This chapter provides detailed descriptions of custom WLST commands for infrastructure security, including command syntax, arguments and command examples.
Note:
If you installed an IDM 11gR2 release, for supported WLST commands, refer to the appropriate WLST command reference in the Oracle online library for your release. For IDM 11gR2 releases prior to PS3, refer to "Infrastructure Security Custom WLST Commands" in WebLogic Scripting Tool Command Reference. For IDM 11gR2 PS3 or higher releases, refer to WebLogic Scripting Tool Command Reference for Identity and Access Management.The following sections describe the Oracle Fusion Middleware Infrastructure Security custom WLST commands in detail. Topics include:
For additional information about Oracle Platform Security Services, see Oracle Fusion Middleware Application Security Guide.
Note:
To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in the Oracle Fusion Middleware Administrator's Guide.WLST security commands are divided into the following categories:
Table 4-1 WLST Command Categories
| Command Category | Description |
|---|---|
|
View and manage audit policies and the audit repository configuration |
|
|
View and manage wallets, JKS keystores, and SSL configuration for Oracle HTTP Server, Oracle WebCache, Oracle Internet Directory, and Oracle Virtual Directory components. |
|
|
View and manage configuration for Oracle Identity Federation |
|
|
For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management |
|
|
Manage domain and credential domain stores and migrate domain policy store. |
|
|
Manage OAM-related components, such as authorization providers, identity asserters, and SSO providers. |
|
|
View and manage Library Oracle Virtual Directory (libOVD) configurations associated with a particular OPSS context. |
|
|
Manage Identity Directory Service entity attributes, entity definitions, relationships, and default operational configurations. |
Use the WLST commands listed in Table 4-2 to view and manage audit policies and the audit repository configuration.
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Display the mBean name for a non-Java EE component. |
Online |
|
|
Display audit policy settings. |
Online |
|
|
Update audit policy settings. |
Online |
|
|
Display audit repository settings. |
Online |
|
|
Update audit repository settings. |
Online |
|
|
List audit events for one or all components. |
Online |
|
|
Export a component's audit configuration. |
Online |
|
|
Import a component's audit configuration. |
Online |
|
|
Create an audit definitions view in the database. |
Online |
|
|
List components that can be audited. |
Online |
|
|
Registers audit definitions for a specified component in the audit store. |
Online |
|
|
Removes audit definitions of a specified component from the audit store. |
Online |
For more information, see the Oracle Fusion Middleware Application Security Guide.
Online command that displays the mbean name for non-Java EE components.
This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
svrName |
Specifies the name of the Oracle WebLogic Server. |
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.getAuditPolicy([mbeanName, componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the component audit MBean for non-Java EE components. |
componentType |
Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in jps-config.xml is returned. |
The following command displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
FilterPreset:All
Max Log File Size:104857600
Max Log Dir Size:0
The following command displays the audit settings for MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers], [removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the component audit MBean for non-Java EE components. |
filterPreset |
Specifies the filter preset to be changed. |
addSpecialUsers |
Specifies the special users to be added. |
removeSpecialUsers |
Specifies the special users to be removed. |
addCustomEvents |
Specifies the custom events to be added. |
removeCustomEvents |
Specifies the custom events to be removed. |
componentType |
Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified. |
maxDirSize |
Specifies the maximum size of the log directory. |
maxFileSize |
Specifies the maximum size of the log file. |
andCriteria |
Specifies the and criteria in a custom filter preset definition. |
orCriteria |
Specifies the or criteria in a custom filter preset definition. |
componentEventsFile |
Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create/update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to "Custom". |
The following interactive command sets audit policy to None level, and adds users user2 and user3 while removing user1 from the policy:
wls:/mydomain/serverConfig> setAuditPolicy (filterPreset= 'None',addSpecialUsers='user2,user3',removeSpecialUsers='user1') wls:/mydomain/serverConfig> getAuditPolicy(); Already in Domain Runtime Tree FilterPreset:None Special Users:user2,user3 Max Log File Size:104857600 Max Log Dir Size:0
The following interactive command adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset= 'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following interactive command sets audit policy to a Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low'); Already in Domain Runtime Tree Audit Policy Information updated successfully wls:/IDMDomain/domainRuntime> getAuditPolicy(); Already in Domain Runtime Tree FilterPreset:Low Max Log File Size:104857600 Max Log Dir Size:0
The following command sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization'); Already in Domain Runtime Tree Audit Policy Information updated successfully wls:/IDMDomain/domainRuntime> getAuditPolicy(); Already in Domain Runtime Tree FilterPreset:Custom Special Users:user1 Max Log File Size:104857600 Max Log Dir Size:0 Custom Events:JPS:CheckAuthorization
Online command that displays audit repository settings.
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB],[dataSourceName],[interval])
| Argument | Definition |
|---|---|
switchToDB |
If true, switches the repository from file to database. |
dataSourceName |
Specifies the name of the data source. |
interval |
Specifies intervals at which the audit loader kicks off. |
The following command switches from a file repository to a database repository:
wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true'); Already in Domain Runtime Tree Audit Repository Information updated wls:/IDMDomain/domainRuntime> getAuditRepository(); Already in Domain Runtime Tree JNDI Name:jdbc/AuditDB Interval:15 Repository Type:DB
The following interactive command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbcAuditDB',interval='14')
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.listAuditEvents([mbeanName],[componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the component MBean. |
componentType |
Specifies the component type to limit the list to all events of the component type. |
The following command displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message
The following command displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following command displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.exportAuditConfig([mbeanName],fileName, [componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the non-Java EE component MBean. |
fileName |
Specifies the path and file name to which the audit configuration should be exported. |
componentType |
Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in jps-config.xml is exported. |
The following interactive command exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.importAuditConfig([mbeanName],fileName, [componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the non-Java EE component MBean. |
fileName |
Specifies the path and file name from which the audit configuration should be imported. |
componentType |
Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in jps-config.xml is imported. |
The following interactive command imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name='CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command imports the audit configuration from a file; no mBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
Creates a SQL script that can generate a view for audit in the database.
This command generates a SQL script that you can use to create a database view of the audit definitions of a specified component. The script is written to the specified file and also printed out to the console.
Upon execution, the result of the SQL script depends on the audit model at your site:
If using the 11.1.1.6.0 model, and the component is registered in the audit store, the script creates a view using the system component tables (IAU_COMMON, IAU_USERSESSION, IAU_AUDITSERVICE and IAU_CUSTOM) for the specified component.
If using the pre-11.1.1.6.0 model, the component is not registered in the audit store but its event definitions reside in the component_events.xml file (in the oracle_common/modules/oracle.iau_11.1.1/components/<componentType> dir), and the view is created using the IAU_BASE and component tables.
Lists components that can be audited.
This command creates a list of the components that can be audited. It lists components registered in the audit store using both the 11.1.1.6.0 model and the pre-11.1.1.6.0 model.
Registers the specified component in the audit store.
Adds the event definition and translation content for a specified component to the audit store. If you try to register using the pre-11.1.1.6.0 audit XML schema definition, it is upgraded to the 11.1.1.6.0 XML schema definition and then registered with the audit store.
registerAudit(xmlFile, [xlfFile], componentType, [mode=OVERWRITE|UPGRADE])
| Argument | Definition |
|---|---|
xmlFile |
Specifies the Component Event definition file. |
xlfFile |
Specifies the component xlf jar file. Optional. |
componentType |
Specifies the component to be registered. |
mode |
OVERWRITE or UPGRADE. Default is UPGRADE. |
Removes the event definition and translation content for the specified component from the audit store.
Removes an existing event definition and translation content for a specified component or application from the audit store.
Use the WLST commands listed in Table 4-3 to view and manage SSL configuration for Oracle Fusion Middleware components.
Table 4-3 WLST Commands for SSL Configuration
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Generate a certificate signing request in an Oracle wallet. |
Online |
|
|
Add a self-signed certificate to an Oracle wallet. |
Online |
|
|
Change the password to a JKS keystore. |
Online |
|
|
Change the password to an Oracle wallet. |
Online |
|
|
Set the SSL attributes for a component listener. |
Online |
|
|
Create a JKS keystore. |
Online |
|
|
Create an Oracle wallet. |
Online |
|
|
Delete a JKS keystore. |
Online |
|
|
Delete an Oracle wallet. |
Online |
|
|
Export a JKS keystore to a file. |
Online |
|
|
Export an object from a JKS keystore to a file. |
Online |
|
|
Export an Oracle wallet to a file. |
Online |
|
|
Export an object from an Oracle wallet to a file. |
Online |
|
|
Generate a key pair in a JKS keystore. |
Online |
|
|
Display a certificate or other object present in a JKS keystore. |
Online |
|
|
Display the SSL attributes for a component listener. |
Online |
|
|
Display a certificate or other object present in an Oracle wallet. |
Online |
|
|
Import a JKS keystore from a file. |
Online |
|
|
Import a certificate or other object from a file to a JKS keystore. |
Online |
|
|
Import an Oracle wallet from a file. |
Online |
|
|
Import a certificate or other object from a file to an Oracle wallet. |
Online |
|
|
List all objects present in a JKS keystore. |
Online |
|
|
List all JKS keystores configured for a component instance. |
Online |
|
|
List all objects present in an Oracle wallet. |
Online |
|
|
List all Oracle wallets configured for a component instance. |
Online |
|
|
Remove a certificate or other object from a component instance's JKS keystore. |
Online |
|
|
Remove a certificate or other object from a component instance's Oracle wallet. |
Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide.
Online command that generates a certificate signing request in an Oracle wallet.
This command generates a certificate signing request in Base64 encoded PKCS#10 format in an Oracle wallet for a component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). To get a certificate signed by a certificate authority (CA), send the certificate signing request to your CA.
addCertificateRequest(instName, compName, compType, walletName, password, DN, keySize)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
DN |
Specifies the Distinguished Name of the key pair entry. |
keySize |
Specifies the key size in bits. |
The following command generates a certificate signing request with DN cn=www.acme.com and key size 1024 in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addCertificateRequest('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that adds a self-signed certificate.
This command creates a key pair and wraps it in a self-signed certificate in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Only keys based on the RSA algorithm are generated.
addSelfSignedCertificate(instName, compName, compType, walletName, password, DN, keySize)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
DN |
Specifies the Distinguished Name of the key pair entry. |
keySize |
Specifies the key size in bits. |
The following command adds a self-signed certificate with DN cn=www.acme.com, key size 1024 to wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> addSelfSignedCertificate('inst1', 'oid1', 'oid','wallet1', 'password', 'cn=www.acme.com', '1024')
Online command that changes the keystore password.
This command changes the password of a Java Keystore (JKS) file for an Oracle Virtual Directory instance.
changeKeyStorePassword(instName, compName, compType, keystoreName, currPassword, newPassword)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the filename of the keystore. |
currPassword |
Specifies the current keystore password. |
newPassword |
Specifies the new keystore password. |
Online command that changes the password of an Oracle wallet.
This command changes the password of an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). This command is only applicable to password-protected wallets.
changeWalletPassword(instName, compName, compType, walletName,currPassword, newPassword)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName |
Specifies the filename of the wallet. |
currPassword |
Specifies the current wallet password. |
newPassword |
Specifies the new wallet password. |
Online command that sets SSL attributes.
This command sets the SSL attributes for a component listener. The attributes are specified in a properties file format (name=value). If a properties file is not provided, or it does not contain any SSL attributes, default attribute values are used. For component-specific SSL attribute value defaults, see the chapter "SSL Configuration in Oracle Fusion Middleware" in the Oracle Fusion Middleware Administrator's Guide.
configureSSL(instName, compName, compType, listener, filePath)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'oid', 'ovd', ohs', and 'webcache'. |
listener |
Specifies the name of the component listener to be configured for SSL. |
filePath |
Specifies the absolute path of the properties file containing the SSL attributes to set. |
The following command configures SSL attributes specified in the properties file /tmp/ssl.properties for Oracle Virtual Directory instance ovd1 in application server instance inst1, for listener listener1:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener1','/tmp/ssl.properties')
The following command configures SSL attributes without specifying a properties file. Since no file is provided, the default SSL attribute values are used:
wls:/mydomain/serverConfig> configureSSL('inst1', 'ovd1', 'ovd', 'listener2')
Online command that creates a JKS keystore.
This command creates a Java keystore (JKS) for the specified Oracle Virtual Directory instance. For keystore file location and other information, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createKeyStore(instName, compName, compType, keystoreName, password)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the filename of the keystore file to be created. |
password |
Specifies the keystore password. |
Online command that creates an Oracle wallet.
This command creates an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). Wallets can be of password-protected or auto-login type. For wallet details, see the chapter "Managing Keystores, Wallets, and Certificates" in the Oracle Fusion Middleware Administrator's Guide.
createWallet(instName, compName, compType, walletName, password)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName |
Specifies the name of the wallet file to be created. |
password |
Specifies the wallet password. |
The following command creates a wallet named wallet1 with password password, for Oracle HTTP Server instance ohs1 in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'ohs1', 'ohs','wallet1', 'password')
The following command creates an auto-login wallet named wallet2 for Oracle WebCache instance wc1, in application server instance inst1:
wls:/mydomain/serverConfig> createWallet('inst1', 'wc1', 'webcache','wallet2', '')
Online command that deletes a keystore.
This command deletes a keystore for a specified Oracle Virtual Directory instance.
deleteKeyStore(instName, compName, compType, keystoreName)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file to delete. |
Online command that deletes an Oracle wallet.
This command deletes an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
deleteWallet(instName, compName, compType, walletName)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName |
Specifies the name of the wallet file to be deleted. |
Online command that exports the keystore to a file.
This command exports a keystore, configured for the specified Oracle Virtual Directory instance, to a file under the given directory. The exported filename is the same as the keystore name.
exportKeyStore(instName, compName, compType, keystoreName, password, path)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file. |
password |
Specifies the password of the keystore. |
path |
Specifies the absolute path of the directory under which the keystore is exported. |
Online command that exports an object from a keystore to a file.
This command exports a certificate signing request, certificate/certificate chain, or trusted certificate present in a Java keystore (JKS) to a file for the specified Oracle Virtual Directory instance. The certificate signing request is generated before exporting the object. The alias specifies the object to be exported.
exportKeyStoreObject(instName, compName, compType, keystoreName, password, type, path, alias)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of the keystore object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
path |
Specifies the absolute path of the directory under which the object is exported as a file named base64.txt. |
alias |
Specifies the alias of the keystore object to be exported. |
The following command generates and exports a certificate signing request from the key-pair indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'CertificateRequest', '/tmp','mykey')
The following command exports a certificate or certificate chain indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '/tmp','mykey')
The following command exports a trusted certificate indicated by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '/tmp','mykey')
Online command that exports an Oracle wallet.
This command exports an Oracle wallet, configured for a specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), to file(s) under the given directory. If the exported file is an auto-login only wallet, the file name is 'cwallet.sso'. If it is password-protected wallet, two files are created: 'ewallet.p12' and 'cwallet.sso'.
exportWallet(instName, compName, compType, walletName,password, path)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'oid', 'ohs', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
path |
Specifies the absolute path of the directory under which the object is exported. |
The following command exports auto-login wallet wallet1 for Oracle Internet Directory instance oid1 to file cwallet.sso under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet1','','/tmp')
The following command exports password-protected wallet wallet2 for Oracle Internet Directory instance oid1 to two files, ewallet.p12 and cwallet.sso, under /tmp:
wls:/mydomain/serverConfig> exportWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp')
Online command that exports a certificate or other wallet object to a file.
This command exports a certificate signing request, certificate, certificate chain or trusted certificate present in an Oracle wallet to a file for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be exported.
exportWalletObject(instName, compName, compType, walletName, password, type, path, DN)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedChain'. |
path |
Specifies the absolute path of the directory under which the object is exported as a file base64.txt. |
DN |
Specifies the Distinguished Name of the wallet object being exported. |
The following command exports a certificate signing request with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate signing request is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest', '/tmp','cn=www.acme.com')
The following command exports a certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate', '/tmp','cn=www.acme.com')
The following command exports a trusted certificate with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The trusted certificate is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate', '/tmp','cn=www.acme.com')
The following command exports a certificate chain with DN cn=www.acme.com in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. The certificate or certificate chain is exported under the directory /tmp:
wls:/mydomain/serverConfig> exportWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain', '/tmp','cn=www.acme.com')
Online command that generates a key pair in a Java keystore.
