4 Infrastructure Security Custom WLST Commands

This chapter provides detailed descriptions of custom WLST commands for infrastructure security, including command syntax, arguments and command examples.

Note:

If you installed an IDM 11gR2 release, for supported WLST commands, refer to the appropriate WLST command reference in the Oracle online library for your release. For IDM 11gR2 releases prior to PS3, refer to "Infrastructure Security Custom WLST Commands" in WebLogic Scripting Tool Command Reference. For IDM 11gR2 PS3 or higher releases, refer to WebLogic Scripting Tool Command Reference for Identity and Access Management.

The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail. Topics include:

For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Application Security Guide.

Note:

To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide.

4.1 Overview of WLST Security Commands

WLST security commands are divided into the following categories:

Table 4-1 WLST Command Categories

Command Category Description

Audit Configuration Commands

View and manage audit policies and the audit repository configuration

SSL Configuration Commands

View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components.

Oracle Identity Federation Commands

View and manage configuration for Oracle Identity Federation

Directory Integration Platform Commands

For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management

Security Commands

Manage domain and credential domain stores and migrate domain policy store.

Oracle Access Manager Commands

Manage OAM-related components, such as authorization providers, identity asserters, and SSO providers.

Library Oracle Virtual Directory (libOVD) Commands

View and manage Library Oracle Virtual Directory (libOVD) configurations associated with a particular OPSS context.

Identity Directory Service Commands

Manage Identity Directory Service entity attributes, entity definitions, relationships, and default operational configurations.


4.2 Audit Configuration Commands

Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.

Table 4-2 WLST Audit Commands

Use this command... To... Use with WLST...

getNonJavaEEAuditMBeanName

Display the mBean name for a non-Java EE component.

Online

getAuditPolicy

Display audit policy settings.

Online

setAuditPolicy

Update audit policy settings.

Online

getAuditRepository

Display audit repository settings.

Online

setAuditRepository

Update audit repository settings.

Online

listAuditEvents

List audit events for one or all components.

Online

exportAuditConfig

Export a component's audit configuration.

Online

importAuditConfig

Import a component's audit configuration.

Online

createAuditDBView

Create an audit definitions view in the database.

Online

listAuditComponents

List components that can be audited.

Online

registerAudit

Registers audit definitions for a specified component in the audit store.

Online

deregisterAudit

Removes audit definitions of a specified component from the audit store.

Online


For more information, see the Oracle Fusion Middleware Application Security Guide.

4.2.1 getNonJavaEEAuditMBeanName

Online command that displays the mbean name for non-Java EE components.

4.2.1.1 Description

This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.

4.2.1.2 Syntax

getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache.
svrName Specifies the name of the Oracle WebLogic Server.

4.2.1.3 Example

The following interactive command displays the mBean name for an Oracle Internet Directory:

wls:/mydomain/serverConfig> getNonJavaEEAuditMBeanName(instName='inst1', compName='oid1', compType='oid', svrName='AdminServer')

4.2.2 getAuditPolicy

Online command that displays the audit policy settings.

4.2.2.1 Description

This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

4.2.2.2 Syntax

getAuditPolicy([mbeanName, componentType])
Argument Definition
mbeanName Specifies the name of the component audit MBean for non-Java EE components.
componentType Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in jps-config.xml is returned.

4.2.2.3 Examples

The following command displays the audit settings for a Java EE component:

wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
 
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0

The following command displays the audit settings for MBean CSAuditProxyMBean:

wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean,
name=CSAuditProxyMBean')

4.2.3 setAuditPolicy

Online command that updates an audit policy.

4.2.3.1 Description

Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

4.2.3.2 Syntax

setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers],
[removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
Argument Definition
mbeanName Specifies the name of the component audit MBean for non-Java EE components.
filterPreset Specifies the filter preset to be changed.
addSpecialUsers Specifies the special users to be added.
removeSpecialUsers Specifies the special users to be removed.
addCustomEvents Specifies the custom events to be added.
removeCustomEvents Specifies the custom events to be removed.
componentType Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified.
maxDirSize Specifies the maximum size of the log directory.
maxFileSize Specifies the maximum size of the log file.
andCriteria Specifies the and criteria in a custom filter preset definition.
orCriteria Specifies the or criteria in a custom filter preset definition.
componentEventsFile Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create/update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to "Custom".

4.2.3.3 Examples

The following interactive command sets audit policy to None level, and adds users user2 and user3 while removing user1 from the policy:

wls:/mydomain/serverConfig> setAuditPolicy (filterPreset=
'None',addSpecialUsers='user2,user3',removeSpecialUsers='user1')

wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree

FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0

The following interactive command adds login events while removing logout events from the policy:

wls:/mydomain/serverConfig> setAuditPolicy(filterPreset=
'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
 

The following interactive command sets audit policy to a Low level:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully

wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0

The following command sets a custom filter to audit the CheckAuthorization event:

wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
 
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
 
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization

4.2.4 getAuditRepository

Online command that displays audit repository settings.

4.2.4.1 Description

This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). Also displays database configuration if the repository is a database type.

4.2.4.2 Syntax

getAuditRepository 

4.2.4.3 Example

The following command displays audit repository configuration:

wls:/IDMDomain/domainRuntime> getAuditRepository()
Already in Domain Runtime Tree
 
Repository Type:File

4.2.5 setAuditRepository

Online command that updates audit repository settings.

4.2.5.1 Description

This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).

4.2.5.2 Syntax

setAuditRepository([switchToDB],[dataSourceName],[interval])
Argument Definition
switchToDB If true, switches the repository from file to database.
dataSourceName Specifies the name of the data source.
interval Specifies intervals at which the audit loader kicks off.

4.2.5.3 Examples

The following command switches from a file repository to a database repository:

wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true');
Already in Domain Runtime Tree
 
Audit Repository Information updated
 
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
 
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB

The following interactive command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:

wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')

4.2.6 listAuditEvents

Online command that displays a component's audit events.

4.2.6.1 Description

This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

4.2.6.2 Syntax

listAuditEvents([mbeanName],[componentType])
Argument Definition
mbeanName Specifies the name of the component MBean.
componentType Specifies the component type to limit the list to all events of the component type.

4.2.6.3 Examples

The following command displays audit events for the Oracle Platform Security Services component:

wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
 
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message

The following command displays audit events for Oracle HTTP Server:

wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')

The following command displays all audit events:

wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
 
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...

4.2.7 exportAuditConfig

Online command that exports a component's audit configuration.

4.2.7.1 Description

This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

4.2.7.2 Syntax

exportAuditConfig([mbeanName],fileName, [componentType])
Argument Definition
mbeanName Specifies the name of the non-Java EE component MBean.
fileName Specifies the path and file name to which the audit configuration should be exported.
componentType Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in jps-config.xml is exported.

4.2.7.3 Examples

The following interactive command exports the audit configuration for a component:

wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,
name=CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:

wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')

4.2.8 importAuditConfig

Online command that imports a component's audit configuration.

4.2.8.1 Description

This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.

Note:

You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.

4.2.8.2 Syntax

importAuditConfig([mbeanName],fileName, [componentType])
Argument Definition
mbeanName Specifies the name of the non-Java EE component MBean.
fileName Specifies the path and file name from which the audit configuration should be imported.
componentType Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in jps-config.xml is imported.

4.2.8.3 Examples

The following interactive command imports the audit configuration for a component:

wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean,
name='CSAuditProxyMBean',fileName='/tmp/auditconfig')

The following interactive command imports the audit configuration from a file; no mBean is specified:

wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')

4.2.9 createAuditDBView

Creates a SQL script that can generate a view for audit in the database.

4.2.9.1 Description

This command generates a SQL script that you can use to create a database view of the audit definitions of a specified component. The script is written to the specified file and also printed out to the console.

Upon execution, the result of the SQL script depends on the audit model at your site:

  • If using the 11.1.1.6.0 model, and the component is registered in the audit store, the script creates a view using the system component tables (IAU_COMMON, IAU_USERSESSION, IAU_AUDITSERVICE and IAU_CUSTOM) for the specified component.

  • If using the pre-11.1.1.6.0 model, the component is not registered in the audit store but its event definitions reside in the component_events.xml file (in the oracle_common/modules/oracle.iau_11.1.1/components/<componentType> dir), and the view is created using the IAU_BASE and component tables.

4.2.9.2 Syntax

createAuditDBView(fileName, componentType)
Argument Definition
fileName Specifies the path and file name to which the SQL script is written.
componentType The component whose definitions are the basis of the view.

4.2.9.3 Example

wls:/mydomain/serverConfig> 
createAuditDBView(fileName="/tmp/JPSAuditView.sql", componentType="JPS")

4.2.10 listAuditComponents

Lists components that can be audited.

4.2.10.1 Description

This command creates a list of the components that can be audited. It lists components registered in the audit store using both the 11.1.1.6.0 model and the pre-11.1.1.6.0 model.

4.2.10.2 Syntax

listAuditComponents(fileName)
Argument Definition
fileName Specifies the path and file name to which the output is written.

4.2.10.3 Example

listAuditComponents(fileName = "/tmp/complist.txt")

4.2.11 registerAudit

Registers the specified component in the audit store.

4.2.11.1 Description

Adds the event definition and translation content for a specified component to the audit store. If you try to register using the pre-11.1.1.6.0 audit XML schema definition, it is upgraded to the 11.1.1.6.0 XML schema definition and then registered with the audit store.

4.2.11.2 Syntax

registerAudit(xmlFile, [xlfFile], componentType, [mode=OVERWRITE|UPGRADE])
Argument Definition
xmlFile Specifies the Component Event definition file.
xlfFile Specifies the component xlf jar file. Optional.
componentType Specifies the component to be registered.
mode OVERWRITE or UPGRADE. Default is UPGRADE.

4.2.11.3 Example

wls:/mydomain/serverConfig>registerAudit(xmlFile="/tmp/comp.xml", 
xmlFile="/tmp/comp_xlf.jar", componentType="AuditApp", mode="UPGRADE")

4.2.12 deregisterAudit

Removes the event definition and translation content for the specified component from the audit store.

4.2.12.1 Description

Removes an existing event definition and translation content for a specified component or application from the audit store.

4.2.12.2 Syntax

deregisterAudit(componentType)
Argument Definition
componentType Specifies the component whose definitions are to be removed.

4.2.12.3 Example

deregisterAudit(componentType="AuditApp")

4.3 SSL Configuration Commands

Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.

Table 4-3 WLST Commands for SSL Configuration

Use this command... To... Use with WLST...

addCertificateRequest

Generate a certificate signing request in an Oracle wallet.

Online

addSelfSignedCertificate

Add a self-signed certificate to an Oracle wallet.

Online

changeKeyStorePassword

Change the password to a JKS keystore.

Online

changeWalletPassword

Change the password to an Oracle wallet.

Online

configureSSL

Set the SSL attributes for a component listener.

Online

createKeyStore

Create a JKS keystore.

Online

createWallet

Create an Oracle wallet.

Online

deleteKeyStore

Delete a JKS keystore.

Online

deleteWallet

Delete an Oracle wallet.

Online

exportKeyStore

Export a JKS keystore to a file.

Online

exportKeyStoreObject

Export an object from a JKS keystore to a file.

Online

exportWallet

Export an Oracle wallet to a file.

Online

exportWalletObject

Export an object from an Oracle wallet to a file.

Online

generateKey

Generate a key pair in a JKS keystore.

Online

getKeyStoreObject

Display a certificate or other object present in a JKS keystore.

Online

getSSL

Display the SSL attributes for a component listener.

Online

getWalletObject

Display a certificate or other object present in an Oracle wallet.

Online

importKeyStore

Import a JKS keystore from a file.

Online

importKeyStoreObject

Import a certificate or other object from a file to a JKS keystore.

Online

importWallet

Import an Oracle wallet from a file.

Online

importWalletObject

Import a certificate or other object from a file to an Oracle wallet.

Online

listKeyStoreObjects

List all objects present in a JKS keystore.

Online

listKeyStores

List all JKS keystores configured for a component instance.

Online

listWalletObjects

List all objects present in an Oracle wallet.

Online

listWallets

List all Oracle wallets configured for a component instance.

Online

removeKeyStoreObject

Remove a certificate or other object from a component instance's JKS keystore.

Online

removeWalletObject

Remove a certificate or other object from a component instance's Oracle wallet.

Online


For more information, see the Oracle Fusion Middleware Administrator's Guide.

4.3.1 addCertificateRequest

Online command that generates a certificate signing request in an Oracle wallet.

4.3.1.1 Description

This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.

4.3.1.2 Syntax

addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
DN Specifies the Distinguished Name of the key pair entry.
keySize Specifies the key size in bits.

4.3.1.3 Example

The following command generates a certificate signing request with DN cn=www.acme.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')

4.3.2 addSelfSignedCertificate

Online command that adds a self-signed certificate.

4.3.2.1 Description

This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.

4.3.2.2 Syntax

addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
DN Specifies the Distinguished Name of the key pair entry.
keySize Specifies the key size in bits.

4.3.2.3 Example

The following command adds a self-signed certificate with DN cn=www.acme.com, key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')

4.3.3 changeKeyStorePassword

Online command that changes the keystore password.

4.3.3.1 Description

This command changes the password of a Java Keystore (JKS) file for an Oracle Virtual Directory instance.

4.3.3.2 Syntax

changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the filename of the keystore.
currPassword Specifies the current keystore password.
newPassword Specifies the new keystore password.

4.3.3.3 Example

The following command changes the password of file keys.jks for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> changeKeyStorePassword('inst1', 'ovd1', 'ovd','keys.jks', 'currpassword', 'newpassword')

4.3.4 changeWalletPassword

Online command that changes the password of an Oracle wallet.

4.3.4.1 Description

This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.

4.3.4.2 Syntax

changeWalletPassword(instName, compName, compType, walletName,currPassword, newPassword)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the filename of the wallet.
currPassword Specifies the current wallet password.
newPassword Specifies the new wallet password.

4.3.4.3 Example

The following command changes the password for wallet1 from currpassword to newpassword for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> changeWalletPassword('inst1', 'ohs1', 'ohs','wallet1', 'currpassword', 'newpassword')

4.3.5 configureSSL

Online command that sets SSL attributes.

4.3.5.1 Description

This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.

4.3.5.2 Syntax

configureSSL(instName, compName, compType, listener, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ovd', ohs', and 'webcache'.
listener Specifies the name of the component listener to be configured for SSL.
filePath Specifies the absolute path of the properties file containing the SSL attributes to set.

4.3.5.3 Examples

The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:

wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')

The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:

wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')

4.3.6 createKeyStore

Online command that creates a JKS keystore.

4.3.6.1 Description

This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

4.3.6.2 Syntax

createKeyStore(instName, compName, compType, keystoreName, password)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the filename of the keystore file to be created.
password Specifies the keystore password.

4.3.6.3 Example

The following command creates JKS file keys.jks with password password for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> createKeyStore('inst1', 'ovd1', 'ovd','keys.jks', 'password')

4.3.7 createWallet

Online command that creates an Oracle wallet.

4.3.7.1 Description

This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.

4.3.7.2 Syntax

createWallet(instName, compName, compType, walletName, password)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the name of the wallet file to be created.
password Specifies the wallet password.

4.3.7.3 Examples

The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')

The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1:

wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')

4.3.8 deleteKeyStore

Online command that deletes a keystore.

4.3.8.1 Description

This command deletes a keystore for a specified Oracle Virtual Directory instance.

4.3.8.2 Syntax

deleteKeyStore(instName, compName, compType, keystoreName)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file to delete.

4.3.8.3 Example

The following command deletes JKS file keys.jks for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> deleteKeyStore('inst1', 'ovd1', 'ovd','keys.jks')

4.3.9 deleteWallet

Online command that deletes an Oracle wallet.

4.3.9.1 Description

This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).

4.3.9.2 Syntax

deleteWallet(instName, compName, compType, walletName)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the name of the wallet file to be deleted.

4.3.9.3 Example

The following command deletes a wallet named wallet1 for Oracle HTTP Server instance ohs1 in application server instance inst1:

wls:/mydomain/serverConfig> deleteWallet('inst1', 'ohs1', 'ohs','wallet1')

4.3.10 exportKeyStore

Online command that exports the keystore to a file.

4.3.10.1 Description

This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported filename is the same as the keystore name.

4.3.10.2 Syntax

exportKeyStore(instName, compName, compType, keystoreName, password, path)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
path Specifies the absolute path of the directory under which the keystore is exported.

4.3.10.3 Example

The following command exports the keystore keys.jks for Oracle Virtual Directory instance ovd1 to file keys.jks under /tmp:

wls:/mydomain/serverConfig> exportKeyStore('inst1', 'ovd1', 'ovd', 'keys.jks', 'password', '/tmp')

4.3.11 exportKeyStoreObject

Online command that exports an object from a keystore to a file.

4.3.11.1 Description

This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. The certificate signing request is generated before exporting the object. The alias specifies the object to be exported.

4.3.11.2 Syntax

exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'.
path Specifies the absolute path of the directory under which the object is exported as a file named base64.txt.
alias Specifies the alias of the keystore object to be exported.

4.3.11.3 Examples

The following command generates and exports a certificate signing request from the key-pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')

The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')

The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')

4.3.12 exportWallet

Online command that exports an Oracle wallet.

4.3.12.1 Description

This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to file(s) under the given directory. If the exported file is an auto-login only wallet, the file name is 'cwallet.sso'. If it is password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'.

4.3.12.2 Syntax

exportWallet(instName, compName, compType, walletName,password, path)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
path Specifies the absolute path of the directory under which the object is exported.

4.3.12.3 Examples

The following command exports auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to file cwallet.sso under /tmp:

wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')

The following command exports password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp:

wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')

4.3.13 exportWalletObject

Online command that exports a certificate or other wallet object to a file.

4.3.13.1 Description

This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be exported.

4.3.13.2 Syntax

exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'.
path Specifies the absolute path of the directory under which the object is exported as a file base64.txt.
DN Specifies the Distinguished Name of the wallet object being exported.

4.3.13.3 Examples

The following command exports a certificate signing request with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.acme.com')

The following command exports a certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.acme.com')

The following command exports a trusted certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.acme.com')

The following command exports a certificate chain with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:

wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 
'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.acme.com')

4.3.14 generateKey

Online command that generates a key pair in a Java keystore.

4.3.14.1 Description

This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated.

4.3.14.2 Syntax

generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore.
password Specifies the password of the keystore.
DN Specifies the Distinguished Name of the key pair entry.
keySize Specifies the key size in bits.
alias Specifies the alias of the key pair entry in the keystore.
algorithm Specifies the key algorithm. Valid value is 'RSA'.

4.3.14.3 Examples

The following command generates a key pair with DN cn=www.acme.com, key size 1024, algorithm RSA and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey', 'RSA')

The following command is the same as above, except it does not explicitly specify the key algorithm:

wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey')

4.3.15 getKeyStoreObject

Online command that shows details about a keystore object.

4.3.15.1 Description

This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.

4.3.15.2 Syntax

getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'.
index Specifies the index number of the keystore object as returned by the listKeyStoreObjects command.

4.3.15.3 Examples

The following command shows a trusted certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')

The following command shows a certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')

4.3.16 getSSL

Online command that lists the configured SSL attributes.

4.3.16.1 Description

This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.

4.3.16.2 Syntax

getSSL(instName, compName, compType, listener)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'.
listener Specifies the name of the component listener.

4.3.16.3 Example

The following command shows the SSL attributes configured for Oracle Internet Directory instance oid1, in application server instance inst1, for listener sslport1:

wls:/mydomain/serverConfig> getSSL('inst1', 'oid1', 'oid', 'sslport1')

4.3.17 getWalletObject

Online command that displays information about a certificate or other object in an Oracle wallet.

4.3.17.1 Description

This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.

4.3.17.2 Syntax

getWalletObject(instName, compName, compType, walletName, password, type, index)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'.
index Specifies the index number of the wallet object as returned by the listWalletObjects command.

4.3.17.3 Examples

The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')

The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')

The following command shows trusted certificate details for the object with index 0, present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')

4.3.18 importKeyStore

Online command that imports a keystore from a file.

4.3.18.1 Description

This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The component instance name must be unique.

4.3.18.2 Syntax

importKeyStore(instName, compName, compType, keystoreName, password, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore being imported. This name must be unique for this component instance.
password Specifies the password of the keystore.
filePath Specifies the absolute path of the keystore file to be imported.

4.3.18.3 Example

The following command imports the keystore /tmp/keys.jks as file.jks into Oracle Virtual Directory instance ovd1. Subsequently, the keystore is managed through the name file.jks:

wls:/mydomain/serverConfig> importKeyStore('inst1', 'ovd1', 'ovd', 'file.jks',
'password', '/tmp/keys.jks')

4.3.19 importKeyStoreObject

Online command that imports an object from a file to a keystore.

4.3.19.1 Description

This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory, assigning it the specified alias which must be unique in the keystore. If a certificate or certificate chain is being imported, the alias must match that of the corresponding key-pair.

4.3.19.2 Syntax

importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'.
filePath Specifies the absolute path of the file containing the keystore object.
alias Specifies the alias to assign to the keystore object to be imported.

4.3.19.3 Examples

The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey for Oracle Virtual Directory instance ovd1, in application server instance inst1. The file keys.jks must already have an alias mykey for a key-pair whose public key matches that in the certificate being imported:

wls:/mydomain/serverConfig> > importKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')

The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')

4.3.20 importWallet

Online command that imports an Oracle wallet from a file.

4.3.20.1 Description

This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.

4.3.20.2 Syntax

importWallet(instName, compName, compType, walletName, password, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet being imported. The name must be unique for the component instance.
password Specifies the password of the wallet.
filePath Specifies the absolute path of the wallet file being imported.

4.3.20.3 Examples

The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:

wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')

The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:

wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')

4.3.21 importWalletObject

Online command that imports a certificate or other object into an Oracle wallet.

4.3.21.1 Description

This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache component or Oracle Internet Directory).When importing a certificate, use the same wallet file from which the certificate signing request was generated.

4.3.21.2 Syntax

importWalletObject(instName, compName, compType, walletName, password, type, filePath)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'.
filePath Specifies the absolute path of the file containing the wallet object.

4.3.21.3 Examples

The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')

The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 
'password', 'Certificate','/tmp/cert.txt')

The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')

4.3.22 listKeyStoreObjects

Online command that lists the contents of a keystore.

4.3.22.1 Description

This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.

4.3.22.2 Syntax

listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'.

4.3.22.3 Examples

The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')

The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')

4.3.23 listKeyStores

Online command that lists all the keystores for a component.

4.3.23.1 Description

This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.

4.3.23.2 Syntax

listKeyStores(instName, compName, compType)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance
compType Specifies the type of component. Valid value is 'ovd'.

4.3.23.3 Example

The following command lists all keystores for Oracle Virtual Directory instance ovd1 in application server instance inst1:

wls:/mydomain/serverConfig> listKeyStores('inst1', 'ovd1', 'ovd')

4.3.24 listWalletObjects

Online command that lists all objects in an Oracle wallet.

4.3.24.1 Description

This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).

4.3.24.2 Syntax

listWalletObjects(instName, compName, compType, walletName, password, type)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'.

4.3.24.3 Examples

The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> > listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')

The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')

The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')

4.3.25 listWallets

Online command that lists all wallets configured for a component instance.

4.3.25.1 Description

This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.

4.3.25.2 Syntax

listWallets(instName, compName, compType)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.

4.3.25.3 Example

The following command lists all wallets for Oracle Internet Directory instance oid1 in application server instance inst1:

wls:/mydomain/serverConfig> listWallets('inst1', 'oid1', 'oid')

4.3.26 removeKeyStoreObject

Online command that removes an object from a keystore.

4.3.26.1 Description

This command removes a certificate request, certificate, trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed if all trusted certificates are being removed.

4.3.26.2 Syntax

removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid value is 'ovd'.
keystoreName Specifies the name of the keystore file.
password Specifies the password of the keystore.
type Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'.
alias Specifies the alias of the keystore object to be removed.

4.3.26.3 Examples

The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'Certificate','mykey')

The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')

The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:

wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 
'ovd','keys.jks', 'password', 'TrustedAll',None)

4.3.27 removeWalletObject

Online command that removes a certificate or other object from an Oracle wallet.

4.3.27.1 Description

This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be removed.

4.3.27.2 Syntax

removeWalletObject(instName, compName, compType, walletName, password, type, DN)
Argument Definition
instName Specifies the name of the application server instance.
compName Specifies the name of the component instance.
compType Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'.
walletName Specifies the name of the wallet file.
password Specifies the password of the wallet.
type Specifies the type of the keystore object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'.
DN Specifies the Distinguished Name of the wallet object to be removed.

4.3.27.3 Examples

The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so we pass null (denoted by None) for the DN parameter:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)

The following command removes a certificate signing request indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.acme.com')

The following command removes a certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.acme.com')

The following command removes a trusted certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:

wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.acme.com')

4.4 Oracle Identity Federation Commands

Use the WLST commands listed in Table 4-4 to view and manage configuration for Oracle Identity Federation.

Table 4-4 WLST Commands for Oracle Identity Federation

Use this command... To... Use with WLST...

addConfigListEntryInMap

Add a configuration list entry to a map.

Online

addConfigMapEntryInMap

Add a configuration map entry to a map.

Online

addConfigPropertyListEntry

Add a configuration property list entry.

Online

addConfigPropertyMapEntry

Add a configuration property map entry to the map.

Online

addCustomAuthnEngine

Add a custom authentication engine.

Online

addCustomSPEngine

Add a custom SP engine.

Online

addFederationListEntryInMap

Add a federations list entry to the map.

Online

addFederationMapEntryInMap

Add a federation map entry to the map.

Online

addFederationPropertyListEntry

Add a federation property list entry.

Online

addFederationPropertyMapEntry

Add a federation property map entry.

Online

deleteCustomAuthnEngine

Delete a custom authentication engine.

Online

deleteCustomSPEngine

Delete a custom SP engine.

Online

deleteProviderFederation

Delete a provider from the federation.

Online

deleteUserFederation

Delete a user from the federation.

Online

changeMessageStore

Change the message store to memory or RDBMS.

Online

changePeerProviderDescription

Change a peer provider's description.

Online

changeSessionStore

Change the session store to memory or RDBMS.

Online

createConfigPropertyList

Create a configuration property list.

Online

createConfigPropertyListInMap

Create a configuration property list in the map.

Online

createConfigPropertyMap

Create a configuration property map.

Online

createConfigPropertyMapInMap

Create a nested configuration property map in a map.

Online

createFederationPropertyList

Create a federation property list.

Online

createFederationPropertyListInMap

Create a federation property list in the map.

Online

createFederationPropertyMap

Create a federation property map.

Online

createFederationPropertyMapInMap

Create a nested federation property map in a map.

Online

createPeerProviderEntry

Create a peer provider entry.

Online

getConfigListValueInMap

Retrieve a configuration list value from the map.

Online

getConfigMapEntryInMap

Retrieve a configuration map value from the map.

Online

getConfigProperty

Retrieve a configuration property entry.

Online

getConfigPropertyList

Retrieve a configuration property list.

Online

getConfigPropertyMapEntry

Retrieve a configuration property map entry.

Online

getFederationListValueInMap

Retrieve a federation list value from the map.

Online

getFederationMapEntryInMap

Retrieve a federation map entry from a nested map.

Online

getFederationProperty

Retrieve a federation property.

Online

getFederationPropertyList

Retrieve the federation property list.

Online

extractproviderprops

Export all provider configuration properties to a text file.

Script

setproviderprops

Set a provider's properties based on an input text file.

