Migrate an Instance to Oracle Java Cloud Service Using Classic Tools

Get Information About the Target Environment

Collect the information required for the migration tools to connect to the target Oracle Cloud Infrastructure environment.

Access the Oracle Cloud Infrastructure Console.
From the menu, choose Administration and then choose Tenancy Details.
Record the tenancy's OCID and Home Region.
From the menu, choose Identity and then Users.
Click your user name.
Record the user's OCID. Under API Keys, record the Fingerprint.
You will also need the corresponding PEM key file.
From the menu, choose Identity and then Compartments.
Record the OCID of the compartment where you want to create the instance.
From the menu, choose Identity and then Federation.
From the Oracle Identity Cloud Service Console URL, identify and record the identity domain ID, which has the format idcs-<guid>.
From the menu, choose Networking and then Virtual Cloud Networks (VCN).
Select the Compartment where you want to create the instance.
Click the VCN in which you want to create this instance.
Under Subnets, click the subnet in which you want to create this instance.
Record the subnet's OCID. If it is not a regional subnet, then also record the subnet's Availability Domain.
If you selected a regional subnet, then choose an availability domain for the target instance.
1. Access the Oracle Java Cloud Service Console.
2. Click Create Instance.
3. Select your Region.
4. From Availability Domain, record the name of the availability domain in which you want to create this instance.
5. Click Cancel.

The following table shows sample values for each input.

Name	Sample Value
Tenancy OCID	`ocid1.tenancy.oc1..aaaaaaaaju6k54i7...`
User OCID	`ocid1.user.oc1..aaaaaaaahvtv5qo...`
User API Key Fingerprint	`81:45:aa:...`
Compartment OCID	`ocid1.compartment.oc1..aaaaaaaaz...`
Region	`us-ashburn-1`
Availability Domain	`kWVD:US-ASHBURN-AD-3`
Subnet OCID	`ocid1.subnet.oc1.iad.aaaaaaaarz7...`
Identity Domain ID	`idcs-9bd53...`

Launch the Migration Controller Instance in the Source Environment

In your Oracle Cloud Infrastructure Compute Classic account, create the source controller (Control-S) instance, which includes Oracle Cloud Infrastructure Classic Java Migration Tool.

The Control-S compute instance must be created in the same identity domain and site as the source Oracle Java Cloud Service instance that you want to migrate.

The Control-S compute instance and associated storage volumes are by default billed at the applicable rates for your account. However, you can rename these resources so that the name includes /oraclemigration as a container. Resources created in this /oraclemigration container aren't billed to your account.

Access the Oracle Cloud Infrastructure Compute Classic Console.
Click Create Instance.
Click Show All Images.
Select the image OL_7.5_UEKR4_x86_64_MIGRATION, which is found under Oracle Images.
Click Next.
Select a Shape with a sufficient number of OCPUs for the migration task.
Click Next.
Enter a Name, or use the default instance name.
Select an existing public SSH Key or add a new one. You'll use the corresponding private key to connect to the Control-S instance.
Click Next.
Verify that Shared Network is selected.
For Public IP Address, select Persistent Public IP Reservation.
For Security Lists, verify that the default security list is selected, which allows SSH inbound traffic.
Also ensure that security rules are in place to allow SSH outbound, SMB inbound, and HTTPS outbound traffic.
If you want to migrate instances that have an interface on an IP network, then configure the network interfaces of the Control-S instance on the relevant IP networks as well, so that the Control-S instance can access the source instances that you want to migrate.
Complete the creation of the compute instance.
Wait until its status is Running.
Optional: Move the Control-S instance and storage volumes into the /oraclemigration container.
Alternatively, if you create the Control-S instance using the API, CLI, or Terraform, you can specify /oraclemigration in the resource names as part of the instance parameters.
1. Click the Orchestrations tab.
2. Locate the relevant orchestration for your compute instance, and from the menu, select Suspend.
3. After the orchestration status changes to Suspended, from the menu, select Update.
4. From the Instance section, click the menu and select Edit JSON.
5. In the Edit Orchestration Object JSON window, locate the instance name. This is usually displayed within the template section, after networking.
```
"name": "/Compute-Identity_Domain/User/Instance",
```
  Modify the instance name to include the /oraclemigration container. For example:
```
"name": "/Compute-ExampleDomain/user@example.com/oraclemigration/MyControlS",
```
6. Click Update.
7. From the Orchestrations page, go to the relevant orchestration and from the menu, select Terminate.
8. After the orchestration status changes to Stopped, from the menu, select Update.
9. From the Storage Volume section, go to the relevant storage volume, click the menu and select Edit JSON.
10. In the Edit Orchestration Object JSON window, locate the storage volume name in the template section:
```
"name": "/Identity_Domain/User/Volume",
```
  Modify the instance name to include the /oraclemigration container. For example:
```
"name": "/Compute-ExampleDomain/user@example.com/oraclemigration/MyControlS_storage",
```
11. Click Update.
12. Repeat these steps for any other storage volume in this orchestration that you want to move to the /oraclemigration container.
13. From the Orchestrations page, go to the relevant orchestration and from the menu, select Start.
Use an SSH client and your private key to log into the Control-S compute instance as the opc user.

