1. WebLogic Scripting Tool Command Reference for Identity and Access Management
  2. WLST for Oracle Mobile Security Suite
  3. Mobile Security Access Server WLST Commands

6 Mobile Security Access Server WLST Commands

Use these custom WebLogic Scripting Tool (WLST) commands to manage Mobile Access Security Server (MSAS) instances. You can also manage in the MSAS console.

Mobile Access Security Server WLST commands are divided into the following categories to manage MSAS instances:

6.1 Using the WLST Commands

Prerequisites to be followed before running the WLST commands.

  • Ensure that the Administration Server for the MSM domain is running.

  • Execute the MSAS WLST commands from the IDM_HOME/common/bin directory. For example, /home/oracle/omsm/ORACLE_IDM/common/bin.

  • Connect to a running instance of the server and enter help('msasManage') to display the help for the MSAS configuration, identity store, and repository management commands.

  • Connect to a running instance of the server and enter help('wsmManage') to display the help for resetWSMPolicyRepository, session commands, and trusted issuer configuration commands

6.2 MSAS Configuration Commands

Use these MSAS Configuration Commands to manage MSAS configurations and application metadata.

Table 6-1 MSAS Configuration Commands

Use this command... To... Use with WLST...

displayMSASConfiguration

Display the MSAS configuration properties, and their values and groups, for a MSAS instance.

Online

setMSASConfiguration

Create or modify the configuration properties for a MSAS instance.

Online

setMSASLogLevel

Set the logger configuration for a MSAS instance to a specified level.

Online

getMSASLogLevel

Get logger configuration for a MSAS instance.

Online

listMSASLoggers

List the logger configurations for a MSAS instance.

Online

6.2.1 displayMSASConfiguration

The displayMSASConfiguration command is an online command that displays the configuration properties, and their values and groups, for a MSAS instance.

Description

Displays the configuration properties, and their values and groups, for a MSAS instance. If a property is not defined in the MSAS instance's configuration document, then the default value defined for the product is displayed. If a MSAS instance name is not specified, or the specified MSAS instance does not exist, then the default values defined for the product are displayed.

Syntax

displayMSASConfiguration(instanceName=None)
Argument Definition 
instanceName

Optional. The name of the MSAS instance associated with the configuration document from which property values are displayed.

Example

This example displays the MSAS configuration properties, including their values and groups, for an instance named MSAS-123456. 

wls:/mydomain/serverConfig> displayMSASConfiguration('MSAS-123456')

This example displays the default MSAS configuration properties.

wls:/mydomain/serverConfig> displayMSASConfiguration()

6.2.2 setMSASConfiguration

The setMSASConfiguration command is an online command that sets the configuration properties in the configuration document associated with a MSAS instance

Description

Sets the configuration properties in the configuration document associated with a MSAS instance. If the configuration document does not exist for the instance, it is created automatically. A new property with values and/or groups of values can be added inside the configuration document. The set of acceptable properties are determined by the default set of properties supported by the product. Specific property values or groups of values can also be removed from the configuration document. The configuration document is removed if it does not have any properties.

Syntax

setMSASConfiguration(instanceName,categoryName,propertyName,group=None,values=None)
Argument Definition 
instanceName

The name of the MSAS instance associated with the configuration document to be modified.

 
categoryName

The category of the configuration property. This is verified with the default set of properties for acceptability.

 
propertyName

The name of the configuration property. This is verified with the default set of properties for acceptability. 

groupName

Optional. The group containing the set of values to add in the configuration document. If the group exists, and this value is set to None, then the group is removed. 

propertyValues

Optional. The array of values to set for a property or group inside the configuration document. Default is None which refers to an empty array list

Example

This example is setting the location of the SSL keystore in a MSAS instance named MSAS-123456. 

wls:/mydomain/serverConfig> setMSASConfiguration('MSAS-123456','ServerSettings','ssl.keystore.location',None,['kss://mag1/sslkeystore'])

6.2.3 setMSASLogLevel

The setMSASLogLevel command is an online command that sets the logger configuration for a MSAS instance to a specified level.

Description

Sets the logger configuration for a MSAS instance to a specified level (for example, WARNING).

Syntax

setMSASLogLevel(instanceName,logger,level)
Argument Definition 
instanceName

The name of the MSAS instance logging configuration to be modified. This option is required; there is no default value.

 
logger

A logger name. The empty string denotes the root logger. This option is required; there is no default value.

 
level

The level name. It has to be one of the following:

  • SEVERE

  • WARNING

  • INFO

  • CONFIG

  • FINE

  • FINER

  • FINEST

An empty string can be used to set the level to null (inherited from parent). This option is required; there is no default value.

Example

This example is setting a logging level of FINEST for an MSAS logger named oracle.idm.gateway.grs in an instance named MSAS-123456. 

wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs','FINEST'])

This example is setting a logging level to null for an MSAS logger named oracle.idm.gateway.grs in an instance named MSAS-123456. 

wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs',''])

This example is setting a logging level of SEVERE for the root logger in an instance named MSAS-123456. 

wls:/mydomain/serverConfig> setMSASLogLevel('MSAS-123456','','SEVERE'])

6.2.4 getMSASLogLevel

The getMSASLogLevel command is an online command that retrieves the logger configuration for a MSAS instance.

Description

Gets the logger configuration for a MSAS instance.

Syntax

getMSASLogLevel(instanceName,logger)
Argument Definition 
instanceName

The MSAS instance name of the logging configuration. This option is required; there is no default value.

 
logger

A logger name. The empty string denotes the root logger. This option is required; there is no default value.

Example

This example is getting the logging level for an MSAS logger named oracle.idm.gateway.grs in an instance named MSAS-123456. 

wls:/mydomain/serverConfig> getMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs')

This example is getting the logging level for the root MSAS logger in an instance named MSAS-123456. 

wls:/mydomain/serverConfig> getMSASLogLevel('MSAS-123456','oracle.idm.gateway.grs')

6.2.5 listMSASLoggers

The listMSASLoggers command is an online command that lists the logger configurations for a MSAS instance.

Description

Lists the logger configurations for a MSAS instance.

Syntax

listMSASLoggers(instanceName)
Argument Definition 
instanceName

The MSAS instance name of the logging configuration. This option is required; there is no default value.

Example

This example is listing the loggers for a MSAS instance named MSAS-123456. 

wls:/mydomain/serverConfig> listMSASLoggers('MSAS-123456'])

6.3 MSAS Identity Store Profile Commands

Use these commands to manage an identity store profile, which is a logical representation of a user repository. The identity store configuration is stored in an Identity Profile Document in the MSAS Repository. All identity store profile management commands must be performed in the context of a repository session. A repository session can only act on a single document.