Script

getFederationPropertyMapEntry

Retrieve a federation property map entry.

Online

listCustomAuthnEngines

Display the list of custom authentication engines.

Online

listCustomSPEngines

Display the list of custom SP engines.

Online

loadMetadata

Load metadata from a file.

Online

oifStatus

Display the current status of Oracle Identity Federation on the managed server.

Online

removeConfigListInMap

Delete a configuration list in the map.

Online

removeConfigMapEntryInMap

Delete a configuration map entry in the map.

Online

removeConfigMapInMap

Delete a nested configuration map.

Online

removeConfigProperty

Delete a configuration property.

Online

removeConfigPropertyList

Delete a property list.

Online

removeConfigPropertyMap

Delete a property map.

Online

removeConfigPropertyMapEntry

Delete an entry in the property map.

Online

removeFederationListInMap

Delete a federation list in the map.

Online

removeFederationMapInMap

Delete a nested federation map.

Online

removeFederationMapEntryInMap

Delete a nested federation map entry.

Online

removeFederationProperty

Delete a federation property.

Online

removeFederationPropertyList

Delete a federation property list.

Online

removeFederationPropertyMap

Delete a federation property map.

Online

removeFederationPropertyMapEntry

Delete a federation property map entry.

Online

removePeerProviderEntry

Delete a peer provider entry.

Online

setConfigProperty

Set a configuration property.

Online

setCustomAuthnEngine

Define a custom authentication engine.

Online

setCustomSPEngine

Define a custom SP engine.

Online

setFederationProperty

Set a federation property.

Online


For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.

4.4.1 addConfigListEntryInMap

Online command that adds a property value to a map.

4.4.1.1 Description

This command adds a property value to a nested list inside a map in config.xml.

4.4.1.2 Syntax

addConfigListEntryInMap(configName, mapname, listName, value, type)
Argument Definition
configname Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapname Specifies the name of the property to map to be changed in config.xml.
listname Specifies the name of the list.
value Specifies the property value.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.1.3 Example

The following command adds valueA to a map list in server configuration:

wls:/mydomain/serverConfig> addConfigListEntryInMap('serverconfig','mymap','mylistA','valueA','string')

4.4.2 addConfigMapEntryInMap

Online command that adds a nested map property entry in a map.

4.4.2.1 Description

This command that adds a property name/value pair to a map nested inside a map in config.xml.

4.4.2.2 Syntax

addConfigMapEntryInMap(configName, mapname, nestedMapName, propName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapname Specifies the name of the property map to be changed in config.xml.
nestedMapName name of the nested property map to be changed.
propName Specifies the name of the list.
value Specifies the property value.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.2.3 Example

The following command adds a boolean name/value pair to nestedmapB inside the map mymap.

wls:/mydomain/serverConfig> addConfigMapEntryInMap('serverconfig','mymap','nestedmapB','myvarB','true',
'boolean')

4.4.3 addConfigPropertyListEntry

Online command that adds a list property entry to config.xml.

4.4.3.1 Description

This command adds a property value to a list in config.xml.

4.4.3.2 Syntax

addConfigPropertyListEntry(configName, listName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
listName Specifies the name of the property list to be added in config.xml.
value Specifies the new property list value. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.3.3 Example

The following command adds a string value to mylistA.

wls:/mydomain/serverConfig> addConfigPropertyListEntry('serverconfig','mylistA','valueA','string')

4.4.4 addConfigPropertyMapEntry

Online command that adds a property name/value entry in a map in config.xml.

4.4.4.1 Description

This command adds a property name/value entry in a map in config.xml.

4.4.4.2 Syntax

addConfigPropertyMapEntry(configName, mapName, propName, value, type)
Argument Definition
configname Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapname Specifies the name of the property map in config.xml.
propName Specifies the name of the property map.
value Specifies the property map value to be added.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.4.3 Example

The following command adds valueA of string type to a map.

wls:/mydomain/serverConfig> addConfigPropertyMapEntry('serverconfig','mymapA','myvarA','valueA','string')

4.4.5 addCustomAuthnEngine

Online command that adds a custom authentication integration engine.

4.4.5.1 Description

This command adds a custom authentication integration engine to config.xml.

4.4.5.2 Syntax

addCustomAuthnEngine(name, [enabled], [webContext], [authnRelativePath],  [logoutRelativePath], [logoutEnabled])
Argument Definition
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false, default).
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

4.4.5.3 Example

The following command defines an engine named test and enables it.

wls:/mydomain/serverConfig> addCustomAuthnEngine('test','true')

4.4.6 addCustomSPEngine

Online command that adds a custom service provider (SP) engine.

4.4.6.1 Description

This command adds a custom SP integration engine to config.xml.

4.4.6.2 Syntax

addCustomSPEngine(name, [enabled, [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument Definition
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false).
authnMech Specifies the authentication mechanism for the engine.
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

4.4.6.3 Example

The following command adds an engine and gives it a disabled status.

addCustomSPEngine('new engine','false','oracle:fed:authentication:unspecified','webcontext')

4.4.7 addFederationListEntryInMap

Online command that adds a list property entry in a map.

4.4.7.1 Description

This command adds a property value to a nested list inside a map in cot.xml.

4.4.7.2 Syntax

addFederationListEntryInMap(providerID, mapname, listName, value, type)
Argument Definition
providerID Specifies the provider ID.
mapname Specifies the name of the property map to be changed in cot.xml.
listName Specifies the name of the property list to be added to the map.
value Specifies the property list value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.7.3 Example

The following command adds a boolean property list to mymap.

wls:/mydomain/serverConfig> addFederationListEntryInMap('providerB','mymap','mylistB','true','boolean')

4.4.8 addFederationMapEntryInMap

Online command that adds a nested map property entry in a map.

4.4.8.1 Description

This command adds a property name/value pair to a map nested inside a map in cot.xml.

4.4.8.2 Syntax

addFederationMapEntryInMap(providerID, mapname, nestedMapName, propName, value, type)
Argument Definition
providerID Specifies the provider ID.
mapname Specifies the name of the property map to be changed in cot.xml.
nestedMapName Specifies the name of the nested property map to be changed.
propName Specifies the name of the property to be updated in the map.
value Specifies the property value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.8.3 Example

The following command adds a value of type string to the myvarA property in a nested map.

wls:/mydomain/serverConfig> addFederationMapEntryInMap('providerA','mymap','nestedmapA','myvarA','valueA',
'string')

4.4.9 addFederationPropertyListEntry

Online command that adds a list property entry.

4.4.9.1 Description

This command adds a property value to a list in cot.xml.

4.4.9.2 Syntax

addFederationPropertyListEntry(providerID, listName, value, type)
Argument Definition
providerID Specifies the provider ID.
listName Specifies the name of the property list to be updated.
value Specifies the property list value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.9.3 Example

The following command adds a value in string format to a specified property list.

wls:/mydomain/serverConfig> addFederationPropertyListEntry('providerA','mylistA','valueA','string')

4.4.10 addFederationPropertyMapEntry

Online command that a property name/value entry in a map.

4.4.10.1 Description

This command adds a property name/value pair to a map in cot.xml.

4.4.10.2 Syntax

addFederationPropertyMapEntry(providerID, mapName, propName, value, type)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies the name of the property map to be changed in cot.xml.
propName Specifies the name of the property to be added in the map.
value Specifies the property value to be added. The entered value is appended to the list.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.10.3 Example

The following command adds boolean property myvarB to a map.

wls:/mydomain/serverConfig> addFederationPropertyMapEntry('providerA','mymapB','myvarB','true','boolean')

4.4.11 deleteCustomAuthnEngine

Online command that deletes a custom authentication integration engine from the configuration.

4.4.11.1 Description

This command deletes a custom authentication integration engine in config.xml. You must provide the engine ID for an existing custom authentication engine in config.xml.

4.4.11.2 Syntax

deleteCustomAuthnEngine(engineID)
Argument Definition
engineID Specifies the engine ID of an existing engine to be deleted.

4.4.11.3 Example

The following command deletes the authentication engine with ID id1234.

wls:/mydomain/serverConfig> deleteCustomAuthnEngine('id1234')

4.4.12 deleteCustomSPEngine

Online command that deletes a custom service provider (SP) integration engine from the configuration.

4.4.12.1 Description

This command deletes a custom SP integration engine in config.xml. The EngineID for an existing custom SP engine in config.xml must be provided.

4.4.12.2 Syntax

ddeleteCustomSPEngine(engineID)
Argument Definition
engineID Specifies the engine ID of an existing engine to be deleted.

4.4.12.3 Example

The following command deletes the engine with ID id1234.

wls:/mydomain/serverConfig> deleteCustomSPEngine('id1234')

4.4.13 deleteProviderFederation

Online command that deletes federations for given provider.

4.4.13.1 Description

This command deletes federations for given provider ID.

4.4.13.2 Syntax

deleteProviderFederation(providerID)
Argument Definition
providerID Specifies the ProviderID for the peer provider for which federation is to be deleted.

4.4.13.3 Example

The following command deletes providerA:

wls:/mydomain/serverConfig> deleteProviderFederation(providerA)

4.4.14 deleteUserFederation

Online command that deletes federations for given users.

4.4.14.1 Description

This command deletes federations for the given list of users.

4.4.14.2 Syntax

deleteUserFederation([user1, ...])
Argument Definition
user1 Specifies a comma-separated list of users whose federations are to be deleted. At least one user must be specified.

4.4.14.3 Example

The following command deletes federations for three users:

wls:/mydomain/serverConfig> deleteUserFederation(['userA','userB','userC'])

4.4.15 changeMessageStore

Online command that changes the message store between memory and RDBMS.

4.4.15.1 Description

This command changes the message store to memory or RDBMS.

4.4.15.2 Syntax

changeMessageStore(type, [jndiname])
Argument Definition
type Specifies the type of store, RDBMS or Memory. Default is Memory.
jndiname Specifies the jndi name to set for the store. Required if type is RDBMS.

4.4.15.3 Example

The following command changes the message store to RDBMS:

wls:/mydomain/serverConfig> changeMessageStore('RDBMS','jdbc/mydb')

4.4.16 changePeerProviderDescription

Online command that changes the peer provider description.

4.4.16.1 Description

This command updates a peer provider description in cot.xml.

4.4.16.2 Syntax

changePeerProviderDescription(providerID, description)
Argument Definition
providerID Specifies the provider ID.
description Specifies the provider description.

4.4.16.3 Example

The following command updates the description of a provider:

wls:/mydomain/serverConfig> changePeerProviderDescription('providerA','new description')

4.4.17 changeSessionStore

Online command that changes the session store between memory and RDBMS.

4.4.17.1 Description

This command changes the session store to memory or RDBMS.

4.4.17.2 Syntax

changeSessionStore(type, [jndiname])
Argument Definition
type Specifies the type of store, RDBMS or Memory. Default is Memory.
jndiname Specifies the jndi name to set for the store. Required if type is RDBMS.

4.4.17.3 Example

The following command changes the session store to RDBMS.

wls:/mydomain/serverConfig> changeSessionStore('RDBMS','jdbc/mydb')

4.4.18 createConfigPropertyList

Online command that creates a property list.

4.4.18.1 Description

This command creates a property list in config.xml.

4.4.18.2 Syntax

createConfigPropertyList(configName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
listName Specifies the property list name.

4.4.18.3 Example

The following command creates property list mylistA.

wls:/mydomain/serverConfig> createConfigPropertyList('serverconfig','mylistA')

4.4.19 createConfigPropertyListInMap

Online command that creates a property list nested in the property map.

4.4.19.1 Description

This command creates a property list, nested in the property map, in config.xml.

4.4.19.2 Syntax

createConfigPropertyListInMap(configName, mapName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapName Specifies an existing property map to contain the nested list.
listName Specifies the property list name.

4.4.19.3 Example

The following command creates property list mylistA nested in a property map.

wls:/mydomain/serverConfig> createConfigPropertyListInMap('serverconfig','mymapA','mylistA')

4.4.20 createConfigPropertyMap

Online command that creates a property map.

4.4.20.1 Description

This command that creates a property map in config.xml.

4.4.20.2 Syntax

createConfigPropertyMap(configName, mapName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapName Specifies the property map to create.

4.4.20.3 Example

The following command creates property map mymapA:

wls:/mydomain/serverConfig> createConfigPropertyMap('serverconfig','mymapA')

4.4.21 createConfigPropertyMapInMap

Online command that creates a property map.

4.4.21.1 Description

This command that creates a property map in config.xml.

4.4.21.2 Syntax

createConfigPropertyMapInMap(configName, mapName, nestedMapName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapName Specifies the name of an existing property map.
nestedMapName Specifies the name of the property map to create nested inside mapName.

4.4.21.3 Example

The following command creates nested property map nestedmymapA:

wls:/mydomain/serverConfig> createConfigPropertyMapInMap('serverconfig','mymapA','nestedmapA')

4.4.22 createFederationPropertyList

Online command that creates a property list.

4.4.22.1 Description

This command creates a property list in cot.xml.

4.4.22.2 Syntax

createFederationPropertyList(providerID, listName)
Argument Definition
providerID Specifies the provider ID.
listName Specifies the name of the property list.

4.4.22.3 Example

The following command creates property list mylistA:

wls:/mydomain/serverConfig> createFederationPropertyList('providerA','mylistA')

4.4.23 createFederationPropertyListInMap

Online command that creates a property list nested in a property map.

4.4.23.1 Description

This command creates a property list, nested in a property map, in cot.xml.

4.4.23.2 Syntax

createFederationPropertyListInMap(providerID, mapName, listName)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies an existing property map to contain the nested list.
listName Specifies the name of the property list.

4.4.23.3 Example

The following command creates nested property list mylistA:

wls:/mydomain/serverConfig> createFederationPropertyListInMap('providerA','mymapA','mylistA')

4.4.24 createFederationPropertyMap

Online command that creates a property map.

4.4.24.1 Description

This command that creates a property map in cot.xml.

4.4.24.2 Syntax

createFederationPropertyMap(providerID, mapName)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies the name of the property map to be added to cot.xml.

4.4.24.3 Example

The following command creates property map mymapA:

wls:/mydomain/serverConfig> createFederationPropertyMap('providerA','mymapA')

4.4.25 createFederationPropertyMapInMap

Online command that creates a nested property map.

4.4.25.1 Description

This command that creates a property map, nested in another property map, in cot.xml.

4.4.25.2 Syntax

createFederationPropertyMapInMap(providerID, mapName, nestedMapName)
Argument Definition
providerID Specifies the provider ID.
mapName Specifies the name of an existing property map.
nestedMapName Specifies the name of the property map to be nested inside mapName in cot.xml.

4.4.25.3 Example

The following command creates nested property map nestedmapA:

wls:/mydomain/serverConfig> createFederationPropertyMapInMap('providerA','mymapA','nestedmapA')

4.4.26 createPeerProviderEntry

Online command that creates a peer provider property map entry.

4.4.26.1 Description

This command creates a peer provider as a Map property entry to cot.xml.

4.4.26.2 Syntax

createPeerProviderEntry(providerID, description, providerType, version)
Argument Definition
providerID Specifies the provider ID to be created.
description This is the description of the provider ID.
providerType Specifies the provider type of the peer provider to be created.
version Specifies the version of the peer provider to be created.

4.4.26.3 Example

The following command creates a SAML 2.0 service provider:

wls:/mydomain/serverConfig> createPeerProviderEntry('providerA','idp test','SP','SAML2.0')

4.4.27 getConfigListValueInMap

Online command that returns a list nested in a map.

4.4.27.1 Description

This command returns a list, nested in a map, from config.xml.

4.4.27.2 Syntax

getConfigListValueInMap(configName, mapName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the list to be fetched from the map.

4.4.27.3 Example

The following command returns mylistA:

wls:/mydomain/serverConfig> getConfigListValueInMap('serverConfig','mymapA','mylistA')

4.4.28 getConfigMapEntryInMap

Online command that returns a map property entry nested in a map.

4.4.28.1 Description

This command returns a map property entry, nested in a map, from config.xml.

4.4.28.2 Syntax

getConfigMapEntryInMap(configName, mapname, nestedMapName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed.
mapname Specifies the name of the property map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be fetched from the nested map.

4.4.28.3 Example

The following command returns property entry myvarA:

wls:/mydomain/serverConfig> getConfigMapEntryInMap('serverconfig','mymap','nestedmapA','myvarA')

4.4.29 getConfigProperty

Online command that returns a property value.

4.4.29.1 Description

This command returns a property value from config.xml.

4.4.29.2 Syntax

getConfigProperty(configName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed.
propName Specifies the name of the property to be fetched from the nested map.

4.4.29.3 Example

The following command returns property myvarA:

wls:/mydomain/serverConfig> getConfigProperty('serverconfig','myvarA')

4.4.30 getConfigPropertyList

Online command that returns a property list.

4.4.30.1 Description

This command returns a property list from config.xml.

4.4.30.2 Syntax

getConfigPropertyList(configName, listName)
Argument Definition
configName Specifies the configuration name.
listName Specifies the name of the property list to be fetched from config.xml.

4.4.30.3 Example

The following command returns mylistA:

wls:/mydomain/serverConfig> getConfigPropertyList('serverconfig','mylistA')

4.4.31 getConfigPropertyMapEntry

Online command that returns a property value from a map.

4.4.31.1 Description

This command returns a property value from a map in config.xml.

4.4.31.2 Syntax

getConfigPropertyMapEntry(configName, mapName, propName)
Argument Definition
configName Specifies the configuration name (for example, idpsaml20, serverconfig, spsaml20, ...).
mapName Specifies the name of the property map.
propName Specifies the name of the property to be fetched from the map in config.xml.

4.4.31.3 Example

The following command returns property propA:

wls:/mydomain/serverConfig> getConfigPropertyMapEntry('serverconfig','mapA', 'propA')

4.4.32 getFederationListValueInMap

Online command that returns a list value nested in a map.

4.4.32.1 Description

This command returns a list value nested in a map from cot.xml.

4.4.32.2 Syntax

getFederationListValueInMap(providerID, mapName, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the list to be fetched from the map.

4.4.32.3 Example

The following command returns nested list mylistA:

wls:/mydomain/serverConfig> getFederationListValueInMap('providerA','mymapA','mylistA')

4.4.33 getFederationMapEntryInMap

Online command that returns a map property entry nested in a map.

4.4.33.1 Description

This command returns a map property entry, nested in a map, from cot.xml.

4.4.33.2 Syntax

getFederationMapEntryInMap(providerID, mapname, nestedMapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be fetched from the nested map.

4.4.33.3 Example

The following command returns property entry myvarA:

wls:/mydomain/serverConfig> getFederationMapEntryInMap('providerA','mymap','nestedmapA','myvarA')

4.4.34 getFederationProperty

Online command that returns a property value.

4.4.34.1 Description

This command returns a property value from cot.xml.

4.4.34.2 Syntax

getFederationProperty(providerID, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
propName Specifies the name of the property to be fetched from cot.xml.

4.4.34.3 Example

The following command returns property myvarA:

wls:/mydomain/serverConfig> getFederationProperty('providerA','myvarA')

4.4.35 getFederationPropertyList

Online command that returns a property list.

4.4.35.1 Description

This command returns a property list from cot.xml.

4.4.35.2 Syntax

getFederationPropertyList(providerID, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
listName Specifies the name of the list to be fetched from the map.

4.4.35.3 Example

The following command returns list mylistA:

wls:/mydomain/serverConfig> getFederationPropertyList('providerA','mylistA')

4.4.36 extractproviderprops

A WLST script that exports the properties of a provider.

4.4.36.1 Description

A WLST script that extracts all the configuration properties of the specified provider and exports them to a text file. You can later use this file to set the same properties on another provider. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.

4.4.36.2 Syntax

extractproviderprops.py providerID filename
Argument Definition
providerID Specifies the name of the provider whose properties are to be extracted.
filename Specifies the name of the text file to which the provider properties are extracted.

When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.

File Format

The format of the extract file is:

TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE

For example:

X:X:sendattribute:false:boolean
MAP:attributelist/mailemail:datastore-attr:mail:string
LIST:sendattributefornameid:unspecified::string

4.4.37 setproviderprops

A WLST script that sets the properties of a provider using values from a text file.

4.4.37.1 Description

A WLST script that sets the properties of a provider using values from a text file. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.

The text file is generated by the extractproviderprops command.

4.4.37.2 Syntax

setproviderprops.py providerID filename
Argument Definition
providerID Specifies the name of the provider whose properties are to be updated.
filename Specifies the name of the input file from which to read the properties.

When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.

4.4.38 getFederationPropertyMapEntry

Online command that returns a property value from a map.

4.4.38.1 Description

This command returns a property value from a map in cot.xml.

4.4.38.2 Syntax

getFederationPropertyMapEntry(providerID, mapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
propName Specifies the name of the property to be fetched from the nested map.

4.4.38.3 Example

The following command returns property propA from a map:

wls:/mydomain/serverConfig> getFederationPropertyMapEntry('providerA','mapA', 'propA')

4.4.39 listCustomAuthnEngines

Online command that returns a list of custom authentication integration engines.

4.4.39.1 Description

This command returns a list of custom authentication integration engines from config.xml.

4.4.39.2 Syntax

listCustomAuthnEngines()

4.4.39.3 Example

The following command returns the list of all SP engines:

wls:/mydomain/serverConfig> listCustomAuthnEngines()

4.4.40 listCustomSPEngines

Online command that returns a list of custom SP integration engines.

4.4.40.1 Description

This command returns a list of custom service provider (SP) integration engines from config.xml.

4.4.40.2 Syntax

listCustomSPEngines()

4.4.40.3 Example

The following command returns the list of all SP integration engines:

wls:/mydomain/serverConfig> listCustomSPEngines()

4.4.41 loadMetadata

Online command that loads metadata from an input file.

4.4.41.1 Description

This command loads metadata from an input file into cot.xml.

4.4.41.2 Syntax

loadMetadata(metadatafile,description)
Argument Definition
metadatafile Specifies the metadata file of the peer provider to be added or updated.
description This is a brief description of the peer provider to be loaded.

4.4.41.3 Example

The following command loads metadata from the file metadatafile.xml:

wls:/mydomain/serverConfig> loadMetadata('/home/metadatafile.xml','some description')

4.4.42 oifStatus

Online command that reports the current status of the Oracle Identity Federation application in the managed server to which WLST is connected.

4.4.42.1 Description

This command displays the current status of Oracle Identity Federation on the managed server.

4.4.42.2 Syntax

loifStatus('serverurl', 'configfile', 'keyfile')
Argument Definition
serverurl Specifies the URL of the managed server.
configfile This is a pre-defined user configuration file created with the WLST storeUserConfig command.
keyfile This is a pre-defined key file created with the WLST storeUserConfig command

4.4.42.3 Example

The following command provides no arguments; WLST prompts you for the Oracle WebLogic Server username, password, and the managed server URL, then displays the federation server status:

wls:/mydomain/serverConfig> oifStatus()

The following command provides only the managed server URL; WLST prompts you for the Oracle WebLogic Server username and password:

wls:/mydomain/serverConfig> oifStatus('', '', 't3://localhost:7499')

The following command provides all arguments needed for WLST to display the federation server status:

wls:/mydomain/serverConfig> oifStatus('configfileA', 'keyfileB', 't3://localhost:7499')

4.4.43 removeConfigListInMap

Online command that removes a list property nested in a map.

4.4.43.1 Description

This command removes a list property nested in a map from config.xml.

4.4.43.2 Syntax

removeConfigListInMap(configName, mapName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the list to be removed from the map.

4.4.43.3 Example

The following command removes the list property mylistA:

wls:/mydomain/serverConfig> removeConfigListInMap('serverConfig','mymapA','mylistA')

4.4.44 removeConfigMapEntryInMap

Online command that removes a map property nested in a map.

4.4.44.1 Description

This command removes a map property entry nested in a map from config.xml.

4.4.44.2 Syntax

removeConfigMapEntryInMap(configName, mapname, nestedMapName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed.
mapName Specifies the name of the property map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be removed from the nested map.

4.4.44.3 Example

The following command removes the nested property myvarA:

wls:/mydomain/serverConfig> removeConfigMapEntryInMap('serverconfig','mymap','nestedmapA','myvarA')

4.4.45 removeConfigMapInMap

Online command that removes a map property nested in a map.

4.4.45.1 Description

This command removes a map property entry nested in a map from config.xml.

4.4.45.2 Syntax

removeConfigMapEntryInMap(configName, mapName, nestedMapName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapName Specifies the name of the property map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be removed from the nested map.

4.4.45.3 Example

The following command removes the nested property myvarA:

wls:/mydomain/serverConfig> removeConfigMapEntryInMap('serverconfig','mymap','nestedmapA','myvarA')

4.4.46 removeConfigProperty

Online command that removes a configuration property.

4.4.46.1 Description

This command removes a property from config.xml.

4.4.46.2 Syntax

removeConfigProperty(configName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
propName Specifies the name of the property to be removed.

4.4.46.3 Example

The following command removes the property myvarA:

wls:/mydomain/serverConfig> removeConfigProperty('serverconfig','myvarA')

4.4.47 removeConfigPropertyList

Online command that removes a configuration property list.

4.4.47.1 Description

This command removes a property list from config.xml.

4.4.47.2 Syntax

removeConfigPropertyList(configName, listName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
listName Specifies the name of the property list to be removed.

4.4.47.3 Example

The following command removes the property list mylistA:

wls:/mydomain/serverConfig> removeConfigPropertyList('serverconfig','mylistA')

4.4.48 removeConfigPropertyMap

Online command that removes a property map.

4.4.48.1 Description

This command removes a property map in config.xml.

4.4.48.2 Syntax

removeConfigPropertyMap(configName, mapName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapName Specifies the name of the property map to be removed.

4.4.48.3 Example

The following command removes mapA:

wls:/mydomain/serverConfig> removeConfigPropertyMap('serverconfig','mapA')

4.4.49 removeConfigPropertyMapEntry

Online command that removes a property value from a map.

4.4.49.1 Description

This command removes a property value from a map in config.xml.

4.4.49.2 Syntax

removeConfigPropertyMapEntry(configName, mapName, propName)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
mapName Specifies the name of the property map to be updated.
propName Specifies the name of the property to be removed from the map.

4.4.49.3 Example

The following command removes property propA:

wls:/mydomain/serverConfig> removeConfigPropertyMapEntry('serverconfig','mapA', 'propA')

4.4.50 removeFederationListInMap

Online command that removes a property list in a map.

4.4.50.1 Description

This command removes a property list in a map, in cot.xml.

4.4.50.2 Syntax

removeFederationListInMap(providerID, mapName, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map.
listName Specifies the name of the property list to be removed.

4.4.50.3 Example

The following command removes mylistA in mymapA:

wls:/mydomain/serverConfig> removeFederationListInMap('providerA','mymapA','mylistA')

4.4.51 removeFederationMapInMap

Online command that removes a nested map in a map.

4.4.51.1 Description

This command removes a property map nested inside a map in cot.xml.

4.4.51.2 Syntax

removeFederationMapInMap(providerID, mapname, nestedMapName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map containing the nested map.
nestedMapName Specifies the name of the nested property map to be removed.

4.4.51.3 Example

The following command removes nestedmapA in mymap:

wls:/mydomain/serverConfig> removeFederationMapInMap('providerA','mymap','nestedmapA')

4.4.52 removeFederationMapEntryInMap

Online command that removes a nested map property entry in a map.

4.4.52.1 Description

This command removes a property name/value pair to a map nested inside a map in cot.xml.

4.4.52.2 Syntax

removeFederationMapEntryInMap(providerID, mapname, nestedMapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map containing the nested map.
nestedMapName Specifies the name of the nested property map.
propName Specifies the name of the property to be removed from the nested map.

