8 Security Token Service WLST Commands

This chapter provides descriptions of custom WebLogic Scripting Tool (WLST) commands for Oracle Access Management Security Token Service, including command syntax, arguments and examples.

The following section lists the Security Token Service WLST commands and contains links to the command reference details.

Security Token Service Commands

The Oracle Access Management Security Token Service (Security Token Service) WLST commands are divided into the following categories.

  • Partner Commands are related to tasks involving partners.

  • WS-Prefix to Relying Party Partner Mapping Commands are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart...

  • Partner Profiles Commands are related to tasks involving partner profiles.

  • Issuance Templates Commands are related to tasks involving issuance templates.

  • Validation Templates Commands are related to tasks involving validation templates.

Table 8-1 is divided into five sections and describes the various WLST commands in each of these categories. Use the WLST commands listed to manage the Security Token Service.

Table 8-1 WLST Commands for Security Token Service

Use this command... To... Use with WLST...

Partner Commands


getPartner

Retrieve a partner and print result.

Online

getAllRequesterPartners

Retrieve the names of Requester partners.

Online

getAllRelyingPartyPartners

Retrieve the names of all Relying Party partners.

Online

getAllIssuingAuthorityPartners

Retrieve the names of all Issuing Authority partners.

Online

isPartnerPresent

Query Security Token Service to determine whether or not the partner exists in the Partner store.

Online

createPartner

Create a new Partner entry.

Online

updatePartner

Update an existing Partner entry based on the provided information.

Online

deletePartner

Delete a partner entry.

Online

getPartnerUsernameTokenUsername

Retrieve the partner's username value.

Online

getPartnerUsernameTokenPassword

Retrieve the partner's password value.

Online

setPartnerUsernameTokenCredential

Set the username and password values of a partner entry.

Online

deletePartnerUsernameTokenCredential

Remove the username and password values from a partner entry.

Online

getPartnerSigningCert

Retrieve the Base64 encoded signing certificate for the partner.

Online

getPartnerEncryptionCert

Retrieve the Base64 encoded encryption certificate for the partner.

Online

setPartnerSigningCert

Upload the signing certificate to the partner entry.

Online

setPartnerEncryptionCert

Upload the encryption certificate to the partner entry.

Online

deletePartnerSigningCert

Remove the signing certificate from the partner entry.

Online

Offline

deletePartnerEncryptionCert

Remove the encryption certificate from the partner entry.

Online

Offline

getPartnerAllIdentityAttributes

Retrieve and display all Identity mapping attributes used to map a token to a requester partner.

Online

Offline

getPartnerIdentityAttribute

Retrieve and display the identity mapping attribute.

Online

Offline

setPartnerIdentityAttribute

Set the identity mapping attribute for a requester partner.

Online

Offline

deletePartnerIdentityAttribute

Delete the identity mapping attribute for a requester partner.

Online

Offline

Relying Party Partner Mapping Commands


getAllWSPrefixAndPartnerMappings

Retrieve and display all WS Prefixes.

Online

Offline

getWSPrefixAndPartnerMapping

Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter.

Online

Offline

createWSPrefixAndPartnerMapping

Create a new WS Prefix mapping to a Relying Partner.

Online

Offline

deleteWSPrefixAndPartnerMapping

Delete an existing WS Prefix mapping to a Relying Partner.

Online

Offline

Partner Profiles Commands


getAllPartnerProfiles

Retrieve the names of all the existing partner profiles.

Online

getPartnerProfile

Retrieve partner profile configuration data.

Online

createRequesterPartnerProfile

Create a new Requester Partner profile with default configuration data.

Online

createRelyingPartyPartnerProfile

Create a new Relying Party Partner profile with default configuration data.

Online

createIssuingAuthorityPartnerProfile

Create a new Issuing Authority Partner profile with default configuration data.

Online

deletePartnerProfile

Delete an existing partner profile.

Online

Issuance Template Commands


getAllIssuanceTemplates

Retrieve the names of all the existing Issuance Templates.

Online

Offline

getIssuanceTemplate

Retrieve configuration data of a specific Issuance Template.

Online

createIssuanceTemplate

Create a new Issuance Template with default configuration data.

Online

deleteIssuanceTemplate

Delete an existing Issuance Template.

Online

Offline

Validation Template Commands


getAllValidationTemplates

Retrieve the names of all the existing Validation Templates.

Online

Offline

getValidationTemplate

Retrieve configuration data of a specific Validation Template.

Online

Offline

createWSSValidationTemplate

Create a new WS Security Validation Template with default configuration data.

Online

Offline

createWSTrustValidationTemplate

Create a new WS Trust Validation Template with default configuration data.

Online

Offline

deleteValidationTemplate

Delete an existing Validation Template.

Online

Offline

configureOWSMAgentSTS

Modify the configuration to allow MSAS/OWSM policies to work.

Online


getPartner

Online command that retrieves the Partner entry and prints out the configuration for this partner.

Description

Retrieves the Partner entry and prints out the configuration for this partner.

Syntax

getPartner(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves the Partner entry and prints out the configuration for customPartner:

getPartner(partnerId="customPartner")

getAllRequesterPartners

Online command that retrieves Requester type partners.

Description

Retrieves Requester type partners.

Syntax

getAllRequesterPartners()

Example

The following invocation retrieves Requester type partners:

getAllRequesterPartners()

getAllRelyingPartyPartners

Online command that retrieves Relying Party partners.

Description

Retrieves the Relying Party partners.

Syntax

getAllRelyingPartyPartners()

Example

The following invocation retrieves Relying Party partners:

getAllRelyingPartyPartners()

getAllIssuingAuthorityPartners

Online command that retrieves Issuing Authority partners and prints out the result.

Description

Retrieves the Issuing Authority partners and prints out the result.

Syntax

getAllIssuingAuthorityPartners()

Example

The following invocation retrieves Issuing Authority partners and prints out the result:

getAllIssuingAuthorityPartners()

isPartnerPresent

Online command that queries the Security Token Service to determine whether or not the specified partner exists in the Partner store.

Description

Queries the Security Token Service to determine whether or not the specified partner exists in the Partner store, and prints out the result.

Syntax

isPartnerPresent(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation queries the Security Token Service to determine whether or not customPartner exists in the Partner store, and prints out the result:

isPartnerPresent(partnerId="customPartner")

createPartner

Online command that creates a new Partner entry.

Description

Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.

Syntax

createPartner(partnerId, partnerType, partnerProfileId, description,
bIsTrusted)
Argument Definition
partnerId
Specifies the ID of the new partner to be created.
partnerType
Specifies the type of partner. Values can be one of the following:
  • STS_REQUESTER for Requester

  • STS_RELYING_PARTY for Relying Party

  • STS_ISSUING_AUTHORITY for Issuing Authority

partnerProfileId
Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry.
description
Specifies the optional description of this new partner entry.
bIsTrusted
A value that indicates whether or not this new partner is trusted. Value can be either:
  • true for trusted

  • false if not trusted


Example

The following invocation creates the Requester (STS_REQUESTER) partner customPartner, attached to the partner profile custom-partnerprofile, with the description "custom requester" and a trust value of true, and displays a message indicating the result of the operation:

createPartner(partnerId="customPartner", partnerType="STS_REQUESTER",
partnerProfileId="custom-partnerprofile", description="custom requester",
bIsTrusted="true")

updatePartner

Online command that updates an existing Partner entry.

Description

Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.

Syntax

updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
Argument Definition
partnerId
Specifies the ID of the partner to be updated.
partnerProfileId
Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the partner entry.
description
Specifies the optional description of this partner entry.
bIsTrusted
A value that indicates whether or not this new partner is trusted. Value can be either:
  • true for trusted

  • false if not trusted


Example

The following invocation updates customPartner with a new profile ID, (x509-wss-validtemp), description (custom requester with new profile id), and a trust value of false. A message indicates the result of the operation:

updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp",
description="custom requester with new profile id", bIsTrusted="false")

deletePartner

Online command that deletes a partner entry from the Security Token Service.

Description

Deletes an existing Partner entry referenced by the partnerId parameter from the Security Token Service, and prints out the result of the operation.

Syntax

deletePartner(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner to be deleted.

Example

The following invocation deletes the customPartner partner entry referenced by the partnerId parameter from the Security Token Service, and prints out the result of the operation:

deletePartner(partnerId="customPartner")

getPartnerUsernameTokenUsername

Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.

Description

Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

Syntax

getPartnerUsernameTokenUsername(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves the customPartner partner username value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenUsername(partnerId="customPartner")

getPartnerUsernameTokenPassword

Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.

Description

Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

Syntax

getPartnerUsernameTokenPassword(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves customPartner partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenPassword(partnerId="customPartner")

setPartnerUsernameTokenCredential

Online command that sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation.

Description

Sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation. Displays the result of the operation.

Syntax

setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
Argument Definition
partnerId
Specifies the ID of the partner.
UTUsername
Specifies the username value used for UNT credentials validation or mapping operations.
UTPassword
Specifies the password value used for UNT credentials validation or mapping operations.

Example

The following invocation sets the username and password values of the customPartner partner entry, and displays the result of the operation:

setPartnerUsernameTokenCredential(partnerId="customPartner", UTUsername="test", UTPassword="password")

deletePartnerUsernameTokenCredential

Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

Description

Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

Syntax

deletePartnerUsernameTokenCredential(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner whose username and password values are to be removed.

Example

The following invocation removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation:

deletePartnerUsernameTokenCredential(partnerId="customPartner")

getPartnerSigningCert

Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

Description

Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

Syntax

getPartnerSigningCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string:

getPartnerSigningCert(partnerId="customPartner")

getPartnerEncryptionCert

Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.

Description

Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.

Syntax

getPartnerEncryptionCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string:

getPartnerEncryptionCert(partnerId="customPartner")

setPartnerSigningCert

Online command that uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.

Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.

Syntax

setPartnerSigningCert(partnerId, certFile)
Argument Definition
partnerId
Specifies the ID of the partner.
certFile
Specifies the location of the certificate on the local file system. Supported formats of the certificate are DER and PEM.

Example

The following invocation uploads the provided certificate to the partner entry customPartner as the signing certificate. Displays the result of the operation:

setPartnerSigningCert(partnerId="customPartner", certFile="/temp/signing_cert")

setPartnerEncryptionCert

Online command that uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.

Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.

Syntax

setPartnerEncryptionCert(partnerId, certFile)
Argument Definition
partnerId
Specifies the ID of the partner.
certFile
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM.

Example

The following invocation uploads the provided certificate to the partner entry customPartner as the encryption certificate. Displays the result of the operation:

setPartnerEncryptionCert(partnerId="customPartner", certFile="/temp/encryption_cert")
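The Base64 value returned by getPartnerSigningCert or getPartnerEncryptionCert can be checked against the DER or PEM file given to setPartnerSigningCert or setPartnerEncryptionCert, to confirm the partner entry holds exactly the certificate that was intended. The following is an added example, not code from this page or from Oracle; the certificate bytes in it are constructed stand-ins, not a real certificate, and it runs under a standard Python 3 interpreter rather than inside the WLST shell.

```python
"""Added example, not Oracle's code: check that the certificate held on a partner
entry (the Base64 string returned by getPartnerSigningCert or
getPartnerEncryptionCert) is byte-identical to the local DER or PEM file that
was passed to setPartnerSigningCert / setPartnerEncryptionCert.

The sample bytes below are a constructed ASN.1 SEQUENCE standing in for a real
DER certificate; they are not a certificate. Run with Python 3 outside WLST.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a DER certificate: SEQUENCE { INTEGER 5 }.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def load_cert_der(data):
    """Accept the two certFile formats the page lists (DER or PEM) and return DER."""
    m = PEM_BLOCK.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    if data[:1] == b"\x30":          # a DER Certificate is an outer ASN.1 SEQUENCE
        return data
    raise ValueError("certFile is neither PEM nor DER")


def der_length_ok(der):
    """Verify the outer SEQUENCE length field covers exactly the data present,
    which catches truncated or padded files before they are uploaded."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                  # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                  # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    length = int.from_bytes(der[2:2 + n], "big")
    return len(der) == 2 + n + length


def fingerprint_sha256(der):
    """Colon-separated SHA-256 fingerprint of the DER bytes."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def partner_cert_matches(local_cert_bytes, partner_b64):
    """Compare a local DER/PEM file with the Base64 string the STS reports for the
    partner; whitespace and line breaks in the reported string are ignored."""
    local_der = load_cert_der(local_cert_bytes)
    if not der_length_ok(local_der):
        raise ValueError("local certificate is not a well-formed DER SEQUENCE")
    remote_der = base64.b64decode("".join(partner_b64.split()))
    return fingerprint_sha256(local_der) == fingerprint_sha256(remote_der)


if __name__ == "__main__":
    reported = base64.b64encode(SAMPLE_DER).decode()   # what the STS would print
    print("PEM file matches partner entry:", partner_cert_matches(SAMPLE_PEM, reported))
    print("DER file matches partner entry:", partner_cert_matches(SAMPLE_DER, reported))
    print("fingerprint:", fingerprint_sha256(SAMPLE_DER))
```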

deletePartnerSigningCert

Online command that removes the signing certificate from the partner entry and displays the result of the operation.

Description

Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

Syntax

deletePartnerSigningCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation removes the signing certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerSigningCert(partnerId="customPartner")

deletePartnerEncryptionCert

Online command that removes the encryption certificate from the partner entry and displays the result of the operation.

Description

Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

Syntax

deletePartnerEncryptionCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

Example

The following invocation removes the encryption certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerEncryptionCert(partnerId="customPartner")

getPartnerAllIdentityAttributes

Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

Description

Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

Syntax

getPartnerAllIdentityAttributes(partnerId)
Argument Definition
partnerId
Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester.

Example

The following invocation retrieves and displays all the identity mapping attributes used to map a token, or binding data (SSL Client certificate or HTTP Basic Username), to the Requester partner customPartner:

getPartnerAllIdentityAttributes(partnerId="customPartner")

getPartnerIdentityAttribute

Online command that retrieves and displays identity mapping attributes used to map a token or to map binding data to a requester partner.

Description

Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

Syntax

getPartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId
Specifies the ID of the Requester partner.
identityAttributeName
Specifies the name of the identity mapping attribute to retrieve and display. For example: httpbasicusername.

Example

The following invocation retrieves and displays one identityAttribute and its value as specified by identityAttributeName.

getPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername")

setPartnerIdentityAttribute

Online command that sets the identity mapping attribute for the Requester partner.

Description

Sets the identity mapping attribute specified by identityAttributeName for the partner of type Requester specified by the partnerId parameter. These identity mapping attributes only exist for Requester partners. Displays the result of the operation.

Syntax

setPartnerIdentityAttribute(partnerId, identityAttributeName, 
identityAttributeValue)
Argument Definition
partnerId
Specifies the ID of the partner of type Requester.
identityAttributeName
Specifies the name of the identity mapping attribute to set.
identityAttributeValue
Specifies the value of the identity mapping attribute to set.

Example

The following invocation sets the identity mapping attribute specified by identityAttributeName for the Requester partner specified by the partnerId parameter, and displays the result of the operation.

setPartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername",identityAttributeValue="test")

deletePartnerIdentityAttribute

Online command that deletes the identity mapping attribute.

Description

Deletes the identity mapping attribute specified by identityAttributeName.

The identity mapping attributes are used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner, and they only exist for Requester partners.

Syntax

deletePartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId
Specifies the ID of the partner.
identityAttributeName
Specifies the name of the identity mapping attribute to delete.

Example

The following invocation deletes the identity mapping attribute specified by identityAttributeName for Requester partner customPartner.

deletePartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername")

getAllWSPrefixAndPartnerMappings

Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.

Description

Retrieves and displays all WS Prefixes to Relying Party Partner mappings.

Syntax

getAllWSPrefixAndPartnerMappings() 

Example

The following invocation retrieves and displays all WS Prefix to Relying Party Partner mappings.

getAllWSPrefixAndPartnerMappings() 

getWSPrefixAndPartnerMapping

Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

Description

Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

Syntax

getWSPrefixAndPartnerMapping(wsprefix) 
Argument Definition
wsprefix
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


Example

The following invocation retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

getWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")

createWSPrefixAndPartnerMapping

Online command that creates a new WS Prefix mapping to a Relying Partner.

Description

Creates a new WS Prefix mapping to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation.

Syntax

createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
Argument Definition
wsprefix
Specifies the WS Prefix entry to create. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path

partnerid
Specifies the ID of the Relying Party partner.
description
Specifies an optional description.

Example

The following invocation creates a new WS Prefix mapping to the Relying Party Partner referenced by the partnerid parameter, and displays the result of the operation.

createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path",
partnerid="customRPpartner", description="some description")

deleteWSPrefixAndPartnerMapping

Online command that deletes an existing mapping of a WS Prefix to a Relying Party Partner.

Description

Deletes an existing mapping of a WS Prefix to a Relying Party Partner, and displays the result of the operation.

Syntax

deleteWSPrefixAndPartnerMapping(wsprefix)
Argument Definition
wsprefix
Specifies the WS Prefix entry to delete. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


Example

The following invocation deletes the existing mapping of the WS Prefix to a Relying Party Partner, and displays the result of the operation.

deleteWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")
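The mapping rule described at the start of this chapter (an exact service URL or a parent path of it, taken from the AppliesTo field of the RST) can be worked through end to end. The following is an added example, not code from this page or from Oracle: it parses a constructed WS-Trust RST, resolves the AppliesTo address against a mapping table like the one the commands above maintain, and falls back to the requester profile's defaultRelyingPartyPPID when AppliesTo is missing or unmapped (see createRequesterPartnerProfile). The dict-based table, the longest-prefix-wins rule and the fallback shape are assumptions of the example, and it runs under a standard Python 3 interpreter rather than inside the WLST shell.

```python
"""Added example, not Oracle's code: resolve which Relying Party Partner a WS-Trust
RST targets, following the WS Prefix mapping rules described in this chapter.

Assumptions not taken from the page: the mapping table is a plain dict of
wsprefix -> partnerid; when several prefixes match, the longest one wins; a
missing or unmapped AppliesTo falls back to the requester profile's
defaultRelyingPartyPPID. Run with Python 3 outside the WLST shell.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed mappings, as createWSPrefixAndPartnerMapping(wsprefix=..., partnerid=...)
# would create them. RelyingPartyPartnerTest is the name used in the chapter text.
WS_PREFIX_MAPPINGS = {
    "http://test.com/service": "RelyingPartyPartnerTest",
    "http://test.com/service/shop": "ShopRelyingParty",
}

# Constructed sample RST (Issue request) whose AppliesTo names a service URL.
SAMPLE_RST = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
  <s:Body>
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>http://test.com/service/calculatorService</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
    </wst:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def _normalize(url):
    """Lower-case scheme and host, drop query/fragment and any trailing slash."""
    parts = urlsplit(url.strip())
    return "%s://%s%s" % (parts.scheme.lower(), parts.netloc.lower(),
                          parts.path.rstrip("/"))


def prefix_matches(wsprefix, service_url):
    """True when service_url is the prefix itself or lies below it as a path.
    Matching is done on whole path segments, so http://test.com/service does
    not match http://test.com/servicefoo."""
    p, u = _normalize(wsprefix), _normalize(service_url)
    return u == p or u.startswith(p + "/")


def map_service_url(service_url, mappings=WS_PREFIX_MAPPINGS):
    """Return the partnerid mapped to service_url, or None if no prefix matches."""
    hits = [p for p in mappings if prefix_matches(p, service_url)]
    if not hits:
        return None
    return mappings[max(hits, key=lambda p: len(_normalize(p)))]


def extract_applies_to(rst_xml):
    """Return the wsa:Address under wsp:AppliesTo of the RST, or None if absent."""
    root = ET.fromstring(rst_xml)
    addr = root.find(".//wst:RequestSecurityToken/wsp:AppliesTo//wsa:Address", NS)
    if addr is None or not (addr.text or "").strip():
        return None
    return addr.text.strip()


def resolve_relying_party(rst_xml, default_rp_ppid, mappings=WS_PREFIX_MAPPINGS):
    """Return ("partner", partnerid) when AppliesTo maps to a Relying Party Partner,
    otherwise ("default_profile", default_rp_ppid)."""
    applies_to = extract_applies_to(rst_xml)
    partner = map_service_url(applies_to, mappings) if applies_to else None
    if partner is not None:
        return ("partner", partner)
    return ("default_profile", default_rp_ppid)


if __name__ == "__main__":
    for url in ("http://test.com/service", "http://test.com/service/calculatorService",
                "http://test.com/service/shop/cart", "http://test.com/servicefoo"):
        print(url, "->", map_service_url(url))
    print(resolve_relying_party(SAMPLE_RST, "rpPartnerProfileTest"))
```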

getAllPartnerProfiles

Online command that retrieves the names of all the existing partner profiles and displays them.

Description

Retrieves the names of all the existing partner profiles and displays them.

Syntax

getAllPartnerProfiles()

Example

The following invocation retrieves the names of all the existing partner profiles and displays them.

getAllPartnerProfiles()

getPartnerProfile

Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.

Description

Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

Syntax

getPartnerProfile(partnerProfileId)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.

Example

The following invocation retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

getPartnerProfile(partnerProfileId="custom-partnerprofile")

createRequesterPartnerProfile

Online command that creates a new requester partner profile with default configuration data.

Description

Creates a new requester partner profile with default configuration data, and displays the result of the operation.

Table 8-2 describes the default configuration created with this command.

Table 8-2 Default Configuration: createRequesterPartnerProfile

Element Description
Return Error for Missing Claims

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template:

  • SAML 1.1 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1

    The SAML 1.1 token type is not mapped to any WS-Trust Validation Template.

  • SAML 2.0 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0

    The SAML 2.0 token type is not mapped to any WS-Trust Validation Template.

  • Username token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken

    The Username token type is not mapped to any WS-Trust Validation Template.

Note: Token Type Configuration and token type to Validation Template mapping are both empty.

Attribute Name Mapping

Default: The Attribute Name Mapping table is empty by default.


Syntax

createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, 
description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
defaultRelyingPartyPPID
Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner.
description
Specifies the optional description for this partner profile.

Example

The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 8-2.

createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom
partner profile")

createRelyingPartyPartnerProfile

Online command that creates a new relying party partner profile with default configuration data.

Description

Creates a new relying party partner profile with default configuration data, and displays the result of the operation.

Table 8-3 describes the default configuration created with this command.

Table 8-3 Default Configuration: createRelyingPartyPartnerProfile

Element Description

Download Policy

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration will contain a single entry, with:

  • The token type set to the type of Issuance Template referenced by defaultIssuanceTemplateID

  • The Issuance template set to defaultIssuanceTemplateID

Note: Only the token type of the issuance template referenced by defaultIssuanceTemplateID is linked to that issuance template; the other token types are not linked to any issuance template.

If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID.

Attribute Name Mapping

The Attribute Name Mapping table is empty by default.


Syntax

createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, 
description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
defaultIssuanceTemplateID
Specifies the default issuance template and token type to issue if no token type was specified in the RST.
description
Specifies the optional description for this partner profile.

Example

The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.

createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")

createIssuingAuthorityPartnerProfile

Online command that creates a new issuing authority partner profile with default configuration data.

Description

Creates a new issuing authority partner profile with the default configuration data in Table 8-4, and displays the result of the operation.

Table 8-4 Default Configuration: createIssuingAuthorityPartnerProfile

Element Description

Server Clockdrift

Default: 600 seconds

Token Mapping

The Token Mapping Section will be configured as follows:

  • Override Simple User Mapping: false

  • Override User NameID Mapping: false

  • Override Attribute Based User Mapping: false

  • Override Simple Partner Mapping: false

  • Override Partner NameID Mapping: false

Empty fields

  • simple user mapping

  • attribute based user mapping

  • simple partner mapping

Partner NameID Mapping

The Partner NameID Mapping table will be provisioned with the following entries as NameID format, without any data in the datastore column. The issuance template referenced by defaultIssuanceTemplateID is of token type SAML 1.1, SAML 2.0, or Username.

The table will contain the following entries:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping

The User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

Attribute Mapping

The Attribute Value Mapping and Attribute Name Mapping tables are empty by default.


Syntax

createIssuingAuthorityPartnerProfile(partnerProfileId, description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
description
Specifies the optional description for this partner profile.

Example

The following invocation creates a new issuing authority partner profile with default configuration data, and displays the result of the operation.

createIssuingAuthorityPartnerProfile(partnerProfileId="custom-partnerprofile",
description="custom partner profile")

deletePartnerProfile

Online command that deletes a partner profile referenced by the partnerProfileId parameter. (See Advanced Identity Federation Commands for information regarding SAML 1.1.)

Description

Deletes a partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

Syntax

deletePartnerProfile(partnerProfileId) 
Argument Definition
partnerProfileId
Specifies the name of the partner profile to be removed.

Example

The following invocation deletes a partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

deletePartnerProfile(partnerProfileId="custom-partnerprofile")

getAllIssuanceTemplates

Online command that retrieves the names of all the existing issuance templates.

Description

Retrieves the names of all the existing issuance templates and displays them.

Syntax

getAllIssuanceTemplates()

Example

The following invocation retrieves the names of all the existing issuance templates and displays them.

getAllIssuanceTemplates()

getIssuanceTemplate

Online command that retrieves the configuration data of a specific issuance template.

Description

Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

Syntax

getIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId
Specifies the name of the issuance template.

Example

The following invocation retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

getIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

createIssuanceTemplate

Online command that creates a new issuance template with default configuration data.

Description

Creates a new issuance template with default configuration data, and displays the result of the operation.

Table 8-5 describes the default configuration for this command.

Table 8-5 Default Configuration: createIssuanceTemplate

Token Type Description

Username

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • NameID User Attribute: uid

  • NameID User Attribute Store: User Store

  • Password Attribute: (empty)

  • Include Nonce: true

  • Include Timestamp: true

SAML 1.1

or

SAML 2.0

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • Assertion Issuer: Access Manager Hostname

  • NameID Format: Email Address

  • NameID User Attribute: mail

  • NameID User Attribute Store: User Store

  • NameID Qualifier: (empty)

  • Include Authn Statement: true

  • Include Attr Statement: true

  • Sign Assertion: true

  • Include Certificate in Signature: true

  • Send Encrypted NameID: false (SAML 2.0 only)

  • Default Subject Confirmation Method: Sender Vouches

  • Compute HOK Symmetric Key: true

  • HOK Symmetric Key Generation Algorithm: http://www.w3.org/2001/04/xmlenc#aes128-cbc

Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter

Custom Type

The issuance template will be created with the following default values:

  • Send Encrypted Token: false


Syntax

createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, 
description) 
Argument Definition
issuanceTemplateId
Specifies the name of the issuance template to be created.
tokenType
Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

signingKeyId
Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20.
description
An optional description.

Example

The following invocation creates a new issuance template with default configuration data, and displays the result of the operation.

createIssuanceTemplate(issuanceTemplateId="custom-issuancetemp", tokenType="saml20", signingKeyId="osts_signing", description="custom issuance template")

deleteIssuanceTemplate

Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

Description

Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

Syntax

deleteIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId
Specifies the name of the existing issuance template to be removed.

Example

The following invocation deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

deleteIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

getAllValidationTemplates

Online command that retrieves the names of all the existing validation templates.

Description

Retrieves the names of all the existing validation templates and displays them.

Syntax

getAllValidationTemplates() 

Example

The following invocation retrieves the names of all the existing validation templates and displays them.

getAllValidationTemplates()

getValidationTemplate

Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.

Description

Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.

Syntax

getValidationTemplate(validationTemplateId) 
Argument Definition
validationTemplateId
Specifies the name of the existing validation template.

Example

The following invocation retrieves the configuration data of a specific validation template, and displays the content of the template.

getValidationTemplate(validationTemplateId="custom-wss-validtemp")

createWSSValidationTemplate

Online command that creates a new validation template with default configuration data.

Description

Creates a new WSS validation template with default configuration data, and displays the result of the operation. The validation template is created using the values in Table 8-6, depending on the token type.

Table 8-6 Default Configuration: createWSSValidationTemplate

Token Type Description

Username

The validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: true

  • Validation Source: Partner

  • Token Mapping: Map token to Partner

  • Enable Simple Partner Mapping: true

  • Partner Datastore Attribute: username

SAML 1.1

or

SAML 2.0

The validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

  • Enable Partner NameID Mapping: false

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: NameID

  • Partner Datastore Attribute: username

Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: DN

  • Partner Datastore Attribute: sslclientcertdn

Kerberos

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping

Also:

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail


Syntax

createWSSValidationTemplate(templateId, tokenType,
defaultRequesterPPID, description)
Argument Definition
templateId
Specifies the name of the validation template to be created.
tokenType
Specifies the token type of the validation template. Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is Access Manager

defaultRequesterPPID
Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester.
description
Specifies an optional description.

Example

The following invocation creates a new validation template with default configuration data, and displays the result of the operation.

createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom",
defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation 
template")

createWSTrustValidationTemplate

Online command that creates a new WS-Trust validation template with default configuration data.

Description

Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation. The WS-Trust validation template is created with the values in Table 8-7, depending on the token type.

Table 8-7 Default Configuration: createWSTrustValidationTemplate

Token Type Description

Username

The WS-Trust validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: false

  • Validation Source: User Store

  • Token Mapping: Map token to User

  • Enable Simple User Mapping: true

  • User Datastore Attribute: uid

SAML 1.1

or

SAML 2.0

The WS-Trust validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: true

  • Enable Attribute Based User Mapping: false

Empty fields: User Datastore Attribute, Attribute Based User Mapping

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

  • User Token Attribute: CN

  • User Datastore Attribute: CN

  • Attribute Based User Mapping (empty)

Kerberos

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail

OAM

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_NAME_ID

  • User Datastore Attribute: uid

custom

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to None

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: (empty)

  • User Datastore Attribute: (empty)


Syntax

createWSTrustValidationTemplate(templateId, tokenType, description)
Argument Definition
templateId
Specifies the name of the WS-Trust validation template to be created.
tokenType
Specifies the token type of the WS-Trust validation template. Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is an Access Manager token, supported by default

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

description
Specifies an optional description.

Example

The following invocation creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.

createWSTrustValidationTemplate(templateId="custom-wss-validtemp", 
tokenType="custom", description="custom validation template")

deleteValidationTemplate

Online command that deletes a validation template.

Description

Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

Syntax

deleteValidationTemplate(validationTemplateId)
Argument Definition
validationTemplateId
Specifies the name of the validation template to be removed.

Example

The following invocation deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

deleteValidationTemplate(validationTemplateId="custom-wss-validtemp") 
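The create, get and delete commands above are normally run as a sequence, because a relying party partner profile references an issuance template by id. The following script, added here as an example and not taken from the Oracle documentation, provisions a SAML 2.0 issuance template, a relying party partner profile that uses it as its default, and a WS-Trust UsernameToken validation template, reads the templates back, and tears everything down in reverse order. It applies the argument rules stated in the reference (signingKeyId is required for saml11 and saml20). The WLST commands are passed in as an object so the script can be exercised offline with the recorder class, which is constructed for this example; under WLST the object would expose the real commands as attributes.

```python
# Added example, not code from the Oracle documentation: provisions a SAML 2.0
# issuance chain with this chapter's WLST commands in dependency order and tears
# it down in reverse. The commands are passed in as an object so the script runs
# offline with the recorder below (constructed for the example); under WLST the
# object would expose the real commands as attributes.
SIGNED_TOKEN_TYPES = ("saml11", "saml20")

class RecordingSts(object):
    """Offline stand-in for the WLST session: records each command call in order."""
    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def command(**kwargs):
            self.calls.append((name, kwargs))
            return "ok"
        return command

def _invoke(sts, invoked, name, **kwargs):
    """Call the WLST command `name` on `sts`, recording its name on success."""
    result = getattr(sts, name)(**kwargs)
    invoked.append(name)
    return result

def provision_saml_chain(sts, template_id, token_type, signing_key_id,
                         profile_id, validation_id):
    """Create an issuance template, a relying party partner profile that uses it
    as its default, and a WS-Trust UsernameToken validation template, then read
    the templates back. Returns the names of the commands invoked, in order."""
    if token_type not in SIGNED_TOKEN_TYPES:
        raise ValueError("this chain issues SAML assertions: use saml11 or saml20")
    if not signing_key_id:
        # The reference states signingKeyId is required for saml11 and saml20.
        raise ValueError("signingKeyId is required when tokenType is saml11 or saml20")
    invoked = []
    _invoke(sts, invoked, "createIssuanceTemplate", issuanceTemplateId=template_id,
            tokenType=token_type, signingKeyId=signing_key_id,
            description="issuance template for " + profile_id)
    # The profile references the template by id, so the template is created first.
    _invoke(sts, invoked, "createRelyingPartyPartnerProfile", partnerProfileId=profile_id,
            defaultIssuanceTemplateID=template_id, description="relying party profile")
    _invoke(sts, invoked, "createWSTrustValidationTemplate", templateId=validation_id,
            tokenType="username", description="WS-Trust UsernameToken validation")
    _invoke(sts, invoked, "getIssuanceTemplate", issuanceTemplateId=template_id)
    _invoke(sts, invoked, "getValidationTemplate", validationTemplateId=validation_id)
    return invoked

def teardown_saml_chain(sts, template_id, profile_id, validation_id):
    """Remove in reverse order: the profile referencing the template goes first."""
    invoked = []
    _invoke(sts, invoked, "deleteValidationTemplate", validationTemplateId=validation_id)
    _invoke(sts, invoked, "deletePartnerProfile", partnerProfileId=profile_id)
    _invoke(sts, invoked, "deleteIssuanceTemplate", issuanceTemplateId=template_id)
    return invoked

if __name__ == "__main__":
    session = RecordingSts()
    print(provision_saml_chain(session, "custom-issuancetemp", "saml20", "osts_signing", "custom-partnerprofile", "custom-wss-validtemp"))
    print(teardown_saml_chain(session, "custom-issuancetemp", "custom-partnerprofile", "custom-wss-validtemp"))
```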

configureOWSMAgentSTS

Online command required to allow custom Mobile Security Access Server (MSAS)/Oracle Web Services Manager (OWSM) policies to work.

Description

Online command that modifies the Security Token Service configuration to allow custom MSAS/OWSM policies to work.

Syntax

configureOWSMAgentSTS(<type>, <server="soa_server1">)

Argument Definition
type
The type can be 'classpath' or 'policymanager'. If the OWSM Policy Manager service has to be seeded with the STS policies, pass 'policymanager'. Otherwise, use 'classpath', and the STS policies are picked up from sts_policies.jar.
server
Optional. If type=policymanager, enter the WLS managed server name where the OWSM Document Manager MBean is deployed.

Example

configureOWSMAgentSTS("policymanager", server="omsm_server1")