15 Migrating Sun OpenSSO Enterprise 8.0 Environments

This chapter describes how to migrate Sun OpenSSO Enterprise (OpenSSO Enterprise) 8.0 to Oracle Access Management Access Manager (Access Manager) 11g Release 2 (11.1.2).

15.1 Migration Overview

This section introduces two tools that are used in the process of migrating Sun OpenSSO Enterprise 8.0 to Oracle Access Manager 11.1.2.

OpenSSO Agent Assessment Tool

The OpenSSO Agent Assessment Tool reads the agents and policies from the OpenSSO Enterprise server, analyzes which policy elements can be migrated to Access Manager 11.1.2, and generates an assessment report. The generated report provides information on whether the agents can be migrated or not, and whether the policies can be manually migrated, auto-migrated, or semi-migrated based on the Access Manager 11.1.2 policy model.

The assessment tool reads and shows information about OpenSSO Enterprise agent profiles, policies, user stores, and authentication stores. It assesses which data can and cannot be migrated to Access Manager 11.1.2, based on the artifacts that Access Manager 11.1.2 supports.

You can generate the assessment report more than once before you migrate OpenSSO Enterprise 8.0 to Access Manager 11.1.2.

Migration Tool

The Migration tool migrates the following artifacts of OpenSSO Enterprise 8.0 to Access Manager 11.1.2:

  • Agents configuration

  • Policies

  • User store configuration

  • Authentication store configuration

Note:

The migration tool and assessment tool do not support connection with the configuration store over the SSL port.

For more information about other migration scenarios, see Section 1.3, "Migration and Coexistence Scenarios".

15.2 Modes of Migration

This section describes the two modes of migration that you can perform using the procedure described in this chapter.

15.2.1 Complete Migration

Complete Migration migrates all compatible agents, policies, user stores, and authentication stores of OpenSSO Enterprise 8.0 to Access Manager 11.1.2. The first migration that you perform is a complete migration. Each subsequent run is treated as a delta migration. Complete migration can be performed only once, as the first migration.

The complete migration sets the migration version in the Access Manager 11.1.2 configuration store.

To perform complete migration, follow the procedure described in Migration Roadmap.

Note:

If the complete migration fails, you must manually clean up the partially migrated data before you perform the complete migration again.

15.2.2 Delta Migration

Delta Migration is a mode of migration where you can migrate the newly added artifacts (agents, policies, user stores, and authentication stores) of OpenSSO Enterprise 8.0 to Access Manager 11.1.2. Delta migration is supported only for creation operations.

After the first round of migration (that is, complete migration), every migration that you perform is delta migration.

Each time you perform delta migration, the information about the migration version set by complete migration in the Access Manager 11.1.2 configuration store is retrieved, is incremented by one, and is saved back to the Access Manager 11.1.2 configuration store.

The procedure to perform a delta migration is the same as that of a complete migration, and is described in Migration Roadmap.

15.3 Migration Summary

This section summarizes the artifacts of OpenSSO Enterprise 8.0 that are compatible with Access Manager 11.1.2.

15.3.1 Summary of Migration of Agents

This section summarizes the migration of agents from OpenSSO Enterprise 8.0 to Access Manager 11.1.2.

  • This migration tool migrates the agent configuration and not the agent itself. The following agents are supported for migration:

    Java EE Agents 3.0: WebLogic 10.3

    Web Agents 3.0: Internet Information Services (IIS) 7.5

  • Centralized agents are migrated to Access Manager 11.1.2. These are the agents that work in centralized configuration mode. They store all their configuration details in the OpenSSO Enterprise 8.0 server, and read the configuration from the OpenSSO Enterprise server over a REST call during agent bootstrap. These agents do not honor the local configuration file. After migration, the configuration details of these agents are stored in Access Manager 11.1.2.

  • Local agents are migrated with minimal configuration. Local agents are the agents that work in local configuration mode. These agents honor only the local configuration file for their own configuration. Only the basic configuration properties of the local agents, such as agent ID, agent password, and agent base URL, are stored in the OpenSSO Enterprise 8.0 Server. After migration, these configuration details are stored in the Access Manager 11.1.2 Server.

  • Agent migration is backward compatible.

  • If two or more agents exist with the same name under different realms, the agents are migrated with the name preceded by the realm name.

    For example: If the agent named j2eeAgent exists in both TopRealm (/) and SubRealm (/>SubRealm), then these agents are migrated with the name TopRealm_j2eeAgent and SubRealm_j2eeAgent.

15.3.2 Summary of Migration of Policies

This section summarizes the migration of policies from OpenSSO Enterprise 8.0 to Access Manager 11.1.2.

OpenSSO Enterprise 8.0 policies consist of the following four artifacts:

  • Rules (resources + actions)

  • Subjects

  • Conditions

  • Response Providers

The policies in the assessment report (PolicyInfo.txt), which is generated when you run the OpenSSO Agent assessment tool, are classified into Auto Policies, Semi Policies, and Manual Policies based on the compatibility of the artifacts in Access Manager 11.1.2:

  • Auto Policies: A policy is regarded as an auto policy if all the artifacts of that policy can be mapped to the policy artifacts in Access Manager 11.1.2. All the auto policies can be migrated to Access Manager 11.1.2.

  • Semi Policies: A policy is regarded as a semi policy if some of the artifacts of that policy can be mapped to the policy artifacts in Access Manager 11.1.2. Semi policies are not migrated to Access Manager 11.1.2.

  • Manual Policies: A policy is regarded as a manual policy if none of the artifacts of that policy can be mapped to the policy artifacts of Access Manager 11.1.2. Manual policies are not migrated to Access Manager 11.1.2.

OpenSSO Enterprise 8.0 has two types of policies:

  • Referral Policies: These policies do not apply to migration.

  • Non-Referral Policies: These policies are migrated.

Rules

  • An OpenSSO Enterprise policy without a rule is not supported for migration. Such a policy is considered invalid.

  • Only rules that have the actions GET and POST are applicable for migration. These rules have the service type URL Policy Agent.

  • Rules with other service types are not applicable for migration, for example Discovery Service (actions LOOKUP and UPDATE) and Liberty Personal Profile Service (actions QUERY and MODIFY), because these actions (known as resource operations in Access Manager 11.1.2) are not supported in Access Manager 11.1.2.

Subjects

Only the subject types OpenSSO Identity Subject (user and group) and Authenticated Users are supported for migration. These subjects are migrated as part of the Identity Condition in Access Manager 11.1.2.

Conditions

  • Active Session Time

    • This condition of OpenSSO Enterprise policy is mapped to the attribute Session Expiry Time of the AttributeCondition in Access Manager 11.1.2.

    • The attribute Terminate session of this condition is ignored during migration as the appropriate mapping of this attribute does not exist in Access Manager 11.1.2.

  • Authentication by Module Instance

    • This condition of OpenSSO Enterprise policy is migrated to Access Manager 11.1.2 as AuthN scheme, and not as a condition.

    • Table 15-1 lists the authentication modules of OpenSSO Enterprise 8.0 that are migrated and mapped with AuthN scheme into Access Manager 11.1.2.

      Table 15-1 Mapping of Authentication Module

      | Authentication Module in OpenSSO Enterprise 8.0 | Authentication Plug-in in Access Manager 11.1.2 |
      |---|---|
      | Certificate auth module | X509 auth plug-in |
      | WindowsDesktopSSO auth module | Kerberos auth plug-in |
      | LDAP auth module | LDAP auth plug-in |


  • Authentication Level (less than or equal to) and Authentication Level (greater than or equal to)

    • Both the conditions of OpenSSO Enterprise policy are mapped to the session attributes of the AttributeCondition with namespace SESSION and attribute name Authentication Level.

    • Both conditions are mapped to the AttributeOperator EQUALS, because Access Manager 11.1.2 has no corresponding mapping for greater than or equal to and less than or equal to. This mapping relies on the equals part of the policy condition in OpenSSO Enterprise 8.0. Therefore, the conditions greater than or equal to and less than or equal to are treated alike in Access Manager 11.1.2.

      For example, if you migrate an OpenSSO Enterprise 8.0 policy with a condition of authentication level less than or equal to 5, the migrated policy in Access Manager 11.1.2 will have the authentication level equal to 5.

  • Current Session Properties

    • This condition is mapped to the session attributes of the AttributeCondition with namespace SESSION and attribute name Other, where the key/value pairs are added as attributes of this condition. This condition in OpenSSO Enterprise 8.0 is multi-valued. Therefore, this condition in Access Manager 11.1.2 has multiple attributes with the same name but different values.

  • Identity Membership

    • This condition in OpenSSO Enterprise policy is mapped to Identity condition in Access Manager 11.1.2.

    • All the unique users or groups from all the subjects, and all the unique users or groups from all the identity membership conditions in OpenSSO Enterprise 8.0 are created as a set of users or groups in one Identity condition in Access Manager 11.1.2.

    • During run-time verification, a logical OR is applied across this set of users or groups.

  • IP Address/DNS Name

    • The condition IP Address in OpenSSO Enterprise 8.0 policy is mapped to IP condition in Access Manager 11.1.2.

    • The condition DNS name is not supported in Access Manager 11.1.2.

  • LDAP Filter Condition

    • This condition in OpenSSO Enterprise policy is mapped to Identity condition in Access Manager 11.1.2.

    • All the unique LDAP filters from all the LDAP filter conditions in OpenSSO Enterprise 8.0 are created as a set of LDAP filters in one Identity condition in Access Manager 11.1.2.

  • Time (day, date, time, and time zone)

    • This condition in OpenSSO Enterprise 8.0 policy is mapped to Time condition in Access Manager 11.1.2.

    • The Time condition in OpenSSO Enterprise 8.0 contains one of the following values: date, time, day, or time zone; whereas the Time condition in Access Manager 11.1.2 contains either time or day. Therefore, the Time condition in OpenSSO Enterprise 8.0 containing only the time (start and end time) and day can be mapped to the Time condition in Access Manager 11.1.2. All the other cases are ignored.
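The following added example (not part of the original documentation or of Oracle's tools) encodes the condition mappings listed above and reports which conditions of a policy change meaning, move, or are dropped on migration. The Condition class, the kind names, and the sample policies are hypothetical; the example does not read PolicyInfo.txt.

```python
from dataclasses import dataclass, field

# Table 15-1: OpenSSO authentication module -> Access Manager plug-in.
AUTH_MODULE_MAP = {
    "Certificate": "X509",
    "WindowsDesktopSSO": "Kerberos",
    "LDAP": "LDAP",
}
DIRECT = ("SessionProperty", "IdentityMembership", "IPAddress", "LDAPFilter")


@dataclass
class Condition:
    """Hypothetical in-memory form of one OpenSSO policy condition."""
    kind: str
    params: dict = field(default_factory=dict)


def assess(cond):
    """Return (status, detail) for one condition, following Section 15.3.2.

    status: "same", "changed" (migrated with a different meaning), "moved"
    (becomes an AuthN scheme), "dropped", or "unlisted" (no mapping given).
    """
    k, p = cond.kind, cond.params
    if k in ("AuthLevelLE", "AuthLevelGE"):
        op = "<=" if k == "AuthLevelLE" else ">="
        return ("changed", f"level {op} {p['level']} becomes level EQUALS {p['level']}")
    if k == "ActiveSessionTime":
        if p.get("terminate_session"):
            return ("changed", "Terminate session attribute is ignored")
        return ("same", "Session Expiry Time attribute")
    if k == "AuthByModuleInstance":
        plugin = AUTH_MODULE_MAP.get(p["module"])
        if plugin is None:
            return ("unlisted", f"module {p['module']} is not in Table 15-1")
        return ("moved", f"becomes an AuthN scheme using the {plugin} plug-in")
    if k == "DNSName":
        return ("dropped", "DNS name condition is not supported")
    if k == "Time":
        extra = sorted(set(p) - {"start_time", "end_time", "day"})
        if extra:
            return ("dropped", "Time condition with " + ", ".join(extra) + " is ignored")
        return ("same", "Time condition")
    if k in DIRECT:
        return ("same", "direct mapping")
    return ("unlisted", f"condition type {k} is not covered")


def newly_denied(kind, level, session_levels):
    """Session authentication levels that satisfied the OpenSSO comparison
    but fail the migrated test (assumes EQUALS means an exact match)."""
    if kind == "AuthLevelLE":
        before = {s for s in session_levels if s <= level}
    else:
        before = {s for s in session_levels if s >= level}
    after = {s for s in session_levels if s == level}
    return sorted(before - after)


def review(policies):
    """Map policy name -> [(kind, status, detail)] for conditions to re-check."""
    report = {}
    for name, conds in policies.items():
        hits = []
        for c in conds:
            status, detail = assess(c)
            if status != "same":
                hits.append((c.kind, status, detail))
        if hits:
            report[name] = hits
    return report


# Constructed sample policies (names and values are illustrative only).
SAMPLE = {
    "hr-portal": [Condition("AuthLevelGE", {"level": 2}),
                  Condition("IPAddress", {"range": "192.0.2.0-192.0.2.255"})],
    "intranet": [Condition("DNSName", {"name": "*.example.com"}),
                 Condition("Time", {"start_time": "08:00", "end_time": "18:00",
                                    "timezone": "UTC"})],
    "wiki": [Condition("LDAPFilter", {"filter": "(ou=eng)"})],
}

if __name__ == "__main__":
    for name, hits in review(SAMPLE).items():
        for kind, status, detail in hits:
            print(f"{name}: {kind}: {status}: {detail}")
    print("hr-portal levels now denied:",
          newly_denied("AuthLevelGE", 2, range(0, 6)))
```

Because a level that equals the threshold also satisfies both original comparisons, the migrated EQUALS condition can only match fewer sessions than the original condition, never more.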

Response Providers

  • OpenSSO Enterprise Server or Policy Server sends Identity or User repository attributes (that is, user attributes from any user store) to the agent as response providers. The OpenSSO agent sends these attributes back to the resource or application through an HTTP header, request attribute, or HTTP cookie, according to the configuration of the agent.

    All of the response providers (static as well as dynamic) are migrated from OpenSSO Enterprise 8.0 to Access Manager 11.1.2 with the type HTTP header.

15.3.3 Summary of Migration of User Stores

This section summarizes the migration of user stores from OpenSSO Enterprise 8.0 to Access Manager 11.1.2.

OpenSSO Enterprise has three types of user stores:

  • Active Directory: This user store can be migrated to Access Manager 11.1.2.

  • Generic LDAPv3: This user store can be migrated to Access Manager 11.1.2.

  • Sun DS with OpenSSO schema: This user store cannot be migrated to Access Manager 11.1.2, as no supported data store type is available in 11.1.2.

15.3.4 Summary of Migration of Authentication Stores

This section summarizes the migration of authentication stores from OpenSSO Enterprise 8.0 to Access Manager 11.1.2.

The following are the authentication stores in OpenSSO Enterprise 8.0 that can be migrated and mapped to the corresponding authentication modules in Access Manager 11.1.2:

  • LDAP in OpenSSO Enterprise 8.0 is mapped to OAM LDAP in Access Manager 11.1.2.

  • Certificate in OpenSSO Enterprise 8.0 is mapped to X509 in Access Manager 11.1.2.

  • Windows Desktop SSO in OpenSSO Enterprise 8.0 is mapped to Kerberos in Access Manager 11.1.2.

All authentication stores with type LDAP are migrated to Access Manager 11.1.2 with name AS_RealmName_Modulename. The authentication stores with type other than LDAP are not migrated.

15.4 Topology Comparison

Figure 15-1 compares the topologies of Sun OpenSSO Enterprise 8.0 and Access Manager 11.1.2.

Figure 15-1 OpenSSO Enterprise 8.0 and Access Manager 11.1.2 Topologies


15.5 Migration Roadmap

Table 15-2 lists the steps to migrate Sun OpenSSO Enterprise 8.0 to Access Manager 11.1.2.

Table 15-2 Task Roadmap

| Task No | Task | For More Information |
|---|---|---|
| 1 | Complete the prerequisites. | See Prerequisites for Migration |
| 2 | Install Oracle Identity and Access Management 11.1.2. | See Installing Oracle Identity and Access Management 11.1.2 |
| 3 | Configure Oracle Access Management Access Manager 11.1.2. | See Configuring Oracle Access Management Access Manager 11.1.2 |
| 4 | Generate the assessment report, and analyze what artifacts can be migrated to Access Manager 11.1.2. You can perform this task multiple times. | See Generating the Assessment Report |
| 5 | Start the WebLogic Administration Server. | See Starting the WebLogic Administration Server |
| 6 | Migrate OpenSSO Enterprise 8.0 to Access Manager 11.1.2 by running the migration tool. | See Migrating the Artifacts of OpenSSO Enterprise 8.0 to Access Manager 11.1.2 |
| 7 | Complete the post-migration steps. | See Post-Migration Tasks |
| 8 | Verify the migration. | See Verifying the Migration |

15.6 Prerequisites for Migration

You must complete the following prerequisites for migrating OpenSSO Enterprise 8.0 to Access Manager 11.1.2:

  1. Read the Oracle Fusion Middleware System Requirements and Specifications document to ensure that your environment meets the minimum requirements for the products you are installing, upgrading, and migrating.

    Note:

    For information about Oracle Fusion Middleware concepts and directory structure, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.

  2. Verify that the OpenSSO Enterprise version that you are using is supported for migration. For information about supported starting points for OpenSSO Enterprise 8.0 migration, see Section 11.5, "Supported Starting Points for Sun OpenSSO Enterprise Migration".

15.7 Installing Oracle Identity and Access Management 11.1.2

As part of the migration process, you must perform a fresh installation of Oracle Identity and Access Management 11.1.2. This 11.1.2 installation can be on the same machine where Sun OpenSSO Enterprise 8.0 is installed, or on a different machine.

For more information about installing Oracle Identity and Access Management 11.1.2, see "Installing Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

15.8 Configuring Oracle Access Management Access Manager 11.1.2

Configure Access Manager 11.1.2, and create a domain.

For information about configuring Access Manager 11.1.2, see "Configuring Oracle Access Management" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

15.9 Generating the Assessment Report

This section describes how to generate an assessment report using the OpenSSO Agent assessment tool. This assessment report provides a preview of agents, policies, user stores, and authentication stores that are available in the OpenSSO Enterprise 8.0 Server, and indicates which artifacts can be migrated to Access Manager 11.1.2.

You can generate an assessment report multiple times before you start the migration process.

Note:

Before you run the OpenSSO Agent assessment tool, you must complete the following prerequisites:

  • Start the container on which OpenSSO Enterprise 8.0 is deployed.

  • Make sure that you use JDK version 1.6 or higher.

  • Set the variable JAVA_HOME to the location where JDK 1.6 is installed.

15.9.1 Obtaining the Assessment Tool

Move from your present working directory to the IAM_HOME/oam/server/tools/opensso_assessment directory using the following command:

On UNIX:

cd IAM_HOME/oam/server/tools/opensso_assessment/

On Windows:

cd IAM_HOME\oam\server\tools\opensso_assessment\

Extract the contents of the OpenssoAgentdiscTool.zip file to a directory of your choice. It is recommended that you name the unzipped folder OpenssoAgentdiscTool.

15.9.2 Specifying LDAP Connection Details

You must specify LDAP connection details in the properties file before you run the OpenSSO Agent assessment tool by doing the following:

  1. Open the OpenSSOAgentDiscTool.properties file from the following location:

    On UNIX: unzipped_folder/resources/

    On Windows: unzipped_folder\resources\

  2. Set the appropriate values for the following properties:

    • openSSOLDAPServerURL=host:port

      In this property, host and port refer to the LDAP host and the port of the configuration store used in OpenSSO Enterprise 8.0.

    • openSSOLDAPBindDN=login_id

      where login_id is the bind DN of the LDAP server. You must have the administrative or root permissions to the configuration directory server of OpenSSO Enterprise 8.0.

    • openSSOLDAPSearchBase=LDAP_search_base

      where LDAP_search_base is the LDAP search base for the configuration store.

  3. Save and close the file.

Note:

If you do not specify the LDAP connection details, a message is displayed in the UserStoresInfo.txt and AuthnStoreInfo.txt files. This message indicates that the information is not available. The same message is displayed in the user stores and authentication stores sections of the DashBoardInfo.txt file. You must then specify the right LDAP connection details in the OpenSSOAgentDiscTool.properties file, save the file, and run the assessment tool again.

If you specify an incorrect value for any of these parameters, you cannot run the assessment tool, and an error is displayed accordingly.

15.9.3 Running the OpenSSO Agent Assessment Tool

To run the OpenSSO Agent assessment tool, do the following:

  1. Change your directory to the folder where you extracted the contents to, as described in Section 15.9.1, "Obtaining the Assessment Tool", using the following command:

    cd <path to the unzipped folder>
    
  2. Run the following command:

    java -jar openssoagentdisc.jar OpenSSO_server_URL username debugLevel
    

    In this command,

    OpenSSO_server_URL is the URL of the OpenSSO Enterprise 8.0 Server. You must specify it in the format: http://host:port/opensso, where host and port refer to hostname and the port of the machine where OpenSSO Enterprise 8.0 Server is running.

    username is the username of the OpenSSO Enterprise 8.0 Server.

    debugLevel parameter is optional. The value of this parameter should be either error or message. If you do not specify this parameter in the command, it takes the default value error.

    You are prompted to enter the following:

    1. Enter server login password:

      Enter the password of the OpenSSO Enterprise 8.0 server admin user.

    2. Enter LDAP login password:

      Enter the login password of the LDAP server.

    Note:

    For more information about the arguments used in this command, run the following command in the unzipped directory:

    java -jar openssoagentdisc.jar -help
    

15.9.4 Analyzing the Assessment Report

The OpenSSO Agent assessment tool generates five report files in the following location:

unzipped_folder/consoleOutput/

These reports contain information about agents, policies, user stores, and authentication stores of OpenSSO Enterprise 8.0 that are supported in Access Manager 11.1.2.

Table 15-3 lists the report files that are generated when you run the OpenSSO Agent assessment tool.

Table 15-3 Report Files Generated

| File | Description |
|---|---|
| AgentInfo.txt | Contains information about J2EE and web agents, and the list of supported agents in Access Manager 11.1.2. |
| AuthnStoreInfo.txt | Contains information about authentication stores. |
| DashBoardInfo.txt | Contains brief information about agents, policies, user stores, and authentication stores. |
| PolicyInfo.txt | Contains information about policies. |
| UserStoreInfo.txt | Contains information about user stores. |


15.10 Starting the WebLogic Administration Server

You must start the WebLogic Administration Server before you can run the migration tool.

To start the WebLogic Administration Server, do the following:

On UNIX:

  1. Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory using the command:

    cd MW_HOME/user_projects/domains/domain_name/bin/
    
  2. Run the following command:

    ./startWebLogic.sh
    

    When prompted, enter the username and password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory using the following command on the command line:

    cd MW_HOME\user_projects\domains\domain_name\bin\
    
  2. Run the following command:

    startWebLogic.cmd
    

    When prompted, enter the username and password of the WebLogic Administration Server.

15.11 Migrating the Artifacts of OpenSSO Enterprise 8.0 to Access Manager 11.1.2

Before you start the actual migration of the artifacts from OpenSSO Enterprise 8.0 to Access Manager 11.1.2, make sure that you have generated the assessment report (as described in Section 15.9, "Generating the Assessment Report"), and analyzed what artifacts can be migrated to Access Manager 11g.

To migrate Sun OpenSSO Enterprise 8.0 to Access Manager 11.1.2, do the following:

  1. Create a properties file at any accessible location. For example, create a properties file named oam_migration.properties.

    Enter values for the following properties in the properties file:

    • openSSOServerURL=OpenSSO_server_URL

    • openSSOAdminUser=OpenSSO_admin_username

    • openSSOAdminPassword=

    • openSSOServerDebugLevel=error/message

    • openSSOLDAPServerURL=LDAP host:port

    • openSSOLDAPBindDN=LDAP_bind_DN

    • openSSOLDAPBindPwd=

    • openSSOLDAPSearchBase=LDAP_searchBase

    Table 15-4 describes the values you must specify for each of the properties in the properties file.

    Table 15-4 Property File Values

    | Property | Description |
    |---|---|
    | openSSOServerURL | Specify the URL of the OpenSSO Enterprise 8.0 Administration Server. It must be specified in the format http://<host>:<port>/opensso, where <host> is the machine on which the OpenSSO Enterprise 8.0 Administration Server is running and <port> is the port number of the OpenSSO Enterprise Administration Server. |
    | openSSOAdminUser | Specify the username of the OpenSSO Enterprise Administration Server. |
    | openSSOAdminPassword | Do not specify any value for this property. The migration tool prompts you for the OpenSSO Enterprise admin password when you run the migration command, as described in step 4. |
    | openSSOServerDebugLevel | Specify one of the following values: error or message. This value represents the debug level. |
    | openSSOLDAPServerURL | Specify the URL of the LDAP server. This must be specified in the format host:port, where host refers to the LDAP host of the configuration store used in OpenSSO Enterprise 8.0 and port refers to the LDAP port of the configuration store used in OpenSSO Enterprise 8.0. The host and port values must be separated by a colon. |
    | openSSOLDAPBindDN | Specify the bind DN of the LDAP server. This user must have the admin or root permissions to the configuration directory server of OpenSSO Enterprise. |
    | openSSOLDAPBindPwd | Do not specify any value for this property. The migration tool prompts you for the LDAP bind password when you run the migration command, as described in step 4. |
    | openSSOLDAPSearchBase | Specify the LDAP search base for the configuration store. |


    Note:

    Do not specify any value for openSSOAdminPassword and openSSOLDAPBindPwd properties.

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    On UNIX:

    1. Move from your present working directory to the IAM_HOME/common/bin directory by running the following command on the command line:

      cd IAM_HOME/common/bin

    2. Run the following command to launch the WebLogic Scripting Tool (WLST):

      ./wlst.sh

    On Windows:

    1. Move from your present working directory to the IAM_HOME\common\bin directory by running the following command on the command line:

      cd IAM_HOME\common\bin

    2. Run the following command to launch the WebLogic Scripting Tool (WLST):

      wlst.cmd

  3. Run the following command to connect WLST to the WebLogic Server instance:

    connect('wls_admin_username','wls_admin_password','t3://hostname:port');
    

    In this command,

    wls_admin_username is the username of the WebLogic Administration Server.

    wls_admin_password is the password of the WebLogic Administration Server.

    hostname is the machine where the WebLogic Administration Server is running.

    port is the port of the Administration Server.

  4. Run the following command to migrate the artifacts of OpenSSO Enterprise 8.0 to Access Manager 11.1.2:

    oamMigrate(oamMigrateType="OpenSSO",pathMigrationPropertiesFile="absolute_path_of_properties_file");
    

    In this command,

    absolute_path_of_properties_file is the absolute path to the properties file that you created in step 1. For example:

    On UNIX: oamMigrate(oamMigrateType="OpenSSO",pathMigrationPropertiesFile="abc/def/oam_migration.properties")

    On Windows: oamMigrate(oamMigrateType="OpenSSO",pathMigrationPropertiesFile="abc\\def\\oam_migration.properties")

    You are prompted to enter the following:

    1. Enter value for property : openSSOAdminPassword :

      Enter the password of the OpenSSO Enterprise 8.0 Administration Server.

    2. Enter value for property : openSSOLDAPBindPwd :

      Enter the bind password of the LDAP server.

    Note:

    Complete migration is performed when you run the oamMigrate() command for the first time.

    After an initial migration (complete migration), you can re-execute this command to perform delta migration.

    For more information about complete and delta migration, see Section 15.2, "Modes of Migration".

When the migration is complete, the WLST console displays a message stating the result of the migration.
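The following added example (not Oracle's code) checks the properties file from step 1 against the rules in Table 15-4 before the file is passed to oamMigrate(), including the requirement that both password properties stay empty. The function names and sample values are assumptions, and the parser handles plain key=value lines only.

```python
import re

REQUIRED = (
    "openSSOServerURL", "openSSOAdminUser", "openSSOAdminPassword",
    "openSSOServerDebugLevel", "openSSOLDAPServerURL", "openSSOLDAPBindDN",
    "openSSOLDAPBindPwd", "openSSOLDAPSearchBase",
)
# The migration tool prompts for these two, so the file must leave them empty.
PROMPTED = ("openSSOAdminPassword", "openSSOLDAPBindPwd")
NON_EMPTY = ("openSSOAdminUser", "openSSOLDAPBindDN", "openSSOLDAPSearchBase")

SERVER_URL = re.compile(r"^http://[^\s/:]+:(\d+)/opensso$")
HOST_PORT = re.compile(r"^[^\s/:]+:(\d+)$")


def parse_properties(text):
    """Parse plain key=value lines; continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        # Split on the first '=' only: DNs such as cn=... contain '=' themselves.
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def _valid_port(match):
    return match is not None and 1 <= int(match.group(1)) <= 65535


def check_migration_properties(text):
    """Return a list of problems; an empty list means the file passes."""
    props = parse_properties(text)
    problems = [f"{key}: missing" for key in REQUIRED if key not in props]
    for key in PROMPTED:
        if props.get(key):
            problems.append(f"{key}: must be empty, the tool prompts for it")
    for key in NON_EMPTY:
        if key in props and not props[key]:
            problems.append(f"{key}: value required")

    url = props.get("openSSOServerURL")
    if url is not None and not _valid_port(SERVER_URL.match(url)):
        problems.append("openSSOServerURL: expected http://<host>:<port>/opensso")

    level = props.get("openSSOServerDebugLevel")
    if level is not None and level not in ("error", "message"):
        problems.append("openSSOServerDebugLevel: expected error or message")

    ldap = props.get("openSSOLDAPServerURL")
    if ldap is not None:
        match = HOST_PORT.match(ldap)
        if not _valid_port(match):
            problems.append("openSSOLDAPServerURL: expected host:port")
        elif match.group(1) == "636":
            # 636 is the conventional LDAPS port; the tools do not support
            # connecting to the configuration store over the SSL port.
            problems.append("openSSOLDAPServerURL: port 636 is normally the SSL port")
    return problems


# Constructed sample files (hosts, DNs and the password are made up).
GOOD = """\
openSSOServerURL=http://sso.example.com:8080/opensso
openSSOAdminUser=amadmin
openSSOAdminPassword=
openSSOServerDebugLevel=error
openSSOLDAPServerURL=ldap.example.com:389
openSSOLDAPBindDN=cn=Directory Manager
openSSOLDAPBindPwd=
openSSOLDAPSearchBase=dc=example,dc=com
"""

BAD = """\
openSSOServerURL=https://sso.example.com/opensso
openSSOAdminUser=amadmin
openSSOAdminPassword=constructed-secret
openSSOServerDebugLevel=debug
openSSOLDAPServerURL=ldap.example.com:636
openSSOLDAPBindDN=cn=Directory Manager
openSSOLDAPSearchBase=dc=example,dc=com
"""

if __name__ == "__main__":
    print("GOOD:", check_migration_properties(GOOD))
    for problem in check_migration_properties(BAD):
        print("BAD:", problem)
```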

15.12 Post-Migration Tasks

After you migrate OpenSSO Enterprise 8.0 to Access Manager 11.1.2, you must complete the following post-migration tasks:

  1. The agent artifacts (properties files) are generated when you perform a migration. The following two properties files are generated in the location domain_home/output/OpenSSOMigration/OpenSSO8.0/Realm_Name/Agent_Name/*.properties:

    • OpenSSOAgentBootstrap.properties

    • OpenSSOAgentConfiguration.properties

    You must copy these property files to the agents' configuration location. For each agent, complete the following steps:

    1. Stop the agent.

    2. Back up the existing properties file (that is, the properties file which existed on the agent host before you started the migration process).

    3. Copy the agent's artifacts (properties files) to the agent deployment location:

      /agent_install_dir/weblogic_v10_agent/Agent_001/config

    4. Modify the container specific property in the OpenSSOAgentBootstrap.properties file as follows:

      For Glassfish agent, set the following property:

      com.sun.identity.agents.config.service.resolver=com.sun.identity.agents.appserver.v81.AmASAgentServiceResolver
      

      For WebLogic agent, set the following property:

      com.sun.identity.agents.config.service.resolver=com.sun.identity.agents.weblogic.v10.AmWLAgentServiceResolver
      
    5. Restart the agent.

    6. Clean up the cookies and cache of the browser.

  2. The migration tool does not retrieve the passwords of the user stores that are migrated from OpenSSO Enterprise 8.0 to Access Manager 11.1.2. Therefore, after migration, you must manually update the passwords for all the user stores that are migrated. To do this, complete the following steps:

    1. Log in to the Oracle Access Management 11.1.2 console using the following URL:

      http://host:port/oamconsole
      

      In this URL, host refers to the fully qualified domain name of the machine hosting the Oracle Access Management Server, and port refers to the designated bind port for the Oracle Access Management Console, which is the same as the bind port for the Administration Server.

    2. Go to the System Configuration tab.

    3. Under Common Configuration, expand Data Sources on the left navigation pane.

    4. Expand User Identity Stores, and manually update the password for all the migrated LDAP user stores that exist.

  3. After migration, the minimum and maximum pool size for the migrated authentication stores will be set to 0, by default. Hence, you must manually set the appropriate values for Minimum Pool Size and Maximum Pool Size for the authentication stores in the Oracle Access Management 11.1.2 console. To do this, complete the following steps:

    1. Log in to the Oracle Access Management 11.1.2 console using the URL:

      http://host:port/oamconsole
      
    2. Go to the System Configuration tab.

    3. Expand Common Configuration on the left navigation pane.

    4. Expand Data Sources, and then expand User Identity Stores.

    5. Select the authentication store to be edited.

    6. Scroll down to Connection Details, and set the values Minimum Pool Size and Maximum Pool Size. For example, Minimum Pool Size=10 and Maximum Pool Size=50.

    7. Click Apply.

15.13 Verifying the Migration

To verify the migration, do the following:

  1. Log in to the Oracle Access Management 11.1.2 console using the following URL:

    http://host:port/oamconsole
    

    In this URL,

    • host refers to the fully qualified domain name of the machine hosting the Oracle Access Management 11.1.2 console.

    • port refers to the designated bind port for the Oracle Access Management 11.1.2 console, which is the same as the bind port for the Administration Server.

    Verify that the OpenSSO Enterprise agents, user stores, authentication stores, authentication modules, host identifiers, resources, and policies (with the correct authentication scheme and the correct authentication module) are migrated to Access Manager 11.1.2.

  2. Access any protected page using its URL. The URL now redirects you to the Oracle Access Management Server login page. After successful authentication, authorization should succeed and you should be able to access the resource.