Upgrade Guide

Upgrading Security Features

When upgrading from WebLogic Integration 2.1 SP2 or WebLogic Integration 7.0 SP2 to WebLogic Integration 8.1, security features must be upgraded manually. This section contains information about these procedures.

Topics Included in this Section

WebLogic Server Security Upgrade

Provides information on upgrading WebLogic Server ACLs, users, groups, and certificates.

WebLogic BPM Security Upgrade

Provides information on upgrading WebLogic business process management (BPM) security.

WebLogic B2B Security Upgrade

Provides information on upgrading B2B security.

WebLogic Application Integration Security Upgrade

Provides information on upgrading WebLogic application integration security.

WebLogic Server Security Upgrade

WebLogic Server ACLs, users, groups, certificates, and so on must be upgraded by following the Security section of the WebLogic Server 8.1 Upgrade Guide at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs81/security.html

WebLogic Integration 8.1 uses the Default Security Configuration in WebLogic Server 8.1. For more information refer to Managing WebLogic Security.

WebLogic BPM Security Upgrade

Upgrading WebLogic business process management (BPM) security affects users, roles, organizations, calendars, e-mail, and permissions.

WebLogic BPM Users, Roles, and Organizations

WebLogic business process management (BPM) security upgrades to users are handled separately from roles and organizations.

WebLogic BPM Users

All WebLogic BPM users must become WebLogic Server users.

User wlisystem is no longer a special user. The following table shows its replacement in WebLogic Integration 8.1.

Table 6-1 WebLogic Integration 2.1 and 7.0 SP2 wlisystem User vs WebLogic Integration 8.1 Functionality

WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 wlisystem User	Replacement in WebLogic Integration 8.1
The wlisystem user was used when an event or trigger invoking a workflow had no associated user.	A business process started by a message will be run as user `anonymous` by default, unless the business process defines the `<run-as>` attribute. Business processes that have been migrated using the upgrade wizard will use `<run-as> wlisystem` as the running user.

WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 wlisystem User

Replacement in WebLogic Integration 8.1

The wlisystem user was used when an event or trigger invoking a workflow had no associated user.

A business process started by a message will be run as user anonymous by default, unless the business process defines the <run-as> attribute.

Business processes that have been migrated using the upgrade wizard will use <run-as> wlisystem as the running user.

WebLogic BPM Roles and Organizations

The following table shows the replacement in WebLogic Integration 8.1 for BPM roles and organizations.

Table 6-2 WebLogic Integration 2.1 and 7.0 SP2 BPM Roles and Organizations vs WebLogic Integration 8.1 Functionality

WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 Roles and Organizations	Replacement in WebLogic Integration 8.1
Users had roles and were assigned to organizations.	A BPM role and organization are combined and mapped to a WebLogic Server group. Note: The concept of an organization no longer exists.

WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 Roles and Organizations

Replacement in WebLogic Integration 8.1

Users had roles and were assigned to organizations.

A BPM role and organization are combined and mapped to a WebLogic Server group.

Note: The concept of an organization no longer exists.

WebLogic BPM Calendars and Email

WebLogic Integration BPM Calendars and Email have been replaced with new functionality. The following table shows the change in WebLogic Integration 8.1 for BPM calendars and email.

Table 6-3 WebLogic Integration 2.1 SP2 and 7.0 SP2 BPM Calendars and Email vs 8.1 Functionality

WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 BPM Calendars and Email	Replacement in WebLogic Integration 8.1
Calendars existed at the organization, role, and user levels.	Calendars now exists only at the user level, and are configured via the WebLogic Integration Administration Console. Email addresses for users must be re-entered via the WebLogic Integration Administration Console.

WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 BPM Calendars and Email

Replacement in WebLogic Integration 8.1

Calendars existed at the organization, role, and user levels.

Calendars now exists only at the user level, and are configured via the WebLogic Integration Administration Console.

Email addresses for users must be re-entered via the WebLogic Integration Administration Console.

WebLogic BPM Permissions

Permissions in WebLogic Integration 8.1 are set via the WebLogic Integration Administration Console. The following table shows the change in WebLogic Integration 8.1 for BPM permissions.

Table 6-4 WebLogic Integration 2.1 SP2 and 7.0 SP2 BPM permissions vs 8.1 Functionality

WebLogic Integration 2.1 SP2 and 7.0 SP2 BPM permissions	Replacement in WebLogic Integration 8.1
Permissions were set for users and roles.	Permissions are defined using specially named roles that must be configured via the WebLogic Integration Administration Console. The following permissions should be associated with the `admin` role: ConfigureSystems ConfigureComponents MonitorInstances CreateTemplate DeleteTemplate AdministerUser Note: The ExecuteTemplate permission has been replaced by the security policy on business process methods.