Update the Secret File

All of the tools required for the migration are already installed on the Control-S instance, but additional configuration is required to provide details about the source and target environments.

A single Control-S instance can migrate resources only from a single Oracle Cloud Infrastructure Classic account and site, and only to a single Oracle Cloud Infrastructure tenancy, region, and availability domain.

From the Control-S compute instance, copy /home/opc/ansible/secret.yml.sample to /home/opc/ansible/secret.yml.
Edit /home/opc/ansible/secret.yml.
Update the following Oracle Cloud Infrastructure parameters.
- compartment_id is the OCID of the compartment where you want to create the target instance.
- user_id is the OCID of the Oracle Cloud Infrastructure user.
- fingerprint is the API key fingerprint of the user.
- tenancy_id is the OCID of the Oracle Cloud Infrastructure tenancy.
- region is the Oracle Cloud Infrastructure region where you want to create the target instance.
- availability_domain is the availability domain where you want to create the target instance.
- subnet_id is the OCID of the subnet where you want to create the instance.
For example:
```
# OCI info
compartment_id: ocid1.compartment.oc1..aaaaaaaa...
user_id: ocid1.user.oc1..aaaaaaaa...
fingerprint: a0:a0:a0:a0:a0...
tenancy_id: ocid1.tenancy.oc1..aaaaaaaa...
region: us-ashburn-1
availability_domain: kWVD:US-ASHBURN-AD-3
...
subnet_id: ocid1.subnet.oc1.iad.aaaaaaaa...
```
Modify permissions on this file to restrict access.
```
chmod 600 /home/opc/ansible/secret.yml
```
Apply the configuration to the system.
```
opcmigrate migrate instance service setup
```
This command creates the required files /home/opc/.opc/profiles/default and /home/opc/.oci/config.
Copy the Oracle Cloud Infrastructure user's PEM key file to the Control-S instance. Name the file /home/opc/.oci/oci_api_key.pem.
Modify permissions on the Oracle Cloud Infrastructure key file to restrict access.
```
chmod 600 /home/opc/.oci/oci_api_key.pem
```
Copy the public and private SSH key files required for accessing your source Oracle Java Cloud Service instance to the Control-S instance.
Modify permissions on the Oracle Java Cloud Service key files to restrict access.
For example:
```
chmod 600 /home/opc/jcskey.pub
chmod 600 /home/opc/jcskey
```

Update the Default Profile File

The Oracle Cloud Infrastructure Classic Java Migration Tool connects to your source environment using information that you provide in a profile file.

The information you provide in the profile file includes the user name or identity for each service in the source environment, as well as the service end point and region. If you want to run the tool in multiple regions or tenancies, you can create separate profile files for each region and tenancy.

You also provide connectivity details for each Oracle Java Cloud Service instance that you want to migrate. If you include the WebLogic Server administrator credentials for a service instance, Oracle Cloud Infrastructure Classic Java Migration Tool also migrates any Oracle Fusion Middleware security resources (custom users, groups, roles, policies, or credential maps) to the target domain.

Access the Oracle Cloud Infrastructure Compute Classic Console.
Click the Site select box.
Record the REST Endpoint.
Identify and record your Oracle Java Cloud Service REST Endpoint.
See Send Requests in REST API for Oracle Java Cloud Service.
Access the Oracle Java Cloud Service Console.
Click the source instance.
Click Instance Details , and then record the Region in which the source instance was created.
From the Control-S compute instance, create a properties file with the WebLogic Server administrator user name and password of your source instance.
```
admin_user=your_username
admin_password=your_password
```
This step is required only if the source domain includes custom users, groups, roles, policies or credential maps.
From the Control-S compute instance, edit the file /home/opc/.opc/profiles/default.

In the compute section, update the endpoint and user parameters. Enter the name of a user with access to Oracle Cloud Infrastructure Compute Classic.

"compute": {
  "endpoint": "Compute_Endpoint",
  "user": "/Compute-Identity_Domain/User_Name"
  ...

For example:

"compute": {
  "endpoint": "compute.uscom-central-1.oraclecloud.com"
  "user": "/Compute-ExampleDomain/user@example.com",
  ...

Optional: Enter the location of a file that contains your Oracle Cloud Infrastructure Compute Classic password.
For example:
```
"compute": {
  "endpoint": "compute.uscom-central-1.oraclecloud.com"
  "user": "/Compute-ExampleDomain/user@example.com",
  "password-file": "/home/opc/.opc/password-file",
  ...
```
If you don't specify a password file for a service, you'll be prompted to provide the password when you run the tool.

