BLM Configuration API Security Providers Reference

This section provides a reference for the security provider attributes, and their default values.

Because default security provider attributes are not stored in the database, the BLM configuration API cannot discover the security provider attribute names or default values. Further, since there is an inheritance model with the provider attributes, if a given provider extends another, all the attributes from the parent are available as well.

You use these attribute names and default values with the BLM configuration API classes. For example, the SSMConfigurationManager.createProviderConfiguration() method has a parameter for mgmtinterface, which is the full name of the management interface associated with this provider. The mgmtinterface values are documented in this section.

As another example, the SSMProviderManager.getPropertyReport() method returns a report on a provider's properties collection. However, attributes that have not been explicitly set use their default values, which are not returned in the array of SSMProviderConfigElement objects. The default attribute values are documented in this section.

Each of the following sections includes a table that lists the attributes supported by each security provider. Each table includes a List column that designates whether the getValue/setValue or getValueList/setValueList methods should be used with each attribute.

ActiveDirectoryAuthenticator

The ActiveDirectoryAuthenticator extends com.bea.security.providers.authentication.LDAPAuthenticator. Table 6-1 describes the attributes supported by this provider.

Table 6-1 ActiveDirectoryAuthenticator
Attribute Name	Default Value	Description	List
mgmtinterface	com.bea.security.providers.authentication.ActiveDirectoryAuthenticator		N
UserNameAttribute	"cn"	The attribute of the LDAP user object the specifies the name of the user.	N
UserBaseDN	"ou=WLSMEMBERS,dc=example,dc=com"	The base distinguished name (DN) of the tree in the LDAP directory that contains users.	N
UserFromNameFilter	"(&;(cn=%u)(objectclass=user))"	LDAP search filter for finding a user given the name of the user. If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.	N
UserObjectClass	"user"	The LDAP object class that stores users.	N
GroupBaseDN	"ou=WLSGROUPS,dc=example,dc=com"	The base distinguished name (DN) of the tree in the LDAP directory that contains groups.	N
GroupFromNameFilter	"(&;(cn=%g)(objectclass=group))"	LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.	N
StaticGroupDNsfromMemberDNFilter	"(&(member=%M)(objectclass=group))"	LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member.	N
StaticGroupObjectClass	"group"	The name of the LDAP object class that stores static groups.	N
StaticMemberDNAttribute	"member"	The attribute of the LDAP static group object that specifies the distinguished names (DNs) of the members of the group.	N
UseTokenGroupsForGroupMembershipLookup	"false"	Boolean value that indicates whether to use TokenGroups attribute lookup algorithm instead of the standard recursive group membership lookup algorithm.	N
EnableSIDtoGroupLookupCaching	False	Indicates whether SID to group name lookup results are cached. This attribute is only used if the token group membership lookup algorithm is enabled (see UseTokenGroupsForGroupMembershipLookup).	N
MaxSIDToGroupLookupsInCache	"500"	The maximum size of the LRU cache for holding SID to group lookups if caching of SID to group name mappings is enabled and if the tokenGroups group membership lookup is enabled. The default is 500.	N

ALESIdentityAsserter

ALESIdentityAsserter extends com.bea.security.providers.authentication.alesidentity. Table 6-2 describes the attributes supported by this security provider.

