2 OPSS Security Store WLST Commands

This chapter describes the OPSS security store commands.

Use the WLST security commands listed in Table 2-1 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.

Table 2-1 WLST Security Commands

Use this command... To... Use with WLST...

addBootStrapCredential

Add a credential to the bootstrap credential store

Offline

addResourceToEntitlement

Add a resource to an entitlement.

Online

createAppRole

Create a new application role.

Online

createCred

Create a new credential.

Online

createEntitlement

Create an entitlement.

Online

createResource

Create a resource.

Online

createResourceType

Create a new resource type.

Online

deleteAppPolicies

Remove all policies in an application.

Online

deleteAppRole

Remove an application role.

Online

deleteCred

Remove a credential.

Online

deleteEntitlement

Remove an entitlement.

Online

deleteResource

Remove a resource.

Online

deleteResourceType

Remove an existing resource type.

Online

exportEncryptionKey

Export the domain encryption key to the file ewallet.p12.

Offline

getEntitlement

List an entitlement.

Online

getResourceType

Fetch an existing resource type.

Online

grantAppRole

Add a principal to a role.

Online

grantEntitlement

Create an entitlement.

Online

grantPermission

Create a new permission.

Online

importEncryptionKey

Import the encryption key in file ewallet.p12 to the domain.

Offline

listAppRoles

List all roles in an application.

Online

listAppRolesMembers

List all members in an application role.

Online

listAppStripes

List application stripes in policy store.

Online

listCodeSourcePermissions

List permissions assigned to a source code in global policies.

Online

listEntitlement

List an entitlement.

Online

listEntitlements

List entitlements in an application stripe.

Online

listPermissions

List all permissions granted to a principal.

Online

listResourceActions

List actions in a resource.

Online

listResources

List resources in an application stripe.

Online

listResourceTypes

List resource types in an application stripe.

Online

listSecurityStoreInfo

List the type and location of the OPSS security store, and the user allowed to access it.

Offline

migrateSecurityStore

Migrate policies or credentials from a source repository to a target repository.

Offline

modifyBootStrapCredential

Update bootstrap credential store

Offline

reassociateSecurityStore

Reassociate policies and credentials to an LDAP repository

Online

restoreEncryptionKey

Restore the domain encryption key as it was before the last importing.

Offline

revokeAppRole

Remove a principal from a role.

Online

revokeEntitlement

Remove an entitlement.

Online

revokePermission

Remove a permission.

Online

revokeResourceFromEntitlement

Remove a resource from an entitlement

Online

rollOverEncryptionKey

Replace the current domain encryption key with a new one.

Offline

updateCred

Modify the attribute values of a credential.

Online

updateTrustServiceConfig

Update the configuration of the trust service.

Online

Note:

In syntax descriptions, optional arguments are enclosed in square brackets; all other arguments are required.

addBootStrapCredential

Offline command that adds a credential to the bootstrap credential store.

Description

Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.

Syntax

addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument Definition

jpsConfigFile

Specifies the location of the file jps-config.xml relative to the location where the command is run.

map

Specifies the map of the credential to add.

key

Specifies the key of the credential to add.

username

Specifies the name of the user in the credential to add.

password

Specifies the password of the user in the credential to add.

Example

The following example adds a credential to the bootstrap credential store:

wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='password')

addResourceToEntitlement

Online command that adds a resource with specified actions to an entitlement.

Description

Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName",actions="actionList")
Argument Definition

appStripe

Specifies the application stripe where the entitlement is located.

name

Specifies the name of the entitlement to modify.

resourceName

Specifies the name of the resource to add.

resourceType

Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked.

actions

Specifies the comma-separated list of actions for the added resource.

Example

The following example adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:

wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", 
name="myEntitlement", resourceName="myResource", resourceType="myResType", 
actions="view,edit")

createAppRole

Online command that creates a new application role.

Description

Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

createAppRole(appStripe, appRoleName)
Argument Definition

appSripe

Specifies an application stripe.

appRoleName

Specifies a role name.

