Securing WebLogic Server


Migrating Security Data

You can export security data from one security realm or security provider and import the data into another realm or provider. The following sections provide information about exporting and importing security data.

 


Overview of Security Data Migration

WebLogic security realms persist different kinds of security data — for example, users and groups (for the WebLogic Authentication provider), security policies (for the XACML Authorization provider), security roles (for the XACML Role Mapping provider), and credential maps (for the WebLogic Credential Mapping provider). When you configure a new security realm or a new security provider, you may prefer to use the security data from your existing realm or provider, rather than recreate all the users, groups, policies, roles, and credential maps. Several WebLogic security providers support security data migration. This means you can export security data from one security realm, and import it into a new security realm. You can migrate security data for each security provider individually, or migrate security data for all the WebLogic security providers at once (that is, security data for an entire security realm). Note that you can only migrate security data from one provider to another if the providers use the same data format. See Formats and Constraints Supported by WebLogic Security Providers. You migrate security data through the WebLogic Administration Console or by using the WebLogic Scripting Tool (WLST).

Migrating security data may be helpful when you:

The remainder of this section describes security migration concepts, the formats and constraints supported by the WebLogic security providers, and steps for migrating security data with WLST.

To migrate security data with the WebLogic Administration Console, see the following topics in the online help:

 


Migration Concepts

A format is a data format that specifies how security data should be exported or imported. Supported formats are the list of data formats that a given security provider understands how to process.

Constraints are key/value pairs that specify options to the export or import process. Use constraints to control which security data is exported to or imported from the security provider’s database (in the case of the WebLogic Server security providers, the embedded LDAP server). For example, you may want to export only users (not groups) from an Authentication provider’s database. Supported constraints are the list of constraints you can specify during the migration process for a particular security provider. For example, you can specify that an Authentication provider’s database be used to import users and groups, but not security policies.

Export files are the files to which security data is written (in the specified format) during the export portion of the migration process. Import files are files from which security data is read (also in the specified format) during the import portion of the migration process. Both export and import files are simply temporary storage locations for security data as it is migrated from one security provider’s data store to another security provider’s data store.

 


Formats and Constraints Supported by WebLogic Security Providers

In order for security data to be exported and imported between security providers, both security providers must process the same format. Some data formats used for the WebLogic Server security providers are unpublished; therefore, you cannot currently migrate security data from a WebLogic security provider to a custom security provider, or vice versa, using the unpublished formats.

WebLogic security providers support the following import and export formats.

Table 8-1 Import and Export Formats Supported by the WebLogic Security Providers

| WebLogic Provider | Supported Format |
| --- | --- |
| WebLogic Authentication Provider | DefaultAtn—unpublished format |
| XACML Authorization Provider | XACML—standard XACML 2.0 format; DefaultAtz—unpublished format |
| WebLogic Authorization Provider | DefaultAtz—unpublished format |
| XACML Role Mapping Provider | XACML—standard XACML 2.0 format; DefaultRoles—unpublished format |
| WebLogic Role Mapping Provider | DefaultRoles—unpublished format |
| WebLogic Credential Mapping Provider | DefaultCreds—unpublished format |
| SAML Identity Asserter V2; SAML Credential Mapping Provider V2 | XML Partner Registry—An XML format defined by the SAML partner registry schema; JKS Key Store—A key store file format for importing and exporting partner certificates only; LDIF Template—LDIF format |

WebLogic security providers support the following import and export constraints.

Table 8-2 Constraints Supported by the WebLogic Security Providers

| WebLogic Security Provider | Supported Constraints | Description |
| --- | --- | --- |
| WebLogic Authentication | users, groups | Export all users or all groups |
| XACML Authorization | None | |
| WebLogic Authorization | None | |
| XACML Role Mapping | None | |
| WebLogic Role Mapping | None | |
| WebLogic Credential Mapping | passwords | With the constraint passwords=cleartext, passwords will be exported in clear text. Otherwise, they will be exported in encrypted form. |
| SAML Identity Asserter V2; SAML Credential Mapping V2 | partners | Which partners to import or export. The constraint value can be one of: all—all partners; none—no partners; list—only listed partners; enabled—only enabled partners; disabled—only disabled partners |
| SAML Identity Asserter V2; SAML Credential Mapping V2 | certificates | Which certificates to import or export. The constraint value can be one of the following: all—all certificates; none—no certificates; list—only listed certificates; referenced—only certificates referenced by a partner |
| SAML Identity Asserter V2; SAML Credential Mapping V2 | passwords | With the constraint passwords=cleartext, passwords will be exported in clear text. Otherwise, they will be exported in encrypted form. |
| SAML Identity Asserter V2; SAML Credential Mapping V2 | importMode | Specifies how to resolve name conflicts between the imported data and existing data in the SAML registry. The constraint value can be one of the following: fail—the import operation will fail if conflicts are detected (default); rename—rename the imported entry that conflicts; replace—replace the existing entry with the conflicting imported entry |

When exporting from the WebLogic Credential Mapping provider, SAML Credential Mapping provider, or SAML Identity Asserter, you need to specify whether or not the passwords for the credentials are exported in clear text. The constraint passwords=cleartext specifies that passwords will be exported in clear text. Otherwise, they will be exported in encrypted form. The mechanism used to encrypt passwords is different in each WebLogic Server domain; therefore, export passwords in clear text if you plan to use them in a different WebLogic Server domain. After the credential maps are imported into the new WebLogic Server domain, the passwords are encrypted. Carefully protect the directory and file to which you export credential maps in clear text, because sensitive data is available on your system during the migration process.

 


Migrating Data with WLST

You can use the WebLogic Scripting Tool (WLST) to export and import data from a security provider. Access the Runtime MBean for the security provider and use its importData or exportData operation. For example, you might use WLST to import data using commands like these:

domainRuntime()
cd('DomainServices/DomainRuntimeService/DomainConfiguration/mydomain/SecurityConfiguration/mydomain/DefaultRealm/myrealm/path-to-MBean/mbeanname')
cmo.importData(format,filename,constraints)

where

mbeanname—Name of the security provider MBean.

format—A format that is valid for the particular security provider. See Table 8-1, Import and Export Formats Supported by the WebLogic Security Providers, on page 8-3.

filename—The directory location and filename in which to export or import the security data. Remember that, regardless of whether you are using a UNIX or Windows operating system, you need to use a forward slash, not a back slash, as a path separator for pathname arguments in WLST commands.

constraints—The constraints that limit the data to be exported or imported

For more information, see WebLogic Scripting Tool.
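
A preflight check for the exportData and importData calls described above, added here as an example (it is not Oracle's code): it encodes Tables 8-1 and 8-2, the forward-slash rule for path arguments, and the clear-text password warning. The names common_formats and check_call are hypothetical, and the directory check assumes it runs on the POSIX host where the export file is written.

```python
import os
import stat

# Added example, hypothetical names. Table 8-1 formats, as printed on this page.
SAML_F = {"XML Partner Registry", "JKS Key Store", "LDIF Template"}
FORMATS = {
    "WebLogic Authentication": {"DefaultAtn"},
    "XACML Authorization": {"XACML", "DefaultAtz"},
    "WebLogic Authorization": {"DefaultAtz"},
    "XACML Role Mapping": {"XACML", "DefaultRoles"},
    "WebLogic Role Mapping": {"DefaultRoles"},
    "WebLogic Credential Mapping": {"DefaultCreds"},
    "SAML Identity Asserter V2": SAML_F,
    "SAML Credential Mapping V2": SAML_F,
}
# Table 8-2: constraint key -> allowed values (None = values not enumerated).
SAML_C = {"partners": {"all", "none", "list", "enabled", "disabled"},
          "certificates": {"all", "none", "list", "referenced"},
          "passwords": None, "importMode": {"fail", "rename", "replace"}}
CONSTRAINTS = {
    "WebLogic Authentication": {"users": None, "groups": None},
    "WebLogic Credential Mapping": {"passwords": None},
    "SAML Identity Asserter V2": SAML_C,
    "SAML Credential Mapping V2": SAML_C,
}

def common_formats(source, target):
    """Formats both providers process; an empty set means no migration path."""
    return FORMATS.get(source, set()) & FORMATS.get(target, set())

def check_call(provider, fmt, filename, constraints):
    """Return the problems to fix before calling exportData/importData."""
    problems = []
    if fmt not in FORMATS.get(provider, set()):
        problems.append("format %r not supported by %s" % (fmt, provider))
    allowed = CONSTRAINTS.get(provider, {})
    for key, value in constraints.items():
        if key not in allowed:
            problems.append("constraint %r not supported by %s" % (key, provider))
        elif allowed[key] is not None and value not in allowed[key]:
            problems.append("bad value %r for constraint %r" % (value, key))
    if "\\" in filename:
        problems.append("use forward slashes in WLST path arguments")
    if constraints.get("passwords") == "cleartext":
        directory = os.path.dirname(filename) or "."
        # Clear-text passwords: the directory must exist and be owner-only.
        if not os.path.isdir(directory) or stat.S_IMODE(os.stat(directory).st_mode) & 0o077:
            problems.append("export directory missing or open to group/other")
    return problems
```

An empty list from check_call means the arguments are consistent with the tables; the clear-text export file should still be deleted once the import has completed.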

 


Migrating Data Using weblogic.admin

Note: The weblogic.Admin utility is deprecated. Use WLST instead.

You can also use the weblogic.Admin utility to export and import security data between security realms and security providers. The format of the command is:

java weblogic.Admin -username username -password password \
    INVOKE -mbean mbeanname \
    -method methodname dataformat filename constraints

where

username—Name of the Admin user

password—Password of the Admin user

mbeanname—Name of the security provider MBean.

methodname—exportData or importData

dataformat—DefaultAtn, DefaultAtz, DefaultRoles, or DefaultCreds

filename—The directory location and filename in which to export or import the security data

constraints—The constraints that limit the data to be exported or imported

Note: Carefully protect the directory and file into which you export the security data with operating system security, because they contain sensitive information about your deployment.

For example:

java weblogic.Admin -username system -password weblogic INVOKE -mbean Security:Name=myrealmDefaultAuthenticator -method importData DefaultAtn d:\temp\security.info ""

