Securing WebLogic Server

Migrating Security Data

WebLogic Server provides methods for exporting security data from one security realm or security provider and importing the data into another realm or provider. The following sections provide information about exporting and importing security data.

• Overview of Security Data Migration
• Migration Concepts
• Formats and Constraints Supported by the WebLogic Security Providers
• Migrating Data Using WLST

 

---

Overview of Security Data Migration

Security realms persist different kinds of security data. Examples of security data used by security providers in a WebLogic security realm include users and groups (for the WebLogic Authentication provider), security policies (for the WebLogic Authorization provider), security roles (for the WebLogic Role Mapping provider), or credential maps (for the WebLogic Credential Mapping provider). When you configure a new security realm or a new security provider, you may prefer to use the security data from your existing realm or provider, rather than recreate all the users, groups, policies, roles, and credential maps. Several WebLogic security providers support security data migration. This means you can export security data from one security realm, and import it into a new security realm. You can migrate security data for each security provider individually, or migrate security data for all the WebLogic security providers at once (that is, security data for an entire security realm). You migrate security data through the WebLogic Administration Console or by using the WebLogic Scripting Tool (WLST).

Migrating security data may be helpful when:

• Transitioning from development to production mode.
• Copying production mode security configurations to the security realms in new WebLogic Server domains.
• Moving data from one security realm to a new security realm in the same WebLogic Server domain, where one or more of the default WebLogic security providers will be replaced with new security providers.

The remainder of this section describes the concepts you need to understand when migrating security data, the formats and constraints supported by the WebLogic security providers, and how to use WLST to migrate security data.

For more information about migrating security data using the WebLogic Administration Console, see the following topics in the online help:

• Export data from security realms
• Import data into security realms
• Export data from security providers
• Import data into security providers

 

---

Migration Concepts

A format is simply a data format that specifies how security data should be exported or imported. Supported formats are the list of data formats that a given security provider understands how to process.

Constraints are key/value pairs that specify options to the export or import process. Use constraints to control which security data is exported to or imported from the security provider's database (in the case of the WebLogic Server security providers, the embedded LDAP server). For example, you may want to export only users (not groups) from an Authentication provider's database. Supported constraints are the list of constraints you may specify during the migration process for a particular security provider. For example, an Authentication provider's database may be used to import users and groups, but not security policies.

Export files are the files to which security data is written (in the specified format) during the export portion of the migration process. Import files are files from which security data is read (also in the specified format) during the import portion of the migration process. Both export and import files are simply temporary storage locations for security data as it is migrated from one security provider's data store to another.

 

---

Formats and Constraints Supported by the WebLogic Security Providers

WebLogic Server does not provide any standard, public formats for developers of security providers. Therefore, in order for security data to be exported and imported from one security provider to another, both security providers must understand how to process the same format.

Notes: Because the data format used for the WebLogic Server security providers is unpublished, you cannot currently migrate security data from a WebLogic security provider to a custom security provider, or vice versa.

WebLogic security providers support the following formats and constraints.

Table 8-1 Formats and Constraints Supported by the WebLogic Security Providers

WebLogic Provider	Supported Format	Supported Constraints
WebLogic Authentication Provider	DefaultAtn	Users, groups
WebLogic Authorization Provider	DefaultAtz	None
WebLogic Role Mapping Provider	DefaultRoles	None
WebLogic Credential Mapping Provider	DefaultCreds	Passwords

 

In the WebLogic Administration Console, the constraints are only displayed for the WebLogic Authentication provider because you have the option of exporting or importing users and groups, only users, or only groups.

When exporting credential maps from the WebLogic Credential Mapping provider, you need to specify whether or not the passwords for the credentials are exported in clear text. The mechanism used to encrypt passwords in each WebLogic Server domain is different; therefore, you want to export passwords in clear text if you plan to use them in a different WebLogic Server domain. After the credential maps are imported into the WebLogic Credential Mapping provider in the new WebLogic Server domain, the passwords are encrypted. Carefully protect the directory and file in which you export credential maps in clear text as secure data is available on your system during the migration process.

 

---

Migrating Data Using WLST

You can use the WebLogic Scripting Tool (WLST) to export and import data from a security provider. The format of the WLST command to import data is:

cd("SecurityConfiguration/mydomain/DefaultRealm/myrealm/path-to-MBean/mbeanname")

cmo.importData(format,filename,constraints)

where

mbeanname—Name of the security provider MBean.

format—DefaultAtn, DefaultAtz, DefaultRoles, or DefaultCreds

filename—The directory location and filename in which to export or import the security data. Remember that, regardless of whether you are using a UNIX or Windows operating system, you need to use a forward slash, not a back slash, as a path separator for pathname arguments in WLST commands.

constraints—The contraints that limit the data to be exported or imported

For more information, see WebLogic Scripting Tool.

 

---

Migrating Data Using weblogic.admin

Note: The weblogic.Admin utility is deprecated in this release of WebLogic Server. Use WLST instead.

You can also use the weblogic.Admin utility to export and import security data between security realms and security providers. The format of the command is:

java weblogic.Admin -username username -password password \
INVOKE -mbean mbeanname \
-method methodname dataformat filename constraints

where

username—Name of the Admin user

password—Password of the Admin user

mbeanname—Name of the security provider MBean.

methodname—exportData or importData

dataformat—DefaultAtn, DefaultAtz, DefaultRoles, or DefaultCreds

filename—The directory location and filename in which to export or import the security data

constraints—The constraints that limit the data to be exported or imported

Note: The directory and file into which you export the security data should be carefully protected with operating system security as they contain secure information about your deployment.

For example:

java weblogic.Admin -username system -password weblogic INVOKE -mbean Security:Name=myrealmDefaultAuthenticator -method importData DefaultAtn d:\temp\security.info " "