This chapter describes the Oracle Fusion Middleware Infrastructure Security WLST commands.
It includes the following topic:
Securing Applications with Oracle Platform Security Services.
"Using Custom WLST Commands" in the Administering Oracle Fusion Middleware.
The infrastructure WLST security commands are divided into the following categories:
Table 2-1 WLST Command Categories
| Command Category | Description |
|---|---|
|
Manage domain and credential domain stores and migrate domain policy store. |
|
|
View and manage audit policies and the audit repository configuration |
|
|
Manage the OPSS keystore service. |
|
|
Manage Identity Directory Service entity attributes, entity definitions, relationships, and default operational configurations. |
|
|
View and manage Library Oracle Virtual Directory (libOVD) configurations associated with a particular OPSS context. |
Note:
In syntax descriptions, optional arguments are enclosed in square brackets; all other arguments are required.Use the WLST security commands listed in Table 2-2 to operate on a domain policy or credential store, to migrate policies and credentials from a source repository to a target repository, and to import and export (credential) encryption keys.
Table 2-2 WLST Security Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Add a credential to the bootstrap credential store |
Offline |
|
|
Add a resource to an entitlement. |
Online |
|
|
Create a new application role. |
Online |
|
|
Create a new credential. |
Online |
|
|
Create an entitlement. |
Online |
|
|
Create a resource. |
Online |
|
|
Create a new resource type. |
Online |
|
|
Remove all policies in an application. |
Online |
|
|
Remove an application role. |
Online |
|
|
Remove a credential. |
Online |
|
|
Remove an entitlement. |
Online |
|
|
Remove a resource. |
Online |
|
|
Remove an existing resource type. |
Online |
|
|
Export the domain encryption key to the file |
Offline |
|
|
List an entitlement. |
Online |
|
|
Fetch an existing resource type. |
Online |
|
|
Add a principal to a role. |
Online |
|
|
Create an entitlement. |
Online |
|
|
Create a new permission. |
Online |
|
|
Import the encryption key in file |
Offline |
|
|
List all roles in an application. |
Online |
|
|
List all members in an application role. |
Online |
|
|
List application stripes in policy store. |
Online |
|
|
List permissions assigned to a source code in global policies. |
Online |
|
|
List an entitlement. |
Online |
|
|
List entitlements in an application stripe. |
Online |
|
|
List all permissions granted to a principal. |
Online |
|
|
List actions in a resource. |
Online |
|
|
List resource types in an application stripe. |
Online |
|
|
List resources in an application stripe. |
Online |
|
|
List the type and location of the OPSS security store, and the user allowed to access it. |
Offline |
|
|
Migrate policies or credentials from a source repository to a target repository. |
Offline |
|
|
Update bootstrap credential store |
Offline |
|
|
Reassociate policies and credentials to an LDAP repository |
Online |
|
|
Restore the domain encryption key as it was before the last importing. |
Offline |
|
|
Remove a principal from a role. |
Online |
|
|
Remove an entitlement. |
Online |
|
|
Remove a permission. |
Online |
|
|
Remove a resource from an entitlement |
Online |
|
|
Replace the current domain encryption key with a new one. |
Offline |
|
|
Modify the attribute values of a credential. |
Online |
|
|
Update the configuration of the trust service. |
Online |
Offline command that adds a credential to the bootstrap credential store.
Adds a password credential with the given map, key, user name, and user password to the bootstrap credentials configured in the default JPS context of a JPS configuration file. In the event of an error, the command returns a WLSTException.
addBootStrapCredential(jpsConfigFile, map, key, username, password)
| Argument | Definition |
|---|---|
jpsConfigFile |
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
map |
Specifies the map of the credential to add. |
key |
Specifies the key of the credential to add. |
username |
Specifies the name of the user in the credential to add. |
password |
Specifies the password of the user in the credential to add. |
The following example adds a credential to the bootstrap credential store:
wls:/mydomain/serverConfig> addBootStrapCredential(jpsConfigFile='./jps-config.xml', map='myMapName', key='myKeyName', username='myUser', password='myPassword')
Online command that adds a resource with specified actions to an entitlement.
Adds a resource with specified actions to an entitlement in a specified application stripe. The passed resource type must exist in the passed application stripe.
addResourceToEntitlement(appStripe="appStripeName", name="entName", resourceName="resName",actions="actionList")
| Argument | Definition |
|---|---|
appStripe |
Specifies the application stripe where the entitlement is located. |
name |
Specifies the name of the entitlement to modify. |
resourceName |
Specifies the name of the resource to add. |
resourceType |
Specifies the type of the resource to add. The passed resource type must be present in the application stripe at the time this script is invoked. |
actions |
Specifies the comma-separated list of actions for the added resource. |
The following example adds the resource myResource to the entitlement myEntitlement in the application stripe myApplication:
wls:/mydomain/serverConfig> addResourceToEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Online command that creates a new application role.
Creates a new application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
| Argument | Definition |
|---|---|
appSripe |
Specifies an application stripe. |
appRoleName |
Specifies a role name. |
The following example creates a new application role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> createAppRole(appStripe="myApp", appRoleName="myRole")
Online command that creates a new credential in the domain credential store.
Creates a new credential in the domain credential store with a given map name, key name, type, user name and password, URL and port number. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
createCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
user
|
Specifies the credential user name. |
password
|
Specifies the credential password. |
desc
|
Specifies a string describing the credential. |
The following example creates a new password credential with the specified data:
wls:/mydomain/serverConfig> createCred(map="myMap, key="myKey", user="myUsr", password="myPassw", desc="updated usr name and passw to connect to app xyz")
Online command that creates a new entitlement.
Creates a new entitlement with just one resource and a list of actions in a specified application stripe. Use addResourceToEntitlement to add additional resources to an existing entitlement; use revokeResourceFromEntitlement to delete resources from an existing entitlement.
createEntitlement(appStripe="appStripeName", name="entitlementName", resourceName="resName", actions="actionList" [,-displayName="dispName"] [,-description="descript"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is created. |
name
|
Specifies the name of the entitlement created. |
resourceName
|
Specifies the name of the one resource member of the entitlement created. |
actions
|
Specifies a comma-separated the list of actions for the resource resourceName. |
displayName
|
Specifies the display name of the resource created. Optional. |
description
|
Specifies the description of the entitlement created. Optional. |
The following example creates the entitlement myEntitlement with just the resource myResource in the stripe myApplication:
wls:/mydomain/serverConfig> createEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", actions="read,write")
Online command that creates a new resource.
Creates a resource of a specified type in a specified application stripe. The passed resource type must exist in the passed application stripe.
createResource(appStripe="appStripeName", name="resName", type="resTypeName" [,-displayName="dispName"] [,-description="descript"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource is created. |
name
|
Specifies the name of the resource created. |
type
|
Specifies the type of resource created. The passed resource type must be present in the application stripe at the time this script is invoked. |
displayName
|
Specifies the display name of the resource created. Optional. |
description
|
Specifies the description of the resource created. Optional. |
The following example creates the resource myResource in the stripe myApplication:
wls:/mydomain/serverConfig> createResource(appStripe="myApplication", name="myResource", type="myResType", displayName="myNewResource")
Online command that creates a new resource type in the domain policy store within a given application stripe.
Creates a new resource type element in the domain policy store within a given application stripe and with specified name, display name, description, and actions. In the event of an error, the command returns a WLSTException.
createResourceType(appStripe, resourceTypeName, displayName, description [, provider] [, matcher], actions [, delimeter])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where to insert the resource type. |
resourceTypeName
|
Specifies the name of the resource type to insert. |
displayName
|
Specifies the name for the resource type used in UI gadgets. |
description |
Specifies a brief description of the resource type. |
provider
|
Specifies the provider for the resource type. |
matchere
|
Specifies the class of the resource type. If unspecified, it defaults to oracle.security.jps.ResourcePermission. |
actions
|
Specifies the actions allowed on instances of the resource type. |
delimeter
|
Specifies the character used to delimit the list of actions. If unspecified, it defaults to comma ','. |
The following example creates a resource type in the stripe myApplication with actions BWPrint and ColorPrint delimited by a semicolon:
wls:/mydomain/serverConfig> createResourceType(appStripe="myApplication", resourceTypeName="resTypeName", displayName="displName", description="A resource type", provider="Printer", matcher="com.printer.Printer", actions="BWPrint;ColorPrint" [, delimeter=";"])
Online command that removes all policies with a given application stripe.
Removes all policies with a given application stripe. In the event of an error, the command returns a WLSTException.
deleteAppPolicies(appStripe)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
The following example removes all policies of application myApp:
wls:/mydomain/serverConfig> deleteAppPolicies(appStripe="myApp")
Online command that removes an application role.
Removes an application role in the domain policy store with a given application and role name. In the event of an error, the command returns a WLSTException.
createAppRole(appStripe, appRoleName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
The following example removes the role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> deleteAppRole(appStripe="myApp", appRoleName="myRole")
Online command that deletes an entitlement.
Deletes an entitlement in a specified application stripe. It performs a cascading deletion by removing all references to the specified entitlement in the application stripe.
deleteEntitlement(appStripe="appStripeName", name="entitlementName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is deleted. |
name
|
Specifies the name of the entitlement to delete. |
The following example deletes the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> deleteEntitlement(appStripe="myApplication", name="myEntitlement")
Online command that removes a credential in the domain credential store.
Removes a credential with given map name and key name from the domain credential store. In the event of an error, the command returns a WLSTException.
deleteCred(map,key)
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
The following example removes the credential with map name myMap and key name myKey:
wls:/mydomain/serverConfig> deleteCred(map="myApp",key="myKey")
Online command that deletes a resource.
Deletes a resource and all its references from entitlements in an application stripe. It performs a cascading deletion: if the entitlement refers to one resource only, it removes the entitlement; otherwise, it removes from the entitlement the resource actions for the passed type.
deleteResource(appStripe="appStripeName", name="resName", type="resTypeName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource is deleted. |
name
|
Specifies the name of the resource deleted. |
type
|
Specifies the type of resource deleted. The passed resource type must be present in the application stripe at the time this script is invoked. |
The following example deletes the resource myResource in the stripe myApplication:
wls:/mydomain/serverConfig> deleteResource(appStripe="myApplication", name="myResource", type="myResType")
Online command that removes a resource type from the domain policy store within a given application stripe.
Removes a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
deleteResourceType(appStripe, resourceTypeName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe from where to remove the resource type. |
resourceTypeName
|
Specifies the name of the resource type to remove. |
The following example removes the resource type myResType from the stripe myApplication:
wls:/mydomain/serverConfig> deleteResourceType(appStripe="myApplication", resourceTypeName="myResType")
Offline command that extracts the encryption key from a domain's bootstrap wallet to the file ewallet.p12.
Writes the domain's credential encryption key to the file ewallet.p12. The password passed must be used to import data from that file with the command importEncryptionKey.
exportEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
keyFilePath
|
Specifies the directory where the file ewallet.p12 is created; note that the content of this file is encrypted and secured by the value passed to keyFilePassword. |
keyFilePassword
|
Specifies the password to secure the file ewallet.p12; note that this same password must be used when importing that file. |
The following example writes the file ewallet.p12 in the directory myDir:
exportEncryptionKey(jpsConfigFile="pathName", keyFilePath="myDir" ,keyFilePassword="password")
Online command that gets an entitlement.
Returns the name, display name, and all the resources (with their actions) of an entitlement in an application stripe.
getEntitlement(appStripe="appStripeName", name="entitlementName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is located. |
name
|
Specifies the name of the entitlement to access. |
The following example returns the information of the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> getEntitlement(appStripe="myApplication", name="myEntitlement")
Online command that fetches a resource type from the domain policy store within a given application stripe.
Gets the relevant parameters of a <resource-type> entry in the domain policy store within a given application stripe and with specified name. In the event of an error, the command returns a WLSTException.
getResourceType(appStripe, resourceTypeName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe from where to fetch the resource type. |
resourceTypeName
|
Specifies the name of the resource type to fetch. |
The following example fetches the resource type myResType from the stripe myApplication:
wls:/mydomain/serverConfig> getResourceType(appStripe="myApplication", resourceTypeName="myResType")
Online command that adds a principal to a role.
Adds a principal (class or name) to a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
grantAppRole(appStripe, appRoleName,principalClass, principalName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
principalClass
|
Specifies the fully qualified name of a class. |
principalName
|
Specifies the principal name. |
The following example adds a principal to the role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> grantAppRole(appStripe="myApp", appRoleName="myRole",principalClass="com.example.xyzPrincipal", principalName="myPrincipal")
Online command that grant an entitlement to a named principal.
Grants an entitlement to a specified principal in a specified application stripe.
grantEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the principal resides. |
principalClass
|
Specifies the class associated with the principal. |
principalName
|
Specifies the name of the principal to which the entitlement is granted. |
permSetName
|
Specifies the name of the entitlement granted. |
The following example grants the entitlement myEntitlement in the stripe myApplication to the principal myPrincipalName:
wls:/mydomain/serverConfig> grantEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that creates a new permission.
Creates a new permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
grantPermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL
|
Specifies the URL of the code granted the permission. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
permClass
|
Specifies the fully qualified name of the permission class. |
permTarget
|
Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions
|
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following example creates a new application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> grantPermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following example creates a new system permission with the specified data:
wls:/mydomain/serverConfig> grantPermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permTarget="/tmp/fileName.ext", permActions="read,write")
Offline command that imports keys from the specified ewallet.p12 file into the domain.
Imports encryption keys from the file ewallet.p12 into the domain. The password passed must be the same as that used to create the file with the command exportEncryptionKey.
importEncryptionKey(jpsConfigFile, keyFilePath, keyFilePassword)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
keyFilePath
|
Specifies the directory where the ewallet.p12 is located. |
keyFilePassword
|
Specifies the password used when the file ewallet.p12 was generated. |
importEncryptionKey(jpsConfigFile="pathName", keyFilePath="dirloc" ,keyFilePassword="password")
Online command that lists all roles in an application.
Lists all roles within a given application stripe. In the event of an error, the command returns a WLSTException.
listAppRoles(appStripe)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
The following example returns all roles with application stripe myApp:
wls:/mydomain/serverConfig> listAppRoles(appStripe="myApp")
Online command that lists all members in a role.
Lists all members in a role with a given application stripe and role name. In the event of an error, the command returns a WLSTException.
listAppRoleMembers(appStripe, appRoleName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
The following example returns all members in the role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> listAppRoleMembers(appStripe="myApp", appRoleName="myRole")
Online or offline command that lists the application stripes in the policy store.
This script can be run in offline or online mode. When run in offline mode, a configuration file must be passed, and it lists the application stripes in the policy store referred to by the configuration in the default context of the passed configuration file; the default configuration must not have a service instance reference to an identity store. When run in online mode, a configuration file must not be passed, and it lists stripes in the policy store of the domain to which you connect. In any mode, if a regular expression is passed, it lists the application stripes with names that match the regular expression; otherwise, it lists all application stripes.
listAppStripes([configFile="configFileName"] [, regularExpression="aRegExp"])
| Argument | Definition |
|---|---|
configFile
|
Specifies the path to the OPSS configuration file. Optional. If specified, the script runs offline; the default context in the specified configuration file must not have a service instance reference to an identity store. If unspecified, the script runs online and it lists application stripes in the policy store. |
regularExpression
|
Specifies the regular expression that returned stripe names should match. Optional. If unspecified, it matches all names. To match substrings, use the character *. |
The following (online) invocation returns the list of application stripes in the policy store:
wls:/mydomain/serverConfig> listAppStripes
The following (offline) invocation returns the list of application stripes in the policy store referenced in the default context of the specified configuration file:
wls:/mydomain/serverConfig> listAppStripes(configFile=" /home/myFile/jps-config.xml")
The following (online) invocation returns the list of application stripes that contain the prefix App:
wls:/mydomain/serverConfig> listAppStripes(regularExpression="App*")
Online command that lists permissions assigned to a source code in global policies.
This command allows listing codebase permissions in global policies.
listCodeSourcePermissions([codeBase="codeUrl"])
| Argument | Definition |
|---|---|
codeBaseURL
|
Specifies the name of the grantee codebase URL. |
The following example returns the list permissions assigned to a code source in all global policies:
wls:/mydomain/serverConfig> listCodeSourcePermissions(codeBaseURL="file:/tmp/lib/myJars.jar")
Online command that lists an entitlement in a specified application stripe.
If a principal name and a class are specified, it lists the entitlements that match the specified principal; otherwise, it lists all the entitlements.
listEntitlement(appStripe="appStripeName" [, principalName="principalName", principalClass="principalClass"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is deleted. |
principalName
|
Specifies the name of the principal to match. Optional. |
principalClass
|
Specifies the class of the principal to match. Optional. |
The following example lists all entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlement(appStripe="myApplication")
Online command that lists the entitlements in an application stripe.
Lists all the entitlements in an application stripe. If a resource name and a resource type are specified, it lists the entitlements that have a resource of the specified type matching the specified resource name; otherwise, it lists all the entitlements in the application stripe.
listEntitlements(appStripe="appStripeName" [,resourceTypeName="resTypeName", resourceName="resName"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe from where to list entitlements. |
resourceTypeName
|
Specifies the name of the type of the resources to list. Optional. |
resourceName
|
Specifies the name of resource to match. Optional. |
The following example lists all the entitlements in the stripe myApplication:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication")
The following example lists all the entitlements in the stripe myApplication that contain a resource type myResType and a resource whose name match the resource name myResName:
wls:/mydomain/serverConfig> listEntitlements(appStripe="myApplication", resourceTypeName="myResType", resourceName="myResName")
Online command that lists all permissions granted to a given principal.
Lists all permissions granted to a given principal. In the event of an error, the command returns a WLSTException.
listPermissions([appStripe,] principalClass, principalName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
The following example lists all permissions granted to a principal by the policies of application myApp:
wls:/mydomain/serverConfig> listPermissions(appStripe="myApp", principalClass="my.custom.Principal",principalName="manager")
The following example lists all permissions granted to a principal by system policies:
wls:/mydomain/serverConfig> listPermissions(principalClass="my.custom.Principal", principalName="manager")
Online command that lists the resources and actions in an entitlement.
Lists the resources and actions in an entitlement within an application stripe.
listResourceActions(appStripe="appStripeName", permSetName="entitlementName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement resides. |
permSetName
|
Specifies the name of the entitlement whose resources and actions to list. |
The following example lists the resources and actions of the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> listResourceActions(appStripe="myApplication", permSetName="myEntitlement")
Online command that lists resources in a specified application stripe.
If a resource type is specified, it lists all the resources of the specified resource type; otherwise, it lists all the resources of all types.
listResources(appStripe="appStripeName" [,type="resTypeName"])
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resources are listed. |
type
|
Specifies the type of resource listed. The passed resource type must be present in the application stripe at the time this script is invoked. |
The following example lists all resources of type myResType in the stripe myApplication:
wls:/mydomain/serverConfig> listResources(appStripe="myApplication", type="myResType")
Online command that lists resource types.
Lists all the resource types in a specified application stripe.
listResourceTypes(appStripe="appStripeName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the resource types are located. |
The following example lists all resource types in the stripe myApplication:
wls:/mydomain/serverConfig> listResourceTypes(appStripe="myApplication")
Offline command that lists the type, the location, and the administrative user of the domain security store.
The script runs in offline mode and outputs the type of the OPSS security store (file, OID, or DB), its location, and the user allowed to access it (typically a security administrator).
listSecurityStoreInfo(domainConfig="configFilePath")
| Argument | Definition |
|---|---|
domainConfig
|
Specifies the full absolute path to the OPSS configuration file jps-config.xml; the file jps-config-jse.xml is also expected to be in the passed directory. |
The following example returns the type, location, and administrative user of the OPSS policy store:
wls:/mydomain/serverConfig> listSecurityStoreInfo(domainConfig="/home/myConfigPathDirectory/config/fmwconfig")
The following lines illustrate a sample output generated by this command:
For jps-config.xml Store Type: DB_ORACLE Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1555/OWSM.US.COM User: DEV_OPSS Datasource: jdbc/OpssDataSource For jps-config-jse.xml Store Type: DB_ORACLE Location/Endpoint: jdbc:oracle:thin:@adc2120515.us.myComp.com:1521/OWSM.US.COM User: DEV_OPSS
Offline command that migrates identities, application-specific, system policies, a specific credential folder, or all credentials.
Migrates security artifacts from a source repository to a target repository. For full details, see Migrating with the Script migrateSecurityStore.
Offline command that updates a bootstrap credential store.
Updates a bootstrap credential store with given user name and password. In the event of an error, the command returns a WLSTException.
Typically used in the following scenario: suppose that the domain policy and credential stores are LDAP-based, and the credentials to access the LDAP store (stored in the LDAP server) are changed. Then this command can be used to seed those changes into the bootstrap credential store.
modifyBootStrapCredential(jpsConfigFile, username, password)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
username
|
Specifies the distinguished name of the user in the LDAP store. |
password
|
Specifies the password of the user. |
Suppose that in the LDAP store the password of the user with distinguished name cn=orcladmin has been changed to welcome1, and that the configuration file jps-config.xml is located in the current directory.Then the following example changes the password in the bootstrap credential store to welcome1:
wls:/mydomain/serverConfig> modifyBootStrapCredential(jpsConfigFile='./jps-config.xml', username='cn=orcladmin', password='welcome1')
Any output regarding the audit service can be disregarded.
Online command that migrates the policy and credential stores to an LDAP repository.
The script reassociateSecurityStore migrates the OPSS security store from a source to a target LDAP- or DB-based store, and it resets services in the files jps-config.xml and jps-config-jse.xml to the target repository. It also allows specifying that the OPSS security store be shared with that in a different domain (see optional argument join below). The OPSS binaries and the target policy store must have compatible versions.
For complete details and samples see Securing Applications with Oracle Platform Security Services.
Offline command to restore the domain credential encryption key.
Restores the state of the domain bootstrap keys as it was before running importEncryptionKey.
restoreEncryptionKey(jpsConfigFile)
| Argument | Definition |
|---|---|
jpsConfigFile
|
Specifies the location of the file jps-config.xml relative to the location where the command is run. |
restoreEncryptionKey(jpsConfigFile="pathName")
Online command that removes a principal from a role.
Removes a principal (class or name) from a role with a given application stripe and name. In the event of an error, the command returns a WLSTException.
revokeAppRole(appStripe, appRoleName, principalClass, principalName)
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. |
appRoleName
|
Specifies a role name. |
principalClass
|
Specifies the fully qualified name of a class. |
principalName
|
Specifies the principal name. |
The following example removes a principal to the role with application stripe myApp and role name myRole:
wls:/mydomain/serverConfig> revokeAppRole(appStripe="myApp", appRoleName="myRole",principalClass="com.example.xyzPrincipal", principalName="myPrincipal")
Online command that deletes an entitlement.
Deletes an entitlement and revokes the entitlement from the principal in a specified application stripe.
revokeEntitlement(appStripe="appStripeName", principalClass="principalClass", principalName="principalName" ,-permSetName="entName")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is deleted. |
principalClass
|
Specifies the class associated with the principal. |
principalName
|
Specifies the name of the principal to which the entitlement is revoked. |
permSetName
|
Specifies the name of the entitlement deleted. |
The following example deleted the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeEntitlement(appStripe="myApplication", principalClass="oracle.security.jps.service.policystore.ApplicationRole", principalName="myPrincipalName", permSetName="myEntitlement")
Online command that removes a permission.
Removes a permission for a given code base or URL. In the event of an error, the command returns a WLSTException.
revokePermission([appStripe,] [codeBaseURL,] [principalClass,] [principalName,]permClass, [permTarget,] [permActions])
| Argument | Definition |
|---|---|
appStripe
|
Specifies an application stripe. If not specified, the command works on system policies. |
codeBaseURL
|
Specifies the URL of the code granted the permission. |
principalClass
|
Specifies the fully qualified name of a class (grantee). |
principalName
|
Specifies the name of the grantee principal. |
permClass
|
Specifies the fully qualified name of the permission class. |
permTarget
|
Specifies, when available, the name of the permission target. Some permissions may not include this attribute. |
permActions
|
Specifies a comma-separated list of actions granted. Some permissions may not include this attribute and the actions available depend on the permission class. |
The following example removes the application permission (for the application with application stripe myApp) with the specified data:
wls:/mydomain/serverConfig> revokePermission(appStripe="myApp", principalClass="my.custom.Principal", principalName="manager", permClass="java.security.AllPermission")
The following example removes the system permission with the specified data:
wls:/mydomain/serverConfig> revokePermission(principalClass="my.custom.Principal", principalName="manager", permClass="java.io.FilePermission", permTarget="/tmp/fileName.ext", permActions="read,write")
Online command that removes a resource from an entitlement.
Removes a resource from an entitlement in a specified application stripe.
revokeResourceFromEntitlement(appStripe="appStripeName", name="entName", resourceName="resName", resourceType="resTypeName", actions="actionList")
| Argument | Definition |
|---|---|
appStripe
|
Specifies the application stripe where the entitlement is located. |
name
|
Specifies the name of the entitlement to modify. |
resourceName
|
Specifies the name of the resource to remove. |
resourceType
|
Specifies the type of the resource to remove. |
actions
|
Specifies the comma-separated list of actions to remove. |
The following example removes the resource myResource from the entitlement myEntitlement in the stripe myApplication:
wls:/mydomain/serverConfig> revokeResourceFromEntitlement(appStripe="myApplication", name="myEntitlement", resourceName="myResource", resourceType="myResType", actions="view,edit")
Offline command that changes the domain encryption key.
This offline script replaces the current domain OPSS encryption key with a new one; the current key is not deleted but archived, since it is used to decrypt data that was encrypted using that key.
Note the following important points:
This command should be executed from the administration server in the domain. No server restart is needed after its execution.
If the domain is the only domain accessing the security store, nothing else is required.
However, if two or more domains share the security store, the newly generated key should be exported from the domain where the script was run and imported into each of the other domains sharing the security store, using the scripts exportEncryptionKey and importEncryptionKey.
rollOVerEncryptionKey(jpsConfigFile="pathName")
| Argument | Definition |
|---|---|
| jpsConfigFile | Specifies the location of the file jps-config.xml; either relative to the location where the script is run, or the full path. |
The following example lists all resource types in the stripe myApplication:
wls:/mydomain/serverConfig> rollOverEncryptionKey(jpsConfigFile="myConfig")
Online command that modifies the type, user name, and password of a credential.
Modifies the type, user name, password, URL, and port number of a credential in the domain credential store with given map name and key name. This command can update the data encapsulated in credentials of type password only. In the event of an error, the command returns a WLSTException. This command runs in interactive mode only.
updateCred(map, key, user, password, [desc])
| Argument | Definition |
|---|---|
map
|
Specifies a map name (folder). |
key
|
Specifies a key name. |
user
|
Specifies the credential user name. |
password
|
Specifies the credential password. |
desc
|
Specifies a string describing the credential. |
The following example updates a password credential with the specified data:
wls:/mydomain/serverConfig> updateCred(map="myMap", key="myKey", user="myUsr", password="myPassw", desc="updated passw cred to connect to app xyz")
Online command that updates the configuration of the domain trust service service with the values passed in a property file.
Updates the trust service domain configuration. In the event of an error, the command returns a WLSTException.
updateTrustServiceConfig([providerName="<the provider name>",]
propsFile="<path of properties file>")
| Argument | Definition |
|---|---|
providerName
|
Specifies the name of the trust service provider; optional; if unspecified, it defaults to trust.provider.embedded. |
propsFile
|
Specifies the path to the file where the property values are set. |
Here is a sample property file:
trust.keystoreType=KSS trust.keyStoreName=kss://<stripeName>/<keystoreName> trust.trustStoreName=kss://<stripeName>/<truststoreName> trust.aliasName=<aliasName> trust.issuerName=<aliasName>
Note that the list of specified properties differs according to the value of the property trust.keystoreType. The type can be KSS or JKS; if a property is set to the empty string, then that property is removed from the trust service configuration. For the list of available properties, see section Trust Service Properties.
The following example updates the trust store service with the specifications in the file myProps:
wls:/mydomain/serverConfig> updateTrustServiceConfig(providerName="myProvider", propsFile="myProps")
Use the WLST commands listed in Table 2-3 to view and manage audit policies and the audit repository configuration.
| Use this command | To | Use with WLST |
|---|---|---|
|
Generate an SQL script to create an IAU view in the database. |
Online |
|
|
Generate an SQL script to create an audit definitions view in the database. |
Online |
|
|
Remove audit definitions of a specified component from the audit store. |
Online |
|
|
Export a component's audit configuration. |
Online |
|
|
Get information about a view. |
Online |
|
|
Display the mBean name for a non-Java EE component. |
Online |
|
|
Display audit policy settings. |
Online |
|
|
Display audit repository settings. |
Online |
|
|
Import a component's audit configuration. |
Online |
|
|
List components that can be audited. |
Online |
|
|
List audit events for one or all components. |
Online |
|
|
Update audit policy settings. |
Online |
|
|
Update audit repository settings. |
Online |
|
|
Register audit definitions for a specified component in the audit store. |
Online |
For more information, see the Securing Applications with Oracle Platform Security Services.