If not already present, add the paas section to the file.

{
  ...
  "compute": {
  ...
  },
  "paas": {
    "user": "User_Name",
    "identity_id": "Identity_Domain_Id",
    "endpoint": "PaaS_Endpoint",
    "region": "Source_Region"
  }
}

For example:

{
  ...
  "compute": {
  ...
  },
  "paas": {
    "user": "user@example.com",
    "identity_id": "idcs-0000abcd0000defg0000hijk0000lmno",
    "endpoint": "psm.us.oraclecloud.com",
    "region": "uscom-central-1"
  }
}

Add the jcs section to the file. Specify the locations of the public and private SSH key files for your source Oracle Java Cloud Service instance.

{
  ...
  "paas": {
  ...
  },
  "jcs": {
    "Instance_Name": {
      "ssh_private_key": "Private_Key_File",
      "ssh_public_key": "Public_Key_File"
    }
  }
}

For example:

{
  ...
  "paas": {
  ...
  },
  "jcs": {
    "MyJavaInstance": {
      "ssh_private_key": "/home/opc/jcskey",
      "ssh_public_key": "/home/opc/jcskey.pub"
    }
  }
}

In the jcs section, specify the location of the properties file that contains the WebLogic Server credentials for the source instance.
For example:
```
...
  "jcs": {
    "MyJavaInstance": {
      "ssh_private_key": "/home/opc/jcskey",
      "ssh_public_key": "/home/opc/jcskey.pub",
      "wls_admin_properties": "/home/opc/wls_admin_properties"
    }
```
This step is required only if the source domain includes custom users, groups, roles, policies or credential maps.

Discover Resources in Your Source Environment

To discover all Oracle Cloud Infrastructure Classic resources in the services for which you've provided credentials, log in to the Control-S instance and run the following command.

opcmigrate discover

When prompted, enter the passwords for the user names that you specified in the default profile.

For example:

opcmigrate discover
Compute Classic Password [/Compute-ExampleDomain/user@example.com]:
INFO Authenticating with OCI Classic Compute API
INFO Compute Endpoint: https://compute.uscom-central-1.oraclecloud.com
INFO Discovering resources for "ExampleDomain".
WARNING Load Balancer Classic credentials not configured in profile
PaaS Services Password [user@example.com]:
WARNING Object Storage Classic credentials not configured in profile
INFO Discovering containers: ['/Compute-ExampleDomain']
INFO Getting Account Resources for /Compute-ExampleDomain
INFO Getting Network Resources for /Compute-ExampleDomain
INFO Getting Network Resources for /oracle/public
INFO Getting Instance Resources for /Compute-ExampleDomain
INFO Getting Instance Resources for /oracle/public
INFO Getting Instances for /Compute-ExampleDomain
INFO Getting PaaS Resources for uscom-central-1
INFO Storing discovered resources to 'resources-default.json'

List Your Oracle Java Cloud Service Instances

To list the Oracle Java Cloud Service instances in the source environment, log in to the Control-S instance and run the following command.

opcmigrate migrate jcs list

This command uses the output generated by the discover command to identify and list the available Oracle Java Cloud Service instances.

For example:

opcmigrate migrate jcs list
INFO Loaded resources from 'resources-default.json' ...
Java Cloud Service Instances

Name                 Version              State                Description      
-------------------- -------------------- -------------------- ------------------------------------------------------------
MyJavaInstance       11gR1                READY                My first instance
AnotherInstance      12cR3                READY                My second instance

Export Your Source Instance Configuration

To create an archive of the source Oracle Java Cloud Service instance using the WebLogic Server Deploy Tooling, log in to the Control-S instance and run the following command.

opcmigrate migrate jcs export -s <instance_name>

This command creates the following files:

<instance_name>-<date>-<timestamp>.tgz: An archive of the source instance, which includes the applications that are on the source instance as well as the domain configuration metadata. This archive is uploaded to Oracle Cloud Infrastructure Object Storage.
<instance_name>-<date>-<timestamp>.json: You edit this file to specify the required passwords for the target domain, as well as to specify any configuration parameters that will be different on the target instance.

For example:

opcmigrate migrate jcs export -s MyJavaInstance
INFO Loaded resources from 'resources-default.json' ...
INFO Exporting JCS service 'MyJavaInstance'
INFO Installing Oracle WebLogic Server Deploy Tooling on 203.0.113.13
INFO Create temporary directory on controller
INFO Download WebLogic Deploy Tooling to controller
INFO Upload and Extract WebLogic Deploy Tooling archive to remote host
INFO Remove temporary directory from controller
INFO Exporting WebLogic Domain at 203.0.113.13
INFO Create temporary directory on remote host
INFO Run WebLogic Deploy Tooling discoverDomain.sh command
INFO Download discovered domain files to controller
INFO Remove temp directory from remote
INFO Generating WebLogic config template 'MyJavaInstance-20190722-18:50:35.json'
INFO Creating instance archive 'MyJavaInstance-20190722-18:50:35.tgz'
INFO Uploading artifacts to object storage
INFO JCS service 'MyJavaInstance' export complete

By default, this command uses the resources-default.json file in the local directory. You can use the --file option to specify a resources file with a different name or in a different directory.

Perform Prerequisite Tasks for Oracle Java Cloud Service

Before you create an Oracle Java Cloud Service instance in an Oracle Cloud Infrastructure region, you must create the required infrastructure and database resources.

Create the following Oracle Cloud Infrastructure resources if they don't already exist:
- A compartment
- A virtual cloud network (VCN) and at least one subnet
- A storage bucket and user authentication token for backups (optional)
- Policies that allow Oracle Java Cloud Service to access the resources in your compartment
See Prerequisites for Oracle Platform Services in the Oracle Cloud Infrastructure documentation.
Create a database in Oracle Cloud Infrastructure Database if one doesn't already exist.

Oracle Java Cloud Service will provision the required infrastructure schema to this database. See Managing Bare Metal and Virtual Machine DB Systems in the Oracle Cloud Infrastructure documentation.

Create the Target Instance on Oracle Cloud Infrastructure

Create a new Oracle Java Cloud Service instance in an Oracle Cloud Infrastructure region. This instance must have the same topology and configuration as the source instance in Oracle Cloud Infrastructure Classic.

You can use a Terraform configuration generated by Oracle Cloud Infrastructure Classic Java Migration Tool to create the target instance. Alternatively, you can create the target instance by using the Oracle Java Cloud Service Console, CLI, API, or any other supported method.

Because your source and target instances are located in the same Oracle Cloud account (identity domain), they cannot have identical instance names.

The domain, server, and cluster names in a service instance are derived from the first eight characters of the instance name. For example, the following instance names are different, but result in identical domain, server, and cluster names in Oracle WebLogic Server:

MyJCSInstance
MyJCSInstanceOCI

Create the Target Instance Using the Console

You can use the Oracle Java Cloud Service Console to create the service instance on Oracle Cloud Infrastructure.

From the Oracle Java Cloud Service Console, click Create Instance.
Enter an Instance Name.
Select an Oracle Cloud Infrastructure Region, Availability Domain, and Subnet.
For Service Level and Software Edition, select the same values as the source instance.
For Software Release, select the same major version (X.Y) as the source instance.
For example, 12.2.1.2 and 12.2.1.3 are the same major version of Oracle WebLogic Server.
Click Next.
Click Advanced.
For WebLogic Clusters, create the same number of clusters as the source instance. Also set the cluster names and server counts to the same values as the source instance.
For example, if the source instance has a single cluster named cluster1 with a server count of 3, then the target instance must have the same configuration.
For the Compute Shape of your WebLogic Cluster, select an Oracle Cloud Infrastructure shape that most closely matches the number of Oracle Compute Units (OCPUs) and the amount of memory that are available in the Oracle Cloud Infrastructure Classic shape in your source instance.
See Select Oracle Cloud Infrastructure Shapes.
If your source instance uses Oracle Identity Cloud Service for authentication, then select Enable Authentication Using Identity Cloud Service.
For SSH Public Key, upload an existing key or generate a new one.
For Local Administrative User Name and Password, enter the same Oracle WebLogic Server administrator credentials as your source instance.
If your source instance includes an Oracle Traffic Director load balancer, then select a Compute Shape for the load balancer that most closely matches the Oracle Cloud Infrastructure Classic shape in the source instance.
If your source instance includes an Oracle Coherence data grid cluster, then select the same Cluster Size and Managed Servers Per Node as the data grid cluster in the source instance. Also select a Compute Shape for the data grid cluster that most closely matches the Oracle Cloud Infrastructure Classic shape.
For Database Type, select Oracle Cloud Infrastructure Database.
Select the Compartment Name where your Oracle Cloud Infrastructure Database resides.
For Database Instance Name, select the Oracle Cloud Infrastructure Database that you created for the Oracle Java Cloud Service infrastructure schema.
Also enter a value for PDB Name if applicable.
Enter the Password for your database system administrator.
Complete the instance creation wizard.

For more information about using the console, see Create an Oracle Java Cloud Service Instance Attached to a Public Subnet on Oracle Cloud in Administering Oracle Java Cloud Service.

Create the Target Instance Using Terraform

You can use Oracle Cloud Infrastructure Classic Java Migration Tool and Terraform to create the target instance.

