Creates Day-0 Configuration
post
/radius-config/v1/init
Permits administrators to create global or application scoped configuration and RADIUS administrator users or groups to seed initial Day-0 configuration for the first time into Oracle RADIUS Agent. A global configuration is shared between multiple RADIUS clients and an application scoped configuration is restricted to a particular RADIUS client application. This API is unprotected and used only once to seed the initial configurations that does initial wiring with OAA, if required OAA configurations are provided. Note that any REST API call after Day-0 requires RADIUS administrator credentials.
Request
There are no request parameters for this operation.
Supported Media Types
- application/json
Day-0 configuration details
Root Schema : schema
Type:
Show Source
object-
application: object
application
RADIUS client configuration details
-
authentication: object
authentication
Global primary authentication config details
-
logging: object
logging
Logging details
-
mfa: object
mfa
Global multi factor authentication config details
-
preferences: object
preferences
Global preferences config details
-
radiusAdminGroup(required): array
radiusAdminGroup
List of admin groups that are present in directory to manage configurations and RADIUS clients for Oracle RADIUS Agent This is required for day-0 and optional for others
-
radiusAdminUser(required): array
radiusAdminUser
List of admin users that are present in directory to manage configurations and RADIUS clients for Oracle RADIUS Agent This is required for day-0 and optional for others
-
radiusListener: object
radiusListener
Global RADIUS Listener config details
-
server: object
server
Server config details
Nested Schema : application
Type:
objectRADIUS client configuration details
Nested Schema : authentication
Type:
objectGlobal primary authentication config details
Show Source
-
custom: object
custom
Custom Authenticator configuration details
-
ldap: object
ldap
LDAP configuration details
-
provider(required): string
Default Value:
LDAPConfigured authentication provider type -
userCacheCleanupInitialDelay: integer
(int64)
Default Value:
0LUserCache clean up initial delay after which the cleanup thread will start -
userCacheCleanupInterval: integer
(int64)
Default Value:
300000LUser cache cleanup interval -
userCacheCleanupPoolSize: integer
(int32)
Default Value:
1User cache cleanup thread pool size -
userCacheConcurrencyLevel: integer
(int32)
Default Value:
4User cache concurrency level -
userCacheEntryTimeout: integer
(int64)
Default Value:
300000LUser cache entry timeout value in ms
Nested Schema : logging
Type:
objectLogging details
Nested Schema : mfa
Type:
objectGlobal multi factor authentication config details
Show Source
-
oaa(required): object
oaa
OAA configuration details
-
provider(required): string
Default Value:
OAAProvider name
Nested Schema : preferences
Type:
objectGlobal preferences config details
Show Source
-
allowSpecificFactorInPassword: boolean
Default Value:
falseIndicates if directly invoking Specific Factor by enduser is enabled or not -
allowTokenInPassword: boolean
Default Value:
trueIndicates if synchronous login mode (Password, delimiter, token concatenation) is enabled/disabled -
appendDelimiter: string
Default Value:
;Delimiter used for synchronous mode ( Password+delimiter+token)Example:password;123456 -
defaultSecondFactor: string
Default Value:
ChallengeOMATOTPDefault Second Factor. This Factor will be used when no preferred factor is available for the user from OAA's User Preferences and synchronous mode is used in the RADIUS Request -
defaultTokenLength: integer
(int32)
Default Value:
6Length of the token for synchronous login mode. This represents the token length of the DefaultSecondFactor configured -
factorToTokenLengthMap: object
factorToTokenLengthMap
RADIUS Factor to factor token length mapping
-
groupAsSingleString: boolean
Default Value:
falseReturns group details as a single string in response separated by a delimiter that is configured if it's true -
groupAsSingleStringDelimiter: string
Default Value:
,Delimiter used when groups are returned as single string -
groupAttrID: integer
(int32)
