6 Mobile Security Access Server WLST Commands
Mobile Access Security Server WLST commands are divided into the following categories to manage MSAS instances:
6.1 Using the WLST Commands
Prerequisites to be followed before running the WLST commands.
-
Ensure that the Administration Server for the MSM domain is running.
-
Execute the MSAS WLST commands from the
IDM_HOME
/common/bin
directory. For example,/home/oracle/omsm/ORACLE_IDM/common/bin
. -
Connect to a running instance of the server and enter
help('msasManage')
to display the help for the MSAS configuration, identity store, and repository management commands. -
Connect to a running instance of the server and enter
help('wsmManage')
to display the help forresetWSMPolicyRepository
, session commands, and trusted issuer configuration commands
6.2 MSAS Configuration Commands
Use these MSAS Configuration Commands to manage MSAS configurations and application metadata.
Table 6-1 MSAS Configuration Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Display the MSAS configuration properties, and their values and groups, for a MSAS instance. |
Online |
|
Create or modify the configuration properties for a MSAS instance. |
Online |
|
Set the logger configuration for a MSAS instance to a specified level. |
Online |
|
Get logger configuration for a MSAS instance. |
Online |
|
List the logger configurations for a MSAS instance. |
Online |
6.2.1 displayMSASConfiguration
The displayMSASConfiguration command is an online command that displays the configuration properties, and their values and groups, for a MSAS instance.
Description
Displays the configuration properties, and their values and groups, for a MSAS instance. If a property is not defined in the MSAS instance's configuration document, then the default value defined for the product is displayed. If a MSAS instance name is not specified, or the specified MSAS instance does not exist, then the default values defined for the product are displayed.
Syntax
displayMSASConfiguration(instanceName=None)
Argument | Definition |
---|---|
instanceName |
Optional. The name of the MSAS instance associated with the configuration document from which property values are displayed. |
Example
This example displays the MSAS configuration properties, including their values and groups, for an instance named MSAS-123456
.
wls:/mydomain/serverConfig> displayMSASConfiguration('MSAS-123456')
This example displays the default MSAS configuration properties.
wls:/mydomain/serverConfig> displayMSASConfiguration()
6.2.2 setMSASConfiguration
The setMSASConfiguration command is an online command that sets the configuration properties in the configuration document associated with a MSAS instance
Description
Sets the configuration properties in the configuration document associated with a MSAS instance. If the configuration document does not exist for the instance, it is created automatically. A new property with values and/or groups of values can be added inside the configuration document. The set of acceptable properties are determined by the default set of properties supported by the product. Specific property values or groups of values can also be removed from the configuration document. The configuration document is removed if it does not have any properties.
Syntax
setMSASConfiguration(instanceName,categoryName,propertyName,group=None,values=None)
Argument | Definition |
---|---|
instanceName |
The name of the MSAS instance associated with the configuration document to be modified. |
categoryName |
The category of the configuration property. This is verified with the default set of properties for acceptability. |
propertyName |
The name of the configuration property. This is verified with the default set of properties for acceptability. |
groupName |
Optional. The group containing the set of values to add in the configuration document. If the group exists, and this value is set to |
propertyValues |
Optional. The array of values to set for a property or group inside the configuration document. Default is None which refers to an empty array list |
Example
This example is setting the location of the SSL keystore in a MSAS instance named MSAS-123456
.
wls:/mydomain/serverConfig> setMSASConfiguration('MSAS-123456','ServerSettings','ssl.keystore.location',None,['kss://mag1/sslkeystore'])
6.2.3 setMSASLogLevel
The setMSASLogLevel command is an online command that sets the logger configuration for a MSAS instance to a specified level.
Description
Sets the logger configuration for a MSAS instance to a specified level (for example, WARNING
).
Syntax
setMSASLogLevel(instanceName,logger,level)
Argument | Definition |
---|---|
instanceName |
The name of the MSAS instance logging configuration to be modified. This option is required; there is no default value. |
logger |
A logger name. The empty string denotes the root logger. This option is required; there is no default value. |
level |
The level name. It has to be one of the following:
An empty string can be used to set the level to null (inherited from parent). This option is required; there is no default value. |
Example
This example is setting a logging level of FINEST
for an MSAS logger named oracle.idm.gateway.grs
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs','FINEST'])
This example is setting a logging level to null for an MSAS logger named oracle.idm.gateway.grs
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs',''])
This example is setting a logging level of SEVERE
for the root logger in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','','SEVERE'])
6.2.4 getMSASLogLevel
The getMSASLogLevel command is an online command that retrieves the logger configuration for a MSAS instance.
Description
Gets the logger configuration for a MSAS instance.
Syntax
getMSASLogLevel(instanceName,logger)
Argument | Definition |
---|---|
instanceName |
The MSAS instance name of the logging configuration. This option is required; there is no default value. |
logger |
A logger name. The empty string denotes the root logger. This option is required; there is no default value. |
Example
This example is getting the logging level for an MSAS logger named oracle.idm.gateway.grs
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> getMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs')
This example is getting the logging level for the root MSAS logger in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> getMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs')
6.2.5 listMSASLoggers
The listMSASLoggers command is an online command that lists the logger configurations for a MSAS instance.
Description
Lists the logger configurations for a MSAS instance.
Syntax
listMSASLoggers(instanceName)
Argument | Definition |
---|---|
instanceName |
The MSAS instance name of the logging configuration. This option is required; there is no default value. |
Example
This example is listing the loggers for a MSAS instance named MSAS-123456
.
wls:/mydomain/serverConfig> listMSASLoggers('MSAS-123456'])
6.3 MSAS Identity Store Profile Commands
Use these commands to manage an identity store profile, which is a logical representation of a user repository. The identity store configuration is stored in an Identity Profile Document in the MSAS Repository. All identity store profile management commands must be performed in the context of a repository session. A repository session can only act on a single document.