4.4.52.3 Example

The following command removes map property entry myvarA:

wls:/mydomain/serverConfig> removeFederationMapEntryInMap('providerA','mymap','nestedmapA','myvarA')

4.4.53 removeFederationProperty

Online command that removes a property value.

4.4.53.1 Description

This command removes a property entry in cot.xml.

4.4.53.2 Syntax

removeFederationProperty(providerID, propName)
Argument Definition
providerID Specifies the name of the peer provider to be updated.
propName Specifies the name of the property to be removed.

4.4.53.3 Example

The following command removes the provider property myvarA:

wls:/mydomain/serverConfig> removeFederationProperty('providerA','myvarA')

4.4.54 removeFederationPropertyList

Online command that removes a property list entry.

4.4.54.1 Description

This command removes a property list entry in cot.xml.

4.4.54.2 Syntax

removeFederationPropertyList(providerID, listName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
listName Specifies the name of the property list to be removed.

4.4.54.3 Example

The following command removes mylistA:

wls:/mydomain/serverConfig> removeFederationPropertyList('providerA','mylistA')

4.4.55 removeFederationPropertyMap

Online command that removes a property map.

4.4.55.1 Description

This command removes a property map in cot.xml.

4.4.55.2 Syntax

removeFederationPropertyMap(providerID, mapName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map to be removed.

4.4.55.3 Example

The following command removes a map:

wls:/mydomain/serverConfig> removeFederationPropertyMap('providerA','mapA')

4.4.56 removeFederationPropertyMapEntry

Online command that removes a property value from a map.

4.4.56.1 Description

This command removes a property value from a map in cot.xml.

4.4.56.2 Syntax

removeFederationPropertyMapEntry(providerID, mapName, propName)
Argument Definition
providerID Specifies the name of the peer provider to be accessed.
mapName Specifies the name of the property map to be updated.
propName Specifies the name of the property to be removed from the map.

4.4.56.3 Example

The following command removes property propA from a map:

wls:/mydomain/serverConfig> removeFederationPropertyMapEntry('providerA','mapA', 'propA')

4.4.57 removePeerProviderEntry

Online command that removes a peer provider entry.

4.4.57.1 Description

This command removes a peer provider entry from cot.xml.

4.4.57.2 Syntax

removePeerProviderEntry(providerID)
Argument Definition
providerID Specifies the name of the peer provider to be removed.

4.4.57.3 Example

The following command removes providerA:

wls:/mydomain/serverConfig> removePeerProviderEntry('providerA')

4.4.58 setConfigProperty

Online command that sets a property value in config.xml.

4.4.58.1 Description

This command adds or updates a property value in config.xml.

4.4.58.2 Syntax

setConfigProperty(configname, propName, value, type)
Argument Definition
configName Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated.
propName Specifies the name of the property to be added/updated in config.xml.
value Specifies the property value.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.58.3 Example

The following command sets the property myvarA and its value in the server configuration:

wls:/mydomain/serverConfig> setConfigProperty('serverconfig','myvarA','myvalA','string')

4.4.59 setCustomAuthnEngine

Online command that updates a custom authentication integration engine.

4.4.59.1 Description

This command updates a custom authentication integration engine in config.xml.

4.4.59.2 Syntax

setCustomAuthnEngine(engineID, name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument Definition
engineID Specifies the engine ID of an existing engine.
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false).
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

4.4.59.3 Example

The following command updates the configuration of custom authentication engine abcdef:

wls:/mydomain/serverConfig> setCustomAuthnEngine('abcdef',
'custom one','false','oracle:fed:authentication:unspecified','webcontext')

4.4.60 setCustomSPEngine

Online command that updates a custom SP integration engine.

4.4.60.1 Description

This command updates an existing custom SP integration engine in config.xml.

4.4.60.2 Syntax

setCustomSPEngine(engineID, name, [enabled, [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
Argument Definition
engineID Specifies the engine ID of an existing custom engine.
name Specifies the name of the custom engine.
enabled This flag specifies whether the engine is enabled (true) or not (false).
authnMech Specifies the authentication mechanism for the engine.
webContext Specifies the web context for the engine.
authnRelativePath Specifies the authentication relative path URL for the engine.
logoutRelativePath Specifies the logout relative path URL for the engine.
logoutEnabled This flag is set true to enable logout for the engine, else false.

4.4.60.3 Example

The following command sets the name and the enabled flag for the engine with ID engineID2:

wls:/mydomain/serverConfig> setCustomSPEngine('engineid2','test','true')

4.4.61 setFederationProperty

Online command that adds or updates a property value.

4.4.61.1 Description

This command adds a property entry or updates an existing entry in cot.xml.

4.4.61.2 Syntax

setFederationProperty(providerID, propName, value, type)
Argument Definition
providerID Specifies the name of the peer provider to be updated.
propName Specifies the name of the property to be added/updated in cot.xml.
value Specifies the property value.
type Specifies the type of property, BOOLEAN or STRING or LONG.

4.4.61.3 Example

The following command creates the property myvarA and sets its value:

wls:/mydomain/serverConfig> setFederationProperty('providerA','myvarA','myvalA','string')

4.5 Directory Integration Platform Commands

Some of the Directory Integration Platform (DIP) tools use WLST internally, and therefore, there are no custom WLST commands available to run from the WLST command prompt or to use within scripts. For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management.

4.6 Security Commands

Use the WLST security commands listed in Table 4-5 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.

Table 4-5 WLST Security Commands

Use this command... To... Use with WLST...

addBootStrapCredential

Add a credential to the bootstrap credential store.

Offline

addResourceToEntitlement

Add a resource to an entitlement.

Online

createAppRole

Create a new application role.

Online

createCred

Create a new credential.

Online

createEntitlement

Create an entitlement.

Online

createResource

Create a resource.

Online

createResourceType

Create a new resource type.

Online

deleteAppPolicies

Remove all policies in an application.

Online

deleteAppRole

Remove an application role.

Online

deleteCred

Remove a credential.

Online

deleteEntitlement

Remove an entitlement.

Online

deleteResource

Remove a resource.

Online

deleteResourceType

Remove an existing resource type.

Online

exportEncryptionKey

Export the domain encryption key to the file ewallet.p12.

Offline

getEntitlement

List an entitlement.

Online

getResourceType

Fetch an existing resource type.

Online

grantAppRole

Add a principal to a role.

Online

grantEntitlement

Create an entitlement.

Online

grantPermission

Create a new permission.

Online

importEncryptionKey

Import the encryption key in file ewallet.p12 to the domain.

Offline

listAppRoles

List all roles in an application.

Online

listAppRolesMembers

List all members in an application role.

Online

listAppStripes

List application stripes in policy store.

Online

listCodeSourcePermissions

List permissions assigned to a source code in global policies.

Online

listEntitlements

List entitlements in an application stripe.

Online

listPermissions

List all permissions granted to a principal.

Online

listResources

List resources in an application stripe.

Online

listResourceActions

List actions in a resource.

Online

listResourceTypes

List resource types in an application stripe.

Online

listSecurityStoreInfo

List the type and location of the OPSS security store, and the user allowed to access it.

Offline

migrateSecurityStore

Migrate policies or credentials from a source repository to a target repository.

Offline

modifyBootStrapCredential

Update bootstrap credential store

Offline

reassociateSecurityStore

Reassociate policies and credentials to an LDAP repository

Online

restoreEncryptionKey

Restore the domain encryption key as it was before the last importing.

Offline

revokeEntitlement

Remove an entitlement.

Online

revokeAppRole

Remove a principal from a role.

Online

revokePermission

Remove a permission.

Online

revokeResourceFromEntitlement

Remove a resource from an entitlement

Online

rollOverEncryptionKey

Create a new credential store encryption key.

Offline

updateCred

Modify the attribute values of a credential.

Online

updateTrustServiceConfig

Update the trust store configuration.

Online

upgradeSecurityStore

Upgrade security data from data used with release 10.1.x to data used with release 11.

Offline


4.6.1 createAppRole

Online command that creates a new application role.

4.6.1.1 Description

Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

4.6.1.2 Syntax

createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

4.6.1.3 Example

The following invocation creates a new application role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")

4.6.2 deleteAppRole

Online command that removes an application role.

4.6.2.1 Description

Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.

4.6.2.2 Syntax

createAppRole(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

4.6.2.3 Example

The following invocation removes the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")

4.6.3 grantAppRole

Online command that adds a principal to a role.

4.6.3.1 Description

Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

4.6.3.2 Syntax

grantAppRole(appStripe, appRoleName,principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.
principalClass 
Specifies the fully qualified name of a class.
principalName 
Specifies the principal name.

4.6.3.3 Example

The following invocation adds a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp",  
appRoleName="myRole",principalClass="com.example.xyzPrincipal",
principalName="myPrincipal")

4.6.4 revokeAppRole

Online command that removes a principal from a role.

4.6.4.1 Description

Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.

4.6.4.2 Syntax

revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.
principalClass 
Specifies the fully qualified name of a class.
principalName 
Specifies the principal name.

4.6.4.3 Example

The following invocation removes a principal to the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", 
appRoleName="myRole",principalClass="com.example.xyzPrincipal", 
principalName="myPrincipal")

4.6.5 listAppRoles

Online command that lists all roles in an application.

4.6.5.1 Description

Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.

4.6.5.2 Syntax

listAppRoles(appStripe)
Argument Definition
appStripe 
Specifies an application stripe.

4.6.5.3 Example

The following invocation returns all roles with application stripe myApp:

wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")

4.6.6 listAppRolesMembers

Online command that lists all members in a role.

4.6.6.1 Description

Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.

4.6.6.2 Syntax

listAppRoleMembers(appStripe, appRoleName)
Argument Definition
appStripe 
Specifies an application stripe.
appRoleName 
Specifies a role name.

4.6.6.3 Example

The following invocation returns all members in the role with application stripe myApp and role name myRole:

wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")

4.6.7 grantPermission

Online command that creates a new permission.

4.6.7.1 Description

Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

4.6.7.2 Syntax

Optional arguments are enclosed in between square brackets.

grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
codeBaseURL 
Specifies the URL of the code granted the permission.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.
permClass 
Specifies the fully qualified name of the permission class.
permTarget 
Specifies, when available, the name of the permission target. Some permissions may not include this attribute.
permActions 
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

4.6.7.3 Examples

The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> grantPermission(appStripe="myApp",  
principalClass="my.custom.Principal",  principalName="manager",
permClass="java.security.AllPermission")

The following invocation creates a new system permission with the specified data:

wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager",   
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permTarget="/tmp/fileName.ext", permActions="read,write")

4.6.8 revokePermission

Online command that removes a permission.

4.6.8.1 Description

Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.

4.6.8.2 Syntax

Optional arguments are enclosed in between square brackets.

revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
codeBaseURL 
Specifies the URL of the code granted the permission.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.
permClass 
Specifies the fully qualified name of the permission class.
permTarget 
Specifies, when available, the name of the permission target. Some permissions may not include this attribute.
permActions 
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class.

4.6.8.3 Examples

The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:

wls:/mydomain/serverConfig> revokePermission(appStripe="myApp",  
principalClass="my.custom.Principal", principalName="manager", 
permClass="java.security.AllPermission")

The following invocation removes the system permission with the specified data:

wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager",  
permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", 
permActions="read,write")

4.6.9 listPermissions

Online command that lists all permissions granted to a given principal.

4.6.9.1 Description

Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.

4.6.9.2 Syntax

Optional arguments are enclosed in between square brackets.

listPermissions([appStripe,] principalClass, principalName)
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.
principalClass 
Specifies the fully qualified name of a class (grantee).
principalName 
Specifies the name of the grantee principal.

4.6.9.3 Examples

The following invocation lists all permissions granted to a principal by the policies of application myApp:

wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")
                

The following invocation lists all permissions granted to a principal by system policies:

wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")

4.6.10 deleteAppPolicies

Online command that removes all policies with a given application stripe.

4.6.10.1 Description

Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.

4.6.10.2 Syntax

deleteAppPolicies(appStripe)
Argument Definition
appStripe 
Specifies an application stripe. If not specified, the command works on system policies.

4.6.10.3 Example

The following invocation removes all policies of application myApp:

wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")

4.6.11 migrateSecurityStore

Offline command that migrates identities, policies (application-specific and system), credentials, audit, and keystore service artifacts from one repository to another.

For details, see the following sections in Oracle Fusion Middleware Application Security Guide:

4.6.11.1 Description

Migrates identities, application-specific, or system policies from a source repository to a target repository. Migrates a specific credential folder or all credentials.

The kinds of the repositories where the source and target data is stored is transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP-repositories must use an OVD or an OID LDAP server only). In the event of an error, the command returns a WLSTException.

4.6.11.2 Syntax

The command syntax varies depending on the scope (system or application-specific or both) of the policies being migrated.

Optional arguments are enclosed in square brackets.

To migrate identities, use the following syntax:

migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])
                     

To migrate all policies (system and application-specific, for all applications) use the following syntax

migrateSecurityStore(type="policyStore", configFile, src, 
dst,[overWrite,][preserveAppRoleGuid])

To migrate just system policies, use the following syntax:

migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])

To migrate just application-specific policies, for one application, use the following syntax:

migrateSecurityStore(type="appPolicies", configFile,src, dst, srcApp 
[,dstApp] [,overWrite] [,migrateIdStoreMapping][,preserveAppRoleGuid] [,mode])

To migrate all credentials, use the following syntax:

migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])

To migrate just one credential folder, use the following syntax:

migrateSecurityStore(type="folderCred", configFile,src, dst, [srcFolder,]
[dstFolde,] [srcConfigFile,] [overWrite])
Argument Definition
type 
Specifies the type of policies migrates.

To migrate identities, set it to idStore.

To migrate all policies (system and application-specific, for all applications), set to policyStore.

To migrate just system policies, set to globalPolicies.

To migrate just application-specific policies, set to appPolicies.

To migrate all credentials, set to credStore.

To migrate just one credential folder, set to folderCred.

configFile  
Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The configuration file passed need not be an actual domain configuration file, but it can be assembled just to specify the source and destination repositories of the migration.
src 
Specifies the name of a jps-context in the configuration file passed to the argument configFile, where the source store is specified.
dst 
Specifies the name of another jps-context in the configuration file passed to the argument configFile, where the destination store is specified.
srcApp 
Specifies the name of the source application, that is, the application whose policies are being migrated.
dstApp 
Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application.
srcFolder 
Specifies the name of the folder from where credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder.
dstFolder 
Specifies the folder to where the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder.
srcConfigFile 
Specifies the location of an alternate configuration file, and it is used in the special case in which credentials are not configured in the file passed to configFile. This argument is optional. If unspecified, it defaults to the value passed to configFile; if specified, the value passed to configFile is ignored.
overWrite 
Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data.
migrateIdStoreMapping 
Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to False to exclude enterprise policies from the migration of application policies.
dstLdifFile
Specifies the location where the LDIF file will be created. Required only if destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the importing of the file LDIF should be done manually, after the file has been edited to account for the appropriate attributes required in your LDAP server.
preserveAppRoleGuid
Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false, by default. Set to true to preserve GUIDs; set to false to recreated GUIDs.
mode
Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, to migrate just one of the duplicated items, and to log a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict.

Note the following requirements about the passed arguments:

  • The file jps-config.xml is found in the passed location.

  • The file jps-config.xml includes the passed jps-contexts.

  • The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.

4.6.11.3 Example

The following invocation illustrates the migration of the file-based policies of application PolicyServlet1 to file-based policies of application PolicyServlet2, that does not stop on encountering duplicate principals or permissions, that migrates just one of duplicate items, and that logs a warning when duplicates are found:

wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies",  
configFile="jps-congif.xml", src="default1", dst="context2",
srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")
                

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="policystore1.xml" provider="some.provider">
  <property name="location" value="jazn-data1.xml"/>
</serviceInstance>
<serviceInstance name="policystore2.xml" provider="some.provider">
  <property name="location" value="jazn-data2.xml"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="policystore1.xml"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="policystore2.xml"/>
  ...
</jpsContext>

The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but assumed located in the current directory.

The following invocation illustrates the migration of file-based credentials from one location to another:

wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-congif.xml", src="default1", dst="context2")
                

The above invocation assumes that:

  • The file jps-config.xml is located in the directory where the command is run (current directory).

  • That file includes the following elements:

<serviceInstance name="credstore1" provider="some.provider">
  <property name="location" value="./credstore1/cwallet.sso"/>
</serviceInstance>
<serviceInstance name="credstore2" provider="some.provider">
  <property name="location" value="./credstore2/cwallet.sso"/>
</serviceInstance>
...
<jpsContext name="default1">
  <serviceInstanceRef ref="credstore1"/>
  ...
</jpsContext>
<jpsContext name="context2">
  <serviceInstanceRef ref="credstore2"/>
  ...
</jpsContext>

For detailed configuration examples to use with this command, see Oracle Fusion Middleware Application Security Guide.

4.6.12 updateCred

Online command that modifies the type, user name, and password of a credential.

4.6.12.1 Description

Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only. When the command executes successfully no error messages are displayed.

4.6.12.2 Syntax

Optional arguments are enclosed in square brackets.

updateCred(map, key, user, password, [desc])
Argument Definition
map 
Specifies a map name (folder).
key 
Specifies a key name.
user 
Specifies the credential user name.
password 
Specifies the credential password.
desc 
Specifies a string describing the credential.

4.6.12.3 Example

The following invocation updates a password credential with the specified data:

wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", 
password="myPassw", desc="updated passw cred to connect to app xyz")

4.6.13 createCred

Online command that creates a new credential in the domain credential store.

4.6.13.1 Description

Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only. When the command executes successfully no error messages are displayed.

4.6.13.2 Syntax

Optional arguments are enclosed in square brackets.

createCred(map, key, user, password, [desc])
Argument Definition
map  
Specifies a map name (folder).
key 
Specifies a key name.
user 
Specifies the credential user name.
password 
Specifies the credential password.
desc 
Specifies a string describing the credential.

4.6.13.3 Example

The following invocation creates a new password credential with the specified data:

wls:/mydomain/serverConfig> createCred(map="myMap, key="myKey", user="myUsr", 
password="myPassw", desc="updated usr name and passw to connect to app xyz")

4.6.14 deleteCred

Online command that removes a credential in the domain credential store.

4.6.14.1 Description

Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException. When the command executes successfully no error messages are displayed.

4.6.14.2 Syntax

deleteCred(map,key)
Argument Definition
map  
Specifies a map name (folder).
key 
Specifies a key name.

4.6.14.3 Example

The following invocation removes the credential with map name myMap and key name myKey:

wls:/mydomain/serverConfig> deleteCred(map="myApp",key="myKey")

4.6.15 modifyBootStrapCredential

Offline command that updates a bootstrap credential store.

4.6.15.1 Description

Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.

Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.

4.6.15.2 Syntax

modifyBootStrapCredential(jpsConfigFile, username, password)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
username
Specifies the distinguished name of the user in the LDAP store.
password
Specifies the password of the user.

4.6.15.3 Example

Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory.Then the following invocation changes the password in the bootstrap credential store to welcome1:

wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')

Any output regarding the audit service can be disregarded.

4.6.16 addBootStrapCredential

Offline command that adds a credential to the bootstrap credential store.

4.6.16.1 Description

Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.

4.6.16.2 Syntax

addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
map 
Specifies the map of the credential to add.
key 
Specifies the key of the credential to add.
username 
Specifies the name of the user in the credential to add.
password Specifies the password of the user in the credential to add.

4.6.16.3 Example

The following invocation adds a credential to the bootstrap credential store:

wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='myPassword')

4.6.17 exportEncryptionKey

Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.

4.6.17.1 Description

Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.

4.6.17.2 Syntax

exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
keyFilePath 
Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword.
keyFilePassword 
Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file.

4.6.17.3 Example

The following invocation writes the file ewallet.p12 in the directory myDir:

exportEncryptionKey(jpsConfigFile="pathName", keyFilePath="myDir" ,keyFilePassword="password")

4.6.18 importEncryptionKey

Offline command that imports keys from the specified ewallet.p12 file into the domain.

4.6.18.1 Description

Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.

4.6.18.2 Syntax

importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.
keyFilePath 
Specifies the directory where the ewallet.p12 is located.
keyFilePassword 
Specifies the password used when the file ewallet.p12 was generated.

4.6.18.3 Example

importEncryptionKey(jpsConfigFile="pathName", keyFilePath="dirloc" ,keyFilePassword="password")

4.6.19 restoreEncryptionKey

Offline command to restore the domain credential encryption key.

4.6.19.1 Description

Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.

4.6.19.2 Syntax

restoreEncryptionKey(jpsConfigFile)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.

4.6.19.3 Example

restoreEncryptionKey(jpsConfigFile="pathName")

4.6.20 rollOverEncryptionKey

Offline command to create a new domain credential encryption key.

4.6.20.1 Description

Creates a new credential encryption key in the domain wallet. Note the following important points:

  • It should be executed from the administration server in the domain. No server restart is needed after invoking this script.

  • If the domain is the only domain accessing the security store, nothing else is required.

  • However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.

  • On the WebSphere platform, the script name is Opss.rollOverEncryptionKey.

4.6.20.2 Syntax

rollOverEncryptionKey(jpsConfigFile)
Argument Definition
jpsConfigFile  
Specifies the location of the file jps-config.xml relative to the location where the command is run.

4.6.20.3 Example

rollOverEncryptionKey(jpsConfigFile="pathName")

4.6.21 reassociateSecurityStore

Online command that migrates the security store from one repository to another.

For complete details, see section reassociateSecurityStore in Oracle Fusion Middleware Application Security Guide.

4.6.22 upgradeSecurityStore

Offline command that migrates release 10.1.x security data to release 11 security data.

For complete details, see section Upgrading with upgradeSecurityStore in Oracle Fusion Middleware Application Security Guide.

4.6.23 createResourceType

Online command that creates a new resource type in the domain policy store within a given application stripe.

4.6.23.1 Description

Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. Optional arguments are enclosed in between square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.

4.6.23.2 Syntax

Optional arguments are enclosed in square brackets.

createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument Definition
appStripe  
Specifies the application stripe where to insert the resource type.
resourceTypeName 
Specifies the name of the resource type to insert.
displayName 
Specifies the name for the resource type used in UI gadgets.
description 
Specifies a brief description of the resource type.
provider 
Specifies the provider for the resource type.
matchere 
Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission.
actions 
Specifies the actions allowed on instances of the resource type.
delimeter 
Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','.

4.6.23.3 Example

The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:

wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", 
resourceTypeName="resTypeName", displayName="displName", description="A resource
type", provider="Printer", matcher="com.printer.Printer",
actions="BWPrint;ColorPrint" [, delimeter=";"])

4.6.24 getResourceType

Online command that fetches a resource type from the domain policy store within a given application stripe.

4.6.24.1 Description

Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

4.6.24.2 Syntax

getResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  
Specifies the application stripe from where to fetch the resource type.
resourceTypeName 
Specifies the name of the resource type to fetch.

4.6.24.3 Example

The following invocation fetches the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")

4.6.25 deleteResourceType

Online command that removes a resource type from the domain policy store within a given application stripe.

4.6.25.1 Description

Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.

4.6.25.2 Syntax

deleteResourceType(appStripe, resourceTypeName)
Argument Definition
appStripe  
Specifies the application stripe from where to remove the resource type.
resourceTypeName 
Specifies the name of the resource type to remove.

4.6.25.3 Example

The following invocation removes the resource type myResType from the stripe myApplication:

wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")

4.6.26 listSecurityStoreInfo

Offline command that lists the type, the location, and the administrative user of the domain security store.

4.6.26.1 Description

The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).

4.6.26.2 Syntax

listSecurityStoreInfo(domainConfig="configFilePath")
Argument Definition
domainConfig  
Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory.

4.6.26.3 Example

The following invocation returns the type, location, and administrative user of the OPSS policy store:

wls:/mydomain/serverConfig> listSecurityStoreInfo(domainConfig="/home/myConfigPathDirectory/config/fmwconfig")

4.6.27 listAppStripes

Online or offline command that lists the application stripes in the policy store.

4.6.27.1 Description

This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.

If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited.

4.6.27.2 Syntax

listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument Definition
configFile  
Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store.
regularExpression 
Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *.

4.6.27.3 Examples

The following (online) invocation returns the list of application stripes in the policy store:

wls:/mydomain/serverConfig> listAppStripes

The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:

wls:/mydomain/serverConfig> listAppStripes(configFile=" 
/home/myFile/jps-config.xml")

The following (online) invocation returns the list of application stripes that contain the prefix App:

wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")

4.6.28 listCodeSourcePermissions

Online command that lists permissions assigned to a source code in global policies.

4.6.28.1 Description

This command allows listing codebase permissions in global policies.

4.6.28.2 Syntax

listCodeSourcePermissions([codeBase="codeUrl"])
Argument Definition
codeBaseURL
Specifies the name of the grantee codebase URL.

4.6.28.3 Examples

The following invocation returns the list permissions assigned to a code source in all global policies:

wls:/mydomain/serverConfig> listCodeSourcePermissions(codeBaseURL="file:/tmp/lib/myJars.jar")

4.6.29 createResource

Online command that creates a new resource.

4.6.29.1 Description

Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.

4.6.29.2 Syntax

createResource(appStripe="appStripeName", name="resName", type="resTypeName" [,-displayName="dispName"] [,-description="descript"])
Argument Definition
appStripe  
Specifies the application stripe where the resource is created.
name  
Specifies the name of the resource created.
type  
Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked.
displayName  
Specifies the display name of the resource created. Optional.
description  
Specifies the description of the resource created. Optional.

4.6.29.3 Example

The following invocation creates the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")

4.6.30 deleteResource

Online command that deletes a resource.

4.6.30.1 Description

Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.

4.6.30.2 Syntax

deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument Definition
appStripe  
Specifies the application stripe where the resource is deleted.
name  
Specifies the name of the resource deleted.
type  
Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked.

4.6.30.3 Example

The following invocation deletes the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")

4.6.31 listResources

Online command that lists resources in a specified application stripe.

4.6.31.1 Description

If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.

4.6.31.2 Syntax

listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument Definition
appStripe  
Specifies the application stripe where the resources are listed.
type  
Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked.

4.6.31.3 Example

The following invocation lists all resources of type myResType in the stripe myApplication:

wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")

4.6.32 listResourceActions

Online command that lists the resources and actions in an entitlement.

4.6.32.1 Description

Lists the resources and actions in an entitlement within an application stripe.

4.6.32.2 Syntax

listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement resides.
permSetName  
Specifies the name of the entitlement whose resources and actions to list.

4.6.32.3 Example

The following invocation lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")

4.6.33 createEntitlement

Online command that creates a new entitlement.

4.6.33.1 Description

Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.

4.6.33.2 Syntax

createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [,-displayName="dispName"] [,-description="descript"])
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is created.
name  
Specifies the name of the entitlement created.
resourceName  
Specifies the name of the one resource member of the entitlement created.
actions  
Specifies a comma-separated the list of actions for the resource resourceName.
displayName  
Specifies the display name of the resource created. Optional.
description  
Specifies the description of the entitlement created. Optional.

4.6.33.3 Example

The following invocation creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:

wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")

4.6.34 getEntitlement

Online command that gets an entitlement.

4.6.34.1 Description

Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.

4.6.34.2 Syntax

getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to access.

4.6.34.3 Example

The following invocation returns the information of the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")

4.6.35 deleteEntitlement

Online command that deletes an entitlement.

4.6.35.1 Description

Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.

4.6.35.2 Syntax

deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is deleted.
name  
Specifies the name of the entitlement to delete.