Table 6-2 Identity Profile Management Commands

Use this command... To... Use with WLST...

createIdentityProfile

Create a new identity store profile in a MSAS instance within a repository session.

Online

displayIdentityProfile

Display the contents of a specified identity store profile, or list the names of all identity profiles, in a MSAS instance.

Online

selectIdentityProfile

Select an identity store profile in a MSAS instance for modification within a repository session.

Online

deleteIdentityProfile

Delete an identity store profile from a specified MSAS instance within a repository session.

Online

setIdentityProfileDirectory

Set or update the directory information for an identity store profile in a MSAS instance within a repository session.

Online

setIdentityProfileUser

Set or update the user information for an identity store profile in a MSAS instance within a repository session.

Online

setIdentityProfileGroup

Set or update the group information for an identity store profile for a MSAS instance within a repository session.

Online

6.3.1 createIdentityProfile

The createIdentityProfile command is an online command that creates a new identity store profile in a MSAS instance within a repository session.

Description

Create a new identity store profile in a MSAS instance within a repository session. The identity store profile must be associated with a specified MSAS instance. Issuing this command outside of a repository session will result in an error.

Note:

  • This command only creates a new identity store profile for a MSAS instance. To use an identity store profile at runtime, the MSAS configuration must already be set, as described in setMSASConfiguration. After running setMSASConfiguration, you must also restart the Oracle MSAS Management Server for the runtime to access the configured profile.

    You cannot create multiple identity store profiles in the same session. You must commit the session after creating a profile, and then start a new session to create another profile.

  • If an error occurs during the creation of an identity store profile, the profile must first be committed before it can be deleted.

Syntax

createIdentityProfile(instanceName,Profilename,description=None)
Argument Definition 
instanceName

Name of the MSAS instance in which you want to create an identity store profile.

 
ProfileName

Name of the new identity store profile.

 
description

Optional. Description of the new identity store profile.

Example

This example creates an identity store profile named identity-profile in a MSAS instance named MSAS-123456, with a description of Identity profile. 

wls:/mydomain/serverConfig> createIdentityProfile('MSAS-123456','identity-profile','Identity profile')

6.3.2 displayIdentityProfile

The displayIdentityProfile command is an online command that displays the contents of a specified identity store profile in a MSAS instance, or list the names of all identity store profiles associated with a specified MSAS instance.

Description

Display the contents of a specified identity store profile in a MSAS instance, or list the names of all identity store profiles associated with a specified MSAS instance. If this command is executed from an active session, session changes are also displayed. If this command is executed outside of active session, content from the repository is displayed.

Syntax

displayIdentityProfile(instanceName,ProfileName=None)
Argument Definition 
instance

Name of the MSAS instance associated with the identity store profiles to be displayed.

 
ProfileName

Optional. The name of the identity store profile to be displayed. If a name is not specified, then the names of the all available identity profiles for the MSAS instance are displayed.

Example

This example displays the contents of an identity store profile named identity-profile in an instance named MSAS-123456. 

wls:/mydomain/serverConfig> displayIdentityProfile('MSAS-123456','identity-profile')

This example displays the names of the all available identity store profiles in the MSAS instance MSAS-123456. 

wls:/mydomain/serverConfig> displayIdentityProfile('MSAS-123456')

6.3.3 selectIdentityProfile

The selectIdentityProfile command is an online command that selects an identity store profile for modification in a MSAS instance within a repository session.

Description

Select an identity store profile for modification in a MSAS instance within a repository session.

Syntax

selectIdentityProfile(instanceName,ProfileName,description=None)
Argument Definition 
instanceName

Name of the MSAS instance associated with the identity store profile to be modified.

 
ProfileName

Name of the identity store profile to be modified.

Example

This example selects the identity profile identity-profile in MSAS instance MSAS-123456 for modification: 

wls:/mydomain/serverConfig> selectIdentityProfile('MSAS-123456','identity-profile')

6.3.4 deleteIdentityProfile

The deleteIdentityProfile command is an online command that deletes an identity store profile from a MSAS instance within a repository session.

Description

Delete an identity store profile from a MSAS instance within a repository session. Issuing this command outside of a repository session will result in an error.

Note:

You cannot both create and delete the same identity store profile in a single repository session. You must commit the session after creating a profile, and then start a new session in order to delete that profile.

Syntax

deleteIdentityProfile(instanceName,Profilename)
Argument Definition 
instanceName

Name of the MSAS instance associated with the identity store profile to be deleted.

 
ProfileName

Name of the identity store profile to be deleted.

Example

This example deletes the identity profile identity-profile from the MSAS instance MSAS-123456. 

wls:/mydomain/serverConfig> deleteIdentityProfile('MSAS-123456','identity-profile')

6.3.5 setIdentityProfileDirectory

The setIdentityProfileDirectory command is an online command that sets or updates the directory information for an identity store profile in a MSAS instance within a repository session.

Description

Set or update the directory information for an identity store profile in a MSAS instance within a repository session. The secure argument can be used to determine if the identity store connection should be made over SSL. Before running this command, an identity store profile must be selected for modification or must be created in the current session.

Syntax

setIdentityProfileDirectory(DirectoryType,hosts,bindDN,bindPass,baseDN,isSecure)
Argument Definition 
directoryType

Type of identity store profile directory. Supported types are:

  • OID (Oracle Internet Directory)

  • OUD (Oracle Unified Directory)

  • ACTIVE_DIRECTORY

  • ODSEE (Oracle Directory Server Enterprise Edition)

  • WLS_LDAP (Embedded LDAP in WebLogic Server)

 
hosts

Host port information of the directory in the form host:port. 

bindDN

The distinguished name of the user to be used for connecting to the directory. For example: CN=Administrator,CN=Users,DC=mycompany,DC=com.

 
bindPass

Bind distinguished name (DN) password for accessing the directory.

 
baseDN

Base distinguished name (DN) information of the directory. For example: DC=mycompany,DC=com

 
isSecure

Flag (boolean) to indicate if the connection to the directory should be made over SSL. When set to true the connection is configured over SSL.

