A Installation and Configuration Parameters

This appendix lists the parameters and accepted values that may be defined for Oracle Entitlements Server services using jps-config.xml, the configuration file used by Java EE containers. It is located in the $DOMAIN_HOME/config/fmwconfig directory. This appendix comprises the following sections.

A.1 Policy Distribution Configuration

The Policy Distribution Component is responsible for distributing policy objects and policies from the policy store to one or more Security Modules. It can distribute in a controlled-push mode, a controlled-pull mode, a non-controlled mode, or a mixed mode. Each mode entails different configurations.

A.1.1 Policy Distribution Component Server Configuration

Typically, configuration for the Policy Distribution Component to fetch policies and policy objects (in a scenario when it runs within Oracle Entitlements Server) is associated with the Policy Store configuration in the jps-config.xml file. Only in cases when data is pulled in a controlled manner (controlled-pull mode) is the Policy Distribution Component associated with the PDP Service configuration on the Security Module side. Table A-1 contains the configuration parameters.

Table A-1 Policy Distribution Server Configuration

Parameter Name Information Console Name


Defines the scope of the policy distribution as either to one Security Module or to all Security Modules. If distribution fails when it involves only one Security Module, it does not affect distributions to other Security Modules.


Accepted Values: All (default), One



Defines the amount of time to delay policy distribution after a request for registration is received.


Accepted Values: time in seconds (default value is 0)


A.1.2 Policy Distribution Component Client Configuration

The Policy Distribution Component client is responsible for making policies available to the Security Module. Thus, the Policy Distribution Client configuration is always associated with the PDP Service configuration portion of the jps-config.xml file on the Security Module side. Configuration is different depending on the mode of distribution and the environment in which the Security Module is running. The following sections contain descriptions of the applicable configuration parameters.

A.1.2.1 Policy Distribution Component Client Java Standard Edition Configuration (Controlled Push Mode)

Table A-2 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Standard Edition (JSE) environment and is configured to distribute data in the controlled-push mode.

Table A-2 Policy Distribution Client Configuration, JSE, Controlled Push Mode

Parameter Name Information Console Name


Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.


Accepted Value: controlled-push

Policy Distribution Mode


Defines the name of the Security Module.


Accepted Value: Name of the Security Module

SM Name


Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a subdirectory under the specified or default work folder, and that subdirectory is used as the actual work folder.


Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder


Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to clean up locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.


Accepted Values:

  • false (policy distribution is flush for this Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution


When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful.


Accepted Value: time in seconds (default value is 5)

Registration Retry Interval


If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.


Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)


Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts.


Accepted Value: URL

Registration Server URL


Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable.

Optional (although if not configured Oracle Entitlements Server failover will not work)

Accepted Value: URL

Backup Registration Server URL


Defines the port to which a remote Policy Distributor will push policy updates.


Accepted Value: port number

Distribution Service Port


Defines whether communication between the Policy Distribution Component server and client will use the Secure Sockets Layer (SSL) protocol or not.


Accepted Values: none, two-way (default value)

SSL Mode


Defines the name of the Identity Key Store file in which client certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component.


Accepted Value: the name of the keystore file

SSL Identity Key Store File Name


Defines the name of the Trust Key Store file where Certificate Authority (CA) certificates are stored. Used for SSL communication between the Security Module and the Policy Distribution Component.


Accepted Value: the name of the trust keystore file

SSL Trust Key Store File Name


Defines an Identity Key alias to identify the client certificate used for SSL communication between the Security Module and the Policy Distribution Component.

Optional (if only one alias exists in the identity keystore there is no need to specify this value)

Accepted Value: the identity key alias

SSL Identity Key Store Key Alias


Defines the type of Security Module to which the Policy Distribution Component client is connecting.


Accepted Value: java (Other accepted values include wls, RMI and ws. Because this table covers the Java Security Module only, the value must be java.)

Configured during OES Client installation only.


Defines which JCE provider will be used.


Accepted Values: SunJCE, JsafeJCE; no default value is defined. The value is case-sensitive. If no value is provided, the default JDK provider is used.



Defines the key length used for the Cipher class available from the specified JCE provider.


Accepted Values: 128, 192, 256; default value is 128.



Defines the cipher algorithm name, mode and padding scheme used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding


Accepted Values: AES/CBC/PKCS5Padding (default value) or AES/GCM/NoPadding.
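The SSL mode, keystore, JCE provider, key length and cipher-spec entries of Table A-2 are the settings an auditor checks first, because a Security Module that accepts policy over a non-SSL channel or with an unsupported cipher spec silently weakens the distribution path. The script below is an added example, not Oracle's code: it reads a constructed jps-config.xml fragment (the serviceInstance/property layout is assumed; the pd.client.* property names are placeholders, since this page does not list the real keys) and reports every value that is outside the accepted set, applying the documented defaults (two-way SSL, 128-bit key, AES/CBC/PKCS5Padding, 60-second wait) when a property is absent.

```python
"""Audit the security-relevant Policy Distribution client settings of Table A-2.

Added example, not Oracle's code. Property names (pd.client.*) are placeholders
for illustration; substitute the real jps-config.xml keys from the product
documentation. The XML fragment is constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Constructed jps-config.xml fragment with placeholder property names and
# deliberately weak values so that the audit has something to report.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="pd.client.policyDistributionMode" value="controlled-push"/>
      <property name="pd.client.sslMode" value="none"/>
      <property name="pd.client.ssl.identityKeyStoreFileName" value="identity.jks"/>
      <property name="pd.client.cipher.provider" value="sunjce"/>
      <property name="pd.client.cipher.keyLength" value="64"/>
      <property name="pd.client.cipher.spec" value="AES/ECB/PKCS5Padding"/>
      <property name="pd.client.waitDistributionTime" value="0"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

ACCEPTED_PROVIDERS = {"SunJCE", "JsafeJCE"}            # case-sensitive per Table A-2
ACCEPTED_KEY_LENGTHS = {128, 192, 256}
ACCEPTED_CIPHERS = {"AES/CBC/PKCS5PADDING", "AES/GCM/NOPADDING"}  # spec is case-insensitive
CIPHER_FORMAT = re.compile(r"^[A-Za-z0-9_-]+/[A-Za-z0-9]+/[A-Za-z0-9]+$")  # algorithm/mode/padding


def load_properties(xml_text, instance_name="pdp.service"):
    """Return the <property name=.. value=..> pairs of one serviceInstance as a dict."""
    root = ET.fromstring(xml_text)
    for inst in root.iter("serviceInstance"):
        if inst.get("name") == instance_name:
            return {p.get("name"): p.get("value") for p in inst.findall("property")}
    raise ValueError(f"serviceInstance {instance_name!r} not found")


def audit_pd_client(props):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    mode = props.get("pd.client.sslMode", "two-way")         # documented default
    if mode not in {"none", "two-way"}:
        findings.append(("error", f"SSL Mode {mode!r} is not an accepted value"))
    elif mode == "none":
        findings.append(("high", "SSL Mode is 'none': policy distribution is not protected by SSL"))
    else:  # two-way SSL needs both keystore files
        for key, label in (("pd.client.ssl.identityKeyStoreFileName", "identity keystore"),
                           ("pd.client.ssl.trustKeyStoreFileName", "trust keystore")):
            if not props.get(key):
                findings.append(("error", f"two-way SSL requires the {label} file name"))
    provider = props.get("pd.client.cipher.provider")        # no default: JDK provider is used
    if provider is not None and provider not in ACCEPTED_PROVIDERS:
        lowered = {p.lower() for p in ACCEPTED_PROVIDERS}
        hint = " (value is case-sensitive)" if provider.lower() in lowered else ""
        findings.append(("error", f"JCE provider {provider!r} is not accepted{hint}"))
    raw_len = props.get("pd.client.cipher.keyLength", "128")
    if not raw_len.isdigit() or int(raw_len) not in ACCEPTED_KEY_LENGTHS:
        findings.append(("error", f"key length {raw_len!r} not in {sorted(ACCEPTED_KEY_LENGTHS)}"))
    spec = props.get("pd.client.cipher.spec", "AES/CBC/PKCS5Padding")
    if not CIPHER_FORMAT.match(spec):
        findings.append(("error", f"cipher spec {spec!r} is not of the form algorithm/mode/padding"))
    elif spec.upper() not in ACCEPTED_CIPHERS:
        findings.append(("error", f"cipher spec {spec!r} is not one of the accepted values"))
    if props.get("pd.client.waitDistributionTime", "60") == "0":
        findings.append(("info", "Wait Distribution Time is 0: the Security Module does not "
                                 "wait for the initial policy distribution"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_pd_client(load_properties(SAMPLE_JPS_CONFIG)):
        print(f"[{severity}] {message}")
```

Note that an empty property set is not clean: the default SSL mode is two-way, so the identity and trust keystore file names become mandatory the moment the SSL Mode property is left out.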


A.1.2.2 Policy Distribution Component Client Java Enterprise Edition Container Configuration (Controlled Push Mode)

Table A-3 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in a Java Enterprise Edition (JEE) environment and is configured to distribute data in the controlled-push mode.

Table A-3 Policy Distribution Client Configuration, JEE, Controlled Push Mode

Parameter Name Information Console Name


Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.


Accepted Value: controlled-push

Policy Distribution Mode


Defines the name of the Security Module.


Accepted Value: Name of the Security Module

SM Name


Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a subdirectory under the specified or default work folder, and that subdirectory is used as the actual work folder.


Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder


Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to clean up locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.


Accepted Values:

  • false (policy distribution is flush for this Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution


When a Security Module starts, it registers itself with the Policy Distribution Component to ensure the local policy cache is up to date. If registration fails, it will retry each time this interval of time passes until successful.


Accepted Value: time in seconds (default value is 5)

Registration Retry Interval (seconds)


If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.


Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)


Defines the URL of the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts.


Accepted Value: URL

Registration Server URL


Defines a backup URL for the Oracle Entitlements Server Administration Server. Used by the Security Module to register itself with Oracle Entitlements Server when it starts if the primary URL (parameter above) is unavailable.

Optional (although if not configured Oracle Entitlements Server failover will not work)

Accepted Value: URL

Backup Registration Server URL


Defines the type of Security Module to which the Policy Distribution Component client is connecting.


Accepted Values:

  • was

  • wls

Configured during OES Client installation only.


Defines the URL to which the remote Policy Distributor will push policy updates.


Accepted Values: URL



Defines which JCE provider will be used. It is optional and case sensitive.


Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used.



Defines the key length used for the Cipher class available from the specified JCE provider.


Accepted Values: 128, 192, 256; default value is 128.



Defines the cipher algorithm name, mode and padding scheme used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding


Accepted Values: AES/CBC/PKCS5Padding (default value) or AES/GCM/NoPadding.


A.1.2.3 Policy Distribution Client Configuration (Controlled-Pull Mode)

Table A-4 compiles the parameters for the Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the controlled-pull mode.

Table A-4 Policy Distribution Client Configuration, Controlled-Pull Mode

Parameter Name Information Console Name


Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.


Accepted Value: controlled-pull

Policy Distribution Mode


Defines the name of the Security Module.


Accepted Value: the name of the Security Module

SM Name


Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a subdirectory under the specified or default work folder, and that subdirectory is used as the actual work folder.


Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder


Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to clean up locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.


Accepted Values:

  • false (policy distribution is flush for the Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution


If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.


Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)


Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling in environments where policies are not expected to be modified.


Accepted Values:

  • false

  • true (default value)



Defines the interval of time in which the Policy Distribution Component will check for policy data changes.


Accepted Value: time in seconds (default value of 600)



Defines the top (root) entry of the LDAP policy store directory information tree (DIT).


Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT)

LDAP Root Name


Defines the RDN format of the domain node in the LDAP policy store.


Accepted Value: name of the domain

Farm Name


Takes a URL that points to the database.

Mandatory (if using Java Database Connectivity API to connect to policy store)

Accepted Value: URL



Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database.


Accepted Value: driver

JDBC Driver


The JNDI name of the JDBC data source instance. The instance may correspond to a single-source or multi-source data source. Valid only in JEE applications. Applies only to database stores.


Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.

Data source JNDI Name


The name of the user with access rights to the database.


Accepted Value: Database user name



The password of the user with access rights to the database.


Accepted Value: Password associated with the database user in clear text; instead of storing the password in clear text, use bootstrap.security.principal.map.



The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store.


Accepted Value: CSF credential key

Bootstrap Security Principal Key


The map for the password credentials to access the policy store. Credentials are stored in the CSF store.


Accepted Value: name of the CSF credential map

Bootstrap Security Principal Map


Defines which JCE provider will be used. It is optional and case sensitive.


Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used.



Defines the key length used for the Cipher class available from the specified JCE provider.


Accepted Values: 128, 192, 256; default value is 128.



Defines the cipher algorithm name, mode and padding scheme used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding


Accepted Values: AES/CBC/PKCS5Padding (default value) or AES/GCM/NoPadding.


A.1.2.4 Policy Distribution Client Configuration (Non-controlled Mode)

Table A-5 compiles the parameters for Policy Distribution Component client configuration when the Oracle Entitlements Server is running in either a JEE or a JSE environment and is configured to distribute data in the non-controlled mode.

Table A-5 Policy Distribution Client Configuration, Non-controlled Mode

Parameter Name Information Console Name


Specifies the mode of policy distribution. Non-controlled distribution is when the Security Module periodically retrieves policy data from a policy store (or from a component that serves as an intermediary between the two).


Accepted Value: non-controlled (default value)

Policy Distribution Mode

A.1.2.5 Policy Distribution Client Configuration (Mixed Mode)

Table A-6 compiles the parameters for the Policy Distribution Component client configuration when the PDP is running in either a JEE or a JSE environment and is configured to distribute data in mixed mode. Mixed mode is a distribution combination of the controlled-pull and non-controlled modes.

Table A-6 Policy Distribution Client Configuration, Mixed Mode

Parameter Name Information Console Name


Specifies the mode of policy distribution. Controlled distribution is initiated by the Policy Distribution Component, ensuring that the Security Module receives policy data that has been created or modified since the last distribution.


Accepted Value: mixed

Policy Distribution Mode


Defines the name of the Security Module.


Accepted Value: the name of the Security Module

SM Name


Defines the name of any directory in which local cache files are stored. If a value is not defined, a work directory will be created in the directory where jps-config.xml is kept. If the applicable Security Module is created in a JRF domain, the server name will be used to create a subdirectory under the specified or default work folder, and that subdirectory is used as the actual work folder.


Accepted Value: The name of any directory in which local cache files will be stored. This directory must have read and write privileges.

Local Policy Work Folder


Defines whether the distribution is incremental or flush. Incremental distribution is when only new and modified data is distributed. Flush distribution is when the Policy Distribution Component notifies the Security Module to clean up locally stored policies in preparation for a complete re-distribution of all policy objects in the policy store.


Accepted Values:

  • false (policy distribution is flush for the Security Module)

  • true (default value; policy distribution is incremental for this Security Module if the required change logs are kept in the policy store)

Incremental Distribution


If this value is defined and not equal to zero, it specifies the amount of time that a Security Module will wait for initial policy distribution to happen. During this wait period, authorization requests are blocked until either the initial policy distribution completes or the configured period expires.


Accepted Value: time in seconds (default value is 60)

Wait Distribution Time (seconds)


Enables a periodic check for policy updates in the Policy Store. Can be set to false to disable polling in environments where policies are not expected to be modified.


Accepted Values:

  • false

  • true (default value)

Polling Timer


Defines the interval of time in which the Policy Distribution Component will check for policy data changes.


Accepted Value: time in seconds (default value of 600)

Polling Timer Interval


Defines which JCE provider will be used. It is optional and case sensitive.


Accepted Values: SunJCE, JsafeJCE; no default value is defined. If no value is provided, the default JDK provider is used.



Defines the key length used for the Cipher class available from the specified JCE provider.


Accepted Values: 128, 192, 256; default value is 128.



Defines the cipher algorithm name, mode and padding scheme used for the Cipher class available from the specified JCE provider. It is not case-sensitive. The format should be:

algorithm name/mode/padding


Accepted Values: AES/CBC/PKCS5Padding (default value) or AES/GCM/NoPadding.


In Mixed Mode, the following nine properties should be configured for the Policy Store and not the Security Module. See Section A.4, "Policy Store Service Configuration."


Defines the top (root) entry of the LDAP policy store directory information tree (DIT).


Accepted Value: the top (root) entry of the LDAP policy store directory information tree (DIT)

LDAP Root Name


Defines the RDN format of the domain node in the LDAP policy store.


Accepted Value: name of the domain

Farm Name


Takes a URL that points to the database.

Mandatory (if using Java Database Connectivity API to connect to policy store)

Accepted Value: URL



Location of the driver if using Java Database Connectivity API to connect to an Apache Derby database.


Accepted Value: driver

JDBC Driver


The JNDI name of the JDBC data source instance. The instance may correspond to a single-source or multi-source data source. Valid only in JEE applications. Applies only to database stores.


Accepted Value: name of JNDI data source; for example, jdbc/APMDBDS.

Data source JNDI Name


The name of the user with access rights to the database.


Accepted Value: Database user name



The password of the user with access rights to the database.


Accepted Value: Password associated with the database user



The key for the password credentials to access the policy store. Credentials are stored in the Credential Store Framework (CSF) store.


Accepted Value: CSF credential key

Bootstrap Security Principal Key


The map for the password credentials to access the policy store. Credentials are stored in the CSF store.


Accepted Value: name of the CSF credential map

Bootstrap Security Principal Map
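The policy-store connection properties of Table A-4 (controlled-pull mode) and the nine Policy Store properties listed above for mixed mode carry the database credential, and Table A-4 is explicit that the password should not be stored in clear text but referenced through bootstrap.security.principal.map. The following added example (not Oracle's code) checks a constructed set of policy-store properties for that mistake and for the JEE-only data source rule, and rewrites the properties to reference a CSF map and key instead. Only bootstrap.security.principal.map is a name taken from the page; bootstrap.security.principal.key is assumed by analogy with it, and the jdbc.*, datasource.jndi.name and security.* keys are placeholders for this example.

```python
"""Credential hygiene check for the policy-store connection properties of
Table A-4 and the Mixed Mode list. Added example, not Oracle's code.

Placeholder keys: jdbc.url, jdbc.driver, datasource.jndi.name,
security.principal, security.credential. bootstrap.security.principal.map is
named on the page; bootstrap.security.principal.key is assumed by analogy.
"""

# Constructed policy-store settings with the password in clear text.
WEAK_POLICY_STORE = {
    "jdbc.url": "jdbc:oracle:thin:@db.example.internal:1521/oes",   # constructed
    "jdbc.driver": "oracle.jdbc.OracleDriver",
    "security.principal": "oes_app",
    "security.credential": "Welcome1",                              # clear-text password
}

CSF_MAP_KEY = "bootstrap.security.principal.map"   # from the page
CSF_KEY_KEY = "bootstrap.security.principal.key"   # assumed by analogy


def check_policy_store(props, environment="JEE"):
    """Return (severity, message) findings for one policy-store property set.

    environment is "JEE" or "JSE"; the data source JNDI name is valid only in JEE.
    """
    findings = []
    has_jndi = bool(props.get("datasource.jndi.name"))
    has_url = bool(props.get("jdbc.url"))
    has_clear_pw = bool(props.get("security.credential"))
    has_map, has_key = bool(props.get(CSF_MAP_KEY)), bool(props.get(CSF_KEY_KEY))

    if environment == "JSE" and has_jndi:
        findings.append(("error", "Data source JNDI Name is valid only in JEE applications"))
    if not has_jndi and not has_url:
        findings.append(("error", "neither a JDBC URL nor a data source JNDI name is configured"))
    if has_clear_pw:
        findings.append(("high", "database password is stored in clear text; move it to the "
                                 f"CSF store and reference it with {CSF_MAP_KEY}/{CSF_KEY_KEY}"))
    # A JNDI data source carries its own credential, so the check below only
    # applies to direct JDBC connections.
    if not has_jndi and not has_clear_pw and not (has_map and has_key):
        findings.append(("error", "no database credential configured (neither clear text nor CSF map/key)"))
    if has_map != has_key:
        findings.append(("error", "CSF map and key must be configured together"))
    return findings


def move_password_to_csf(props, csf_map, csf_key):
    """Return a copy of props with the clear-text password removed and the CSF
    map/key reference added. The credential itself has to be created in the CSF
    store separately; this function only rewrites the jps-config.xml properties."""
    hardened = {k: v for k, v in props.items() if k != "security.credential"}
    hardened[CSF_MAP_KEY] = csf_map
    hardened[CSF_KEY_KEY] = csf_key
    return hardened


if __name__ == "__main__":
    for severity, message in check_policy_store(WEAK_POLICY_STORE):
        print(f"[{severity}] {message}")
    print(move_password_to_csf(WEAK_POLICY_STORE, "oes.policystore", "db.credential"))
```

The rewrite leaves the user name in place: the CSF map and key identify where the credential lives, and the check treats a map without a key (or vice versa) as a misconfiguration rather than as a partial hardening.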

A.2 Security Module Configuration

This section covers the configurations for the various types of Security Modules and their proxy clients.

A.2.1 Java Security Module

Table A-7 compiles the parameters to configure the Java Security Module embedded in either a JSE or a JEE container.

Table A-7 Java Security Module Configuration Parameters

Parameter Name Information Console Name


Defines the role member cache type. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Values

  • SOFT (cleaning of a cache of this type relies on the garbage collector when there is a memory crunch)

  • WEAK (behavior of a cache of this type is similar to a cache of type SOFT but the garbage collector cleans it more frequently)

  • STATIC (default value; cache objects are statically cached and can be cleaned explicitly only according to the applied cache strategy, such as FIFO; the garbage collector does not clean a cache of this type)

Rolemember Cache Type


Defines the type of strategy used in the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Values

  • NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small)

  • FIFO (default value; the cache implements the first-in-first-out strategy)

Rolemember Cache Strategy


Defines the number of roles kept in the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Value: number (default value is 1000)

Rolemember Cache Size


Controls the way the Application Role membership cache is created. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Values

  • true (the cache is created at server startup; use when the number of users and groups is significantly higher than the number of Application Roles)

  • false (default value; the cache is created on demand (lazy loading); use when the number of Application Roles is very high)

Rolemember Cache Warmup Enable


Enables or disables the policy lazy load. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Values

  • false

  • true (default value)

Policy Lazy Load Enable


Defines the type of strategy used in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Values

  • NONE (all entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small.)

  • PERMISSION_FIFO (default value; the cache implements the first-in-first-out strategy)

Policy Cache Strategy


Defines the number of permissions kept in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Value: number (default value is 1000)

Policy Cache Size


Defines whether the policy cache is incrementally updated for management operations on policy data.


Accepted Values

  • false

  • true (default value)

Policy Cache Updatable


Enables or disables the policy store refresh. If this property is set, oracle.security.jps.ldap.cache.enable cannot be set. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Values:

  • false

  • true (default value)

Refresh Enable


Defines the time in milliseconds after which the policy store cache is purged. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Value: time in milliseconds; default value is 43200000 which equals 12 hours

Refresh Purge Timeout (milliseconds)


Defines the interval of time in which the policy store is polled for changes. Valid in J2EE and J2SE applications. Applies to LDAP and database stores.


Accepted Value: time in milliseconds; default value is 600000 which equals 10 minutes

Refresh Purge Interval (milliseconds)


Defines the interval of time during which a nonexistent Application (ApplicationPolicy) object is not queried again, to avoid frequent lookups of a missing object.


Accepted Value: time to live in milliseconds (default value is 60000)

Missing App Policy Query TTL


Specifies whether the authorization cache should be enabled. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.


Accepted Values

  • false

  • true (default value)

Decision Cache Enabled


Defines the maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.


Accepted Value: number (default value is 500)

Decision Cache Eviction Capacity


Defines the percentage of sessions to drop when the eviction capacity is reached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.


Accepted Value: number (default value is 10)

Decision Cache Eviction Percentage


Defines the number of seconds during which session data is cached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and database stores.


Accepted Value: time in seconds (default value is 60)

Decision Cache TTL (seconds)


Specifies whether the anonymous role has to be added to the anonymous subject for policy matching.


Accepted Values

  • false

  • true (default value)

Anonymous Role Enable


Specifies whether the authenticated role has to be added to the authenticated subject for policy matching.


Accepted Values

  • false

  • true (default value)

Authenticated Role Enable


Specifies whether Application Roles should be computed only once within a single bulk authorization call. For example, if a client calls the checkBulkAuthorization() method and passes ten resources to it, the roles will be calculated once if the value is true or once for every individual resource (ten times) if the parameter is false.


Accepted Values

  • false

  • true (default value)



Specifies the maximum number of authorization decisions cached for each Subject; if the second level decision cache size reaches this size, decisions are evicted from the cache.


Accepted Value: number of decisions (default value is 1000)
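The Decision Cache Eviction Capacity, Eviction Percentage and TTL entries of Table A-7 describe one mechanism from three angles: the cache holds at most the capacity, drops a percentage of the oldest entries when it is full, and serves each entry for at most the TTL. The same three knobs reappear as the identity cache maximum size, eviction percentage and TTL in Tables A-8 and A-9. The class below is an added model of that behaviour written for this page, not Oracle's implementation; its purpose is to make the security consequence of the TTL concrete: a decision cached as PERMIT is still served after the policy changes to DENY until the TTL runs out, so the TTL bounds how long a revoked permission keeps working. The FakeClock and the (subject, resource, action) keys are constructed for the example.

```python
"""Model of the decision-cache sizing parameters in Table A-7 (Decision Cache
Eviction Capacity, Eviction Percentage, TTL). Added example, not Oracle's code;
the eviction and expiry rules are an interpretation of the table text.
"""
import math
import time
from collections import OrderedDict


class DecisionCache:
    """Bounded cache: at most `capacity` entries, a batch of the oldest
    `eviction_percentage` percent is dropped when full, entries expire after
    `ttl_seconds`. `clock` is injectable so that expiry can be tested."""

    def __init__(self, capacity=500, eviction_percentage=10, ttl_seconds=60, clock=None):
        if capacity < 1 or not 0 < eviction_percentage <= 100 or ttl_seconds <= 0:
            raise ValueError("capacity >= 1, 0 < eviction_percentage <= 100, ttl_seconds > 0")
        self.capacity = capacity
        self.eviction_percentage = eviction_percentage
        self.ttl = ttl_seconds
        self._clock = clock or time.monotonic
        self._entries = OrderedDict()   # key -> (decision, inserted_at); oldest first
        self.evicted = 0                # entries dropped by capacity eviction
        self.expired = 0                # entries dropped on read because of TTL

    def put(self, key, decision):
        """Store a decision; evict a batch of the oldest entries if the cache is full."""
        if key in self._entries:
            del self._entries[key]          # re-insert so the entry becomes the newest
        elif len(self._entries) >= self.capacity:
            self._evict_batch()
        self._entries[key] = (decision, self._clock())

    def _evict_batch(self):
        batch = math.ceil(self.capacity * self.eviction_percentage / 100)
        for _ in range(min(batch, len(self._entries))):
            self._entries.popitem(last=False)   # drop the oldest entry
            self.evicted += 1

    def get(self, key):
        """Return the cached decision, or None if absent or older than the TTL."""
        entry = self._entries.get(key)
        if entry is None:
            return None
        decision, inserted_at = entry
        if self._clock() - inserted_at >= self.ttl:
            del self._entries[key]
            self.expired += 1
            return None
        return decision

    def __len__(self):
        return len(self._entries)


class FakeClock:
    """Constructed clock for the example: time only moves when advance() is called."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo_stale_decision(ttl_seconds=60):
    """Return (decision served just before the TTL, decision served after it)
    for a PERMIT that was cached before the policy changed to DENY."""
    clock = FakeClock()
    cache = DecisionCache(capacity=500, eviction_percentage=10,
                          ttl_seconds=ttl_seconds, clock=clock)
    key = ("alice", "/payroll", "read")      # constructed (subject, resource, action)
    cache.put(key, "PERMIT")
    # The policy is changed to DENY here; the cache is not told.
    clock.advance(ttl_seconds - 1)
    before_ttl = cache.get(key)              # still PERMIT: stale but within TTL
    clock.advance(1)
    after_ttl = cache.get(key)               # None: caller must re-evaluate
    return before_ttl, after_ttl


if __name__ == "__main__":
    print(demo_stale_decision())             # ('PERMIT', None)
```

With the documented defaults (capacity 500, 10 percent, 60 seconds) a full cache drops its 50 oldest entries in one batch, and no decision is served for longer than 60 seconds after the policy it was computed from changed. Shortening the TTL tightens that window at the cost of more policy evaluations.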


A.2.2 Web Services Security Module

Table A-8 compiles the parameters to configure the Web Services Security Module embedded in either a JSE or a JEE container.

Table A-8 Web Services Security Module Configuration Parameters

Parameter Name Information Console Name


Defines the port on which the Web Services Security Module listens.


Accepted Value: port number



Defines the name of the server on which the Web Services Security Module is running.


Accepted Value: server name (default value is localhost)



Defines the transport protocol used between the Policy Distribution Component client and server.


Accepted Values

  • https

  • http (default value)



Specifies whether the identity cache is used. If not set, the identity cache is used by default.


Accepted Value: true/false



Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed.


Accepted Value: number



Specifies the percentage of identities that must be evicted when the cache has reached its maximum size.


Accepted Value: number indicating percentage



Specifies time-to-live of an identity cache record.


Accepted Value: time in seconds



Specifies whether to merge data from many AppContext responses into a single AppContext response.


Accepted Values

  • Merged

  • Unmerged (default value)



Defines the name of the Identity Key Store file where client certificates are stored for the Web Services Security Module. Used for SSL communications between the remote client and the Web Services Security Module.


Accepted Value: name of the Identity Key Store file



Defines the name of the Trust Key Store file in which CA certificates are stored. Used for SSL communications between the remote client and the Web Services Security Module.


Accepted Value: name of the Trust Key Store file



Specifies the Identity Key alias used to identify the Web Services Security Module client certificate used for SSL communication between the Web Services Security Module and the remote client.


Accepted Value: Identity Key alias



Enables the Web Services Security Module's EnvelopLoggingSOAPHandler, the web service SOAP message handler for logging.


Accepted Values

  • true

  • false (default value)


A.2.3 Web Services Security Module on WebLogic Server

Table A-9 compiles the parameters to configure the Web Services Security Module on a WebLogic Server.

Table A-9 Web Services Security Module on WebLogic Configuration Parameters

Parameter Name Information Console Name


Defines the port on which the Web Services Security Module listens.


Accepted Value: port number



Defines the name of the server on which the Web Services Security Module is running.


Accepted Value: server name (default value is localhost)



Defines the transport protocol used between the Policy Distribution Component client and server.


Accepted Values

  • https

  • http (default value)



Specifies the context name of the Web service deployed on the WebLogic Server.


Accepted Value: Ssmws



Specifies whether the identity cache is enabled. Enabled by default.


Accepted Value: true (default)/false



Specifies the maximum size of the identity cache.


Accepted Value: number indicating size; default value is 20000



Specifies the percentage of identities removed when the identity cache has reached its maximum size.


Accepted Value: number indicating percentage; default value is 20



Specifies the time-to-live (TTL) in seconds for an identity record in the identity cache.


Accepted Value: time in seconds; default value is 3600



Specifies whether the AppContext is returned as a single response or a merged set of data from all the AppContext responses.


Accepted Value: Merged/Unmerged (default)



Enables the Web Services Security Module's EnvelopLoggingSOAPHandler, the web service SOAP message handler that logs SOAP envelopes. Because it writes whole envelopes to the log, enable it only while troubleshooting.


Accepted Values

  • true

  • false (default value)


A.2.4 RMI Security Module

Table A-10 compiles the parameters to configure the RMI Security Module embedded in either a JSE or a JEE container.


This configuration is for a standalone deployment.

Table A-10 RMI Security Module Configuration Parameters

Parameter Name Information Console Name


Defines the port on which the RMI Security Module's RMI server listens.


Accepted Value: port number.



Defines whether SSL is used to secure communication between the RMI Security Module and the RMI server. With the default (false), authorization traffic between the two is not encrypted.


Accepted Values

  • true

  • false (default)



Specifies whether the identity cache is used. If not set, no identity cache is used.


Accepted Values: true, false



Specifies the maximum number of users for which information is cached. When the maximum is reached, old records are dropped and reestablished when needed.


Accepted Value: number



Specifies the percentage of identities evicted when the cache has reached its maximum size.


Accepted Value: number representing percentage



Specifies the time-to-live of an identity cache record.


Accepted Value: time in seconds
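
The identity cache parameters above (enabled flag, maximum size, eviction percentage and record TTL) recur in Table A-8, Table A-9 and Table A-10. The following added example, not code from the page or from Oracle Entitlements Server, models how those four settings interact: a full cache drops the oldest slice of records rather than one record at a time, and a record past its TTL is re-resolved, which is what bounds how long a stale group membership keeps being used for authorization. The `IdentityCache` class, its injectable `clock` and the `resolve` callback are assumptions of the example; the defaults mirror Table A-9.

```python
import time
from collections import OrderedDict


class IdentityCache:
    """Bounded identity cache: TTL expiry plus percentage eviction when full.

    Defaults mirror Table A-9 (max size 20000, evict 20 percent, TTL 3600 s).
    `clock` is injectable so behaviour can be exercised without waiting; it is
    an assumption of this example, not a product setting.
    """

    def __init__(self, enabled=True, max_size=20000, evict_percent=20,
                 ttl_seconds=3600, clock=time.monotonic):
        if max_size < 1 or not 0 < evict_percent <= 100 or ttl_seconds <= 0:
            raise ValueError("invalid identity cache settings")
        self.enabled = enabled
        self.max_size = max_size
        self.evict_percent = evict_percent
        self.ttl_seconds = ttl_seconds
        self._clock = clock
        # user -> (expires_at, identity); insertion order doubles as age order
        self._entries = OrderedDict()
        self.resolver_calls = 0  # how often the slow identity lookup ran

    def get(self, user, resolve):
        """Return the identity for `user`, calling resolve(user) on a miss.

        A record past its TTL is treated as a miss and re-resolved, so a
        changed group membership is picked up after at most ttl_seconds.
        """
        if not self.enabled:
            self.resolver_calls += 1
            return resolve(user)
        now = self._clock()
        entry = self._entries.get(user)
        if entry is not None:
            expires_at, identity = entry
            if now < expires_at:
                self._entries.move_to_end(user)  # recently used: keep it longest
                return identity
            del self._entries[user]  # expired: fall through and re-resolve
        identity = resolve(user)
        self.resolver_calls += 1
        if len(self._entries) >= self.max_size:
            self._evict()
        self._entries[user] = (now + self.ttl_seconds, identity)
        return identity

    def _evict(self):
        """Drop the oldest evict_percent of the records (at least one)."""
        count = max(1, len(self._entries) * self.evict_percent // 100)
        for _ in range(count):
            self._entries.popitem(last=False)

    def __contains__(self, user):
        return user in self._entries

    def __len__(self):
        return len(self._entries)


def demo():
    """Exercise the cache with a fake clock and a constructed resolver."""
    clock = [0.0]
    cache = IdentityCache(max_size=10, evict_percent=20, ttl_seconds=3600,
                          clock=lambda: clock[0])

    def resolve(user):  # stands in for the identity store lookup
        return {"name": user, "groups": ["staff"]}

    for i in range(10):
        cache.get(f"user{i}", resolve)
    cache.get("user0", resolve)       # hit: no resolver call
    cache.get("user10", resolve)      # full: evicts 20% (2 oldest), then inserts
    size_after_eviction = len(cache)
    clock[0] = 3601.0                 # past the TTL of every record
    cache.get("user0", resolve)       # stale: resolved again
    return {"size_after_eviction": size_after_eviction,
            "resolver_calls": cache.resolver_calls,
            "user1_evicted": "user1" not in cache}


if __name__ == "__main__":
    print(demo())
```

The practical trade-off is visible in `demo()`: a larger TTL cuts identity store lookups, but it also lengthens the window in which a user removed from a group still receives that group's entitlements from the cache.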


A.2.5 WebLogic Server Security Module

Table A-11 compiles the parameters to configure the WebLogic Server (WLS) Security Module embedded in a JEE container. These parameters are used only when the WLS Security Module is configured to be used as a PEP.

Table A-11 WebLogic Server Security Module Configuration Parameters

Parameter Name Information Console Name


Specifies the effect that the provider returns if the requested application is not defined in the policy store. The default, permit, allows access to any application for which no policies have been created; set it to deny for a closed system.


Accepted Values

  • permit (default)

  • abstain

  • deny

Set in the WebLogic Server Administration Console; values are saved to config.xml in the WebLogic domain


Specifies the effect that the provider returns if no applicable policy is found for the request.


Accepted Values

  • deny (default value represents a closed system)

  • abstain

  • permit (represents an open system)

Set in the WebLogic Server Administration Console; values are saved to config.xml in the WebLogic domain

A.2.6 WebLogic Server Security Module Discovery Mode

Table A-12 compiles the parameters to enable Discovery Mode. See Section 9.4.2, "Discovering WebLogic Server Resources" for more information.

Table A-12 WebLogic Server Discovery Mode Parameters

Parameter Name Information Console Name


Enables Discovery Mode. By default, Discovery Mode is off.


Accepted Values

  • true

  • false (default value)

Only in jps-config.xml


Specifies the absolute path to the directory in which discovery results are written.

Optional (Mandatory when Discovery Mode is enabled)

Accepted Value: absolute path to directory

Only in jps-config.xml


Specifies whether the resource is hierarchical.


Accepted Values

  • true

  • false

Only in jps-config.xml


Specifies the delimiter that separates the components of a hierarchical resource name.

Optional (Mandatory when resource is defined as Hierarchical)

Accepted Value: any valid resource name delimiter; when used with WLS SM and OSB SM, the value should be "/"

Only in jps-config.xml
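
The two fallback effects in Table A-11 and the hierarchical resource settings in Table A-12 determine what a PEP gets back when the policy store has nothing to say. The following added example, which is not code from the page or from Oracle Entitlements Server, models both: the `WlsSecurityModuleProvider` class, the `Policy` records, the sample "trading" policies and the deny-overrides rule used to combine several applicable policies are all assumptions made for the example (the page does not state a combining algorithm). It shows why the page calls deny a closed system and permit an open one, and that with the default for an undefined application, a request for an application nobody has written policies for is permitted.

```python
from dataclasses import dataclass

PERMIT, DENY, ABSTAIN = "permit", "deny", "abstain"


@dataclass(frozen=True)
class Policy:
    application: str
    resource: str   # hierarchical name, components separated by the delimiter
    action: str
    effect: str     # PERMIT or DENY


def resource_matches(policy_resource, requested, hierarchical, delimiter="/"):
    """Exact match always applies. With hierarchical resources a policy on a
    parent node also covers every descendant: "app/orders" covers
    "app/orders/123" but not "app/ordersX"."""
    if policy_resource == requested:
        return True
    if not hierarchical:
        return False
    return requested.startswith(policy_resource + delimiter)


class WlsSecurityModuleProvider:
    """Toy model of the two fallback effects from Table A-11.

    undefined_app_effect: returned when the application is not in the store
    (page default: permit). no_policy_effect: returned when the application is
    known but no policy applies (page default: deny, a closed system).
    Deny-overrides combining is an assumption of this example.
    """

    def __init__(self, policies, undefined_app_effect=PERMIT, no_policy_effect=DENY,
                 hierarchical=True, delimiter="/", applications=None):
        for effect in (undefined_app_effect, no_policy_effect):
            if effect not in (PERMIT, DENY, ABSTAIN):
                raise ValueError(f"unsupported effect {effect!r}")
        self.policies = list(policies)
        self.undefined_app_effect = undefined_app_effect
        self.no_policy_effect = no_policy_effect
        self.hierarchical = hierarchical
        self.delimiter = delimiter
        # Applications known to the store: those listed explicitly plus any
        # application that owns at least one policy.
        self.applications = set(applications or ()) | {p.application for p in self.policies}

    def decide(self, application, resource, action):
        if application not in self.applications:
            return self.undefined_app_effect
        applicable = [
            p for p in self.policies
            if p.application == application and p.action == action
            and resource_matches(p.resource, resource, self.hierarchical, self.delimiter)
        ]
        if not applicable:
            return self.no_policy_effect
        return DENY if any(p.effect == DENY for p in applicable) else PERMIT


# Constructed sample policy set for a single application, "trading".
SAMPLE_POLICIES = [
    Policy("trading", "trading/orders", "view", PERMIT),
    Policy("trading", "trading/orders/admin", "view", DENY),
]


def demo():
    defaults = WlsSecurityModuleProvider(SAMPLE_POLICIES)
    closed = WlsSecurityModuleProvider(SAMPLE_POLICIES, undefined_app_effect=DENY)
    flat = WlsSecurityModuleProvider(SAMPLE_POLICIES, hierarchical=False)
    return {
        "child_inherits_permit": defaults.decide("trading", "trading/orders/123", "view"),
        "deny_overrides": defaults.decide("trading", "trading/orders/admin/x", "view"),
        "no_policy_closed": defaults.decide("trading", "trading/reports", "view"),
        "unknown_app_default": defaults.decide("hr", "hr/payroll", "view"),
        "unknown_app_closed": closed.decide("hr", "hr/payroll", "view"),
        "flat_no_inheritance": flat.decide("trading", "trading/orders/123", "view"),
    }


if __name__ == "__main__":
    for name, effect in demo().items():
        print(f"{name:24s} {effect}")
```

Note the `flat_no_inheritance` case: with the hierarchical flag off, a policy on `trading/orders` no longer reaches `trading/orders/123`, so the request falls through to the no-policy effect. Switching the delimiter or the hierarchical flag therefore changes which policies apply, not just how names are displayed.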

A.3 PDP Proxy Client Configuration

This section contains information regarding configuration for the PDP Proxy Client available for the RMI and Web Services Security Module.

A.3.1 Web Services Security Module PDP Proxy Client

Table A-13 compiles the parameters to configure the Web Services Security Module PDP Proxy Client.

Table A-13 Web Services Proxy Client Configuration Parameters

Parameter Name Information Console Name


Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server.


Accepted Values: no default value; XACML is always available in the Web Services Security Module.

  • WS

  • RMI



Specifies the host and port number of the Web Services Security Module as a URI. For example, http://dadvml0134:9015


Accepted Value: a comma separated list of URIs (if more than one address is specified, the first is considered the primary and the rest are backups)



Defines how long the PDP Proxy waits for a response before an authorization request to the remote PDP (RMI or Web Services Security Module) times out.


Accepted Value: time in milliseconds (default value is 10000)



Specifies the number of attempts made against the current server before the PDP Proxy fails over to the next (backup) server.


Accepted Value: number (default value is 3)



Specifies the interval after which the PDP Proxy retries a failed primary server (fails back) instead of continuing with a backup.


Accepted Value: time in milliseconds (default value is 180000)



Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed.


Accepted Value: time in milliseconds (default value is 60)



Defines the name of the Identity Key Store file where client certificates for the Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module.


Accepted Value: name of the Identity Key Store file



Defines the name of the Trust Key Store file where CA certificates for Web Services Security Module are stored. Used for SSL communication between a client and the Web Services Security Module.


Accepted Value: the name of the Trust Key Store file.



Specifies the alias name of the Web Services client certificate. Used for SSL communication between a client and the Web Services Security Module.


Accepted Value: alias of the identity key store (if only one alias exists in the identity key store, no need to specify this value)



Defines the transport protocol used between the Policy Distribution Component client and server.


Accepted Values

  • https

  • http (default value)


A.3.2 RMI Security Module PDP Proxy Client

Table A-14 compiles the parameters to configure the RMI Security Module PDP Proxy Client.

Table A-14 PDP RMI Proxy Client Configuration Parameters

Parameter Name Information Console Name


Specifies the underlying protocol to be used by Multi-protocol Security Module to communicate with Oracle Entitlements Server.


Accepted Values: no default value; XACML is always available in the RMI Security Module.

  • WS

  • RMI



Specifies the host and port number of the RMI Security Module. For example, rmi://localhost:9400


Accepted Value: a comma separated list of URIs (if more than one address is specified, the first is considered the primary and the rest are backups)



Defines how long the PDP Proxy waits for a response before an authorization request to the remote PDP (RMI or Web Services Security Module) times out.


Accepted Value: time in milliseconds (default value is 10000)



Specifies the number of attempts made against the current server before the PDP Proxy fails over to the next (backup) server.


Accepted Value: number (default value is 3)



Specifies the interval after which the PDP Proxy retries a failed primary server (fails back) instead of continuing with a backup.


Accepted Value: time in milliseconds (default value is 180000)



Defines how often the PDP Proxy polls the PDP server in order to synchronize its state. For example, the interval is used to periodically check whether the authorization cache has to be flushed.


Accepted Value: time in milliseconds (default value is 60)
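
The URI list, request timeout, retry count and failback interval in Table A-13 and Table A-14 describe one failover loop. The following added example, which is not code from the page or from Oracle Entitlements Server, implements that loop for either proxy client: the `PdpProxyClient` class, its `transport` callable, the millisecond `clock` and the `ScriptedTransport` used to simulate an unreachable primary are all assumptions of the example; the defaults are the page's (10000 ms, 3 attempts, 180000 ms). The point a practitioner should take from it is the last step: when no server answers, the client raises rather than returning anything a PEP could mistake for a permit.

```python
import time


class PdpUnavailable(Exception):
    """Raised when neither the primary nor any backup PDP answered."""


class PdpProxyClient:
    """Failover/failback model of the Table A-13 / A-14 proxy parameters.

    uris:        comma-separated list; the first entry is the primary
    timeout_ms:  per-request timeout handed to the transport
    retries:     attempts against one server before failing over
    failback_ms: how long a failed primary is left alone before it is retried
    transport:   callable(uri, request, timeout_ms) -> response, raising
                 TimeoutError when the server does not answer (assumed)
    clock:       returns milliseconds (assumed; injectable for the demo)
    """

    def __init__(self, uris, timeout_ms=10000, retries=3, failback_ms=180000,
                 transport=None, clock=lambda: time.monotonic() * 1000):
        servers = uris.split(",") if isinstance(uris, str) else list(uris)
        self.servers = [u.strip() for u in servers if u.strip()]
        if not self.servers or retries < 1 or transport is None:
            raise ValueError("need a PDP URI, retries >= 1 and a transport")
        self.timeout_ms = timeout_ms
        self.retries = retries
        self.failback_ms = failback_ms
        self._transport = transport
        self._clock = clock
        self._active = 0                 # index of the server currently in use
        self._primary_failed_at = None   # clock value when the primary last failed
        self.log = []

    def authorize(self, request):
        now = self._clock()
        # Failback: after failback_ms on a backup, give the primary another chance.
        if (self._active != 0 and self._primary_failed_at is not None
                and now - self._primary_failed_at >= self.failback_ms):
            self.log.append("failback interval elapsed: retrying primary")
            self._active = 0
        count = len(self.servers)
        for offset in range(count):
            idx = (self._active + offset) % count
            uri = self.servers[idx]
            for attempt in range(1, self.retries + 1):
                try:
                    response = self._transport(uri, request, self.timeout_ms)
                except TimeoutError:
                    self.log.append(f"{uri}: attempt {attempt}/{self.retries} timed out")
                    continue
                self._active = idx
                return response
            if idx == 0:
                self._primary_failed_at = now
            self.log.append(f"{uri}: failing over")
        # Nobody answered. The PEP must treat this as a deny, never as a permit.
        raise PdpUnavailable("no PDP server responded within the timeout")

    @property
    def active_server(self):
        return self.servers[self._active]


class ScriptedTransport:
    """Constructed stand-in for the RMI/WS transport: URIs in `down` time out."""

    def __init__(self, down=()):
        self.down = set(down)
        self.calls = []

    def __call__(self, uri, request, timeout_ms):
        self.calls.append(uri)
        if uri in self.down:
            raise TimeoutError(f"{uri} did not answer within {timeout_ms} ms")
        return {"server": uri, "decision": "Permit", "subject": request["subject"]}


def demo():
    clock = [0.0]
    transport = ScriptedTransport(down={"http://pdp1:9015"})
    client = PdpProxyClient("http://pdp1:9015, http://pdp2:9015", retries=3,
                            failback_ms=180000, transport=transport,
                            clock=lambda: clock[0])
    request = {"subject": "alice", "resource": "orders/42", "action": "view"}
    first = client.authorize(request)["server"]    # 3 timeouts on pdp1, then pdp2
    second = client.authorize(request)["server"]   # straight to pdp2, no retry storm
    clock[0] = 180000.0
    transport.down.clear()                         # primary is back
    third = client.authorize(request)["server"]    # failback to pdp1
    transport.down.update(client.servers)          # full outage
    try:
        client.authorize(request)
        outage = "permit"
    except PdpUnavailable:
        outage = "unavailable"
    return {"first": first, "second": second, "third": third,
            "calls": list(transport.calls), "outage": outage}


if __name__ == "__main__":
    print(demo())
```

With the page's defaults, a primary that never answers costs each request up to 3 x 10000 ms before the first backup is tried, and that cost is paid once: subsequent requests go straight to the backup until the 180000 ms failback interval elapses.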


A.4 Policy Store Service Configuration

Table A-15 compiles the configuration parameters for the Policy Store Service.

Table A-15 Policy Store Service Configuration Parameters

Parameter Name Information Console Name


Defines the URL of the LDAP policy store. Valid in JEE and JSE applications and only applies to LDAP stores.


Accepted Value: URI of the LDAP policy store in the format ldap://host:port.



Defines the maximum length of a search filter.


Accepted Value: integer defining the maximum length of a search filter; for example, 1024



Defines the RDN format of the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores.


Accepted Value: root name of jps context; for example, cn=jpsroot.



Defines the RDN of the farm (domain) node beneath the root node in the LDAP policy store. Valid in JEE and JSE applications. Applies to LDAP and database stores.


Accepted Value: farm name of the domain; for example, cn=base_domain.



Controls whether an exception is thrown when any of the following checks fail:

  • Verify that if two resource types share the same permission class, that permission must be either ResourcePermission or extend AbstractTypedPermission, and this last resource type cannot be created.

  • Verify that all permissions have resource types defined, and that the resource matcher permission class and the permission being granted match.

Valid in JEE and JSE applications. Applies to LDAP and database stores.


Accepted Values

  • strict (when any of the above checks fail, the system throws an exception and the operation is aborted)

  • lenient (default value; when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged)
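
The difference between strict and lenient is easy to underestimate: in the default lenient mode a grant whose permission class does not match its resource type's matcher class is accepted and only logged. The following added example, which is not code from the page or from Oracle Entitlements Server, runs the two checks listed above over a constructed store so the two modes can be compared. The `ResourceType` and `Grant` records, the `validate` function and the simplified `CLASS_PARENT` hierarchy are assumptions of the example; only the two base class names, ResourcePermission and AbstractTypedPermission, come from the page.

```python
import logging
from collections import defaultdict
from dataclasses import dataclass

log = logging.getLogger("policystore.validation")

# Simplified class hierarchy (child -> parent) for the example. The two base
# classes are the ones the page names; the other two are constructed.
CLASS_PARENT = {
    "ResourcePermission": None,
    "AbstractTypedPermission": None,
    "CustomTypedPermission": "AbstractTypedPermission",
    "LegacyPermission": None,
}


def extends(cls, base):
    """True if cls is base or inherits from it (walks CLASS_PARENT)."""
    while cls is not None:
        if cls == base:
            return True
        cls = CLASS_PARENT.get(cls)
    return False


@dataclass(frozen=True)
class ResourceType:
    name: str
    permission_class: str   # the resource matcher permission class


@dataclass(frozen=True)
class Grant:
    principal: str
    resource_type: str
    permission_class: str   # the class of the permission being granted


class PolicyStoreValidationError(Exception):
    pass


def validate(resource_types, grants, mode="lenient"):
    """Run the two checks the page lists.

    strict:  raise PolicyStoreValidationError (the operation is aborted).
    lenient: log every discrepancy and return the list; the caller proceeds.
    """
    if mode not in ("strict", "lenient"):
        raise ValueError(f"unknown mode {mode!r}")
    problems = []

    # Check 1: resource types sharing a permission class must use
    # ResourcePermission or a subclass of AbstractTypedPermission.
    by_class = defaultdict(list)
    for rt in resource_types:
        by_class[rt.permission_class].append(rt.name)
    for cls, names in by_class.items():
        if len(names) > 1 and not (cls == "ResourcePermission"
                                   or extends(cls, "AbstractTypedPermission")):
            problems.append(f"resource types {sorted(names)} share permission class "
                            f"{cls}, which is neither ResourcePermission nor typed")

    # Check 2: every grant names a defined resource type, and its permission
    # class matches that type's matcher class.
    defined = {rt.name: rt for rt in resource_types}
    for g in grants:
        rt = defined.get(g.resource_type)
        if rt is None:
            problems.append(f"grant to {g.principal} references undefined resource "
                            f"type {g.resource_type}")
        elif rt.permission_class != g.permission_class:
            problems.append(f"grant to {g.principal} on {rt.name} uses "
                            f"{g.permission_class} but the matcher class is "
                            f"{rt.permission_class}")

    if problems and mode == "strict":
        raise PolicyStoreValidationError("; ".join(problems))
    for p in problems:
        log.warning("policy store discrepancy: %s", p)
    return problems


# Constructed sample store with one violation of each kind.
SAMPLE_TYPES = [
    ResourceType("FileResourceType", "ResourcePermission"),
    ResourceType("UrlResourceType", "ResourcePermission"),       # sharing is fine
    ResourceType("QueueResourceType", "LegacyPermission"),
    ResourceType("TopicResourceType", "LegacyPermission"),       # sharing is not
    ResourceType("ReportResourceType", "CustomTypedPermission"),
]
SAMPLE_GRANTS = [
    Grant("alice", "FileResourceType", "ResourcePermission"),
    Grant("bob", "ReportResourceType", "ResourcePermission"),    # class mismatch
    Grant("carol", "PrinterResourceType", "ResourcePermission"), # undefined type
]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for problem in validate(SAMPLE_TYPES, SAMPLE_GRANTS, mode="lenient"):
        print(problem)
```

In lenient mode the three discrepancies are returned and logged while the store operation goes ahead, so the only evidence that bob's grant can never match at runtime is a log line; strict mode stops the operation instead.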



Defines the key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores.


Accepted Value: the key name of the credential; for example, oes_sm_key. The out-of-the-box value is bootstrap.



Defines the map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in JEE and JSE applications. Applies to LDAP and database stores.


Accepted Value: map name of the credential; for example, oes_sm_map. The default value is BOOTSTRAP_JPS.



Defines the name of the JDBC driver.


Accepted Value: name of the JDBC driver.



Defines the JDBC driver connection URL.


Accepted Value: the JDBC driver connection URL.