F OPSS System and Configuration Properties

This appendix documents OPSS system and configuration properties you set at the server startup.

All OPSS system and configuration changes require server restart to take effect.

OPSS System Properties

A system property that has been introduced or modified is not in effect until the server is restarted. To set a system property, edit setDomainEnv.sh and add the property to the EXTRA_JAVA_PROPERTIES variable.

Table F-1 lists the system properties available with OPSS.

Table F-1 OPSS System Properties

System Property Name Specifies

common.components.home

The location of the common components home.

Required for both Java EE and SE applications.

No default value.

java.security.debug

Logs the permission failure when JpsAuth.checkPermission is called inside a Subject.doAs block and the permission check fails.

Setting jps.auth.debug or jps.auth.debug.verbose is not enough to get a failure notification in this case.

Optional.

java.security.policy

The location of the Java security policy file.

jps.app.permissioncollectionmap.size

The number of permission collection map entries kept in memory. Each entry corresponds to a set of permissions. It requires that you set jps.policystore.ref.useSoftHardMapForSelectedMaps to true.

Optional.

Valid values: a positive integer.

Default value: 512.

jps.authz

Whether calls are delegated to the AccessController.checkPermission method of the Java SE Development Kit (JDK), which reduces runtime and debugging overhead.

Optional.

Valid values: NULL, SM, ACC, and DEBUG_NULL.

No default value.

jps.auth.debug

Whether debug logging output is enabled on the server. Default value: false.

Optional.

jps.auth.debug.verbose

Whether verbose debug logging output is enabled on the server. Default value: false.

Optional.

jps.combiner.optimize

Whether a subject's protection domain is cached.

Optional.

Valid values: true, false.

Default value: false.

jps.combiner.optimize.lazyeval

Whether a subject's protection domain is evaluated lazily, that is, only when a permission check is triggered.

Optional.

Valid values: true, false.

Default value: false.

jps.combinermap.size

The number of combiner map entries kept in memory. Each entry corresponds to a set of principals. It requires that you set jps.policystore.ref.useSoftHardMapForSelectedMaps to true.

Optional.

Valid values: a positive integer.

Default value: 128.

jps.deployment.handler.disabled

The migration of policies and credentials for applications deployed on a WebLogic Server. Valid only for WebLogic Server.

Set to true to disable the migration of application policies and credentials for all applications deployed on the server regardless of application settings in the weblogic-application.xml file.

Optional.

Valid values: true, false.

Default value: false.

jps.policystore.hybrid.mode

The hybrid mode. When it is enabled, the policy provider reads from the java.policy and weblogic.policy files, and the security store reads from the jps-config.xml file.

Optional.

Valid values: true, false.

Default value: true.

jps.policystore.ref.useSoftHardMapForSelectedMaps

Which map type is used for selected internal caches.

The map type is used to hold some structures in a special cache so that they are not garbage-collected by the Java Virtual Machine.

If false, then the SoftKeyHashMap type is used.

If true, then the SoftHardKeyHashMap type is used. This setting allows retaining some of the maps in memory. Note that every get/put operation will then have a lock operation overhead.

See related jps.subjectmap.size, jps.combinermap.size, and jps.app.permissioncollectionmap.size properties.

Optional.

Valid values: true, false.

Default value: false.

jps.subject.cache.ttl

The number of milliseconds after which group membership changes are in effect.

This value must be kept synchronized with the value of the Group Hierarchy Cache setting. If that setting is changed, then jps.subject.cache.ttl must be reset to match the new Group Hierarchy Cache value.

Optional.

Valid values: any positive integer.

Default value: 60000

jps.subjectmap.size

The number of subject map entries kept in memory. Each entry corresponds to TTL information about a subject. For this setting to take effect, the jps.policystore.ref.useSoftHardMapForSelectedMaps property must be true.

Optional.

Valid values: a positive integer.

Default value: 128.

oracle.security.jps.config

The path to the domain configuration file, jps-config.xml or jps-config-jse.xml. Path specifications in those files can be absolute or relative to the location of the configuration file.

Required.

No default value.

oracle.deployed.app.dir

The path to the directory of a codesource URL.

Optional.

No default value.

For an example of use, see <url>.

oracle.deployed.app.ext

The extension of a codesource URL.

Optional.

No default value.

For an example of use, see <url>.

oracle.security.jps.log.for.approle.substring

Logs only permission checks whose application role name contains the specified substring. If no substring is specified, then all application role names are logged.

Optional.

No default value.

oracle.security.jps.log.for.permeffect

Logs only grants with the specified effect (granted or denied). If no value is specified, then all grants are logged, regardless of whether they were granted or denied.

Optional.

No default value.

oracle.security.jps.log.for.permclassname

Logs only permission checks whose permission class name exactly matches the specified name. If no name is specified, then all permission class names are logged.

Optional.

No default value.

oracle.security.jps.log.for.permtarget.substring

Logs only permission checks whose permission target contains the specified substring. If no substring is specified, then all permission targets are logged.

Optional.

No default value.

oracle.security.jps.log.for.enterprise.principalname

Logs only permission checks whose principal name (enterprise user or enterprise role) exactly matches the specified name. If no name is specified, then all principal names are logged.

Optional.

No default value.

opss.audit.logDirectory

The location of the audit log files for SE applications if it is not set in the jps-config-jse.xml configuration file.

Optional.

No default value.

Valid values: any writeable directory.

wlst.offline.log

The location of the log file when running offline WLST.

Optional.

No default value.

Valid values: <filename>, stdout, strerr, disable.

wlst.offline.log.priority

The logging level of offline WLST notifications.

Optional.

No default value.

Valid values: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL, debug, info, warn, error, fatal.

oracle.security.jps.policystore.resource.cache.size

The number of resources kept in the resource cache for one application policy.

Valid in Java EE and Java SE applications.

Applies to Oracle Internet Directory and database stores.

Optional.

Default value: 1000.
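As an added example that is not part of the Oracle documentation or of OPSS itself, the following Python model shows how the oracle.security.jps.log.for.* system properties in Table F-1 narrow what gets logged: substring matching for the application role and permission target, exact matching for the permission class and enterprise principal name, and filtering by grant effect. It assumes that the configured filters combine with AND and that permeffect takes the values granted or denied; the events are constructed for the example.

```python
# Added example, not from the OPSS documentation: a model of how the
# oracle.security.jps.log.for.* system properties in Table F-1 select which
# permission checks get logged. Assumptions: filters combine with AND, and
# permeffect takes the values "granted" or "denied"; events are constructed.
PREFIX = "oracle.security.jps.log.for."
# Substring match per Table F-1: approle.substring, permtarget.substring.
SUBSTRING_FILTERS = {"approle.substring": "approle", "permtarget.substring": "permtarget"}
# Exact match per Table F-1: permclassname, enterprise.principalname.
EXACT_FILTERS = {"permclassname": "permclassname", "enterprise.principalname": "principalname"}


def filters_from_system_properties(sysprops):
    """Pick the log.for.* entries out of a dict of -D system properties."""
    return {k[len(PREFIX):]: v for k, v in sysprops.items() if k.startswith(PREFIX)}


def should_log(event, filters):
    """True if the event passes every configured filter; an unset filter
    matches everything, as Table F-1 states for each property."""
    for key, field in SUBSTRING_FILTERS.items():
        wanted = filters.get(key)
        if wanted is not None and wanted not in event.get(field, ""):
            return False
    for key, field in EXACT_FILTERS.items():
        wanted = filters.get(key)
        if wanted is not None and event.get(field) != wanted:
            return False
    effect = filters.get("permeffect")
    if effect is not None and event.get("effect", "").lower() != effect.lower():
        return False
    return True


def select_logged(events, sysprops):
    """Return the ids of the events the configured filters would log."""
    filters = filters_from_system_properties(sysprops)
    return [e["id"] for e in events if should_log(e, filters)]


# Constructed permission-check events (not real OPSS log output).
EVENTS = [
    {"id": 1, "approle": "AppAdmin", "permclassname": "oracle.security.jps.ResourcePermission",
     "permtarget": "resourceType=app,resourceName=/admin/users", "principalname": "alice",
     "effect": "granted"},
    {"id": 2, "approle": "AppUser", "permclassname": "oracle.security.jps.ResourcePermission",
     "permtarget": "resourceType=app,resourceName=/admin/users", "principalname": "bob",
     "effect": "denied"},
    {"id": 3, "approle": "AppUser", "permclassname": "java.io.FilePermission",
     "permtarget": "/tmp/report.txt", "principalname": "bob", "effect": "denied"},
]

# Log only denied checks against /admin targets: expected ids [2].
DENIED_ADMIN = {
    PREFIX + "permeffect": "denied",
    PREFIX + "permtarget.substring": "/admin",
}
# Log every check made by bob, whatever the outcome: expected ids [2, 3].
BOB_ONLY = {PREFIX + "enterprise.principalname": "bob"}

if __name__ == "__main__":
    print(select_logged(EVENTS, DENIED_ADMIN))
    print(select_logged(EVENTS, BOB_ONLY))
```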

OPSS Configuration Properties

The following sections describe service properties:

Properties Common to OPSS Services

The following tables describe the OPSS properties common to all services except for the trust store service. For information about trust store service properties, see Trust Service Properties.

Table F-2 Common Properties — Properties valid in both Java EE and SE applications

Property Name Specifies

bootstrap.security.principal.key

The key for the password credentials to access the LDAP store, stored in the cwallet.sso file.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Required.

No default value.

The ready-to-use value is bootstrap.

bootstrap.security.principal.map

The map for the password credentials to access the LDAP store, stored in the cwallet.sso file.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Required.

Default value: BOOTSTRAP_JPS.

jdbc.url

The JDBC URL of the database security store.

Valid in Java SE and Java EE applications.

Applies to only DB security stores.

Required.

No default value.

Value example: jdbc:oracle:thin:@xxx27.com:1345:asi102cn

ldap.url

The URL of the LDAP security store, with the format ldap://host:port.

Valid in Java EE and SE applications.

Applies only to LDAP stores.

Required.

No default value.

oracle.security.jps.farm.name

The relative distinguished name format of the domain node in the LDAP store.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Required.

No default value.

oracle.security.jps.ldap.root.name

The relative distinguished name format of the root node in the LDAP store.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Required.

No default value.

oracle.security.jps.pdp.PolicyProvider.PermissionCollectionCache.MaxSize

The maximum number of permission collections allowed in the cache per protection domain and request permission class.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Default value: 5000

server.type

The type of the security store.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Required.

No default value.

Values: OID, DB_ORACLE.

Table F-3 Common Properties — Properties valid in Java EE applications

Property Name Specifies

datasource.jndi.name

The Java Naming and Directory Interface (JNDI) name of the Java Database Connectivity (JDBC) data source instance.

Valid in Java EE applications only.

Applies to only DB security stores.

Required.

No default value.

oracle.security.jps.failover.retry.times

The number of retry attempts.

Valid in Java EE applications only.

Applies to only DB security stores.

Optional.

Default value: 3

oracle.security.jps.failover.retry.interval

The number of seconds between retry attempts.

Valid in Java EE applications only.

Applies to only DB security stores.

Optional.

Default value: 15

weblogic.dbuser.map

weblogic.dbuser.key

The credential map and key for the WebLogic DB user and password. They apply only when oracle.security.jps.db.useWeblogicDBUserMapKey is true; in that case, configure either both of them or neither.

Valid in Java EE applications only.

Applies to only DB security stores.

Optional.

Default value: none.

oracle.security.jps.db.useWeblogicDBUserMapKey

Where to find the map and key for the WebLogic DB user/password. This property is automatically set when reassociating to a DB security store.

Valid in Java EE applications only.

Applies to only DB security stores.

Optional.

Valid values: true or false.

Default value: false.

If true, then the weblogic.dbuser.map and weblogic.dbuser.key properties specify the credential's map and key for the WebLogic DB user/password.

Otherwise, if false or unspecified, then the bootstrap.security.principal.map and bootstrap.security.principal.key properties specify the credential's map and key for the WebLogic DB user/password.

Table F-4 Common Properties — Properties valid in Java SE applications

Property Name Specifies

security.principal

The clear text name of the principal to use instead of the user name specified in the bootstrap. Used in development environments only.

Valid in Java SE applications only.

Applies to LDAP and DB security stores.

Optional.

No default value.

security.credential

The clear text password for the security principal to use instead of the password specified in the bootstrap. Not recommended.

Valid in Java SE applications only.

Applies to LDAP and DB security stores.

Optional.

No default value.

jdbc.driver

The JDBC driver.

Valid in Java SE applications only.

Applies to only DB security stores.

Required.

No default value.

Value example: oracle.jdbc.driver.OracleDriver

Policy Store Service Properties

The following sections describe the policy store service properties:

Policy Store Service Configuration

The policy store provider class to use with LDAP or DB security stores is the oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider class.

Table F-5 describes the properties specific to policy store. Additional properties are listed in Properties Common to OPSS Services.

Table F-5 Policy Properties

Property Name Specifies

oracle.security.jps.policystore.resourcetypeenforcementmode

Whether an exception is thrown when any of the following checks fails:

  • If two resource types share the same permission class, then that permission class must be either ResourcePermission or extend AbstractTypedPermission; otherwise the second resource type cannot be created.

  • Every permission must have a resource type defined, and the permission class of the resource matcher must match the permission being granted.

If set to Strict, when any of the checks fails, the system throws an exception and the operation is stopped.

If set to Lenient, when any of the checks fails, the system does not throw an exception, the operation continues without disruption, and any discrepancies encountered are logged in the log files.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Default value: Lenient

Valid values: Strict, Lenient.

Example 1

The following example illustrates the configuration of a policy store instance for a Java EE application:

<propertySet name="props.ldap.1">
 <property name="java.naming.ldap.derefAliases" value="never"/>
 <property name="bootstrap.security.principal.key" value="bootstrap_6aCNhgRM3zF04ToliwecdF6K3oo="/>
 <property name="oracle.security.jps.farm.name" value="cn=compact1_oid26008"/>
 <property name="server.type" value="OID"/>
 <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
 <property name="ldap.url" value="ldap://myComp.com:2020"/>
</propertySet>
 
<serviceProvider type="POLICY_STORE" name="policystore.provider" class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"/>
 
<serviceInstance name="policystore.ldap" provider="policystore.provider">
 <propertySetRef ref="props.ldap.1"/>
</serviceInstance>

Example 2

The following example illustrates the configuration of an LDAP policy store instance for a Java SE application:

<serviceInstance name="policystore.oid" provider="policy.oid">
   <property value="OID" name="server.type"/>
   <property value="bootstrap" name="bootstrap.security.principal.key"/>
   <property name="ldap.url" value="ldap://myHost.com:1234"/>
   <property name="oracle.security.jps.ldap.root.name" value="cn=jpsNode"/>
   <property name="oracle.security.jps.farm.name" value="cn=domain1"/>
</serviceInstance>

Example 3

The following example illustrates the configuration of DB security stores for a Java EE application:

<jpsConfig>
...
  <propertySets>
    <!-- property set props.db.1 common to all DB services -->
    <propertySet name="props.db.1">
      <property name="jdbc.url" value="jdbc:oracle:thin:@xxx.com:1521:orcl"/>
      <property name="datasource.jndi.name" value="opssds"/>
      <property value="cn=farm" name="oracle.security.jps.farm.name"/>
      <property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name"/>
      <property value="dsrc_lookup_key" name="bootstrap.security.principal.key"/>
      <property value="credential_map" name="bootstrap.security.principal.map"/>
    </propertySet>
  </propertySets>

  <serviceProviders>
    <serviceProvider class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"
                     type="POLICY_STORE" name="rdbms.policystore.provider">
      <description>RDBMS based PolicyStore provider</description>
    </serviceProvider>

    <serviceProvider type="KEY_STORE" name="keystore.provider"
                     class="oracle.security.jps.internal.keystore.KeyStoreProvider">
      <description>PKI Based Keystore Provider</description>
      <property name="provider.property.name" value="owsm"/>
    </serviceProvider>

    <serviceProvider name="pdp.service.provider" type="PDP"
                     class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider">
      <description>OPSS Runtime Service provider</description>
    </serviceProvider>
  </serviceProviders>

  <serviceInstances>
    <serviceInstance name="policystore.rdbms" provider="rdbms.policystore.provider">
      <property value="DB_ORACLE" name="server.type"/>
      <propertySetRef ref="props.db.1"/>
      <property name="session_expiration_sec" value="60"/>
      <property name="failover.retry.times" value="5"/>
    </serviceInstance>

    <serviceInstance name="credstore.rdbms" provider="rdbms.credstore.provider">
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>

    <serviceInstance name="keystore.rdbms" provider="rdbms.keystore.provider">
      <propertySetRef ref="props.db.1"/>
      <property name="server.type" value="DB_ORACLE"/>
    </serviceInstance>

    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.sm_name" value="permissionSm"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled" value="true"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity" value="500"/>
      <property name="oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage" value="10"/>
      <property name="failover.retry.times" value="5"/>
      <property name="failover.retry.interval" value="20"/>
      <property name="oracle.security.jps.policystore.refresh.purge.timeout" value="30000"/>
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
  </serviceInstances>

  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="pdp.service"/>
      <serviceInstanceRef ref="policystore.rdbms"/>
      <serviceInstanceRef ref="credstore.rdbms"/>
      <serviceInstanceRef ref="keystore.rdbms"/>
    </jpsContext>
  </jpsContexts>
...
</jpsConfig>

Example 4

The following example illustrates the configuration of a DB policy store for a Java SE application:

<serviceInstance name="policystore.rdbms" provider="policy.rdbms">
  <property name="server.type" value="DB_ORACLE"/>
  <property name="jdbc.url" value="jdbc:oracle:thin:@xxx.com:1722:orcl"/>
  <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_DWgpEJgXwhDIoLYVZ2OWd4R8wOA=" />
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="oracle.security.jps.farm.name" value="cn=view_steph.atz"/>
</serviceInstance>

Runtime Policy Configuration

The runtime policy store provider class you use with LDAP or DB security stores is the oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider class.

Table F-6 lists the runtime properties of policy store instances.

Table F-6 Runtime Policy Properties

Property Name Specifies

oracle.security.jps.policystore.rolemember.cache.type

The type of the role member cache.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Valid values:

  • STATIC - Cache objects are statically cached and can be cleaned explicitly only, according to the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type.

  • SOFT - The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch.

  • WEAK - The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently.

Default value: STATIC.

oracle.security.jps.policystore.rolemember.cache.strategy

The type of strategy used in the role member cache.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Valid values:

  • FIFO - The cache implements the first-in-first-out strategy.

  • NONE - All entries in the cache grow until a refresh or reboot occurs. There is no control over the size of the cache. Not recommended but efficient when the policy footprint is very small.

Default value: FIFO.

oracle.security.jps.policystore.rolemember.cache.size

The number of the roles kept in the member cache.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Default value: 1000.

oracle.security.jps.policystore.policy.lazy.load.enable

Whether policies are loaded lazily.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Valid values: true, false.

Default value: true.

oracle.security.jps.policystore.policy.cache.strategy

The type of strategy used in the permission cache.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Valid values:

  • PERMISSION_FIFO - The cache implements the first-in-first-out strategy.

  • NONE - All entries in the cache grow until a refresh or reboot occurs. There is no control over the size of the cache. Not recommended but efficient when the policy footprint is very small.

Default value: PERMISSION_FIFO.

oracle.security.jps.policystore.policy.cache.size

The number of grants kept in the permission cache.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Default value: 1000.

oracle.security.jps.policystore.refresh.enable

The policy store refresh. If this property is set, then oracle.security.jps.ldap.cache.enable cannot be set.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Valid values: true, false.

Default value: true.

oracle.security.jps.ldap.cache.enable

The refresh of the cache. If this property is set, then oracle.security.jps.policystore.refresh.enable cannot be set.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Valid values: true, false.

Default value: true.

oracle.security.jps.policystore.refresh.purge.timeout

The number of milliseconds after which the security store cache is purged.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Default value: 43200000 (12 hours).

oracle.security.jps.ldap.policystore.refresh.interval

The number of milliseconds at which the security store is polled for changes.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Default value: 600000 (10 minutes).

oracle.security.jps.policystore.rolemember.cache.warmup.enable

The way the ApplicationRole membership cache is created. If true, the cache is created at server startup. Otherwise, it is created on demand (lazy loading).

Set to true when the number of users and groups is significantly higher than the number of application roles. Set to false when the number of application roles is very high.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Valid values: true, false.

Default value: false.

security.jps.runtime.pd.client.localpolicy.work_folder

The folder for temporary storage.

Valid in Java EE and SE applications.

Applies to file, LDAP, and DB security stores.

Optional.

Default value: the system temporary folder.

oracle.security.jps.pdp.AuthorizationDecisionCacheEnabled

Whether the authorization decision cache is enabled.

Valid in Java EE and SE applications.

Applies to file, LDAP, and DB security stores.

Optional.

Valid values: true, false.

Default value: false.

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionPercentage

The percentage of sessions to drop when the eviction capacity is reached.

Valid in Java EE and SE applications.

Applies to file, LDAP, and DB security stores.

Optional.

Default value: 10

oracle.security.jps.pdp.AuthorizationDecisionCacheEvictionCapacity

The maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when it is needed.

Valid in Java EE and SE applications.

Applies to file, LDAP, and DB security stores.

Optional.

Default value: 500

oracle.security.jps.pdp.AuthorizationDecisionCacheTTL

The number of seconds during which session data is cached.

Valid in Java EE and SE applications.

Applies to file, LDAP, and DB security stores.

Optional.

Default value: 60

oracle.security.jps.policystore.resourcetypeenforcementmode

Whether an exception is thrown when any of the following checks fails:

  • If two resource types share the same permission class, then that permission class must be either ResourcePermission or extend AbstractTypedPermission; otherwise the second resource type cannot be created.

  • Every permission must have a resource type defined, and the permission class of the resource matcher must match the permission being granted.

If set to Strict and any of the checks fails, then the system throws an exception and the operation is terminated.

If set to Lenient and any of the checks fails, then the system does not throw an exception, the operation continues without disruption, and any discrepancies encountered are logged in the log files.

Valid in Java EE and SE applications.

Applies to LDAP and DB security stores.

Optional.

Default value: Lenient

Valid values: Strict, Lenient.

Credential Service Properties

Table F-7 lists the properties specific to credential store instances. Additional properties are listed in Properties Common to OPSS Services.

Table F-7 Credential Store Properties

Property Name Specifies

encrypt

Whether credentials are encrypted.

Valid in Java EE and SE applications.

Applies only to file and LDAP stores.

Valid values: true, false.

Optional.

Default value: false.

The following example illustrates the configuration of a credential store for a Java EE application:

<propertySet name="props.ldap.1">
  <property name="java.naming.ldap.derefAliases" value="never"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_6aCNhgRM3zF04ToliwecdF6K3oo="/>
  <property name="oracle.security.jps.farm.name" value="cn=compact1_oid26008"/>
  <property name="server.type" value="OID"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="ldap.url" value="ldap://myComp.com:2020"/>
</propertySet>
 
<serviceProvider type="CREDENTIAL_STORE" name="ldap.credentialstore.provider" class="oracle.security.jps.internal.credstore.ldap.LdapCredentialStoreProvider"/>
<serviceInstance name="credstore.ldap" provider="ldap.credentialstore.provider">
  <propertySetRef ref="props.ldap.1"/>
</serviceInstance>
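The following Python lint, added here as an example and not part of the Oracle documentation or of OPSS, applies the rules from Tables F-2 to F-4 and F-7 to a jps-config.xml document: it resolves propertySetRef entries, checks that each LDAP or DB store instance carries the required properties for its server.type and platform, and flags a clear-text security.credential override and a credential store left with encrypt at false. The sample document, the finding codes, and the rule that an instance's own properties override propertySet entries are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample jps-config.xml fragment (not real deployment data): a DB
# policy store that relies on a propertySet, plus an LDAP credential store
# whose instance carries a clear-text password and leaves encryption off.
SAMPLE_JPS_CONFIG = """<jpsConfig>
  <propertySets>
    <propertySet name="props.db.1">
      <property name="jdbc.url" value="jdbc:oracle:thin:@db.example.invalid:1521:orcl"/>
      <property name="oracle.security.jps.farm.name" value="cn=farm"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
      <property name="bootstrap.security.principal.key" value="bootstrap"/>
    </propertySet>
  </propertySets>
  <serviceProviders>
    <serviceProvider type="POLICY_STORE" name="rdbms.policystore.provider"
      class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"/>
    <serviceProvider type="CREDENTIAL_STORE" name="ldap.credstore.provider"
      class="oracle.security.jps.internal.credstore.ldap.LdapCredentialStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <serviceInstance name="policystore.rdbms" provider="rdbms.policystore.provider">
      <property name="server.type" value="DB_ORACLE"/>
      <propertySetRef ref="props.db.1"/>
    </serviceInstance>
    <serviceInstance name="credstore.ldap" provider="ldap.credstore.provider">
      <property name="server.type" value="OID"/>
      <property name="ldap.url" value="ldap://ldap.example.invalid:3060"/>
      <property name="oracle.security.jps.farm.name" value="cn=farm"/>
      <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
      <property name="bootstrap.security.principal.key" value="bootstrap"/>
      <property name="security.principal" value="cn=orcladmin"/>
      <property name="security.credential" value="NotASecret123"/>
      <property name="encrypt" value="false"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

# Required for every LDAP/DB store (Table F-2). bootstrap.security.principal.map
# is also required there but has a default, so it is not checked here.
COMMON_REQUIRED = (
    "server.type",
    "bootstrap.security.principal.key",
    "oracle.security.jps.farm.name",
    "oracle.security.jps.ldap.root.name",
)
# Per store type (Table F-2), then per platform for DB stores: Table F-3 needs
# datasource.jndi.name in Java EE, Table F-4 needs jdbc.driver in Java SE.
REQUIRED_BY_TYPE = {"OID": ("ldap.url",), "DB_ORACLE": ("jdbc.url",)}
DB_PLATFORM_REQUIRED = {"ee": ("datasource.jndi.name",), "se": ("jdbc.driver",)}


def effective_properties(instance, property_sets):
    """Merge referenced propertySets into the instance's own properties.
    Assumption: a property set directly on the instance wins on conflict."""
    props = {}
    for ref in instance.findall("propertySetRef"):
        for p in property_sets.get(ref.get("ref"), []):
            props[p.get("name")] = p.get("value")
    for p in instance.findall("property"):
        props[p.get("name")] = p.get("value")
    return props


def lint_jps_config(xml_text, platform="ee"):
    """Return sorted (instance name, finding) pairs for a jps-config document."""
    root = ET.fromstring(xml_text)
    property_sets = {ps.get("name"): ps.findall("property") for ps in root.iter("propertySet")}
    provider_types = {sp.get("name"): sp.get("type") for sp in root.iter("serviceProvider")}
    findings = []
    for inst in root.iter("serviceInstance"):
        name = inst.get("name")
        props = effective_properties(inst, property_sets)
        store_type = props.get("server.type")
        if store_type not in REQUIRED_BY_TYPE:
            findings.append((name, "UNKNOWN_SERVER_TYPE:%s" % store_type))
        required = COMMON_REQUIRED + REQUIRED_BY_TYPE.get(store_type, ())
        if store_type == "DB_ORACLE":
            required += DB_PLATFORM_REQUIRED[platform]
        for key in required:
            if not props.get(key):
                findings.append((name, "MISSING:" + key))
        # Table F-4: security.credential is a clear-text password override.
        if "security.credential" in props:
            findings.append((name, "CLEARTEXT_CREDENTIAL"))
        # Table F-7: encrypt defaults to false on credential store instances.
        is_credstore = provider_types.get(inst.get("provider")) == "CREDENTIAL_STORE"
        if is_credstore and props.get("encrypt", "false").lower() != "true":
            findings.append((name, "CREDSTORE_ENCRYPT_OFF"))
    return sorted(findings)


if __name__ == "__main__":
    for instance, finding in lint_jps_config(SAMPLE_JPS_CONFIG):
        print("%s: %s" % (instance, finding))
```

Run it with platform="se" to apply the Java SE rule from Table F-4 (jdbc.driver) instead of the Java EE rule from Table F-3 (datasource.jndi.name).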

LDAP Identity Properties

Table F-8 lists the properties of LDAP identity stores, indicates which of them are extended properties, and gives the corresponding User and Role API property for each.

Table F-8 LDAP Identity Store Properties

Property Name Specifies

idstore.type

The type of the identity store.

Valid in Java SE and Java EE applications.

Required

Valid values:

OID - Oracle Internet Directory

OVD - Oracle Virtual Directory

ACTIVE_DIRECTORY - Microsoft Active Directory

IPLANET - Oracle Directory Server Enterprise Edition

EDIRECTORY - Novell eDirectory

OPEN_LDAP - OpenLDAP

LIBOVD - Oracle Library OVD

CUSTOM - Any other type

If using a custom authentication provider, then the service instance configuration must include one of the following properties:

<property name="idstore.type" value="<your-idstore-type>"/>
<property name="ADF_IM_FACTORY_CLASS" value="<your-IDM-FACTORY_CLASS_NAME>"/>

Corresponding User and Role API property: ADF_IM_FACTORY_CLASS

ldap.url

The LDAP URL value.

Valid in Java SE and Java EE applications.

Required.

No default value.

Value example: ldap://myServerName.com:1389.

Corresponding User and Role API property: ADF_IM_PROVIDER_URL

user.search.bases

The user search base for the LDAP server in DN format. Extended property.

Valid in Java SE and Java EE applications.

Required.

No default value.

Value example: cn=users,dc=us,dc=abc,dc=com

Corresponding User and Role API property: USER_SEARCH_BASES

group.search.bases

The group or enterprise search base for the LDAP server in DN format. Extended property.

Valid in Java SE and Java EE applications.

Required

No default value.

Value example: cn=groups,dc=us,dc=abc,dc=com

Corresponding User and Role API property: ROLE_SEARCH_BASES

idstore.config.provider

The idstore provider class.

Valid only in Java EE applications.

Required

The only supported value is:

oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider

group.create.bases

The base DNs used to create groups. Extended property.

Valid in Java EE and SE applications.

Required for write operations with the User and Role API; otherwise, optional.

Value example of a single DN:

<extendedProperty>
 <name>group.create.bases</name>
 <values>
  <value>cn=groups,dc=us,dc=oracle,dc=com</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_CREATE_BASES

user.create.bases

The base DNs used to create users. Extended property.

Valid in Java EE and SE applications.

Required for write operations with the User and Role API; otherwise, optional.

Value example of a single DN:

<extendedProperty>
 <name>user.create.bases</name>
 <values>
  <value>cn=users,dc=us,dc=oracle,dc=com</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: USER_CREATE_BASES

group.filter.object.classes

The fully qualified names of object classes used to search groups. Extended property.

Valid in Java EE and SE applications.

Optional.

Value example: groupOfUniqueNames.

Corresponding User and Role API property: ROLE_FILTER_OBJECT_CLASSES

group.mandatory.attrs

The attributes that must be specified when creating groups. Extended property.

Valid in Java EE and SE applications.

Optional.

Value example:

<extendedProperty>
 <name>group.mandatory.attrs</name>
 <values>
  <value>cn</value>
  <value>objectClass</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_MANDATORY_ATTRS

group.member.attrs

The attribute of a static role that specifies the distinguished names (DNs) of the members of a group. Extended property.

Valid in Java EE and SE applications.

Optional.

Value example:

<extendedProperty>
 <name>group.member.attrs</name>
 <values>
  <value>uniqueMember</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_MEMBER_ATTRS

group.object.classes

The fully qualified names of one or more schema object classes used to represent groups. Extended property.

Valid in Java EE and SE applications.

Optional.

Value example:

<extendedProperty>
 <name>group.object.classes</name>
 <values>
  <value>top</value>
  <value>groupOfUniqueNames</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: ROLE_OBJECT_CLASSES

group.selected.create.base

The base DNs for creating groups.

Valid in Java EE and SE applications.

Optional.

Value example: cn=users,dc=us,dc=abc,dc=com (single DN)

Corresponding User and Role API property: ROLE_SELECTED_CREATEBASE

groupname.attr

The attribute that uniquely identifies the name of the group.

Valid in Java EE and SE applications.

Optional.

Value example: cn

Corresponding User and Role API property: ROLE_NAME_ATTR

group.selected.search.base

The base DNs for searching groups.

Valid in Java EE and SE applications.

Optional.

Value example: cn=users,dc=us,dc=abc,dc=com (single DN)

max.search.filter.length

The maximum number of characters of the search filter.

Valid in Java EE and SE applications.

Optional.

Value: a positive integer.

Corresponding User and Role API property: MAX_SEARCHFILTER_LENGTH

search.type

The type of search to employ when the repository is queried.

Valid in Java EE and SE applications.

Optional.

Valid values: SIMPLE, PAGED, or VIRTUAL_LIST_VIEW.

Corresponding User and Role API property: IDENTITY_SEARCH_TYPE

user.filter.object.classes

The fully qualified names of object classes used to search users. Extended property.

Valid in Java EE and SE applications.

Optional.

Value example: inetOrgPerson

Corresponding User and Role API property: USER_FILTER_OBJECT_CLASSES

user.login.attr

The login identity of the user.

Valid in Java EE and SE applications.

Optional.

Value example:

<property name="user.login.attr" value="mail"/>

Corresponding User and Role API property: USER_LOGIN_ATTR

user.mandatory.attrs

The attributes that must be specified when you create a user. Extended property.

Valid in Java EE and SE applications.

Optional.

Value example:

<extendedProperty>
 <name>user.mandatory.attrs</name>
 <values>
  <value>cn</value>
  <value>objectClass</value>
  <value>sn</value>
 </values>
</extendedProperty>

Corresponding User and Role API property: USER_MANDATORY_ATTRS

user.object.classes

The fully qualified names of the schema classes used to represent users. Extended property.

Valid in Java EE and SE applications.

Optional.

Corresponding User and Role API property: USER_OBJECT_CLASSES

username.attr

The LDAP attribute that uniquely identifies the name of the user.

Valid in Java EE and SE applications.

Optional.

Corresponding User and Role API property: USER_NAME_ATTR

Note that if you reset the attribute username, then you must also reset username.attr.

ldap.host

The name of the system hosting the identity store.

Valid in Java EE and SE applications.

Optional.

subscriber.name

The default realm for the identity store.

Valid in Java EE and SE applications.

Optional.

Value example: dc=us,dc=oracle,dc=com.

Corresponding User and Role API property: ADF_IM_SUBSCRIBER_NAME

virtualize

Where search and modifications are performed. If true, then searching and modifying is available in all configured authentication providers. If false, then searching and modifying is available in only the first provider in the configured stack.

Set to true to use the User and Role API to search or write information in all providers.

Valid in Java EE and SE applications.

Optional.

Valid values: true or false.

Default value: false.

Value example:

<property name="virtualize" value="true"/>

The following example illustrates the configuration of an LDAP identity store for a Java SE application:

<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.type" value="OID"/>
    <property name="ldap.url" value="ldap://myHost.com:1234"/>
    <extendedProperty>
       <name>user.search.bases</name>
          <values>
             <value>cn=users,dc=us,dc=oracle,dc=com</value>
          </values>
    </extendedProperty>
    <extendedProperty>
       <name>group.search.bases</name>
          <values>
             <value>cn=groups,dc=us,dc=oracle,dc=com</value>
          </values>
    </extendedProperty>
</serviceInstance>

Properties Common to All LDAP Servers

Table F-9 lists properties common to LDAP servers.

In case of an LDAP identity store and to ensure that the User and Role API picks up the connection pool properties when it is using the JNDI connection factory, the identity store instance must include the following property:

<property name="INITIAL_CONTEXT_FACTORY" value="com.sun.jndi.ldap.LdapCtxFactory"/>

Table F-9 Generic LDAP Properties

Property Name Specifies

connection.pool.authentication

The type of LDAP connection that the JNDI connection pool uses.

Valid in Java EE and SE applications.

Optional.

Values: none, simple, and DIGEST-MD5.

Default value: simple.

connection.pool.max.size

The maximum number of connections in the LDAP connection pool.

Valid in Java EE and SE applications.

Optional.

Value example: 30

connection.pool.min.size

The minimum number of connections in the LDAP connection pool.

Valid in Java EE and SE applications.

Optional.

Value example: 5

connection.pool.protocol

The protocol to use for the LDAP connection.

Valid in Java EE and SE applications.

Optional.

Values: plain, ssl.

Default value: plain.

connection.pool.provider.type

The connection pool to use.

Valid in Java EE and SE applications.

Optional.

Values: JNDI, IDM.

Default value: JNDI.

connection.pool.timeout

The number of milliseconds that an idle connection can remain in the pool. After time-out, the connection is closed and removed from the pool.

Valid in Java EE and SE applications.

Optional.

Default value: 300000 (5 minutes)

oracle.security.jps.ldap.max.retry

The maximum number of retry attempts if there are problems with the LDAP connection.

Valid in Java EE and SE applications.

Optional.

Value example: 5

The following example illustrates a configuration of several properties:

   <!-- common properties used by all LDAPs -->
   <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
   <property name="oracle.security.jps.ldap.root.name"
             value="cn=OracleJpsContainer"/>
   <property name="oracle.security.jps.ldap.max.retry" value="5"/>

Trust Service Properties

Table F-10 lists the properties specific to the trust service.

Table F-10 Truststore Properties

Property Name Specifies

merge.jdkcacerts.with.trust

Whether to return public CA certificates in the keystore kss://system/publiccacerts with a keystore query to kss://system/trust. Set to true to have all certificates in publiccacerts included in the keystore query return. Set to false not to have them included in the query.

Valid in Java EE and SE applications.

Values: true or false.

Optional.

Default: false.

trust.keystoreType

The type of the truststore: Java Keystore (JKS) or keystore service (KSS) keystore.

Valid in Java EE and SE applications.

Optional.

Valid values: JKS or KSS.

Default: none.

If unspecified and KSS is provisioned, then the value is KSS. Otherwise it is JKS.

trust.keyStoreName

The store name with the format:

kss://<stripeName>/<keyStoreName>

Applies only when trust.keystoreType is KSS.

Valid in Java EE and SE applications.

Optional.

Default: kss://opss/trustservice_ks.

trust.trustStoreName

The store URL with the format:

kss://<stripeName>/<keyStoreName>

Applies only when trust.keystoreType is KSS.

Valid in Java EE and SE applications.

Optional.

Default: kss://opss/trustservice_ts.

trust.aliasName

The alias to use to get an X.509 certificate and private key from the keystore.

Valid in Java EE and SE applications.

Optional.

Default: the name of the Oracle WebLogic Server domain.

trust.issuerName

The name (included in the token) that the target trust service uses to pick up and validate the token.

Valid in Java EE and SE applications.

Optional.

Default: the name of the WebLogic Server domain.

trust.provider.className

The fully-qualified name of the trust provider class.

Valid in Java EE and SE applications.

Required.

Value: the only supported value is oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl.

trust.clockSkew

The time gap, in seconds, allowed when verifying time conditions.

Valid in Java EE and SE applications.

Optional.

Default: 0.

trust.token.validityPeriod

The number of seconds that a token remains valid after being issued.

Valid in Java EE and SE applications.

Required.

Default: none.

trust.csf.map

The map of the credential to access the keystore.

Valid in Java EE and SE applications.

Optional.

Default: the value of the keystore instance property keystore.csf.map.

trust.csf.keystorePass

Applies only when trust.keystoreType is JKS, and it specifies the key of the credential to access the private key (the map is set by trust.csf.map).

Valid in Java EE and SE applications.

Optional.

Default: the value of the keystore instance property keystore.pass.csf.key.

trust.csf.keyPass

The key of the credential to access the keystore (the map is set by trust.csf.map). Applies only when trust.keystoreType is JKS.

Valid in Java EE and SE applications.

Optional.

Default: the value of the keystore instance property keystore.sig.csf.key.

trust.token.includeCertificate

Whether the Security Assertion Markup Language (SAML) token includes a certificate.

Valid in Java EE and SE applications.

Required.

Valid values: true or false.

Default: false.

The following example illustrates the configuration of a trust service:

<propertySet name="trust.provider.embedded">
  <property name="trust.provider.className" value="oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl"/>
  <property name="trust.clockSkew" value="60"/>
  <property name="trust.token.validityPeriod" value="1800"/>
  <property name="trust.aliasName" value="orakey"/>
  <property name="trust.issuerName" value="orakey"/>
  <property name="trust.csf.map" value="my-csf-map"/>
  <property name="trust.csf.keystorePass" value="my-keystore-csf-key"/>
  <property name="trust.csf.keyPass" value="my-signing-csf-key"/>
</propertySet>

Audit Service Properties

Table F-11 lists the properties specific to audit. Additional properties are listed in Properties Common to OPSS Services.

Table F-11 Audit Properties

Property Name Specifies Required? Values Default Value

audit.filterPreset

The audit level.

no

None, Low, Medium, or High

None

audit.customEvents

The custom events to audit. The events must be qualified with the component type. Commas separate events and a semicolon separates component types.

Example:

JPS:CheckAuthorization, CreateCredential; OIF:UserLogin

no

NA

NA

audit.specialUsers

The list of users whose activity is always audited, even when audit.filterPreset is None.

no

NA

NA

audit.maxFileSize

The size, in bytes, of a bus-stop file where audit events are written.

no

NA

104857600

audit.loader.interval

The interval, in seconds, at which the audit loader uploads events to the database.

no

15 seconds

audit.loader.repositoryType

The store type for the audit events. If the type is Database (DB), then also define audit.loader.jndi or the audit.loader.jdbc.string property.

yes

File, DB

File

audit.loader.jndi

The JNDI name of the data source that application servers use to upload audit events into the database.

no

NA

jdbc/AuditAppendDataSource

audit.db.principal.map audit.db.principal.key

The map and key for the JDBC user name and password credential in bootstrap credential store, when running a Java SE application and the repository type is DB.

no

NA

NA

audit.loader.jdbc.string

The JDBC connection string, when running a Java SE application and the repository type is DB.

no

NA

audit.logDirectory

The base directory for bus-stop files.

Required for Java SE.

NA

jse

audit.timezone

The time zone used when recording events.

no

UTC, local

UTC

audit.change.scanning.interval

The number of milliseconds after which the service checks for any changes.

no

whole number greater than zero

60000 (60 seconds)

The following example illustrates the use of properties in a configuration:

<serviceInstance name="audit" provider="audit.provider" location="./audit-store.xml">
   <property name="audit.filterPreset" value="Medium"/>
   <property name="audit.loader.jndi" value="jdbc/AuditAppendDataSource"/>
   <property name="audit.loader.repositoryType" value="DB" />
   <property name="server.type" value="DB_ORACLE"/>
   <property name="audit.timezone" value="local" />
 </serviceInstance>
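As an added example (not code from the OPSS documentation), the following Python script checks a jps-config.xml fragment against the value constraints and required-property rules listed in Tables F-9 through F-11 above, and flags valid but weak settings such as an anonymous pool bind or the plain LDAP protocol. The sample fragment, the <jpsConfig> wrapper element, and the function names read_properties and lint are constructed here.

```python
# Added example, not part of the OPSS documentation: a linter that reads
# jps-config.xml-style <property> elements and checks them against the value
# constraints and required-property rules in Tables F-9 through F-11.
import xml.etree.ElementTree as ET

ALLOWED = {  # allowed values as listed in the tables above
    "connection.pool.authentication": {"none", "simple", "DIGEST-MD5"},
    "connection.pool.protocol": {"plain", "ssl"},
    "audit.filterPreset": {"None", "Low", "Medium", "High"},
    "audit.loader.repositoryType": {"File", "DB"},
    "trust.provider.className": {"oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl"},
}
TRUST_REQUIRED = ("trust.provider.className", "trust.token.validityPeriod",
                  "trust.token.includeCertificate")  # marked Required in Table F-10

def read_properties(xml_text):
    """Map name -> value for every <property>, stripping attribute whitespace:
    name="trust.csf.map " would otherwise define an unrelated property."""
    root = ET.fromstring(xml_text)
    return {p.get("name", "").strip(): p.get("value", "").strip()
            for p in root.iter("property")}

def lint(xml_text):
    """Return a list of finding strings; an empty list means nothing to report."""
    props = read_properties(xml_text)
    findings = []
    for name, allowed in ALLOWED.items():
        if name in props and props[name] not in allowed:
            findings.append(f"{name}: '{props[name]}' is not one of {sorted(allowed)}")
    # Valid settings that weaken security and deserve review.
    if "ldap.url" in props and props.get("connection.pool.protocol", "plain") == "plain":
        findings.append("connection.pool.protocol: plain (the default) sends LDAP traffic unencrypted")
    if props.get("connection.pool.authentication") == "none":
        findings.append("connection.pool.authentication: none allows anonymous LDAP binds")
    # Cross-property rules stated in the tables.
    if props.get("audit.loader.repositoryType") == "DB" and not (
            "audit.loader.jndi" in props or "audit.loader.jdbc.string" in props):
        findings.append("audit.loader.repositoryType=DB needs audit.loader.jndi or audit.loader.jdbc.string")
    if any(n.startswith("trust.") for n in props):
        findings += [f"{n} is required for the trust service" for n in TRUST_REQUIRED if n not in props]
        for name, lowest in (("trust.clockSkew", 0), ("trust.token.validityPeriod", 1)):
            if name in props and not (props[name].isdigit() and int(props[name]) >= lowest):
                findings.append(f"{name}: '{props[name]}' must be an integer >= {lowest}")
    return findings

# Constructed sample: a trust propertySet missing one required property and carrying a
# trailing space in an attribute name, plus an LDAP instance binding anonymously over plain.
SAMPLE = """<jpsConfig>
  <propertySet name="trust.provider.embedded">
    <property name="trust.provider.className" value="oracle.security.jps.internal.trust.provider.embedded.EmbeddedProviderImpl"/>
    <property name="trust.clockSkew" value="60"/>
    <property name="trust.token.validityPeriod" value="1800"/>
    <property name="trust.csf.map " value="my-csf-map"/>
  </propertySet>
  <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="ldap.url" value="ldap://myHost.com:1234"/>
    <property name="connection.pool.authentication" value="none"/>
  </serviceInstance>
</jpsConfig>"""
```

Running lint(SAMPLE) reports the plain protocol, the anonymous bind, and the missing trust.token.includeCertificate; the stripped attribute name lets trust.csf.map be read as intended.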

Keystore Service Properties

Table F-12 lists the properties specific to the keystore. Additional properties are listed in Properties Common to OPSS Services.

Table F-12 Keystore Service Properties

Property Name Specifies Required? Values Default

keystore.file.path

The location of the file keystores.xml when a file provider is configured.

Yes, if a file keystore provider is configured.

-

./

ca.key.alias

The key alias of the third party CA used for the keystore service instance.

No

-

-

location

The absolute or relative path (location) of the keystore.

Yes, if keystore.type is JKS.

No, if keystore.type is PKCS11 or HSM (LunaSA)

Path to keystore

./default-keystore.jks

keystore.type

The type of keystore.

No

KSS, JKS, PKCS11, Luna

JKS

keystore.csf.map

The credential store map name that OWSM uses. Used by OWSM only.

No

Credential store map name

oracle.wsm.security

keystore.pass.csf.key

The credential store key that points to the keystore password. Used by OWSM only.

No

Credential store csf key name

keystore-csf-key

keystore.sig.csf.key

The credential store key name that points to the alias and password of the signing key in the keystore. For HSM, it is the direct key alias name rather than the credential store key name. Used by OWSM only.

No

Credential store csf key name or, for HSM, the direct alias

sign-csf-key

keystore.enc.csf.key

The credential store key name that points to the alias and password of the encryption key in the keystore. For HSM, it is the direct key alias name rather than the credential store key name. Used by OWSM only.

No

Credential store csf key name or, for HSM, the direct alias

enc-csf-key

The following example illustrates a keystore configuration:

<propertySet name="props.ldap.1">
  <property name="java.naming.ldap.derefAliases" value="never"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_6aCNhgRM3zF04ToliwecdF6K3oo="/>
  <property name="oracle.security.jps.farm.name" value="cn=compact1_oid26008"/>
  <property name="server.type" value="OID"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="ldap.url" value="ldap://myComp.com:2020"/>
</propertySet>
 
<serviceProvider type="KEY_STORE" name="keystore.provider" class="oracle.security.jps.internal.keystore.KeyStoreProvider">
</serviceProvider>
<serviceInstance name="keystore.ldap" provider="keystore.provider">
  <propertySetRef ref="props.ldap.1"/>
</serviceInstance>

The following example illustrates a keystore configuration for an LDAP provider:

<serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
   <description>Default JPS Keystore Service</description>
   <property name="server.type" value="OID"/>
   <property name="keystore.type" value="JKS"/>
   <property name="keystore.csf.map" value="oracle.wsm.security"/>
   <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
   <property name="keystore.sig.csf.key" value="sign-csf-key"/>
   <property name="keystore.enc.csf.key" value="enc-csf-key"/>
   <property name="bootstrap.security.principal.key" value="bootstrap"/>
   <property name="oracle.security.jps.farm.name" value="cn=wls-jrfServer"/>
   <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
   <property name="ldap.url" value="ldap://myHost.com:1234"/>
</serviceInstance>

The following example illustrates a keystore configuration for a DB provider:

<propertySet name="props.db.1">
   <property name="jdbc.url" value="jdbc:oracle:thin:@host:port:sid"/>
   <property name="oracle.security.jps.farm.name" value="cn=farm"/>
   <property name="server.type" value="DB_ORACLE"/>
   <property name="oracle.security.jps.ldap.root.name" value="cn=jpsroot"/>
   <property name="jdbc.driver" value="oracle.jdbc.OracleDriver"/>
   <property name="bootstrap.security.principal.map" value="credential_map"/>
   <property name="bootstrap.security.principal.key" value="credential_key"/>
</propertySet>
 
<serviceInstance name="keystore.rdbms" provider="keystore.provider" location="./default-keystore.jks">
   <propertySetRef ref="props.db.1"/>
   <property name="server.type" value="DB_ORACLE"/>
   <property name="keystore.type" value="JKS"/>
   <property name="keystore.csf.map" value="oracle.wsm.security"/>
   <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
   <property name="keystore.sig.csf.key" value="sign-csf-key"/>
   <property name="keystore.enc.csf.key" value="enc-csf-key"/>
</serviceInstance>

Anonymous and Authenticated Roles Properties

Table F-13 lists the properties that can be used to configure anonymous users, anonymous roles, and authenticated roles.

Table F-13 Anonymous and Authenticated Roles Properties

Property Name Specifies

anonymous.role.description

The description of the anonymous role.

Valid in Java EE and SE applications.

Optional.

No default value.

anonymous.role.name

The name of the principal in the anonymous role.

Valid in Java EE and SE applications.

Optional.

Default value: anonymous-role

anonymous.role.uniquename

The name of the anonymous role.

Valid in Java EE and SE applications.

Optional.

Default value: anonymous-role

anonymous.user.name

The name of the principal in the anonymous user.

Valid in Java EE and SE applications.

Optional.

Default value: anonymous

authenticated.role.description

The description of the authenticated role.

Valid in Java EE and SE applications.

Optional.

No default value.

authenticated.role.name

The name of the principal in authenticated user roles.

Valid in Java EE and SE applications.

Optional.

Default value: authenticated-role

authenticated.role.uniquename

The name of the authenticated role.

Valid in Java EE and SE applications.

Optional.

Default value: authenticated-role

remove.anonymous.role

Whether to remove the anonymous role from the subject after a user is authenticated.

Valid in Java EE and SE applications.

Optional.

Valid values: true, false.

Default value: false.