Example

This example creates an identity store profile directory with a type of OID on a host named ['host.example.com:1234'], with bind distinguished name of cn=host,dn=oracle,dn=com, using a password of welcome, and a base distinguished name of cn=host,dn=oracle,dn=com, which does not require an SSL connection because the secure argument is false. 

wls:/mydomain/serverConfig> setIdentityProfileDirectory('OID',['host.example.com:1234'],'cn=host,dn=oracle,dn=com','welcome','cn=us,dn=oracle,dn=com',false)

This example creates an identity store profile directory that is identical to the one created in the previous example except that it requires an SSL connection to access the directory because the secure argument is true. 

wls:/mydomain/serverConfig> setIdentityProfileDirectory('OID',['host.example.com:1234'],'cn=host,dn=oracle,dn=com','welcome','cn=us,dn=oracle,dn=com',true)

6.3.6 setIdentityProfileUser

The setIdentityProfileUser command is an online command that sets or updates the user information for an identity store profile in a MSAS instance within a repository session.

Description

Set or update the user information for an identity store profile in a MSAS instance within a repository session. Before running this command, an identity store profile must be selected for modification or must be created in the current session.

Syntax

setIdentityProfileUser(baseDN,loginIDAttribute,objectClassNames))
Argument Definition 
baseDN

The base distinguished name (DN) used to create users.

 
loginIDAttribute

The login identity of the user.

 
objectClassNames

The fully-qualified names of one or more of LDAP object classes used to identify users.

Example

This example creates an identity store profile user with base DN of cn=host,dn=oracle,dn=com, with login ID of uid, which is represented by a schema object class named inteorgperson. 

wls:/mydomain/serverConfig> setIdentityProfileUser('cn=user,dn=oracle,dc=com','uid',['inteorgperson'])

6.3.7 setIdentityProfileGroup

The setIdentityProfileGroup command is an online command that sets or updates the group information for an identity store profile in a MSAS instance within a repository session.

Command Category: MSAS Configuration Management

Use with WLST: Online

Description

Set or update the group information for an identity store profile in a MSAS instance within a repository session. Before running this command, an identity store profile must be selected for modification or must be created in current session.

Syntax

setIdentityProfileGroup(baseDN,groupNameAttribute,objectClassNames)
Argument Definition 
baseDN

The base DNs used to create groups or enterprise roles.

 
groupNameAttribute

The attribute that uniquely identifies the name of the enterprise role or group.

 
objectClassNames

The fully-qualified names of one or more LDAP object classes used to represent enterprise roles or groups.

Example

This example creates an identity store profile user group with a base DN of cn=host,dn=oracle,dn=com, with group name attribute of cn, which is represented by a schema object class named groupofuniquenames. 

wls:/mydomain/serverConfig> setIdentityProfileGroup('cn=group,dn=oracle,dc=com','cn',['groupofuniquenames'])

6.4 Repository Commands

Use these Repository WLST commands to manage the documents stored in the Oracle Repository.

Table 6-3 Policy Repository Management Commands

Use this command... To... Use with WLST...

exportMSASAppMetadata

Export MSAS application metadata from the repository to a specified ZIP archive.

Online

importMSASAppMetadata

Import MSAS application metadata into the repository from a specified ZIP archive.

Online

migrateMSASAppHostports

Migrate physical host:port values for applications in a MSAS instance to a mapped host:port value.

Online

resetWSMPolicyRepository

Delete the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software.

Online

6.4.1 exportMSASAppMetadata

The exportMSASAppMetadata command is an online command that exports MSAS application metadata from the repository into a specified ZIP archive.

Description

Exports MSAS application metadata from the repository into a specified ZIP archive. If the specified archive already exists, you can choose whether to merge the documents into the existing archive, overwrite the archive, or cancel the operation. By default, all metadata for MSAS applications in the current domain is exported to the archive. However, you can use a MSAS instance name and MSAS application name to export specific metadata for these MSAS applications in the repository.

Syntax

exportMSASAppMetadata(archiveFileName,[instanceName=None],[applicationName=None],[includeShared='false'])
Argument Definition 
archiveFileName

Name of the ZIP archive. If the specified archive already exists, you can choose whether to overwrite the archive, merge the documents into the existing archive, or cancel the operation. During override, the original archive is backed up and a message describes the location of the backup archive.

 
instanceName

Optional. The name of the MSAS instance from which you want to export the metadata of one or more MSAS applications. If no MSAS instance name is specified, but a valid MSAS application name is specified, then the metadata for all MSAS instances containing this MSAS application is exported. When neither the MSAS instance nor MSAS application name is specified, then the metadata for all the MSAS applications across all MSAS instances is exported.

A wildcard '%' is allowed. If this argument is set to None, empty '', or '%', then all MSAS instances are searched. 

applicationName

Optional. The name of the MSAS application for the metadata to be exported.

A wildcard '%' is allowed. If this argument is set to None, empty '', or '%', then all applications in the specified instance are searched. 

includeShared

Optional. Specifies whether a shared resource (such as a referenced policy) should be included with exported metadata.

Example

This example exports the metadata for all the MSAS applications across all MSAS instances into an archive named MSASApplications.zip. 

wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip')

This example also exports the metadata for all MSAS applications across all MSAS instances into the MSASApplications.zip archive. 

wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','',[''])

This example exports the metadata for all applications across all MSAS instances that begin with MSAS into the MSASApplications.zip archive. 

wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS%')

This example exports the metadata for all applications that begin with virtual on an instance named MSAS-123456 into the MSASApplications.zip archive. 

wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual%'])

This example exports the metadata for an application named Virtual_Foo on the MSAS-123456 instance into the MSASApplications.zip archive. 

wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual_Foo'])

This example exports the metadata for all applications that begin with virtual across all MSAS instances into the MSASApplications.zip archive. 

wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','',['virtual%'])

This example exports the metadata for all applications that begin with virtual, including application's shared resources, on the MSAS-123456 instance into the MSASApplications.zip archive. 

wls:/mydomain/serverConfig> exportMSASAppMetadata('/tmp/MSASApplications.zip','MSAS-1234561',['virtual%'],true)

6.4.2 importMSASAppMetadata

The importMSASAppMetadata command is an online command that imports MSAS application metadata into the repository from a specified ZIP archive.

Description

Import MSAS application metadata into the repository from a specified ZIP archive. You can use the map argument to provide the location of a file that describes how to map physical information from the source environment to the target environment. You can generate a new map file by setting the generateMapFile argument to true.

Syntax

importMSASAppMetadata(archiveFileName,[mapFileName=None],[generateMapFlag='false'])
Argument Definition 
archiveFileName

Name of the ZIP archive to be imported.

 
mapFileName

Optional. Location of a sample map file that describes how to map physical information from the source environment to the target environment.

