1. Migrating API Platform Cloud Service Instances to Oracle Cloud Infrastructure
  2. Prepare for Migration

2 Prepare for Migration

Summarizes what you need to do to prepare for migration.

Topics:

Create a Service Request for Migration

Initiating a Service Request (SR) with Oracle customer support starts the process of migrating your API Platform Cloud Service instance to Oracle Cloud Infrastructure.

Oracle performs migration for you, so you must create a Service Request (SR) to request this service. After you create the SR, Oracle provides two tools you download and use for completing the pre-migration steps.
  1. Open the My Oracle Support portal at support.oracle.com.
  2. Create a Service Request (SR) for Oracle to migrate your instance to Oracle Cloud Infrastructure.
    Oracle will provide access to tooling you will use for the pre-migration process.
  3. Given directions from the SR, download the LDAP data conversion script (ldap-to-idcs-csv.sh) and Migration Application.
After you have completed the pre-migration steps, you then upload your data to the SR.

Access Oracle API Platform Cloud Service

You access API Platform Cloud Service through the web console.

Depending on how you signed up for Oracle Cloud, you’ll be directed to either the Oracle Cloud Infrastructure Console or the Oracle Cloud Infrastructure Classic Console.

Topics

Access Oracle API Platform Cloud Service from the Oracle Cloud Infrastructure Console

On most Oracle Cloud accounts, which are Universal Credits subscriptions, you access the API Platform Cloud Service console from the Oracle Cloud Infrastructure Console.

  1. Sign in to Oracle Cloud.
    The Infrastructure Console is displayed.
  2. From the Infrastructure Console, click the navigation menu Navigation menu icon in the top left corner, expand Platform Services, and then click API Platform.
    The Instances page is displayed.
  3. From the Instances page, you can create a new API Platform Cloud Service, or you can click an existing instance to view or manage it.

To view help for the current page, click the help icon Help Drawer icon at the top of the page.

Access Oracle API Platform Cloud Service Classic from the Oracle Cloud Infrastructure Classic Console

On older Oracle Cloud accounts that are not Universal Credits subscriptions, you access the API Platform Cloud Service console from the Oracle Cloud Infrastructure Classic Console.

  1. Sign in to Oracle Cloud.
    The Infrastructure Classic Console is displayed.
  2. From the Infrastructure Classic Console, click the navigation menu Navigation menu icon in the top left corner, and then click API Platform Classic.
    The Instances page is displayed.
  3. From the Instances page, you can create a new API Platform Cloud Service, or you can click an existing instance to view or manage it.

Create an Oracle API Platform Service Instance

Create an Oracle API Platform Cloud Service instance to use as a target for the migration to Oracle Cloud Infrastructure.

Create a new service instance that will be the final destination for your migrated artifacts. After you create the instance, you share the region and identity domain details with Oracle. Oracle uses this information to import the artifacts from your original Oracle Cloud Infrastructure Classic instance and perform sanity checks. When the migration is complete, Oracle returns the new service instance's ownership to you.

Before you begin, ensure that you have subscribed to the required services, collected the required information for each service, and created SSH keys. See Before You Begin with Oracle API Platform Cloud Service in Using Oracle API Platform Cloud Service.

To create an Oracle API Platform Cloud Service instance by using the Provisioning wizard on the service console:

  1. Open the service console.
  2. Click Create Instance.
  3. Complete the remainder of the steps documented in Create an Oracle API Platform Cloud Instance in Using Oracle API Platform Cloud Service.
  4. Append the instance name, region, and identity domain to your Service Request.
Oracle uses this service instance for the migration target.

Transfer Identity Data

The target Oracle API Platform Cloud Service instance on Oracle Cloud Infrastructure will use Oracle Identity Cloud Service for user accounts and security, while the originating Oracle API Platform Cloud Service Classic instance uses LDAP. You must export the LDAP data.