Log in to the Control-S instance and run the following command:
```
opcmigrate migrate jcs create -s <instance_name> -o jcs_instance.tf
```
In the Terraform configuration generated by this command, the appropriate compute shape is selected automatically. The tool also creates a unique name for the target instance based on the name of the source instance.
Create a file named terraform.tfvars file. Add the following parameters:
- user_ocid is the OCID of the Oracle Cloud Infrastructure user.
- fingerprint is the API key fingerprint of the user.
- private_key_path is the path to the API PEM key file.
- region is the Oracle Cloud Infrastructure region where you want to create the instance.
- tenancy_ocid is the OCID of the Oracle Cloud Infrastructure tenancy.
- compartment_id is the OCID of the compartment where you want to create the instance.
- subnet_id is the OCID of the subnet where you want to create the instance.
- identity_domain is the Identity Service Id.
- identity_user is the name of the federated user that has the Java Administrator role.
- identity_password is the password of the federated user.
- weblogic_admin_username is the user name of the WebLogic Server administrator.
- weblogic_admin_password is the password of the WebLogic Server administrator.
- weblogic_database_username is the user name of the database administrator.
- weblogic_database_password is the password of the database administrator.
For example:
```
user_ocid="ocid1.user.oc1..aaa..."
fingerprint="81:45..."
private_key_path="/home/opc/oci_api_key.pem"
region="us-ashburn-1"
tenancy_ocid="ocid1.tenancy.oc1..aaa..."
compartment_id="ocid1.compartment.oc1..aaa..."
subnet_id="ocid1.subnet.oc1.iad.aaa..."
identity_domain="idcs-9bd53..."
identity_user="user@example.com"
identity_password="Your_Password"
weblogic_admin_username="weblogic"
weblogic_admin_password="Your_Password"
weblogic_database_username="sys"
weblogic_database_password="Your_Password"
```

Add the weblogic_database_connect_string parameter to the file. Enter the database connection string used by the instance to connect to the database and to provision the infrastructure schema.

The following table shows the URL format to use, depending on the Oracle Database version, and whether you created a Virtual Machine (VM) or Bare Metal database type.

Database Version	Database Type	URL Format
12c	VM	`//<db_hostname>-scan.<db_domain>:<db_port>/<pdb_name>.<db_domain>`
12c	Bare Metal	`//<db_hostname>.<db_domain>:<db_port>/<pdb_name>.<db_domain>`
11g	VM	`//<db_hostname>-scan.<db_domain>:<db_port>/<db_unique_name>.<db_domain>`
11g	Bare Metal	`//<db_hostname>.<db_domain>:<db_port>/<db_unique_name>.<db_domain>`

If you did not specify a PDB name when you created an Oracle Cloud Infrastructure Database that is running Oracle Database 12c, the default name is <db_name>_pdb1.

For example:

weblogic_database_connect_string="//myinfradb-scan.mydbsubnet.myvcn.oraclevcn.com:1521/pdb1.mydbsubnet.myvcn.oraclevcn.com"

By default, the Terraform configuration creates your instance in the first availability domain in the specified region. If you want to change the availability domain where the instance is created, edit the Terraform configuration file.
1. Edit the file jcs_instance.tf.
2. Edit the local variable, ad.
```
locals {
  ad                         = 0
  subnet_availability_domain = ...
}
```
  The value 0 is used to specify AD-1. Change the value to 1 to specify AD-2, or 2 to specify AD-3.
To initialize Terraform, run this command.
```
terraform init
```

To create the Oracle Java Cloud Service instance, run this command.

terraform apply

Enter yes when prompted.

For example:

terraform apply
...
Terraform will perform the following actions:
  + oraclepaas_java_service_instance.MyJavaInstance_9de860
      id:                                       <computed>
      availability_domain:                      "QnsC:US-ASHBURN-AD-1"
...
Plan: 1 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.
  Enter a value: yes
oraclepaas_java_service_instance.MyJavaInstance_9de860: Creating...
...
oraclepaas_java_service_instance.MyJavaInstance_9de860: Still creating... (23m0s elapsed)
oraclepaas_java_service_instance.MyJavaInstance_9de860: Creation complete after 23m8s (ID: MyJavaInstanceOCI)
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

From the output, identify the name of the new instance.

Use the Oracle Java Cloud Service Console to identify the IP address of the first node in the target instance.

For more information about the Oracle Cloud Platform provider for Terraform, see oraclepaas_java_service_instance in the HashiCorp Terraform documentation.

Migrate Oracle Fusion Middleware Security Resources

If you customized the Oracle WebLogic Server security providers in your source Oracle Java Cloud Service instance, then you must apply the same changes in the target service instance.

If you specified the WebLogic Server administrator credentials for your source instance in the default profile, the Oracle Cloud Infrastructure Classic Java Migration Tool automatically migrates the following Oracle Fusion Middleware security resources from the source domain to the target domain:

Users
Groups
Roles
Policies
Keystores
Credential maps
Audit policies
Web Services Manager (WSM) policies

The tool does not automatically update the security providers in the target instance.

