15 Managing Horizontal Policy Migration

Policies can be migrated through the different stages of the application development and deployment cycle (for example, from development to production).

This chapter includes the following sections:

  • Overview of Horizontal Policy Migration

  • Migrating Policies

  • Migrating Policy Configuration

  • Migrating Assertion Templates

Overview of Horizontal Policy Migration

The following steps describe a typical scenario of how you would create a policy and migrate the policy through the different stages of the application development and deployment cycles.

  1. Use Oracle Enterprise Manager Fusion Middleware Control to create a policy.

    For more information, see "Creating Web Service Policies".

  2. Export the policy to a file.

    For more information, see "Migrating Policies".

  3. Copy the policy file to the policy store location in the Oracle JDeveloper environment.

  4. Create a Web service in Oracle JDeveloper and attach the policy to the Web service.

    For more information, see "Using Policies with Web Services" in the "Developing with Web Services" section of the JDeveloper online help.

  5. Deploy the Web service to the staging server, and test the Web service.

    For more information, see "Developing Web Services" in the JDeveloper online help.

  6. Import the policy to the production server environment.

    For more information, see "Migrating Policies".

  7. Migrate the policy configuration artifacts that the policy depends on, as required: keystores, users and groups, credentials, Oracle Platform Security Services policies and configuration, SSL configuration, and Kerberos configuration.

    For more information, see "Migrating Policy Configuration".

  8. Deploy the application into the production environment, and test the Web service.

    See "Deploying Web Services Applications" and "Testing Web Services".

Migrating Policies

You can export individual policies from Oracle Enterprise Manager Fusion Middleware Control. You can then copy the policy to a directory or import the policy to move it to another repository.

For details about exporting and importing policies, see "Managing Web Service Policies".

Alternatively, you can use the exportMetadata and importMetadata WLST commands to export and import the policies. The following describes the steps required:

To migrate policies using WLST commands:

  1. Export the Oracle WSM policies to a local directory. For example, to export the policies in the /policies/mycompany namespace to the /exported/owsm_policies directory:

    exportMetadata(application='wsm-pm',server='<server_name>', docs='/policies/mycompany/**',toLocation='/exported/owsm_policies')
    
  2. Move the files to the new machine. Ensure that the Oracle WSM Policy Manager is deployed on the new machine.

  3. Import the Oracle WSM policies. For example, to import the policies in the /policies/mycompany namespace from the /toimport/owsm_policies directory:

    importMetadata(application='wsm-pm',server='<server_name>', fromLocation='/toimport/owsm_policies', docs='/policies/mycompany/**')
    

Note:

Specify the docs parameter carefully. If the value /** is specified, then all objects are exported or imported, including policies, assertion templates, and policy attachments. Transferring policy attachments introduces errors into the usage analysis numbers reported in Fusion Middleware Control if the source and target environments are not identical. Use a more specific path whenever you export or import policies or assertion templates.

For more information about the WLST commands, see Oracle Fusion Middleware Oracle WebLogic Scripting Tool.
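The following script is an added example, not Oracle's own code or a WLST feature. It is run with an ordinary Python interpreter before and after the WLST commands above: export_args() and import_args() build the argument sets for exportMetadata and importMetadata and refuse a docs pattern that is not scoped to a namespace (the catch-all /** that the note warns about), and classify_export() groups the documents found in an export directory by top-level MDS folder so that anything that is not a policy or assertion template, such as a policy attachment, is noticed before it is imported into the target domain. The MDS roots /policies and /assertiontemplates are assumed, the server name is a placeholder, and the sample document list is constructed for the example.

```python
"""Scope check and post-export review for an Oracle WSM policy migration
(added example; assumes the /policies and /assertiontemplates MDS roots)."""
import os

# Top-level MDS folders this example treats as safe to move between
# environments (assumption about the Oracle WSM repository layout).
SAFE_ROOTS = ("policies", "assertiontemplates")

# Constructed sample of what an export directory might contain. The
# '/attachments/...' entry is a hypothetical path standing in for any
# non-policy document; it is not a documented Oracle WSM path.
SAMPLE_EXPORT = [
    "/policies/mycompany/wss_username_token_service_policy",
    "/policies/mycompany/wss11_message_protection_service_policy",
    "/assertiontemplates/mycompany/my_username_assertion_template",
    "/attachments/myapp/PolicyAttachment",
]

def _root(doc):
    """Top-level MDS folder of a document path such as /policies/x/y."""
    return doc.strip("/").split("/")[0]

def is_scoped(docs):
    """True when docs names a namespace under a safe root, e.g. /policies/mycompany/**."""
    parts = docs.strip("/").split("/")
    return (docs.startswith("/") and len(parts) >= 2
            and parts[0] in SAFE_ROOTS and parts[1] not in ("", "*", "**"))

def export_args(server, docs, to_location):
    """Arguments for exportMetadata; raises if docs would sweep up everything."""
    if not is_scoped(docs):
        raise ValueError("refusing docs=%r; scope it to /policies/<namespace>/** "
                         "or /assertiontemplates/<namespace>/**" % docs)
    return [("application", "wsm-pm"), ("server", server),
            ("docs", docs), ("toLocation", to_location)]

def import_args(server, docs, from_location):
    """Arguments for importMetadata, with the same scope rule applied."""
    if not is_scoped(docs):
        raise ValueError("refusing docs=%r; scope it to a namespace" % docs)
    return [("application", "wsm-pm"), ("server", server),
            ("fromLocation", from_location), ("docs", docs)]

def wlst_call(name, args):
    """Render the call exactly as it is typed at the WLST prompt."""
    return "%s(%s)" % (name, ", ".join("%s='%s'" % kv for kv in args))

def classify_export(docs):
    """Group exported document paths by top-level MDS folder."""
    groups = {}
    for doc in docs:
        groups.setdefault(_root(doc), []).append(doc)
    return groups

def unexpected_docs(docs):
    """Documents outside SAFE_ROOTS: review (or drop) these before importing."""
    return sorted(d for d in docs if _root(d) not in SAFE_ROOTS)

def walk_export_dir(to_location):
    """List the documents under a real export directory as MDS-style paths."""
    found = []
    for dirpath, _, files in os.walk(to_location):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), to_location)
            found.append("/" + rel.replace(os.sep, "/"))
    return sorted(found)

if __name__ == "__main__":
    # Print the exact WLST line to paste, then review the constructed export.
    print(wlst_call("exportMetadata", export_args(
        "AdminServer", "/policies/mycompany/**", "/exported/owsm_policies")))
    for root, docs in sorted(classify_export(SAMPLE_EXPORT).items()):
        print("%-20s %d document(s)" % (root, len(docs)))
    print("review before import:", unexpected_docs(SAMPLE_EXPORT))
```

After the export has run, call walk_export_dir('/exported/owsm_policies') and pass the result to unexpected_docs() before copying the directory to the target machine; an empty list means only policies and assertion templates are being carried across.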

Migrating Policy Configuration

The following sections describe how to migrate the configuration artifacts for Oracle WSM policies. Sections include:

  • Migrating Keystores

  • Migrating Users and Groups

  • Migrating Credentials

  • Migrating Oracle Platform Security Services Application and System Policies

  • Migrating Oracle Platform Security Services Configuration

  • Migrating SSL

  • Migrating Kerberos Configuration

Migrating Keystores

If you are using message protection policies, you need to migrate your keystores. To migrate keystores:

  1. Manually copy your keystores to the new environment.

    For Java SE applications, copy the keystore to a user-defined location. For Java EE applications, copy the keystore to the same directory as the jps-config.xml file, namely DOMAIN_HOME/config/fmwconfig.

  2. By default, the keystore is named default-keystore.jks. If you have renamed the keystore, you must configure the keystore name in the Oracle Platform Security Services keystore service instance.

For information about configuring the keystore, see "Setting up the Keystore for Message Protection".

Migrating Users and Groups

Users and groups are maintained as part of the WebLogic Server security realm.

To migrate users and groups in embedded LDAP, you can migrate the data using either the Oracle WebLogic Administration Console or WLST. For a complete description of the steps required, see "Migrating Security Data" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

To migrate users and groups in an LDAP store, there is no migration path. You need to recreate the users and groups and specify the assignments in the LDAP store in the new environment. See "Configuring Authentication Providers" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

Migrating Credentials

There are two types of credentials maintained in the credential store that you may need to migrate:

  • Username and password

  • Keystore and encryption key passwords

The migration steps are described in the sections below.

Migrating Username and Password

If users are stored in an embedded LDAP and migrated, as described in "Migrating Users and Groups", then you simply migrate the existing credentials to the new credential store. For a complete description of the steps required, see "Migrating Security Data" in Oracle Fusion Middleware Securing Oracle WebLogic Server.

If users are stored in an LDAP store, there is no automated migration path. You need to recreate the credentials in the credential store. For more information about configuring credentials, see "Configuring the Credential Store Provider".

Migrating Keystores and Encryption Key Passwords

You can migrate keystores and encryption key passwords manually using the procedure described in "Migrating Credentials Manually" in "Deploying Secure Applications" in Oracle Fusion Middleware Security Guide.
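The following pre-flight check is an added example, not Oracle's own code; it covers the keystore copy described in "Migrating Keystores" and the credentials listed in this section. Pointed at the target domain's DOMAIN_HOME/config/fmwconfig directory, it reads the keystore service instance from jps-config.xml, resolves the keystore location relative to that directory, confirms the file exists and is not readable by group or others, flags any .jks file in the directory that jps-config.xml does not reference (the symptom of a renamed keystore whose name was never configured), and lists the CSF map and keys for the keystore password, signing key and encryption key that must also exist in the target credential store. The element and property names (serviceInstance name="keystore", its location attribute, and the keystore.csf.map, keystore.pass.csf.key, keystore.sig.csf.key and keystore.enc.csf.key properties) are assumed from the 11g jps-config.xml layout, and the sample configuration file is constructed and abridged for the example.

```python
"""Pre-flight check for a migrated Oracle WSM message-protection keystore
(added example; element and property names assumed from the 11g jps-config.xml)."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Properties on the keystore service instance that name CSF keys (assumed layout).
CSF_KEY_PROPS = ("keystore.pass.csf.key", "keystore.sig.csf.key", "keystore.enc.csf.key")

# Constructed, abridged jps-config.xml: only the keystore service instance is shown.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="keystore" provider="keystore.provider" location="./default-keystore.jks">
      <description>Default JPS Keystore Service</description>
      <property name="keystore.type" value="JKS"/>
      <property name="keystore.csf.map" value="oracle.wsm.security"/>
      <property name="keystore.pass.csf.key" value="keystore-csf-key"/>
      <property name="keystore.sig.csf.key" value="sign-csf-key"/>
      <property name="keystore.enc.csf.key" value="enc-csf-key"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

def _local(tag):
    """Strip the XML namespace so matching does not depend on the schema URI."""
    return tag.rsplit("}", 1)[-1]

def keystore_instance(jps_config_path):
    """Return (location, {property: value}) for serviceInstance name='keystore'."""
    root = ET.parse(jps_config_path).getroot()
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == "keystore":
            props = {p.get("name"): p.get("value")
                     for p in el.iter() if _local(p.tag) == "property"}
            return el.get("location"), props
    raise LookupError("no serviceInstance name='keystore' in %s" % jps_config_path)

def check_keystore(fmwconfig_dir):
    """Verify the configured keystore is present and private; list the CSF keys it needs."""
    location, props = keystore_instance(os.path.join(fmwconfig_dir, "jps-config.xml"))
    path = os.path.normpath(os.path.join(fmwconfig_dir, location))  # relative to fmwconfig
    findings = []
    if not os.path.isfile(path):
        findings.append("configured keystore not found: %s" % path)
    elif stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("keystore %s is readable by group or others" % path)
    # A keystore copied under a different name is a common slip: the file is
    # present but jps-config.xml still points at the old name.
    for name in sorted(os.listdir(fmwconfig_dir)):
        if name.endswith(".jks") and os.path.normpath(os.path.join(fmwconfig_dir, name)) != path:
            findings.append("keystore file %s is not referenced by jps-config.xml" % name)
    csf_map = props.get("keystore.csf.map")
    required = []  # (map, key) pairs that must exist in the target credential store
    for prop in CSF_KEY_PROPS:
        key = props.get(prop)
        if not csf_map or not key:
            findings.append("keystore.csf.map or %s is not set" % prop)
        else:
            required.append((csf_map, key))
    return {"keystore": path, "required_credentials": required, "findings": findings}

def demo(keystore_name="default-keystore.jks", mode=0o600):
    """Build a throwaway fmwconfig directory from the sample and check it."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "jps-config.xml"), "w") as f:
        f.write(SAMPLE_JPS_CONFIG)
    ks = os.path.join(d, keystore_name)
    with open(ks, "wb") as f:
        f.write(b"\xfe\xed\xfe\xed")  # JKS magic bytes only; not a real keystore
    os.chmod(ks, mode)
    return check_keystore(d)

if __name__ == "__main__":
    for result in (demo(), demo("owsm-keystore.jks"), demo(mode=0o644)):
        print(result["keystore"], result["findings"] or "OK")
        for csf_map, key in result["required_credentials"]:
            print("  credential store must hold map=%s key=%s" % (csf_map, key))
```

On the target domain, run check_keystore(os.path.join(DOMAIN_HOME, "config", "fmwconfig")) after copying the keystore; an empty findings list plus the printed (map, key) pairs tells you exactly which credentials the manual step in "Migrating Credentials Manually" still has to create.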

Migrating Oracle Platform Security Services Application and System Policies

If your Web service uses authorization policies, you must migrate the Oracle Platform Security Services application and system policies that grant permissions. For more information, see "Migrating Policies with the Command migrateSecurityStore" in "OPSS Authorization and the Policy Store" in Oracle Fusion Middleware Security Guide.

Migrating Oracle Platform Security Services Configuration

There is no automated migration path for Oracle Platform Security Services configuration. You must recreate the configuration in the new environment.

There are three types of configurations in the Oracle Platform Security Services that you may need to recreate:

  • SAML trusted assertion issuer names (applicable for all SAML policies).

    If you use the default configuration for SAML trusted issuer configuration, then no migration is required. For information about configuring SAML in the new environment, see "Configuring the SAML and Kerberos Login Modules".

  • Keystore locations and CSF key configuration for keystore and keystore password (applicable for message protection policies only).

    If you use the default configuration for keystores, then no migration is required. For information about configuring keystores in the new environment, see "Setting up the Keystore for Message Protection".

  • Keytab location and service principal name (applicable to Kerberos policy).

    For information about configuring the keytab location and service principal name in the new environment, see "Configuring the SAML and Kerberos Login Modules".

Migrating SSL

There is no automated migration path for SSL configuration. You must configure SSL keystores and settings in the new environment. For more information about configuring SSL keystores and settings in the new environment, see "Configuring Keystores for SSL".

Migrating Kerberos Configuration

To migrate the Kerberos configuration:

  1. Copy the Kerberos configuration file to the new environment, matching the directory structure. The Kerberos configuration file is located in the following locations, based on your operating system:

    • UNIX: /etc/krb5.conf

    • Windows: C:\windows\krb5.ini

  2. Initialize the ticket cache with the correct credentials.

    For more information, see "Using Kerberos Tokens".

Migrating Assertion Templates

You can export individual assertion templates from Oracle Enterprise Manager Fusion Middleware Control. You can then copy the assertion template to a directory or import it to move it to another repository.

For details about exporting and importing assertion templates, see the following sections: