Configuring the Application Stripe for Application MBeans

Manually Configuring Java EE Applications to Use OPSS

    <wls:application-param>
      <wls:param-name>jps.policystore.removal</wls:param-name>
      <wls:param-value>OFF</wls:param-value>
    </wls:application-param>

For details about the configuration of this parameter on WebSphere, see Oracle Fusion Middleware Third-Party Application Server Guide.

When set, the parameter's value must be OFF. By default, it is not set. Set to OFF to prevent the removal of policies; if not set, policies are removed.

The above setting should be considered when multiple applications are sharing the same application stripe. The undeploying application would choose not to remove application policies because other applications may be using the common set of policies.

jps.policystore.migration.validate.principal

This parameter is supported on WebLogic only, and it specifies whether the check for principals in system and application policies at deployment or redeployment should take place. It is configured as illustrated in the following fragment:

    <wls:application-param>
      <wls:param-name>jps.policystore.migration.validate.principal</wls:param-name>
      <wls:param-value>TRUE</wls:param-value>
    </wls:application-param>

When set, the parameter's value must be TRUE or FALSE. When set to TRUE, the system checks the validity of enterprise users and groups: if a principal in an application or system policy refers to an enterprise user or group not found in the identity store, a warning is issued. When set to FALSE, the check is skipped. If not set, the parameter value defaults to FALSE.

Validation errors are logged in the server log, and they do not terminate the operation.

21.4.2 Policy Parameter Configuration According to Behavior

This section describes the settings required to manage application policies with the following behaviors:

■ To Skip Migrating All Policies
■ To Migrate All Policies with Merging
■ To Migrate All Policies with Overwriting
■ To Remove or Prevent the Removal of Application Policies
■ To Migrate Policies in a Static Deployment

Any value settings other than the ones described in the following sections are not recommended and may lead to unexpected migration behavior. For more details, see Recommendations.

All behaviors can be specified with Fusion Middleware Control when the application is deployed, redeployed, or undeployed with that tool.

Note: Deciding to set this parameter to OFF for a given application requires knowing, at the time the application is deployed, whether the application stripe is shared by other applications.

Oracle Fusion Middleware Application Security Guide

21.4.2.1 To Skip Migrating All Policies

The following matrix (Table 21–2) shows the settings that prevent the migration from taking place.

Typically, you would skip migrating policies when redeploying the application if you want to keep domain policies as they are, but you would migrate policies when deploying the application for the first time.

21.4.2.2 To Migrate All Policies with Merging

The following matrix (Table 21–3) shows the settings of required and optional parameters that migrate only policies that are not in the target store (optional parameters are enclosed in brackets).

Typically, you would choose migrating policies with merging at redeploy when the policies have changed and you want to add to the existing policies.

21.4.2.3 To Migrate All Policies with Overwriting

The following matrix (Table 21–4) shows the settings that migrate all policies, overwriting matching target policies (optional parameters are enclosed in brackets).

Table 21–2 Settings to Skip Policy Migration

| Setting | Valid at deploy or redeploy |
|---|---|
| JpsApplicationLifecycleListener | Set |
| jps.policystore.migration | OFF |

Table 21–3 Settings to Migrate Policies with Merging

| Setting | Valid at deploy or redeploy |
|---|---|
| JpsApplicationLifecycleListener | Set |
| jps.policystore.migration | MERGE |
| [jps.policystore.applicationid] | Set to the appropriate string. Defaults to servlet or EJB name. |
| [jps.apppolicy.idstoreartifact.migration] | Set to FALSE to exclude migrating policies that reference enterprise artifacts; otherwise set to TRUE. Defaults to TRUE. |
| [jps.policystore.migration.validate.principal] | Set to TRUE to validate enterprise users and roles in application and system policies. Set to FALSE, otherwise. If unspecified, it defaults to FALSE. |

Table 21–4 Settings to Migrate Policies with Overwriting

| Setting | Valid at deploy or redeploy |
|---|---|
| JpsApplicationLifecycleListener | Set |
| jps.policystore.migration | OVERWRITE |
| [jps.policystore.migration.validate.principal] | Set to TRUE to validate enterprise users and roles in application and system policies. Set to FALSE, otherwise. If unspecified, it defaults to FALSE. |
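A small linter for these settings, as an added example that is not part of the Oracle guide: it reads the application-param entries of a deployment descriptor and reports values outside those listed in the parameter descriptions and Tables 21–2 to 21–4, plus the two defaults that matter for shared stripes and principal validation. The sample descriptor, its namespace URI, and the function names are assumptions made for illustration; values are compared exactly as written on this page (uppercase).

```python
import xml.etree.ElementTree as ET
# Allowed values, taken from the parameter descriptions and Tables 21-2 to 21-4.
ALLOWED = {
    "jps.policystore.migration": {"OFF", "MERGE", "OVERWRITE"},
    "jps.policystore.removal": {"OFF"},
    "jps.policystore.migration.validate.principal": {"TRUE", "FALSE"},
    "jps.apppolicy.idstoreartifact.migration": {"TRUE", "FALSE"},
}

def local(tag):  # strip the XML namespace, whatever prefix is bound
    return tag.rsplit("}", 1)[-1]

def read_params(xml_text):
    """Return {param-name: param-value} for every application-param element."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "application-param":
            kv = {local(c.tag): (c.text or "").strip() for c in el}
            params[kv.get("param-name", "")] = kv.get("param-value", "")
    return params

def lint(xml_text):
    """Return a list of findings for the jps.* policy parameters."""
    params, findings = read_params(xml_text), []
    for name, allowed in ALLOWED.items():
        if name in params and params[name] not in allowed:
            findings.append(f"{name}={params[name]!r}: expected one of {sorted(allowed)}")
    mode = params.get("jps.policystore.migration")
    validated = params.get("jps.policystore.migration.validate.principal") == "TRUE"
    if mode in ("MERGE", "OVERWRITE") and not validated:
        findings.append("principals are not validated against the identity store")
    if "jps.policystore.removal" not in params:
        findings.append("jps.policystore.removal not set: policies are removed at undeploy")
    return findings

# Constructed sample descriptor (hypothetical application, not from the guide).
SAMPLE = """<wls:weblogic-application xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-application">
  <wls:application-param>
    <wls:param-name>jps.policystore.migration</wls:param-name>
    <wls:param-value>MERGE</wls:param-value>
  </wls:application-param>
  <wls:application-param>
    <wls:param-name>jps.policystore.removal</wls:param-name>
    <wls:param-value>ON</wls:param-value>
  </wls:application-param>
</wls:weblogic-application>"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against each descriptor before deployment; an empty list means every jps.* value present is one the tables describe, principals are validated during migration, and removal is explicitly prevented.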