You can generate a new map file by setting the generateMapFlag argument to true. If the map file already exists, it will be overwritten; however, no import takes place in the repository. If you specify a map file without setting the generateMapFlag, or setting it to false, and the map file does not exist, the operation fails and an error is displayed. 

generateMapFlag

Optional. Specify whether to generate a map file at the location specified by the mapFileName argument. No metadata is imported when this argument is set to true, only a map file is generated. The default is false.

Example

This example imports application metadata from the MSASartifacts.zip archive without using a map file. 

wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip')

This example collects all application metadata from the MSASartifacts.zip archive and puts it into a map file named MSASMapfile.txt. If the specified map file already exists, it will be overwritten. 

wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip','/tmp/MSASmapfile.txt', true)

This example imports application metadata from the specified MSASartifacts.zip archive according to the MSASmapfile.txt map file. 

wls:/mydomain/serverConfig> importMSASAppMetadata('/tmp/MSASartifacts.zip','/tmp/MSASmapfile.txt')

6.4.3 migrateMSASAppHostports

The migrateMSASAppHostports command is an online command that replaces the source host:port values with host:port values according to the source-to-target mapping in the specified mapFileName for applications in the repository that match the specified MSAS instance name and application name.

Description

For applications in the repository that match the specified MSAS instance name and application name, replaces the source host:port values (for example, URLs to a back-end service) with host:port values, according to the source-to-target mapping in the specified mapFileName. You can generate a new map file by setting the generateMapFlag argument to true.

Syntax

migrateMSASAppHostports(instanceName,applicationName,mapFileName,[generateMapFlag='false'])
Argument Definition 
instanceName

Name of the MSAS instance. A wildcard is not accepted.

 
applicationName

Name of MSAS application whose referenced back-end service host:port information needs to be migrated or replaced.

A wildcard '%' is allowed. If this argument is set to None, "empty '', or '%', then all applications in the specified MSAS instance are searched. 

mapFileName

Location of a input map file that describes how to map source MSAS host:port values to a target host:port.

You can generate a new map file by setting the generateMapFlag argument to true. If the map file already exists, it will be overwritten. The generated map file provides destination host:port values for the source host:port values that need to be replaced.

If you specify a map file without setting the generateMapFlag argument to true, the map file is treated as an input map file and it will be read in for source-to-target host:port replacement for all matched applications.

If you specify a map file without setting the generateMapFlag, or by setting it to false, and the map file does not exist, the operation fails and an error is displayed. 

generateMapFlag

Optional. Specify whether to generate a map file at the location specified by the mapFileName argument. No MSAS application metadata is modified when this argument is set to true, only a map file is generated. The default is false.

Example

This example collects all host:port values for the myApp application on an instance named MSAS-1234, and puts it into a newly-generated map file named generatedMapfile.txt. (Note that if a specified map file already exists, it will be overwritten). 

wls:/mydomain/serverConfig>  migrateMSASAppHostports ('MSAS-1234','myApp','/tmp/generatedMapfile.txt',true)

This example migrates the host:port values for all applications that begin with myApp on the MSAS-1234 instance according to the myMapfile.txt map file. 

wls:/mydomain/serverConfig> migrateMSASAppHostports('MSAS-1234', 'myApp%', '/tmp/myMapfile.txt')

The following migrates the host:port values for all applications on the MSAS-1234 instance according to the myMapfile.txt map file. 

wls:/mydomain/serverConfig> migrateMSASAppHostports('MSAS-1234', 'None', '/tmp/myMapfile.txt')

6.4.4 resetWSMPolicyRepository

The resetWSMPolicyRepository command is an online command that deletes the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software.

Caution:

This command will delete all MSAS artifacts, including registered MSAS application and configuration documents. Restarting the server would recover the seed MSAS documents in the repository but will not recover other user-created documents. Therefore, prior to running this command, Oracle recommends running the exportMSASAppMetadata command to back up all your MSAS metadata.

Description

Delete the existing policies stored in the repository and refresh it with the latest set of predefined policies that are provided in the new installation of the Oracle MSAS software. You can use the clearStore argument to specify whether to delete all policies, including custom user policies, from the repository before loading the new predefined policies.

Note:

In order to reseed the repository with all Oracle MSAS predefined policies, you must restart the Mobile Security Manager (MSM) server after running the resetWSMPolicyRepository command.

Syntax

resetWSMPolicyRepository([clearStore='false'])
Argument Definition

clearStore='false'

Policies to be deleted. Valid values are:

  • true—All policies in the repository, including custom user policies, are deleted.

  • false—Only the predefined policies supplied by Oracle are deleted. The default is false.

Example

The following example deletes all the policies in the repository, including user policies, and adds the predefined policies provided in the current product installation:

wls:/wls-domain/serverConfig>resetWSMPolicyRepository(true)

6.5 Session Commands

Use these custom WLST commands to manage the session. Some MSAS WLST commands, which modify repository documents and trusted token issuers must be executed in the context of a session.

Table 6-4 Session Management WLST Commands

Use this command... To... Use with WLST...

abortRepositorySession

Abort the current modification session, discarding any changes that were made during the session.

Online

beginRepositorySession

Begin a session to modify the repository documents.

Online

commitRepositorySession

Write the contents of the current session to the repository.

Online

describeRepositorySession

Describe the contents of the current session. This will indicate either that the session is empty or list the name of the document that is being updated, along with the type of update (create, modify, or delete).

Online

6.5.1 abortRepositorySession

The abortRepositorySession command is an online command that aborts the current Oracle Repository modification session, discarding any changes that were made to the repository during the session.

Description

Abort the current Oracle Repository modification session, discarding any changes that were made to the repository during the session.

Syntax

abortRepositorySession()

Examples

The following example aborts the current session.

wls:/wls-domain/serverConfig>abortRepositorySession()

6.5.2 beginRepositorySession

The beginRepositorySession command is an online command that initiates a session to modify the Oracle Repository.

Description

Begin a session to modify the Oracle Repository. A repository session can only act on a single document. An error will be displayed if there is already a current session.

Syntax

beginRepositorySession()

Example

The following example begins a session.

wls:/wls-domain/serverConfig>beginRepositorySession()

6.5.3 commitRepositorySession

The commitRepositorySession command is an online command that writes the contents of the current session to the Oracle Repository.

Description

Write the contents of the current session to the Oracle Repository. Messages are displayed that describe what was committed. An error will be displayed if there is no current session.

Syntax

commitRepositorySession()

Example

The following example commits the current repository modification session.

wls:/wls-domain/serverConfig>commitRepositorySession()

6.5.4 describeRepositorySession

The describeRepositorySession command is an online command that describes the contents of the current session.

Description

Describe the contents of the current session. This will either indicate that the session is empty or list the name of the document that is being updated, along with the type of update (create, modify, or delete). An error will be displayed if there is no current session.

Syntax

describeRepositorySession()

Examples

The following example describes the current session.

wls:/wls-domain/serverConfig>describeRepositorySession()

6.6 Token Issuer Trust Configuration Commands

Use these WLST commands to view and define trusted issuers, trusted distinguished name (DN) lists, and token attribute rule filters for trusted SAML or JWT signing certificates. When using WLST commands to create, modify, and delete token issuer trust documents, you must execute the commands in the context of a session. Each session applies to a single trust document only.

Note:

Connect to a running instance of the server and enter help('wsmManage') to view the help for these commands.

Table 6-5 Token Issuer Trust Commands

Use this command... To... Use with WLST...

createWSMTokenIssuerTrustDocument

Create a new token issuer trust document using the name provided.

Online

deleteWSMTokenIssuerTrust

Delete the entry for the issuer, including the DN list in it.

Online

deleteWSMTokenIssuerTrustAttributeRule

Delete a token attribute rule associated with a trusted DN.

Online

deleteWSMTokenIssuerTrustDocument

Delete the token issuer trust document, specified by the name argument, from the repository.

Online

displayWSMTokenIssuerTrust

Display the names of the DN lists associated with a specified issuer.

Online

exportWSMTokenIssuerTrustMetadata

Export the trust configuration (issuers, DNs, and token attribute rules) for all trusted issuers.

Online

importWSMTokenIssuerTrustMetadata

Import the trust configuration (Issuers, DNs, and token attribute rules) for all trusted issuers.

Online

listWSMTokenIssuerTrustDocuments

List the token issuer trust documents in the repository.

Online

revokeWSMTokenIssuerTrust

Remove trusted issuers and associated configurations (DNs and token attribute rules).

Online

selectWSMTokenIssuerTrustDocument

Select the token issuer trust document, identified by the name argument, to be modified in the session.

Online

setWSMTokenIssuerTrust

Specify a trusted issuer with a DN list.

Online

setWSMTokenIssuerTrustAttributeFilter

Add, delete, or update token attribute rules for a given token signing certificate DN.

Online

setWSMTokenIssuerTrustAttributeMapping

Specify the DN of a token signing certificate and a list of trusted users. The name ID and the attribute can be mapped to another user ID.

Online

setWSMTokenIssuerTrustDisplayName

Sets or resets the display name of the Token Issuer Trust document currently selected in the session.

Online

6.6.1 createWSMTokenIssuerTrustDocument

The createWSMTokenIssuerTrustDocument command is an online command that creates a new token issuer trust document using the name provided within a session.

Description

Within a session, create a new token issuer trust document using the name provided. A display name can also be provided as the second argument. You must start a session (beginWSMSession) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.

Syntax

createWSMTokenIssuerTrustDocument(name, displayName)
Arguments Definition

name

Name of the document to be created. An error is thrown if a name is not provided If a document by this name already exists, then a new document will not be created.

displayName

Optional. Display name for the document.

Examples

In the following example, the trust document named tokenissuertrustWLSbase_domain is created, with a display name of wls_domain Trust Document. In the second example, no display name is provided. 

wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain","wls_domain Trust Document")
wls:/wls-domain/serverConfig> createWSMTokenIssuerTrustDocument("tokenissuertrustWLSbase_domain")

6.6.2 deleteWSMTokenIssuerTrust

The deleteWSMTokenIssuerTrust command is an online command that deletes a trusted token issuer and its associated trusted DN list within a session.

Description

Within a session, delete a trusted token issuer and its associated trusted DN list. Supported values for a SAML assertion or JWT token type are dns.sv, dns.hok, or dns.jwt. This issuer must exist in the token issuer trust document selected in the session for modification. If no trusted key identifiers exist, then the issuer itself is deleted.

To delete a specified list of trusted key identifiers for an issuer, use selectWSMTokenIssuerTrustDocument. You must start a session (beginWSMSession) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed. You cannot modify the default token issuer trust document.

Syntax

deleteWSMTokenIssuerTrust(type, issuer)
Arguments Definition

type

The type of SAML assertion or JWT tokens the trusted issuer issues:

  • dns.sv – SAML sender vouches client list

  • dns.hok – SAML HOK or Bearer

  • dns.jwt – JWT token.

issuer

The name of the issuer whose trusted DN list will be deleted (for example, SAML assertion or JWT token). The issuer will also be deleted.

Examples

In the following example, the issuer www.yourCompany.com and the DN list in the dns.sv trusted SAML sender vouches client list for the issuer are deleted: 

wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrust('dns.sv', 'www.yourCompany.com')

In the following example, the issuer www.yourCompany.com and the DN list in the dns.jwt trusted JWT token sender vouches client list for the issuer are deleted: 

wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrust('dns.jwt ', 'www.yourCompany.com')

6.6.3 deleteWSMTokenIssuerTrustAttributeRule

The deleteWSMTokenIssuerTrustAttributeRule command is an online command that deletes a token attribute rule associated with a trusted DN from the token issuer trust document.

Description

Delete a token attribute rule associated with a trusted DN from the token issuer trust document. To delete only the list of filter values for an attribute, use the setWSMTokenIssuerTrustAttributeFilter command. You must start a session (beginWSMSession) and select a token issuer trust document for modification before executing this command. If there is no current session or there is already an existing modification process, an error is displayed.

Syntax

deleteWSMTokenIssuerTrustAttributeRule(dn)
Arguments Description

dn

The DN of the token signing certificate that identifies the rule to be deleted.

Examples

In the following example, the token attribute rule associated with the 'CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US trusted DN is deleted. 

wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrustAttributeRule('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US')

6.6.4 deleteWSMTokenIssuerTrustDocument

The deleteWSMTokenIssuerTrustDocument command is an online command that deletes the specified token issuer trust document permanently from the repository.

Description

Deletes the specified token issuer trust document permanently from the repository. The default token issuer trust document (oracle-default) cannot be deleted.

Syntax

deleteWSMTokenIssuerTrustDocument (name)
Arguments Definition

name

Name of the token issuer trust document to be deleted.