Table 6-2 ALESIdentityAsserter
Attribute Name	Default Value	Description	List
mgmtinterface	"com.bea.security.providers.authentication.alesidentity.ALESIdentityAsserter		N
ActiveTypes	"{"ALESIdentityAssertion"}"		Y
Base64DecodingRequired	"false"	Specifies whether the request header value or cookie value must be decoded using Base64 before it is sent to the Identity Assertion provider. This box is checked by default for purposes of backward compatibility; however, most Identity Assertion providers do not require this decoding.	N
TrustedCAKeystore	"{HOME}/ssl/demoProviderTrust.jks"	The location of the Trusted Keystore stored in the TrustedCAKeystoreType keystore format. {HOME} will be replaced with the Security Service Module (SSM) instance directory at runtime. This attribute is determined by the value of instance.home in SSM.properties located in the /config directory of the SSM instance. If SSM.properties cannot be located, then the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home. If DEFAULT is specified, then the java.home env variable is used to locate the cacerts keystore normally located at JAVA_HOME/lib/security/cacerts.
TrustedKeystore	"{HOME}/ssl/demoProviderTrust.jks"	The Location of the Trusted Keystore stored in the TrustedKeystoreType keystore format. {HOME} will be replaced with the SSM instance directory at runtime. This attribute is determined by the value of instance.home in SSM.properties located in the /config directory of the SSM instance. If SSM.properties cannot be located, then the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home.	N
TrustedCAKeystoreType	"JKS"	The type of keystore to which the trustedCAKeystore is configured.	N
TrustedKeystoreType	"JKS"	The type of keystore to which the trustedKeystore is configured.	N
TrustedCertAlias	"demo_provider_trust"	The Cert Alias to be used to verify the ALES Identity Assertion.	N
TrustedCertAliasPasswd	"password"	The password to use for the Cert Alias specified to retrieve the private key from the keystore.	N

ALESIdentityCredentialMapper

ALESIdentityCredentialMapper extends weblogic.management.security.credentials.CredentialMapper. Table 6-3 describes the attributes supported by this security provider.

Table 6-3 ALEsIdentityCredential Mapper
Attribute Name	Default Value	Description	List
mgmtinterface	"com.bea.security.providers.credentials.alesidentity.ALESIdentityCredentialMapper"		N
TrustedKeystore	"{HOME}/ssl/demoProviderTrust.jks"	The Keystore to be used to get the Certificate chain to sign the ALES Identity Assertion with. {HOME} will be replaced with the SSM instance directory at runtime. This attribute is determined by the value of instance.home in SSM.properties located in the /config directory of the SSM instance. If SSM.properties cannot be located, then the system property wles.ssmws.instance.home is checked. For the Web Services SSM, this attribute is automatically set to the Web Services SSM instance home.	N
TrustedKeystoreType	"JKS"	The TYPE of keystore that is specified in the TrustedKeystore.	N
TrustedCertAlias	demo_provider_trust	The Cert Alias to be used to sign the ALES Identity Assertion.	N
TrustedCertAliasPasswd	"password"	The Password to use for the Cert Alias specified to retrieve the private key from the keystore.	N

AsiAdjudicator

AsiAdjudicator extends weblogic.management.security.authorization.Adjudicator. Table 6-4 describes the attributes supported by this security provider.

Table 6-4 AsiAdjudicator
Attribute Name	Default Value	Description	List
mgmtinterface	"com.bea.security.providers.authorization.ASIAdjudicator"		N
RequireUnanimousPermit	"true"	Requires all authorization providers to vote PERMIT in order for the adjudication provider to vote PERMIT. If the attribute is set to disabled, ABSTAIN votes are ignored.	N

AsiAuthorizationProvider

ASIAuthorizationProvider extends com.bea.security.providers.authorization.asi Table 6-5 describes the attributes supported by this security provider.

Table 6-5 AsiAuthorizationProvider
Attribute Name	Default Value	Description	List
mgmtinterface	"com.bea.security.providers.authorization.asi.ASIAuthorizationProvider"		N
IgnoreNonASIRoles	"false"	Specifies if the provider should ignore roles generated by role mapping providers other than the ASI Role Mapping provider.	N
AccessAllowedCaching	"true"	When enabled results from authorization queries are cached providing significantly improved performance for applications which make repetitive queries.	N

ASIAuthorizer

ASIAuthorizer extends weblogic.management.security.Provider. Table 6-6 describes the attributes supported by this security provider.

Table 6-6 AsiAuthorizer
Attribute Name	Default Value	Description	List
mgmtinterface	"com.bea.security.providers.authorization.asi.ASIAuthorizer"		N
AdvancedConfigurationProperties		Specifies additional advanced configuration parameters.	Y
Directory	"asi"	Specifies the identity directory to use when performing the authorization or role mapping.	N
PreLoadAttributes	"adaptive-private"	Determines whether or not the provider loads ContextHandler data before starting to evaluate policy or waits for a callback to ask for specific items. Pre-loading attributes can dramatically improve performance in policies that use contextual attributes.	N
SessionEvictionCapacity	500	The number of authorization and role mapping sessions to actively maintain. Once the limit is reached, old sessions are dropped and automatically re-established when needed.	N
SessionEvictionPercentage	10	The percentage of authorization and role mapping sessions to drop when the eviction capacity is reached.	N
ApplicationDeploymentParent	"//app/policy"	Specifies the root of the resource tree for this SSM.	N
SharedResourcesParent	"shared"	Specifies the root on the shared resource tree for this SSM. This item may be relative to the value specified by Application Deployment Parent on the Details tab.	N
ResourceConverters		Specifies the types of resources supported by these providers. The value is a list of fully-qualified Java class names. These classes should implement the ResourceConverter interface. This product includes resource converters for the standard WebLogic resource types.	Y
InstantiateWeblogicResourceConverters	"true"	Instantiate Resource Converters for all default WebLogic resource types.	N
AttributeRetrievers		Specifies plugins used to retrieve attribute values from complex data objects. These classes should implement the AttributeRetriever interface.	Y
EvaluationFunctions		Specifies plugins used to perform complex evaluations. These classes should implement the EvaluationFunction interface.	Y
AttributeConverters		Specifies the plugins to use when converting native Java types into the required string representation used when evaluating policy. If a converter is not registered for a given type, then the toString() method is used by default.	Y
AnonymousSubjectName	"anonymous"	The name to use when performing queries for an unauthenticated user.	N
"UseUserAttributes"	"true"	Specifies whether or not user attributes are used in evaluation of policy.	N
ActivateOnStartUp	"true"	Determines whether or not the authorization and role mapping providers process policy requests from cached policy before contacting the Policy Distributor for a policy update.	N
SessionExpirationSec	"60"	The duration for which to cache session data, in seconds.	N
SubjectDataCacheExpirationSec	"60"	The duration for which to cache subject data, in seconds.	N

ASIRoleMapperProvider

ASIRoleMapperProvider extends weblogic.management.security.authorization.RoleMapper. Table 6-7 describes the attributes supported by this security provider.

Table 6-7 ASIRoleMapperProvider
Attribute Name	Default Value	Description	List
mgmtinterface	"com.bea.security.providers.authorization.asi.ASIRoleMapper"		N
LazyRoleProvider	"true"	When enabled the role provider will delay calculation of role membership until the result is inspected. Leaving this attribute set to `true` provides significant performance improvements when used in conjunction with the ASI Authorization provider.	N
GetRolesCaching	"true"	When enabled results from role mapping queries are cached providing significantly improved performance for applications which make repetitive queries.	N

DatabaseAuthenticator

DatabaseAuthenticatorextends com.bea.security.providers.authentication.dbms.DBMSAuthenticator.

DatabaseCredentialMapper

DatabaseCredentialMapper extends weblogic.management.security.credentials.CredentialMapper. Table 6-8 describes the attributes supported by this security provider.

Table 6-8 DatabaseCredentialMapper

Attribute Name

Default Value

Description

List

mgmtinterface

"com.bea.security.providers.credentials.dbms.DatabaseCredentialMapper"

AllowedTypes

"DBPASSWORD"

The types of credentials this provider is allowed to retrieve. If this attribute is set to a single value of asterisk (*), then all credential types are accepted and the queries determine if the type is appropriate.

SelectByIdent

"true"

Enables selection of credentials from the database based on the username of the requesting identity.

SelectByIdentGroup

"false"

Enables selection of credentials from the database based upon the groups of the requesting identity.

DatabaseUserName

The username to use to log into the primary database connection pool.

DatabasePassword

The password to use to log into the primary database connection pool.

AdministratorUserName

The database username used for the administration of mappings.

AdministratorPassword

The database password used for the administration of mappings.

DatabaseProperties

Properties to use when creating a database connection in the primary connection pool. These properties are entered as NAME=VALUE

DatabaseURL

The JDBC URL the primary connection pool uses to connect to the database. This attribute is also used for credential mapping administration.

DatabaseDriverName

The class name of the JDBC driver to use for the provider database connections. This attribute is also used for credential mapping administration.

ConnectionPoolMin

"5"

The minimum number of connections to allow in the primary connection pool.

ConnectionPoolMax

"20"

The maximum number of connections to allow in the primary connection pool.

ConnectionRetireTime

"120"

The number of seconds of idle time before a connection is removed from a connection pool.

EnableAutomaticFailover

"false"

Enables the use of the backup connection pool if the primary connection pool fails.

BackupDatabaseUserName

The username to use to log into the backup database.

BackupDatabasePassword

The password to use to log into the backup database.

BackupDatabaseProperties

Properties to use when obtaining the JDBC connection to the backup database. These properties are entered as NAME=VALUE

BackupDatabaseURL

The JDBC URL to use to connect to the backup database.

BackupConnectionPoolMin

"0"

The minimum number of connections to allow in the backup connection pool.

BackupConnectionPoolMax

"20"

The maximum number of connections to allow in the backup connection pool.

FailureThreshold

"3"

The number of database errors that must occur sequentially on a connection pool before that pool is considered failed.

PrimaryRetryInterval

"30"

When operating with the backup pool, this setting determines how often the primary pool is evaluated for fail back. This value is in seconds.

QueryByIdent

"select username, password from asi_credential_map where byident = {0} and forident = {1} and config = {5}"

The query to use to retrieve credentials from the database based upon the requester identity. This query must return two columns, username and password. The password should be encrypted. The following placeholders are replaced in the query at runtime:

{0} the username of the requesting identity
{1} the username of the target identity
{2} the normalized form of the resource
{3} the normalized form of the action or default if none is defined
{4} the credential type being requested
{5} the name of this provider configuration

QueryByIdentGroup

The query to use to retrieve credentials from the database during group membership evaluation. If enabled, this query is called once for every group the forIdent user is in. This query must return two columns, username and password. The password should be encrypted. The following placeholders are replaced in the query at runtime:

{0} the group name of the requesting identity
{1} the username of the target identity
{2} the normalized form of the resource
{3} the normalized form of the action or default if none is defined
{4} the credential type being requested
{5} the name of this provider configuration

CountRecordQuery

"select count(*) from asi_credential_map where config = {0}"

The query to use to retrieve a count of the credential records associated with a specific configuration for administration of credential mappings. This query must return one numeric value. The following placeholders are replaced in the query at runtime:
{0} the name of this provider configuration.

RetrieveRecordQuery

"select map_id, byident, forident, username, password, normalres, normalact, config from asi_credential_map where config = {0} and map_id = {1}"

The query to use to retrieve a credential record from the database for administration of credential mappings. This query must return a column for record id (numeric), byIdent, forIdent, username, password, resource, action, and config in that order. The password is encrypted. Resource, action and config are optional values (you may return null). All other columns must have values.
The following placeholders are replaced in the query at runtime:
{0} the name of the provider configuration
{1} the record id being retrieved (numeric).

ListRecordsQuery

"select map_id, byident, forident, username, password, normalres, normalact, config from asi_credential_map where config = {0} order by byident,forident,username,normalres,normalact,map_id"

The query to use to retrieve a list of records from the database for use in the administration of credential mappings. This query must return a column for record id (numeric), byIdent, forIdent, username, password, resource, action and config in the correct order. The password is encrypted. Resource, action and config are optional values (you may return null). All other columns must have values.
The following placeholders are replaced in the query at runtime:
{0} the name of the provider configuration.

DeleteRecordQuery

"delete asi_credential_map where map_id = {1}"

The query to use delete a credential mapping record from the database.
The following placeholders are replaced in the query at runtime:
{0} the name of the provider configuration
{1} the record id being deleted (numeric).

SaveRecordQuery

"update asi_credential_map set byident={0}, forident={1}, username={2}, normalres={3}, normalact={4} where map_id = {6}"

The query to use to update a credential mapping record from the database. This query is called whenever updates need to be recorded without a password change. The following placeholders are replaced in the query at runtime:
{0} the username of the requesting user.
{1} the username or alias of the target user.
{2} the remote username
{3} the normalized form of the resource
{4} the normalized form of the action or default if none is defined
{5} the name of the provider configuration
{6} the record id being update (numeric).

SaveRecordWithPasswordQuery

"update asi_credential_map set byident={0}, forident={1}, username={2}, normalres={3}, normalact={4}, password={7} where map_id = {6}"

The query to use to update a credential mapping record from the database. This query is called whenever updates need to be recorded with a password change. The following placeholders are replaced in the query at runtime:
0} the username of the requesting user
{1} the username username of the target user
{2} the remote username
{3} the normalized form of the resource
{4} the normalized form of the action or default if none is defined
{5} the name of the provider configuration
{6} the record id being updated (numeric)
{7} the encrypted password.

AddRecordQuery

"insert into asi_credential_map ( byident, forident, username, password, normalres, normalact, config ) values ( {0}, {1}, {2}, {6}, {3}, {4}, {5} )"

The query to use to add a credential mapping record to the database. The following placeholders are replaced in the query at runtime:
{0} the username of the requesting user
{1} the username or alias of the target user
{2} the remote username
{3} the normalized form of the resource
{4} the normalized form of the action or default if none is defined
{5} the name of the provider configuration
{6} the encrypted password.

SharedSecret

A secret pass-phrase used to decrypt passwords stored in the database. Only passwords encrypted with this same secret pass-phrase are available to this provider.

Note:

Changing this secret phrase invalidates all currently stored passwords. If you change this shared secret you will have to reset the passwords in the database so that they match.

DefaultAuthenticator

DefaultAuthenticator extends weblogic.management.security.authentication.Authenticator. Table 6-9 describes the attributes supported by this security provider.

Table 6-9 DefaultAuthenticator
Attribute Name	Default Value	Description	List
mgmtinterface	weblogic.security.providers.authentication.DefaultAuthenticator		N
MinimumPasswordLength	"8"	The minimum number of characters required in a password.	N
SupportedImportFormats	{"DefaultAtn"}	The format of the file to import. The list of supported import formats is determined by the AUthentication provider from which the users and groups were originally exported.	Y
SupportedImportConstraints		The users and groups that you want to be imported into this Authentication provider's database. If none are specified, all are imported.	Y
SupportedExportFormats	{"Default"}	The format of the file to export. The list of supported export formats is determined by this Authentication provider.	Y
SupportedExportConstraints	{"users","groups"}	The users and groups that you want to be exported from this Authentication provider's database. If none are specified, all are exported.	Y
GroupMembershipSearching	"unlimited"	Specifies whether recursive group membership searching is unlimited or limited. Valid values are unlimited and limited	N
MaxGroupMembershipSearchLevel	"0"	This setting specifies how many levels of group membership can be searched. This setting is valid only if GroupMemberShipSearching is set to limited	N
UseRetrievedUserNameAsPrincipal	"false"	This flag specifies whether we should use the username retrieved from LDAP as the principal in the subject.	N

DefaultAuthorizer

DefaultAuthorizer extends weblogic.management.security.authorization.DeployableAuthorizer. Table 6-10 describes the attributes supported by this security provider.

Table 6-10 DefaultAuthorizer
Attribute Name	Default Value	Description	List
mgmtinterface	weblogic.security.providers.authorization.DefaultAuthorizer		N
SupportedImportFormats	{"DefaultAtz"}	The format of the file to import. The list of supported import formats is determined by the Authorization provider from which the authorization policies were originally exported.	Y
SupportedImportConstraints		The authorization policies that you want to be imported into this Authorization provider's database. If none are specified, all are imported.	Y
SupportedExportFormats	{"DefaultAtz"}	The format of the file to export. The list of supported export formats is determined by this Authorization provider.	Y
SupportedExportConstraints		The authorization policies that you want exported from this Authorization provider's database. If none are specified, all are exported.	Y

DefaultCredentialMapper

DefaultCredentialMapper extends weblogic.management.security.credentials.DeployableCredentialMapper. Table 6-11 describes the attributes supported by this security provider.

Table 6-11 DefaultCredentialMapper
Attribute Name	Default Value	Description	List
mgmtinterface	weblogic.security.providers.credentials.DefaultCredentialMapper		N
SupportedImportFormats	{"DefaultCreds"}	The format of the fie to import. The list of supported import formats is determined by the Credential Mapping provider from which the credential maps were originally exported.	Y
SupportedImportConstraints		The credential maps that you want to be imported into this Credential Mapping provider's database. If none are specified, all are imported.	Y
SupportedExportFormats	{"DefaultCreds"}	The format of the file to export. The list of supported export formats is determined by this Credential Mapping provider.	Y
SupportedExportConstraints	{"passwords"}	The credential maps that you want to be exported from this Credential Mapping provider's database. If none are specified, all are exported.	Y

DefaultRoleMapper

DefaultRoleMapper extends weblogic.management.security.authorization.DeployableRoleMapper. Table 6-12 describes the attributes supported by this security provider.

Table 6-12 DefaultRoleMapper
Attribute Name	Default Value	Description
mgmtinterface	weblogic.security.providers.authorization.DefaultRoleMapper
SupportedImportFormats	{"DefaultRoles"}	The format of the file to import. The list of supported import formats is determined by the Role Mapping provider from which the security roles were originally exported.
SupportedImportConstraints		The security roles that you want to be imported into this Role Mapping provider's database. If none are specified, all are imported.
SupportedExportFormats	{"DefaultRoles"}	The format of the file to export. The list of supported export formats is determined by this Role Mapping provider.
SupportedExportConstraints		The security roles you want to be exported from this Role Mapping provider's database. If none are specified, all are exported.

IPlanetAuthenticator

IPlanetAuthenticator extends com.bea.security.providers.authentication.LDAPAuthenticator. Table 6-13 describes the attributes supported by this security provider.

Table 6-13 IPlanetAuthenticator
Attribute Name	Default Value	Description	List
mgmtinterface	"com.bea.security.providers.authentication.IplanetAuthenticator"		N
GroupFromNameFilter	"(\|(&(cn=%g)(objectclass=groupofUniqueNames))(& (cn=%g)(objectclass=groupOfURLs)))"	An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.	N
StaticMemberDNAttribute	"member"	The attribute of an LDAP static group object that specifies the distinguished names (DNs) of the members of the group.	N
DynamicGroupObjectClass	"groupofURLs"	The LDAP object class that stores dynamic groups.	N
DynamicGroupNameAttribute	"cn"	The attribute of the dynamic LDAP group object that specifies the name of the group.	N
DynamicMemberURLAttribute	"memberURL"	The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.	N

LDAPAuthenticator

LDAPAuthenticator extends weblogic.management.security.authentication.Authenticator. Table 6-14 describes the attributes supported by this security provider.

Table 6-14 LDAPAuthenticator
Attribute Name	Default Value	Description	List
mgmtinterface	com.bea.security.providers.authentication.LDAPAuthenticator		N
UserObjectClass	"person"	The LDAP object class that stores users.	N
UserNameAttribute	"uid"	The attribute of an LDAP user object that specifies the name of the user.	N
UserDynamicGroupDNAttribute		The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendents (indicates parent relationship) of the group.	N
UserBaseDN	"ou=people, o=example.com"	The base distinguished name (DN) of the tree in the LDAP directory that contains users.	N
UserSearchScope	"subtree"	Specifies how deep in the LDAP directory tree to search for Users. Valid values are subtree and onelevel.	N
UserFromNameFilter	"(&(uid=%u)(objectclass=person))"	An LDAP search filter for finding a user given the name of the user. If the attribute (user name attribute and user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.	N
AllUsersFilter		An LDAP search filter for finding all users beneath the base user distinguished name (DN). If the attribute (user object class) is not specified (that is, if the attribute is null or empty), a default search filter is created based on the user schema.	N
GroupBaseDN	"ou=groups, o=example.com"	The base distinguished name (DN) of the tree in the LDAP directory that contains groups.	N
GroupSearchScope	"subtree"	Specifies how deep in the LDAP directory tree to search for groups. Valid values are subtree and onelevel.	N
GroupFromNameFilter	(&(cn=%g)(objectclass=groupofuniquenames))	An LDAP search filter for finding a group given the name of the group. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.	N
AllGroupsFilter		An LDAP search filter for finding all groups beneath the base group distinguished name (DN). If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the Group schema.	N
StaticGroupObjectClass	"groupofuniquenames"	The name of the LDAP object class that stores static groups.	N
StaticGroupNameAttribute	"cn"	The attribute of a static LDAP group object that specifies the name of the group.	N
StaticMemberDNAttribute	"uniquemember"	The attribute of a static LDAP group object that specifies the distinguished names (DNs) of the members of the group.	N
StaticGroupDNsfromMemberDNFilter	(&(uniquemember=%M)(objectclass=groupofuniquenames))	An LDAP search filter that, given the distinguished name (DN) of a member of a group, returns the DNs of the static LDAP groups that contain that member. If the attribute is not specified (that is, if the attribute is null or empty), a default search filter is created based on the group schema.	N
DynamicGroupObjectClass		The LDAP object class that stores dynamic groups.	N
DynamicGroupNameAttribute		The attribute of a dynamic LDAP group object that specifies the name of the group.	N
DynamicMemberURLAttribute		The attribute of the dynamic LDAP group object that specifies the URLs of the members of the dynamic group.	N
AutomaticFailoverEnabled	"false"	The option to enable automatic failover when using the LDAP server.	N
BackupHost	"localhost"	The host name or IP address of the backup LDAP server.	N
BackupPort	"389"	The port number on which the backup LDAP server is listening.	N
BackupSSLEnabled	"false"	The option to enable SSL when connecting to the backup LDAP server.	N
BackupPrincipal		The Distinguished Name (DN) of the LDAP user that is authorized to connect to the backup LDAP server.	N
BackupCredential		The credential (generally a password) used to authenticate the backup LDAP user that is defined in the Principal attribute.	N
PrimaryRetryInterval	"3600"	Length of time, in seconds, before the backup LDAP server tries to fail back to the primary LDAP server.	N
GroupMembershipSearching	"unlimited"	Specifies whether recursive group membership searching is unlimited or limited. Valid values are unlimited and limited.	N
MaxGroupMembershipSearchLevel	"0"	This setting specifies how many levels of group membership can be searched. This setting is valid only if GroupMemberShipSearching is set to limited. Valid values are 0, and positive integers. For example, 0 indicates only direct group memberships will be found, positive number indicates the number of levels to go down.	N
VerifyUserForIdentityAssertion	"false"	Whether to verify that the user is present in the LDAP repository when an identity assertion is provided.	N
AddGroupsFromIdentityAssertion	"false"	Whether to add groups for the user from the identity assertion when Identity Assertion is turned on.	N
AddGroupsFromLocalLDAP	"true"	Whether to add groups for the user from the local LDAP identity store after user authentication.	N

Log4jAuditor

Log4jAuditor extends weblogic.management.security.audit.Auditor. Table 6-15 describes the attributes supported by this security provider.

Attribute Name

Default Value

Description

List

mgmtinterface

com.bea.security.providers.audit.Log4JAuditor

Severity

"ERROR"

Severity is the lowest level at which auditing is initiated. Audit event severity is treated as follows by the Log4j Audit Channel provider.

INFORMATION

SUCCESS

WARNING

ERROR

FAILURE

For example, if the log4j severity threshold is set to ERROR (default setting), then all audit events with severity ERROR and FAILURE are audited. Different audit events can be selectively audited depending on the setting for each of them.

All audit events can be DISABLED or WITHOUT_CONTEXT. Those that have context, you can select WITH_CONTEXT.

Log4jConfigProperties

{"log4j.appender.ASIauditFile=org.apache.log4j.RollingFileAppender","log4j.appender.ASIauditFile.File={HOME}/log/secure_audit.log","log4j.appender.ASIauditFile.layout=org.apache.log4j.PatternLayout","log4j.appender.ASIauditFile.layout.ConversionPattern=%d [%t] %-5p %c - %m%n","log4j.logger.ASI_AUDIT=NULL, ASIauditFile","log4j.additivity.ASI_AUDIT=false"

These properties are passed to log4j upon initialization of the log4j provider.

By default the log4j provider uses the RollingFileAppender. {HOME} will be replaced with the current location of the SSM at runtime.

This setting is determined by the value of instance.home in SSM.properties.

Custom log4j appenders can be configured here to send the Auditing information to other destinations such as JMS, NT Events log, JDBC etc. For more information, see the log4j documentation.

Log4jRendererProperties

Custom renderers can be added here for rendering classes that implement the weblogic.security.spi.AuditEvent interface. For example, weblogic.security.spi.AuditEvent=com.bea.security.providers.audit.AuditEventRenderer

See Log4J documentation on how to write a renderer for a custom object.

Be sure to include the jar file containing the custom renderer classes in the ALES_HOME/lib/providers directory

EnabledAuditEvents

List of AuditEvent types that will be Audited other than the default ones that can be configured using drop down boxes. Custom AuditEvents not listed here will not be audited.

The exception to this is if you set Audit Event to WITHOUT_CONTEXT. In that case all AuditEvents will be audited.

Custom AuditEvents can be added using following interface: weblogic.security.spi.AuditEvent.

AuditEvent

"WITHOUT_CONTEXT"

Setting for events of type weblogic.security.spi.AuditEvent.

Note: If you set Audit Event to WITHOUT_CONTEXT, then all AuditEvents will be enabled for auditing.

AuditAuthenticationEvent

"WITHOUT_CONTEXT"

Setting for events of type weblogic.security.spi.AuditAtnEvent.

AuditAuthorizationEvent

"WITHOUT_CONTEXT"

Setting for events of type weblogic.security.spi.AuditAtzEvent.

AuditRoleEvent

"WITHOUT_CONTEXT"

Setting for events of type weblogic.security.spi.AuditRoleEvent.

AuditProviderRecordEvent

"WITHOUT_CONTEXT"

Setting for events of type com.bea.security.spi.ProviderAuditRecord

AuditManagementEvent

"WITHOUT_CONTEXT"

Setting for events of type weblogic.security.spi.AuditMgmtEvent

AuditPolicyEvent

"WITHOUT_CONTEXT"

Setting for events of type weblogic.security.spi.AuditPolicyEvent

AuditRoleDeploymentEvent

"WITHOUT_CONTEXT"

Setting for events of type weblogic.security.spi.AuditRoleDeploymentEvent

NovellAuthenticator

NovellAuthenticator extends com.bea.security.providers.authentication.LDAPAuthenticator. Table 6-16 describes the attributes supported by this security provider.

Administration Reference

BLM Configuration API Security Providers Reference

ActiveDirectoryAuthenticator

ALESIdentityAsserter

ALESIdentityCredentialMapper

AsiAdjudicator

AsiAuthorizationProvider

ASIAuthorizer

ASIRoleMapperProvider

DatabaseAuthenticator

DatabaseCredentialMapper

DefaultAuthenticator

DefaultAuthorizer

DefaultCredentialMapper

DefaultRoleMapper

IPlanetAuthenticator

LDAPAuthenticator

Log4jAuditor

NovellAuthenticator