2 OPSS Security Store WLST Commands
Use the WLST security commands listed in Table 2-1 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 2-1 WLST Security Commands
Use this command... | To... | Use with WLST... |
---|---|---|
addBootStrapCredential | Add a credential to the bootstrap credential store. | Offline |
addResourceToEntitlement | Add a resource to an entitlement. | Online |
createAppRole | Create a new application role. | Online |
createCred | Create a new credential. | Online |
createEntitlement | Create an entitlement. | Online |
createResource | Create a resource. | Online |
createResourceType | Create a new resource type. | Online |
deleteAppPolicies | Remove all policies in an application. | Online |
deleteAppRole | Remove an application role. | Online |
deleteCred | Remove a credential. | Online |
deleteEntitlement | Remove an entitlement. | Online |
deleteResource | Remove a resource. | Online |
deleteResourceType | Remove an existing resource type. | Online |
exportEncryptionKey | Export the domain encryption key to a file. | Offline |
getEntitlement | List an entitlement. | Online |
getResourceType | Fetch an existing resource type. | Online |
grantAppRole | Add a principal to a role. | Online |
grantEntitlement | Create an entitlement. | Online |
grantPermission | Create a new permission. | Online |
importEncryptionKey | Import the encryption key from a file. | Offline |
listAppRoles | List all roles in an application. | Online |
listAppRolesMembers | List all members in an application role. | Online |
listAppStripes | List application stripes in the policy store. | Online |
listCodeSourcePermissions | List permissions assigned to a code source in global policies. | Online |
listEntitlement | List an entitlement. | Online |
listEntitlements | List entitlements in an application stripe. | Online |
listPermissions | List all permissions granted to a principal. | Online |
listResourceActions | List actions in a resource. | Online |
listResources | List resources in an application stripe. | Online |
listResourceTypes | List resource types in an application stripe. | Online |
listSecurityStoreInfo | List the type and location of the OPSS security store, and the user allowed to access it. | Offline |
migrateSecurityStore | Migrate policies or credentials from a source repository to a target repository. | Offline |
modifyBootStrapCredential | Update the bootstrap credential store. | Offline |
reassociateSecurityStore | Reassociate policies and credentials to an LDAP repository. | Online |
restoreEncryptionKey | Restore the domain encryption key as it was before the last import. | Offline |
revokeAppRole | Remove a principal from a role. | Online |
revokeEntitlement | Remove an entitlement. | Online |
revokePermission | Remove a permission. | Online |
revokeResourceFromEntitlement | Remove a resource from an entitlement. | Online |
rollOverEncryptionKey | Replace the current domain encryption key with a new one. | Offline |
updateCred | Modify the attribute values of a credential. | Online |
updateTrustServiceConfig | Update the configuration of the trust service. | Online |
Note:
In syntax descriptions, optional arguments are enclosed in square brackets; all other arguments are required.
- addBootStrapCredential
- addResourceToEntitlement
- createAppRole
- createCred
- createEntitlement
- createResource
- createResourceType
- deleteAppPolicies
- deleteAppRole
- deleteCred
- deleteEntitlement
- deleteResource
- deleteResourceType
- exportEncryptionKey
- getEntitlement
- getResourceType
- grantAppRole
- grantEntitlement
- grantPermission
- importEncryptionKey
- listAppRoles
- listAppRolesMembers
- listAppStripes
- listCodeSourcePermissions
- listEntitlement
- listEntitlements
- listPermissions
- listResourceActions
- listResources
- listResourceTypes
- listSecurityStoreInfo
- migrateSecurityStore
- modifyBootStrapCredential
- reassociateSecurityStore
- restoreEncryptionKey
- revokeAppRole
- revokeEntitlement
- revokePermission
- revokeResourceFromEntitlement
- rollOverEncryptionKey
- updateCred
- updateTrustServiceConfig
addBootStrapCredential
Offline command that adds a credential to the bootstrap credential store.
Description
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
Syntax
addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the configuration file. Note: You can specify a jps-config.xml file or a jps-config-jse.xml file for the jpsConfigFile argument. |
map | Specifies the map of the credential to add. |
key | Specifies the key of the credential to add. |
username | Specifies the name of the user in the credential to add. |
password | Specifies the password of the user in the credential to add. |
Example
The following example adds a credential to the bootstrap credential store:
wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='password')
addResourceToEntitlement
Online command that adds a resource with specified actions to an entitlement.
Description
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
Syntax
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to add. |
resourceType | Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions | Specifies the comma-separated list of actions for the added resource. |
Example
The following example adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
createAppRole
Online command that creates a new application role.
Description
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
Syntax
createAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Example
The following example creates a new application role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")
createCred
Online command that creates a new credential in the domain credential store.
Description
Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Syntax
createCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. |
Example
The following example creates a new password credential with the specified data:
wls:/mydomain/serverConfig> createCred(map="myMap", key="myKey", user="myUsr", password="password", desc="updated usr name and passw to connect to app xyz")
createEntitlement
Online command that creates a new entitlement.
Description
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
Syntax
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is created. |
name | Specifies the name of the entitlement created. |
resourceName | Specifies the name of the one resource member of the entitlement created. |
actions | Specifies a comma-separated list of actions for the resource resourceName. |
displayName | Specifies the display name of the entitlement created. Optional. |
description | Specifies the description of the entitlement created. Optional. |
Example
The following example creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:
wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")
createResource
Online command that creates a new resource.
Description
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
Syntax
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is created. |
name | Specifies the name of the resource created. |
type | Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName | Specifies the display name of the resource created. Optional. |
description | Specifies the description of the resource created. Optional. |
Example
The following example creates the resource myResource in the stripe myApplication:
wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")
createResourceType
Online command that creates a new resource type in the domain policy store within a given application stripe.
Description
Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. In the event of an error, the command returns a WLSTException.
Syntax
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where to insert the resource type. |
resourceTypeName | Specifies the name of the resource type to insert. |
displayName | Specifies the name for the resource type used in UI gadgets. |
description | Specifies a brief description of the resource type. |
provider | Specifies the provider for the resource type. |
matcher | Specifies the class of the resource type. If unspecified, it defaults to |
actions | Specifies the actions allowed on instances of the resource type. |
delimeter | Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','. |
Example
The following example creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint", delimeter=";")
deleteAppPolicies
Online command that removes all policies with a given application stripe.
Description
Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.
Syntax
deleteAppPolicies(appStripe)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
Example
The following example removes all policies of application myApp:
wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")
deleteAppRole
Online command that removes an application role.
Description
Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
Syntax
deleteAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Example
The following example removes the role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> deleteAppRole(appStripe="myApp", appRoleName="myRole")
deleteCred
Online command that removes a credential in the domain credential store.
Description
Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
Syntax
deleteCred(map, key)
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
Example
The following example removes the credential with map name myMap and key name myKey:
wls:/mydomain/serverConfig> deleteCred(map="myMap", key="myKey")
deleteEntitlement
Online command that deletes an entitlement.
Description
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
Syntax
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is deleted. |
name | Specifies the name of the entitlement to delete. |
Example
The following example deletes the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")
deleteResource
Online command that deletes a resource.
Description
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.
Syntax
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is deleted. |
name | Specifies the name of the resource deleted. |
type | Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Example
The following example deletes the resource myResource in the stripe myApplication:
wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")
deleteResourceType
Online command that removes a resource type from the domain policy store within a given application stripe.
Description
Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
Syntax
deleteResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to remove the resource type. |
resourceTypeName | Specifies the name of the resource type to remove. |
Example
The following example removes the resource type myResType from the stripe myApplication:
wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")
exportEncryptionKey
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Description
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.
Syntax
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the configuration file. Note: You can specify a jps-config.xml file or a jps-config-jse.xml file for the jpsConfigFile argument. |
keyFilePath | Specifies the directory where the file ewallet.p12 is written. |
keyFilePassword | Specifies the password used to secure the file ewallet.p12. |
Example
The following example writes the file ewallet.p12 in the directory myDir:
exportEncryptionKey(jpsConfigFile="pathName", keyFilePath="myDir", keyFilePassword="password")
getEntitlement
Online command that gets an entitlement.
Description
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
Syntax
getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to access. |
Example
The following example returns the information of the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")
getResourceType
Online command that fetches a resource type from the domain policy store within a given application stripe.
Description
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
Syntax
getResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to fetch the resource type. |
resourceTypeName | Specifies the name of the resource type to fetch. |
Example
The following example fetches the resource type myResType from the stripe myApplication:
wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")
grantAppRole
Online command that adds a principal to a role.
Description
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
Syntax
grantAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. Set the CN or DN attribute value for the user or group from the LDAP server. |
Example
The following example adds a principal to the role with application stripe myApp and role name myRole:
- Granting the application role, setting the CN:
wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp", appRoleName="myRole", principalClass="com.example.xyzPrincipal", principalName="Admin")
- Granting the application role, setting the DN:
wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp", appRoleName="myRole", principalClass="com.example.xyzPrincipal", principalName="cn=Admin,ou=IT,ou=Groups,dc=vm,dc=oracle,dc=com")
For more information, see Doc ID 2858916.1.
grantEntitlement
Online command that grants an entitlement to a named principal.
Description
Grants an entitlement to a specified principal in a specified application stripe.
Syntax
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the principal resides. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal to which the entitlement is granted. |
permSetName | Specifies the name of the entitlement granted. |
Example
The following example grants the entitlement myEntitlement in the stripe myApplication to the principal myPrincipalName:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
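The sections createResourceType, createResource, createEntitlement, createAppRole, grantEntitlement, getEntitlement and listEntitlement above describe one provisioning sequence with a strict ordering (the resource type must exist before the resource, the resource before the entitlement). The following WLST (Jython) script is an added example, not part of the Oracle documentation, that runs that sequence in order, stops at the first WLSTException so no half-built policy is left behind, and grants a scoped entitlement to an application role rather than a blanket permission such as java.security.AllPermission. The admin URL, credentials, stripe, role, resource and matcher class names are placeholders; WLSTException is assumed to be in scope, as it is in a standard WLST session.

```jython
# Added example (not Oracle's code): provision one scoped entitlement in
# dependency order and verify what was stored.
# Run with: $ORACLE_HOME/oracle_common/common/bin/wlst.sh provision_entitlement.py

ADMIN_URL   = 't3://adminhost.example.com:7001'   # placeholder
ADMIN_USER  = 'weblogic'                          # placeholder
ADMIN_PASS  = 'changeit'                          # placeholder; load from a wallet in practice
STRIPE      = 'myApplication'                     # placeholder application stripe
ROLE        = 'ReportViewer'                      # placeholder application role
RES_TYPE    = 'ReportType'                        # placeholder resource type
RES_NAME    = 'QuarterlyReport'                   # placeholder resource
ENTITLEMENT = 'ViewQuarterlyReports'              # placeholder entitlement
# Principal class for application roles, as used in the grantEntitlement example above.
ROLE_CLASS  = 'oracle.security.jps.service.policystore.ApplicationRole'

def step(label, fn):
    """Run one online command; re-raise on failure so the script stops
    instead of continuing with a partially created policy."""
    try:
        fn()
        print 'OK   ' + label
    except WLSTException, e:
        print 'FAIL ' + label + ': ' + str(e)
        raise

connect(ADMIN_USER, ADMIN_PASS, ADMIN_URL)

# 1. Resource type first: createResource and createEntitlement require it
#    to be present in the stripe already.
step('resource type', lambda: createResourceType(appStripe=STRIPE,
        resourceTypeName=RES_TYPE, displayName='Report',
        description='Generated reports', provider='ReportService',
        matcher='com.example.ReportPermission',   # placeholder class
        actions='view;download', delimeter=';'))

# 2. A resource instance of that type.
step('resource', lambda: createResource(appStripe=STRIPE, name=RES_NAME,
        type=RES_TYPE, displayName='Quarterly report'))

# 3. The entitlement starts with exactly one resource; grant only the
#    action the role needs ('view', not 'view,download').
step('entitlement', lambda: createEntitlement(appStripe=STRIPE,
        name=ENTITLEMENT, resourceName=RES_NAME, actions='view',
        description='Read-only access to quarterly reports'))

# 4. The application role that will carry the entitlement.
step('app role', lambda: createAppRole(appStripe=STRIPE, appRoleName=ROLE))

# 5. Bind the entitlement to the role.
step('grant', lambda: grantEntitlement(appStripe=STRIPE,
        principalClass=ROLE_CLASS, principalName=ROLE,
        permSetName=ENTITLEMENT))

# 6. Verify from the store, not from the script's own variables: the
#    entitlement's resources and actions, and the entitlements held by the role.
getEntitlement(appStripe=STRIPE, name=ENTITLEMENT)
listEntitlement(appStripe=STRIPE, principalName=ROLE, principalClass=ROLE_CLASS)

disconnect()
```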
grantPermission
Online command that creates a new permission.
Description
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Syntax
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
Example
The following example creates a new application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following example creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
importEncryptionKey
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Description
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
Syntax
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the configuration file. Note: You can specify a jps-config.xml file or a jps-config-jse.xml file for the jpsConfigFile argument. |
keyFilePath | Specifies the directory where the file ewallet.p12 is located. |
keyFilePassword | Specifies the password used when the file ewallet.p12 was created with exportEncryptionKey. |
Example
The following example imports the encryption key from the file ewallet.p12 located in the directory dirloc:
importEncryptionKey(jpsConfigFile="pathName", keyFilePath="dirloc", keyFilePassword="password")
listAppRoles
Online command that lists all roles in an application.
Description
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
Syntax
listAppRoles(appStripe)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
Example
The following example returns all roles with application stripe myApp:
wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")
listAppRolesMembers
Online command that lists all members in a role.
Description
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
Syntax
listAppRoleMembers(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Example
The following example returns all members in the role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")
listAppStripes
Online or offline command that lists the application stripes in the policy store.
Description
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.
Syntax
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument | Definition |
---|---|
configFile | Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store. |
regularExpression | Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
Example
The following (online) invocation returns the list of application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes()
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes that contain the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
listCodeSourcePermissions
Online command that lists permissions assigned to a code source in global policies.
Description
This command allows listing codebase permissions in global policies.
Syntax
listCodeSourcePermissions([codeBaseURL="codeUrl"])
Argument | Definition |
---|---|
codeBaseURL | Specifies the grantee codebase URL. |
Example
The following example returns the list of permissions assigned to a code source in all global policies:
wls:/mydomain/serverConfig> listCodeSourcePermissions(codeBaseURL="file:/tmp/lib/myJars.jar")
listEntitlement
Online command that lists an entitlement in a specified application stripe.
Description
If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.
Syntax
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe whose entitlements are listed. |
principalName | Specifies the name of the principal to match. Optional. |
principalClass | Specifies the class of the principal to match. Optional. |
Example
The following example lists all entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlement(appStripe="myApplication")
listEntitlements
Online command that lists the entitlements in an application stripe.
Description
Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
Syntax
listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to list entitlements. |
resourceTypeName | Specifies the name of the type of the resources to list. Optional. |
resourceName | Specifies the name of the resource to match. Optional. |
Examples
The following example lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following example lists all the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches the resource name myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
listPermissions
Online command that lists all permissions granted to a given principal.
Description
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Syntax
listPermissions([appStripe,] principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
Example
The following example lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager")
The following example lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
listResourceActions
Online command that lists the resources and actions in an entitlement.
Description
Lists the resources and actions in an entitlement within an application stripe.
Syntax
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement resides. |
permSetName | Specifies the name of the entitlement whose resources and actions to list. |
Example
The following example lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")
listResources
Online command that lists resources in a specified application stripe.
Description
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
Syntax
listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resources are listed. |
type | Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked. |
Example
The following example lists all resources of type myResType in the stripe myApplication:
wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")
listResourceTypes
Online command that lists resource types.
Description
Lists all the resource types in a specified application stripe.
Syntax
listResourceTypes(appStripe="appStripeName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource types are located. |
Example
The following example lists all resource types in the stripe myApplication:
wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")
listSecurityStoreInfo
Offline command that lists the type, the location, and the administrative user of the domain security store.
Description
The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).
Syntax
listSecurityStoreInfo(domainConfig="configFilePath")
Argument | Definition |
---|---|
domainConfig | Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory. |
Example
The following example returns the type, location, and administrative user of the OPSS policy store:
wls:/mydomain/serverConfig> listSecurityStoreInfo(domainConfig="/home/myConfigPathDirectory/config/fmwconfig")
The following lines illustrate a sample output generated by this command:
For jps-config.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1555/OWSM.US.COM
User: DEV_OPSS
Datasource: jdbc/OpssDataSource
For jps-config-jse.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1521/OWSM.US.COM
User: DEV_OPSS
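The output above is plain text, and both configuration files are expected to describe the same OPSS security store, so a difference between the two blocks (in the sample, the endpoints use ports 1555 and 1521) is worth catching before relying on offline tools. The following Python 3 script is an added example and is not part of Oracle's documentation or tooling: it parses the "For <file>" / "Field: value" layout shown above into one dictionary per configuration file and reports the fields that differ between jps-config.xml and jps-config-jse.xml. It assumes that layout is stable; the embedded input is the page's own sample output.

```python
"""Parse listSecurityStoreInfo output and compare the two configuration files.

Added example (not Oracle's code). Assumes the output keeps the
"For <file>" / "Field: value" layout shown in the documentation.
"""
import re

# The page's own sample output, embedded here as test input.
SAMPLE_OUTPUT = """\
For jps-config.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1555/OWSM.US.COM
User: DEV_OPSS
Datasource: jdbc/OpssDataSource
For jps-config-jse.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1521/OWSM.US.COM
User: DEV_OPSS
"""

# Non-greedy key so that "Location/Endpoint: jdbc:oracle:..." splits at the first colon.
_FIELD_RE = re.compile(r"^(?P<key>[^:]+?):\s*(?P<value>.*)$")


def parse_store_info(text):
    """Return {config_file: {field: value}} for each 'For <file>' block."""
    stores = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("For "):
            current = line[len("For "):].strip()
            stores[current] = {}
            continue
        match = _FIELD_RE.match(line)
        if match and current is not None:
            stores[current][match.group("key").strip()] = match.group("value").strip()
    return stores


def find_mismatches(stores, fields=("Store Type", "Location/Endpoint", "User")):
    """Fields whose values differ between jps-config.xml and jps-config-jse.xml.

    Returns {field: (value_in_jps_config, value_in_jps_config_jse)}; an empty
    dict means the two files agree on every compared field.
    """
    a = stores.get("jps-config.xml", {})
    b = stores.get("jps-config-jse.xml", {})
    return {f: (a.get(f), b.get(f)) for f in fields if a.get(f) != b.get(f)}


if __name__ == "__main__":
    info = parse_store_info(SAMPLE_OUTPUT)
    for name, values in info.items():
        print(name, values)
    print("mismatches:", find_mismatches(info))
```

Run it on the captured output of the command (for example redirected to a file) instead of SAMPLE_OUTPUT; a non-empty mismatch dictionary is the cue to review the two configuration files before running any of the offline commands in this chapter.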
migrateSecurityStore
Offline command that migrates identities, application-specific, system policies, a specific credential folder, or all credentials.
Description
Migrates security artifacts from a source repository to a target repository. See Migrating with the Script migrateSecurityStore in Securing Applications with Oracle Platform Security Services.
modifyBootStrapCredential
Offline command that updates a bootstrap credential store.
Description
Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
Syntax
modifyBootStrapCredential(jpsConfigFile, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the configuration file. Note: You can specify a jps-config.xml file or a jps-config-jse.xml file for the jpsConfigFile argument. |
username | Specifies the distinguished name of the user in the LDAP store. |
password | Specifies the password of the user. |
Example
Let's assume that the password of the user with the distinguished name cn=orcladmin in the LDAP store has been changed to password, and that the configuration file jps-config.xml is located in the current directory. Then the following example changes the password in the bootstrap credential store to password:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='password')
Any output regarding the audit service can be disregarded.
reassociateSecurityStore
Online command that migrates the policy and credential stores to an LDAP repository.
Description
The script reassociateSecurityStore migrates the OPSS security store from a source to a target LDAP- or DB-based store, and it resets services in the files jps-config.xml and jps-config-jse.xml to the target repository. It also allows specifying that the OPSS security store be shared with that in a different domain (see optional argument join below). The OPSS binaries and the target policy store must have compatible versions.
For complete details and samples see Securing Applications with Oracle Platform Security Services.
restoreEncryptionKey
Offline command to restore the domain credential encryption key.
Description
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
Syntax
restoreEncryptionKey(jpsConfigFile)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the configuration file. Note: You can specify a jps-config.xml file or a jps-config-jse.xml file for the jpsConfigFile argument. |
Example
restoreEncryptionKey(jpsConfigFile="pathName")
revokeAppRole
Online command that removes a principal from a role.
Description
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
Syntax
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. Set the CN or DN attribute value of the user or group from the LDAP server. |
Example
The following examples remove a principal from the role with application stripe myApp and role name myRole:
- Revoking the application role, passing the CN as principalName:
wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", appRoleName="myRole", principalClass="com.example.xyzPrincipal", principalName="Admin")
- Revoking the application role, passing the DN as principalName:
wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", appRoleName="myRole", principalClass="com.example.xyzPrincipal", principalName="cn=Admin,ou=IT,ou=Groups,dc=vm,dc=oracle,dc=com")
For more information, see Doc ID 2858916.1.
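Because principalName may be given either as a bare CN or as the full LDAP DN, scripts that audit or reconcile role membership need to treat both spellings of the same principal as equal. The following Python 3 helper is an added example and not part of Oracle's documentation or tooling: it recognises the DN form (comma-separated attribute=value components with backslash escapes, single-valued RDNs only), extracts the CN, and compares two principal names on that basis. The DN and CN values used in the test are the page's own examples; the escaped-comma case is a constructed input.

```python
"""Normalise a principalName given as CN or as DN to its CN.

Added example (not Oracle's code). Handles RFC 4514-style DNs with
comma-separated, single-valued RDNs and backslash escapes.
"""


def split_dn(dn):
    """Split a DN into [(attr, value), ...], lower-casing attribute names.

    A backslash escapes the next character (so "\\," is a literal comma in a
    value); the backslash itself is dropped from the returned value.
    Raises ValueError when any component is not an attribute=value pair.
    """
    components, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("dangling escape in %r" % dn)
    components.append("".join(buf))

    rdns = []
    for comp in components:
        attr, sep, value = comp.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError("not an attribute=value pair: %r" % comp)
        rdns.append((attr.lower(), value))
    return rdns


def is_dn(name):
    """True when every comma-separated component of name is attribute=value."""
    try:
        split_dn(name)
    except ValueError:
        return False
    return True


def principal_cn(name):
    """Return the CN whether name is a bare CN ("Admin") or a DN ("cn=Admin,ou=IT,...")."""
    if not is_dn(name):
        return name.strip()
    for attr, value in split_dn(name):
        if attr == "cn":
            return value
    raise ValueError("DN has no cn component: %r" % name)


def same_principal(a, b):
    """Case-insensitive comparison of two principal names by their CN."""
    return principal_cn(a).lower() == principal_cn(b).lower()


if __name__ == "__main__":
    dn = "cn=Admin,ou=IT,ou=Groups,dc=vm,dc=oracle,dc=com"
    print(principal_cn("Admin"), principal_cn(dn), same_principal("Admin", dn))
```

Comparing by CN alone is deliberately lenient: two entries in different organisational units can share a CN, so when the directory allows that, compare full DNs instead and use principal_cn only for display.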
revokeEntitlement
Online command that deletes an entitlement.
Description
Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.
Syntax
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is deleted. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal from which the entitlement is revoked. |
permSetName | Specifies the name of the entitlement deleted. |
Example
The following example deletes the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
revokePermission
Online command that removes a permission.
Description
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Syntax
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
Example
The following example removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following example removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
revokeResourceFromEntitlement
Online command that removes a resource from an entitlement.
Description
Removes a resource from an entitlement in a specified application stripe.
Syntax
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to remove. |
resourceType | Specifies the type of the resource to remove. |
actions | Specifies the comma-separated list of actions to remove. |
Example
The following example removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
rollOverEncryptionKey
Offline command that changes the domain encryption key.
Description
This offline script replaces the current domain OPSS encryption key with a new one; the current key is not deleted but archived, since it is used to decrypt data that was encrypted using that key.
Note the following important points:
- This command should be executed from the administration server in the domain. No server restart is needed after its execution.
- If the domain is the only domain accessing the security store, nothing else is required.
- However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.
Syntax
rollOverEncryptionKey(jpsConfigFile="pathName")
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the configuration file. Note: You can specify a jps-config.xml file or a jps-config-jse.xml file for the jpsConfigFile argument. |
Example
The following example rolls over the domain encryption key using the configuration file myConfig:
wls:/mydomain/serverConfig> rollOverEncryptionKey(jpsConfigFile="myConfig")
updateCred
Online command that modifies the type, user name, and password of a credential.
Description
Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Syntax
updateCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. |
Example
The following example updates a password credential with the specified data:
wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", password="password", desc="updated passw cred to connect to app xyz")
updateTrustServiceConfig
Online command that updates the configuration of the domain trust service with the values passed in a property file.
Description
Updates the trust service domain configuration. In the event of an error, the command returns a WLSTException.
Syntax
updateTrustServiceConfig([providerName="<the provider name>",] propsFile="<path of properties file>")
Argument | Definition |
---|---|
providerName | Specifies the name of the trust service provider; optional; if unspecified, it defaults to |
propsFile | Specifies the path to the file where the property values are set. |
Here is a sample property file:
trust.keystoreType=KSS
trust.keyStoreName=kss://<stripeName>/<keystoreName>
trust.trustStoreName=kss://<stripeName>/<truststoreName>
trust.aliasName=<aliasName>
trust.issuerName=<aliasName>
Note that the list of specified properties differs according to the value of the property trust.keystoreType. The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration. For the list of available properties, see section Trust Service Properties in Securing Applications with Oracle Platform Security Services.
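Because an empty value removes a property rather than leaving it unchanged, and because a kss:// store name only makes sense with trust.keystoreType=KSS, it is worth checking a property file before handing it to updateTrustServiceConfig. The following Python 3 checker is an added example and not part of Oracle's documentation or tooling. It assumes Java-properties style key=value lines, that the type is KSS or JKS (as stated above), that KSS store names follow the kss://<stripe>/<name> form of the sample, and that all trust service keys start with "trust." as they do in the sample; it does not know which properties are mandatory for each type (that list is in Securing Applications with Oracle Platform Security Services), so it only enforces the shapes visible here. The embedded property file is a constructed sample.

```python
"""Check a property file for updateTrustServiceConfig before applying it.

Added example (not Oracle's code). Assumptions: key=value lines; type is
KSS or JKS; KSS store names look like kss://<stripe>/<name>; an empty value
means the property will be removed; trust service keys start with "trust.".
"""
import re

# Constructed sample modelled on the documented property file.
# trust.issuerName is intentionally empty: the command will remove it.
SAMPLE_PROPS = """\
# trust service settings (constructed sample)
trust.keystoreType=KSS
trust.keyStoreName=kss://myStripe/myKeystore
trust.trustStoreName=kss://myStripe/myTruststore
trust.aliasName=myAlias
trust.issuerName=
"""

_KSS_URI = re.compile(r"^kss://[^/\s]+/[^/\s]+$")
_STORE_KEYS = ("trust.keyStoreName", "trust.trustStoreName")


def parse_properties(text):
    """Minimal properties parser: '#' or '!' starts a comment, first '=' splits key/value."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line without '=': %r" % line)
        props[key.strip()] = value.strip()
    return props


def split_removals(props):
    """Separate properties that will be set from those the command will remove (empty value)."""
    to_set = {k: v for k, v in props.items() if v != ""}
    to_remove = sorted(k for k, v in props.items() if v == "")
    return to_set, to_remove


def validate_trust_props(props):
    """Return a list of problems; an empty list means the file looks consistent."""
    problems = []
    ks_type = props.get("trust.keystoreType")
    if ks_type is None:
        problems.append("trust.keystoreType is missing")
    elif ks_type not in ("KSS", "JKS"):
        problems.append("trust.keystoreType must be KSS or JKS, got %r" % ks_type)
    for key in _STORE_KEYS:
        value = props.get(key)
        if not value:
            continue  # absent or marked for removal; nothing to shape-check
        if ks_type == "KSS" and not _KSS_URI.match(value):
            problems.append("%s should look like kss://<stripe>/<name>, got %r" % (key, value))
        if ks_type == "JKS" and value.startswith("kss://"):
            problems.append("%s uses a kss:// name but trust.keystoreType is JKS" % key)
    for key in props:
        if not key.startswith("trust."):
            problems.append("unexpected key %r (trust service keys start with 'trust.')" % key)
    return problems


if __name__ == "__main__":
    parsed = parse_properties(SAMPLE_PROPS)
    to_set, to_remove = split_removals(parsed)
    print("will set:", to_set)
    print("will remove:", to_remove)
    print("problems:", validate_trust_props(parsed))
```

Reviewing the "will remove" list is the main value here: a property accidentally left as `name=` in the file silently deletes that setting from the trust service configuration.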
Example
The following example updates the trust store service with the specifications in the file myProps:
wls:/mydomain/serverConfig> updateTrustServiceConfig(providerName="myProvider", propsFile="myProps")