Examples

In the following example, the token issuer trust document tokenissuertrustWLSbase_domain trust document is deleted: 

wls:/wls-domain/serverConfig> deleteWSMTokenIssuerTrustDocument('tokenissuertrustWLSbase_domain')

6.6.5 displayWSMTokenIssuerTrust

The displayWSMTokenIssuerTrust command is an online command that displays a trusted token issuer and its associated trusted DN list.

Description

Display a trusted token issuer and its associated trusted DN list. Supported values for a SAML assertion or JWT token type are dns.hok, dns.sv, or dns.jwt. The issuer argument is optional. If the issuer and type is specified and exists in the trusted issuer list for the type, then the associated DN lists for the issuer is displayed. If issuer is not set, then all trusted issuers of the given type are listed.

Syntax

displayWSMTokenIssuerTrust(type, issuer)
Arguments Definition

type

The type of SAML assertion or JWT tokens the trusted issuer issues:

  • dns.sv – SAML sender vouches client list

  • dns.hok – SAML HOK or Bearer

  • dns.jwt – JWT token.

issuer

Optional. The issuer whose trusted DN list is displayed (for example, SAML assertion or JWT token). If not set, the list of all the trusted issuers is displayed.

Examples

In the following example, the DN lists in the dns.sv trusted SAML sender vouches client list for the www.oracle.com trusted issuer are displayed: 

wls:/wls-domain/serverConfig>displayWSMTokenIssuerTrust('dns.sv', 'www.oracle.com')

In the following example, the names of all trusted SAML issuers associated with the dns.sv trusted SAML sender vouches client list are displayed: 

wls:/wls-domain/serverConfig>displayWSMTokenIssuerTrust('dns.sv', None)

6.6.6 exportWSMTokenIssuerTrustMetadata

The exportWSMTokenIssuerTrustMetadata command is an online command that exports all trust configurations (issuer, DNs, and token attribute rules) for all trusted issuers.

Description

Export all the trust configurations (issuer, DNs, and token attribute rules) for all trusted issuers. The trust configuration will be exported to an XML file identified by the specified location. The trust configuration for the issuers specified in the exclude list will not be exported. If no argument is passed, the trust configuration for all trusted issuers will be exported.

Syntax

exportWSMTokenIssuerTrustMetadata(trustFile,excludeIssuers=None)
Arguments Definition

trustFile

The location of the file where the exported metadata will be stored.

excludeIssuers

Optional. The list of issuers for which trust configuration should not be exported.

Examples

In the following example, all trusted issuer configurations are exported to the specified XML file except for www.oracle.com and www.yourcompany.com, which have been excluded: 

wls:/wls-domain/serverConfig>exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml',['www.oracle.com','www.myissuer.com'])

Starting Operation exportWSMTokenIssuerTrustMetadata ...
Configuration for trusted issuers successfully exported.

In the following example, all specified trusted issuer configurations are exported to the specified XML file:

wls:/wls-domain/serverConfig>exportWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml')

Starting Operation exportWSMTokenIssuerTrustMetadata ...
Configuration for trusted issuers successfully exported.

6.6.7 importWSMTokenIssuerTrustMetadata

The importWSMTokenIssuerTrustMetadata command is an online command that imports the trust configurations (issuers, DNs, and token attribute rules) for all trusted issuers.

Description

Import the trust configurations (issuers, DNs, and token attribute rules) for all trusted issuers. The trust configuration will be imported from an XML file identified by the specified location.

Syntax

importWSMTokenIssuerTrustMetadata(trustFile)
Arguments Definition

trustFile

The location of the file where the imported metadata will be stored.

Examples

In the following example, all trusted issuer configurations are imported from the specified XML file:

wls:/wls-domain/serverConfig>importWSMTokenIssuerTrustMetadata(trustFile='/tmp/trustData.xml')

Starting Operation importWSMTokenIssuerTrustMetadata ...
Configuration for trusted issuers successfully imported.

6.6.8 listWSMTokenIssuerTrustDocuments

The listWSMTokenIssuerTrustDocuments command is an online command that lists all token issuer trust documents in the repository.

Description

When used without any arguments, this command lists all the token issuer trust documents in the repository. If the detail argument is set to true, the display name and the status of the document are also displayed. You can use the wildcard character (*) in combination with other characters. If no wildcard character is specified in the name argument, the document that matches the name argument exactly is displayed. If the detail argument is set to true, the contents of the document are listed. This command can be executed inside and outside of a session.

Syntax

listWSMTokenIssuerTrustDocuments(name=None, detail='false')
Arguments Definition

name

Optional. Name of the token issuer trust document. You can use wildcards with this argument.

detail

Optional. List the details for the requested document. The default is false.

Examples

In the following example, the token issuer trust document tokenissuertrustWLSbase_domain trust document is listed along with any details: 

wls:/wls-domain/serverConfig> listWSMTokenIssuerTrustDocuments(tokenissuertrustWLSbase_domain,'true')

6.6.9 revokeWSMTokenIssuerTrust

The revokeWSMTokenIssuerTrust command is an online command that revokes trust by removing all trusted issuers and associated configurations (DNs and token attribute rules).

Description

Revokes trust by removing all trusted issuers and associated configurations (DNs and token attribute rules). The issuers specified in the optional exclude list will not be removed. If no argument is passed, then all trusted issuers and the associated configuration are removed.

Syntax

revokeWSMTokenIssuerTrust(excludeIssuers=None)
Arguments Definition

excludeIssuers

Optional. The list of issuers for which trust configuration should not be removed.

Examples

In the following example, all trusted issuer configurations are removed except for www.oracle.com and www.yourcompany.com, which have been excluded: 

wls:/wls-domain/serverConfig>revokeWSMTokenIssuerTrust(['www.oracle.com','www.yourcompany.com'])

Starting Operation revokeWSMTokenIssuerTrust ...
Configuration for trusted issuers successfully removed.

In the following example, all trusted issuer configurations are removed:

wls:/wls-domain/serverConfig>revokeWSMTokenIssuerTrust()

Starting Operation revokeWSMTokenIssuerTrust ...
Configuration for trusted issuers successfully removed.

6.6.10 selectWSMTokenIssuerTrustDocument

The selectWSMTokenIssuerTrustDocument command is an online command that selects the token issuer trust document, identified by the name argument, to be modified in the session.

Description

Selects the token issuer trust document, identified by the name argument, to be modified in the session. The name must match the value of the name attribute in the document. You must start a session (beginWSMSession) before executing this command. If there is no current session or there is already an existing modification process, an error is displayed. You cannot modify the default token issuer trust document.