Example

The following example creates a new application role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")

createCred

Online command that creates a new credential in the domain credential store.

Description

Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

createCred(map, key, user, password, [desc])
Argument Definition
map  

Specifies a map name (folder).

key 

Specifies a key name.

user 

Specifies the credential user name.

password 

Specifies the credential password.

desc 

Specifies a string describing the credential.

Example

The following example creates a new password credential with the specified data:

wls:/mydomain/serverConfig> createCred(map="myMap, key="myKey", user="myUsr", 
password="password", desc="updated usr name and passw to connect to app xyz")

createEntitlement

Online command that creates a new entitlement.

Description

Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.

Syntax

createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [,-displayName="dispName"] [,-description="descript"])
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is created.

name  

Specifies the name of the entitlement created.

resourceName  

Specifies the name of the one resource member of the entitlement created.

actions  

Specifies a comma-separated the list of actions for the resource resourceName.

displayName  

Specifies the display name of the resource created. Optional.

description  

Specifies the description of the entitlement created. Optional.

Example

The following example creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")

createResource

Online command that creates a new resource.

Description

Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.

Syntax

createResource(appStripe="appStripeName", name="resName", type="resTypeName" [,-displayName="dispName"] [,-description="descript"])
Argument Definition
appStripe  

Specifies the application stripe where the resource is created.

name  

Specifies the name of the resource created.

type  

Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked.

displayName  

Specifies the display name of the resource created. Optional.

description  

Specifies the description of the resource created. Optional.

Example

The following example creates the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")

createResourceType

Online command that creates a new resource type in the domain policy store within a given application stripe.

Description

Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. In the event of an error, the command returns a WLSTException.

Syntax

createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument Definition
appStripe  

Specifies the application stripe where to insert the resource type.

resourceTypeName 

Specifies the name of the resource type to insert.

displayName 

Specifies the name for the resource type used in UI gadgets.

description 

Specifies a brief description of the resource type.

provider 

Specifies the provider for the resource type.

matchere 

Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission.

actions 

Specifies the actions allowed on instances of the resource type.

delimeter 

Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','.

Example

The following example creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:

wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", 
resourceTypeName="resTypeName", displayName="displName", description="A resource
type", provider="Printer", matcher="com.printer.Printer",
actions="BWPrint;ColorPrint" [, delimeter=";"])

deleteAppPolicies

Online command that removes all policies with a given application stripe.

Description

Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

deleteAppPolicies(appStripe)
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

Example

The following example removes all policies of application myApp:

wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")

deleteAppRole

Online command that removes an application role.

Description

Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

Syntax

createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

Example

The following example removes the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> deleteAppRole(appStripe="myApp", appRoleName="myRole")

deleteCred

Online command that removes a credential in the domain credential store.

Description

Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.

Syntax

deleteCred(map,key)
Argument Definition
map  

Specifies a map name (folder).

key 

Specifies a key name.

Example

The following example removes the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> deleteCred(map="myApp",key="myKey")

deleteEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.

Syntax

deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

name  

Specifies the name of the entitlement to delete.

Example

The following example deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")

deleteResource

Online command that deletes a resource.

Description

Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.

Syntax

deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument Definition
appStripe  

Specifies the application stripe where the resource is deleted.

name  

Specifies the name of the resource deleted.

type  

Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked.

Example

The following example deletes the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")

deleteResourceType

Online command that removes a resource type from the domain policy store within a given application stripe.

Description

Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

deleteResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  

Specifies the application stripe from where to remove the resource type.

resourceTypeName 

Specifies the name of the resource type to remove.

Example

The following example removes the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")

exportEncryptionKey

Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.

Description

Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.

exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)

Syntax

Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

keyFilePath 

Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword.

keyFilePassword 

Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file.

Example

The following example writes the file ewallet.p12 in the directory myDir:

exportEncryptionKey(jpsConfigFile="pathName", keyFilePath="myDir" ,keyFilePassword="password")

getEntitlement

Online command that gets an entitlement.

Description

Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.

Syntax

getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to access.

Example

The following example returns the information of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")

getResourceType

Online command that fetches a resource type from the domain policy store within a given application stripe.