4.6.35.3 Example

The following invocation deletes the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")

4.6.36 addResourceToEntitlement

Online command that adds a resource with specified actions to an entitlement.

4.6.36.1 Description

Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.

4.6.36.2 Syntax

addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName",actions="actionList")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to modify.
resourceName  
Specifies the name of the resource to add.
resourceType  
Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked.
actions  
Specifies the comma-separated list of actions for the added resource.

4.6.36.3 Example

The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:

wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", 
name="myEntitlement", resourceName="myResource", resourceType="myResType", 
actions="view,edit")

4.6.37 revokeResourceFromEntitlement

Online command that removes a resource from an entitlement.

4.6.37.1 Description

Removes a resource from an entitlement in a specified application stripe.

4.6.37.2 Syntax

revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is located.
name  
Specifies the name of the entitlement to modify.
resourceName  
Specifies the name of the resource to remove.
resourceType  
Specifies the type of the resource to remove.
actions  
Specifies the comma-separated list of actions to remove.

4.6.37.3 Example

The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", 
resourceName="myResource", resourceType="myResType", actions="view,edit")

4.6.38 listEntitlements

Online command that lists the entitlements in an application stripe.

4.6.38.1 Description

Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.

4.6.38.2 Syntax

listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument Definition
appStripe  
Specifies the application stripe from where to list entitlements.
resourceTypeName  
Specifies the name of the type of the resources to list. Optional.
resourceName  
Specifies the name of resource to match. Optional.

4.6.38.3 Examples

The following invocation lists all the entitlements in the stripe myApplication:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")

The following invocation lists all the entitlements in the stripe myApplication that contain a resource type myResType and a resource whose name match the resource name myResName:

wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName") 

4.6.39 grantEntitlement

Online command that creates a new entitlement.

4.6.39.1 Description

Creates a new entitlement with a specified principal in a specified application stripe.

4.6.39.2 Syntax

grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is created.
principalClass  
Specifies the class associated with the principal.
principalName  
Specifies the name of the principal to which the entitlement is granted.
permSetName  
Specifies the name of the entitlement created.

4.6.39.3 Example

The following invocation creates the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

4.6.40 revokeEntitlement

Online command that deletes an entitlement.

4.6.40.1 Description

Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.

4.6.40.2 Syntax

revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument Definition
appStripe  
Specifies the application stripe where the entitlement is deleted.
principalClass  
Specifies the class associated with the principal.
principalName  
Specifies the name of the principal to which the entitlement is revoked.
permSetName  
Specifies the name of the entitlement deleted.

4.6.40.3 Example

The following invocation deleted the entitlement myEntitlement in the stripe myApplication:

wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", 
principalClass="oracle.security.jps.service.policystore.ApplicationRole", 
principalName="myPrincipalName", permSetName="myEntitlement")

4.6.41 listResourceTypes

Online command that lists resource types.

4.6.41.1 Description

Lists all the resource types in a specified application stripe.

4.6.41.2 Syntax

listResourceTypes(appStripe="appStripeName")
Argument Definition
appStripe  
Specifies the application stripe where the resource types are located.

4.6.41.3 Example

The following invocation lists all resource types in the stripe myApplication:

wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")

4.6.42 updateTrustServiceConfig

Online command that updates the domain trust service configuration values.

4.6.42.1 Description

Updates the trust service configuration with the values passed in a file.

4.6.42.2 Syntax

updateTrustServiceConfig([providerName="<the proverde name>",] propsFile="<path to the property file>")
Argument Definition
providerName  
Specifies the trust service provider name. Optional. If unspecified, it defaults to trust.provider.embedded.
propsFile  
Specifies the path to the property file. Required.

4.6.42.3 Example

The following invocation updates the trust service store with the values specified in the property file myProps:

wls:/mydomain/serverConfig> updateTrustServiceConfig(propsFile="myProps")

The following is a sample property file:

trust.keystoreType=KSS
trust.keyStoreName=kss://<stripeName>/<keystoreName>
trust.trustStoreName=kss://<stripeName>/<truststoreName>
trust.aliasName=<aliasName>
trust.issuerName=<aliasName>

The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration.

4.7 Oracle Access Manager Commands

Use the WLST commands listed in Table 4-6 to manage Oracle Access Manager (OAM)-related components, such as authorization providers, identity asserters, and SSO providers, as well as to display metrics and deployment topology, manage Oracle Access Manager server and agent configuration and logger settings.

Table 4-6 WLST Oracle Access Manager Commands

Use this command... To... Use with WLST...

listOAMAuthnProviderParams

List the parameters set for an Oracle Access Manager authentication or identity assertion provider.

Online

createOAMIdentityAsserter

Create a new identity asserter.

Online

updateOAMIdentityAsserter

Update an existing identity asserter.

Online

createOAMAuthenticator

Create a new authenticator.

Online

deleteOAMAuthnProvider

Delete an existing authentication provider.

Online

updateOAMAuthenticator

Update an existing authenticator.

Online

addOAMSSOProvider

Add a new SSO provider.

Online

displayTopology

List the details of deployed Oracle Access Manager Servers.

Online

Offline

displayMetrics

Display the performance metrics of an Oracle Access Manager Server and domain.

Online

displayOamServer

Display Oracle Access Manager Server configuration details.

Online

Offline

createOamServer

Create an entry for an Oracle Access Manager Server configuration.

Online

Offline

editOamServer

Edit the entry for an Oracle Access Manager Server configuration.

Online

Offline

deleteOamServer

Delete the named Oracle Access Manager Server configuration.

Online

Offline

displayOssoAgent

Display OSSO Agent configuration details.

Online

Offline

editOssoAgent

Edit OSSO Agent configuration details.

Online

Offline

deleteOssoAgent

Delete the named OSSO Agent configuration.

Online

Offline

displayWebgateAgent

Display WebGate Agent configuration details.

Online

Offline

editWebgateAgent

Edit 10g WebGate Agent registration details.

Online

Offline

deleteWebgateAgent

Delete the named 10g WebGate Agent configuration.

Online

Offline

changeLoggerSetting

Change Logger Settings.

Online

Offline

changeConfigDataEncryptionKey

Regenerate the configuration data encryption key and re-encrypt data.

Online

Offline

displayUserIdentityStore

Display a user identity store registration.

Online

Offline

editUserIdentityStore

Edit a user identity store registration.

Online

Offline

createUserIdentityStore

Create a user identity store registration.

Online

Offline

deleteUserIdentityStore

Delete a user identity store registration.

Online

Offline

configRequestCacheType

Configure the SSO server request cache type.

Online

Offline

displayRequestCacheType

Display the SSO server request cache type entry.

Online

Offline

exportPolicy

Export Oracle Access Manager policy data from a test (source) to an intermediate Oracle Access Manager file.

Online

importPolicy

Import Oracle Access Manager policy data from the Oracle Access Manager file specified.

Online

importPolicyDelta

Import Oracle Access Manager policy changes from the Oracle Access Manager file specified.

Online

migratePartnersToProd

Migrate partners from the source Oracle Access Manager Server to the specified target Oracle Access Manager Server.

Online

exportPartners

Export the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.

Online

importPartners

Import the Oracle Access Manager partners from the intermediate Oracle Access Manager file specified.

Online

configureOAAM

Configure the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.

Online

registerOIFDAPPartner

Register Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner.

Online

Offline

enableCoexistMode

Enable the Coexist Mode.

Online

disableCoexistMode

Disable the Coexist Mode.

Online

editGITOValues

Edit GITO configuration parameters.

Online

Offline

editWebgate11gAgent

Edit an 11g WebGate registration.

Online

Offline

deleteWebgate11gAgent

Remove an 11g WebGate Agent registration.

Online

Offline

displayWebgate11gAgent

Display an 11g WebGate Agent registration.

Online

Offline

displayOAMMetrics

Display metrics of OAM Servers.

Online

Offline

updateOIMHostPort

Update the Oracle Identity Manager configuration when integrated with Oracle Access Manager.

Online

Offline

configureOIM

Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.

Online

updateOSSOResponseCookieConfig

Updates OSSO Proxy response cookie settings.

Online

Offline

deleteOSSOResponseCookieConfig

Deletes OSSO Proxy response cookie settings.

Online

Offline

displaySimpleModeGlobalPassphrase

Displays the simple mode global passphrase in plain text from the system configuration.

Online

exportSelectedPartners

Exports selected OAM Partners to the intermediate OAM file specified.

Online

migrateArtifacts

Migrates artifacts based on the input artifact file.

Online

registerThirdPartyTAPPartner

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

Online


4.7.1 listOAMAuthnProviderParams

Online command that lists the values of the parameters in effect in a domain authenticator or identity asserter.

4.7.1.1 Description

Lists the values of the parameters set for a given Oracle Access Manager authenticator or identity asserter. In the event of an error, the command returns a WLSTException.

4.7.1.2 Syntax

listOAMAuthnProviderParams(name)
Argument Definition
name 
Specifies the name of the authenticator or identity asserter.

4.7.1.3 Example

The following invocation lists the parameters and values set for the asserter named myIdAsserter:

listOAMAuthnProviderParams(name="myIdAsserter")

4.7.2 createOAMIdentityAsserter

Online command that creates an Oracle Access Manager identity asserter in the current domain.

4.7.2.1 Description

Creates an identity asserter with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager identity asserter is already configured in the current domain. In the event of an error, the command returns a WLSTException.

4.7.2.2 Syntax

createOAMIdentityAsserter(name)
Argument Definition
name 
Specifies the name of the new identity asserter. If no name is specified, it defaults to "OAMIdentityAsserter".

4.7.2.3 Example

The following invocation creates a new identity asserter named OAMIdentityAsserter:

createOAMIdentityAsserter(name="OAMIdentityAsserter")

4.7.3 updateOAMIdentityAsserter

Online command that updates the values of parameters of the Oracle Access Manager identity asserter in the current domain.

4.7.3.1 Description

Updates the value of given parameters of the domain Oracle Access Manager identity asserter. In the event of an error, the command returns a WLSTException.

4.7.3.2 Syntax

updateOAMIdentityAsserter(name, paramNameValueList)
Argument Definition
name 
Specifies the name of the Oracle Access Manager identity asserter whose parameter values to update.
paramNameValueList Specifies the comma-separated list of pairs of parameter name-value to be updated. The format of each pair is:
paramName="paramValue"

The parameter names that can be updated are the following only:

  • accessGateName—The name of the AccessGate used by the authenticator.

  • accessGatePwd—The password to the AccessGate used by the authenticator.

  • pAccessServer—The name of the primary access server. Values must have the format hostName:portNumber.

  • sAccessServer—The name of the secondary access server. Values must have the format hostName:portNumber.

  • transportSecurity—The mode of communication between AccessGate and OAM Access Server.

  • keystorePwd—The password to access the domain key store.

  • keystorePath—The absolute path of the JKS key store used for SSL communication between the authenticator and OAM Access Server.

  • simpleModePassphrase—The password shared by AccessGate and OAM Access Server in simple communication mode.

  • truststorePath —The absolute path of the JKS trust store used for SSL communication between the authenticator and OAM Access Server.

  • poolMaxConnections—The maximum number of connections in the OAM Server connection pool.

  • poolMinConnections—The minimum number of connections in the OAM Server connection pool.

  • ssoHeaderName—The SSO header name.

  • controlFlag—The JAAS control flag that sets up dependencies among all authenticators in the domain. Values can be only REQUIRED, SUFFICIENT, REQUISITE, or OPTIONAL.

  • appDomain—The name of the application domain.


4.7.3.3 Example

The following invocation updates the parameters accessGateName, accessGatePwd, pAccessServer, and ssoHeaderName in the Oracle Access Manager identity asserter named myIdAsserter:

updateOAMIdentityAsserter(name="myIdAsserter", 
accessGateName="OAM IAP AccessGate", accessGatePwd="welcome1", 
pAccessServer="myhost.domain.com:5543", ssoHeaderName="OAM_SSO_HEADER")

4.7.4 createOAMAuthenticator

Online command that creates an Oracle Access Manager authenticator in the current domain.

4.7.4.1 Description

Creates an Oracle Access Manager authenticator with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager authenticator is already configured in the default security domain. In the event of an error, the command returns a WLSTException.

4.7.4.2 Syntax

createOAMAuthenticator(name)
Argument Definition
name 
Specifies the name of the new authentication provider in the default domain. If no name is specified, it defaults to "OAMAuthenticator".

4.7.4.3 Example

The following invocation creates a new authentication provider named OAMAuthenticator:

createOAMAuthenticator(name="OAMAuthenticator")

4.7.5 deleteOAMAuthnProvider

Online command that deletes the OAM authenticator from the current domain.

4.7.5.1 Description

Deletes the OAM authenticator with a given name from the current domain. In the event of an error, the command returns a WLSTException.

4.7.5.2 Syntax

deleteOAMAuthnProvider(name)
Argument Definition
name 
Specifies the name of the authentication provider to delete.

4.7.5.3 Example

The following invocation deletes the authenticator myAuthenticator:

deleteOAMAuthnProvider(name="myAuthenticator")

4.7.6 updateOAMAuthenticator

Online command that updates the values of parameters of the Oracle Access Manager authenticator in the current domain.

4.7.6.1 Description

Updates the value of given parameters of the domain Oracle Access Manager authenticator. In the event of an error, the command returns a WLSTException.

4.7.6.2 Syntax

updateOAMAuthenticator(name, paramNameValueList)
Argument Definition
name 
Specifies the name of the Oracle Access Manager authenticator whose parameter values to update.
paramNameValueList Specifies the comma-separated list of pairs of parameter name-value to be updated. The format of each pair is
paramName='paramValue'

The only parameter names that can be updated are the following:

  • accessGateName—The name of the AccessGate used by the authenticator.

  • accessGatePwd—The password to the AccessGate used by the authenticator.

  • pAccessServer—The name of the primary access server. Values must have the format hostName:portNumber.

  • sAccessServer—The name of the secondary access server. Values must have the format hostName:portNumber.

  • transportSecurity—The mode of communication between AccessGate and OAM Access Server: open, simple, or cert.

  • keystorePwd—The password to access the domain key store.

  • keystorePath—The absolute path of the JKS key store used for SSL communication between the authenticator and OAM Access Server.

  • simpleModePassphrase—The password shared by AccessGate and OAM Access Server in simple communication mode.

  • truststorePath—The absolute path of the JKS trust store used for SSL communication between the authenticator and OAM Access Server.

  • poolMaxConnections—The maximum number of connections in the OAM Server connection pool.

  • poolMinConnections—The minimum number of connections in the OAM Server connection pool.

  • useRetNameAsPrincipal—Specifies whether the user name retrieved from the OAM authenticator should be used as the name of the Principal in the Subject.

  • controlFlag—The JAAS control flag that sets up dependencies among all authenticators in the domain. Values can be only REQUIRED, SUFFICIENT, REQUISITE, or OPTIONAL.

  • appDomain—The name of the application domain.


4.7.6.3 Example

The following invocation updates the parameters accessGateName, accessGatePwd, and pAccessServer in the Oracle Access Manager authenticator named myAuthenticator:

updateOAMAuthenticator(name="myAuthenticator", 
accessGateName="OAM AP AccessGate", accessGatePwd="welcome1",
pAccessServer="myhost.domain.com:5543")

4.7.7 addOAMSSOProvider

Online command that adds an Oracle Access Manager SSO provider with the given login URI, logout URI, and auto-login URI.

4.7.7.1 Description

Adds an SSO provider with the given login URI, logout URI, and auto-login URI. This command modifies the domain jps-config.xml by adding an Oracle Access Manager SSO service instance with the required properties. In the event of an error, the command returns a WLSTException.

4.7.7.2 Syntax

addOAMSSOProvider(loginuri, logouturi, autologinuri, beginimpuri, endimpuri)
Argument Definition
loginuri
Required. Specifies the URI of the login page and triggers SSO authentication.
logouturi Optional. Specifies the URI of the logout page and logs the signed-on user out. If unspecified, defaults to logouturi=NONE.

Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class OAMSSOServiceImpl to clear the cookie ObSSOCookie.

More generally, an ADF-secured web application that would like to clear cookies without logging out the user should use this setting.

autologinuri Required. Specifies the URI of the autologin page. Optional. If unspecified, it defaults to autologin=NONE.
beginimpuri Optional. Specifies the URI that triggers the impersonation SSO session.
endimpuri Optional. Specifies the URI that terminates the impersonation SSO session.

4.7.7.3 Example

The following invocation adds an SSO provider with the passed URIs; note the special behavior implied by the setting logouturi="" and the impersonation parameters, as explained in the above table:

addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication",
logouturi="/oamsso/logout.html",
beginimpuri="https://login.acme.com/impersonationInit.html"
endimpuri="https://login.acme.com/impersonationTerm.html")
autologin="/fooBar.cgi")

4.7.8 displayTopology

Online and offline command that displays the information about all the OAM Servers in a deployment.

4.7.8.1 Description

Lists the topology of deployed OAM Servers. There are no arguments for this command.

4.7.8.2 Syntax

displayTopology

4.7.8.3 Example

The following invocation lists the details of all deployed OAM Servers, as described above:

displayTopology

4.7.9 displayMetrics

Online command that displays the performance metrics of an OAM Server and domain.

4.7.9.1 Description

Displays the performance metrics of an OAM Server and domain specific to collectors, including host, process, and server names. There are no arguments for this command.

If none of the arguments are specified all the details of all the servers and collectors are displayed.

4.7.9.2 Syntax

displayMetrics()

4.7.9.3 Example

The following invocation lists all metrics specific to named collectors, as described above:

displayMetrics()

4.7.10 displayOamServer

Online and offline command that displays OAM Server registration details.

4.7.10.1 Description

Displays OAM Server registration details, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.

The scope of this command is an instance, only. The scope is not an argument.

4.7.10.2 Syntax

displayOamServer(host,port)
Argument Definition
host
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the listening port of the OAM Server host.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.10.3 Example

The following invocation lists all metrics specific to named collectors, as described above:

displayOamServer(host="my_host", port="15000", domainHome="domainHome1")

4.7.11 createOamServer

Online and offline command that creates an OAM Server entry in the system configuration.

4.7.11.1 Description

Creates an OAM Server registration, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.

The scope of this command is an instance, only. The scope is not an argument

4.7.11.2 Syntax

createOamServer(host,port, paramNameValueList)
Argument Definition
host
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the listening port of the OAM Server host.
domainHome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • configurationProfile—The name of this instance registration, which appears under Server Instances on the System Configuration tab in the OAM Administration Console.

  • oamProxyPort—The listening port of this instance.

  • oamProxyServerID—The name of the OAM Proxy for this server instance, which will appear under the OAM Proxy sub tab of the server instance in the OAM Administration Console.

  • siteName—siteName/serverName for the instance.


4.7.11.3 Example

The following invocation creates a configuration for your_host with listening port 15000. The configuration entry in the Administration Console will be oam_server1. The OAM Proxy port is 3004 and the OAM Proxy Server ID is AccessServerConfigProxy:

createOamServer(host="my_host", port="15000", configurationProfile=
"oam_server1", oamProxyPort="3004", oamProxyServerID="ProxyID", 
siteName="siteName1",domainHome="domainHome1")

4.7.12 editOamServer

Online and offline command that enables you to edit OAM Server registration details.

4.7.12.1 Description

Edits the registration for an OAM Server, which can include the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.

The scope of this command is an instance, only. The scope is not an argument.

4.7.12.2 Syntax

editOamServer(name, port, paramNameValueList)
Argument Definition
name
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the port number of the OAM Server host.
domainHome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • configurationProfile—The name of this instance registration, which appears under Server Instances on the System Configuration tab in the OAM Administration Console.

  • oamProxyPort—The listening port of this instance.

  • oamProxyServerID—The name of the OAM Proxy for this server instance, which will appear under the OAM Proxy sub tab of the server instance in the OAM Administration Console.

  • siteName—siteName/serverName for the instance.


4.7.12.3 Example

You can use any of the optional attributes to change current settings. The following invocation enables you to add the OAM Proxy shared secret to the configuration entry oam_server1.

editOamServer(name="oam_server1", port="15000",configurationProfile=
"oam_server1", oamProxyPort="3004",oamProxyServerID="Proxy1", 
siteName="siteName1",domainHome="domainHome1")

4.7.13 deleteOamServer

Online and offline command that enables you to delete the named OAM Server registration.

4.7.13.1 Description

Deletes an entire OAM Server configuration.

The scope of this command is an instance, only. The scope is not an argument.

4.7.13.2 Syntax

deleteOamServer(host,port)
Argument Definition
host
Mandatory. Specifies the name of the OAM Server host.
port
Mandatory. Specifies the listening port of the OAM Server host.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.13.3 Example

The following invocation enables you to delete the OAM Server registration for oam_server1 with listening port 15000.

deleteOamServer(host="oam_server1",port="15000",domainHome="domainHome1")

4.7.14 displayOssoAgent

Online and offline command that displays OSSO Agent configuration details.

4.7.14.1 Description

Displays OSSO Agent registration details, which also appear in the OAM Administration Console.

The scope of this command is an instance, only. The scope is not an argument

4.7.14.2 Syntax

displayOssoAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the OSSO Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.14.3 Example

The following invocation displays the OSSO Agent's registration information:

displayOssoAgent(agentName="OSSOAgent1",domainHome="domainHome1")

4.7.15 editOssoAgent

Online and offline command that enables you to edit an OSSO Agent registration.

4.7.15.1 Description

Changes OSSO Agent configuration details, including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info.

The scope of this command is an instance, only. The scope is not an argument

4.7.15.2 Syntax

editOssoAgent(agentName,paramNameValueList)
Argument Definition
agentName
Mandatory. Specifies the name of the OSSO Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is:
paramName='paramValue'

Optional:

  • siteToken—The Application Token used by the partner when requesting authentication.

  • successUrl—The redirect URL to be used upon successful authentication.

  • failureUrl—The redirect URL to be used if authentication fails.

  • homeUrl—The redirect URL to be used for the Home page after authentication.

  • logoutUrl—The redirect URL to be used when logging out. This redirects the user to the global logout page on the server

  • startDate—First month, day, and year for which login to the application is allowed by the server.

  • endDate—Final month, day, and year for which login to the application is allowed by the server.

  • adminId—Administrator login ID for this mod_osso instance.

  • adminInfo—Administrator details for this mod_osso instance.


4.7.15.3 Example

The following invocation changes the Administrator ID and information in the registration entry for OSSOAgent1:

editOssoAgent(agentName="OSSOAgent1", siteToken="siteToken", 
successUrl="successUrl",failureUrl="failureUrl",homeUrl="homeUrl", 
logoutUrl="logoutUrl",startDate="2009-12-10", endDate="2012-12-30",  
adminId= 345", adminInfo="Agent11", domainHome="domainHome1") 

4.7.16 deleteOssoAgent

Online and offline command that enables you to delete an OSSO Agent registration.

4.7.16.1 Description

Removes an OSSO Agent configuration.

The scope of this command is an instance, only. The scope is not an argument

4.7.16.2 Syntax

deleteOssoAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the OSSO Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.16.3 Example

The following invocation removes the OSSO Agent named OSSOAgent1:

deleteOssoAgent(agentName="OSSOAgent1", domainHome="domainHome1")

4.7.17 displayWebgateAgent

Online and offline command that displays a 10g WebGate registration.

4.7.17.1 Description

Displays all 10g WebGate registration details, which can also be seen in the OAM Administration Console.

The scope of this command is an instance, only. The scope is not an argument

4.7.17.2 Syntax

displayWebgateAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.17.3 Example

The following invocation displays registration information for my_WebGate:

displayWebgateAgent(agentName=)"my_Webgate", domainHome="domainHome1")

4.7.18 editWebgateAgent

Online and offline command that enables you to edit a 10g WebGate registration.

4.7.18.1 Description

Enables you to change 10g WebGate Agent registration details.

The scope of this command is an instance, only. The scope is not an argument

4.7.18.2 Syntax

editWebgateAgent(agentName,paramNameValueList)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is:
paramName='paramValue'

Mandatory:

  • agentId—Name of the OAM Agent (WebGate).

Optional:

  • accessClientPassword—An optional password for this WebGate Agent.

  • state—Whether the OAM Agent is enabled or disabled.

  • preferredHost—Prevents security holes that can be created if a host's identifier is not included in the Host Identifiers list. For virtual hosting, you must use the Host Identifiers feature.

  • aaaTimeOutThreshold—Number (in seconds) to wait for a response from the OAM Run-time Server. If this parameter is set, it is used as an application TCP/IP timeout instead of the default TCP/IP timeout. Default = -1 (default network TCP/IP timeout is used).

  • security—Level of transport security to and from the OAM Run-time Server: open, simple, or cert.

  • primaryCookieDomain—The Web server domain on which the OAM Agent is deployed, for instance,.acompany.com.

  • maxConnections—The maximum number of connections that this OAM Agent can establish with the OAM Server. This number must be the same as (or greater than) the number of connections that are actually associated with this agent. Default = 1.

  • maxCacheElements—Number of elements maintained in the cache. Cache elements are URLs or Authentication Schemes. The value of this setting refers to the maximum consolidated count for elements in both of these caches. Default = 10000.

  • cacheTimeOut—Amount of time cached information remains in the OAM Agent cache when the information is neither used nor referenced. Default = 1800 (seconds).

  • cookieSessionTime—Amount of time that the ObSSOCookie persists. Default = 3600 (seconds)*.

  • maxSessionTime—Maximum amount of time, in seconds, that a user's authentication session is valid regardless of their activity. At the expiration of this time, the user is re-challenged for authentication. This is a forced logout. Default = 3600 (seconds). A value of 0 disables this timeout setting.

  • idleSessionTimeout—Amount of time in seconds that a user's authentication session remains valid without accessing any OAM Agent protected resources. Default = 3600 (seconds). A value of 0 disables this timeout setting.

  • failoverThreshold—Number representing the point when this OAM Agent opens connections to a Secondary OAM Server. Default = 1.


4.7.18.3 Example

You can alter any or all of the settings. Use the following invocation to change specific information in the WebGate Agent registration, including the Agent ID, state, maximum connections, OAM Server timeout, primary cookie domain, cache time out, cookie session timeout, maximum session timeout, idle session timeout, and failover threshold, as follows:

editWebgateAgent(agentName="my_WebGate", agentId="WebGate2", state=
"enabled", maxConnections="2", aaaTimeOutThreshold="2", 
primaryCookieDomain="adomain.com", cacheTimeOut="1200", 
cookieSessionTime=1500, maxSessionTime=1500, idleSessionTimeout=
"1500", failoverThreshold="25", domainHome="domainHome1")

4.7.19 deleteWebgateAgent

Online and offline command that enables you to delete a 10g WebGate Agent registration.

4.7.19.1 Description

Removes an 10g WebGate Agent registration.

The scope of this command is an instance, only. The scope is not an argument

4.7.19.2 Syntax

deleteWebgateAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainhome
Offline mode: Mandatory

Online mode: Optional


4.7.19.3 Example

The following invocation removes the WebGate Agent named my_WebGate:

deleteWebgateAgent(agentName="my_WebGate", domainHome="domainHome1")

4.7.20 changeLoggerSetting

Online and offline command that changes the logger level.

4.7.20.1 Description

Changes the level of one or more, or all, loggers.

The scope of this command is an instance, only. The scope is not an argument.

4.7.20.2 Syntax

changeLoggerSetting (loggerName='', loggerLevel=''): 
Argument Definition
loggerName
Optional. Specifies the OAM logger name. Multiple OAM logger names can be specified, separated by commas, or you can use the wildcard (*) character to specify all OAM collectors, which is the default.
loggerLevel
SEVERE, WARNING, INFO, CONFIG, FINE.

4.7.20.3 Example

The following invocation changes the logger level to SEVERE:

changeLoggerSetting(loggerName=" ", loggerLevel=SEVERE)

4.7.21 changeConfigDataEncryptionKey

Offline command that regenerates the configuration data encryption key.

4.7.21.1 Description

Regenerates the configuration data encryption key, re-encrypts the configuration data using the new key, and outputs attribute information of the identity store.

The scope of this command is an instance, only. The scope is not an argument.

4.7.21.2 Syntax

changePasswordEncKey (oldpassword='', newPassword='')
Argument Definition
oldPassword
Mandatory. Specifies the password that retrieves the current encryption key.
newPassword
Mandatory. Defines a new password that protects the newly generated encryption key.

4.7.21.3 Example

The following invocation changes the old and new password, regenerates the key, and re-encrypts the configuration data:

changePasswordEncKey(oldpassword="oldpassword", 
newPassword="newpassword")

4.7.22 displayUserIdentityStore

Online and offline command that displays user identity store registration information.

4.7.22.1 Description

Displays information of the user identity store registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

4.7.22.2 Syntax

displayUserIdentityStore(name) 
Argument Definition
name
Mandatory. Specifies the name of the LDAP user identity store.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.22.3 Example

The following invocation displays registration details of the user identity store:

displayUserIdentityStore(name="ID_store1", domainHome="domainHome1")

4.7.23 editUserIdentityStore

Online and offline command that changes attributes of the user identity store for Oracle Access Manager.

4.7.23.1 Description

Changes one or more attributes of the user identity store registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

4.7.23.2 Syntax

editUserIdentityStore(name,paramNameValueList)
Argument Definition
name
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers).
domainhome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Include one or more of the following parameter name-value pairs, in addition to those in createUserIdentityStore, to change the OAM user identity store configuration:

  • userFilterObjectClasses—List of user filter object classes (separated by semi-colon).

  • groupFilterObjectClasses—List of group filter object classes (separated by semi-colon).

  • referralPolicy—LDAP referral policy (either "follow", "ignore" or "throw").

  • searchTimeLimit—Time limit in seconds for LDAP Search operation.

  • minConnections—Minimum number of connections in the connection pool.

  • maxConnections—Maximum number of connections in the connection pool.

  • connectionWaitTimeout—Number of seconds to wait for obtaining a connection from the pool.

  • connectionRetryCount—Number of attempts to establish a connection to identity store.

  • groupNameAttr—Name of the attribute to look up the user groups. For example:

    ou=people,ou=myrealm,dc=base_domain
    
  • groupCacheEnabled—Toggle (true/false) to enable LDAP group cache.

  • groupCacheSize—Number of entries in LDAP group cache.

  • groupCacheTTL—Total time to live for each entry of LDAP group cache.


4.7.23.3 Example

The following invocation changes the LDAP URL of the user identity store for OAM:

editUserIdentityStore(name="identity_store_name", 
LDAP_url="ldap://localhost:7003", domainHome="domaonHome1")

4.7.24 createUserIdentityStore

Online and offline command that creates a user identity store registration for Oracle Access Manager.

4.7.24.1 Description

Creates an entry for a new user identity store to be registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

4.7.24.2 Syntax

createUserIdentityStore(name=,paramNameValueList)
Argument Definition
name
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers).
domainhome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • name—The name for this user ID store.

  • principal—The login ID of the LDAP administrator. For example, cn=Admin.

  • credential—The password of the Principal, which is encrypted for security.

  • type—The type of the LDAP ID store to be created.

  • userAttr—User attributes of the store.

  • usersearchbase—The node under which user data is stored in the LDAP ID store to be created. For example: cn=users.

  • groupSearchBase—The node under which group data is stored in the LDAP ID store to be created. Mandatory Attribute. For example: cn=groups.

  • ldapUrl—The URL for the LDAP host, including port number of the LDAP ID store to be created. For example, ldap://localhost:7001.

Optional:

  • roleSecAdmin—Name of the Admin group with all privileges for LDAP ID store.

  • roleSysMonitor—Name of the Admin group with read-only privileges for LDAP ID store to be created.

  • roleSysManager— Name of the Admin group with day-to-day operational privileges for LDAP ID store to be created.

  • ldapProvider—A supported LDAP provider. For example, OVD.

  • isPrimary—The designation of the primary User Identity Store. Boolean field.

  • userIDProvider—User Identity Provider of the store to be created.

  • domainHome—Domain Home location.


4.7.24.3 Example

The following invocation creates a new Oracle Internet Directory user identity store definition for use with Oracle Access Manager:

createUserIdentityStore(name="Name1",principal="Principal1", 
credential="Credential1", type="OID", userAttr="userAttr1", 
ldapProvider="ldapProvider", roleSecAdmin="roleSecAdmin1",
roleSysMonitor="roleSysMonitor", roleSysManager="roleSysManager", 
roleAppAdmin="roleAppAdmin", userSearchBase="cn=users, 
ldapUrl="ldapUrl", isPrimary="isPrimary", userIDProvider="userIDProvider",
groupSearchBase="cn=groups",domainHome="domainHome1")

4.7.25 deleteUserIdentityStore

Online and offline command that removes a Oracle Access Manager user identity store registration.

4.7.25.1 Description

Deletes the user identity store registered with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

4.7.25.2 Syntax

deleteUserIdentityStore(name) 
Argument Definition
name
Mandatory. Specifies the name of the LDAP user identity store to be removed.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.25.3 Example

The following invocation deletes the registration of the user identity store:

deleteUserIdentityStore(name="identity_store", domainHome="domainHome1")

4.7.26 configRequestCacheType

Online and offline command that configures the SSO server request cache type.

4.7.26.1 Description

Configures the SSO server request cache type.

The scope of this command is an instance, only. The scope is not an argument.

4.7.26.2 Syntax

configRequestCacheType(type) 
Argument Definition
type
Mandatory. Specifies requestCacheType.

requestCacheType—The value of request cache type: BASIC or COOKIE.


4.7.26.3 Example

The following invocation identifies the request cache type as Cookie:

configRequestCacheType(type="COOKIE") 

4.7.27 displayRequestCacheType

Online and offline command that displays the SSO server request cache type.

4.7.27.1 Description

Displays the SSO server request cache type entry.

The scope of this command is an instance, only. The scope is not an argument.

4.7.27.2 Syntax

displayRequestCacheType(domainHome)
Argument Definition
type
Mandatory. Specifies requestCacheType.

requestCacheType—The value of request cache type: BASIC or COOKIE.

domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.27.3 Example

The following invocation displays the request cache type.

displayRequestCacheType(domainHome="domainHome") 

4.7.28 exportPolicy

Online only command that exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file specified.

4.7.28.1 Description

Exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file.

The scope of this command is an instance, only. The scope is not an argument.

4.7.28.2 Syntax

exportPolicy(pathTempOAMPolicyFile)
Argument Definition
pathTempOAMPolicyFile 
Mandatory. Specifies the path to the temporary Oracle Access Manager file.

4.7.28.3 Example

The following invocation specifies the path to the temporary file used when exporting policy data from a test (source) environment.

exportPolicy(pathTempOAMPolicyFile="oam_policy.xml") 

4.7.29 importPolicy

Online only command that imports the OAM policy data from the intermediate Oracle Access Manager file specified.

4.7.29.1 Description

Imports the OAM policy data from the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

4.7.29.2 Syntax

importPolicy(pathTempOAMPolicyFile)
Argument Definition
pathTempOAMPolicyFile Mandatory. Specifies the path to the temporary OAM file.

4.7.29.3 Example

The following invocation specifies the path to the temporary file used when importing policy data to a production (target).

importPolicy(pathTempOAMPolicyFile="oam_policy.xml") 

4.7.30 importPolicyDelta

Online only command that imports the OAM policy changes from the intermediate Oracle Access Manager file specified.

4.7.30.1 Description

Imports the OAM policy changes from the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

4.7.30.2 Syntax

importPolicyDelta(pathTempOAMPolicyFile)
Argument Definition
pathTempOAMPolicyFile Mandatory. Specifies the path to the temporary Oracle Access Manager file.

4.7.30.3 Example

The following invocation specifies the path to the temporary file used when importing only changed policy data to a production (target).

importPolicyDelta(pathTempOAMPolicyFile="oam_policy_delta.xml") 

4.7.31 migratePartnersToProd

Online only command that migrates partners from the current (source) OAM Server to the specified (target) OAM Server.

4.7.31.1 Description

Migrates partners from the current (source) OAM Server to the specified (target) OAM Server.

The scope of this command is an instance, only. The scope is not an argument.

4.7.31.2 Syntax

migratePartnersToProd(prodServerHost,prodServerPort,prodServerAdminUser,prodServerAdminPwd)
Argument Definition
prodServerHost Host name of the target OAM Server to which partners are to be migrated.
prodServerPort Port of the target OAM Server to which partners are to be migrated.
prodServerAdminUser Administrator of the target OAM Server to which partners are to be migrated.
prodServerAdminPwd Target OAM Server administrator's password.

4.7.31.3 Example

The following invocation specifies the required information.

migratePartnersToProd(prodServerHost="host",prodServerPort="port", 
prodServerAdminUser="weblogic",prodServerAdminPwd="welcome")

4.7.32 exportPartners

Online only command that exports Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.

4.7.32.1 Description

Exports the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

4.7.32.2 Syntax

exportPartners(pathTempOAMPartnerFile)
Argument Definition
pathTempOAMPartnerFile Mandatory. Specifies the path to the temporary Oracle Access Manager partner file.

4.7.32.3 Example

The following invocation specifies the path to the intermediate OAM partners file.

exportPartners(pathTempOAMPartnerFile="oam_partners.xml")

4.7.33 importPartners

Online only command that imports Oracle Access Manager partners from the intermediate Oracle Access Manager file specified.

4.7.33.1 Description

Imports the OAM partners from the intermediate Oracle Access Manager file specified.

The scope of this command is an instance, only. The scope is not an argument.

4.7.33.2 Syntax

importPartners(pathTempOAMPartnerFile)
Argument Definition
pathTempOAMPartnerFile Mandatory. Specifies the path to the temporary OAM partner file.

4.7.33.3 Example

The following invocation specifies the path to the intermediate OAM partners file.

importPartners(pathTempOAMPartnerFile="oam_partners.xml")

4.7.34 configureOAAM

Online only command that configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.

4.7.34.1 Description

Configures the OAM-OAAM basic integration.

The scope of this command is an instance, only. The scope is not an argument.

4.7.34.2 Syntax

configureOAAM(dataSourceName,paramNameValueList)
Argument Definition
dataSourceName Name of the data source to be created
paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

  • hostName—The name of the database host.

  • port—Database port.

  • sid—The database sid (database identifier).

  • userName—OAAM schema name.

  • passWord—OAAM schema password.

Optional:

  • maxConnectionSize—Max connection reserve time out size.

  • maxPoolSize—Maximum size for connection pool.

  • serverName—Target server for the data source.


4.7.34.3 Example

The following invocation configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.

configureOAAM(dataSourceName = "MyOAAMDS", hostName = "host.us.co.com", 
port = "1521", sid = "sid", userName = "username", passWord = "password", 
maxConnectionSize = None, maxPoolSize = None, serverName = "oam_server1")

4.7.35 registerOIFDAPPartner

Online and offline command that registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.

4.7.35.1 Description

Registers Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner.

The scope of this command is an instance only. The scope is not an argument.

4.7.35.2 Syntax

registerOIFDAPPartner()
Argument Definition
paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

Include the following parameter name-value pairs to create a new OAM user identity store configuration:

  • keystoreLocation—Location of the Keystore file (generated at the OIF Server.).

  • logoutURL—The OIF Server's logout URL.

Optional:

  • rolloverInterval—The Rollover Interval for the keys used to encrypt/decrypt SASSO Tokens.


4.7.35.3 Example

The following invocation illustrates use of all parameters.

registerOIFDAPPartner(keystoreLocation="/scratch/keystore", 
logoutURL="http://<oifhost>:<oifport>/fed/user/sploosso?doneURL=http://<oamhost>: 
<oam port>/ngam/server/pages/logout.jsp", rolloverTime="526")

4.7.36 enableCoexistMode

Online command that enables the Coexist Mode.

4.7.36.1 Description

Enables the Coexist Mode.

The scope of this command is an instance, only. The scope is not an argument.

4.7.36.2 Syntax

enableCoexistMode()

4.7.36.3 Example

The following invocation enables the Coexist Mode.

enableCoexistMode

4.7.37 disableCoexistMode

Online command that disables the Coexist Mode.

4.7.37.1 Description

Disables the Coexist Mode.

The scope of this command is an instance, only. The scope is not an argument.

4.7.37.2 Syntax

disableCoexistMode()

4.7.37.3 Example

The following invocation enables the Coexist Mode.

disableCoexistMode

4.7.38 editGITOValues

Online and offline command that edits GITO configuration parameters.

4.7.38.1 Description

Edits GITO configuration parameters.

The scope of this command is an instance, only. The scope is not an argument.

4.7.38.2 Syntax

editGITOValues(gitoEnabled, paramNameValueList)
Argument Definition
gitoEnabled True (or false). Allows (or denies) user to set GITO enabled property.
domainhome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Mandatory:

Include the following parameter name-value pairs to create a new OAM user identity store configuration:

  • gitoCookieDomain—Allows user to set the GITO cookie domain entry.

Optional:

  • gitoCookieName—Allows user to set the GITO cookie name.

  • gitoVersion—Allows user to set the GITO version. Can be ONLY v1.0 or v3.0.

  • gitoTimeout—Allows user to set the GITO timeout value.

  • gitoSecureCookieEnabled—True (or false). Allows (or denies) user to set the GITO cookie enabled property.


4.7.38.3 Example

The following invocation edits GITO configuration parameters.

editGITOValues(gitoEnabled="true",gitoCookieDomain=".abc.com",gitoCookieName="ABC"
,gitoVersion="v1.0",gitoTimeout="20",gitoSecureCookieEnabled="false",domainHome="/
abc/def/ijk")\n

4.7.39 editWebgate11gAgent

Online and offline command that edits an 11g WebGate registration.

4.7.39.1 Description

Edits an 11g WebGate registration.

The scope of this command is an instance, only. The scope is not an argument.

4.7.39.2 Syntax

editWebgate11gAgent(agentname, paramNameValueList)
Argument Definition
agentname Name of the registered OAM 11g WebGate agent to be edited.
domainhome 
Offline mode: Mandatory

Online mode: Optional

paramNameValueList Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue'

Optional:

accessClientPassword—Unique password for this WebGate

state—Specifies whether or the agent is enabled or disabled.

security—Level of communication security between the Agent and the OAM Server: Open, Simple, Cert.

aaaTimeOutThreshold—Number (in seconds) to wait for a response from the OAM Server.

logOutUrls—List of URLS that trigger the logout handler, which removes the ObSSOCookie.

maxConnections—The maximum number of connections that this OAM Agent can establish with the OAM Server.

maxCacheElements—Number of elements maintained in the cache.

cacheTimeout—Amount of time cached information remains in the OAM Agent cache when the information is neither used nor referenced. Default = 1800 (seconds).

logoutCallbackUrl —The URL to oam_logout_success, which clears cookies during the call back. By default, this is based on the Agent base URL supplied during agent registration. For example:

http://<host>:<port>

maxSessionTime—Maximum amount of time in seconds that a user's authentication session is valid, regardless of their activity.

logoutRedirectUrl—The URL (absolute path) to the central logout page (logout.html). By default, this is based on the OAM Administration Console host name with a default port of 14200.

failoverThreshold—Number representing the point when this OAM Agent opens connections to a Secondary OAM Server.

tokenValidityPeriod—Amount of time in seconds that a user's authentication session remains valid without accessing any OAM Agent protected resources.

logoutTargetUrlParamName—The value for this is name for the query parameter that the OPSS applications passes to WebGate during logout.


4.7.39.3 Example

The following invocation lists all mandatory and optional parameters.

editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd = "welcome1", 
state = "Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10",
security = "open", logOutUrls = "http://<host>:<port>", maxConnections = "16" 
maxCacheElems = "10000" , cacheTimeout = "1800", logoutCallbackUrl = 
"http://<host>:<port>", maxSessionTime = "24", logoutRedirectUrl =  
"logoutRedirectUrl", failoverThreshold = "1", tokenValidityPeriod="aPeriod" 
logoutTargetUrlParamName = "logoutTargetUrl", domainHome="domainHome1")

4.7.40 deleteWebgate11gAgent

Online and offline command that enables you to delete an 11g WebGate Agent registration.

4.7.40.1 Description

Removes an 11g WebGate Agent registration.

The scope of this command is an instance, only. The scope is not an argument

4.7.40.2 Syntax

deleteWebgate11gAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the 11g WebGate Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.40.3 Example

The following invocation removes the 11g WebGate Agent named my_11gWebGate:

deleteWebgate11gAgent(agentName="my_11gWebGate", domainHome="domainHome1")

4.7.41 displayWebgate11gAgent

Online and offline command that enables you to display an 11g WebGate Agent registration.

4.7.41.1 Description

Displays an 11g WebGate Agent registration.

The scope of this command is an instance, only. The scope is not an argument

4.7.41.2 Syntax

displayWebgate11gAgent(agentName)
Argument Definition
agentName
Mandatory. Specifies the name of the WebGate Agent.
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.41.3 Example

The following invocation displays the WebGate Agent named my_11gWebGate:

displayWebgate11gAgent(agentName="my_11gWebGate", domainHome="domainHome1")

4.7.42 displayOAMMetrics

Online and offline command that enables the display of metrics of OAM Servers.

4.7.42.1 Description

Enables the display of metrics of OAM Servers.

The scope of this command is an instance, only. The scope is not an argument.

4.7.42.2 Syntax

displayOAMMetrics(domainHome)
Argument Definition
domainhome 
Offline mode: Mandatory

Online mode: Optional


4.7.42.3 Example

The following invocation enables the display of metrics of OAM Servers.

displayOAMMetrics (domainHome=(domainHome1") 

4.7.43 updateOIMHostPort

Online only command that updates the Oracle Identity Manager configuration when integrated with Oracle Access Manager.

4.7.43.1 Description

Updates the Oracle Identity manager configuration in system configuration.

The scope of this command is an instance, only. The scope is not an argument.

4.7.43.2 Syntax

updateOIMHostPort(hostname, port, secureProtocol)
Argument Definition
hostname Name of the Oracle Identity Manager host.
port Port of the Oracle Identity Manager host.
secureProtocol True or false.

4.7.43.3 Example

The following invocation illustrates this command.

updateOIMHostPort(hostName="OIM host", port="7777", secureProtocol="true") 

4.7.44 configureOIM

Online only command that creates an agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.

4.7.44.1 Description

Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.

The scope of this command is an instance, only. The scope is not an argument.

4.7.44.2 Syntax

updateOIMHostPort(hostname, port, secureProtocol)
Argument Definition
hostname Name of the Oracle Identity Manager host.
port Port of the Oracle Identity Manager Managed Server.
oimSecureProtocolEnabled True or false (depending on HTTP or HTTPS).
oimAccessGatePwd If provided will be the agent password for Open mode
oimCookieDomain Domain to which the cookie is to be set
oimWgId Agent registration name.
oimWgVersion Possible values 10g or 11g. If not provided, default is 10g.

4.7.44.3 Example

The following invocation illustrates this command.

updateOIMHostPort(hostName="OIM host", port="7777", secureProtocol="true") 
configureOIM(oimHost="OIM host", oimPort="7777", oimSecureProtocolEnabled="true",
oimAccessGatePwd = "Access Gate Password", oimCookieDomain = "OIM Cookie Domain",
oimWgId="OIM Webgate ID", oimWgVersion="OIM Webgate Version")

4.7.45 updateOSSOResponseCookieConfig

Online and offline command that updates OSSO Proxy response cookie settings.

4.7.45.1 Description

Updates OSSO Proxy response cookie settings.

The scope of this command is an instance, only. The scope is not an argument.

4.7.45.2 Syntax

updateOSSOResponseCookieConfig()
Argument Definition
domainhome 
Offline mode: Mandatory

Online mode: Optional

cookieName Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated.
cookieMaxAge Maximum age of a cookie in minutes. A negative value sets a session cookie.
isSecureCookie Boolean flag specifies if cookie should be secure (sent only over SSL channel).
cookieDomain The domain of the cookie.

4.7.45.3 Example

The following invocation illustrates this command.

updateOSSOResponseCookieConfig(cookieName = "<cookieName>",
cookieMaxAge = "<cookie age in minutes>", isSecureCookie = "true | false",
cookieDomain="<domain of the cookie>", domainHome = "<wls_domain_home_path>")

4.7.46 deleteOSSOResponseCookieConfig

Online and offline command that deletes OSSO Proxy response cookie settings.

4.7.46.1 Description

Deletes OSSO Proxy response cookie settings.

The scope of this command is an instance, only. The scope is not an argument.

4.7.46.2 Syntax

deleteOSSOResponseCookieConfig()
Argument Definition
domainhome
Offline mode: Mandatory

Online mode: Optional

cookieName Mandatory. Name of the cookie for which settings are deleted.

4.7.46.3 Example

The following invocation illustrates this command.

deleteOSSOResponseCookieConfig(cookieName = "<cookieName>",
cookieDomain="<domain of the cookie>", domainHome = "<wls_domain_home_path>")

4.7.47 displaySimpleModeGlobalPassphrase

Displays the simple mode global passphrase in plain text from the system configuration.

4.7.47.1 Description

Online only command that displays the simple mode global passphrase in plain text from the system configuration.

4.7.47.2 Syntax

displaySimpleModeGlobalPassphrase

There are no arguments for this command.

4.7.47.3 Example

The following invocation illustrates this command.

displaySimpleModeGlobalPassphrase

4.7.48 exportSelectedPartners

Exports selected OAM Partners.

4.7.48.1 Description

Exports selected OAM Partners to the intermediate OAM file specified.

4.7.48.2 Syntax

exportSelectedPartners
Argument Definition
pathTempOAMPartnerFile The temporary file containing partners to be migrated.
partnersNameList comma separated list of partner ids to be migrated

4.7.48.3 Example

The following invocation illustrates this command.

exportSelectedPartners (pathTempOAMPartnerFile="/exampleroot/parent/tempfile.extn"
partnersNameList="partner1,partner2"

4.7.49 migrateArtifacts

Migrates artifacts.

4.7.49.1 Description

Migrates artifacts based on the input artifact file.

4.7.49.2 Syntax

migrateArtifacts
Argument Definition
path
Location of the artifacts file is present
password 
Password used while generating original artifacts.
type 
InPlace or OutOfPlace
isIncremental true or false. If true, an incremental upgrade is done.

4.7.49.3 Example

The following invocation illustrates this command.

migrateArtifacts(path = "/exampleroot/parent/t", password = "password", type = 
"InPlace", isIncremental="false")

4.7.50 registerThirdPartyTAPPartner

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

4.7.50.1 Description

Registers any third party as a Trusted Authentication Protocol (TAP) Partner.

4.7.50.2 Syntax

registerThirdPartyTAPPartner
Argument Definition
path
Location of the artifacts file is present
password 
Password used while generating original artifacts.
partnerName 
Name of partner. Can be any name used for identifying the third party partner.
keystoreLocation 
The jceks file location.
password 
password
tapTokenVersion Version of the Trusted Authentication Protocol.
tapScheme Trusted Authentication Protocol Authn Scheme (TAPScheme, out of the box.)
tapRedirectUrl Third party access URL.

4.7.50.3 Example

registerThirdPartyTAPPartner (partnerName="ThirdPartyTAPPartner",keystoreLocation=
"/scratch/DAPKeyStore/mykeystore.jks",password="test",tapTokenVersion="v2.0",
tapScheme="TAPScheme",tapRedirectUrl="http://thirdpartyserverhost:port/
loginPage.jsp");

4.8 Oracle Security Token Service

Table 4-7 describes the various types of WLST commands available for the Oracle Security Token Service.

Table 4-7 WLST Oracle Security Token Service Command Groups

OSTS Command Type Description

Partner Commands

WLST commands related to tasks involving partners.

Relying Party Partner Mapping Commands

The WS Prefix to Relying Party Partner mappings are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart...

Partner Profiles Commands

WLST commands related to tasks involving partner profiles.

Issuance Templates Commands

WLST commands related to tasks involving issuance templates.

Validation Templates Commands

WLST commands related to tasks involving validation templates.


Use the WLST commands listed in Table 4-8 to manage Oracle Security Token Service

Table 4-8 WLST Commands Oracle Security Token Service

Use this command... To... Use with WLST...

Partner Commands

   

getPartner

Retrieve a partner and print result.

Online

getAllRequesterPartners

Retrieve the names of Requester partners.

Online

getAllRelyingPartyPartners

Retrieve the names of all Relying Party partners.

Online

getAllIssuingAuthorityPartners

Retrieve the names of all Issuing Authority partners.

Online

isPartnerPresent

Query OSTS to determine whether or not the partner exists in the Partner store.

Online

createPartner

Create a new Partner entry.

Online

updatePartner

Update an existing Partner entry based on the provided information.

Online

deletePartner

Delete a partner entry.

Online

getPartnerUsernameTokenUsername

Retrieve the partner's username value.

Online

getPartnerUsernameTokenPassword

Retrieve the partner's password value.

Online

setPartnerUsernameTokenCredential

Set the username and password values of a partner entry.

Online

deletePartnerUsernameTokenCredential

Remove the username and password values from a partner entry.

Online

getPartnerSigningCert

Retrieve the Base64 encoded signing certificate for the partner.

Online

getPartnerEncryptionCert

Retrieve the Base64 encoded encryption certificate for the partner.

Online

setPartnerSigningCert

Upload the signing certificate to the partner entry.

Online

setPartnerEncryptionCert

Upload the encryption certificate to the partner entry.

Online

deletePartnerSigningCert

Remove the signing certificate from the partner entry.

Online

Offline

deletePartnerEncryptionCert

Remove the encryption certificate from the partner entry.

Online

Offline

getPartnerAllIdentityAttributes

Retrieve and display all Identity mapping attributes used to map a token to a requester partner.

Online

Offline

getPartnerIdentityAttribute

Retrieve and display the identity mapping attribute.

Online

Offline

setPartnerIdentityAttribute

Set the identity mapping attribute for a requester partner.

Online

Offline

deletePartnerIdentityAttribute

Delete the identity mapping attribute for a requester partner.

Online

Offline

Relying Party Partner Mapping Commands

   

getAllWSPrefixAndPartnerMappings

Retrieve and display all WS Prefixes.

Online

Offline

getWSPrefixAndPartnerMapping

Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter.

Online

Offline

createWSPrefixAndPartnerMapping

Create a new WS Prefix mapping to a Relying Partner.

Online

Offline

deleteWSPrefixAndPartnerMapping

Delete an existing WS Prefix mapping to a Relying Partner.

Online

Offline

Partner Profiles Commands

   

getAllPartnerProfiles

Retrieve the names of all the existing partner profiles.

Online

getPartnerProfile

Retrieve partner profile configuration data.

Online

createRequesterPartnerProfile

Create a new Requester Partner profile with default configuration data.

Online

createRelyingPartyPartnerProfile

Create a new Relying Party Partner profile with default configuration data.

Online

createIssuingAuthorityPartnerProfile

Create a new Issuing Authority Partner profile with default configuration data.

Online

deletePartnerProfile

Delete an existing partner profile.

Online

Issuance Template Commands

   

getAllIssuanceTemplates

Retrieve the names of all the existing Issuance Templates.

