Oracle® Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service 11g Release 1 (11.1.1) Part Number E15478-05 |
|
|
View PDF |
This chapter proides the procedure for creating an Oracle Access Manager 11g environment that is a replica of an existing, provisioned Oracle Access Manager 11g environment. You can use this approach for rolling out upgrades after testing. The information applies whether you are creating a replica of a test environment for a production environment or vice versa. The source environment is the one being replicated; the target environment is the destination.
This chapter includes the following topics:
See Also:
Oracle Fusion Middleware Administrator's Guide for details about moving Oracle Access Manager to a new (or an existing) production environment.Install and configure target components, as described in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
It is fairly common to develop and test applications in a smaller restricted environment, and then eventually roll out the test applications (and, optionally, test data) to a larger shared environment. You can use the information in this chapter to move Oracle Access Manager 11g data from a test deployment (the source) to a production deployment (the target). You can also use this approach for testing and rolling out upgrades.
Table B-1 describes the types of deployments that customers might have within their enterprise. Deployment types might be named differently in your enterprise.
Table B-1 Deployment Types
Deployment Type | Description |
---|---|
Development Deployment |
Ideally a sandbox-type setting where the dependency on the overall deployment is minimal |
QA Deployment |
Typically a smaller shared deployment used for testing |
Pre-production Deployment |
Typically a shared deployment used for testing with a wider audience |
Production Deployment |
Fully shared and available within the enterprise on a daily basis |
Within each deployment, Oracle Access Manager 11g configuration data is stored in files while Oracle Access Manager 11g policy data is stored in a database.
On the policy configuration side, each application domain is constructed using the following shared components:
Authentication Module
Authentication Scheme (containing one authentication module)
Host-Identifiers
Resources
On the system configuration side, agents host resources or partner applications that must be protected. An agent can be an OAM Agent (Webgate or Access Client) or an OSSO agent. Each agent must be registered with OAM 11g to protect hosted resources. Registering an agent:
Defines the agent and its specific configuration parameters
Creates an application domain for the specified resources
Creates an authentication policy with the default authentication scheme for the partner application
Creates an authorization policy for the specified resources
Generates the symmetric key for the partner application
Transitioning policy and partner information from the test (source) environment to the production (target) environment is accomplished with MBean registered on the AdminServer of the OAM Server. WLST commands fetch the partner and policy information from the source server and applies this on the production server.
The following overview presents the general scope of tasks that must be performed to move OAM 11g policy and partner information from a test (source) environment to a production (target) environment.
Task overview: Moving OAM 11g from test to production
Perform planning activities, as described in Planning an OAM 11g Move from Test to Production.
Export data such as users and groups, the identity and policy stores, and credentials from the source and then Import data to the target as described in Moving OAM 11g From Test to Production.
To reuse source data in only the target system, you can re-register the agents within the target deployment after importing the source data to the target
Modify any information that is specific to the new environment such as host name or ports.
Deploy applications.
This section provides a high-level overview of data migration approaches, methods, and tools for OAM 11g:
About Migrating OSSO Information from One OAM Instance to Another
About Building a Dependency Tree for Each Application Domain
Oracle Access Manager and Oracle Identity Manager are components of Oracle Fusion Middleware 11g. All existing access technologies in the Oracle Identity Management stack converge in Oracle Access Manager 11g. The differences in the scope of tasks required to move an entire Identity Management environment from a test source to a production target are described in Table B-2.
Table B-2 Differences when Transferring Data to New versus Existing Target Environments
New Target Environment | Existing Target Environment |
---|---|
In this scenario you want to move existing Identity Management components in a test environment to a new environment that does not yet exist. This requires the following tasks. Task 8 is the subject of this chapter. All other tasks are described in the Oracle Fusion Middleware Administrator's Guide |
In this scenario you want to move one or more applications from the source to a target in an existing environment, while retaining the source security-related configuration. This requires migrating application-specific data and incremental changes from the source to the target. Task 2 is the subject of this chapter. All other tasks are described in the Oracle Fusion Middleware Administrator's Guide |
|
|
When moving Oracle Access Manager 11g from test to production, you can use one of the methods described in:
Table B-3 describes full replication. By performing manual and automated tasks, you can replicate the OAM test source setup to an OAM production target.
Table B-3 Full Replication
Requirements | Automated and Manual Tasks | Not Required or Processed |
---|---|---|
|
The following WLST commands are used:
An Administrator must also:
|
|
Table B-4 describes golden template processing. By performing manual and automated tasks, you can create a target OAM Server with the identical topology as the source.
