Administrative Reference


BLM Configuration API Security Providers Reference

This section provides a reference for the security provider attributes, and their default values.

Default security provider attribute values are not stored in the database, so the BLM configuration API cannot discover the attribute names or their default values; they are documented here instead. Provider attributes also follow an inheritance model: if a provider extends another, all of the parent's attributes are available on the child as well.

You use these attribute names and default values with the BLM configuration API classes. For example, the SSMConfigurationManager.createProviderConfiguration() method has a parameter for mgmtinterface, which is the full name of the management interface associated with this provider. The mgmtinterface values are documented in this section.

As another example, the SSMProviderManager.getPropertyReport() method returns a report on a provider's properties collection. However, attributes that have not been explicitly set use their default values, which are not returned in the array of SSMProviderConfigElement objects. The default attribute values are documented in this section.

Note: All information entered through the BLM Configuration API is string based.

Each of the following sections includes a table that lists the attributes supported by each security provider. Each table includes a List column that designates whether the getValue/setValue or getValueList/setValueList methods should be used with each attribute.
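The following Python script is an added example, not code from the ALES documentation or product, and it uses Python in place of the Java BLM API. It models the two facts above: a property report lists only the attributes that were explicitly set (every value a string), and a provider that extends another inherits the parent's attributes. The DEFAULTS and EXTENDS tables are a subset of what this section documents; that a child provider's own documented default takes precedence over the parent's is an assumption, and the demo-material check simply compares against the demoProviderTrust.jks defaults listed for the ALESIdentityAsserter below.

```python
"""Effective configuration of a security provider from a BLM API property report."""

# mgmtinterface names as documented in this section.
LDAP = "com.bea.security.providers.authentication.LDAPAuthenticator"
AD = "com.bea.security.providers.authentication.ActiveDirectoryAuthenticator"
ALES_IA = "com.bea.security.providers.authentication.alesidentity.ALESIdentityAsserter"

# Subset of the documented defaults, keyed by mgmtinterface.
DEFAULTS = {
    LDAP: {
        "UserObjectClass": "person",
        "UserNameAttribute": "uid",
        "UserFromNameFilter": "(&(uid=%u)(objectclass=person))",
        "StaticMemberDNAttribute": "uniquemember",
        "AutomaticFailoverEnabled": "false",
        "BackupSSLEnabled": "false",
    },
    AD: {
        "UserObjectClass": "user",
        "UserNameAttribute": "cn",
        "UserFromNameFilter": "(&(cn=%u)(objectclass=user))",
        "StaticMemberDNAttribute": "member",
        "UseTokenGroupsForGroupMembershipLookup": "false",
    },
    ALES_IA: {
        "TrustedCAKeystore": "{shared.dir}/keys/demoProviderTrust.jks",
        "TrustedKeystore": "{shared.dir}/keys/demoProviderTrust.jks",
        "TrustedCertAlias": "demo_provider_trust",
        "TrustedCertAliasPasswd": "password",
        "Base64DecodingRequired": "false",
    },
}

# Inheritance documented in this section: child mgmtinterface -> parent.
EXTENDS = {AD: LDAP}

# Attributes this section documents with "true"/"false" string defaults.
BOOLEAN_ATTRIBUTES = {
    "AutomaticFailoverEnabled", "BackupSSLEnabled",
    "UseTokenGroupsForGroupMembershipLookup", "Base64DecodingRequired",
}

# Values that identify the demonstration trust material under {shared.dir}/keys.
DEMO_VALUES = {
    "TrustedCAKeystore": "{shared.dir}/keys/demoProviderTrust.jks",
    "TrustedKeystore": "{shared.dir}/keys/demoProviderTrust.jks",
    "TrustedCertAlias": "demo_provider_trust",
    "TrustedCertAliasPasswd": "password",
}


def documented_defaults(mgmtinterface):
    """Defaults for a provider, including those inherited from its parents.

    Assumption: a child's documented default overrides the parent's.
    """
    chain = []
    current = mgmtinterface
    while current is not None:
        chain.append(current)
        current = EXTENDS.get(current)
    merged = {}
    for name in reversed(chain):  # root parent first, child last
        merged.update(DEFAULTS.get(name, {}))
    return merged


def effective_config(mgmtinterface, report):
    """Overlay the explicitly set attributes (what getPropertyReport returns) on the defaults."""
    config = documented_defaults(mgmtinterface)
    config.update(report)
    return config


def malformed_booleans(config):
    """Boolean attributes whose string value is not exactly "true" or "false".

    The API stores plain strings and does not type-check; anything else is flagged for review.
    """
    return sorted(k for k in BOOLEAN_ATTRIBUTES
                  if k in config and config[k] not in ("true", "false"))


def demo_material_in_use(config):
    """Trust attributes still pointing at the demonstration keystore, alias or password."""
    return sorted(k for k, v in DEMO_VALUES.items() if config.get(k) == v)


if __name__ == "__main__":
    # Constructed report: what an administrator set explicitly on an AD provider.
    report = {"UserBaseDN": "ou=staff,dc=corp,dc=example", "BackupSSLEnabled": "True"}
    cfg = effective_config(AD, report)
    print(cfg["UserNameAttribute"], cfg["AutomaticFailoverEnabled"])
    print(malformed_booleans(cfg))
    print(demo_material_in_use(effective_config(ALES_IA, {})))
```

Run against a real report, the last call is the one to watch: an ALESIdentityAsserter or ALESIdentityCredentialMapper whose trust attributes all come back empty from getPropertyReport() is running on the demonstration keystore and its published password.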

 


ActiveDirectoryAuthenticator

The ActiveDirectoryAuthenticator extends com.bea.security.providers.authentication.LDAPAuthenticator. Table 9-1 describes the attributes supported by this provider.

Table 9-1 ActiveDirectoryAuthenticator 
Attribute Name
Default Value
Description
List
mgmtinterface
com.bea.security.providers.authentication.ActiveDirectoryAuthenticator
 
N
UserNameAttribute
“cn”
The attribute of the LDAP user object that specifies the name of the user.
N
UserBaseDN
“ou=WLSMEMBERS,dc=example,dc=com”
The base distinguished name (DN) of the tree in the LDAP directory that contains users.
N
UserFromNameFilter
"(&(cn=%u)(objectclass=user))”
LDAP search filter for finding a user given the name of the user. If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.
N
UserObjectClass
“user”
The LDAP object class that stores users.
N
GroupBaseDN
“ou=WLSGROUPS,dc=example,dc=com”
The base distinguished name (DN) of the tree in the LDAP directory that contains groups.
N
GroupFromNameFilter
"(&(cn=%g)(objectclass=group))"
LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.
N
StaticGroupDNsfromMemberDNFilter
“(&(member=%M)(objectclass=group))”
LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member.
N
StaticGroupObjectClass
“group”
The name of the LDAP object class that stores static groups.
N
StaticMemberDNAttribute
“member”
The attribute of the LDAP static group object that specifies the distinguished names (DNs) of the members of the group.
N
UseTokenGroupsForGroupMembershipLookup
“false”
Boolean value that indicates whether to use the TokenGroups attribute lookup algorithm instead of the standard recursive group membership lookup algorithm.
N
EnableSIDtoGroupLookupCaching
“false”
Indicates whether SID to group name lookup results are cached. This attribute is only used if the token group membership lookup algorithm is enabled (see UseTokenGroupsForGroupMembershipLookup).
N
MaxSIDToGroupLookupsInCache
“500”
The maximum size of the LRU cache for holding SID to group lookups if caching of SID to group name mappings is enabled and if the tokenGroups group membership lookup is enabled. The default is 500.
N

 


ALESIdentityAsserter

ALESIdentityAsserter extends com.bea.security.providers.authentication.alesidentity. Table 9-2 describes the attributes supported by this security provider.

Table 9-2 ALESIdentityAsserter
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.authentication.alesidentity.ALESIdentityAsserter”
 
N
ActiveTypes
{“ALESIdentityAssertion”}
 
Y
Base64DecodingRequired
“false”
Specifies whether the request header value or cookie value must be Base64-decoded before it is passed to the Identity Assertion provider. The option exists for backward compatibility; most Identity Assertion providers do not require this decoding.
N
TrustedCAKeystore
“{shared.dir}/keys/demoProviderTrust.jks”
The location of the trusted CA keystore, in the format given by TrustedCAKeystoreType. {shared.dir} is replaced with the Security Service Module (SSM) instance directory at runtime; that directory is taken from the value of instance.home in SSM.properties, located in the /config directory of the SSM instance.
If SSM.properties cannot be located, the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home.
If DEFAULT is specified, the java.home system property is used to locate the JDK cacerts keystore, normally at JAVA_HOME/lib/security/cacerts.
N
TrustedKeystore
“{shared.dir}/keys/demoProviderTrust.jks”
The location of the trusted keystore, in the format given by TrustedKeystoreType. {shared.dir} is replaced with the SSM instance directory at runtime.
That directory is taken from the value of instance.home in SSM.properties, located in the /config directory of the SSM instance. If SSM.properties cannot be located, the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home.
N
TrustedCAKeystoreType
“JKS”
The keystore type (for example JKS) of the keystore named by TrustedCAKeystore.
N
TrustedKeystoreType
“JKS”
The keystore type (for example JKS) of the keystore named by TrustedKeystore.
N
TrustedCertAlias
“demo_provider_trust”
The Cert Alias to be used to verify the Identity Assertion.
N
TrustedCertAliasPasswd
“password”
The password used with the cert alias to retrieve the private key from the keystore. The default is the password of the demonstration keystore (demoProviderTrust.jks); a deployment should use its own keystore, alias and password rather than the demo material.
N

 


ALESIdentityCredentialMapper

ALESIdentityCredentialMapper extends weblogic.management.security.credentials.CredentialMapper. Table 9-3 describes the attributes supported by this security provider.

Table 9-3 ALESIdentityCredential Mapper
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.credentials.alesidentity.ALESIdentityCredentialMapper”
 
N
TrustedKeystore
“{shared.dir}/keys/demoProviderTrust.jks”
The keystore to be used to get the certificate chain to sign the Identity Assertion. {shared.dir} will be replaced with the SSM instance directory at runtime.
This attribute is determined by the value of instance.home in SSM.properties located in the /config directory of the SSM instance. If SSM.properties cannot be located, then the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home.
N
TrustedKeystoreType
“JKS”
The type of the keystore named by TrustedKeystore.
N
TrustedCertAlias
“demo_provider_trust”
The Cert Alias to be used to sign the Identity Assertion.
N
TrustedCertAliasPasswd
“password”
The password used with the cert alias to retrieve the signing private key from the keystore.
N

 


AsiAdjudicator

AsiAdjudicator extends weblogic.management.security.authorization.Adjudicator. Table 9-4 describes the attributes supported by this security provider.

Table 9-4 AsiAdjudicator
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.authorization.ASIAdjudicator”
 
N
RequireUnanimousPermit
“true”
Requires all authorization providers to vote PERMIT in order for the adjudication provider to vote PERMIT. If the attribute is set to false, ABSTAIN votes are ignored.
N

 


AsiAuthorizationProvider

ASIAuthorizationProvider extends com.bea.security.providers.authorization.asi. Table 9-5 describes the attributes supported by this security provider.

Table 9-5 AsiAuthorizationProvider
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.authorization.asi.ASIAuthorizationProvider”
 
N
IgnoreNonASIRoles
“false”
Specifies if the provider should ignore roles generated by role mapping providers other than the ASI Role Mapping provider.
N
AccessAllowedCaching
“true”
When enabled, results from authorization queries are cached, which significantly improves performance for applications that make repetitive queries.
N

 


ASIAuthorizer

ASIAuthorizer extends weblogic.management.security.Provider. Table 9-6 describes the attributes supported by this security provider.

Table 9-6 AsiAuthorizer 
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.authorization.asi.ASIAuthorizer”
 
N
AdvancedConfigurationProperties
 
Specifies additional advanced configuration parameters.
Y
Directory
“RootOrg!AdminDir”
Specifies the identity directory to use when performing the authorization or role mapping.
N
PreLoadAttributes
“adaptive-private”
Determines whether or not the provider loads ContextHandler data before starting to evaluate policy or waits for a callback to ask for specific items. Pre-loading attributes can dramatically improve performance in policies that use contextual attributes.
N
SessionEvictionCapacity
“500”
The number of authorization and role mapping sessions to actively maintain. Once the limit is reached, old sessions are dropped and automatically re-established when needed.
N
SessionEvictionPercentage
“10”
The percentage of authorization and role mapping sessions to drop when the eviction capacity is reached.
N
ApplicationDeploymentParent
“//app/policy”
Specifies the root of the resource tree for this SSM.
N
SharedResourcesParent
“shared”
Specifies the root of the shared resource tree for this SSM. The value may be relative to the value of ApplicationDeploymentParent.
N
ResourceConverters
 
Specifies the types of resources supported by these providers. The value is a list of fully-qualified Java class names. These classes should implement the ResourceConverter interface. This product includes resource converters for the standard WebLogic resource types.
Y
InstantiateWeblogicResourceConverters
“true”
Instantiate Resource Converters for all default WebLogic resource types.
N
AttributeRetrievers
 
Specifies plugins used to retrieve attribute values from complex data objects. These classes should implement the AttributeRetriever interface.
Y
EvaluationFunctions
 
Specifies plugins used to perform complex evaluations. These classes should implement the EvaluationFunction interface.
Y
AttributeConverters
 
Specifies the plugins to use when converting native Java types into the required string representation used when evaluating policy. If a converter is not registered for a given type, then the toString() method is used by default.
Y
AnonymousSubjectName
“anonymous”
The name to use when performing queries for an unauthenticated user.
N
UseUserAttributes
“true”
Specifies whether or not user attributes are used in evaluation of policy.
N
ActivateOnStartUp
“true”
Determines whether or not the authorization and role mapping providers process policy requests from cached policy before contacting the Policy Distributor for a policy update.
N
SessionExpirationSec
“60”
The duration for which to cache session data, in seconds.
N
SubjectDataCacheExpirationSec
“60”
The duration for which to cache subject data, in seconds.
N

 


ASIRoleMapperProvider

ASIRoleMapperProvider extends weblogic.management.security.authorization.RoleMapper. Table 9-7 describes the attributes supported by this security provider.

Table 9-7 ASIRoleMapperProvider 
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.authorization.asi.ASIRoleMapper”
 
N
LazyRoleProvider
“true”
When enabled, the role provider delays calculation of role membership until the result is inspected. Leaving this attribute set to true gives a significant performance improvement when used together with the ASI Authorization provider.
N
GetRolesCaching
“true”
When enabled, results from role mapping queries are cached, which significantly improves performance for applications that make repetitive queries.
N

 


DatabaseAuthenticator

DatabaseAuthenticator extends com.bea.security.providers.authentication.dbms.DBMSAuthenticator.

 


DatabaseCredentialMapper

DatabaseCredentialMapper extends weblogic.management.security.credentials.CredentialMapper. Table 9-8 describes the attributes supported by this security provider.

Table 9-8 DatabaseCredentialMapper 
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.credentials.dbms.DatabaseCredentialMapper”
   
AllowedTypes
“DBPASSWORD”
The types of credentials this provider is allowed to retrieve. If this attribute is set to a single value of asterisk (*), then all credential types are accepted and the queries determine if the type is appropriate.
Y
SelectByIdent
“true”
Enables selection of credentials from the database based on the username of the requesting identity.
N
SelectByIdentGroup
“false”
Enables selection of credentials from the database based upon the groups of the requesting identity.
N
DatabaseUserName
 
The username to use to log into the primary database connection pool.
N
DatabasePassword
 
The password to use to log into the primary database connection pool.
N
AdministratorUserName
 
The database username used for the administration of mappings.
N
AdministratorPassword
 
The database password used for the administration of mappings.
N
DatabaseProperties
 
Properties to use when creating a database connection in the primary connection pool. These properties are entered as NAME=VALUE.
Y
DatabaseURL
 
The JDBC URL the primary connection pool uses to connect to the database. This attribute is also used for credential mapping administration.
N
DatabaseDriverName
 
The class name of the JDBC driver to use for the provider database connections. This attribute is also used for credential mapping administration.
N
ConnectionPoolMin
“5”
The minimum number of connections to allow in the primary connection pool.
N
ConnectionPoolMax
“20”
The maximum number of connections to allow in the primary connection pool.
N
ConnectionRetireTime
“120”
The number of seconds of idle time before a connection is removed from a connection pool.
N
EnableAutomaticFailover
“false”
Enables the use of the backup connection pool if the primary connection pool fails.
N
BackupDatabaseUserName
 
The username to use to log into the backup database.
N
BackupDatabasePassword
 
The password to use to log into the backup database.
N
BackupDatabaseProperties
 
Properties to use when obtaining the JDBC connection to the backup database. These properties are entered as NAME=VALUE.
Y
BackupDatabaseURL
 
The JDBC URL to use to connect to the backup database.
N
BackupConnectionPoolMin
“0”
The minimum number of connections to allow in the backup connection pool.
N
BackupConnectionPoolMax
“20”
The maximum number of connections to allow in the backup connection pool.
N
FailureThreshold
“3”
The number of database errors that must occur sequentially on a connection pool before that pool is considered failed.
N
PrimaryRetryInterval
“30”
When operating with the backup pool, this setting determines how often the primary pool is evaluated for fail back. This value is in seconds.
N
QueryByIdent
“select username, password from asi_credential_map where byident = {0} and forident = {1} and config = {5}”
The query to use to retrieve credentials from the database based upon the requester identity. This query must return two columns, username and password. The password must be stored encrypted (see SharedSecret). The following placeholders are replaced in the query at runtime:
{0} the username of the requesting identity
{1} the username of the target identity
{2} the normalized form of the resource
{3} the normalized form of the action or default if none is defined
{4} the credential type being requested
{5} the name of this provider configuration
N
QueryByIdentGroup
 
The query to use to retrieve credentials from the database during group membership evaluation. If enabled, this query is called once for every group the forIdent user is in. This query must return two columns, username and password. The password must be stored encrypted (see SharedSecret). The following placeholders are replaced in the query at runtime:
{0} the group name of the requesting identity
{1} the username of the target identity
{2} the normalized form of the resource
{3} the normalized form of the action or default if none is defined
{4} the credential type being requested
{5} the name of this provider configuration
N
CountRecordQuery
“select count(*) from asi_credential_map where config = {0}”
The query to use to retrieve a count of the credential records associated with a specific configuration for administration of credential mappings. This query must return one numeric value. The following placeholders are replaced in the query at runtime:
{0} the name of this provider configuration.
N
RetrieveRecordQuery
“select map_id, byident, forident, username, password, normalres, normalact, config from asi_credential_map where config = {0} and map_id = {1}”
The query to use to retrieve a credential record from the database for administration of credential mappings. This query must return a column for record id (numeric), byIdent, forIdent, username, password, resource, action, and config in that order. The password is encrypted. Resource, action and config are optional values (you may return null). All other columns must have values.
The following placeholders are replaced in the query at runtime:
{0} the name of the provider configuration
{1} the record id being retrieved (numeric).
N
ListRecordsQuery
“select map_id, byident, forident, username, password, normalres, normalact, config from asi_credential_map where config = {0} order by byident,forident,username,normalres,normalact,map_id”
The query to use to retrieve a list of records from the database for use in the administration of credential mappings. This query must return a column for record id (numeric), byIdent, forIdent, username, password, resource, action and config in the correct order. The password is encrypted. Resource, action and config are optional values (you may return null). All other columns must have values.
The following placeholders are replaced in the query at runtime:
{0} the name of the provider configuration.
N
DeleteRecordQuery
“delete asi_credential_map where map_id = {1}”
The query to use to delete a credential mapping record from the database.
The following placeholders are replaced in the query at runtime:
{0} the name of the provider configuration
{1} the record id being deleted (numeric).
N
SaveRecordQuery
“update asi_credential_map set byident={0}, forident={1}, username={2}, normalres={3}, normalact={4} where map_id = {6}”
The query to use to update a credential mapping record in the database. This query is called whenever updates need to be recorded without a password change. The following placeholders are replaced in the query at runtime:
{0} the username of the requesting user.
{1} the username or alias of the target user.
{2} the remote username
{3} the normalized form of the resource
{4} the normalized form of the action or default if none is defined
{5} the name of the provider configuration
{6} the record id being updated (numeric).
N
SaveRecordWithPasswordQuery
“update asi_credential_map set byident={0}, forident={1}, username={2}, normalres={3}, normalact={4}, password={7} where map_id = {6}”
The query to use to update a credential mapping record in the database. This query is called whenever updates need to be recorded with a password change. The following placeholders are replaced in the query at runtime:
{0} username of the requesting user
{1} username of the target user
{2} remote username
{3} normalized form of the resource
{4} normalized form of the action or default if none is defined
{5} name of the provider configuration
{6} record id being updated (numeric)
{7} encrypted password.
N
AddRecordQuery
“insert into asi_credential_map ( byident, forident, username, password, normalres, normalact, config ) values ( {0}, {1}, {2}, {6}, {3}, {4}, {5} )”
The query to use to add a credential mapping record to the database. The following placeholders are replaced in the query at runtime:
{0} username of the requesting user
{1} username or alias of target user
{2} remote username
{3} normalized form of the resource
{4} normalized form of the action or default if none is defined
{5} name of provider configuration
{6} encrypted password.
N
SharedSecret
 
A secret passphrase used to decrypt passwords stored in the database. Only passwords encrypted with this same secret pass-phrase are available to this provider.
NOTE: Changing this phrase invalidates all currently stored passwords. If you change this shared secret you will have to reset the passwords in the database so that they match.
N
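
As an added example (not from the ALES documentation or product, and in Python rather than the provider's Java), the script below lints a set of DatabaseCredentialMapper query templates against the placeholder indices documented above, so that a customised query does not reference an index the provider never substitutes, drop the encrypted-password placeholder on a write, or return the wrong number of columns. The sample bad templates and the table name `cred` are constructed. How the provider substitutes the placeholders (as bound parameters or as text) is not documented here, and the lint does not assume either.

```python
"""Lint DatabaseCredentialMapper query templates against the documented placeholders."""
import re

# Highest placeholder index this section documents for each query attribute.
MAX_PLACEHOLDER = {
    "QueryByIdent": 5, "QueryByIdentGroup": 5, "CountRecordQuery": 0,
    "RetrieveRecordQuery": 1, "ListRecordsQuery": 0, "DeleteRecordQuery": 1,
    "SaveRecordQuery": 6, "SaveRecordWithPasswordQuery": 7, "AddRecordQuery": 6,
}
# Placeholder carrying the encrypted password in the queries that write one.
PASSWORD_PLACEHOLDER = {"SaveRecordWithPasswordQuery": 7, "AddRecordQuery": 6}
# Queries that must return exactly username and password ...
TWO_COLUMN = {"QueryByIdent", "QueryByIdentGroup"}
# ... and the administration queries that must return the eight record columns in order.
RECORD_COLUMN = {"RetrieveRecordQuery", "ListRecordsQuery"}
RECORD_COLUMNS = 8  # map_id, byident, forident, username, password, normalres, normalact, config

PLACEHOLDER_RE = re.compile(r"\{(\d+)\}")
SELECT_LIST_RE = re.compile(r"\s*select\s+(.*?)\s+from\s", re.IGNORECASE | re.DOTALL)

# The defaults documented in this section (QueryByIdentGroup has no default).
DOCUMENTED_DEFAULTS = {
    "QueryByIdent": "select username, password from asi_credential_map where byident = {0} and forident = {1} and config = {5}",
    "CountRecordQuery": "select count(*) from asi_credential_map where config = {0}",
    "RetrieveRecordQuery": "select map_id, byident, forident, username, password, normalres, normalact, config from asi_credential_map where config = {0} and map_id = {1}",
    "ListRecordsQuery": "select map_id, byident, forident, username, password, normalres, normalact, config from asi_credential_map where config = {0} order by byident,forident,username,normalres,normalact,map_id",
    "DeleteRecordQuery": "delete asi_credential_map where map_id = {1}",
    "SaveRecordQuery": "update asi_credential_map set byident={0}, forident={1}, username={2}, normalres={3}, normalact={4} where map_id = {6}",
    "SaveRecordWithPasswordQuery": "update asi_credential_map set byident={0}, forident={1}, username={2}, normalres={3}, normalact={4}, password={7} where map_id = {6}",
    "AddRecordQuery": "insert into asi_credential_map ( byident, forident, username, password, normalres, normalact, config ) values ( {0}, {1}, {2}, {6}, {3}, {4}, {5} )",
}


def placeholders(template):
    """Distinct placeholder indices used in a template, ascending."""
    return sorted({int(n) for n in PLACEHOLDER_RE.findall(template)})


def select_column_count(template):
    """Number of comma-separated items in the select list; 0 if the template is not a select."""
    m = SELECT_LIST_RE.match(template)
    if not m:
        return 0
    return len([c for c in m.group(1).split(",") if c.strip()])


def lint_query(attribute, template):
    """Return a list of problems with the template; an empty list means it passes."""
    if attribute not in MAX_PLACEHOLDER:
        return [f"unknown query attribute {attribute}"]
    problems = []
    used = placeholders(template)
    for idx in used:
        if idx > MAX_PLACEHOLDER[attribute]:
            problems.append(f"{{{idx}}} is not substituted for {attribute}")
    pw = PASSWORD_PLACEHOLDER.get(attribute)
    if pw is not None and pw not in used:
        problems.append(f"{attribute} does not write the encrypted password {{{pw}}}")
    if attribute == "SaveRecordQuery" and "password" in template.lower():
        problems.append("SaveRecordQuery is for updates without a password change")
    if attribute in TWO_COLUMN and select_column_count(template) != 2:
        problems.append(f"{attribute} must return exactly username and password")
    if attribute in RECORD_COLUMN and select_column_count(template) != RECORD_COLUMNS:
        problems.append(f"{attribute} must return the {RECORD_COLUMNS} record columns in order")
    return problems


def lint_all(templates):
    """Lint a mapping of attribute -> template; returns {attribute: problems} for failures only."""
    result = {}
    for attribute, template in templates.items():
        problems = lint_query(attribute, template)
        if problems:
            result[attribute] = problems
    return result


if __name__ == "__main__":
    print(lint_all(DOCUMENTED_DEFAULTS))  # the documented defaults pass
    # Constructed customisations that would silently break credential retrieval or storage.
    print(lint_query("QueryByIdent",
                     "select username, password from cred where byident = {0} and config = {7}"))
    print(lint_query("AddRecordQuery",
                     "insert into cred (byident, forident, username) values ({0}, {1}, {2})"))
```

The check is deliberately textual: it does not execute SQL, so it cannot tell whether a template quotes its placeholders correctly for the target driver. Run it over the values you intend to set with setValue before committing a customised query.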

 


DefaultAuthenticator

DefaultAuthenticator extends weblogic.management.security.authentication.Authenticator. Table 9-9 describes the attributes supported by this security provider.

Table 9-9 DefaultAuthenticator 
Attribute Name
Default Value
Description
List
mgmtinterface
weblogic.security.providers.authentication.DefaultAuthenticator
 
N
MinimumPasswordLength
“8”
Minimum number of characters required in a password.
N
SupportedImportFormats
{“DefaultAtn”}
Format of the file to import. The list of supported import formats is determined by the Authentication provider from which the users and groups were originally exported.
Y
SupportedImportConstraints
 
Users and groups to import into this Authentication provider’s database. If none are specified, all are imported.
Y
SupportedExportFormats
{“Default”}
Format of the file to export. The list of supported export formats is determined by this Authentication provider.
Y
SupportedExportConstraints
{“users”,”groups”}
Users and groups to export from this Authentication provider’s database. If none are specified, all are exported.
Y
GroupMembershipSearching
“unlimited”
Specifies whether recursive group membership searching is unlimited or limited. Valid values are unlimited and limited.
N
MaxGroupMembershipSearchLevel
“0”
Specifies how many levels of group membership can be searched. Valid only if GroupMembershipSearching is set to limited.
N
UseRetrievedUserNameAsPrincipal
“false”
Specifies if username retrieved from LDAP should be used as the principal in the subject.
N

 


DefaultAuthorizer

DefaultAuthorizer extends weblogic.management.security.authorization.DeployableAuthorizer. Table 9-10 describes the attributes supported by this security provider.

Table 9-10 DefaultAuthorizer 
Attribute Name
Default Value
Description
List
mgmtinterface
weblogic.security.providers.authorization.DefaultAuthorizer
 
N
SupportedImportFormats
{“DefaultAtz”}
Format of the file to import. The list of supported import formats is determined by the Authorization provider from which the authorization policies were originally exported.
Y
SupportedImportConstraints
 
Authorization policies to import into this Authorization provider's database. If none are specified, all are imported.
Y
SupportedExportFormats
{“DefaultAtz”}
The format of the file to export. The list of supported export formats is determined by this Authorization provider.
Y
SupportedExportConstraints
 
Authorization policies to export from this Authorization provider's database. If none are specified, all are exported.
Y

 


DefaultCredentialMapper

DefaultCredentialMapper extends weblogic.management.security.credentials.DeployableCredentialMapper. Table 9-11 describes the attributes supported by this security provider.

Table 9-11 DefaultCredentialMapper 
Attribute Name
Default Value
Description
List
mgmtinterface
weblogic.security.providers.credentials.DefaultCredentialMapper
 
N
SupportedImportFormats
{“DefaultCreds”}
Format of the file to import. The list of supported import formats is determined by the Credential Mapping provider from which the credential maps were originally exported.
Y
SupportedImportConstraints
 
Credential maps to import into this Credential Mapping provider’s database. If none are specified, all are imported.
Y
SupportedExportFormats
{“DefaultCreds”}
The format of the file to export. The list of supported export formats is determined by this Credential Mapping provider.
Y
SupportedExportConstraints
{“passwords”}
Credential maps to export from this Credential Mapping provider’s database. If none are specified, all are exported.
Y

 


DefaultRoleMapper

DefaultRoleMapper extends weblogic.management.security.authorization.DeployableRoleMapper. Table 9-12 describes the attributes supported by this security provider.

Table 9-12 DefaultRoleMapper 
Attribute Name
Default Value
Description
List
mgmtinterface
weblogic.security.providers.authorization.DefaultRoleMapper
   
SupportedImportFormats
{“DefaultRoles”}
The format of the file to import. The list of supported import formats is determined by the Role Mapping provider from which the security roles were originally exported.
Y
SupportedImportConstraints
 
Security roles to import into this Role Mapping provider’s database. If none are specified, all are imported.
Y
SupportedExportFormats
{“DefaultRoles”}
The format of the file to export. The list of supported export formats is determined by this Role Mapping provider.
Y
SupportedExportConstraints
 
Security roles to export from this Role Mapping provider’s database. If none are specified, all are exported.
Y

 


IPlanetAuthenticator

IPlanetAuthenticator extends com.bea.security.providers.authentication.LDAPAuthenticator. Table 9-13 describes the attributes supported by this security provider.

Table 9-13 IPlanetAuthenticator 
Attribute Name
Default Value
Description
List
mgmtinterface
“com.bea.security.providers.authentication.IplanetAuthenticator”
 
N
GroupFromNameFilter
“(|(&(cn=%g)(objectclass=groupofUniqueNames))(& (cn=%g)(objectclass=groupOfURLs)))”
An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.
N
StaticMemberDNAttribute
“member”
The attribute of an LDAP static group object that specifies the distinguished names (DNs) of the members of the group.
N
DynamicGroupObjectClass
“groupofURLs”
The LDAP object class that stores dynamic groups.
N
DynamicGroupNameAttribute
“cn”
The attribute of the dynamic LDAP group object that specifies the name of the group.
N
DynamicMemberURLAttribute
“memberURL”
The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.
N

 


LDAPAuthenticator

LDAPAuthenticator extends weblogic.management.security.authentication.Authenticator. Table 9-14 describes the attributes supported by this security provider.

Table 9-14 LDAPAuthenticator 
Attribute Name
Default Value
Description
List
mgmtinterface
com.bea.security.providers.authentication.LDAPAuthenticator
 
N
UserObjectClass
“person”
LDAP object class that stores users.
N
UserNameAttribute
“uid”
The attribute of an LDAP user object that specifies the name of the user.
N
UserDynamicGroupDNAttribute
 
The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If it does not exist, WebLogic Server determines whether a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server also evaluates the URLs on any of that group's descendant groups.
N
UserBaseDN
“ou=people, o=example.com”
Base distinguished name (DN) of the tree in the LDAP directory that contains users.
N
UserSearchScope
“subtree”
Specifies how deep in the LDAP directory tree to search for Users. Valid values are subtree and onelevel.
N
UserFromNameFilter
“(&(uid=%u)(objectclass=person))”
LDAP search filter for finding a user given the name of the user. If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.
N
AllUsersFilter
 
LDAP search filter for finding all users beneath the base user distinguished name (DN). If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.
N
GroupBaseDN
“ou=groups, o=example.com”
Base distinguished name (DN) of the tree in the LDAP directory that contains groups.
N
GroupSearchScope
“subtree”
Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.
N
GroupFromNameFilter
“(&(cn=%g)(objectclass=groupofuniquenames))”
LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.
N
AllGroupsFilter
 
LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.
N
StaticGroupObjectClass
“groupofuniquenames”
Name of the LDAP object class that stores static groups.
N
StaticGroupNameAttribute
“cn”
Attribute of a static LDAP group object that specifies the name of the group.
N
StaticMemberDNAttribute
“uniquemember”
Attribute of a static LDAP group object that specifies the distinguished names (DNs) of the members of the group.
N
StaticGroupDNsfromMemberDNFilter
“(&(uniquemember=%M)(objectclass=groupofuniquenames))”
LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.
N
DynamicGroupObjectClass
 
LDAP object class that stores dynamic groups.
N
DynamicGroupNameAttribute
 
Attribute of a dynamic LDAP group object that specifies the name of the group.
N
DynamicMemberURLAttribute
 
Attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.
N
AutomaticFailoverEnabled
“false”
Option to enable automatic failover when using the LDAP server.
N
BackupHost
“localhost”
Host name or IP address of the backup LDAP server.
N
BackupPort
“389”
Port number on which the backup LDAP server is listening.
N
BackupSSLEnabled
“false”
Option to enable SSL when connecting to the backup LDAP server.
N
BackupPrincipal
 
Distinguished Name (DN) of the LDAP user authorized to connect to the backup LDAP server.
N
BackupCredential
 
Credential (generally a password) used to authenticate the backup LDAP user defined in the BackupPrincipal attribute.
N
PrimaryRetryInterval
“3600”
Number of seconds the provider waits, while using the backup LDAP server, before it tries to fail back to the primary LDAP server.
N
GroupMembershipSearching
“unlimited”
Specifies whether recursive group membership searching is unlimited or limited. Valid values are unlimited and limited.
N
MaxGroupMembershipSearchLevel
“0”
Specifies how many levels of group membership can be searched. This setting is valid only if GroupMemberShipSearching is set to limited. Valid values are 0 and positive integers. 0 indicates only direct group memberships will be found. Positive number indicates the number of levels to go down.
N
VerifyUserForIdentityAssertion
“false”
Whether to verify that the user is present in the LDAP repository when an identity assertion is provided.
N
AddGroupsFromIdentityAssertion
“false”
Whether to add groups for the user from the identity assertion when Identity Assertion is turned on.
N
AddGroupsFromLocalLDAP
“true”
Whether to add groups for the user from the local LDAP identity store after user authentication.
N

 


Log4jAuditor

Log4jAuditor extends weblogic.management.security.audit.Auditor. Table 9-15 describes the attributes supported by this security provider.

Table 9-15 Log4jAuditor

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | com.bea.security.providers.audit.Log4JAuditor | | N |
| Severity | ERROR (valid values: GLOBAL, ERROR, INFORMATION, SUCCESS, WARNING, FAILURE) | Lowest level at which auditing is initiated. The Log4j Audit Channel provider orders severities, from lowest to highest, as INFORMATION, SUCCESS, WARNING, ERROR, FAILURE. For example, if the log4j severity threshold is ERROR (the default setting), all audit events with severity ERROR and FAILURE are audited. Different audit events can be audited depending on the setting for each of them: every audit event type can be set to DISABLED or WITHOUT_CONTEXT, and for those that carry context you can also select WITH_CONTEXT. | N |
| Log4jConfigProperties | {"log4j.appender.ASIauditFile=org.apache.log4j.RollingFileAppender", "log4j.appender.ASIauditFile.File={HOME}/log/secure_audit.log", "log4j.appender.ASIauditFile.layout=org.apache.log4j.PatternLayout", "log4j.appender.ASIauditFile.layout.ConversionPattern=%d [%t] %-5p %c - %m%n", "log4j.logger.ASI_AUDIT=NULL, ASIauditFile", "log4j.additivity.ASI_AUDIT=false"} | These properties are passed to log4j upon initialization of the log4j provider. By default, the log4j provider uses the RollingFileAppender. {HOME} is replaced with the current location of the SSM at runtime; this location is determined by the value of instance.home in SSM.properties. Custom log4j appenders can be configured here to send the auditing information to other destinations such as JMS, the NT event log, JDBC, etc. For more information, see the log4j documentation. | Y |
| Log4jRendererProperties | | Custom renderers can be added here for rendering classes that implement the weblogic.security.spi.AuditEvent interface. For example, weblogic.security.spi.AuditEvent=com.bea.security.providers.audit.AuditEventRenderer. See the Log4J documentation on how to write a renderer for a custom object. Be sure to include the jar file containing the custom renderer classes in the ALES_HOME/lib/providers directory. | Y |
| EnabledAuditEvents | | List of AuditEvent types that will be audited other than the default ones that can be configured using drop-down boxes. Custom AuditEvents not listed here will not be audited. If set to WITHOUT_CONTEXT, all events are audited. Add custom AuditEvents using the weblogic.security.spi.AuditEvent interface. | |
| AuditEvent | "WITHOUT_CONTEXT" | Events of type weblogic.security.spi.AuditEvent. If set to WITHOUT_CONTEXT, all events are audited. | N |
| AuditAuthenticationEvent | "WITHOUT_CONTEXT" | Events of type weblogic.security.spi.AuditAtnEvent. | N |
| AuditAuthorizationEvent | "WITHOUT_CONTEXT" | Events of type weblogic.security.spi.AuditAtzEvent. | N |
| AuditRoleEvent | "WITHOUT_CONTEXT" | Events of type weblogic.security.spi.AuditRoleEvent. | N |
| AuditProviderRecordEvent | "WITHOUT_CONTEXT" | Events of type com.bea.security.spi.ProviderAuditRecord. | N |
| AuditManagementEvent | "WITHOUT_CONTEXT" | Events of type weblogic.security.spi.AuditMgmtEvent. | N |
| AuditPolicyEvent | "WITHOUT_CONTEXT" | Events of type weblogic.security.spi.AuditPolicyEvent. | N |
| AuditRoleDeploymentEvent | "WITHOUT_CONTEXT" | Events of type weblogic.security.spi.AuditRoleDeploymentEvent. | N |

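The following is an added example, not code from the Log4jAuditor itself: it applies the Severity threshold and the per-event-type DISABLED / WITHOUT_CONTEXT / WITH_CONTEXT settings from Table 9-15 to a batch of constructed audit events, so you can see which records the audit channel would emit under a given configuration. The event dictionaries and the record format are this example's own assumptions.

```python
# Added example; not the Log4jAuditor's own code.  It applies the Severity
# threshold and the per-event-type settings documented in Table 9-15 to a
# batch of constructed audit events and returns the records the channel
# would write.  Only the five ordered levels the table describes are
# modelled; GLOBAL appears in the table but its behaviour is not described
# there, so it is rejected rather than guessed.

# Lowest to highest, the order given for the Log4j Audit Channel provider.
SEVERITY_ORDER = ["INFORMATION", "SUCCESS", "WARNING", "ERROR", "FAILURE"]

# Table 9-15 defaults: listed event types are WITHOUT_CONTEXT.  Event types
# absent from the settings are not audited at all, matching the note that
# custom AuditEvents not listed are not audited.
DEFAULT_EVENT_SETTINGS = {
    "AuditAuthenticationEvent": "WITHOUT_CONTEXT",
    "AuditAuthorizationEvent": "WITHOUT_CONTEXT",
    "AuditRoleEvent": "WITHOUT_CONTEXT",
    "AuditPolicyEvent": "WITHOUT_CONTEXT",
}


def meets_threshold(event_severity, threshold):
    """True when event_severity is at or above the configured Severity."""
    for level in (event_severity, threshold):
        if level not in SEVERITY_ORDER:
            raise ValueError(f"severity {level!r} is not one of {SEVERITY_ORDER}")
    return SEVERITY_ORDER.index(event_severity) >= SEVERITY_ORDER.index(threshold)


def audit_batch(events, threshold="ERROR", settings=None):
    """Return (type, severity, message, context) tuples that would be audited.

    events: dicts with 'type', 'severity', 'message' and optional 'context'.
    DISABLED types are skipped, WITH_CONTEXT keeps the context, and
    WITHOUT_CONTEXT (the default) records the message only.
    """
    active = dict(DEFAULT_EVENT_SETTINGS)
    active.update(settings or {})
    records = []
    for ev in events:
        mode = active.get(ev["type"], "DISABLED")
        if mode == "DISABLED" or not meets_threshold(ev["severity"], threshold):
            continue
        context = ev.get("context") if mode == "WITH_CONTEXT" else None
        records.append((ev["type"], ev["severity"], ev["message"], context))
    return records


# Constructed sample events (not real audit output).
SAMPLE_EVENTS = [
    {"type": "AuditAuthenticationEvent", "severity": "FAILURE",
     "message": "authentication failed for user alice",
     "context": {"client": "192.0.2.10"}},
    {"type": "AuditAuthenticationEvent", "severity": "SUCCESS",
     "message": "user alice authenticated"},
    {"type": "AuditAuthorizationEvent", "severity": "ERROR",
     "message": "access denied: //app/policy/orders"},
    {"type": "AuditPolicyEvent", "severity": "WARNING",
     "message": "policy reload took longer than expected"},
    {"type": "CustomVendorEvent", "severity": "FAILURE",
     "message": "custom event type not listed in EnabledAuditEvents"},
]

if __name__ == "__main__":
    # Default configuration: threshold ERROR, listed types WITHOUT_CONTEXT.
    for rec in audit_batch(SAMPLE_EVENTS):
        print(rec)
```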

NovellAuthenticator

NovellAuthenticator extends com.bea.security.providers.authentication.LDAPAuthenticator. Table 9-16 describes the attributes supported by this security provider.

Table 9-16 NovellAuthenticator

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | "com.bea.security.providers.authentication.NovellAuthenticator" | | N |
| UserNameAttribute | "cn" | Attribute of an LDAP user object that specifies the name of the user. | N |
| UserFromNameFilter | "(&(cn=%u)(objectclass=person))" | LDAP search filter for finding a user given the name of the user. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema. | N |
| GroupFromNameFilter | "(&(cn=%g)(objectclass=groupofnames))" | LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema. | N |
| StaticGroupObjectClass | "groupofnames" | Name of the LDAP object class that stores static groups. | N |
| StaticGroupDNsfromMemberDNFilter | "(&(uniquemember=%M)(objectclass=groupofnames))" | LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema. | N |


NTAuthenticator

NTAuthenticator extends weblogic.management.security.authentication.Authenticator. Table 9-17 describes the attributes supported by this security provider.

Table 9-17 NTAuthenticator

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | "weblogic.security.providers.authentication.NTAuthenticator" | | N |
| DomainControllers | "localanddomain" | Domain controllers to use for locating unscoped usernames during authentication, listing users or groups, and handling unscoped names. Valid values: local uses only the local machine; localanddomain (the default) uses the local machine and the domain of which the machine is a member, if it is not standalone; domain uses only the domain of which the machine is a member; list uses the list of domain controllers specified by the DomainControllerList setting. | N |
| DomainControllerList | {"[localanddomain]"} | List of domain controllers to use for locating unscoped usernames during authentication, listing users or groups, and handling unscoped names. This setting is only used if the DomainControllers setting is set to list. The list should contain the domain controller names for the trusted domains that you want to use. Placeholders are supported and expanded if specified; the supported placeholders are [local], [localanddomain], and [domain]. | Y |
| BadDomainControllerRetry | "delay" | Controls how the provider reacts when a bad domain controller name is found. BADDCRetryDelayString (delay) indicates the domain controller can be used again only after a certain amount of time has elapsed since it was last tried unsuccessfully; BADDCRetryNeverString indicates a bad domain controller is never retried; BADDCRetryAlwaysString indicates a bad domain controller is always retried. The default is BADDCRetryDelayString. | N |
| BadDomainControllerRetryInterval | "60000" | Amount of time to wait when a bad domain controller name is found before trying to use the domain controller again. Used only when the BadDomainControllerRetry setting is configured to use delay (BADDCRetryDelayString). The default is 60000 ms (one minute). This setting helps reduce performance hits when a domain controller in the list of controllers is temporarily unavailable. | N |
| MapUPNNames | "first" | Indicates how the Authenticator attempts to map UPN-style names (for example, username@domain) for authentication; the domain\\username form is not ambiguous and is always allowed. first: a name that matches the UPN format is treated as a UPN name first and, if it is not a UPN name, as an unscoped name. last: a name that matches the UPN format is treated as a UPN name only if it fails to match as an unscoped name. always: a name that matches the UPN format is always treated as an unscoped name and not as a UPN name. never: a name that matches the UPN format is always treated as a UPN name; use this option only when you are certain there are no usernames that contain an @ symbol. | N |
| LogonType | "interactive" | Indicates whether to perform a network or an interactive logon. | N |
| MapNTDomainName | "never" | Indicates whether to insert the Windows NT domain information into the principal name during authentication, and which format to use. never (the default): the Windows NT domain name is never inserted into the principal name. The other settings insert the Windows NT domain name into the principal name using either the domain\\name style or the name@domain style. | N |


OpenLDAPAuthenticator

OpenLDAPAuthenticator extends com.bea.security.providers.authentication.LDAPAuthenticator. Table 9-18 describes the attributes supported by this security provider.

Table 9-18 OpenLDAPAuthenticator

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | com.bea.security.providers.authentication.OpenLDAPAuthenticator | | N |
| UserNameAttribute | "cn" | Attribute of an LDAP user object that specifies the name of the user. | N |
| UserBaseDN | "ou=people, dc=example, dc=com" | Base distinguished name (DN) of the tree in the LDAP directory that contains users. | N |
| UserFromNameFilter | "(&(cn=%u)(objectclass=person))" | LDAP search filter for finding a user given the name of the user. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema (the user name attribute and user object class). | N |
| GroupBaseDN | "ou=groups, dc=example, dc=com" | Base distinguished name (DN) of the tree in the LDAP directory that contains groups. | N |
| GroupFromNameFilter | "(&(cn=%g)(objectclass=groupofnames))" | LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema. | N |
| StaticGroupObjectClass | "groupofnames" | Name of the LDAP object class that stores static groups. | N |
| StaticMemberDNAttribute | "member" | Attribute of an LDAP static group object that specifies the distinguished names (DNs) of the members of the group. | N |
| StaticGroupDNsfromMemberDNFilter | "(&(member=%M)(objectclass=groupofnames))" | LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. | N |

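The LDAP authenticator tables above (Novell and OpenLDAP, and the static-group filter in the table before Log4jAuditor) all describe filter templates in which %u, %g and %M are replaced by a user name, a group name or a member DN. The following added example, which is not the provider's own code, shows that expansion for the OpenLDAP defaults and escapes the substituted value per RFC 4515, so that a name containing filter metacharacters is searched for literally rather than changing the filter; the dictionary names and the escaping routine are this example's own.

```python
# Added example; not the provider's own code.  Expands the %u / %g / %M
# placeholders of the LDAPAuthenticator filter templates documented above
# and escapes the substituted value per RFC 4515 (section 3), so that a
# name containing filter metacharacters cannot change the filter's meaning.

# Default filters copied from Table 9-18 (OpenLDAPAuthenticator).
OPENLDAP_FILTERS = {
    "UserFromNameFilter": "(&(cn=%u)(objectclass=person))",
    "GroupFromNameFilter": "(&(cn=%g)(objectclass=groupofnames))",
    "StaticGroupDNsfromMemberDNFilter": "(&(member=%M)(objectclass=groupofnames))",
}

# Which placeholder each template expects: %u user name, %g group name,
# %M member DN, as described in the attribute descriptions above.
PLACEHOLDERS = {
    "UserFromNameFilter": "%u",
    "GroupFromNameFilter": "%g",
    "StaticGroupDNsfromMemberDNFilter": "%M",
}

# RFC 4515 escapes: backslash, asterisk, parentheses and NUL are encoded
# as a backslash followed by two hex digits.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def expand_filter_unsafe(template: str, placeholder: str, value: str) -> str:
    """Plain substitution, shown only to contrast with the escaped form."""
    return template.replace(placeholder, value)


def expand_filter(template: str, placeholder: str, value: str) -> str:
    """Substitute the escaped value for the placeholder in the template."""
    if placeholder not in template:
        raise ValueError(f"template {template!r} has no {placeholder} placeholder")
    return template.replace(placeholder, escape_filter_value(value))


def build_filter(name: str, value: str, filters=OPENLDAP_FILTERS) -> str:
    """Build the named filter (e.g. "UserFromNameFilter") for a given value."""
    return expand_filter(filters[name], PLACEHOLDERS[name], value)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(build_filter("UserFromNameFilter", "alice"))
    # A name that is just "*": the unsafe form turns the lookup into a
    # wildcard match on every person; the escaped form searches for the
    # literal character.
    print(expand_filter_unsafe(OPENLDAP_FILTERS["UserFromNameFilter"], "%u", "*"))
    print(build_filter("UserFromNameFilter", "*"))
    # %M takes a DN; a DN escape (backslash) must itself be filter-escaped.
    print(build_filter("StaticGroupDNsfromMemberDNFilter",
                       r"cn=Smith\, Alice,ou=people,dc=example,dc=com"))
```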

PerfDBAuditor

PerfDBAuditor extends weblogic.management.security.audit.Auditor. Table 9-19 describes the attributes supported by this security provider.

Table 9-19 PerfDBAuditor

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | com.bea.security.providers.audit.PerfDBAuditor | | N |
| PerformanceStatisticsInterval | 5 | Performance statistics gathering interval, in minutes. | |
| PerformanceStatisticsDuration | 0 | Length of the circular buffer, in minutes. Must be greater than or equal to the interval. A value of 0 means unlimited duration. | |
| EnablePerformanceStatistics | true | Enables/disables performance-gathering counters. | |
| JDBCDriverClassName | oracle.jdbc.driver.OracleDriver | Java class name of the JDBC driver. | |
| JDBCConnectionURL | | The connection string for the authentication database. | |
| DatabaseUserLogin | | User id to access the authentication database. | |
| DatabaseUserPassword | | User password to access the authentication database. | |
| JDBCConnectionProperties | | Optional parameters for configuring the JDBC connection. Legal values are determined by the JDBC driver. These properties are entered as NAME=VALUE. | |
| AuthenticationStatisticsTable | PERF_ATH_STAT | Database table for collecting authentication statistics. | |
| AuthorizationStatisticsTable | PERF_ATZ_STAT | Database table for collecting authorization statistics. | |
| AuthorizationAttrStatisticsTable | PERF_ATZ_ATTR_STAT | Database table for collecting authorization attribute statistics. | |
| AuthorizationFuncStatisticsTable | PERF_ATZ_FUNC_STAT | Database table for collecting authorization function statistics. | |


ResourceDeploymentAuditor

ResourceDeploymentAuditor extends weblogic.management.security.audit.Auditor. Table 9-20 describes the attributes supported by this security provider.

Table 9-20 ResourceDeploymentAuditor

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | com.bea.security.providers.audit.ResourceDeploymentAuditor | | N |
| ResourceDeploymentEnabled | "true" | If "true", the audit provider publishes resources to the Administration Application. | N |
| ResourceDeploymentNamingAuthority | "RESOURCEDEPLOYMENT" | Naming authority of audit events to process as resource deployment audit events. | N |
| SessionEvictionCapacity | "40" | Number of sessions to actively maintain. Once the limit is reached, old sessions are dropped and automatically reestablished when needed. | N |
| SessionEvictionPercentage | "25" | Percentage of the sessions to drop when the eviction capacity is reached. | N |
| SessionLifetime | "120000" | Maximum number of milliseconds a session can be used before it is discarded. A value of 0 indicates that sessions are indefinite. | N |
| SessionMaxUses | "100" | Maximum number of times a session can be used before it is discarded. A value of 0 indicates that sessions are indefinite. | N |
| ApplicationDeploymentParent | "//app/policy" | Root of the resource tree where new resources are published. | N |
| SharedResourcesParent | "shared" | Root of the resource tree where new shared resources are published. This item may be relative to the value specified by ApplicationDeploymentParent. | N |
| ResourceConverters | | Types of resources that are supported by this provider. The value is a list of fully qualified Java class names. These classes should implement the ResourceConverter interface. OES includes resource converters for the standard WebLogic Server resource types. | Y |
| InstantiateWeblogicResourceConverters | "true" | Instantiate resource converters for all default WebLogic resource types. When set to true, these converters are not listed in the ResourceConverters configuration attribute. The default set of converters supports all native WebLogic Server resource types. | N |
| AttributeConverters | | Plugins to convert native Java types into the corresponding OES string representation. If a converter is not registered for a given type, the toString() method is used by default. | Y |
| AnonymousSubjectName | "anonymous" | Subject name to use when publishing resources for an anonymous user. | N |
| IdentityDirectory | "asi" | Identity directory to use while publishing resources. | N |
| Domain | | Enterprise domain to use while publishing resources. | N |


SAMLCredentialMapper

SAMLCredentialMapper extends weblogic.management.security.credentials.CredentialMapper. Table 9-21 describes the attributes supported by this security provider.

Table 9-21 SAMLCredentialMapper

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | "com.bea.security.providers.credentials.saml.SAMLCredentialMapper" | | N |
| TrustedKeystore | "{shared.dir}/keys/demoProviderTrust.jks" | Keystore used to get the certificate chain with which to sign the SAML Assertion. {shared.dir} is replaced with the SSM instance directory at runtime. This location is determined by the value of instance.home in SSM.properties, located in the /config directory of the SSM instance. If SSM.properties cannot be located, the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home. | N |
| TrustedKeystoreType | "JKS" | Type of the keystore specified in TrustedKeystore. | N |
| TrustedCertAlias | "demo_provider_trust" | Certificate alias to be used to sign the SAML Assertion. | N |
| TrustedCertAliasPasswd | "password" | Password used with the specified certificate alias to retrieve the private key from the keystore. | N |
| NotBeforeOffset | "120" | Number of seconds in the past from which an assertion is valid, to allow for clock skew. | N |
| NotAfterOffset | "300" | Number of seconds in the future until which an assertion is valid. | N |
| IssuerURI | "https://www.bea.com" | Value of the Issuer attribute for SAML assertions. | N |
| Base64EncodingRequired | "false" | Encode the generated SAML Assertion using Base64. | N |


SAMLIdentityAsserter

SAMLIdentityAsserter extends weblogic.management.security.authentication.IdentityAsserter. Table 9-22 describes the attributes supported by this security provider.

Table 9-22 SAMLIdentityAsserter

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| SupportedTypes | {"SAML.Challenge", "SAML.Assertion", "SAML.Profile.POST"} | The active types supported by the SAML Identity Assertion provider. | Y |
| ActiveTypes | {"SAML.Challenge", "SAML.Assertion", "SAML.Profile.POST"} | Specifies the types currently used by the SAML Identity Assertion provider. | Y |
| TrustedCAKeystore | "{shared.dir}/keys/demoProviderTrust.jks" | Location of the trusted CA keystore, stored in the TrustedCAKeystoreType keystore format. {shared.dir} is replaced with the SSM instance directory at runtime. This location is determined by the value of instance.home in SSM.properties, located in the /config directory of the SSM instance. If SSM.properties cannot be located, the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home. If DEFAULT is specified, the java.home environment variable is used to locate the cacerts keystore, normally located at JAVA_HOME/lib/security/cacerts. | N |
| TrustedKeystore | "{shared.dir}/keys/demoProviderTrust.jks" | Location of the trusted keystore, stored in the TrustedKeystoreType keystore format. {shared.dir} is replaced with the SSM instance directory at runtime. This location is determined by the value of instance.home in SSM.properties, located in the /config directory of the SSM instance. If SSM.properties cannot be located, the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home. | N |
| TrustedCAKeystoreType | "JKS" | Type of the keystore configured in TrustedCAKeystore. | N |
| TrustedKeystoreType | "JKS" | Type of the keystore configured in TrustedKeystore. | N |
| Base64DecodingRequired | "false" | Decode the inbound SAML Assertion using Base64. | N |


SinglePassNegotiateIdentityAsserter

SinglePassNegotiateIdentityAsserter extends weblogic.management.security.authentication.IdentityAsserter. Table 9-23 describes the attributes supported by this security provider.

Table 9-23 SinglePassNegotiateIdentityAsserter

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | com.bea.security.providers.authentication.spnego.SinglePassNegotiateIdentityAsserter | | N |
| SupportedTypes | {"SPNEGO.AtnAssertion", "Authorization"} | Token types supported by the Single Pass Negotiate Identity Assertion provider. | Y |
| ActiveTypes | {"SPNEGO.AtnAssertion", "Authorization"} | Token types currently used by the Single Pass Negotiate Identity Assertion provider. | N |


X509IdentityAsserter

X509IdentityAsserter extends weblogic.management.security.authentication.IdentityAsserter. Table 9-24 describes the attributes supported by this security provider.

Table 9-24 X509IdentityAsserter

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | "com.bea.security.providers.authentication.X509IdentityAsserter" | | N |
| SupportedTypes | {"AuthenticatedUser", "X.509", "CSI.PrincipalName", "CSI.ITTAnonymous", "CSI.X509CertChain", "CSI.DistinguishedName"} | Token types supported by the Identity Assertion provider. | Y |
| UserNameMapperClassName | | Name of the Java class that maps X.509 digital certificates and X.501 distinguished names to AquaLogic Enterprise Security user names. | N |
| TrustedClientPrincipals | | List of trusted client principals to use in CSI v2 identity assertion. The wildcard character (*) can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invoke is rejected. | Y |
| UseDefaultUserNameMapper | "false" | Specifies whether this X.509 Identity Assertion provider uses the default user name mapper implementation. | N |
| DefaultUserNameMapperAttributeType | "E" | Name of the attribute from the subject Distinguished Name (DN) that this Identity Assertion provider uses when mapping from the X.509 digital certificate or X.500 name token to the user name. | N |
| DefaultUserNameMapperAttributeDelimiter | "@" | The delimiter that ends the attribute value when mapping from the X.509 digital certificate or X.500 name token to the user name. | N |

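As an added example (not the X509IdentityAsserter's own mapper), the following implements the mapping the default user name mapper is described with in Table 9-24: it takes the DefaultUserNameMapperAttributeType attribute (default "E") from the certificate's subject DN and keeps the value up to the DefaultUserNameMapperAttributeDelimiter (default "@"). The DN parsing, the treatment of a value without a delimiter, and the sample DNs are this example's own assumptions; the table does not say what the product does in that case.

```python
# Added example; not the X509IdentityAsserter's own code.  Maps a subject
# DN to a user name as the default user name mapper is described above:
# find the attribute named by DefaultUserNameMapperAttributeType (default
# "E", the e-mail address RDN) and keep its value up to the
# DefaultUserNameMapperAttributeDelimiter (default "@").  The DN is read
# as an RFC 4514 string; multi-valued RDNs ("+") are not handled.  Mapping
# is only meaningful after the certificate chain has been validated.

_HEX = "0123456789abcdefABCDEF"


def split_rdns(dn: str) -> list:
    """Split a DN string on commas that are not backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep escape pair intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def unescape_value(value: str) -> str:
    """Remove RFC 4514 backslash escapes ("\\," and "\\2c" styles)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1:i + 3]
            if len(nxt) == 2 and all(c in _HEX for c in nxt):
                out.append(chr(int(nxt, 16)))
                i += 3
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)


def map_user_name(subject_dn: str, attribute_type: str = "E",
                  delimiter: str = "@") -> str:
    """Return the user name for subject_dn, or raise ValueError.

    Assumption of this example: if the delimiter is absent, the whole
    attribute value is the user name; a missing attribute is an error.
    """
    for rdn in split_rdns(subject_dn):
        attr, sep, raw = rdn.partition("=")
        if not sep or attr.strip().upper() != attribute_type.upper():
            continue
        value = unescape_value(raw.strip())
        head, found, _ = value.partition(delimiter)
        if not head:
            raise ValueError(f"empty user name in {attribute_type}={value!r}")
        return head if found else value
    raise ValueError(f"subject DN has no {attribute_type} attribute: {subject_dn!r}")


if __name__ == "__main__":
    # Constructed sample subject DN.
    print(map_user_name("E=alice@example.com,CN=Alice Example,O=Example Corp,C=US"))
```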

XACMLAuthorizer

XACMLAuthorizer extends weblogic.management.security.authorization.Authorizer. Table 9-25 describes the attributes supported by this security provider.

Table 9-25 XACMLAuthorizer

| Attribute Name | Default Value | Description | List |
|---|---|---|---|
| mgmtinterface | com.bea.security.providers.authorization.xacml.XACMLAuthorizer | | N |
| PolicyDirectory | "xacmlpolicy" | Directory that contains XACML policy files. | N |
| SCMPolicyDeploymentEnabled | "false" | Enables XACML policy deployment via the SCM. | N |
| SCMPollingPeriod | "1000" | When XACML SCM policy deployment is enabled, this parameter configures how often (in milliseconds) the provider polls the SCM for XACML policy changes. | N |
| XACMLPolicy | | XACML policy that is provisioned to the XACML authorization provider via the SCM. | Y |