Table 6-2 Identity Profile Management Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Create a new identity store profile in a MSAS instance within a repository session. |
Online |
|
Display the contents of a specified identity store profile, or list the names of all identity profiles, in a MSAS instance. |
Online |
|
Select an identity store profile in a MSAS instance for modification within a repository session. |
Online |
|
Delete an identity store profile from a specified MSAS instance within a repository session. |
Online |
|
Set or update the directory information for an identity store profile in a MSAS instance within a repository session. |
Online |
|
Set or update the user information for an identity store profile in a MSAS instance within a repository session. |
Online |
|
Set or update the group information for an identity store profile for a MSAS instance within a repository session. |
Online |
6.3.1 createIdentityProfile
The createIdentityProfile command is an online command that creates a new identity store profile in a MSAS instance within a repository session.
Description
Create a new identity store profile in a MSAS instance within a repository session. The identity store profile must be associated with a specified MSAS instance. Issuing this command outside of a repository session will result in an error.
Note:
-
This command only creates a new identity store profile for a MSAS instance. To use an identity store profile at runtime, the MSAS configuration must already be set, as described in setMSASConfiguration. After running
setMSASConfiguration
, you must also restart the Oracle MSAS Management Server for the runtime to access the configured profile.You cannot create multiple identity store profiles in the same session. You must commit the session after creating a profile, and then start a new session to create another profile.
-
If an error occurs during the creation of an identity store profile, the profile must first be committed before it can be deleted.
Syntax
createIdentityProfile(instanceName,Profilename,description=None)
Argument | Definition |
---|---|
instanceName |
Name of the MSAS instance in which you want to create an identity store profile. |
ProfileName |
Name of the new identity store profile. |
description |
Optional. Description of the new identity store profile. |
Example
This example creates an identity store profile named identity-profile
in a MSAS instance named MSAS-123456
, with a description of Identity profile
.
wls:/mydomain/serverConfig> createIdentityProfile('MSAS-123456','identity-profile','Identity profile')
6.3.2 displayIdentityProfile
The displayIdentityProfile command is an online command that displays the contents of a specified identity store profile in a MSAS instance, or list the names of all identity store profiles associated with a specified MSAS instance.
Description
Display the contents of a specified identity store profile in a MSAS instance, or list the names of all identity store profiles associated with a specified MSAS instance. If this command is executed from an active session, session changes are also displayed. If this command is executed outside of active session, content from the repository is displayed.
Syntax
displayIdentityProfile(instanceName,ProfileName=None)
Argument | Definition |
---|---|
instance |
Name of the MSAS instance associated with the identity store profiles to be displayed. |
ProfileName |
Optional. The name of the identity store profile to be displayed. If a name is not specified, then the names of the all available identity profiles for the MSAS instance are displayed. |
Example
This example displays the contents of an identity store profile named identity-profile
in an instance named MSAS-123456
.
wls:/mydomain/serverConfig> displayIdentityProfile('MSAS-123456','identity-profile')
This example displays the names of the all available identity store profiles in the MSAS instance MSAS-123456
.
wls:/mydomain/serverConfig> displayIdentityProfile('MSAS-123456')
6.3.3 selectIdentityProfile
The selectIdentityProfile command is an online command that selects an identity store profile for modification in a MSAS instance within a repository session.
Description
Select an identity store profile for modification in a MSAS instance within a repository session.
Syntax
selectIdentityProfile(instanceName,ProfileName,description=None)
Argument | Definition |
---|---|
instanceName |
Name of the MSAS instance associated with the identity store profile to be modified. |
ProfileName |
Name of the identity store profile to be modified. |
Example
This example selects the identity profile identity-profile
in MSAS instance MSAS-123456
for modification:
wls:/mydomain/serverConfig> selectIdentityProfile('MSAS-123456','identity-profile')
6.3.4 deleteIdentityProfile
The deleteIdentityProfile command is an online command that deletes an identity store profile from a MSAS instance within a repository session.
Description
Delete an identity store profile from a MSAS instance within a repository session. Issuing this command outside of a repository session will result in an error.
Note:
You cannot both create and delete the same identity store profile in a single repository session. You must commit the session after creating a profile, and then start a new session in order to delete that profile.
Syntax
deleteIdentityProfile(instanceName,Profilename)
Argument | Definition |
---|---|
instanceName |
Name of the MSAS instance associated with the identity store profile to be deleted. |
ProfileName |
Name of the identity store profile to be deleted. |
Example
This example deletes the identity profile identity-profile
from the MSAS instance MSAS-123456
.
wls:/mydomain/serverConfig> deleteIdentityProfile('MSAS-123456','identity-profile')
6.3.5 setIdentityProfileDirectory
The setIdentityProfileDirectory command is an online command that sets or updates the directory information for an identity store profile in a MSAS instance within a repository session.
Description
Set or update the directory information for an identity store profile in a MSAS instance within a repository session. The secure
argument can be used to determine if the identity store connection should be made over SSL. Before running this command, an identity store profile must be selected for modification or must be created in the current session.