Syntax

selectWSMTokenIssuerTrustDocument(name)
Argument Definition

name

Name of the document to modified in the session. An error is thrown if a name is not provided.

Examples

In the following example, the tokenissuertrustWLSbase_domain document is selected for modification: 

wls:/wls-domain/serverConfig> selectWSMTokenIssuerTrustDocument('tokenissuertrustWLSbase_domain')

6.6.11 setWSMTokenIssuerTrust

The setWSMTokenIssuerTrust command is an online command that configures a trusted token issuer and define trusted keys or a trusted DN list for the issuer.

Description

Configure a trusted token issuer and define trusted keys or a trusted DN list for the issuer. Supported values for a SAML assertion or JWT token type are dns.hok, dns.sv, or dns.jwt. The trustedKeyIDs argument is optional. If you do not set this argument, only the trusted issuer will be set for the specified type. This command can be used to specify the DN list associated with a trusted token issuer, update the list, or delete the list.

Syntax

setWSMTokenIssuerTrust(type, issuer, trustedKeyIDs)
Argument Definition

issuer

The name of the trusted issuer, for example www.oracle.com.

type

The type of SAML assertion or JWT tokens the trusted issuer issues:

  • dns.sv – SAML sender vouches client list

  • dns.hok – SAML HOK or Bearer

  • dns.jwt – JWT token.

trustedKeyIDs

Optional. An array of DNs for token signing certificates associated with the issuer for the specified type. This is a comma-separated list with the format ['CN=name1', 'CN=name2', 'CN=name3', ...]. If you enter an empty set ([]) the list of DN values will be deleted for the issuer.

Examples

In the following example, CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US' is set as a DN in the dns.sv DN list for the www.oracle.com trusted issuer: 

wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv', 'www.oracle.com', ['CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US'])

In the following example, the name CN=orcladmin, OU=Doc, O=Oracle, C=US' in added to the dns.sv DN list for the www.oracle.com trusted issuer: 

wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv','www.oracle.com', ['CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'CN=orcladmin, OU=Doc, O=Oracle, C=US'])

In the following example, the list of DN values in the dns.sv DN list is removed from the www.oracle.com trusted issuer: 

wls:/wls-domain/serverConfig>setWSMTokenIssuerTrust('dns.sv', 'www.oracle.com', [])

6.6.12 setWSMTokenIssuerTrustAttributeFilter

The setWSMTokenIssuerTrustAttributeFilter command is an online command that specifies token attribute filtering rules for a trusted DN list.

Description

Specify token attribute filtering rules for a trusted DN list. For each trusted DN configured for an issuer, a token attribute filtering rule can be configured and applied. Each rule has two parts: a name ID and an attributes part for attributes in a SAML assertion or a JWT token. The name ID and each attribute can contain a filter with multiple value patterns. To remove the list of filters for an attribute for the signing certificate, use an empty set ([]) for the value of filters.

Note:

You must first use the setWSMTokenIssuerTrust command to configure a list of trusted DN names for an issuer.

Syntax

setWSMTokenIssuerTrustAttributeFilter(dn, attrName, filters)
Argument Definition

dn

The DN of the token signing certificate. The DN as the identifier of the token attribute rule where modifications would be done.

attrName

The name of the user attribute for which the filtering will be applied. The value can be as follows:

  • name-id—assert a subject name ID.

filters

Optional. List of filters for the attribute. The list has the format ['value1', 'value2', 'value3, .... Each value can be an exact name or a name pattern with a wildcard character "*".

When name-id is selected for the attrName argument, then the value of the subject name ID in the incoming SAML assertion must match one of the specified values to go through. If no values are specified, then any value for the subject name ID will go through.

Examples

In the following example, the name ID yourTrustedUser is set as a trusted user for the weblogic trusted DN: 

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser'])

In the following example, the name IDs jdoe is added to the list of trusted users for the weblogic trusted DN: 

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US','name-id', ['yourTrustedUser', 'jdoe'])

In the following example, the list of trusted users for the weblogic trusted DN is removed: 

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustAttributeFilter('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', [])

6.6.13 setWSMTokenIssuerTrustAttributeMapping

The setWSMTokenIssuerTrustAttributeMapping command is an online command that specifies token attribute mapping rules for a trusted DN list.

Description

Specify token attribute mapping rules for a trusted DN list. For each trusted DN configured for a token issuer, a token attribute mapping rule can be configured and applied. Each rule has two parts: a name ID and an attributes part for attributes associated with a SAML assertion or a JWT token. For a trusted DN, a token attribute mapping rule sets the mapping for the value of an attribute as specified by the attrName argument. The userAttribute argument is optional and indicates the local user attribute it corresponds to. The userMappingAttribute argument is optional and indicates the user attribute to be used in the system to authenticate the users. If the attribute as identified by attrName exists for a token attribute rule for the DN, the mapping is overwritten by the new value. For example, in federated environments, where the user subject ID (for example, mail) in the token is different from the user attribute (for example, uid) for authenticating the same user, the name ID and each attribute can map the local user attribute for the subject name ID to the local user attribute to authenticate a trusted user.

Note:

You must first use the setWSMTokenIssuerTrust command to configure a list of trusted DN names for an issuer.

Syntax

setTokenIssuerTrustAttributeMapping(dn, attrName, userAttribute=None, userMappingAttribute=None)
Arguments Description

dn

The trusted DN of a token signing certificate.

attrName

The name of the use attribute for which the mapping will be applied The value can be as follows:

  • name-id

userAttribute

Optional. The local name of the user attribute in the local identity store that the subject name ID corresponds to. The value can be as follows:

  • mail

userMappingAttribute

Optional. The value of the local name of the user attribute in the local identity store that the subject name ID maps to for authentication. The value can be as follows:

  • uid

Examples

In the following example, the mail attribute for the Subject ID in the token is mapped to the uid attribute. 

wls:/base_domain/serverConfig>setTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', 'mail', 'uid')

Starting Operation setWSMTokenIssuerTrustAttributeMapping ...
The token attribute mapping are successfully set

In the following example, the local user attribute for the Subject ID in the token is mapped to the uid attribute. 

wls:/base_domain/serverConfig>setTokenIssuerTrustAttributeMapping('CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US', 'name-id', '', 'uid')

6.6.14 setWSMTokenIssuerTrustDisplayName

The setWSMTokenIssuerTrustDisplayName command is an online command that sets or resets the display name of the Token Issuer Trust document currently selected in the session.

Description

Sets or resets the display name of the Token Issuer Trust document currently selected in the session.