WebLogic Integration 2.1 SP2 and 7.0 SP2 BPM permissions

Replacement in WebLogic Integration 8.1

Permissions were set for users and roles.

Permissions are defined using specially named roles that must be configured via the WebLogic Integration Administration Console. The following permissions should be associated with the admin role:

ConfigureSystems
ConfigureComponents
MonitorInstances
CreateTemplate
DeleteTemplate
AdministerUser

Note: The ExecuteTemplate permission has been replaced by the security policy on business process methods.

WebLogic B2B Security Upgrade

Upgrading WebLogic B2B security affects certificates, trading partner configuration, and the packaging of some Java classes you may be using.

For WebLogic Integration 8.1, the B2B system user is no longer used. Instead you will use the users and roles provided when you create a new WebLogic Integration domain.

Certificates must be placed in keystores before they can be upgraded. In WebLogic Integration 2.1 SP2 keystores were not available. In WebLogic Integration 7.0 SP2 the use of keystores was optional.

Upgrading Certificates in WebLogic Integration 2.1 SP2

Certificates used by WebLogic Integration 2.1 SP2 B2B must be imported into the WebLogic Integration 8.1 keystore one at a time by using a JavaSoft JDK keytool utility, or the WebLogic ImportPrivateKey utility as described in "ImportPrivateKey" in the Using the WebLogic Java Utilities section of the WebLogic Server Administration Guide at the following URL:

http://download.oracle.com/docs/cd/E13222_01/wls/docs70/adminguide/utils.html

and in the Configuring the Keystore section of the WebLogic Integration 7.0 B2B Security Guide at the following URL:

http://download.oracle.com/docs/cd/E13214_01/wli/docs70/b2bsecur/keystore.htm

Upgrading Certificates in WebLogic Integration 7.0 SP2

To upgrade certificates used by WebLogic Integration 7.0 SP2 B2B to WebLogic Integration 7.0 8.1, your certificates must be in a private keystore and your trusted certificate authorities must be in the CA keystore. If you have not yet set up these keystores, follow the instructions in the Configuring the Keystore section of the WebLogic Integration 7.0 B2B Security Guide.at the following URL:

http://download.oracle.com/docs/cd/E13214_01/wli/docs70/b2bsecur/keystore.htm

The main steps are:

Generate and configure the private and CA keystores.

Specify the password for the keystores.

In WebLogic Integration 7.0 SP2, enable the auto-migrate mode to allow bulk loading of certificates into the keystore.

After your certificates are in keystores, you can upgrade to WebLogic Integration 8.1 following these steps:

Copy the keystore files to another location.

Configure the WebLogic Server keystore to use the new keystore files. Note that in WebLogic Integration 8.1, clustered keystore configuration is node-specific. If you have clustered nodes, they will need to access a shared directory containing the keystores, or the keystores must be replicated on each node.

Enter the primary key password using the Trading Partner Management (TPM) console. Note that the TPM console must be running.

Upgrading Trading Partner Security Configuration

A script is provided to upgrade your trading partner security and message encryption configuration.

On Windows, run:

BEA_HOME/weblogic81/integration/upgrade/upgradeTPM.cmd

On UNIX, run:

BEA_HOME/weblogic81/integration/upgrade/upgradeTPM.sh

In these commands, BEA_HOME represents the WebLogic Platform home directory.

Upgrading Use of com.bea.b2b.security Classes

You will need to change and recompile your applications that use the com.bea.b2b.security package. The following table shows the changes in class names:

Table 6-5 WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 Classes vs WebLogic Integration8.1 Classes

WebLogic Integration 2.1 SP2 and WebLogic Integration 7.0 SP2 Classes	Replacement in WebLogic Integration 8.1
`com.bea.b2b.security.AuditLogger`	`com.bea.wli.security.audit.AuditLogger`
`com.bea.b2b.security.CertificateVerification`	`com.bea.wli.security.verification.CertificateVerification`
`com.bea.b2b.security.Timestamp`	`com.bea.wli.security.time.Timestamp`

WebLogic Application Integration Security Upgrade

Upgrading WebLogic Application Integration security affects EIS authentication and authorization, and application view access control.

Repackaging Adapter Code

Java classes for adapters must conform to a new package scheme. A script is provided to repackage your adapter code.

On Windows, run:

BEA_HOME/weblogic81/integration/upgrade/aiRepackageAdapter.cmd

On UNIX, run:

BEA_HOME/weblogic81/integration/upgrade/aiRepackageAdapter.sh

In these commands, BEA_HOME represents the WebLogic Platform home directory.

Upgrading Application View Access Control

The security information for WebLogic Application Integration is no longer held in ACL format. Instead, a role-based authorization scheme uses the underlying WebLogic Server 8.1 security infrastructure. Go to the Application Integration section of the WebLogic Integration 8.1 console to reconfigure the security information to access the application view.