Online command that displays the mbean name for non-Java EE components.
This command displays the mbean name for non-Java EE components given the instance name, component name, component type, and the name of the Oracle WebLogic Server on which the component's audit mbean is running. The mbean name is a required parameter to other audit WLST commands when managing a non-Java EE component.
getNonJavaEEAuditMBeanName(instName, compName, compType, svrName)
| Argument | Definition |
|---|---|
instName |
Specifies the name of the application server instance. |
compName |
Specifies the name of the component instance. |
compType |
Specifies the type of component. Valid values are ohs, oid, ovd, and WebCache. |
svrName |
Specifies the name of the Oracle WebLogic Server. |
The following example displays the mBean name for an Oracle Internet Directory:
wls:/mydomain/serverConfig> getNonJavaEEAuditMBeanName(instName='inst1', compName='oid1', compType='oid', svrName='AdminServer')
Online command that displays the audit policy settings.
This command displays audit policy settings including the filter preset, special users, custom events, maximum log file size, and maximum log directory size. The component mbean name is required for non-Java EE components like Oracle HTTP Server.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.getAuditPolicy([mbeanName, componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the component audit MBean for non-Java EE components. |
componentType |
Requests the audit policy for a specific component registered in the audit store. If not specified, the audit policy in jps-config.xml is returned. |
The following example displays the audit settings for a Java EE component:
wls:/mydomain/serverConfig> getAuditPolicy(componentType='JPS'); Location changed to domainRuntime tree. This is a read-only tree with DomainMBean as the root. For more help, use help(domainRuntime) FilterPreset:All Max Log File Size:104857600
The following example displays the audit settings for MBean CSAuditProxyMBean:
wls:/mydomain/serverConfig> getAuditPolicy(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean')
Online command that updates an audit policy.
Online command that configures the audit policy settings. You can set the filter preset, add or remove users, and add or remove custom events. The component mbean name is required for non-Java EE components like Oracle HTTP Server.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.setAuditPolicy([mbeanName],[filterPreset],[addSpecialUsers], [removeSpecialUsers],[addCustomEvents],[removeCustomEvents], [componentType], [maxFileSize], [andCriteria], [orCriteria], [componentEventsFile])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the component audit MBean for non-Java EE components. |
filterPreset |
Specifies the filter preset to be changed. |
addSpecialUsers |
Specifies the special users to be added. |
removeSpecialUsers |
Specifies the special users to be removed. |
addCustomEvents |
Specifies the custom events to be added. |
removeCustomEvents |
Specifies the custom events to be removed. |
componentType |
Specifies the component definition type to be updated. The audit runtime policy for the component is registered in the audit store. If not specified, the audit configuration defined in jps-config.xml is modified. |
maxFileSize |
Specifies the maximum size of the log file. |
andCriteria |
Specifies the and criteria in a custom filter preset definition. |
orCriteria |
Specifies the or criteria in a custom filter preset definition. |
componentEventsFile |
Specifies a component definition file under the 11g Release 1 (11.1.1.6) metadata model. This parameter is required if you wish to create/update an audit policy in the audit store for an 11g Release 1 (11.1.1.6) metadata model component, and the filter preset level is set to ”Custom”. |
The following example sets audit policy to None level, and adds users user2 and user3 while removing user1 from the policy:
wls:/mydomain/serverConfig> setAuditPolicy (filterPreset= 'None',addSpecialUsers='user2,user3',removeSpecialUsers='user1',componentType='JPS') wls:/mydomain/serverConfig> getAuditPolicy(componentType='JPS'); Already in Domain Runtime Tree FilterPreset:None Special Users:user2,user3 Max Log File Size:104857600
The following example adds login events while removing logout events from the policy:
wls:/mydomain/serverConfig> setAuditPolicy(filterPreset= 'Custom',addCustomEvents='UserLogin',removeCustomEvents='UserLogout')
The following example sets audit policy to a Low level:
wls:/IDMDomain/domainRuntime> setAuditPolicy(filterPreset='Low',componentType='JPS); Already in Domain Runtime Tree Audit Policy Information updated successfully wls:/IDMDomain/domainRuntime> getAuditPolicy(componentType='JPS') Already in Domain Runtime Tree FilterPreset:Low Max Log File Size:104857600
The following example sets a custom filter to audit the CheckAuthorization event:
wls:/IDMDomain/domainRuntime>setAuditPolicy(filterPreset='Custom', componentType='JPS',addCustomEvents='Authorization:CheckPermission, CheckSubject;CredentialManagement:CreateCredential,DeleteCredential'); Already in Domain Runtime Tree Audit Policy Information updated successfully wls:/IDMDomain/domainRuntime> getAuditPolicy(componentType='JPS'); Already in Domain Runtime Tree FilterPreset:Custom Special Users:user1 Max Log File Size:104857600 Custom Events:JPS:CheckAuthorization
Online command that displays audit repository settings.
This command displays audit repository settings for Java EE components and applications (for other components like Oracle Internet Directory, the repository configuration resides in opmn.xml). Also displays database configuration if the repository is a database type.
getAuditRepository
The following example displays audit repository configuration:
wls:/IDMDomain/domainRuntime> getAuditRepository() Already in Domain Runtime Tree Repository Type:File
Online command that updates audit repository settings.
This command sets the audit repository settings for Java EE and SE components and applications (for other components like Oracle Internet Directory, the repository is configured by editing opmn.xml).
setAuditRepository([switchToDB],[dataSourceName],[interval],
[timezone], [repositoryType], [logDirectory],
[jdbcString], [dbUser], [dbPassword])
| Argument | Definition |
|---|---|
switchToDB |
If true, switches the repository from file to database. Valid value: true. |
dataSourceName |
Specifies the JNDI name of the data source. This data source must be configured in the specified Oracle Weblogic Server domain. |
interval |
Specifies the time, in seconds, that the audit loader sleeps. |
timezone |
Specifies the time zone in which the audit loader records the timestamps of the audit events. Valid values are utc and local. |
repostoryType |
Specifies the database type to which the data has to be uploaded. The supported databases are Oracle, MS SQL Server and IBM DB2. |
logDirectory |
Specifies the audit log directory for SE applications to store bus stop files. |
jdbcString |
Specifies the audit repository jdbc connection string for SE applications. |
dbUser |
Specifies the audit repository IAU schema user. |
interval |
Specifies the audit repository IAU schema password. |
The following example changes audit repository to a specific database and sets the audit loader interval to 14 seconds, and the time zone to utc:
wls:/mydomain/serverConfig> setAuditRepository(switchToDB="true",
dataSourceName="jdbc/AuditDB",interval="14",timezone="utc",
repositoryType="DB_ORACLE", logDirectory="/foo",
jdbcString="jdbc:oracle:thin:@db.example.com:5001:sid",
dbUser="scott_iau", dbPassword="tiger")
Online command that displays a component's audit events.
This command displays a component's audit events and attributes. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter. Without a component type, all generic attributes applicable to all components are displayed.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.listAuditEvents([mbeanName],[componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the component MBean. |
componentType |
Specifies the component type to limit the list to all events of the component type. |
The following example displays audit events for the Oracle Platform Security Services component:
wls:/IDMDomain/domainRuntime> listAuditEvents(componentType='JPS'); Already in Domain Runtime Tree Common Attributes ComponentType Type of the component. For MAS integrated SystemComponents this is the componentType InstanceId Name of the MAS Instance, that this component belongs to HostId DNS hostname of originating host HostNwaddr IP or other network address of originating host ModuleId ID of the module that originated the message. Interpretation is unique within Component ID. ProcessId ID of the process that originated the message
The following example displays audit events for Oracle HTTP Server:
wls:/mydomain/serverConfig> listAuditEvents(componentType='ohs')
The following example displays all audit events:
wls:/IDMDomain/domainRuntime> listAuditEvents(); Already in Domain Runtime Tree Components: DIP JPS OIF OWSM-AGENT OWSM-PM-EJB ReportsServer WS-PolicyAttachment WebCache WebServices Attributes applicable to all components: ComponentType InstanceId HostId HostNwaddr ModuleId ProcessId OracleHome HomeInstance ECID RID ...
Online command that exports a component's audit configuration.
This command exports the audit configuration to a file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.exportAuditConfig([mbeanName],fileName, [componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the non-Java EE component MBean. |
fileName |
Specifies the path and file name to which the audit configuration should be exported. |
componentType |
Specifies that only events of the given component be exported to the file. If not specified, the audit configuration in jps-config.xml is exported. |
The following example exports the audit configuration for a component:
wls:/mydomain/serverConfig> exportAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name=CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following example exports the audit configuration for a Java EE component; no mBean is specified:
wls:/mydomain/serverConfig> exportAuditConfig(fileName='/tmp/auditconfig')
Online command that imports a component's audit configuration.
This command imports the audit configuration from an external file. For non-Java EE components, pass the component mbean name as a parameter. Java EE applications and services like Oracle Platform Security Services (OPSS) do not need the mbean parameter.
Note:
You can obtain a non-Java EE component's MBean name using the getNonJavaEEAuditMBeanName command.importAuditConfig([mbeanName],fileName, [componentType])
| Argument | Definition |
|---|---|
mbeanName |
Specifies the name of the non-Java EE component MBean. |
fileName |
Specifies the path and file name from which the audit configuration should be imported. |
componentType |
Specifies that only events of the given component be imported from the file. If not specified, the audit configuration in jps-config.xml is imported. |
The following example imports the audit configuration for a component:
wls:/mydomain/serverConfig> importAuditConfig(on='oracle.security.audit.test:type=CSAuditMBean, name='CSAuditProxyMBean',fileName='/tmp/auditconfig')
The following example imports the audit configuration from a file; no mBean is specified:
wls:/mydomain/serverConfig> importAuditConfig(fileName='/tmp/auditconfig')
Creates a SQL script that generates a view for audit in the database.
This command generates a SQL script that you can use to create a database view of the audit definitions of a specified component. The script is written to the specified file and also printed out to the console.
Upon execution, the result of the SQL script depends on the audit model at your site:
If using the 11.1.1.6.0 model, and the component is registered in the audit store, the script creates a view using the system component tables (IAU_COMMON, IAU_USERSESSION, IAU_AUDITSERVICE and IAU_CUSTOM) for the specified component.
If using the pre-11.1.1.6.0 model, the component is not registered in the audit store but its event definitions reside in the component_events.xml file (in the oracle_common/modules/oracle.iau_11.1.1/components/componentType directory), and the view is created using the IAU_BASE and component tables.
createAuditDBView(fileName, componentType, [dbType], [viewType])
| Argument | Definition |
|---|---|
fileName |
The path and file name to which the SQL script is written. |
componentType |
The name of the registered component. |
dbType |
The database type. One of the following: DB_ORACLE, MS_SQL_SERVER, IBM_DB2. |
viewType |
The view type. One of the following: SIMPLE, INDEXABLE. |
wls:/mydomain/serverConfig>
createAuditDBView(fileName="/tmp/JPSAuditView.sql", componentType="JPS",
dbType="DB_ORACLE", viewType=INDEXABLE)
Generates an SQL script to create an IAU view in the database.
The generated script creates, by default, a SIMPLE view when the component is registered with the audit service; it switches the view from SIMPLE to INDEXABLE, or creates a view in the database. INDEXABLE views are supported for an Oracle database only. SIMPLE views can be created for all supported databases in the IAU_VIEWER schema.
createIAUView(componentType, [viewType])
| Argument | Definition |
|---|---|
componentType |
The component whose definitions are the basis of the view. |
viewType |
The type of view; valid values are SIMPLE or INDEXABLE. Default is SIMPLE. |
wls:/mydomain/serverConfig>createIAUView(componentType="AuditApp, viewType="INDEXABLE")
wls:/mydomain/serverConfig>createIAUView(componentType="AuditApp, viewType="SIMPLE")
wls:/mydomain/serverConfig>createIAUView(componentType="AuditApp")
Returns information about the view of a component.
Retrieves information about the view of a specified component.
getIAUViewInfo(componentType)
| Argument | Definition |
|---|---|
componentType |
The component whose definitions are the basis of the view. |
wls:/mydomain/serverConfig> getIAUViewInfo(componentType="JPS")
Lists components that can be audited.
This command creates a list of the components that can be audited. It lists components registered in the audit store using both the 11.1.1.6.0 model and the pre-11.1.1.6.0 model.
listAuditComponents(fileName)
| Argument | Definition |
|---|---|
fileName |
Specifies the path and file name to which the output is written. |
listAuditComponents(fileName = "/tmp/complist.txt")
Registers a component with the audit service.
Adds the event definition and translation content for a specified component to the audit store. If you try to register using the pre-11.1.1.6.0 audit XML schema definition, it is upgraded to the 11.1.1.6.0 XML schema definition and then registered with the audit store.
registerAudit(xmlFile, [xlfFile],componentType,[mode=OVERWRITE|UPGRADE],
[createView=SIMPLE|INDEXABLE|DISABLE])
| Argument | Definition |
|---|---|
xmlFile |
Specifies the Component Event definition file. |
xlfFile |
Specifies the component xlf jar file. Optional. |
componentType |
Specifies the component to be registered. |
mode |
Optional. OVERWRITE or UPGRADE. Default is UPGRADE. |
createView |
Optional. SIMPLE, INDEXABLE or DISABLE. Default is SIMPLE. |
wls:/mydomain/serverConfig>registerAudit(xmlFile="/tmp/comp.xml", xmlFile="/tmp/comp_xlf.jar", componentType="AuditApp", mode="UPGRADE", createView=INDEXABLE)
Removes the event definition and translation content from the audit store. for a component.
Removes an existing event definition and translation content for a specified component or application from the audit store.
deregisterAudit(componentType)
| Argument | Definition |
|---|---|
componentType |
Specifies the component whose definitions are to be removed. |
wls:/mydomain/serverConfig> deregisterAudit(componentType="AuditApp")
This section contains commands used with the OPSS keystore service.
Note:
You need to acquire an OPSS handle to use keystore service commands; this handle is denoted by 'svc' in the discussion that follows. For details, see "Managing Keys and Certificates" in Securing Applications with Oracle Platform Security Services.Table 2-4 lists the WLST commands used to manage the keystore service.