Online

Offline

getIssuanceTemplate

Retrieve configuration data of a specific Issuance Template.

Online

createIssuanceTemplate

Create a new Issuance Template with default configuration data.

Online

deleteIssuanceTemplate

Delete an existing Issuance Template.

Online

Offline

Validation Template Commands

   

getAllValidationTemplates

Retrieve the names of all the existing Validation Templates.

Online

Offline

getValidationTemplate

Retrieve configuration data of a specific Validation Template.

Online

Offline

createWSSValidationTemplate

Create a new WS Security Validation Template with default configuration data.

Online

Offline

createWSTrustValidationTemplate

Create a new WS Trust Validation Template with default configuration data.

Online

Offline

deleteValidationTemplate

Delete an existing Issuance Template.

Online

Offline


4.8.1 getPartner

Online command that retrieves the Partner entry and prints out the configuration for this partner.

4.8.1.1 Description

Retrieves the Partner entry and prints out the configuration for this partner.

4.8.1.2 Syntax

getPartner(partnerId)
Argument Definition
partnerId
Specifies the partnerId: the ID of the partner.

4.8.1.3 Example

The following invocation retrieves the Partner entry and prints out the configuration for customPartner:

getPartner(partnerId="customPartner")

4.8.2 getAllRequesterPartners

Online command that retrieves Requester type partners.

4.8.2.1 Description

Retrieves Requester type partners.

4.8.2.2 Syntax

getAllRequesterPartners()

4.8.2.3 Example

The following invocation retrieves Requester type partners:

getAllRequesterPartners()

4.8.3 getAllRelyingPartyPartners

Online command that retrieves Relying Party partners.

4.8.3.1 Description

Retrieves the Relying Party partners.

4.8.3.2 Syntax

getAllRelyingPartyPartners()

4.8.3.3 Example

The following invocation retrieves Relying Party partners:

getAllRelyingPartyPartners()

4.8.4 getAllIssuingAuthorityPartners

Online command that retrieves Issuing Authority partners and prints out the result.

4.8.4.1 Description

Retrieves the Issuing Authority partners and prints out the result.

4.8.4.2 Syntax

getAllIssuingAuthorityPartners()

4.8.4.3 Example

The following invocation retrieves Issuing Authority partners and prints out the result:

getAllIssuingAuthorityPartners()

4.8.5 isPartnerPresent

Online command that queries OSTS to determine whether or not the specified partner exists in the Partner store.

4.8.5.1 Description

Queries OSTS to determine whether or not the specified partner exists in the Partner store, and prints out the result.

4.8.5.2 Syntax

isPartnerPresent(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

4.8.5.3 Example

The following invocation queries OSTS to determine whether or not customPartner exists in the Partner store, and prints out the result:

isPartnerPresent(partnerId="customPartner")

4.8.6 createPartner

Online command that creates a new Partner entry.

4.8.6.1 Description

Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.

4.8.6.2 Syntax

createPartner(partnerId, partnerType, partnerProfileId, description,
bIsTrusted)
Argument Definition
partnerId
Specifies the ID of the new partner to be created.
partnerType
Specifies the type of partner. Values can be one of the following:
  • STS_REQUESTER for Requester

  • STS_RELYING_PARTY for Relying Party

  • STS_ISSUING_AUTHORITY for Issuing Authority

partnerProfileId
Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry.
description
Specifies the optional description of this new partner entry.
bIsTrusted
A value that indicates whether or not this new partner is trusted. Value can be either:
  • true for trusted

  • false if not trusted


4.8.6.3 Example

The following invocation creates STS_Requestor partner, customPartner, custom-partnerprofile with a description (custom requester), with a trust value of true, displays a message indicating the result of the operation:

createPartner(partnerId="customPartner", partnerType="STS_REQUESTER",
partnerProfileId="custom-partnerprofile", description="custom requester",
bIsTrusted="true")

4.8.7 updatePartner

Online command that updates an existing Partner entry.

4.8.7.1 Description

Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.

4.8.7.2 Syntax

updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
Argument Definition
partnerId
Specifies the ID of the new partner to be updated.
partnerProfileId
Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry.
description
Specifies the optional description f this new partner entry.
bIsTrusted
A value that indicates whether or not this new partner is trusted. Value can be either:
  • true for trusted

  • false if not trusted


4.8.7.3 Example

The following invocation updates customPartner with a new profile ID, (x509-wss-validtemp), description (custom requester with new profile id), and a trust value of false. A message indicates the result of the operation:

updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp",
description="custom requester with new profile id", bIsTrusted="false")

4.8.8 deletePartner

Online command that deletes a partner entry from OSTS.

4.8.8.1 Description

Deletes an existing Partner entry referenced by the partnerId parameter from OSTS, and prints out the result of the operation.

4.8.8.2 Syntax

deletePartner(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner to be deleted.

4.8.8.3 Example

The following invocation deletes the customPartner partner entry referenced by the partnerId parameter from OSTS, and prints out the result of the operation:

deletePartner(partnerId="customPartner")

4.8.9 getPartnerUsernameTokenUsername

Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.

4.8.9.1 Description

Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

4.8.9.2 Syntax

getPartnerUsernameTokenUsername(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

4.8.9.3 Example

The following invocation retrieves the customPartner partner username value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenUsername(partnerId="customPartner")

4.8.10 getPartnerUsernameTokenPassword

Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.

4.8.10.1 Description

Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.

4.8.10.2 Syntax

getPartnerUsernameTokenPassword(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

4.8.10.3 Example

The following invocation retrieves customPartner partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value:

getPartnerUsernameTokenPassword(partnerId="customPartner")

4.8.11 setPartnerUsernameTokenCredential

Online command that sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation.

4.8.11.1 Description

Sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation. Displays the result of the operation.

4.8.11.2 Syntax

setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
Argument Definition
partnerId
Specifies the ID of the partner.
UTUsername
Specifies the username value used for UNT credentials validation or mapping operations.
UTPassword
Specifies the username value used for UNT credentials validation or mapping operations.

4.8.11.3 Example

The following invocation sets the username and password values of the customPartner partner entry, and displays the result of the operation:

setPartnerUsernameTokenCredential(partnerId="customPartner", UTUsername="test", UTPassword="password")

4.8.12 deletePartnerUsernameTokenCredential

Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

4.8.12.1 Description

Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.

4.8.12.2 Syntax

deletePartnerUsernameTokenCredential(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner to be deleted.

4.8.12.3 Example

The following invocation removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation:

deletePartnerUsernameTokenCredential(partnerId="customPartner")

4.8.13 getPartnerSigningCert

Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

4.8.13.1 Description

Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.

4.8.13.2 Syntax

getPartnerSigningCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

4.8.13.3 Example

The following invocation retrieves Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string:

getPartnerSigningCert(partnerId="customPartner")

4.8.14 getPartnerEncryptionCert

Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.

4.8.14.1 Description

Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.

4.8.14.2 Syntax

getPartnerEncryptionCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

4.8.14.3 Example

The following invocation retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string:

getPartnerEncryptionCert(partnerId="customPartner")

4.8.15 setPartnerSigningCert

Online command that Uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.

4.8.15.1 Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.

4.8.15.2 Syntax

setPartnerSigningCert(partnerId, certFile)
Argument Definition
partnerId
Specifies the ID of the partner.
certFile
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM.

4.8.15.3 Example

The following invocation uploads the provided certificate to the partner entry customPartner as the signing certificate. Displays the result of the operation:

setPartnerSigningCert(partnerId="customPartner", certFile="/temp/signing_cert")

4.8.16 setPartnerEncryptionCert

Online command that Uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.

4.8.16.1 Description

Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.

4.8.16.2 Syntax

setPartnerEncryptionCert(partnerId, certFile)
Argument Definition
partnerId
Specifies the ID of the partner.
certFile
Specifies the location of the certificate on the local filesystem. Supported formats of the certificate are DER and PEM.

4.8.16.3 Example

The following invocation uploads the provided certificate to the partner entry customPartner as the signing certificate. Displays the result of the operation:

setPartnerSigningCert(partnerId="customPartner", certFile="/temp/signing_cert")

4.8.17 deletePartnerSigningCert

Online command that removes the encryption certificate from the partner entry and displays the result of the operation.

4.8.17.1 Description

Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

4.8.17.2 Syntax

deletePartnerSigningCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

4.8.17.3 Example

The following invocation removes the encryption certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerSigningCert(partnerId="customPartner")

4.8.18 deletePartnerEncryptionCert

Online command that removes the signing certificate from the partner entry and displays the result of the operation.

4.8.18.1 Description

Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.

4.8.18.2 Syntax

deletePartnerEncryptionCert(partnerId)
Argument Definition
partnerId
Specifies the ID of the partner.

4.8.18.3 Example

The following invocation removes the signing certificate from the partner entry, customPartner, and displays the result of the operation:

deletePartnerEncryptionCert(partnerId="customPartner")

4.8.19 getPartnerAllIdentityAttributes

Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

4.8.19.1 Description

Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

4.8.19.2 Syntax

getPartnerAllIdentityAttributes(partnerId)
Argument Definition
partnerId
Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester

4.8.19.3 Example

The following invocation retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner: customPartner.

getPartnerAllIdentityAttributes(partnerId="customPartner")

4.8.20 getPartnerIdentityAttribute

Online command that retrieves and displays identity mapping attributes used to map a token or to map binding data to a requester partner.

4.8.20.1 Description

Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.

The identity mapping attributes only exist for partners of type Requester.

4.8.20.2 Syntax

getPartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId
Specifies the ID of the Requester partner.
IdentityAttributeName
Specifies the name of the identity mapping attribute to retrieve and display. For example: httpbasicusername.

4.8.20.3 Example

The following invocation retrieves and displays one identityAttribute and its value as specified by identityAttributeName.

getPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername")

4.8.21 setPartnerIdentityAttribute

Online command that sets the identity mapping attribute for the Requester partner.

4.8.21.1 Description

Set the identity mapping attribute specified by identityAttributeName for the partner of type requester specified by the partnerId parameter. These identity mapping attributes only exist for Requester partners. Displays the result of the operation.

4.8.21.2 Syntax

setPartnerIdentityAttribute(partnerId, identityAttributeName, 
identityAttributeValue)
Argument Definition
partnerId
Specifies the ID of the partner of type Requester.
identityAttributeName
Specifies the name of the identity mapping attribute to retrieve and display.
identityAttributeValue
Specifies the value of the identity mapping attribute to set.

4.8.21.3 Example

The following invocation sets the identity mapping attribute specified by identityAttributeName for the Requester partner of type requester specified by the partnerId parameter. Displays the result of the operation.

setPartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername",identityAttributeValue="test")

4.8.22 deletePartnerIdentityAttribute

Online command that deletes the identity mapping attribute.

4.8.22.1 Description

Deletes the identity mapping attribute specified by identityAttributeName.

The identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner, and they only exist for Requester partners.

4.8.22.2 Syntax

deletePartnerIdentityAttribute(partnerId, identityAttributeName)
Argument Definition
partnerId
Specifies the ID of the partner.
identityAttributeName
Specifies the name of the identity mapping attribute to delete.

4.8.22.3 Example

The following invocation deletes the identity mapping attribute specified by identityAttributeName for Requester partner customPartner.

deletePartnerIdentityAttribute(partnerId="customPartner", 
identityAttributeName="httpbasicusername")

4.8.23 getAllWSPrefixAndPartnerMappings

Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.

4.8.23.1 Description

Retrieves and displays all WS Prefixes to Relying Party Partner mappings.

4.8.23.2 Syntax

getAllWSPrefixAndPartnerMappings() 

4.8.23.3 Example

The following invocation retrieves and displays theWS Prefixes.

getAllWSPrefixAndPartnerMappings() 

4.8.24 getWSPrefixAndPartnerMapping

Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

4.8.24.1 Description

Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

4.8.24.2 Syntax

getWSPrefixAndPartnerMapping(wsprefix) 
Argument Definition
wsprefix
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


4.8.24.3 Example

The following invocation retrieves nd displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.

getWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")

4.8.25 createWSPrefixAndPartnerMapping

Online command that creates a new WS Prefix mapping to a Relying Partner.

4.8.25.1 Description

Creates a new WS Prefix mapping to a Relying Partner referenced by the partnerid parameter, and displays the result of the operation.

4.8.25.2 Syntax

createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
Argument Definition
wsprefix
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path

partnerId
Specifies the ID of the partner.
description
Specifies an optional description.

4.8.25.3 Example

The following invocation creates a new WS Prefix mapping to a Relying Partner Partner referenced by the partnerid parameter, and displays the result of the operation.

createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path",
partnerid="customRPpartner", description="some description")

4.8.26 deleteWSPrefixAndPartnerMapping

Online command that deletes an existing mapping of WS Prefix to a Relying Partner Partner.

4.8.26.1 Description

Deletes an existing mapping of WS Prefix to a Relying Partner, and displays the result of the operation.

4.8.26.2 Syntax

deleteWSPrefixAndPartnerMapping(wsprefix)
Argument Definition
wsprefix
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form:

http_protocol://hostname_ip/path


4.8.26.3 Example

The following invocation deletes the existing mapping of WS Prefix to a Relying Partner, and displays the result of the operation.

deleteWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path")

4.8.27 getAllPartnerProfiles

Online command that retrieves the names of all the existing partner profiles and displays them.

4.8.27.1 Description

Retrieves the names of all the existing partner profiles and displays them.

4.8.27.2 Syntax

getAllPartnerProfiles()

4.8.27.3 Example

The following invocation retrieves the names of all the existing partner profiles and displays them.

getAllPartnerProfiles()

4.8.28 getPartnerProfile

Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.

4.8.28.1 Description

Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

4.8.28.2 Syntax

getPartnerProfile(partnerProfileId)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.

4.8.28.3 Example

The following invocation retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.

getPartnerProfile(partnerProfileId="custom-partnerprofile")

4.8.29 createRequesterPartnerProfile

Online command that creates a new requester partner profile with default configuration data.

4.8.29.1 Description

Creates a new requester partner profile with default configuration data, and displays the result of the operation.

Table 4-9 describes the default configuration created with this command.

Table 4-9 Default Configuration: createRequesterPartnerProfile

Element Description
Return Error for Missing Claims

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template:

  • SAML 1.1 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-
    token-profile-1.1#SAMLV1.1
    

    The SAML 1.1 token type is not mapped to any WS-Trust Validation Template.

  • SAML 2.0 token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/oasis-wss-saml-
    token-profile-1.1#SAMLV2.0
    

    The SAML 2.0 token type is not mapped to any WS-Trust Validation Template.

  • Username token type mapped to the following External URI:

    http://docs.oasis-open.org/wss/2004/01/oasis-
    200401-wss-username-token-profile-1.0#UsernameToken
    

    The Username token type is not mapped to any WS-Trust Validation Template.

Note: Token Type Configuration and token type to Validation Template mapping are both empty

Attribute Name Mapping

Default: The Attribute Name Mapping table is empty by default.


4.8.29.2 Syntax

createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, 
description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
defaultRelyingPartyPPID
Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner.
description
Specifies the optional description for this partner profile

4.8.29.3 Example

The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 4-9.

createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom
partner profile")

4.8.30 createRelyingPartyPartnerProfile

Online command that creates a new relying party partner profile with default configuration data.

4.8.30.1 Description

Creates a new relying party partner profile with default configuration data, and displays the result of the operation.

Table 4-10 describes the default configuration created with this command.

Table 4-10 Default Configuration: createRelyingPartyPartnerProfile

Element Description

Download Policy

Default: false

Allow Unmapped Claims

Default: false

Token Type Configuration

The Token Type Configuration will contain a single entry, with:

  • The token type set to the type of Issuance Template referenced by defaultIssuanceTemplateID

  • The Issuance template set to defaultIssuanceTemplateID

Note: For the token type of the issuance template referenced by defaultIssuanceTemplateID, it will be linked to the issuance template, while the other token types will not be linked to any issuance template.

If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID

Attribute Name Mapping

The Attribute Name Mapping table is empty be default.


4.8.30.2 Syntax

createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, 
description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
defaultIssuanceTemplateID
Specifies the default issuance template and token type to issue if no token type was specified in the RST.
description
Specifies the optional description for this partner profile

4.8.30.3 Example

The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.

createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile",
defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")

4.8.31 createIssuingAuthorityPartnerProfile

Online command that creates a new issuing authority partner profile with default configuration data.

4.8.31.1 Description

Creates a new issuing authority partner profile with the default configuration data in Table 4-11, and displays the result of the operation.

Table 4-11 Default Configuration: createIssuingAuthorityPartnerProfile

Element Description

Server Clockdrift

Default: 600 seconds

Token Mapping

The Token Mapping Section will be configured as follows:

  • Override Simple User Mapping: false

  • Override User NameID Mapping: false

  • Override Attribute Based User Mapping: false

  • Override Simple Partner Mapping: false

  • Override Partner NameID Mapping: false

Empty fields

  • simple user mapping

  • attribute based user mapping

  • simple partner mapping

Partner NameID Mapping

The Partner NameID Mapping table will be provisioned with the following entries as NameID format. However, without any data in the datastore column the issuance template referenced by defaultIssuanceTemplateID is of token type SAML 1.1, SAML 2.0, or Username.

The table will contain the following entries:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping

The User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

Attribute Mapping

The Attribute Value Mapping and Attribute Name Mapping table is empty be default.


4.8.31.2 Syntax

createIssuingAuthorityPartnerProfile(partnerProfileId, description)
Argument Definition
partnerProfileId
Specifies the name of the partner profile.
description
Specifies the optional description for this partner profile

4.8.31.3 Example

The following invocation a new issuing authority partner profile with default configuration data, and displays the result of the operation.

createIssuingAuthorityPartnerProfile(partnerProfileId="custom-partnerprofile"
description="custom partner profile")

4.8.32 deletePartnerProfile

Online command that deletes an partner profile referenced by the partnerProfileId parameter.

4.8.32.1 Description

Deletes an partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

4.8.32.2 Syntax

deletePartnerProfile(partnerProfileId) 
Argument Definition
partnerProfileId
Specifies the name of the partner profile to be removed.

4.8.32.3 Example

The following invocation deletes an partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.

deletePartnerProfile(partnerProfileId="custom-partnerprofile")

4.8.33 getAllIssuanceTemplates

Online command that retrieves the names of all the existing issuance templates.

4.8.33.1 Description

Retrieves the names of all the existing issuance templates and displays them.

4.8.33.2 Syntax

getAllIssuanceTemplates 

4.8.33.3 Example

The following invocation retrieves the names of all the existing issuance templates and displays them.

getAllIssuanceTemplates

4.8.34 getIssuanceTemplate

Online command that retrieves the configuration data of a specific issuance template.

4.8.34.1 Description

Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

4.8.34.2 Syntax

getIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId
Specifies the name of the issuance template.

4.8.34.3 Example

The following invocation retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.

getIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

4.8.35 createIssuanceTemplate

Online command that creates a new issuance template with default configuration data.

4.8.35.1 Description

Creates a new issuance template with default configuration data, and displays the result of the operation.

Table 4-12 describes the default configuration for this command.

Table 4-12 Default Configuration: createIssuanceTemplate

Token Type Description

Username

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • NameID User Attribute: uid

  • NameID User Attribute Store: User Store

  • Password Attribute: (empty)

  • Include Nonce: true

  • Include Timestamp: true

SAML 1.1

or

SAML 2.0

The issuance template will be created with the following default values:

  • Send Encrypted Token: false

  • Assertion Issuer: OAM Hostname

  • NameID Format: Email Address

  • NameID User Attribute: mail

  • NameID User Attribute Store: User Store

  • NameID Qualifier: (empty)

  • Include Authn Statement: true

  • Include Attr Statement: true

  • Sign Assertion: true

  • Include Certificate in Signature: true

  • Send Encrypted NameID: false (SAML 2.0 only)

  • Default Subject Confirmation Method: Sender Vouches

  • Compute HOK Symmetric Key: true

  • HOK Symmetric Key Generation Algorithm: http://www.w3.org/2001/04/xmlenc#aes128-cbc

Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter

Custom Type

The issuance template will be created with the following default values:

  • Send Encrypted Token: false


4.8.35.2 Syntax

createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, 
description) 
Argument Definition
issuanceTemplateId
Specifies the name of the issuance template to be created.
tokenType
Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

signingKeyId
Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20.
description
An optional description.

4.8.35.3 Example

The following invocation creates a new issuance template with default configuration data, and displays the result of the operation.

createIssuanceTemplate(issuanceTemplateId="custom-issuancetemp", tokenType="saml20", signingKeyId="osts_signing", description="custom issuance template")

4.8.36 deleteIssuanceTemplate

Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

4.8.36.1 Description

Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

4.8.36.2 Syntax

deleteIssuanceTemplate(issuanceTemplateId) 
Argument Definition
issuanceTemplateId
Specifies the name of the existing issuance template to be removed.

4.8.36.3 Example

The following invocation deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.

deleteIssuanceTemplate(issuanceTemplateId="custom-issuancetemp")

4.8.37 getAllValidationTemplates

Online command that retrieves the names of all the existing validation templates.

4.8.37.1 Description

Retrieves the names of all the existing validation templates and displays them.

4.8.37.2 Syntax

getAllValidationTemplates() 

4.8.37.3 Example

The following invocation retrieves the names of all the existing validation templates and displays them.

getAllValidationTemplates()

4.8.38 getValidationTemplate

Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.

4.8.38.1 Description

Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.

4.8.38.2 Syntax

getValidationTemplate(validationTemplateId) 
Argument Definition
validationTemplateId
Specifies the name of the existing validation template.

4.8.38.3 Example

The following invocation retrieves the configuration data of a specific validation template, and displays the content of the template.

getValidationTemplate(validationTemplateId="custom-wss-validtemp")

4.8.39 createWSSValidationTemplate

Online command that creates a new validation template with default configuration data.

4.8.39.1 Description

Creates a new validation template with default configuration data, and displays the result of the operation.

The WSS validation template is created with the values in Table 4-13, depending on the token type.

Table 4-13 Default Configuration: createWSSValidationTemplate

Token Type Description

Username

The validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: true

  • Validation Source: Partner

  • Token Mapping: Map token to Partner

  • Enable Simple Partner Mapping: true

  • Partner Datastore Attribute: username

SAML 1.1

or

SAML 2.0

The validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

  • Enable Partner NameID Mapping: false

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: NameID

  • Partner Datastore Attribute: username

Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The Token Mapping section will be created with the following default values:

  • Map token: Map token to Partner

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping

Also:

  • Partner Token Attribute: DN

  • Partner Datastore Attribute: sslclientcertdn

Kerberos

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: false

Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping

Also:

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail


4.8.39.2 Syntax

createWSSValidationTemplate(templateId, tokenType,
defaultRequesterPPID, description)
Argument Definition
templateId
Specifies the name of the name of the validation template to be created.
tokenType
Specifies the token type of the validation template. Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is OAM

defaultRequesterPPID
Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester.
description
Specifies an optional description.

4.8.39.3 Example

The following invocation creates a new validation template with default configuration data, and displays the result of the operation.

createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom",
defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation 
template")

4.8.40 createWSTrustValidationTemplate

Online command that creates a new WS-Trust validation template with default configuration data.

4.8.40.1 Description

Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.

The WS-Trust validation template is created with the values in Table 4-14, depending on the token type.

Table 4-14 Default Configuration: createWSTrustValidationTemplate

Token Type Description

Username

The WS-Trust validation template will be created with the following default values:

  • Timestamp Lifespan: 600 seconds

  • Enable Credential Validation: false

  • Validation Source: User Store

  • Token Mapping: Map token to User

  • Enable Simple User Mapping: true

  • USer Datastore Attribute: uid

SAML 1.1

or

SAML 2.0

The WS-Trust validation template will be created with the following default values:

  • Authentication Timeout: 3600 seconds

  • Timestamp Lifespan: 3600 seconds

The Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: false

  • Enable User NameID Mapping: true

  • Enable Attribute Based User Mapping: false

Empty fields: User Datastore Attribute, Attribute Based User Mapping

User NameID Mapping table will be provisioned with the following entries as NameID format:

  • urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName, empty datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName, dn set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, mail set in the datastore column

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos, empty datastore column

  • urn:oasis:names:tc:SAML:2.0:nameid-format:persistent, empty datastore column

X.509

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Enable Simple Partner Mapping: true

  • User Token Attribute: CN

  • User Datastore Attribute: CN

  • Attribute Based User Mapping (empty)

Kerberos

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_KERBEROS_PRINCIPAL_FULL

  • User Datastore Attribute: mail

OAM

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to User

  • Enable Simple User Mapping: true

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: TPE_NAME_ID

  • User Datastore Attribute: uid

custom

The WS-Trust Token Mapping section will be created with the following default values:

  • Map token: Map token to None

  • Enable Simple User Mapping: false

  • Enable Attribute Based User Mapping: false

  • Attribute Based User Mapping (empty)

  • User Token Attribute: (empty)

  • User Datastore Attribute: (empty)


4.8.40.2 Syntax

createWSTrustValidationTemplate(templateId, tokenType, description)
Argument Definition
templateId
Specifies the name of the name of the WS-Trust validation template to be created.
tokenType
Specifies the token type of the WS-Trust validation template. Possible values can be:
  • username: indicates that the token type is UsernameToken

  • saml11: indicates that the token type is a SAML 1.1 Assertion

  • saml20: indicates that the token type is a SAML 2.0 Assertion

  • x509: indicates that the token type is an X.509 certificate

  • kerberos: indicates that the token type is a Kerberos token

  • oam: indicates that the token type is an Oracle Access Manager token, supported by default

  • <other>: in this case, the token type is assumed to be a custom token type, referenced by <other> (replace <other> by a value)

description
Specifies an optional description.

4.8.40.3 Example

The following invocation creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.

createWSTrustValidationTemplate(templateId="custom-wss-validtemp", 
tokenType="custom", description="custom validation template")

4.8.41 deleteValidationTemplate

Online command that deletes a validation template.

4.8.41.1 Description

Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

4.8.41.2 Syntax

deleteValidationTemplate(validationTemplateId)
Argument Definition
validationTemplateId
Specifies the name of the validation template to be removed.

4.8.41.3 Example

The following invocation deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.

deleteValidationTemplate(validationTemplateId="custom-wss-validtemp") 

4.9 Oracle Keystore Service

This section contains commands used with the OPSS keystore service.

Note:

You need to acquire an OPSS handle to use keystore service commands. For details, see Managing Keys and Certificates with the Keystore Service in the Oracle Fusion Middleware Application Security Guide.

Table 4-15 lists the WLST commands used to manage the keystore service.

Table 4-15 OPSS Keystore Service Commands

Use this Command... to...

changeKeyPassword

Change the password for a key.

changeKeyStorePassword

Change the password on a keystore.

createKeyStore

Create a keystore.

deleteKeyStore

Delete a keystore.

deleteKeyStoreEntry

Delete an entry in a keystore.

exportKeyStore

Export a keystore to file.

exportKeyStoreCertificate

Export a certificate to a file.

exportKeyStoreCertificateRequest

Export a certificate request to a file.

generateKeyPair

Generate a keypair.

generateSecretKey

Generate a secret key.

getKeyStoreCertificates

Get information about a certificate or trusted certificate.

getKeyStoreSecretKeyProperties

Get the secret key properties.

importKeyStore

Import a keystore from file.

importKeyStoreCertificate

Import a certificate or other object.

listExpiringCertificates

List certificates expiring in a specified period.

listKeyStoreAliases

List aliases in a keystore.

listKeyStores

List all the keystores in a stripe.


4.9.1 changeKeyPassword

Changes a key password.

4.9.1.1 Description

Changes the password for a key.

