This section provides detailed information about the tools used to import data into and export data from the policy database:
The Policy Propagation Import/Export (policyIX) tool can be used to import and export policies and also export SSM configurations — it does not support importing SSM configurations. It is commonly used to move policy data from one database to another and to export an SSM configuration to an XML file for use when the SSM is deployed without an SCM.
Note: | This section does not cover the use of policyIX for imports/exports between OES and Oracle Enterprise Repository. For that information, see Storing and Versioning Policy with Oracle Enterprise Repository in the Integration Guide. |
To sign exported configuration files, policyIX uses the SSL infrastructure specified during the Administration Server installation. Specifically, the policyIX.bat file invokes the tool with -Dales.policyTool.signer=wles-admin. The ales.policyTool.signer property is a required Java property that specifies the alias of the signing key in the identity keystore; the alias must be equal to the Administration Server machine name.
The public key of the Administration Server is then retrieved from the SSL peer keystore for the purpose of validating the configuration file's signature. This public key is available from the Administration Server's certificate, which was added to the SSL peer keystore during the enrollment process.
The unencoded signature of the XML file is stored in a corresponding signature file whose name is the full name of the signed XML file (including its extension) with .sig appended. For example, the signature for myconfig.xml is stored in myconfig.xml.sig. Keep the two files together: the signature covers the exact bytes of the XML file, so any change to the XML file after export invalidates it.
After you export the configuration data, you must manually copy both the XML configuration file and its signature file to the SSM configuration directory, BEA_HOME/ales32-ssm/<ssm-type>/instance-name/config.
If you do not use the default name (wles.securityrealm.xml) for the configuration file, set the wles.realm.filename property in the SSM instance's /config/security.properties file. See the SSM Installation and Configuration Guide for additional information about the security.properties file.
RootOrg/DefaultOrg/DefaultApp.config.xml) are not supported. For more information about this file, see PolicyIX Configuration File.
Use the following command to export an SSM configuration:
policyIX.bat <config_id> -exportConfig <config.xml> <exportfile.xml> -passwdPrompt
For example, the following command exports an SSM configuration named java2ssm to a file named java2ssmconfig.xml:
policyIX.bat java2ssm -exportConfig ..\config\policyIX_config.xml java2ssmconfig.xml
<config.xml>: The configuration file used by policyIX. For details, see PolicyIX Configuration File.
Use the following command to export policies from the database to an XML file:
policyIX.bat -export <config.xml> <exportfile.xml> -passwdPrompt
<config.xml>: Configuration file used by policyIX. The <export_configuration> element in this file specifies the policies and identities to export and the product version of the SSM. For details, see export_configuration.
Use the following command to load policies from an XML file into the database:
policyIX.bat -import -disableTransaction <config.xml> <importfile.xml> -passwdPrompt
<config.xml>: The configuration file used by policyIX. The <import_configuration> element must specify how to handle policy duplicates. For details, see import_configuration.
Table 3-1 describes the possible elements in the policyIX configuration file.
When using policyIX to import policies, the policies to be imported must be specified in the required XML format. This section describes the required format and provides an example.
In addition to the information provided here, there are two ways to understand the XML requirements:
The XML shown in Figure 3-1 could be used to import the following policies:
grant(//role/myrole, //resources/myresource, //MyOrg/MyDir/RJones/) if true;
grant( post, //myresource, //role/myrole/) if true;
<?xml version="1.0" encoding="UTF-8"?>
<xb:policy_propagation xmlns:xb="http://policypropagation.ales.com/xmlbean">
  <xb:policy_propagation_data_v2>
    <xb:scopes>
      <xb:application_entry value="RootOrg!MyOrg!MyApp">
        <xb:resources>
          <xb:resource_entry value="//resources/myresource"/>
        </xb:resources>
        <xb:actions>
          <xb:action_entry value="post"/>
        </xb:actions>
        <xb:roles>
          <xb:role_entry value="myrole" parent=""/>
        </xb:roles>
        <xb:policies>
          <xb:membership_rule_entry>
            <xb:policy_effect value="grant"/>
            <xb:policy_roles>
              <xb:policy_role_entry value="myrole"/>
            </xb:policy_roles>
            <xb:policy_resources>
              <xb:policy_resource_entry value="//resources/myresource"/>
            </xb:policy_resources>
            <xb:policy_subjects>
              <xb:policy_user_entry name="RJones" directory="MyDir" scope="MyOrg"/>
            </xb:policy_subjects>
          </xb:membership_rule_entry>
          <xb:authorization_policy_entry>
            <xb:policy_effect value="grant"/>
            <xb:policy_actions>
              <xb:policy_action_entry value="post"/>
            </xb:policy_actions>
            <xb:policy_resources>
              <xb:policy_resource_entry value="//resources/myresource"/>
            </xb:policy_resources>
            <xb:policy_subjects>
              <xb:policy_role_entry value="myrole"/>
            </xb:policy_subjects>
          </xb:authorization_policy_entry>
        </xb:policies>
      </xb:application_entry>
    </xb:scopes>
  </xb:policy_propagation_data_v2>
</xb:policy_propagation>
Table 3-2 describes the XML elements used in the above example.
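To make the mapping between Figure 3-1 and the two grant statements concrete, the following Python script walks the policy_propagation_data_v2 structure and prints each policy in the policy-language form used above. This is an added example for this page, not policyIX code or any Oracle tool; it assumes a user subject renders as //scope/directory/name/ and a role subject as //role/name/ (as in the two statements shown), and appends "if true;" because the sample carries no constraint element. The resource it prints for the authorization policy is the one actually in the XML (//resources/myresource).

```python
"""Render the policy_propagation XML format as policy-language statements.

Added illustration for this page; it is not policyIX code. It walks the
xb:policy_propagation_data_v2 structure from Figure 3-1 and prints the
membership rule and authorization policy it carries, using the grant() shapes
given above. Assumptions: a user subject renders as //scope/directory/name/,
a role subject as //role/name/, and every policy ends in "if true;" because
the sample carries no constraint element.
"""
import xml.etree.ElementTree as ET

NS = {"xb": "http://policypropagation.ales.com/xmlbean"}

# Constructed sample: the Figure 3-1 document (with its two policy_effect tags repaired).
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<xb:policy_propagation xmlns:xb="http://policypropagation.ales.com/xmlbean">
 <xb:policy_propagation_data_v2><xb:scopes>
  <xb:application_entry value="RootOrg!MyOrg!MyApp">
   <xb:resources><xb:resource_entry value="//resources/myresource"/></xb:resources>
   <xb:actions><xb:action_entry value="post"/></xb:actions>
   <xb:roles><xb:role_entry value="myrole" parent=""/></xb:roles>
   <xb:policies>
    <xb:membership_rule_entry>
     <xb:policy_effect value="grant"/>
     <xb:policy_roles><xb:policy_role_entry value="myrole"/></xb:policy_roles>
     <xb:policy_resources><xb:policy_resource_entry value="//resources/myresource"/></xb:policy_resources>
     <xb:policy_subjects><xb:policy_user_entry name="RJones" directory="MyDir" scope="MyOrg"/></xb:policy_subjects>
    </xb:membership_rule_entry>
    <xb:authorization_policy_entry>
     <xb:policy_effect value="grant"/>
     <xb:policy_actions><xb:policy_action_entry value="post"/></xb:policy_actions>
     <xb:policy_resources><xb:policy_resource_entry value="//resources/myresource"/></xb:policy_resources>
     <xb:policy_subjects><xb:policy_role_entry value="myrole"/></xb:policy_subjects>
    </xb:authorization_policy_entry>
   </xb:policies>
  </xb:application_entry>
 </xb:scopes></xb:policy_propagation_data_v2>
</xb:policy_propagation>
"""


def _local(el):
    """Tag name without the {namespace} prefix ElementTree attaches."""
    return el.tag.rsplit("}", 1)[-1]


def _values(policy, container, entry):
    """All value= attributes of <entry> children under <container> of a policy."""
    return [e.get("value") for e in policy.findall(f"xb:{container}/xb:{entry}", NS)]


def _subjects(policy):
    out = []
    for e in policy.findall("xb:policy_subjects/*", NS):
        kind = _local(e)
        if kind == "policy_role_entry":
            out.append(f"//role/{e.get('value')}/")
        elif kind == "policy_user_entry":
            out.append(f"//{e.get('scope')}/{e.get('directory')}/{e.get('name')}/")
        else:
            raise ValueError(f"unsupported subject element: {kind}")
    return out


def _group(items):
    """Single item as-is; several items as a bracketed list, as in the page's grant() examples."""
    return items[0] if len(items) == 1 else "[" + ",".join(items) + "]"


def render_policies(xml_text):
    """Return [(application, [statement, ...]), ...] for every application_entry."""
    root = ET.fromstring(xml_text)
    rendered = []
    for app in root.findall(".//xb:application_entry", NS):
        statements = []
        for pol in app.findall("xb:policies/*", NS):
            kind = _local(pol)
            effect = pol.find("xb:policy_effect", NS).get("value")
            resources = _group(_values(pol, "policy_resources", "policy_resource_entry"))
            subjects = _group(_subjects(pol))
            if kind == "membership_rule_entry":
                # Role-mapping rule: effect(role, resource, subject)
                roles = _group([f"//role/{r}" for r in _values(pol, "policy_roles", "policy_role_entry")])
                statements.append(f"{effect}({roles}, {resources}, {subjects}) if true;")
            elif kind == "authorization_policy_entry":
                # Authorization policy: effect(action, resource, subject)
                actions = _group(_values(pol, "policy_actions", "policy_action_entry"))
                statements.append(f"{effect}({actions}, {resources}, {subjects}) if true;")
            else:
                raise ValueError(f"unsupported policy element: {kind}")
        rendered.append((app.get("value"), statements))
    return rendered


if __name__ == "__main__":
    for app, statements in render_policies(SAMPLE_XML):
        print(app)
        for s in statements:
            print("  " + s)
```

Running the script prints the application scope followed by the membership rule and the authorization policy. Rendering an export this way before importing it into another database is a cheap way to review exactly which subjects gain which rights, which the raw XML makes easy to misread.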
By default, policyIX on WebLogic Server 8.15 supports the export of configuration data, but not policy data. This section describes how to manually modify the policy propagation servlet so that policyIX will also import/export policy data.
Edit the web.xml file in BEA_Home\ales32-admin\asiDomain\applications\asi.war to include the following servlet and listener definitions:
<listener>
  <listener-class>com.ales.policypropagation.servlet.PropagationSessionListener</listener-class>
</listener>
<servlet>
  <servlet-name>policyPropagationServlet</servlet-name>
  <servlet-class>com.ales.policypropagation.servlet.PolicyPropagationServlet</servlet-class>
  <init-param>
    <param-name>file.max.upload.size</param-name>
    <param-value>104857600</param-value>
  </init-param>
  <init-param>
    <param-name>session.inactive.internal</param-name>
    <param-value>2</param-value>
  </init-param>
  <init-param>
    <param-name>output.bulksize</param-name>
    <param-value>200</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
  <servlet-name>policyPropagationServlet</servlet-name>
  <url-pattern>/policypropagation</url-pattern>
</servlet-mapping>
Repackage asi.war with the updated web.xml file and update the staged copy located in the BEA_HOME/ales32-admin/asiDomain/asiAdminServer/stage/asiconsole/asi.war directory.
Edit BEA_HOME/ales32-admin/config/WLESWebLogic.conf as shown below. Note: The original marks the entries you must add in bold italics; that emphasis is not preserved in this rendering, so compare the list against your existing file and add only the entries that are missing, keeping the wrapper.java.classpath numbering consecutive.
wrapper.java.classpath.1=@bea.home@
wrapper.java.classpath.2=@admin.home@/lib/asi-weblogic.jar
wrapper.java.classpath.3=@admin.home@/lib/jsafe.jar
wrapper.java.classpath.4=@admin.home@/lib/jsafeJCE.jar
wrapper.java.classpath.5=@admin.home@/lib/asn1.jar
wrapper.java.classpath.6=@admin.home@/lib/certj.jar
wrapper.java.classpath.7=@admin.home@/lib/saaj.jar
wrapper.java.classpath.8=@java.home@/lib/tools.jar
wrapper.java.classpath.9=@weblogic.home@/server/lib/weblogic_sp.jar
wrapper.java.classpath.10=@admin.home@/lib/xmlpublic.jar
wrapper.java.classpath.11=@weblogic.home@/server/lib/weblogic.jar
wrapper.java.classpath.12=@weblogic.home@/server/lib/webservices.jar
wrapper.java.classpath.13=@admin.home@/lib/wls-v8-rt.jar
wrapper.java.classpath.14=@admin.home@/lib/api.jar
wrapper.java.classpath.15=@admin.home@/lib/framework.jar
wrapper.java.classpath.16=@admin.home@/lib/scmapi.jar
wrapper.java.classpath.17=@admin.home@/lib/log4j.jar
wrapper.java.classpath.18=@admin.home@/lib/asi_classes.jar
wrapper.java.classpath.19=@admin.home@/lib/ssladapter.jar
wrapper.java.classpath.20=@admin.home@/lib/asitools.jar
wrapper.java.classpath.21=@admin.home@/lib/process.jar
wrapper.java.classpath.22=@admin.home@/lib/webservice.jar
wrapper.java.classpath.23=@admin.home@/lib/providers/ales/jconn3.jar
wrapper.java.classpath.24=@weblogic.home@/server/lib/jconn2.jar
wrapper.java.classpath.25=@admin.home@/lib/wrapper.jar
wrapper.java.classpath.26=@admin.home@/lib/asisignal.jar
wrapper.java.classpath.27=@admin.home@/lib/CR330583_414.jar
wrapper.java.classpath.28=@admin.home@/lib/CR336221_414.jar
wrapper.java.classpath.29=@admin.home@/lib/CR338979_414_jdk1.4.jar
wrapper.java.classpath.30=@admin.home@/lib/kodo-runtime.jar
wrapper.java.classpath.31=@admin.home@/lib/jca1.0.jar
wrapper.java.classpath.32=@admin.home@/lib/jdbc2_0-stdext.jar
wrapper.java.classpath.33=@admin.home@/lib/jdo.jar
wrapper.java.classpath.34=@admin.home@/lib/jta-spec1_0_1.jar
wrapper.java.classpath.35=@admin.home@/lib/openjpa.jar
wrapper.java.classpath.36=@admin.home@/lib/commons-collections-3.2.jar
wrapper.java.classpath.37=@admin.home@/lib/commons-lang-2.1.jar
wrapper.java.classpath.38=@admin.home@/lib/commons-pool-1.3.jar
wrapper.java.classpath.39=@admin.home@/lib/serp.jar
wrapper.java.classpath.40=@admin.home@/lib/persistence-api.jar
wrapper.java.classpath.41=@admin.home@/lib/quarkparser.jar
wrapper.java.classpath.42=@admin.home@/lib/backport-util-concurrent.jar
wrapper.java.classpath.43=@admin.home@/lib/org.mortbay.jetty.jar
wrapper.java.classpath.44=@admin.home@/lib/javax.servlet.jar
wrapper.java.classpath.45=@admin.home@/lib/org.apache.jasper.jar
wrapper.java.classpath.46=@admin.home@/lib/sslserver.jar
wrapper.java.classpath.47=@admin.home@/lib/sslclient.jar
wrapper.java.classpath.48=@admin.home@/lib/axis.jar
wrapper.java.classpath.49=@admin.home@/lib/commons-logging-1.0.4.jar
wrapper.java.classpath.50=@admin.home@/lib/commons-discovery-0.2.jar
wrapper.java.classpath.51=@admin.home@/lib/pdsoap.jar
wrapper.java.classpath.52=@admin.home@/lib/wsdl4j-1.5.1.jar
wrapper.java.classpath.53=@admin.home@/lib/antlr.jar
wrapper.java.classpath.54=@admin.home@/lib/xmlbeans-2.3.0/xbean.jar
wrapper.java.classpath.55=@admin.home@/lib/jsr173_1.0_api.jar
wrapper.java.classpath.56=@weblogic.home@/server/lib/ojdbc14.jar
wrapper.java.classpath.57=@admin.home@/lib/ld-server-core.jar
wrapper.java.classpath.58=@admin.home@/lib/wlsdo.jar
wrapper.java.classpath.59=@admin.home@/lib/wlxbean.jar
wrapper.java.classpath.60=@admin.home@/lib/xbean.jar
wrapper.java.classpath.61=@admin.home@/lib/xqrl.jar
wrapper.java.classpath.62=@admin.home@/lib/ld-client.jar
wrapper.java.classpath.63=@db.jdbc.driver.loc@
wrapper.java.classpath.64=@admin.home@/config
wrapper.java.classpath.65=@admin.home@/lib/alesAssetSchemaObjects.jar
wrapper.java.classpath.66=@admin.home@/lib/policyPropagation.jar
wrapper.java.classpath.67=@admin.home@/lib/policyPropagationALER30.jar
wrapper.java.classpath.68=@admin.home@/lib/configSchemaObjects.jar
wrapper.java.classpath.69=@admin.home@/lib/policyPropagationALER26.jar
wrapper.java.classpath.70=@admin.home@/lib/policySchemaObjects.jar
wrapper.java.classpath.71=@admin.home@/lib/commons-fileupload.jar
wrapper.java.classpath.72=@admin.home@/lib/managementapi.jar
wrapper.java.classpath.73=@admin.home@/lib/jdom.jar
Create a resource named policypropagation under the following existing resource: ASI/asiconsole/url/asi
Then add the following policy for the new policypropagation resource:
grant( [//priv/GET,//priv/POST], //app/policy/ASI/asiconsole/url/asi/policypropagation, //role/Everyone) if true;
Note that this grant makes the servlet URL reachable by //role/Everyone; if your deployment allows it, narrow the subject to the administrators who actually run policyIX.
Open policyIX.sh|bat in an editor and add the following Java option: -Dadmin.server.type=wls81
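The procedure above touches two files by hand, and a mistake in either (a mistyped class name, a mapping that points at the wrong servlet, or a classpath entry added with a skipped number) fails silently until policyIX is run. The following Python script is an added post-change check for this page, not part of the product: it verifies that web.xml declares the listener and maps policyPropagationServlet to /policypropagation, and that the wrapper.java.classpath.N list in WLESWebLogic.conf is numbered consecutively from 1 and still reaches the jars named in REQUIRED_JARS. The gap rule is an assumption drawn from the Java Service Wrapper conventions the file uses (entries after a numbering gap are ignored), and REQUIRED_JARS is an illustrative guess to replace with the entries your copy of the file marks as required.

```python
"""Post-change check for the WebLogic 8.1 policy-propagation procedure above.

Added example for this page, not part of the product. It checks that web.xml
declares the listener and maps policyPropagationServlet to /policypropagation,
and that the wrapper.java.classpath.N list in WLESWebLogic.conf is numbered
consecutively from 1 and still reaches the jars in REQUIRED_JARS. The gap rule
is an assumption drawn from the Java Service Wrapper conventions the file uses
(entries after a numbering gap are ignored); REQUIRED_JARS is an illustrative
guess, so replace it with the entries your copy of the file marks as required.
"""
import re
import xml.etree.ElementTree as ET

LISTENER = "com.ales.policypropagation.servlet.PropagationSessionListener"
SERVLET = "com.ales.policypropagation.servlet.PolicyPropagationServlet"
SERVLET_NAME = "policyPropagationServlet"
URL_PATTERN = "/policypropagation"
REQUIRED_JARS = ("policyPropagation.jar", "commons-fileupload.jar")  # assumed, see above


def check_web_xml(text):
    """Return a list of problems in a web.xml document; an empty list means it is wired up."""
    root = ET.fromstring(text)
    for el in root.iter():                       # drop any default namespace (servlet 2.4+ files)
        el.tag = el.tag.rsplit("}", 1)[-1]
    problems = []
    listeners = [(l.text or "").strip() for l in root.iterfind("listener/listener-class")]
    if LISTENER not in listeners:
        problems.append("listener not declared: " + LISTENER)
    classes = {(s.findtext("servlet-name") or "").strip(): (s.findtext("servlet-class") or "").strip()
               for s in root.iterfind("servlet")}
    if classes.get(SERVLET_NAME) != SERVLET:
        problems.append(f"{SERVLET_NAME} not declared with class {SERVLET}")
    mappings = {(m.findtext("url-pattern") or "").strip(): (m.findtext("servlet-name") or "").strip()
                for m in root.iterfind("servlet-mapping")}
    if mappings.get(URL_PATTERN) != SERVLET_NAME:
        problems.append(f"{URL_PATTERN} is not mapped to {SERVLET_NAME}")
    return problems


CP_LINE = re.compile(r"^\s*wrapper\.java\.classpath\.(\d+)\s*=\s*(\S+)")


def check_wrapper_conf(text, required=REQUIRED_JARS):
    """Return a list of problems with the classpath list in a wrapper-style conf file."""
    entries = {}
    for line in text.splitlines():
        m = CP_LINE.match(line)
        if m:
            n = int(m.group(1))
            if n in entries:
                return [f"wrapper.java.classpath.{n} is defined twice"]
            entries[n] = m.group(2)
    effective, n = [], 1                          # the consecutive run starting at 1 is what gets loaded
    while n in entries:
        effective.append(entries[n])
        n += 1
    problems = []
    if len(effective) != len(entries):
        problems.append(f"numbering gap at wrapper.java.classpath.{n}; "
                        f"{len(entries) - len(effective)} entries after it are ignored")
    for jar in required:
        if not any(e.endswith("/" + jar) for e in effective):
            problems.append("effective classpath does not reach " + jar)
    return problems


# Constructed samples: the page's web.xml fragment wrapped in <web-app>, and two conf excerpts.
WEB_XML = f"""<web-app>
  <listener><listener-class>{LISTENER}</listener-class></listener>
  <servlet><servlet-name>{SERVLET_NAME}</servlet-name><servlet-class>{SERVLET}</servlet-class>
    <load-on-startup>1</load-on-startup></servlet>
  <servlet-mapping><servlet-name>{SERVLET_NAME}</servlet-name><url-pattern>{URL_PATTERN}</url-pattern></servlet-mapping>
</web-app>"""
GOOD_CONF = """wrapper.java.classpath.1=@bea.home@
wrapper.java.classpath.2=@admin.home@/lib/policyPropagation.jar
wrapper.java.classpath.3=@admin.home@/lib/commons-fileupload.jar
"""
GAPPED_CONF = GOOD_CONF.replace("classpath.3", "classpath.4")   # entry 3 skipped: jar at 4 is never loaded

if __name__ == "__main__":
    print(check_web_xml(WEB_XML) or "web.xml OK")
    print(check_wrapper_conf(GOOD_CONF) or "wrapper conf OK")
    print(check_wrapper_conf(GAPPED_CONF))
```

Point check_web_xml at the web.xml extracted from the repackaged asi.war (and again at the staged copy, since the page requires both to be updated) and check_wrapper_conf at WLESWebLogic.conf; an empty list from each is the pass condition.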
Policyexporter is used to output data from the policy store to plain-text policy files. These policy files can be imported back to the same or to another policy store using the policyloader as described in Policyloader.
The plain-text policy files include the following management object types:
— Resources, resource attributes, and resource bindings
— Actions, action bindings, and action groups
— Roles
— Authorization and role policies
— Identities, including user, group, and membership
— Declarations, constants and evaluation functions
— SSM configuration data and providers' configuration data
The export process also generates two additional files (object_config, objattr_config) that contain SSM configuration data. These files also get loaded and are similar to object and objattr respectively in format. These files are split so as to differentiate policy elements from configuration elements. However, object_config and objattr_config can be merged into object and objattr respectively, if needed.
Observe the following requirements and limitations:
The target directory name must contain no white space and must not be write-protected. The required free space depends on the size of the policy being exported.
To perform an export, you must be a database administrator or the policy owner.
Run the export scripts from the Administration Server's /bin directory. These scripts need to locate files relative to this directory.
To perform a policy export using policyexporter, run policyexporter.bat|.sh as described in Running Policyexporter.
To run policyexporter, perform the following steps:
Change to the Administration Server's \bin directory.
Make sure that your PATH and the client environment are set up properly.
Run policyexporter.bat|.sh <directory>, where <directory> is the full path to the target directory where the policy should be exported.
The Policy Import tool (policyloader.bat|sh) is a Java utility that can be used to import and export policy data. To import policies, it reads text files containing the policy definitions; each policy element is stored in a separate file, referred to as a policy file. For information on the specific format of these policy elements, see Advanced Topics in the Policy Managers Guide.
PolicyIX imports/exports support the following objects:
— Organizations and Identities
— Applications
— Resources and resource attributes
— Actions including action groups
— Declarations, including attribute definitions, evaluation functions, and constants.
— Roles, role hierarchies, role attributes
— Policies including Membership Rules and Authorization policies
— Resource binding
— SSM configuration (export only)
— Meta objects
Policyloader uses multi-threading processing and is optimized for fast imports and distribution of large policies. In addition, policy imports are transactional: all policies are loaded, or none.
Note: | When running the Policy Import tool on a large policy, the number of records processed may not be synchronized. When multiple threads are used to import the data, which thread completes first cannot be determined. If the thread count is set too high, a message may appear indicating that the number of records processed is not synchronized. This is normal and is not a problem for the Policy Import tool. |
To perform an import using policyloader:
Obtain the policy data files. Files produced by policyexporter can be loaded directly; in addition, policy data files may be manually created as described in Advanced Topics in the Policy Managers Guide.
Create the policyloader configuration file. You can use the ../examples/common/data/policy/template/load.conf file as a template.
Run policyloader. If the load reports errors, correct the generated version files and rerun in -recover mode as described in Recover Mode.
The configuration file consists of name/value pairs specifying the information needed by policyloader. The file paths in the configuration file are resolved relative to the directory from which you run the Policy Import tool; use full path names to avoid this directory dependency. Spaces are allowed between parameters and between new lines. Parameter names are case insensitive. Table 3-3 lists the parameters you need to configure for the Policy Import tool.
A sample configuration file is shown in Policyloader Configuration File, Listing 3-1.
Note: | Be sure to use forward slashes (/) when specifying the policy file directory path. |
# Copyright (c) 2004-2008 Oracle and/or its affiliates. All rights reserved.
#####################################################################
## In addition, asi.properties is read in from the /config directory. Parameters set here will override values defined there.
#### Enterprise Domain Name (DEPRECATED - Should always be asi)
Domain asi
#### An OES admin user name. Must be the same as stored in database.
Username admin
#### Encrypted password file
PasswordFile C:/bea/ales32-shared/keys/password.xml
#### Password key file
PasswordKeyFile C:/bea/ales32-shared/keys/password.key
#### The application node holding the administration policy.
#### If commented out it assumes the default value of "admin".
ApplicationNode admin
#### Milliseconds to wait for server to respond. For large files
#### increase or use ASI.INFINITE
RequestTimeout 600000
#### Number of times retries should take place(DEFAULT 100)
BLMContextRetries 10
#### Milliseconds to wait between retries (DEFAULT 100ms)
BLMContextInterval_ms 10000
#### Number of concurrent threads.
RunningThread 2
#### Number of entries loaded in a single load (200 here)
BulkSize 200
#### Directory of policy files. May be a relative path.
PolicyDirectoryPath C:/bea/ales32-admin/data/adminPolicy/standardBase
#### Indicate if policies should be distributed. Default = YES
PolicyDistribution flush
#### File where all error messages are logged.
ErrorLogFile C:/bea/ales32-admin/log/loader.log
#### Action to be performed: load or remove. Default = LOAD
#Action REMOVE
#### Policy import mode: INITIAL or RECOVER. Default = INITIAL
#### This parameter can also be passed in as a command parameters.
#### Command line parameters override values in this file.
#Mode RECOVER
#### Uncomment to see debug information, default = 0 (no debug)
#Debug 1
#### Uncomment to hide console interaction (yes/no), default = yes
#### If you want to run loader in background/in batch process, set this to no
ConsoleDisplay no
Once the configuration file and the policy data files are set up, run policyloader as follows:
policyloader.bat|sh <load.conf>
where <load.conf> is the name of the configuration file.
You may also use the following options:
-disableTransaction
Prevents loading of policies in a single transaction. This is recommended when loading a large policy set. It improves loading performance, but loaded policy data will not be rolled back if the loading fails.
-help|-?|-usage
Print USAGE and exit.
-initial
Run in initial mode (there should be no versioned files in the policy directory).
-recover
Run in recover mode to revert to an earlier policy set. For details, see Recover Mode.
-load
(Default) Load policy from the files specified in the configuration file.
-remove
Removes the policies from the database.
Notes: |
An Object Exists Error message indicates that a duplicate policy entry was created.
If an error other than Object Exists Error occurs, a file is generated about the error and the error message is logged. See the next section for more information.
If an error occurs, the Policy Loader terminates; you must restart the Policy Import tool. The name of the error file is defined in your Policy Import tool configuration file by the ErrorLogFile parameter. In addition, to distribute policy you need distribution privileges granted to you.
Also, because the Policy Import tool is multi-threaded and each thread writes out to the log when it is complete, you cannot guarantee the order in which each load completes.
The Policy Import tool processes policy files according to a predefined order, and if the policy file is not found, it tries to load the next policy file in the proper order. Records imported successfully are committed to the database. After the import process begins, you cannot go back within the same process and edit changes you have made. If you want to change what you have done, you have to start a new import process. After the import process is complete, you may run the removal operation to reverse the import process.
When the policyloader encounters an error (other than Object Exists Error), it generates a file named <filename>.<version> (for example, object.1, object.2) and logs an error message. These files contain only the problematic lines from the policy data files. You can correct the mistakes in these files and re-run the policy loader in recover mode.
Recover mode can be run in one of two ways: pass the -recover option on the command line, or set Mode RECOVER in the configuration file (command-line parameters override values in the file).
In recover mode, policyloader only tries to load the highest version files that have not already been loaded. If you corrected priv.1 and there are still problems, the loader generates priv.2 with just the lines that failed. You can then correct priv.2 and rerun the policy loader in recover mode. Perform additional iterations until policyloader does not generate any new version files and the error log file does not indicate any outstanding errors.
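The configuration-file rules given earlier (name/value pairs, case-insensitive names, forward-slash paths, command-line options overriding the file) and the recover-mode version selection just described are modelled together in the following Python script. It is an added example for this page, not policyloader's code: the defaults are the ones noted in the Listing 3-1 comments (ApplicationNode admin, Action LOAD, Mode INITIAL, Debug 0, ConsoleDisplay yes), the option-to-parameter mapping covers -recover, -initial, -load and -remove, and treating the highest-numbered <file>.<version> as the one not yet loaded is an assumption.

```python
"""Model of how policyloader reads load.conf and chooses files in recover mode.

Added example for this page; it is not policyloader code. The rules are the
ones stated above: '#' lines are comments, each parameter is a name followed by
whitespace and a value, names are case-insensitive, command-line options
override the file, paths use forward slashes, and the defaults are those noted
in the sample file (ApplicationNode admin, Action LOAD, Mode INITIAL, Debug 0,
ConsoleDisplay yes). In recover mode only the highest <file>.<version> of each
policy file is loaded, and initial mode requires that no versioned files exist.
Treating the highest version as the one not yet loaded is an assumption.
"""
import re

DEFAULTS = {"applicationnode": "admin", "action": "LOAD", "mode": "INITIAL",
            "debug": "0", "consoledisplay": "yes"}
OPTIONS = {"-recover": ("mode", "RECOVER"), "-initial": ("mode", "INITIAL"),
           "-load": ("action", "LOAD"), "-remove": ("action", "REMOVE")}
VERSIONED = re.compile(r"^(?P<base>[^.]+)\.(?P<ver>\d+)$")


def parse_load_conf(text, argv=()):
    """Parse load.conf text; values from argv options win over the file, which wins over DEFAULTS."""
    params = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed line: {raw!r}")
        params[parts[0].lower()] = parts[1].strip()
    for opt in argv:
        if opt not in OPTIONS:
            raise ValueError("unknown option: " + opt)
        name, value = OPTIONS[opt]
        params[name] = value
    if "\\" in params.get("policydirectorypath", ""):
        raise ValueError("PolicyDirectoryPath must use forward slashes")
    return params


def select_files(filenames, mode):
    """Map each policy file base name to the file policyloader would read in the given mode."""
    plain, versions = {}, {}
    for name in filenames:
        m = VERSIONED.match(name)
        if m:
            versions.setdefault(m["base"], []).append(int(m["ver"]))
        else:
            plain[name] = name
    mode = mode.upper()
    if mode == "INITIAL":
        if versions:   # leftovers from an earlier failed run: clean up or use -recover
            raise ValueError("versioned files present: " + ", ".join(
                f"{b}.{max(v)}" for b, v in sorted(versions.items())))
        return plain
    if mode == "RECOVER":
        # Only the highest version of each file: object.2 wins over object.1 and object
        return {b: f"{b}.{max(v)}" for b, v in versions.items()}
    raise ValueError("unknown mode: " + mode)


# Constructed sample input: a trimmed load.conf and a policy directory listing after two failed loads.
SAMPLE_CONF = """# constructed excerpt in the load.conf format shown in Listing 3-1
Domain asi
Username admin
PolicyDirectoryPath C:/bea/ales32-admin/data/adminPolicy/standardBase
RunningThread 2
BulkSize 200
#Mode RECOVER
ConsoleDisplay no
"""
SAMPLE_DIR = ["object", "objattr", "priv", "object.1", "object.2", "priv.1"]

if __name__ == "__main__":
    conf = parse_load_conf(SAMPLE_CONF, ["-recover"])
    print(conf["mode"], conf["policydirectorypath"])
    print(select_files(SAMPLE_DIR, conf["mode"]))
```

With the sample listing, recover mode picks object.2 and priv.1 and ignores objattr, which has no version file; initial mode refuses the same listing, which is the situation the -initial note ("there should be no versioned files in the policy directory") warns about.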
Loads the administrative policy that determines administrative access to the Administration Console and the Entitlements Administration Application. This utility is automatically called during the installation process, and it is unlikely you will ever need to run it independently.
The utility is located at OES_ADMIN_HOME\bin\load_adminpolicy.bat.