Table 2-4 OPSS Keystore Service Commands
| Use this Command... | to... | Use with WLST... |
|---|---|---|
|
Change the password for a key. |
Online |
|
|
Change the password on a keystore. |
Online |
|
|
Create a keystore. |
Online |
|
|
Delete a keystore. |
Online |
|
|
Delete an entry in a keystore. |
Online |
|
|
Export a keystore to file. |
Online |
|
|
Export a certificate to a file. |
Online |
|
|
Export a certificate request to a file. |
Online |
|
|
Generate a keypair. |
Online |
|
|
Generate a secret key. |
Online |
|
|
Get information about a certificate or trusted certificate. |
Online |
|
|
Get the secret key properties. |
Online |
|
|
Import a keystore from file. |
Online |
|
|
Import a certificate or other object. |
Online |
|
|
List certificates expiring in a specified period. |
Online |
|
|
List aliases in a keystore. |
Online |
|
|
List all the keystores in a stripe. |
Online |
|
|
Synchronizes the keystores in the administration server with keystores in the security store. |
Online |
Changes a key password.
Changes the password for a key.
svc.changeKeyPassword(appStripe='stripe', name='keystore', password='password', alias='alias', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
password
|
Specifies the keystore password |
alias
|
Specifies the alias of the key entry whose password is changed |
currentkeypassword
|
Specifies the current key password |
newkeypassword
|
Specifies the new key password |
The following example changes the password on the key entry orakey:
wls:/mydomain/serverConfig> svc.changeKeyPassword(appStripe='system', name='keystore', password='password', alias='orakey', currentkeypassword='currentkeypassword', newkeypassword='newkeypassword')
Changes the password of a keystore.
Changes the password of the specified keystore.
svc.changeKeyStorePassword(appStripe='stripe', name='keystore', currentpassword='currentpassword', newpassword='newpassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe containing the keystore |
name
|
Specifies the name of the keystore |
currentpassword
|
Specifies the current keystore password |
newpassword
|
Specifies the new keystore password |
The following example changes the password for keystore2.
wls:/mydomain/serverConfig> svc.changeKeyStorePassword(appStripe='system', name='keystore2', currentpassword='currentpassword', newpassword='newpassword')
This keystore service command creates a new keystore.
Creates a new keystore on the given application stripe.
svc.createKeyStore(appStripe='stripe', name='keystore', password='password',permission=true|false)
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore is created. |
name
|
Specifies the name of the new keystore. |
password
|
Specifies the keystore password. |
permission
|
This parameter is true if the keystore is protected by permission only, false if protected by both permission and password. |
The following example creates a keystore named keystore1.
wls:/mydomain/serverConfig> svc.createKeyStore(appStripe='system', name='keystore1', password='password', permission=true)
Deletes the named keystore.
This keystore service command deletes a specified keystore.
svc.deleteKeyStore(appStripe='stripe', name='keystore', password='password')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore to be deleted. |
password
|
Specifies the keystore password. |
The following example deletes the keystore named keystore1.
wls:/mydomain/serverConfig> svc.deleteKeyStore(appStripe='system', name='keystore1', password='password')
Deletes a keystore entry.
This command deletes the specified entry in a keystore.
svc.deleteKeyStoreEntry(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be deleted |
keypassword
|
Specifies the key password of the entry to be deleted |
The following example deletes a keystore entry denoted by alias orakey.
wls:/mydomain/serverConfig> svc.deleteKeyStoreEntry(appStripe='system', name='keystore2', password='password', alias='orakey', keypassword='keypassword')
Exports a keystore to a file.
Exports a keystore to a specified file.
svc.exportKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. The value also applies to the output file, based on the current usage of the command:
If the keystore is password-based, the value of this argument must be the same as the password specified when the password-based keystore was created. Otherwise, if the keystore is not password-based, any value is valid. |
aliases
|
Specifies a comma separated list of aliases to be exported. |
keypasswords
|
Specifies the password(s) of the key(s) being exported. The usage depends on the keystore type:
|
type
|
Exported keystore type. Valid values are 'JKS' or 'JCEKS' or 'OracleWallet'. |
filepath
|
For type JKS or JCEKS, the absolute path of the file where the keystore is exported, including filename. For type OracleWallet, the absolute path of the directory where the keystore is exported. |
The following example exports two aliases from the specified keystore.
wls:/mydomain/serverConfig> svc.exportKeyStore(appStripe='system', name='keystore2', password='password',aliases='orakey,seckey', keypasswords='keypassword1,keypassword2', type='JKS',filepath='/tmp/file.jks')
The following example exports a keystore to create an Oracle Wallet file:
wls:/mydomain/serverConfig> svc.exportKeyStore(appStripe='system', name='keystore2', password='mypassword',aliases='orakey,seckey', keypasswords='', type='OracleWallet',filepath='/tmp')
Exports a certificate.
Exports a certificate, trusted certificate or certificate chain.
svc.exportKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be exported |
keypassword
|
Specifies the key password. |
type
|
Specifies the type of keystore entry to be exported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file where certificate, trusted certificate or certificate chain is exported. |
The following example exports a certificate corresponding to the orakey alias:
wls:/mydomain/serverConfig> svc.exportKeyStoreCertificate(appStripe='system', name='keystore2', password='password', alias='orakey', keypassword='keypassword', type='Certificate', filepath='/tmp/cert.txt')
Exports a certificate request.
Generates and exports a certificate request from a keystore.
svc.exportKeyStoreCertificateRequest(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the entry's alias name. |
keypassword
|
Specifies the key password. |
filepath
|
Specifies the absolute path of the file where certificate request is exported. |
The following example exports a certificate request corresponding to the orakey alias.
wls:/mydomain/serverConfig> svc.exportKeyStoreCertificateRequest(appStripe='system', name='keystore2', password='password', alias='orakey', keypassword='keypassword', filepath='/tmp/certreq.txt')
Generates a key pair in a keystore.
Generates a key pair using a specified algorithm, and wraps it in a demo CA-signed certificate.
svc.generateKeyPair(appStripe='stripe', name='keystore', password='password', dn='distinguishedname', keysize='keysize', alias='alias', keypassword='keypassword'[, algorithm='algorithm'])
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
dn
|
Specifies the distinguished name of the certificate wrapping the key pair. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key pair entry. |
keypassword
|
Specifies the key password. |
algorithm
|
Specifies the algorithm to use to encrypt the generated keys. The only valid values are RSA or EC (Elliptic Curve Cryptography). Optional. If not specified, the command uses the RSA algorithm. |
The following example generates a keypair in keystore2 using the default RSA algorithm:
wls:/mydomain/serverConfig> svc.generateKeyPair(appStripe='system', name='keystore2', password='password', dn='cn=www.oracle.com', keysize='1024', alias='orakey', keypassword='keypassword')
The following example generates a keypair in keystore2 using the RSA algorithm:
wls:/mydomain/serverConfig> svc.generateKeyPair(appStripe='system', name='keystore2', password='password', dn='cn=www.oracle.com', keysize='1024', alias='orakey', keypassword='keypassword', algorithm='RSA')
The following example generates a keypair in keystore2. using the ECC (Elliptic Curve Cryptography) algorithm:
wls:/mydomain/serverConfig> svc.generateKeyPair(appStripe='system', name='keystore2', password='password', dn='cn=www.oracle.com', keysize='1024', alias='orakey', keypassword='keypassword', algorithm='EC')
Generates a secret key.
Generates a symmetric key in a keystore.
svc.generateSecretKey(appStripe='stripe', name='keystore', password='password', algorithm='algorithm', keysize='keysize', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
algorithm
|
Specifies the symmetric key algorithm. |
keysize
|
Specifies the key size. |
alias
|
Specifies the alias of the key entry. |
keypassword
|
Specifies the key password. |
The following example generates a keypair with keysize 128 in keystore2.
wls:/mydomain/serverConfig> svc.generateSecretKey(appStripe='system', name='keystore2', password='password', algorithm='AES', keysize='128', alias='seckey', keypassword='keypassword')
Gets a certificate from the keystore.
Retrieves information about a certificate or trusted certificate.
svc.getKeyStoreCertificates(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the certificate, trusted certificate or certificate chain to be displayed. |
keypassword
|
Specifies the key password. |
The following example gets certificates associated with keystore3.
wls:/mydomain/serverConfig> svc.getKeyStoreCertificates(appStripe='system', name='keystore3', password='password', alias='orakey', keypassword='keypassword')
Retrieves secret key properties.
Retrieves secret key properties like the algorithm.
svc.getKeyStoreSecretKeyProperties(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the secret key whose properties are displayed. |
keypassword
|
Specifies the secret key password. |
The following example gets properties for secret key seckey:
wls:/mydomain/serverConfig> svc.getKeyStoreSecretKeyProperties(appStripe='system', name='keystore3', password='password', alias='seckey', keypassword='keypassword')
Imports a keystore from file.
Imports a keystore from a system file.
svc.importKeyStore(appStripe='stripe', name='keystore', password='password', aliases='comma-separated-aliases', keypasswords='comma-separated-keypasswords', type='keystore-type', permission=true|false, filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore will reside. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. These rules apply:
|
aliases
|
Specifies the comma-separated aliases of the entries to be imported from the file. If type is set to OracleWallet, it is not required; otherwise, it is a required argument. |
keypasswords
|
Specifies the passwords of the keys in the file. These rules apply:
|
type
|
Specifies the imported keystore type. Valid values are 'JKS' or 'JCEKS' or 'OracleWallet'. |
filepath
|
If type is set to JKS or JCEKS, it specifies rthe absolute path of the keystore file to be imported, including filname. If itype is set to OracleWallet, it specifies the absolute path of the directory where the Oracle Wallet is located. |
permission
|
Specifies true if keystore is protected by permission only, false if protected by both permission and password. If set to true, the imported file is permission protected, so when call getKeyStore or getKey, set password to null. |
The following example imports a JKS keystore file to keystore2:
wls:/mydomain/serverConfig> svc.importKeyStore(appStripe='system', name='keystore2', password='password',aliases='orakey,seckey', keypasswords='keypassword1, keypassword2', type='JKS', permission=true, filepath='/tmp/file.jks')
The following example imports an Oracle Wallet to keystore2:
svc.importKeyStore(appStripe='system', name='keystore2', password='mypassword',aliases='orakey,seckey', keypasswords='', type='OracleWallet', permission=true, filepath='/tmp')
Imports a certificate or other specified object.
Imports a certificate, trusted certificate or certificate chain.
svc.importKeyStoreCertificate(appStripe='stripe', name='keystore', password='password', alias='alias', keypassword='keypassword', type='entrytype',filepath='absolute_file_path')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
alias
|
Specifies the alias of the entry to be imported. |
keypassword
|
Specifies the key password of the newly imported entry. |
type
|
Specifies the type of keystore entry to be imported. Valid values are 'Certificate', 'TrustedCertificate' or 'CertificateChain'. |
filepath
|
Specifies the absolute path of the file from where certificate, trusted certificate or certificate chain is imported. |
The following example imports a certificate into keystore2.
wls:/mydomain/serverConfig> svc.importKeyStoreCertificate(appStripe='system', name='keystore2', password='password', alias='orakey', keypassword='keypassword', type='Certificate', filepath='/tmp/cert.txt')
Lists expiring certificates.
Lists expiring certificates and optionally renews them.
svc.listExpiringCertificates(days='days', autorenew=true|false)
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
days
|
Specifies that the list should only include certificates within this many days from expiration. |
autorenew
|
Specifies true for automatically renewing expiring certificates, false for only listing them. |
The following example lists certificates expiring within one year, and requests that they be renewed:
wls:/mydomain/serverConfig> svc.listExpiringCertificates(days='365', autorenew=true)
Lists the aliases in a keystore.
Lists the aliases in a keystore for a given type of entry.
svc.listKeyStoreAliases(appStripe='stripe', name='keystore', password='password', type='entrytype')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe where the keystore resides. |
name
|
Specifies the name of the keystore. |
password
|
Specifies the keystore password. |
type
|
Specifies the type of entry for which aliases are listed. Valid values are 'Certificate', 'TrustedCertificate', 'SecretKey' or '*'. |
The following example lists secret keys in keystore2:
wls:/mydomain/serverConfig> svc.listKeyStoreAliases(appStripe='system', name='keystore2', password='password', type='SecretKey')
Lists all the keystores in a stripe.
Lists all the keystores in the specified stripe.
svc.listKeyStores(appStripe='stripe')
| Argument | Definition |
|---|---|
svc
|
Specifies the service command object obtained through a call to getOpssService(). |
appStripe
|
Specifies the name of the stripe whose keystores are listed. |
The following example lists all keystores on all stripes.
wls:/mydomain/serverConfig> svc.listKeyStores(appStripe='*')
Synchronizes keystores from the OPSS security store to the local repository.
Downloads keystores from an application stripe in the security store to the specified directory on the file system, in the given format.
If the target format is Oracle Wallet, the command downloads the contents of all KSS keystores for a given stripe into auto-login wallets on the server. The contents of the domain trust store are automatically included in each wallet.
The syntax is as follows:
syncKeyStores(appStripe='<application_stripe>', keystoreFormat='exported_file_format', rootDirectory='root_dir_absolute_path')
| Argument | Definition |
|---|---|
appStripe
|
Name of the KSS application stripe containing the keystores that need to be synchronized with the local repository. |
keystoreFormat
|
Specifies the format of the target keystore. Valid formats are 'KSS' and 'OracleWallet'.
If the |
rootDirectory
|
For the Oracle Wallet format, specifies the absolute path of the server directory where the wallet(s) are created. |
Note:
Thesvc argument does not apply to this command.The following example looks up the security store for the "system" stripe and downloads its contents into the keystores.xml file under the DOMAIN_HOME/config/fmwconfig directory.
wls:/mydomain/serverConfig> syncKeyStores((appStripe='system', keystoreFormat='KSS')
The following example generates Oracle Wallets corresponding to all keystores in the stripe 'ohs':
syncKeyStores(appStripe=”ohs”, keystoreFormat=”OracleWallet”, rootDirectory=”/tmp/bin”)
Use the WLST commands listed in Table 2-5 to manage Identity Directory Service entity attributes, entity definitions, relationships and default operational configurations.