Syntax
setIdentityProfileDirectory(DirectoryType,hosts,bindDN,bindPass,baseDN,isSecure)
Argument | Definition |
---|---|
directoryType |
Type of identity store profile directory. Supported types are:
|
hosts |
Host port information of the directory in the form |
bindDN |
The distinguished name of the user to be used for connecting to the directory. For example: CN=Administrator,CN=Users,DC=mycompany,DC=com. |
bindPass |
Bind distinguished name (DN) password for accessing the directory. |
baseDN |
Base distinguished name (DN) information of the directory. For example: DC=mycompany,DC=com |
isSecure |
Flag (boolean) to indicate if the connection to the directory should be made over SSL. When set to true the connection is configured over SSL. |
Example
This example creates an identity store profile directory with a type of OID
on a host named ['host.example.com:1234'], with bind distinguished name of cn=host,dn=oracle,dn=com
, using a password of welcome
, and a base distinguished name of cn=host,dn=oracle,dn=com
, which does not require an SSL connection because the secure
argument is false
.
wls:/mydomain/serverConfig> setIdentityProfileDirectory('OID',['host.example.com:1234'],'cn=host,dn=oracle,dn=com','welcome','cn=us,dn=oracle,dn=com',false)
This example creates an identity store profile directory that is identical to the one created in the previous example except that it requires an SSL connection to access the directory because the secure
argument is true
.
wls:/mydomain/serverConfig> setIdentityProfileDirectory('OID',['host.example.com:1234'],'cn=host,dn=oracle,dn=com','welcome','cn=us,dn=oracle,dn=com',true)
6.3.6 setIdentityProfileUser
The setIdentityProfileUser command is an online command that sets or updates the user information for an identity store profile in a MSAS instance within a repository session.
Description
Set or update the user information for an identity store profile in a MSAS instance within a repository session. Before running this command, an identity store profile must be selected for modification or must be created in the current session.
Syntax
setIdentityProfileUser(baseDN,loginIDAttribute,objectClassNames))
Argument | Definition |
---|---|
baseDN |
The base distinguished name (DN) used to create users. |
loginIDAttribute |
The login identity of the user. |
objectClassNames |
The fully-qualified names of one or more of LDAP object classes used to identify users. |
Example
This example creates an identity store profile user with base DN of cn=host,dn=oracle,dn=com
, with login ID of uid
, which is represented by a schema object class named inteorgperson
.
wls:/mydomain/serverConfig> setIdentityProfileUser('cn=user,dn=oracle,dc=com','uid',['inteorgperson'])
6.3.7 setIdentityProfileGroup
The setIdentityProfileGroup command is an online command that sets or updates the group information for an identity store profile in a MSAS instance within a repository session.
Command Category: MSAS Configuration Management
Use with WLST: Online
Description
Set or update the group information for an identity store profile in a MSAS instance within a repository session. Before running this command, an identity store profile must be selected for modification or must be created in current session.
Syntax
setIdentityProfileGroup(baseDN,groupNameAttribute,objectClassNames)
Argument | Definition |
---|---|
baseDN |
The base DNs used to create groups or enterprise roles. |
groupNameAttribute |
The attribute that uniquely identifies the name of the enterprise role or group. |
objectClassNames |
The fully-qualified names of one or more LDAP object classes used to represent enterprise roles or groups. |
Example
This example creates an identity store profile user group with a base DN of cn=host,dn=oracle,dn=com
, with group name attribute of cn
, which is represented by a schema object class named groupofuniquenames
.
wls:/mydomain/serverConfig> setIdentityProfileGroup('cn=group,dn=oracle,dc=com','cn',['groupofuniquenames'])
6.4 Repository Commands
Use these Repository WLST commands to manage the documents stored in the Oracle Repository.
Table 6-3 Policy Repository Management Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Export MSAS application metadata from the repository to a specified ZIP archive. |
Online |
|
Import MSAS application metadata into the repository from a specified ZIP archive. |
Online |
|
Migrate physical host:port values for applications in a MSAS instance to a mapped host:port value. |
Online |
|
Delete the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software. |
Online |
6.4.1 exportMSASAppMetadata
The exportMSASAppMetadata command is an online command that exports MSAS application metadata from the repository into a specified ZIP archive.
Description
Exports MSAS application metadata from the repository into a specified ZIP archive. If the specified archive already exists, you can choose whether to merge the documents into the existing archive, overwrite the archive, or cancel the operation. By default, all metadata for MSAS applications in the current domain is exported to the archive. However, you can use a MSAS instance name and MSAS application name to export specific metadata for these MSAS applications in the repository.
Syntax
exportMSASAppMetadata(archiveFileName,[instanceName=None],[applicationName=None],[includeShared='false'])
Argument | Definition |
---|---|
archiveFileName |
Name of the ZIP archive. If the specified archive already exists, you can choose whether to overwrite the archive, merge the documents into the existing archive, or cancel the operation. During override, the original archive is backed up and a message describes the location of the backup archive. |
instanceName |
Optional. The name of the MSAS instance from which you want to export the metadata of one or more MSAS applications. If no MSAS instance name is specified, but a valid MSAS application name is specified, then the metadata for all MSAS instances containing this MSAS application is exported. When neither the MSAS instance nor MSAS application name is specified, then the metadata for all the MSAS applications across all MSAS instances is exported. A wildcard '%' is allowed. If this argument is set to |
applicationName |
Optional. The name of the MSAS application for the metadata to be exported. A wildcard '%' is allowed. If this argument is set to |
includeShared |
Optional. Specifies whether a shared resource (such as a referenced policy) should be included with exported metadata. |
Example
This example exports the metadata for all the MSAS applications across all MSAS instances into an archive named MSASApplications.zip
.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip')
This example also exports the metadata for all MSAS applications across all MSAS instances into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','',[''])
This example exports the metadata for all applications across all MSAS instances that begin with MSAS
into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS%')
This example exports the metadata for all applications that begin with virtual
on an instance named MSAS-123456
into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual%'])
This example exports the metadata for an application named Virtual_Foo
on the MSAS-123456
instance into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual_Foo'])
This example exports the metadata for all applications that begin with virtual
across all MSAS instances into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','',['virtual%'])
This example exports the metadata for all applications that begin with virtual
, including application's shared resources, on the MSAS-123456
instance into the MSASApplications.zip
archive.
wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual%'],true)
6.4.2 importMSASAppMetadata
The importMSASAppMetadata command is an online command that imports MSAS application metadata into the repository from a specified ZIP archive.