This command generates a key pair in a Java keystore (JKS) for Oracle Virtual Directory. It also wraps the key pair in a self-signed certificate. Only keys based on the RSA algorithm are generated.
generateKey(instName, compName, compType, keystoreName, password, DN, keySize, alias, algorithm)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore. |
password |
Specifies the password of the keystore. |
DN |
Specifies the Distinguished Name of the key pair entry. |
keySize |
Specifies the key size in bits. |
alias |
Specifies the alias of the key pair entry in the keystore. |
algorithm |
Specifies the key algorithm. Valid value is 'RSA'. |
The following command generates a key pair with DN cn=www.acme.com, key size 1024, algorithm RSA and alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey', 'RSA')
The following command is the same as above, except it does not explicitly specify the key algorithm:
wls:/mydomain/serverConfig> generateKey('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'cn=www.acme.com', '1024', 'mykey')
Online command that shows details about a keystore object.
This command displays a specific certificate or trusted certificate present in a Java keystore (JKS) for Oracle Virtual Directory. The keystore object is indicated by its index number, as given by the listKeyStoreObjects command. It shows the certificate details including DN, key size, algorithm, and other information.
getKeyStoreObject(instName, compName, compType, keystoreName, password, type, index)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of the keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
index |
Specifies the index number of the keystore object as returned by the listKeyStoreObjects command. |
The following command shows a trusted certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate', '1')
The following command shows a certificate with index 1 present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate', '1')
Online command that lists the configured SSL attributes.
This command lists the configured SSL attributes for the specified component listener. For Oracle Internet Directory, the listener name is always sslport1.
getSSL(instName, compName, compType, listener)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ovd', 'oid', 'ohs', and 'webcache'. |
listener |
Specifies the name of the component listener. |
Online command that displays information about a certificate or other object in an Oracle wallet.
This command displays a specific certificate signing request, certificate or trusted certificate present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). The wallet object is indicated by its index number, as given by the listWalletObjects command. For certificates or trusted certificates, it shows the certificate details including DN, key size, algorithm and other data. For certificate signing requests, it shows the subject DN, key size and algorithm.
getWalletObject(instName, compName, compType, walletName, password, type, index)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of wallet object to be exported. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
index |
Specifies the index number of the wallet object as returned by the listWalletObjects command. |
The following command shows certificate signing request details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest', '0')
The following command shows certificate details for the object with index 0 present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'Certificate', '0')
The following command shows trusted certificate details for the object with index 0, present in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> getKeyStoreObject('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate', '0')
Online command that imports a keystore from a file.
This command imports a Java keystore (JKS) from a file to the specified Oracle Virtual Directory instance for manageability. The component instance name must be unique.
importKeyStore(instName, compName, compType, keystoreName, password, filePath)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore being imported. This name must be unique for this component instance. |
password |
Specifies the password of the keystore. |
filePath |
Specifies the absolute path of the keystore file to be imported. |
The following command imports the keystore /tmp/keys.jks as file.jks into Oracle Virtual Directory instance ovd1. Subsequently, the keystore is managed through the name file.jks:
wls:/mydomain/serverConfig> importKeyStore('inst1', 'ovd1', 'ovd', 'file.jks', 'password', '/tmp/keys.jks')
Online command that imports an object from a file to a keystore.
This command imports a certificate, certificate chain, or trusted certificate into a Java keystore (JKS) for Oracle Virtual Directory, assigning it the specified alias which must be unique in the keystore. If a certificate or certificate chain is being imported, the alias must match that of the corresponding key-pair.
importKeyStoreObject(instName, compName, compType, keystoreName, password, type, filePath, alias)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of the keystore object to be imported. Valid values are 'Certificate' and 'TrustedCertificate'. |
filePath |
Specifies the absolute path of the file containing the keystore object. |
alias |
Specifies the alias to assign to the keystore object to be imported. |
The following command imports a certificate or certificate chain from file cert.txt into keys.jks, using alias mykey for Oracle Virtual Directory instance ovd1, in application server instance inst1. The file keys.jks must already have an alias mykey for a key-pair whose public key matches that in the certificate being imported:
wls:/mydomain/serverConfig> > importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','/tmp/cert.txt', 'mykey')
The following command imports a trusted certificate from file trust.txt into keys.jks using alias mykey1, for Oracle Virtual Directory instance ovd1 in application server instance inst1:
wls:/mydomain/serverConfig> importKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','/tmp/trust.txt', 'mykey1')
Online command that imports an Oracle wallet from a file.
This command imports an Oracle wallet from a file to the specified component instance (Oracle HTTP Server, Oracle WebCache, or Oracle Internet Directory) for manageability. If the wallet being imported is an auto-login wallet, the file path must point to cwallet.sso; if the wallet is password-protected, it must point to ewallet.p12. The wallet name must be unique for the component instance.
importWallet(instName, compName, compType, walletName, password, filePath)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet being imported. The name must be unique for the component instance. |
password |
Specifies the password of the wallet. |
filePath |
Specifies the absolute path of the wallet file being imported. |
The following command imports auto-login wallet file /tmp/cwallet.sso as wallet1 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet1. No password is passed since it is an auto-login wallet:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet1', '', '/tmp/cwallet.sso')
The following command imports password-protected wallet /tmp/ewallet.p12 as wallet2 into Oracle Internet Directory instance oid1. Subsequently, the wallet is managed with the name wallet2. The wallet password is passed as a parameter:
wls:/mydomain/serverConfig> importWallet('inst1', 'oid1', 'oid', 'wallet2', 'password', '/tmp/ewallet.p12')
Online command that imports a certificate or other object into an Oracle wallet.
This command imports a certificate, trusted certificate or certificate chain into an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache component or Oracle Internet Directory).When importing a certificate, use the same wallet file from which the certificate signing request was generated.
importWalletObject(instName, compName, compType, walletName, password, type, filePath)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of wallet object to be imported. Valid values are 'Certificate', 'TrustedCertificate' and 'TrustedChain'. |
filePath |
Specifies the absolute path of the file containing the wallet object. |
The following command imports a certificate chain in PKCS#7 format from file chain.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedChain','/tmp/chain.txt')
The following command imports a certificate from file cert.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','/tmp/cert.txt')
The following command imports a trusted certificate from file trust.txt into wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> importWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','/tmp/trust.txt')
Online command that lists the contents of a keystore.
This command lists all the certificates or trusted certificates present in a Java keystore (JKS) for Oracle Virtual Directory.
listKeyStoreObjects(instName, compName, compType, keystoreName, password, type)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of keystore object to be listed. Valid values are 'Certificate' and 'TrustedCertificate'. |
The following command lists all trusted certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate')
The following command lists all certificates present in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> listKeyStoreObjects('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate')
Online command that lists all the keystores for a component.
This command lists all the Java keystores (JKS) configured for the specified Oracle Virtual Directory instance.
Online command that lists all objects in an Oracle wallet.
This command lists all certificate signing requests, certificates, or trusted certificates present in an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory).
listWalletObjects(instName, compName, compType, walletName, password, type)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of wallet object to be listed. Valid values are 'CertificateRequest', 'Certificate', and 'TrustedCertificate'. |
The following command lists all certificate signing requests in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> > listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'CertificateRequest')
The following command lists all certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'Certificate')
The following command lists all trusted certificates in wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> listWalletObjects('inst1', 'oid1', 'oid','wallet1','password', 'TrustedCertificate')
Online command that lists all wallets configured for a component instance.
This command displays all the wallets configured for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory), and identifies the auto-login wallets.
Online command that removes an object from a keystore.
This command removes a certificate request, certificate, trusted certificate, or all trusted certificates from a Java keystore (JKS) for Oracle Virtual Directory. Use an alias to remove a specific object; no alias is needed if all trusted certificates are being removed.
removeKeyStoreObject(instName, compName, compType, keystoreName, password, type, alias)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid value is 'ovd'. |
keystoreName |
Specifies the name of the keystore file. |
password |
Specifies the password of the keystore. |
type |
Specifies the type of the keystore object to be removed. Valid values are 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
alias |
Specifies the alias of the keystore object to be removed. |
The following command removes a certificate or certificate chain denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'Certificate','mykey')
The following command removes a trusted certificate denoted by alias mykey in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedCertificate','mykey')
The following command removes all trusted certificates in keys.jks, for Oracle Virtual Directory instance ovd1, in application server instance inst1. Since no alias is required, the value None is passed for that parameter:
wls:/mydomain/serverConfig> removeKeyStoreObject('inst1', 'ovd1', 'ovd','keys.jks', 'password', 'TrustedAll',None)
Online command that removes a certificate or other object from an Oracle wallet.
This command removes a certificate signing request, certificate, trusted certificate or all trusted certificates from an Oracle wallet for the specified component instance (Oracle HTTP Server, Oracle WebCache or Oracle Internet Directory). DN is used to indicate the object to be removed.
removeWalletObject(instName, compName, compType, walletName, password, type, DN)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are 'ohs', 'oid', and 'webcache'. |
walletName |
Specifies the name of the wallet file. |
password |
Specifies the password of the wallet. |
type |
Specifies the type of the keystore object to be removed. Valid values are 'CertificateRequest', 'Certificate', 'TrustedCertificate' or 'TrustedAll'. |
DN |
Specifies the Distinguished Name of the wallet object to be removed. |
The following command removes all trusted certificates from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1. It is not necessary to provide a DN, so we pass null (denoted by None) for the DN parameter:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedAll',None)
The following command removes a certificate signing request indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'CertificateRequest','cn=www.acme.com')
The following command removes a certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'Certificate','cn=www.acme.com')
The following command removes a trusted certificate indicated by DN cn=www.acme.com from wallet1, for Oracle Internet Directory instance oid1, in application server instance inst1:
wls:/mydomain/serverConfig> removeWalletObject('inst1', 'oid1', 'oid','wallet1', 'password', 'TrustedCertificate','cn=www.acme.com')
Use the WLST commands listed in Table 4-4 to view and manage configuration for Oracle Identity Federation.
Table 4-4 WLST Commands for Oracle Identity Federation
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Add a configuration list entry to a map. |
Online |
|
|
Add a configuration map entry to a map. |
Online |
|
|
Add a configuration property list entry. |
Online |
|
|
Add a configuration property map entry to the map. |
Online |
|
|
Add a custom authentication engine. |
Online |
|
|
Add a custom SP engine. |
Online |
|
|
Add a federations list entry to the map. |
Online |
|
|
Add a federation map entry to the map. |
Online |
|
|
Add a federation property list entry. |
Online |
|
|
Add a federation property map entry. |
Online |
|
|
Delete a custom authentication engine. |
Online |
|
|
Delete a custom SP engine. |
Online |
|
|
Delete a provider from the federation. |
Online |
|
|
Delete a user from the federation. |
Online |
|
|
Change the message store to memory or RDBMS. |
Online |
|
|
Change a peer provider's description. |
Online |
|
|
Change the session store to memory or RDBMS. |
Online |
|
|
Create a configuration property list. |
Online |
|
|
Create a configuration property list in the map. |
Online |
|
|
Create a configuration property map. |
Online |
|
|
Create a nested configuration property map in a map. |
Online |
|
|
Create a federation property list. |
Online |
|
|
Create a federation property list in the map. |
Online |
|
|
Create a federation property map. |
Online |
|
|
Create a nested federation property map in a map. |
Online |
|
|
Create a peer provider entry. |
Online |
|
|
Retrieve a configuration list value from the map. |
Online |
|
|
Retrieve a configuration map value from the map. |
Online |
|
|
Retrieve a configuration property entry. |
Online |
|
|
Retrieve a configuration property list. |
Online |
|
|
Retrieve a configuration property map entry. |
Online |
|
|
Retrieve a federation list value from the map. |
Online |
|
|
Retrieve a federation map entry from a nested map. |
Online |
|
|
Retrieve a federation property. |
Online |
|
|
Retrieve the federation property list. |
Online |
|
|
Export all provider configuration properties to a text file. |
Script |
|
|
Set a provider's properties based on an input text file. |
Script |
|
|
Retrieve a federation property map entry. |
Online |
|
|
Display the list of custom authentication engines. |
Online |
|
|
Display the list of custom SP engines. |
Online |
|
|
Load metadata from a file. |
Online |
|
|
Display the current status of Oracle Identity Federation on the managed server. |
Online |
|
|
Delete a configuration list in the map. |
Online |
|
|
Delete a configuration map entry in the map. |
Online |
|
|
Delete a nested configuration map. |
Online |
|
|
Delete a configuration property. |
Online |
|
|
Delete a property list. |
Online |
|
|
Delete a property map. |
Online |
|
|
Delete an entry in the property map. |
Online |
|
|
Delete a federation list in the map. |
Online |
|
|
Delete a nested federation map. |
Online |
|
|
Delete a nested federation map entry. |
Online |
|
|
Delete a federation property. |
Online |
|
|
Delete a federation property list. |
Online |
|
|
Delete a federation property map. |
Online |
|
|
Delete a federation property map entry. |
Online |
|
|
Delete a peer provider entry. |
Online |
|
|
Set a configuration property. |
Online |
|
|
Define a custom authentication engine. |
Online |
|
|
Define a custom SP engine. |
Online |
|
|
Set a federation property. |
Online |
For more information, see the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation.
Online command that adds a property value to a map.
addConfigListEntryInMap(configName, mapname, listName, value, type)
| Argument | Definition |
|---|---|
configname |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapname |
Specifies the name of the property to map to be changed in config.xml. |
listname |
Specifies the name of the list. |
value |
Specifies the property value. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a nested map property entry in a map.
This command that adds a property name/value pair to a map nested inside a map in config.xml.
addConfigMapEntryInMap(configName, mapname, nestedMapName, propName, value, type)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapname |
Specifies the name of the property map to be changed in config.xml. |
nestedMapName |
name of the nested property map to be changed. |
propName |
Specifies the name of the list. |
value |
Specifies the property value. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a list property entry to config.xml.
addConfigPropertyListEntry(configName, listName, value, type)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
listName |
Specifies the name of the property list to be added in config.xml. |
value |
Specifies the new property list value. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a property name/value entry in a map in config.xml.
addConfigPropertyMapEntry(configName, mapName, propName, value, type)
| Argument | Definition |
|---|---|
configname |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapname |
Specifies the name of the property map in config.xml. |
propName |
Specifies the name of the property map. |
value |
Specifies the property map value to be added. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a custom authentication integration engine.
addCustomAuthnEngine(name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
name |
Specifies the name of the custom engine. |
enabled |
This flag specifies whether the engine is enabled (true) or not (false, default). |
webContext |
Specifies the web context for the engine. |
authnRelativePath |
Specifies the authentication relative path URL for the engine. |
logoutRelativePath |
Specifies the logout relative path URL for the engine. |
logoutEnabled |
This flag is set true to enable logout for the engine, else false. |
Online command that adds a custom service provider (SP) engine.
addCustomSPEngine(name, [enabled, [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
name |
Specifies the name of the custom engine. |
enabled |
This flag specifies whether the engine is enabled (true) or not (false). |
authnMech |
Specifies the authentication mechanism for the engine. |
webContext |
Specifies the web context for the engine. |
authnRelativePath |
Specifies the authentication relative path URL for the engine. |
logoutRelativePath |
Specifies the logout relative path URL for the engine. |
logoutEnabled |
This flag is set true to enable logout for the engine, else false. |
Online command that adds a list property entry in a map.
addFederationListEntryInMap(providerID, mapname, listName, value, type)
| Argument | Definition |
|---|---|
providerID |
Specifies the provider ID. |
mapname |
Specifies the name of the property map to be changed in cot.xml. |
listName |
Specifies the name of the property list to be added to the map. |
value |
Specifies the property list value to be added. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a nested map property entry in a map.
This command adds a property name/value pair to a map nested inside a map in cot.xml.
addFederationMapEntryInMap(providerID, mapname, nestedMapName, propName, value, type)
| Argument | Definition |
|---|---|
providerID |
Specifies the provider ID. |
mapname |
Specifies the name of the property map to be changed in cot.xml. |
nestedMapName |
Specifies the name of the nested property map to be changed. |
propName |
Specifies the name of the property to be updated in the map. |
value |
Specifies the property value to be added. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that adds a list property entry.
addFederationPropertyListEntry(providerID, listName, value, type)
| Argument | Definition |
|---|---|
providerID |
Specifies the provider ID. |
listName |
Specifies the name of the property list to be updated. |
value |
Specifies the property list value to be added. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that a property name/value entry in a map.
addFederationPropertyMapEntry(providerID, mapName, propName, value, type)
| Argument | Definition |
|---|---|
providerID |
Specifies the provider ID. |
mapName |
Specifies the name of the property map to be changed in cot.xml. |
propName |
Specifies the name of the property to be added in the map. |
value |
Specifies the property value to be added. The entered value is appended to the list. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that deletes a custom authentication integration engine from the configuration.
This command deletes a custom authentication integration engine in config.xml. You must provide the engine ID for an existing custom authentication engine in config.xml.
Online command that deletes a custom service provider (SP) integration engine from the configuration.
This command deletes a custom SP integration engine in config.xml. The EngineID for an existing custom SP engine in config.xml must be provided.
