3.10 Token Issuer Trust Configuration Commands

Use the WLST commands listed in Table 3-12 to view and define trusted issuers, trusted distinguished name (DN) lists, and token attribute rules for trusted DNs.

When using WLST to create, modify, and delete token issuer trust documents, you must execute the commands in the context of a session. Each session applies to a single trust document only.

For additional information about using these commands, see "Configuring SAML Trusted Issuers, DN Lists, and Token Attribute Rules Using WLST" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

Note:

The commands in this section apply to Oracle Infrastructure Web Services only.

To view the help for the WLST commands described in this section, connect to a running instance of the server and enter help('wsmManage').

The help('wsmManage') output now lists JWT trusted issuers as a supported token type.


Table 3-12 Web Services Token Issuer Trust Commands

Use this command...                        To...                                                                                                Use with WLST...
createWSMTokenIssuerTrustDocument          Create a new token issuer trust document using the name provided.                                    Online
deleteWSMTokenIssuerTrust                  Delete the entry for the issuer, including the DN list in it.                                        Online
deleteWSMTokenIssuerTrustAttributeRule     Delete a token attribute rule associated with a trusted DN.                                          Online
deleteWSMTokenIssuerTrustDocument          Delete the token issuer trust document, specified by the name argument, from the repository.         Online
displayWSMTokenIssuerTrust                 Display the names of the DN lists associated with a specified issuer.                                Online
exportWSMTokenIssuerTrustMetadata          Export trusted issuers, associated DNs, and token attribute rules.                                   Online
importWSMTokenIssuerTrustMetadata          Import trusted issuers, associated DNs, and token attribute rules.                                   Online
listWSMTokenIssuerTrustDocuments           List the token issuer trust documents in the repository.                                             Online
revokeWSMTokenIssuerTrust                  Remove trusted issuers, associated DNs, and token attribute rules.                                   Online
selectWSMTokenIssuerTrustDocument          Select the token issuer trust document, identified by the name argument, to be modified in the session.  Online
setWSMTokenIssuerTrust                     Specify a trusted token issuer with a DN list.                                                       Online
setWSMTokenIssuerTrustAttributeFilter      Add, delete, or update token attribute rules for a given token signing certificate DN.               Online
setWSMTokenIssuerTrustAttributeMapping     Map the value of an attribute asserted for a trusted DN to a local user attribute, and set the user attribute used to authenticate the user.  Online
setWSMTokenIssuerTrustDisplayName          Set or reset the display name of the Token Issuer Trust document currently selected in the session.  Online



3.10.1 createWSMTokenIssuerTrustDocument

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Within a session, creates a new token issuer trust document using the name provided.

You must start a session (beginWSMSession) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.

For more information on using this command, see "Configuring SAML Trusted Issuers, DN Lists, and Token Attribute Rules Using WLST" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

Syntax

createWSMTokenIssuerTrustDocument(name, displayName)

Arguments Definition

name

Name of the document to be created. An error is thrown if a name is not provided.

displayName

Optional. Display name for the document.


Examples

In the following example, the trust document named tokenissuertrustWLSbase_domain is created, with a display name of wls_domain Trust Document. In the second example, no display name is provided.

wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain","wls_domain Trust Document")
wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain") 

3.10.2 deleteWSMTokenIssuerTrust

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Within a session, deletes the list of all the trusted key identifiers matching the type (such as dns.hok, dns.sv, or dns.jwt) for the issuer specified. This issuer must exist in the token issuer trust document selected in the session for modification. If no trusted key identifiers exist, then the issuer itself is deleted.

To delete a specified list of trusted key identifiers for an issuer, use selectWSMTokenIssuerTrustDocument.

You must start a session (beginWSMSession) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.

You cannot modify the default token issuer trust document.

Syntax

deleteWSMTokenIssuerTrust(type, issuer)

Arguments Definition

type

Type of issuer to be deleted, such as dns.hok, dns.sv, or dns.jwt.

issuer

Name of the issuer whose trusted DN list will be deleted.


Examples

In the following example, the issuer www.yourCompany.com and the DN list in the dns.sv trusted SAML sender vouches client list for the issuer are deleted:

wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrust('dns.sv', 'www.yourCompany.com') 

3.10.3 deleteWSMTokenIssuerTrustAttributeRule

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Delete a token attribute rule associated with a trusted DN from the token issuer trust document.

To delete only the list of filter values for an attribute, use the setWSMTokenIssuerTrustAttributeFilter command.

You must start a session (beginWSMSession) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.

Syntax

deleteWSMTokenIssuerTrustAttributeRule(dn)

Arguments Description

dn

The DN of the token signing certificate that identifies the rule to be deleted.


Examples

In the following example, the token attribute rule associated with the 'CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US' trusted DN is deleted.

wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrustAttributeRule('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US')

3.10.4 deleteWSMTokenIssuerTrustDocument

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Deletes the token issuer trust document, specified by the name argument, from the repository. The default token issuer trust document cannot be deleted.

Syntax

deleteWSMTokenIssuerTrustDocument(name)

Arguments Definition

name

Name of the token issuer trust document to be deleted.


Examples

In the following example, the token issuer trust document tokenissuertrustWLSbase_domain is deleted:

wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrustDocument('tokenissuertrustWLSbase_domain')

3.10.5 displayWSMTokenIssuerTrust

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Displays the list of all the trusted key identifiers matching the type specified, such as dns.hok, dns.sv, or dns.jwt, and the issuer name.

You must start a session (beginWSMSession) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.

Syntax

displayWSMTokenIssuerTrust(type, issuer=None)

Arguments Definition

type

Type of the trusted key identifiers list to be displayed for the issuer. For example, dns.hok, dns.sv, or dns.jwt.

issuer

Optional. Name of the trusted issuer for which the trusted key identifiers list is to be displayed. If you do not specify an issuer name, all of the trusted issuers for the given type are listed.


Examples

In the following example, the DN lists for the www.example.com trusted issuer are displayed:

wls:/wls-domain/serverConfig> displayWSMTokenIssuerTrust('dns.sv', 'www.example.com')

3.10.6 exportWSMTokenIssuerTrustMetadata

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Export the trust configuration (issuers, DNs, and token attribute rules) for all trusted issuers. The configuration will be exported to an XML file identified by the specified location. The configuration for the issuers specified in the exclude list will not be exported. If no argument is passed, trust configuration for all trusted issuers will be exported.

Syntax

exportWSMTokenIssuerTrustMetadata(trustFile,excludeIssuers=None)

Arguments Definition

trustFile

Location of the file where the exported metadata will be stored.

excludeIssuers

Optional. The list of issuers for which trust metadata should not be exported.


Examples

The following examples show the exportWSMTokenIssuerTrustMetadata command.

exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml',
  excludeIssuers=['www.example.com','www.myissuer.com'])

exportWSMTokenIssuerTrustMetadata('/tmp/trustData.xml',['www.example.com'])

exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml')

3.10.7 importWSMTokenIssuerTrustMetadata

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Import the trust configuration (issuers, DNs, and token attribute rules) for all trusted issuers. The configuration will be imported from the specified XML file.

Syntax

importWSMTokenIssuerTrustMetadata(trustFile)

Argument Definition

trustFile

Location of the file from where the configuration will be imported.


Examples

The following examples show the importWSMTokenIssuerTrustMetadata command.

importWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml')

importWSMTokenIssuerTrustMetadata('/tmp/trustData.xml')

3.10.8 listWSMTokenIssuerTrustDocuments

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

When used without any arguments, this command lists all the token issuer trust documents in the repository. If the detail argument is set to true, the display name and the status of the document are also displayed.

You can use the wildcard character (*) in combination with other characters. If no wildcard character is specified in the name argument, the document that matches the name argument exactly is displayed. If the detail argument is set to true, the contents of the document are listed.

This command can be executed inside and outside of a session.

Syntax

listWSMTokenIssuerTrustDocuments(name=None, detail='false')

Arguments Definition

name

Optional. Name of the token issuer trust document. You can use wildcards with this argument.

detail

Optional. List the details for the requested document. The default is false.


Examples

In the following example, all token issuer trust documents in the repository are listed together with their display names and status:

wls:/wls-domain/serverConfig> listWSMTokenIssuerTrustDocuments(detail='true')

3.10.9 revokeWSMTokenIssuerTrust

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Remove trusted issuers, associated DNs, and token attribute rules. The issuers specified in the exclude list will not be removed. If no argument is passed, then all trusted issuers and associated configuration will be removed.

Syntax

revokeWSMTokenIssuerTrust(excludeIssuers=None)

Argument Definition

excludeIssuers

Optional list of issuers for which the trust configuration should not be removed.


Examples

The following examples show the revokeWSMTokenIssuerTrust command.

revokeWSMTokenIssuerTrust(excludeIssuers=['www.example.com','www.issuer.com'])

revokeWSMTokenIssuerTrust(['www.example.com','www.issuer.com'])

revokeWSMTokenIssuerTrust()

3.10.10 selectWSMTokenIssuerTrustDocument

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Selects the token issuer trust document, identified by the name argument, to be modified in the session. The name must match the value of the name attribute in the document.

You must start a session (beginWSMSession) before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.

You cannot modify the default token issuer trust document.

Syntax

selectWSMTokenIssuerTrustDocument(name)

Argument Definition

name

Name of the document to be modified in the session. An error is thrown if a name is not provided.


Examples

In the following example, the tokenissuertrustWLSbase_domain document is selected for modification:

wls:/wls-domain/serverConfig> selectWSMTokenIssuerTrustDocument('tokenissuertrustWLSbase_domain')

3.10.11 setWSMTokenIssuerTrust

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Specify a trusted token issuer with a DN list. This command behaves as follows:

  • If the trusted issuer already exists for the type specified, and you provide a list of DNs or aliases for the trustedKeys argument, the previous list is replaced with the new list. If you enter an empty set ([]) for the trustedKeys argument, then the list of DN values for the issuer is deleted.

  • If the trusted issuer does not exist for the type specified and you specify a value for the trustedKeys argument, the issuer is created with the associated DN list. If you do not set the trustedKeys argument, a new issuer is created with an empty DN list.

You must start a session (beginWSMSession) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.

You cannot modify the default token issuer trust document.

Syntax

setWSMTokenIssuerTrust(type, issuer, [trustedKeys]=None)

Argument Definition

type

The type of the tokens issued by the issuer, and how the issuer's signing certificates are identified as trusted keys. The following types are supported:

  • dns.sv—The token type from the issuer is SAML SV and the trusted key identifier type is X509 Certificate DN.

  • dns.hok—The token type from the issuer is SAML HOK or Bearer, and the trusted key identifier type is X509 Certificate DN.

  • dns.jwt—The token type from the issuer is JWT, and the trusted key identifier type is X509 Certificate DN.

  • dns.alias.sv—The token type from the issuer is SAML SV and the X509 Certificate alias of the issuer signing certificates in the key store is used for trusted key identifier type.

  • dns.alias.hok—The token type from the issuer is SAML HOK or Bearer and the X509 Certificate alias of the issuer signing certificates in the key store is used for trusted key identifier type.

issuer

The name of the trusted issuer, for example www.example.com.

trustedKeys

Optional. List of trusted key identifiers values to set for the specified issuer.


Examples

In the following example, www.yourcompany.com is set as a trusted issuer and a DN list is not specified:

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrust('dns.sv', 'www.yourcompany.com', [])

In the following example, the name 'CN=orcladmin, OU=Doc, O=Oracle, C=US' is added to the dns.sv DN list for the www.example.com trusted issuer. Because the command replaces the whole list, the existing weblogic DN is passed again alongside the new one.

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrust('dns.sv', 'www.example.com', ['CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'CN=orcladmin, OU=Doc, O=Oracle, C=US'])

In the following example, the list of DN values in the dns.sv DN list is removed from the www.example.com trusted issuer:

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrust('dns.sv', 'www.example.com', [])

In the following example, the alias orakey is specified as the X509 certificate alias for the SAML SV token type for the www.example.com trusted issuer:

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrust('dns.alias.sv', 'www.example.com', ['orakey'])

3.10.12 setWSMTokenIssuerTrustAttributeFilter

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Adds, deletes, or updates token attribute rules for a given token signing certificate DN.

Each rule has two parts: a name ID and an attributes part for user attributes that a DN for a signing certificate can assert. The name ID and the attribute can contain a filter with multiple value patterns.

This command behaves as follows:

  • If the attribute specified by the attr-name argument already exists with a list of filter values and you provide a new list of values for the filters argument, the previous list is replaced with the new list. If you enter an empty set ([]) for the filters argument, then the existing list of filter values is deleted.

  • If the attribute specified by the attr-name argument does not exist and you specify a list of values for the filters argument, the attribute is created and added to the document with the specified filter values. If you do not provide a value for the filters argument, an error is thrown.

You must start a session (beginWSMSession) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.

Note:

You must first use the setWSMTokenIssuerTrust command to configure a list of trusted DN names for an issuer.

Syntax

setWSMTokenIssuerTrustAttributeFilter(dn, attr-name, filters)

Argument Definition

dn

The DN of the token signing certificate.

attr-name

The name of the attribute to assert. The value can be as follows:

  • name-id—assert a subject name ID.

filters

Optional. List of filters for the attribute. The list has the format ['value1', 'value2', 'value3', ...]. Each value can be an exact name or a name pattern with a wildcard character "*".

When name-id is selected for the attr-name argument, then the value of the subject name ID in the incoming SAML assertion must match one of the specified values to go through. If no values are specified, then any value for the subject name ID will go through.

If user.tenant.name is selected for the attr-name argument, then the value of the user tenant name in the request message or from the system environment is validated against the value asserted.


Examples

In the following example, the name ID yourTrustedUser is set as a trusted user for the weblogic trusted DN:

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser'])

In the following example, the name ID jdoe is added to the list of trusted users for the weblogic trusted DN. Because the command replaces the whole list, the existing name ID yourTrustedUser is passed again alongside the new one:

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser', 'jdoe'])

In the following example, the list of trusted users for the weblogic trusted DN is removed:

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', [])
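The replace-or-create semantics of setWSMTokenIssuerTrust (3.10.11) and setWSMTokenIssuerTrustAttributeFilter (3.10.12) are easy to get wrong, so the following added example (not Oracle's code, and not WLST) models one trust document in plain Python: it applies the documented rules for the trusted DN list and the name-id filter, and then checks whether a constructed SAML subject would pass. The class and method names, the precondition that a DN must already be in a trusted DN list before a filter is set, and the pass-through behaviour for a DN with no rule are assumptions of this model.

```python
import re

# Values taken from the examples in this section (constructed test data, not live config)
WEBLOGIC_DN = "CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US"
ORCLADMIN_DN = "CN=orcladmin, OU=Doc, O=Oracle, C=US"


def _matches(pattern, value):
    """Match a filter value against a name ID; only '*' is a wildcard, as the page states."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


class TrustDocumentModel:
    """Hypothetical stand-in for the token issuer trust document selected in a WLST session."""

    def __init__(self):
        self.issuers = {}          # {type: {issuer: [trusted key identifiers]}}
        self.attribute_rules = {}  # {signing cert DN: {attr-name: [filter values]}}

    def set_token_issuer_trust(self, type_, issuer, trusted_keys=None):
        """setWSMTokenIssuerTrust: create the issuer, or replace its key list ([] clears it)."""
        by_issuer = self.issuers.setdefault(type_, {})
        if trusted_keys is None:
            by_issuer.setdefault(issuer, [])        # new issuer gets an empty DN list
        else:
            by_issuer[issuer] = list(trusted_keys)  # previous list is replaced outright
        return by_issuer[issuer]

    def delete_token_issuer_trust(self, type_, issuer):
        """deleteWSMTokenIssuerTrust: drop the key list; drop the issuer if the list is empty."""
        by_issuer = self.issuers[type_]
        if by_issuer[issuer]:
            by_issuer[issuer] = []
        else:
            del by_issuer[issuer]
        return issuer in by_issuer      # True while the (now empty) issuer entry still exists

    def is_trusted_dn(self, dn):
        """Is this signing certificate DN listed for any issuer of any type?"""
        return any(dn in keys for by_issuer in self.issuers.values() for keys in by_issuer.values())

    def set_attribute_filter(self, dn, attr_name, filters=None):
        """setWSMTokenIssuerTrustAttributeFilter: replace, create or clear the filter list."""
        if not self.is_trusted_dn(dn):   # assumption: the DN must come from setWSMTokenIssuerTrust first
            raise ValueError("DN is not in any trusted DN list: %s" % dn)
        if filters is None:              # page: error when the attribute is new and no list is given;
            raise ValueError("no filters given for attribute %r" % attr_name)  # applied to all cases here
        rules = self.attribute_rules.setdefault(dn, {})
        rules[attr_name] = list(filters)  # [] deletes the existing filter values
        return rules[attr_name]

    def name_id_allowed(self, dn, name_id):
        """Would an assertion signed by `dn` with this subject name ID pass the name-id rule?"""
        if not self.is_trusted_dn(dn):
            return False                  # untrusted signer is rejected before any rule applies
        patterns = self.attribute_rules.get(dn, {}).get("name-id", [])
        if not patterns:
            return True                   # page: no values configured means any name ID goes through
        return any(_matches(p, name_id) for p in patterns)


if __name__ == "__main__":
    doc = TrustDocumentModel()
    doc.set_token_issuer_trust("dns.sv", "www.example.com", [WEBLOGIC_DN, ORCLADMIN_DN])
    doc.set_attribute_filter(WEBLOGIC_DN, "name-id", ["yourTrustedUser", "j*"])
    for subject in ("yourTrustedUser", "jdoe", "mallory"):
        print(subject, "->", "allowed" if doc.name_id_allowed(WEBLOGIC_DN, subject) else "rejected")
```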

3.10.13 setWSMTokenIssuerTrustAttributeMapping

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

For any DN in the trusted DN list of a trusted token issuer, this command sets the mapping for the attribute (for example, name-id) as specified by the attrName argument. The user attribute argument is optional, and it indicates the local user attribute it corresponds to. The user mapping attribute is also optional and indicates the user attribute to be used in the system to authenticate the users.

Syntax

setWSMTokenIssuerTrustAttributeMapping(dn,attrName,userAttribute=None, userMappingAttribute=None)

Arguments Definition

dn

DN of the token signing certificate that identifies the token attribute rule to be modified.

attrName

Name of the user attribute for which the mapping will be applied.

userAttribute

Optional name of the local user attribute the value of the attribute corresponds to.

userMappingAttribute

Optional name of the local user attribute to map to.


Examples

The following examples show the setWSMTokenIssuerTrustAttributeMapping command.

setWSMTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey, O=Oracle, C=US', 'name-id', 'mail', 'uid')

setWSMTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey, O=Oracle, C=US','name-id')

3.10.14 setWSMTokenIssuerTrustDisplayName

Note:

This command applies to Oracle Infrastructure web services only.

Command Category: Token Issuer Trust Configuration

Use with WLST: Online

Description

Sets or resets the display name of the Token Issuer Trust document currently selected in the session.

You must start a session (beginWSMSession) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.

Syntax

setWSMTokenIssuerTrustDisplayName("displayName")

Arguments Definition

displayName

Name to be set as a display name for the document currently selected for modification in the session.


Examples

In the following example, the display name for the trust document being modified is set to Test Document.

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustDisplayName("Test Document")