Table 2-5 WLST Identity Directory Service Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Reload the Identity Directory Service configuration. |
Online |
|
|
Add a new attribute to the entity configuration. |
Online |
|
|
Add new properties for an attribute in an entity configuration. |
Online |
|
|
Add a new attribute to the specified entity. |
Online |
|
|
Add new properties for an attribute reference in an entity configuration. |
Online |
|
|
Add a new property for a specified operation configuration. |
Online |
|
|
Add a new entity to the entity configuration. |
Online |
|
|
Add new properties for an entity in an entity configuration. |
Online |
|
|
Add a new entity relation to the entity configuration. |
Online |
|
|
Add a new Identity Directory Service to the configuration. |
Online |
|
|
Add a new operation configuration to the entity configuration. |
Online |
|
|
Add a new property to a specified operation configuration. |
Online |
|
|
Delete an attribute from an entity configuration. |
Online |
|
|
Delete attribute properties in an entity configuration. |
Online |
|
|
Delete attribute reference properties in an entity configuration. |
Online |
|
|
Delete an entity from an entity configuration. |
Online |
|
|
Delete entity properties in an entity configuration. |
Online |
|
|
Delete the specified entity relation. |
Online |
|
|
Delete the specified Identity Directory Service in the configuration. |
Online |
|
|
Delete operation configuration in an entity configuration. |
Online |
|
|
List all attributes in the entity configuration. |
Online |
|
|
List all entities defined in the specified entity configuration. |
Online |
|
|
List all Identity Directory Services in the configuration. |
Online |
|
|
Remove an attribute from the specified entity. |
Online |
|
|
Remove a property for the specified operation configuration. |
Online |
|
|
Remove a property for the specified operation configuration. |
Online |
|
|
Update attributes in an entity configuration. |
Online |
|
|
Update attribute properties in an entity configuration. |
Online |
|
|
Update attribute reference properties in an entity configuration. |
Online |
|
|
Update an entity's properties in an entity configuration. |
Online |
|
|
Update an entity's properties in an entity configuration. |
Online |
|
|
Update the entity properties in an entity configuration. |
Online |
|
|
Dumps the LDAP connection pool statistics for the associated in-memory IDS configuration for the current JVM into a specified file. |
Online |
|
|
Dumps the LDAP connection pool statistics for all in-memory IDS configuration for the current JVM into a specified file. |
Online |
|
|
Dumps the LDAP connection pool statistics for all file-based IDS configuration for the current JVM into a specified file. |
Online |
|
|
Dumps the LDAP connection pool statistics for all file-based IDS configuration for the current JVM into a specified file. |
Online |
Online command that reloads the configuration for Identity Directory Service.
Reloads the Identity Directory Service configuration.
activateIDSConfigChanges()
This command has no arguments.
The following command reloads the Identity Directory Service configuration:
activateIDSConfigChanges()
Online command that adds an attribute to the entity configuration.
Adds a new attribute to the entity configuration.
addAttributeInEntityConfig(name, datatype, description, readOnly, pwdAttr, appName)
Table 2-6 addAttributeInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be added. |
|
|
The attribute's type is defined as one of the following:
|
|
|
Description of the attribute to be added. |
|
|
Flag to specify whether the attribute is read only or can be modified. |
|
|
Flag to specify whether the attribute defines a password or not. |
|
|
Name of the Identity Directory Service. |
The following command adds an attribute commonname of userrole entity:
addAttributeInEntityConfig('commonname','string','common name',false,false,'userrole')
Online command that adds properties for an attribute in an entity configuration.
Adds new properties for an attribute in an entity configuration.
addAttributePropsInEntityConfig(name, propNames, propVals, appName)
Table 2-7 addAttributePropsInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be added. |
|
|
List of property names separated by "|". The properties ( For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values. |
|
|
List of corresponding property values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command adds an attribute orgunit of entity userrole:
addAttributePropsInEntityConfig('orgunit','labelname|multivalued','common name|true','userrole')
Online command that adds attribute to an entity.
Adds a new attribute to the specified entity.
addAttributeRefForEntity(name, attrRefName, attrRefFilter, attrRefDefaultFetch, appName)
Table 2-8 addAttributeRefForEntity Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity to which the attribute will be added. |
|
|
Name of the attribute to be added to the entity. |
|
|
Type of filter to be used with the attribute, defined as one of the following:
|
|
|
Flag to specify whether the attribute is fetched by default. |
|
|
Name of the Identity Directory Service. |
The following command adds an attribute User to userrole entity:
addAttributeRefForEntity('User','givenname','none','true','userrole')
Online command that adds property for an attribute reference.
Adds new properties for an attribute reference in an entity configuration.
addAttrrefPropsInEntityConfig(entityName, attrName, propNames, propVals, appName)
Table 2-9 addAttrrefPropsInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity. |
|
|
Name of the attribute reference. |
|
|
List of property names separated by "|". The properties ( For configuration attributes, however, the Identity Directory Service performs a schema check and interprets the configuration names and their values. |
|
|
List of corresponding property values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command adds a multivalued property labelname for org entity:
addAttrrefPropsInEntityConfig('org', 'orgunit','labelname|multivalued','common name|true','userrole')
Online command that adds a property for an operation configuration.
Adds a new property for a specified operation configuration.
addCommonPropertyForOperationConfig(entityName, propName, propValue, appName)
Table 2-10 addCommonPropertyForOperationConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity. |
|
|
Name of the property to be added for this operation configuration. |
|
|
Value of the property to be added for this operation configuration. |
|
|
Name of the Identity Directory Service. |
The following command adds a new property member:
addCommonPropertyForOperationConfig('groupmember.attr', 'member', 'userrole')
Online command that adds an entity to the configuration.
Adds a new entity to the entity configuration.
addEntity(name, type, idAttr, create, modify, delete, search, attrRefNames, attrRefFilters, attrRefDefaultFetches, appName)
Table 2-11 addEntity Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity to which the attribute will be added. |
|
|
Name of the attribute to be added to the entity. |
|
|
Identity attribute of the entity to be added. |
|
|
Flag to specify the create is allowed. |
|
|
Flag to specify the modify is allowed. |
|
|
Flag to specify the delete is allowed. |
|
|
Flag to specify the search is allowed. |
|
|
Array of attribute names. |
|
|
An array of filter type values, defined as one of the following:
|
|
|
Array of boolean strings (true, false). |
|
|
Name of the Identity Directory Service. |
The following command adds an attribute group to the Group entity.
addEntity('Group','group','commonname',true,true,true,true,'name|commonname','none|none','true|false','userrole')
Adds property for an entity.
Online command that adds new properties for an entity in an entity configuration.
addEntityProps(name, propNames, propVals, appName)
Table 2-12 addEntityProps Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity. |
|
|
List of property names separated by "|". |
|
|
List of corresponding property values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command adds inclobjclasses and exclobjclasses properties:
addEntityProps('User','inclobjclasses|exclobjclasses','inetorgperson|orclidxperson','userrole')
Online command that adds entity relation to an entity.
Add a new entity relation to the entity configuration for the specified attributes.
addEntityRelation(name, type, fromEntity, fromAttr, toEntity, toAttr, recursive, appName)
Table 2-13 addEntityRelation Arguments
| Argument | Definition |
|---|---|
|
|
Name of the relation between the entities for the given attributes. |
|
|
Type of the entity relation ("ManyToMany", "ManyToOne", "OneToMany", "OneToOne"). |
|
|
Name of the from entity. |
|
|
Name of the from attribute. |
|
|
Name of the to entity. |
|
|
Name of the to attribute. |
|
|
Flag to set the entity relationship as recursive. |
|
|
Name of the Identity Directory Service. |
The following command adds the manager relation between the manager and User entities:
addEntityRelation('manager', 'ManyToOne', 'User', 'manager', 'User', 'principal', false, 'userrole')
Online command that adds an Identity Store Service.
Adds a new IdentityStoreService to the Identity Directory Service configuration.
addIdentityDirectoryService(name, description, propNames, propValues)
Table 2-14 addIdentityDirectoryService Arguments
| Argument | Definition |
|---|---|
|
|
Name of the IdentityStoreService to be added. |
|
|
Description of the IdentityStoreService. |
|
|
An array of property names to be added to the IdentityStoreService configuration. |
|
|
An array of values to be defined for the property names added to the IdentityStoreService configuration. |
The following command adds the userrole IdentityStoreService:
addIdentityDirectoryService('userrole', 'user role', 'ovd.context|entity.config', 'default|userrole')
Online command that adds operation configuration to an entity.
Adds a new operation configuration to the entity configuration.
addOperationConfig(entityName, propNames, propValues, appName)
Table 2-15 addOperationConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity to which the operation configuration will be added. |
|
|
An array of property names to be added to the operation configuration. |
|
|
An array of property values for the properties added to the operation configuration. |
|
|
Name of the Identity Directory Service. |
The following command adds the User entity to which the operation configuration will be added:
addOperationConfig('User', 'entity.searchbase', 'cn=users,dc=oracle,dc=com', 'userrole')
Online command that adds a property to an operation configuration.
Adds a new property to a specified operation configuration.
addPropertyForOperationConfig(entityName, propName, propValue, appName)
Table 2-16 addPropertyForOperationConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity to which the operation configuration will be added. |
|
|
A property name to be added to the operation configuration. |
|
|
A value for the property added to the operation configuration. |
|
|
Name of the Identity Directory Service. |
The following command adds the property to the operation configuration:
addPropertyForOperationConfig('User','entity.searchbase', 'cn=users,dc=oracle,dc=com', 'userrole')
Online command that deletes attribute from an entity.
Deletes an attribute from an entity configuration.
deleteAttributeInEntityConfig(name, appName)
Table 2-17 deleteAttributeInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be deleted. |
|
|
Name of the Identity Directory Service. |
The following command deletes the commonname attribute.
deleteAttributeInEntityConfig('commonname', 'userrole')
Online command that deletes the properties of an attribute.
Deletes attribute properties in an entity configuration.
deleteAttributePropsInEntityConfig(name, propNames, appName)
Table 2-18 deleteAttributePropsInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute. |
|
|
List of property names separated by "|". |
|
|
Name of the Identity Directory Service. |
The following example deletes the property labelname from the userrole entity:
deleteAttributePropsInEntityConfig('orgunit','labelname|multivalued','userrole')
Online command that deletes attribute reference properties in an entity.
Deletes one or more attribute reference properties in an entity configuration.
deleteAttrrefPropsInEntityConfig(entityName, attrName, propNames, appName)
Table 2-19 deleteAttrrefPropsInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity. |
|
|
Name of the attribute reference. |
|
|
List of property names to be deleted. If multiple properties are to be deleted, they should be separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command deletes two properties from attribute reference orgunit of entity org:
deleteAttrrefPropsInEntityConfig('org', 'orgunit','labelname|multivalued','userrole')
Online command that deletes an entity.
Deletes an entity from an entity configuration.
deleteEntity(name, appName)
Table 2-20 deleteEntity Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity to be deleted. |
|
|
Name of the Identity Directory Service. |
The following command deletes the User entity.
deleteEntity('User', 'userrole')
Online command that deletes the properties of an entity.
Deletes entity properties in an entity configuration.
deleteEntityProps(name, propNames, appName)
Table 2-21 deleteEntityProps Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity. |
|
|
List of property names separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command deletes the two properties inclobjclasses and exclobjclasses of User entity:
deleteEntityProps('User','inclobjclasses|exclobjclasses','userrole')
Online command that deletes the relationship between entities.
Deletes the specified entity relation between entities for the given attributes.
deleteEntityRelation(name, appName)
Table 2-22 deleteEntityRelation Arguments
| Argument | Definition |
|---|---|
|
|
Name of the relation between the entities for the given attributes. |
|
|
Name of the Identity Directory Service. |
The following command deletes the manager relation specified between entities:
deleteEntityRelation('manager', 'userrole')
Online command that deletes the specified IdentityStoreService.
Deletes the specified IdentityStoreService in the Identity Directory Service configuration.
deleteIdentityDirectoryService(name)
where name is the name of the IdentityStoreService configuration to be deleted.
The following example deletes ids1 IdentityStoreService configuration.
deleteIdentityDirectoryService('ids1')
Online command that deletes an operation configuration.
Deletes an operation configuration in an entity configuration.
deleteOperationConfig(entityName, appName)
Table 2-23 deleteOperationConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity from which the operation configuration will be removed. |
|
|
Name of the Identity Directory Service. |
The following command deletes the operation configuration associated with entity User and application userrole:
deleteOperationConfig('User','userrole')
Online command that lists all attributes.
Lists all attributes in the entity configuration.
listAllAttributeInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of attributes is retrieved.
The following command obtains the list of attributes from userrole entity:
listAllAttributeInEntityConfig('userrole')
Online command that lists all entities for an entity configuration.
Lists all entities defined in the specified entity configuration.
listAllEntityInEntityConfig(appName)
where appName is the name of the Identity Directory Service that contains the entity configuration from which the list of entities is retrieved.
The following command obtains the list of entities associated with userrole entity:
listAllEntityInEntityConfig('userrole')
Online command that lists all IdentityStoreService for an Identity Directory Service configuration.
Lists all IdentityStoreService in Identity Directory Service configuration.
listAllIdentityDirectoryService()
This command has no arguments.
The following command lists all the IdentityStoreService for an Identity Directory Service configuration:
listAllIdentityDirectoryService()
Online command that deletes an attribute from an entity.
Removes an attribute from the specified entity.
removeAttributeRefForEntity(name, attrRefName, appName)
Table 2-24 removeAttributeRefForEntity Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity from which the attribute will be removed. |
|
|
The name of the attribute to be removed. |
|
|
Name of the Identity Directory Service. |
The following command deletes the givenname attribute associated with User entity:
removeAttributeRefForEntity('User','givenname','userrole')
Online command that deletes a property for an operation configuration.
Removes a property for the specified operation configuration.
removeCommonPropertyForOperationConfig(entityName, propName, appName)
Table 2-25 removeCommonPropertyForOperationConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity. |
|
|
Name of property to be removed for this operation configuration. |
|
|
Name of the Identity Directory Service. |
The following command removes groupmember.attr property associated with User entity:
removeCommonPropertyForOperationConfig('User','groupmember.attr','userrole')
Online command that removes a property for an operation configuration.
Removes a property for the specified operation configuration.
removePropertyForOperationConfig(entityName, propName, appName)
Table 2-26 removePropertyForOperationConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity from which the operation configuration will be removed. |
|
|
A property name to be removed from the operation configuration. |
|
|
Name of the Identity Directory Service. |
The following command removes entity.searchbase property associated with User entity:
removePropertyForOperationConfig('User','entity.searchbase','userrole')
Online command that updates an attribute for an entity configuration.