Description

Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

Syntax

getResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  

Specifies the application stripe from where to fetch the resource type.

resourceTypeName 

Specifies the name of the resource type to fetch.

Example

The following example fetches the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")

grantAppRole

Online command that adds a principal to a role.

Description

Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

grantAppRole(appStripe, appRoleName,principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

principalClass 

Specifies the fully qualified name of a class.

principalName 

Specifies the principal name. Set CN attribute value for the user or groups from the LDAP server.

Example

The following example adds a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp",  
appRoleName="myRole",principalClass="com.example.xyzPrincipal",
principalName="myPrincipal")

grantEntitlement

Online command that grant an entitlement to a named principal.

Description

Grants an entitlement to a specified principal in a specified application stripe.

Syntax

grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument Definition
appStripe  

Specifies the application stripe where the principal resides.

principalClass  

Specifies the class associated with the principal.

principalName  

Specifies the name of the principal to which the entitlement is granted.

permSetName  

Specifies the name of the entitlement granted.

Example

The following example grants the entitlement myEntitlement in the stripe myApplication to the principal myPrincipalName:

wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

grantPermission

Online command that creates a new permission.

Description

Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

codeBaseURL 

Specifies the URL of the code granted the permission.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.

permClass 

Specifies the fully qualified name of the permission class.

permTarget 

Specifies, when available, the name of the permission target. Some permissions may not include this attribute.

permActions 

Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

Example

The following example creates a new application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> grantPermission(appStripe="myApp",  
principalClass="my.custom.Principal",  principalName="manager",
permClass="java.security.AllPermission")

The following example creates a new system permission with the specified data:

wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager",   
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permTarget="/tmp/fileName.ext", permActions="read,write")

importEncryptionKey

Offline command that imports keys from the specified ewallet.p12 file into the domain.

Description

Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.

Syntax

importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

keyFilePath 

Specifies the directory where the ewallet.p12 is located.

keyFilePassword 

Specifies the password used when the file ewallet.p12 was generated.

Example

importEncryptionKey(jpsConfigFile="pathName", keyFilePath="dirloc" ,keyFilePassword="password")

listAppRoles

Online command that lists all roles in an application.

Description

Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoles(appStripe)
Argument Definition
appStripe 

Specifies an application stripe.

Example

The following example returns all roles with application stripe myApp:

wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")

listAppRolesMembers

Online command that lists all members in a role.

Description

Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.

Syntax

listAppRoleMembers(appStripe, appRoleName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

Example

The following example returns all members in the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")

listAppStripes

Online or offline command that lists the application stripes in the policy store.

Description

This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.

Syntax

listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument Definition
configFile  

Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store.

regularExpression 

Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *.

Example

The following (online) invocation returns the list of application stripes in the policy store:

wls:/mydomain/serverConfig> listAppStripes

The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:

wls:/mydomain/serverConfig> listAppStripes(configFile=" 
/home/myFile/jps-config.xml")

The following (online) invocation returns the list of application stripes that contain the prefix App:

wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")

listCodeSourcePermissions

Online command that lists permissions assigned to a source code in global policies.

Description

This command allows listing codebase permissions in global policies.

Syntax

listCodeSourcePermissions([codeBase="codeUrl"])
Argument Definition
codeBaseURL

Specifies the name of the grantee codebase URL.

Example

The following example returns the list permissions assigned to a code source in all global policies:

wls:/mydomain/serverConfig> listCodeSourcePermissions(codeBaseURL="file:/tmp/lib/myJars.jar")

listEntitlement

Online command that lists an entitlement in a specified application stripe.

Description

If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.

Syntax

listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

principalName  

Specifies the name of the principal to match. Optional.

principalClass  

Specifies the class of the principal to match. Optional.

Example

The following example lists all entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlement(appStripe="myApplication")

listEntitlements

Online command that lists the entitlements in an application stripe.

Description

Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.

Syntax

listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument Definition
appStripe  

Specifies the application stripe from where to list entitlements.

resourceTypeName  

Specifies the name of the type of the resources to list. Optional.

resourceName  

Specifies the name of resource to match. Optional.