4.9.1.2 Syntax

svc.changeKeyPassword(appStripe='stripe', name='keystore', password='password', 
alias='alias', currentkeypassword='currentkeypassword', 
newkeypassword='newkeypassword')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe containing the keystore
name
Specifies the name of the keystore
password
Specifies the keystore password
alias
Specifies the alias of the key entry whose password is changed
currentkeypassword
Specifies the current key password
newkeypassword
Specifies the new key password

4.9.1.3 Example

This example changes the password on the key entry orakey:

svc.changeKeyPassword(appStripe='system', name='keystore', password='password', 
alias='orakey', currentkeypassword='currentkeypassword', 
newkeypassword='newkeypassword')

4.9.2 changeKeyStorePassword

Changes the password of a keystore.

4.9.2.1 Description

Changes the password of the specified keystore.

4.9.2.2 Syntax

svc.changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe containing the keystore
name
Specifies the name of the keystore
currentpassword
Specifies the current keystore password
newpassword
Specifies the new keystore password

4.9.2.3 Example

This example changes the password for keystore2.

svc.changeKeyStorePassword(appStripe='system', name='keystore2', 
currentpassword='currentpassword', newpassword='newpassword')

4.9.3 createKeyStore

This keystore service command creates a new keystore.

4.9.3.1 Description

Creates a new keystore on the given application stripe.

4.9.3.2 Syntax

svc.createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore is created.
name
Specifies the name of the new keystore.
password
Specifies the keystore password.
permission
This parameter is true if the keystore is protected by permission only, false if protected by both permission and password.

4.9.3.3 Example

This example creates a keystore named keystore1.

svc.createKeyStore(appStripe='system', name='keystore1', password='password', permission=true)

4.9.4 deleteKeyStore

Deletes the named keystore.

4.9.4.1 Description

This keystore service command deletes a specified keystore.

4.9.4.2 Syntax

svc.deleteKeyStore(appStripe='stripe', name='keystore', password='password')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore to be deleted.
password
Specifies the keystore password.

4.9.4.3 Example

This example deletes the keystore named keystore1.

svc.deleteKeyStore(appStripe='system', name='keystore1', password='password')

4.9.5 deleteKeyStoreEntry

Deletes a keystore entry.

4.9.5.1 Description

This command deletes the specified entry in a keystore.

4.9.5.2 Syntax

svc.deleteKeyStoreEntry(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
alias
Specifies the alias of the entry to be deleted
keypassword
Specifies the key password of the entry to be deleted

4.9.5.3 Example

This example deletes a keystore entry denoted by alias orakey.

svc.deleteKeyStoreEntry(appStripe='system', name='keystore2', password='password', alias='orakey', keypassword='keypassword')

4.9.6 exportKeyStore

Exports a keystore to a file.

4.9.6.1 Description

Exports a keystore to the specified file.

4.9.6.2 Syntax

svc.exportKeyStore(appStripe='stripe', name='keystore', password='password', 

aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', 
type='keystore-type', filepath='absolute_file_path')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
aliases
Comma separated list of aliases to be exported.
keypasswords
Comma separated list of the key passwords correspo nding to aliases.
type
Exported keystore type. Valid values are 'JKS' or 'JCEKS'.
filepath
Absolute path of the file where keystore is exported.

4.9.6.3 Example

This example exports two aliases from the specified keystore.

svc.exportKeyStore(appStripe='system', name='keystore2', 
password='password',aliases='orakey,seckey', 
keypasswords='keypassword1,keypassword2', 
type='JKS',filepath='/tmp/file.jks')

4.9.7 exportKeyStoreCertificate

Exports a certificate.

4.9.7.1 Description

Exports a certificate, trusted certificate or certificate chain.

4.9.7.2 Syntax

svc.exportKeyStoreCertificate(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
type='entrytype',filepath='absolute_file_path')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
alias
Specifies the alias of the entry to be exported
keypassword
Specifies the key password.
type
Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'.
filepath
Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported.

4.9.7.3 Example

This example exports a certificate corresponding to the orakey alias:

svc.exportKeyStoreCertificate(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
type='Certificate', filepath='/tmp/cert.txt')

4.9.8 exportKeyStoreCertificateRequest

Exports a certificate request.

4.9.8.1 Description

Generates and exports a certificate request from a keystore.

4.9.8.2 Syntax

svc.exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
filepath='absolute_file_path')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
alias
Specifies the entry's alias name.
keypassword
Specifies the key password.
filepath
Specifies the absolute path of the file where certificate request is exported.

4.9.8.3 Example

This example exports a certificate request corresponding to the orakey alias.

svc.exportKeyStoreCertificateRequest(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
filepath='/tmp/certreq.txt')

4.9.9 generateKeyPair

Generates a key pair in a keystore.

4.9.9.1 Description

Generates a key pair in a keystore and wraps it in a demo CA-signed certificate.

4.9.9.2 Syntax

svc.generateKeyPair(appStripe='stripe', name='keystore', password='password', 
dn='distinguishedname', keysize='keysize', alias='alias', 
keypassword='keypassword')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
dn
Specifies the distinguished name of the certificate wrapping the key pair.
keysize
Specifies the key size.
alias
Specifies the alias of the key pair entry.
keypassword
Specifies the key password.

4.9.9.3 Example

This example generates a keypair in keystore2.

svc.generateKeyPair(appStripe='system', name='keystore2', password='password', dn='cn=www.oracle.com', keysize='1024', alias='orakey', keypassword='keypassword')

4.9.10 generateSecretKey

Generates a secret key.

4.9.10.1 Description

Generates a symmetric key in a keystore.

4.9.10.2 Syntax

svc.generateSecretKey(appStripe='stripe', name='keystore', password='password', 
algorithm='algorithm', keysize='keysize', alias='alias', 
keypassword='keypassword')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
algorithm
Specifies the symmetric key algorithm.
keysize
Specifies the key size.
alias
Specifies the alias of the key entry.
keypassword
Specifies the key password.

4.9.10.3 Example

This example generates a keypair with keysize 128 in keystore2.

svc.generateSecretKey(appStripe='system', name='keystore2', password='password', 
algorithm='AES', keysize='128', alias='seckey', keypassword='keypassword')

4.9.11 getKeyStoreCertificates

Gets a certificate from the keystore.

4.9.11.1 Description

Retrieves information about a certificate or trusted certificate.

4.9.11.2 Syntax

svc.getKeyStoreCertificates(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
alias
Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed.
keypassword
Specifies the key password.

4.9.11.3 Example

This example gets certificates associated with keystore3.

svc.getKeyStoreCertificates(appStripe='system', name='keystore3', password='password', alias='orakey', keypassword='keypassword')

4.9.12 getKeyStoreSecretKeyProperties

Retrieves secret key properties.

4.9.12.1 Description

Retrieves secret key properties like the algorithm.

4.9.12.2 Syntax

svc.getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
alias
Specifies the alias of the secret key whose properties are displayed.
keypassword
Specifies the secret key password.

4.9.12.3 Example

This example gets properties for secret key seckey:

svc.getKeyStoreSecretKeyProperties(appStripe='system', name='keystore3', 
password='password', alias='seckey', keypassword='keypassword')

4.9.13 importKeyStore

Imports a keystore from file.

4.9.13.1 Description

Imports a keystore from a system file.

4.9.13.2 Syntax

svc.importKeyStore(appStripe='stripe', name='keystore', password='password', 
aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', 
type='keystore-type', permission=true|false, filepath='absolute_file_path')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
aliases  
Specifies the comma-separated aliases of the entries to be imported from file.
keypasswords  
Specifies the comma-separated passwords of the keys in file.
type  
Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'.
filepath 
Specifies the absolute path of the keystore file to be imported.
permission 
Specifies true if keystore is protected by permission only, false if protected by both permission and password.

4.9.13.3 Example

This example imports a file to keystore2:

svc.importKeyStore(appStripe='system', name='keystore2', 
password='password',aliases='orakey,seckey', keypasswords='keypassword1, 
keypassword2', type='JKS', permission=true, filepath='/tmp/file.jks')

4.9.14 importKeyStoreCertificate

Imports a certificate or other specified object.

4.9.14.1 Description

Imports a certificate, trusted certificate or certificate chain.

4.9.14.2 Syntax

svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', 
password='password', alias='alias', keypassword='keypassword', 
type='entrytype',filepath='absolute_file_path')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
alias  
Specifies the alias of the entry to be imported.
keypassword  
Specifies the key password of the newly imported entry.
type  
Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'.
filepath  
Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported.

4.9.14.3 Example

This example imports a certificate into keystore2.

svc.importKeyStoreCertificate(appStripe='system', name='keystore2', 
password='password', alias='orakey', keypassword='keypassword', 
type='Certificate', filepath='/tmp/cert.txt')

4.9.15 listExpiringCertificates

Lists expiring certificates.

4.9.15.1 Description

Lists expiring certificates and optionally renews them.

4.9.15.2 Syntax

svc.listExpiringCertificates(days='days', autorenew=true|false)
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
days  
Specifies that the list should only include certificates within this many days from expiration.
autorenew  
Specifies true for automatically renewing expiring certificates, false for only listing them.

4.9.15.3 Example

This example lists certificates expiring within one year, and requests that they be renewed:

svc.listExpiringCertificates(days='365', autorenew=true)

4.9.16 listKeyStoreAliases

Lists the aliases in a keystore.

4.9.16.1 Description

Lists the aliases in a keystore for a given type of entry.

4.9.16.2 Syntax

The syntax is as follows:

svc.listKeyStoreAliases(appStripe='stripe', name='keystore', 
password='password', type='entrytype')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe where the keystore resides.
name
Specifies the name of the keystore.
password
Specifies the keystore password.
type
Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'.

4.9.16.3 Example

This example lists secret keys in keystore2:

svc.listKeyStoreAliases(appStripe='system', name='keystore2', 
password='password', type='SecretKey')

4.9.17 listKeyStores

Lists all the keystores in a stripe.

4.9.17.1 Description

Lists all the keystores in the specified stripe.

4.9.17.2 Syntax

svc.listKeyStores(appStripe='stripe')
Argument Definition
svc
Specifies the service command object obtained through a call to getOpssService().
appStripe
Specifies the name of the stripe whose keystores are listed.

4.9.17.3 Example

This example lists all keystores on all stripes.

svc.listKeyStores(appStripe='*')

4.10 Library Oracle Virtual Directory (libOVD) Commands

Use the WLST commands listed in Table 4-16 to manage a libOVD configuration associated with a specific Oracle Platform Security Services (OPSS) context.

Table 4-16 WLST libOVD Commands

Use this command... To... Use with WLST...

addDNAttribute

Add an attribute to the DN attributes list for an existing adapter.

Online

activateLibOVDConfigChanges

Reload the libOVD configuration.

Online

addAttributeExclusionRule

Add a attribute exclusion rule.

Online

addAttributeRule

Add a new attribute mapping rule.

Online

addDomainExclusionRule

Add a domain exclusion rule.

Online

addDomainRule

Add a new domain mapping rule.

Online

addJoinRule

Add a join rule to an existing Join Adapter for a libOVD configuration.

Online

addLDAPHost

Add a new remote host to an existing LDAP adapter.

Online

addMappingContext

Create a new mapping context.

Online

addPlugin

Add a plug-in to an existing adapter or at the global level.

Online

addPluginParam

Add new parameter values to the existing adapter level plug-in or global plug-in.

Online

addToRequestControlExcludeList

Add a control to the Request Control Exclude List for an existing LDAP adapter configuration.

Online

addToRequestControlIncludeList

Add a control to the Request Control Include List for an existing LDAP adapter configuration.

Online

assignViewToAdapter

Assign the given view to an adapter.

Online

createJoinAdapter

Create a new Join Adapter for a libOVD configuration.

Online

createLDAPAdapter

Create a new LDAP adapter for a libOVD configuration.

Online

createLDAPAdapterWithDefaultPlugins

Create a new LDAP adapter with default plug-ins based on the specified directory type.

Online

createView

Create a new view.

Online

deleteAdapter

Delete an existing adapter for a libOVD configuration.

Online

deleteAttributeExclusionRule

Delete a attribute exclusion rule.

Online

deleteAttributeRule

Delete a attribute mapping rule.

Online

deleteDomainExclusionRule

Delete a domain exclusion rule.

Online

deleteDomainRule

Delete a domain mapping rule.

Online

deleteMappingContext

Delete the specified mapping context.

Online

deleteView

Delete the specified view.

Online

getAdapterDetails

Display the details of an existing adapter for a libOVD configuration.

Online

listAdapters

List the name and type of all adapters that are configured for a libOVD configuration.

Online

listAllMappingContextIds

List all the mapping contexts.

Online

listAttributeRules

List all the attribute rules.

Online

listDomainRules

List all the domain rules.

Online

listViews

List all views

Online

modifyLDAPAdapter

Modify the existing LDAP adapter configuration.

Online

modifySocketOptions

Modify the socket options for an existing LDAP adapter configuration.

Online

removeAllRequestControlExcludeList

Remove all controls from the Request Control Exclude List for an existing LDAP adapter configuration.

Online

removeAllRequestControlIncludeList

Remove all controls from a Request Control Include List for an existing LDAP adapter configuration.

Online

removeFromRequestControlExcludeList

Remove an attribute from the DN attributes list for an existing LDAP adapter configuration.

Online

removeDNAttribute

Remove a control from the Request Control Exclude List for an existing LDAP adapter configuration.

Online

removeFromRequestControlIncludeList

Remove a control from the Request Control Include List for an existing LDAP adapter configuration.

Online

removeJoinRule

Remove a join rule from a Join Adapter configured for a libOVD configuration.

Online

removeLDAPHost

Remove a remote host from an existing LDAP adapter configuration.

Online

removePlugin

Remove a plug-in from an existing adapter or at the global level.

Online

removePluginParam

Remove an existing parameter from a configured adapter level plug-in or global plug-in.

Online

replacePluginParam

Replace existing parameter values for an adapter level plug-in or global plug-in.

Online

unassignViewFromAdapter

Remove a view from an adapter.

Online

listSSLStoreType

List the type of SSL store in use for libOVD.

Online

enableKSSForSSL

Enable KSS for libOVD.

Online

enableJKSForSSL

Enable JKS for libOVD.

Online

createKeyStoreAndEnableJKSForSSL

Enable JKS for libOVD.

Online

importTrustedCertificateIntoSSLStore

Import given trusted certificate into SSL store.

Online

migrateAllTrustedCertificatesFromJKSToKSS

Migrate all trusted certificates from JKS to KSS store.

Online

migrateTrustedCertificatesFromJKSToKSS

Migrate given trusted certificates from JKS to KSS store.

Online

changeLDAPHostPort

Change given LDAP host and port in an existing LDAP adapter configuration to the new host and port.

Online

removeLDAPHostPort

Remove a remote host and a port from an existing LDAP adapter configuration.

Online

setReadOnlyForLDAPHost

Set the given host and port to read-only/writable in an existing LDAP adapter configuration.

Online


4.10.1 addDNAttribute

Adds an attribute to the DN Attributes List.

4.10.1.1 Description

Adds an attribute to the DN Attributes List for an existing adapter configured for the libOVD configuration associated with an OPSS context.

4.10.1.2 Syntax

addDNAttribute(adapterName, attributeName, [contextName])
Argument Definition
adapterName Name of the adapter to be updated.
attributeName Name of the new DN attribute to be added.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is ”default.”

4.10.1.3 Example

addDNAttribute(adapterName='ldap1', attributeName='memberof', contextName='default')

4.10.2 activateLibOVDConfigChanges

Reloads the libOVD configuration.

4.10.2.1 Description

Reloads the libOVD configuration associated with a specific OPSS context.

4.10.2.2 Syntax

activateLibOVDConfigChanges([contextName])
Argument Definition
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.2.3 Example

activateLibOVDConfigChanges('default')

4.10.3 addAttributeExclusionRule

Adds an attribute exclusion rule.

4.10.3.1 Description

Adds an attribute exclusion rule to the exclusion list.

4.10.3.2 Syntax

addAttributeExclusionRule(attribute, mappingContextId, [contextName])
Argument Definition
attribute Name of the attribute to be added to the exclusion list.
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.3.3 Example

addAttributeExclusionRule('objectsid','userrole')

4.10.4 addAttributeRule

Adds a new attribute mapping rule.

4.10.4.1 Description

Adds a new attribute mapping rule to the libOVD configuration associated with a specific OPSS context.

4.10.4.2 Syntax

addAttributeRule(srcAttrs, srcObjectClass, srcAttrType, dstAttr, dstObjectClass, dstAttrType, mappingExpression, direction, mappingContextId, [contextName])
Argument Definition
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default".

4.10.4.3 Example

addAttributeRule('lastname','','','sn','','','','Inbound','userrole')

4.10.5 addDomainExclusionRule

Adds a domain exclusion rule.

4.10.5.1 Description

Adds a domain exclusion rule to the exclusion list.

4.10.5.2 Syntax

addDomainExclusionRule(domain, mappingContextId, [contextName])
Argument Definition
domain Distinguished name (DN) of the attribute to be added to the exclusion list.
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.5.3 Example

addDomainExclusionRule('cn=group,dc=oracle,dc=com','userrole')

4.10.6 addDomainRule

Adds a new domain mapping rule.

4.10.6.1 Description

Adds a new domain mapping rule.

4.10.6.2 Syntax

addDomainRule(srcDomain, destDomain, domainConstructRule, mappingContextId, [contextName])
Argument Definition
srcDomain Source domain.
destDomain Destination domain
domainConstructRule Name of the attribute to be added to the exclusion list.
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.6.3 Example

addDomainRule('dc=oracle,dc=com', 'dc=oracle,dc=com', '', 'defaultContext', 'default')

4.10.7 addJoinRule

Adds a join rule to a Join Adapter.

4.10.7.1 Description

Adds a join rule to an existing Join Adapter for the libOVD configuration associated with the specified OPSS context.

4.10.7.2 Syntax

addJoinRule(adapterName, secondary, condition, [joinerType], [contextName])
Argument Definition
adapterName Name of the Join Adapter to be modified.
secondary Name of the adapter to join to.
condition The attribute(s) to join on.
joinerType Optional. Defines the type of Join. Values can be Simple (default), Conditional, OneToMany, or Shadow.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.7.3 Examples

addJoinRule('join1','secondaryldap','cn=cn', 'Simple', 'default')

addJoinRule('join1','secondaryldap','cn=cn', 'Conditional', 'default')

addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', joinerType='OneToMany')

addJoinRule(adapterName='join1', secondary='LDAP2',condition='uid=cn', contextName='myContext')

4.10.8 addLDAPHost

Adds a new remote host.

4.10.8.1 Description

Adds a new remote host (host and port) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.

4.10.8.2 Syntax

addLDAPHost(adapterName, host, port, [contextName])
Argument Definition
adapterName Name of the Join Adapter to be modified.
host Remote LDAP host to which the LDAP adapter will communicate.
port Remote LDAP host port.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.8.3 Examples

addLDAPHost(adapterName='ldap1', host='myhost.example.com', port=389)

addLDAPHost('ldap1', 'myhost.example.com',389, 'myContext')

4.10.9 addMappingContext

Creates a new mapping context.

4.10.9.1 Description

Creates a new mapping context for the libOVD configuration associated with the specified OPSS context.

4.10.9.2 Syntax

addMappingContext(mappingContextId, [contextName])
Argument Definition
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.9.3 Example

addMappingContext('defaultContext','context')

4.10.10 addPlugin

Adds a plug-in to an existing adapter or at the global level.

4.10.10.1 Description

Adds a plug-in to an existing adapter or at the global level. The "i"th key corresponds to "i"th value. The plug-in is added to default chain.

4.10.10.2 Syntax

addPlugin(pluginName, pluginClass, paramKeys, paramValues, [adapterName], [contextName])
Argument Definition
pluginName Name of the plug-in to be created.
pluginClass Class of the plug-in.
paramKeys Init Param. Keys separated by "|".
paramValues Init Param. Values separated by "|".
adapterName Optional. Name of the adapter to be modified. If not specified, the plug-in is added at the global level.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.10.3 Examples

addPlugin(adapterName='ldap1', pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')

addPlugin(pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com') 

addPlugin(pluginName='DMSMetrics',pluginClass='oracle.ods.virtualization.engine.chain.plugins.DMSMetrics.MonitorPerformance', paramKeys='None',paramValues='None',adapterName='ldap1',contextName='default')

4.10.11 addPluginParam

Adds new parameter values to the existing adapter level plug-in or global plug-in.

4.10.11.1 Description

Adds new parameter values to the existing adapter level plug-in or the global plug-in. If the parameter already exists, the new value is added to the existing set of values. The "i"th key corresponds to "i"th value.

4.10.11.2 Syntax

addPluginParam(pluginName, paramKeys, paramValues, [adapterName], [contextName])
Argument Definition
pluginName Name of the plug-in to be modified.
paramKeys Init Param Keys separated by "|".
paramValues Init Param Values separated by "|".
adapterName Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.11.3 Examples

addPluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramKeys='ReplaceAttribute | MatchFilter', paramValues='cn=%uid% | objectclass=person')

addPluginParam(pluginName='VirtualAttr', paramKeys='ReplaceAttribute | MatchFilter', par)

4.10.12 addToRequestControlExcludeList

Adds a control to the Request Control Exclude List.

4.10.12.1 Description

Adds a control to the Request Control Exclude List for an existing LDAP adapter configuration.

4.10.12.2 Syntax

addToRequestControlExcludeList(adapterName, control, [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be modified.
control LDAP control object identifier (OID).
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.12.3 Example

addToRequestControlExcludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')

4.10.13 addToRequestControlIncludeList

Adds a control to the Request Control Include List.

4.10.13.1 Description

Adds a control to the Request Control Include List for an existing LDAP adapter configuration.

4.10.13.2 Syntax

addToRequestControlIncludeList(adapterName, control, [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be modified.
control LDAP control object identifier (OID).
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.13.3 Example

addToRequestControlIncludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')

4.10.14 assignViewToAdapter

Assigns a view to an LDAP adapter.

4.10.14.1 Description

Assigns a view to an LDAP adapter in the libOVD configuration associated with an OPSS context.

4.10.14.2 Syntax

assignViewToAdapter(viewName, adapterName, [contextName])
Argument Definition
viewName Name of the view.
adapterName Name of the LDAP adapter.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.14.3 Example

assignViewToAdapter('userView','ldap1', 'default')

4.10.15 createJoinAdapter

Creates a new Join Adapter.

4.10.15.1 Description

Creates a new Join Adapter for the libOVD configuration associated with an OPSS context.

4.10.15.2 Syntax

createJoinAdapter(adapterName, root, primaryAdapter, [bindAdapter],[contextName])
Argument Definition
adapterName Name of the Join Adapter to be created.
root Root.
primaryAdapter Specifies the identifier of the primary adapter, which is the adapter searched first in the join operation.
bindAdapter Specifies identifier of the bind adapter(s), which are the adapter(s) whose proxy account is used to bind in the LDAP operation. By default, primaryAdapter is set as bindAdapter.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default".

4.10.15.3 Examples

createJoinAdapter('join1','dc=join','primaryldap','myldap', 'myContext')

createJoinAdapter(adapterName='join1', root='dc=join', primaryAdapter='myldap')

4.10.16 createLDAPAdapter

Creates a new LDAP adapter.

4.10.16.1 Description

Creates a new LDAP adapter for the libOVD configuration associated with an OPSS context.

4.10.16.2 Syntax

createLDAPAdapter(adapterName, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [passCred], [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be created.
root Virtual Namespace of the LDAP adapter.
host Remote LDAP host with which the LDAP adapter will communicate.
port Remote LDAP host port number.
remoteBase Location in the remote DIT to which root corresponds.
isSecure Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to true. The default value is false.
bindDN Optional. Proxy BindDN used to communicate with remote host. Default value is "".
bindPasswd Optional. Proxy BindPasswd used to communicate with the remote host. Default value is "".
passCred Optional. Controls the credentials, if any, the libOVD configuration will pass to the back-end (remote host) LDAP server. Values can be Always (default), None, or BindOnly.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.16.3 Examples

createLDAPAdapter("testLDAP", "dc=us,dc=oracle,dc=com", "myhost.example.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "Always", "myContext"

createLDAPAdapter(adapterName='ldap1', root='dc=com', host='myhost.example.com', port=5566, remoteBase='dc=oid')

4.10.17 createLDAPAdapterWithDefaultPlugins

Creates a new LDAP adapter.

4.10.17.1 Description

Creates a new LDAP adapter with default plug-ins based on the directory type for the libOVD configuration associated with an OPSS context.

4.10.17.2 Syntax

createLDAPAdapterWithDefaultPlugins(adapterName, directoryType, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be created.
directoryType Directory type. The value can be one of the following directories:
  • OID - Oracle Internet Directory

  • OUD - Oracle Unified Directory

  • SUNONE- Sun Java System Directory Server

  • OVD - Oracle Virtual Directory

  • ACTIVE_DIRECTORY - Microsoft Active Directory

  • EDIRECTORY - Novell eDirectory

  • OPEN_LDAP - Open LDAP

  • WLS_OVD - Oracle WebLogic Server OVD

  • TIVOLI - IBM Tivoli Directory Server

root Virtual Namespace of the LDAP adapter.
host Remote LDAP host to which LDAP adapter should communicate.
port Remote host port.
remoteBase Location in the remote DIT to which the root corresponds.
isSecure Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to true. The default value is false.
bindDN Optional. Proxy BindDN used to communicate with remote host. Default value is "".
bindPasswd Optional. Proxy BindPasswd used to communicate with the remote host. Default value is "".
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.17.3 Examples

createLDAPAdapterWithDefaultPlugins("testLDAP", "OID", "dc=us,dc=oracle,dc=com", "myhost.example.domain.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "myContext")

createLDAPAdapterWithDefaultPlugins(adapterName='ldap1', directoryType="OID", root='dc=com', host='myhost.example.domain.com', port=5566, remoteBase='dc=oid',bindDN="cn=testuser",bindPasswd="welcome1",contextName='default')

4.10.18 createView

Creates a new view.

4.10.18.1 Description

Creates a new view for the libOVD configuration associated with an OPSS context.

4.10.18.2 Syntax

createView(viewName, [contextName])
Argument Definition
viewName Name of the new view.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.18.3 Example

createView('userView','default')

4.10.19 deleteAdapter

Deletes an existing adapter.

4.10.19.1 Description

Deletes an existing adapter for the libOVD configuration associated with an OPSS context.

4.10.19.2 Syntax

deleteAdapter(adapterName, [contextName])
Argument Definition
adapterName Name of the Join Adapter to be deleted.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.19.3 Examples

deleteAdapter(adapterName='join1') 
deleteAdapter('join1', 'default')

4.10.20 deleteAttributeExclusionRule

Deletes an attribute exclusion rule.

4.10.20.1 Description

Deletes an attribute exclusion rule for the libOVD configuration associated with an OPSS context.

4.10.20.2 Syntax

deleteAttributeExclusionRule(attribute, mappingContextId, [contextName])
Argument Definition
attribute Name of the attribute to be removed from the exclusion list.
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.20.3 Example

deleteAttributeExclusionRule('objectsid','userrole')

4.10.21 deleteAttributeRule

Delete an attribute mapping rule.

4.10.21.1 Description

Delete an attribute mapping rule for the libOVD configuration associated with an OPSS context.

4.10.21.2 Syntax

deleteAttributeRule(srcAttrs, dstAttr, mappingContextId, [contextName])
Argument Definition
srcAttrs Source attributes.
dstAttr Destination attribute.
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.21.3 Example

deleteAttributeRule('lastname','sn')

4.10.22 deleteDomainExclusionRule

Deletes a domain exclusion rule.