Topics

Export Users from LDAP

The first step is to export the users from the LDAP server.

The directory into which you export the LDAP data must exist before your perform the export. If it does not exist, the function will silently fail.

To export user data from LDAP:

  1. Create a directory for the exported files, if necessary.
  2. Log on to the WebLogic Server Console.
  3. Click Security Realms and select your realm.
  4. Click Migration and then click Export.
A DefaultAuthenticator.dat file is created in the directory you specified.

Convert the Data File to CSV

You must convert the DefaultAuthenticator.dat data file from LDAP into CSV files to create usernames for the Oracle API Platform Cloud Service environment.

Use the ldap-to-idcs-csv.sh script you imported to convert the DefaultAuthenticator.dat file from LDAP to the users.csv and groups.csv files.

In the target Oracle API Platform Cloud Service environment, Oracle Identity Cloud Service uses full email addresses as usernames, for example, john.example@example.com. The original Oracle API Platform Cloud Service Classic environment you are migrating from does not use full email addresses, for example, john.example. You must either use the script provided to update the usernames, or change them manually, depending on how you specified the username. In the case where the original username is of the form john.example, the script appends the domain name example.com to this name to obtain john.example@example.com. If you use a different format for your original usernames, you must update them manually.

To convert the data file into CSV files:

  1. Copy the ldap-to-idcs-csv.sh script you downloaded to the DefaultAuthenticator.dat file location.
  2. Open the ldap-to-idcs-csv.sh script and review the instructions on how to set environment variables that control the script's behavior.
  3. Set the environment variables as directed.
  4. Run ./ldap-to-idcs-csv.sh to generate the users.csv and groups.csv files.
    The users.csv and groups.csv files are generated.
  5. Review the users.csv and groups.csv files and apply fixes manually where necessary.

Import the CSV Files into IDCS

After you have created the CSV files, you can then import them into IDCS.

For prerequisites, additional information about this procedure, and troubleshooting, see Importing User Accounts and Importing Groups in Administering Oracle Identity Cloud Service.
To import the CSV files into IDCS:
  1. Log in to the IDCS console.
  2. In the Identity Cloud Service console, expand the Navigation Drawer, and then click Users.
  3. Click Import.
  4. In the Import Users dialog, click Browse to navigate to the location of users.csv and select the file.
  5. Verify that the path and name of the CSV file that you selected appear in the Select a file to import field.
  6. Click Import.
  7. In the Identity Cloud Service console, expand the Navigation Drawer, and then click Groups.
  8. Click Import.
  9. In the Import Groups dialog, click Browse to navigate to the location of groups.csv and select the file.
  10. Verify that the path and name of the CSV file that you selected appear in the Select a file to import field.
  11. Click Import.
You can view the results. When you import either users or groups, a dialog appears with a Job ID link for the import job. Click the link to view the details on the Jobs page. If a Schedule ID appears instead, it means that the job cannot be processed immediately. You can copy the Schedule ID and use it to search for the on the Jobs page.

Assign Users and Groups to Application Roles

After importing users and groups into Oracle Identity Cloud Service, assign application roles to them.

Exporting users and groups from LDAP doesn't preserve assignments to application roles. You must assign roles manually.
  1. Access the Oracle Identity Cloud Service console.
  2. Expand the Navigation Drawer, and then click Applications.
  3. Select your application.
  4. Click the Application Roles tab.
  5. Assign users to your Oracle application. See Assigning Users to Oracle Applications in Administering Oracle Identity Cloud Service.
  6. Assign groups to your Oracle application. See Assigning Groups to Oracle Applications in Administering Oracle Identity Cloud Service.
  7. Import the users and groups for application roles. See Import Users and Groups for Oracle Application Roles in Administering Oracle Identity Cloud Service.
User and group assignments to application roles are complete.

Export the Data from the Database Schema

Export the data from the database schema so that Oracle can import it into the Oracle-managed database in the Oracle Cloud Infrastructure environment.

