This chapter describes the Oracle Fusion Middleware Infrastructure Security WLST commands.
For additional information about Oracle Platform Security Services (OPSS), see Securing Applications with Oracle Platform Security Services.
Note:
To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" section in the Administering Oracle Fusion Middleware.
The infrastructure WLST security commands are divided into the following categories:
Table 2-1 WLST Command Categories
- Manage domain policy and credential stores, and migrate the domain policy store.
- View and manage audit policies and the audit repository configuration.
- Manage the OPSS keystore service.
- Manage Identity Directory Service entity attributes, entity definitions, relationships, and default operational configurations.
- Manage Library Oracle Virtual Directory (LibOVD) LDAP and Join Adapter configuration. These commands act on the OVD configuration associated with the OPSS context passed in as a parameter.
Use the WLST security commands listed in Table 2-2 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 2-2 WLST Security Commands
Use this command... | To... | Use with WLST... |
---|---|---|
addBootStrapCredential | Add a credential to the bootstrap credential store. | Offline |
addResourceToEntitlement | Add a resource to an entitlement. | Online |
createAppRole | Create a new application role. | Online |
createCred | Create a new credential. | Online |
createEntitlement | Create an entitlement. | Online |
createResource | Create a resource. | Online |
createResourceType | Create a new resource type. | Online |
deleteAppPolicies | Remove all policies in an application. | Online |
deleteAppRole | Remove an application role. | Online |
deleteCred | Remove a credential. | Online |
deleteEntitlement | Remove an entitlement. | Online |
deleteResource | Remove a resource. | Online |
deleteResourceType | Remove an existing resource type. | Online |
exportEncryptionKey | Export the domain encryption key to the file ewallet.p12. | Offline |
getEntitlement | List an entitlement. | Online |
getResourceType | Fetch an existing resource type. | Online |
grantAppRole | Add a principal to a role. | Online |
grantEntitlement | Create an entitlement. | Online |
grantPermission | Create a new permission. | Online |
importEncryptionKey | Import the encryption key in the file ewallet.p12. | Offline |
listAppRoles | List all roles in an application. | Online |
listAppRoleMembers | List all members in an application role. | Online |
listAppStripes | List application stripes in the policy store. | Online or offline |
listCodeSourcePermissions | List permissions granted to a code source in global policies. | Online |
listEntitlement | List an entitlement. | Online |
listEntitlements | List entitlements in an application stripe. | Online |
listPermissions | List all permissions granted to a principal. | Online |
listResourceActions | List actions in a resource. | Online |
listResourceTypes | List resource types in an application stripe. | Online |
listResources | List resources in an application stripe. | Online |
listSecurityStoreInfo | List the type and location of the OPSS security store, and the user allowed to access it. | Offline |
migrateSecurityStore | Migrate policies or credentials from a source repository to a target repository. | Offline |
modifyBootStrapCredential | Update the bootstrap credential store. | Offline |
reassociateSecurityStore | Reassociate policies and credentials to an LDAP repository. | Online |
restoreEncryptionKey | Restore the domain encryption key as it was before the last import. | Offline |
revokeAppRole | Remove a principal from a role. | Online |
revokeEntitlement | Remove an entitlement. | Online |
revokePermission | Remove a permission. | Online |
revokeResourceFromEntitlement | Remove a resource from an entitlement. | Online |
rollOverEncryptionKey | Replace the current domain encryption key with a new one. | Offline |
updateCred | Modify the attribute values of a credential. | Online |
updateTrustServiceConfig | Update the configuration of the trust service. | Online |
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml. |
map | Specifies the map of the credential to add. |
key | Specifies the key of the credential to add. |
username | Specifies the name of the user in the credential to add. |
password | Specifies the password of the user in the credential to add. |
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to add. |
resourceType | Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions | Specifies the comma-separated list of actions for the added resource. |
The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that creates a new credential in the domain credential store.
Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
createCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. Optional. |
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add further resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is created. |
name | Specifies the name of the entitlement created. |
resourceName | Specifies the name of the one resource member of the entitlement created. |
actions | Specifies the comma-separated list of actions for the resource resourceName. |
displayName | Specifies the display name of the entitlement created. Optional. |
description | Specifies the description of the entitlement created. Optional. |
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [, displayName="dispName"] [, description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is created. |
name | Specifies the name of the resource created. |
type | Specifies the type of the resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName | Specifies the display name of the resource created. Optional. |
description | Specifies the description of the resource created. Optional. |
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with the specified name, display name, description, and actions. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets; all other arguments are required.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where to insert the resource type. |
resourceTypeName | Specifies the name of the resource type to insert. |
displayName | Specifies the name for the resource type used in UI gadgets. |
description | Specifies a brief description of the resource type. |
provider | Specifies the provider for the resource type. |
matcher | Specifies the class of the resource type. If unspecified, a default class is used. |
actions | Specifies the actions allowed on instances of the resource type. |
delimeter | Specifies the character used to delimit the list of actions. If unspecified, it defaults to the comma ','. |
The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint", delimeter=";")
Online command that removes all policies in a given application stripe.
Removes all policies in a given application stripe. In the event of an error, the command returns a WLSTException.
deleteAppPolicies(appStripe)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
Online command that removes an application role.
Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
deleteAppRole(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is deleted. |
name | Specifies the name of the entitlement to delete. |
Online command that removes a credential in the domain credential store.
Removes a credential with the given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
deleteCred(map, key)
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
Online command that deletes a resource.
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if an entitlement refers to this one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is deleted. |
name | Specifies the name of the resource deleted. |
type | Specifies the type of the resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with the specified name. In the event of an error, the command returns a WLSTException.
deleteResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to remove the resource type. |
resourceTypeName | Specifies the name of the resource type to remove. |
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml. |
keyFilePath | Specifies the directory where the file ewallet.p12 is written. |
keyFilePassword | Specifies the password to secure the file ewallet.p12. |
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
getEntitlement(appStripe="appStripeName", name="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to access. |
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with the specified name. In the event of an error, the command returns a WLSTException.
getResourceType(appStripe, resourceTypeName)
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to fetch the resource type. |
resourceTypeName | Specifies the name of the resource type to fetch. |
Online command that adds a principal to a role.
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
grantAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. |
Online command that creates a new entitlement.
Creates a new entitlement with a specified principal in a specified application stripe.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is created. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal to which the entitlement is granted. |
permSetName | Specifies the name of the entitlement created. |
The following invocation creates the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that creates a new permission.
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
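A pre-flight check for grantPermission calls, added here as an example and not Oracle's code: check_grant() takes the same keyword arguments as grantPermission and flags grants that defeat least privilege (AllPermission, tree-wide FilePermission targets, actions the permission class does not define, and grants that land in system policies because appStripe was omitted), and guarded_grant() forwards the call to the WLST command only when no finding is an error. The permission-class table and the wlst namespace parameter (globals() under WLST) are this example's own assumptions.

```python
"""Least-privilege pre-flight for grantPermission (added example, not Oracle's code).

check_grant() takes the same keyword arguments as grantPermission and returns
findings; guarded_grant() only forwards the call to the WLST command when no
finding is an error.  The class/action table below is this example's own,
built from standard Java permission classes; it is not an OPSS API.
"""

# Permission class -> allowed actions; None means the class takes no permActions.
PERMISSION_ACTIONS = {
    "java.security.AllPermission": None,
    "java.lang.RuntimePermission": None,
    "java.io.FilePermission": set(["read", "write", "execute", "delete", "readlink"]),
    "java.util.PropertyPermission": set(["read", "write"]),
    "java.net.SocketPermission": set(["connect", "listen", "accept", "resolve"]),
}


def check_grant(permClass, permTarget=None, permActions=None, appStripe=None,
                codeBaseURL=None, principalClass=None, principalName=None):
    """Return a list of (severity, message); severity is 'error' or 'warn'."""
    findings = []
    # A grant needs a grantee: either a code base or a principal (class and name).
    if codeBaseURL is None and (principalClass is None or principalName is None):
        findings.append(("error", "grantee missing: pass codeBaseURL or both principalClass and principalName"))
    # Without appStripe the command works on system policies, which affect every application.
    if appStripe is None:
        findings.append(("warn", "no appStripe given: the grant lands in system (global) policies"))
    if permClass == "java.security.AllPermission":
        findings.append(("error", "AllPermission grants every permission; grant the specific classes needed"))
        return findings
    # permActions is a comma-separated list; the valid set depends on the permission class.
    actions = set(a.strip() for a in (permActions or "").split(",") if a.strip())
    allowed = PERMISSION_ACTIONS.get(permClass)
    if permClass not in PERMISSION_ACTIONS:
        findings.append(("warn", "unknown permission class %s: verify target and actions by hand" % permClass))
    elif allowed is None:
        if actions:
            findings.append(("error", "%s takes no permActions" % permClass))
    elif not actions:
        findings.append(("error", "%s needs at least one action" % permClass))
    else:
        bad = sorted(actions - allowed)
        if bad:
            findings.append(("error", "invalid actions for %s: %s" % (permClass, ",".join(bad))))
    if permClass == "java.io.FilePermission":
        if permTarget is None:
            findings.append(("error", "FilePermission needs a permTarget path"))
        elif permTarget == "<<ALL FILES>>" or permTarget.endswith("/-"):
            # "<<ALL FILES>>" and a "/-" suffix are the Java forms for the whole file system / subtree.
            findings.append(("warn", "FilePermission target %s spans a whole tree; narrow it" % permTarget))
    return findings


def guarded_grant(wlst, **kwargs):
    """Call grantPermission through the WLST namespace (globals() under WLST)
    unless the pre-flight check reports an error.  Returns the findings so the
    caller can log the warnings alongside the grant."""
    findings = check_grant(**kwargs)
    if any(sev == "error" for sev, _ in findings):
        raise ValueError("; ".join(msg for sev, msg in findings if sev == "error"))
    wlst["grantPermission"](**kwargs)
    return findings
```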
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml. |
keyFilePath | Specifies the directory where the file ewallet.p12 is located. |
keyFilePassword | Specifies the password used when the file ewallet.p12 was created with exportEncryptionKey. |
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
listAppRoles(appStripe)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
listAppRoleMembers(appStripe, appRoleName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists the stripes in the policy store of the domain to which you connect. In either mode, if a regular expression is passed, it lists the application stripes whose names match the regular expression; otherwise, it lists all application stripes.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument | Definition |
---|---|
configFile | Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and lists the application stripes in the policy store. |
regularExpression | Specifies the regular expression that the returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes()
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes whose names start with the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that lists permissions granted to a code source in global policies.
listCodeSourcePermissions([codeBase="codeUrl"])
Argument | Definition |
---|---|
codeBaseURL | Specifies the name of the grantee codebase URL. |
Online command that lists entitlements in a specified application stripe.
If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlements are listed. |
principalName | Specifies the name of the principal to match. Optional. |
principalClass | Specifies the class of the principal to match. Optional. |
Online command that lists the entitlements in an application stripe.
Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [, resourceTypeName="resTypeName", resourceName="resName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to list entitlements. |
resourceTypeName | Specifies the name of the type of the resources to list. Optional. |
resourceName | Specifies the name of the resource to match. Optional. |
The following invocation lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following invocation lists all the entitlements in the stripe myApplication that contain a resource of type myResType whose name matches the resource name myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
listPermissions([appStripe,] principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
The following invocation lists all permissions granted to a principal by the policies of the application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager")
The following invocation lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that lists the resources and actions in an entitlement.
Lists the resources and actions in an entitlement within an application stripe.
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement resides. |
permSetName | Specifies the name of the entitlement whose resources and actions to list. |
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [, type="resTypeName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resources are listed. |
type | Specifies the type of the resources listed. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists resource types.
listResourceTypes(appStripe="appStripeName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource types are located. |
Offline command that lists the type, the location, and the administrative user of the domain security store.
The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).
listSecurityStoreInfo(domainConfig="configFilePath")
Argument | Definition |
---|---|
domainConfig | Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory. |
Offline command that migrates identities, application-specific or system policies, a specific credential folder, or all credentials.
Migrates security artifacts from a source repository to a target repository. For full details, see the "Migrating with the Script migrateSecurityStore" section in Securing Applications with Oracle Platform Security Services.
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with a given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml. |
username | Specifies the distinguished name of the user in the LDAP store. |
password | Specifies the password of the user. |
Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded.
Online command that migrates policies, credentials, audit metadata, and keys from an existing OPSS security store to a target OPSS security store.
The script reassociateSecurityStore migrates the OPSS security store from a source to a target LDAP- or DB-based store, and it resets the services in the files jps-config.xml and jps-config-jse.xml to the target repository. It also allows specifying that the OPSS security store be shared with that of a different domain (see the optional argument join). The OPSS binaries and the target policy store must have compatible versions.
For complete details and samples, see Securing Applications with Oracle Platform Security Services.
Offline command that restores the domain credential encryption key.
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
restoreEncryptionKey(jpsConfigFile)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml. |
Online command that removes a principal from a role.
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. |
appRoleName | Specifies a role name. |
principalClass | Specifies the fully qualified name of a class. |
principalName | Specifies the principal name. |
Online command that deletes an entitlement.
Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName", permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is deleted. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal from which the entitlement is revoked. |
permSetName | Specifies the name of the entitlement deleted. |
The following invocation deletes the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that removes a permission.
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute, and the actions available depend on the permission class. |
The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that removes a resource from an entitlement.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to remove. |
resourceType | Specifies the type of the resource to remove. |
actions | Specifies the comma-separated list of actions to remove. |
The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Offline command that changes the domain encryption key.
This offline script replaces the current domain OPSS encryption key with a new one; the current key is not deleted but archived, since it is used to decrypt data that was encrypted using that key.
Note the following important points:
This command should be executed from the administration server in the domain.
If the domain is the only domain accessing the security store, nothing else is required.
However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.
rollOverEncryptionKey(jpsConfigFile="pathName")
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml; either relative to the location where the script is run, or the full path. |
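The shared-security-store procedure described in the notes above, as an added WLST script that is not part of the Oracle documentation. It runs offline from the Oracle Common home; the jps-config.xml paths are placeholders, and the exportEncryptionKey/importEncryptionKey argument names (jpsConfigFile, keyFilePath, keyFilePassword, with keyFilePath naming the directory that holds the exported ewallet.p12) are assumed from those commands' entries elsewhere in this chapter, not from this section.

```wlst
# Added example (not Oracle's code): rotate the OPSS domain encryption key once,
# then propagate it to every other domain that shares the same security store.
import os

KEY_DIR = '/u01/secure/opss-key-export'      # placeholder; access-controlled directory
KEY_PWD = os.environ['OPSS_KEY_FILE_PWD']    # wallet password, never hardcoded

def rollAndExport(jpsConfigFile):
    """Run exactly once, on the administration server of ONE domain only."""
    # The previous key is archived, not deleted, so data encrypted with it
    # stays readable after the rollover.
    rollOverEncryptionKey(jpsConfigFile=jpsConfigFile)
    # Export the newly generated key so the other sharing domains can import it.
    exportEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=KEY_DIR,
                        keyFilePassword=KEY_PWD)

def importSharedKey(jpsConfigFile):
    """Run on the administration server of EVERY other domain sharing the store.
    A domain that skips this step cannot decrypt data written with the new key."""
    importEncryptionKey(jpsConfigFile=jpsConfigFile, keyFilePath=KEY_DIR,
                        keyFilePassword=KEY_PWD)

# The operator sets the role of this host; the same script runs on each domain.
# Delete ewallet.p12 from KEY_DIR once every domain has imported it.
if os.environ.get('OPSS_ROLLOVER_ROLE') == 'primary':
    rollAndExport('/u01/domains/domainA/config/fmwconfig/jps-config.xml')   # placeholder path
else:
    importSharedKey('/u01/domains/domainB/config/fmwconfig/jps-config.xml')  # placeholder path
```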
Online command that updates password credentials only.
Updates password credentials only, that is, only the data encapsulated in credentials of type password. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
updateCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. |
Online command that updates the configuration of the domain trust service with the values passed in a property file.
Updates the trust service domain configuration. In the event of an error, the command returns a WLSTException.
updateTrustServiceConfig([providerName="<the provider name>",] propsFile="<path of properties file>")
Argument | Definition |
---|---|
providerName | Specifies the name of the trust service provider; optional; if unspecified, it defaults to |
propsFile | Specifies the path to the file where the property values are set. |
Here is a sample property file:
trust.keystoreType=KSS
trust.keyStoreName=kss://<stripeName>/<keystoreName>
trust.trustStoreName=kss://<stripeName>/<truststoreName>
trust.aliasName=<aliasName>
trust.issuerName=<aliasName>
Note that the list of specified properties differs according to the value of the property trust.keystoreType. The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration. For the list of available properties, see "Trust Service Properties" section in Securing Applications with Oracle Platform Security Services.
Use the WLST commands listed in Table 2-3 to view and manage audit policies and the audit repository configuration.
Use this command... | To... | Use with WLST... |
---|---|---|
getNonJavaEEAuditMBeanName | Display the MBean name for a non-Java EE component. | Online |
getAuditPolicy | Display audit policy settings. | Online |
setAuditPolicy | Update audit policy settings. | Online |
getAuditRepository | Display audit repository settings. | Online |
setAuditRepository | Update audit repository settings. | Online |
listAuditEvents | List audit events for one or all components. | Online |
exportAuditConfig | Export a component's audit configuration. | Online |
importAuditConfig | Import a component's audit configuration. | Online |
createAuditDBView | Create an audit definitions view in the database. | Online |
listAuditComponents | List components that can be audited. | Online |
registerAudit | Register audit definitions for a specified component in the audit store. | Online |
deregisterAudit | Remove audit definitions of a specified component from the audit store. | Online |
For more information, see the Securing Applications with Oracle Platform Security Services.
Online command that displays the mbean name for non-Java EE components.
This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
svrName | Specifies the name of the Oracle WebLogic Server. |
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, and maximum log file size. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
getAuditPolicy([mbeanName, componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
componentType | Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in |
The following command displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy()
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
FilterPreset:All
Max Log File Size:104857600
The following command displays the audit settings for MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle Internet Directory and Oracle Virtual Directory.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
setAuditPolicy([mbeanName], [filterPreset], [addSpecialUsers], [removeSpecialUsers], [addCustomEvents], [removeCustomEvents], [componentType], [maxDirSize], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
filterPreset | Specifies the filter preset to be changed. |
addSpecialUsers | Specifies the special users to be added. |
removeSpecialUsers | Specifies the special users to be removed. |
addCustomEvents | Specifies the custom events to be added. |
removeCustomEvents | Specifies the custom events to be removed. |
componentType | Specifies the component definition type to be updated. If not specified, the audit configuration defined in jps-config.xml is modified. |
maxDirSize | This argument is not used. |
maxFileSize | Specifies the maximum size of the log file. |
andCriteria | Specifies the |
orCriteria | Specifies the |
componentEventsFile | Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create/update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to 'Custom'. |
The following interactive command sets the audit policy to the None level, and adds users user2 and user3 while removing user1 from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='None', addSpecialUsers='user2,user3', removeSpecialUsers='user1')
wls:/mydomain/serverConfig> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
Max Log Dir Size:0
The following interactive command adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset= 'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following interactive command sets the audit policy to the Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
Max Log Dir Size:0
The following command sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', addCustomEvents='JPS:CheckAuthorization');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy();
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Max Log Dir Size:0
Custom Events:JPS:CheckAuthorization
Online command that displays audit repository settings.
This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). Also displays database configuration if the repository is a database type.
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB], [dataSourceName], [interval], [timezone])
Argument | Definition |
---|---|
switchToDB | If |
dataSourceName | Specifies the name of the data source. |
interval | Specifies intervals at which the audit loader kicks off. |
timezone | Specifies the timezone the audit loader uses to record the timestamps of the audit events. The valid values are "utc" and "local". |
The following command switches from a file repository to a database repository:
wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true', dataSourceName='jdbc/AuditAppendDataSource');
Already in Domain Runtime Tree
Audit Repository Information updated
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB
The following command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbc/AuditAppendDataSource',
interval='14', timezone="utc")
The following command sets the timezone format for audit records to utc:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB="true",dataSourceName="jdbc/AuditAppendDataSource",
interval="14", timezone="utc")
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
listAuditEvents([mbeanName],[componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component MBean. |
componentType | Specifies the component type to limit the list to all events of the component type. |
The following command displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message
The following command displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following command displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
exportAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name to which the audit configuration should be exported. |
componentType | Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in |
The following interactive command exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
importAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name from which the audit configuration should be imported. |
componentType | Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in |
The following interactive command imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean', fileName='/tmp/auditconfig')
The following interactive command imports the audit configuration from a file; no mBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
This command generates a SQL script that you can use to create a database view to query audit records from the database for a specific component.
This command generates a SQL script that you can use to query the database for audit records. The script is written to the specified file and also printed out to the console. Executing the script creates a database view that you can use to run audit queries and reports.
Upon execution, the result of the SQL script depends on the audit model at your site:
If using the 11.1.1.6.0 model, and the component is registered in the audit store, the script creates a view using the system component tables (IAU_COMMON, IAU_USERSESSION, IAU_AUDITSERVICE and IAU_CUSTOM) for the specified component.
If using the pre-11.1.1.6.0 model, the component is not registered in the audit store but its event definitions reside in the component_events.xml file (in the oracle_common/modules/oracle.iau_11.1.1/components/componentType dir), and the view is created using the IAU_BASE and component tables.
createAuditDBView(fileName, componentType)
Argument | Definition |
---|---|
fileName | Specifies the path and file name to which the SQL script is written. |
componentType | The component whose definitions are the basis of the view. |
Lists components that can be audited.
This command creates a list of the components that can be audited. It lists components registered in the audit store using both the 11.1.1.6.0 model and the pre-11.1.1.6.0 model.
listAuditComponents(fileName)
Argument | Definition |
---|---|
fileName | Specifies the path and file name to which the output is written. |
Registers the specified component in the audit store.
Adds the event definition and translation content for a specified component to the audit store. If you try to register using the pre-11.1.1.6.0 audit XML schema definition, it is upgraded to the 11.1.1.6.0 XML schema definition and then registered with the audit store.
registerAudit(xmlFile, [xlfFile], componentType, [mode=OVERWRITE|UPGRADE])
Argument | Definition |
---|---|
xmlFile | Specifies the component event definition file. |
xlfFile | Specifies the component xlf jar file. Optional. |
componentType | Specifies the component to be registered. |
mode | OVERWRITE or UPGRADE. Default is UPGRADE. |
Removes the event definition and translation content for the specified component from the audit store.
Removes an existing event definition and translation content for a specified component or application from the audit store.
deregisterAudit(componentType)
Argument | Definition |
---|---|
componentType | Specifies the component whose definitions are to be removed. |
This section contains commands used with the OPSS keystore service.
Note:
You need to acquire an OPSS handle to use keystore service commands; this handle is denoted by 'svc' in the discussion that follows. For details, see "Managing Keys and Certificates with the Keystore Service" section in Securing Applications with Oracle Platform Security Services.
Table 2-4 lists the WLST commands used to manage the keystore service.
Table 2-4 OPSS Keystore Service Commands
Use this command... | To... |
---|---|
changeKeyPassword | Change the password for a key. |
changeKeyStorePassword | Change the password on a keystore. |
createKeyStore | Create a keystore. |
deleteKeyStore | Delete a keystore. |
deleteKeyStoreEntry | Delete an entry in a keystore. |
exportKeyStore | Export a keystore to file. |
exportKeyStoreCertificate | Export a certificate to a file. |
exportKeyStoreCertificateRequest | Export a certificate request to a file. |
generateKeyPair | Generate a key pair. |
generateSecretKey | Generate a secret key. |
getKeyStoreCertificates | Get information about a certificate or trusted certificate. |
getKeyStoreSecretKeyProperties | Get the secret key properties. |
importKeyStore | Import a keystore from file. |
importKeyStoreCertificate | Import a certificate or other object. |
listExpiringCertificates | List certificates expiring in a specified period. |
listKeyStoreAliases | List aliases in a keystore. |
listKeyStores | List all the keystores in a stripe. |
syncKeyStores | Synchronize the keystores in the administration server with keystores in the security store. |
Changes a key password.
changeKeyPassword(appStripe='stripe', name='keystore', password='password', alias='alias', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe containing the keystore. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the key entry whose password is changed. |
currentkeypassword | Specifies the current key password. |
newkeypassword | Specifies the new key password. |
Changes the password of a keystore.
changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe containing the keystore. |
name | Specifies the name of the keystore. |
currentpassword | Specifies the current keystore password. |
newpassword | Specifies the new keystore password. |
This keystore service command creates a new keystore.
createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore is created. |
name | Specifies the name of the new keystore. |
password | Specifies the keystore password. |
permission | This parameter is true if the keystore is protected by permission only, false if protected by both permission and password. |
Deletes the named keystore.
deleteKeyStore(appStripe='stripe', name='keystore', password='password')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore to be deleted. |
password | Specifies the keystore password. |
Deletes a keystore entry.
deleteKeyStoreEntry(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be deleted. |
keypassword | Specifies the key password of the entry to be deleted. |
Exports a keystore to a file.
exportKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
aliases | Comma-separated list of aliases to be exported. |
keypasswords | Comma-separated list of the key passwords corresponding to the aliases. |
type | Exported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath | Absolute path of the file to which the keystore is exported. |
Exports a certificate.
exportKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be exported. |
keypassword | Specifies the key password. |
type | Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath | Specifies the absolute path of the file to which the certificate, trusted certificate or certificate chain is exported. |
Exports a certificate request.
exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the entry's alias name. |
keypassword | Specifies the key password. |
filepath | Specifies the absolute path of the file to which the certificate request is exported. |
Generates a key pair in a keystore.
Generates a key pair in a keystore and wraps it in a demo CA-signed certificate.
generateKeyPair(appStripe='stripe', name='keystore', password='password', dn='distinguishedname', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
dn | Specifies the distinguished name of the certificate wrapping the key pair. |
keysize | Specifies the key size. |
alias | Specifies the alias of the key pair entry. |
keypassword | Specifies the key password. |
Generates a secret key.
generateSecretKey(appStripe='stripe', name='keystore', password='password', algorithm='algorithm', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
algorithm | Specifies the symmetric key algorithm. |
keysize | Specifies the key size. |
alias | Specifies the alias of the key entry. |
keypassword | Specifies the key password. |
Gets a certificate from the keystore.
getKeyStoreCertificates(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed. |
keypassword | Specifies the key password. |
Retrieves secret key properties.
getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the secret key whose properties are displayed. |
keypassword | Specifies the secret key password. |
Imports a keystore from file.
importKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', permission=true|false, filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
aliases | Specifies the comma-separated aliases of the entries to be imported from the file. |
keypasswords | Specifies the comma-separated passwords of the keys in the file. |
type | Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS'. |
filepath | Specifies the absolute path of the keystore file to be imported. |
permission | Specifies true if the keystore is protected by permission only, false if protected by both permission and password. |
Imports a certificate or other specified object.
importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be imported. |
keypassword | Specifies the key password of the newly imported entry. |
type | Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath | Specifies the absolute path of the file from which the certificate, trusted certificate or certificate chain is imported. |
Lists expiring certificates.
listExpiringCertificates(days='days', autorenew=true|false)
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
days | Specifies that the list should only include certificates within this many days from expiration. |
autorenew | Specifies true for automatically renewing expiring certificates, false for only listing them. |
Lists the aliases in a keystore.
The syntax is as follows:
listKeyStoreAliases(appStripe='stripe', name='keystore', password='password', type='entrytype')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
type | Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'. |
Lists all the keystores in a stripe.
listKeyStores(appStripe='stripe')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe whose keystores are listed. |
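The keystore service commands above strung together into one lifecycle, as an added WLST script that is not part of the Oracle documentation: create a password-protected keystore, generate a key pair, export a certificate request, import the CA-issued chain and root, verify the entries, and report certificates close to expiry. It runs online (after connect()) from the Oracle Common home; the stripe, keystore name, alias, DN and file paths are placeholders, and getOpssService(name='KeyStoreService') is the call that yields the 'svc' handle used in the tables above.

```wlst
# Added example (not Oracle's code): OPSS keystore service lifecycle.
import os

svc = getOpssService(name='KeyStoreService')   # the 'svc' handle used throughout this section

stripe = 'myAppStripe'                 # placeholder application stripe
ksName = 'tlsKeystore'                 # placeholder keystore name
ksPwd  = os.environ['OPSS_KS_PWD']     # keystore password from the environment, never in the script
alias  = 'serverkey'
keyPwd = os.environ['OPSS_KEY_PWD']    # key password, likewise

# 1. Create the keystore; permission=false means it is protected by both
#    codebase permission and password, not by permission alone.
svc.createKeyStore(appStripe=stripe, name=ksName, password=ksPwd, permission=false)

# 2. Generate a 2048-bit key pair. generateKeyPair wraps it in a demo CA-signed
#    certificate, which is only a placeholder until the real CA certificate arrives.
svc.generateKeyPair(appStripe=stripe, name=ksName, password=ksPwd,
                    dn='cn=app.example.com,o=Example,c=US', keysize='2048',
                    alias=alias, keypassword=keyPwd)

# 3. Export a certificate request for the organisation's CA.
svc.exportKeyStoreCertificateRequest(appStripe=stripe, name=ksName, password=ksPwd,
                                     alias=alias, keypassword=keyPwd,
                                     filepath='/tmp/app.example.com.csr')

# 4. Once the CA has issued the certificate, import the full chain under the same
#    alias (replacing the demo certificate) and the CA root as a trusted entry.
svc.importKeyStoreCertificate(appStripe=stripe, name=ksName, password=ksPwd,
                              alias=alias, keypassword=keyPwd,
                              type='CertificateChain', filepath='/tmp/app.example.com-chain.pem')
svc.importKeyStoreCertificate(appStripe=stripe, name=ksName, password=ksPwd,
                              alias='exampleRootCA', keypassword=keyPwd,
                              type='TrustedCertificate', filepath='/tmp/example-root-ca.pem')

# 5. Verify the store now holds the expected entries and that the issued
#    certificate, not the demo one, sits under the key alias.
svc.listKeyStoreAliases(appStripe=stripe, name=ksName, password=ksPwd, type='*')
svc.getKeyStoreCertificates(appStripe=stripe, name=ksName, password=ksPwd,
                            alias=alias, keypassword=keyPwd)

# 6. Periodic check: list certificates expiring within 30 days. autorenew=false
#    keeps this a read-only report; renewal stays a deliberate, reviewed change.
svc.listExpiringCertificates(days='30', autorenew=false)
```

Run the same script with a list of stripes from listKeyStores() to review every keystore in a domain; the exported CSR contains no secret, but anything written by exportKeyStore does and needs the same protection as the keystore itself.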
Use the WLST commands listed in Table 2-5 to manage Identity Directory Service Entity Attributes, Entity Definitions, Relationships and default Operational configurations.
Table 2-5 WLST Identity Directory Service Commands
Use this command... | To... | Use with WLST... |
---|---|---|
| Reload the Identity Directory Service configuration. | Online |
addAttributeInEntityConfig | Add a new attribute to the entity configuration. | Online |
addAttributeRefForEntity | Add a new attribute to the specified entity. | Online |
addEntity | Add a new entity to the entity configuration. | Online |
addEntityRelation | Add a new entity relation to the entity configuration. | Online |
addIdentityDirectoryService | Add a new Identity Directory Service to the configuration. | Online |
addOperationConfig | Add a new operation configuration to the entity configuration. | Online |
addPropertyForOperationConfig | Add a new property to a specified operation configuration. | Online |
| Delete an attribute from an entity configuration. | Online |
| Delete an entity from an entity configuration. | Online |
| Delete the specified entity relation. | Online |
| Delete the specified Identity Directory Service in the configuration. | Online |
| Delete an operation configuration in an entity configuration. | Online |
| List all attributes in the entity configuration. | Online |
| List all entities defined in the specified entity configuration. | Online |
| List all Identity Directory Services in the configuration. | Online |
| Remove an attribute from the specified entity. | Online |
| Remove a property from the specified operation configuration. | Online |
addAttributeInEntityConfig
addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)
Table 2-6 addAttributeInEntityConfig Arguments
Argument | Definition |
---|---|
name | Name of the attribute to be added. |
datatype | The attribute's type is defined as one of the following: |
description | Description of the attribute to be added. |
readOnly | Flag to specify whether the attribute is read only or can be modified. |
pwdAttr | Flag to specify whether the attribute defines a password or not. |
appName | Name of the Identity Directory Service. |
addAttributeRefForEntity
addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)
Table 2-7 addAttributeRefForEntity Arguments
Argument | Definition |
---|---|
name | Name of the entity to which the attribute will be added. |
attrRefName | Name of the attribute to be added to the entity. |
attrRefFilter | The type of filter to be used with the attribute is defined as one of the following: |
attrRefDefaultFetch | Flag to specify whether the attribute is fetched by default. |
appName | Name of the Identity Directory Service. |
addEntity
addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)
Argument | Definition |
---|---|
name | Name of the entity to which the attribute will be added. |
type | Name of the attribute to be added to the entity. |
idAttr | Identity attribute of the entity to be added. |
create | Flag to specify that create is allowed. |
modify | Flag to specify that modify is allowed. |
delete | Flag to specify that delete is allowed. |
search | Flag to specify that search is allowed. |
attrRefNames | Array of attribute names. |
attrRefFilters | An array of filter type values, each defined as one of the following: |
attrRefDefaultFetches | Array of boolean strings (true, false). |
appName | Name of the Identity Directory Service. |
addEntityRelation
addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)
Table 2-9 addEntityRelation Arguments
Argument | Definition |
---|---|
name | Name of the relation between the entities for the given attributes. |
type | Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne"). |
fromEntity | Name of the from entity. |
fromAttr | Name of the from attribute. |
toEntity | Name of the to entity. |
toAttr | Name of the to attribute. |
recursive | Flag to set the entity relationship as recursive. |
appName | Name of the Identity Directory Service. |
addIdentityDirectoryService
Add a new IdentityStoreService to the Identity Directory Service configuration.
addIdentityDirectoryService(name, description, propNames, propValues)
Table 2-10 addIdentityDirectoryService Arguments
Argument | Definition |
---|---|
name | Name of the IdentityStoreService to be added. |
description | Description of the IdentityStoreService. |
propNames | An array of property names to be added to the IdentityStoreService configuration. |
propValues | An array of values to be defined for the property names added to the IdentityStoreService configuration. |
addOperationConfig
addOperationConfig(entityName, propNames, propValues, appName)
Table 2-11 addOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added. |
propNames | An array of property names to be added to the operation configuration. |
propValues | An array of property values for the properties added to the operation configuration. |
appName | Name of the Identity Directory Service. |
addPropertyForOperationConfig
addPropertyForOperationConfig(entityName, propName, propValue, appName)
Table 2-12 addPropertyForOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added. |
propName | A property name to be added to the operation configuration. |
propValue | A value for the property added to the operation configuration. |
appName | Name of the Identity Directory Service. |
deleteAttributeInEntityConfig
deleteEntityRelation
deleteIdentityDirectoryService
Delete the specified IdentityStoreService in the Identity Directory Service configuration.
deleteIdentityDirectoryService(name)
where name is the name of the IdentityStoreService configuration to be deleted.
deleteOperationConfig
listAllAttributeInEntityConfig
listAllAttributeInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of attributes is retrieved.
listAllEntityInEntityConfig
listAllEntityInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of entities is retrieved.
removeAttributeRefForEntity
Use the WLST commands listed in Table 2-19 to manage Library Oracle Virtual Directory (LibOVD) LDAP and Join Adapters configuration. These commands act on the OVD configuration associated with a particular OPSS Context passed in as a parameter.
Table 2-19 WLST LibOVD Commands
Use this command... | To... | Use with WLST... |
---|---|---|
activateLibOVDConfigChanges | Reload the LibOVD configuration. | Online |
addAttributeExclusionRule | Add an attribute exclusion rule. | Online |
addAttributeRule | Add a new attribute mapping rule. | Online |
addDomainExclusionRule | Add a domain exclusion rule. | Online |
addDomainRule | Add a new domain mapping rule. | Online |
addJoinRule | Add a join rule to an existing Join adapter for the OVD associated with the given OPSS context. | Online |
addLDAPHost | Add a new remote host to an existing LDAP adapter. | Online |
addMappingContext | Create a new mapping context. | Online |
addPlugin | Add a plugin to an existing adapter or at the global level. | Online |
addPluginParam | Add new parameter values to an existing adapter-level plugin or global plugin. | Online |
createJoinAdapter | Create a new Join adapter for the OVD associated with the given OPSS context. | Online |
createLDAPAdapter | Create a new LDAP adapter for the OVD associated with the given OPSS context. | Online |
deleteAdapter | Delete an existing adapter for the OVD associated with the given OPSS context. | Online |
deleteAttributeExclusionRule | Delete an attribute exclusion rule. | Online |
deleteAttributeRule | Delete an attribute mapping rule. | Online |
deleteDomainExclusionRule | Delete a domain exclusion rule. | Online |
deleteDomainRule | Delete a domain mapping rule. | Online |
deleteMappingContext | Delete the specified mapping context. | Online |
getAdapterDetails | Display the details of an existing adapter that is configured for the OVD associated with the given OPSS context. | Online |
listAdapters | List the name and type of all adapters that are configured for the OVD associated with the given OPSS Context. | Online |
listAllMappingContextIds | List all the mapping contexts. | Online |
listAttributeRules | List all the attribute rules. | Online |
listDomainRules | List all the domain rules. | Online |
modifyLDAPAdapter | Modify an existing LDAP adapter configuration. | Online |
removeJoinRule | Remove a join rule from a Join adapter configured for the OVD associated with the given OPSS Context. | Online |
removeLDAPHost | Remove a remote host from an existing LDAP adapter configuration. | Online |
removePlugin | Remove a plugin from an existing adapter or at the global level. | Online |
removePluginParam | Remove an existing parameter from a configured adapter-level plugin or global plugin. | Online |
activateLibOVDConfigChanges
activateLibOVDConfigChanges(contextName)
where contextName is the name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default.
addAttributeExclusionRule
addAttributeExclusionRule(attribute, mappingContextId, contextName)
Table 2-20 addAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be added to the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
addAttributeRule
addAttributeRule(srcAttrs, srcObjectClass, srcAttrType, dstAttr, dstObjectClass, dstAttrType, mappingExpression, direction, mappingContextId, contextName)
addDomainExclusionRule
addDomainExclusionRule(domain, mappingContextId, contextName)
Table 2-22 addDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished name (DN) of the attribute to be added to the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
addDomainRule
addDomainRule(srcDomain, destDomain, domainConstructRule, mappingContextId, contextName)
Table 2-23 addDomainRule Arguments
Argument | Definition |
---|---|
srcDomain | Container DN in the source. |
destDomain | Container DN in the destination. |
domainConstructRule | Domain mapping rule. |
mappingContextId | Name of the mapping context. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
addJoinRule
Adds a join rule to an existing Join adapter for the OVD associated with the specified OPSS context.
addJoinRule(adapterName=<adapterName>, secondary=<secondary>, condition=<condition>, joinerType=<joinerType>, contextName=<contextName>)
Table 2-24 addJoinRule Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be modified. |
secondary | Name of the adapter to join to. |
condition | The attribute(s) to join on. |
joinerType | An optional parameter that defines the type of Join. Accepted values are Simple (default), Conditional, OneToMany or Shadow. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
addJoinRule('join1','secondaryldap','cn=cn', 'Simple', 'default')
addJoinRule('join1','secondaryldap','cn=cn', 'Conditional', 'default')
addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', joinerType='OneToMany')
addJoinRule(adapterName='join1', secondary='LDAP2',condition='uid=cn', contextName='myContext')
addLDAPHost
Adds a new remote host (host:port pair) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.
addLDAPHost(adapterName=<adapterName>, host=<host>, port=<port>, contextName=<contextName>)
Table 2-25 addLDAPHost Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be modified. |
host | Remote LDAP host with which the LDAP adapter will communicate. |
port | Remote LDAP host's port. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
addMappingContext
addPlugin
Adds a plugin to an existing adapter, or at the global level. The i-th key in paramKeys corresponds to the i-th value in paramValues. The plugin is added to the default chain.
addPlugin(pluginName=<pluginName>, pluginClass=<pluginClass>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)
Table 2-27 addPlugin Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be created. |
pluginClass | Class of the plugin. |
paramKeys | Init Param Keys separated by "|". |
paramValues | Init Param Values separated by "|". |
adapterName | Name of the adapter to be modified. If not specified, the plugin is added at the global level. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
addPlugin(adapterName='ldap1', pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPlugin(pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPluginParam
Adds new parameter values to an existing adapter-level plugin or global plugin. If the parameter already exists, the new value is added to the existing set of values. The i-th key in paramKeys corresponds to the i-th value in paramValues.
addPluginParam(pluginName=<pluginName>, paramKeys=<paramKeys>, paramValues=<paramValues>, adapterName=<adapterName>, contextName=<contextName>)
Table 2-28 addPluginParam Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be modified. |
paramKeys | Init Param Keys separated by "|". |
paramValues | Init Param Values separated by "|". |
adapterName | Name of the adapter to be modified. If not specified, the global plugin is modified. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
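Both addPlugin and addPluginParam pair the i-th entry of paramKeys with the i-th entry of paramValues, so a stray "|" in a value or a count mismatch silently attaches later values to the wrong init parameter. The helpers below, added here as an example and not Oracle's code, build and check those two strings before they reach WLST; trimming whitespace around "|" is an assumption taken from the page's own examples, and the call builder only returns keyword arguments rather than invoking WLST.

```python
"""Helpers for the '|'-separated paramKeys/paramValues convention of the
LibOVD addPlugin and addPluginParam WLST commands (added example, not Oracle code).
Runs under plain Python as well as WLST's Jython."""

SEP = "|"


def encode_plugin_params(params):
    """Turn an ordered list of (key, value) pairs into the (paramKeys, paramValues)
    strings expected by addPlugin/addPluginParam.

    Raises ValueError when a key is empty or when a key or value contains the
    separator, since either would shift every following parameter onto the
    wrong key once the strings are split again."""
    keys, values = [], []
    for key, value in params:
        key, value = str(key).strip(), str(value).strip()
        if not key:
            raise ValueError("empty plugin parameter key")
        if SEP in key or SEP in value:
            raise ValueError("%r must not appear in key or value: %r=%r" % (SEP, key, value))
        keys.append(key)
        values.append(value)
    return SEP.join(keys), SEP.join(values)


def decode_plugin_params(param_keys, param_values):
    """Split paramKeys/paramValues back into an ordered list of (key, value)
    pairs, refusing to pair them when the counts differ.

    Whitespace around each '|' is trimmed (assumption based on the page's
    examples, e.g. 'AddAttribute | MatchFilter | ContainerDN')."""
    keys = [k.strip() for k in param_keys.split(SEP)]
    values = [v.strip() for v in param_values.split(SEP)]
    if len(keys) != len(values):
        raise ValueError("%d keys but %d values; init params would be misaligned"
                         % (len(keys), len(values)))
    return list(zip(keys, values))


def add_plugin_kwargs(plugin_name, plugin_class, params, adapter_name=None,
                      context_name="default"):
    """Build the keyword arguments for addPlugin() from a validated param list.

    Returns a dict; inside WLST the caller would unpack it with
    addPlugin(**kwargs). adapterName is omitted when adapter_name is None,
    which is how the command adds the plugin at the global level."""
    param_keys, param_values = encode_plugin_params(params)
    kwargs = {
        "pluginName": plugin_name,
        "pluginClass": plugin_class,
        "paramKeys": param_keys,
        "paramValues": param_values,
        "contextName": context_name,
    }
    if adapter_name is not None:
        kwargs["adapterName"] = adapter_name
    return kwargs
```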
createJoinAdapter
Creates a new Join adapter for the OVD associated with the given OPSS context.
createJoinAdapter(contextName=<contextName>, adapterName=<adapterName>, root=<root>, primaryAdapter=<primaryAdapter>, bindAdapter=<bindAdapter>)
Table 2-29 createJoinAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be created. |
root | Virtual Namespace of the Join adapter. |
primaryAdapter | Specifies the identifier of the primary adapter (the adapter searched first in the join operation). |
bindAdapter | Specifies the identifier of the bind adapter(s) (the adapter(s) whose proxy account is used to bind in the LDAP operation). By default, the primaryAdapter is set as bindAdapter. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
createLDAPAdapter
Creates a new LDAP adapter for the OVD associated with the given OPSS context.
createLDAPAdapter(adapterName=<adapterName>, root=<root>, host=<host>, port=<port>, remoteBase=<remoteBase>, isSecure=<true|false>, bindDN=<bindDN>, bindPasswd=<bindPasswd>, passCred=<passCred>, contextName=<contextName>)
Table 2-30 createLDAPAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be created. |
root | Virtual Namespace of the LDAP adapter. |
host | Remote LDAP host with which the LDAP adapter will communicate. |
port | Remote LDAP host's port number. |
remoteBase | Location in the remote DIT to which root corresponds. |
isSecure | An optional parameter that enables secure SSL/TLS connections to the remote hosts when set to true. The default value is "false". |
bindDN | Proxy BindDN used to communicate with the remote host. An optional parameter with default value "". |
bindPasswd | Proxy BindPasswd used to communicate with the remote host. An optional parameter with default value "". |
passCred | This optional parameter controls what credentials, if any, the OVD passes to the backend (remote host) LDAP server. Values can be Always (default), None or BindOnly. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
deleteAdapter
Deletes an existing adapter for the OVD associated with the given OPSS context.
deleteAttributeExclusionRule
deleteAttributeExclusionRule(attribute, mappingContextId, contextName)
Table 2-32 deleteAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be removed from the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
deleteAttributeRule
deleteDomainExclusionRule
deleteDomainExclusionRule(domain, mappingContextId, contextName)
Table 2-34 deleteDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished Name of the container to be removed from the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
deleteDomainRule
deleteDomainRule(srcDomain, destDomain, mappingContextId, contextName)
Table 2-35 deleteDomainRule Arguments
Argument | Definition |
---|---|
srcDomain | Container DN in the source. |
destDomain | Container DN in the destination. |
mappingContextId | Name of the mapping context. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
deleteMappingContext
getAdapterDetails
Displays the details of an existing adapter configured for the Oracle Virtual Directory associated with the specified OPSS context.
getAdapterDetails(adapterName=<adapterName>, contextName=<contextName>)
Table 2-37 getAdapterDetails Arguments
Argument | Definition |
---|---|
adapterName | Name of the adapter whose details are to be displayed. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
listAdapters
Lists the name and type of all adapters that are configured for the Oracle Virtual Directory associated with the specified OPSS Context.
listAllMappingContextIds
listAttributeRules
List all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION
listDomainRules
modifyLDAPAdapter
This command is used to modify the following parameters defined in an existing LDAP Adapter:
Remote Base
Root
Secure
BindDN
BindPassword
PassCredentials
MaxPoolSize
modifyLDAPAdapter(adapterName=<adapterName>, attribute=<attribute>, value=<value>, contextName=<contextName>)
Table 2-42 modifyLDAPAdapter Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be modified. |
value | New value for the attribute. |
adapterName | Name of the LDAP adapter to be modified. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org')
modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly')
modifyLDAPAdapter('ldap1', 'BindDN', 'cn=proxyuser,dc=com', 'mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123')
modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true)
modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500)
removeJoinRule
Removes a join rule from a Join adapter configured for the Oracle Virtual Directory associated with the specified OPSS Context.
removeJoinRule(adapterName=<adapterName>, secondary=<secondary>, contextName=<contextName>)
Table 2-43 removeJoinRule Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join adapter to be modified. |
secondary | The join rules corresponding to this secondary adapter are removed from the Join adapter. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
removeLDAPHost
removeLDAPHost(adapterName=<adapterName>, host=<host>, contextName=<contextName>)
Table 2-44 removeLDAPHost Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified. |
host | Location of a remote LDAP host with which the LDAP adapter will communicate. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
removePlugin
removePlugin(pluginName=<pluginName>, adapterName=<adapterName>, contextName=<contextName>)
Table 2-45 removePlugin Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be removed. |
adapterName | Name of the adapter to be modified. If not specified, the global plugin is removed. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |
removePluginParam
Removes an existing parameter from a configured adapter level plugin or global plugin. This removes all values of the particular parameter from the plugin.
removePluginParam(pluginName=<pluginName>, paramKey=<paramKey>, adapterName=<adapterName>, contextName=<contextName>)
Table 2-46 removePluginParam Arguments
Argument | Definition |
---|---|
pluginName | Name of the plugin to be modified. |
paramKey | Parameter to be removed. |
adapterName | Name of the adapter to be modified. If not specified, the global plugin is modified. |
contextName | Name of the Oracle Platform Security Services context to which the OVD configuration is associated. The default value of this optional parameter is default. |