Updates attributes in an entity configuration.
updateAttributeInEntityConfig(name, attrNames, attrVals, appName)
Table 2-27 updateAttributeInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity attribute to be updated. |
|
|
List of configuration attribute names separated by "|". Valid configuration attribute names are:
|
|
|
List of corresponding attribute values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command updates the commonname attribute:
updateAttributeInEntityConfig('commonname','readOnly|pwdAttr|attrInUse','true|false|false','userrole')
Online command that updates the properties of an attribute for an entity.
Updates attribute properties in an entity configuration.
updateAttributePropsInEntityConfig(name, propNames, propVals, appName)
Table 2-28 updateAttributePropsInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be updated. |
|
|
List of property names separated by "|". |
|
|
List of corresponding property values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command updates the properties for orgunit attribute associated with userrole application:
updateAttributePropsInEntityConfig('orgunit','multivalued','multivalued','userrole')
Online command that updates attribute reference properties for an entity.
Updates attribute reference properties in an entity configuration.
updateAttrrefPropsInEntityConfig(entityName, attrName, propNames, propVals, appName)
Table 2-29 updateAttrrefPropsInEntityConfig Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity. |
|
|
Name of the attribute reference. |
|
|
List of property names separated by "|". |
|
|
List of corresponding property values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command updates the attribute reference properties:
updateAttrrefPropsInEntityConfig('org', 'orgunit','entity.searchbase','multivalued','userrole')
Online command that updates properties of an entity.
Updates an entity's properties in an entity configuration.
updateEntity(name, type, idAttr, create, modify, delete, search, appName)
Table 2-30 updateEntity Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity to be updated. |
|
|
Type of the entity. |
|
|
Identity attribute of the entity. |
|
|
Flag to specify the create is allowed. |
|
|
Flag to specify the modify is allowed. |
|
|
Flag to specify the delete is allowed. |
|
|
Flag to specify the search is allowed. |
|
|
Name of the Identity Directory Service. |
The following command updates the properties associated with Group entity:
updateEntity('Group','group','commonname',true,true,true,true,'userrole')
Online command that updates the configuration attributes for an entity.
Updates the configuration attributes for an entity attribute.
updateEntityAttrs(name, attrNames, attrVals, appName)
Table 2-31 updateEntityAttrs Arguments
| Argument | Definition |
|---|---|
|
|
Name of the entity attribute. To update the properties of an entity attribute, see updateAttributePropsInEntityConfig. |
|
|
List of configuration attribute names. If multiple configuration attributes are to be updated, they should be separated by "|". Valid configuration attribute names are:
|
|
|
List of corresponding configuration attribute values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command updates configuration attributes associated with User entity:
updateEntityAttrs('User','idAttr|firstnameAttr','uid|givenname','userrole')
Online command that updates the properties of an entity.
Updates the entity properties in an entity configuration.
updateEntityProps(name, propNames, propVals, appName)
Table 2-32 updateEntityProps Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be updated. |
|
|
List of property names separated by "|". |
|
|
List of corresponding property values separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command updates the properties associated with User entity:
updateEntityProps('User','inclobjclasses|exclobjclasses','inetorgperson|orclidxperson','userrole')
Online command that deletes the attribute properties in an entity configuration.
Deletes the attribute properties in an entity configuration.
deleteAttributePropsInEntityConfig(name, propNames, appName)
Table 2-33 deleteAttributePropsInEntityConfig
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be deleted. |
|
|
List of property names separated by "|". |
|
|
Name of the Identity Directory Service. |
The following command deletes the attribute property, orgunit from the userrole.
deleteAttributePropsInEntityConfig('orgunit','labelname|validvalues','userrole')
Online command that dumps the LDAP connection pool statistics for the associated in-memory IDS configuration for the current JVM on which WLS is configured into a specified file.
Dumps the LDAP connection pool statistics for the associated in-memory IDS configuration for the current JVM on which WLS is configured into a specified file.
dumpConnectionPoolStatsForInMemoryConfig(name, fileName)
Table 2-34 dumpConnectionPoolStatsForInMemoryConfig
| Argument | Definition |
|---|---|
|
|
Name of the in-memory IDS configuration. |
|
|
Refers to the full path of the file. |
The following example dumps the connection pool statistics for the in-memory IDS configuration ids1 into the specified file:
dumpConnectionPoolStatsForInMemoryConfig('ids1', '/tmp/dump.txt')
Online command that dumps the LDAP connection pool statistics for all in-memory IDS configuration for the current JVM on which WLS is configured into a specified file.
Dumps the LDAP connection pool statistics for all in-memory IDS configuration for the current JVM on which WLS is configured into a specified file.
dumpConnectionPoolStatsForAllInMemoryConfig(fileName)
Table 2-35 dumpConnectionPoolStatsForAllInMemoryConfig
| Argument | Definition |
|---|---|
|
|
Refers to the full path of the file. |
The following example dumps LDAP connection pool statistics for all in-memory IDS configuration into the specified file:
dumpConnectionPoolStatsForAllInMemoryConfig('/tmp/dump.txt')
Online command that dumps the LDAP connection pool statistics for all file-based IDS configuration for the current JVM on which WLS is configured into a specified file.
Dumps the LDAP connection pool statistics for all file-based IDS configuration for the current JVM on which WLS is configured into a specified file.
dumpConnectionPoolStatsForAllFileBasedConfig(name, fileName)
Table 2-36 dumpConnectionPoolStatsForAllFileBasedConfig
| Argument | Definition |
|---|---|
|
|
Name of the file-based IDS configuration. |
|
|
Refers to the full path of the file. |
The following example dumps the connection pool statistics for ids file-based configuration into the specified file:
dumpConnectionPoolStatsForFileBasedConfig('ids1', '/tmp/dump.txt')
Online command that dumps the LDAP connection pool statistics for all file-based IDS configuration in the current JVM on which WLS is configured into a specified file.
Dumps the LDAP connection pool statistics for all file-based IDS configuration for the current JVM on which WLS is configured into a specified file.
dumpConnectionPoolStatsForAllFileBasedConfig(fileName)
Table 2-37 dumpConnectionPoolStatsForAllFileBasedConfig
| Argument | Definition |
|---|---|
|
|
Refers to the full path of the file. |
The following example dumps the connection pool statistics all file-based IDS configuration into the specified file:
dumpConnectionPoolStatsForFileBasedConfig('/tmp/dump.txt')
Use the WLST commands listed in Table 2-38 to manage a libOVD configuration associated with a specific Oracle Platform Security Services (OPSS) context.
Table 2-38 WLST libOVD Commands
| Use this command... | To... | Use with WLST... |
|---|---|---|
|
Add an attribute to the DN attributes list for an existing adapter. |
Online |
|
|
Reload the libOVD configuration. |
Online |
|
|
Add a attribute exclusion rule. |
Online |
|
|
Add a new attribute mapping rule. |
Online |
|
|
Add a domain exclusion rule. |
Online |
|
|
Add a new domain mapping rule. |
Online |
|
|
Add a join rule to an existing Join Adapter for a libOVD configuration. |
Online |
|
|
Add a new remote host to an existing LDAP adapter. |
Online |
|
|
Create a new mapping context. |
Online |
|
|
Add a plug-in to an existing adapter or at the global level. |
Online |
|
|
Add new parameter values to the existing adapter level plug-in or global plug-in. |
Online |
|
|
Add a control to the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
|
Add a control to the Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
|
Assign the given view to an adapter. |
Online |
|
|
Create a new Join Adapter for a libOVD configuration. |
Online |
|
|
Create a new LDAP adapter for a libOVD configuration. |
Online |
|
|
Create a new LDAP adapter with default plug-ins based on the specified directory type. |
Online |
|
|
Create a new view. |
Online |
|
|
Delete an existing adapter for a libOVD configuration. |
Online |
|
|
Delete a attribute exclusion rule. |
Online |
|
|
Delete a attribute mapping rule. |
Online |
|
|
Delete a domain exclusion rule. |
Online |
|
|
Delete a domain mapping rule. |
Online |
|
|
Delete the specified mapping context. |
Online |
|
|
Delete the specified view. |
Online |
|
|
Display the details of an existing adapter for a libOVD configuration. |
Online |
|
|
List the name and type of all adapters that are configured for a libOVD configuration. |
Online |
|
|
List all the mapping contexts. |
Online |
|
|
List all the attribute rules. |
Online |
|
|
List all the domain rules. |
Online |
|
|
List all views |
Online |
|
|
Modify the existing LDAP adapter configuration. |
Online |
|
|
Modify the socket options for an existing LDAP adapter configuration. |
Online |
|
|
Remove all controls from the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
|
Remove all controls from a Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
|
Remove an attribute from the DN attributes list for an existing LDAP adapter configuration. |
Online |
|
|
Remove a control from the Request Control Exclude List for an existing LDAP adapter configuration. |
Online |
|
|
Removes a control from the Request Control Include List for an existing LDAP adapter configuration. |
Online |
|
|
Remove a join rule from a Join Adapter configured for a libOVD configuration. |
Online |
|
|
Remove a remote host from an existing LDAP adapter configuration. |
Online |
|
|
Remove a plug-in from an existing adapter or at the global level. |
Online |
|
|
Remove an existing parameter from a configured adapter level plug-in or global plug-in. |
Online |
|
|
Replace existing parameter values for an adapter level plug-in or global plug-in. |
Online |
|
|
Un-assign a view from an adapter. |
Online |
|
|
List the type of SSL store in use for libOVD. |
Online |
|
|
Enable KSS for libOVD. |
Online |
|
|
Enable JKS for libOVD. |
Online |
|
|
Enable JKS for libOVD. |
Online |
|
|
Import given trusted certificate into SSL store. |
Online |
|
|
Migrate all trusted certificates from JKS to KSS store. |
Online |
|
|
Migrate given trusted certificates from JKS to KSS store. |
Online |
|
|
Change given LDAP host and port in an existing LDAP adapter configuration to the new host and port. |
Online |
|
|
Remove a remote host and a port from an existing LDAP adapter configuration. |
Online |
|
|
Set the given host and port to read-only/writable in an existing LDAP adapter configuration. |
Online |
|
|
Dumps the current connection pool statistics for an adapter to a file for the given JVM. |
Online |
Online command that adds an attribute to the DN Attributes List.
Adds an attribute to the DN Attributes List for an existing adapter configured for the libOVD configuration associated with an OPSS context.
addDNAttribute(adapterName, attributeName, [contextName])
Table 2-39 addDNAttribute Arguments
| Argument | Definition |
|---|---|
|
|
Name of the adapter to be updated. |
|
|
Name of the new DN attribute to be added. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is |
The following example adds memberof attribute to ldap1 adapter:
addDNAttribute(adapterName='ldap1', attributeName='memberof', contextName='default')
Online command that reloads the libOVD configuration.
Reloads the libOVD configuration associated with a specific OPSS context.
activateLibOVDConfigChanges([contextName])
Table 2-40 activateLibOVDConfigChanges Arguments
| Argument | Definition |
|---|---|
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is |
The following command reloads the default libOVD configuration for a specified OPSS context:
activateLibOVDConfigChanges('default')
Online command that adds an attribute exclusion rule.
Adds an attribute exclusion rule to the exclusion list.
addAttributeExclusionRule(attribute, mappingContextId, [contextName])
Table 2-41 addAttributeExclusionRule Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be added to the exclusion list. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is |
The following command add objectsid to the exclusion list:
addAttributeExclusionRule('objectsid','userrole')
Online command that adds a new attribute mapping rule.
Adds a new attribute mapping rule to the libOVD configuration associated with a specific OPSS context..
addAttributeRule(srcAttrs, srcObjectClass, srcAttrType, dstAttr, dstObjectClass, dstAttrType, mappingExpression, direction, mappingContextId, [contextName])
Table 2-42 addAttributeRule Arguments
| Argument | Definition |
|---|---|
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is default. |
The following command creates a mapping rule for the libOVD configuration. Here, the lastname is mapped to the cn.
addAttributeRule('lastname','','','sn','','','','Inbound','userrole')
Online command that adds a domain exclusion rule.
Adds a domain exclusion rule to the exclusion list.
addDomainExclusionRule(domain, mappingContextId, [contextName])
Table 2-43 addDomainExclusionRule Arguments
| Argument | Definition |
|---|---|
|
|
Distinguished name (DN) of the attribute to be added to the exclusion list. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command adds cn=group,dc=oracle,dc=com to the exclusion list:
addDomainExclusionRule('cn=group,dc=oracle,dc=com','userrole')
Online command that adds a new domain mapping rule.
Adds a new domain mapping rule.
addDoma]inRule(srcDomain, destDomain, domainConstructRule, mappingContextId, [contextName])
Table 2-44 addDomainRule Arguments
| Argument | Definition |
|---|---|
|
|
Source domain. |
|
|
Destination domain |
|
|
Name of the attribute to be added to the exclusion list. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is |
The following command creates a domain mapping rule:
addDomainRule('dc=oracle,dc=com', 'dc=oracle,dc=com', '', 'defaultContext', 'default')
Online command that adds a join rule to a Join Adapter.
Adds a join rule to an existing Join Adapter for the libOVD configuration associated with the specified OPSS context.
addJoinRule(adapterName, secondary, condition, [joinerType], [contextName])
Table 2-45 addJoinRule Arguments
| Argument | Definition |
|---|---|
|
|
Name of the Join Adapter to be modified. |
|
|
Name of the adapter to join to. |
|
|
The attribute(s) to join on. |
|
|
Optional. Defines the type of Join. Values can be Simple (default), Conditional, OneToMany, or Shadow. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is |
The following commands create different join rules for an existing Join adapter:
addJoinRule('join1','secondaryldap','cn=cn', 'Simple', 'default')
addJoinRule('join1','secondaryldap','cn=cn', 'Conditional', 'default')
addJoinRule(adapterName='join1', secondary='LDAP3', condition='uid=cn', JoinerType='OneToMany')
addJoinRule(adapterName='join1', secondary='LDAP2',condition='uid=cn', contextName='myContext')
Online command that adds a new remote host.
Adds a new remote host (host and port) to an existing LDAP adapter. By default, the new host is configured in Read-Write mode with percentage set to 100.
addLDAPHost(adapterName, host, port, [contextName])
Table 2-46 addLDAPHost Arguments
| Argument | Definition |
|---|---|
|
|
Name of the Join Adapter to be modified. |
|
|
Remote LDAP host to which the LDAP adapter will communicate. |
|
|
Remote LDAP host port. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands add a host and a port to an existing LDAP adapter:
addLDAPHost(adapterName='ldap1', host='myhost.example.com', port=389)
addLDAPHost('ldap1', 'myhost.example.com','389', 'myContext')
Online command that creates a new mapping context.
