F OPSS System and Configuration Properties

This appendix documents OPSS system properties (set through the switch -D at server start) and configuration properties (set with elements <property> and <extendedProperty> in the configuration file jps-config.xml) in the following sections:

OPSS System Properties
OPSS Configuration Properties

To manage server properties programmatically, use OPSS MBeans. For details and example, see Section E.2.3, "Programming with OPSS MBeans."

Note:

All OPSS configuration changes (manual or through JpsConfiguration MBean) require server restart to take effect.

OPSS data domain changes do not require server restart to take effect. Data changes include modifying an application policy and creating, deleting, or updating a credential.

F.1 OPSS System Properties

A system property that has been introduced or modified is not in effect until the server is restarted. In order to set a system property the administrator must edit the setDomainEnv.sh shell script and add the property to the environment variable EXTRA_JAVA_PROPERTIES in that script.

Table F-1 lists the Java system properties available with OPSS.

Table F-1 Java System Properties Used by OPSS

Name	Description
`java.security.debug=access,failure`	Notifies about a permission failure when the method JpsAuth.checkPermission is called inside a Subject.doAs block and the permission check fails. Note that setting jps.auth.debug or jps.auth.debug.verbose is not enough to get a failure notification in this case. Optional.
`java.security.policy`	Specifies the location of the Java security policy file.
`jps.authz`	Enables or disables the delegation of calls to JDK API AccessController.checkPermission, which reduces runtime and debugging overhead. Optional. Valid values: `NULL`, `SM`, `ACC`, and `DEBUG_NULL`. No default value.
`jps.auth.debug`	Controls server logging output. Default value: FALSE. For details, see Section L.1.2.1, "jps.auth.debug." See also java.security.debug. Optional.
`jps.auth.debug.verbose`	Controls server logging output. Default value: FALSE. For details, see Section L.1.2.2, "jps.auth.debug.verbose." See also java.security.debug. Optional.
`jps.combiner.optimize`	Enables or disables the caching of a subject's protection domain. Optional. Valid values: `TRUE`, `FALSE`. Default value: `FALSE`.
`jps.combiner.optimize.lazyeval`	Enables or disables the evaluation of a subject's protection domain when a check permission is triggered. Optional. Valid values: `TRUE`, `FALSE`. Default value: `FALSE`.
`jps.deployment.handler.disabled`	Enables or disables the migration of policies and credentials for applications deployed in a WebLogic Server. Valid only for the WebLogic Server. Set to TRUE to disable the migration of application policies and credentials for all applications deployed in the server regardless of the particular application settings in the application file weblogic-application.xml. Optional. Valid values: `TRUE`, `FALSE`. Default value: `FALSE`.
`jps.policystore.hybrid.mode`	Enables or disables the hybrid mode. The hybrid mode is used to facilitate the transition from the Sun java.security.Policy to the OPSS Java PolicyProvider. When the hybrid mode is enabled, the OPSS Java Policy Provider reads from both files, java.policy and system-jazn-data.xml. Optional. Valid values: `TRUE`, `FALSE`. Default value: `TRUE`.
`oracle.security.jps.config`	Specifies the path to the domain configuration files `jps-config.xml` or `jps-config-jse.xml`. Paths specifications in those files can be absolute or relative to the location of the configuration file. Required. No default value.
`oracle.deployed.app.dir`	Specifies the path to the directory of a code source URL. Optional. No default value. For an example of use, see <url>.
`oracle.deployed.app.ext`	Specifies the extension of code source URL. Optional. No default value. For an example of use, see <url>.
`oracle.security.jps.log.for.approle.substring`	Logs the name of an application role that contains a specified substring; if the substring to match is unspecified, it logs all application role names. Optional. No default value. For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."
oracle.security.jps.log.for.permeffect	Logs a grant that was granted or denied according to a specified value; if the value is unspecified, it logs all grants (regardless whether they were granted or denied). Optional. No default value. For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."
oracle.security.jps.log.for.permclassname	Logs the name of the permission class that matches exactly a specified name; if the name to match is unspecified, it logs all permission class names. Optional. No default value. For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."
oracle.security.jps.log.for.permtarget.substring	Logs the name of a permission target that contains a specified substring; if the substring to match is unspecified, it logs all permission targets. Optional. No default value. For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."
oracle.security.jps.log.for.enterprise.principalname	Logs the name of the principal (enterprise user or enterprise role) that matches exactly a specified name; if the name to match is unspecified, it logs all principal names. Optional. No default value. For an example of use and further details, see Section L.1.2.3, "Debugging the Authorization Process."