Access the Fusion Middleware Control Console for your source instance.
https://<source_admin_ip>:7002/em
Sign in to the console as your Oracle WebLogic Server system administrator.
From a different browser window or tab, sign in to the Fusion Middleware Control Console for your target instance.
https://<target_admin_ip>:7002/em
From both consoles, click WebLogic Domain, select Security, and then select Security Provider Configuration.
Compare the security provider configuration of the source and target instances, and then update the configuration of the target instance as necessary.

Do not modify the Security Store.

Migrate Oracle Identity Cloud Service Roles and Policies

If your source Oracle Java Cloud Service instance uses Oracle Identity Cloud Service for authentication, then you must migrate the administrator roles and web tier policy to the target instance.

The source and target instances are each associated with a security application in Oracle Identity Cloud Service. The security application grants administrative rights for the WebLogic Server domain to specific users and groups in Oracle Identity Cloud Service.

Your source and target instances must be in the same identity domain.

Access the Oracle Identity Cloud Service console.
Click the navigation drawer , and then select Applications.
Export the administrator roles for your source instance.
1. Click the security application for your source instance, JaaS_<source_instance_name>.
2. Click Application Roles.
3. Click Export, and then select Export All.
4. When prompted for confirmation, click Export Application Roles.
5. Click the job ID.
  If a job ID link is not displayed, click the navigation drawer , select Jobs, and then click the job.
6. After the export job has finished, click Download. Save the file AppRoleExport_<id>.csv to your computer.
7. Click the navigation drawer , and then select Applications.
Export the web tier policy for your source instance.
1. Click the security application for your source instance, JaaS_<source_instance_name>.
2. Click Web Tier Policy.
3. Click Export. Save the file CloudGatePolicy.txt to your computer.
4. From the navigation links at the top of the page, click Applications.
Import the administrator roles to your target instance.
1. Click the security application for your target instance, JaaS_<target_instance_name>.
2. Click Application Roles.
3. Click Import.
4. Select the file AppRoleExport_<id>.csv on your computer, and then click Import.
5. Click the job ID link.
  If a job ID link is not displayed, click the navigation drawer , select Jobs, and then click the job.
6. Verify that the import job has finished.
  You can ignore any error in the job with these messages:
  - "Grant already exists" - the same user or group is already assigned to the role
  - "Missing required attribute(s): Grantee" - no users or groups are assigned to the role
7. Click the navigation drawer , and then select Applications.
Import the web tier policy to your target instance.
1. Click the security application for your target instance, JaaS_<target_instance_name>.
2. Click Web Tier Policy.
3. Click Import. Select the file CloudGatePolicy.txt on your computer.
  You might need to refresh your web browser in order to view the resources that you imported from the policy file.
4. Click Validate.
5. Verify that the web tier policy validation was successful.
6. From the navigation links at the top of the page, click Applications.
Assign any custom applications to the roles for your target instance.
1. Click the security application for your source instance, JaaS_<source_instance_name>.
2. Click Application Roles.
3. If there is an Applications Assigned link for the first role, click this link, and then record the application names for this role.
4. Repeat the previous step for all remaining roles in this application.
5. From the navigation links at the top of the page, click Applications.
6. Click the security application for your target instance, JaaS_<target_instance_name>.
7. Click Application Roles.
8. Click Menu for the first role, and then select Assign Applications.
9. Select the same applications that are assigned to this role in the source instance, and then click OK.
10. Repeat the previous step for all remaining roles in this application.
11. From the navigation links at the top of the page, click Applications.
Configure any custom security settings for your target instance.
1. Click the security application for your source instance, JaaS_<source_instance_name>.
  The Details page is displayed.
2. From a different browser window or tab, view the security application for your target instance, JaaS_<target_instance_name>.
3. Compare the Details page of the source and target applications, and then update the target application as necessary. Click Save.
4. From both browser windows or tabs, click Configuration.
5. Expand Resources on the Configuration page.
6. Compare the Resources of the source and target applications, and then update the target application as necessary. Click Save.
  Ignore the resources named OCMSApp and LBAAS. You do not need to create these resources in the target instance.
7. Expand Client Configuration on the Configuration page.
8. Compare the Client Configuration of the source and target applications, and then update the target application as necessary.

Edit the Target Configuration File

The export command creates a file that contains parameters for updating the target WebLogic Server domain. Specify JDBC URLs and passwords, SSL keystore passwords, and other details for the target instance.

For security purposes, Oracle WebLogic Server Deploy Tooling excludes the values of all passwords during domain discovery.

