Oracle® Fusion Middleware Security Guide 11g Release 1 (11.1.1) Part Number E10043-01
This appendix documents OPSS system properties (set with the -D switch at server start) and configuration properties (set with the <property> and <extendedProperty> elements in the configuration file jps-config.xml) in the sections that follow.
To manage server properties programmatically, use OPSS MBeans. For details and an example, see Section E.2.3, "Programming with OPSS MBeans."

Note: All OPSS configuration changes (manual or through the JpsConfiguration MBean) require a server restart to take effect. Changes to OPSS data do not require a server restart. Data changes include modifying an application policy and creating, deleting, or updating a credential.

A system property cannot be set without restarting the server. To set a system property, the administrator must edit the setDomainEnv.sh shell script and add the property to the environment variable EXTRA_JAVA_PROPERTIES in that script.
Table F-1 lists the Java system properties available with OPSS.

Table F-1 Java System Properties Used by OPSS

| Name | Description |
|---|---|
| | This property, which is exposed in the identity store service, specifies which part of the user's name the For XML file-based identity stores: If this property is set to For LDAP-based identity stores: If set to Default: |
| | Specifies the location of the OPSS policy file. |
| | When set to true, specifies that the migration of credentials overwrites existing credentials when the application is deployed or redeployed while the server is running in development mode. For details, see Section 15.4.5.3, "To Migrate Credentials with Overwriting." |
| | Increases server logging output. For details, see Section I.1.2.1, "jps.auth.debug." |
| | Increases server logging output. For details, see Section I.1.2.2, "jps.auth.debug.verbose." |
| | Indicates the frequency, in milliseconds, at which the system checks the domain files for changes. Example: -Djps.change.notifier.file.delay=600000. In production environments, a frequency of about 10 minutes (600000 milliseconds) is recommended; in development environments, about 3 minutes (180000 milliseconds). |
| | Enables Java 2 policy. Values: boolean. Default: |
| | Specifies whether the policy store is read-only. Values: boolean. Default: |
| | Specifies whether application roles are recalculated on each request. Setting this flag to true has a significant impact on server performance. Values: boolean. Default: false |
| | Specifies the factory class for creating OPSS context instances. Values: string. Default: |
| | Specifies the full path to the domain configuration files. Value: string |
| | Specifies the factory class for creating OPSS configuration instances. Values: string. Default: |
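The following shell script is an added example, not code from the Oracle guide, that performs the setDomainEnv.sh edit described above for the jps.change.notifier.file.delay property of Table F-1, using the two recommended values. It adds the -D flag to EXTRA_JAVA_PROPERTIES only once and rewrites the value on later runs, so repeated edits do not leave duplicate flags behind. The helper names (set_java_property, get_java_property, count_java_property), the temporary-file location, and the two-line excerpt standing in for a real setDomainEnv.sh are assumptions of this example; the server still has to be restarted for the new value to take effect.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): add or update an OPSS Java
# system property in the EXTRA_JAVA_PROPERTIES export of setDomainEnv.sh
# without stacking duplicate -D flags on repeated runs. Helper names and
# the sample file below are assumptions of this example.
set -eu

# Usage: set_java_property FILE PROPERTY VALUE
# Adds -DPROPERTY=VALUE to EXTRA_JAVA_PROPERTIES in FILE, or rewrites the
# value if the property is already present.
set_java_property() {
    file=$1; prop=$2; value=$3
    if grep -q -- "-D${prop}=" "$file"; then
        # Already present: replace the value in place. The -i.bak form is
        # accepted by both GNU and BSD sed; the backup is removed afterwards.
        sed -i.bak "s|-D${prop}=[^ \"]*|-D${prop}=${value}|" "$file"
        rm -f "$file.bak"
    else
        # Not present: prepend the flag to whatever EXTRA_JAVA_PROPERTIES
        # already holds, the edit the guide asks the administrator to make.
        printf '%s\n%s\n' \
            "EXTRA_JAVA_PROPERTIES=\"-D${prop}=${value} \${EXTRA_JAVA_PROPERTIES}\"" \
            "export EXTRA_JAVA_PROPERTIES" >> "$file"
    fi
}

# Usage: get_java_property FILE PROPERTY
# Prints the value currently set for -DPROPERTY in FILE (empty if unset).
get_java_property() {
    sed -n "s|.*-D${2}=\([^ \"]*\).*|\1|p" "$1" | tail -n 1
}

# Usage: count_java_property FILE PROPERTY
# Prints how many times -DPROPERTY= occurs in FILE; more than 1 means the
# flag has been duplicated by careless edits.
count_java_property() {
    grep -o -- "-D${2}=" "$1" | wc -l | tr -d ' '
}

# Constructed two-line stand-in for the relevant part of setDomainEnv.sh
# (a real file is far longer); -Dexisting.example.flag is a placeholder.
demo=${TMPDIR:-/tmp}/setDomainEnv.example.$$
cat > "$demo" <<'EOF'
EXTRA_JAVA_PROPERTIES="-Dexisting.example.flag=true ${EXTRA_JAVA_PROPERTIES}"
export EXTRA_JAVA_PROPERTIES
EOF

# Production value from Table F-1 (10 minutes), then the development value
# (3 minutes): the second call updates the flag instead of adding another.
set_java_property "$demo" jps.change.notifier.file.delay 600000
set_java_property "$demo" jps.change.notifier.file.delay 180000
echo "jps.change.notifier.file.delay=$(get_java_property "$demo" jps.change.notifier.file.delay)"
echo "occurrences: $(count_java_property "$demo" jps.change.notifier.file.delay)"
rm -f "$demo"
```

Run it against a copy of the domain's setDomainEnv.sh first, then diff the copy against the original before replacing it; the occurrence count is the quick check that earlier manual edits did not already leave a second definition of the same flag.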
This section describes the properties that can be set in the file jps-config.xml with the elements <property> or <extendedProperty>, in the sections that follow.
Table F-2 lists the properties that specify the location of LDAP- or file-based store instances.
Table F-2 Service Instance Properties
Table F-3 lists the properties of file- and LDAP-based identity store instances.
Table F-3 Identity Store Properties
Table F-4 lists the properties of LDAP-based stores that can be specified in service instances. For an LDAP-based identity store service instance, the User and Role API picks up the connection pool properties only when it is using the JNDI connection factory; to ensure this, the identity store service instance must include the following property:

```xml
<property name="INITIAL_CONTEXT_FACTORY" value="com.sun.jndi.ldap.LdapCtxFactory"/>
```

Table F-4 LDAP Properties

Example:

```xml
<jpsConfig ... >
  ...
  <!-- These are various JPS common properties used for LDAP operations -->
  <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
  <property name="oracle.security.jps.ldap.root.name" value="cn=OracleJpsContainer"/>
  <property name="oracle.security.jps.ldap.max.retry" value="5"/>
  ...
</jpsConfig>
```
Table F-5 lists the properties that apply to LDAP identity stores only. See Identity Store Properties for a listing of properties that apply to both file-based and LDAP-based identity stores.

See Also: <serviceInstance> for an example that uses some of the properties in this section.
Table F-5 LDAP Identity Store Properties

| Name | Property / Extended Property | Description |
|---|---|---|
| | Extended property | Specifies the base DNs in the LDAP directory for creating roles (groups). Values: strings. Example: |
| | Extended property | Specifies fully qualified names of object classes used for searching roles (groups). Values: strings |
| | Extended property | Specifies the attributes that must be specified when creating a role (group) object. Values: strings |
| | Extended property | Specifies the attribute of a static LDAP role object that holds the distinguished names (DNs) of the members of the role. Values: strings. Examples: |
| | Extended property | Specifies fully qualified names of one or more schema object classes used to represent roles (groups). Values: strings |
| | Extended property | Specifies base DNs in the LDAP directory for searching roles (groups). Values: strings. Example: |
| | Extended property | Specifies base DNs in the LDAP directory for creating roles (groups). Values: strings. Example: |
| | Extended property | Specifies base DNs in the LDAP directory for searching roles (groups). Values: strings. Example: |
| | Property | Specifies the LDAP attribute that uniquely identifies the name of the role (group). Values: string. Example: |
| | Property | Specifies the maximum number of characters of the search filter for an identity store service, as illustrated in the following example: <property name="max.search.filter.length" value="500"/> Value: a positive integer |
| | Property | Specifies the type of search to employ when the repository is queried. Values: SIMPLE, PAGED, VIRTUAL_LIST_VIEW. For a description of these values, see the User and Role API javadoc. |
| | Property | Specifies the password (obfuscated) of the LDAP user specified in If the password is stored in the credential store, then Values: string |
| | Property | See the description for Values: string. Example: orcladmin |
| | Property | Specifies the alias for the LDAP user name. The key for the password is specified in If the password is stored in Values: string. Example: JPS |
| | Property | See the description for Values: string. Example: ldap.credentials |
| | Extended property | Specifies the base DNs in the LDAP directory for creating users. Values: strings. Example: cn=users,dc=us,dc=abc,dc=com (single DN) |
| | Extended property | Specifies fully qualified names of object classes used for searching users. Values: strings |
| | Property | Specifies the login identity of the user. Values: string |
| | Extended property | Specifies the attributes that must be specified when creating a user object. Values: strings |
| | Extended property | Specifies fully qualified names of one or more schema object classes used to represent users. Values: strings |
| | Extended property | Specifies base DNs in the LDAP directory for searching users. Values: strings. Example: |
| | Property | Specifies the LDAP attribute that uniquely identifies the name of the user. Values: string |
Table F-6 lists the properties of anonymous users, anonymous roles, and authenticated roles. Some of them may also be used to configure the anonymous service or an identity store login module.
Table F-6 Anonymous and Authenticated Roles Properties
Table F-7 lists the properties of the policy provider framework.

Table F-7 Policy Provider Framework Properties

| Name | Property / Extended Property | Description |
|---|---|---|
| | Property | Specifies the fully qualified class name of the permission that extends Values: string |
| | Property | Specifies the attribute of a static LDAP role object that holds the distinguished names (DNs) of the members of the role. Values: string. Example: |
| | Property | Specifies the name of the LDAP attribute that uniquely identifies the name of the role. Values: string. Example: |
| | Property | Specifies LDAP schema object classes that represent a role. If specifying multiple classes, separate the classes with a space. The default for Sun Java System Directory Server is Values: string. Example: |
| | Property | Specifies a list of space-delimited distinguished names (DNs) in the LDAP directory that contain roles. Values: string. Example: |
| | Property | Specifies how deep in the LDAP directory tree to search for roles. Values: |
| | Property | Indicates the type of policy store. Values: |
The following example illustrates the configuration of a policy store service provider, an instance of that provider that uses an Oracle Internet Directory, and the use of that instance in a jpsContext. Note that in this example the password of the LDAP user named by security.principal is written as a literal value of security.credential; see the description of the password property in Table F-5, which can instead be kept obfuscated or in the credential store.

```xml
<jpsConfig ... >
  ...
  <serviceProviders>
    <serviceProvider type="POLICY_STORE" name="policystore.ldap.provider"
        class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider">
      <description>LDAP-based PolicyStore</description>
      <property name="policystore.type" value="OID"/>
      <property name="connection.pool.max.size" value="30"/>
      <property name="connection.pool.provider.type" value="IDM"/>
    </serviceProvider>
  </serviceProviders>
  ...
  <serviceInstances>
    <serviceInstance name="policystore.oid" provider="policystore.ldap.provider">
      <property name="max.search.filter.length" value="4096"/>
      <property name="security.principal" value="cn=orcladmin"/>
      <property name="security.credential" value="password"/>
      <property name="ldap.url" value="ldap://xyz.us.oracle.com:389"/>
      <property name="policystore.jpsbase" value="cn=jps,cn=oraclecontext"/>
      <property name="policystore.role.objectclass" value="orclrole"/>
      <property name="policystore.role.searchbase" value="cn=roles"/>
      <property name="policystore.role.searchscope" value="subtree"/>
      <property name="policystore.role.nameattr" value="cn"/>
      <property name="policystore.role.memberattr" value="uniquemember"/>
      <property name="policystore.role.roleheirarchyattr" value="assignedRoles"/>
    </serviceInstance>
  </serviceInstances>
  ...
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="policystore.oid"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
```
Table F-8 lists the properties that configure keystore services. To use encryption or signing, you must first provide the password that opens the keystore itself, and then the alias and password of the private key to be retrieved from it.

Table F-8 Keystore Properties

| Name | Property / Extended Property | Description |
|---|---|---|
| | Property | For encryption, specifies the alias of the applicable key. Values: string. Example: |
| | Property | For encryption, specifies the password of the applicable key. Values: string. Example: |
| | Property | Specifies the password to access the keystore. Values: string. Example: |
| | Property | Specifies the path to the keystore file. Values: string. Example: |
| | Property | For signing, specifies the alias of the applicable key. Values: string. Example: |
| | Property | For signing, specifies the password of the applicable key. Values: string. Example: |
| | Property | Specifies the type of keystore, such as JKS or Oracle wallet. Values: string. Example: |

Example: In this instance none of the passwords appears in jps-config.xml; the keystore, signing-key, and encryption-key passwords are looked up in the credential store map oracle.wsm.security under the keys keystore-csf-key, sign-csf-key, and enc-csf-key.

```xml
<serviceInstance location="${oracle.instance}/config/JpsDataStore/JpsSystemStore/default-keystore.jks"
    provider="keystore.provider" name="keystore">
  <description>Default JKS Keystore Service</description>
  <property value="JKS" name="keystore.type"/>
  <property value="oracle.wsm.security" name="keystore.csf.map"/>
  <property value="keystore-csf-key" name="keystore.pass.csf.key"/>
  <property value="sign-csf-key" name="keystore.sig.csf.key"/>
  <property value="enc-csf-key" name="keystore.enc.csf.key"/>
</serviceInstance>
```