F.2 OPSS Configuration Properties

This section describes the properties of various instances in the following sections:

Policy Store Properties
Credential Store Properties
LDAP Identity Store Properties
Properties Common to All LDAP-Based Instances
Anonymous and Authenticated Roles Properties

F.2.1 Policy Store Properties

The policy store properties are described in the following sections:

Policy Store Configuration
Runtime Policy Store Configuration

F.2.1.1 Policy Store Configuration

The policy store provider class that can be used with LDAP- or DB-based instances is the following:

oracle.seurity.jps.internal.policystore.ldap.LdapPolicyStoreProvider

Table F-2 describes the properties of policy store instances. The properties are listed in three blocks according to the kind of application they can be used in.

Table F-2 Policy Store Properties

Name	Description
The following properties are valid in both J2EE and J2SE applications
`bootstrap.security.principal.key`	The key for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Required. No default value. The out-of-the-box value is `bootstrap`.
`bootstrap.security.principal.map`	The map for the password credentials to access the LDAP policy store, stored in the CSF store. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Required. Default value: `BOOTSTRAP_JPS`.
`oracle.security.jps.farm.name`	The RDN format of the domain node in the LDAP policy store. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Required. No default value.
`oracle.security.jps.ldap.root.name`	The RDN format of the root node in the LDAP policy store. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Required. No default value.
`ldap.url`	The URL of the LDAP policy store, with the format `ldap://host:port`. Valid in J2EE and J2SE applications. Applies only to LDAP stores. Required. No default value.
`policystore.type`	The type of the LDAP policy store. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Required. No default value. Value examples: `OID`, `DB_ORACLE`.
`oracle.security.jps.policystore.resourcetypeenforcementmode`	Controls the throwing of exceptions if any of the following checks fail: Verify that if two resource types share the same permission class, that permission must be either `ResourcePermission` or extend `AbstractTypedPermission`, and this last resource type cannot be created. Verify that all permissions have resource types defined, and that the resource matcher permission class and the permission being granted match. If set to `Strict`, when any of the above checks fail, the system throws an exception and the operation is aborted. If set to `Lenient`, when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged in the log files. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Default value: `Lenient` Valid values: `Strict`, `Lenient`.
The following properties are valid in J2EE applications only
`datasource.jndi.name`	The JNDI name of the JDBC data source instance. Valid in only J2EE applications. Applies to only DB stores. Required. No default value.
`failover.retry.times`	The number of retry attempts. Valid in only J2EE applications. Applies to only DB stores. Optional. Default value: 3
`failover.retry.interval`	The number of seconds between retry attempts. Valid in only J2EE applications. Applies to only DB stores. Optional. Default value: 15
The following properties are valid in J2SE applications only
`security.principal`	The clear text name of the principal to use instead of the user name specified in the bootstrap. Not recommended. Valid in only J2SE applications. Applies to LDAP and DB stores. Optional. No default value.
`security.credential`	The clear text password for the security principal to use instead of the password specified in the bootstrap. Not recommended. Valid in only J2SE applications. Applies to LDAP and DB stores. Optional. No default value.
`jdbc.driver`	The JDBC driver. Valid in only J2SE applications. Applies to only DB stores. Required. No default value. Value example: `oracle.jdbc.driver.OracleDriver`
`jdbc.url`	The URL of the JBDC. Valid in only J2SE applications. Applies to only DB stores. Required. No default value. Value example: `jdbc:oracle:thin:@xxx27.com:1345:asi102cn`
`eclipselink.jdbc.read-connections.min`	The minimum number of connections allowed in the JDBC read connection pool. Valid in only J2SE applications. Applies to only DB stores. Optional. Default value: 5
`eclipselink.jdbc.read-connections.max`	The maximum number of connections allowed in the JDBC read connection pool. Valid in only J2SE applications. Applies to only DB stores. Optional. Default value: 20