Creates a new mapping context for the libOVD configuration associated with the specified OPSS context.
addMappingContext(mappingContextId, [contextName])
Table 2-47 addMappingContext Arguments
| Argument | Definition |
|---|---|
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command creates a mapping context for the libOVD configuration:
addMappingContext('defaultContext','context')
Online command that adds a plug-in to an existing adapter or at the global level.
Adds a plug-in to an existing adapter or at the global level. The "i"th key corresponds to "i"th value. The plug-in is added to default chain.
addPlugin(pluginName, pluginClass, paramKeys, paramValues, [adapterName], [contextName])
Table 2-48 addPlugin Arguments
| Argument | Definition |
|---|---|
|
|
Name of the plug-in to be created. |
|
|
Class of the plug-in. |
|
|
Init Param Keys separated by "|". |
|
|
Init Param Values separated by "|". |
|
|
Optional. Name of the adapter to be modified. If not specified, the plug-in is added at the global level. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands add a plug-in to an existing adapter:
wls:/mydomain/serverConfig> addPlugin(adapterName='ldap1', pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com') wls:/mydomain/serverConfig> addPlugin(pluginName='VirtualAttr',pluginClass='oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin', paramKeys='AddAttribute | MatchFilter | ContainerDN', paramValues='cn=%uid% | objectclass=person | dc=oracle,dc=com') wls:/mydomain/serverConfig> addPlugin(pluginName='DMSMetrics',pluginClass='oracle.ods.virtualization.engine.chain.plugins.DMSMetrics.MonitorPerformance', paramKeys='None',paramValues='None',adapterName='ldap1',contextName='default')
Online command that adds new parameter values to the existing adapter level plug-in or global plug-in.
Adds new parameter values to the existing adapter level plug-in or the global plug-in. If the parameter already exists, the new value is added to the existing set of values. The "i"th key corresponds to "i"th value.
addPluginParam(pluginName, paramKeys, paramValues, [adapterName], [contextName])
Table 2-49 addPluginParam Arguments
| Argument | Definition |
|---|---|
|
|
Name of the plug-in to be modified. |
|
|
Init Param Keys separated by "|". |
|
|
Init Param Values separated by "|". |
|
|
Optional Name of the adapter to be modified. If not specified, the global plug-in is modified. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands add a new plug-in parameter for an existing plug-in:
wls:/mydomain/serverConfig> addPluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramKeys='ReplaceAttribute | MatchFilter', paramValues='cn=%uid% | objectclass=person') wls:/mydomain/serverConfig> addPluginParam(pluginName='VirtualAttr', paramKeys='ReplaceAttribute | MatchFilter', par)
Online command that adds a control to the Request Control Exclude List.
Adds a control to the Request Control Exclude List for an existing LDAP adapter configuration.
addToRequestControlExcludeList(adapterName, control, [contextName])
Table 2-50 addToRequestControlExcludeList Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
LDAP control object identifier (OID). |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command adds 2.16.840.1.113894.1.8.31 control to ldap1 adapter's Request Control Exclude List:
addToRequestControlExcludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')
Online command that adds a control to the Request Control Include List.
Adds a control to the Request Control Include List for an existing LDAP adapter configuration.
addToRequestControlIncludeList(adapterName, control, [contextName])
Table 2-51 addToRequestControlIncludeList Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
LDAP control object identifier (OID). |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command adds 2.16.840.1.113894.1.8.31 control to ldap1 adapter's Request Control Include List:
addToRequestControlIncludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')
Online command that assigns a view to an LDAP adapter.
Assigns a view to an LDAP adapter in the libOVD configuration associated with an OPSS context.
assignViewToAdapter(viewName, adapterName, [contextName])
Table 2-52 assignViewToAdapter Arguments
| Argument | Definition |
|---|---|
|
|
Name of the view. |
|
|
Name of the LDAP adapter. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command assigns userView to ldap1 adapter:
assignViewToAdapter('userView','ldap1', 'default')
Online command that creates a new join adapter.
Creates a new join adapter for the libOVD configuration associated with an OPSS context.
createJoinAdapter(adapterName, root, primaryAdapter, [bindAdapter],[contextName])
Table 2-53 createJoinAdapter Arguments
| Argument | Definition |
|---|---|
|
|
Name of the Join Adapter to be created. |
|
|
Specifies the identifier of the primary adapter, which is the adapter searched first in the join operation. |
|
|
root |
|
|
Specifies identifier of the bind adapter(s), which are the adapter(s) whose proxy account is used to bind in the LDAP operation. By default, |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands create a Join adapter:
createJoinAdapter('join1','dc=join','primaryldap','myldap', 'myContext')
createJoinAdapter(adapterName='join1', root='dc=join', primaryAdapter='myldap')
Online command that creates a new LDAP adapter.
Creates a new LDAP adapter for the libOVD configuration associated with an OPSS context.
createLDAPAdapter(adapterName, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [passCred], [contextName])
Table 2-54 createLDAPAdapter Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be created. |
|
|
Virtual Namespace of the LDAP adapter. |
|
|
Remote LDAP host with which the LDAP adapter will communicate. |
|
|
Remote LDAP host port number. |
|
|
Location in the remote DIT to which root corresponds. |
|
|
Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to |
|
|
Optional. Proxy |
|
|
Optional. Proxy |
|
|
Optional. Controls the credentials, if any, the libOVD configuration will pass to the back-end (remote host) LDAP server. Values can be Always (default), None, or BindOnly. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands create an LDAP adapter:
createLDAPAdapter("testLDAP", "dc=us,dc=oracle,dc=com", "myhost.example.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "Always", "myContext"
createLDAPAdapter(adapterName='ldap1', root='dc=com', host='myhost.example.com', port=5566, remoteBase='dc=oid')
Online command that creates a new LDAP adapter.
Creates a new LDAP adapter with default plug-ins based on the directory type for the libOVD configuration associated with an OPSS context.
createLDAPAdapterWithDefaultPlugins(adapterName, directoryType, root, host, port, remoteBase, [isSecure], [bindDN], [bindPasswd], [contextName])
Table 2-55 createLDAPAdapterWithDefaultPlugins Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be created. |
|
|
Directory type. The value can be one of the following directories:
|
|
|
Virtual Namespace of the LDAP adapter. |
|
|
Remote LDAP host to which LDAP adapter should communicate. |
|
|
Remote host port. |
|
|
Location in the remote DIT to which the root corresponds. |
|
|
Optional. Boolean value that enables secure SSL/TLS connections to the remote hosts when set to |
|
|
Optional. Proxy |
|
|
Optional. Proxy |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands create an LDAP adapter with default plug-ins based on the directory type:
wls:/mydomain/serverConfig> createLDAPAdapterWithDefaultPlugins("testLDAP", "OID", "dc=us,dc=oracle,dc=com", "myhost.example.domain.com", 3060, "dc=uk,dc=oid", false, "cn=testuser", "welcome1", "myContext")
wls:/mydomain/serverConfig> createLDAPAdapterWithDefaultPlugins(adapterName='ldap1', directoryType="OID", root='dc=com', host='myhost.example.domain.com', port=5566, remoteBase='dc=oid',bindDN="cn=testuser",bindPasswd="welcome1",contextName='default')
Online command that creates a new view.
Creates a new view for the libOVD configuration associated with an OPSS context.
createView(viewName, [contextName])
Table 2-56 createView Arguments
| Argument | Definition |
|---|---|
|
|
Name of the new view. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command create a view named, userView:
createView('userView','default')
Online command that deletes an existing adapter.
Deletes an existing adapter for the libOVD configuration associated with an OPSS context.
deleteAdapter(adapterName, [contextName])
Table 2-57 deleteAdapter Arguments
| Argument | Definition |
|---|---|
|
|
Name of the Join Adapter to be deleted. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command deletes join1 adapter:
deleteAdapter(adapterName='join1') deleteAdapter('join1', 'default'))
Online command that deletes an attribute exclusion rule.
Deletes an attribute exclusion rule for the libOVD configuration associated with an OPSS context.
deleteAttributeExclusionRule(attribute, mappingContextId, [contextName])
Table 2-58 deleteAttributeExclusionRule Arguments
| Argument | Definition |
|---|---|
|
|
Name of the attribute to be removed from the exclusion list. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command deletes the objectsid attribute exclusion rule for the associated libOVD configuration:
deleteAttributeExclusionRule('objectsid','userrole')
Online command that delete an attribute mapping rule.
Deletes an attribute mapping rule for the libOVD configuration associated with an OPSS context.
deleteAttributeRule(srcAttrs, dstAttr, mappingContextId, [contextName])
Table 2-59 deleteEntityRelation Arguments
| Argument | Definition |
|---|---|
|
|
Source attributes. |
|
|
Destination attribute. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command deletes the lastname attribute mapping rule from cn:
deleteAttributeRule('lastname','sn')
Online command that deletes a domain exclusion rule.
Deletes a domain exclusion rule for the libOVD configuration associated with an OPSS context.
deleteDomainExclusionRule(domain, mappingContextId, [contextName])
Table 2-60 deleteEntityRelation Arguments
| Argument | Definition |
|---|---|
|
|
Distinguished Name of the container to be removed from the exclusion list. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command deletes 'cn=group,dc=oracle,dc=com' domain exclusion rule:
deleteDomainExclusionRule('cn=group,dc=oracle,dc=com')
Online command that deletes a domain mapping rule.
Deletes a domain mapping rule for the libOVD configuration associated with an OPSS context.
deleteDomainRule(srcDomain, destDomain, mappingContextId, [contextName])
Table 2-61 deleteDomainRule Arguments
| Argument | Definition |
|---|---|
|
|
Source domain. |
|
|
Destination domain. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command deletes 'dc=oracle,dc=com' domain mapping rule:
deleteDomainRule('dc=oracle,dc=com','dc=oracle,dc=com','userrole')
Deletes a domain exclusion rule.
Deletes a domain exclusion rule for the libOVD configuration associated with an OPSS context.
deleteDomainExclusionRule(domain, mappingContextId, [contextName])
Table 2-62 deleteDomainExclusionRule Attributes
| Argument | Definition |
|---|---|
|
|
Distinguished Name of the container to be removed from the exclusion list. |
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default value is |
deleteDomainExclusionRule('cn=group,dc=oracle,dc=com','userrole')
Online command that deletes a mapping context.
Deletes the specified mapping context for the libOVD configuration associated with an OPSS context.
deleteMappingContext(mappingContextId, [contextName])
Table 2-63 deleteMappingContext Arguments
| Argument | Definition |
|---|---|
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command deletes a mapping context for a libOVD configuration:
deleteMappingContext('defaultContext','context)
Online command that deletes a view.
Deletes a view for the libOVD configuration associated with an OPSS context.
createView(viewName, [contextName])
Table 2-64 createView Arguments
| Argument | Definition |
|---|---|
|
|
Name of the view to delete. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command deletes userView view:
deleteView('userView','default')
Online command that displays the details of an existing adapter.
Displays the details of an existing adapter configured for the libOVD configuration associated with an OPSS context.
getAdapterDetails(adapterName, [contextName])
Table 2-65 getAdapterDetails Arguments
| Argument | Definition |
|---|---|
|
|
Name of the adapter that contains the details to be displayed. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands display the details of ldap1 and join1 adapter respectively:
getAdapterDetails(adapterName='ldap1', contextName='default') getAdapterDetails(adapterName='join1')
Online command that lists the name and type of all adapters.
Lists the name and type of all adapters that are configured for the libOVD configuration associated with an OPSS context.
listAdapters([contextName])
Table 2-66 listAdapters Arguments
| Argument | Definition |
|---|---|
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command displays the name and type of all adapters configured for a libOVD configuration:
listAdapters() listAdapters(contextName='myContext')
Online command that lists all mapping contexts.
Lists the mapping contexts associated with the specified OPSS context.
listAllMappingContextIds([contextName])
Table 2-67 listAllMappingContextIds Arguments
| Argument | Definition |
|---|---|
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command lists all the mapping contexts:
listAllMappingContextIds('default')
Online command that lists all the attribute rules.
List all the attribute rules in the format SOURCE_ATTRIBUTE:DESTINATION_ATTRIBUTE:DIRECTION.
listAttributeRules(mappingContextId, [contextName])
Table 2-68 listAttributeRules Arguments
| Argument | Definition |
|---|---|
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command lists all the attribute rules:
listAttributeRules('defaultContext','default')
Online command that lists all domain rules.
Lists all the domain rules in the format of SOURCE_DOMAIN:DESTINATION_DOMAIN.
listDomainRules(mappingContextId, [contextName])
Table 2-69 listDomainRules Arguments
| Argument | Definition |
|---|---|
|
|
Name of the mapping context. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command lists all domain rules:
listDomainRules('defaultContext','default')
Online command that lists all views
Lists all views for a libOVD configuration associated with an OPSS context.
listViews([contextName])
Table 2-70 listViews Arguments
| Argument | Definition |
|---|---|
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command lists all views:
listViews('default')
Modifies parameters in an LDAP adapter.