4.10.22.1 Description

Deletes a domain exclusion rule for the libOVD configuration associated with an OPSS context.

4.10.22.2 Syntax

deleteDomainExclusionRule(domain, mappingContextId, [contextName])
Argument Definition
domain Distinguished Name of the container to be removed from the exclusion list.
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.22.3 Example

deleteDomainExclusionRule('cn=group,dc=oracle,dc=com','userrole')

4.10.23 deleteDomainRule

Deletes a domain mapping rule.

4.10.23.1 Description

Deletes a domain mapping rule for the libOVD configuration associated with an OPSS context.

4.10.23.2 Syntax

deleteDomainRule(srcDomain, destDomain, mappingContextId, [contextName])
Argument Definition
srcDomain Source domain.
destDomain Destination domain.
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.23.3 Example

deleteDomainRule('dc=oracle,dc=com','dc=oracle,dc=com','userrole')

4.10.24 deleteMappingContext

Delete a mapping context.

4.10.24.1 Description

Delete the specified mapping context for the libOVD configuration associated with an OPSS context.

4.10.24.2 Syntax

deleteMappingContext(mappingContextId, [contextName])
Argument Definition
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.24.3 Example

deleteMappingContext('defaultContext','context)

4.10.25 deleteView

Deletes a view.

4.10.25.1 Description

Deletes a view for the libOVD configuration associated with an OPSS context.

4.10.25.2 Syntax

createView(viewName, [contextName])
Argument Definition
viewName Name of the view to delete.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.25.3 Example

deleteView('userView','default')

4.10.26 getAdapterDetails

Displays the details of an existing adapter.

4.10.26.1 Description

Displays the details of an existing adapter configured for the libOVD configuration associated with an OPSS context.

4.10.26.2 Syntax

getAdapterDetails(adapterName, [contextName])
Argument Definition
adapterName Name of the adapter that contains the details to be displayed.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.26.3 Examples

getAdapterDetails(adapterName='ldap1', contextName='default')

getAdapterDetails(adapterName='join1')

4.10.27 listAdapters

Lists the name and type of all adapters.

4.10.27.1 Description

Lists the name and type of all adapters that are configured for the libOVD configuration associated with an OPSS context.

4.10.27.2 Syntax

listAdapters([contextName])
Argument Definition
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.27.3 Examples

listAdapters()

listAdapters(contextName='myContext')

4.10.28 listAllMappingContextIds

Lists all mapping contexts.

4.10.28.1 Description

Lists the mapping contexts associated with the specified OPSS context.

4.10.28.2 Syntax

listAllMappingContextIds([contextName])
Argument Definition
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.28.3 Example

listAllMappingContextIds('default')

4.10.29 listAttributeRules

Lists all the attribute rules.

4.10.29.1 Description

List all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION.

4.10.29.2 Syntax

listAttributeRules(mappingContextId, [contextName])
Argument Definition
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.29.3 Example

listAttributeRules('defaultContext','default') 

4.10.30 listDomainRules

Lists all domain rules.

4.10.30.1 Description

Lists all the domain rules in the format of SOURCE_DOMAIN:DESTINATION_DOMAIN.

4.10.30.2 Syntax

listDomainRules(mappingContextId, [contextName])
Argument Definition
mappingContextId Name of the mapping context.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.30.3 Example

listDomainRules('defaultContext','default')

4.10.31 listViews

Lists all views

4.10.31.1 Description

Lists all views for a libOVD configuration associated with an OPSS context.

4.10.31.2 Syntax

listViews([contextName])
Argument Definition
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.31.3 Example

listViews('default')

4.10.32 modifyLDAPAdapter

Modifies parameters in an LDAP adapter.

4.10.32.1 Description

Modifies the following parameters defined in an existing LDAP adapter:

  • Remote Base

  • Root

  • Secure

  • BindDN

  • BindPassword

  • PassCredentials

  • MaxPoolSize

  • MaxPoolChecks

  • MaxPoolWait

  • InitialPoolSize

  • PoolCleanupInterval

  • MaxPoolConnectionIdleTime

  • Active

  • PingProtocol

  • PingBindDN

  • PingBindPassword

  • PageSize

  • HeartBeatInterval

  • OperationTimeout

  • SearchCountLimit

  • Visible

  • Critical

  • InclusionFilter

  • ExclusionFilter

  • DNPattern

  • RequestControlAllowServerSupported

4.10.32.2 Syntax

modifyLDAPAdapter(adapterName, attribute, value, [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be modified.
attribute Name of the attribute to be modified.
value New value for the attribute.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.32.3 Examples

modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='BindDN', value='cn=proxyuser,dc=com', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true, contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500, contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolChecks', value=10, contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolWait', value=120000, contextName='mydefault') [value is in milliseconds] 

modifyLDAPAdapter(adapterName='ldap1', attribute='InitialPoolSize', value=10, contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='PoolCleanupInterval', value=300, contextName='mydefault') [value is in seconds]

modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolConnectionIdleTime', value=300, contextName='mydefault')  [value is in seconds]

modifyLDAPAdapter(adapterName='ldap1', attribute='Active', value=false, contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='PingProtocol', value='LDAP', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindDN', value='cn=proxyuser', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindPassword', value='welcome1', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='PageSize', value=500, contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='HeartBeatInterval', value=120, contextName='mydefault') [value is in seconds]

modifyLDAPAdapter(adapterName='ldap1', attribute='OperationTimeout', value=120000, contextName='mydefault') [value is in milliseconds] 

modifyLDAPAdapter(adapterName='ldap1', attribute='SearchCountLimit', value=100, contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='Visible', value='Yes', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='Critical', value='false', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='InclusionFilter', value='objectclass=inetorgperson#base', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='ExclusionFilter', value='uniquemember=*#base', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='DNPattern', value='(.*)cn=[a-z0-9]*$', contextName='mydefault')

modifyLDAPAdapter(adapterName='ldap1', attribute='RequestControlAllowServerSupported', value=false, contextName='mydefault')

4.10.33 modifySocketOptions

Modifies socket options.

4.10.33.1 Description

Modifies socket options for an existing LDAP adapter configuration.

4.10.33.2 Syntax

modifySocketOptions(adapterName, reuseAddress, keepAlive, tcpNoDelay, readTimeout, [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be modified.
reuseAddress Value of reuseAddress.
keepAlive Value of keepAlive.
tcpNoDelay Value of tcpNoDelay.
readTimeout Value of readTimeout in seconds.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.33.3 Example

modifySocketOptions(adapterName='ldap1', reuseAddress=true, keepAlive=true, tcpNoDelay=true, readTimeout=180000, contextName='default')

4.10.34 removeAllRequestControlExcludeList

Removes all controls from the Request Control Exclude List.

4.10.34.1 Description

Removes all controls from the Request Control Exclude List for an existing LDAP adapter configuration.

4.10.34.2 Syntax

removeAllRequestControlExcludeList(adapterName, [contextName])
Argument Definition
adapterName Name of the adapter to be updated.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.34.3 Example

removeAllRequestControlExcludeList(adapterName='ldap1', contextName='default')

4.10.35 removeAllRequestControlIncludeList

Removes all controls from the Request Control Include List.

4.10.35.1 Description

Removes all controls from the Request Control Include List for an existing LDAP adapter configuration.

4.10.35.2 Syntax

removeAllRequestControlIncludeList(adapterName, [contextName])
Argument Definition
adapterName Name of the adapter to be updated.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.35.3 Example

removeAllRequestControlIncludeList(adapterName='ldap1', contextName='default')

4.10.36 removeFromRequestControlExcludeList

Removes a control from the Request Control Exclude List.

4.10.36.1 Description

Removes a control from the Request Control Exclude List for an existing LDAP adapter configuration.

4.10.36.2 Syntax

removeFromRequestControlExcludeList(adapterName, control, [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be modified.
control LDAP control object identifier (OID).
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.36.3 Example

removeFromRequestControlExcludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')

4.10.37 removeDNAttribute

Removes a attribute from the DN Attributes List.

4.10.37.1 Description

Removes a attribute from the DN Attributes List for an existing adapter that is configured for the libOVD associated with an OPSS context.

4.10.37.2 Syntax

removeDNAttribute(adapterName attributeName, [contextName])
Argument Definition
adapterName Name of the adapter to be updated.
attributeName Name of the new DN attribute to be removed.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.37.3 Example

removeDNAttribute(adapterName='ldap1', attributeName='memberof', contextName='default')

4.10.38 removeFromRequestControlIncludeList

Removes a control from the Request Control Include List.

4.10.38.1 Description

Removes a control from the Request Control Include List for an existing LDAP adapter configuration.

4.10.38.2 Syntax

removeFromRequestControlIncludeList(adapterName, control, [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be modified.
control LDAP control object identifier (OID).
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.38.3 Example

removeFromRequestControlIncludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')

4.10.39 removeJoinRule

Removes a join rule from a Join Adapter.

4.10.39.1 Description

Removes a join rule from a Join Adapter configured for the libOVD configuration associated with the specified OPSS context.

4.10.39.2 Syntax

removeJoinRule(adapterName, secondary, [contextName])
Argument Definition
adapterName Name of the Join Adapter to be modified.
secondary The join rules corresponding to this secondary adapter are removed from the Join Adapter.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.39.3 Examples

removeJoinRule('join1','secondaryldap1', 'default')

removeJoinRule(adapterName='join1', secondary='LDAP3')

4.10.40 removeLDAPHost

Removes a remote host from an existing LDAP adapter.

4.10.40.1 Description

Removes a remote host (host:port) from an existing LDAP adapter.

4.10.40.2 Syntax

removeLDAPHost(adapterName, host, [contextName])
Argument Definition
adapterName Name of the LDAP adapter to be modified.
host Location of a remote LDAP host with which the LDAP adapter will communicate.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.40.3 Examples

removeLDAPHost(adapterName='ldap1', host='myhost.example.com')

removeLDAPHost('ldap1', 'myhost.example.com', 'myContext')

4.10.41 removePlugin

Removes a plug-in from an existing adapter.

4.10.41.1 Description

Removes a plug-in from an existing adapter or at the global level.

4.10.41.2 Syntax

removePlugin(pluginName, [adapterName], [contextName])
Argument Definition
pluginName Name of the plug-in to be removed.
adapterName Optional. Name of the adapter to be modified. If not specified, the global plug-in is removed.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.41.3 Examples

removePlugin(adapterName='ldap1', pluginName='VirtualAttr')

removePlugin(pluginName='VirtualAttr')

4.10.42 removePluginParam

Removes an existing parameter from a configured adapter level plug-in.

4.10.42.1 Description

Removes an existing parameter from a configured adapter level plug-in or a global plug-in. This command removes all values of the particular parameter from the plug-in.

4.10.42.2 Syntax

removePluginParam(pluginName, paramKey, [adapterName], [contextName])
Argument Definition
pluginName Name of the plug-in to be modified.
paramKey Parameter to be removed.
adapterName Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.42.3 Example

removePluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramKey='ReplaceAttribute')

removePluginParam(pluginName='VirtualAttr', paramKey='ReplaceAttribute')

4.10.43 replacePluginParam

Replaces existing parameter values for a plug-in.

4.10.43.1 Description

Replaces existing parameter values for the specified adapter level plug-in or global plug-in.

4.10.43.2 Syntax

replacePluginParam(pluginName, paramName, paramValues, [adapterName,][contextName])
Argument Description
pluginName Name of the plug-in to be modified.
paramName Name of the parameter to be replaced.
paramValues New values of the parameter. For more than one new value, separate each new parameter value are by a "|".
adapterName Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.43.3 Examples

replacePluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramName='ReplaceAttribute', paramValues='cn=%uid%')

replacePluginParam(adapterName='ldap1', pluginName='UserManagement', paramName='mapAttribute', paramValues='orclguid=objectGuid | uniquemember=member')

4.10.44 unassignViewFromAdapter

Unassigns a view from an adapter.

4.10.44.1 Description

Unassigns a view from an LDAP adapter configuration.

4.10.44.2 Syntax

unassignViewFromAdapter(viewName, adapterName, [contextName])
Argument Definition
viewName Name of the view.
adapterName Name of the LDAP adapter.
contextName Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default.

4.10.44.3 Example

unassignViewFromAdapter('userView','ldap1', 'default')

4.10.45 listSSLStoreType

Online command that lists the type of SSL store in use.

4.10.45.1 Description

This command lists the type of SSL store in use for libOVD (JKS or KSS).

4.10.45.2 Syntax

listSSLStoreType(contextName=[contextName])

Argument Definition
contextName Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.45.3 Example

listSSLStoreType(contextName='default')

4.10.46 enableKSSForSSL

Online command to enable KSS for libOVD.

4.10.46.1 Description

This command enables KSS for SSL, and disables JKS if it was enabled before. For more information about KSS, see Oracle® Fusion Middleware Securing Applications with Oracle Platform Security Services.

4.10.46.2 Syntax

enableKSSForSSL(contextName=[contextName])

Argument Definition
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.46.3 Example

enableKSSForSSL(contextName='default')

4.10.47 enableJKSForSSL

Online command to enable JKS for libOVD.

4.10.47.1 Description

This command enables JKS for SSL, and disables KSS if it was enabled before. The command assumes that the libOVD adapters.jks file exists.

4.10.47.2 Syntax

enableJKSForSSL(contextName=[contextName])

Argument Definition
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.47.3 Example

enableJKSForSSL(contextName='default')

4.10.48 createKeyStoreAndEnableJKSForSSL

Online command to enable JKS for SSL.

4.10.48.1 Description

This command enables JKS for SSL, and disables KSS if it was enabled before. The command creates the libOVD adapters.jks file.

4.10.48.2 Syntax

createKeyStoreAndEnableJKSForSSL(keystorePassword=[password], contextName=[contextName])

Argument Definition
keystorePassword Password for libOVD adapters.jks file.
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.48.3 Example

createKeyStoreAndEnableJKSForSSL(keystorePassword='welcome1', contextName='default')

4.10.49 importTrustedCertificateIntoSSLStore

Online command to import trusted certificate into SSL store.

4.10.49.1 Description

This command imports the provided trusted certificate into SSL store.

4.10.49.2 Syntax

importTrustedCertificateIntoSSLStore(certificateFileName=[cert_file],aliasName=[aliasName],contextName=[contextName])

Argument Definition
certificateFileName File name that contains the certificate.
aliasName Alias name for the certificate.
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.49.3 Example

importTrustedCertificateIntoSSLStore(certificateFileName='/tmp/cert.txt',aliasName='myCert1',contextName='default')

4.10.50 migrateAllTrustedCertificatesFromJKSToKSS

Online command to migrate all trusted certificates from JKS-based libOVD truststore to KSS store.

4.10.50.1 Description

This command migrates all trusted certificates from JKS-based libOVD truststore to KSS store.

4.10.50.2 Syntax

migrateAllTrustedCertificatesFromJKSToKSS(contextName=[contextName])

Argument Definition
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.50.3 Example

migrateAllTrustedCertificatesFromJKSToKSS(contextName='default')

4.10.51 migrateTrustedCertificatesFromJKSToKSS

Online command to migrate given trusted certificates from JKS-based libOVD truststore to KSS store.

4.10.51.1 Description

This command migrates the given trusted certificates from JKS-based libOVD truststore to KSS store.

4.10.51.2 Syntax

migrateTrustedCertificatesFromJKSToKSS(aliasNames=[alias_names], contextName=[contextName])

Argument Definition
aliasNames List of alias names to migrate separated by a comma.
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.51.3 Example

migrateTrustedCertificatesFromJKSToKSS (aliasNames='alias1,alias2', contextName='default')

4.10.52 changeLDAPHostPort

Online command to change given LDAP host and port in an existing LDAP adapter configuration to a new host and port.

4.10.52.1 Description

This command changes given LDAP host and port in an existing LDAP adapter configuration to a new host and port.

4.10.52.2 Syntax

changeLDAPHostPort(adapterName=[adapterName], oldHost=[oldHost], oldPort=[oldPort], newHost=[newHost], newPort=[newPort], contextName=[contextName])

Argument Definition
adapterName Name of the LDAP adapter to be modified.
oldHost Old LDAP host.
oldPort Old LDAP port.
newHost New LDAP host.
newPort New LDAP port.
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.52.3 Example

changeLDAPHostPort(adapterName='ldap1', oldHost='oldhost.example.domain.com', oldPort=389, newHost='newhost.example.domain.com', newPort=389)

4.10.53 removeLDAPHostPort

Online command to remove a remote host and a port from an existing LDAP adapter configuration.

4.10.53.1 Description

This command removes a remote host and a port from an existing LDAP adapter configuration.

4.10.53.2 Syntax

removeLDAPHostPort(adapterName=[adapterName], host=[host], port=[port], contextName=[contextName])

Argument Definition
adapterName Name of the LDAP adapter to be modified.
host Remote LDAP host.
port Remote LDAP port.
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.53.3 Example

removeLDAPHostPort(adapterName='ldap1', host='myhost.example.domain.com', port=389)

4.10.54 setReadOnlyForLDAPHost

Online command to set the given host and port to read-only/writable in an existing LDAP adapter configuration.

4.10.54.1 Description

This command sets the given host and port to read-only/writable in an existing LDAP adapter configuration.

4.10.54.2 Syntax

setReadOnlyForLDAPHost(adapterName=[adapterName], host=[host], port=[port], readOnly=[true/false], contextName=[contextName])

Argument Definition
adapterName Name of the LDAP adapter to be modified.
host LDAP host.
port LDAP port.
readOnly It has values: true or false.
contextName Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default.

4.10.54.3 Example

setReadOnlyForLDAPHost(adapterName='ldap1', host='myhost.example.domain.com', port=389, readOnly=true)

4.11 Identity Directory Service Commands

Use the WLST commands listed in Table 4-17 to manage Identity Directory Service entity attributes, entity definitions, relationships and default operational configurations.

Table 4-17 WLST Identity Directory Service Commands

Use this command... To... Use with WLST...

activateIDSConfigChanges

Reload the Identity Directory Service configuration.

Online

addAttributeInEntityConfig

Add a new attribute to the entity configuration.

Online

addAttributePropsInEntityConfig

Add new properties for an attribute in an entity configuration.

Online

addAttributeRefForEntity

Add a new attribute to the specified entity.

Online

addAttrrefPropsInEntityConfig

Add new properties for an attribute reference in an entity configuration.

Online

addCommonPropertyForOperationConfig

Add a new property for a specified operation configuration.

Online

addEntity

Add a new entity to the entity configuration.

Online

addEntityProps

Add new properties for an entity in an entity configuration.

Online

addEntityRelation

Add a new entity relation to the entity configuration.

Online

addIdentityDirectoryService

Add a new Identity Directory Service to the configuration.

Online

addOperationConfig

Add a new operation configuration to the entity configuration.

Online

addPropertyForOperationConfig

Add a new property to a specified operation configuration.

Online

deleteAttributeInEntityConfig

Delete an attribute from an entity configuration.

Online

deleteAttrrefPropsInEntityConfig

Delete attribute reference properties in an entity configuration.

Online

deleteEntity

Delete an entity from an entity configuration.

Online

deleteEntityProps

Delete entity properties in an entity configuration.

Online

deleteEntityRelation

Delete the specified entity relation.

Online

deleteIdentityDirectoryService

Delete the specified Identity Directory Service in the configuration.

Online

deleteOperationConfig

Delete operation configuration in an entity configuration.

Online

listAllAttributeInEntityConfig

List all attributes in the entity configuration.

Online

listAllEntityInEntityConfig

List all entities defined in the specified entity configuration.

Online

listAllIdentityDirectoryService

List all Identity Directory Services in the configuration.

Online

removeAttributeRefForEntity

Remove an attribute from the specified entity.

Online

removeCommonPropertyForOperationConfig

Removes a property for the specified operation configuration.

Online

removePropertyForOperationConfig

Remove a property for the specified operation configuration.

Online

updateAttributeInEntityConfig

Update attributes in an entity configuration.

Online

updateAttributePropsInEntityConfig

Update attribute properties in an entity configuration.

Online

updateAttrrefPropsInEntityConfig

Update attribute reference properties in an entity configuration.

Online

updateEntity

Update an entity's properties in an entity configuration.

Online

updateEntityAttrs

Update an entity's attributes in an entity configuration.

Online

updateEntityProps

Update the entity properties in an entity configuration.

Online

deleteAttributePropsInEntityConfig

Delete attribute properties in an entity configuration.

Online


4.11.1 activateIDSConfigChanges

Reloads the Identity Directory Service configuration.

4.11.1.1 Description

This command reloads the Identity Directory Service configuration.

4.11.1.2 Syntax

activateIDSConfigChanges()

This command has no arguments.

4.11.1.3 Example

activateIDSConfigChanges()

4.11.2 addAttributeInEntityConfig

Adds a new attribute to the entity configuration.

4.11.2.1 Description

This command adds a new attribute to the entity configuration.

4.11.2.2 Syntax

addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)

Argument Definition
name Name of the attribute to be added.
datatype The attribute's type is defined as one of the following:
  • binary

  • boolean

  • datetime

  • double

  • integer

  • rfc822name

  • string

  • x500name

description Description of the attribute to be added.
readOnly Flag to specify whether the attribute is read only or can be modified.
pwdAttr Flag to specify whether the attribute defines a password or not.
appName Name of the Identity Directory Service.

4.11.2.3 Example

addAttributeInEntityConfig('commonname','string','common name',false,false,'userrole')

4.11.3 addAttributePropsInEntityConfig

Adds new properties for an attribute in an entity configuration.

4.11.3.1 Description

This command adds new properties for an attribute in an entity configuration.

4.11.3.2 Syntax

addAttributePropsInEntityConfig(name, propNames, propVals, appName)

Argument Definition
name Name of the attribute to be added.
propNames List of property names separated by "|".

The properties (propNames and propVals) are free key/value pairs. Applications can store any required metadata at the attribute level in these properties. The Identity Directory Service does not perform any validation for these property names and does not interpret or use these properties internally.

For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values.

propVals List of corresponding property values separated by "|".
appName Name of the Identity Directory Service.

4.11.3.3 Example

addAttributePropsInEntityConfig('orgunit','labelname|multivalued','common name|true','userrole')

4.11.4 addAttributeRefForEntity

Adds a new attribute to the specified entity.

4.11.4.1 Description

This command adds a new attribute to the specified entity.

4.11.4.2 Syntax

addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)

Argument Definition
name Name of the entity to which the attribute will be added.
attrRefName Name of the attribute to be added to the entity.
attrRefFilter Type of filter to be used with the attribute, defined as one of the following:
  • beginswith

  • contains

  • doesnotcontain

  • dynamic

  • endswith

  • equals

  • greaterequal

  • greaterthan

  • lessequal

  • lessthan

  • none

  • notequals

attrRefDefaultFetch Flag to specify whether the attribute is fetched by default.
appName Name of the Identity Directory Service.

4.11.4.3 Example

addAttributeRefForEntity('User','givenname','none','true','userrole')

4.11.5 addAttrrefPropsInEntityConfig

Adds new properties for an attribute reference in an entity configuration.

4.11.5.1 Description

This command adds new properties for an attribute reference in an entity configuration.

4.11.5.2 Syntax

addAttrrefPropsInEntityConfig(entityName, attrName, propNames, propVals, appName)

Argument Definition
entityName Name of the entity.
attrName Name of the attribute reference.
propNames List of property names separated by "|".

The properties (propNames and propVals) are free key/value pairs. Applications can store any required metadata at the attribute level in these properties. The Identity Directory Service does not perform any validation for these property names and does not interpret or use these properties internally.

For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values.

propVals List of corresponding property values separated by "|".
appName Name of the Identity Directory Service.

4.11.5.3 Example

addAttrrefPropsInEntityConfig('org', 'orgunit','labelname|multivalued','common name|true','userrole')

4.11.6 addCommonPropertyForOperationConfig

Adds a new property for a specified operation configuration.

4.11.6.1 Description

This command adds a new property for a specified operation configuration.

4.11.6.2 Syntax

addCommonPropertyForOperationConfig(entityName, propName, propValue, appName)

Argument Definition
entityName Name of the entity.
propName Name of the property to be added for this operation configuration.
propValue Value of the property to be added for this operation configuration.
appName Name of the Identity Directory Service.

4.11.6.3 Example

addCommonPropertyForOperationConfig('groupmember.attr', 'member', 'userrole')

4.11.7 addEntity

Adds a new entity to the entity configuration.

4.11.7.1 Description

This command adds a new entity to the entity configuration.

4.11.7.2 Syntax

addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)

Argument Definition
name Name of the entity to which the attribute will be added.
type Name of the attribute to be added to the entity.
idAttr Identity attribute of the entity to be added.
create Flag to specify the create is allowed.
modify Flag to specify the modify is allowed.
delete Flag to specify the delete is allowed.
search Flag to specify the search is allowed.
attrRefNames Array of attribute names.
attrRefFilters An array of filter type values, defined as one of the following:
  • beginswith

  • contains

  • doesnotcontain

  • dynamic

  • endswith

  • equals

  • greaterequal

  • greaterthan

  • lessequal

  • lessthan

  • none

  • notequals

attrRefDefaultFetches Array of boolean strings (true, false).
appName Name of the Identity Directory Service.

4.11.7.3 Example

addEntity('Group','group','commonname',true,true,true,true,'name|commonname','none|none','true|false','userrole')

4.11.8 addEntityProps

Adds new properties for an entity in an entity configuration.

4.11.8.1 Description

This command adds new properties for an entity in an entity configuration.

4.11.8.2 Syntax

addEntityProps(name, propNames, propVals, appName)

Argument Definition
name Name of the entity.
propNames List of property names separated by "|".
propValues List of corresponding property values separated by "|".
appName Name of the Identity Directory Service.

4.11.8.3 Example

addEntityProps('User','inclobjclasses|exclobjclasses','inetorgperson|orclidxperson','userrole')

4.11.9 addEntityRelation

Add a new entity relation to the entity configuration.

4.11.9.1 Description

This command adds a new entity relation to the entity configuration.

4.11.9.2 Syntax

addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)

Argument Definition
name Name of the relation between the entities for the given attributes.
type Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne").
fromEntity Name of the from entity.
fromAttr Name of the from attribute.
toEntity Name of the to entity.
toAttr Name of the to attribute.
recursive Flag to set the entity relationship as recursive.
appName Name of the Identity Directory Service.

4.11.9.3 Example

addEntityRelation('manager', 'ManyToOne', 'User', 'manager', 'User', 'principal', false, 'userrole')

4.11.10 addIdentityDirectoryService

Adds a new IdentityStoreService to the Identity Directory Service configuration.

4.11.10.1 Description

This command adds a new IdentityStoreService to the Identity Directory Service configuration.

4.11.10.2 Syntax

addIdentityDirectoryService(name, description, propNames, propValues)

Argument Definition
name Name of the IdentityStoreService to be added.
description Description of the IdentityStoreService.
propNames An array of property names to be added to the IdentityStoreService configuration.
propValues An array of values to be defined for the property names added to the IdentityStoreService configuration.

4.11.10.3 Example

addIdentityDirectoryService('userrole', 'user role', 'ovd.context|entity.config', 'default|userrole')

4.11.11 addOperationConfig

Adds a new operation configuration to the entity configuration.

4.11.11.1 Description

This command adds a new operation configuration to the entity configuration.

4.11.11.2 Syntax

addOperationConfig(entityName, propNames, propValues, appName)

Argument Definition
entityName Name of the entity to which the operation configuration will be added.
propNames An array of property names to be added to the operation configuration.
propValues An array of property values for th