Description
Import MSAS application metadata into the repository from a specified ZIP archive. You can use the map
argument to provide the location of a file that describes how to map physical information from the source environment to the target environment. You can generate a new map file by setting the generateMapFile
argument to true
.
Syntax
importMSASAppMetadata(archiveFileName,[mapFileName=None],[generateMapFlag='false'])
Argument | Definition |
---|---|
archiveFileName |
Name of the ZIP archive to be imported. |
mapFileName |
Optional. Location of a sample map file that describes how to map physical information from the source environment to the target environment. You can generate a new map file by setting the |
generateMapFlag |
Optional. Specify whether to generate a map file at the location specified by the |
Example
This example imports application metadata from the MSASartifacts.zip
archive without using a map file.
wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip')
This example collects all application metadata from the MSASartifacts.zip
archive and puts it into a map file named MSASMapfile.txt
. If the specified map file already exists, it will be overwritten.
wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip','/tmp/MSASmapfile.txt', true)
This example imports application metadata from the specified MSASartifacts.zip
archive according to the MSASmapfile.txt
map file.
wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip','/tmp/MSASmapfile.txt')
6.4.3 migrateMSASAppHostports
The migrateMSASAppHostports command is an online command that replaces the source host:port values with host:port values according to the source-to-target mapping in the specified mapFileName
for applications in the repository that match the specified MSAS instance name and application name.
Description
For applications in the repository that match the specified MSAS instance name and application name, replaces the source host:port values (for example, URLs to a back-end service) with host:port values, according to the source-to-target mapping in the specified mapFileName
. You can generate a new map file by setting the generateMapFlag
argument to true
.
Syntax
migrateMSASAppHostports(instanceName,applicationName,mapFileName,[generateMapFlag='false'])
Argument | Definition |
---|---|
instanceName |
Name of the MSAS instance. A wildcard is not accepted. |
applicationName |
Name of MSAS application whose referenced back-end service host:port information needs to be migrated or replaced. A wildcard '%' is allowed. If this argument is set to |
mapFileName |
Location of a input map file that describes how to map source MSAS host:port values to a target host:port. You can generate a new map file by setting the If you specify a map file without setting the If you specify a map file without setting the |
generateMapFlag |
Optional. Specify whether to generate a map file at the location specified by the |
Example
This example collects all host:port values for the myApp
application on an instance named MSAS-1234
, and puts it into a newly-generated map file named generatedMapfile.txt
. (Note that if a specified map file already exists, it will be overwritten).
wls:/mydomain/serverConfig> migrateMSASAppHostports ('MSAS-1234','myApp','/tmp/generatedMapfile.txt',true)
This example migrates the host:port values for all applications that begin with myApp
on the MSAS-1234
instance according to the myMapfile.txt
map file.
wls:/mydomain/serverConfig> migrateMSASAppHostports('MSAS-1234', 'myApp%', '/tmp/myMapfile.txt')
The following migrates the host:port values for all applications on the MSAS-1234
instance according to the myMapfile.txt
map file.
wls:/mydomain/serverConfig> migrateMSASAppHostports('MSAS-1234', 'None', '/tmp/myMapfile.txt')
6.4.4 resetWSMPolicyRepository
The resetWSMPolicyRepository command is an online command that deletes the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software.
Caution:
This command will delete all MSAS artifacts, including registered MSAS application and configuration documents. Restarting the server would recover the seed MSAS documents in the repository but will not recover other user-created documents. Therefore, prior to running this command, Oracle recommends running the exportMSASAppMetadata command to back up all your MSAS metadata.
Description
Delete the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software. You can use the clearStore
argument to specify whether to delete all policies, including custom user policies, from the repository before loading the new predefined policies.
Note:
In order to reseed the repository with all Oracle MSAS predefined policies, you must restart the Mobile Security Manager (MSM) server after running the resetWSMPolicyRepository
command.
Syntax
resetWSMPolicyRepository([clearStore='false'])
Argument | Definition |
---|---|
|
Policies to be deleted. Valid values are:
|
Example
The following example deletes all the policies in the repository, including user policies, and adds the predefined policies provided in the current product installation:
wls:/wls-domain/serverConfig>resetWSMPolicyRepository(true)
6.5 Session Commands
Use these custom WLST commands to manage the session. Some MSAS WLST commands, which modify repository documents and trusted token issuers must be executed in the context of a session.
Table 6-4 Session Management WLST Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Abort the current modification session, discarding any changes that were made during the session. |
Online |
|
Begin a session to modify the repository documents. |
Online |
|
Write the contents of the current session to the repository. |
Online |
|
Describe the contents of the current session. This will indicate either that the session is empty or list the name of the document that is being updated, along with the type of update (create, modify, or delete). |
Online |
6.5.1 abortRepositorySession
The abortRepositorySession command is an online command that aborts the current Oracle Repository modification session, discarding any changes that were made to the repository during the session.
Description
Abort the current Oracle Repository modification session, discarding any changes that were made to the repository during the session.
Syntax
abortRepositorySession()
Examples
The following example aborts the current session.
wls:/wls-domain/serverConfig>abortRepositorySession()
6.5.2 beginRepositorySession
The beginRepositorySession command is an online command that initiates a session to modify the Oracle Repository.
Description
Begin a session to modify the Oracle Repository. A repository session can only act on a single document. An error will be displayed if there is already a current session.
Syntax
beginRepositorySession()
Example
The following example begins a session.
wls:/wls-domain/serverConfig>beginRepositorySession()
6.5.3 commitRepositorySession
The commitRepositorySession command is an online command that writes the contents of the current session to the Oracle Repository.
Description
Write the contents of the current session to the Oracle Repository. Messages are displayed that describe what was committed. An error will be displayed if there is no current session.
Syntax
commitRepositorySession()
Example
The following example commits the current repository modification session.
wls:/wls-domain/serverConfig>commitRepositorySession()
6.5.4 describeRepositorySession
The describeRepositorySession command is an online command that describes the contents of the current session.
Description
Describe the contents of the current session. This will either indicate that the session is empty or list the name of the document that is being updated, along with the type of update (create, modify, or delete). An error will be displayed if there is no current session.
Syntax
describeRepositorySession()
Examples
The following example describes the current session.
wls:/wls-domain/serverConfig>describeRepositorySession()
6.6 Token Issuer Trust Configuration Commands
Use these WLST commands to view and define trusted issuers, trusted distinguished name (DN) lists, and token attribute rule filters for trusted SAML or JWT signing certificates. When using WLST commands to create, modify, and delete token issuer trust documents, you must execute the commands in the context of a session. Each session applies to a single trust document only.
Note:
Connect to a running instance of the server and enter help('wsmManage')
to view the help for these commands.
Table 6-5 Token Issuer Trust Commands
Use this command... | To... | Use with WLST... |
---|---|---|
Create a new token issuer trust document using the name provided. |
Online |
|
Delete the entry for the issuer, including the DN list in it. |
Online |
|
Delete a token attribute rule associated with a trusted DN. |
Online |
|
Delete the token issuer trust document, specified by the name argument, from the repository. |
Online |
|
Display the names of the DN lists associated with a specified issuer. |
Online |
|
Export the trust configuration (issuers, DNs, and token attribute rules) for all trusted issuers. |
Online |
|
Import the trust configuration (Issuers, DNs, and token attribute rules) for all trusted issuers. |
Online |
|
List the token issuer trust documents in the repository. |
Online |
|
Remove trusted issuers and associated configurations (DNs and token attribute rules). |
Online |
|
Select the token issuer trust document, identified by the name argument, to be modified in the session. |
Online |
|
Specify a trusted issuer with a DN list. |
Online |
|
Add, delete, or update token attribute rules for a given token signing certificate DN. |
Online |
|
Specify the DN of a token signing certificate and a list of trusted users. The name ID and the attribute can be mapped to another user ID. |
Online |
|
Sets or resets the display name of the Token Issuer Trust document currently selected in the session. |
Online |
6.6.1 createWSMTokenIssuerTrustDocument
The createWSMTokenIssuerTrustDocument command is an online command that creates a new token issuer trust document using the name provided within a session.
Description
Within a session, create a new token issuer trust document using the name provided. A display name can also be provided as the second argument. You must start a session (beginWSMSession
) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.
Syntax
createWSMTokenIssuerTrustDocument(name, displayName)
Arguments | Definition |
---|---|
|
Name of the document to be created. An error is thrown if a name is not provided If a document by this name already exists, then a new document will not be created. |
|
Optional. Display name for the document. |
Examples
In the following example, the trust document named tokenissuertrustWLSbase_domain
is created, with a display name of wls_domain Trust Document
. In the second example, no display name is provided.
wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain","wls_domain Trust Document") wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain")
6.6.2 deleteWSMTokenIssuerTrust
The deleteWSMTokenIssuerTrust command is an online command that deletes a trusted token issuer and its associated trusted DN list within a session.
Description
Within a session, delete a trusted token issuer and its associated trusted DN list. Supported values for a SAML assertion or JWT token type are dns.sv
, dns.hok
, or dns.jwt
. This issuer must exist in the token issuer trust document selected in the session for modification. If no trusted key identifiers exist, then the issuer itself is deleted.
To delete a specified list of trusted key identifiers for an issuer, use selectWSMTokenIssuerTrustDocument. You must start a session (beginWSMSession
) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed. You cannot modify the default token issuer trust document.
Syntax
deleteWSMTokenIssuerTrust(type, issuer)
Arguments | Definition |
---|---|
|
The type of SAML assertion or JWT tokens the trusted issuer issues:
|
|
The name of the issuer whose trusted DN list will be deleted (for example, SAML assertion or JWT token). The issuer will also be deleted. |
Examples
In the following example, the issuer www.yourCompany.com
and the DN list in the dns.sv
trusted SAML sender vouches client list for the issuer are deleted:
wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrust('dns.sv', 'www.yourCompany.com')
In the following example, the issuer www.yourCompany.com
and the DN list in the dns.jwt
trusted JWT token sender vouches client list for the issuer are deleted:
wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrust('dns.jwt ', 'www.yourCompany.com')
6.6.3 deleteWSMTokenIssuerTrustAttributeRule
The deleteWSMTokenIssuerTrustAttributeRule command is an online command that deletes a token attribute rule associated with a trusted DN from the token issuer trust document.
Description
Delete a token attribute rule associated with a trusted DN from the token issuer trust document. To delete only the list of filter values for an attribute, use the setWSMTokenIssuerTrustAttributeFilter command. You must start a session (beginWSMSession
) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.
Syntax
deleteWSMTokenIssuerTrustAttributeRule(dn)
Arguments | Description |
---|---|
|
The DN of the token signing certificate that identifies the rule to be deleted. |
Examples
In the following example, the token attribute rule associated with the 'CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
trusted DN is deleted.
wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrustAttributeRule('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US')
6.6.4 deleteWSMTokenIssuerTrustDocument
The deleteWSMTokenIssuerTrustDocument command is an online command that deletes the specified token issuer trust document permanently from the repository.
Description
Deletes the specified token issuer trust document permanently from the repository. The default token issuer trust document (oracle-default
) cannot be deleted.