To export the database schema data:
  1. In the file system of your original database server, create a data dump directory, and make the oracle user its owner.
    sudo su -
mkdir/u01/apics-dump
chown oracle:dba /u01/apics-dump
  2. From SqlPlus or SqlDeveloper, use a connection string such as the following to connect to the PDB:
    sqlplus system/<system-user-password>@localhost:1521/pdb1
  3. Map the database to the directory you just created.
    -- create the mapping
create or replace directory apics_dump as '/u01/apics-dump';
-- grant permissions
grant read, write on directory apics_dump to public;
-- verify the mapping exists
select directory_name, directory_path from all_directories;
  4. Export the data dump from the OS command prompt.
    sudo su - oracle
# replace the placeholders with the appropriate parameters
expdp system/<system-user-password>@localhost:1521/pdb1 schemas=<schema-prefix>_APIP, <schema-prefix>_APIA exclude=TABLE:\"= \'HISTORY\'\" 
directory=apics_dump dumpfile=apiexp.dmp logfile=apiexp.log

    Note that the HISTORY table is excluded from the data dump. The history will start over from scratch in your new, migrated instance. Excluding the HISTORY makes the dump file size much smaller.

Install the Migration Application

Install the Migration Application in order to implement the curl commands used when you export CSF data and grants.

The name of the deployment must be API MT Migration Services.
To install the Migration Application:
  1. Copy the downloaded oracle.apiplatform.upgrade.migration.app.ear file to the /u01/app/oracle/suite/apip/lib directory on both your Managed Servers.
  2. Open your WebLogic Administration Console.
  3. Navigate to the Deployments page on the WebLogic Administration Console, click Lock & Edit, and then click Install.
  4. Select the oracle.apiplatform.upgrade.mtmigration.app.ear file, and then click Next.
  5. Select Install this deployment as an application, and then click Next.
  6. Type API MT Migration Services into the Name field, and then click Finish.
  7. Click Activate Changes.

Export CSF Data

Export CSF data to extract the credential information for services and service accounts from the secure storage used by your original service instance.

  1. Export the CSF keys. 
    curl -X POST -u <username>:<password> '<service-url>/apiplatform/mtmigration/keystore' --data 'passphrase=<your-passphrase-for-migration>' -o apicskeys.out
    The username and password can be the credentials of any user with administrator privileges.
    The resulting file is encrypted, using the passphrase you specify.

Export Grants

Export the grants.

Grants are stored in OPSS, so they are not part of the exported database dump. You must export them separately.
  1. Run the following curl command that exports the grants.
    curl -X POST -u <username>:<password> '<service-url>/apiplatform/mtmigration/grants' -o grants.zip
    The username and password can be the credentials of any user with administrator privileges.
  2. If the user and/or group names have changed, for example, if an email domain was added, complete the following steps:
    1. Extract the mapping.json file from grants.zip.
    2. In the case where the fromUser and toUser names are both LDAP names in the mapping.json file, edit the toUser value to the correct user name for Oracle Identity Cloud Service.
      Example of when fromUser and toUser values are both LDAP: 
      {
   "fromUser": "john.doe",
   "toUser": "john.doe"
}
      Edit toUser as follows: 
      {
   "fromUser": "john.doe",
   "toUser": "john.doe@example.com"
}
    3. Add the mapping.json file back to grants.zip.

Send the Information to Oracle

Send your data to Oracle to complete the migration.

  1. Collect the following information from previous steps:
    • Database dump file, including the export log
    • CSF keys and passphrase
    • Exported grants
  2. Upload your information to the Service Request you created for Oracle to migrate your instance.
  3. In your API Platform Cloud Service account, create a new user for your Oracle contact, and assign this user the Administrator role.
    Oracle needs this Administrator user to perform data import tasks and do sanity checking on the imported data.
Oracle imports your data and performs the migration for you.