Examples

The following example lists all the entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")

The following example lists all the entitlements in the stripe myApplication that contain a resource type myResType and a resource whose name match the resource name myResName:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName") 

listPermissions

Online command that lists all permissions granted to a given principal.

Description

Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.

Syntax

listPermissions([appStripe,] principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.

Example

The following example lists all permissions granted to a principal by the policies of application myApp:

wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")
                

The following example lists all permissions granted to a principal by system policies:

wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")

listResourceActions

Online command that lists the resources and actions in an entitlement.

Description

Lists the resources and actions in an entitlement within an application stripe.

Syntax

listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement resides.

permSetName  

Specifies the name of the entitlement whose resources and actions to list.

Example

The following example lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")

listResources

Online command that lists resources in a specified application stripe.

Description

If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.

Syntax

listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument Definition
appStripe  

Specifies the application stripe where the resources are listed.

type  

Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked.

Example

The following example lists all resources of type myResType in the stripe myApplication:

wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")

listResourceTypes

Online command that lists resource types.

Description

Lists all the resource types in a specified application stripe.

Syntax

listResourceTypes(appStripe="appStripeName")
Argument Definition
appStripe  

Specifies the application stripe where the resource types are located.

Example

The following example lists all resource types in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")

listSecurityStoreInfo

Offline command that lists the type, the location, and the administrative user of the domain security store.

Description

The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).

Syntax

listSecurityStoreInfo(domainConfig="configFilePath")
Argument Definition
domainConfig  

Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory.

Example

The following example returns the type, location, and administrative user of the OPSS policy store:

wls:/mydomain/serverConfig> listSecurityStoreInfo(domainConfig="/home/myConfigPathDirectory/config/fmwconfig")

The following lines illustrate a sample output generated by this command:

For jps-config.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1555/OWSM.US.COM
User: DEV_OPSS
Datasource: jdbc/OpssDataSource
For jps-config-jse.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1521/OWSM.US.COM
User: DEV_OPSS

migrateSecurityStore

Offline command that migrates identities, application-specific, system policies, a specific credential folder, or all credentials.

Description

Migrates security artifacts from a source repository to a target repository. See Migrating with the Script migrateSecurityStore in Securing Applications with Oracle Platform Security Services.

modifyBootStrapCredential

Offline command that updates a bootstrap credential store.

Description

Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.

Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.

Syntax

modifyBootStrapCredential(jpsConfigFile, username, password)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

username

Specifies the distinguished name of the user in the LDAP store.

password

Specifies the password of the user.

Example

Let's assume that the password of the user with the distinguished name cn=orcladmin in the LDAP store has been changed to password, and that the configuration file jps-config.xml is located in the current directory, then the following example changes the password in the bootstrap credential store to password:

wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='password')

Any output regarding the audit service can be disregarded.

reassociateSecurityStore

Online command that migrates the policy and credential stores to an LDAP repository.

Description

The script reassociateSecurityStore migrates the OPSS security store from a source to a target LDAP- or DB-based store, and it resets services in the files jps-config.xml and jps-config-jse.xml to the target repository. It also allows specifying that the OPSS security store be shared with that in a different domain (see optional argument join below). The OPSS binaries and the target policy store must have compatible versions.

For complete details and samples see Securing Applications with Oracle Platform Security Services.

restoreEncryptionKey

Offline command to restore the domain credential encryption key.

Description

Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.

Syntax

restoreEncryptionKey(jpsConfigFile)
Argument Definition
jpsConfigFile  

Specifies the location of the file jps-config.xml relative to the location where the command is run.

Example

restoreEncryptionKey(jpsConfigFile="pathName")

revokeAppRole

Online command that removes a principal from a role.

Description

Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

Syntax

revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 

Specifies an application stripe.

appRoleName 

Specifies a role name.

principalClass 

Specifies the fully qualified name of a class.

principalName 

Specifies the principal name.