Default Value:
1 (for ORACLE)RADIUS attribute ID for the group mapping. Groups are returned as part of this RADIUS attribute -
groupAttrVendorID: integer
(int32)
Default Value:
111 (for ORACLE_ROLE attribute)RADIUS vendor ID for the group mapping. Groups are returned as part of this RADIUS attribute. RADIUS Vendor ID 111 stands for Oracle and a value of -1 needs to be used in order to use any standard RADIUS attribute -
groupNameMapping: object
groupNameMapping
Mappings to map group names in primary authenticator to different values
-
mfaOptions: object
mfaOptions
Additional OAA Provider specific options like "assuranceLevel", "factorChoices" (for auto-wiring of ORA and OAA), "defaultGroup" for setting default group name that is passed to OAA
-
radiusFactorToMFAFactorMap: object
radiusFactorToMFAFactorMap
RadiusAgent's Factor to MFA Provider's Factor mapping. These keywords can be used to invoke a specific factor for MFA
-
returnGroups: boolean
Default Value:
falseIndicates if groups need to be returned during authenticationExample:true/false -
userAttrMap: array
userAttrMap
Represents mapping for user attributes from primary authenticator to specified RADIUS Attributes which are to be returned during authentication
Nested Schema : radiusAdminGroup
Type:
arrayList of admin groups that are present in directory to manage configurations and RADIUS clients for Oracle RADIUS Agent This is required for day-0 and optional for others
Show Source
Example:
[ "cn=group1,ou=groups,dc=example,dc=com","cn=group2,ou=groups,dc=example,dc=com" ]
OR
[ "group1"," + "group2" ]Nested Schema : radiusAdminUser
Type:
arrayList of admin users that are present in directory to manage configurations and RADIUS clients for Oracle RADIUS Agent This is required for day-0 and optional for others
Show Source
Example:
[ "cn=radiusAdminUser,ou=people,dc=example,dc=com","cn=adminUser,ou=people,dc=example,dc=com" ]
OR
[ "radiusAdminUser"," + "adminUser" ]Nested Schema : radiusListener
Type:
objectGlobal RADIUS Listener config details
Show Source
-
channelSelectTimeout: integer
(int64)
Default Value:
120000UDP NIO channel selection timeout in ms -
coreThreadPoolSize: integer
(int32)
Default Value:
10CorePoolSize value for the underlying ThreadPoolExecutor of the worker threads -
numberOfWorkerThreads: integer
(int32)
Default Value:
20The number of worker threads configured, maximum PoolSize value for the underlying ThreadPoolExecutor of the worker threads -
requestCacheCleanupInitialDelay: integer
(int64)
Default Value:
0Request Cache Cleanup Thread's initial delay -
requestCacheCleanupInterval: integer
(int64)
Default Value:
60000Request cache cleanup thread's interval -
requestCacheCleanupPoolSize: integer
(int32)
Default Value:
0Request Cache Cleanup Thread Pool Size -
requestCacheConcurrencyLevel: integer
(int32)
Default Value:
6Request Cache's concurrency level -
requestCacheEntryTimeout: integer
(int64)
Default Value:
30000Request cache's entry timeout value in milliseconds -
socketSOTimeout: integer
(int32)
Default Value:
1800000The underlying socket SO timeout in ms -
threadPoolKeepAliveTime: integer
(int64)
Default Value:
10000Thread Pool Keep Alive Time for the underlying ThreadPoolExecutor of the worker threads -
threadPoolMaxQueueSize: integer
(int32)
Default Value:
0Allowed maximum queue size value for the underlying queue used by ThreadPoolExecutor of the worker threads
Nested Schema : server
Type:
objectServer config details
Show Source
-
customDictionary: string
Custom RADIUS dictionary file that contain definitions for vendor specific attributes
-
customDictionaryAsStream: array
customDictionaryAsStream
Custom dictionary file as stream
-
customDictionaryFileAsStream: array
customDictionaryFileAsStream
-
enableDynamicClients: boolean
Default Value:
falseIndicates if dynamic clients are allowed or not -
enableMetrics: boolean
Default Value:
trueIndicates if metrics is enabled -
heartBeatInterval: integer
(int32)
Default Value:
120000Configured heartbeat thread invocation interval in ms to check availability of authenticator like LDAP -
stateCacheConcurrencyLevel: integer
(int32)
Default Value:
6State Attribute Cache's concurrency Level -
stateCacheEntryTimeout: integer
