4 Migrate an Instance to Oracle WebLogic Server for Oracle Cloud Infrastructure Using Classic Tools

Use the Oracle Cloud Infrastructure Classic Java Migration Tool to migrate your Oracle WebLogic Server domain resources and applications from your existing Oracle Java Cloud Service instance in Oracle Cloud Infrastructure Classic to a new domain in Oracle WebLogic Server for Oracle Cloud Infrastructure.

Note:

Oracle recommends migrating your existing domains in Oracle Java Cloud Service to Oracle WebLogic Server for Oracle Cloud Infrastructure.

Before you begin the migration process, see Prepare to Migrate Oracle Java Cloud Service to Oracle Cloud Infrastructure.

When you migrate an Oracle Java Cloud Service instance, the following terms are used:

  • Source: The Oracle Java Cloud Service instance in Oracle Cloud Infrastructure Classic.
  • Target: The domain and related cloud resources in Oracle WebLogic Server for Oracle Cloud Infrastructure.

Get Information About the Target Environment

Collect the information required for the migration tools to connect to the target Oracle Cloud Infrastructure environment.

  1. Access the Oracle Cloud Infrastructure Console.
  2. From the menu, choose Administration and then choose Tenancy Details.
  3. Record the tenancy's OCID and Home Region.
  4. From the menu, choose Identity and then Users.
  5. Click your user name.
  6. Record the user's OCID. Under API Keys, record the Fingerprint.
    You will also need the corresponding PEM key file.
  7. From the menu, choose Identity and then Compartments.
  8. Record the OCID of the compartment where you want to create the instance.
  9. From the menu, choose Identity and then Federation.
  10. From the Oracle Identity Cloud Service Console URL, identify and record the identity domain ID, which has the format idcs-<guid>.
  11. From the menu, choose Networking and then Virtual Cloud Networks (VCN).
  12. Select the Compartment where you want to create the instance.
  13. Click the VCN in which you want to create this instance.
  14. Under Subnets, click the subnet in which you want to create this instance.
  15. Record the subnet's OCID. If it is not a regional subnet, then also record the subnet's Availability Domain.
  16. If you selected a regional subnet, then choose an availability domain for the target instance.
    1. Access the Oracle Java Cloud Service Console.
    2. Click Create Instance.
    3. Select your Region.
    4. From Availability Domain, record the name of the availability domain in which you want to create this instance.
    5. Click Cancel.

The following table shows sample values for each input.

Name                      Sample Value
------------------------- ----------------------------------------
Tenancy OCID              ocid1.tenancy.oc1..aaaaaaaaju6k54i7...
User OCID                 ocid1.user.oc1..aaaaaaaahvtv5qo...
User API Key Fingerprint  81:45:aa:...
Compartment OCID          ocid1.compartment.oc1..aaaaaaaaz...
Region                    us-ashburn-1
Availability Domain       kWVD:US-ASHBURN-AD-3
Subnet OCID               ocid1.subnet.oc1.iad.aaaaaaaarz7...
Identity Domain ID        idcs-9bd53...

Launch the Migration Controller Instance in the Source Environment

In your Oracle Cloud Infrastructure Compute Classic account, create the source controller (Control-S) instance, which includes Oracle Cloud Infrastructure Classic Java Migration Tool.

The Control-S compute instance must be created in the same identity domain and site as the source Oracle Java Cloud Service instance that you want to migrate.

The Control-S compute instance and associated storage volumes are by default billed at the applicable rates for your account. However, you can rename these resources so that the name includes /oraclemigration as a container. Resources created in this /oraclemigration container aren't billed to your account.

  1. Access the Oracle Cloud Infrastructure Compute Classic Console.
  2. Click Create Instance.
  3. Click Show All Images.
  4. Select the image OL_7.5_UEKR4_x86_64_MIGRATION, which is found under Oracle Images.
  5. Click Next.
  6. Select a Shape with a sufficient number of OCPUs for the migration task.
  7. Click Next.
  8. Enter a Name, or use the default instance name.
  9. Select an existing public SSH Key or add a new one. You'll use the corresponding private key to connect to the Control-S instance.
  10. Click Next.
  11. Verify that Shared Network is selected.
  12. For Public IP Address, select Persistent Public IP Reservation.
  13. For Security Lists, verify that the default security list is selected, which allows SSH inbound traffic.
    Also ensure that security rules are in place to allow SSH outbound, SMB inbound, and HTTPS outbound traffic.
  14. If you want to migrate instances that have an interface on an IP network, then configure the network interfaces of the Control-S instance on the relevant IP networks as well, so that the Control-S instance can access the source instances that you want to migrate.
  15. Complete the creation of the compute instance.
    Wait until its status is Running.
  16. Optional: Move the Control-S instance and storage volumes into the /oraclemigration container.
    Alternatively, if you create the Control-S instance using the API, CLI, or Terraform, you can specify /oraclemigration in the resource names as part of the instance parameters.
    1. Click the Orchestrations tab.
    2. Locate the relevant orchestration for your compute instance, and from the menu, select Suspend.
    3. After the orchestration status changes to Suspended, from the menu, select Update.
    4. From the Instance section, click the menu and select Edit JSON.
    5. In the Edit Orchestration Object JSON window, locate the instance name. This is usually displayed within the template section, after networking.
      "name": "/Compute-Identity_Domain/User/Instance",

      Modify the instance name to include the /oraclemigration container. For example:

      "name": "/Compute-ExampleDomain/user@example.com/oraclemigration/MyControlS",
    6. Click Update.
    7. From the Orchestrations page, go to the relevant orchestration and from the menu, select Terminate.
    8. After the orchestration status changes to Stopped, from the menu, select Update.
    9. From the Storage Volume section, go to the relevant storage volume, click the menu and select Edit JSON.
    10. In the Edit Orchestration Object JSON window, locate the storage volume name in the template section:
      "name": "/Identity_Domain/User/Volume",

      Modify the storage volume name to include the /oraclemigration container. For example:

      "name": "/Compute-ExampleDomain/user@example.com/oraclemigration/MyControlS_storage",
    11. Click Update.
    12. Repeat these steps for any other storage volume in this orchestration that you want to move to the /oraclemigration container.
    13. From the Orchestrations page, go to the relevant orchestration and from the menu, select Start.
  17. Use an SSH client and your private key to log into the Control-S compute instance as the opc user.

Update the Secret File

All of the tools required for the migration are already installed on the Control-S instance, but additional configuration is required to provide details about the source and target environments.

A single Control-S instance can migrate resources only from a single Oracle Cloud Infrastructure Classic account and site, and only to a single Oracle Cloud Infrastructure tenancy, region, and availability domain.

  1. From the Control-S compute instance, copy /home/opc/ansible/secret.yml.sample to /home/opc/ansible/secret.yml.
  2. Edit /home/opc/ansible/secret.yml.
  3. Update the following Oracle Cloud Infrastructure parameters.
    • compartment_id is the OCID of the compartment where you want to create the target instance.
    • user_id is the OCID of the Oracle Cloud Infrastructure user.
    • fingerprint is the API key fingerprint of the user.
    • tenancy_id is the OCID of the Oracle Cloud Infrastructure tenancy.
    • region is the Oracle Cloud Infrastructure region where you want to create the target instance.
    • availability_domain is the availability domain where you want to create the target instance.
    • subnet_id is the OCID of the subnet where you want to create the instance.

    For example:

    # OCI info
    compartment_id: ocid1.compartment.oc1..aaaaaaaa...
    user_id: ocid1.user.oc1..aaaaaaaa...
    fingerprint: a0:a0:a0:a0:a0...
    tenancy_id: ocid1.tenancy.oc1..aaaaaaaa...
    region: us-ashburn-1
    availability_domain: kWVD:US-ASHBURN-AD-3
    ...
    subnet_id: ocid1.subnet.oc1.iad.aaaaaaaa...
  4. Modify permissions on this file to restrict access.
    chmod 600 /home/opc/ansible/secret.yml
  5. Apply the configuration to the system.
    opcmigrate migrate instance service setup

    This command creates the required files /home/opc/.opc/profiles/default and /home/opc/.oci/config.

  6. Copy the Oracle Cloud Infrastructure user's PEM key file to the Control-S instance. Name the file /home/opc/.oci/oci_api_key.pem.
  7. Modify permissions on the Oracle Cloud Infrastructure key file to restrict access.
    chmod 600 /home/opc/.oci/oci_api_key.pem
  8. Copy the public and private SSH key files required for accessing your source Oracle Java Cloud Service instance to the Control-S instance.
  9. Modify permissions on the Oracle Java Cloud Service key files to restrict access.
    For example:
    chmod 600 /home/opc/jcskey.pub
    chmod 600 /home/opc/jcskey

Update the Default Profile File

The Oracle Cloud Infrastructure Classic Java Migration Tool connects to your source environment using information that you provide in a profile file.

The information you provide in the profile file includes the user name or identity for each service in the source environment, as well as the service end point and region. If you want to run the tool in multiple regions or tenancies, you can create separate profile files for each region and tenancy.

You also provide connectivity details for each Oracle Java Cloud Service instance that you want to migrate. If you include the WebLogic Server administrator credentials for a service instance, Oracle Cloud Infrastructure Classic Java Migration Tool also migrates any Oracle Fusion Middleware security resources (custom users, groups, roles, policies, or credential maps) to the target domain.

  1. Access the Oracle Cloud Infrastructure Compute Classic Console.
  2. Click the Site select box.
  3. Record the REST Endpoint.
  4. Identify and record your Oracle Java Cloud Service REST Endpoint.
    See Send Requests in REST API for Oracle Java Cloud Service.
  5. Access the Oracle Java Cloud Service Console.
  6. Click the source instance.
  7. Click Instance Details, and then record the Region in which the source instance was created.
  8. From the Control-S compute instance, create a properties file with the WebLogic Server administrator user name and password of your source instance.
    admin_user=your_username
    admin_password=your_password

    This step is required only if the source domain includes custom users, groups, roles, policies or credential maps.

  9. From the Control-S compute instance, edit the file /home/opc/.opc/profiles/default.
  10. In the compute section, update the endpoint and user parameters. Enter the name of a user with access to Oracle Cloud Infrastructure Compute Classic.
    "compute": {
      "endpoint": "Compute_Endpoint",
      "user": "/Compute-Identity_Domain/User_Name",
      ...

    For example:

    "compute": {
      "endpoint": "compute.uscom-central-1.oraclecloud.com",
      "user": "/Compute-ExampleDomain/user@example.com",
      ...
  11. Optional: Enter the location of a file that contains your Oracle Cloud Infrastructure Compute Classic password.

    For example:

    "compute": {
      "endpoint": "compute.uscom-central-1.oraclecloud.com",
      "user": "/Compute-ExampleDomain/user@example.com",
      "password-file": "/home/opc/.opc/password-file",
      ...

    If you don't specify a password file for a service, you'll be prompted to provide the password when you run the tool.

  12. If not already present, add the paas section to the file.
    {
      ...
      "compute": {
      ...
      },
      "paas": {
        "user": "User_Name",
        "identity_id": "Identity_Domain_Id",
        "endpoint": "PaaS_Endpoint",
        "region": "Source_Region"
      }
    }

    For example:

    {
      ...
      "compute": {
      ...
      },
      "paas": {
        "user": "user@example.com",
        "identity_id": "idcs-0000abcd0000defg0000hijk0000lmno",
        "endpoint": "psm.us.oraclecloud.com",
        "region": "uscom-central-1"
      }
    }
  13. Add the jcs section to the file. Specify the locations of the public and private SSH key files for your source Oracle Java Cloud Service instance.
    {
      ...
      "paas": {
      ...
      },
      "jcs": {
        "Instance_Name": {
          "ssh_private_key": "Private_Key_File",
          "ssh_public_key": "Public_Key_File"
        }
      }
    }

    For example:

    {
      ...
      "paas": {
      ...
      },
      "jcs": {
        "MyJavaInstance": {
          "ssh_private_key": "/home/opc/jcskey",
          "ssh_public_key": "/home/opc/jcskey.pub"
        }
      }
    }
  14. In the jcs section, specify the location of the properties file that contains the WebLogic Server credentials for the source instance.

    For example:

    ...
      "jcs": {
        "MyJavaInstance": {
          "ssh_private_key": "/home/opc/jcskey",
          "ssh_public_key": "/home/opc/jcskey.pub",
          "wls_admin_properties": "/home/opc/wls_admin_properties"
        }

    This step is required only if the source domain includes custom users, groups, roles, policies or credential maps.
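
The following added example (not part of the Oracle tooling or of the original page) audits the key and password files named in the two preceding sections, including the ones the profile only references, and reports any that are missing or readable by group or other. It assumes the profile is valid JSON with the keys shown above; the function names and the constructed demo files are hypothetical.

```python
import json
import os
import stat
import tempfile

# Paths named in "Update the Secret File" on this page.
FIXED_SECRET_FILES = [
    "/home/opc/ansible/secret.yml",
    "/home/opc/.oci/oci_api_key.pem",
]
DEFAULT_PROFILE = "/home/opc/.opc/profiles/default"

# Profile keys shown on this page whose values are paths to key or password files.
COMPUTE_FILE_KEYS = ("password-file",)
JCS_FILE_KEYS = ("ssh_private_key", "ssh_public_key", "wls_admin_properties")


def referenced_files(profile):
    """Return every file path that the parsed profile points at."""
    paths = []
    compute = profile.get("compute", {})
    for key in COMPUTE_FILE_KEYS:
        if key in compute:
            paths.append(compute[key])
    for instance in profile.get("jcs", {}).values():
        for key in JCS_FILE_KEYS:
            if key in instance:
                paths.append(instance[key])
    return paths


def audit(paths):
    """Map each path to 'ok', 'missing', or a note about excess access."""
    findings = {}
    for path in paths:
        try:
            mode = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            findings[path] = "missing"
            continue
        # chmod 600 leaves no group or other bits set.
        if mode & 0o077:
            findings[path] = "group/other access (mode %03o)" % mode
        else:
            findings[path] = "ok"
    return findings


def audit_control_s(profile_path=DEFAULT_PROFILE):
    """Audit the fixed files plus everything the profile references."""
    with open(profile_path) as fh:
        profile = json.load(fh)
    return audit(FIXED_SECRET_FILES + referenced_files(profile))


def demo():
    """Run the audit against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        def make(name, mode):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
            return path

        # Constructed profile: one file restricted, two left open, one absent.
        profile = {
            "compute": {"password-file": os.path.join(root, "password-file")},
            "jcs": {
                "MyJavaInstance": {
                    "ssh_private_key": make("jcskey", 0o600),
                    "ssh_public_key": make("jcskey.pub", 0o644),
                    "wls_admin_properties": make("wls_admin_properties", 0o664),
                }
            },
        }
        findings = audit(referenced_files(profile))
        return {os.path.basename(p): result for p, result in findings.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-22s %s" % (name, result))
```

On the Control-S instance itself, call `audit_control_s()` after completing both sections.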

Discover Resources in Your Source Environment

To discover all Oracle Cloud Infrastructure Classic resources in the services for which you've provided credentials, log in to the Control-S instance and run the following command.

opcmigrate discover

When prompted, enter the passwords for the user names that you specified in the default profile.

For example:

opcmigrate discover
Compute Classic Password [/Compute-ExampleDomain/user@example.com]:
INFO Authenticating with OCI Classic Compute API
INFO Compute Endpoint: https://compute.uscom-central-1.oraclecloud.com
INFO Discovering resources for "ExampleDomain".
WARNING Load Balancer Classic credentials not configured in profile
PaaS Services Password [user@example.com]:
WARNING Object Storage Classic credentials not configured in profile
INFO Discovering containers: ['/Compute-ExampleDomain']
INFO Getting Account Resources for /Compute-ExampleDomain
INFO Getting Network Resources for /Compute-ExampleDomain
INFO Getting Network Resources for /oracle/public
INFO Getting Instance Resources for /Compute-ExampleDomain
INFO Getting Instance Resources for /oracle/public
INFO Getting Instances for /Compute-ExampleDomain
INFO Getting PaaS Resources for uscom-central-1
INFO Storing discovered resources to 'resources-default.json'

List Your Oracle Java Cloud Service Instances

To list the Oracle Java Cloud Service instances in the source environment, log in to the Control-S instance and run the following command.

opcmigrate migrate jcs list

This command uses the output generated by the discover command to identify and list the available Oracle Java Cloud Service instances.

For example:

opcmigrate migrate jcs list
INFO Loaded resources from 'resources-default.json' ...
Java Cloud Service Instances

Name                 Version              State                Description      
-------------------- -------------------- -------------------- ------------------------------------------------------------
MyJavaInstance       11gR1                READY                My first instance
AnotherInstance      12cR3                READY                My second instance

Export Your Source Instance Configuration

To create an archive of the source Oracle Java Cloud Service instance using the WebLogic Server Deploy Tooling, log in to the Control-S instance and run the following command.

opcmigrate migrate jcs export -s <instance_name>

This command creates the following files:

  • <instance_name>-<date>-<timestamp>.tgz: An archive of the source instance, which includes the applications that are on the source instance as well as the domain configuration metadata. This archive is uploaded to Oracle Cloud Infrastructure Object Storage.
  • <instance_name>-<date>-<timestamp>.json: You edit this file to specify the required passwords for the target domain, as well as to specify any configuration parameters that will be different on the target instance.

For example:

opcmigrate migrate jcs export -s MyJavaInstance
INFO Loaded resources from 'resources-default.json' ...
INFO Exporting JCS service 'MyJavaInstance'
INFO Installing Oracle WebLogic Server Deploy Tooling on 203.0.113.13
INFO Create temporary directory on controller
INFO Download WebLogic Deploy Tooling to controller
INFO Upload and Extract WebLogic Deploy Tooling archive to remote host
INFO Remove temporary directory from controller
INFO Exporting WebLogic Domain at 203.0.113.13
INFO Create temporary directory on remote host
INFO Run WebLogic Deploy Tooling discoverDomain.sh command
INFO Download discovered domain files to controller
INFO Remove temp directory from remote
INFO Generating WebLogic config template 'MyJavaInstance-20190722-18:50:35.json'
INFO Creating instance archive 'MyJavaInstance-20190722-18:50:35.tgz'
INFO Uploading artifacts to object storage
INFO JCS service 'MyJavaInstance' export complete

By default, this command uses the resources-default.json file in the local directory. You can use the --file option to specify a resources file with a different name or in a different directory.

Perform Prerequisite Tasks for Oracle WebLogic Server for Oracle Cloud Infrastructure

Before you create a WebLogic Server domain using Oracle WebLogic Server for Oracle Cloud Infrastructure, you must create the required infrastructure and database resources.

  1. Create the following Oracle Cloud Infrastructure resources if they don't already exist:
    • A compartment
    • A virtual cloud network (VCN) and at least one subnet.
    • A vault and encryption key
  2. Create a database in Oracle Cloud Infrastructure Database if one doesn't already exist. The database must allow the target domain to access the database listen port (1521 by default).

    Oracle WebLogic Server for Oracle Cloud Infrastructure will provision the Java Required Files (JRF) schema to this database.

  3. If your source instance uses Oracle Identity Cloud Service for authentication, then create a new confidential application in Oracle Identity Cloud Service for the target domain.

    Identify the client ID and secret of the confidential application.

  4. Use Oracle Cloud Infrastructure Vault to create secrets for the passwords that you need for the target domain.
    • WebLogic Server administrator password
    • Database administrator password
    • Client secret, if using Oracle Identity Cloud Service

See Before You Begin with Oracle WebLogic Server for Oracle Cloud Infrastructure in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

Create the Target Domain Using Oracle WebLogic Server for Oracle Cloud Infrastructure

Launch the Oracle WebLogic Server for Oracle Cloud Infrastructure application in the Oracle Cloud Infrastructure Marketplace to create a new domain. This domain must have the same topology and configuration as the source Oracle Java Cloud Service instance.

Note:

The migration import tooling uses the SSH keys specified for the source instance in your ~/.opc/profiles/default file (or ~/.opc/profiles/<profile> file) on the Control-S instance. Be sure to use the same SSH key pair to create your target domain with Oracle WebLogic Server for Oracle Cloud Infrastructure.

Before creating a domain, copy the OCIDs for the secrets that contain your Oracle WebLogic Server administrator password and your database password. Use the same credentials as your source instance.

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. Click the navigation menu, and then select Marketplace.
  3. Select the same Oracle WebLogic Server edition as your source instance.
  4. For Version, select the same major version (X.Y) as the source instance.
    For example, 12.2.1.2 and 12.2.1.3 are the same major version of Oracle WebLogic Server.
  5. Select the compartment in which you want to create the stack.
  6. Click Launch Stack.
  7. Enter a name for your stack.
  8. Click Next.
  9. Enter a resource name prefix.
  10. Select an Oracle Cloud Infrastructure shape that most closely matches the number of Oracle Compute Units (OCPUs) and the amount of memory that are available in the Oracle Cloud Infrastructure Classic shape in your source instance.
  11. Enter the SSH public key.
  12. Select the availability domain where you want to create the domain.
  13. Select the same number of managed servers as the source instance.
  14. Enter the WebLogic Server user name, and paste the OCID for the secret that contains the WebLogic Server password.
  15. For Network Compartment, select the same compartment you selected earlier upon launching the stack.
  16. For Virtual Cloud Network Strategy, select Use Existing VCN and then select the virtual cloud network (VCN) where you want to create the domain.
  17. For Subnet Strategy, select Use Existing Subnet or Create New Subnet.
  18. If you're creating a new subnet, specify a CIDR for the new subnet.
    The new subnet's CIDR should not overlap with any other subnet CIDRs in the existing VCN.
  19. If your source instance includes an Oracle Traffic Director load balancer, then provision a load balancer for the domain.
    1. Select Provision Load Balancer.
    2. Select an existing subnet where you want to create the load balancer.
  20. If your source instance uses Oracle Identity Cloud Service for authentication, then configure Oracle Identity Cloud Service for the target domain.
    This configuration is supported only for WebLogic Server 12c, and also requires a load balancer.
    1. Select Enable Authentication Using Identity Cloud Service.
    2. Enter your Oracle Identity Cloud Service (IDCS) tenant name, which is also referred to as the instance ID.
    3. Enter the client ID and encrypted client secret of an existing confidential application in this Oracle Identity Cloud Service instance.
      The client secret must be encrypted.
  21. For Database Strategy, select Database System.
  22. Select the compartment and VCN in which you created the database.
  23. Select your DB System, database home, database version, and database.
  24. Enter the pluggable database (PDB) name if the selected database is running Oracle Database 12c or later.
  25. Enter the name of a database user with database administrator (DBA) privileges, and paste the OCID of the secret that contains the database password.
  26. Enter the database listen port (1521 by default).
  27. If your domain and database are on different VCNs, then you must configure local VCN peering.

    Oracle WebLogic Server for Oracle Cloud Infrastructure creates a public subnet in each VCN, and then creates a compute instance in each subnet. These compute instances run software to forward DNS requests across the VCNs.

    1. Specify a CIDR for the new subnet in the WebLogic VCN.
    2. Specify a CIDR for the new subnet in the database VCN.
    3. Select a shape for the new DNS Forwarder compute instance in each VCN.
  28. Click Next, and then click Create.

See Create a JRF-Enabled Domain in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

Migrate Oracle Fusion Middleware Security Resources

If you customized the Oracle WebLogic Server security providers in your source Oracle Java Cloud Service instance, then you must apply the same changes in the target domain.

If you specified the WebLogic Server administrator credentials for your source instance in the default profile, the Oracle Cloud Infrastructure Classic Java Migration Tool automatically migrates the following Oracle Fusion Middleware security resources from the source domain to the target domain:

  • Users
  • Groups
  • Roles
  • Policies
  • Keystores
  • Credential maps
  • Audit policies
  • Web Services Manager (WSM) policies

The tool does not automatically update the security providers in the target domain.

  1. Access the Fusion Middleware Control Console for your source instance.
    https://<source_admin_ip>:7002/em
  2. Sign in to the console as your Oracle WebLogic Server system administrator.
  3. From a different browser window or tab, sign in to the Fusion Middleware Control Console for your target domain.
    https://<target_admin_ip>:7002/em

    See Access the Fusion Middleware Control Console in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

  4. From both consoles, click WebLogic Domain, select Security, and then select Security Provider Configuration.
  5. Compare the security provider configuration of the source and target instances, and then update the configuration of the target instance as necessary.

    Do not modify the Security Store.

Migrate Oracle Identity Cloud Service Roles and Policies

If your source Oracle Java Cloud Service instance uses Oracle Identity Cloud Service for authentication, then you must migrate the administrator roles and web tier policy to the target domain.

The source and target are each associated with a security application in Oracle Identity Cloud Service. The security application grants administrative rights for the WebLogic Server domain to specific users and groups in Oracle Identity Cloud Service.

  1. Access the Oracle Identity Cloud Service console.
  2. Click the navigation drawer, and then select Applications.
  3. Click the security application for your source instance, JaaS_<source_instance_name>.
  4. Copy the following information for the security application:
    • Application ID
    • Client ID
    • Client secret
  5. Encode the following string in base64 format.
    <client_id>:<client_secret>
  6. Use the Oracle Identity Cloud Service REST API to request an access token for the source instance's security application.
    curl --location --request POST 'https://<idcs_host>/oauth2/v1/token' \
    --header 'Authorization: Basic <base64_encoded_clientid:secret>' \
    --header 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode 'scope=urn:opc:idm:__myscopes__' \
    --data-urlencode 'username=<idcs_user_name>' \
    --data-urlencode 'password=<idcs_password>'

    Copy the access token from the response.

    See Generate Access Token and Other OAuth Runtime Tokens to Access the Resource in REST API for Oracle Identity Cloud Service.

  7. Use the Oracle Identity Cloud Service REST API to export the web tier policy for the security application.
    curl -X GET 'https://<idcs_host>/admin/v1/Apps/<application_ID>?attributes=displayName,urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson' \
    -H 'Authorization:Bearer <access_token>'

    Locate the web tier policy in the response:

    ...
    "webtierPolicy": [
      {
        "policyName": "jcs_cg_policy",
        "resourceFilters": [
      ...
    ]

    See Get an App in REST API for Oracle Identity Cloud Service.

  8. Return to the Oracle Identity Cloud Service console.
  9. From the application details page, click Application Roles.
  10. Click Export, and then select Export All.
  11. When prompted for confirmation, click Export Application Roles, and then click Close.
  12. Click the job ID.
    If a job ID link is not displayed, click the navigation drawer, select Jobs, and then click the job.
  13. After the export job has finished, click Download. Save the file AppRoleExport_<id>.csv.
  14. Click the navigation drawer, and then select Applications.
  15. Click the security application for your target domain, <stack>_enterprise_idcs_app_<timestamp>.

    If your source and target are in different identity domains, then you must access the Oracle Identity Cloud Service console for the target identity domain.

  16. Click SSO Configuration.
  17. From the web tier policy that you exported with the REST API, identify the first entry in the resourceFilters block.
    Example:
    {
      "cloudgatePolicy": {
        "disableAuthorize": false,
        "allowCors": false,
        "requireSecureCookies": true,
        "webtierPolicy": [
          {
            "policyName": "jcs_cg_policy",
            "resourceFilters": [
              {
                "type": "regex",
                "filter": "/myapp/.*",
                "method": "oauth",
                "authorize": false
              },
              ...

    Copy the value of the filter property.

  18. Expand Resources.
  19. Within the Resources section, click Add.
  20. Enter a Resource Name.
    For example, myapp
  21. For Resource URL, paste the value of the filter property.
  22. If the filter's type property is regex, then select Regex.
  23. Click OK.
  24. Expand Authentication Policy. Under Managed Resources, click Add.
  25. For Resource, select your new resource.
  26. For Authentication Method, choose an option based on the filter's method property.
    • oauth - Select Form or Access Token
    • public - Select Public
    • unsupported - Select Unsupported
  27. Click Add.
  28. Repeat from step 18 for each additional filter in the exported web tier policy.
  29. Click the navigation drawer, and then select Groups.
  30. Create these groups for the target domain.
    • <domain>_Administrators
    • <domain>_Deployers
    • <domain>_Operators
    • <domain>_Monitors

    For example:

    • MyDomain_Administrators
    • MyDomain_Deployers
    • MyDomain_Operators
    • MyDomain_Monitors
  31. Open AppRoleExport_<id>.csv, and identify the users and groups assigned to the Administrators role in the source instance.
  32. Edit the <domain>_Administrators group, and add the same users and groups as the Administrators role in the source instance.
  33. Repeat the previous step for the remaining roles in AppRoleExport_<id>.csv:
    • Add the members of the Deployers role to the <domain>_Deployers group.
    • Add the members of the Operators role to the <domain>_Operators group.
    • Add the members of the Monitors role to the <domain>_Monitors group.
  34. Sign in to the WebLogic Server Administration Console for the target domain.
    https://<target_admin_ip>:7002/console
  35. Click Security Realms.
  36. Click the default realm.
  37. Click the Roles and Policies tab.
  38. From the Roles table, expand Global Roles, and then expand Roles.
  39. Click View Role Conditions for the Admin role.
  40. Click the group name assigned to this role. The default is Administrators.
  41. Enter <domain>_Administrators.
  42. Click OK, and then click Save.
  43. From the breadcrumb links at the top of the page, click Realm Roles.
  44. Repeat from step 38 for the remaining administrator roles:
    • Map Deployer to <domain>_Deployers
    • Map Operator to <domain>_Operators
    • Map Monitor to <domain>_Monitors
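
The following added example (not from the original page or from Oracle) flattens an exported web tier policy, in the shape shown in step 17, into the ordered rows that steps 18 to 28 enter by hand, and lists the filters that will be served without authentication so they can be reviewed before being re-created. The sample policy, the function names and the `example-other` method value are constructed for illustration.

```python
import json

# Console choice for each value of a filter's "method" property (step 26).
AUTH_METHOD = {
    "oauth": "Form or Access Token",
    "public": "Public",
    "unsupported": "Unsupported",
}

# Constructed sample in the shape of the export shown in step 17.
SAMPLE_EXPORT = """
{
  "cloudgatePolicy": {
    "disableAuthorize": false,
    "allowCors": false,
    "requireSecureCookies": true,
    "webtierPolicy": [
      {
        "policyName": "jcs_cg_policy",
        "resourceFilters": [
          {"type": "regex", "filter": "/myapp/.*", "method": "oauth", "authorize": false},
          {"type": "regex", "filter": "/static/.*", "method": "public", "authorize": false},
          {"type": "regex", "filter": "/old/.*", "method": "example-other", "authorize": false}
        ]
      }
    ]
  }
}
"""


def console_entries(policy_doc):
    """Return (rows, problems) for a parsed web tier policy export.

    rows keep the original filter order, because the procedure re-creates
    the filters one at a time starting from the first entry.
    """
    rows, problems = [], []
    policies = policy_doc.get("cloudgatePolicy", {}).get("webtierPolicy", [])
    for policy in policies:
        name = policy.get("policyName")
        for order, flt in enumerate(policy.get("resourceFilters", []), 1):
            method = flt.get("method")
            if "filter" not in flt or method not in AUTH_METHOD:
                # Not covered by step 26: leave for manual review.
                problems.append("%s #%d: unmapped entry %r" % (name, order, flt))
                continue
            rows.append({
                "policy": name,
                "order": order,
                "resource_url": flt["filter"],            # step 21
                "regex": flt.get("type") == "regex",      # step 22
                "auth_method": AUTH_METHOD[method],       # step 26
            })
    return rows, problems


def unauthenticated(rows):
    """Rows the target domain will serve without authentication."""
    return [row for row in rows if row["auth_method"] == "Public"]


if __name__ == "__main__":
    rows, problems = console_entries(json.loads(SAMPLE_EXPORT))
    for row in rows:
        print(row)
    for row in unauthenticated(rows):
        print("review before re-creating as Public:", row["resource_url"])
    for problem in problems:
        print("manual review:", problem)
```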

Integrate Fusion Middleware Components with Oracle Identity Cloud Service

If your source Oracle Java Cloud Service instance uses Oracle Identity Cloud Service for authentication, then you can integrate certain Oracle Fusion Middleware components in the target domain with Oracle Identity Cloud Service.

If your source instance uses Oracle Web Services Manager to protect web service applications and clients, then see Secure Web Services Using Identity Cloud Service in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

If applications on your source instance use Oracle Platform Security Services APIs to look up user and group information, then see Integrate OPSS User and Group APIs with Identity Cloud Service in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

Edit the Domain Configuration File

The export command creates a file that contains parameters for updating the target WebLogic Server domain. Specify JDBC URLs and passwords, SSL keystore passwords, and other details for the target instance.

For security purposes, Oracle WebLogic Server Deploy Tooling excludes the values of all passwords during domain discovery.

  1. On the Control-S instance, edit the file <instance_name>-<date-time-stamp>.json.

    Refer to the output from the export command to determine the specific file name.

  2. Update the following attributes.
    • JCSServiceName - The name of the target domain that you created with Oracle WebLogic Server for Oracle Cloud Infrastructure (including the resource name prefix you provided when you created the domain)
    • JCSAdminIPAddress - The IP address of the first node in the target instance (running the Administration Server)
    • WeblogicAdminUser - The user name for the WebLogic Server domain administrator on the target instance
    • WeblogicAdminPassword - The password for the WebLogic Server domain administrator on the target instance
  3. If your source instance includes a load balancer, then update the FrontendHost attribute for each cluster in the Cluster node.

    Enter the public IP address of the load balancer in your target instance.

    Example:

    "topology": {
      "Cluster": {
        "cluster": {
          "FrontendHost": "<target_LB_IP>"
        }
      ...
    }
  4. If you configured any custom startup arguments for a server in your source instance, then update the AdditionalServerStartArguments attribute for each server in the Server node.

    Set the value of AdditionalServerStartArguments to the custom arguments only.

    Example:

    "topology": {
      ...
      "Server": {
        ...
        "server_1": {
          ...
          "AdditionalServerStartArguments": "-Dmy.custom.arg=true"
        }
      ...
    }
  5. If the servers in your source instance are configured to use custom identity and trust keystore files, then update the file with the keystore passwords.
    • CustomIdentityKeyStorePassPhrase
    • CustomTrustKeyStorePassPhrase
    • ServerPrivateKeyPassPhrase

    Example:

    "topology": {
      ...
      "Server": {
        "server_1": {
          ...
          "CustomIdentityKeyStorePassPhrase": "<your_password>",
          "CustomTrustKeyStorePassPhrase": "<your_password>",
          "ServerPrivateKeyPassPhrase": "<your_password>"
        }
      ...
    }
  6. If your source instance includes custom Java Database Connectivity (JDBC) data sources, then provide the location and password of the new application databases in Oracle Cloud Infrastructure.
    1. For each data source in the JDBCSystemResource node, update the password attribute.

      Example:

      "resources": {
        "JDBCSystemResource": {
          "MyDataSource1": {
            ...
            "password": "<your_password>"
          }
        }
        ...
    2. For each data source, find the url attribute and specify the URL to the corresponding Oracle Cloud Infrastructure Database.

      The following table shows the URL format to use, depending on the Oracle Database version, and whether you created a Virtual Machine (VM) or Bare Metal database type.

      Database Version   Database Type   URL Format
      12c                VM              jdbc:oracle:thin:@//<db_hostname>-scan.<db_domain>:<db_port>/<pdb_name>.<db_domain>
      12c                Bare Metal      jdbc:oracle:thin:@//<db_hostname>.<db_domain>:<db_port>/<pdb_name>.<db_domain>
      11g                VM              jdbc:oracle:thin:@//<db_hostname>-scan.<db_domain>:<db_port>/<db_unique_name>.<db_domain>
      11g                Bare Metal      jdbc:oracle:thin:@//<db_hostname>.<db_domain>:<db_port>/<db_unique_name>.<db_domain>

      The following example shows a Virtual Machine database named myappdb that is running Oracle Database 12c and contains a PDB named pdb1:

      "resources": {
        "JDBCSystemResource": {
          "MyDataSource1": {
            "url": "jdbc:oracle:thin:@//myappdb-scan.mydbsubnet.myvcn.oraclevcn.com:1521/pdb1.mydbsubnet.myvcn.oraclevcn.com",
            ...
          }
        }
        ...
  7. If your source instance includes any Foreign JNDI Providers, Foreign JMS Servers, JMS Bridge Destinations, or Store-and-Forward (SAF) Contexts, then provide the locations and passwords for these external resources.
    1. For each provider in the ForeignJNDIProvider node, update the password attribute.

      Also update the url attribute if the location of this JNDI server is different than the JNDI server in the source environment.

      Example:

      "resources": {
        ...
        "ForeignJNDIProvider": {
          "MyJNDIProvider1": {
            "url": "t3://myjndiserver.example.com:9073", 
            "password": "<your_password>"
          }
        }
        ...
    2. For each foreign server in the ForeignJMSServer node, update the password attributes.

      Also update the url attribute if the location of this JMS server is different than the JMS server in the source environment.

      Example:

      "resources": {
        ...
        "ForeignJMSServer": {
          "MyForeignJMS1": {
            "url": "t3://myjms.example.com:9073",
            "ForeignConnectionFactory": {
              "MyForeignJMS1Factory": {
                "password": "<your_password>"
              }
            }
          }
        }
        ...
    3. For each bridge destination in the JMSBridgeDestination node, update the password attribute.

      Also update the url attribute if the location of this bridge destination is different than the bridge destination in the source environment.

      Example:

      "resources": {
        ...
        "JMSBridgeDestination": {
          "MyBridgeDest1": {
            "url": "t3://myjms.example.com:9073", 
            "password": "<your_password>"
          }
        }
        ...
    4. For each SAF context in the SAFLoginContext node, update the password attribute.

      Also update the url attribute if the Store-and-Forward destination server is different than the server in the source environment.

      Example:

      "resources": {
        ...
        "SAFLoginContext": {
          "MySAF1": {
            "url": "t3://myjms.example.com:9073", 
            "password": "<your_password>"
          }
        }
        ...
  8. If your source instance includes any JavaMail sessions, then update the passwords for each mail session in the MailSession node.

    Example:

    "resources": {
      ...
      "MailSession": {
        "MyMailSession1": {
          "password": "<your_password>",
          "properties": {
            "mail.smtp.password": "<your_password>",
            "mail.imap.password": "<your_password>"
          }
        }
      }
      ...
  9. If your source instance includes any custom WebLogic Diagnostic Framework (WLDF) REST notification endpoints, then provide the passwords for each WLDF resource in the WLDFSystemResource node.

    Also update the url attribute if the destination server is different than the server in the source environment.

    Example:

    "resources": {
      ...
      "WLDFSystemResource": {
        "MyModule": {
          "RestNotification": {
            "MyNotification1": {
              "url": "http://myserver.example.com:9073/notify",
              "password": "<your_password>"
            }
          }
        }
      }
      ...
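
The edited file now holds cleartext passwords, so a check before the import is useful. The following added example (not part of this guide or of Oracle's tooling) walks the JSON, lists every password or passphrase attribute that is still empty or still an angle-bracket placeholder, and flags a file that group or others can read; it reports attribute paths only, never values. The function names, the placeholder pattern and the sample document are assumptions.

```python
import json
import os
import re
import stat
import sys

# Secret attributes in this section end in "password" or "passphrase".
SECRET_KEY = re.compile(r"(password|passphrase)$", re.IGNORECASE)
PLACEHOLDER = re.compile(r"^\s*(<[^>]*>)?\s*$")  # assumption: empty or "<...>"


def unset_secrets(node, path=""):
    """Return the JSON paths of secret attributes that are still unset."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if isinstance(value, (dict, list)):
                found += unset_secrets(value, here)
            elif SECRET_KEY.search(key) and PLACEHOLDER.match(str(value or "")):
                found.append(here)  # record the path only, never the value
    elif isinstance(node, list):
        for index, item in enumerate(node):
            found += unset_secrets(item, f"{path}[{index}]")
    return found


def check_config(filename):
    """Return findings for one edited configuration file."""
    findings = []
    mode = stat.S_IMODE(os.stat(filename).st_mode)
    if mode & 0o077:  # the file holds cleartext passwords
        findings.append(f"mode {mode:04o}: readable by group/others, use chmod 600")
    with open(filename, encoding="utf-8") as handle:
        findings += [f"unset secret: {p}" for p in unset_secrets(json.load(handle))]
    return findings


# Constructed sample shaped like the fragments above; nesting is illustrative.
SAMPLE = {
    "WeblogicAdminPassword": "set-by-admin",
    "topology": {"Server": {"server_1": {"CustomTrustKeyStorePassPhrase": "<your_password>"}}},
    "resources": {"MailSession": {"MyMailSession1": {
        "password": "x", "properties": {"mail.smtp.password": ""}}}},
}

if __name__ == "__main__":
    results = check_config(sys.argv[1]) if len(sys.argv) > 1 else unset_secrets(SAMPLE)
    print("\n".join(results))
```

Run it with the path of the edited <instance_name>-<date-time-stamp>.json file as the only argument; with no argument it checks the constructed sample.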

Copy Supporting Files to the Target

Identify any files that are not managed by Oracle WebLogic Server Deploy Tooling, and copy them to your target domain.

Oracle WebLogic Server Deploy Tooling automatically finds and archives the following types of files in your source instance's domain configuration. It also adds these files to your target domain configuration:

  • Application deployments
  • Library deployments
  • Custom keystores

Other files that your applications or domain resources require are not automatically managed by Oracle WebLogic Server Deploy Tooling, including files that are located outside the DOMAIN_HOME directory. You must manually copy these files to the target nodes.

  1. Use SSH to connect to the Administration Server node in your source Oracle Java Cloud Service instance.
    ssh -i <privatekey> opc@<source_admin_IP>
  2. Switch to the oracle user.
    sudo su - oracle
  3. Identify any supporting files that need to be copied to the target.
  4. Copy the files to the /tmp directory.
    Example:
    cp /u01/myfiles/app.properties /tmp

    Note:

    If you have multiple files to transfer, then consider adding them to a single archive file.
  5. Change the owner of the files to the opc user.
    Example:
    exit
    sudo chown opc:opc /tmp/app.properties
  6. Disconnect from the node.
  7. Use SCP to download the files from the Administration Server node in your source instance to your local computer.
    Example:
    scp -i <privatekey> opc@<source_admin_IP>:/tmp/app.properties .
  8. Use SCP to upload the files to the Administration Server node in your target domain.
    Example:
    scp -i <privatekey> app.properties opc@<target_admin_IP>:/tmp
  9. Use SSH to connect to the Administration Server node in your target domain.
    ssh -i <privatekey> opc@<target_admin_IP>
  10. Change the owner of the files to the oracle user.
    Example:
    sudo chown oracle:oracle /tmp/app.properties
  11. Switch to the oracle user.
    sudo su - oracle
  12. Move the files to the same location where they were found on the source instance.
    Example:
    mkdir -p /u01/myfiles
    mv /tmp/app.properties /u01/myfiles
  13. Disconnect from the node.

Update the Oracle WebLogic Server Domain on the Target Instance

Run the Oracle WebLogic Server Deploy Tooling on your target Oracle Java Cloud Service instance to update its domain configuration and to deploy your applications.

  1. Use a Secure Shell (SSH) client to connect to the Administration Server node on the target instance as the opc user.
    ssh -i <privatekey> opc@<target_admin_IP>
  2. Change the owner of the archive, model, and properties files to the oracle user.
    sudo chown oracle:oracle /tmp/<source_domain>.*
    sudo chown oracle:oracle /tmp/wdt.properties
  3. Switch to the oracle user.
    sudo su - oracle
  4. Navigate to the /u01/weblogic-deploy directory.
    cd /u01/weblogic-deploy
  5. Copy the input files to the current directory.
    cp /tmp/<source_domain>.* .
    cp /tmp/wdt.properties .
  6. Run the validateModel.sh command and specify the following parameters:
    • The location of your MIDDLEWARE_HOME directory
    • The names of the model, archive and properties files
    • The JRF domain type

    Format:

    /u01/weblogic-deploy/bin/validateModel.sh -oracle_home /u01/app/oracle/middleware/ -model_file <source_domain>.yaml -archive_file <source_domain>.zip -variable_file wdt.properties -domain_type JRF

    Example:

    /u01/weblogic-deploy/bin/validateModel.sh -oracle_home /u01/app/oracle/middleware/ -model_file MyInstan_domain.yaml -archive_file MyInstan_domain.zip -variable_file wdt.properties -domain_type JRF
  7. Verify that the validateModel.sh command completed successfully. Correct any errors.
    ####<timestamp> <INFO> <validate> <__perform_model_file_validation> <WLSDPLY-05403>
    <Validation of /u01/weblogic-deploy/<source_domain>.yaml completed with 0 error(s), 0 warning(s) and 0 info(s) items>
    validateModel.sh completed successfully (exit code = 0)
  8. Run the updateDomain.sh command and specify the following parameters:
    • The locations of your DOMAIN_HOME and MIDDLEWARE_HOME directories
    • The names of the model, archive, and properties files
    • The JRF domain type

    Format:

    /u01/weblogic-deploy/bin/updateDomain.sh -domain_home /u01/data/domains/<target_domain> -oracle_home /u01/app/oracle/middleware/ -model_file <source_domain>.yaml -archive_file <source_domain>.zip -variable_file wdt.properties -domain_type JRF

    Example:

    /u01/weblogic-deploy/bin/updateDomain.sh -domain_home /u01/data/domains/MyInstan_domain -oracle_home /u01/app/oracle/middleware/ -model_file MyInstan_domain.yaml -archive_file MyInstan_domain.zip -variable_file wdt.properties -domain_type JRF
  9. Verify that the updateDomain.sh command completed successfully with no errors.
    updateDomain.sh completed successfully (exit code = 0)

    Log files are in the /u01/weblogic-deploy/logs directory.

  10. Disconnect from the Administration Server node.