Example 1

The following fragment illustrates the configuration of an LDAP-based policy store instance for a JavaEE application:

<serviceInstance provider="ldap.policystore.provider" name="policystore.ldap">
     <property value="OID" name="policystore.type"/>
     <property value="bootstrap" name="bootstrap.security.principal.key"/>
     <property value="cn=wls-jrfServer" name="oracle.security.jps.farm.name"/>
     <property value="cn=jpsTestNode" name="oracle.security.jps.ldap.root.name"/>
     <property value="ldap://stadk06.us.oracle.com:3060" name="ldap.url"/>
     <property value="STATIC" name="oracle.security.jps.policystore.rolemember.cache.type"/>
     <property value="FIFO" name="oracle.security.jps.policystore.rolemember.cache.strategy"/>
     <property value="1000" name="oracle.security.jps.policystore.rolemember.cache.size"/>
     <property value="true" name="oracle.security.jps.policystore.policy.lazy.load.enable"/>
     <property value="PERMISSION_FIFO" name="oracle.security.jps.policystore.policy.cache.strategy"/>
     <property value="1000" name="oracle.security.jps.policystore.policy.cache.size"/>
     <property value="true" name="oracle.security.jps.policystore.refresh.enable"/>
     <property value="43200000" name="oracle.security.jps.policystore.refresh.purge.timeout"/>
     <property value="600000" name="oracle.security.jps.ldap.policystore.refresh.interval"/>
</serviceInstance>

Example 2

The following fragment illustrates the configuration of an LDAP-based policy store instance for a JavaSE application:

<serviceInstance name="policystore.oid" provider="policy.oid">
   <property value="OID" name="policystore.type"/>
   <property value="bootstrap" name="bootstrap.security.principal.key"/>
   <property name="ldap.url" value="ldap://sttt:3060"/>
   <property name="oracle.security.jps.ldap.root.name" value="cn=jpsNode"/>
   <property name="oracle.security.jps.farm.name" value="cn=domain1"/>
</serviceInstance>

For additional configurations samples for JavaSE applications, see Section 24.1.2, "Configuring LDAP-Based Policy and Credential Stores."

Example 3

The following fragment illustrates the configuration of DB-based stores (including an instance of a runtime service provider) for a JavaEE application:

<jpsConfig>
...
  <propertySets>
    <!-- property set props.db.1 common to all DB services -->
    <propertySet name="props.db.1">
      <property name="datasource.jndi.name"  value="opssds"/>
      <property value="cn=farm" name="oracle.security.jps.farm.name"/>
      <property value="cn=jpsroot" name="oracle.security.jps.ldap.root.name"/>
      <property value="dsrc_lookup_key"  
                name="bootstrap.security.principal.key"/>
      <property value="credential_map" name="bootstrap.security.principal.map"/>
    </propertySet>
  </propertySets>
 
  <serviceProviders>
    <serviceProvider      class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider" 
     type="POLICY_STORE" name="rdbms.policystore.provider" >
       <description>RDBMS based PolicyStore provider</description>
    </serviceProvider>
 
    <serviceProvider type="KEY_STORE" name="keystore.provider"        class="oracle.security.jps.internal.keystore.KeyStoreProvider">
      <description>PKI Based Keystore Provider</description>
      <property name="provider.property.name" value="owsm"/>
    </serviceProvider>
 
    <serviceProvider name="pdp.service.provider" type="PDP"       class="oracle.security.jps.az.internal.runtime.provider.PDPServiceProvider">
      <description>OPSS Runtime Service provider</description>
    </serviceProvider>
  </serviceProviders>
 
  <serviceInstances>
    <serviceInstance name="policystore.rdbms"                      provider="rdbms.policystore.provider">
      <property value="DB_ORACLE" name="policystore.type"/>
      <propertySetRef ref = "props.db.1"/>
      <property name="session_expiration_sec" value="60"/>
      <property name="failover.retry.times"  value="5"/>
    </serviceInstance>    
 
    <serviceInstance name="credstore.rdbms" provider="rdbms.credstore.provider">
      <propertySetRef ref = "props.db.1"/>       
    </serviceInstance>
 
    <serviceInstance name="keystore.rdbms" provider="rdbms.keystore.provider">  
      <propertySetRef ref = "props.db.1"/>       
      <property name="keystore.provider.type"  value="db"/>
    </serviceInstance>
 
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="sm_configuration_name" value="permissionSm"/>
      <property name="work_folder" value="../../tempdir/permissionSm-work"/>
      <property name="authorization_cache_enabled" value="true"/>
      <property name="role_cache_enabled" value="true"/>
      <property name="session_eviction_capacity" value="500"/>
      <property name="session_eviction_percentage" value="10"/>
      <property name="session_expiration_sec" value="60"/>
      <property name="failover.retry.times"  value="5"/>
      <property name="failover.retry.interval" value="20"/>
      <property name="oracle.security.jps.policystore.purge.timeout",
                value="30000"/>
      <propertySetRef ref = "props.db.1"/>
    </serviceInstance>
  </serviceInstances>
 
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="pdp.service"/>      
      <serviceInstanceRef ref="policystore.rdbms"/>      
      <serviceInstanceRef ref="credstore.rdbms"/>
      <serviceInstanceRef ref="keystore.rdbms"/>
    </jpsContext>
  </jpsContexts>
...
</jpsConfig>

Example 4

The following fragment illustrates the configuration of a DB-based policy store instance for a JavaSE application:

<serviceInstance name="policystore.rdbms" provider="policy.rdbms">
  <property name="policystore.type" value="DB_ORACLE"/>
  <property name="jdbc.url" value="jdbc:oracle:thin:@sc.us.oracle.com:1722:orcl"/>
  <property name="jdbc.driver" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="bootstrap.security.principal.key" value="bootstrap_DWgpEJgXwhDIoLYVZ2OWd4R8wOA=" />
  <property name="oracle.security.jps.ldap.root.name" value="cn=jpsTestNode"/>
  <property name="oracle.security.jps.farm.name" value="cn=view_steph.atz"/>
</serviceInstance>

For additional configurations samples for JavaSE applications, see Section 24.1.3, "Configuring DB-Based OPSS Security Stores."

F.2.1.2 Runtime Policy Store Configuration

The runtime policy store provider class that can be used with LDAP- or DB-based instances is the following:

oracle.seurity.jps.az.internal.runtime.provider.PDPServiceProvider

Table F-3 lists the runtime properties of policy store instances.