Syntax
deleteWSMTokenIssuerTrustDocument (name)
Arguments | Definition |
---|---|
|
Name of the token issuer trust document to be deleted. |
Examples
In the following example, the token issuer trust document tokenissuertrustWLSbase_domain
trust document is deleted:
wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrustDocument('tokenissuertrustWLSbase_domain')
6.6.5 displayWSMTokenIssuerTrust
The displayWSMTokenIssuerTrust command is an online command that displays a trusted token issuer and its associated trusted DN list.
Description
Display a trusted token issuer and its associated trusted DN list. Supported values for a SAML assertion or JWT token type are dns.hok
, dns.sv
, or dns.jwt
. The issuer
argument is optional. If the issuer and type is specified and exists in the trusted issuer list for the type, then the associated DN lists for the issuer is displayed. If issuer
is not set, then all trusted issuers of the given type are listed.
Syntax
displayWSMTokenIssuerTrust(type, issuer)
Arguments | Definition |
---|---|
|
The type of SAML assertion or JWT tokens the trusted issuer issues:
|
|
Optional. The issuer whose trusted DN list is displayed (for example, SAML assertion or JWT token). If not set, the list of all the trusted issuers is displayed. |
Examples
In the following example, the DN lists in the dns.sv
trusted SAML sender vouches client list for the www.oracle.com
trusted issuer are displayed:
wls:/wls-domain/serverConfig>displayWSMTokenIssuerTrust('dns.sv', 'www.oracle.com')
In the following example, the names of all trusted SAML issuers associated with the dns.sv
trusted SAML sender vouches client list are displayed:
wls:/wls-domain/serverConfig>displayWSMTokenIssuerTrust('dns.sv', None)
6.6.6 exportWSMTokenIssuerTrustMetadata
The exportWSMTokenIssuerTrustMetadata command is an online command that exports all trust configurations (issuer, DNs, and token attribute rules) for all trusted issuers.
Description
Export all the trust configurations (issuer, DNs, and token attribute rules) for all trusted issuers. The trust configuration will be exported to an XML file identified by the specified location. The trust configuration for the issuers specified in the exclude list will not be exported. If no argument is passed, the trust configuration for all trusted issuers will be exported.
Syntax
exportWSMTokenIssuerTrustMetadata(trustFile,excludeIssuers=None)
Arguments | Definition |
---|---|
|
The location of the file where the exported metadata will be stored. |
|
Optional. The list of issuers for which trust configuration should not be exported. |
Examples
In the following example, all trusted issuer configurations are exported to the specified XML file except for www.oracle.com
and www.yourcompany.com
, which have been excluded:
wls:/wls-domain/serverConfig>exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml',['www.oracle.com','www.myissuer.com']) Starting Operation exportWSMTokenIssuerTrustMetadata ... Configuration for trusted issuers successfully exported.
In the following example, all specified trusted issuer configurations are exported to the specified XML file:
wls:/wls-domain/serverConfig>exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml') Starting Operation exportWSMTokenIssuerTrustMetadata ... Configuration for trusted issuers successfully exported.
6.6.7 importWSMTokenIssuerTrustMetadata
The importWSMTokenIssuerTrustMetadata command is an online command that imports the trust configurations (issuers, DNs, and token attribute rules) for all trusted issuers.
Description
Import the trust configurations (issuers, DNs, and token attribute rules) for all trusted issuers. The trust configuration will be imported from an XML file identified by the specified location.
Syntax
importWSMTokenIssuerTrustMetadata(trustFile)
Arguments | Definition |
---|---|
|
The location of the file where the imported metadata will be stored. |
Examples
In the following example, all trusted issuer configurations are imported from the specified XML file:
wls:/wls-domain/serverConfig>importWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml') Starting Operation importWSMTokenIssuerTrustMetadata ... Configuration for trusted issuers successfully imported.
6.6.8 listWSMTokenIssuerTrustDocuments
The listWSMTokenIssuerTrustDocuments command is an online command that lists all token issuer trust documents in the repository.
Description
When used without any arguments, this command lists all the token issuer trust documents in the repository. If the detail argument is set to true
, the display name and the status of the document are also displayed. You can use the wildcard character (*) in combination with other characters. If no wildcard character is specified in the name argument, the document that matches the name argument exactly is displayed. If the detail
argument is set to true
, the contents of the document are listed. This command can be executed inside and outside of a session.
Syntax
listWSMTokenIssuerTrustDocuments(name=None, detail='false')
Arguments | Definition |
---|---|
|
Optional. Name of the token issuer trust document. You can use wildcards with this argument. |
|
Optional. List the details for the requested document. The default is |
Examples
In the following example, the token issuer trust document tokenissuertrustWLSbase_domain
trust document is listed along with any details:
wls:/wls-domain/serverConfig> listWSMTokenIssuerTrustDocuments(tokenissuertrustWLSbase_domain,'true')
6.6.9 revokeWSMTokenIssuerTrust
The revokeWSMTokenIssuerTrust command is an online command that revokes trust by removing all trusted issuers and associated configurations (DNs and token attribute rules).
Description
Revokes trust by removing all trusted issuers and associated configurations (DNs and token attribute rules). The issuers specified in the optional exclude list will not be removed. If no argument is passed, then all trusted issuers and the associated configuration are removed.
Syntax
revokeWSMTokenIssuerTrust(excludeIssuers=None)
Arguments | Definition |
---|---|
|
Optional. The list of issuers for which trust configuration should not be removed. |
Examples
In the following example, all trusted issuer configurations are removed except for www.oracle.com
and www.yourcompany.com
, which have been excluded:
wls:/wls-domain/serverConfig>revokeWSMTokenIssuerTrust(['www.oracle.com','www.yourcompany.com']) Starting Operation revokeWSMTokenIssuerTrust ... Configuration for trusted issuers successfully removed.