Online command that deletes federations for given provider.
Online command that deletes federations for given users.
Online command that changes the message store between memory and RDBMS.
Online command that changes the peer provider description.
Online command that changes the session store between memory and RDBMS.
Online command that creates a property list.
Online command that creates a property list nested in the property map.
This command creates a property list, nested in the property map, in config.xml.
createConfigPropertyListInMap(configName, mapName, listName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapName |
Specifies an existing property map to contain the nested list. |
listName |
Specifies the property list name. |
Online command that creates a property map.
Online command that creates a property map.
createConfigPropertyMapInMap(configName, mapName, nestedMapName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapName |
Specifies the name of an existing property map. |
nestedMapName |
Specifies the name of the property map to create nested inside mapName. |
Online command that creates a property list.
Online command that creates a property list nested in a property map.
Online command that creates a property map.
Online command that creates a nested property map.
This command that creates a property map, nested in another property map, in cot.xml.
Online command that creates a peer provider property map entry.
createPeerProviderEntry(providerID, description, providerType, version)
| Argument | Definition |
|---|---|
providerID |
Specifies the provider ID to be created. |
description |
This is the description of the provider ID. |
providerType |
Specifies the provider type of the peer provider to be created. |
version |
Specifies the version of the peer provider to be created. |
Online command that returns a list nested in a map.
getConfigListValueInMap(configName, mapName, listName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
mapName |
Specifies the name of the property map. |
listName |
Specifies the name of the list to be fetched from the map. |
Online command that returns a map property entry nested in a map.
getConfigMapEntryInMap(configName, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
mapname |
Specifies the name of the property map. |
nestedMapName |
Specifies the name of the nested property map. |
propName |
Specifies the name of the property to be fetched from the nested map. |
Online command that returns a property value.
Online command that returns a property list.
Online command that returns a property value from a map.
getConfigPropertyMapEntry(configName, mapName, propName)
| Argument | Definition |
|---|---|
configName |
Specifies the configuration name (for example, idpsaml20, serverconfig, spsaml20, ...). |
mapName |
Specifies the name of the property map. |
propName |
Specifies the name of the property to be fetched from the map in config.xml. |
Online command that returns a list value nested in a map.
Online command that returns a map property entry nested in a map.
getFederationMapEntryInMap(providerID, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
providerID |
Specifies the name of the peer provider to be accessed. |
mapName |
Specifies the name of the property map. |
nestedMapName |
Specifies the name of the nested property map. |
propName |
Specifies the name of the property to be fetched from the nested map. |
Online command that returns a property value.
Online command that returns a property list.
A WLST script that exports the properties of a provider.
A WLST script that extracts all the configuration properties of the specified provider and exports them to a text file. You can later use this file to set the same properties on another provider. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.
extractproviderprops.py providerID filename
| Argument | Definition |
|---|---|
providerID |
Specifies the name of the provider whose properties are to be extracted. |
filename |
Specifies the name of the text file to which the provider properties are extracted. |
When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.
The format of the extract file is:
TYPE:NAME:PROPNAME:PROPVALUE:PROPTYPE
For example:
X:X:sendattribute:false:boolean MAP:attributelist/mailemail:datastore-attr:mail:string LIST:sendattributefornameid:unspecified::string
A WLST script that sets the properties of a provider using values from a text file.
A WLST script that sets the properties of a provider using values from a text file. Execute this command from a UNIX or Windows command shell prompt and not from the WLST command shell. This script is stored in ORACLE_HOME/fed/scripts.
The text file is generated by the extractproviderprops command.
setproviderprops.py providerID filename
| Argument | Definition |
|---|---|
providerID |
Specifies the name of the provider whose properties are to be updated. |
filename |
Specifies the name of the input file from which to read the properties. |
When you execute the script, you are prompted for the WebLogic administrator credentials and the connection URL; for the latter, specify the Managed Server port, not the Administration Server port.
Online command that returns a property value from a map.
Online command that returns a list of custom authentication integration engines.
Online command that returns a list of custom SP integration engines.
Online command that loads metadata from an input file.
Online command that reports the current status of the Oracle Identity Federation application in the managed server to which WLST is connected.
This command displays the current status of Oracle Identity Federation on the managed server.
loifStatus('serverurl', 'configfile', 'keyfile')
| Argument | Definition |
|---|---|
serverurl |
Specifies the URL of the managed server. |
configfile |
This is a pre-defined user configuration file created with the WLST storeUserConfig command. |
keyfile |
This is a pre-defined key file created with the WLST storeUserConfig command |
The following command provides no arguments; WLST prompts you for the Oracle WebLogic Server username, password, and the managed server URL, then displays the federation server status:
wls:/mydomain/serverConfig> oifStatus()
The following command provides only the managed server URL; WLST prompts you for the Oracle WebLogic Server username and password:
wls:/mydomain/serverConfig> oifStatus('', '', 't3://localhost:7499')
The following command provides all arguments needed for WLST to display the federation server status:
wls:/mydomain/serverConfig> oifStatus('configfileA', 'keyfileB', 't3://localhost:7499')
Online command that removes a list property nested in a map.
removeConfigListInMap(configName, mapName, listName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
mapName |
Specifies the name of the property map. |
listName |
Specifies the name of the list to be removed from the map. |
Online command that removes a map property nested in a map.
removeConfigMapEntryInMap(configName, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be accessed. |
mapName |
Specifies the name of the property map. |
nestedMapName |
Specifies the name of the nested property map. |
propName |
Specifies the name of the property to be removed from the nested map. |
Online command that removes a map property nested in a map.
removeConfigMapEntryInMap(configName, mapName, nestedMapName, propName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapName |
Specifies the name of the property map. |
nestedMapName |
Specifies the name of the nested property map. |
propName |
Specifies the name of the property to be removed from the nested map. |
Online command that removes a configuration property.
Online command that removes a configuration property list.
Online command that removes a property map.
Online command that removes a property value from a map.
removeConfigPropertyMapEntry(configName, mapName, propName)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
mapName |
Specifies the name of the property map to be updated. |
propName |
Specifies the name of the property to be removed from the map. |
Online command that removes a property list in a map.
Online command that removes a nested map in a map.
removeFederationMapInMap(providerID, mapname, nestedMapName)
| Argument | Definition |
|---|---|
providerID |
Specifies the name of the peer provider to be accessed. |
mapName |
Specifies the name of the property map containing the nested map. |
nestedMapName |
Specifies the name of the nested property map to be removed. |
Online command that removes a nested map property entry in a map.
This command removes a property name/value pair to a map nested inside a map in cot.xml.
removeFederationMapEntryInMap(providerID, mapname, nestedMapName, propName)
| Argument | Definition |
|---|---|
providerID |
Specifies the name of the peer provider to be accessed. |
mapName |
Specifies the name of the property map containing the nested map. |
nestedMapName |
Specifies the name of the nested property map. |
propName |
Specifies the name of the property to be removed from the nested map. |
Online command that removes a property value.
Online command that removes a property list entry.
Online command that removes a property map.
Online command that removes a property value from a map.
removeFederationPropertyMapEntry(providerID, mapName, propName)
| Argument | Definition |
|---|---|
providerID |
Specifies the name of the peer provider to be accessed. |
mapName |
Specifies the name of the property map to be updated. |
propName |
Specifies the name of the property to be removed from the map. |
Online command that removes a peer provider entry.
Online command that sets a property value in config.xml.
setConfigProperty(configname, propName, value, type)
| Argument | Definition |
|---|---|
configName |
Specifies the name of the configuration (for example, idpsaml20, serverconfig, spsaml20, ...) to be updated. |
propName |
Specifies the name of the property to be added/updated in config.xml. |
value |
Specifies the property value. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Online command that updates a custom authentication integration engine.
setCustomAuthnEngine(engineID, name, [enabled], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
engineID |
Specifies the engine ID of an existing engine. |
name |
Specifies the name of the custom engine. |
enabled |
This flag specifies whether the engine is enabled (true) or not (false). |
webContext |
Specifies the web context for the engine. |
authnRelativePath |
Specifies the authentication relative path URL for the engine. |
logoutRelativePath |
Specifies the logout relative path URL for the engine. |
logoutEnabled |
This flag is set true to enable logout for the engine, else false. |
Online command that updates a custom SP integration engine.
setCustomSPEngine(engineID, name, [enabled, [authnMech], [webContext], [authnRelativePath], [logoutRelativePath], [logoutEnabled])
| Argument | Definition |
|---|---|
engineID |
Specifies the engine ID of an existing custom engine. |
name |
Specifies the name of the custom engine. |
enabled |
This flag specifies whether the engine is enabled (true) or not (false). |
authnMech |
Specifies the authentication mechanism for the engine. |
webContext |
Specifies the web context for the engine. |
authnRelativePath |
Specifies the authentication relative path URL for the engine. |
logoutRelativePath |
Specifies the logout relative path URL for the engine. |
logoutEnabled |
This flag is set true to enable logout for the engine, else false. |
Online command that adds or updates a property value.
setFederationProperty(providerID, propName, value, type)
| Argument | Definition |
|---|---|
providerID |
Specifies the name of the peer provider to be updated. |
propName |
Specifies the name of the property to be added/updated in cot.xml. |
value |
Specifies the property value. |
type |
Specifies the type of property, BOOLEAN or STRING or LONG. |
Some of the Directory Integration Platform (DIP) tools use WLST internally, and therefore, there are no custom WLST commands available to run from the WLST command prompt or to use within scripts. For information on DIP tools, see "Directory Integration Platform Tools" in the Oracle Fusion Middleware Reference for Oracle Identity Management.
Use the WLST security commands listed in Table 4-5 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 4-5 WLST Security Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Add a credential to the bootstrap credential store. |
Offline |
|
|
Add a resource to an entitlement. |
Online |
|
|
Create a new application role. |
Online |
|
|
Create a new credential. |
Online |
|
|
Create an entitlement. |
Online |
|
|
Create a resource. |
Online |
|
|
Create a new resource type. |
Online |
|
|
Remove all policies in an application. |
Online |
|
|
Remove an application role. |
Online |
|
|
Remove a credential. |
Online |
|
|
Remove an entitlement. |
Online |
|
|
Remove a resource. |
Online |
|
|
Remove an existing resource type. |
Online |
|
|
Export the domain encryption key to the file |
Offline |
|
|
List an entitlement. |
Online |
|
|
Fetch an existing resource type. |
Online |
|
|
Add a principal to a role. |
Online |
|
|
Create an entitlement. |
Online |
|
|
Create a new permission. |
Online |
|
|
Import the encryption key in file |
Offline |
|
|
List all roles in an application. |
Online |
|
|
List all members in an application role. |
Online |
|
|
List application stripes in policy store. |
Online |
|
|
List permissions assigned to a source code in global policies. |
Online |
|
|
List entitlements in an application stripe. |
Online |
|
|
List all permissions granted to a principal. |
Online |
|
|
List resources in an application stripe. |
Online |
|
|
List actions in a resource. |
Online |
|
|
List resource types in an application stripe. |
Online |
|
|
List the type and location of the OPSS security store, and the user allowed to access it. |
Offline |
|
|
Migrate policies or credentials from a source repository to a target repository. |
Offline |
|
|
Update bootstrap credential store |
Offline |
|
|
Reassociate policies and credentials to an LDAP repository |
Online |
|
|
Restore the domain encryption key as it was before the last importing. |
Offline |
|
|
Remove an entitlement. |
Online |
|
|
Remove a principal from a role. |
Online |
|
|
Remove a permission. |
Online |
|
|
Remove a resource from an entitlement |
Online |
|
|
Create a new credential store encryption key. |
Offline |
|
|
Modify the attribute values of a credential. |
Online |
|
|
Update the trust store configuration. |
Online |
|
|
Upgrade security data from data used with release 10.1.x to data used with release 11. |
Offline |
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
Online command that removes an application role.
Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
Online command that adds a principal to a role.
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
Online command that removes a principal from a role.
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
Online command that creates a new permission.
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in between square brackets.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL
|
Specifies the URL of the code granted the permission. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
permClass
|
Specifies the fully qualified name of the permission class. |
permTarget
|
Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions
|
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that removes a permission.
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in between square brackets.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL
|
Specifies the URL of the code granted the permission. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
permClass
|
Specifies the fully qualified name of the permission class. |
permTarget
|
Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions
|
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in between square brackets.
listPermissions([appStripe,] principalClass, principalName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
The following invocation lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")
The following invocation lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that removes all policies with a given application stripe.
Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.
Offline command that migrates identities, policies (application-specific and system), credentials, audit, and keystore service artifacts from one repository to another.
For details, see the following sections in Oracle Fusion Middleware Application Security Guide:
Migrates identities, application-specific, or system policies from a source repository to a target repository. Migrates a specific credential folder or all credentials.
The kinds of the repositories where the source and target data is stored is transparent to the command, and any combination of file-based and LDAP-based repositories is allowed (LDAP-repositories must use an OVD or an OID LDAP server only). In the event of an error, the command returns a WLSTException.
The command syntax varies depending on the scope (system or application-specific or both) of the policies being migrated.
Optional arguments are enclosed in square brackets.
To migrate identities, use the following syntax:
migrateSecurityStore(type="idStore", configFile, src, dst, [dstLdifFile])
To migrate all policies (system and application-specific, for all applications) use the following syntax
migrateSecurityStore(type="policyStore", configFile, src, dst,[overWrite,][preserveAppRoleGuid])
To migrate just system policies, use the following syntax:
migrateSecurityStore(type="globalPolicies", configFile, src, dst, [overWrite])
To migrate just application-specific policies, for one application, use the following syntax:
migrateSecurityStore(type="appPolicies", configFile,src, dst, srcApp [,dstApp] [,overWrite] [,migrateIdStoreMapping][,preserveAppRoleGuid] [,mode])
To migrate all credentials, use the following syntax:
migrateSecurityStore(type="credStore", configFile, src, dst, [overWrite])
To migrate just one credential folder, use the following syntax:
migrateSecurityStore(type="folderCred", configFile,src, dst, [srcFolder,] [dstFolde,] [srcConfigFile,] [overWrite])
| Argument | Definition |
|---|---|
type
|
Specifies the type of policies migrates.
To migrate identities, set it to To migrate all policies (system and application-specific, for all applications), set to To migrate just system policies, set to To migrate just application-specific policies, set to To migrate all credentials, set to To migrate just one credential folder, set to |
configFile
|
Specifies the location of a configuration file jps-config.xml relative to the directory where the command is run. The configuration file passed need not be an actual domain configuration file, but it can be assembled just to specify the source and destination repositories of the migration. |
src
|
Specifies the name of a jps-context in the configuration file passed to the argument configFile, where the source store is specified. |
dst
|
Specifies the name of another jps-context in the configuration file passed to the argument configFile, where the destination store is specified. |
srcApp
|
Specifies the name of the source application, that is, the application whose policies are being migrated. |
dstApp
|
Specifies the name of the target application, that is, the application whose policies are being written. If unspecified, it defaults to the name of the source application. |
srcFolder
|
Specifies the name of the folder from where credentials are migrated. This argument is optional. If unspecified, the credential store is assumed to have only one folder and the value of this argument defaults to the name of that folder. |
dstFolder
|
Specifies the folder to where the source credentials are migrated. This argument is optional and, if unspecified, defaults to the folder passed to srcFolder. |
srcConfigFile
|
Specifies the location of an alternate configuration file, and it is used in the special case in which credentials are not configured in the file passed to configFile. This argument is optional. If unspecified, it defaults to the value passed to configFile; if specified, the value passed to configFile is ignored. |
overWrite
|
Specifies whether data in the target matching data being migrated should be overwritten by or merged with the source data. Optional and false by default. Set to true to overwrite matching data; set to false to merge matching data. |
migrateIdStoreMapping
|
Specifies whether the migration of application policies should include or exclude the migration of enterprise policies. Optional and true by default. Set it to False to exclude enterprise policies from the migration of application policies. |
dstLdifFile
|
Specifies the location where the LDIF file will be created. Required only if destination is an LDAP-based identity store. Notice that the LDIF file is not imported into the LDAP server; the importing of the file LDIF should be done manually, after the file has been edited to account for the appropriate attributes required in your LDAP server. |
preserveAppRoleGuid
|
Specifies whether the migration of policies should preserve or recreate GUIDs. Optional and false, by default. Set to true to preserve GUIDs; set to false to recreated GUIDs. |
mode
|
Specifies whether the migration should stop and signal an error upon encountering a duplicate principal or a duplicate permission in an application policy. Set to lax to allow the migration to continue upon encountering duplicate items, to migrate just one of the duplicated items, and to log a warning to this effect; set to strict to force the migration to stop upon encountering duplicate items. If unspecified, it defaults to strict. |
Note the following requirements about the passed arguments:
The file jps-config.xml is found in the passed location.