On the Control-S instance, edit the file <instance_name>-<date-time-stamp>.json.
Refer to the output from the export command to determine the specific file name.
Update the following attributes.
- JCSServiceName - The name of the target Oracle Java Cloud Service instance
- JCSAdminIPAddress - The IP address of the first node in the target instance (running the Administration Server)
- WeblogicAdminUser - The user name for the WebLogic Server domain administrator on the target instance
- WeblogicAdminPassword - The password for the WebLogic Server domain administrator on the target instance
If your source instance includes a load balancer, then update the FrontendHost attribute for each cluster in the Cluster node. Enter the public IP address of the load balancer in your target instance.
Example:
```
"topology": {
  "Cluster": {
    "cluster": {
      "FrontendHost": "<target_LB_IP>"
    }
  ...
}
```
If you configured any custom startup arguments for a server in your source instance, then update the AdditionalServerStartArguments attribute for each server in the Server node.
Set the value of AdditionalServerStartArguments to the custom arguments only.
Example:
```
"topology": {
  ...
  "Server": {
    ...
    "server_1": {
      ...
      "AdditionalServerStartArguments": "-Dmy.custom.arg=true"
    }
  ...
}
```

If the servers in your source instance are configured to use custom identity and trust keystore files, then update the file with the keystore passwords.

CustomIdentityKeyStorePassPhrase
CustomTrustKeyStorePassPhrase
ServerPrivateKeyPassPhrase

Example:

"topology": {
  ...
  "Server": {
    "server_1": {
      ...
      "CustomIdentityKeyStorePassPhrase": "<your_password>",
      "CustomTrustKeyStorePassPhrase": "<your_password>",
      "ServerPrivateKeyPassPhrase": "<your_password>"
    }
  ...
}

If your source instance includes custom Java Database Connectivity (JDBC) data sources, then provide the location and password of the new application databases in Oracle Cloud Infrastructure.

For each data source in the JDBCSystemResource node, update the password attribute.

Example:

"resources": {
  "JDBCSystemResource": {
    "MyDataSource1": {
      ...
      "password": "<your_password>"
    }
  }
  ...

For each data source, find the url attribute and specify the URL to the corresponding Oracle Cloud Infrastructure Database.

The following table shows the URL format to use, depending on the Oracle Database version, and whether you created a Virtual Machine (VM) or Bare Metal database type.

Database Version	Database Type	URL Format
12c	VM	`jdbc:oracle:thin:@//<db_hostname>-scan.<db_domain>:<db_port>/<pdb_name>.<db_domain>`
12c	Bare Metal	`jdbc:oracle:thin:@//<db_hostname>.<db_domain>:<db_port>/<pdb_name>.<db_domain>`
11g	VM	`jdbc:oracle:thin:@//<db_hostname>-scan.<db_domain>:<db_port>/<db_unique_name>.<db_domain>`
11g	Bare Metal	`jdbc:oracle:thin:@//<db_hostname>.<db_domain>:<db_port>/<db_unique_name>.<db_domain>`

The following example shows a Virtual Machine database named myappdb, that is running Oracle Database 12c, and contains a PDB named pdb1:

"resources": {
  "JDBCSystemResource": {
    "MyDataSource1": {
      "url": "jdbc:oracle:thin:@//myappdb-scan.mydbsubnet.myvcn.oraclevcn.com:1521/pdb1.mydbsubnet.myvcn.oraclevcn.com",
      ...
    }
  }
  ...

If your source instance includes any Foreign JNDI Providers, Foreign JMS Servers, JMS Bridge Destinations, or Store-and-Forward (SAF) Contexts, then provide the locations and passwords for these external resources.
1. For each provider in the ForeignJNDIProvider node, update the password attribute.
  Also update the url attribute if the location of this JNDI server is different than the JNDI server in the source environment.
  Example:
```
"resources": {
  ...
  "ForeignJNDIProvider": {
    "MyJNDIProvider1": {
      "url": "t3://myjndiserver.example.com:9073", 
      "password": "<your_password>"
    }
  }
  ...
```
2. For each foreign server in the ForeignJMSServer node, update the password attributes.
  Also update the url attribute if the location of this JMS server is different than the JMS server in the source environment.
  Example:
```
"resources": {
  ...
  "ForeignJMSServer": {
    "MyForeignJMS1": {
      "url": "t3://myjms.example.com:9073",
      "ForeignConnectionFactory": {
        "MyForeignJMS1Factory": {
          "password": "<your_password>"
        }
      }
    }
  }
  ...
```
3. For each bridge destination in the JMSBridgeDestination node, update the password attribute.
  Also update the url attribute if the location of this bridge destination is different than the bridge destination in the source environment.
  Example:
```
"resources": {
  ...
  "JMSBridgeDestination": {
    "MyBridgeDest1": {
      "url": "t3://myjms.example.com:9073", 
      "password": "<your_password>"
    }
  }
  ...
```
4. For each SAF context in the SAFLoginContext node, update the password attribute.
  Also update the url attribute if the Store-and-Forward destination server is different than the server in the source environment.
  Example:
```
"resources": {
  ...
  "SAFLoginContext": {
    "MySAF1": {
      "url": "t3://myjms.example.com:9073", 
      "password": "<your_password>"
    }
  }
  ...
```

If your source instance includes any JavaMail sessions, then update the passwords for each mail session in the MailSession node.

