8.4 Overview of Migrating Policy Configuration

The following sections describe how to migrate the configuration artifacts for OWSM policies.

8.4.1 Migrating Keystores

If you are using message protection policies, you need to migrate your keystores. To migrate keystores:

  1. Manually copy your keystores to the new environment.

    For Java SE applications, copy the keystore to a user-defined location. For Java EE applications, copy the keystore to the same directory as the jps-config.xml file, namely DOMAIN_HOME/config/fmwconfig.

  2. By default, the keystore is named default-keystore.jks. If you have renamed the keystore, you must configure the keystore name in the Oracle Platform Security Services keystore service instance.

For information about configuring the keystore, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
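One way to carry out the manual copy in step 1 for a Java EE domain so that a corrupted or misplaced keystore is caught before the server reads it. This is an added example, not Oracle's procedure or code; the function name install_keystore, the SHA-256 check against a digest recorded on the source host, the 600 file mode, and the availability of sha256sum on the target host are all assumptions.

```bash
#!/usr/bin/env bash
# Added example (not Oracle code). Assumes the keystore was already staged on
# the target host (for example with scp) and that sha256sum is installed.

# install_keystore STAGED_FILE EXPECTED_SHA256 DOMAIN_HOME [KEYSTORE_NAME]
# Returns 0 on success, 1 on a precondition or copy error, 2 on digest mismatch.
install_keystore() {
  local staged="$1" expected="$2" domain_home="$3"
  local name="${4:-default-keystore.jks}"
  local dest_dir="$domain_home/config/fmwconfig"
  local dest="$dest_dir/$name" actual tmp

  [ -f "$staged" ] || { echo "staged keystore not found: $staged" >&2; return 1; }
  # The keystore belongs beside jps-config.xml; if that file is missing,
  # DOMAIN_HOME is probably wrong and the copy would land where nothing reads it.
  [ -f "$dest_dir/jps-config.xml" ] || { echo "no jps-config.xml in $dest_dir" >&2; return 1; }

  # Compare with the digest recorded on the source host before installing.
  actual=$(sha256sum "$staged" | cut -d' ' -f1)
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $staged" >&2
    return 2
  fi

  # Copy to an owner-only temp file in the same directory, then rename, so a
  # partial or world-readable keystore never appears at the final path.
  tmp=$(umask 077; mktemp "$dest_dir/.keystore.XXXXXX") || return 1
  if cp "$staged" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
    echo "installed $dest"
  else
    rm -f "$tmp"
    return 1
  fi
}

# Usage (paths are placeholders):
#   install_keystore /tmp/staged/default-keystore.jks "<sha256 from source host>" "$DOMAIN_HOME"
```

If the keystore was renamed, pass the new name as the fourth argument and complete step 2 so the keystore service instance points at it.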

To migrate keystores with Keystore Service:

  1. Export the keystore to a file with the exportKeyStore command.
  2. Import the file to the new keystore with the importKeyStore command.

For information about using the keystore migration commands in KSS, see "Managing Keys and Certificates" in Securing Applications with Oracle Platform Security Services.

8.4.2 Migrating Users and Groups

Users and groups are maintained as part of the WebLogic Server security realm.

To migrate users and groups in embedded LDAP, you can migrate the data using either the Oracle WebLogic Administration Console or WLST. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server 12c (12.2.1).

For users and groups in an LDAP store, there is no migration path. You need to recreate the users and groups and specify the assignments in the LDAP store in the new environment. See "Configuring Authentication Providers" in Administering Security for Oracle WebLogic Server 12c (12.2.1).

8.4.3 Migrating Credentials

There are two types of credentials maintained in the credential store that you may need to migrate:

  • Username and password

  • Keystore and encryption key passwords

The migration steps are described in the sections below.

8.4.3.1 Migrating Username and Password

If users are stored in an embedded LDAP and migrated, as described in "Migrating Users and Groups", then you simply migrate the existing credentials to the new credential store. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server 12c (12.2.1).

If users are stored in an LDAP store, there is no automated migration path. You need to recreate the credentials in the credential store. For more information about configuring credentials, see "Configuring the Credential Store" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.4.3.2 Migrating Keystores and Encryption Key Passwords

You can migrate keystores and encryption key passwords manually using the procedure described in "Migrating Credentials Manually" in "Deploying Secure Applications" in Securing Applications with Oracle Platform Security Services.

8.4.4 Migrating Oracle Platform Security Services Application and System Policies

If your web service uses authorization policies, you must migrate the Oracle Platform Security Services application and system policies that grant permissions. For more information, see "Migrating with the Script migrateSecurityStore" in "Configuring the OPSS Security Store" in Securing Applications with Oracle Platform Security Services.

8.4.5 Migrating Oracle Platform Security Services Configuration

There is no automated migration path for Oracle Platform Security Services configuration. You must recreate the configuration in the new environment.

There are three types of configurations in the Oracle Platform Security Services that you may need to recreate:

8.4.6 Migrating SSL

There is no automated migration path for SSL configuration. You must configure SSL keystores and settings in the new environment. For more information about configuring SSL keystores and settings in the new environment, see "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.4.7 Migrating Kerberos Configuration

To migrate the Kerberos configuration:

  1. Copy the Kerberos configuration file to the new environment, matching the directory structure. The location of the Kerberos configuration file depends on your operating system:
    • UNIX: /etc/krb5.conf

    • Windows: C:\windows\krb5.ini

  2. Initialize the ticket cache with the correct credentials.

    For more information, see "Configuring Kerberos Tokens" in Securing Web Services and Managing Policies with Oracle Web Services Manager.