The file jps-config.xml includes the passed jps-contexts.
The source and the destination context names are distinct. From these two contexts, the command determines the locations of the source and the target repositories involved in the migration.
The following invocation illustrates the migration of the file-based policies of application PolicyServlet1 to file-based policies of application PolicyServlet2, that does not stop on encountering duplicate principals or permissions, that migrates just one of duplicate items, and that logs a warning when duplicates are found:
wls:/mydomain/serverConfig> migrateSecurityStore(type="appPolicies", configFile="jps-congif.xml", src="default1", dst="context2", srcApp="PolicyServlet1", dstApp="PolicyServlet2", overWrite="true", mode="lax")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
<serviceInstance name="policystore1.xml" provider="some.provider"> <property name="location" value="jazn-data1.xml"/> </serviceInstance> <serviceInstance name="policystore2.xml" provider="some.provider"> <property name="location" value="jazn-data2.xml"/> </serviceInstance> ... <jpsContext name="default1"> <serviceInstanceRef ref="policystore1.xml"/> ... </jpsContext> <jpsContext name="context2"> <serviceInstanceRef ref="policystore2.xml"/> ... </jpsContext>
The file-based policies for the two applications involved in the migration are defined in the files jazn-data1.xml and jazn-data2.xml, which are not shown but assumed located in the current directory.
The following invocation illustrates the migration of file-based credentials from one location to another:
wls:/mydomain/serverConfig> migrateSecurityStore(type="credStore", configFile="jps-congif.xml", src="default1", dst="context2")
The above invocation assumes that:
The file jps-config.xml is located in the directory where the command is run (current directory).
That file includes the following elements:
<serviceInstance name="credstore1" provider="some.provider"> <property name="location" value="./credstore1/cwallet.sso"/> </serviceInstance> <serviceInstance name="credstore2" provider="some.provider"> <property name="location" value="./credstore2/cwallet.sso"/> </serviceInstance> ... <jpsContext name="default1"> <serviceInstanceRef ref="credstore1"/> ... </jpsContext> <jpsContext name="context2"> <serviceInstanceRef ref="credstore2"/> ... </jpsContext>
For detailed configuration examples to use with this command, see Oracle Fusion Middleware Application Security Guide.
Online command that modifies the type, user name, and password of a credential.
Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only. When the command executes successfully no error messages are displayed.
Optional arguments are enclosed in square brackets.
updateCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
user
|
Specifies the credential user name. |
password
|
Specifies the credential password. |
desc
|
Specifies a string describing the credential. |
Online command that creates a new credential in the domain credential store.
Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only. When the command executes successfully no error messages are displayed.
Optional arguments are enclosed in square brackets.
createCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
user
|
Specifies the credential user name. |
password
|
Specifies the credential password. |
desc
|
Specifies a string describing the credential. |
Online command that removes a credential in the domain credential store.
Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException. When the command executes successfully no error messages are displayed.
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
username
|
Specifies the distinguished name of the user in the LDAP store. |
password
|
Specifies the password of the user. |
Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory.Then the following invocation changes the password in the bootstrap credential store to welcome1:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded.
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
map
|
Specifies the map of the credential to add. |
key
|
Specifies the key of the credential to add. |
username
|
Specifies the name of the user in the credential to add. |
password |
Specifies the password of the user in the credential to add. |
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
keyFilePath
|
Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword. |
keyFilePassword
|
Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file. |
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
keyFilePath
|
Specifies the directory where the ewallet.p12 is located. |
keyFilePassword
|
Specifies the password used when the file ewallet.p12 was generated. |
Offline command to restore the domain credential encryption key.
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
Offline command to create a new domain credential encryption key.
Creates a new credential encryption key in the domain wallet. Note the following important points:
It should be executed from the administration server in the domain. No server restart is needed after invoking this script.
If the domain is the only domain accessing the security store, nothing else is required.
However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.
On the WebSphere platform, the script name is Opss.rollOverEncryptionKey.
Online command that migrates the security store from one repository to another.
For complete details, see section reassociateSecurityStore in Oracle Fusion Middleware Application Security Guide.
Offline command that migrates release 10.1.x security data to release 11 security data.
For complete details, see section Upgrading with upgradeSecurityStore in Oracle Fusion Middleware Application Security Guide.
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. Optional arguments are enclosed in between square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where to insert the resource type. |
resourceTypeName
|
Specifies the name of the resource type to insert. |
displayName
|
Specifies the name for the resource type used in UI gadgets. |
description |
Specifies a brief description of the resource type. |
provider
|
Specifies the provider for the resource type. |
matchere
|
Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission. |
actions
|
Specifies the actions allowed on instances of the resource type. |
delimeter
|
Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','. |
The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint" [, delimeter=";"])
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
Offline command that lists the type, the location, and the administrative user of the domain security store.
The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.
If this command is used in offline mode after reassociating to a DB-based store, the configuration file produced by the reassociation must be manually edited.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
| Argument | Definition |
|---|---|
configFile
|
Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store. |
regularExpression
|
Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile=" /home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes that contain the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that lists permissions assigned to a source code in global policies.
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [,-displayName="dispName"] [,-description="descript"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource is created. |
name
|
Specifies the name of the resource created. |
type
|
Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName
|
Specifies the display name of the resource created. Optional. |
description
|
Specifies the description of the resource created. Optional. |
Online command that deletes a resource.
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource is deleted. |
name
|
Specifies the name of the resource deleted. |
type
|
Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [,type="resTypeName"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resources are listed. |
type
|
Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists the resources and actions in an entitlement.
Lists the resources and actions in an entitlement within an application stripe.
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [,-displayName="dispName"] [,-description="descript"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is created. |
name
|
Specifies the name of the entitlement created. |
resourceName
|
Specifies the name of the one resource member of the entitlement created. |
actions
|
Specifies a comma-separated the list of actions for the resource resourceName. |
displayName
|
Specifies the display name of the resource created. Optional. |
description
|
Specifies the description of the entitlement created. Optional. |
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName",actions="actionList")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is located. |
name
|
Specifies the name of the entitlement to modify. |
resourceName
|
Specifies the name of the resource to add. |
resourceType
|
Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions
|
Specifies the comma-separated list of actions for the added resource. |
The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that removes a resource from an entitlement.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is located. |
name
|
Specifies the name of the entitlement to modify. |
resourceName
|
Specifies the name of the resource to remove. |
resourceType
|
Specifies the type of the resource to remove. |
actions
|
Specifies the comma-separated list of actions to remove. |
The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that lists the entitlements in an application stripe.
Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe from where to list entitlements. |
resourceTypeName
|
Specifies the name of the type of the resources to list. Optional. |
resourceName
|
Specifies the name of resource to match. Optional. |
The following invocation lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following invocation lists all the entitlements in the stripe myApplication that contain a resource type myResType and a resource whose name match the resource name myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
Online command that creates a new entitlement.
Creates a new entitlement with a specified principal in a specified application stripe.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is created. |
principalClass
|
Specifies the class associated with the principal. |
principalName
|
Specifies the name of the principal to which the entitlement is granted. |
permSetName
|
Specifies the name of the entitlement created. |
The following invocation creates the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that deletes an entitlement.
Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is deleted. |
principalClass
|
Specifies the class associated with the principal. |
principalName
|
Specifies the name of the principal to which the entitlement is revoked. |
permSetName
|
Specifies the name of the entitlement deleted. |
The following invocation deleted the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that lists resource types.
Online command that updates the domain trust service configuration values.
updateTrustServiceConfig([providerName="<the proverde name>",] propsFile="<path to the property file>")
| Argument | Definition |
|---|---|
providerName
|
Specifies the trust service provider name. Optional. If unspecified, it defaults to trust.provider.embedded. |
propsFile
|
Specifies the path to the property file. Required. |
The following invocation updates the trust service store with the values specified in the property file myProps:
wls:/mydomain/serverConfig> updateTrustServiceConfig(propsFile="myProps")
The following is a sample property file:
trust.keystoreType=KSS trust.keyStoreName=kss://<stripeName>/<keystoreName> trust.trustStoreName=kss://<stripeName>/<truststoreName> trust.aliasName=<aliasName> trust.issuerName=<aliasName>
The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration.
Use the WLST commands listed in Table 4-6 to manage Oracle Access Manager (OAM)-related components, such as authorization providers, identity asserters, and SSO providers, as well as to display metrics and deployment topology, manage Oracle Access Manager server and agent configuration and logger settings.
Table 4-6 WLST Oracle Access Manager Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
List the parameters set for an Oracle Access Manager authentication or identity assertion provider. |
Online |
|
|
Create a new identity asserter. |
Online |
|
|
Update an existing identity asserter. |
Online |
|
|
Create a new authenticator. |
Online |
|
|
Delete an existing authentication provider. |
Online |
|
|
Update an existing authenticator. |
Online |
|
|
Add a new SSO provider. |
Online |
|
|
List the details of deployed Oracle Access Manager Servers. |
Online Offline |
|
|
Display the performance metrics of an Oracle Access Manager Server and domain. |
Online |
|
|
Display Oracle Access Manager Server configuration details. |
Online Offline |
|
|
Create an entry for an Oracle Access Manager Server configuration. |
Online Offline |
|
|
Edit the entry for an Oracle Access Manager Server configuration. |
Online Offline |
|
|
Delete the named Oracle Access Manager Server configuration. |
Online Offline |
|
|
Display OSSO Agent configuration details. |
Online Offline |
|
|
Edit OSSO Agent configuration details. |
Online Offline |
|
|
Delete the named OSSO Agent configuration. |
Online Offline |
|
|
Display WebGate Agent configuration details. |
Online Offline |
|
|
Edit 10g WebGate Agent registration details. |
Online Offline |
|
|
Delete the named 10g WebGate Agent configuration. |
Online Offline |
|
|
Change Logger Settings. |
Online Offline |
|
|
Regenerate the configuration data encryption key and re-encrypt data. |
Online Offline |
|
|
Display a user identity store registration. |
Online Offline |
|
|
Edit a user identity store registration. |
Online Offline |
|
|
Create a user identity store registration. |
Online Offline |
|
|
Delete a user identity store registration. |
Online Offline |
|
|
Configure the SSO server request cache type. |
Online Offline |
|
|
Display the SSO server request cache type entry. |
Online Offline |
|
|
Export Oracle Access Manager policy data from a test (source) to an intermediate Oracle Access Manager file. |
Online |
|
|
Import Oracle Access Manager policy data from the Oracle Access Manager file specified. |
Online |
|
|
Import Oracle Access Manager policy changes from the Oracle Access Manager file specified. |
Online |
|
|
Migrate partners from the source Oracle Access Manager Server to the specified target Oracle Access Manager Server. |
Online |
|
|
Export the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified. |
Online |
|
|
Import the Oracle Access Manager partners from the intermediate Oracle Access Manager file specified. |
Online |
|
|
Configure the Oracle Access Manager-Oracle Adaptive Access Manager basic integration. |
Online |
|
|
Register Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner. |
Online Offline |
|
|
Enable the Coexist Mode. |
Online |
|
|
Disable the Coexist Mode. |
Online |
|
|
Edit GITO configuration parameters. |
Online Offline |
|
|
Edit an 11g WebGate registration. |
Online Offline |
|
|
Remove an 11g WebGate Agent registration. |
Online Offline |
|
|
Display an 11g WebGate Agent registration. |
Online Offline |
|
|
Display metrics of OAM Servers. |
Online Offline |
|
|
Update the Oracle Identity Manager configuration when integrated with Oracle Access Manager. |
Online Offline |
|
|
Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager. |
Online |
|
|
Updates OSSO Proxy response cookie settings. |
Online Offline |
|
|
Deletes OSSO Proxy response cookie settings. |
Online Offline |
|
|
Displays the simple mode global passphrase in plain text from the system configuration. |
Online |
|
|
Exports selected OAM Partners to the intermediate OAM file specified. |
Online |
|
|
Migrates artifacts based on the input artifact file. |
Online |
|
|
Registers any third party as a Trusted Authentication Protocol (TAP) Partner. |
Online |
Online command that lists the values of the parameters in effect in a domain authenticator or identity asserter.
Lists the values of the parameters set for a given Oracle Access Manager authenticator or identity asserter. In the event of an error, the command returns a WLSTException.
Online command that creates an Oracle Access Manager identity asserter in the current domain.
Creates an identity asserter with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager identity asserter is already configured in the current domain. In the event of an error, the command returns a WLSTException.
Online command that updates the values of parameters of the Oracle Access Manager identity asserter in the current domain.
Updates the value of given parameters of the domain Oracle Access Manager identity asserter. In the event of an error, the command returns a WLSTException.
updateOAMIdentityAsserter(name, paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the Oracle Access Manager identity asserter whose parameter values to update. |
| paramNameValueList | Specifies the comma-separated list of pairs of parameter name-value to be updated. The format of each pair is:
paramName="paramValue" The parameter names that can be updated are the following only:
|
The following invocation updates the parameters accessGateName, accessGatePwd, pAccessServer, and ssoHeaderName in the Oracle Access Manager identity asserter named myIdAsserter:
updateOAMIdentityAsserter(name="myIdAsserter", accessGateName="OAM IAP AccessGate", accessGatePwd="welcome1", pAccessServer="myhost.domain.com:5543", ssoHeaderName="OAM_SSO_HEADER")
Online command that creates an Oracle Access Manager authenticator in the current domain.
Creates an Oracle Access Manager authenticator with a given name in the current domain. Before executing this command, make sure that no Oracle Access Manager authenticator is already configured in the default security domain. In the event of an error, the command returns a WLSTException.
Online command that deletes the OAM authenticator from the current domain.
Deletes the OAM authenticator with a given name from the current domain. In the event of an error, the command returns a WLSTException.
Online command that updates the values of parameters of the Oracle Access Manager authenticator in the current domain.
Updates the value of given parameters of the domain Oracle Access Manager authenticator. In the event of an error, the command returns a WLSTException.
updateOAMAuthenticator(name, paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Specifies the name of the Oracle Access Manager authenticator whose parameter values to update. |
| paramNameValueList | Specifies the comma-separated list of pairs of parameter name-value to be updated. The format of each pair is
paramName='paramValue' The only parameter names that can be updated are the following:
|
The following invocation updates the parameters accessGateName, accessGatePwd, and pAccessServer in the Oracle Access Manager authenticator named myAuthenticator:
updateOAMAuthenticator(name="myAuthenticator", accessGateName="OAM AP AccessGate", accessGatePwd="welcome1", pAccessServer="myhost.domain.com:5543")
Online command that adds an Oracle Access Manager SSO provider with the given login URI, logout URI, and auto-login URI.
Adds an SSO provider with the given login URI, logout URI, and auto-login URI. This command modifies the domain jps-config.xml by adding an Oracle Access Manager SSO service instance with the required properties. In the event of an error, the command returns a WLSTException.
addOAMSSOProvider(loginuri, logouturi, autologinuri, beginimpuri, endimpuri)
| Argument | Definition |
|---|---|
loginuri
|
Required. Specifies the URI of the login page and triggers SSO authentication. |
logouturi |
Optional. Specifies the URI of the logout page and logs the signed-on user out. If unspecified, defaults to logouturi=NONE.
Set to "" to ensure that ADF security calls the OPSS logout service, which uses the implementation of the class More generally, an ADF-secured web application that would like to clear cookies without logging out the user should use this setting. |
autologinuri |
Required. Specifies the URI of the autologin page. Optional. If unspecified, it defaults to autologin=NONE. |
beginimpuri |
Optional. Specifies the URI that triggers the impersonation SSO session. |
endimpuri |
Optional. Specifies the URI that terminates the impersonation SSO session. |
The following invocation adds an SSO provider with the passed URIs; note the special behavior implied by the setting logouturi="" and the impersonation parameters, as explained in the above table:
addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oamsso/logout.html", beginimpuri="https://login.acme.com/impersonationInit.html" endimpuri="https://login.acme.com/impersonationTerm.html") autologin="/fooBar.cgi")
Online and offline command that displays the information about all the OAM Servers in a deployment.
Online command that displays the performance metrics of an OAM Server and domain.
Online and offline command that displays OAM Server registration details.
Displays OAM Server registration details, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that creates an OAM Server entry in the system configuration.
Creates an OAM Server registration, including the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument
createOamServer(host,port, paramNameValueList)
| Argument | Definition |
|---|---|
host
|
Mandatory. Specifies the name of the OAM Server host. |
port
|
Mandatory. Specifies the listening port of the OAM Server host. |
domainHome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Mandatory:
|
The following invocation creates a configuration for your_host with listening port 15000. The configuration entry in the Administration Console will be oam_server1. The OAM Proxy port is 3004 and the OAM Proxy Server ID is AccessServerConfigProxy:
createOamServer(host="my_host", port="15000", configurationProfile= "oam_server1", oamProxyPort="3004", oamProxyServerID="ProxyID", siteName="siteName1",domainHome="domainHome1")
Online and offline command that enables you to edit OAM Server registration details.
