Skip navigation.

eDocs Home > BEA WebLogic Server 8.1 Documentation > Managing WebLogic Security > Migrating Security Data

Managing WebLogic Security

  Previous Next vertical dots separating previous/next from contents/index/pdf Contents Index View as PDF   Get Adobe Reader

Migrating Security Data

The following sections provide information about migrating security data between security realms and security providers.

 

Overview of Security Data Migration

Several WebLogic security providers support security data migration. This means you can export users and groups (for the WebLogic Authentication provider), security policies (for the WebLogic Authorization provider), security roles (for the WebLogic Role Mapping provider), or credential maps (for the WebLogic Credential Mapping provider) from one security realm, and import them into a new security realm. You can migrate security data for each security provider individually, or migrate security data for all the WebLogic security providers at once (that is, security data for an entire security realm). You migrate security data through the WebLogic Server Administration Console or by using the weblogic.admin utility.

Migrating security data may be helpful when:

 

Migration Concepts

A format is simply a data format that specifies how security data should be exported or imported. Supported formats are the list of data formats that a given security provider understands how to process.

Constraints are key/value pairs that specify options to the export or import process. Use constraints to control which security data is exported to or imported from the security provider's database (in the case of the WebLogic Server security providers, the embedded LDAP server). For example, you may want to export only users (not groups) from an Authentication provider's database. Supported constraints are the list of constraints you may specify during the migration process for a particular security provider. For example, an Authentication provider's database may be used to import users and groups, but not security policies.

Export files are the files to which security data is written (in the specified format) during the export portion of the migration process. Import files are files from which security data is read (also in the specified format) during the import portion of the migration process. Both export and import files are simply temporary storage locations for security data as it is migrated from one security provider's database to another.

 

Importing and Exporting Security Data from Security Realms

To export security data:

  1. Expand the Security-->Realms nodes.
  2. Select the name of the realm you are configuring (for example, TestRealm).
  3. Select the Migration-->Export tabs.
  4. Specify the directory and filename in which to export the security data in the Export Directory on Server attribute. The directory must exist; the Migration utility will not create a new directory.

    5. Note: The directory and file into which you export the security data should be carefully protected with operating system security as they contain secure information about your deployment.

  5. Click Export.

To import security data:

Note: Once the data is exported from the security realm, it can be imported at any time.

  1. Expand the Realms node.
  2. Select the name of the security realm in which the security data is to be imported.
  3. Select the Migration-->Import tabs.
  4. Specify the directory location and file name of the file that contains the exported security data in the Import Directory on Server attribute.
  5. Click Import.

To verify the security data was imported correctly:

  1. Expand the Security-->Realms nodes.
  2. Select the name of the realm into which the security data was imported.
  3. Click Users.
  4. Users from the security realm from which you exported the security data should appear in the Users table.

Note: Arguments for security policies and roles are stored in lowercase on the Windows platform and mixed case on UNIX platforms. If security policies and security roles are defined in a domain on one platform, exported, and then imported into a domain on a platform with different case handling, the security roles and policies may not work properly. Specifically, Web Application pages that are protected on one operating system may not be protected on a different operating system.

 

Importing and Exporting Security Data from Security Providers

Provider-specific security data can also be exported and imported between providers in different security realms. WebLogic Server does not provide any standard, public formats for developers of security providers. Therefore, in order for security data to be exported and imported from one security provider to another, both security providers must understand how to process the same format.

Notes: Because the data format used for the WebLogic Server security providers is unpublished, you cannot currently migrate security data from a WebLogic security provider to a custom security provider, or visa versa.

WebLogic security providers support the following formats and constraints.

Table 4-1 Formats and Constraints Supported by the WebLogic Security Providers

WebLogic Provider

Supported Format

Supported Constraints

WebLogic Authentication Provider

DefaultAtn

Users, groups

WebLogic Authorization Provider

DefaultAtz

None

WebLogic Role Mapping Provider

DefaultRoles

None

WebLogic Credential Mapping Provider

DefaultCreds

Passwords


 

In the WebLogic Server Administration Console, the constraints are only displayed for the WebLogic Authentication provider because you have the option of exporting or importing users and groups, only users, or only groups.

When exporting credential maps from the WebLogic Credential Mapping provider, you need to specify whether or not the passwords for the credentials are exported in clear text. The mechanism used to encrypt passwords in each WebLogic Server domain is different, therefore, you want to export passwords in clear text if you plan to use them in a different WebLogic Server domain. After the credential maps are imported into the WebLogic Credential Mapping provider in the new WebLogic Server domain, the passwords are encrypted. Carefully protect the directory and file in which you export credential maps in clear text as secure data is available on your system during the migration process.

To export security data from a security provider:

  1. Expand the Security-->Realms nodes.
  2. Select the name of the realm you are configuring (for example, TestRealm).
  3. Select the type of provider from which you want to export security data (for example, Authentication Providers).
  4. Select the security provider from which you want to export security data.
  5. Select the Migration-->Export tabs.
  6. Specify the directory and filename in which to export the security data in the Export Directory attribute. The directory must exist; the Import/Export feature will not create a new directory.

    7. Note: The directory and file into which you export the security data should be carefully protected with operating system security as they contain secure information about your deployment.

  7. Optionally, define a set of security data to be exported in the Export Constraints box.
  8. Click Export.

To import security data into a security provider:

Note: Once the data is exported from the security provider, it can be imported at any time.

  1. Expand the Realms node.
  2. Select the name of the security realm in which the security data is to be imported.
  3. Expand the Providers node.
  4. Select the security provider in which the security data is to be imported.
  5. Select the Migration-->Import tab.
  6. Specify the directory location and file name of the file that contains the exported security data in the Import Directory on Server attribute or use the Browse button to locate the exported file on your computer.
  7. Click Import.

Note: Arguments for security policies and roles are stored in lowercase on the Windows platform and mixed case on UNIX platforms. If security policies and security roles are defined in a domain on one platform, exported, and then imported into a domain on a platform with different case handling, the security roles and policies may not work properly. Specifically, Web Application pages that are protected on one operating system may not be protected on a different operating system.

 

Using the weblogic.Admin Utility

You can also use the weblogic.Admin utility to export and import security data between security realms and security providers. The format of the command is:

java weblogic.Admin -username username -password password \
INVOKE -mbean mbeanname \
-method methodname dataformat filename constraints

where

username—Name of the Admin user

password—Password of the Admin user

mbeanname—Name of the Security provider MBean.

methodnameexportData or importData

dataformatDefaultAtn, DefaultAtz, DefaultRoles, DefaultCreds

filename—The directory location and filename in which to export or import the security data.

constraints—""

Note: The directory and file into which you export the security data should be carefully protected with operating system security as they contain secure information about your deployment.

For example:

java weblogic.Admin -username system -password weblogic INVOKE -mbean Security:Name=myrealmDefaultAuthenticator -method importData DefaultAtn d:\temp\security.info ""

 

Skip navigation bar  Back to Top Previous Next