In the following example, all trusted issuer configurations are removed:
wls:/wls-domain/serverConfig>revokeWSMTokenIssuerTrust() Starting Operation revokeWSMTokenIssuerTrust ... Configuration for trusted issuers successfully removed.
6.6.10 selectWSMTokenIssuerTrustDocument
The selectWSMTokenIssuerTrustDocument command is an online command that selects the token issuer trust document, identified by the name argument, to be modified in the session.
Description
Selects the token issuer trust document, identified by the name argument, to be modified in the session. The name must match the value of the name attribute in the document. You must start a session (beginWSMSession
) before executing this command. If there is no current session or there is already an existing modification process, an error is displayed. You cannot modify the default token issuer trust document.
Syntax
selectWSMTokenIssuerTrustDocument(name)
Argument | Definition |
---|---|
|
Name of the document to modified in the session. An error is thrown if a name is not provided. |
Examples
In the following example, the tokenissuertrustWLSbase_domain
document is selected for modification:
wls:/wls-domain/serverConfig> selectWSMTokenIssuerTrustDocument('tokenissuertrustWLSbase_domain')
6.6.11 setWSMTokenIssuerTrust
The setWSMTokenIssuerTrust command is an online command that configures a trusted token issuer and define trusted keys or a trusted DN list for the issuer.
Description
Configure a trusted token issuer and define trusted keys or a trusted DN list for the issuer. Supported values for a SAML assertion or JWT token type are dns.hok
, dns.sv
, or dns.jwt
. The trustedKeyIDs
argument is optional. If you do not set this argument, only the trusted issuer will be set for the specified type. This command can be used to specify the DN list associated with a trusted token issuer, update the list, or delete the list.
Syntax
setWSMTokenIssuerTrust(type, issuer, trustedKeyIDs)
Argument | Definition |
---|---|
|
The name of the trusted issuer, for example |
|
The type of SAML assertion or JWT tokens the trusted issuer issues:
|
|
Optional. An array of DNs for token signing certificates associated with the issuer for the specified type. This is a comma-separated list with the format |
Examples
In the following example, CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US'
is set as a DN in the dns.sv
DN list for the www.oracle.com
trusted issuer:
wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv', 'www.oracle.com', ['CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US'])
In the following example, the name CN=orcladmin, OU=Doc, O=Oracle, C=US'
in added to the dns.sv
DN list for the www.oracle.com
trusted issuer:
wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv','www.oracle.com', ['CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'CN=orcladmin, OU=Doc, O=Oracle, C=US'])
In the following example, the list of DN values in the dns.sv
DN list is removed from the www.oracle.com
trusted issuer:
wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv', 'www.oracle.com', [])
6.6.12 setWSMTokenIssuerTrustAttributeFilter
The setWSMTokenIssuerTrustAttributeFilter command is an online command that specifies token attribute filtering rules for a trusted DN list.
Description
Specify token attribute filtering rules for a trusted DN list. For each trusted DN configured for an issuer, a token attribute filtering rule can be configured and applied. Each rule has two parts: a name ID and an attributes part for attributes in a SAML assertion or a JWT token. The name ID and each attribute can contain a filter with multiple value patterns. To remove the list of filters for an attribute for the signing certificate, use an empty set ([]) for the value of filters
.
Note:
You must first use the setWSMTokenIssuerTrust
command to configure a list of trusted DN names for an issuer.
Syntax
setWSMTokenIssuerTrustAttributeFilter(dn, attrName, filters)
Argument | Definition |
---|---|
|
The DN of the token signing certificate. The DN as the identifier of the token attribute rule where modifications would be done. |
|
The name of the user attribute for which the filtering will be applied. The value can be as follows:
|
|
Optional. List of filters for the attribute. The list has the format [' When |
Examples
In the following example, the name ID yourTrustedUser
is set as a trusted user for the weblogic
trusted DN:
wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser'])
In the following example, the name IDs jdoe
is added to the list of trusted users for the weblogic
trusted DN:
wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser', 'jdoe'])
In the following example, the list of trusted users for the weblogic
trusted DN is removed:
wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', [])
6.6.13 setWSMTokenIssuerTrustAttributeMapping
The setWSMTokenIssuerTrustAttributeMapping command is an online command that specifies token attribute mapping rules for a trusted DN list.
Description
Specify token attribute mapping rules for a trusted DN list. For each trusted DN configured for a token issuer, a token attribute mapping rule can be configured and applied. Each rule has two parts: a name ID and an attributes part for attributes associated with a SAML assertion or a JWT token. For a trusted DN, a token attribute mapping rule sets the mapping for the value of an attribute as specified by the attrName
argument. The userAttribute
argument is optional and indicates the local user attribute it corresponds to. The userMappingAttribute
argument is optional and indicates the user attribute to be used in the system to authenticate the users. If the attribute as identified by attrName
exists for a token attribute rule for the DN, the mapping is overwritten by the new value. For example, in federated environments, where the user subject ID (for example, mail
) in the token is different from the user attribute (for example, uid
) for authenticating the same user, the name ID and each attribute can map the local user attribute for the subject name ID to the local user attribute to authenticate a trusted user.
Note:
You must first use the setWSMTokenIssuerTrust
command to configure a list of trusted DN names for an issuer.