(int64)
Default Value:
120000State Attribute Cache's Entry Timeout -
validatedTokenCacheConcurrencyLevel: integer
(int32)
Default Value:
6Validated MFA Token Cache's concurrency Level -
validatedTokenCacheEntryTimeout: integer
(int64)
Default Value:
60000Validated MFA Token Cache's Entry Timeout
Nested Schema : custom
Type:
objectCustom Authenticator configuration details
Show Source
-
className: string
Custom authentication provider class name
-
enabled(required): boolean
Default Value:
trueFlag to indicate if it is enabled -
jarsLocation: string
Gets the jars directory for the custom provider
-
name(required): string
Name of the configurationExample:
<name of provider> -
properties: object
properties
Defined properties
-
retryCount: integer
(int32)
Default Value:
1If configured and a value > 0 indicates that the Operation will be retried for the configured number of times in case of a Connection Failure. Retry can be turned off if value = 0 -
retryInterval: integer
(int64)
Default Value:
0When number of retries is > 1, retry interval between two retries in ms -
unrecognizedFields: object
unrecognizedFields
Read Only:
true
Nested Schema : ldap
Type:
objectLDAP configuration details
Show Source
-
authWithoutMFACriteria: string
Based on this filter, matching users are allowed to login using primary factor only when user footprint is not present in MFA
-
baseDN(required): string
The base DN of the LDAP domain that is used by RADIUS Agent for searching users and groupsExample:
dc=example,dc=com -
cipherSuites: array
cipherSuites
Default cipher suites used out of the box
-
connectTimeout: integer
(int64)
Default Value:
5000Time limit in milliseconds within which LDAP connection has to be made -
dn(required): string
The DN of user which RADIUS agent uses to connect to LDAP serverExample:
cn=Directory Manager -
enabled(required): boolean
Default Value:
trueFlag to indicate if it is enabled -
enableMemberOfQuery: boolean
Default Value:
falseEnable memberof searches which relies on group membership to be resolved by the backend LDAP server. OID/OUD returns nested group/dynamic groups along with direct membership while AD returns only direct membership of the user -
groupNamingAttribute: string
Default Value:
cnNaming attribute for groups in LDAP -
initSize: integer
(int32)
Default Value:
5This property indicates the number of connections that are created when connection pool is initialized -
keyFactorAlgorithm: string
Default Value:
RSAAlgorithm with which certificate has been signed -
keystore: string
Keystore file location to be used for SSL mutual authentication
-
keystoreCertificateAliasName: string
Alias name used for referring to the certificate in keystore JKS
-
keystorePassword: string
Password to the keystore file
-
keystoreTruststoreType: string
File type (JKS/PKCS12) when file based truststore/keystore is used. If null, it means certificate itself has been provided
-
ldapUrl(required): string
URL of the LDAP serverExample:
ldaps://<hostname>:<port> -
loginAttr: string
Default Value:
uidThe login attribute name in LDAP for user. This is used to construct filter to lookup user during login -
maxGroupsToFetch: integer
(int32)
Default Value:
0Sets the maximum number of entries to be returned as a result of the search. A value of 0 indicates no limit. (Note: this only applies to the case when group membership query constructed by ORA, and this does not apply to memberof query) -
maxNestedLevels: integer
(int32)
Default Value:
10Maximum depth search should happen for finding out groups a given user is member of in case if nested groups are configured. (Note: this only applies to the case when group membership query constructed by ORA, and this does not apply to memberof query) -
maxSize: integer
(int32)
Default Value:
100The maximum number of connections the pool maintains. If minSize is greater than maxSize then minSize is set to maxSize -
memberAttr: string
LDAP attribute name to be used for group related queries. If not specified then uniquemember and member are used. For AD we need to provide 'member' as its value for nested group searches to workExample:
member -
memberFilteringCriteria: string