Edits the registration for an OAM Server, which can include the host, port, registration name, OAM Proxy port and server ID, and, optionally, the OAM Proxy shared secret.
The scope of this command is an instance, only. The scope is not an argument.
editOamServer(name, port, paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the name of the OAM Server host. |
port
|
Mandatory. Specifies the port number of the OAM Server host. |
domainHome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Mandatory:
|
You can use any of the optional attributes to change current settings. The following invocation enables you to add the OAM Proxy shared secret to the configuration entry oam_server1.
editOamServer(name="oam_server1", port="15000",configurationProfile= "oam_server1", oamProxyPort="3004",oamProxyServerID="Proxy1", siteName="siteName1",domainHome="domainHome1")
Online and offline command that enables you to delete the named OAM Server registration.
Deletes an entire OAM Server configuration.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that displays OSSO Agent configuration details.
Displays OSSO Agent registration details, which also appear in the OAM Administration Console.
The scope of this command is an instance, only. The scope is not an argument
Online and offline command that enables you to edit an OSSO Agent registration.
Changes OSSO Agent configuration details, including the Site Token, Success URL, Failure URL, Home URL, Logout URL, Start Date, End Date, Administrator ID, and Administrator Info.
The scope of this command is an instance, only. The scope is not an argument
editOssoAgent(agentName,paramNameValueList)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the OSSO Agent. |
domainhome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is:
paramName='paramValue' Optional:
|
The following invocation changes the Administrator ID and information in the registration entry for OSSOAgent1:
editOssoAgent(agentName="OSSOAgent1", siteToken="siteToken", successUrl="successUrl",failureUrl="failureUrl",homeUrl="homeUrl", logoutUrl="logoutUrl",startDate="2009-12-10", endDate="2012-12-30", adminId= 345", adminInfo="Agent11", domainHome="domainHome1")
Online and offline command that enables you to delete an OSSO Agent registration.
Removes an OSSO Agent configuration.
The scope of this command is an instance, only. The scope is not an argument
Online and offline command that displays a 10g WebGate registration.
Displays all 10g WebGate registration details, which can also be seen in the OAM Administration Console.
The scope of this command is an instance, only. The scope is not an argument
Online and offline command that enables you to edit a 10g WebGate registration.
Enables you to change 10g WebGate Agent registration details.
The scope of this command is an instance, only. The scope is not an argument
editWebgateAgent(agentName,paramNameValueList)
| Argument | Definition |
|---|---|
agentName
|
Mandatory. Specifies the name of the WebGate Agent. |
domainhome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs to be updated. The format of each pair is:
paramName='paramValue' Mandatory:
Optional:
|
You can alter any or all of the settings. Use the following invocation to change specific information in the WebGate Agent registration, including the Agent ID, state, maximum connections, OAM Server timeout, primary cookie domain, cache time out, cookie session timeout, maximum session timeout, idle session timeout, and failover threshold, as follows:
editWebgateAgent(agentName="my_WebGate", agentId="WebGate2", state= "enabled", maxConnections="2", aaaTimeOutThreshold="2", primaryCookieDomain="adomain.com", cacheTimeOut="1200", cookieSessionTime=1500, maxSessionTime=1500, idleSessionTimeout= "1500", failoverThreshold="25", domainHome="domainHome1")
Online and offline command that enables you to delete a 10g WebGate Agent registration.
Removes an 10g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument
Online and offline command that changes the logger level.
Changes the level of one or more, or all, loggers.
The scope of this command is an instance, only. The scope is not an argument.
changeLoggerSetting (loggerName='', loggerLevel=''):
| Argument | Definition |
|---|---|
loggerName
|
Optional. Specifies the OAM logger name. Multiple OAM logger names can be specified, separated by commas, or you can use the wildcard (*) character to specify all OAM collectors, which is the default. |
loggerLevel
|
SEVERE, WARNING, INFO, CONFIG, FINE. |
Offline command that regenerates the configuration data encryption key.
Regenerates the configuration data encryption key, re-encrypts the configuration data using the new key, and outputs attribute information of the identity store.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that displays user identity store registration information.
Displays information of the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that changes attributes of the user identity store for Oracle Access Manager.
Changes one or more attributes of the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
editUserIdentityStore(name,paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers). |
domainhome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Include one or more of the following parameter name-value pairs, in addition to those in createUserIdentityStore, to change the OAM user identity store configuration:
|
Online and offline command that creates a user identity store registration for Oracle Access Manager.
Creates an entry for a new user identity store to be registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
createUserIdentityStore(name=,paramNameValueList)
| Argument | Definition |
|---|---|
name
|
Mandatory. Specifies the unique name of the LDAP user identity store (only upper and lower case alpha characters and numbers). |
domainhome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Mandatory:
Optional:
|
The following invocation creates a new Oracle Internet Directory user identity store definition for use with Oracle Access Manager:
createUserIdentityStore(name="Name1",principal="Principal1", credential="Credential1", type="OID", userAttr="userAttr1", ldapProvider="ldapProvider", roleSecAdmin="roleSecAdmin1", roleSysMonitor="roleSysMonitor", roleSysManager="roleSysManager", roleAppAdmin="roleAppAdmin", userSearchBase="cn=users, ldapUrl="ldapUrl", isPrimary="isPrimary", userIDProvider="userIDProvider", groupSearchBase="cn=groups",domainHome="domainHome1")
Online and offline command that removes a Oracle Access Manager user identity store registration.
Deletes the user identity store registered with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that configures the SSO server request cache type.
Configures the SSO server request cache type.
The scope of this command is an instance, only. The scope is not an argument.
Online and offline command that displays the SSO server request cache type.
Displays the SSO server request cache type entry.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file specified.
Exports OAM policy data from a test (source) environment to the intermediate Oracle Access Manager file.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that imports the OAM policy data from the intermediate Oracle Access Manager file specified.
Imports the OAM policy data from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that imports the OAM policy changes from the intermediate Oracle Access Manager file specified.
Imports the OAM policy changes from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that migrates partners from the current (source) OAM Server to the specified (target) OAM Server.
Migrates partners from the current (source) OAM Server to the specified (target) OAM Server.
The scope of this command is an instance, only. The scope is not an argument.
migratePartnersToProd(prodServerHost,prodServerPort,prodServerAdminUser,prodServerAdminPwd)
| Argument | Definition |
|---|---|
prodServerHost |
Host name of the target OAM Server to which partners are to be migrated. |
prodServerPort |
Port of the target OAM Server to which partners are to be migrated. |
prodServerAdminUser |
Administrator of the target OAM Server to which partners are to be migrated. |
prodServerAdminPwd |
Target OAM Server administrator's password. |
Online only command that exports Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.
Exports the Oracle Access Manager partners from the source to the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that imports Oracle Access Manager partners from the intermediate Oracle Access Manager file specified.
Imports the OAM partners from the intermediate Oracle Access Manager file specified.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.
Configures the OAM-OAAM basic integration.
The scope of this command is an instance, only. The scope is not an argument.
configureOAAM(dataSourceName,paramNameValueList)
| Argument | Definition |
|---|---|
dataSourceName |
Name of the data source to be created |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Mandatory:
Optional:
|
The following invocation configures the Oracle Access Manager-Oracle Adaptive Access Manager basic integration.
configureOAAM(dataSourceName = "MyOAAMDS", hostName = "host.us.co.com", port = "1521", sid = "sid", userName = "username", passWord = "password", maxConnectionSize = None, maxPoolSize = None, serverName = "oam_server1")
Online and offline command that registers Oracle Identity Federation as a Delegated Authentication Protocol (DAP) Partner.
Registers Oracle Identity Federation as Delegated Authentication Protocol (DAP) Partner.
The scope of this command is an instance only. The scope is not an argument.
registerOIFDAPPartner()
| Argument | Definition |
|---|---|
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Mandatory: Include the following parameter name-value pairs to create a new OAM user identity store configuration:
Optional:
|
Online command that enables the Coexist Mode.
Online command that disables the Coexist Mode.
Online and offline command that edits GITO configuration parameters.
Edits GITO configuration parameters.
The scope of this command is an instance, only. The scope is not an argument.
editGITOValues(gitoEnabled, paramNameValueList)
| Argument | Definition |
|---|---|
gitoEnabled |
True (or false). Allows (or denies) user to set GITO enabled property. |
domainhome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Mandatory: Include the following parameter name-value pairs to create a new OAM user identity store configuration:
Optional:
|
Online and offline command that edits an 11g WebGate registration.
Edits an 11g WebGate registration.
The scope of this command is an instance, only. The scope is not an argument.
editWebgate11gAgent(agentname, paramNameValueList)
| Argument | Definition |
|---|---|
agentname |
Name of the registered OAM 11g WebGate agent to be edited. |
domainhome
|
Offline mode: Mandatory
Online mode: Optional |
| paramNameValueList | Specifies the comma-separated list of parameter name-value pairs. The format of each pair is:
paramName='paramValue' Optional:
|
The following invocation lists all mandatory and optional parameters.
editWebgate11gAgent(agentName="WebgateAgent1", accessClientPasswd = "welcome1", state = "Enabled", preferredHost="141.144.168.148:2001", aaaTimeoutThreshold="10", security = "open", logOutUrls = "http://<host>:<port>", maxConnections = "16" maxCacheElems = "10000" , cacheTimeout = "1800", logoutCallbackUrl = "http://<host>:<port>", maxSessionTime = "24", logoutRedirectUrl = "logoutRedirectUrl", failoverThreshold = "1", tokenValidityPeriod="aPeriod" logoutTargetUrlParamName = "logoutTargetUrl", domainHome="domainHome1")
Online and offline command that enables you to delete an 11g WebGate Agent registration.
Removes an 11g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument
Online and offline command that enables you to display an 11g WebGate Agent registration.
Displays an 11g WebGate Agent registration.
The scope of this command is an instance, only. The scope is not an argument
Online and offline command that enables the display of metrics of OAM Servers.
Enables the display of metrics of OAM Servers.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that updates the Oracle Identity Manager configuration when integrated with Oracle Access Manager.
Updates the Oracle Identity manager configuration in system configuration.
The scope of this command is an instance, only. The scope is not an argument.
Online only command that creates an agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.
Creates an Agent registration specific to Oracle Identity Manager when integrated with Oracle Access Manager.
The scope of this command is an instance, only. The scope is not an argument.
updateOIMHostPort(hostname, port, secureProtocol)
| Argument | Definition |
|---|---|
hostname |
Name of the Oracle Identity Manager host. |
port |
Port of the Oracle Identity Manager Managed Server. |
oimSecureProtocolEnabled |
True or false (depending on HTTP or HTTPS). |
oimAccessGatePwd |
If provided will be the agent password for Open mode |
oimCookieDomain |
Domain to which the cookie is to be set |
oimWgId |
Agent registration name. |
oimWgVersion |
Possible values 10g or 11g. If not provided, default is 10g. |
The following invocation illustrates this command.
updateOIMHostPort(hostName="OIM host", port="7777", secureProtocol="true") configureOIM(oimHost="OIM host", oimPort="7777", oimSecureProtocolEnabled="true", oimAccessGatePwd = "Access Gate Password", oimCookieDomain = "OIM Cookie Domain", oimWgId="OIM Webgate ID", oimWgVersion="OIM Webgate Version")
Online and offline command that updates OSSO Proxy response cookie settings.
Updates OSSO Proxy response cookie settings.
The scope of this command is an instance, only. The scope is not an argument.
updateOSSOResponseCookieConfig()
| Argument | Definition |
|---|---|
domainhome
|
Offline mode: Mandatory
Online mode: Optional |
cookieName |
Optional. Name of the cookie for which settings are updated. If not specified, the global setting is updated. |
cookieMaxAge |
Maximum age of a cookie in minutes. A negative value sets a session cookie. |
isSecureCookie |
Boolean flag specifies if cookie should be secure (sent only over SSL channel). |
cookieDomain |
The domain of the cookie. |
Online and offline command that deletes OSSO Proxy response cookie settings.
Deletes OSSO Proxy response cookie settings.
The scope of this command is an instance, only. The scope is not an argument.
Displays the simple mode global passphrase in plain text from the system configuration.
Exports selected OAM Partners.
Migrates artifacts.
Registers any third party as a Trusted Authentication Protocol (TAP) Partner.
registerThirdPartyTAPPartner
| Argument | Definition |
|---|---|
path
|
Location of the artifacts file is present |
password
|
Password used while generating original artifacts. |
partnerName
|
Name of partner. Can be any name used for identifying the third party partner. |
keystoreLocation
|
The jceks file location. |
password
|
password |
tapTokenVersion |
Version of the Trusted Authentication Protocol. |
tapScheme |
Trusted Authentication Protocol Authn Scheme (TAPScheme, out of the box.) |
tapRedirectUrl |
Third party access URL. |
Table 4-7 describes the various types of WLST commands available for the Oracle Security Token Service.
Table 4-7 WLST Oracle Security Token Service Command Groups
| OSTS Command Type | Description |
|---|---|
|
Partner Commands |
WLST commands related to tasks involving partners. |
|
Relying Party Partner Mapping Commands |
The WS Prefix to Relying Party Partner mappings are used to map a service URL, specified in the AppliesTo field of a WS-Trust RST request, to a partner of type Relying Party. The WS prefix string can be an exact service URL, or a URL with a parent path to the service URL. For example, if a mapping is defined to map a WS Prefix (http://test.com/service) to a Relying Party (RelyingPartyPartnerTest), then the following service URLs would be mapped to the Relying Party: http://test.com/service, http://test.com/service/calculatorService, http://test.com/service/shop/cart... |
|
Partner Profiles Commands |
WLST commands related to tasks involving partner profiles. |
|
Issuance Templates Commands |
WLST commands related to tasks involving issuance templates. |
|
Validation Templates Commands |
WLST commands related to tasks involving validation templates. |
Use the WLST commands listed in Table 4-8 to manage Oracle Security Token Service
Table 4-8 WLST Commands Oracle Security Token Service
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Partner Commands |
||
|
Retrieve a partner and print result. |
Online |
|
|
Retrieve the names of Requester partners. |
Online |
|
|
Retrieve the names of all Relying Party partners. |
Online |
|
|
Retrieve the names of all Issuing Authority partners. |
Online |
|
|
Query OSTS to determine whether or not the partner exists in the Partner store. |
Online |
|
|
Create a new Partner entry. |
Online |
|
|
Update an existing Partner entry based on the provided information. |
Online |
|
|
Delete a partner entry. |
Online |
|
|
Retrieve the partner's username value. |
Online |
|
|
Retrieve the partner's password value. |
Online |
|
|
Set the username and password values of a partner entry. |
Online |
|
|
Remove the username and password values from a partner entry. |
Online |
|
|
Retrieve the Base64 encoded signing certificate for the partner. |
Online |
|
|
Retrieve the Base64 encoded encryption certificate for the partner. |
Online |
|
|
Upload the signing certificate to the partner entry. |
Online |
|
|
Upload the encryption certificate to the partner entry. |
Online |
|
|
Remove the signing certificate from the partner entry. |
Online Offline |
|
|
Remove the encryption certificate from the partner entry. |
Online Offline |
|
|
Retrieve and display all Identity mapping attributes used to map a token to a requester partner. |
Online Offline |
|
|
Retrieve and display the identity mapping attribute. |
Online Offline |
|
|
Set the identity mapping attribute for a requester partner. |
Online Offline |
|
|
Delete the identity mapping attribute for a requester partner. |
Online Offline |
|
|
Relying Party Partner Mapping Commands |
||
|
Retrieve and display all WS Prefixes. |
Online Offline |
|
|
Retrieve and display the Relying Party Partner mapped to the specified wsprefix parameter. |
Online Offline |
|
|
Create a new WS Prefix mapping to a Relying Partner. |
Online Offline |
|
|
Delete an existing WS Prefix mapping to a Relying Partner. |
Online Offline |
|
|
Partner Profiles Commands |
||
|
Retrieve the names of all the existing partner profiles. |
Online |
|
|
Retrieve partner profile configuration data. |
Online |
|
|
Create a new Requester Partner profile with default configuration data. |
Online |
|
|
Create a new Relying Party Partner profile with default configuration data. |
Online |
|
|
Create a new Issuing Authority Partner profile with default configuration data. |
Online |
|
|
Delete an existing partner profile. |
Online |
|
|
Issuance Template Commands |
||
|
Retrieve the names of all the existing Issuance Templates. |
Online Offline |
|
|
Retrieve configuration data of a specific Issuance Template. |
Online |
|
|
Create a new Issuance Template with default configuration data. |
Online |
|
|
Delete an existing Issuance Template. |
Online Offline |
|
|
Validation Template Commands |
||
|
Retrieve the names of all the existing Validation Templates. |
Online Offline |
|
|
Retrieve configuration data of a specific Validation Template. |
Online Offline |
|
|
Create a new WS Security Validation Template with default configuration data. |
Online Offline |
|
|
Create a new WS Trust Validation Template with default configuration data. |
Online Offline |
|
|
Delete an existing Issuance Template. |
Online Offline |
Online command that retrieves the Partner entry and prints out the configuration for this partner.