Table F-3 Runtime Policy Store Properties

Name	Description
`oracle.security.jps.policystore.rolemember.cache.type`	The type of the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Valid values: STATIC - Cache objects are statically cached and can be cleaned explicitly only according the applied cache strategy, such as FIFO. The garbage collector does not clean a cache of this type. SOFT - The cleaning of a cache of this type relies on the garbage collector when there is a memory crunch. WEAK - The behavior of a cache of this type is similar to a cache of type SOFT, but the garbage collector cleans it more frequently. Default value: `STATIC`.
`oracle.security.jps.policystore.rolemember.cache.strategy`	The type of strategy used in the role member cache. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Valid values: FIFO - The cache implements the first-in-first-out strategy. NONE - All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small. Default value: `FIFO`.
`oracle.security.jps.policystore.rolemember.cache.size`	The number of the roles kept in the member cache. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Default value: 1000.
`oracle.security.jps.policystore.policy.lazy.load.enable`	Enables or disables the policy lazy load. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Valid values: `TRUE`, `FALSE`. Default value: `TRUE`.
`oracle.security.jps.policystore.policy.cache.strategy`	The type of strategy used in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Valid values: PERMISSION_FIFO - The cache implements the first-in-first-out strategy. NONE - All entries in the cache grow until a refresh or reboot occurs; there is no control over the size of the cache; not recommended but typically efficient when the policy footprint is very small. Default value: `PERMISSION_FIFO`.
`oracle.security.jps.policystore.policy.cache.size`	The number of permissions kept in the permission cache. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Default value: 1000.
`oracle.security.jps.policystore.refresh.enable`	Enables or disables the policy store refresh. If this property is set, then `oracle.security.jps.ldap.cache.enable` cannot be set. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Valid values: `TRUE`, `FALSE`. Default value: `TRUE`.
`oracle.security.jps.ldap.cache.enable`	Enables or disables the refresh of the cache. If this property is set, then `oracle.security.jps.policystore.refresh.enable` cannot be set. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Valid values: `TRUE`, `FALSE`. Default value: `TRUE`.
`oracle.security.jps.policystore.purge.timeout`	The time, in milliseconds, after which the policy store cache is purged. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Default value: 43200000 (12 hours).
`oracle.security.jps.policystore.refresh.interval`	The interval, in milliseconds, at which the policy store is polled for changes. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Default value: 600000 (10 minutes).
`oracle.security.jps.policystore.refresh.permissions.invalidate.threshold`	The number of user's permissions after which the permission cache is invalidated. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Default value: 50.
`oracle.security.jps.policystore.rolemember.cache.warmup.enable`	Controls the way the ApplicationRole membership cache is created. If set to TRUE, the cache is created at server startup; otherwise, it is created on demand (lazy loading). Set to TRUE when the number of users and groups is significantly higher than the number of application roles; set to FALSE otherwise, that is, when the number of application roles is very high. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Valid values: `TRUE`, `FALSE`. Default value: `FALSE`.
`work_folder`	The folder for temporary storage. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and DB stores. Optional. Default value: the system temporary folder.
`authorization_cache_enabled`	Specifies whether the authorization cache should be enabled. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and DB stores. Optional. Valid values: `TRUE`, `FALSE`. Default value: `FALSE`.
`session_eviction_percentage`	The percentage of sessions to drop when the eviction capacity is reached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and DB stores. Optional. Default value: 10
`session_eviction_capacity`	The maximum number of authorization and role mapping sessions to maintain. When the maximum is reached, old sessions are dropped and reestablished when needed. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and DB stores. Optional. Default value: 500
`session_expiration_sec`	The number of seconds during which session data is cached. Valid in J2EE and J2SE applications. Applies to XML, LDAP, and DB stores. Optional. Default value: 60
`oracle.security.jps.policystore.resourcetypeenforcementmode`	Controls the throwing of exceptions if any of the following checks fail: Verify that if two resource types share the same permission class, that permission must be either `ResourcePermission` or extend `AbstractTypedPermission`, and this last resource type cannot be created. Verify that all permissions have resource types defined, and that the resource matcher permission class and the permission being granted match. If set to `Strict`, when any of the above checks fail, the system throws an exception and the operation is aborted. If set to `Lenient`, when any of the above checks fail, the system does not throw any exceptions, the operation continues without disruption, and any discrepancies encountered are logged in the log files. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Optional. Default value: `Lenient` Valid values: `Strict`, `Lenient`.

F.2.2 Credential Store Properties

Table F-4 lists the properties of credential store instances. The properties are listed in two blocks according to the kind of application they can be used in.

Table F-4 Credential Store Properties

Name	Description
The following properties are valid in J2EE applications only
`bootstrap.security.principal.key`	The key for the password credentials to access the LDAP credential store, stored in the CSF store. Valid only in J2EE applications. Applies to LDAP and DB stores. Required. No default value. The out-of-the-box value is `bootstrap`.
`bootstrap.security.principal.map`	The map for the password credentials to access the LDAP credential store, stored in the CSF store. Valid only in J2EE applications. Applies to LDAP and DB stores. Required. Default value: `BOOTSTRAP_JPS`.
The following properties are valid in both J2EE and J2SE applications
`oracle.security.jps.farm.name`	The RDN format of the domain node in the LDAP credential store. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Required. No default value.
`oracle.security.jps.ldap.root.name`	The RDN format of the root node in the LDAP policy store. Valid in J2EE and J2SE applications. Applies to LDAP and DB stores. Required. No default value.
`ldap.url`	Specifies the URL of the LDAP credential store using the format `ldap://host:port`. Valid in J2EE and J2SE applications. Applies only to LDAP stores. Required. No default value.

The following fragment illustrates the configuration of a credential store in a J2EE application:

<serviceInstance provider="ldap.credentialstore.provider" name="credstore.ldap">
    <property value="bootstrap" name="bootstrap.security.principal.key"/>
    <property value="cn=wls-jrfServer" name="oracle.security.jps.farm.name"/>
    <property value="cn=jpsTestNode" name="oracle.security.jps.ldap.root.name"/>
    <property value="ldap://stttt.us.oracle.com:3060" name="ldap.url"/>
</serviceInstance>

F.2.3 LDAP Identity Store Properties

Table F-5 lists the properties of LDAP-based identity store instances. Extended properties are explicitly stated. User and Role API properties corresponding to a property are also stated.

Table F-5 LDAP-Based Identity Store Properties

Name	Description
`idstore.type`	The type of the identity store. Valid in J2SE and J2EE applications. Required Valid values: `OID` - Oracle Internet Directory `OVD` - Oracle Virtual Directory `ACTIVE_DIRECTORY` - Microsoft Active Directory `IPLANET` - Oracle Directory Server Enterprise Edition `EDIRECTORY` - Novell eDirectory `OPEN_LDAP` - OpenLdap `LIBOVD` - Oracle Library OVD `CUSTOM` - Any other type If using a custom authenticator, the service instance configuration must include one of the following properties: <property name="idstore.type" value="<your-idstore-type>" <property name="ADF_IM_FACTORY_CLASS" value="<your-IDM-FACTOY_CLASS_NAME>" Corresponding User and Role API property: ADF_IM_FACTORY_CLASS
`security.principal.alias`	The CSF map name. Valid in J2SE and J2EE applications. Required. No default value. Value example: `myalias`.
`security.principal.key`	The CSF key name. Valid only in J2SE applications. Required. No default value. Value example: `mykey`. Corresponding User and Role API property: ADF_IM_SECURITY_PRINCIPAL
`ldap.url`	The LDAP URL value. Valid in J2SE and J2EE applications. Required. No default value. Value example: `ldap://myServerName.com:389`. Corresponding User and Role API property: ADF_IM_PROVIDER_URL
`user.search.bases`	The user search base for the LDAP server in DN format. Extended property. Valid in J2SE and J2EE applications. Required. No default value. Value example: `cn=users,dc=us,dc=abc,dc=com` Corresponding User and Role API property: USER_SEARCH_BASES
`group.search.bases`	The group or enterprise search base for the LDAP server in DN format. Extended property. Valid in J2SE and J2EE applications. Required No default value. Value example: `cn=groups,dc=us,dc=abc,dc=com` Corresponding User and Role API property: ROLE_SEARCH_BASES
`idstore.config.provider`	The idstore provider class. Valid only in J2EE applications. Required The only supported value is: oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider
`group.create.bases`	The base DNs used to create groups or enterprise roles. Extended property. Valid in J2EE and J2SE applications. Required to allow writing operations with the User and Role API. Otherwise, optional. Value example of a single DN: <extendedProperty> <name>group.create.bases</name> <values> <value>cn=groups,dc=us,dc=oracle,dc=com</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_CREATE_BASES
`user.create.bases`	The base DNs used to create users. Extended property. Valid in J2EE and J2SE applications. Required to allow writing operations with the User and Role API. Otherwise, optional. Value example of a single DN: <extendedProperty> <name>user.create.bases</name> <values> <value>cn=users,dc=us,dc=oracle,dc=com</value> </values> </extendedProperty> Corresponding User and Role API property: USER_CREATE_BASES
`group.filter.object.classes`	The fully qualified names of object classes used to search enterprise roles and groups. Extended property. Valid in J2EE and J2SE applications. Optional. Value example: `groupOfUniqueNames`. Corresponding User and Role API property: ROLE_FILTER_OBJECT_CLASSES
`group.mandatory.attrs`	The attributes that must be specified when creating enterprise roles or groups. Extended property. Valid in J2EE and J2SE applications. Optional. Value example: <extendedProperty> <name>group.mandatory.attrs</name> <values> <value>cn</value> <value>objectClass</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_MANDATORY_ATTRS
`group.member.attrs`	The attribute of a static role that specifies the distinguished names (DNs) of the members of an enterprise role or group. Extended property. Valid in J2EE and J2SE applications. Optional. Value example: <extendedProperty> <name>group.member.attrs</name> <values> <value>uniqueMember</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_MEMBER_ATTRS
`group.object.classes`	The fully qualified names of one or more schema object classes used to represent enterprise roles or groups. Extended property. Valid in J2EE and J2SE applications. Optional. Value example: <extendedProperty> <name>group.object.classes</name> <values> <value>top</value> <value>groupOfUniqueNames</value> </values> </extendedProperty> Corresponding User and Role API property: ROLE_OBJECT_CLASSES
`group.selected.create.base`	The base DNs for creating enterprise roles or groups. Valid in J2EE and J2SE applications. Optional. Value example: `cn=users,dc=us,dc=abc,dc=com` (single DN) Corresponding User and Role API property: ROLE_SELECTED_CREATEBASE
`groupname.attr`	The attribute that uniquely identifies the name of the enterprise role or group. Valid in J2EE and J2SE applications. Optional. Value example: `cn` Corresponding User and Role API property: ROLE_NAME_ATTR
`group.selected.search.base`	The base DNs for searching enterprise roles or groups. Valid in J2EE and J2SE applications. Optional. Value example: `cn=users,dc=us,dc=abc,dc=com` (single DN)
`max.search.filter.length`	The maximum number of characters of the search filter. Valid in J2EE and J2SE applications. Optional. Value: a positive integer. Corresponding User and Role API property: MAX_SEARCHFILTER_LENGTH
`search.type`	The type of search to employ when the repository is queried. Valid in J2EE and J2SE applications. Optional. Valid values: `SIMPLE`, `PAGED`, or `VIRTUAL_LIST_VIEW`. Corresponding User and Role API property: IDENTITY_SEARCH_TYPE
`user.filter.object.classes`	The fully qualified names of object classes used to search users. Extended property. Valid in J2EE and J2SE applications. Optional. Value example: `inetOrgPerson` Corresponding User and Role API property: USER_FILTER_OBJECT_CLASSES
`user.login.attr`	The login identity of the user. Valid in J2EE and J2SE applications. Optional. Value example: `<property name="user.login.attr" value="mail"/>` Corresponding User and Role API property: USER_LOGIN_ATTR
`user.mandatory.attrs`	The attributes that must be specified when creating a user. Extended property. Valid in J2EE and J2SE applications. Optional. Value example: <extendedProperty> <name>user.mandatory.attrs</name> <values> <value>cn</value> <value>objectClass</value> <value>sn</value> </values> </extendedProperty> Corresponding User and Role API property: USER_MANDATORY_ATTRS
`user.object.classes`	The fully qualified names of the schema classes used to represent users. Extended property. Valid in J2EE and J2SE applications. Optional. Corresponding User and Role API property: USER_OBJECT_CLASSES
`username.attr`	The LDAP attribute that uniquely identifies the name of the user. Valid in J2EE and J2SE applications. Optional. Corresponding User and Role API property: USER_NAME_ATTR
`ldap.host`	The name of the system hosting the identity store. Valid in J2EE and J2SE applications. Optional.
`subscriber.name`	The default realm for the identity store. Valid in J2EE and J2SE applications. Optional. Value example: `dc=us,dc=oracle,dc=com`. Corresponding User and Role API property: ADF_IM_SUBSCRIBER_NAME
`virtualize`	Controls the authenticators where search and modifications are allowed; if set to TRUE, searching and modifying is available in all configured authenticators; otherwise, if set to FALSE, searching and modifying is available in only the first authenticator in the configured stack. Set to TRUE if you intend to use the User and Role API to search or write information in all authenticators. Valid in J2EE and J2SE applications. Optional. Valid values: `TRUE` or `FALSE`. Default value: `FALSE`. Value example: `<property name="virtualize" value="true"/>`

The following fragment illustrates the configuration of an LDAP-based identity store for a J2SE application:

<serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
    <property name="idstore.type" value="OID"/>
    <property name="security.principal.alias" value="MAP_NAME"/>
    <property name="security.principal.key" value="KEY_NAME"/>
    <property name="ldap.url" value="ldap://stadk06:3060"/>
    <extendedProperty>
       <name>user.search.bases</name>
          <values>
             <value>cn=users,dc=us,dc=oracle,dc=com</value>
          </values>
    </extendedProperty>
    <extendedProperty>
       <name>group.search.bases</name>
          <values>
             <value>cn=groups,dc=us,dc=oracle,dc=com</value>
          </values>
    </extendedProperty>
</serviceInstance>

F.2.4 Properties Common to All LDAP-Based Instances

Table F-6 lists generic properties of LDAP-based stores that can be specified in any service instance.

In the case of an LDAP-based identity store service instance, to ensure that the User and Role API picks up the connection pool properties when it is using the JNDI connection factory, the identity store service instance must include the following property:

<property 
name="INITIAL_CONTEXT_FACTORY" value="com.sun.jndi.ldap.LdapCtxFactory"/>

Table F-6 Generic LDAP Properties

Name	Description
`connection.pool.authentication`	Specifies the type of LDAP connection that the JNDI connection pool uses. Valid in J2EE and J2SE applications. Optional. Values: `none`, `simple`, and `DIGEST-MD5`. Default value: `simple`.
`connection.pool.max.size`	Specifies the maximum number of connections in the LDAP connection pool. Valid in J2EE and J2SE applications. Optional. Value example: 30
`connection.pool.min.size`	Specifies the minimum number of connections in the LDAP connection pool. Valid in J2EE and J2SE applications. Optional. Value example: 5
`connection.pool.protocol`	Specifies the protocol to use for the LDAP connection. Valid in J2EE and J2SE applications. Optional. Values: `plain`, `ssl`. Default value: `plain`.
`connection.pool.provider.type`	Specifies the connection pool to use. Valid in J2EE and J2SE applications. Optional. Values: `JNDI`, `IDM`. Default value: `JNDI`.
`connection.pool.timeout`	Specifies the number of milliseconds that an idle connection can remain in the pool; after timeout, the connection is closed and removed from the pool. Valid in J2EE and J2SE applications. Optional. Default value: 300000 (5 minutes)
`oracle.security.jps.ldap.max.retry`	Specifies the maximum number of retry attempts if there are problems with the LDAP connection. Valid in J2EE and J2SE applications. Optional. Value example: 5

The following fragment illustrates a configuration of several properties:

<jpsConfig ... >
   ...
   <!-- common properties used by all LDAPs -->
   <property name="oracle.security.jps.farm.name" value="cn=OracleFarmContainer"/>
   <property name="oracle.security.jps.ldap.root.name"
             value="cn=OracleJpsContainer"/>
   <property name="oracle.security.jps.ldap.max.retry" value="5"/>
   ...
</jpsConfig>

F.2.5 Anonymous and Authenticated Roles Properties

Table F-7 lists the properties that can be used to configure file-, LDAP-, or DB-based anonymous users, anonymous roles, and authenticated roles.

Table F-7 Anonymous and Authenticated Roles Properties

Name	Description
`anonymous.role.description`	Specifies a description of the anonymous role. Valid in J2EE and J2SE applications. Optional. No default value.
`anonymous.role.name`	Specifies the name of the principal in the anonymous role. Valid in J2EE and J2SE applications. Optional. Default value: `anonymous-role`
`anonymous.role.uniquename`	Specifies the name of the anonymous role. Valid in J2EE and J2SE applications. Optional. Default value: `anonymous-role`
`anonymous.user.name`	Specifies the name of the principal in the anonymous user. Valid in J2EE and J2SE applications. Optional. Default value: `anonymous`
`authenticated.role.description`	Specifies a description of the authenticated role. Valid in J2EE and J2SE applications. Optional. No default value.
`authenticated.role.name`	Specifies the name of the principal in authenticated user roles. Valid in J2EE and J2SE applications. Optional. Default value: `authenticated-role`
`authenticated.role.uniquename`	Specifies the name of the authenticated role. Valid in J2EE and J2SE applications. Optional. Default value: `authenticated-role`
`remove.anonymous.role`	Specifies whether the anonymous role should be removed from the subject after a user is authenticated. Valid in J2EE and J2SE applications. Optional. Valid values: `TRUE`, `FALSE`. Default value: `FALSE`.