Additional filtering criteria for group searches. This condition when present is ANDed with the group membership query filter. Eg: For AD we need to provide (objectclass=group) for nested group search to workExample:
objectclass=group -
memberOfAttribute: string
Default Value:
memberofThe attribute which returns groups a user is member of. OUD works with ismemberof, AD works with memberof while OID supports both memberof and ismemberof -
minSize: integer
(int32)
Default Value:
5The minimum number of connections the pool maintains. If initSize is less than minSize then connection pool is initialized with minSize connections -
name(required): string
Name of the configurationExample:
<name of provider> -
password(required): string
The password of user which RADIUS agent uses to connect to LDAP serverExample:
<password> -
poolIncrementSize: integer
(int32)
Default Value:
5Number of connections to be made at a time when all existing connections are in use and number of connections are less than maxSize -
poolMaintenanceInterval: integer
(int64)
Default Value:
600000Time interval in milliseconds when maintenance thread would run -
poolMaxConnectionIdleTime: integer
(int64)
Default Value:
1500000Time in milliseconds after which an idle connection is expired -
poolMaxConnectionReuseTime: integer
(int64)
Default Value:
-1(No time limit)Time in milliseconds after which a connection is expired -
poolMaxWaitTime: integer
(int64)
Default Value:
20000Time limit in milliseconds for which client will wait for a LDAP connection to be made available -
properties: object
properties
Read Only:
true -
readTimeout: integer
(int64)
Default Value:
30000Time limit in milliseconds for which RADIUS agent will wait for LDAP server to respond back -
referral: string
Default Value:
followSpecifies the behavior when a referral is returned by LDAP server. Check JNDI java.naming.referral for possible values. -
retryCount: integer
(int32)
Default Value:
1If configured and a value > 0 indicates that the Operation will be retried for the configured number of times in case of a Connection Failure. Retry can be turned off if value = 0 -
retryInterval: integer
(int64)
Default Value:
0When number of retries is > 1, retry interval between two retries in ms -
reuseAddress: boolean
Default Value:
trueReuse ports even when it is in TIME_WAIT state -
searchTimeout: integer
(int32)
Default Value:
30000Time limit in milliseconds for LDAP searches -
searchUserBeforeBind: boolean
Default Value:
trueLookup user in LDAP server to get their DN before initiating user login. This can be disabled if LDAP server supports bind using a mapped ID directly (for example: ID mapper in OUD, UPN bind in Active Directory etc.) -
soKeepAlive: boolean
Default Value:
trueEnable keep alive probes for socket connection -
soTimeout: integer
(int32)
Default Value:
0Defines the socket timeout in milliseconds while waiting for data. A value of 0 indicates no timeout -
sslProtocol: string
Default Value:
TLSv1.3, TLSv1.2The cryptographic protocol RADIUS agent would use for connecting to LDAP server for secure connections. Multiple protocols can be given separated by comma -
tcpNoDelay: boolean
Default Value:
falseData is sent as soon as available -
trustedCertificate: string
Trusted certificate in Base 64 formatExample:
BASE 64 FORMAT -
trustedCertificateAliasName: string
Default Value:
ldap-server-trusted-certAlias name to be used for referring to trusted certificate in JKSExample:ldap-server-cert -
truststore: string
Truststore file location in case a JKS file is used for certificates
-
truststorePassword: string
Truststore password. This is optional and needs to be provided if truststore is used instead of a trustedCertificateExample:
<Password> -
userFilteringCriteria: string
Additional filtering criteria to search user. If specified, this filter gets appended with loginAttr (using AND condition)
Nested Schema : properties
Type:
objectDefined properties
Nested Schema : unrecognizedFields
Type:
objectRead Only:
trueNested Schema : cipherSuites
Type:
arrayDefault cipher suites used out of the box
Default Value:
Show Source
None (Uses JVM defaults)Nested Schema : properties
Type:
objectRead Only:
trueNested Schema : oaa
Type:
objectOAA configuration details
Show Source
-
agentgid: string
Agent ID in OAA for registered RADIUS agentExample:
agent1 -
clientId(required): string
Client ID in OAA for registered agent for RADIUS AgentExample:
clientId1 -
clientSecret(required): string
Client Secret in OAA for registered agent for RADIUS AgentExample:
secret1 -
clientType(required): string
Default Value:
radiusClient Type used in OAA for RADIUS agent -
connectTimeout: integer
(int32)
Default Value:
2000OAA API Connection Timeout in Millisecs -
enabled(required): boolean
Default Value:
trueFlag to indicate if it is enabled -
name(required): string
Name of the configurationExample:
<name of provider> -
oaaPolicyUrl: string
OAA Policy URLExample:
https://100.102.48.163:31223/oaa-policy -
oaaUrl(required): string
OAA Service Base URIExample:
https://127.0.0.1:37001/oaa/runtime -
policyUserName: string
OAA Policy UsernameExample:
oaa20210128t000000-oaa-policy -
policyUserPassword: string
OAA Policy PasswordExample:
oaaPolicyPassword1 -
properties: object
properties
Read Only:
true -
readTimeout: integer
(int32)
Default Value:
10000OAA API Read Timeout in Millisecs -
retryCount: integer
(int32)
Default Value:
1If configured and a value > 0 indicates that the Operation will be retried for the configured number of times in case of a Connection Failure. Retry can be turned off if value = 0 -
retryInterval: integer
(int64)
Default Value:
0When number of retries is > 1, retry interval between two retries in ms -
timeToLiveInMs: integer
(int64)
Default Value:
300000Factor Token's Time To Live in MilliSecs
Nested Schema : properties
Type:
objectRead Only:
trueNested Schema : factorToTokenLengthMap
Type:
objectRADIUS Factor to factor token length mapping
Default Value:
{"ChallengeOMATOTP": 6, "ChallengeYubicoOTP": 44}Nested Schema : groupNameMapping
Type:
objectMappings to map group names in primary authenticator to different values
Example:
{"group1":"ORA_GRP_1", "group2":"ORA_GRP_2"}Nested Schema : mfaOptions
Type:
objectAdditional OAA Provider specific options like "assuranceLevel", "factorChoices" (for auto-wiring of ORA and OAA), "defaultGroup" for setting default group name that is passed to OAA
Default Value:
"defaultGroup": "Default"Example:
"assuranceLevel": "Rad_CP0_%RNDM1%"Nested Schema : radiusFactorToMFAFactorMap
Type:
objectRadiusAgent's Factor to MFA Provider's Factor mapping. These keywords can be used to invoke a specific factor for MFA
Default Value:
{"totp": "ChallengeOMATOTP", "yubikey": "ChallengeYubicoOTP", "sms": "ChallengeSMS", "mail": "ChallengeEmail"}Nested Schema : userAttrMap
Type:
arrayRepresents mapping for user attributes from primary authenticator to specified RADIUS Attributes which are to be returned during authentication
Show Source
Example:
{"userAttrVendorID": 111, "userAttrName": "cn"}Nested Schema : UserAttrMapping
Type:
Show Source
object-
attrId: integer
(int32)
Attribute id of the mapped RADIUS user attributeExample:
2 -
attrName: string
User attribute name in primary authenticatorExample:
cn -
vendorId: integer
(int32)
Vendor ID associated with the mapped RADIUS user attributeExample:
111
Response
Supported Media Types
- application/json
200 Response
Initial configuration added successfully.
400 Response
Bad request
Root Schema : ResponseMessage
Type:
Show Source
object-
details: string
Details about the error occurredExample:
Detailed message about the cause of the error. -
errorCode: string
The error code of the error occurredExample:
IRA-00001 -
message: string
Message of the success/errorExample:
Configuration is successfully updated. -
timestamp: string
(date)
Timestamp at which success/error occurredExample:
2021-03-01T15:08:40.933Z[UTC]
409 Response
Initial configuration already present in Oracle RADIUS Agent.
Root Schema : ResponseMessage
Type:
Show Source
object-
details: string
Details about the error occurredExample:
Detailed message about the cause of the error. -
errorCode: string
The error code of the error occurredExample:
IRA-00001 -
message: string
Message of the success/errorExample:
Configuration is successfully updated. -
timestamp: string
(date)
Timestamp at which success/error occurredExample:
2021-03-01T15:08:40.933Z[UTC]