Fusion Middleware Documentation
Advanced Search


Administering Web Services
Close Window

Table of Contents

Show All | Collapse

8 Managing Application Migration Between Environments

This chapter describes how to migrate Web service applications between environments, such as from development or test to production. It includes the following sections:

For information about moving from a test environment to a production environment, see "Moving from a Test to a Production Environment" in Administering Fusion Middleware.

8.1 Overview of Web Service Application Migration

To migrate Web service applications independently between environments, such as from test to production, or in a scaled clustered environment, you must export the policies and the deployment configuration information to the new environment so that you can deploy the application. Depending on your configuration, you may also need to migrate policy configuration artifacts and policy assertion templates.

A deployment descriptor is an XML file that contains the basic deployment configuration for an application. For WebLogic Server and Java EE Web services applications, you create a deployment plan that contains the necessary deployment descriptors for deploying the application in a new environment.

For ADF Business Components, however, run-time policy changes are persisted in proprietary deployment descriptor (PDD) files: oracle-webservices.xml and oracle-webservices-client.xml. Because these files are not included in the WebLogic deployment plan or exported with any other deployment descriptors, you must export and import these PDD files separately. You must also export and import these PDD files separately if you are scaling your application in a clustered environment.

  • For a SOA composite, Web services and Oracle WSM configurations are persisted in a composite.xml file which is included in a configuration plan used for deployment configuration. The SOA framework provides its own mechanism for composite services and configuration lifecycle and synchronizations.

The general steps for migrating a Web service application from a development or test environment to a production environment are as follows:

  1. Install and configure the production environment with the components that you need.

  2. Migrate security information, such as users and groups, the identity and policy stores, and credentials. For more information, see "Migrating Policy Configuration".

  3. Migrate policies and deployment configuration data as required. For more information, see "Migrating Policies". Modify any information that is specific to the new environment such as host name or ports.

  4. Deploy the applications in the new environment.

For information about migrating Fusion Middleware applications between environments, see "Advanced Administration: Expanding Your Environment" in Administering Oracle Fusion Middleware.

8.2 Overview of Horizontal Policy Migration

The following steps describe a typical scenario for how to create a policy and migrate the policy horizontally through the different stages of the application development and deployment cycles.

  1. Use Oracle Enterprise Manager Fusion Middleware Control to create a policy.

    For more information, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

  2. Export the policy to a zip archive.

    For more information, see "Migrating Policies".

  3. Copy the policy file to policy store location in the Oracle JDeveloper environment.

  4. Create a Web service in Oracle JDeveloper and attach the policy to the Web service.

    For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.

  5. Deploy the Web service to the staging server, and test the Web service.

    For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.

  6. Import the policy to the production server environment.

    For more information, see "Migrating Policies".

  7. Migrate the following information, as required:

  8. Deploy the application into the production environment, and test the Web service.

    See Chapter 3, "Deploying Web Services Applications" and Chapter 5, "Testing Web Services."

8.3 Migrating Policies

You can export one or more user-created policies to an archive file using Fusion Middleware Control. You can then import the archive to move it to another repository.

Note:

Read-only documents, such as predefined policies and assertion templates, will not be imported or exported using either Fusion Middleware Control or WLST because they will already be present in the target environment.

For details about exporting and importing user-created policies using Fusion Middleware Control, refer to the following topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:

Alternatively, you can use the exportWSMRepository and importWSMArchive WLST commands to export and import the policies. The following describes the steps required:

To migrate policies using WLST commands:

  1. Export the OWSM policies to a supported archive file, such as a zip file, using the exportWSMRepository command.

    For example, to export all user-created OWSM policies named in the test/ directory to an archive named policies.zip, enter the following:

    wls:/jrfServer_domain/serverConfig> exportWSMRepository('/tmp/policies.zip',['policies:test/%'])
     
    Exporting "/policies/test/wss11_x509_token_with_message_protection_service_policy_test"
    Exporting "/policies/test/wss_username_token_over_ssl_service_policy_Test"
    Successfully exported "2" documents.
    
  2. Optionally, you can edit the archive after it has been created. If, for example, you do not want to migrate all the policies to the new environment, you can manually remove them from the archive.

  3. Move the archive to the new machine. Ensure that the OWSM Policy Manager is deployed on the new machine.

  4. Import the OWSM policies using the importWSMArchive command. For example, to import the policies exported in the previous step:

    wls:/jrfServer_domain/serverConfig> importWSMArchive('/tmp/policies.zip')
    
    Importing "META-INF/policies/test/wss11_x509_token_with_message_protection_service_policy_test"
    Importing "META-INF/policies/test/wss_username_token_over_ssl_service_policy_Test"
    Successfully imported "2" documents
    

For more information about these WLST commands, see "Web Services Custom WLST Commands" in WLST Command Reference for Infrastructure Components.

8.4 Migrating Policy Configuration

The following sections describe how to migrate the configuration artifacts for OWSM policies. Sections include:

8.4.1 Migrating Keystores

If you are using message protection policies, you need to migrate your keystores. To migrate keystores:

  1. Manually copy your keystores to the new environment.

    For Java SE applications, copy the keystore to a user-defined location. For Java EE applications, copy the keystore to the same directory as the jps-config.xml file, namely DOMAIN_HOME/config/fmwconfig.

  2. By default, the keystore is named default-keystore.jks. If you have renamed the keystore, you must configure the keystore name in the Oracle Platform Security Services keystore service instance.

For information about configuring the keystore, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.4.2 Migrating Users and Groups

Users and groups are maintained as part of the WebLogic Server security realm.

To migrate users and groups in embedded LDAP, you can migrate the data using either the Oracle WebLogic Administration Console or WLST. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server.

To migrate users and groups in an LDAP store, there is no migration path. You need to recreate the users and groups and specify the assignments in the LDAP store in the new environment. See "Configuring Authentication Providers" in Administering Security for Oracle WebLogic Server.

8.4.3 Migrating Credentials

There are two types of credentials maintained in the credential store that you may need to migrate:

  • Username and password

  • Keystore and encryption key passwords

The migration steps are described in the sections below.

8.4.3.1 Migrating Username and Password

If users are stored in an embedded LDAP and migrated, as described in "Migrating Users and Groups", then you simply migrate the existing credentials to the new credential store. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server.

If users are stored in an LDAP store, there is no automated migration path. You need to recreate the credentials in the credential store. For more information about configuring credentials, see "Configuring the Credential Store" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.4.3.2 Migrating Keystores and Encryption Key Passwords

You can migrate keystores and encryption key passwords manually using the procedure described in "Migrating Credentials Manually" in "Deploying Secure Applications" in Securing Applications with Oracle Platform Security Services.

8.4.4 Migrating Oracle Platform Security Services Application and System Policies

If your Web service uses authorization policies, you must migrate the Oracle Platform Security Services application and system policies that grant permissions. For more information, see "Migrating with the Script migrateSecurityStore" in "Configuring the OPSS Security Store" in Securing Applications with Oracle Platform Security Services.

8.4.5 Migrating Oracle Platform Security Services Configuration

There is no automated migration path for Oracle Platform Security Services configuration. You must recreate the configuration in the new environment.

There are three types of configurations in the Oracle Platform Security Services that you may need to recreate:

8.4.6 Migrating SSL

There is no automated migration path for SSL configuration. You must configure SSL keystores and settings in the new environment. For more information about configuring SSL keystores and settings in the new environment, see "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.4.7 Migrating Kerberos Configuration

To migrate the Kerberos configuration:

  1. Copy the Kerberos configuration file to the new environment, matching the directory structure. The Kerberos configuration file is located in the following locations, based on your operating system:

    • UNIX: /etc/krb5.conf

    • Windows: C:\windows\krb5.ini

  2. Initialize the ticket cache with the correct credentials.

    For more information, see "Configuring Kerberos Tokens" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.5 Migrating Assertion Templates

You can export individual assertion templates from Oracle Enterprise Manager Fusion Middleware Control. You can then copy the policy to a directory or import the policy to move it to another repository.

For details about exporting and importing assertion templates, see "Managing Policy Assertion Templates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.