Table B-4 Golden Template
Requirements | Manual and Automated Tasks | Not Required or Processed |
---|---|---|
|
The Administrator must manually:
|
Any change in user configuration is an independent, manual step. |
The WLST commands clone the existing OAM test setup and:
|
||
If a source Webgate is configured with a list of primary/secondary OAM Server hosts and OAP ports that are not included in the target (production) environment, after the transition you might see empty fields or a subset of source primary or secondary servers listed in the target environment. |
After running WLST commands, above, the Administrator must also edit target (production) agent registration pages to match actual hosts and ports: |
Table B-5 describes requirements and processing for incremental transfer (known as delta replication). All incremental changes in the source are transferred to the target. Selective transfer is not required.
Table B-5 Delta-Replication
Requirements | Tasks | Not Required or Processed |
---|---|---|
The source OAM Server contains the "truth". Any conflicts between the source and the target are resolved based on the source. |
The Administrator runs the WLST command with the "MigrateAll" flag set to "false" to move only the changes from the source to the target system. |
Policy configuration that has not changed is not processed. |
Table B-6 outlines requirements and tasks. By performing manual and automated tasks, you can re-associate source client applications to the target environment.
Table B-6 Application Re-association
Requirements | Automated and Manual Tasks | Not Required or Processes |
---|---|---|
Re-associates partners and clients from the source environment to the target. |
The Administrator runs WLST commands to:
|
|
The Administrator uses the remote registration tool to:
|
Oracle Access Manager supports migrating partners across OAM Server instances. This is required in a GIT scenario wherein you must copy partner information from an internal to an external deployment.
When migrating a selected partner, retrieve the partner ID from the test system's oam-config.xml. For example, if the partner ID for the OSSO Agent with site name 'TEST_OSSO_AGENT2' is 998AF964144D39BC2F
, as shown here:
<Setting Name="998AF964144D39BC2F" Type="htf:map"> <Setting Name="AdminId" Type="xsd:string"></Setting> <Setting Name="SiteName" Type="xsd:string">TEST_OSSO_AGENT2</Setting>
Then execute the following command from the WLST prompt:
exportSelectedPartners(pathTempOAMPartnerFile="<path where the temporary file need to be generated>",partnersNameList="998AF964144D39BC2F")
Whether you are moving to a new target, or to an existing target, Oracle provides the WLST commands that use an MBean on the OAM 11g AdminServer and enable administrators to:
Configure the target user identity store to match the source user identity store, when needed.
Replicate and move application domain and policy data (for all or for only selected domains and policies).
Provide a conflict resolution profile (automatically) that describes how ID conflicts between the source and target systems must be resolved.
Exporting replicates and exports application domains and partner information to a temporary dump file. To protect this sensitive information, a keystore is generated with the dump file. The key in this keystore is used to encrypt the dump file.
Table B-7 provides information on export mode commands, which you run on the test source OAM Server that is hosting the partner to be exported.
Table B-7 Export Commands
Command | Description | Example |
---|---|---|
exportPartners() |
Exporting a partner creates an object with all partner information, along with the key for each of the partners. This command takes the path to the temporary oam-partners file as a parameter. |
exportPartners(pathTempOAMPartnerFile=' <pathTempOAMPartnerFile>) |
exportPolicy() |
Exports application domain and policy data from the source. OAM application domains are exported with all dependencies. This command takes the path to the temporary oam-policy file as a parameter. |
exportPolicy(pathTempOAMPolicyFile=' <pathTempOAMPolicyFile >') |
Importing decrypts the generated dump file using the key in the keystore and imports the dump file contents to the target OAM Server. You can import partners, policies, or policy differences, as described in Table B-8. Import commands are run on the target OAM Server.
Table B-8 Import Commands
Command | Description | Example |
---|---|---|
importPartners() |
Decrypts and imports partner data using the key in the keystore. This command takes as input the path the temporary oam-partners file as a parameter that was created during the export operation. |
importPartners (pathTempOAMPartnerFile=' <pathTempOAMPartnerFile>') |
importPolicy() |
Decrypts and imports application domain and policy data. Caution: This command overwrites all policy data on the target. This command takes as input the path the temporary oam-policy file that was created during the export operation. |
importPolicy(pathTempOAMPolicyFile=' <pathTempOAMPolicyFile >') |
importPolicyDelta() |
Decrypts and only the changes from the source to the target OAM Server without overwriting unchanged policy data on the target. Note: This command writes only changed policy data to the target. This command takes as input the path the temporary oam-policy file that was created during the export operation. |
importPolicyDelta(pathTempOAMPolicyFile=' <pathTempOAMPolicyFile >' |
Figure B-1 illustrates the processing that occurs between the source and target systems.
