9 Environments Help

This chapter documents the Environments pages in the Mobile Security Access Server (MSAS) console and describes how to configure security for individual MSAS instances. To open this page from the Mobile Security Launch Pad, select Environments in the Mobile Security Access Server section.

This chapter contains the following topics:

  • 9.1 Environments Page

  • 9.2 MSAS Instances Summary Page

  • 9.3 MSAS Instance Configuration Page

9.1 Environments Page

Use the Environments page to perform the following tasks in the MSAS environment:

  • View the total number of MSAS instances configured in the environment.

  • View the total number of applications deployed on the MSAS instances.

  • View the total number of URLs configured in the MSAS instances.

  • Navigate to the MSAS Instances Summary page to see summary information for each instance.

  • Navigate to the Mobile Security Access Server Applications Summary page to view summary details about each application.

  • Register a new MSAS instance with the MSM server.

The Environments page provides a high-level summary of the MSAS instances, applications, and URLs.

Element Description

MSAS

Instances in the environment. Click to navigate to the MSAS Instances Summary page.

Instances

Total number of MSAS instances registered in the environment. Click to navigate to the MSAS Instances Summary page.

Applications

Total number of Mobile Security Access Server applications in all the MSAS instances in the environment. Click to navigate to the Mobile Security Access Server Applications Summary page.

URLs

Total number of URLs configured in all the MSAS applications in the environment.

Register Instance

Click to create a new logical MSAS instance and register the instance with the MSM server. When you register the instance you can configure it in the MSAS Instance Configuration page.

Display Name

Meaningful name that will be used to identify the instance in the console.

Name

Unique name used to identify the MSAS instance. The name must conform to the XML xs:NCName format and use only valid NCName ASCII characters: it must start with a letter or underscore (_), and it cannot contain space characters or colons (:). It must be unique within the MSAS environment. Non-ASCII characters are not supported. This field is required.

The NCName format is defined in the W3C document Namespaces in XML 1.0 (Third Edition) at http://www.w3.org/TR/REC-xml-names/#NT-NCName

Description

Brief description of the instance.

OK

Save the new instance. The MSAS Instance Configuration page displays where you can provide configuration details.

Cancel

Exit the Register MSAS Instance dialog without registering the instance.

"Managing Mobile Security Access Server Instances" in Administering Oracle Mobile Security Access Server

9.2 MSAS Instances Summary Page

Use the MSAS Instances Summary page to perform the following tasks in the Mobile Security Access Server environment:

  • Search for instances in the environment. You also can use this field to filter the number of instances displayed on the page.

  • View summary details for all instances in the environment, including number of applications and URLs.

  • Navigate to the MSAS Instance Configuration page for each instance.

  • Navigate to the MSAS Applications Summary page for each instance.

  • Delete MSAS instances.

Element Description

Search

Enter all or part of an MSAS instance name in the search field and click Search. You can use the search field to filter the number of instances displayed. Empty strings display all instances in the environment.

Wildcards are not recognized and are treated as plain text. Searches are case-insensitive.

Instance name

Name of the instance that you specified when you created the instance. Click the instance name to access the MSAS Instance Configuration page.

X

Delete the instance from the environment. Click X, then in the Delete MSAS Instance window, click OK to delete the instance or Cancel to cancel the operation.

When you delete the instance, all associated applications and URLs are also deleted.

Applications

Total number of applications configured in the instance. Click Applications to access the Applications Summary page for the instance.

URLs

Total number of URLs configured in all applications in the instance.
Configure

Click to access the MSAS Instance Configuration page.

Synchronize

Synchronize the MSAS instance configuration with the MSAS runtime server. Typically, synchronization occurs at a user-specified polling interval. Clicking Synchronize forces immediate synchronization and avoids having to wait for the polling interval for the changes to take effect.

Show more

View additional instances in the environment. By default, ten instances are displayed. Each time you click Show more, an additional five instances are shown.

Note: You can adjust the screen width of the display area to view all of the instances. To do so, select the username in the upper right corner, then Screen Width, then the desired width.


"Managing Mobile Security Access Server Instances" in Administering Oracle Mobile Security Access Server

9.3 MSAS Instance Configuration Page

Use the MSAS Instance Configuration page to perform the following tasks on an MSAS instance:

  • View or modify general configuration information.

  • View or configure identity store profiles.

  • View or configure authentication settings for the instance, such as trusted issuers.

  • View or configure keystore and message security settings.

  • View or configure the connection between the Mobile Security Access Server and the Mobile Security Manager.

  • View or configure the authentication endpoints for the instance.

  • View or configure outbound message, proxy server, and server settings.

The MSAS Instance Configuration page is arranged in the following tabs:

General

The General tab of the MSAS Instance Configuration page displays the instance name and description, the URLs of the physical MSAS instances to which this logical instance is bound, the number of URLs and applications in the instance, and version information for the configuration. You can modify the display name and the description for the instance.

Element Description

Name

Unique identifier for the instance. This field is read-only.

Display Name

Meaningful name used to identify the instance in the user interface. This field is editable.

Description

Description of the instance. This field is editable.

MSAS URLs

URLs of the physical MSAS instances to which this logical instance is bound. For details about creating a physical MSAS instance, see "Configuring an MSAS Instance."

A logical MSAS instance can be bound to more than one physical instance.

Host

Physical MSAS instance host.

Port

Physical MSAS instance port.
Stats

General statistics about the instance, in read-only mode.

URLs

Total number of URLs added to all the applications in the MSAS instance.

Applications

Total number of applications in the MSAS instance.

Version Information

The Version Information section provides details about the version of the MSAS instance in read-only mode.

Element Description

Version Number

Number of times the MSAS instance has been updated.
Last Updated

Timestamp of the last update to the MSAS instance.

Updated By

User who last updated the MSAS instance.

Identity Store Profiles

The Identity Store Profiles tab of the MSAS Instance Configuration page provides the ability to add an identity store profile to the MSAS instance, edit an existing profile, and set the default profile to be used by the instance. An identity store profile is a logical representation of a user repository. There can be multiple profiles associated with an MSAS instance, and one profile can be marked as the default against which all authentication and user profile queries will occur.

The Identity Store Profile table displays a list of the profiles defined in the MSAS instance.

Element Description

Profile Name

Name of the identity store profile. It must be unique within the MSAS instance.

Directory Info

Host and port of the server hosting the directory configured in the profile.

Perform the following actions for an identity store profile.

Action Description

Add

Add identity store profiles to the MSAS instance.

Edit

Edit an existing identity store profile. Select the profile name in the table and click Edit to display the Identity Store Profile page where you can edit the fields as desired.

Remove

Remove the identity store profile from the MSAS instance. Select the profile name in the table and click Remove.

Set as default

Select the profile to use as the default. When set, all authentication and user profile queries will occur against the default identity store profile.

Select the profile name in the table and click Set as default.


Use the Identity Store Profile page to define the identity store for the MSAS instance. You access this page using the Add or Edit actions on the Identity Store Profiles tab of the MSAS Instance Configuration page. It includes the following sections:

Element Description

Name

Name of the identity store profile.

Description

General description for the profile.

Directory Information

The Directory Information section enables you to set the directory type, hostname, and credential details for the identity store, and to test the connection to the identity store.

Element Description

Directory Type

Type of directory. Supported types are:
  • Active Directory

  • OID (Oracle Internet Directory)

  • ODSEE (Oracle Directory Server Enterprise Edition)

  • OUD (Oracle Unified Directory)

  • WLS_LDAP (Embedded LDAP in WebLogic Server)

Host Name

Host name of the server running the selected directory.

Port

Port used to access the selected directory.

Bind DN

Distinguished name (DN) of the user used to connect to the LDAP directory.

Bind Password

Password to use to connect to the selected directory.

Confirm Password

Reenter the password to use to connect to the selected directory.

Base DN

LDAP search base under which all users and groups are located in the LDAP directory. For example, cn=ldap,dc=example,dc=com.

SSL

If connecting using an SSL port, select this control to enable SSL.

Trust Store Type

Type of the trust store. For Mobile Security Access Server, the supported trust store is KSS. This field is read only.

Trust Store Path

Fully qualified path to the trust store. By default, this path is kss://msas_id/ssltruststore, where msas_id is the MSAS ID of the instance with which this identity store profile is associated. This field is read only.

Test Connection

After completing all the required fields, click Test Connection to test the connection to the directory.

User

The User Searchbase section enables you to set the user names, base DN, and object classes for the identity store profile.

Element Description

Base DN

Container under which the users exist. For example, cn=users,dc=example,dc=com.

Login ID Attribute

Attribute that contains the user's login ID. Typically this is the uid or mail attribute in LDAP. In Active Directory, this is the UserPrincipalName attribute.

Object Classes

Fully qualified names of the schema classes used to represent users. By default, it is set to the standard LDAP object class inetOrgPerson.

Add

Click Add to add an object class and enter the value in the Object Class Name field.

Remove

Select an object class name from the table and click Remove to remove the name from the profile.

Group

The Group section enables you to set the group names, base DN, and object classes for the identity store profile.

Element Description

Base DN

Search base for the group entries in the LDAP directory. For example, cn=group,dc=example,dc=com.

Group Name Attribute

Attribute that uniquely identifies the name of the group or role. For example, cn.

Object Classes

Fully qualified names of the schema classes used to represent groups. By default, this is the standard LDAP object class groupofuniquenames. In Active Directory, it is group.

Add

Click Add to add an object class and enter the value in the Object Class Name field.

Remove

Select an object class name from the table and click Remove to remove the name from the profile.

Authentication

The Authentication tab of the MSAS Instance Configuration page provides the ability to define the trusted issuers and clients for the MSAS instance. It includes the following sections:

SAML Trust

The SAML Trust section enables you to define SAML trusted issuers and a list of trusted distinguished names (DNs) for SAML signing certificates for trusted servers and clients. You can also define token attribute rules, which allow you to define additional security constraints for the trusted STS server and for the trusted SAML client.

The list of SAML issuers that you define on this page becomes the default list that is applicable to all applications in this MSAS instance.

This configuration option is optional; it is available for users that require more fine-grained control to associate each issuer with a list of one or more signing certificates. If you do not define a list of DNs for a trusted issuer, then MSAS allows signing by any certificate, as long as that certificate is trusted by the certificates present in the MSAS keystore.

Use the Trusted STS table to define a trusted DNs list for trusted STS servers. This list applies to the SAML holder-of-key (HOK) and SAML bearer confirmation methods.

Use the Trusted Clients table to define a trusted DNs list for trusted clients. This list applies to the SAML sender-vouches confirmation method.

Element Description

Issuer Name

Name of the trusted issuer. The default value for the predefined SAML client policies is www.oracle.com.

Issuer DN

Trusted DN for the trusted issuer. Select the row containing the issuer for which you want to define the DN list and enter it here. Use a string that conforms to RFC 2253.

For example, the trusted DN for the trusted issuer www.oracle.com is CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US.

Token Rules

Place your mouse over the icon to view the token rules configured for the DN in a pop-up window.

Perform the following actions to add or delete SAML trusted issuers and DNs, and to configure token rules.

Action Description

View

Select the Columns and Reorder Columns... options in this menu to specify the columns that are visible and their order.

Add

Add a trusted issuer. Click Add to add a new row to the table and enter the trusted issuer and associated DN in the Issuer Name and Issuer DN fields.

Delete

Delete a trusted issuer. Select the row containing the issuer to be deleted and click Delete.

Configure Token Rule

Specify a token attribute rule for a trusted DN. Each rule has two parts: a name ID and an attributes part for user attributes that a DN for a signing certificate can assert. The name ID and the attribute can contain a filter with multiple value patterns.

Select the row containing the DN for which you want to configure the rule and click Configure Token Rule. In the Token Rule window, add new rules, delete or edit existing rules as required.


JWT Trust

The JWT Trust section enables you to define JWT trusted issuers and a list of trusted distinguished names (DNs) for JWT signing certificates. You can also define token attribute rules, which allow you to define additional security constraints for the trusted issuer.

The list of trusted issuers that you define on this page becomes the default list that is applicable to all applications in this MSAS instance.

This configuration option is optional; it is available for users that require more fine-grained control to associate each issuer with a list of one or more signing certificates. If you do not define a list of DNs for a trusted issuer, then MSAS allows signing by any certificate, as long as that certificate is trusted by the certificates present in the MSAS keystore.

Use the Trusted Issuer table to define a trusted DNs list for trusted JWT Issuers.

Element Description

Issuer Name

Name of the trusted issuer. The default value for the predefined JWT client policies is www.oracle.com.

Issuer DN

Trusted DN for the trusted issuer. Select the row containing the issuer for which you want to define the DN list and enter it here. Use a string that conforms to RFC 2253.

For example, the trusted DN for the trusted issuer www.oracle.com is CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US.

Token Rules

Place your mouse over the icon to view the token rules configured for the DN in a pop-up window.

Perform the following actions to add or delete JWT trusted issuers and DNs, and to configure token rules.

Action Description

View

Select the Columns and Reorder Columns... options in this menu to specify the columns that are visible and their order.

Add

Add a trusted issuer. Click Add to add a new row to the table and enter the trusted issuer and associated DN in the Issuer Name and Issuer DN fields.

Delete

Delete a trusted issuer. Select the row containing the issuer to be deleted and click Delete.

Configure Token Rule

Specify a token attribute rule for a trusted DN. Each rule has two parts: a name ID and an attributes part for user attributes that a DN for a signing certificate can assert. The name ID and the attribute can contain a filter with multiple value patterns.

Select the row containing the DN for which you want to configure the rule and click Configure Token Rule. In the Token Rule window, add new rules, delete or edit existing rules as required.
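The trusted-issuer and DN rules described in the SAML Trust and JWT Trust sections, as an added example that is not part of this help or of MSAS: it normalizes RFC 2253 DNs so that spacing and case differences do not defeat a match, applies the page's rule that an issuer without a DN list accepts any keystore-trusted signer, and evaluates a token rule. The TrustedIssuer model, the glob-pattern semantics for token rule filters and the sample data are assumptions; only the www.oracle.com DN comes from the page.

```python
import fnmatch
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 string DN into (type, value) RDNs, outermost first.

    Backslash escapes and double-quoted values are honoured; multi-valued RDNs
    ('+') are kept as one value string. Attribute types are lower-cased and the
    whitespace around separators is dropped, so 'CN=a, O=b' and 'cn=a,o=b' agree.
    """
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character, taken literally
            i += 2
            continue
        if ch == '"':
            quoted = not quoted            # quotes delimit a value, they are not part of it
        elif ch == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    parsed = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")
        parsed.append((typ.strip().lower(), val.strip()))
    return parsed


def dn_equal(a: str, b: str) -> bool:
    """Structural DN comparison; values compare case-insensitively, as caseIgnoreMatch
    attributes such as CN and O do in X.500."""
    def norm(dn: str):
        return [(t, v.lower()) for t, v in parse_dn(dn)]
    return norm(a) == norm(b)


@dataclass
class TrustedIssuer:
    """One row of a Trusted STS / Trusted Clients / Trusted Issuer table plus its token rule
    (constructed model, not an MSAS API)."""
    name: str
    dns: List[str] = field(default_factory=list)               # empty = any keystore-trusted signer
    name_id_patterns: List[str] = field(default_factory=list)  # token rule, name ID part
    attribute_patterns: Dict[str, List[str]] = field(default_factory=dict)  # attribute -> value patterns


def signer_allowed(issuer: TrustedIssuer, signer_dn: str, keystore_trusted: bool) -> bool:
    """Page rule: with no DN list, any certificate trusted through the MSAS keystore may sign;
    with a DN list, the signing certificate's subject must also match one listed DN."""
    if not keystore_trusted:
        return False
    if not issuer.dns:
        return True
    return any(dn_equal(signer_dn, trusted) for trusted in issuer.dns)


def _matches_any(value: str, patterns: List[str]) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def token_rule_allows(issuer: TrustedIssuer, name_id: str, attributes: Dict[str, List[str]]) -> bool:
    """Apply the token rule. Assumptions: patterns are shell-style globs; an empty name-ID
    pattern list accepts any name ID; when an attribute rule exists, an asserted attribute it
    does not list is rejected, because the rule enumerates what this signer may assert."""
    if issuer.name_id_patterns and not _matches_any(name_id, issuer.name_id_patterns):
        return False
    if issuer.attribute_patterns:
        for attr, values in attributes.items():
            allowed = issuer.attribute_patterns.get(attr)
            if allowed is None or not all(_matches_any(v, allowed) for v in values):
                return False
    return True


def accept_token(trusted: List[TrustedIssuer], issuer_name: str, signer_dn: str,
                 keystore_trusted: bool, name_id: str, attributes: Dict[str, List[str]]) -> bool:
    """Full decision: unknown issuer is rejected; then the signer check, then the token rule."""
    for issuer in trusted:
        if issuer.name == issuer_name:
            return (signer_allowed(issuer, signer_dn, keystore_trusted)
                    and token_rule_allows(issuer, name_id, attributes))
    return False


# Constructed sample table; the first DN is the page's own example for www.oracle.com.
TRUSTED = [
    TrustedIssuer("www.oracle.com",
                  dns=["CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US"],
                  name_id_patterns=["*@example.com"],
                  attribute_patterns={"groups": ["msas-*"]}),
    TrustedIssuer("sts.partner.example"),   # no DN list: any keystore-trusted signer
]

if __name__ == "__main__":
    print(accept_token(TRUSTED, "www.oracle.com",
                       "cn=weblogic,ou=Orakey Test Encryption Purposes Only,o=Oracle,c=US",
                       True, "alice@example.com", {"groups": ["msas-admins"]}))
```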


Message Security

The Message Security tab of the MSAS Instance Configuration page provides the ability to configure the message protection settings required for the environment. It includes the following sections:

Key Store

The Keystore section enables you to select the signature and encryption aliases for the default KSS keystore.

Element Description

Key Store

Keystore to be used with the MSAS instance. For Mobile Security Access Server, the supported keystore is KSS. You cannot change the keystore type.

Path

The KSS URI that points to the location of the keystore in KSS. By default, this path is kss://msas_id/keystore where msas_id is the ID of the MSAS instance with which the keystore is associated and keystore is the stripeID. This field is read only.

Sign Alias

Alias of the key used to sign the messages. This value must match the value in the keystore.

Press Click to Add to add a signature alias using the Private Key for Signing window.

Generate Keypair

Click to generate a keypair to use for the signature key.

Alias

Alias of the keypair entry.

Distinguished Name

Distinguished name of the certificate wrapping the keypair.

Algorithm

Algorithm used to generate the keypair. The default is RSA.

Key Size

RSA key size, in bits. The default is 1024. A 1024-bit RSA key is no longer considered adequate; prefer 2048 bits or larger.

Generate Keypair

Use this action to generate the keypair using the information provided. The keypair is added to the Pick a key table.

Import from Keystore

Click to import a signature keypair and alias from the keystore.

Choose File

Use this action to select a keypair to be imported from the file system.

Keystore Password

Password for the keystore from which the signature key will be imported.

Alias

Alias of the keypair to be imported.

Alias Password

Alias password for the keypair to be imported.

Import

Use this action to import the selected keypair into the keystore. It is added to the Pick a key table.

Pick a key

List of the signature alias keys available. Select the alias from the table and click OK.

Encrypt Alias

Alias of the key used to encrypt the messages. This value must match the value in the keystore.

Generate Keypair

Click to generate a keypair to use for the encryption key.

Alias

Alias of the keypair entry.

Distinguished Name

Distinguished name of the certificate wrapping the keypair.

Algorithm

Algorithm used to generate the keypair. The default is RSA.

Key Size

RSA key size, in bits. The default is 1024. A 1024-bit RSA key is no longer considered adequate; prefer 2048 bits or larger.

Generate Keypair

Use this action to generate the keypair using the information provided. The keypair is added to the Pick a key table.

Import from Keystore

Click to import an encryption keypair and alias from the keystore.

Choose File

Use this action to select a keypair to be imported from the file system.

Keystore Password

Password for the keystore from which the encryption keypair will be imported.

Alias

Alias of the keypair to be imported.

Alias Password

Alias password for the keypair to be imported.

Import

Use this action to import the selected keypair into the keystore. It is added to the Pick a key table.

Pick a key

List of the encryption keys available. Select the alias from the table and click OK.

Security Settings

The Security Settings section enables you to tune security policy enforcement by adjusting the default message timestamp skews between system clocks. You can also set the message expiration time.

Element Description

Clock Skew

Tolerance for time differences, in seconds, between client and server machines. For example, when timestamps are sent in a message to a service whose clock follows a different time zone, this property allows for a tolerance. The default value is 360,000 milliseconds (6 minutes). Enter a new value in the field or click the up/down arrows to increase or decrease the default value.

You should configure this property to:

  • Increase the clock skew when the client and service are running on different systems and their system clocks are not in sync, which could result in the service rejecting messages from the client with an error indicating that timestamp validation failed. Increasing the clock skew accounts for the difference between the client and service clocks.

  • Decrease the clock skew if you want to narrow the window in which the service is willing to accept messages from clients to avoid replay attacks.

Client Clock Skew

Tolerance of time, in seconds, that is used to calculate the NotBefore and NotOnOrAfter conditions for SAML or JWT token generation. Together, these conditions define the lower and upper boundaries that limit the validity of the token. The default is 0. Enter a new value in the field or click the up/down arrows to increase or decrease the default value.

Message Expiration Time

Duration of time, in seconds, before a message expires after its creation. This property is used where a timestamp is sent in the token, to verify whether the timestamp has expired. The default value is 300,000 milliseconds (5 minutes). Enter a new value in the field or click the up/down arrows to increase or decrease the default value.

You should configure this property to:

  • Increase the message expiration time to ensure that the message is valid for a longer duration than the default time.

  • Decrease the message expiration time to ensure that message is valid for a shorter duration than the default time.
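How the Clock Skew, Client Clock Skew and Message Expiration Time settings interact, as an added example that is not code from this help or from MSAS. The defaults are the page's; the way the two server-side values are combined into one acceptance window is an assumption stated in the docstring.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class SecuritySettings:
    """The Security Settings fields, with the page's defaults in milliseconds."""
    clock_skew_ms: int = 360_000           # Clock Skew default: 6 minutes
    client_clock_skew_ms: int = 0          # Client Clock Skew default
    message_expiration_ms: int = 300_000   # Message Expiration Time default: 5 minutes


def validate_timestamp(created_ms: int, now_ms: int, s: SecuritySettings) -> Tuple[bool, str]:
    """Decide whether a message created at created_ms is acceptable at now_ms.

    Model (an assumption about how MSAS combines the two knobs, not taken from the page):
    the clock skew widens the window at both ends, so a message is accepted when
        created_ms - clock_skew_ms <= now_ms <= created_ms + message_expiration_ms + clock_skew_ms.
    Returns (accepted, reason).
    """
    if created_ms - now_ms > s.clock_skew_ms:
        return False, "created in the future beyond the clock skew"
    if now_ms - created_ms > s.message_expiration_ms + s.clock_skew_ms:
        return False, "expired"
    return True, "ok"


def acceptance_window_ms(s: SecuritySettings) -> int:
    """Total span during which a given message timestamp validates. Lowering either
    setting shrinks it, which is the page's rationale for decreasing the clock skew."""
    return s.message_expiration_ms + 2 * s.clock_skew_ms


def token_validity_window(issued_ms: int, lifetime_ms: int, s: SecuritySettings) -> Tuple[int, int]:
    """NotBefore and NotOnOrAfter for a SAML or JWT token issued at issued_ms, widened on
    both sides by the Client Clock Skew so a relying party whose clock is slightly off
    still accepts the token."""
    return (issued_ms - s.client_clock_skew_ms,
            issued_ms + lifetime_ms + s.client_clock_skew_ms)


if __name__ == "__main__":
    defaults = SecuritySettings()
    tight = SecuritySettings(clock_skew_ms=30_000, message_expiration_ms=60_000)
    for label, s in (("defaults", defaults), ("tightened", tight)):
        print(f"{label}: a timestamp stays acceptable for {acceptance_window_ms(s) / 1000:.0f} s")
    print(validate_timestamp(created_ms=0, now_ms=700_000, s=defaults))   # expired
    print(validate_timestamp(created_ms=0, now_ms=100_000, s=tight))      # expired under tight settings
    print(token_validity_window(1_000_000, 300_000, SecuritySettings(client_clock_skew_ms=60_000)))
```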


Policy Access

The Policy Access tab of the MSAS Instance Configuration page provides the ability to configure the cache refresh time. It includes the following sections:

Cache Management

The Cache Management section provides the ability to configure the cache refresh time.

Element Description

Cache Refresh Time

Number of milliseconds to wait between cache refreshes. The default is 86,400,000 milliseconds (24 hours). Enter a new value in the field or click the up/down arrows to increase or decrease the default value.

Failure Retry Delay

Reserved for future use.

User Record Delay

Reserved for future use.

Failure Retry Count

Reserved for future use.

Missing Documents Retry Delay

Reserved for future use.

Initial Cache Refresh

Reserved for future use.

Authentication Endpoints

The Authentication Endpoints tab of the MSAS Instance Configuration page provides the ability to configure the KINIT/PKINIT and OAuth2 endpoints, and the Crypto service. It includes the following sections:

KINIT & PKINIT

The KINIT and PKINIT section of the Authentication Endpoints tab enables you to configure the properties of the Kerberos krb5.conf file, which Kerberos Password Authentication (KINIT) and Public Key Cryptography for Initial Authentication (PKINIT) require. The krb5.conf file contains Kerberos configuration information: the locations of KDCs and administration daemons for the Kerberos realms of interest, the default realm, the default domain, the default encryption types for Kerberos applications, and the mappings of host names onto Kerberos realms. The values entered here are stored in the MSAS repository.

It includes the following sections:

Realms

The KINIT & PKINIT Realms section provides the ability to add, edit, and delete Kerberos realms. You must specify one realm as the default realm.

The Realms table displays a list of the realms defined in the MSAS instance.

Element Description

Realm Name

Name of the Kerberos realm.

Default

Flag indicating the default realm.

Perform the following actions for Kerberos realms.

Action Description

Add

Add a Kerberos realm to the MSAS instance. Click Add to display the Realm page. In the Realm page, complete the fields, click OK, then click Apply.

Name

Realm names can consist of any ASCII string. The realm name must match the REALM name defined during the Active Directory setup.

KDC host

Host for the KDC server running the realm specified in the Name field.

KDC port

Optional port of the KDC server running the realm specified in the Name field.

Default Domain

Enter the name of the default domain in the field or select a default domain from the menu.

Edit

Edit an existing Kerberos realm. Select the realm name in the table and click Edit to display the Realm page where you can edit the fields as desired.

Remove

Delete the Kerberos realm from the MSAS instance. Select the realm name in the table and click Remove.

Set as default

Select the realm to use as the default.

Select the realm name in the table and click Set as default.


Domains

The KINIT & PKINIT Domains section provides the ability to add and delete DNS domains in the MSAS instance.

The Domains table displays a list of the domains defined in the realm.

Element Description

Domain

DNS domain name.

Realm

Kerberos realm associated with the domain.

Perform the following actions for a domain.

Action Description

Add

Add a DNS domain to the MSAS instance. Click Add and enter the name of the domain in the Domain field. Typically, the domain name is in lower case, for example, example.com. Select the associated Realm from the menu, then click Apply.

Remove

Remove the domain from the MSAS instance. Select the domain name in the table and click Remove, then click Apply.

Encryption

The KINIT & PKINIT Encryption section provides the ability to specify the type of Kerberos encryption the client must use when making requests to the KDC.

Element Description

default TKT enctypes

Supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest.

Select the encryption type from the menu.

default TGS enctypes

Supported list of session key encryption types that the client should request when making a TGS-REQ, in order of preference from highest to lowest.

Select the encryption type from the menu.


Logging

The KINIT & PKINIT Logging section provides the ability to configure the logging location for the Kerberos and KCM messages.

Element Description

krb5

Select the log location to be used for the Kerberos configuration. Supported options are:
  • STDERR—Log messages using the standard error stream.

  • File—Log messages to a specified file. Select File, then enter the log file location in the empty field.

KCM

Select the log location to be used for the Kerberos Cache Manager (KCM). Supported options are:
  • STDERR - Log messages using the standard error stream.

  • File—Log messages to a specified file. Select File, then enter the log file location in the empty field.
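To make the mapping from these fields to the file concrete, here is an added example, not part of this help or of MSAS, that renders the Realms, Domains, Encryption and Logging settings into a krb5.conf, enforces the single-default-realm rule stated above and flags deprecated enctypes. The dataclass model, the sample values and the Heimdal-style krb5/kcm keys in the [logging] section are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Realm:
    """One row of the KINIT & PKINIT Realms table (constructed model, not an MSAS API)."""
    name: str                       # must match the REALM defined in the Active Directory setup
    kdc_host: str
    kdc_port: Optional[int] = None  # optional on the Realm page
    default_domain: str = ""
    is_default: bool = False


@dataclass
class KinitSettings:
    """The KINIT & PKINIT tab as structured values."""
    realms: List[Realm]
    domains: Dict[str, str]          # Domains table: DNS domain -> realm name
    default_tkt_enctypes: List[str]  # AS-REQ session key enctypes, highest preference first
    default_tgs_enctypes: List[str]  # TGS-REQ session key enctypes, highest preference first
    krb5_log: str = "STDERR"         # STDERR or FILE:<path>, as the Logging section offers
    kcm_log: str = "STDERR"


# Enctype families deprecated by RFC 6649 (single DES, RC4) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPE_PREFIXES = ("des", "arcfour", "rc4")


def weak_enctypes(settings: KinitSettings) -> List[str]:
    """Return the configured enctypes that should be removed from the preference lists."""
    weak = []
    for enctype in settings.default_tkt_enctypes + settings.default_tgs_enctypes:
        if enctype.lower().startswith(WEAK_ENCTYPE_PREFIXES) and enctype not in weak:
            weak.append(enctype)
    return weak


def render_krb5_conf(settings: KinitSettings) -> str:
    """Render the settings as a krb5.conf, enforcing 'exactly one default realm'."""
    defaults = [r for r in settings.realms if r.is_default]
    if len(defaults) != 1:
        raise ValueError("exactly one realm must be marked as the default")
    known = {r.name for r in settings.realms}
    for domain, realm in settings.domains.items():
        if realm not in known:
            raise ValueError(f"domain {domain!r} refers to unknown realm {realm!r}")

    lines = [
        "[libdefaults]",
        f"    default_realm = {defaults[0].name}",
        "    default_tkt_enctypes = " + " ".join(settings.default_tkt_enctypes),
        "    default_tgs_enctypes = " + " ".join(settings.default_tgs_enctypes),
        "",
        "[realms]",
    ]
    for r in settings.realms:
        kdc = r.kdc_host if r.kdc_port is None else f"{r.kdc_host}:{r.kdc_port}"
        lines += [f"    {r.name} = {{", f"        kdc = {kdc}"]
        if r.default_domain:
            lines.append(f"        default_domain = {r.default_domain}")
        lines.append("    }")

    lines += ["", "[domain_realm]"]
    for domain, realm in settings.domains.items():
        domain = domain.lower()                  # the page notes domain names are lower case
        lines.append(f"    .{domain} = {realm}")  # hosts below the domain
        lines.append(f"    {domain} = {realm}")   # the domain name itself

    # Assumption: Heimdal-style per-program keys, matching the page's krb5 and KCM elements.
    lines += ["", "[logging]", f"    krb5 = {settings.krb5_log}", f"    kcm = {settings.kcm_log}", ""]
    return "\n".join(lines)


# Constructed sample input, not taken from the page.
SAMPLE = KinitSettings(
    realms=[
        Realm("EXAMPLE.COM", "kdc1.example.com", 88, "example.com", is_default=True),
        Realm("CORP.EXAMPLE.COM", "kdc.corp.example.com"),
    ],
    domains={"example.com": "EXAMPLE.COM", "corp.example.com": "CORP.EXAMPLE.COM"},
    default_tkt_enctypes=["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "arcfour-hmac-md5"],
    default_tgs_enctypes=["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    krb5_log="STDERR",
    kcm_log="FILE:/var/log/msas/kcm.log",
)

if __name__ == "__main__":
    print(render_krb5_conf(SAMPLE))
    print("deprecated enctypes still configured:", weak_enctypes(SAMPLE))
```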

Edit Policy

Use this action to open the URL Policy Configuration page for the KINIT endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies.

On-Request

The Http Kerberos password Authentication Service Policy is attached On-Request. This internal policy enables the Kerberos password authentication.

Select the policy name, or click the Options menu icon and then Edit, to view the policy details and configure policy overrides.

Optionally, click the Overrides tab to configure property overrides or to add a keystore.sig.csf.key to the keystore. To add a key, press Click to add to generate a keypair, or to import a key from a keystore. Then pick the key from the table and click OK.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.

On-Response

The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client.

Select the policy name, or click the Options menu icon and then Edit, to view the policy details and configure policy overrides.

Optionally, click the Overrides tab to configure property overrides or to add a keystore.sig.csf.key or keystore.enc.csf.key to the keystore. To add keys, press Click to add to generate a keypair, or import a key from a keystore. Then pick the key from the table and click OK.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.


PKINIT Trust anchors

Use the KINIT & PKINIT PKINIT Trust anchors section to enable the use of trust anchors for PKINIT authentication. PKINIT trust anchors are stored in the keystore.

Element Description

Enable

Select this action to enable the use of PKINIT anchors to trust the authority issuing the KDC certificate, then select the trusted certificate from the table, or import a certificate into the truststore. The certificate you select must be the first certificate in the certificate chain. MSAS will automatically fetch the complete chain using the selected certificate as the starting point.

Truststore Location

Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. Only KSS keystores are supported. This field is read only.

Choose File

Use this action to select a certificate to be imported from the file system.

Alias

Alias of the PKINIT trust certificate to be imported.

Import

Use this action to import the selected certificate into the truststore. It is added to the trusted certificate table.

Select

Select the certificate to set the alias for the PKINIT trust anchor.

X

To delete a certificate, click X in the row of the certificate to be deleted. In the Delete Key window, click Yes to confirm the deletion.
Edit Policy

Use this action to open the URL Policy Configuration page for the PKINIT endpoint. It displays the internal policies attached to the on-request and on-response endpoints. You can use this page to view details about the endpoint and attached policies.

On-Request

The Http Kerberos PKI Authentication Service Policy is attached On-Request. This internal policy enables Kerberos PKI authentication.

Select the policy name, or click the Options menu icon and then Edit, to view the policy details and configure policy overrides.

Optionally, click the Overrides tab to configure property overrides or to add a keystore.sig.csf.key to the keystore for signing the outbound message. To add a key, press Click to add to generate a keypair, or import a key from a JKS keystore. Then pick the key from the table and click OK.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.

On-Response

The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client.

Select the policy name, or click the Options menu icon then Edit, to view the policy details and configure policy overrides.

Optionally, click the Overrides tab to configure property overrides or to add a keystore.sig.csf.key or keystore.enc.csf.key to the keystore for signing the outbound message. To add keys, press Click to add to generate a keypair, or import a key from a JKS keystore. Then pick the key from the table and click OK.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.


OAuth2 Confidential Client

Use the OAuth2 Confidential Client section of the Authentication Endpoints tab to specify the OAuth2 endpoint and specify the client ID and secret in the Credential Store Framework (CSF) for the OAuth2 confidential client.

Element Description

Endpoint

OAuth Service Profile endpoint that the MSAS server uses to create the JWT User Token and OAM tokens for the OAuth2 Confidential Client Authentication flow.

Edit Policy

Use this action to open the URL Policy Configuration page for the endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies.

On-Request

The Http OAuth2 Confidential Client Over SSL Policy is attached On-Request. This internal policy performs OAuth2 Confidential Client Authentication and creates OAuth and OAM tokens.

Select the policy name, or click the Options menu icon then Edit, to view the policy details and configure policy overrides.

Click the Overrides tab and enter the OAuth2 client CSF key in the Value field.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.

On-Response

The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client.

Select the policy name, or click the Options menu icon then Edit, to view the policy details and configure policy overrides.

Optionally, click the Overrides tab to configure property overrides or to add a keystore.sig.csf.key or keystore.enc.csf.key to the keystore for signing the outbound message. To add keys, press Click to add to generate a keypair, or import a key from a JKS keystore. Then pick the key from the table and click OK.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.


OAuth2 Mobile Client

Use the OAuth2 Mobile Client section of the Authentication Endpoints tab to specify the OAuth2 endpoint to which the client can connect, and specify the mobile client ID in the CSF for the OAuth2 Mobile Client flow.

Element Description

Endpoint

OAuth Service Profile endpoint with which the MSAS server registers a container mobile application and creates the JWT User Token and OAM tokens for the OAuth2 Mobile Client Authentication flow.

Edit Policy

Use this action to open the URL Policy Configuration page for the endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies.

On-Request

The Http OAMMS Mobile Client Token Over SSL Service Policy is attached On-Request. This internal policy performs OAMMS Mobile Client Authentication and creates OAuth and OAM tokens.

Select the policy name, or click the Options menu icon then Edit, to view the policy details and configure policy overrides.

Click the Overrides tab and enter the mobile client ID in the Value field.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.

On-Response

The Http Session Token Issue Policy is attached On-Response. This policy issues a session token with the authenticated user ID to the client.

Select the policy name, or click the Options menu icon then Edit, to view the policy details and configure policy overrides.

Optionally, click the Overrides tab to configure property overrides or to add a keystore.sig.csf.key or keystore.enc.csf.key to the keystore for signing the outbound message. To add keys, press Click to add to generate a keypair, or import a key from a JKS keystore. Then pick the key from the table and click OK.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.


Crypto Service

Use the Crypto service section of the Authentication Endpoints tab to configure the Crypto Service with archive key aliases.

Element Description

Key Rollover Aliases

Aliases of the archived keys used by the keystore rollover feature. These key aliases are maintained as an ordered list: the first alias is the oldest, the second is the next oldest, and so on.

Edit Policy

Use this action to open the URL Policy Configuration page for the endpoint. It displays the internal policies attached to the on-request and on-response subjects. You can use this page to view details about the endpoint and attached policies.

On-Request

Two policies are attached by default:
  • The HTTP Session Token Verify Policy verifies the session token, including the timestamp and signature, decrypts the encrypted data, and asserts the identity using the user ID from the session token. The request is rejected if the verification fails.

    Select the policy name, or click the Options menu icon then Edit, to view the policy details and configure policy overrides.

    Optionally, click the Overrides tab to configure property overrides or to add a keystore.sig.csf.key or keystore.enc.csf.key to the keystore for signing the outbound message. To add keys, press Click to add to generate a keypair, or import a key from a JKS keystore. Then pick the key from the table and click OK.

  • The HTTP Action Security Policy enables the Action Security Policy that performs Server Key Encryption Key (SKEK) encryption and decryption.

Note: To ensure proper authentication on this endpoint, you should not delete the default policy attachments, or attach additional policies.

On-Response

Click the Options menu icon to attach policies or templates if desired. There are no policies attached by default.

System Settings

The System Settings tab of the MSAS Instance Configuration page provides the ability to configure the system settings for the instance. It includes the following sections:

Outbound Message Settings

The Outbound Message Settings section enables you to configure the client connection to back-end services.

Element Description

Total Connections in pool

Maximum number of connections in a pool that a client can handle. The default is 512.

Maximum Connections per host

Maximum number of connections in a pool, per host, that a client can handle. The default is 25.

Connection Timeout

Maximum time in milliseconds a client can wait when connecting to a back-end host. The default is 20,000 ms.

Idle Connection pool Timeout

Maximum time in milliseconds a client will keep idle connections in the pool. The default is 180,000 ms (3 minutes).

Request Timeout

Maximum time in milliseconds a client can wait for a response. The default is 60,000 ms (1 minute).

Proxy Server Settings

The Proxy Server Settings section enables you to configure the proxy server used for outbound calls to the internet through MSAS for back-end applications and services.

Element Description

Name

Name of proxy server to uniquely identify it. This field is optional.

Host Name

Host name of proxy server.

Port

Port number of proxy server.

User Name

User ID to connect to the proxy server.

Note: The User Name and Password are required only if the proxy server requires authentication.

Password

Password corresponding to the User ID to connect to the proxy server.

Hostnames without proxy

List of hosts that will not use the proxy server. It supports the asterisk (*) wildcard, but only as a prefix or suffix of a host name.

By default, this field contains the value localhost, 127.0.0.1.


Server Settings

The Server Settings section enables you to specify general settings for the MSAS server.

Element Description

Load Balancer URL

Non-SSL URL of the front-ending load balancer, for example http://lbr.example.org:80.

Load Balancer SSL URL

SSL URL of the front-ending load balancer, for example https://lbr.example.org:443.

Service Principal Name

This property maps a URL to a Service Principal Name. A Service Principal Name is required for NTLM and SPNEGO.

Click Add to add a Service Principal Name and URL. To remove a Service Principal Name and URL, select the table row and click Remove.

URL

URL to be mapped to the Service Principal Name. It supports the asterisk (*) wildcard anywhere in the URL, for example, http*://example.host*80/* or *.example.org.

Service Principal Name

Service Principal Name in the form of SPN_SERVICECLASS/SPN_HOSTNAME.
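Added example (not part of the original help page or the MSAS product) showing how the two wildcard rules above behave: the Service Principal Name table, where * may appear anywhere in the URL pattern, and the Hostnames without proxy list, where * is accepted only as a prefix or suffix. The table rows, host list entries, SPN values, first-match-wins ordering and the host-only matching of scheme-less patterns are assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample of the Service Principal Name table (URL pattern -> SPN).
# The two URL patterns are the page's own examples; the SPN values are made up
# but follow the documented SPN_SERVICECLASS/SPN_HOSTNAME form.
SPN_MAPPINGS = [
    ("http*://example.host*80/*", "HTTP/example.host"),
    ("*.example.org", "HTTP/www.example.org"),
]

# Constructed sample of the "Hostnames without proxy" list: the documented
# default entries plus two made-up entries using the suffix and prefix forms.
NO_PROXY_HOSTS = ["localhost", "127.0.0.1", "*.corp.example", "build-*"]


def glob_to_regex(pattern: str) -> re.Pattern:
    """Compile a pattern in which '*' may appear anywhere into an anchored regex."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def resolve_spn(url: str, mappings=SPN_MAPPINGS):
    """Return the SPN of the first matching row, or None when no row matches.

    Assumption: a pattern containing '://' is matched against the whole URL,
    while a bare pattern such as '*.example.org' is matched against the host.
    """
    host = urlparse(url).hostname or ""
    for pattern, spn in mappings:
        subject = url if "://" in pattern else host
        if glob_to_regex(pattern).match(subject):
            return spn
    return None


def is_valid_no_proxy_entry(entry: str) -> bool:
    """Accept '*' only as a leading prefix and/or trailing suffix, never inside."""
    core = entry.strip("*")
    return core != "" and "*" not in core


def bypasses_proxy(host: str, entries=NO_PROXY_HOSTS) -> bool:
    """True when the host matches a valid entry; malformed entries are skipped."""
    host = host.lower()
    for entry in (e.lower() for e in entries if is_valid_no_proxy_entry(e)):
        core = entry.strip("*")
        if entry.startswith("*") and entry.endswith("*"):
            matched = core in host
        elif entry.startswith("*"):
            matched = host.endswith(core)
        elif entry.endswith("*"):
            matched = host.startswith(core)
        else:
            matched = host == entry
        if matched:
            return True
    return False
```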

SSL Settings

The SSL Settings section enables you to add certificates and keys for the outbound and inbound SSL HTTPS connections.

Element Description

SSL TrustStore Location

Read-only field that specifies the location of the SSL truststore. Only the KSS keystore type is supported, so the value must be a KSS URI.

Server Certificate

To import a certificate, select Click to import to open the Server Certificate page where you can import a certificate into the truststore.

Note: Only Base64-encoded certificates are supported.

Choose File

Use this action to select the certificate to be imported from the file system.

Alias

Truststore alias.

Certificate Type

Type of certificate to be imported. Supported options are:
  • Trusted Certificate

Import

Use this option to import the selected certificate into the truststore. It is added to the certificate table.

X

To delete a certificate, click X in the row of the certificate to be deleted. Click Yes to confirm the deletion.

SSL Keystore Location

Read-only field that specifies the location of the SSL keystore. The SSL keystore is used for inbound SSL connections to MSAS and as the MSAS identity keystore. Only the KSS keystore type is supported, so the value must be a KSS URI.

Private Key

To add a private key, click Click to add to open the Private Key page where you can generate a keypair or import a key from a JKS keystore.

Generate Keypair

Use this option to generate a private keypair for the MSAS SSL identity key.

Alias

Alias of the keypair entry.

Distinguished Name

Distinguished name of the certificate wrapping the keypair.

Algorithm

Symmetric key algorithm. The default is RSA.

Key Size

RSA key size. The default is 1024 bytes.

Generate Keypair

Generate the keypair using the information provided. The key is added to the keypair table.

Import from Keystore

Click to import the Java keystore file into the keystore service.

Choose File

Use this option to select a Java keystore file.

Keystore Password

Password for the JKS keystore from which the keypair will be imported.

Alias

Alias of the keypair to be imported.

Alias Password

Alias password for the keypair to be imported.

Import

Import the selected keypair into the KSS keystore. It is added to the keypair table.

X

To delete a keypair, click X in the row of the keypair to be deleted. Click Yes to confirm the deletion.

Log Configuration

The Log Configuration section enables you to configure run-time logging levels for MSAS sub-components. The configuration specified here applies to the logical MSAS instance, and is used by all physical MSAS instances to which the logical instance is bound.

Element Description

Logger Name

Name of the logger. The root logger is populated by default. All loggers for which the level is not explicitly configured will inherit from the root logger.

Logging Level (Java Level)

Select a logging level from the menu. Valid values are:
  • SEVERE—A serious problem that requires immediate attention from the administrator and is not caused by a bug in the product.

  • WARNING—A potential problem that should be reviewed by the administrator.

  • INFO—A major lifecycle event such as the activation or deactivation of a primary sub-component or feature.

  • CONFIG—Configuration information to assist in debugging problems that may be associated with particular configurations.

  • FINE—Detailed tracing messages that can cause a small performance impact. You can enable this level occasionally on a production environment to debug problems.

  • FINER—Fairly detailed tracing messages that can cause a high performance impact. This level should not be enabled on a production environment, except in special situations to debug problems.

  • FINEST—Highly detailed tracing messages that can cause a very high performance impact. This level should not be enabled in a production environment. It is intended to be used to debug the product on a test or development environment.


Perform the following actions for log level configuration.

Action Description

Add

Add an MSAS logger to the MSAS instance. Click Add and enter the name of the logger in the Logger Name field. Available loggers are:
  • oracle.idm.gateway.grs—MSAS runtime server

  • oracle.idm.gateway.gmsclient—MSAS management client

  • oracle.idm.gateway.snapshot—MSAS security artifacts snapshot manager

  • oracle.idm.gateway.common—MSAS common libraries

  • oracle.wsm—Oracle Web Services Manager runtime libraries

  • oracle.security.jps—Oracle Platform Security Service (OPSS) libraries

  • com.sun.jersey—Jersey

Then select the desired logging level from the menu and click Apply at the top of the page.

Remove

Remove the logger from the MSAS instance. Select the logger name in the table and click Remove.

"Configuring a Mobile Security Access Server Instance" in Administering Oracle Mobile Security Access Server