Modifies the following LDAP adapter parameters:
Remote Base
Root
Secure
BindDN
BindPassword
PassCredentials
MaxPoolSize
MaxPoolChecks
MaxPoolWait
InitialPoolSize
PoolCleanupInterval
MaxPoolConnectionIdleTime
Active
PingProtocol
PingBindDN
PingBindPassword
PageSize
HeartBeatInterval
OperationTimeout
SearchCountLimit
Visible
Critical
InclusionFilter
ExclusionFilter
DNPattern
RequestControlAllowServerSupported
MaxPoolConnectionReuseTime
ConnectTimeout
PoolConnectionReclaimTime
Protocols
modifyLDAPAdapter(adapterName, attribute, value, [contextName])
Table 2-71 modifyLDAPAdapter Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
Name of the attribute to be modified. |
|
|
New value for the attribute. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following examples illustrate how to set attributes in ldap1:
modifyLDAPAdapter(adapterName='ldap1', attribute='Root', value='dc=us, dc=oracle, dc=com', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='RemoteBase', value='dc=org', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PassCredentials', value='BindOnly', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='BindDN', value='cn=proxyuser,dc=com', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='BindPassword', value='testwelcome123', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='Secure', value=true, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolSize', value=500, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolChecks', value=10, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolWait', value=120000, contextName='mydefault') [value is in milliseconds] modifyLDAPAdapter(adapterName='ldap1', attribute='InitialPoolSize', value=10, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PoolCleanupInterval', value=300, contextName='mydefault') [value is in seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolConnectionIdleTime', value=300, contextName='mydefault') [value is in seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='Active', value=false, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PingProtocol', value='LDAP', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindDN', value='cn=proxyuser', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PingBindPassword', value='welcome1', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='PageSize', value=500, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='HeartBeatInterval', value=120, contextName='mydefault') [value is in seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='OperationTimeout', value=120000, contextName='mydefault') [value is in milliseconds] modifyLDAPAdapter(adapterName='ldap1', attribute='SearchCountLimit', value=100, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='Visible', value='Yes', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='Critical', value='false', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='InclusionFilter', value='objectclass=inetorgperson#base', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='ExclusionFilter', value='uniquemember=*#base', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='DNPattern', value='(.*)cn=[a-z0-9]*$', contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='RequestControlAllowServerSupported', value=false, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='MaxPoolConnectionReuseTime', value=3600, contextName='mydefault') [value is in seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='ConnectTimeout', value=10000, contextName='mydefault') [value is in milli seconds] modifyLDAPAdapter(adapterName='ldap1', attribute='PoolConnectionReclaimTime', value=180, contextName='mydefault') modifyLDAPAdapter(adapterName='ldap1', attribute='Protocols', value='TLSv1.2', contextName='mydefault')
Online command that modifies socket options.
Modifies socket options for an existing LDAP adapter configuration.
modifySocketOptions(adapterName, reuseAddress, keepAlive, tcpNoDelay, readTimeout, [contextName])
Table 2-72 modifySocketOptions Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
Value of |
|
|
Value of |
|
|
Value of |
|
|
Value of |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command modifies the socket option for ldap1 adapter:
modifySocketOptions(adapterName='ldap1', reuseAddress=true, keepAlive=true, tcpNoDelay=true, readTimeout=180000, contextName='default')
Online command that removes all controls from the Request Control Exclude List.
Removes all controls from the Request Control Exclude List for an existing LDAP adapter configuration.
removeAllRequestControlExcludeList(adapterName, [contextName])
Table 2-73 removeAllRequestControlExcludeList Arguments
| Argument | Definition |
|---|---|
|
|
Name of the adapter to be updated. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command removes all controls from ldap1 adapter's Request Control Exclude List:
removeAllRequestControlExcludeList(adapterName='ldap1', contextName='default')
Online command that removes all controls from the Request Control Include List.
Removes all controls from the Request Control Include List for an existing LDAP adapter configuration.
removeAllRequestControlIncludeList(adapterName, [contextName])
Table 2-74 removeAllRequestControlIncludeList Arguments
| Argument | Definition |
|---|---|
|
|
Name of the adapter to be updated. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command removes all controls from ldap1 adapter's Request Control Include List:
removeAllRequestControlIncludeList(adapterName='ldap1', contextName='default')
Online command that removes a control from the Request Control Exclude List.
Removes a control from the Request Control Exclude List for an existing LDAP adapter configuration.
removeFromRequestControlExcludeList(adapterName, control, [contextName])
Table 2-75 removeFromRequestControlExcludeList Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
LDAP control object identifier (OID). |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command removes 2.16.840.1.113894.1.8.31 control from ldap1 adapter's Request Control Exclude List:
removeFromRequestControlExcludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')
Online command that removes a attribute from the DN Attributes List.
Removes a attribute from the DN Attributes List for an existing adapter that is configured for the libOVD associated with an OPSS context.
removeDNAttribute(adapterName attributeName, [contextName])
Table 2-76 removeDNAttribute Arguments
| Argument | Definition |
|---|---|
|
|
Name of the adapter to be updated. |
|
|
Name of the new DN attribute to be removed. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command removes memberof attribute from ldap1 adapter's attribute list:
removeDNAttribute(adapterName='ldap1', attributeName='memberof', contextName='default')
Online command that removes a control from the Request Control Include List.
Removes a control from the Request Control Include List for an existing LDAP adapter configuration.
removeFromRequestControlIncludeList(adapterName, control, [contextName])
Table 2-77 removeFromRequestControlIncludeList Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
LDAP control object identifier (OID). |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command removes 2.16.840.1.113894.1.8.31 control from ldap1 adapter's Request Control Include List:
removeFromRequestControlIncludeList(adapterName='ldap1', control='2.16.840.1.113894.1.8.31', contextName='default')
Online command that removes a join rule from a Join Adapter.
Removes a join rule from a Join Adapter configured for the libOVD configuration associated with the specified OPSS context.
removeJoinRule(adapterName, secondary, [contextName])
Table 2-78 removeJoinRule Arguments
| Argument | Definition |
|---|---|
|
|
Name of the Join Adapter to be modified. |
|
|
The join rules corresponding to this secondary adapter are removed from the Join Adapter. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command removes 2.16.840.1.113894.1.8.31 control from ldap1 adapter's Request Control Include List:
removeJoinRule('join1','secondaryldap1', 'default')
removeJoinRule(adapterName='join1', secondary='LDAP3')
Online command that removes a remote host from an existing LDAP adapter.
Removes a remote host (host:port) from an existing LDAP adapter.
removeLDAPHost(adapterName, host, [contextName])
Table 2-79 removeLDAPHost Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
Location of a remote LDAP host with which the LDAP adapter will communicate. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command removes the host and port from ldap1 adapter:
removeLDAPHost(adapterName='ldap1', host='myhost.example.com')
removeLDAPHost('ldap1', 'myhost.example.com', 'myContext')
Online command that removes a plug-in from an existing adapter.
Removes a plug-in from an existing adapter or at the global level.
removePlugin(pluginName, [adapterName], [contextName])
Table 2-80 removePlugin Arguments
| Argument | Definition |
|---|---|
|
|
Name of the plug-in to be removed. |
|
|
Optional. Name of the adapter to be modified. If not specified, the global plug-in is removed. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands remove VirtualAttr plug-in from ldap1 adapter:
removePlugin(adapterName='ldap1', pluginName='VirtualAttr') removePlugin(pluginName='VirtualAttr')
Online command that removes an existing parameter from a configured adapter level plug-in.
Removes an existing parameter from a configured adapter level plug-in or a global plug-in. This command removes all values of a particular parameter from the plug-in.
removePluginParam(pluginName, paramKey, [adapterName], [contextName])
Table 2-81 removePluginParam Arguments
| Argument | Definition |
|---|---|
|
|
Name of the plug-in to be modified. |
|
|
Parameter to be removed. |
|
|
Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands remove the plug-in parameter ReplaceAttribute from VirtualAttr plug-in:
removePluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramKey='ReplaceAttribute') removePluginParam(pluginName='VirtualAttr', paramKey='ReplaceAttribute')
Online command that replaces parameter values for a plug-in.
Replaces existing parameter values for the specified adapter level plug-in or global plug-in.
replacePluginParam(pluginName, paramName, paramValues, [adapterName,][contextName])
Table 2-82 replacePluginParam Arguments
| Argument | Description |
|---|---|
|
|
Name of the plug-in to be modified. |
|
|
Name of the parameter to be replaced. |
|
|
New values of the parameter. For more than one new value, separate each new parameter value are by a "|". |
|
|
Optional. Name of the adapter to be modified. If not specified, the global plug-in is modified. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following commands replace the parameter values for the associated plug-in for an adapter:
replacePluginParam(adapterName='ldap1', pluginName='VirtualAttr', paramName='ReplaceAttribute', paramValues='cn=%uid%') replacePluginParam(adapterName='ldap1', pluginName='UserManagement', paramName='mapAttribute', paramValues='orclguid=objectGuid | uniquemember=member')
Online command that unassigns a view from an adapter.
Unassigns a view from an LDAP adapter configuration.
unassignViewFromAdapter(viewName, adapterName, [contextName])
Table 2-83 unassignViewFromAdapter Arguments
| Argument | Definition |
|---|---|
|
|
Name of the view. |
|
|
Name of the LDAP adapter. |
|
|
Optional. Name of the OPSS context with which the libOVD configuration is associated. Default is "default". |
The following command unassigns userView associated with ldap1 adapter:
unassignViewFromAdapter('userView','ldap1', 'default')
Online command that lists the type of SSL store in use.
This command lists the type of SSL store in use for libOVD (JKS or KSS).
listSSLStoreType(contextName=[contextName])
Table 2-84 listSSLStoreType Arguments
| Argument | Definition |
|---|---|
|
contextName |
Name of the OPSS context with which libOVD configuration is associated. The default value is |
This following command list the SSL store types in use:
listSSLStoreType(contextName='default')
Online command to enable KSS for libOVD.
This command enables KSS for SSL, and disables JKS if it was enabled before. For more information about KSS, see Oracle® Fusion Middleware Securing Applications with Oracle Platform Security Services.
enableKSSForSSL(contextName=[contextName])
Table 2-85 enableKSSForSSL Arguments
| Argument | Definition |
|---|---|
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command enables KSS for SSL:
enableKSSForSSL(contextName='default')
Online command to enable JKS for libOVD.
This command enables JKS for SSL, and disables KSS if it was enabled before. The command assumes that the libOVD adapters.jks file exists.
enableJKSForSSL(contextName=[contextName])
Table 2-86 enableJKSForSSL Arguments
| Argument | Definition |
|---|---|
|
contextName |
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command enables JKS for SSL:
enableJKSForSSL(contextName='default')
Online command to enable JKS for SSL.
This command enables JKS for SSL, and disables KSS if it was enabled before. The command creates the libOVD adapters.jks file.
createKeyStoreAndEnableJKSForSSL(keystorePassword=[password], contextName=[contextName])
Table 2-87 createKeyStoreAndEnableJKSForSSL Arguments
| Argument | Definition |
|---|---|
|
|
Password for libOVD adapters.jks file. |
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command enable JKS for SSL:
createKeyStoreAndEnableJKSForSSL(keystorePassword='welcome1', contextName='default')
Online command to import trusted certificate into SSL store.
This command imports the provided trusted certificate into SSL store.
importTrustedCertificateIntoSSLStore(certificateFileName=[cert_file],aliasName=[aliasName],contextName=[contextName])
Table 2-88 importTrustedCertificateIntoSSLStore Arguments
| Argument | Definition |
|---|---|
|
|
File name that contains the certificate. |
|
|
Alias name for the certificate. |
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command imports the provided trusted certificate into SSL store:
importTrustedCertificateIntoSSLStore(certificateFileName='/tmp/cert.txt',aliasName='myCert1',contextName='default')
Online command to migrate all trusted certificates from JKS-based libOVD truststore to KSS store.
This command migrates all trusted certificates from JKS-based libOVD truststore to KSS store.
migrateAllTrustedCertificatesFromJKSToKSS(contextName=[contextName])
Table 2-89 migrateAllTrustedCertificatesFromJKSToKSS Arguments
| Argument | Definition |
|---|---|
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command migrates all trusted certificates from JKS-based libOVD truststore to KSS store:
migrateAllTrustedCertificatesFromJKSToKSS(contextName='default')
Online command to migrate given trusted certificates from JKS-based libOVD truststore to KSS store.
This command migrates the given trusted certificates from JKS-based libOVD truststore to KSS store.
migrateTrustedCertificatesFromJKSToKSS(aliasNames=[alias_names], contextName=[contextName])
Table 2-90 migrateTrustedCertificatesFromJKSToKSS Arguments
| Argument | Definition |
|---|---|
|
|
List of alias names to migrate separated by a comma. |
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command migrates the specified trusted certificates from JKS-based libOVD truststore to KSS store:
migrateTrustedCertificatesFromJKSToKSS (aliasNames='alias1,alias2', contextName='default')
Online command to change given LDAP host and port in an existing LDAP adapter configuration to a new host and port.
This command changes given LDAP host and port in an existing LDAP adapter configuration to a new host and port.
changeLDAPHostPort(adapterName=[adapterName], oldHost=[oldHost], oldPort=[oldPort], newHost=[newHost], newPort=[newPort], contextName=[contextName])
Table 2-91 changeLDAPHostPort Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
Old LDAP host. |
|
|
Old LDAP port. |
|
|
New LDAP host. |
|
|
New LDAP port. |
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command changes given LDAP host and port in an existing LDAP adapter configuration to a new host and port:
changeLDAPHostPort(adapterName='ldap1', oldHost='oldhost.example.domain.com', oldPort=389, newHost='newhost.example.domain.com', newPort=389)
Online command to remove a remote host and a port from an existing LDAP adapter configuration.
This command removes a remote host and a port from an existing LDAP adapter configuration.
removeLDAPHostPort(adapterName=[adapterName], host=[host], port=[port], contextName=[contextName])
Table 2-92 removeLDAPHostPort Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
Remote LDAP host. |
|
|
Remote LDAP port. |
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command removes a remote host and a port from an existing LDAP adapter configuration:
removeLDAPHostPort(adapterName='ldap1', host='myhost.example.domain.com', port=389)
Online command to set the given host and port to read-only/writable in an existing LDAP adapter configuration.
This command sets the given host and port to read-only/writable in an existing LDAP adapter configuration.
setReadOnlyForLDAPHost(adapterName=[adapterName], host=[host], port=[port], readOnly=[true/false], contextName=[contextName])
Table 2-93 setReadOnlyForLDAPHost Arguments
| Argument | Definition |
|---|---|
|
|
Name of the LDAP adapter to be modified. |
|
|
LDAP host. |
|
|
LDAP port. |
|
|
It has values: |
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following command sets the given host and port to read-only in an existing LDAP adapter configuration:
setReadOnlyForLDAPHost(adapterName='ldap1', host='myhost.example.domain.com', port=389, readOnly=true)
Online command that dumps the current connection pool statistics for an adapter to a file for the given JVM on which WLS is configured.
This command dumps the current connection pool statistics for an adapter to a file for the given JVM on which WLS is configured.
dumpLdapConnectionPoolStats(fileName=[fileName], adapterName=[adapterName], contextName=[contextName])
Table 2-94 dumpLdapConnectionPoolStats Arguments
| Argument | Definition |
|---|---|
|
|
Refers to the full path of the file. |
|
|
Name of the LDAP adapter. |
|
|
Optional. Name of the OPSS context with which libOVD configuration is associated. The default value is |
The following example dumps the connection pool statistics for ldap1 adapter into the specified file:
dumpLdapConnectionPoolStats('/tmp/poolstats1.txt','ldap1', 'default')