Policy conflicts are resolved automatically during processing. The source system is presumed to be the single source of truth during data migration. Any conflicts that are detected between the source system and the target system must be resolved during processing.
Before migrating an OAM 11g application domain, a dependency tree must be constructed for each of the application domains to be migrated.
The dependency tree can be represented as shown in Figure B-2.
Figure B-2 Dependency Tree for Each Application Domain
In the sample dependency tree shown in Figure B-2, the application domain consists of three authentication policies and two resources. Each authentication policy is configured with an authentication scheme and each of authentication scheme has an authentication module configured. This sample application domain applies to two resources (each resource is defined as a host identifier and a resource URL).
To migrate data for an application domain, the shared components (Modules, Schemes and Host-identifiers) must be migrated first, if they are not already migrated. Shared component data migration is followed by application domain data migration.
Planning and preparation are key components of any successful data transfer strategy. This section discusses the planning considerations and inventory items that you and your team need to create to ensure your success:
Review details in "About Methods to Move from Test to Production" and choose the method that best suits your needs as described in:
When transferring Oracle Access Manager configuration data from a source to a target, be sure to note the following types of differences between the two environments:
Names and implementation details of OAM Server instances
Names and implementation details of OAM Agents (Webgates, and Access Clients) including changing the OAM Server to which the Agent points.
Names and implementation details of OSSO Agents (mod_osso) including changing the OAM Server to which the Agent points
Definitions for Host Identifiers
Definitions for authentication schemes, including Challenge Redirect parameters.
Definitions for authorization policies, constraints, responses, and resources
Definitions for application domains, including all redirect URLs defined in authentication and authorization policies
Before starting any transfer activities, Oracle recommends that you take inventory of your existing Oracle Access Manager 11g Release 1 (11.1.1) deployment. You can gather details from existing installation records or you can gather fresh information directly from the deployment.
To help ensure data correctness before transfer, Oracle recommends that you develop specific tests that evaluate configuration in the source deployment.
After transfer, you can use these same tests in the target deployment to ensure that everything is working as expected.
All changes are reflected in the Oracle Access Manager Console and are automatically propagated to every OAM Server in the cluster.
When you have a single OAM Server and a single Oracle Access Manager Console running on different computers, changes are propagated to the managed run-time OAM Server.
Before starting any move, Oracle strongly recommends that you and your team schedule specific transfer windows and that you notify other administrators about planned activities in any deployment for which they are responsible.
Oracle recommends that you back up data before transfer, and restore the backup after transfer if needed.
This section is divided into the following based on your needs:
Use steps in the following procedure as needed to export partner and policy data from the test source environment.
Prerequisites
Planning an OAM 11g Move from Test to Production
See:
Appendix F, "Introduction to Custom WLST Commands for Administrators"
Oracle Fusion Middleware Administrator's Guide for details about moving Oracle Access Manager 10g to a new (or an existing) production environment
To export data from the test source
Export Partner Data: On the source OAM Server hosting the OAM 11g partner run the following command using the path to your own temporary OAM partners file. For example:
exportPartners(pathTempOAMPartnerFile=', <pathTempOAMPartnerFile>>')
Export Policy Data: On the source OAM Server hosting the OAM 11g policy data, run the following command using the path to your own temporary OAM policy file. For example:
exportPolicy(pathTempOAMPolicyFile=', <pathTempOAMPolicyFile >')
Repeat on each source OAM Server hosting partner and policy data.
Use steps in the following procedure as needed to import partner and policy data from the test source environment.
See Also:
"Introduction to Methods and Tools"Prerequisites
Exporting OAM 11g Data from Test (Source)
To import data to the production target
Import Partner Data: On the target OAM Server, run the following command using the path to the temporary source partners file. For example:
importPartners(pathTempOAMPartnerFile=', <pathTempOAMPartnerFile>>')
Import Full Policy Data: On the target OAM Server, run the following command using the path to the temporary source policy file. For example:
importPolicy(pathTempOAMPolicyFile=', <pathTempOAMPolicyFile >')
Import Only the Policy Delta: On the target OAM Server, run the following command using the path to the temporary source policy file. For example:
importPolicyDelta(pathTempOAMPolicyFile=', <pathTempOAMPolicyFile >')
Repeat on each source OAM Server hosting partner and policy data.