenDynamic)
Table 4-48 updateOAuthServiceProfile Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth service profile. |
description | A description of the OAuth service profile. [Optional] |
adAccessPlugin | Adaptive Access plug-in. [Optional] |
tokenAttrPlugin | Token Attribute plug-in. [Optional] |
clientPlugin | The name of the client plug-in. |
pluginMode | Client plug-in mode. Either ALL_LOCAL_STORAGE or ALL_PLUGIN_DELEGATION. |
resourceServerProfilePlugin | Resource server profile plug-in. |
authzUserConsentPlugin | Authorization user consent plug-in. |
allResourceServerInterfaces | Boolean that specifies whether the service profile applies to all resource server interfaces (true) or only to those listed in resourceServers (false). |
resourceServers | List of resource servers. |
allClients | Boolean that specifies whether the service profile applies to all clients. |
clientAppBindings | List of client application bindings specified in JSON format. [Optional] |
preferredHardwareIdList | Comma-separated list of hardware IDs. |
androidSender | GCM sender ID. [Optional] |
androidSecurityLevel | Android security level: HIGH, MEDIUM or LOW. |
iosSecurityLevel | iOS security level: HIGH, MEDIUM or LOW. |
otherSecurityLevel | Security level for other platforms: HIGH, MEDIUM or LOW. |
consentServiceProtection | Consent service protection mode: OAM, JWT_IDS or JWT_OAM. |
clientRegRequiresUserConsent | Boolean that specifies whether client registration requires user consent. |
serviceProvider | Service provider. |
endpoint | Service endpoint. |
serviceEnable | Boolean that enables or disables the service profile. Either true or false. |
mobilePreAuthzExpire | Mobile pre-authorization code expiration, in seconds. [Optional] |
mobilePreAuthzEnable | Boolean that enables or disables the mobile pre-authorization code. [Optional] |
authzExpire | Authorization code expiration, in seconds. [Optional] |
authzEnable | Boolean that enables or disables the authorization code. [Optional] |
clientExpire | Client token expiration, in seconds. [Optional] |
clientEnable | Boolean that enables or disables the client token. [Optional] |
clientRefreshExpire | Client refresh token expiration, in seconds. [Optional] |
clientRefreshEnable | Boolean that enables or disables the client refresh token. [Optional] |
userExpire | User token expiration, in seconds. [Optional] |
userEnable | Boolean that enables or disables the user token. [Optional] |
userRefreshExpire | User refresh token expiration, in seconds. [Optional] |
userRefreshEnable | Boolean that enables or disables the user refresh token. [Optional] |
accessExpire | Access token expiration, in seconds. |
accessEnable | Boolean that enables or disables the access token. |
accessRefreshExpire | Access refresh token expiration, in seconds. |
accessRefreshEnable | Boolean that enables or disables the access refresh token. |
paramList | A list of parameters specified in JSON format. |
mobParamList | A list of mobile client parameters specified in JSON format. |
userAuthenticator | User authenticator. Either IDS or OAM. |
tokenStatic | Static token attributes specified in JSON format. [Optional] |
tokenDynamic | Comma-separated list of dynamic token attributes. [Optional] |
updateOAuthServiceProfile('myDomain', 'OAuthServiceProfile', 'OAuth Service Profile','sampleSecurityPlugin','defaultTokenAttrPlugin','DefaultClientSecurityManager','ALL_LOCAL_STORAGE','DefaultResourceServerProfilePlugin','AuthzUserConsentPlugin','false','sampleResourceServerInterface','false','[{client:sampleOAuthClient,role:SSOAgent,priority:45,param:[{param1:val1},{param2:val2}]},{client:sampleOwsmOAuthClient,role:SSOAgent,priority:45,param:[{param1:val1},{param2:val2}]}]','oracle:idm:claims:client:iosidforvendor,oracle:idm:claims:client:macaddress,oracle:idm:claims:client:imei','GoogleCloudMessaging','HIGH','MEDIUM','LOW','OAM','true','OAuthServiceProvider','/oauthserv','true','150','false','900','true','28800','true','604800','true','28800','true','0','false','3600','true','28800','true','[{oracle.id.name:userrole},{jwt.CryptoScheme:RS512},{jwt.issuer:www.oracle.example.com}]','[{mobileParamName:mobileParamValue}]','OAM','[{attr1:val1}]','attr1,attr2,attr3')
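The service provider, service profile and client examples above all pass security-relevant values as plain strings: oam.TRANSPORT_SECURITY:OPEN (no encryption between the agent and the OAM server), a sample oam.ENCRYPTED_PASSWORD of "welcome", a client secret of 'quiet', eight-hour client and user token lifetimes, and allowAllScopes set to 'true'. WLST accepts all of them without complaint, so the check has to happen before the command runs. The following Python 3 script is an added example, not part of Oracle's WLST library, that lints exactly those argument values; the input dictionaries are constructed from the documented examples, and the lifetime and secret-length thresholds are this example's own policy (an assumption), not OAM defaults. Remember too that anything typed on a WLST command line, the sample password included, ends up in shell history and in any WLST recording; read real secrets from a file or prompt rather than pasting them.

```python
"""Pre-flight checks on argument values for the createOAuth*/updateOAuth* WLST
commands.  Added example, not Oracle code.  Thresholds are this example's own
policy (assumption), not OAM defaults; adjust to your standard."""
import secrets
from typing import Any, Dict, List
from urllib.parse import urlparse

MAX_TOKEN_LIFETIME_SEC = 3600            # client, user and access tokens
MAX_REFRESH_LIFETIME_SEC = 7 * 86400     # refresh tokens
MIN_SECRET_LENGTH = 16
PLACEHOLDER_SECRETS = {"secret", "welcome", "welcome1", "quiet", "password", "changeit"}
DISCOURAGED_GRANTS = {"implicit", "password"}   # per the OAuth 2.0 Security BCP

# (expire argument, enable argument, limit) pairs from the createOAuthServiceProfile signature.
TOKEN_PAIRS = [
    ("clientExpire", "clientEnable", MAX_TOKEN_LIFETIME_SEC),
    ("userExpire", "userEnable", MAX_TOKEN_LIFETIME_SEC),
    ("accessExpire", "accessEnable", MAX_TOKEN_LIFETIME_SEC),
    ("clientRefreshExpire", "clientRefreshEnable", MAX_REFRESH_LIFETIME_SEC),
    ("userRefreshExpire", "userRefreshEnable", MAX_REFRESH_LIFETIME_SEC),
    ("accessRefreshExpire", "accessRefreshEnable", MAX_REFRESH_LIFETIME_SEC),
]


def _is_true(value: Any) -> bool:
    # WLST receives every argument as a string, so normalise before comparing.
    return str(value).strip().lower() == "true"


def lint_secret(label: str, secret: str) -> List[str]:
    if secret.lower() in PLACEHOLDER_SECRETS:
        return [f"{label}: placeholder secret {secret!r} must be replaced before use"]
    if len(secret) < MIN_SECRET_LENGTH:
        return [f"{label}: secret shorter than {MIN_SECRET_LENGTH} characters"]
    return []


def lint_service_provider(params: Dict[str, str]) -> List[str]:
    """paramList of create/updateOAuthServiceProvider, as a dict of oam.* keys."""
    findings = []
    if str(params.get("oam.TRANSPORT_SECURITY", "")).upper() == "OPEN":
        findings.append("oam.TRANSPORT_SECURITY=OPEN: agent-to-OAM traffic is unencrypted; use SIMPLE or CERT")
    if params.get("oam.ENCRYPTED_PASSWORD"):
        findings += lint_secret("oam.ENCRYPTED_PASSWORD", params["oam.ENCRYPTED_PASSWORD"])
    return findings


def lint_service_profile(args: Dict[str, str]) -> List[str]:
    """Token-lifetime arguments of create/updateOAuthServiceProfile."""
    findings = []
    for expire, enable, limit in TOKEN_PAIRS:
        if not _is_true(args.get(enable, "false")):
            continue                           # disabled token type: lifetime is irrelevant
        try:
            seconds = int(args.get(expire, "0"))
        except ValueError:
            findings.append(f"{expire}: {args[expire]!r} is not an integer number of seconds")
            continue
        if seconds <= 0:
            findings.append(f"{expire}: token enabled with non-positive lifetime {seconds}")
        elif seconds > limit:
            findings.append(f"{expire}: {seconds}s exceeds policy maximum of {limit}s")
    return findings


def lint_client(args: Dict[str, Any]) -> List[str]:
    """Selected createOAuthClient/updateOAuthClient arguments."""
    findings = lint_secret("client secret", str(args.get("secret", "")))
    if _is_true(args.get("allowAllScopes", "false")):
        findings.append("allowAllScopes=true: client can obtain any scope; list scopes explicitly")
    grants = {g.strip() for g in str(args.get("grantTypes", "")).split(",") if g.strip()}
    for grant in sorted(grants & DISCOURAGED_GRANTS):
        findings.append(f"grantTypes includes {grant}: discouraged by the OAuth 2.0 Security BCP")
    for entry in args.get("httpRedirectURIList", []):
        for uri in (entry if isinstance(entry, dict) else [entry]):   # the page uses [{uri:flag}]
            parsed = urlparse(uri)
            if parsed.scheme != "https" and parsed.hostname not in ("localhost", "127.0.0.1"):
                findings.append(f"redirect URI {uri} is not https")
    return findings


def preflight(provider_params, profile_args, client_args) -> List[str]:
    return lint_service_provider(provider_params) + lint_service_profile(profile_args) + lint_client(client_args)


# Constructed from the documented examples in this section.
SAMPLE_SERVICE_PROVIDER_PARAMS = {"oam.WEBGATE_ID": "accessgate-oic", "oam.ENCRYPTED_PASSWORD": "welcome",
                                  "oam.TRANSPORT_SECURITY": "OPEN", "oam.OAM_SERVER_1": "localhost:5575"}
SAMPLE_SERVICE_PROFILE = {"clientExpire": "28800", "clientEnable": "true", "clientRefreshExpire": "604800",
                          "clientRefreshEnable": "true", "userExpire": "28800", "userEnable": "true",
                          "userRefreshExpire": "0", "userRefreshEnable": "false", "accessExpire": "3600",
                          "accessEnable": "true", "accessRefreshExpire": "28800", "accessRefreshEnable": "true"}
SAMPLE_CLIENT = {"secret": "quiet", "allowAllScopes": "true", "grantTypes": "authorization_code,client_credentials",
                 "httpRedirectURIList": [{"http://localhost:7005/base_domain/domainRuntime": False}]}
# The same provider paramList with the weak settings corrected (assumed values).
HARDENED_SERVICE_PROVIDER_PARAMS = dict(SAMPLE_SERVICE_PROVIDER_PARAMS,
                                        **{"oam.TRANSPORT_SECURITY": "CERT",
                                           "oam.ENCRYPTED_PASSWORD": secrets.token_urlsafe(32)})

if __name__ == "__main__":
    for finding in preflight(SAMPLE_SERVICE_PROVIDER_PARAMS, SAMPLE_SERVICE_PROFILE, SAMPLE_CLIENT):
        print("WARN", finding)
```

Run against the documented sample values, the script reports six findings: the OPEN transport mode, the placeholder agent password, the two 28800-second token lifetimes, the placeholder client secret and allowAllScopes. The hardened provider parameters produce none.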
updateOAuthServiceProfileParam
updateOAuthServiceProfileParam(identityDomainName, name, param, newvalue)
Table 4-49 updateOAuthServiceProfileParam Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth service profile. |
param | The name of the parameter to update. |
newvalue | The new value for the parameter. |
removeOAuthAdaptiveAccessPlugin
createOAuthAdaptiveAccessPlugin
createOAuthAdaptiveAccessPlugin(identityDomainName, name, description, implClass, paramList)
Table 4-51 createOAuthAdaptiveAccessPlugin Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth plug-in. |
description | A description of the OAuth plug-in. [Optional] |
implClass | The implementation class of the OAuth plug-in. |
paramList | A list of parameters specified in JSON format. |
updateOAuthAdaptiveAccessPlugin
updateOAuthAdaptiveAccessPlugin(identityDomainName, name, description, implClass, paramList)
Table 4-52 updateOAuthAdaptiveAccessPlugin Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth plug-in. |
description | A description of the OAuth plug-in. [Optional] |
implClass | The implementation class of the OAuth plug-in. |
paramList | A list of parameters specified in JSON format. |
removeOAuthTokenAttributesPlugin
createOAuthTokenAttributesPlugin
createOAuthTokenAttributesPlugin(identityDomainName, name, description,implClass, paramList)
Table 4-54 createOAuthTokenAttributesPlugin Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth plug-in. |
description | A description of the OAuth plug-in. [Optional] |
implClass | The implementation class of the OAuth plug-in. |
paramList | A list of parameters specified in JSON format. |
updateOAuthTokenAttributesPlugin
updateOAuthTokenAttributesPlugin(identityDomainName, name, description, implClass, paramList)
Table 4-55 updateOAuthTokenAttributesPlugin Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth plug-in. |
description | A description of the OAuth plug-in. [Optional] |
implClass | The implementation class of the OAuth plug-in. |
paramList | A list of parameters specified in JSON format. |
removeOAuthResourceServerInterface
updateOAuthResourceServerInterface
updateOAuthResourceServerInterface(identityDomainName, name, description, secret, allowTokenAttrRetrieval, namespacePrefix, audienceClaim, scopeList, offlineScope, authzUserConsentPluginRef, overriddenAuthzExpire, overriddenAuthzEnable, overriddenAccessExpire, overriddenAccessEnable, overriddenAccessRefreshExpire, overriddenAccessRefreshEnable, tokenStatic, tokenDynamic)
Table 4-57 updateOAuthResourceServerInterface Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth resource server interface. |
description | A description of the OAuth resource server interface. |
secret | The resource server secret. |
allowTokenAttrRetrieval | Boolean that enables or disables token attribute retrieval. |
namespacePrefix | A namespace prefix. [Optional] |
audienceClaim | Audience claim URI. [Optional] |
scopeList | A list of scopes specified in JSON format. |
offlineScope | Offline scope. [Optional] |
authzUserConsentPluginRef | Authorization user consent plug-in reference. |
overriddenAuthzExpire | Overridden authorization code expiration, in seconds. |
overriddenAuthzEnable | Boolean that enables or disables the authorization code override. |
overriddenAccessExpire | Overridden access token expiration, in seconds. |
overriddenAccessEnable | Boolean that enables or disables the access token override. |
overriddenAccessRefreshExpire | Overridden access refresh token expiration, in seconds. |
overriddenAccessRefreshEnable | Boolean that enables or disables the access refresh token override. |
tokenStatic | A list of static token attributes specified in JSON format. |
tokenDynamic | Comma-separated list of dynamic token attributes. |
updateOAuthResourceServerInterface('myDomain','sampleResourceServerInterface','sample portal content resource server','secret','true','namespaceprefix.','audienceClaim','[{scopeName:samplePortalContentServer.portal.read,includedInDefault:false,userOffline:false,requiresConsent:true,scopeDesc:[{en-us:read portal content}]},{scopeName:samplePortalContentServer.portal.write,includedInDefault:false,userOffline:false,requiresConsent:true,scopeDesc:[{en-us:write portal content}]}]','offlineScope','AuthzUserConsentPlugin','1200','false','7200','false','28801','false','[]','')
updateOAuthResourceServerInterfaceParam
updateOAuthResourceServerInterfaceParam(identityDomainName, name, param, newvalue)
Table 4-58 updateOAuthResourceServerInterfaceParam Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth resource server interface. |
param | The name of the parameter to update. |
newvalue | The new value for the parameter. |
createOAuthResourceServerInterface
createOAuthResourceServerInterface(identityDomainName, name, description, globalUID, secret, allowTokenAttrRetrieval, namespacePrefix, audienceClaim, scopeList, offlineScope, authzUserConsentPluginRef, overriddenAuthzExpire, overriddenAuthzEnable, overriddenAccessExpire, overriddenAccessEnable, overriddenAccessRefreshExpire, overriddenAccessRefreshEnable, tokenStatic, tokenDynamic)
Table 4-59 createOAuthResourceServerInterface Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the OAuth resource server interface. |
description | A description of the OAuth resource server interface. |
globalUID | Global unique identifier. [Optional] |
secret | The resource server secret. |
allowTokenAttrRetrieval | Boolean that enables or disables token attribute retrieval. |
namespacePrefix | A namespace prefix. [Optional] |
audienceClaim | Audience claim URI. [Optional] |
scopeList | A list of scopes specified in JSON format. |
offlineScope | Offline scope. [Optional] |
authzUserConsentPluginRef | Authorization user consent plug-in reference. |
overriddenAuthzExpire | Overridden authorization code expiration, in seconds. |
overriddenAuthzEnable | Boolean that enables or disables the authorization code override. |
overriddenAccessExpire | Overridden access token expiration, in seconds. |
overriddenAccessEnable | Boolean that enables or disables the access token override. |
overriddenAccessRefreshExpire | Overridden access refresh token expiration, in seconds. |
overriddenAccessRefreshEnable | Boolean that enables or disables the access refresh token override. |
tokenStatic | A list of static token attributes specified in JSON format. |
tokenDynamic | Comma-separated list of dynamic token attributes. |
createOAuthResourceServerInterface('myDomain','sampleResourceServerInterface','sample portal content resource server','','secret','true','namespaceprefix.','audienceClaim','[{scopeName:samplePortalContentServer.portal.read,includedInDefault:false,userOffline:false,requiresConsent:true,scopeDesc:[{en-us:read portal content}]},{scopeName:samplePortalContentServer.portal.write,includedInDefault:false,userOffline:false,requiresConsent:true,scopeDesc:[{en-us:write portal content}]}]','offlineScope','AuthzUserConsentPlugin','1200','false','7200','false','28801','false','[]','')
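The paramList of the createOAuthSysComponent and updateOAuthSysComponent examples earlier in this section and the scopeList of the createOAuthResourceServerInterface example directly above use the same relaxed JSON: unquoted keys, bare-word values, double quotes only around values such as "/UserProfile" or "localhost:5575", and the whole array wrapped in a Jython single-quoted string. Hand-typing nested scope definitions this way is where quoting mistakes creep in, so the following Python 3 helper, an added example that is not part of Oracle's WLST library, builds the argument strings from ordinary dictionaries and assembles the complete WLST command line. It runs outside WLST (WLST embeds Jython 2, which this code does not target) and its output is pasted into, or piped to, the WLST shell. The quoting rule is inferred from the documented examples and is an assumption: a value is double-quoted when it is empty, contains any of , : / { } [ ] " = or has leading or trailing whitespace; verify it against your OAM release for unusual values.

```python
"""Build argument strings for the OAuth WLST commands from Python data.

Added example, not part of Oracle's WLST library.  Every command argument is a
string; list-valued ones (paramList, scopeList, clientAppBindings, ...) use the
relaxed JSON seen in the documented examples.  The quoting rule below is
inferred from those examples (assumption): quote a value when it is empty,
contains any of , : / { } [ ] " = or has leading/trailing whitespace.
"""
from typing import Any, Mapping, Sequence

_NEEDS_QUOTES = set(',:/{}[]"=')


def _scalar(value: Any) -> str:
    """Render one scalar in the relaxed-JSON form."""
    if isinstance(value, bool):            # bool before int: bool is an int subclass
        return "true" if value else "false"
    if value is None:
        return "null"
    if isinstance(value, (int, float)):
        return str(value)
    text = str(value)
    if text == "" or text != text.strip() or any(ch in _NEEDS_QUOTES for ch in text):
        escaped = text.replace("\\", "\\\\").replace('"', '\\"')
        return f'"{escaped}"'
    return text


def encode(value: Any) -> str:
    """Recursively render dicts as {k:v,...}, lists as [...], scalars via _scalar."""
    if isinstance(value, Mapping):
        return "{" + ",".join(f"{key}:{encode(val)}" for key, val in value.items()) + "}"
    if isinstance(value, (list, tuple)):
        return "[" + ",".join(encode(item) for item in value) + "]"
    return _scalar(value)


def to_param_list(items: Sequence[Mapping[str, Any]]) -> str:
    """A paramList/scopeList argument: a JSON-style array of objects."""
    return encode(list(items))


def wlst_literal(text: str) -> str:
    """Quote one argument as a Jython single-quoted string literal."""
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def build_call(command: str, *args: str) -> str:
    """Assemble the full WLST command line; every argument must already be a string."""
    return command + "(" + ",".join(wlst_literal(arg) for arg in args) + ")"


def user_consent_command() -> str:
    """Reproduces the documented createOAuthSysComponent example from structured data."""
    params = to_param_list([
        {"uc.ldap.username.attr": "uid"},
        {"uc.ldap.consent.attr": "postaladdress"},
        {"uc.ldap.userprofile.service": "/UserProfile"},
    ])
    return build_call(
        "createOAuthSysComponent",
        "myDomain",
        "DefaultUserConsentService",
        "Default User Consent Service",
        "oracle.security.idaas.oauth.consent.AuthorizationUserConsent",
        "oracle.security.idaas.oauth.consent.impl.LDAPAuthorizationUserConsentImpl",
        params,
    )


def portal_scope_list() -> str:
    """The scopeList of the createOAuthResourceServerInterface example above."""
    def scope(name: str, description: str, consent: bool) -> dict:
        return {"scopeName": name, "includedInDefault": False, "userOffline": False,
                "requiresConsent": consent, "scopeDesc": [{"en-us": description}]}
    return to_param_list([
        scope("samplePortalContentServer.portal.read", "read portal content", True),
        scope("samplePortalContentServer.portal.write", "write portal content", True),
    ])


if __name__ == "__main__":
    print(user_consent_command())
    print(portal_scope_list())
```

Because the serializer is deterministic, the generated command lines can be kept in version control and diffed against what an administrator is about to run, which is harder to do with hand-edited one-liners.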
updateOAuthJailBreakingDetectionPolicy
updateOAuthJailBreakingDetectionPolicy(identityDomainName, name, enabled, policyStatements)
Table 4-60 updateOAuthJailBreakingDetectionPolicy Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
name | The name of the jail breaking detection policy. |
enabled | Boolean that enables or disables the jail breaking detection policy. |
policyStatements | A list of policy statements specified in JSON format. |
removeOAuthUserProfileResourceServer
updateOAuthUserProfileResourceServer
updateOAuthUserProfileResourceServer(identityDomainName, resName, resDesc, secret, namespacePrefix, authzPluginRef, scopeList, offlineScope, authzExpire, authzEnable, accessExpire, accessEnable, accessRefreshExpire, accessRefreshEnable, tokenStatic, tokenDynamic, endpoint, enabled, subResource, paramList)
Table 4-62 updateOAuthUserProfileResourceServer Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
resName | The name of the user profile resource server. |
resDesc | A description of the user profile resource server. |
secret | The resource server secret. |
namespacePrefix | A namespace prefix. |
authzPluginRef | Authorization plug-in reference. |
scopeList | A list of scopes specified in JSON format. |
offlineScope | Offline scope. [Optional] |
authzExpire | Authorization code expiration, in seconds. |
authzEnable | Boolean that enables or disables the authorization code. |
accessExpire | Access token expiration, in seconds. |
accessEnable | Boolean that enables or disables the access token. |
accessRefreshExpire | Access refresh token expiration, in seconds. |
accessRefreshEnable | Boolean that enables or disables the access refresh token. |
tokenStatic | A list of static token attributes specified in JSON format. |
tokenDynamic | Comma-separated list of dynamic token attributes. |
endpoint | Service endpoint. |
enabled | Boolean that enables or disables the resource server. |
subResource | Sub-resource definitions specified in JSON format. |
paramList | A list of parameters specified in JSON format. |
updateOAuthUserProfileResourceServer('myDomain','userProfile','Out Of The Box User Profile Resource Server','welcome1','[{scopeName:userProfile.users.read,includedInDefault:false,userOffline:false,requiresConsent:false,scopeDesc:[{en-us:read any user default profile}]},{scopeName:userProfile.users.write,includedInDefault:false,userOffline:false,requiresConsent:false,scopeDesc:[{en-us:write any user default profile}]},{scopeName:userProfile.group.read,includedInDefault:false,userOffline:false,requiresConsent:false,scopeDesc:[{en-us:read any group default profile}]},{scopeName:userProfile.group.write,includedInDefault:false,userOffline:false,requiresConsent:false,scopeDesc:[{en-us:write any group default profile}]},{scopeName:userProfile.me.read,includedInDefault:false,userOffline:false,requiresConsent:true,scopeDesc:[{en-us:read my default profile}]},{scopeName:userProfile.me.write,includedInDefault:false,userOffline:false,requiresConsent:true,scopeDesc:[{en-us:write my default profile}]},{scopeName:userProfile.me.password,includedInDefault:false,userOffline:false,requiresConsent:true,scopeDesc:[{en-us:write my default password}]}]','namespace','userrole','defaultPlugin','900','true','604800','true','28800','true','/myuserprofile','false','[{accessControl:false},{adminGroup:"cn=Administrators,ou=groups,ou=myrealm,dc=base_domain"},{selfEdit:true}]','[{endpoint:"/me",enabled:true,implClass:oracle.security.idaas.oauth.jaxrs.Me,entities:[{attributes:"",relationship:[{name:people_groups,endpoint:memberOf,srcEntity:person-uri,destEntity:group-uri,scopeNames:""},{name:people_manager,endpoint:manager,srcEntity:report-uri,destEntity:manager-uri,scopeNames:""}]}],binding:[{method:"GET",allow:true,scope:myscope,addScope:[{name:userProfile.me.read,attr:"uid,mail,description,commonname,firstname,lastname"},{name:userProfile.me.password,attr:password}]},{method:"POST,PUT,DELETE",allow:true,scope:myscope,addScope:[{name:userProfile.me.write,attr:"uid,mail,description,commonname,firstname,lastname"},{name:userProfile.me.password,attr:password}]}],param:[]},{endpoint:"/users",enabled:true,implClass:oracle.security.idaas.oauth.jaxrs.Users,entities:[{attributes:"",relationship:[{name:people_groups,endpoint:memberOf,srcEntity:person-uri,destEntity:group-uri,scopeNames:""},{name:people_manager,endpoint:manager,srcEntity:report-uri,destEntity:manager-uri,scopeNames:""}]}],binding:[{method:"GET",allow:true,scope:myscope,addScope:[{name:userProfile.users.read,attr:"uid,mail,description,commonname,firstname,lastname"}]},{method:"POST,PUT,DELETE",allow:true,scope:myscope,addScope:[{name:userProfile.users.write,attr:"uid,mail,description,commonname,firstname,lastname"}]}],param:[]},{endpoint:"/groups",enabled:true,implClass:oracle.security.idaas.oauth.jaxrs.Groups,entities:[{attributes:"",relationship:[{name:groups_people,endpoint:memberOf,srcEntity:group-uri,destEntity:person-uri,scopeNames:""}]}],binding:[{method:"GET",allow:true,scope:myscope,addScope:[{name:userProfile.group.read,attr:"name,description"}]},{method:"POST,PUT,DELETE",allow:true,scope:myscope,addScope:[{name:userProfile.group.write,attr:"name,description"}]}],param:[]}]','[{param1:val1},{param2:val2}]','attr1,attr2')
createOAuthUserProfileResourceServer
createOAuthUserProfileResourceServer(identityDomainName, resName, resDesc, globalUID, secret, scopeList, namespacePrefix, idsName, authzPluginRef, authzExpire, authzEnable, accessExpire, accessEnable, accessRefreshExpire, accessRefreshEnable, endpoint, enabled, paramList, subResourceList, tokenStatic, tokenDynamic)
Table 4-63 createOAuthUserProfileResourceServer Arguments
Argument | Definition |
---|---|
identityDomainName | The name of the OAuth identity domain. |
resName | The name of the user profile resource server. |
resDesc | A description of the user profile resource server. |
globalUID | Global unique identifier. [Optional] |
secret | The resource server secret. |
scopeList | A list of scopes specified in JSON format. |
namespacePrefix | A namespace prefix. |
idsName | The identity directory service name. |
authzPluginRef | Authorization plug-in reference. |
authzExpire | Authorization code expiration, in seconds. |
authzEnable | Boolean that enables or disables the authorization code. |
accessExpire | Access token expiration, in seconds. |
accessEnable | Boolean that enables or disables the access token. |
accessRefreshExpire | Access refresh token expiration, in seconds. |
accessRefreshEnable | Boolean that enables or disables the access refresh token. |
endpoint | Service endpoint. |
enabled | Boolean that enables or disables the resource server. |
paramList | A list of parameters specified in JSON format. |
subResourceList | Sub-resource definitions specified in JSON format. |
tokenStatic | A list of static token attributes specified in JSON format. |
tokenDynamic | Comma-separated list of dynamic token attributes. |
createOAuthUserProfileResourceServer('myDomain','userProfile', 'Out Of The Box User Profile Resource Server','555888','welcome1', '[{scopeName:userProfile.users.read,includedInDefault:false,userOffline:false, requiresConsent:false,scopeDesc:[{en-us:read any user default profile}]}, {scopeName:userProfile.users.write,includedInDefault:false,userOffline:false, requiresConsent:false,scopeDesc:[{en-us:write any user default profile}]}, {scopeName:userProfile.group.read,includedInDefault:false,userOffline:false, requiresConsent:false,scopeDesc:[{en-us:read any group default profile}]}, {scopeName:userProfile.group.write,includedInDefault:false,userOffline:false, requiresConsent:false,scopeDesc:[{en-us:write any group default profile}]}, {scopeName:userProfile.me.read,includedInDefault:false,userOffline:false, requiresConsent:true,scopeDesc:[{en-us:read my default profile}]}, {scopeName:userProfile.me.write,includedInDefault:false,userOffline:false, requiresConsent:true,scopeDesc:[{en-us:write my default profile}]}, {scopeName:userProfile.me.password,includedInDefault:false,userOffline:false, requiresConsent:true,scopeDesc:[{en-us:write my default password}]}]', 'namespace','userrole','defaultPlugin','900','true','604800','true','28800', 'true','/myuserprofile','false','[{accessControl:false}, {adminGroup:"cn=Administrators,ou=groups,ou=myrealm,dc=base_domain"}, {selfEdit:true}]','[{endpoint:"/me",enabled:true, implClass:oracle.security.idaas.oauth.jaxrs.Me,entities:[{attributes:"", relationship:[{name:people_groups,endpoint:memberOf,srcEntity:person-uri, destEntity:group-uri,scopeNames:""},{name:people_manager,endpoint:manager, srcEntity:report-uri,destEntity:manager-uri,scopeNames:""}]}], binding:[{method:"GET",allow:true,scope:myscope, addScope:[{name:userProfile.me.read,attr:"uid,mail,description,commonname, firstname,lastname"},{name:userProfile.me.password,attr:password}]}, {method:"POST,PUT,DELETE",allow:true,scope:myscope, 
addScope:[{name:userProfile.me.write,attr:"uid,mail,description,commonname, firstname,lastname"},{name:userProfile.me.password,attr:password}]}],param:[]}, {endpoint:"/users",enabled:true, implClass:oracle.security.idaas.oauth.jaxrs.Users,entities:[{attributes:"", relationship:[{name:people_groups,endpoint:memberOf,srcEntity:person-uri, destEntity:group-uri,scopeNames:""},{name:people_manager,endpoint:manager, srcEntity:report-uri,destEntity:manager-uri,scopeNames:""}]}], binding:[{method:"GET",allow:true,scope:myscope, addScope:[{name:userProfile.users.read,attr:"uid,mail,description,commonname, firstname,lastname"}]},{method:"POST,PUT,DELETE",allow:true,scope:myscope, addScope:[{name:userProfile.users.write,attr:"uid,mail,description,commonname, firstname,lastname"}]}],param:[]},{endpoint:"/groups",enabled:true, implClass:oracle.security.idaas.oauth.jaxrs.Groups, entities:[{attributes:"",relationship:[{name:groups_people,endpoint:memberOf, srcEntity:group-uri,destEntity:person-uri,scopeNames:""}]}], binding:[{method:"GET",allow:true,scope:myscope, addScope:[{name:userProfile.group.read,attr:"name,description"}]}, {method:"POST,PUT,DELETE",allow:true,scope:myscope, addScope:[{name:userProfile.group.write,attr:"name,description"}]}], param:[]}]','[{param1:val1},{param2:val2}]','attr1,attr2')
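The scopeList and subResourceList arguments above use a relaxed JSON-style notation (unquoted keys, bare values, double-quoted values that may contain commas). The following added example, which is not part of the Oracle documentation, parses that notation and cross-checks a scopeList against a subResourceList before the strings are handed to the command; the parser's reading of the notation, the sample strings and the function names are assumptions.

```python
"""Added example (not Oracle's code): parse the relaxed JSON-style strings that
createOAuthUserProfileResourceServer takes for scopeList and subResourceList."""


class RelaxedJsonParser:
    """Recursive-descent parser for the WLST OAuth bracket notation: unquoted keys,
    bare values that may contain spaces, dots and slashes (ended by ',', '}' or ']'),
    double-quoted values that may contain commas, and true/false as booleans.
    This is an assumed reading of the notation, not Oracle's own parser."""

    def __init__(self, text):
        self.text, self.pos = text, 0

    def _peek(self):
        # Skip whitespace and return the next significant character.
        while self.pos < len(self.text) and self.text[self.pos].isspace():
            self.pos += 1
        if self.pos >= len(self.text):
            raise ValueError("unexpected end of input")
        return self.text[self.pos]

    def value(self):
        ch = self._peek()
        if ch == "[":
            return self._container("]", self.value)
        if ch == "{":
            return self._container("}", self._member)
        if ch == '"':
            end = self.text.index('"', self.pos + 1)
            text, self.pos = self.text[self.pos + 1:end], end + 1
            return text
        start = self.pos  # bare word: runs up to the next ',', '}' or ']'
        while self.pos < len(self.text) and self.text[self.pos] not in ",}]":
            self.pos += 1
        raw = self.text[start:self.pos].strip()
        return {"true": True, "false": False}.get(raw, raw)

    def _container(self, closer, item):
        # Shared loop for lists ("[...]") and objects ("{...}").
        self.pos += 1
        items = []
        while self._peek() != closer:
            items.append(item())
            ch = self._peek()
            if ch == ",":
                self.pos += 1
            elif ch != closer:
                raise ValueError("expected ',' or '%s' at offset %d" % (closer, self.pos))
        self.pos += 1
        return dict(items) if closer == "}" else items

    def _member(self):
        # One key:value pair; keys are unquoted and never contain ':'.
        self._peek()
        end = self.text.index(":", self.pos)
        key, self.pos = self.text[self.pos:end].strip(), end + 1
        return key, self.value()


def parse_wlst_json(text):
    return RelaxedJsonParser(text).value()


def scopes_requiring_consent(scope_list_text):
    """Names of the scopes whose requiresConsent flag is true."""
    return [s["scopeName"] for s in parse_wlst_json(scope_list_text)
            if s.get("requiresConsent") is True]


def undeclared_binding_scopes(scope_list_text, sub_resource_text):
    """Scope names that a sub-resource binding adds (binding[].addScope[].name)
    but that scopeList never declares; such a binding can never be satisfied."""
    declared = {s.get("scopeName") for s in parse_wlst_json(scope_list_text)}
    missing = []
    for resource in parse_wlst_json(sub_resource_text):
        for binding in resource.get("binding", []):
            for added in binding.get("addScope", []):
                name = added.get("name")
                if name not in declared and name not in missing:
                    missing.append(name)
    return missing


# Constructed sample: three of the scopes from the documented example invocation.
SCOPE_LIST = (
    "[{scopeName:userProfile.users.read,includedInDefault:false,userOffline:false,"
    "requiresConsent:false,scopeDesc:[{en-us:read any user default profile}]},"
    "{scopeName:userProfile.me.read,includedInDefault:false,userOffline:false,"
    "requiresConsent:true,scopeDesc:[{en-us:read my default profile}]},"
    "{scopeName:userProfile.me.password,includedInDefault:false,userOffline:false,"
    "requiresConsent:true,scopeDesc:[{en-us:write my default password}]}]"
)

# Constructed sample: a /me sub-resource whose write binding adds userProfile.me.write, undeclared above.
SUB_RESOURCES = (
    '[{endpoint:"/me",enabled:true,implClass:oracle.security.idaas.oauth.jaxrs.Me,'
    'binding:[{method:"GET",allow:true,scope:myscope,addScope:[{name:userProfile.me.read,'
    'attr:"uid,mail,description"},{name:userProfile.me.password,attr:password}]},'
    '{method:"POST,PUT,DELETE",allow:true,scope:myscope,'
    'addScope:[{name:userProfile.me.write,attr:"uid,mail"}]}],param:[]}]'
)
```

Running `undeclared_binding_scopes(SCOPE_LIST, SUB_RESOURCES)` on the samples reports userProfile.me.write, the kind of mismatch that is otherwise only discovered when the resource server rejects every write.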
displayOAuthServiceProvider
getOAuthAdaptiveAccessPlugins
displayOAuthAdaptiveAccessPlugin
getOAuthTokenAttributesPlugins
displayOAuthTokenAttributesPlugin
getOAuthResourceServerInterfaces
displayOAuthResourceServerInterface
getOAuthUserProfileResourceServers
displayOAuthUserProfileResourceServer
Table 4-84 describes the various types of WLST commands available for the Oracle Access Management Security Token Service (Security Token Service).
Table 4-84 WLST Security Token Service Command Groups
OSTS Command Type | Description |
---|---|
Partner Commands | WLST commands related to tasks involving partners. |
Relying Party Partner Mapping Commands | The WS Prefix to Relying Party Partner mappings are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart... |
Partner Profiles Commands | WLST commands related to tasks involving partner profiles. |
Issuance Templates Commands | WLST commands related to tasks involving issuance templates. |
Validation Templates Commands | WLST commands related to tasks involving validation templates. |
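As an added illustration, not code from the Oracle documentation, the following in-memory model shows how the WS Prefix mapping described above resolves an RST AppliesTo URL to a Relying Party Partner. The class and method names are assumptions, as are two rules the page does not spell out: the longest matching prefix wins, and a prefix matches only at a path-segment boundary.

```python
"""Added example (not Oracle's code): resolving an RST AppliesTo URL through
WS Prefix to Relying Party Partner mappings."""


class WSPrefixMappingStore:
    """In-memory stand-in for the mapping commands on this page (create/get/delete
    WSPrefixAndPartnerMapping). Assumed rules: the longest matching prefix wins,
    and a prefix matches only a whole path segment."""

    def __init__(self):
        self._mappings = {}  # normalised prefix -> (partnerid, description)

    @staticmethod
    def _normalise(url):
        # A trailing slash is not significant: http://h/p and http://h/p/ are one prefix.
        return url.rstrip("/")

    def create(self, wsprefix, partnerid, description=""):
        key = self._normalise(wsprefix)
        if key in self._mappings:
            raise ValueError("a mapping already exists for %s" % wsprefix)
        self._mappings[key] = (partnerid, description)

    def get(self, wsprefix):
        """partnerid mapped to exactly this WS Prefix, or None."""
        entry = self._mappings.get(self._normalise(wsprefix))
        return entry[0] if entry else None

    def delete(self, wsprefix):
        return self._mappings.pop(self._normalise(wsprefix), None) is not None

    def all_prefixes(self):
        return sorted(self._mappings)

    def matches(self, prefix, applies_to):
        # Exact URL, or the prefix followed by '/' and more path, so that
        # http://test.com/service does not match http://test.com/servicex.
        target = self._normalise(applies_to)
        return target == prefix or target.startswith(prefix + "/")

    def resolve(self, applies_to):
        """Relying Party partnerid for an RST AppliesTo URL, or None when no prefix matches."""
        best = None
        for prefix, (partnerid, _description) in self._mappings.items():
            if self.matches(prefix, applies_to) and (best is None or len(prefix) > len(best[0])):
                best = (prefix, partnerid)
        return best[1] if best else None


def build_sample_store():
    """Constructed sample: the page's example mapping plus a more specific one."""
    store = WSPrefixMappingStore()
    store.create("http://test.com/service", "RelyingPartyPartnerTest", "page example")
    store.create("http://test.com/service/shop", "ShopRelyingParty", "constructed")
    return store
```

With the sample store, http://test.com/service/calculatorService resolves to RelyingPartyPartnerTest while http://test.com/service/shop/cart resolves to the more specific ShopRelyingParty.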
Use the WLST commands listed in Table 4-85 to manage the Security Token Service.
Table 4-85 WLST Commands Security Token Service
Use this command... | To... | Use with WLST... |
---|---|---|
Partner Commands | | |
getPartner | Retrieve a partner and print result. | Online |
 | Retrieve the names of Requester partners. | Online |
 | Retrieve the names of all Relying Party partners. | Online |
 | Retrieve the names of all Issuing Authority partners. | Online |
 | Query Security Token Service to determine whether or not the partner exists in the Partner store. | Online |
createPartner | Create a new Partner entry. | Online |
updatePartner | Update an existing Partner entry based on the provided information. | Online |
deletePartner | Delete a partner entry. | Online |
getPartnerUsernameTokenUsername | Retrieve the partner's username value. | Online |
getPartnerUsernameTokenPassword | Retrieve the partner's password value. | Online |
setPartnerUsernameTokenCredential | Set the username and password values of a partner entry. | Online |
deletePartnerUsernameTokenCredential | Remove the username and password values from a partner entry. | Online |
getPartnerSigningCert | Retrieve the Base64 encoded signing certificate for the partner. | Online |
getPartnerEncryptionCert | Retrieve the Base64 encoded encryption certificate for the partner. | Online |
setPartnerSigningCert | Upload the signing certificate to the partner entry. | Online |
setPartnerEncryptionCert | Upload the encryption certificate to the partner entry. | Online |
deletePartnerSigningCert | Remove the signing certificate from the partner entry. | Online Offline |
deletePartnerEncryptionCert | Remove the encryption certificate from the partner entry. | Online Offline |
getPartnerAllIdentityAttributes | Retrieve and display all Identity mapping attributes used to map a token to a requester partner. | Online Offline |
getPartnerIdentityAttribute | Retrieve and display the identity mapping attribute. | Online Offline |
setPartnerIdentityAttribute | Set the identity mapping attribute for a requester partner. | Online Offline |
deletePartnerIdentityAttribute | Delete the identity mapping attribute for a requester partner. | Online Offline |
Relying Party Partner Mapping Commands | | |
 | Retrieve and display all WS Prefixes. | Online Offline |
getWSPrefixAndPartnerMapping | Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter. | Online Offline |
createWSPrefixAndPartnerMapping | Create a new WS Prefix mapping to a Relying Partner. | Online Offline |
deleteWSPrefixAndPartnerMapping | Delete an existing WS Prefix mapping to a Relying Partner. | Online Offline |
Partner Profiles Commands | | |
 | Retrieve the names of all the existing partner profiles. | Online |
getPartnerProfile | Retrieve partner profile configuration data. | Online |
createRequesterPartnerProfile | Create a new Requester Partner profile with default configuration data. | Online |
createRelyingPartyPartnerProfile | Create a new Relying Party Partner profile with default configuration data. | Online |
createIssuingAuthorityPartnerProfile | Create a new Issuing Authority Partner profile with default configuration data. | Online |
deletePartnerProfile | Delete an existing partner profile. | Online |
Issuance Template Commands | | |
 | Retrieve the names of all the existing Issuance Templates. | Online Offline |
getIssuanceTemplate | Retrieve configuration data of a specific Issuance Template. | Online |
createIssuanceTemplate | Create a new Issuance Template with default configuration data. | Online |
deleteIssuanceTemplate | Delete an existing Issuance Template. | Online Offline |
Validation Template Commands | | |
 | Retrieve the names of all the existing Validation Templates. | Online Offline |
getValidationTemplate | Retrieve configuration data of a specific Validation Template. | Online Offline |
createWSSValidationTemplate | Create a new WS Security Validation Template with default configuration data. | Online Offline |
createWSTrustValidationTemplate | Create a new WS Trust Validation Template with default configuration data. | Online Offline |
 | Delete an existing Issuance Template. | Online Offline |
Online command that retrieves the Partner entry and prints out the configuration for this partner.
getPartner(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the partnerId: the ID of the partner. |
Online command that retrieves Issuing Authority partners and prints out the result.
Online command that queries the Security Token Service to determine whether or not the specified partner exists in the Partner store.
Queries the Security Token Service to determine whether or not the specified partner exists in the Partner store, and prints out the result.
Online command that creates a new Partner entry.
Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.
createPartner(partnerId, partnerType, partnerProfileId, description, bIsTrusted)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the new partner to be created. |
partnerType | Specifies the type of partner. Values can be one of the following: |
partnerProfileId | Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry. |
description | Specifies the optional description of this new partner entry. |
bIsTrusted | A value that indicates whether or not this new partner is trusted. Value can be either: |
The following invocation creates the STS_REQUESTER partner customPartner with the partner profile custom-partnerprofile, a description (custom requester) and a trust value of true, and displays a message indicating the result of the operation:
createPartner(partnerId="customPartner", partnerType="STS_REQUESTER", partnerProfileId="custom-partnerprofile", description="custom requester", bIsTrusted="true")
Online command that updates an existing Partner entry.
Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.
updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner to be updated. |
partnerProfileId | Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the partner entry. |
description | Specifies the optional description of this partner entry. |
bIsTrusted | A value that indicates whether or not this partner is trusted. Value can be either: |
The following invocation updates customPartner with a new profile ID (x509-wss-validtemp), a description (custom requester with new profile id) and a trust value of false. A message indicates the result of the operation:
updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp", description="custom requester with new profile id", bIsTrusted="false")
Online command that deletes a partner entry from the Security Token Service.
Deletes an existing Partner entry referenced by the partnerId parameter from the Security Token Service, and prints out the result of the operation.
deletePartner(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner to be deleted. |
Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
getPartnerUsernameTokenUsername(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
getPartnerUsernameTokenPassword(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
Online command that sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation.
Sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation. Displays the result of the operation.
setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
UTUsername | Specifies the username value used for UNT credentials validation or mapping operations. |
UTPassword | Specifies the password value used for UNT credentials validation or mapping operations. |
Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
deletePartnerUsernameTokenCredential(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner whose username and password values are to be removed. |
Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
getPartnerSigningCert(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.
Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.
getPartnerEncryptionCert(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
Online command that uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.
setPartnerSigningCert(partnerId, certFile)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
certFile | Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM. |
Online command that uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.
setPartnerEncryptionCert(partnerId, certFile)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
certFile | Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM. |
Online command that removes the signing certificate from the partner entry and displays the result of the operation.
Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
deletePartnerSigningCert(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
Online command that removes the encryption certificate from the partner entry and displays the result of the operation.
Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
deletePartnerEncryptionCert(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
getPartnerAllIdentityAttributes(partnerId)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester. |
The following invocation retrieves and displays all the identity mapping attributes used to map a token, or binding data (SSL Client certificate or HTTP Basic Username), to the requester partner customPartner:
getPartnerAllIdentityAttributes(partnerId="customPartner")
Online command that retrieves and displays identity mapping attributes used to map a token or to map binding data to a requester partner.
Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
getPartnerIdentityAttribute(partnerId, identityAttributeName)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the Requester partner. |
identityAttributeName | Specifies the name of the identity mapping attribute to retrieve and display. For example: |
Online command that sets the identity mapping attribute for the Requester partner.
Sets the identity mapping attribute specified by identityAttributeName for the partner of type Requester specified by the partnerId parameter. These identity mapping attributes only exist for Requester partners. Displays the result of the operation.
setPartnerIdentityAttribute(partnerId, identityAttributeName, identityAttributeValue)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner of type Requester. |
identityAttributeName | Specifies the name of the identity mapping attribute to set. |
identityAttributeValue | Specifies the value of the identity mapping attribute to set. |
The following invocation sets the identity mapping attribute httpbasicusername to the value test for the Requester partner customPartner, and displays the result of the operation:
setPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername",identityAttributeValue="test")
Online command that deletes the identity mapping attribute.
Deletes the identity mapping attribute specified by identityAttributeName.
The identity mapping attributes are used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner, and they only exist for Requester partners.
deletePartnerIdentityAttribute(partnerId, identityAttributeName)
Argument | Definition |
---|---|
partnerId | Specifies the ID of the partner. |
identityAttributeName | Specifies the name of the identity mapping attribute to delete. |
Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.
Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
getWSPrefixAndPartnerMapping(wsprefix)
Argument | Definition |
---|---|
wsprefix | Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
Online command that creates a new WS Prefix mapping to a Relying Party Partner.
Creates a new WS Prefix mapping to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation.
createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
Argument | Definition |
---|---|
wsprefix | Specifies the WS Prefix entry to create. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
partnerid | Specifies the ID of the Relying Party partner. |
description | Specifies an optional description. |
The following invocation creates a new WS Prefix mapping to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation:
createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path", partnerid="customRPpartner", description="some description")
Online command that deletes an existing mapping of a WS Prefix to a Relying Party Partner.
Deletes an existing mapping of a WS Prefix to a Relying Party Partner, and displays the result of the operation.
deleteWSPrefixAndPartnerMapping(wsprefix)
Argument | Definition |
---|---|
wsprefix | Specifies the WS Prefix entry to delete. The path is optional. If specified, it should take the following form: http_protocol://hostname_ip/path |
Online command that retrieves the names of all the existing partner profiles and displays them.
Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.
Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.
getPartnerProfile(partnerProfileId)
Argument | Definition |
---|---|
partnerProfileId | Specifies the name of the partner profile. |
Online command that creates a new requester partner profile with default configuration data.
Creates a new requester partner profile with default configuration data, and displays the result of the operation.
Table 4-86 describes the default configuration created with this command.
Table 4-86 Default Configuration: createRequesterPartnerProfile
Element | Description |
---|---|
Return Error for Missing Claims | Default: false |
Allow Unmapped Claims | Default: false |
Token Type Configuration | The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template: Note: Token Type Configuration and token type to Validation Template mapping are both empty. |
Attribute Name Mapping | Default: The Attribute Name Mapping table is empty by default. |
createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, description)
Argument | Definition |
---|---|
partnerProfileId | Specifies the name of the partner profile. |
defaultRelyingPartyPPID | Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner. |
description | Specifies the optional description for this partner profile. |
The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 4-86.
createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile", defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom partner profile")
Online command that creates a new relying party partner profile with default configuration data.
Creates a new relying party partner profile with default configuration data, and displays the result of the operation.
Table 4-87 describes the default configuration created with this command.
Table 4-87 Default Configuration: createRelyingPartyPartnerProfile
Element | Description |
---|---|
Download Policy | Default: false |
Allow Unmapped Claims | Default: false |
Token Type Configuration | The Token Type Configuration will contain a single entry, with: Note: For the token type of the issuance template referenced by defaultIssuanceTemplateID, it will be linked to the issuance template, while the other token types will not be linked to any issuance template. If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID. |
Attribute Name Mapping | The Attribute Name Mapping table is empty by default. |
createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, description)
Argument | Definition |
---|---|
partnerProfileId | Specifies the name of the partner profile. |
defaultIssuanceTemplateID | Specifies the default issuance template and token type to issue if no token type was specified in the RST. |
description | Specifies the optional description for this partner profile. |
The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.
createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile", defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")
Online command that creates a new issuing authority partner profile with default configuration data.
Creates a new issuing authority partner profile with the default configuration data in Table 4-88, and displays the result of the operation.
Table 4-88 Default Configuration: createIssuingAuthorityPartnerProfile
Element | Description |
---|---|
Server Clockdrift | Default: 600 seconds |
Token Mapping | The Token Mapping Section will be configured as follows: Empty fields |
Partner NameID Mapping | The Partner NameID Mapping table will be provisioned with the following entries as NameID format. However, without any data in the datastore column the issuance template referenced by defaultIssuanceTemplateID is of token type SAML 1.1, SAML 2.0, or Username. The table will contain the following entries: |
User NameID Mapping | The User NameID Mapping table will be provisioned with the following entries as NameID format: |
Attribute Mapping | The Attribute Value Mapping and Attribute Name Mapping tables are empty by default. |
createIssuingAuthorityPartnerProfile(partnerProfileId, description)
Argument | Definition |
---|---|
partnerProfileId | Specifies the name of the partner profile. |
description | Specifies the optional description for this partner profile. |
Online command that deletes a partner profile referenced by the partnerProfileId parameter. (See also Using WLST with SAML 1.1.)
Deletes a partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.
deletePartnerProfile(partnerProfileId)
Argument | Definition |
---|---|
partnerProfileId | Specifies the name of the partner profile to be removed. |
Online command that retrieves the names of all the existing issuance templates.
Online command that retrieves the configuration data of a specific issuance template.
Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.
getIssuanceTemplate(issuanceTemplateId)
Argument | Definition |
---|---|
issuanceTemplateId | Specifies the name of the issuance template. |
Online command that creates a new issuance template with default configuration data.
Creates a new issuance template with default configuration data, and displays the result of the operation.
Table 4-89 describes the default configuration for this command.
Table 4-89 Default Configuration: createIssuanceTemplate
Token Type | Description |
---|---|
Username | The issuance template will be created with the following default values: |
SAML 1.1 or SAML 2.0 | The issuance template will be created with the following default values: Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter |
Custom Type | The issuance template will be created with the following default values: |
createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, description)
Argument | Definition |
---|---|
issuanceTemplateId | Specifies the name of the issuance template to be created. |
tokenType | Possible values can be: |
signingKeyId | Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20. |
description | An optional description. |
Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
deleteIssuanceTemplate(issuanceTemplateId)
Argument | Definition |
---|---|
issuanceTemplateId | Specifies the name of the existing issuance template to be removed. |
Online command that retrieves the names of all the existing validation templates.
Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.
Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.
getValidationTemplate(validationTemplateId)
Argument | Definition |
---|---|
validationTemplateId | Specifies the name of the existing validation template. |
Online command that creates a new validation template with default configuration data.
Creates a new WSS validation template with default configuration data, and displays the result of the operation. The validation template is created using the values in Table 4-90, depending on the token type.
Table 4-90 Default Configuration: createWSSValidationTemplate
Token Type | Description |
---|---|
Username | The validation template will be created with the following default values: |
SAML 1.1 or SAML 2.0 | The validation template will be created with the following default values: The Token Mapping section will be created with the following default values: Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping. Also: Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column: User NameID Mapping table will be provisioned with the following entries as NameID format: |
X.509 | The Token Mapping section will be created with the following default values: Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping. Also: |
Kerberos | The Token Mapping section will be created with the following default values: Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping. Also: |
createWSSValidationTemplate(templateId, tokenType, defaultRequesterPPID, description)
Argument | Definition |
---|---|
templateId | Specifies the name of the validation template to be created. |
tokenType | Specifies the token type of the validation template. Possible values can be: |
defaultRequesterPPID | Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester. |
description | Specifies an optional description. |
The following invocation creates a new validation template with default configuration data, and displays the result of the operation.
createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom", defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation template")
Online command that creates a new WS-Trust validation template with default configuration data.
Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation. The WS-Trust validation template is created with the values in Table 4-91, depending on the token type.
Table 4-91 Default Configuration: createWSTrustValidationTemplate
Token Type | Description |
---|---|
Username |
The WS-Trust validation template will be created with the following default values:
|
SAML 1.1 or SAML 2.0 |
The WS-Trust validation template will be created with the following default values:
The Token Mapping section will be created with the following default values:
Empty fields: User Datastore Attribute, Attribute Based User Mapping User NameID Mapping table will be provisioned with the following entries as NameID format:
|
X.509 |
The WS-Trust Token Mapping section will be created with the following default values:
|
Kerberos |
The WS-Trust Token Mapping section will be created with the following default values:
|
OAM |
The WS-Trust Token Mapping section will be created with the following default values:
|
custom |
The WS-Trust Token Mapping section will be created with the following default values:
|
createWSTrustValidationTemplate(templateId, tokenType, description)
Argument | Definition |
---|---|
templateId | Specifies the name of the WS-Trust validation template to be created. |
tokenType | Specifies the token type of the WS-Trust validation template. Possible values can be: |
description | Specifies an optional description. |
Online command that deletes a validation template.
Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.
deleteValidationTemplate(validationTemplateId)
Argument | Definition |
---|---|
validationTemplateId | Specifies the name of the validation template to be removed. |
This section contains commands used with the OPSS keystore service.
Note:
You need to acquire an OPSS handle to use keystore service commands. For details, see Managing Keys and Certificates with the Keystore Service in the Oracle Fusion Middleware Security Guide.
Table 4-92 lists the WLST commands used to manage the keystore service.
Table 4-92 OPSS Keystore Service Commands
Use this Command... | to... |
---|---|
| Change the password for a key. |
| Change the password on a keystore. |
| Create a keystore. |
| Delete a keystore. |
| Delete an entry in a keystore. |
| Export a keystore to file. |
| Export a certificate to a file. |
| Export a certificate request to a file. |
| Generate a keypair. |
| Generate a secret key. |
| Get information about a certificate or trusted certificate. |
| Get the secret key properties. |
| Import a keystore from file. |
| Import a certificate or other object. |
| List certificates expiring in a specified period. |
| List aliases in a keystore. |
| List all the keystores in a stripe. |
Changes a key password.
svc.changeKeyPassword(appStripe='stripe', name='keystore', password='password', alias='alias', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe containing the keystore. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the key entry whose password is changed. |
currentkeypassword | Specifies the current key password. |
newkeypassword | Specifies the new key password. |
Changes the password of a keystore.
svc.changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe containing the keystore. |
name | Specifies the name of the keystore. |
currentpassword | Specifies the current keystore password. |
newpassword | Specifies the new keystore password. |
This keystore service command creates a new keystore.
svc.createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore is created. |
name | Specifies the name of the new keystore. |
password | Specifies the keystore password. |
permission | This parameter is true if the keystore is protected by permission only, false if protected by both permission and password. |
Deletes the named keystore.
svc.deleteKeyStore(appStripe='stripe', name='keystore', password='password')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore to be deleted. |
password | Specifies the keystore password. |
Deletes a keystore entry.
svc.deleteKeyStoreEntry(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be deleted. |
keypassword | Specifies the key password of the entry to be deleted. |
Exports a keystore to a file.
svc.exportKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-delimited-aliases', keypasswords='comma-delimited-keypasswords', type='keystore-type', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
aliases | Comma-separated list of aliases to be exported. |
keypasswords | Comma-separated list of the key passwords corresponding to the aliases. |
type | Exported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath | Absolute path of the file to which the keystore is exported. |
Exports a certificate.
svc.exportKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be exported. |
keypassword | Specifies the key password. |
type | Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath | Specifies the absolute path of the file to which the certificate, trusted certificate or certificate chain is exported. |
Exports a certificate request.
svc.exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the entry's alias name. |
keypassword | Specifies the key password. |
filepath | Specifies the absolute path of the file to which the certificate request is exported. |
Generates a key pair in a keystore.
svc.generateKeyPair(appStripe='stripe', name='keystore', password='password', dn='distinguishedname', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
dn | Specifies the distinguished name of the certificate wrapping the key pair. |
keysize | Specifies the key size. |
alias | Specifies the alias of the key pair entry. |
keypassword | Specifies the key password. |
Generates a secret key.
svc.generateSecretKey(appStripe='stripe', name='keystore', password='password', algorithm='algorithm', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
algorithm | Specifies the symmetric key algorithm. |
keysize | Specifies the key size. |
alias | Specifies the alias of the key entry. |
keypassword | Specifies the key password. |
Gets a certificate from the keystore.
svc.getKeyStoreCertificates(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed. |
keypassword | Specifies the key password. |
Retrieves secret key properties.
svc.getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the secret key whose properties are displayed. |
keypassword | Specifies the secret key password. |
Imports a keystore from file.
svc.importKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-delimited-aliases', keypasswords='comma-delimited-keypasswords', type='keystore-type', permission=true|false, filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
aliases | Specifies the comma-delimited aliases of the entries to be imported from file. |
keypasswords | Specifies the comma-delimited passwords of the keys in file. |
type | Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath | Specifies the absolute path of the keystore file to be imported. |
permission | Specifies true if the keystore is protected by permission only, false if protected by both permission and password. |
Imports a certificate or other specified object.
svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be imported. |
keypassword | Specifies the key password of the newly imported entry. |
type | Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath | Specifies the absolute path of the file from which the certificate, trusted certificate or certificate chain is imported. |
Lists expiring certificates.
svc.listExpiringCertificates(days='days', autorenew=true|false)
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
days | Specifies that the list should only include certificates within this many days from expiration. |
autorenew | Specifies true for automatically renewing expiring certificates, false for only listing them. |
Lists the aliases in a keystore.
The syntax is as follows:
svc.listKeyStoreAliases(appStripe='stripe', name='keystore', password='password', type='entrytype')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
type | Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'. |
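The keystore service commands above are normally run together as one provisioning sequence. The following WLST (Jython) script is an added example, not from the Oracle documentation; it assumes placeholder admin credentials, stripe and keystore names, passwords and file paths, and that the OPSS handle is obtained with getOpssService(name='KeyStoreService') as described in the Security Guide.

```jython
# Added example (not Oracle's code): provision a TLS keystore with the OPSS
# keystore service from WLST. All names, passwords and paths are placeholders.

connect('weblogic', 'welcome1', 't3://adminhost:7001')   # placeholder credentials

# Acquire the OPSS handle (name='KeyStoreService' per the Security Guide).
svc = getOpssService(name='KeyStoreService')

STRIPE   = 'myapp'
KEYSTORE = 'tlsks'
KS_PWD   = 'ks-password-placeholder'
KEY_PWD  = 'key-password-placeholder'

# 1. Create a keystore protected by both permission and password
#    (permission=false), so a code-source grant alone cannot read the keys.
svc.createKeyStore(appStripe=STRIPE, name=KEYSTORE, password=KS_PWD, permission=false)

# 2. Generate the server key pair. The DN becomes the subject of the
#    certificate wrapping the pair; 2048-bit RSA is the assumed size.
svc.generateKeyPair(appStripe=STRIPE, name=KEYSTORE, password=KS_PWD,
                    dn='cn=app.example.com,o=Example,c=US', keysize='2048',
                    alias='server', keypassword=KEY_PWD)

# 3. Export a CSR for the CA. Once the CA returns the signed chain, import it
#    under the same alias (type='CertificateChain') so the private key is
#    paired with a CA-issued certificate instead of the self-signed one.
svc.exportKeyStoreCertificateRequest(appStripe=STRIPE, name=KEYSTORE, password=KS_PWD,
                                     alias='server', keypassword=KEY_PWD,
                                     filepath='/tmp/server.csr')
svc.importKeyStoreCertificate(appStripe=STRIPE, name=KEYSTORE, password=KS_PWD,
                              alias='server', keypassword=KEY_PWD,
                              type='CertificateChain', filepath='/tmp/server-chain.pem')

# 4. Import the CA root as a trusted certificate so outbound TLS peers
#    issued by that CA can be verified.
svc.importKeyStoreCertificate(appStripe=STRIPE, name=KEYSTORE, password=KS_PWD,
                              alias='example-root-ca', keypassword=KEY_PWD,
                              type='TrustedCertificate', filepath='/tmp/root-ca.pem')

# 5. Verify the result: list every entry type, show the server entry, and
#    report certificates expiring within 30 days without auto-renewing them.
svc.listKeyStoreAliases(appStripe=STRIPE, name=KEYSTORE, password=KS_PWD, type='*')
svc.getKeyStoreCertificates(appStripe=STRIPE, name=KEYSTORE, password=KS_PWD,
                            alias='server', keypassword=KEY_PWD)
svc.listExpiringCertificates(days='30', autorenew=false)

disconnect()
```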
Use the WLST commands listed in Table 4-93 to manage Identity Directory Service Entity Attributes, Entity Definitions, Relationships and default Operational configurations.
Table 4-93 WLST Identity Directory Service Commands
Use this command... | To... | Use with WLST... |
---|---|---|
| Reload the Identity Directory Service configuration | Online |
| Add a new attribute to the entity configuration | Online |
| Add a new attribute to the specified entity | Online |
| Add a new entity to the entity configuration | Online |
| Add a new entity relation to the entity configuration | Online |
| Add a new Identity Directory Service to the configuration | Online |
| Add a new operation configuration to the entity configuration | Online |
| Add a new property to a specified operation configuration | Online |
| Delete an attribute from an entity configuration | Online |
| Delete an entity from an entity configuration | Online |
| Delete the specified entity relation | Online |
| Delete the specified Identity Directory Service in the configuration | Online |
| Delete operation configuration in an entity configuration | Online |
| List all attributes in the entity configuration | Online |
| List all entities defined in the specified entity configuration | Online |
| List all Identity Directory Services in the configuration | Online |
| Remove an attribute from the specified entity | Online |
| Remove a property for the specified operation configuration | Online |
addAttributeInEntityConfig
addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)
Table 4-94 addAttributeInEntityConfig Arguments
Argument | Definition |
---|---|
name | Name of the attribute to be added |
datatype | The attribute's type is defined as one of the following: |
description | Description of the attribute to be added |
readOnly | Flag to specify whether the attribute is read only or can be modified |
pwdAttr | Flag to specify whether the attribute defines a password or not |
appName | Name of the Identity Directory Service |
addAttributeRefForEntity
addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)
Table 4-95 addAttributeRefForEntity Arguments
Argument | Definition |
---|---|
name | Name of the entity to which the attribute will be added |
attrRefName | Name of the attribute to be added to the entity |
attrRefFilter | The type of filter to be used with the attribute is defined as one of the following: |
attrRefDefaultFetch | Flag to specify whether the attribute is fetched by default |
appName | Name of the Identity Directory Service |
addEntity
addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)
Table 4-96 addEntity Arguments
Argument | Definition |
---|---|
name | Name of the entity to which the attribute will be added |
type | Name of the attribute to be added to the entity |
idAttr | Identity attribute of the entity to be added |
create | Flag to specify whether create is allowed |
modify | Flag to specify whether modify is allowed |
delete | Flag to specify whether delete is allowed |
search | Flag to specify whether search is allowed |
attrRefNames | Array of attribute names |
attrRefFilters | An array of filter type values, each defined as one of the following: |
attrRefDefaultFetches | Array of boolean strings (true, false) |
appName | Name of the Identity Directory Service |
addEntityRelation
addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)
Table 4-97 addEntityRelation Arguments
Argument | Definition |
---|---|
name | Name of the relation between the entities for the given attributes |
type | Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne") |
fromEntity | Name of the from entity |
fromAttr | Name of the from attribute |
toEntity | Name of the to entity |
toAttr | Name of the to attribute |
recursive | Flag to set the entity relationship as recursive |
appName | Name of the Identity Directory Service |
addIdentityDirectoryService
addIdentityDirectoryService(name, description, propNames, propValues)
Table 4-98 addIdentityDirectoryService Arguments
Argument | Definition |
---|---|
name | Name of the IdentityStoreService to be added |
description | Description of the IdentityStoreService |
propNames | An array of property names to be added to the IdentityStoreService configuration |
propValues | An array of values to be defined for the property names added to the IdentityStoreService configuration |
addOperationConfig
addOperationConfig(entityName, propNames, propValues, appName)
Table 4-99 addOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added |
propNames | An array of property names to be added to the operation configuration |
propValues | An array of property values for the properties added to the operation configuration |
appName | Name of the Identity Directory Service |
addPropertyForOperationConfig
addPropertyForOperationConfig(entityName, propName, propValue, appName)
Table 4-100 addPropertyForOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added |
propName | A property name to be added to the operation configuration |
propValue | A value for the property added to the operation configuration |
appName | Name of the Identity Directory Service |
deleteAttributeInEntityConfig
deleteIdentityDirectoryService
Delete the specified IdentityStoreService in the Identity Directory Service configuration
deleteIdentityDirectoryService(name)
where name is the name of the IdentityStoreService configuration to be deleted.
listAllAttributeInEntityConfig
listAllAttributeInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of attributes is retrieved.
listAllEntityInEntityConfig
listAllEntityInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of entities is retrieved.
removeAttributeRefForEntity
Use the WLST commands listed in Table 4-107 to manage Library Oracle Virtual Directory (LibOVD) LDAP and Join Adapters configuration. These commands act on the OVD configuration associated with a particular OPSS Context passed in as a parameter.
Table 4-107 WLST LibOVD Commands
Use this command... | To... | Use with WLST... |
---|---|---|
| Reload the LibOVD configuration | Online |
| Add an attribute exclusion rule | Online |
| Add a new attribute mapping rule | Online |
| Add a domain exclusion rule | Online |
| Add a new domain mapping rule | Online |
| Add a join rule to an existing Join adapter for the OVD associated with the given OPSS context | Online |
| Add a new remote host to an existing LDAP adapter | Online |
| Create a new mapping context | Online |
| Add a plugin to an existing adapter or at the global level | Online |
| Add new parameter values to the existing adapter level plugin or global plugin | Online |
| Create a new Join adapter for the OVD associated with the given OPSS context | Online |
| Create a new LDAP adapter for the OVD associated with the given OPSS context | Online |
| Delete an existing adapter for the OVD associated with the given OPSS context | Online |
| Delete an attribute exclusion rule | Online |
| Delete an attribute mapping rule | Online |
| Delete a domain exclusion rule | Online |
| Delete a domain mapping rule | Online |
| Delete the specified mapping context | Online |
| Display the details of an existing adapter that is configured for the OVD associated with the given OPSS context | Online |
| List the name and type of all adapters that are configured for the OVD associated with the given OPSS context | Online |
| List all the mapping contexts | Online |
| List all the attribute rules | Online |
| List all the domain rules | Online |
| Modify the existing LDAP adapter configuration | Online |
| Remove a join rule from a Join adapter configured for the OVD associated with the given OPSS context | Online |
| Remove a remote host from an existing LDAP adapter configuration | Online |
| Remove a plugin from an existing adapter or at the global level | Online |
| Remove an existing parameter from a configured adapter level plugin or global plugin | Online |
activateLibOVDConfigChanges
activateLibOVDConfigChanges(contextName)
where contextName is the name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default.
addAttributeExclusionRule
addAttributeExclusionRule(attribute, mappingContextId, contextName)
Table 4-108 addAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be added to the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
addAttributeRule
addAttributeRule(srcAttrs, srcObjectClass, srcAttrType, dstAttr, dstObjectClass, dstAttrType, mappingExpression, direction, mappingContextId, contextName)
addDomainExclusionRule
addDomainExclusionRule(domain, mappingContextId, contextName)
Table 4-110 addDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished name (DN) of the attribute to be added to the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
addDomainRule
addDomainRule(srcDomain, destDomain, domainConstructRule, mappingContextId, contextName)
Table 4-111 addDomainRule Arguments
Argument | Definition |
---|---|
srcDomain | |
destDomain | |
domainConstructRule | Name of the attribute to be added to the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
addJoinRule
Adds a join rule to an existing Join adapter for the OVD associated with the specified OPSS context.
addJoinRule(adapterName=<adapterName>, secondary=<secondary>, condition=<condition>, joinerType=<joinerType>, contextName=<contextName>)
Table 4-112 addJoinRule Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be modified |
secondary | Name of the adapter to join to |
condition | The attribute(s) to join on |
joinerType | An optional parameter that defines the type of Join. Accepted values include Simple (default), Conditional, OneToMany or Shadow. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
addJoinRule('join1', 'secondaryldap', 'cn=cn', 'Simple', 'default')
addJoinRule('join1', 'secondaryldap', 'cn=cn', 'Conditional', 'default')
addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', joinerType='OneToMany')
addJoinRule(adapterName='join1', secondary='LDAP2', condition='uid=cn', contextName='myContext')
addLDAPHost
Adds a new remote host (host:port pair) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.
addLDAPHost(adapterName=<adapterName>, host=<host>, port=<port>, contextName=<contextName>)
Table 4-113 addLDAPHost Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be modified |
host | Remote LDAP host with which the LDAP adapter will communicate |
port | Remote LDAP host's port |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
addPlugin
Adds a plugin to an existing adapter, or at the global level. The i-th key corresponds to the i-th value. The plugin is added to the default chain.
addPlugin(pluginName=<pluginName>, pluginClass=<pluginClass>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-115 addPlugin Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be created |
pluginClass | Class of the plugin |
paramKeys | Init Param Keys separated by "|" |
paramValues | Init Param Values separated by "|" |
adapterName | Name of the adapter to be modified. If not specified, the plugin is added at the global level. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
addPlugin(adapterName='ldap1', pluginName='VirtualAttr', pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPlugin(pluginName='VirtualAttr', pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPluginParam
Adds new parameter values to an existing adapter level plugin or global plugin. If the parameter already exists, the new value is added to the existing set of values. The i-th key corresponds to the i-th value.
addPluginParam(pluginName=<pluginName>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-116 addPluginParam Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be modified |
paramKeys | Init Param Keys separated by "|" |
paramValues | Init Param Values separated by "|" |
adapterName | Name of the adapter to be modified. If not specified, the global plugin is modified. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
createJoinAdapter
createJoinAdapter(contextName=<contextName>, adapterName=<adapterName>, root=<root>, primaryAdapter=<primaryAdapter>, bindAdapter=<bindAdapter>)
Table 4-117 createJoinAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be created |
mappingContextId | Virtual Namespace of the Join adapter |
primaryAdapter | Specifies the identifier of the primary adapter (the adapter searched first in the join operation) |
root | |
bindAdapter | Specifies the identifier of the bind adapter(s) (the adapter(s) whose proxy account is used to bind in the LDAP operation). By default, the primaryAdapter is set as bindAdapter. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
createLDAPAdapter
createLDAPAdapter(adapterName=<adapterName>, root=<root>, host=<host>, port=<port>, remoteBase=<remoteBase>, isSecure=<true|false>, bindDN=<bindDN>, bindPasswd=<bindPasswd>, passCred=<passCred>, contextName=<contextName>)
Table 4-118 createLDAPAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be created |
root | Virtual Namespace of the LDAP adapter |
host | Remote LDAP host with which the LDAP adapter will communicate |
port | Remote LDAP host's port number |
remoteBase | Location in the remote DIT to which root corresponds. |
isSecure | An optional parameter that enables secure SSL/TLS connections to the remote hosts when defined as true. The default value is "false". |
bindDN | Proxy BindDN used to communicate with the remote host. An optional parameter with default value "". |
bindPasswd | Proxy BindPasswd used to communicate with the remote host. An optional parameter with default value "". |
passCred | This optional parameter controls what credentials, if any, the OVD passes to the backend (remote host) LDAP server. Values can be Always (default), None or BindOnly. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
deleteAdapter
deleteAttributeExclusionRule
deleteAttributeExclusionRule(attribute, mappingContextId, contextName)
Table 4-120 deleteAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be removed from the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
deleteAttributeRule
deleteDomainExclusionRule
deleteDomainExclusionRule(domain, mappingContextId, contextName)
Table 4-122 deleteDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished Name of the container to be removed from the exclusion list |
mappingContextId | Name of the mapping context |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
deleteDomainRule
deleteMappingContext
getAdapterDetails
Displays the details of an existing adapter configured for the Oracle Virtual Directory associated with the specified OPSS context.
getAdapterDetails(adapterName=<adapterName>, contextName=<contextName>)
Table 4-125 getAdapterDetails Arguments
Argument | Definition |
---|---|
adapterName | Name of the adapter whose details are to be displayed |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default |
listAdapters
Lists the name and type of all adapters that are configured for the Oracle Virtual Directory associated with the specified OPSS Context.
listAttributeRules
Lists all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION.
modifyLDAPAdapter
This command is used to modify the following parameters defined in an existing LDAP Adapter:
Remote Base
Root
Secure
BindDN
BindPassword
PassCredentials
MaxPoolSize
modifyLDAPAdapter(adapterName=<adapterName>, attribute=<attribute>, value=<value>, contextName=<contextName>)
Table 4-130 modifyLDAPAdapter Arguments
| Argument | Definition |
|---|---|
| attribute | Name of the attribute to be modified |
| value | New value for the attribute |
| adapterName | Name of the LDAP adapter to be modified |
| contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
```
# Examples: each call changes one attribute of the LDAP adapter ldap1
modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org')
modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly')
modifyLDAPAdapter('ldap1', 'BindDN', 'cn=proxyuser,dc=com', 'mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123')
modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true)
modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500)
```
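As an added example (not code from the Oracle documentation), the following WLST (Jython) script reconciles an LDAP adapter's backend-connection settings with a desired state by issuing modifyLDAPAdapter only for attributes that differ, and can be dry-run under plain Python. The adapter name ldap1, the context mydefault, the desired values, and the plan_changes/apply_changes helpers are assumptions; the attribute names are those listed above.

```python
# Added example, not from the Oracle documentation. Attribute names are the
# modifyLDAPAdapter attributes documented on the page; the adapter name 'ldap1',
# context 'mydefault' and the desired values below are assumptions.

# Desired state, keyed by modifyLDAPAdapter attribute name. Which values are
# right is a deployment decision; these are assumed for the example.
DESIRED_STATE = [
    ('Secure', True),                 # TLS to the remote LDAP host
    ('PassCredentials', 'BindOnly'),  # credential pass-through policy (Always/None/BindOnly)
    ('MaxPoolSize', 100),             # bound the connection pool to the backend
]


def plan_changes(current, desired=DESIRED_STATE):
    """Return the (attribute, value) pairs in `desired` whose current value differs.

    `current` maps attribute name -> value, as you would assemble it from the
    output of getAdapterDetails for the adapter (its output format is not assumed).
    """
    return [(attr, value) for attr, value in desired if current.get(attr) != value]


def apply_changes(adapter_name, changes, context_name='default', modify=None):
    """Call modifyLDAPAdapter once per planned change; return the attributes touched.

    `modify` is injected so the function can be exercised outside a WLST session;
    inside WLST it defaults to the real modifyLDAPAdapter command.
    """
    if modify is None:
        modify = globals()['modifyLDAPAdapter']  # defined only in a WLST session
    applied = []
    for attr, value in changes:
        modify(adapterName=adapter_name, attribute=attr, value=value, contextName=context_name)
        applied.append(attr)
    return applied


if __name__ == '__main__':
    # Constructed snapshot of the adapter's current settings (in a WLST session,
    # build this from the output of getAdapterDetails('ldap1', 'mydefault')).
    current = {'Secure': False, 'PassCredentials': 'Always', 'MaxPoolSize': 100}
    changes = plan_changes(current)
    print('Planned changes: %s' % changes)
    if 'modifyLDAPAdapter' in globals():   # real WLST session: apply them
        apply_changes('ldap1', changes, 'mydefault')
    else:                                  # plain Python: dry run only
        print('Not in a WLST session; nothing applied.')
```

Run it with wlst.sh after connect() to apply the changes, or with a plain Python interpreter to see only the planned calls.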
removeJoinRule
Removes a join rule from a Join adapter configured for the Oracle Virtual Directory associated with the specified OPSS Context.
removeJoinRule(adapterName=<adapterName>, secondary=<secondary>, contextName=<contextName>)
Table 4-131 removeJoinRule Arguments
| Argument | Definition |
|---|---|
| adapterName | Name of the Join adapter to be modified |
| secondary | The join rules corresponding to this secondary adapter are removed from the Join adapter |
| contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
removeLDAPHost
removeLDAPHost(adapterName=<adapterName>, host=<host>, contextName=<contextName>)
Table 4-132 removeLDAPHost Arguments
| Argument | Definition |
|---|---|
| adapterName | Name of the LDAP adapter to be modified |
| host | Location of the remote LDAP host with which the LDAP adapter communicates |
| contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
removePlugin
removePlugin(pluginName=<pluginName>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-133 removePlugin Arguments
| Argument | Definition |
|---|---|
| pluginName | Name of the plugin to be removed |
| adapterName | Name of the adapter to be modified. If not specified, the global plugin is removed. |
| contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
removePluginParam
Removes an existing parameter from a configured adapter-level plugin or global plugin. All values of that parameter are removed from the plugin.
removePluginParam(pluginName=<pluginName>, paramKey=<paramKey>, adapterName=<adapterName>, contextName=<contextName>)
Table 4-134 removePluginParam Arguments
| Argument | Definition |
|---|---|
| pluginName | Name of the plugin to be modified |
| paramKey | Parameter to be removed |
| adapterName | Name of the adapter to be modified. If not specified, the global plugin is modified. |
| contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |