Friday, January 2, 2015

Credential Store Framework (CSF) API Example

Description: Shows how to use the Credential Store Framework (CSF) API to fetch credentials from the credential store.

Adding Credentials to Store
1. Log in to Oracle Enterprise Middleware Control (e.g. localhost:7001/em).

2. Expand WebLogic Domain, right-click the name of your domain, hover over Security, and then click Credentials.

3. Start adding keys to existing maps or create a new map with new keys. Each key can store credentials.

System Policies on Credential Store
You may need to add a system policy to grant specific applications, JAR files, users or roles permission to read, write, or update the Credential Store.

1. Expand WebLogic Domain, right-click the name of your domain, hover over Security, and then click System Policies.

2. For this example, oiminternal is granted read access to all keys under a specific map. This is needed for the scheduled task code to work when running the job in OIM.

Permission Class:
Resource Name: context=SYSTEM,mapName=oimScheduledTask,keyName=*
Permission Actions: read

Source Code
The plugin can be downloaded here.

Exception: access denied ( context=SYSTEM,mapName=oim,keyName=* read)
Reason: Application or user may not have access to credential store.
Fix: You may need to add a system policy via EM console to manage access.
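
The lookup described above, written as an added example (it is not the downloadable plugin's code). It assumes the OPSS JPS libraries are on the classpath and the code runs inside the domain; the map name comes from the system policy above, and the key name `exampleKey` and class name `CsfLookup` are placeholders.

```java
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.service.credstore.Credential;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;

public class CsfLookup {
    static final String MAP = "oimScheduledTask"; // map granted read access in the policy above
    static final String KEY = "exampleKey";       // placeholder key name (assumption)

    static PasswordCredential fetch(final String map, final String key) throws Exception {
        final CredentialStore store = JpsContextFactory.getContextFactory()
                .getContext().getServiceInstance(CredentialStore.class);
        try {
            // doPrivileged limits the permission check to this code source, so only
            // this JAR needs the read grant rather than every caller on the stack.
            return AccessController.doPrivileged(
                new PrivilegedExceptionAction<PasswordCredential>() {
                    public PasswordCredential run() throws Exception {
                        Credential c = store.getCredential(map, key);
                        if (!(c instanceof PasswordCredential)) {
                            // Covers a missing key (null) and non-password credential types.
                            throw new IllegalStateException("No password credential at " + map + "/" + key);
                        }
                        return (PasswordCredential) c;
                    }
                });
        } catch (PrivilegedActionException e) {
            throw e.getException(); // unwrap the checked exception raised inside run()
        }
    }

    public static void main(String[] args) throws Exception {
        char[] password = null;
        try {
            PasswordCredential cred = fetch(MAP, KEY);
            password = cred.getPassword();
            System.out.println("Fetched credential for user " + cred.getName());
            // Use the password here; never log it.
        } catch (AccessControlException e) {
            // The "access denied" case below: no system policy grants this code source read access.
            System.err.println("Missing read grant for map " + MAP + ": " + e.getMessage());
        } finally {
            if (password != null) Arrays.fill(password, '\0'); // best-effort wipe of our reference
        }
    }
}
```

Granting read on a single map, as the policy above does, keeps the blast radius smaller than a domain-wide grant; naming individual keys instead of `keyName=*` narrows it further.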


  1. This comment has been removed by the author.

  2. I am getting below exception : access denied ( context=SYSTEM,mapName=oim,keyName=* read)

    so do you know how to resolve this?

    1. I am also getting same error... Let me know if you found solution for that

  3. I am also getting the same. Please mail me if you have solution.

  4. Solution 100% works:

    a) Go to the oracle_common wlst command location, keep in mind that other wlst scripts available in other locations might not know about OPSS specific commands.

    cd $MW_HOME/oracle_common/common/bin

    b) Run or wlst.cmd script, depending if it is Windows or Unix

    c) In prompt, connect to your domain:
    wls:/offline> connect()
    Please enter your username :
    Please enter your password :
    Please enter your server URL [t3://localhost:7001] :t3://:
    Connecting to t3://: with userid ...
    Successfully connected to Admin Server 'AdminServer' that belongs to domain 'domain'.

    Warning: An insecure protocol was used to connect to the server. To ensure on-the-wire security, the SSL port or Admin port should be used instead.

    d) Now, grant the credential by running in a single line, the grantPermission command on the code source we determined in step 2, and specify the map, key and action as permTarget parameter with the following syntax.
    Make sure you run this command in one single line to avoid syntax errors.

    wls://serverConfig> grantPermission(permClass="",permTarget="context=SYSTEM,mapName=oim,keyName=*",permActions="read")

    e) Stop WebLogic Domain

    f) As a recommendation, Clear or make backup of actual log files, in order to register the latest activities.

    g) Start WebLogic Domain

    h) Test again.