Online command that retrieves Requester type partners.
Online command that retrieves Relying Party partners.
Online command that retrieves Issuing Authority partners and prints out the result.
Online command that queries OSTS to determine whether or not the specified partner exists in the Partner store.
Queries OSTS to determine whether or not the specified partner exists in the Partner store, and prints out the result.
Online command that creates a new Partner entry.
Creates a new Partner entry based on provided information. Displays a message indicating the result of the operation.
createPartner(partnerId, partnerType, partnerProfileId, description, bIsTrusted)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the new partner to be created. |
partnerType
|
Specifies the type of partner. Values can be one of the following:
|
partnerProfileId
|
Specifies the profile ID to be attached to this partner. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry. |
description
|
Specifies the optional description of this new partner entry. |
bIsTrusted
|
A value that indicates whether or not this new partner is trusted. Value can be either:
|
The following invocation creates STS_Requestor partner, customPartner, custom-partnerprofile with a description (custom requester), with a trust value of true, displays a message indicating the result of the operation:
createPartner(partnerId="customPartner", partnerType="STS_REQUESTER", partnerProfileId="custom-partnerprofile", description="custom requester", bIsTrusted="true")
Online command that updates an existing Partner entry.
Updates an existing Partner entry based on the provided information. Displays a message indicating the result of the operation.
updatePartner(partnerId, partnerProfileId, description, bIsTrusted)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the new partner to be updated. |
partnerProfileId
|
Specifies the partner profile ID. It must reference an existing partner profile, and the type of the partner profile must be compliant with the type of the new partner entry. |
description
|
Specifies the optional description f this new partner entry. |
bIsTrusted
|
A value that indicates whether or not this new partner is trusted. Value can be either:
|
The following invocation updates customPartner with a new profile ID, (x509-wss-validtemp), description (custom requester with new profile id), and a trust value of false. A message indicates the result of the operation:
updatePartner(partnerId="customPartner", partnerProfileId="x509-wss-validtemp", description="custom requester with new profile id", bIsTrusted="false")
Online command that deletes a partner entry from OSTS.
Deletes an existing Partner entry referenced by the partnerId parameter from OSTS, and prints out the result of the operation.
Online command that retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner's username value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
Online command that retrieves a partner's password value that will be used for UNT credentials partner validation or mapping operation.
Retrieves a partner password value that will be used for UNT credentials partner validation or mapping operation, and displays the value.
Online command that sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation.
Sets the username and password values of a partner entry, that will be used for UNT credentials partner validation or mapping operation. Displays the result of the operation.
setPartnerUsernameTokenCredential(partnerId, UTUsername, UTPassword)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner. |
UTUsername
|
Specifies the username value used for UNT credentials validation or mapping operations. |
UTPassword
|
Specifies the username value used for UNT credentials validation or mapping operations. |
Online command that removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
Removes the username and password values from a partner entry that are used for UNT credentials partner validation or mapping operation, and displays the result of the operation.
Online command that retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
Retrieves the Base64 encoded signing certificate for the partner referenced by the partnerId parameter, and displays its value, as a Base64 encoded string.
Online command that retrieves the Base64 encoded encryption certificate, and displays its value as a Base64 encoded string.
Retrieves the Base64 encoded encryption certificate for the partner referenced by the partnerId parameter, and displays its value as a Base64 encoded string.
Online command that Uploads the provided certificate to the partner entry as the signing certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the signing certificate. The supported formats of the certificate are DER and PEM. Displays the result of the operation.
Online command that Uploads the provided certificate to the partner entry as the encryption certificate. Displays the result of the operation.
Uploads the provided certificate to the partner entry (referenced by the partnerId parameter) as the encryption certificate. Displays the result of the operation.
Online command that removes the encryption certificate from the partner entry and displays the result of the operation.
Removes the encryption certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
Online command that removes the signing certificate from the partner entry and displays the result of the operation.
Removes the signing certificate from the partner entry, referenced by the partnerId parameter, and displays the result of the operation.
Online command that retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
Retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
getPartnerAllIdentityAttributes(partnerId)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the Requester partner. Identity mapping attributes only exist for partners of type Requester |
The following invocation retrieves and displays all the identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner: customPartner.
getPartnerAllIdentityAttributes(partnerId="customPartner")
Online command that retrieves and displays identity mapping attributes used to map a token or to map binding data to a requester partner.
Retrieves and displays an identity mapping attribute used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner.
The identity mapping attributes only exist for partners of type Requester.
Online command that sets the identity mapping attribute for the Requester partner.
Set the identity mapping attribute specified by identityAttributeName for the partner of type requester specified by the partnerId parameter. These identity mapping attributes only exist for Requester partners. Displays the result of the operation.
setPartnerIdentityAttribute(partnerId, identityAttributeName, identityAttributeValue)
| Argument | Definition |
|---|---|
partnerId
|
Specifies the ID of the partner of type Requester. |
identityAttributeName
|
Specifies the name of the identity mapping attribute to retrieve and display. |
identityAttributeValue
|
Specifies the value of the identity mapping attribute to set. |
The following invocation sets the identity mapping attribute specified by identityAttributeName for the Requester partner of type requester specified by the partnerId parameter. Displays the result of the operation.
setPartnerIdentityAttribute(partnerId="customPartner", identityAttributeName="httpbasicusername",identityAttributeValue="test")
Online command that deletes the identity mapping attribute.
Deletes the identity mapping attribute specified by identityAttributeName.
The identity mapping attributes used to map a token to a requester partner, or to map binding data (SSL Client certificate or HTTP Basic Username) to a requester partner, and they only exist for Requester partners.
Online command that retrieves and displays all WS Prefixes to Relying Party Partner mappings.
Online command that retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
Retrieves and displays the Relying Party Partner mapped to the specified wsprefix parameter, if a mapping for that WS Prefix exists.
Online command that creates a new WS Prefix mapping to a Relying Partner.
Creates a new WS Prefix mapping to a Relying Partner referenced by the partnerid parameter, and displays the result of the operation.
createWSPrefixAndPartnerMapping(wsprefix, partnerid, description)
| Argument | Definition |
|---|---|
wsprefix
|
Specifies the WS Prefix entry to retrieve and display. The path is optional. If specified, it should take the following form:
http_protocol://hostname_ip/path |
partnerId
|
Specifies the ID of the partner. |
description
|
Specifies an optional description. |
The following invocation creates a new WS Prefix mapping to a Relying Partner Partner referenced by the partnerid parameter, and displays the result of the operation.
createWSPrefixAndPartnerMapping(wsprefix="http://host1.example.com/path", partnerid="customRPpartner", description="some description")
Online command that deletes an existing mapping of WS Prefix to a Relying Partner Partner.
Deletes an existing mapping of WS Prefix to a Relying Partner, and displays the result of the operation.
Online command that retrieves the names of all the existing partner profiles and displays them.
Online command that retrieves the configuration data of a specific partner profile, and displays the content of the profile.
Retrieves the configuration data of the partner profile referenced by the partnerProfileId parameter, and displays the content of the profile.
Online command that creates a new requester partner profile with default configuration data.
Creates a new requester partner profile with default configuration data, and displays the result of the operation.
Table 4-9 describes the default configuration created with this command.
Table 4-9 Default Configuration: createRequesterPartnerProfile
| Element | Description |
|---|---|
Return Error for Missing Claims
|
Default: false |
Allow Unmapped Claims
|
Default: false |
Token Type Configuration
|
The Token Type Configuration table includes the following entries. There are no mappings of token type to WS-Trust Validation Template:
Note: Token Type Configuration and token type to Validation Template mapping are both empty |
Attribute Name Mapping
|
Default: The Attribute Name Mapping table is empty by default. |
createRequesterPartnerProfile(partnerProfileId, defaultRelyingPartyPPID, description)
| Argument | Definition |
|---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
defaultRelyingPartyPPID
|
Specifies the relying party partner profile to use, if the AppliesTo field is missing from the RST or if it could not be mapped to a Relying Party Partner. |
description
|
Specifies the optional description for this partner profile |
The following invocation creates a new requester partner profile with default configuration data, and displays the result of the operation. For default data descriptions, see Table 4-9.
createRequesterPartnerProfile(partnerProfileId="custom-partnerprofile", defaultRelyingPartyPPID="rpPartnerProfileTest", description="custom partner profile")
Online command that creates a new relying party partner profile with default configuration data.
Creates a new relying party partner profile with default configuration data, and displays the result of the operation.
Table 4-10 describes the default configuration created with this command.
Table 4-10 Default Configuration: createRelyingPartyPartnerProfile
| Element | Description |
|---|---|
|
Download Policy |
Default: false |
|
Allow Unmapped Claims |
Default: false |
|
Token Type Configuration |
The Token Type Configuration will contain a single entry, with:
Note: For the token type of the issuance template referenced by defaultIssuanceTemplateID, it will be linked to the issuance template, while the other token types will not be linked to any issuance template. If the issuance template referenced by defaultIssuanceTemplateID is of custom token type, the table will only contain one entry, with the custom token type, mapped to the custom token type as the external URI, and mapped to the issuance template referenced by defaultIssuanceTemplateID |
|
Attribute Name Mapping |
The Attribute Name Mapping table is empty be default. |
createRelyingPartyPartnerProfile(partnerProfileId, defaultIssuanceTemplateID, description)
| Argument | Definition |
|---|---|
partnerProfileId
|
Specifies the name of the partner profile. |
defaultIssuanceTemplateID
|
Specifies the default issuance template and token type to issue if no token type was specified in the RST. |
description
|
Specifies the optional description for this partner profile |
The following invocation creates a new relying party partner profile with default configuration data, and displays the result of the operation.
createRelyingPartyPartnerProfile(partnerProfileId="custom-partnerprofile", defaultIssuanceTemplateID="saml11-issuance-template", description="custom partner profile")
Online command that creates a new issuing authority partner profile with default configuration data.
Creates a new issuing authority partner profile with the default configuration data in Table 4-11, and displays the result of the operation.
Table 4-11 Default Configuration: createIssuingAuthorityPartnerProfile
| Element | Description |
|---|---|
|
Server Clockdrift |
Default: 600 seconds |
|
Token Mapping |
The Token Mapping Section will be configured as follows:
Empty fields
|
|
Partner NameID Mapping |
The Partner NameID Mapping table will be provisioned with the following entries as NameID format. However, without any data in the datastore column the issuance template referenced by defaultIssuanceTemplateID is of token type SAML 1.1, SAML 2.0, or Username. The table will contain the following entries:
|
|
User NameID Mapping |
The User NameID Mapping table will be provisioned with the following entries as NameID format:
|
|
Attribute Mapping |
The Attribute Value Mapping and Attribute Name Mapping table is empty be default. |
Online command that deletes an partner profile referenced by the partnerProfileId parameter.
Deletes an partner profile referenced by the partnerProfileId parameter, and displays the result of the operation.
Online command that retrieves the names of all the existing issuance templates.
Online command that retrieves the configuration data of a specific issuance template.
Retrieves the configuration data of the issuance template referenced by the issuanceTemplateId parameter, and displays the content of the template.
Online command that creates a new issuance template with default configuration data.
Creates a new issuance template with default configuration data, and displays the result of the operation.
Table 4-12 describes the default configuration for this command.
Table 4-12 Default Configuration: createIssuanceTemplate
| Token Type | Description |
|---|---|
|
Username |
The issuance template will be created with the following default values:
|
|
SAML 1.1 or SAML 2.0 |
The issuance template will be created with the following default values:
Empty tables: Attribute Name Mapping, Attribute Value Mapping and Attribute Value Filter |
|
Custom Type |
The issuance template will be created with the following default values:
|
createIssuanceTemplate(issuanceTemplateId, tokenType, signingKeyId, description)
| Argument | Definition |
|---|---|
issuanceTemplateId
|
Specifies the name of the issuance template to be created. |
tokenType
|
Possible values can be:
|
signingKeyId
|
Specifies the keyID referencing the key entry (defined in the STS General Settings UI section) that will be used to sign outgoing SAML Assertions. Only required when token type is saml11 or saml20. |
description
|
An optional description. |
The following invocation creates a new issuance template with default configuration data, and displays the result of the operation.
createIssuanceTemplate(issuanceTemplateId="custom-issuancetemp", tokenType="saml20", signingKeyId="osts_signing", description="custom issuance template")
Online command that deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
Deletes an issuance template referenced by the issuanceTemplateId parameter, and displays the result of the operation.
Online command that retrieves the names of all the existing validation templates.
Online command that retrieves the configuration data of a specific validation template, and displays the content of the template.
Retrieves the configuration data of the validation template referenced by the validationTemplateId parameter, and displays the content of the template.
Online command that creates a new validation template with default configuration data.
Creates a new validation template with default configuration data, and displays the result of the operation.
The WSS validation template is created with the values in Table 4-13, depending on the token type.
Table 4-13 Default Configuration: createWSSValidationTemplate
| Token Type | Description |
|---|---|
|
Username |
The validation template will be created with the following default values:
|
|
SAML 1.1 or SAML 2.0 |
The validation template will be created with the following default values:
The Token Mapping section will be created with the following default values:
Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping Also:
Partner NameID Mapping table will be provisioned with the following entries as NameID format, but without any data in the datastore column:
User NameID Mapping table will be provisioned with the following entries as NameID format:
|
|
X.509 |
The Token Mapping section will be created with the following default values:
Empty fields: User Token Attribute, User Datastore Attribute and Attribute Based User Mapping Also:
|
|
Kerberos |
The Token Mapping section will be created with the following default values:
Empty fields: Partner Token Attribute, Partner Datastore Attribute and Attribute Based User Mapping Also:
|
createWSSValidationTemplate(templateId, tokenType, defaultRequesterPPID, description)
| Argument | Definition |
|---|---|
templateId
|
Specifies the name of the name of the validation template to be created. |
tokenType
|
Specifies the token type of the validation template. Possible values can be:
|
defaultRequesterPPID
|
Specifies the Requester partner profile to use if OSTS is configured not to map the incoming message to a requester. |
description
|
Specifies an optional description. |
The following invocation creates a new validation template with default configuration data, and displays the result of the operation.
createWSSValidationTemplate(templateId="custom-wss-validtemp", tokenType="custom", defaultRequesterPPID="requesterPartnerProfileTest", description="custom validation template")
Online command that creates a new WS-Trust validation template with default configuration data.
Creates a new WS-Trust validation template with default configuration data, and displays the result of the operation.
The WS-Trust validation template is created with the values in Table 4-14, depending on the token type.
Table 4-14 Default Configuration: createWSTrustValidationTemplate
| Token Type | Description |
|---|---|
|
Username |
The WS-Trust validation template will be created with the following default values:
|
|
SAML 1.1 or SAML 2.0 |
The WS-Trust validation template will be created with the following default values:
The Token Mapping section will be created with the following default values:
Empty fields: User Datastore Attribute, Attribute Based User Mapping User NameID Mapping table will be provisioned with the following entries as NameID format:
|
|
X.509 |
The WS-Trust Token Mapping section will be created with the following default values:
|
|
Kerberos |
The WS-Trust Token Mapping section will be created with the following default values:
|
|
OAM |
The WS-Trust Token Mapping section will be created with the following default values:
|
|
custom |
The WS-Trust Token Mapping section will be created with the following default values:
|
createWSTrustValidationTemplate(templateId, tokenType, description)
| Argument | Definition |
|---|---|
templateId
|
Specifies the name of the name of the WS-Trust validation template to be created. |
tokenType
|
Specifies the token type of the WS-Trust validation template. Possible values can be:
|
description
|
Specifies an optional description. |
Online command that deletes a validation template.
Deletes a validation template referenced by the validationTemplateId parameter, and displays the result of the operation.
This section contains commands used with the OPSS keystore service.
Note:
You need to acquire an OPSS handle to use keystore service commands. For details, see Managing Keys and Certificates with the Keystore Service in the Oracle Fusion Middleware Application Security Guide.Table 4-15 lists the WLST commands used to manage the keystore service.