Syntax
setTokenIssuerTrustAttributeMapping(dn, attrName, userAttribute=None, userMappingAttribute=None)
Arguments | Description |
---|---|
|
The trusted DN of a token signing certificate. |
|
The name of the use attribute for which the mapping will be applied The value can be as follows:
|
|
Optional. The local name of the user attribute in the local identity store that the subject name ID corresponds to. The value can be as follows:
|
|
Optional. The value of the local name of the user attribute in the local identity store that the subject name ID maps to for authentication. The value can be as follows:
|
Examples
In the following example, the mail
attribute for the Subject ID in the token is mapped to the uid
attribute.
wls:/base_domain/serverConfig>setTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', 'mail', 'uid') Starting Operation setWSMTokenIssuerTrustAttributeMapping ... The token attribute mapping are successfully set
In the following example, the local user attribute for the Subject ID in the token is mapped to the uid
attribute.
wls:/base_domain/serverConfig>setTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', '', 'uid')
6.6.14 setWSMTokenIssuerTrustDisplayName
The setWSMTokenIssuerTrustDisplayName command is an online command that sets or resets the display name of the Token Issuer Trust document currently selected in the session.
Description
Sets or resets the display name of the Token Issuer Trust document currently selected in the session.
You must start a session (beginWSMSession
) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.
Syntax
setWSMTokenIssuerTrustDisplayName("displayName")
Arguments | Definition |
---|---|
|
Name to be set as a display name for the document currently selected for modification in the session. |
Examples
In the following example, the display name for the trust document being modified is set to Test Document
.
wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustDisplayName("Test Document")
6.7 Diagnostic Commands
Use the WLST diagnostic command to check the status of the Oracle components that are required for proper functioning of the product.
6.7.1 checkWSMStatus
The checkWSMStatus command is an online command that verifies the status of the Oracle components that are required for proper functioning of the product.
Description
Check the status of the Oracle components that are required for proper functioning of the product. The Oracle components that are checked are the policy manager (wsm-pm
), the agent (agent
), and the credential store and keystore configuration. The status of the components can be checked together or individually.
Note:
The Policy Manager (wsm-pm
) application must be deployed and running for the check status tool to function correctly.
Syntax
checkWSMStatus([component=None],[address=None],[verbose=true])
Arguments | Description |
---|---|
|
Optional. All checks will be performed if no value is specified. Valid options are:
|
|
Optional. The HTTP URL of the host running the Policy Manager checkWSMStatus('agent', 'http://localhost:7001') The address is not required in the WebLogic Server domain where auto-discovery is present. |
|
Optional. If the value of this flag is |
Examples
In the following example, the checkWSMStatus
command is run without arguments. The status of the credential store, policy manager, and enforcement agent is returned.
wls:/base_domain/serverConfig> checkWSMStatus()
Credential Store Configuration:
PASSED.
Message(s):
keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
keystore-csf-key : Credentials configured.
keystore.sig.csf.key : Property is configured and its value is "sign-csf-key".
Description: The "keystore.sig.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for signing.
sign-csf-key : Credentials configured.
Sign Key : Key configured.
Alias - orakey
Sign Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
keystore.enc.csf.key : Property is configured and its value is "enc-csf-key".
Description: The "keystore.enc.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for decryption.
enc-csf-key : Credentials configured.
Encrypt Key : Key configured.
Alias - orakey
Encrypt Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
Policy Manager:
PASSED.
Message(s):
OWSM Policy Manager connection state is OK.
OWSM Policy Manager connection URL is "host.example.com:1234".
Enforcement Agent:
PASSED.
Message(s):
Enforcement is successful.
Service URL: http://host.example.com:7001/Diagnostic/DiagnosticService?wsdl
In the following example, the credential store key keystore-csf-key
is deleted and the checkWSMStatus
command is rerun for the credential store credstore
. The status check fails because the csf-key keystore-csf-key
is not present in the credential store:
wls:/base_domain/serverConfig> deleteCred(map="oracle.wsm.security", key="keystore-csf-key")
wls:/base_domain/serverConfig> checkWSMStatus('credstore')
Credential Store Configuration:
FAILED.
Message(s):
keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
keystore-csf-key : Credentials not configured.
Credential Store Diagnostic Messages:
Message(s):
The csf-key keystore-csf-key is not present in the credential store.
Perform the following steps to update the credential store (using WLST commands):-
1. connect()
2. createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore-csf-key", password="<keystore-password>", desc="Keystore Password CSF Key")
NOTE:- All the above commands are based on the Domain level configurations. The actual csf key may be overridden at runtime due to config override. See Documentation for more details.
In the following example, the csf-key keystore-csf-key
is configured and the checkWSMStatus
command is rerun. The configuration check passes.
wls:/base_domain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore-csf-key", password="welcome1", desc="Keystore Password CSF Key")
Already in Domain Runtime Tree
wls:/base_domain/serverConfig> checkWSMStatus('credstore')
Credential Store Configuration:
PASSED.
Message(s):
keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
keystore-csf-key : Credentials configured.
keystore.sig.csf.key : Property is configured and its value is "sign-csf-key".
Description: The "keystore.sig.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for signing.
sign-csf-key : Credentials configured.
Sign Key : Key configured.
Alias - orakey
Sign Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
keystore.enc.csf.key : Property is configured and its value is "enc-csf-key".
Description: The "keystore.enc.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for decryption.
enc-csf-key : Credentials configured.
Encrypt Key : Key configured.
Alias - orakey
Encrypt Certificate : Certificate configured.
Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
Expiry - June 28, 2020 11:17:12 AM PDT
true
The following example checks the enforcement status of the agent component at the URL http://localhost:7001
.
wls:/test_domain1/serverConfig> checkWSMStatus('agent','http://localhost:7001')
Enforcement Agent:
Note: Enforcement might succeed if OWSM Policy Manager is down due to policy caching. For such scenarios wsm-pm test must be run prior to this test.
PASSED.
Message(s):
Enforcement is successful.
Service URL: http://localhost:7001/Diagnostic/DiagnosticService?wsdl