Example:

"resources": {
  ...
  "MailSession": {
    "MyMailSession1": {
      "password": "<your_password>",
      "properties": {
        "mail.smtp.password": "<your_password>",
        "mail.imap.password": "<your_password>"
      }
    }
  }
  ...

If your source instance includes any custom WebLogic Diagnostic Framework (WLDF) REST notification endpoints, then provide the passwords for each WLDF resource in the WLDFSystemResource node.
Also update the url attribute if the destination server is different than the server in the source environment.
Example:
```
"resources": {
  ...
  "WLDFSystemResource": {
    "MyModule": {
      "RestNotification": {
        "MyNotification1": {
          "url": "http://myserver.example.com:9073/notify",
          "password": "<your_password>"
        }
      }
    }
  }
  ...
```

Copy Supporting Files to the Target Instance

Identify and copy any files to your target Oracle Java Cloud Service instance that are not managed by Oracle WebLogic Server Deploy Tooling.

Oracle WebLogic Server Deploy Tooling automatically finds and archives the following types of files in your source instance's domain configuration. It also adds these files to your target instance's domain configuration:

Application deployments
Library deployments
Custom keystores

Other files that your applications or domain resources require are not automatically managed by Oracle WebLogic Server Deploy Tooling, including files that are located outside the DOMAIN_HOME directory. You must manually copy these files to the target instance.

Use SSH to connect to the Administration Server node in your source instance.
```
ssh -i <privatekey> opc@<source_admin_IP>
```
Switch to the oracle user.
```
sudo su - oracle
```
Identify any supporting files that need to be copied to the target instance.
Copy the files to the /tmp directory.
Example:
```
cp /u01/myfiles/app.properties /tmp
```
Note:
If you have multiple files to transfer, then consider adding them to a single archive file.
Change the owner of the files to the opc user.
Example:
```
exit
sudo chown opc:opc /tmp/app.properties
```
Disconnect from the node.
Use SCP to download the files from the Administration Server node in your source instance to your local computer.
Example:
```
scp -i <privatekey> opc@<source_admin_IP>:/tmp/app.properties .
```
Use SCP to upload the files to the Administration Server node in your target instance.
Example:
```
scp -i <privatekey> app.properties opc@<target_admin_IP>:/tmp
```
Use SSH to connect to the Administration Server node in your target instance.
```
ssh -i <privatekey> opc@<target_admin_IP>
```
Change the owner of the files to the oracle user.
Example:
```
sudo chown oracle:oracle /tmp/app.properties
```
Switch to the oracle user.
```
sudo su - oracle
```
Move the files to the same location that they were found on the source instance.
Example:
```
mkdir /u01/myfiles
mv /tmp/app.properties /u01/myfiles
```
Disconnect from the node.

Import the Target Instance Configuration

After the target Oracle Java Cloud Service instance is running on Oracle Cloud Infrastructure, use Oracle Cloud Infrastructure Classic Java Migration Tool to import the WebLogic Server domain configuration that you previously exported from the source instance.

The tool downloads the archive from Oracle Cloud Infrastructure Object Storage, updates your target instance's domain configuration with the values provided in the JSON file, deploys your applications, and then restarts the domain.

Oracle Cloud Infrastructure Classic Java Migration Tool creates a bastion compute instance in Oracle Cloud Infrastructure in order for the Control-S instance to access your target service instance. After updating the target service instance, the tool deletes the temporary bastion compute instance.

Run the following command.

opcmigrate migrate jcs import -c <instance_name>-<date>-<timestamp>.json -a <instance_name>-<date>-<timestamp>.tgz

For example:

opcmigrate migrate jcs import -c MyJavaInstance-20190813.json -a MyJavaInstance-20190813.tgz
INFO Loaded resources from 'resources-default.json' ...
INFO Importing JCS service 'MyJavaInstance'
...
INFO Provisioning bastion host
INFO Initializing Terraform
INFO Applying Terraform
INFO Bastion host provisioned: 203.0.113.50
INFO Waiting for SSH to become available
INFO Installing Oracle WebLogic Server Deploy Tooling on 203.0.113.14
INFO Create temporary directory on controller
INFO Download WebLogic Deploy Tooling to controller
INFO Upload and Extract WebLogic Deploy Tooling archive to remote host
INFO Remove temporary directory from controller
INFO Uploading WebLogic Domain related files to 203.0.113.14
...
INFO Run WebLogic Deploy Tooling validateModel.sh command
INFO Stopping WebLogic domain
INFO Stop WebLogic Domain
INFO Updating WebLogic domain
INFO Set target host full path names for uploaded files
INFO Update WebLogic Domain
INFO Starting WebLogic domain
INFO Start WebLogic domain
INFO Tearing down bastion host...
INFO Tearing down Terraform
INFO JCS service 'MyJavaInstance' import complete