Table 4-15 OPSS Keystore Service Commands
| Use this Command... | to... |
|---|---|
|
Change the password for a key. |
|
|
Change the password on a keystore. |
|
|
Create a keystore. |
|
|
Delete a keystore. |
|
|
Delete an entry in a keystore. |
|
|
Export a keystore to file. |
|
|
Export a certificate to a file. |
|
|
Export a certificate request to a file. |
|
|
Generate a keypair. |
|
|
Generate a secret key. |
|
|
Get information about a certificate or trusted certificate. |
|
|
Get the secret key properties. |
|
|
Import a keystore from file. |
|
|
Import a certificate or other object. |
|
|
List certificates expiring in a specified period. |
|
|
List aliases in a keystore. |
|
|
List all the keystores in a stripe. |
Changes a key password.
svc.changeKeyPassword(appStripe='stripe', name='keystore', password='password', alias='alias', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
password
|
Specifies the keystore password |
alias
|
Specifies the alias of the key entry whose password is changed |
currentkeypassword
|
Specifies the current key password |
newkeypassword
|
Specifies the new key password |
Changes the password of a keystore.
svc.changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
currentpassword
|
Specifies the current keystore password |
newpassword
|
Specifies the new keystore password |
This keystore service command creates a new keystore.
svc.createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore is created. |
name
|
Specifies the name of the new keystore. |
password
|
Specifies the keystore password. |
permission
|
This parameter is true if the keystore is protected by permission only, false if protected by both permission and password. |
Deletes the named keystore.
svc.deleteKeyStore(appStripe='stripe', name='keystore', password='password')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore to be deleted. |
password
|
Specifies the keystore password. |
Deletes a keystore entry.
svc.deleteKeyStoreEntry(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be deleted |
keypassword
|
Specifies the key password of the entry to be deleted |
Exports a keystore to a file.
svc.exportKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
aliases
|
Comma separated list of aliases to be exported. |
keypasswords
|
Comma separated list of the key passwords correspo nding to aliases. |
type
|
Exported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath
|
Absolute path of the file where keystore is exported. |
Exports a certificate.
svc.exportKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be exported |
keypassword
|
Specifies the key password. |
type
|
Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported. |
Exports a certificate request.
svc.exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the entry's alias name. |
keypassword
|
Specifies the key password. |
filepath
|
Specifies the absolute path of the file where certificate request is exported. |
Generates a key pair in a keystore.
Generates a key pair in a keystore and wraps it in a demo CA-signed certificate.
svc.generateKeyPair(appStripe='stripe', name='keystore', password='password', dn='distinguishedname', keysize='keysize', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
dn
|
Specifies the distinguished name of the certificate wrapping the key pair. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key pair entry. |
keypassword
|
Specifies the key password. |
Generates a secret key.
svc.generateSecretKey(appStripe='stripe', name='keystore', password='password', algorithm='algorithm', keysize='keysize', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
algorithm
|
Specifies the symmetric key algorithm. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key entry. |
keypassword
|
Specifies the key password. |
Gets a certificate from the keystore.
svc.getKeyStoreCertificates(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed. |
keypassword
|
Specifies the key password. |
Retrieves secret key properties.
svc.getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the secret key whose properties are displayed. |
keypassword
|
Specifies the secret key password. |
Imports a keystore from file.
svc.importKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', permission=true|false, filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
aliases
|
Specifies the comma-separated aliases of the entries to be imported from file. |
keypasswords
|
Specifies the comma-separated passwords of the keys in file. |
type
|
Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath
|
Specifies the absolute path of the keystore file to be imported. |
permission
|
Specifies true if keystore is protected by permission only, false if protected by both permission and password. |
Imports a certificate or other specified object.
svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be imported. |
keypassword
|
Specifies the key password of the newly imported entry. |
type
|
Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported. |
Lists expiring certificates.
svc.listExpiringCertificates(days='days', autorenew=true|false)
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
days
|
Specifies that the list should only include certificates within this many days from expiration. |
autorenew
|
Specifies true for automatically renewing expiring certificates, false for only listing them. |
Lists the aliases in a keystore.
The syntax is as follows:
svc.listKeyStoreAliases(appStripe='stripe', name='keystore', password='password', type='entrytype')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
type
|
Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'. |
Use the WLST commands listed in Table 4-16 to manage a libOVD configuration associated with a specific Oracle Platform Security Services (OPSS) context.
Table 4-16 WLST libOVD Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Add an attribute to the DN attributes list for an existing adapter. |
Online |
|
|
Reload the libOVD configuration. |
Online |
|
|
Add a attribute exclusion rule. |
Online |
|
|
Add a new attribute mapping rule. |
Online |
|
|
Add a domain exclusion rule. |
Online |
|
|
Add a new domain mapping rule. |
Online |
|
|
Add a join rule to an existing Join Adapter for a libOVD configuration. |
Online |
|
|
Add a new remote host to an existing LDAP adapter. |
Online |
|
|
Create a new mapping context. |
Online |
|
|
Add a plug-in to an existing adapter or at the global level. |
Online |
|
|
Add new parameter values to the existing adapter level plug-in or global plug-in. |
Online |
|
|
Add a control to the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
|
Add a control to the Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
|
Assign the given view to an adapter. |
Online |
|
|
Create a new Join Adapter for a libOVD configuration. |
Online |
|
|
Create a new LDAP adapter for a libOVD configuration. |
Online |
|
|
Create a new LDAP adapter with default plug-ins based on the specified directory type. |
Online |
|
|
Create a new view. |
Online |
|
|
Delete an existing adapter for a libOVD configuration. |
Online |
|
|
Delete a attribute exclusion rule. |
Online |
|
|
Delete a attribute mapping rule. |
Online |
|
|
Delete a domain exclusion rule. |
Online |
|
|
Delete a domain mapping rule. |
Online |
|
|
Delete the specified mapping context. |
Online |
|
|
Delete the specified view. |
Online |
|
|
Display the details of an existing adapter for a libOVD configuration. |
Online |
|
|
List the name and type of all adapters that are configured for a libOVD configuration. |
Online |
|
|
List all the mapping contexts. |
Online |
|
|
List all the attribute rules. |
Online |
|
|
List all the domain rules. |
Online |
|
|
List all views |
Online |
|
|
Modify the existing LDAP adapter configuration. |
Online |
|
|
Modify the socket options for an existing LDAP adapter configuration. |
Online |
|
|
Remove all controls from the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
|
Remove all controls from a Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
|
Remove an attribute from the DN attributes list for an existing LDAP adapter configuration. |
Online |
|
|
Remove a control from the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
|
Remove a control from the Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
|
Remove a join rule from a Join Adapter configured for a libOVD configuration. |
Online |
|
|
Remove a remote host from an existing LDAP adapter configuration. |
Online |
|
|
Remove a plug-in from an existing adapter or at the global level. |
Online |
|
|
Remove an existing parameter from a configured adapter level plug-in or global plug-in. |
Online |
|
|
Replace existing parameter values for an adapter level plug-in or global plug-in. |
Online |
|
|
Remove a view from an adapter. |
Online |
|
|
List the type of SSL store in use for libOVD. |
Online |
|
|
Enable |
Online |
|
|
Enable |
Online |
|
|
Enable |
Online |
|
|
Import given trusted certificate into SSL store. |
Online |
|
|
Migrate all trusted certificates from |
Online |
|
|
Migrate given trusted certificates from |
Online |
|
|
Change given LDAP host and port in an existing LDAP adapter configuration to the new host and port. |
Online |
|
|
Remove a remote host and a port from an existing LDAP adapter configuration. |
Online |
|
|
Set the given host and port to read-only/writable in an existing LDAP adapter configuration. |
Online |
Adds an attribute to the DN Attributes List.
Adds an attribute to the DN Attributes List for an existing adapter configured for the libOVD configuration associated with an OPSS context.
addDNAttribute(adapterName, attributeName, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the adapter to be updated. |
attributeName |
Name of the new DN attribute to be added. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is ”default.” |
Reloads the libOVD configuration.
Adds an attribute exclusion rule.
addAttributeExclusionRule(attribute, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
attribute |
Name of the attribute to be added to the exclusion list. |
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Adds a new attribute mapping rule.
Adds a new attribute mapping rule to the libOVD configuration associated with a specific OPSS context.
addAttributeRule(srcAttrs, srcObjectClass, srcAttrType, dstAttr, dstObjectClass, dstAttrType, mappingExpression, direction, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Adds a domain exclusion rule.
addDomainExclusionRule(domain, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
domain |
Distinguished name (DN) of the attribute to be added to the exclusion list. |
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Adds a new domain mapping rule.
addDomainRule(srcDomain, destDomain, domainConstructRule, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
| srcDomain | Source domain. |
destDomain |
Destination domain |
domainConstructRule |
Name of the attribute to be added to the exclusion list. |
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Adds a join rule to a Join Adapter.
Adds a join rule to an existing Join Adapter for the libOVD configuration associated with the specified OPSS context.
addJoinRule(adapterName, secondary, condition, [joinerType], [contextName])
| Argument | Definition |
|---|---|
| adapterName | Name of the Join Adapter to be modified. |
secondary |
Name of the adapter to join to. |
condition |
The attribute(s) to join on. |
joinerType |
Optional. Defines the type of Join. Values can be Simple (default), Conditional, OneToMany, or Shadow. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
addJoinRule('join1','secondaryldap','cn=cn', 'Simple', 'default')
addJoinRule('join1','secondaryldap','cn=cn', 'Conditional', 'default')
addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', joinerType='OneToMany')
addJoinRule(adapterName='join1', secondary='LDAP2',condition='uid=cn', contextName='myContext')
Adds a new remote host.
Adds a new remote host (host and port) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.
addLDAPHost(adapterName, host, port, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the Join Adapter to be modified. |
host |
Remote LDAP host to which the LDAP adapter will communicate. |
port |
Remote LDAP host port. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Creates a new mapping context.
Creates a new mapping context for the libOVD configuration associated with the specified OPSS context.
Adds a plug-in to an existing adapter or at the global level.
Adds a plug-in to an existing adapter or at the global level. The "i"th key corresponds to "i"th value. The plug-in is added to default chain.
addPlugin(pluginName, pluginClass, paramKeys, paramValues, [adapterName], [contextName])
| Argument | Definition |
|---|---|
pluginName |
Name of the plug-in to be created. |
pluginClass |
Class of the plug-in. |
paramKeys |
Init Param. Keys separated by "|". |
paramValues |
Init Param. Values separated by "|". |
adapterName |
Optional. Name of the adapter to be modified. If not specified, the plug-in is added at the global level. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
addPlugin(adapterName='ldap1', pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com') addPlugin(pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com') addPlugin(pluginName='DMSMetrics',pluginClass='oracle.ods.virtualization.engine.chain.plugins.DMSMetrics.MonitorPerformance', paramKeys='None',paramValues='None',adapterName='ldap1',contextName='default')
Adds new parameter values to the existing adapter level plug-in or global plug-in.
Adds new parameter values to the existing adapter level plug-in or the global plug-in. If the parameter already exists, the new value is added to the existing set of values. The "i"th key corresponds to "i"th value.
addPluginParam(pluginName, paramKeys, paramValues, [adapterName], [contextName])
| Argument | Definition |
|---|---|
pluginName |
Name of the plug-in to be modified. |
paramKeys |
Init Param Keys separated by "|". |
paramValues |
Init Param Values separated by "|". |
adapterName |
Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Adds a control to the Request Control Exclude List.
Adds a control to the Request Control Exclude List for an existing LDAP adapter configuration.
addToRequestControlExcludeList(adapterName, control, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
control |
LDAP control object identifier (OID). |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Adds a control to the Request Control Include List.
Adds a control to the Request Control Include List for an existing LDAP adapter configuration.
addToRequestControlIncludeList(adapterName, control, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
control |
LDAP control object identifier (OID). |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Assigns a view to an LDAP adapter.
Assigns a view to an LDAP adapter in the libOVD configuration associated with an OPSS context.
Creates a new Join Adapter.
Creates a new Join Adapter for the libOVD configuration associated with an OPSS context.
createJoinAdapter(adapterName, root, primaryAdapter, [bindAdapter],[contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the Join Adapter to be created. |
root |
Root. |
primaryAdapter |
Specifies the identifier of the primary adapter, which is the adapter searched first in the join operation. |
bindAdapter |
Specifies identifier of the bind adapter(s), which are the adapter(s) whose proxy account is used to bind in the LDAP operation. By default, primaryAdapter is set as bindAdapter. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Creates a new LDAP adapter.
Creates a new LDAP adapter for the libOVD configuration associated with an OPSS context.
createLDAPAdapter(adapterName, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [passCred], [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be created. |
root |
Virtual Namespace of the LDAP adapter. |
host |
Remote LDAP host with which the LDAP adapter will communicate. |
port |
Remote LDAP host port number. |
remoteBase |
Location in the remote DIT to which root corresponds. |
isSecure |
Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to true. The default value is false. |
bindDN |
Optional. Proxy BindDN used to communicate with remote host. Default value is "". |
bindPasswd |
Optional. Proxy BindPasswd used to communicate with the remote host. Default value is "". |
passCred |
Optional. Controls the credentials, if any, the libOVD configuration will pass to the back-end (remote host) LDAP server. Values can be Always (default), None, or BindOnly. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Creates a new LDAP adapter.
Creates a new LDAP adapter with default plug-ins based on the directory type for the libOVD configuration associated with an OPSS context.
createLDAPAdapterWithDefaultPlugins(adapterName, directoryType, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be created. |
directoryType |
Directory type. The value can be one of the following directories:
|
root |
Virtual Namespace of the LDAP adapter. |
host |
Remote LDAP host to which LDAP adapter should communicate. |
port |
Remote host port. |
remoteBase |
Location in the remote DIT to which the root corresponds. |
isSecure |
Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to true. The default value is false. |
bindDN |
Optional. Proxy BindDN used to communicate with remote host. Default value is "". |
bindPasswd |
Optional. Proxy BindPasswd used to communicate with the remote host. Default value is "". |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
createLDAPAdapterWithDefaultPlugins("testLDAP", "OID", "dc=us,dc=oracle,dc=com", "myhost.example.domain.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "myContext")
createLDAPAdapterWithDefaultPlugins(adapterName='ldap1', directoryType="OID", root='dc=com', host='myhost.example.domain.com', port=5566, remoteBase='dc=oid',bindDN="cn=testuser",bindPasswd="welcome1",contextName='default')
Creates a new view.
Creates a new view for the libOVD configuration associated with an OPSS context.
Deletes an existing adapter.
Deletes an existing adapter for the libOVD configuration associated with an OPSS context.
Deletes an attribute exclusion rule.
Deletes an attribute exclusion rule for the libOVD configuration associated with an OPSS context.
deleteAttributeExclusionRule(attribute, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
attribute |
Name of the attribute to be removed from the exclusion list. |
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Delete an attribute mapping rule.
Delete an attribute mapping rule for the libOVD configuration associated with an OPSS context.
deleteAttributeRule(srcAttrs, dstAttr, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
srcAttrs |
Source attributes. |
dstAttr |
Destination attribute. |
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Deletes a domain exclusion rule.
Deletes a domain exclusion rule for the libOVD configuration associated with an OPSS context.
deleteDomainExclusionRule(domain, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
domain |
Distinguished Name of the container to be removed from the exclusion list. |
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Deletes a domain mapping rule.
Deletes a domain mapping rule for the libOVD configuration associated with an OPSS context.
deleteDomainRule(srcDomain, destDomain, mappingContextId, [contextName])
| Argument | Definition |
|---|---|
srcDomain |
Source domain. |
destDomain |
Destination domain. |
mappingContextId |
Name of the mapping context. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Delete a mapping context.
Delete the specified mapping context for the libOVD configuration associated with an OPSS context.
Deletes a view.
Displays the details of an existing adapter.
Displays the details of an existing adapter configured for the libOVD configuration associated with an OPSS context.
Lists the name and type of all adapters.
Lists the name and type of all adapters that are configured for the libOVD configuration associated with an OPSS context.
Lists all mapping contexts.
Lists all the attribute rules.
List all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION.
Lists all domain rules.
Lists all views
Modifies parameters in an LDAP adapter.