You must start a session (beginWSMSession) before creating or modifying any token issuer trust documents. If there is no current session or there is already an existing modification process, an error is displayed.

Syntax

setWSMTokenIssuerTrustDisplayName("displayName")
Arguments Definition

displayName

Name to be set as a display name for the document currently selected for modification in the session.

Examples

In the following example, the display name for the trust document being modified is set to Test Document. 

wls:/wls-domain/serverConfig> setWSMTokenIssuerTrustDisplayName("Test Document")

6.7 Diagnostic Commands

Use the WLST diagnostic command to check the status of the Oracle components that are required for proper functioning of the product.

6.7.1 checkWSMStatus

The checkWSMStatus command is an online command that verifies the status of the Oracle components that are required for proper functioning of the product.

Description

Check the status of the Oracle components that are required for proper functioning of the product. The Oracle components that are checked are the policy manager (wsm-pm), the agent (agent), and the credential store and keystore configuration. The status of the components can be checked together or individually.

Note:

The Policy Manager (wsm-pm) application must be deployed and running for the check status tool to function correctly.

Syntax

checkWSMStatus([component=None],[address=None],[verbose=true])
Arguments Description

component

Optional. All checks will be performed if no value is specified. Valid options are:

  • wsm-pm—Policy Manager. Checks the configuration state of the policy manager component.

  • agent—Enforcement Agent. Checks status of end-to-end service-side enforcement through the wsm agent component. The enforcement check is specific only to the environment from which the command is run.

  • credstore—Credential Store. Checks whether the credentials are configured for the keystore password, signing, and encryption certificates in the keystore.

address

Optional. The HTTP URL of the host running the Policy Manager wsm-pm application. This value is required for checking enforcement through an agent component, for example, 

checkWSMStatus('agent', 'http://localhost:7001')

The address is not required in the WebLogic Server domain where auto-discovery is present.

verbose

Optional. If the value of this flag is true, then the detailed messages (including stack trace, if any) are displayed. Default is false.

Examples

In the following example, the checkWSMStatus command is run without arguments. The status of the credential store, policy manager, and enforcement agent is returned. 

wls:/base_domain/serverConfig> checkWSMStatus()
 
Credential Store Configuration:
 
PASSED.
        Message(s):
             keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
                 Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
             keystore-csf-key : Credentials configured.
             keystore.sig.csf.key : Property is configured and its value is "sign-csf-key".
                 Description: The "keystore.sig.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for signing.
             sign-csf-key : Credentials configured.
             Sign Key : Key configured.
                 Alias - orakey
             Sign Certificate : Certificate configured.
                 Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
                 Expiry - June 28, 2020 11:17:12 AM PDT
             keystore.enc.csf.key : Property is configured and its value is "enc-csf-key".
                 Description: The "keystore.enc.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for decryption.
             enc-csf-key : Credentials configured.
             Encrypt Key : Key configured.
                 Alias - orakey
             Encrypt Certificate : Certificate configured.
                 Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
                 Expiry - June 28, 2020 11:17:12 AM PDT
 
Policy Manager:
 
 
PASSED.
        Message(s):
             OWSM Policy Manager connection state is OK.
             OWSM Policy Manager connection URL is "host.example.com:1234".
 
Enforcement Agent:
 
 
PASSED.
        Message(s):
             Enforcement is successful.
             Service URL: http://host.example.com:7001/Diagnostic/DiagnosticService?wsdl

In the following example, the credential store key keystore-csf-key is deleted and the checkWSMStatus command is rerun for the credential store credstore. The status check fails because the csf-key keystore-csf-key is not present in the credential store: 

wls:/base_domain/serverConfig> deleteCred(map="oracle.wsm.security", key="keystore-csf-key") 
wls:/base_domain/serverConfig> checkWSMStatus('credstore')
 
Credential Store Configuration:
 
FAILED.
        Message(s):
             keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
                 Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
             keystore-csf-key : Credentials not configured.
 
Credential Store Diagnostic Messages:
        Message(s):
                 The csf-key keystore-csf-key is not present in the credential store. 
 
 Perform the following steps to update the credential store (using WLST commands):-
 1. connect()
 2. createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore-csf-key", password="<keystore-password>", desc="Keystore Password CSF Key")
 NOTE:- All the above commands are based on the Domain level configurations. The actual csf key may be overridden at runtime due to config override. See Documentation for more details.

In the following example, the csf-key keystore-csf-key is configured and the checkWSMStatus command is rerun. The configuration check passes. 

wls:/base_domain/serverConfig> createCred(map="oracle.wsm.security", key="keystore-csf-key", user="keystore-csf-key", password="welcome1", desc="Keystore Password CSF Key")
Already in Domain Runtime Tree
 
wls:/base_domain/serverConfig> checkWSMStatus('credstore')
 
Credential Store Configuration:
 
 
PASSED.
        Message(s):
             keystore.pass.csf.key : Property is configured and its value is "keystore-csf-key".
                 Description: The "keystore.pass.csf.key" property points to the CSF alias that is mapped to the username and password of the keystore. Only the password is used; username is redundant in the case of the keystore.
             keystore-csf-key : Credentials configured.
             keystore.sig.csf.key : Property is configured and its value is "sign-csf-key".
                 Description: The "keystore.sig.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for signing.
             sign-csf-key : Credentials configured.
             Sign Key : Key configured.
                 Alias - orakey
             Sign Certificate : Certificate configured.
                 Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
                 Expiry - June 28, 2020 11:17:12 AM PDT
             keystore.enc.csf.key : Property is configured and its value is "enc-csf-key".
                 Description: The "keystore.enc.csf.key" property points to the CSF alias that is mapped to the username and password of the private key that is used for decryption.
             enc-csf-key : Credentials configured.
             Encrypt Key : Key configured.
                 Alias - orakey
             Encrypt Certificate : Certificate configured.
                 Alias - CN=weblogic, OU=Orakey Test Encryption Purposes Only, O=Oracle, C=US
                 Expiry - June 28, 2020 11:17:12 AM PDT
true

The following example checks the enforcement status of the agent component at the URL http://localhost:7001. 

wls:/test_domain1/serverConfig> checkWSMStatus('agent','http://localhost:7001')
 
Enforcement Agent:
 
Note: Enforcement might succeed if OWSM Policy Manager is down due to policy caching. For such scenarios wsm-pm test must be run prior to this test.
 
PASSED.
        Message(s):
             Enforcement is successful.
             Service URL: http://localhost:7001/Diagnostic/DiagnosticService?wsdl