This chapter describes the Oracle Fusion Middleware Infrastructure Security WLST commands.
It contains the following section:
For additional information about Oracle Platform Security Services (OPSS), see Securing Applications with Oracle Platform Security Services.
Note:
To use the Infrastructure Security custom WLST commands, you must invoke the WLST script from the Oracle Common home. See "Using Custom WLST Commands" in Administering Oracle Fusion Middleware.
The infrastructure WLST security commands are divided into the following categories:
Table 2-1 WLST Command Categories
Command Category | Description |
---|---|
| | Manage domain and credential domain stores and migrate domain policy store. |
| | View and manage audit policies and the audit repository configuration |
| | Manage the OPSS keystore service. |
| | Manage Identity Directory Service entity attributes, entity definitions, relationships, and default operational configurations. |
| | View and manage Library Oracle Virtual Directory (libOVD) configurations associated with a particular OPSS context. |
Use the WLST security commands listed in Table 2-2 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 2-2 WLST Security Commands
Use this command... | To... | Use with WLST... |
---|---|---|
| | Add a credential to the bootstrap credential store | Offline |
| | Add a resource to an entitlement. | Online |
| | Create a new application role. | Online |
| | Create a new credential. | Online |
| | Create an entitlement. | Online |
| | Create a resource. | Online |
| | Create a new resource type. | Online |
| | Remove all policies in an application. | Online |
| | Remove an application role. | Online |
| | Remove a credential. | Online |
| | Remove an entitlement. | Online |
| | Remove a resource. | Online |
| | Remove an existing resource type. | Online |
| | Export the domain encryption key to the file | Offline |
| | List an entitlement. | Online |
| | Fetch an existing resource type. | Online |
| | Add a principal to a role. | Online |
| | Create an entitlement. | Online |
| | Create a new permission. | Online |
| | Import the encryption key in file | Offline |
| | List all roles in an application. | Online |
| | List all members in an application role. | Online |
| | List application stripes in policy store. | Online |
| | List permissions assigned to a source code in global policies. | Online |
| | List an entitlement. | Online |
| | List entitlements in an application stripe. | Online |
| | List all permissions granted to a principal. | Online |
| | List actions in a resource. | Online |
| | List resource types in an application stripe. | Online |
| | List resources in an application stripe. | Online |
| | List the type and location of the OPSS security store, and the user allowed to access it. | Offline |
| | Migrate policies or credentials from a source repository to a target repository. | Offline |
| | Update bootstrap credential store | Offline |
| | Reassociate policies and credentials to an LDAP repository | Online |
| | Restore the domain encryption key as it was before the last importing. | Offline |
| | Remove a principal from a role. | Online |
| | Remove an entitlement. | Online |
| | Remove a permission. | Online |
| | Remove a resource from an entitlement | Online |
| | Replace the current domain encryption key with a new one. | Offline |
| | Modify the attribute values of a credential. | Online |
| | Update the configuration of the trust service. | Online |
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml relative to the location where the command is run. |
map | Specifies the map of the credential to add. |
key | Specifies the key of the credential to add. |
username | Specifies the name of the user in the credential to add. |
password | Specifies the password of the user in the credential to add. |
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to add. |
resourceType | Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions | Specifies the comma-separated list of actions for the added resource. |
The following invocation adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
Online command that creates a new credential in the domain credential store.
Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
createCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. |
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [,-displayName="dispName"] [,-description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is created. |
name | Specifies the name of the entitlement created. |
resourceName | Specifies the name of the one resource member of the entitlement created. |
actions | Specifies a comma-separated list of actions for the resource resourceName. |
displayName | Specifies the display name of the resource created. Optional. |
description | Specifies the description of the entitlement created. Optional. |
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [,-displayName="dispName"] [,-description="descript"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is created. |
name | Specifies the name of the resource created. |
type | Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName | Specifies the display name of the resource created. Optional. |
description | Specifies the description of the resource created. Optional. |
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. Optional arguments are enclosed in square brackets; all other arguments are required. In the event of an error, the command returns a WLSTException.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where to insert the resource type. |
resourceTypeName | Specifies the name of the resource type to insert. |
displayName | Specifies the name for the resource type used in UI gadgets. |
description | Specifies a brief description of the resource type. |
provider | Specifies the provider for the resource type. |
matcher | Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission. |
actions | Specifies the actions allowed on instances of the resource type. |
delimeter | Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','. |
The following invocation creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint", delimeter=";")
Online command that removes all policies with a given application stripe.
Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.
Online command that removes an application role.
Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
Online command that removes a credential in the domain credential store.
Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
Online command that deletes a resource.
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resource is deleted. |
name | Specifies the name of the resource deleted. |
type | Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml relative to the location where the command is run. |
keyFilePath | Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword. |
keyFilePassword | Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file. |
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
Online command that adds a principal to a role.
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
Online command that creates a new entitlement.
Creates a new entitlement with a specified principal in a specified application stripe.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is created. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal to which the entitlement is granted. |
permSetName | Specifies the name of the entitlement created. |
The following invocation creates the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that creates a new permission.
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following invocation creates a new application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml relative to the location where the command is run. |
keyFilePath | Specifies the directory where the ewallet.p12 is located. |
keyFilePassword | Specifies the password used when the file ewallet.p12 was generated. |
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
Argument | Definition |
---|---|
configFile | Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store. |
regularExpression | Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes()
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile="/home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes that contain the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that lists permissions assigned to a source code in global policies.
Online command that lists an entitlement in a specified application stripe.
If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlements are listed. |
principalName | Specifies the name of the principal to match. Optional. |
principalClass | Specifies the class of the principal to match. Optional. |
Online command that lists the entitlements in an application stripe.
Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe from where to list entitlements. |
resourceTypeName | Specifies the name of the type of the resources to list. Optional. |
resourceName | Specifies the name of the resource to match. Optional. |
The following invocation lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following invocation lists all the entitlements in the stripe myApplication that contain a resource type myResType and a resource whose name matches the resource name myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
listPermissions([appStripe,] principalClass, principalName)
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
The following invocation lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")
The following invocation lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that lists the resources and actions in an entitlement.
Lists the resources and actions in an entitlement within an application stripe.
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [,type="resTypeName"])
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the resources are listed. |
type | Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked. |
Online command that lists resource types.
Offline command that lists the type, the location, and the administrative user of the domain security store.
The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).
listSecurityStoreInfo(domainConfig="configFilePath")
Argument | Definition |
---|---|
domainConfig | Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory. |
The following invocation returns the type, location, and administrative user of the OPSS policy store:
wls:/mydomain/serverConfig> listSecurityStoreInfo(domainConfig="/home/myConfigPathDirectory/config/fmwconfig")
The following lines illustrate a sample output generated by this command:
For jps-config.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1555/OWSM.US.COM
User: DEV_OPSS
Datasource: jdbc/OpssDataSource
For jps-config-jse.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1521/OWSM.US.COM
User: DEV_OPSS
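The sample output reports one store per configuration file, and here the two endpoints differ only in the port (1555 and 1521). The following Python script is an added example, not part of the Oracle documentation: it parses captured listSecurityStoreInfo output and reports fields on which jps-config.xml and jps-config-jse.xml disagree, so that a difference can be reviewed. It assumes the field labels shown in the sample and that values contain no whitespace; the function names are hypothetical.

```python
import re

# Constructed input: the sample output quoted above, one field per line.
SAMPLE_OUTPUT = """\
For jps-config.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1555/OWSM.US.COM
User: DEV_OPSS
Datasource: jdbc/OpssDataSource
For jps-config-jse.xml
Store Type: DB_ORACLE
Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1521/OWSM.US.COM
User: DEV_OPSS
"""

# Each section starts with "For <file>.xml".
SECTION_RE = re.compile(r"\bFor\s+(\S+\.xml)\b")
# Assumption: values contain no whitespace, as in the sample. Matching on the
# labels (not on line breaks) also handles output pasted onto a single line.
FIELD_RE = re.compile(r"\b(Store Type|Location/Endpoint|User|Datasource):\s*(\S+)")
# Thin-driver JDBC URL in the form the sample uses: host:port/service.
JDBC_RE = re.compile(
    r"^jdbc:oracle:thin:@(?P<host>[^:/]+):(?P<port>\d+)/(?P<service>\S+)$"
)


def parse_store_info(text):
    """Return {config file name: {field label: value}}."""
    sections = {}
    headers = list(SECTION_RE.finditer(text))
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[header.end():end]
        sections[header.group(1)] = dict(FIELD_RE.findall(body))
    return sections


def find_drift(sections, fields=("Store Type", "Location/Endpoint", "User")):
    """Return {field: {config file: value}} for fields whose values differ.

    Datasource is not compared: in the sample only jps-config.xml reports one.
    """
    drift = {}
    for field in fields:
        values = dict((name, data.get(field)) for name, data in sections.items())
        if len(set(values.values())) > 1:
            drift[field] = values
    return drift


def endpoint_differences(endpoint_a, endpoint_b):
    """Name the parts (host, port, service) on which two JDBC endpoints differ."""
    a, b = JDBC_RE.match(endpoint_a or ""), JDBC_RE.match(endpoint_b or "")
    if not (a and b):
        return ["unparsed"]
    return [p for p in ("host", "port", "service") if a.group(p) != b.group(p)]


if __name__ == "__main__":
    info = parse_store_info(SAMPLE_OUTPUT)
    for field, values in find_drift(info).items():
        print("DIFFERS %s" % field)
        for name, value in values.items():
            print("  %-20s %s" % (name, value))
        if field == "Location/Endpoint":
            first, second = list(values.values())[:2]
            print("  differing parts: %s" % endpoint_differences(first, second))
```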
Offline command that migrates identities, application-specific, system policies, a specific credential folder, or all credentials.
Migrates security artifacts from a source repository to a target repository. For full details, see Migrating with the Script migrateSecurityStore.
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
Argument | Definition |
---|---|
jpsConfigFile | Specifies the location of the file jps-config.xml relative to the location where the command is run. |
username | Specifies the distinguished name of the user in the LDAP store. |
password | Specifies the password of the user. |
Suppose that in the LDAP store, the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory. Then the following invocation changes the password in the bootstrap credential store to welcome1:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded.
Online command that migrates the policy and credential stores to an LDAP repository.
The script reassociateSecurityStore migrates the OPSS security store from a source to a target LDAP- or DB-based store, and it resets services in the files jps-config.xml and jps-config-jse.xml to the target repository. It also allows specifying that the OPSS security store be shared with that in a different domain (see optional argument join below). The OPSS binaries and the target policy store must have compatible versions.
For complete details and samples see Securing Applications with Oracle Platform Security Services.
Offline command to restore the domain credential encryption key.
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
Online command that removes a principal from a role.
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
Online command that deletes an entitlement.
Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is deleted. |
principalClass | Specifies the class associated with the principal. |
principalName | Specifies the name of the principal to which the entitlement is revoked. |
permSetName | Specifies the name of the entitlement deleted. |
The following invocation deletes the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that removes a permission.
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
Optional arguments are enclosed in square brackets.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,] permClass, [permTarget,] [permActions])
Argument | Definition |
---|---|
appStripe | Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL | Specifies the URL of the code granted the permission. |
principalClass | Specifies the fully qualified name of a class (grantee). |
principalName | Specifies the name of the grantee principal. |
permClass | Specifies the fully qualified name of the permission class. |
permTarget | Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions | Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following invocation removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following invocation removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that removes a resource from an entitlement.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
Argument | Definition |
---|---|
appStripe | Specifies the application stripe where the entitlement is located. |
name | Specifies the name of the entitlement to modify. |
resourceName | Specifies the name of the resource to remove. |
resourceType | Specifies the type of the resource to remove. |
actions | Specifies the comma-separated list of actions to remove. |
The following invocation removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Offline command that changes the domain encryption key.
This offline script replaces the current domain OPSS encryption key with a new one; the current key is not deleted but archived, since it is used to decrypt data that was encrypted using that key.
Note the following important points:
This command should be executed from the administration server in the domain. No server restart is needed after its execution.
If the domain is the only domain accessing the security store, nothing else is required.
However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.
Online command that modifies the type, user name, and password of a credential.
Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
Optional arguments are enclosed in square brackets.
updateCred(map, key, user, password, [desc])
Argument | Definition |
---|---|
map | Specifies a map name (folder). |
key | Specifies a key name. |
user | Specifies the credential user name. |
password | Specifies the credential password. |
desc | Specifies a string describing the credential. |
Online command that updates the configuration of the domain trust service service with the values passed in a property file.
Updates the trust service domain configuration. In the event of an error, the command returns a WLSTException
.
updateTrustServiceConfig([providerName="<the provider name>",] propsFile="<path of properties file>")
Argument | Definition |
---|---|
providerName
|
Specifies the name of the trust service provider; optional; if unspecified, it defaults to trust.provider.embedded . |
propsFile
|
Specifies the path to the file where the property values are set. |
Here is a sample property file:
trust.keystoreType=KSS
trust.keyStoreName=kss://<stripeName>/<keystoreName>
trust.trustStoreName=kss://<stripeName>/<truststoreName>
trust.aliasName=<aliasName>
trust.issuerName=<aliasName>
Note that the list of specified properties differs according to the value of the property trust.keystoreType. The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration. For the list of available properties, see section Trust Service Properties.
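Because an empty value removes a property and the store names depend on trust.keystoreType, it is worth checking the file before passing it to updateTrustServiceConfig. The following pre-flight check is an added example, not part of the Oracle documentation; it enforces only the rules stated here, and the stripe, keystore and alias names in the samples are constructed.

```python
# Added example: pre-flight check for a trust service property file.
# Only rules stated on this page are enforced; sample values are constructed.
import re

KSS_URI = re.compile(r"^kss://[^/<>\s]+/[^/<>\s]+$")
PLACEHOLDER = re.compile(r"<[^<>]+>")          # e.g. <stripeName> left from the template
STORE_KEYS = ("trust.keyStoreName", "trust.trustStoreName")


def load_props(text):
    """Parse key=value lines. Returns (props, duplicate_keys)."""
    props, dups = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":        # blank line or comment
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in props:
            dups.append(key)                   # later value wins; report it
        props[key] = value
    return props, dups


def preflight(text):
    """Return (errors, removals) for the file content in `text`."""
    props, dups = load_props(text)
    errors = ["duplicate key: %s" % k for k in dups]
    # An empty value removes the property from the trust service configuration.
    removals = sorted(k for k, v in props.items() if v == "")
    ktype = props.get("trust.keystoreType", "")
    if ktype and ktype not in ("KSS", "JKS"):
        errors.append("trust.keystoreType must be KSS or JKS, got %s" % ktype)
    for key in sorted(props):
        value = props[key]
        if PLACEHOLDER.search(value):
            errors.append("%s still contains a template placeholder" % key)
        elif (ktype == "KSS" and key in STORE_KEYS and value
              and not KSS_URI.match(value)):
            errors.append("%s is not of the form kss://<stripeName>/<name>" % key)
    return errors, removals


# Constructed sample inputs.
GOOD = """\
trust.keystoreType=KSS
trust.keyStoreName=kss://opss/trustservice_ks
trust.trustStoreName=kss://opss/trustservice_ts
trust.aliasName=trustservice
trust.issuerName=trustservice
"""

BAD = """\
trust.keystoreType=KSS
trust.keyStoreName=kss://<stripeName>/<keystoreName>
trust.trustStoreName=/u01/stores/trust.jks
trust.aliasName=
trust.issuerName=signer1
"""

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        errors, removals = preflight(text)
        print(label, "errors:", errors, "removals:", removals)
```

Review the removals list as carefully as the errors: each key in it will be deleted from the trust service configuration when the file is applied.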
Use the WLST commands listed in Table 2-3 to view and manage audit policies and the audit repository configuration.
Use this command... | To... | Use with WLST... |
---|---|---|
Display the mBean name for a non-Java EE component. |
Online |
|
Display audit policy settings. |
Online |
|
Update audit policy settings. |
Online |
|
Display audit repository settings. |
Online |
|
Update audit repository settings. |
Online |
|
List audit events for one or all components. |
Online |
|
Export a component's audit configuration. |
Online |
|
Import a component's audit configuration. |
Online |
|
Create an audit definitions view in the database. |
Online |
|
List components that can be audited. |
Online |
|
Registers audit definitions for a specified component in the audit store. |
Online |
|
Removes audit definitions of a specified component from the audit store. |
Online |
For more information, see the Securing Applications with Oracle Platform Security Services.
Online command that displays the mbean name for non-Java EE components.
This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
Argument | Definition |
---|---|
instName | Specifies the name of the application server instance. |
compName | Specifies the name of the component instance. |
compType | Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
svrName | Specifies the name of the Oracle WebLogic Server. |
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is required for non-Java EE components like Oracle HTTP Server.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
getAuditPolicy([mbeanName, componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
componentType | Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in jps-config.xml is returned. |
The following command displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy(componentType='JPS');
Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root.
For more help, use help(domainRuntime)
FilterPreset:All
Max Log File Size:104857600
The following command displays the audit settings for MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle HTTP Server.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers], [removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component audit MBean for non-Java EE components. |
filterPreset | Specifies the filter preset to be changed. |
addSpecialUsers | Specifies the special users to be added. |
removeSpecialUsers | Specifies the special users to be removed. |
addCustomEvents | Specifies the custom events to be added. |
removeCustomEvents | Specifies the custom events to be removed. |
componentType | Specifies the component definition type to be updated. The audit runtime policy for the component is registered in the audit store. If not specified, the audit configuration defined in jps-config.xml is modified. |
maxFileSize | Specifies the maximum size of the log file. |
andCriteria | Specifies the and criteria in a custom filter preset definition. |
orCriteria | Specifies the or criteria in a custom filter preset definition. |
componentEventsFile | Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create/update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to "Custom". |
The following interactive command sets audit policy to None level, and adds users user2 and user3 while removing user1 from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset='None',addSpecialUsers='user2,user3',removeSpecialUsers='user1',componentType='JPS')
wls:/mydomain/serverConfig> getAuditPolicy(componentType='JPS');
Already in Domain Runtime Tree
FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
The following interactive command adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset= 'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following interactive command sets audit policy to a Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low',componentType='JPS');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy(componentType='JPS')
Already in Domain Runtime Tree
FilterPreset:Low
Max Log File Size:104857600
The following command sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Custom', componentType='JPS',addCustomEvents='Authorization:CheckPermission, CheckSubject;CredentialManagement:CreateCredential,DeleteCredential');
Already in Domain Runtime Tree
Audit Policy Information updated successfully
wls:/IDMDomain/domainRuntime> getAuditPolicy(componentType='JPS');
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Custom Events:JPS:CheckAuthorization
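A baseline check that can be run over captured getAuditPolicy output, for example to notice that setAuditPolicy has moved the preset to None or dropped a user or event from the policy. This is an added example, not Oracle's code; the BASELINE values and the two captures are constructed, with field names taken from the sessions above.

```python
# Added example: detect audit-policy drift from captured getAuditPolicy output.
# Field names follow the sample output on this page; baseline values are constructed.
import re

FIELDS = ("FilterPreset", "Special Users", "Max Log File Size", "Custom Events")


def parse_audit_policy(text):
    """Extract the policy fields from the text printed by getAuditPolicy."""
    policy = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or key not in FIELDS:
            continue                      # prompts, "Already in Domain Runtime Tree", ...
        value = value.strip()
        if key == "Special Users":
            policy[key] = sorted(u.strip() for u in value.split(",") if u.strip())
        elif key == "Max Log File Size":
            policy[key] = int(value)
        elif key == "Custom Events":
            # Keep every token; component and category prefixes are harmless extras.
            policy[key] = sorted(t for t in re.split(r"[:;,\s]+", value) if t)
        else:
            policy[key] = value
    return policy


def check_policy(policy, baseline):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    findings = []
    preset = policy.get("FilterPreset")
    if preset is None:
        return ["no FilterPreset line found; capture is incomplete"]
    if preset not in baseline["allowed_presets"]:
        findings.append("FilterPreset is %s, expected one of %s"
                        % (preset, ", ".join(baseline["allowed_presets"])))
    if preset == "Custom":
        have = policy.get("Custom Events", [])
        for event in baseline["required_custom_events"]:
            if event not in have:
                findings.append("custom preset does not audit %s" % event)
    for user in baseline["special_users"]:
        if user not in policy.get("Special Users", []):
            findings.append("special user %s missing from policy" % user)
    size = policy.get("Max Log File Size", 0)
    if size < baseline["min_log_file_size"]:
        findings.append("Max Log File Size %d is below %d"
                        % (size, baseline["min_log_file_size"]))
    return findings


BASELINE = {                              # constructed for this example
    "allowed_presets": ("All", "Low", "Custom"),
    "special_users": ("user1",),
    "required_custom_events": ("CheckAuthorization",),
    "min_log_file_size": 104857600,
}

# Constructed captures, shaped like the sessions shown on this page.
CAPTURE_NONE = """\
wls:/mydomain/serverConfig> getAuditPolicy(componentType='JPS');
Already in Domain Runtime Tree
FilterPreset:None
Special Users:user2,user3
Max Log File Size:104857600
"""

CAPTURE_CUSTOM = """\
wls:/IDMDomain/domainRuntime> getAuditPolicy(componentType='JPS');
Already in Domain Runtime Tree
FilterPreset:Custom
Special Users:user1
Max Log File Size:104857600
Custom Events:JPS:CheckAuthorization
"""

if __name__ == "__main__":
    for name, capture in (("none", CAPTURE_NONE), ("custom", CAPTURE_CUSTOM)):
        print(name, check_policy(parse_audit_policy(capture), BASELINE))
```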
Online command that displays audit repository settings.
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB],[dataSourceName],[interval])
Argument | Definition |
---|---|
switchToDB | If true, switches the repository from file to database. |
dataSourceName | Specifies the name of the data source. |
interval | Specifies intervals at which the audit loader kicks off. |
The following command switches from a file repository to a database repository:
wls:/IDMDomain/domainRuntime> setAuditRepository(switchToDB='true');
Already in Domain Runtime Tree
Audit Repository Information updated
wls:/IDMDomain/domainRuntime> getAuditRepository();
Already in Domain Runtime Tree
JNDI Name:jdbc/AuditDB
Interval:15
Repository Type:DB
The following interactive command changes audit repository to a specific database and sets the audit loader interval to 14 seconds:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB='true',dataSourceName='jdbc/AuditDB',interval='14')
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
listAuditEvents([mbeanName],[componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the component MBean. |
componentType | Specifies the component type to limit the list to all events of the component type. |
The following command displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS');
Already in Domain Runtime Tree
Common Attributes
ComponentType
Type of the component. For MAS integrated SystemComponents this is the componentType
InstanceId
Name of the MAS Instance, that this component belongs to
HostId
DNS hostname of originating host
HostNwaddr
IP or other network address of originating host
ModuleId
ID of the module that originated the message. Interpretation is unique within Component ID.
ProcessId
ID of the process that originated the message
The following command displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following command displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents();
Already in Domain Runtime Tree
Components:
DIP
JPS
OIF
OWSM-AGENT
OWSM-PM-EJB
ReportsServer
WS-PolicyAttachment
WebCache
WebServices
Attributes applicable to all components:
ComponentType
InstanceId
HostId
HostNwaddr
ModuleId
ProcessId
OracleHome
HomeInstance
ECID
RID
...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
exportAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name to which the audit configuration should be exported. |
componentType | Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in jps-config.xml is exported. |
The following interactive command exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command exports the audit configuration for a Java EE component; no mBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.
importAuditConfig([mbeanName],fileName, [componentType])
Argument | Definition |
---|---|
mbeanName | Specifies the name of the non-Java EE component MBean. |
fileName | Specifies the path and file name from which the audit configuration should be imported. |
componentType | Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in jps-config.xml is imported. |
The following interactive command imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following interactive command imports the audit configuration from a file; no mBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
Creates a SQL script that can generate a view for audit in the database.
This command generates a SQL script that you can use to create a database view of the audit definitions of a specified component. The script is written to the specified file and also printed out to the console.
Upon execution, the result of the SQL script depends on the audit model at your site:
If using the 11.1.1.6.0 model, and the component is registered in the audit store, the script creates a view using the system component tables (IAU_COMMON, IAU_USERSESSION, IAU_AUDITSERVICE and IAU_CUSTOM) for the specified component.
If using the pre-11.1.1.6.0 model, the component is not registered in the audit store but its event definitions reside in the component_events.xml file (in the oracle_common/modules/oracle.iau_11.1.1/components/componentType dir), and the view is created using the IAU_BASE and component tables.
Lists components that can be audited.
This command creates a list of the components that can be audited. It lists components registered in the audit store using both the 11.1.1.6.0 model and the pre-11.1.1.6.0 model.
Registers the specified component in the audit store.
Adds the event definition and translation content for a specified component to the audit store. If you try to register using the pre-11.1.1.6.0 audit XML schema definition, it is upgraded to the 11.1.1.6.0 XML schema definition and then registered with the audit store.
registerAudit(xmlFile, [xlfFile], componentType, [mode=OVERWRITE|UPGRADE])
Argument | Definition |
---|---|
xmlFile | Specifies the Component Event definition file. |
xlfFile | Specifies the component xlf jar file. Optional. |
componentType | Specifies the component to be registered. |
mode | OVERWRITE or UPGRADE. Default is UPGRADE. |
Removes the event definition and translation content for the specified component from the audit store.
Removes an existing event definition and translation content for a specified component or application from the audit store.
This section contains commands used with the OPSS keystore service.
Note:
You need to acquire an OPSS handle to use keystore service commands; this handle is denoted by 'svc' in the discussion that follows. For details, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services.
Table 2-4 lists the WLST commands used to manage the keystore service.
Table 2-4 OPSS Keystore Service Commands
Use this Command... | to... |
---|---|
Change the password for a key. |
|
Change the password on a keystore. |
|
Create a keystore. |
|
Delete a keystore. |
|
Delete an entry in a keystore. |
|
Export a keystore to file. |
|
Export a certificate to a file. |
|
Export a certificate request to a file. |
|
Generate a keypair. |
|
Generate a secret key. |
|
Get information about a certificate or trusted certificate. |
|
Get the secret key properties. |
|
Import a keystore from file. |
|
Import a certificate or other object. |
|
List certificates expiring in a specified period. |
|
List aliases in a keystore. |
|
List all the keystores in a stripe. |
|
Synchronizes the keystores in the administration server with keystores in the security store. |
Changes a key password.
changeKeyPassword(appStripe='stripe', name='keystore', password='password', alias='alias', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe containing the keystore. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the key entry whose password is changed. |
currentkeypassword | Specifies the current key password. |
newkeypassword | Specifies the new key password. |
Changes the password of a keystore.
changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe containing the keystore. |
name | Specifies the name of the keystore. |
currentpassword | Specifies the current keystore password. |
newpassword | Specifies the new keystore password. |
This keystore service command creates a new keystore.
createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore is created. |
name | Specifies the name of the new keystore. |
password | Specifies the keystore password. |
permission | This parameter is true if the keystore is protected by permission only, false if protected by both permission and password. |
Deletes the named keystore.
deleteKeyStore(appStripe='stripe', name='keystore', password='password')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore to be deleted. |
password | Specifies the keystore password. |
Deletes a keystore entry.
deleteKeyStoreEntry(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be deleted. |
keypassword | Specifies the key password of the entry to be deleted. |
Exports a keystore to a file.
exportKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. The value also applies to the output file, based on the current usage of the command: |
aliases | Comma separated list of aliases to be exported. |
keypasswords | Specifies the password(s) of the key(s) being exported. The usage depends on the keystore type: |
type | Exported keystore type. Valid values are 'JKS' or 'JCEKS' or 'OracleWallet'. |
filepath | For type JKS or JCEKS, the absolute path of the file where the keystore is exported, including filename. For type OracleWallet, the absolute path of the directory where the keystore is exported. |
This example exports two aliases from the specified keystore.
exportKeyStore(appStripe='system', name='keystore2', password='password',aliases='orakey,seckey', keypasswords='keypassword1,keypassword2', type='JKS',filepath='/tmp/file.jks')
This example exports a keystore to create an Oracle Wallet file:
exportKeyStore(appStripe='system', name='keystore2', password='mypassword',aliases='orakey,seckey', keypasswords='', type='OracleWallet',filepath='/tmp')
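Both examples above write key material under /tmp, which is typically world-writable. The following post-export check is an added example, not part of the Oracle documentation: it runs with ordinary Python on the host that received the export (not inside WLST) and uses the filepath rule from the argument table, a file for JKS or JCEKS and a directory for OracleWallet.

```python
# Added example: check where an exportKeyStore call left key material.
# The function name and the findings wording are this example's own.
import os
import shutil
import stat
import tempfile

SHARED = stat.S_IRWXG | stat.S_IRWXO      # any group/other permission bit


def _mode(path):
    """Permission bits of `path` (including sticky/setuid bits)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_export(filepath, ktype):
    """Return findings for an export written to `filepath` with type `ktype`."""
    findings = []
    if ktype in ("JKS", "JCEKS"):
        # filepath names the exported keystore file itself.
        directory = os.path.dirname(os.path.abspath(filepath))
        if _mode(directory) & stat.S_IWOTH:
            findings.append("%s is world-writable (mode %o)"
                            % (directory, _mode(directory)))
        files = [filepath]
    elif ktype == "OracleWallet":
        # filepath names the directory that holds the wallet.
        directory = os.path.abspath(filepath)
        if _mode(directory) & SHARED:
            # A shared directory such as /tmp: report it, do not walk unrelated files.
            return ["%s is not private to its owner (mode %o)"
                    % (directory, _mode(directory))]
        files = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
        files = [f for f in files if os.path.isfile(f)]
    else:
        raise ValueError("type must be JKS, JCEKS or OracleWallet")
    for path in files:
        if _mode(path) & SHARED:
            findings.append("%s is accessible to group or others (mode %o)"
                            % (path, _mode(path)))
    return findings


if __name__ == "__main__":
    # Constructed demonstration: an empty stand-in file in a private temp directory.
    workdir = tempfile.mkdtemp()
    try:
        exported = os.path.join(workdir, "file.jks")
        open(exported, "wb").close()
        os.chmod(exported, 0o644)
        print(audit_export(exported, "JKS"))       # one finding: file mode
        os.chmod(exported, 0o600)
        print(audit_export(exported, "JKS"))       # no findings
    finally:
        shutil.rmtree(workdir)
```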
Exports a certificate.
exportKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be exported. |
keypassword | Specifies the key password. |
type | Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath | Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported. |
Exports a certificate request.
exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the entry's alias name. |
keypassword | Specifies the key password. |
filepath | Specifies the absolute path of the file where certificate request is exported. |
Generates a key pair in a keystore.
Generates a key pair in a keystore and wraps it in a demo CA-signed certificate.
generateKeyPair(appStripe='stripe', name='keystore', password='password', dn='distinguishedname', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
dn | Specifies the distinguished name of the certificate wrapping the key pair. |
keysize | Specifies the key size. |
alias | Specifies the alias of the key pair entry. |
keypassword | Specifies the key password. |
Generates a secret key.
generateSecretKey(appStripe='stripe', name='keystore', password='password', algorithm='algorithm', keysize='keysize', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
algorithm | Specifies the symmetric key algorithm. |
keysize | Specifies the key size. |
alias | Specifies the alias of the key entry. |
keypassword | Specifies the key password. |
Gets a certificate from the keystore.
getKeyStoreCertificates(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed. |
keypassword | Specifies the key password. |
Retrieves secret key properties.
getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the secret key whose properties are displayed. |
keypassword | Specifies the secret key password. |
Imports a keystore from file.
importKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', permission=true|false, filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore will reside. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. These rules apply: |
aliases | Specifies the comma-separated aliases of the entries to be imported from the file. |
keypasswords | Specifies the passwords of the keys in the file. These rules apply: |
type | Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS' or 'OracleWallet'. |
filepath | For type JKS or JCEKS, the absolute path of the keystore file to be imported, including filename. For type OracleWallet, the absolute path of the directory where the Oracle Wallet resides. |
permission | Specifies true if keystore is protected by permission only, false if protected by both permission and password. |
This example imports a JKS keystore file to keystore2:
importKeyStore(appStripe='system', name='keystore2', password='password',aliases='orakey,seckey', keypasswords='keypassword1, keypassword2', type='JKS', permission=true, filepath='/tmp/file.jks')
This example imports an Oracle Wallet to keystore2:
importKeyStore(appStripe='system', name='keystore2', password='mypassword',aliases='orakey,seckey', keypasswords='', type='OracleWallet', permission=true, filepath='/tmp')
Imports a certificate or other specified object.
importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
alias | Specifies the alias of the entry to be imported. |
keypassword | Specifies the key password of the newly imported entry. |
type | Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath | Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported. |
Lists expiring certificates.
listExpiringCertificates(days='days', autorenew=true|false)
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
days | Specifies that the list should only include certificates within this many days from expiration. |
autorenew | Specifies true for automatically renewing expiring certificates, false for only listing them. |
Lists the aliases in a keystore.
The syntax is as follows:
listKeyStoreAliases(appStripe='stripe', name='keystore', password='password', type='entrytype')
Argument | Definition |
---|---|
svc | Specifies the service command object obtained through a call to getOpssService(). |
appStripe | Specifies the name of the stripe where the keystore resides. |
name | Specifies the name of the keystore. |
password | Specifies the keystore password. |
type | Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'. |
Lists all the keystores in a stripe.
Synchronizes Oracle WebLogic Server and system keystores from the central repository to the domain config directory on the administration server.
Synchronizes keystores in the central security store with those present in the domain directory.
If the target format is Oracle Wallet, the command synchronizes the contents of all KSS keystores for a given stripe into auto-login wallets on the server.
The syntax is as follows:
syncKeyStores(stripeName='component-type#component-name', keystoreFormat='exported_file_format', rootDirectory='root_dir_absolute_path')
Argument | Definition |
---|---|
StripeName | Specifies the name of the stripe corresponding to the component. If |
keystoreFormat | Specifies the format of the target keystore. Valid formats are 'KSS' and 'OracleWallet'. |
rootDirectory | For the Oracle Wallet format, specifies the absolute path of the server directory where the wallet(s) are created. If not specified, defaults to Admin_Server_Root/config/fmwconfig/. |
Note:
The svc argument does not apply to this command.
The following command looks up the central repository for the "system" stripe and downloads its contents into the keystores.xml file under the DOMAIN_HOME/config/fmwconfig directory. It also downloads the contents of the domain trust store into the same file:
syncKeyStores()
The following command generates Oracle Wallets corresponding to all keystores in the stripe 'ohs#ohs1':
syncKeyStores(stripeName="ohs#ohs1", keystoreFormat="OracleWallet", rootDirectory="/tmp/bin")
Use the WLST commands listed in Table 2-5 to manage Identity Directory Service entity attributes, entity definitions, relationships and default operational configurations.
Table 2-5 WLST Identity Directory Service Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Reload the Identity Directory Service configuration. |
Online |
|
Add a new attribute to the entity configuration. |
Online |
|
Add new properties for an attribute in an entity configuration. |
Online |
|
Add a new attribute to the specified entity. |
Online |
|
Add new properties for an attribute reference in an entity configuration. |
Online |
|
Add a new property for a specified operation configuration. |
Online |
|
Add a new entity to the entity configuration. |
Online |
|
Add new properties for an entity in an entity configuration. |
Online |
|
Add a new entity relation to the entity configuration. |
Online |
|
Add a new Identity Directory Service to the configuration. |
Online |
|
Add a new operation configuration to the entity configuration. |
Online |
|
Add a new property to a specified operation configuration. |
Online |
|
Delete an attribute from an entity configuration. |
Online |
|
Delete attribute properties in an entity configuration. |
Online |
|
Delete attribute reference properties in an entity configuration. |
Online |
|
Delete an entity from an entity configuration. |
Online |
|
Delete entity properties in an entity configuration. |
Online |
|
Delete the specified entity relation. |
Online |
|
Delete the specified Identity Directory Service in the configuration. |
Online |
|
Delete operation configuration in an entity configuration. |
Online |
|
List all attributes in the entity configuration. |
Online |
|
List all entities defined in the specified entity configuration. |
Online |
|
List all Identity Directory Services in the configuration. |
Online |
|
Remove an attribute from the specified entity. |
Online |
|
Removes a property for the specified operation configuration. |
Online |
|
Remove a property for the specified operation configuration. |
Online |
|
Update attributes in an entity configuration. |
Online |
|
Update attribute properties in an entity configuration. |
Online |
|
Update attribute reference properties in an entity configuration. |
Online |
|
Update an entity's properties in an entity configuration. |
Online |
|
Update an entity's properties in an entity configuration. |
Online |
|
Update the entity properties in an entity configuration. |
Online |
activateIDSConfigChanges
addAttributeInEntityConfig
addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)
Table 2-6 addAttributeInEntityConfig Arguments
Argument | Definition |
---|---|
|
Name of the attribute to be added. |
|
The attribute's type is defined as one of the following:
|
|
Description of the attribute to be added. |
|
Flag to specify whether the attribute is read only or can be modified. |
|
Flag to specify whether the attribute defines a password or not. |
|
Name of the Identity Directory Service. |
addAttributePropsInEntityConfig
addAttributePropsInEntityConfig(name, propNames, propVals, appName)
Table 2-7 addAttributePropsInEntityConfig Arguments
Argument | Definition |
---|---|
name | Name of the attribute to be added. |
propNames | List of property names separated by "|". The properties ( For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values. |
propVals | List of corresponding property values separated by "|". |
appName | Name of the Identity Directory Service. |
addAttributeRefForEntity
addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)
Table 2-8 addAttributeRefForEntity Arguments
Argument | Definition |
---|---|
name | Name of the entity to which the attribute will be added. |
attrRefName | Name of the attribute to be added to the entity. |
attrRefFilter | Type of filter to be used with the attribute, defined as one of the following: |
attrRefDefaultFetch | Flag to specify whether the attribute is fetched by default. |
appName | Name of the Identity Directory Service. |
addAttrrefPropsInEntityConfig
addAttrrefPropsInEntityConfig(entityName, attrName, propNames, propVals, appName)
Table 2-9 addAttrrefPropsInEntityConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity. |
attrName | Name of the attribute reference. |
propNames | List of property names separated by "|". The properties ( For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values. |
propVals | List of corresponding property values separated by "|". |
appName | Name of the Identity Directory Service. |
addCommonPropertyForOperationConfig
addCommonPropertyForOperationConfig(entityName, propName, propValue, appName)
Table 2-10 addCommonPropertyForOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity. |
propName | Name of the property to be added for this operation configuration. |
propValue | Value of the property to be added for this operation configuration. |
appName | Name of the Identity Directory Service. |
addEntity
addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)
Table 2-11 addEntity Arguments
Argument | Definition |
---|---|
name | Name of the entity to which the attribute will be added. |
type | Name of the attribute to be added to the entity. |
idAttr | Identity attribute of the entity to be added. |
create | Flag to specify whether create is allowed. |
modify | Flag to specify whether modify is allowed. |
delete | Flag to specify whether delete is allowed. |
search | Flag to specify whether search is allowed. |
attrRefNames | Array of attribute names. |
attrRefFilters | An array of filter type values, defined as one of the following: |
attrRefDefaultFetches | Array of boolean strings (true, false). |
appName | Name of the Identity Directory Service. |
addEntityProps
addEntityRelation
addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)
Table 2-13 addEntityRelation Arguments
Argument | Definition |
---|---|
name | Name of the relation between the entities for the given attributes. |
type | Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne"). |
fromEntity | Name of the from entity. |
fromAttr | Name of the from attribute. |
toEntity | Name of the to entity. |
toAttr | Name of the to attribute. |
recursive | Flag to set the entity relationship as recursive. |
appName | Name of the Identity Directory Service. |
addIdentityDirectoryService
Adds a new IdentityStoreService to the Identity Directory Service configuration.
addIdentityDirectoryService(name, description, propNames, propValues)
Table 2-14 addIdentityDirectoryService Arguments
Argument | Definition |
---|---|
name | Name of the IdentityStoreService to be added. |
description | Description of the IdentityStoreService. |
propNames | An array of property names to be added to the IdentityStoreService configuration. |
propValues | An array of values to be defined for the property names added to the IdentityStoreService configuration. |
addOperationConfig
addOperationConfig(entityName, propNames, propValues, appName)
Table 2-15 addOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added. |
propNames | An array of property names to be added to the operation configuration. |
propValues | An array of property values for the properties added to the operation configuration. |
appName | Name of the Identity Directory Service. |
addPropertyForOperationConfig
addPropertyForOperationConfig(entityName, propName, propValue, appName)
Table 2-16 addPropertyForOperationConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity to which the operation configuration will be added. |
propName | A property name to be added to the operation configuration. |
propValue | A value for the property added to the operation configuration. |
appName | Name of the Identity Directory Service. |
deleteAttributeInEntityConfig
deleteAttributePropsInEntityConfig
deleteAttrrefPropsInEntityConfig
deleteAttrrefPropsInEntityConfig(entityName, attrName, propNames, appName)
Table 2-19 deleteAttrrefPropsInEntityConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity. |
attrName | Name of the attribute reference. |
propNames | List of property names to be deleted. If multiple properties are to be deleted, they should be separated by "|". |
appName | Name of the Identity Directory Service. |
deleteEntityProps
deleteEntityRelation
deleteIdentityDirectoryService
Deletes the specified IdentityStoreService in the Identity Directory Service configuration.
deleteOperationConfig
listAllAttributeInEntityConfig
listAllEntityInEntityConfig
listAllIdentityDirectoryService
removeAttributeRefForEntity
removeCommonPropertyForOperationConfig
removePropertyForOperationConfig
updateAttributeInEntityConfig
updateAttributeInEntityConfig(name, attrNames, attrVals, appName)
Table 2-27 updateAttributeInEntityConfig Arguments
Argument | Definition |
---|---|
name | Name of the entity attribute to be updated. |
attrNames | List of configuration attribute names separated by "|". Valid configuration attribute names are: |
attrVals | List of corresponding attribute values separated by "|". |
appName | Name of the Identity Directory Service. |
updateAttributePropsInEntityConfig
updateAttrrefPropsInEntityConfig
updateAttrrefPropsInEntityConfig(entityName, attrName, propNames, propVals, appName)
Table 2-29 updateAttrrefPropsInEntityConfig Arguments
Argument | Definition |
---|---|
entityName | Name of the entity. |
attrName | Name of the attribute reference. |
propNames | List of property names separated by "|". |
propVals | List of corresponding property values separated by "|". |
appName | Name of the Identity Directory Service. |
updateEntity
updateEntity(name, type, idAttr, create, modify, delete, search, appName)
Table 2-30 updateEntity Arguments
Argument | Definition |
---|---|
name | Name of the entity to be updated. |
type | Type of the entity. |
idAttr | Identity attribute of the entity. |
create | Flag to specify whether create is allowed. |
modify | Flag to specify whether modify is allowed. |
delete | Flag to specify whether delete is allowed. |
search | Flag to specify whether search is allowed. |
appName | Name of the Identity Directory Service. |
updateEntityAttrs
updateEntityAttrs(name, attrNames, attrVals, appName)
Table 2-31 updateEntityAttrs Arguments
Argument | Definition |
---|---|
name | Name of the entity attribute. To update the properties of an entity attribute, see updateAttributePropsInEntityConfig. |
attrNames | List of configuration attribute names. If multiple configuration attributes are to be updated, they should be separated by "|". Valid configuration attribute names are: |
attrVals | List of corresponding configuration attribute values separated by "|". |
appName | Name of the Identity Directory Service. |
Use the WLST commands listed in Table 2-33 to manage a libOVD configuration associated with a specific Oracle Platform Security Services (OPSS) context.
Table 2-33 WLST libOVD Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Add an attribute to the DN attributes list for an existing adapter. |
Online |
|
Reload the libOVD configuration. |
Online |
|
Add an attribute exclusion rule. |
Online |
|
Add a new attribute mapping rule. |
Online |
|
Add a domain exclusion rule. |
Online |
|
Add a new domain mapping rule. |
Online |
|
Add a join rule to an existing Join Adapter for a libOVD configuration. |
Online |
|
Add a new remote host to an existing LDAP adapter. |
Online |
|
Create a new mapping context. |
Online |
|
Add a plug-in to an existing adapter or at the global level. |
Online |
|
Add new parameter values to the existing adapter level plug-in or global plug-in. |
Online |
|
Add a control to the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
Add a control to the Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
Assign the given view to an adapter. |
Online |
|
Create a new Join Adapter for a libOVD configuration. |
Online |
|
Create a new LDAP adapter for a libOVD configuration. |
Online |
|
Create a new LDAP adapter with default plug-ins based on the specified directory type. |
Online |
|
Create a new view. |
Online |
|
Delete an existing adapter for a libOVD configuration. |
Online |
|
Delete an attribute exclusion rule. |
Online |
|
Delete an attribute mapping rule. |
Online |
|
Delete a domain exclusion rule. |
Online |
|
Delete a domain mapping rule. |
Online |
|
Delete the specified mapping context. |
Online |
|
Delete the specified view. |
Online |
|
Display the details of an existing adapter for a libOVD configuration. |
Online |
|
List the name and type of all adapters that are configured for a libOVD configuration. |
Online |
|
List all the mapping contexts. |
Online |
|
List all the attribute rules. |
Online |
|
List all the domain rules. |
Online |
|
List all views. |
Online |
|
Modify the existing LDAP adapter configuration. |
Online |
|
Modify the socket options for an existing LDAP adapter configuration. |
Online |
|
Remove all controls from the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
Remove all controls from a Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
Remove an attribute from the DN attributes list for an existing LDAP adapter configuration. |
Online |
|
Remove a control from the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
Remove a control from the Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
Remove a join rule from a Join Adapter configured for a libOVD configuration. |
Online |
|
Remove a remote host from an existing LDAP adapter configuration. |
Online |
|
Remove a plug-in from an existing adapter or at the global level. |
Online |
|
Remove an existing parameter from a configured adapter level plug-in or global plug-in. |
Online |
|
Replace existing parameter values for an adapter level plug-in or global plug-in. |
Online |
|
Unassign a view from an adapter. |
Online |
Adds an attribute to the DN Attributes List.
Adds an attribute to the DN Attributes List for an existing adapter configured for the libOVD configuration associated with an OPSS context.
Reloads the libOVD configuration.
Adds an attribute exclusion rule.
addAttributeExclusionRule(attribute, mappingContextId, [contextName])
Table 2-36 addAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be added to the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Adds a new attribute mapping rule.
Adds a new attribute mapping rule to the libOVD configuration associated with a specific OPSS context.
Adds a domain exclusion rule.
addDomainExclusionRule(domain, mappingContextId, [contextName])
Table 2-38 addDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished name (DN) of the attribute to be added to the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Adds a new domain mapping rule.
addDomainRule(srcDomain, destDomain, domainConstructRule, mappingContextId, [contextName])
Table 2-39 addDomainRule Arguments
Argument | Definition |
---|---|
srcDomain | Source domain. |
destDomain | Destination domain. |
domainConstructRule | Name of the attribute to be added to the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Adds a join rule to a Join Adapter.
Adds a join rule to an existing Join Adapter for the libOVD configuration associated with the specified OPSS context.
addJoinRule(adapterName, secondary, condition, [joinerType], [contextName])
Table 2-40 addJoinRule Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join Adapter to be modified. |
secondary | Name of the adapter to join to. |
condition | The attribute(s) to join on. |
joinerType | Optional. Defines the type of Join. Values can be Simple (default), Conditional, OneToMany, or Shadow. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
addJoinRule('join1','secondaryldap','cn=cn', 'Simple', 'default')
addJoinRule('join1','secondaryldap','cn=cn', 'Conditional', 'default')
addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', JoinerType='OneToMany')
addJoinRule(adapterName='join1', secondary='LDAP2',condition='uid=cn', contextName='myContext')
Adds a new remote host.
Adds a new remote host (host and port) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.
addLDAPHost(adapterName, host, port, [contextName])
Table 2-41 addLDAPHost Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join Adapter to be modified. |
host | Remote LDAP host to which the LDAP adapter will communicate. |
port | Remote LDAP host port. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Creates a new mapping context.
Creates a new mapping context for the libOVD configuration associated with the specified OPSS context.
Adds a plug-in to an existing adapter or at the global level.
Adds a plug-in to an existing adapter or at the global level. The i-th key corresponds to the i-th value. The plug-in is added to the default chain.
addPlugin(pluginName, pluginClass, paramKeys, paramValues, [adapterName], [contextName])
Table 2-43 addPlugin Arguments
Argument | Definition |
---|---|
pluginName | Name of the plug-in to be created. |
pluginClass | Class of the plug-in. |
paramKeys | Init Param Keys separated by "|". |
paramValues | Init Param Values separated by "|". |
adapterName | Optional. Name of the adapter to be modified. If not specified, the plug-in is added at the global level. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
addPlugin(adapterName='ldap1', pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPlugin(pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com')
addPlugin(pluginName='DMSMetrics',pluginClass='oracle.ods.virtualization.engine.chain.plugins.DMSMetrics.MonitorPerformance', paramKeys='None',paramValues='None',adapterName='ldap1',contextName='default')
Adds new parameter values to the existing adapter level plug-in or global plug-in.
Adds new parameter values to the existing adapter level plug-in or the global plug-in. If the parameter already exists, the new value is added to the existing set of values. The i-th key corresponds to the i-th value.
addPluginParam(pluginName, paramKeys, paramValues, [adapterName], [contextName])
Table 2-44 addPluginParam Arguments
Argument | Definition |
---|---|
pluginName | Name of the plug-in to be modified. |
paramKeys | Init Param Keys separated by "|". |
paramValues | Init Param Values separated by "|". |
adapterName | Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Adds a control to the Request Control Exclude List.
Adds a control to the Request Control Exclude List for an existing LDAP adapter configuration.
Adds a control to the Request Control Include List.
Adds a control to the Request Control Include List for an existing LDAP adapter configuration.
Assigns a view to an LDAP adapter.
Assigns a view to an LDAP adapter in the libOVD configuration associated with an OPSS context.
Creates a new Join Adapter.
Creates a new Join Adapter for the libOVD configuration associated with an OPSS context.
createJoinAdapter([contextName], adapterName, root, primaryAdapter, bindAdapter)
Table 2-48 createJoinAdapter Arguments
Argument | Definition |
---|---|
|
Name of the Join Adapter to be created. |
|
Virtual Namespace of the Join Adapter. |
|
Specifies the identifier of the primary adapter, which is the adapter searched first in the join operation. |
|
root |
|
Specifies identifier of the bind adapter(s), which are the adapter(s) whose proxy account is used to bind in the LDAP operation. By default, |
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Creates a new LDAP adapter.
Creates a new LDAP adapter for the libOVD configuration associated with an OPSS context.
createLDAPAdapter(adapterName, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [passCred], [contextName])
Table 2-49 createLDAPAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be created. |
root | Virtual Namespace of the LDAP adapter. |
host | Remote LDAP host with which the LDAP adapter will communicate. |
port | Remote LDAP host port number. |
remoteBase | Location in the remote DIT to which root corresponds. |
isSecure | Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to |
bindDN | Optional. Proxy |
bindPasswd | Optional. Proxy |
passCred | Optional. Controls the credentials, if any, the libOVD configuration will pass to the back-end (remote host) LDAP server. Values can be Always (default), None, or BindOnly. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Creates a new LDAP adapter.
Creates a new LDAP adapter with default plug-ins based on the directory type for the libOVD configuration associated with an OPSS context.
createLDAPAdapterWithDefaultPlugins(adapterName, directoryType, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [contextName])
Table 2-50 createLDAPAdapterWithDefaultPlugins Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be created. |
directoryType | Directory type. The value can be one of the following directories: |
root | Virtual Namespace of the LDAP adapter. |
host | Remote LDAP host to which LDAP adapter should communicate. |
port | Remote host port. |
remoteBase | Location in the remote DIT to which the root corresponds. |
isSecure | Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to |
bindDN | Optional. Proxy |
bindPasswd | Optional. Proxy |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
createLDAPAdapterWithDefaultPlugins("testLDAP", "OID", "dc=us,dc=oracle,dc=com", "myhost.example.domain.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "myContext")
createLDAPAdapterWithDefaultPlugins(adapterName='ldap1', directoryType="OID", root='dc=com', host='myhost.example.domain.com', port=5566, remoteBase='dc=oid',bindDN="cn=testuser",bindPasswd="welcome1",contextName='default')
Creates a new view.
Creates a new view for the libOVD configuration associated with an OPSS context.
Deletes an existing adapter.
Deletes an existing adapter for the libOVD configuration associated with an OPSS context.
Deletes an attribute exclusion rule.
Deletes an attribute exclusion rule for the libOVD configuration associated with an OPSS context.
deleteAttributeExclusionRule(attribute, mappingContextId, [contextName])
Table 2-53 deleteAttributeExclusionRule Arguments
Argument | Definition |
---|---|
attribute | Name of the attribute to be removed from the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Delete an attribute mapping rule.
Delete an attribute mapping rule for the libOVD configuration associated with an OPSS context.
Deletes a domain exclusion rule.
Deletes a domain exclusion rule for the libOVD configuration associated with an OPSS context.
deleteDomainExclusionRule(domain, mappingContextId, [contextName])
Table 2-55 deleteDomainExclusionRule Arguments
Argument | Definition |
---|---|
domain | Distinguished Name of the container to be removed from the exclusion list. |
mappingContextId | Name of the mapping context. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Deletes a domain mapping rule.
Deletes a domain mapping rule for the libOVD configuration associated with an OPSS context.
Delete a mapping context.
Delete the specified mapping context for the libOVD configuration associated with an OPSS context.
Displays the details of an existing adapter.
Displays the details of an existing adapter configured for the libOVD configuration associated with an OPSS context.
Lists the name and type of all adapters.
Lists the name and type of all adapters that are configured for the libOVD configuration associated with an OPSS context.
Lists all mapping contexts.
Lists all the attribute rules.
Lists all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION.
Lists all domain rules.
Lists all the domain rules in the format SOURCE_DOMAIN:DESTINATION_DOMAIN.
Modifies parameters in an LDAP adapter.
Modifies the following parameters defined in an existing LDAP adapter:
Remote Base
Root
Secure
BindDN
BindPassword
PassCredentials
MaxPoolSize
modifyLDAPAdapter(adapterName, attribute, value, [contextName])
Table 2-65 modifyLDAPAdapter Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified. |
attribute | Name of the attribute to be modified. |
value | New value for the attribute. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='BindDN', value='cn=proxyuser,dc=com', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolChecks', value=10, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolWait', value=120000, contextName='mydefault')  # value is in milliseconds
modifyLDAPAdapter(adapterName='ldap1', attribute='InitialPoolSize', value=10, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='PoolCleanupInterval', value=300, contextName='mydefault')  # value is in seconds
modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolConnectionIdleTime', value=300, contextName='mydefault')  # value is in seconds
modifyLDAPAdapter(adapterName='ldap1', attribute='Active', value=false, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='PingProtocol', value='LDAP', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindDN', value='cn=proxyuser', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindPassword', value='welcome1', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='PageSize', value=500, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='HeartBeatInterval', value=120, contextName='mydefault')  # value is in seconds
modifyLDAPAdapter(adapterName='ldap1', attribute='OperationTimeout', value=120000, contextName='mydefault')  # value is in milliseconds
modifyLDAPAdapter(adapterName='ldap1', attribute='SearchCountLimit', value=100, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='Visible', value='Yes', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='Critical', value='false', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='InclusionFilter', value='objectclass=inetorgperson#base', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='ExclusionFilter', value='uniquemember=*#base', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='DNPattern', value='(.*)cn=[a-z0-9]*$', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='RequestControlAllowServerSupported', value=false, contextName='mydefault')
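The createLDAPAdapterWithDefaultPlugins and modifyLDAPAdapter examples above write bind passwords into the script as string literals and pass false for isSecure. The following added example (not part of the Oracle documentation) is a Python 3 linter that parses a WLST script and reports those two patterns before the script is committed or run. The parameter order comes from the signatures on this page; the finding labels, the proxy_pw variable and the sample script are constructed, and the script is assumed to parse as Python 3, which holds for plain command calls like the ones shown here.

```python
import ast

# Parameter order copied from the command signatures on this page.
SIGNATURES = {
    "createLDAPAdapter": [
        "adapterName", "root", "host", "port", "remoteBase",
        "isSecure", "bindDN", "bindPasswd", "passCred", "contextName"],
    "createLDAPAdapterWithDefaultPlugins": [
        "adapterName", "directoryType", "root", "host", "port",
        "remoteBase", "isSecure", "bindDN", "bindPasswd", "contextName"],
    "modifyLDAPAdapter": ["adapterName", "attribute", "value", "contextName"],
}
# modifyLDAPAdapter attributes that carry a password in the page's examples.
PASSWORD_ATTRS = {"BindPassword", "PingBindPassword"}


def bind_args(call):
    """Map positional and keyword arguments of a call to parameter names."""
    bound = dict(zip(SIGNATURES[call.func.id], call.args))
    bound.update({kw.arg: kw.value for kw in call.keywords if kw.arg})
    return bound


def is_literal_str(node):
    """True when the argument is a string literal embedded in the script."""
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def is_false(node):
    """True for WLST's bare false, Python's False, or the string 'false'."""
    if isinstance(node, ast.Name):
        return node.id == "false"
    if isinstance(node, ast.Constant):
        value = node.value
        return value is False or (isinstance(value, str) and value.lower() == "false")
    return False


def audit_wlst(source):
    """Return sorted (line, command, finding) tuples for a WLST script."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in SIGNATURES):
            continue
        command, args = node.func.id, bind_args(node)
        if command == "modifyLDAPAdapter":
            attr = args.get("attribute")
            attr_name = attr.value if is_literal_str(attr) else None
            if attr_name in PASSWORD_ATTRS and is_literal_str(args.get("value")):
                findings.append((node.lineno, command, "cleartext-password"))
            if attr_name == "Secure" and is_false(args.get("value")):
                findings.append((node.lineno, command, "tls-disabled"))
        else:
            if is_literal_str(args.get("bindPasswd")):
                findings.append((node.lineno, command, "cleartext-password"))
            if is_false(args.get("isSecure")):
                findings.append((node.lineno, command, "tls-disabled"))
    return sorted(findings)


# Constructed sample: the first three calls are modelled on the page's examples;
# the last reads the password from a variable (proxy_pw is hypothetical, for
# instance a value prompted for at run time) and is therefore not reported.
SAMPLE = '''
createLDAPAdapterWithDefaultPlugins("testLDAP", "OID", "dc=us,dc=oracle,dc=com", "myhost.example.domain.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "myContext")
modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123', contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true, contextName='mydefault')
modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value=proxy_pw, contextName='mydefault')
'''

if __name__ == "__main__":
    for line, command, finding in audit_wlst(SAMPLE):
        print("line %d: %s: %s" % (line, command, finding))
```

A literal password in a WLST script ends up in version control, shell history and backups of the script, so the linter treats any string literal in a password position as a finding regardless of its value.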
Modifies socket options.
modifySocketOptions(adapterName, reuseAddress, keepAlive, tcpNoDelay, readTimeout, [contextName])
Table 2-66 modifySocketOptions Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified. |
reuseAddress | Value of |
keepAlive | Value of |
tcpNoDelay | Value of |
readTimeout | Value of |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Removes all controls from the Request Control Exclude List.
Removes all controls from the Request Control Exclude List for an existing LDAP adapter configuration.
Removes all controls from the Request Control Include List.
Removes all controls from the Request Control Include List for an existing LDAP adapter configuration.
Removes a control from the Request Control Exclude List.
Removes a control from the Request Control Exclude List for an existing LDAP adapter configuration.
removeFromRequestControlExcludeList(adapterName, control, [contextName])
Table 2-69 removeFromRequestControlExcludeList Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified. |
control | LDAP control object identifier (OID). |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Removes an attribute from the DN Attributes List.
Removes an attribute from the DN Attributes List for an existing adapter that is configured for the libOVD associated with an OPSS context.
Removes a control from the Request Control Include List.
Removes a control from the Request Control Include List for an existing LDAP adapter configuration.
removeFromRequestControlIncludeList(adapterName, control, [contextName])
Table 2-71 removeFromRequestControlIncludeList Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified. |
control | LDAP control object identifier (OID). |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Removes a join rule from a Join Adapter.
Removes a join rule from a Join Adapter configured for the libOVD configuration associated with the specified OPSS context.
removeJoinRule(adapterName, secondary, [contextName])
Table 2-72 removeJoinRule Arguments
Argument | Definition |
---|---|
adapterName | Name of the Join Adapter to be modified. |
secondary | The join rules corresponding to this secondary adapter are removed from the Join Adapter. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Removes a remote host from an existing LDAP adapter.
removeLDAPHost(adapterName, host, [contextName])
Table 2-73 removeLDAPHost Arguments
Argument | Definition |
---|---|
adapterName | Name of the LDAP adapter to be modified. |
host | Location of a remote LDAP host with which the LDAP adapter will communicate. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Removes a plug-in from an existing adapter.
removePlugin(pluginName, [adapterName], [contextName])
Table 2-74 removePlugin Arguments
Argument | Definition |
---|---|
pluginName | Name of the plug-in to be removed. |
adapterName | Optional. Name of the adapter to be modified. If not specified, the global plug-in is removed. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Removes an existing parameter from a configured adapter level plug-in.
Removes an existing parameter from a configured adapter level plug-in or a global plug-in. This command removes all values of the particular parameter from the plug-in.
removePluginParam(pluginName, paramKey, [adapterName], [contextName])
Table 2-75 removePluginParam Arguments
Argument | Definition |
---|---|
pluginName | Name of the plug-in to be modified. |
paramKey | Parameter to be removed. |
adapterName | Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |
Replaces existing parameter values for a plug-in.
Replaces existing parameter values for the specified adapter level plug-in or global plug-in.
replacePluginParam(pluginName, paramName, paramValues, [adapterName], [contextName])
Table 2-76 replacePluginParam Arguments
Argument | Description |
---|---|
pluginName | Name of the plug-in to be modified. |
paramName | Name of the parameter to be replaced. |
paramValues | New values of the parameter. For more than one new value, separate each new parameter value by a "|". |
adapterName | Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
contextName | Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is "default". |