Modifies the following parameters defined in an existing LDAP adapter:
Remote Base
Root
Secure
BindDN
BindPassword
PassCredentials
MaxPoolSize
MaxPoolChecks
MaxPoolWait
InitialPoolSize
PoolCleanupInterval
MaxPoolConnectionIdleTime
Active
PingProtocol
PingBindDN
PingBindPassword
PageSize
HeartBeatInterval
OperationTimeout
SearchCountLimit
Visible
Critical
InclusionFilter
ExclusionFilter
DNPattern
RequestControlAllowServerSupported
modifyLDAPAdapter(adapterName, attribute, value, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
attribute |
Name of the attribute to be modified. |
value |
New value for the attribute. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='BindDN', value='cn=proxyuser,dc=com', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolChecks', value=10, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolWait', value=120000, contextName='mydefault') [value is in milliseconds] modifyLDAPAdapter(adapterName='ldap1', attribute='InitialPoolSize', value=10, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PoolCleanupInterval', value=300, contextName='mydefault') [value is in seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolConnectionIdleTime', value=300, contextName='mydefault') [value is in seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='Active', value=false, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PingProtocol', value='LDAP', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindDN', value='cn=proxyuser', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindPassword', value='welcome1', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PageSize', value=500, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='HeartBeatInterval', value=120, contextName='mydefault') [value is in seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='OperationTimeout', value=120000, contextName='mydefault') [value is in milliseconds] modifyLDAPAdapter(adapterName='ldap1', attribute='SearchCountLimit', value=100, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='Visible', value='Yes', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='Critical', value='false', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='InclusionFilter', value='objectclass=inetorgperson#base', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='ExclusionFilter', value='uniquemember=*#base', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='DNPattern', value='(.*)cn=[a-z0-9]*$', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='RequestControlAllowServerSupported', value=false, contextName='mydefault')
Modifies socket options.
modifySocketOptions(adapterName, reuseAddress, keepAlive, tcpNoDelay, readTimeout, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
reuseAddress |
Value of reuseAddress. |
keepAlive |
Value of keepAlive. |
tcpNoDelay |
Value of tcpNoDelay. |
readTimeout |
Value of readTimeout in seconds. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Removes all controls from the Request Control Exclude List.
Removes all controls from the Request Control Exclude List for an existing LDAP adapter configuration.
Removes all controls from the Request Control Include List.
Removes all controls from the Request Control Include List for an existing LDAP adapter configuration.
Removes a control from the Request Control Exclude List.
Removes a control from the Request Control Exclude List for an existing LDAP adapter configuration.
removeFromRequestControlExcludeList(adapterName, control, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
control |
LDAP control object identifier (OID). |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Removes a attribute from the DN Attributes List.
Removes a attribute from the DN Attributes List for an existing adapter that is configured for the libOVD associated with an OPSS context.
removeDNAttribute(adapterName attributeName, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the adapter to be updated. |
attributeName |
Name of the new DN attribute to be removed. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Removes a control from the Request Control Include List.
Removes a control from the Request Control Include List for an existing LDAP adapter configuration.
removeFromRequestControlIncludeList(adapterName, control, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
control |
LDAP control object identifier (OID). |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Removes a join rule from a Join Adapter.
Removes a join rule from a Join Adapter configured for the libOVD configuration associated with the specified OPSS context.
removeJoinRule(adapterName, secondary, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the Join Adapter to be modified. |
secondary |
The join rules corresponding to this secondary adapter are removed from the Join Adapter. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Removes a remote host from an existing LDAP adapter.
removeLDAPHost(adapterName, host, [contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
host |
Location of a remote LDAP host with which the LDAP adapter will communicate. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Removes a plug-in from an existing adapter.
removePlugin(pluginName, [adapterName], [contextName])
| Argument | Definition |
|---|---|
pluginName |
Name of the plug-in to be removed. |
adapterName |
Optional. Name of the adapter to be modified. If not specified, the global plug-in is removed. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Removes an existing parameter from a configured adapter level plug-in.
Removes an existing parameter from a configured adapter level plug-in or a global plug-in. This command removes all values of the particular parameter from the plug-in.
removePluginParam(pluginName, paramKey, [adapterName], [contextName])
| Argument | Definition |
|---|---|
pluginName |
Name of the plug-in to be modified. |
paramKey |
Parameter to be removed. |
adapterName |
Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Replaces existing parameter values for a plug-in.
Replaces existing parameter values for the specified adapter level plug-in or global plug-in.
replacePluginParam(pluginName, paramName, paramValues, [adapterName,][contextName])
| Argument | Description |
|---|---|
pluginName |
Name of the plug-in to be modified. |
paramName |
Name of the parameter to be replaced. |
paramValues |
New values of the parameter. For more than one new value, separate each new parameter value are by a "|". |
adapterName |
Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
contextName |
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is default. |
Unassigns a view from an adapter.
Online command that lists the type of SSL store in use.
Online command to enable KSS for libOVD.
This command enables KSS for SSL, and disables JKS if it was enabled before. For more information about KSS, see Oracle® Fusion Middleware Securing Applications with Oracle Platform Security Services.
Online command to enable JKS for libOVD.
This command enables JKS for SSL, and disables KSS if it was enabled before. The command assumes that the libOVD adapters.jks file exists.
Online command to enable JKS for SSL.
This command enables JKS for SSL, and disables KSS if it was enabled before. The command creates the libOVD adapters.jks file.
createKeyStoreAndEnableJKSForSSL(keystorePassword=[password], contextName=[contextName])
| Argument | Definition |
|---|---|
keystorePassword |
Password for libOVD adapters.jks file. |
contextName |
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default. |
Online command to import trusted certificate into SSL store.
importTrustedCertificateIntoSSLStore(certificateFileName=[cert_file],aliasName=[aliasName],contextName=[contextName])
| Argument | Definition |
|---|---|
certificateFileName |
File name that contains the certificate. |
aliasName |
Alias name for the certificate. |
contextName |
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default. |
Online command to migrate all trusted certificates from JKS-based libOVD truststore to KSS store.
This command migrates all trusted certificates from JKS-based libOVD truststore to KSS store.
Online command to migrate given trusted certificates from JKS-based libOVD truststore to KSS store.
This command migrates the given trusted certificates from JKS-based libOVD truststore to KSS store.
migrateTrustedCertificatesFromJKSToKSS(aliasNames=[alias_names], contextName=[contextName])
| Argument | Definition |
|---|---|
aliasNames |
List of alias names to migrate separated by a comma. |
contextName |
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default. |
Online command to change given LDAP host and port in an existing LDAP adapter configuration to a new host and port.
This command changes given LDAP host and port in an existing LDAP adapter configuration to a new host and port.
changeLDAPHostPort(adapterName=[adapterName], oldHost=[oldHost], oldPort=[oldPort], newHost=[newHost], newPort=[newPort], contextName=[contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
oldHost |
Old LDAP host. |
oldPort |
Old LDAP port. |
newHost |
New LDAP host. |
newPort |
New LDAP port. |
contextName |
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default. |
Online command to remove a remote host and a port from an existing LDAP adapter configuration.
This command removes a remote host and a port from an existing LDAP adapter configuration.
removeLDAPHostPort(adapterName=[adapterName], host=[host], port=[port], contextName=[contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
host |
Remote LDAP host. |
port |
Remote LDAP port. |
contextName |
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default. |
Online command to set the given host and port to read-only/writable in an existing LDAP adapter configuration.
This command sets the given host and port to read-only/writable in an existing LDAP adapter configuration.
setReadOnlyForLDAPHost(adapterName=[adapterName], host=[host], port=[port], readOnly=[true/false], contextName=[contextName])
| Argument | Definition |
|---|---|
adapterName |
Name of the LDAP adapter to be modified. |
host |
LDAP host. |
port |
LDAP port. |
readOnly |
It has values: true or false. |
contextName |
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is default. |
Use the WLST commands listed in Table 4-17 to manage Identity Directory Service entity attributes, entity definitions, relationships and default operational configurations.
Table 4-17 WLST Identity Directory Service Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Reload the Identity Directory Service configuration. |
Online |
|
|
Add a new attribute to the entity configuration. |
Online |
|
|
Add new properties for an attribute in an entity configuration. |
Online |
|
|
Add a new attribute to the specified entity. |
Online |
|
|
Add new properties for an attribute reference in an entity configuration. |
Online |
|
|
Add a new property for a specified operation configuration. |
Online |
|
|
Add a new entity to the entity configuration. |
Online |
|
|
Add new properties for an entity in an entity configuration. |
Online |
|
|
Add a new entity relation to the entity configuration. |
Online |
|
|
Add a new Identity Directory Service to the configuration. |
Online |
|
|
Add a new operation configuration to the entity configuration. |
Online |
|
|
Add a new property to a specified operation configuration. |
Online |
|
|
Delete an attribute from an entity configuration. |
Online |
|
|
Delete attribute reference properties in an entity configuration. |
Online |
|
|
Delete an entity from an entity configuration. |
Online |
|
|
Delete entity properties in an entity configuration. |
Online |
|
|
Delete the specified entity relation. |
Online |
|
|
Delete the specified Identity Directory Service in the configuration. |
Online |
|
|
Delete operation configuration in an entity configuration. |
Online |
|
|
List all attributes in the entity configuration. |
Online |
|
|
List all entities defined in the specified entity configuration. |
Online |
|
|
List all Identity Directory Services in the configuration. |
Online |
|
|
Remove an attribute from the specified entity. |
Online |
|
|
Removes a property for the specified operation configuration. |
Online |
|
|
Remove a property for the specified operation configuration. |
Online |
|
|
Update attributes in an entity configuration. |
Online |
|
|
Update attribute properties in an entity configuration. |
Online |
|
|
Update attribute reference properties in an entity configuration. |
Online |
|
|
Update an entity's properties in an entity configuration. |
Online |
|
|
Update an entity's attributes in an entity configuration. |
Online |
|
|
Update the entity properties in an entity configuration. |
Online |
|
|
Delete attribute properties in an entity configuration. |
Online |
Reloads the Identity Directory Service configuration.
Adds a new attribute to the entity configuration.
addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)
| Argument | Definition |
|---|---|
name |
Name of the attribute to be added. |
datatype |
The attribute's type is defined as one of the following:
|
description |
Description of the attribute to be added. |
readOnly |
Flag to specify whether the attribute is read only or can be modified. |
pwdAttr |
Flag to specify whether the attribute defines a password or not. |
appName |
Name of the Identity Directory Service. |
Adds new properties for an attribute in an entity configuration.
addAttributePropsInEntityConfig(name, propNames, propVals, appName)
| Argument | Definition |
|---|---|
name |
Name of the attribute to be added. |
propNames |
List of property names separated by "|".
The properties ( For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values. |
propVals |
List of corresponding property values separated by "|". |
appName |
Name of the Identity Directory Service. |
Adds a new attribute to the specified entity.
addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)
| Argument | Definition |
|---|---|
name |
Name of the entity to which the attribute will be added. |
attrRefName |
Name of the attribute to be added to the entity. |
attrRefFilter |
Type of filter to be used with the attribute, defined as one of the following:
|
attrRefDefaultFetch |
Flag to specify whether the attribute is fetched by default. |
appName |
Name of the Identity Directory Service. |
Adds new properties for an attribute reference in an entity configuration.
This command adds new properties for an attribute reference in an entity configuration.
addAttrrefPropsInEntityConfig(entityName, attrName, propNames, propVals, appName)
| Argument | Definition |
|---|---|
entityName |
Name of the entity. |
attrName |
Name of the attribute reference. |
propNames |
List of property names separated by "|".
The properties ( For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values. |
propVals |
List of corresponding property values separated by "|". |
appName |
Name of the Identity Directory Service. |
Adds a new property for a specified operation configuration.
addCommonPropertyForOperationConfig(entityName, propName, propValue, appName)
| Argument | Definition |
|---|---|
entityName |
Name of the entity. |
propName |
Name of the property to be added for this operation configuration. |
propValue |
Value of the property to be added for this operation configuration. |
appName |
Name of the Identity Directory Service. |
Adds a new entity to the entity configuration.
addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)
| Argument | Definition |
|---|---|
name |
Name of the entity to which the attribute will be added. |
type |
Name of the attribute to be added to the entity. |
idAttr |
Identity attribute of the entity to be added. |
create |
Flag to specify the create is allowed. |
modify |
Flag to specify the modify is allowed. |
delete |
Flag to specify the delete is allowed. |
search |
Flag to specify the search is allowed. |
attrRefNames |
Array of attribute names. |
attrRefFilters |
An array of filter type values, defined as one of the following:
|
attrRefDefaultFetches |
Array of boolean strings (true, false). |
appName |
Name of the Identity Directory Service. |
Adds new properties for an entity in an entity configuration.
Add a new entity relation to the entity configuration.
addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)
| Argument | Definition |
|---|---|
name |
Name of the relation between the entities for the given attributes. |
type |
Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne"). |
fromEntity |
Name of the from entity. |
fromAttr |
Name of the from attribute. |
toEntity |
Name of the to entity. |
toAttr |
Name of the to attribute. |
recursive |
Flag to set the entity relationship as recursive. |
appName |
Name of the Identity Directory Service. |
Adds a new IdentityStoreService to the Identity Directory Service configuration.
This command adds a new IdentityStoreService to the Identity Directory Service configuration.
addIdentityDirectoryService(name, description, propNames, propValues)
| Argument | Definition |
|---|---|
name |
Name of the IdentityStoreService to be added. |
description |
Description of the IdentityStoreService. |
propNames |
An array of property names to be added to the IdentityStoreService configuration. |
propValues |
An array of values to be defined for the property names added to the IdentityStoreService configuration. |
Adds a new operation configuration to the entity configuration.
addOperationConfig(entityName, propNames, propValues, appName)
| Argument | Definition |
|---|---|
entityName |
Name of the entity to which the operation configuration will be added. |
propNames |
An array of property names to be added to the operation configuration. |
propValues |
An array of property values for the properties added to the operation configuration. |
appName |
Name of the Identity Directory Service. |
Adds a new property to a specified operation configuration.
addPropertyForOperationConfig(entityName, propName, propValue, appName)
| Argument | Definition |
|---|---|
entityName |
Name of the entity to which the operation configuration will be added. |
propName |
A property name to be added to the operation configuration. |
propValue |
A value for the property added to the operation configuration. |
appName |
Name of the Identity Directory Service. |
Deletes an attribute from an entity configuration.
Deletes attribute properties in an entity configuration.
Deletes attribute reference properties in an entity configuration.
This command deletes attribute reference properties in an entity configuration.
deleteAttrrefPropsInEntityConfig(entityName, attrName, propNames, appName)
| Argument | Definition |
|---|---|
entityName |
Name of the entity. |
attrName |
Name of the attribute reference. |
propNames |
List of property names to be deleted. If multiple properties are to be deleted, they should be separated by "|". |
appName |
Name of the Identity Directory Service. |
Deletes an entity from an entity configuration.
Deletes entity properties in an entity configuration.
Deletes the specified entity relation.
Deletes the specified IdentityStoreService in the Identity Directory Service configuration.
This command deletes the specified IdentityStoreService in the Identity Directory Service configuration.
Deletes an operation configuration in an entity configuration.
Lists all attributes in the entity configuration.
Lists all entities defined in the specified entity configuration.
This command lists all entities defined in the specified entity configuration.
Lists all IdentityStoreService in Identity Directory Service configuration.
Removes an attribute from the specified entity.
Removes a property for the specified operation configuration.
Removes a property for the specified operation configuration
Updates attributes in an entity configuration.
updateAttributeInEntityConfig(name, attrNames, attrVals, appName)
| Argument | Definition |
|---|---|
name |
Name of the entity attribute to be updated. |
attrNames |
List of configuration attribute names separated by "|". Valid configuration attribute names are:
|
attrVals |
List of corresponding attribute values separated by "|". |
appName |
Name of the Identity Directory Service. |
Updates attribute properties in an entity configuration.
updateAttributePropsInEntityConfig(name, propNames, propVals, appName)
| Argument | Definition |
|---|---|
name |
Name of the attribute to be updated. |
propNames |
List of property names separated by "|". |
propVals |
List of corresponding property values separated by "|". |
appName |
Name of the Identity Directory Service. |
Updates attribute reference properties in an entity configuration.
This command updates attribute reference properties in an entity configuration.
updateAttrrefPropsInEntityConfig(entityName, attrName, propNames, propVals, appName)
| Argument | Definition |
|---|---|
entityName |
Name of the entity. |
attrName |
Name of the attribute reference. |
propNames |
List of property names separated by "|". |
propVals |
List of corresponding property values separated by "|". |
appName |
Name of the Identity Directory Service. |
Updates an entity's properties in an entity configuration.
updateEntity(name, type, idAttr, create, modify, delete, search, appName)
| Argument | Definition |
|---|---|
name |
Name of the entity to be updated. |
type |
Type of the entity. |
idAttr |
Identity attribute of the entity. |
create |
Flag to specify the create is allowed. |
modify |
Flag to specify the modify is allowed. |
delete |
Flag to specify the delete is allowed. |
search |
Flag to specify the search is allowed. |
appName |
Name of the Identity Directory Service. |
Updates the configuration attributes for an entity attribute.
updateEntityAttrs(name, attrNames, attrVals, appName)
| Argument | Definition |
|---|---|
name |
Name of the entity attribute.
To update the properties of an entity attribute, see updateAttributePropsInEntityConfig. |
attrNames |
List of configuration attribute names. If multiple configuration attributes are to be updated, they should be separated by "|". Valid configuration attribute names are:
|
attrVals |
List of corresponding configuration attribute values separated by "|". |
appName |
Name of the Identity Directory Service. |
Updates the entity properties in an entity configuration.
Deletes the attribute properties in an entity configuration.