3 Policy and Credential WLST Commands

This chapter provides descriptions of custom WebLogic Scripting Tool (WLST) commands to administer policies and credentials for Oracle Access Management Access Manager, including command syntax, arguments and examples.

The following section lists the policy and credential WLST commands and contains links to the command reference details.

Note:

The name of this section (now chapter) has been changed from previous versions of this book to more clearly reflect its contents. The commands and information remain the same.

Policy and Credential Commands

Use the WLST commands listed in Table 3-1 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.

Table 3-1 WLST Security Commands

Use this command...            | To...                                                                                  | Use with WLST...
listAppStripes                 | List application stripes in policy store.                                              | Online
createAppRole                  | Create a new application role.                                                         | Online
deleteAppRole                  | Remove an application role.                                                            | Online
grantAppRole                   | Add a principal to a role.                                                             | Online
revokeAppRole                  | Remove a principal from a role.                                                        | Online
listAppRoles                   | List all roles in an application.                                                      | Online
listAppRoleMembers             | List all members in an application role.                                               | Online
grantPermission                | Create a new permission.                                                               | Online
revokePermission               | Remove a permission.                                                                   | Online
listPermissions                | List all permissions granted to a principal.                                           | Online
deleteAppPolicies              | Remove all policies in an application.                                                 | Online
migrateSecurityStore           | Migrate policies or credentials from a source repository to a target repository.      | Offline
listCred (Deprecated)          | Obtain the list of attribute values of a credential.                                   | Online
updateCred                     | Modify the attribute values of a credential.                                           | Online
createCred                     | Create a new credential.                                                               | Online
deleteCred                     | Remove a credential.                                                                   | Online
modifyBootStrapCredential      | Update bootstrap credential store.                                                     | Offline
addBootStrapCredential         | Add a credential to the bootstrap credential store.                                    | Offline
exportEncryptionKey            | Export the domain encryption key to the file ewallet.p12.                              | Offline
importEncryptionKey            | Import the encryption key in file ewallet.p12 to the domain.                           | Offline
restoreEncryptionKey           | Restore the domain encryption key as it was before the last import.                    | Offline
reassociateSecurityStore       | Reassociate policies and credentials to an LDAP repository.                            | Online
upgradeSecurityStore           | Upgrade security data from data used with release 10.1.x to data used with release 11. | Offline
createResourceType             | Create a new resource type.                                                            | Online
getResourceType                | Fetch an existing resource type.                                                       | Online
deleteResourceType             | Remove an existing resource type.                                                      | Online
createResource                 | Create a resource.                                                                     | Online
deleteResource                 | Remove a resource.                                                                     | Online
listResources                  | List resources in an application stripe.                                               | Online
listResourceActions            | List actions in a resource.                                                            | Online
createEntitlement              | Create an entitlement.                                                                 | Online
getEntitlement                 | List an entitlement.                                                                   | Online
deleteEntitlement              | Remove an entitlement.                                                                 | Online
addResourceToEntitlement       | Add a resource to an entitlement.                                                      | Online
revokeResourceFromEntitlement  | Remove a resource from an entitlement.                                                 | Online
listEntitlements               | List entitlements in an application stripe.                                            | Online
grantEntitlement               | Create an entitlement.                                                                 | Online
revokeEntitlement              | Remove an entitlement.                                                                 | Online
listEntitlement                | List an entitlement.                                                                   | Online
listResourceTypes              | List resource types in an application stripe.                                          | Online


createAppRole

Online command that creates a new application role.

Description

Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

Example

The following invocation creates a new application role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")

deleteAppRole

Online command that removes an application role.

Description

Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

deleteAppRole(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

Example

The following invocation removes the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> deleteAppRole(appStripe="myApp", appRoleName="myRole")

grantAppRole

Online command that adds a principal to a role.

Description

Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

grantAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.
principalClass 
Specifies the fully qualified name of a class.
principalName 
Specifies the principal name.

Example

The following invocation adds a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp",
appRoleName="myRole", principalClass="com.example.xyzPrincipal",
principalName="myPrincipal")

revokeAppRole

Online command that removes a principal from a role.

Description

Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.
principalClass 
Specifies the fully qualified name of a class.
principalName 
Specifies the principal name.

Example

The following invocation removes a principal from the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp",
appRoleName="myRole", principalClass="com.example.xyzPrincipal",
principalName="myPrincipal")

listAppRoles

Online command that lists all roles in an application.

Description

Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoles(appStripe)
Argument Definition
appStripe 
Specifies an application stripe.

Example

The following invocation returns all roles with application stripe myApp:

wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")

listAppRoleMembers

Online command that lists all members in a role.

Description

Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoleMembers(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

Example

The following invocation returns all members in the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")

grantPermission

Online command that creates a new permission.

Description

Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
codeBaseURL 
Specifies the URL of the code granted the permission.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.
permClass 
Specifies the fully qualified name of the permission class.
permTarget 
Specifies, when available, the name of the permission target. Some permissions may not include this attribute.
permActions 
Specifies a comma-delimited list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

Examples

The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> grantPermission(appStripe="myApp",
principalClass="my.custom.Principal", principalName="manager",
permClass="java.security.AllPermission")

The following invocation creates a new system permission with the specified data:

wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager",
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext",
permActions="read,write")

revokePermission

Online command that removes a permission.

Description

Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
codeBaseURL 
Specifies the URL of the code granted the permission.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.
permClass 
Specifies the fully qualified name of the permission class.
permTarget 
Specifies, when available, the name of the permission target. Some permissions may not include this attribute.
permActions 
Specifies a comma-delimited list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

Examples

The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> revokePermission(appStripe="myApp",  
principalClass="my.custom.Principal", principalName="manager", 
permClass="java.security.AllPermission")

The following invocation removes the system permission with the specified data:

wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager",  
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permActions="read,write")

listPermissions

Online command that lists all permissions granted to a given principal.

Description

Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

listPermissions([appStripe,] principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.

Examples

The following invocation lists all permissions granted to a principal by the policies of application myApp:

wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager")

The following invocation lists all permissions granted to a principal by system policies:

wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")

deleteAppPolicies

Online command that removes all policies with a given application stripe.

Description

Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

deleteAppPolicies(appStripe)
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.

Example

The following invocation removes all policies of application myApp:

wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")

migrateSecurityStore

Offline command that migrates identities, application-specific or system policies, a specific credential folder, or all credentials.

Description

Migrates identities, application-specific, or system policies from a source repository to a target repository. Migrates a specific credential folder or all credentials.

The kinds of repositories in which the source and target data are stored are transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP-based repositories must use an OVD or an OID LDAP server only). In the event of an error, the command returns a WLSTException.

Syntax

The command syntax varies depending on the scope (system or application-specific or both) of the policies being migrated.

Optional arguments are enclosed in square brackets.

To migrate identities, use the following syntax:

migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])

To migrate all policies (system and application-specific, for all applications), use the following syntax:

migrateSecurityStore(type="policyStore", configFile, src, dst, [overWrite,] [preserveAppRoleGuid])

To migrate just system policies, use the following syntax:

migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])

To migrate just application-specific policies, for one application, use the following syntax:

migrateSecurityStore(type="appPolicies", configFile, src, dst, srcApp
[,dstApp] [,overWrite] [,migrateIdStoreMapping] [,preserveAppRoleGuid] [,mode])

To migrate all credentials, use the following syntax:

migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])

To migrate just one credential folder, use the following syntax:

migrateSecurityStore(type="folderCred", configFile, src, dst, [srcFolder,]
[dstFolder,] [srcConfigFile,] [overWrite])
Argument Definition
type 
Specifies the type of data migrated.

To migrate identities, set it to idStore.

To migrate all policies (system and application-specific, for all applications), set to policyStore.

To migrate just system policies, set to globalPolicies.

To migrate just application-specific policies, set to appPolicies.

To migrate all credentials, set to credStore.

To migrate just one credential folder, set to folderCred.

configFile  
Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The configuration file passed need not be an actual domain configuration file, but it can be assembled just to specify the source and destination repositories of the migration.
src 
Specifies the name of a jps-context in the configuration file passed to the argument configFile, where the source store is specified.
dst 
Specifies the name of another jps-context in the configuration file passed to the argument configFile, where the destination store is specified.
srcApp 
Specifies the name of the source application, that is, the application whose policies are being migrated.
dstApp 
Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application.
srcFolder 
Specifies the name of the folder from where credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder.
dstFolder 
Specifies the folder to where the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder.
srcConfigFile 
Specifies the location of an alternate configuration file, and it is used in the special case in which credentials are not configured in the file passed to configFile. This argument is optional. If unspecified, it defaults to the value passed to configFile; if specified, the value passed to configFile is ignored.
overWrite 
Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data.
migrateIdStoreMapping 
Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to false to exclude enterprise policies from the migration of application policies.
dstLdifFile
Specifies the location where the LDIF file will be created. Required only if the destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the LDIF file must be imported manually, after it has been edited to account for the attributes required by your LDAP server.
preserveAppRoleGuid
Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false by default. Set to true to preserve GUIDs; set to false to recreate GUIDs.
mode
Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, to migrate just one of the duplicated items, and to log a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict.

Note the following requirements about the passed arguments:

  • The file jps-config.xml is found in the passed location.

  • The file jps-config.xml includes the passed jps-contexts.

  • The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.

Example

The following invocation illustrates the migration of the file-based policies of application PolicyServlet1 to the file-based policies of application PolicyServlet2. The migration does not stop on encountering duplicate principals or permissions; it migrates just one of each set of duplicate items and logs a warning when duplicates are found:

wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies",
configFile="jps-config.xml", src="default1", dst="context2",
srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="policystore1.xml" provider="some.provider">
  <property name="location" value="jazn-data1.xml"/>
</serviceInstance>
<serviceInstance name="policystore2.xml" provider="some.provider">
  <property name="location" value="jazn-data2.xml"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="policystore1.xml"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="policystore2.xml"/>
  ...
</jpsContext>

The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but assumed located in the current directory.
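The invocation above relies on mode="lax" to get past duplicate principals or permissions in the source file. As an added example that is not part of Oracle's documentation or product code, the following stand-alone Python script (run outside WLST, with the standard library only) screens a source jazn-data file for exactly those duplicates and reproduces the documented strict/lax behaviour: strict stops at the first duplicate, lax keeps one copy and records a warning. The XML layout is a simplified, constructed jazn-data fragment, and the application name PolicyServlet1 is taken from the example.

```python
"""Pre-flight duplicate check for migrateSecurityStore(type="appPolicies", mode=...).

Added example, not Oracle's code. Assumption: application grants are laid out
as <application><name/><jazn-policy><grant><grantee><principals><principal/>
and <permissions><permission/>; this is a simplified, constructed fragment.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one application whose single grant repeats a principal
# and a permission, which is what the mode argument governs.
SAMPLE_JAZN_DATA = """<jazn-data>
  <policy-store>
    <applications>
      <application>
        <name>PolicyServlet1</name>
        <jazn-policy>
          <grant>
            <grantee>
              <principals>
                <principal><class>my.custom.Principal</class><name>manager</name></principal>
                <principal><class>my.custom.Principal</class><name>manager</name></principal>
                <principal><class>my.custom.Principal</class><name>auditor</name></principal>
              </principals>
            </grantee>
            <permissions>
              <permission><class>java.io.FilePermission</class><name>/tmp/fileName.ext</name><actions>read,write</actions></permission>
              <permission><class>java.io.FilePermission</class><name>/tmp/fileName.ext</name><actions>read,write</actions></permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>"""


class DuplicatePolicyItem(Exception):
    """Raised in strict mode when a grant repeats a principal or permission."""


def _text(node, tag):
    """Stripped text of a direct child element, or '' when absent."""
    child = node.find(tag)
    return child.text.strip() if child is not None and child.text else ""


def _dedupe(items, mode, kind, warnings):
    """Keep the first copy of each item; raise (strict) or warn (lax) on repeats."""
    seen, kept = set(), []
    for item in items:
        if item in seen:
            msg = "duplicate %s %r in application policy" % (kind, item)
            if mode == "strict":
                raise DuplicatePolicyItem(msg)
            warnings.append(msg)   # lax: migrate one copy, log a warning
            continue
        seen.add(item)
        kept.append(item)
    return kept


def check_app_policies(jazn_xml, src_app, mode="strict"):
    """Return ({grant_index: (principals, permissions)}, warnings) for src_app.

    mode="strict" (the documented default) stops at the first duplicate;
    mode="lax" keeps one copy of each duplicated item and records a warning.
    """
    if mode not in ("strict", "lax"):
        raise ValueError("mode must be 'strict' or 'lax'")
    root = ET.fromstring(jazn_xml)
    warnings, grants = [], {}
    for app in root.iter("application"):
        if _text(app, "name") != src_app:
            continue
        for i, grant in enumerate(app.iter("grant")):
            principals = [(_text(p, "class"), _text(p, "name"))
                          for p in grant.iter("principal")]
            permissions = [(_text(p, "class"), _text(p, "name"), _text(p, "actions"))
                           for p in grant.iter("permission")]
            grants[i] = (_dedupe(principals, mode, "principal", warnings),
                         _dedupe(permissions, mode, "permission", warnings))
    if not grants:
        raise ValueError("application %r has no grants in the source file" % src_app)
    return grants, warnings


if __name__ == "__main__":
    grants, warns = check_app_policies(SAMPLE_JAZN_DATA, "PolicyServlet1", mode="lax")
    for w in warns:
        print("WARNING:", w)
    print(grants)
```

Running the check in strict mode against the sample raises DuplicatePolicyItem on the repeated manager principal, which is the condition that would abort the real migration; in lax mode it returns the deduplicated grant and two warnings, so the duplicates can be cleaned up in the source file rather than silently collapsed during migration.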

The following invocation illustrates the migration of file-based credentials from one location to another:

wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-config.xml", src="default1", dst="context2")

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="credstore1" provider="some.provider">
  <property name="location" value="./credstore1/cwallet.sso"/>
</serviceInstance>
<serviceInstance name="credstore2" provider="some.provider">
  <property name="location" value="./credstore2/cwallet.sso"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="credstore1"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="credstore2"/>
  ...
</jpsContext>

For detailed configuration examples to use with this command, see Oracle Fusion Middleware Security Guide.
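Both examples depend on the requirements listed under Syntax: the configuration file must exist at the passed location, it must contain both jps-contexts, and the two context names must be distinct. As an added example that is not Oracle's code, the following stand-alone Python script (standard library only, run outside WLST) checks those requirements and resolves each context's serviceInstanceRef entries to their declared serviceInstance and, where present, its location property, before the offline migration is run. The sample configuration is constructed from the elements shown in the two examples above; the provider names are placeholders, and namespace prefixes are stripped so a real jps-config.xml with its default namespace is handled the same way.

```python
"""Pre-flight validation of the jps-config.xml passed to migrateSecurityStore.

Added example, not part of Oracle's documentation or product code. The sample
config below is constructed from the elements shown in the migration examples;
"some.provider" is a placeholder, not a real provider name.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="policystore1.xml" provider="some.provider">
      <property name="location" value="jazn-data1.xml"/>
    </serviceInstance>
    <serviceInstance name="policystore2.xml" provider="some.provider">
      <property name="location" value="jazn-data2.xml"/>
    </serviceInstance>
    <serviceInstance name="credstore1" provider="some.provider">
      <property name="location" value="./credstore1/cwallet.sso"/>
    </serviceInstance>
    <serviceInstance name="credstore2" provider="some.provider">
      <property name="location" value="./credstore2/cwallet.sso"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="default1">
    <jpsContext name="default1">
      <serviceInstanceRef ref="policystore1.xml"/>
      <serviceInstanceRef ref="credstore1"/>
    </jpsContext>
    <jpsContext name="context2">
      <serviceInstanceRef ref="policystore2.xml"/>
      <serviceInstanceRef ref="credstore2"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>"""


def _local(tag):
    """Element name without any XML namespace prefix ('{ns}jpsContext' -> 'jpsContext')."""
    return tag.rsplit("}", 1)[-1]


def write_sample_config():
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(prefix="jps-config-", suffix=".xml")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_JPS_CONFIG)
    return path


def validate_migration_config(config_path, src, dst):
    """Check the documented argument requirements and resolve both contexts.

    Returns {"src": [(instance_name, location_or_None), ...], "dst": [...]}
    or raises ValueError describing the first requirement that is not met.
    """
    if not os.path.isfile(config_path):
        raise ValueError("configuration file not found: %s" % config_path)
    if src == dst:
        raise ValueError("src and dst must name distinct jps-contexts")
    root = ET.parse(config_path).getroot()

    # Declared service instances, with their location property when one exists
    # (file-based stores have one; LDAP-based stores are configured differently).
    instances = {}
    for el in root.iter():
        if _local(el.tag) == "serviceInstance":
            location = None
            for prop in el:
                if _local(prop.tag) == "property" and prop.get("name") == "location":
                    location = prop.get("value")
            instances[el.get("name")] = location

    # Context name -> list of referenced instance names.
    contexts = {}
    for el in root.iter():
        if _local(el.tag) == "jpsContext":
            contexts[el.get("name")] = [r.get("ref") for r in el
                                        if _local(r.tag) == "serviceInstanceRef"]

    resolved = {}
    for label, ctx in (("src", src), ("dst", dst)):
        if ctx not in contexts:
            raise ValueError("jps-context %r not found in %s" % (ctx, config_path))
        refs = []
        for ref in contexts[ctx]:
            if ref not in instances:
                raise ValueError("context %r references undeclared serviceInstance %r" % (ctx, ref))
            refs.append((ref, instances[ref]))
        if not refs:
            raise ValueError("jps-context %r references no service instances" % ctx)
        resolved[label] = refs
    return resolved


if __name__ == "__main__":
    path = write_sample_config()
    print(validate_migration_config(path, "default1", "context2"))
    os.remove(path)
```

The returned mapping shows which store each context actually resolves to, which is the check worth making before a migration that can overwrite the target (overWrite="true"): a typo in src or dst otherwise surfaces only as a WLSTException, or worse, as data written to the wrong store.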

listCred (Deprecated)

The listCred command has been deprecated. This functionality should be done using the Oracle Enterprise Manager Console. See the Oracle Enterprise Manager documentation for details. An example of how to retrieve the OAM Keystore and alias can be found in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

updateCred

Online command that modifies the type, user name, and password of a credential.

Description

Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

Optional arguments are enclosed in square brackets.

updateCred(map, key, user, password, [desc])
Argument Definition
map 
Specifies a map name (folder).
key 
Specifies a key name.
user 
Specifies the credential user name.
password 
Specifies the credential password.
desc 
Specifies a string describing the credential.

Example

The following invocation updates a password credential with the specified data:

wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", 
password="myPassw", desc="updated passw cred to connect to app xyz")

createCred

Online command that creates a new credential in the domain credential store.

Description

Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

Optional arguments are enclosed in square brackets.

createCred(map, key, user, password, [desc])
Argument Definition
map  
Specifies a map name (folder).
key 
Specifies a key name.
user 
Specifies the credential user name.
password 
Specifies the credential password.
desc 
Specifies a string describing the credential.

Example

The following invocation creates a new password credential with the specified data:

wls:/mydomain/serverConfig> createCred(map="myMap", key="myKey", user="myUsr",
password="myPassw", desc="updated usr name and passw to connect to app xyz")

deleteCred

Online command that removes a credential in the domain credential store.

Description

Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.

Syntax

deleteCred(map,key)
Argument Definition
map  
Specifies a map name (folder).
key 
Specifies a key name.

Example

The following invocation removes the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> deleteCred(map="myMap", key="myKey")

modifyBootStrapCredential

Offline command that updates a bootstrap credential store.

Description

Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.

Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.

Syntax

modifyBootStrapCredential(jpsConfigFile, username, password)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
username
Specifies the distinguished name of the user in the LDAP store.
password
Specifies the password of the user.

Example

Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:

wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')

Any output regarding the audit service can be disregarded.

addBootStrapCredential

Offline command that adds a credential to the bootstrap credential store.

Description

Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.

Syntax

addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
map 
Specifies the map of the credential to add.
key 
Specifies the key of the credential to add.
username 
Specifies the name of the user in the credential to add.
password
Specifies the password of the user in the credential to add.

Example

The following invocation adds a credential to the bootstrap credential store:

wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='myPassword')

exportEncryptionKey

Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.

Description

Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.

Syntax

exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
keyFilePath 
Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword.
keyFilePassword 
Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file.

Example

The following invocation writes the file ewallet.p12 in the directory myDir:

exportEncryptionKey(jpsConfigFile="pathName", keyFilePath="myDir", keyFilePassword="password")

importEncryptionKey

Offline command that imports keys from the specified ewallet.p12 file into the domain.

Description

Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.

Syntax

importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
keyFilePath 
Specifies the directory where the ewallet.p12 is located.
keyFilePassword 
Specifies the password used when the file ewallet.p12 was generated.

Example

importEncryptionKey(jpsConfigFile="pathName", keyFilePath="dirloc", keyFilePassword="password")

restoreEncryptionKey

Offline command to restore the domain credential encryption key.

Description

Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.

Syntax

restoreEncryptionKey(jpsConfigFile)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.

Example

restoreEncryptionKey(jpsConfigFile="pathName")

reassociateSecurityStore

Online command that migrates the policy and credential stores to an LDAP repository.

Description

Migrates, within a given domain, both the policy store and the credential store to a target LDAP server repository. The only kinds of LDAP servers allowed are OID or OVD. This command also allows setting up a policy store shared by different domains (see the optional argument join below). In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

reassociateSecurityStore(domain, admin, password, ldapurl, servertype, jpsroot [, join] [,keyFilePath, keyFilePassword])
Argument Definition
domain  
Specifies the domain name where the reassociating takes place.
admin 
Specifies the administrator's user name on the LDAP server. The format is cn=usrName.
password 
Specifies the password associated with the user specified for the argument admin.
ldapurl 
Specifies the URI of the LDAP server. The format is ldap://host:port, if you are using a default port, or ldaps://host:port, if you are using a secure LDAP port. The secure port must be configured specially for this function and it is distinct from the default (non-secure) port.
servertype 
Specifies the kind of the target LDAP server. The only valid types are OID or OVD.
jpsroot 
Specifies the root node in the target LDAP repository under which all data is migrated. The format is cn=nodeName.
join
Specifies whether the domain is to share a policy store specified in some other domain. Optional. Set to true to share an existing policy store in another domain; set to false otherwise. If unspecified, it defaults to false. The use of this argument allows multiple WebLogic domains to point to the same logical policy store.
keyFilePath
Specifies the directory where the ewallet.p12 is located.
keyFilePassword
Specifies the password used when the file ewallet.p12 was generated.

Examples

The following invocation reassociates the domain policies and credentials to an LDAP Oracle Internet Directory server:

wls:/mydomain/serverConfig> reassociateSecurityStore(domain="myDomain", 
admin="cn=adminName", password="myPass",ldapurl="ldap://myhost.example.com:3060", 
servertype="OID", jpsroot="cn=testNode")

Suppose that you want some other domain (distinct from myDomain, say otherDomain) to share the policy store in myDomain. Then you would invoke the command as follows:

wls:/mydomain/serverConfig> reassociateSecurityStore(domain="otherDomain", 
admin="cn=adminName", password="myPass", ldapurl="ldap://myhost.example.com:3060", 
servertype="OID", jpsroot="cn=testNode", join="true")
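Because reassociateSecurityStore is interactive and moves the whole policy and credential store, it is worth checking the argument formats given in the table before starting it. The following stand-alone Python check is an added example, not Oracle's code and not a WLST command: it enforces only what the table states (admin and jpsroot as cn=..., ldapurl as ldap://host:port or ldaps://host:port, servertype OID or OVD, join "true" or "false") and assumes no default port numbers. The values in the usage call are the ones from the examples above.

```python
"""Argument checks for reassociateSecurityStore, run before the interactive command.

Added example, not Oracle's code. It applies the argument formats stated in
the command's argument table and nothing beyond them.
"""
import re

# Formats taken from the argument table: admin is cn=usrName, jpsroot is cn=nodeName.
_CN_RE = re.compile(r"^cn=[^=,]+$")
# ldap://host:port or ldaps://host:port; the port number itself is not assumed.
_LDAP_URL_RE = re.compile(r"^(ldap|ldaps)://([A-Za-z0-9.-]+):(\d{1,5})$")


def check_reassociate_args(domain, admin, password, ldapurl, servertype,
                           jpsroot, join=None):
    """Return (errors, warnings); an empty errors list means the call can proceed."""
    errors, warnings = [], []
    if not domain:
        errors.append("domain must not be empty")
    if not _CN_RE.match(admin):
        errors.append("admin must have the form cn=usrName")
    if not password:
        errors.append("password must not be empty")
    m = _LDAP_URL_RE.match(ldapurl)
    if m is None:
        errors.append("ldapurl must be ldap://host:port or ldaps://host:port")
    else:
        scheme, port = m.group(1), int(m.group(3))
        if not 1 <= port <= 65535:
            errors.append("ldapurl port %d is out of range" % port)
        if scheme == "ldap":
            # Plain LDAP carries the administrator bind password without TLS;
            # the table notes that a separately configured secure port exists.
            warnings.append("ldapurl uses ldap:// (no TLS); prefer ldaps://host:securePort")
    if servertype not in ("OID", "OVD"):
        errors.append("servertype must be OID or OVD")
    if not _CN_RE.match(jpsroot):
        errors.append("jpsroot must have the form cn=nodeName")
    if join is not None and join not in ("true", "false"):
        errors.append('join must be "true" or "false" when given')
    return errors, warnings


if __name__ == "__main__":
    # Values from the first example above; myPass is the example's placeholder password.
    errs, warns = check_reassociate_args("myDomain", "cn=adminName", "myPass",
                                         "ldap://myhost.example.com:3060",
                                         "OID", "cn=testNode")
    for w in warns:
        print("WARNING:", w)
    print("OK" if not errs else "\n".join(errs))
```

The first example's arguments pass with a single warning about the non-TLS ldap:// URL; the second example adds join="true", which the check accepts. A malformed URL such as the one-character transposition ldap//:host:port is reported as an error rather than being discovered partway through the reassociation.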

upgradeSecurityStore

Offline command that migrates release 10.1.x security data to release 11 security data.

Description

Migrates identity, policy, and credential data used in release 10.1.x to security data that can be used with release 11. The migration of each kind of data is performed with separate invocations of this command. In the event of an error, the command returns a WLSTException.

Syntax

The syntax varies according to the type of data being updated.

To upgrade 10.1.x XML identity data to release 11 XML identity data, use the following syntax:

upgradeSecurityStore(type="xmlIdStore", jpsConfigFile, srcJaznDataFile, srcRealm, dst)

To upgrade 10.1.x XML policy data to release 11 XML policy data, use the following syntax:

upgradeSecurityStore(type="xmlPolicyStore", jpsConfigFile, srcJaznDataFile, dst)

To upgrade 10.1.x OID LDAP-based policy data to release 11 XML policy data, use the following syntax:

upgradeSecurityStore(type="oidPolicyStore", jpsConfigFile, srcJaznDataFile, dst)

To upgrade 10.1.x XML credential data to release 11 XML credential data, use the following syntax:

upgradeSecurityStore(type="xmlCredStore", jpsConfigFile, srcJaznDataFile, users, dst)
Argument Definition
type  
Specifies the kind of security data being upgraded. The only valid values are xmlIdStore, xmlPolicyStore, oidPolicyStore, and xmlCredStore.
jpsConfigFile 
Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The target store of the upgrading is read from the context specified with the argument dst.
srcJaznDataFile 
Specifies the location of a 10.1.x jazn data file relative to the directory where the command is run. This argument is required if the specified type is xmlIdStore, xmlPolicyStore, or xmlCredStore.
srcJaznConfigFile 
Specifies the location of a 10.1.x jazn configuration file relative to the directory where the command is run. This argument is required if the specified type is oidPolicyStore.
srcRealm 
Specifies the name of the realm from which identities need be migrated. This argument is required if the specified type is xmlIdStore.
users 
Specifies a comma-delimited list of users each formatted as realmName/userName. This argument is required if the specified type is xmlCredStore.
dst 
Specifies the name of the jpsContext in the file passed to the argument jpsConfigFile where the destination store is configured. Optional. If unspecified, it defaults to the default context in the file passed in the argument jpsConfigFile.

Examples

The following invocation migrates 10.1.3 file-based identities to an 11 file-based identity store:

wls:/mydomain/serverConfig> upgradeSecurityStore(type="xmlIdStore",  
jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml",
srcRealm="jazn.com")

The following invocation migrates a 10.1.3 OID-based policy store to an 11 file-based policy store:

wls:/mydomain/serverConfig> upgradeSecurityStore(type="oidPolicyStore", 
jpsConfigFile="jps-config.xml", srcJaznDataFile="jazn-data.xml",
dst="destinationContext")

createResourceType

Online command that creates a new resource type in the domain policy store within a given application stripe.

Description

Creates a new resource type element in the domain policy store within a given application stripe and with the specified name, display name, description, and actions. Optional arguments are enclosed in square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.

Syntax

Optional arguments are enclosed in square brackets.

createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument Definition
appStripe  
Specifies the application stripe where to insert the resource type.
resourceTypeName 
Specifies the name of the resource type to insert.
displayName 
Specifies the name for the resource type used in UI gadgets.
description 
Specifies a brief description of the resource type.
provider 
Specifies the provider for the resource type.
matcher 
Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission.
actions 
Specifies the actions allowed on instances of the resource type.
delimeter 
Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','.

Example

The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:

wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", 
resourceTypeName="resTypeName", displayName="displName", description="A resource
type", provider="Printer", matcher="com.printer.Printer",
actions="BWPrint;ColorPrint", delimeter=";")

getResourceType

Online command that fetches a resource type from the domain policy store within a given application stripe.

Description

Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

getResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  
Specifies the application stripe from where to fetch the resource type.
resourceTypeName 
Specifies the name of the resource type to fetch.

Example

The following invocation fetches the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")

deleteResourceType

Online command that removes a resource type from the domain policy store within a given application stripe.

Description

Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

deleteResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  
Specifies the application stripe from where to remove the resource type.
resourceTypeName 
Specifies the name of the resource type to remove.

Example

The following invocation removes the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")

listAppStripes

Online or offline command that lists the application stripes in the policy store.

Description

This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.

If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited as described in "Running listAppStripes after Reassociating to a DB-Based Store" in Oracle Fusion Middleware Security Guide.

Syntax

listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument Definition
configFile  
Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store.
regularExpression 
Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *.

Examples

The following (online) invocation returns the list of application stripes in the policy store:

wls:/mydomain/serverConfig> listAppStripes()

The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:

wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")

The following (online) invocation returns the list of application stripes that contain the prefix App:

wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")

createResource

Online command that creates a new resource.

Description

Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
Argument Definition
appStripe  
Specifies the application stripe where the resource is created.
name  
Specifies the name of the resource created.
type  
Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked.
displayName  
Specifies the display name of the resource created. Optional.
description  
Specifies the description of the resource created. Optional.

Example

The following invocation creates the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")

deleteResource

Online command that deletes a resource.

Description

Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.

Syntax

deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument Definition
appStripe  
Specifies the application stripe where the resource is deleted.
name  
Specifies the name of the resource deleted.
type  
Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked.

Example

The following invocation deletes the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")

listResources

Online command that lists resources in a specified application stripe.

Description

If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.

Syntax

listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument Definition
appStripe  
Specifies the application stripe where the resources are listed.
type  
Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked.

Example

The following invocation lists all resources of type myResType in the stripe myApplication:

wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")

listResourceActions

Online command that lists the resources and actions in an entitlement.

Description

Lists the resources and actions in an entitlement within an application stripe.

Syntax

listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement resides.
permSetName  
Specifies the name of the entitlement whose resources and actions to list.

Example

The following invocation lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")

createEntitlement

Online command that creates a new entitlement.

Description

Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.

Syntax

createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is created.
name  
Specifies the name of the entitlement created.
resourceName  
Specifies the name of the one resource member of the entitlement created.
actions  
Specifies the comma-delimited list of actions for the resource resourceName.
displayName  
Specifies the display name of the entitlement created. Optional.
description  
Specifies the description of the entitlement created. Optional.

Example

The following invocation creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")

getEntitlement

Online command that gets an entitlement.

Description

Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.

Syntax

getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to access.

Example

The following invocation returns the information of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")

deleteEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.

Syntax

deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is deleted.
name  
Specifies the name of the entitlement to delete.

Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")

addResourceToEntitlement

Online command that adds a resource with specified actions to an entitlement.

Description

Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to modify.
resourceName  
Specifies the name of the resource to add.
resourceType  
Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked.
actions  
Specifies the comma-delimited list of actions for the added resource.

Example

The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:

wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", 
name="myEntitlement", resourceName="myResource", resourceType="myResType", 
actions="view,edit")

revokeResourceFromEntitlement

Online command that removes a resource from an entitlement.

Description

Removes a resource from an entitlement in a specified application stripe.

Syntax

revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to modify.
resourceName  
Specifies the name of the resource to remove.
resourceType  
Specifies the type of the resource to remove.
actions  
Specifies the comma-delimited list of actions to remove.

Example

The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", 
resourceName="myResource", resourceType="myResType", actions="view,edit")

listEntitlements

Online command that lists the entitlements in an application stripe.

Description

Lists entitlements in an application stripe. If a resource name and a resource type are specified, it lists only the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.

Syntax

listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument Definition
appStripe  
Specifies the application stripe from where to list entitlements.
resourceTypeName  
Specifies the name of the type of the resources to list. Optional.
resourceName  
Specifies the name of resource to match. Optional.

Examples

The following invocation lists all the entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")

The following invocation lists all the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches the resource name myResName:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName") 

grantEntitlement

Online command that creates a new entitlement.

Description

Creates a new entitlement with a specified principal in a specified application stripe.

Syntax

grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is created.
principalClass  
Specifies the class associated with the principal.
principalName  
Specifies the name of the principal to which the entitlement is granted.
permSetName  
Specifies the name of the entitlement created.

Example

The following invocation creates the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")
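Taken together, the createResourceType, createResource, createEntitlement, addResourceToEntitlement and grantEntitlement commands above form one provisioning procedure, with revokeEntitlement, deleteResource and deleteResourceType as its teardown. The script below is an added example, not Oracle's code: it assembles those calls in dependency order, rejects any action a resource type never declared, and derives the teardown order; the stripe, type, resource and principal names are constructed, and running it inside WLST assumes the commands are reachable through globals().

```python
# Added example, not Oracle's own code: builds an ordered list of WLST calls that
# provisions a resource type, its resources, one entitlement and one grant in a
# single application stripe, checks the plan against the declared actions, and
# runs it against whatever namespace holds the WLST commands. Plain Python 2/3
# syntax so it can be loaded into WLST with execfile() or dry-run under CPython.
# All stripe, type, resource and principal names used with it are constructed.

# Argument names accepted by each teardown command, as documented above.
TEARDOWN_ARGS = {
    "revokeEntitlement": ("appStripe", "principalClass", "principalName", "permSetName"),
    "deleteResource": ("appStripe", "name", "type"),
    "deleteResourceType": ("appStripe", "resourceTypeName"),
}
# revokeEntitlement, as described above, also deletes the entitlement, so
# createEntitlement and addResourceToEntitlement need no separate inverse.
INVERSE = {"grantEntitlement": "revokeEntitlement",
           "createResource": "deleteResource",
           "createResourceType": "deleteResourceType"}


def build_plan(stripe, res_type, type_actions, resources, entitlement, principal):
    """Return (command, kwargs) pairs in dependency order: the resource type,
    then each resource, then the entitlement holding the first resource, then
    the remaining resources added to it, then the grant. `resources` is a list
    of (resourceName, [actions]); `principal` is (principalClass, principalName).
    Raises ValueError when a resource asks for an action the type does not
    declare, so a typo in an action list never reaches the policy store."""
    for name, actions in resources:
        for action in actions:
            if action not in type_actions:
                raise ValueError("resource %s: action %r not declared on type %s"
                                 % (name, action, res_type))
    # Type actions are joined with ';' and passed with delimeter=";"; entitlement
    # action lists are comma-delimited, as the command reference specifies.
    plan = [("createResourceType", {"appStripe": stripe, "resourceTypeName": res_type,
             "displayName": res_type, "description": "constructed sample type",
             "actions": ";".join(type_actions), "delimeter": ";"})]
    for name, actions in resources:
        plan.append(("createResource", {"appStripe": stripe, "name": name, "type": res_type}))
    first_name, first_actions = resources[0]
    plan.append(("createEntitlement", {"appStripe": stripe, "name": entitlement,
                 "resourceName": first_name, "actions": ",".join(first_actions)}))
    for name, actions in resources[1:]:
        plan.append(("addResourceToEntitlement", {"appStripe": stripe, "name": entitlement,
                     "resourceName": name, "resourceType": res_type,
                     "actions": ",".join(actions)}))
    plan.append(("grantEntitlement", {"appStripe": stripe, "principalClass": principal[0],
                 "principalName": principal[1], "permSetName": entitlement}))
    return plan


def rollback_plan(plan):
    """Invert a provisioning plan into teardown calls in reverse dependency
    order, keeping only the arguments each teardown command accepts."""
    steps = []
    for cmd, kwargs in plan:
        if cmd in INVERSE:
            inv = INVERSE[cmd]
            args = {}
            for key in TEARDOWN_ARGS[inv]:
                args[key] = kwargs[key]
            steps.append((inv, args))
    steps.reverse()
    return steps


def run_plan(plan, namespace):
    """Execute each step by looking the command up in `namespace`. Inside WLST
    pass globals(), assumed to hold the policy commands. Returns the count run."""
    for cmd, kwargs in plan:
        namespace[cmd](**kwargs)
    return len(plan)
```

Under WLST, load the file with execfile() and call run_plan(build_plan(...), globals()); under CPython, pass a dictionary of recording stubs to rehearse the call sequence before touching a domain.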

revokeEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.

Syntax

revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is deleted.
principalClass  
Specifies the class associated with the principal.
principalName  
Specifies the name of the principal from which the entitlement is revoked.
permSetName  
Specifies the name of the entitlement deleted.

Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

listEntitlement

Online command that lists an entitlement in a specified application stripe.

Description

If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.

Syntax

listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument Definition
appStripe  
Specifies the application stripe from where to list entitlements.
principalName  
Specifies the name of the principal to match. Optional.
principalClass  
Specifies the class of the principal to match. Optional.

Example

The following invocation lists all entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlement(appStripe="myApplication")

listResourceTypes

Online command that lists resource types.

Description

Lists all the resource types in a specified application stripe.

Syntax

listResourceTypes(appStripe="appStripeName")
Argument Definition
appStripe  
Specifies the application stripe where the resource types are located.

Example

The following invocation lists all resource types in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")