Example

The following example removes a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", 
appRoleName="myRole",principalClass="com.example.xyzPrincipal", 
principalName="myPrincipal")

revokeEntitlement

Online command that deletes an entitlement.

Description

Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.

Syntax

revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is deleted.

principalClass  

Specifies the class associated with the principal.

principalName  

Specifies the name of the principal to which the entitlement is revoked.

permSetName  

Specifies the name of the entitlement deleted.

Example

The following example deleted the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

revokePermission

Online command that removes a permission.

Description

Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

Syntax

revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 

Specifies an application stripe. If not specified, the command works on system policies.

codeBaseURL 

Specifies the URL of the code granted the permission.

principalClass 

Specifies the fully qualified name of a class (grantee).

principalName 

Specifies the name of the grantee principal.

permClass 

Specifies the fully qualified name of the permission class.

permTarget 

Specifies, when available, the name of the permission target. Some permissions may not include this attribute.

permActions 

Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

Example

The following example removes the application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> revokePermission(appStripe="myApp",  
principalClass="my.custom.Principal", principalName="manager", 
permClass="java.security.AllPermission")

The following example removes the system permission with the specified data:

wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager",  
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permActions="read,write")

revokeResourceFromEntitlement

Online command that removes a resource from an entitlement.

Description

Removes a resource from an entitlement in a specified application stripe.

Syntax

revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  

Specifies the application stripe where the entitlement is located.

name  

Specifies the name of the entitlement to modify.

resourceName  

Specifies the name of the resource to remove.

resourceType  

Specifies the type of the resource to remove.

actions  

Specifies the comma-separated list of actions to remove.

Example

The following example removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", 
resourceName="myResource", resourceType="myResType", actions="view,edit")

rollOverEncryptionKey

Offline command that changes the domain encryption key.

Description

This offline script replaces the current domain OPSS encryption key with a new one; the current key is not deleted but archived, since it is used to decrypt data that was encrypted using that key.

Note the following important points:

  • This command should be executed from the administration server in the domain. No server restart is needed after its execution.

  • If the domain is the only domain accessing the security store, nothing else is required.

  • However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.

Syntax

rollOVerEncryptionKey(jpsConfigFile="pathName")
Argument Definition

jpsConfigFile

Specifies the location of the file jps-config.xml; either relative to the location where the script is run, or the full path.

Example

The following example lists all resource types in the stripe myApplication:

wls:/mydomain/serverConfig> rollOverEncryptionKey(jpsConfigFile="myConfig")

updateCred

Online command that modifies the type, user name, and password of a credential.

Description

Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.

Syntax

updateCred(map, key, user, password, [desc])
Argument Definition
map 

Specifies a map name (folder).

key 

Specifies a key name.

user 

Specifies the credential user name.

password 

Specifies the credential password.

desc 

Specifies a string describing the credential.

Example

The following example updates a password credential with the specified data:

wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", 
password="password", desc="updated passw cred to connect to app xyz")

updateTrustServiceConfig

Online command that updates the configuration of the domain trust service service with the values passed in a property file.

Description

Updates the trust service domain configuration. In the event of an error, the command returns a WLSTException.

Syntax

updateTrustServiceConfig([providerName="<the provider name>",] 
                          propsFile="<path of properties file>")
Argument Definition
providerName 

Specifies the name of the trust service provider; optional; if unspecified, it defaults to trust.provider.embedded.

propsFile

Specifies the path to the file where the property values are set.

Here is a sample property file:

trust.keystoreType=KSS
trust.keyStoreName=kss://<stripeName>/<keystoreName>
trust.trustStoreName=kss://<stripeName>/<truststoreName>
trust.aliasName=<aliasName>
trust.issuerName=<aliasName>

Note that the list of specified properties differs according to the value of the property trust.keystoreType. The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration. For the list of available properties, see section Trust Service Properties in Securing Applications with Oracle Platform Security Services.

Example

The following example updates the trust store service with the specifications in the file myProps:

wls:/mydomain/serverConfig> updateTrustServiceConfig(providerName="myProvider", propsFile="myProps")