Migrate an Instance to Oracle WebLogic Server for Oracle Cloud Infrastructure Using Application Migration Service

3 Migrate an Instance to Oracle WebLogic Server for Oracle Cloud Infrastructure Using Application Migration Service

Use Application Migration in Oracle Cloud Infrastructure to migrate your Oracle WebLogic Server domain resources and applications from your existing Oracle Java Cloud Service instance in Oracle Cloud Infrastructure Classic to a new domain in Oracle WebLogic Server for Oracle Cloud Infrastructure.

Note:

Oracle recommends migrating your existing domains in Oracle Java Cloud Service to Oracle WebLogic Server for Oracle Cloud Infrastructure.

Application Migration is available only in specific Oracle Cloud Infrastructure regions. See Overview of Application Migration in the Oracle Cloud Infrastructure documentation.

Application Migration does not support the migration of WebLogic Server domains that include these types of resources:

Custom Identity or Trust Keystore
Foreign JNDI Provider
Foreign JMS Server
JMS Bridge Destination
Storage-and-Forward (SAF) Context
JavaMail Session
WebLogic Diagnostic Framework (WLDF) REST Notification Endpoint

If your source Oracle Java Cloud Service instance uses these resource types, then Oracle recommends using the Oracle Cloud Infrastructure Classic Java Migration Tool instead of Application Migration. See Migrate an Instance to Oracle WebLogic Server for Oracle Cloud Infrastructure Using Classic Tools.

Before you begin the migration process, see Prepare to Migrate Oracle Java Cloud Service to Oracle Cloud Infrastructure.

When you migrate an Oracle Java Cloud Service instance, the following terms are used:

Source: The connection to your Oracle Cloud Infrastructure Classic account in Application Migration.
Source Instance: The Oracle Java Cloud Service instance in Oracle Cloud Infrastructure Classic.
Target: The domain and related cloud resources in Oracle WebLogic Server for Oracle Cloud Infrastructure.

Topics:

Perform Prerequisite Tasks for Oracle WebLogic Server for Oracle Cloud Infrastructure

Before you use Application Migration Service to create a domain using Oracle WebLogic Server for Oracle Cloud Infrastructure, you must create the required infrastructure resources.

Create the following Oracle Cloud Infrastructure resources if they don't already exist:
- A compartment
- A virtual cloud network (VCN) and at least one subnet.
- A vault and encryption key
If your source instance uses Oracle Identity Cloud Service for authentication, then create a new confidential application in Oracle Identity Cloud Service for the target domain.

Identify the client ID and secret of the confidential application.
Use Oracle Cloud Infrastructure Vault to create secrets for the passwords that you need for the target domain.
- WebLogic Server administrator password
- Database administrator password
- Client secret, if using Oracle Identity Cloud Service

See Before You Begin with Oracle WebLogic Server for Oracle Cloud Infrastructure in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

Application Migration Service automatically creates an Oracle Cloud Infrastructure Database before it creates the target domain. Oracle WebLogic Server for Oracle Cloud Infrastructure provisions the required infrastructure schema to this database.

Create a Source

Use Application Migration to connect to your Oracle Cloud Infrastructure Classic account and region.

From the Oracle Cloud Infrastructure console, navigate to Application Migration.
Select the Compartment in which to create the source.
Click Sources.
Click Create Source.
Enter a Name and Description for the source.
For Source Type, select Oracle Cloud Infrastructure - Classic.
For Account, enter the name of your Oracle Cloud Infrastructure Classic account.
Select the Oracle Cloud Infrastructure Classic Region in which you created your source Oracle Java Cloud Service instance.
Enter credentials for this Oracle Cloud Infrastructure Classic account that have access to Oracle Java Cloud Service.
Click Create.

For more information, see Manage Sources in the Oracle Cloud Infrastructure documentation.

Create a Migration

Use Application Migration to connect to the WebLogic Server domain for the Oracle Java Cloud Service instance within your source.

From the Oracle Cloud Infrastructure console, navigate to Application Migration.
Select the Compartment that contains your source.
Click Sources, and then select your source.
Click Actions for the Oracle Java Cloud Service instance that you want to migrate, and then click Create Migration.
Enter a Name and Description for the migration.
Enter the WebLogic Server administrator credentials for the Oracle Java Cloud Service instance.
Set the Target Instance Type to Oracle WebLogic Server for Oracle Cloud Infrastructure.
Click Create.

For more information, see Manage Migrations in the Oracle Cloud Infrastructure documentation.

Configure and Run a Migration

Use Application Migration to create the target domain in Oracle WebLogic Server for Oracle Cloud Infrastructure. Specify a network, credentials, databases, and other details.

From the Oracle Cloud Infrastructure console, navigate to Application Migration.
Select the Compartment that contains your migration.
Click Migrations, and then select your migration.
Click Configure.
In the Configure Service section, click Configure.
Select the Availability Domain in which you want to create the target instance.
Select the Virtual Cloud Network and Subnet in which you want to create the target instance.
For Secrets OCID for Database Administrator Password, paste the OCID of the secret that contains the password for the new Oracle Cloud Infrastructure Database.
Enter the same password in System Database Administrator Password.
Upload or paste the public SSH Key to use for the target instance and database.
Enter the WebLogic Server administrator credentials for the new domain.
1. Enter the WebLogic Server Admin User Name.
2. For Secrets OCID for WebLogic Server Admin Password, paste the OCID of the secret that contains the password.
3. Enter the same password in WebLogic Server Admin Password.
If your source instance uses Oracle Identity Cloud Service (IDCS) for authentication, then provide details about the confidential application that you created for the target domain.
1. For IDCS Tenant, enter your Oracle Identity Cloud Service (IDCS) tenant name, which is also referred to as the instance ID.
  This ID is typically found in the URL that you use to access Oracle Identity Cloud Service, and has the format idcs-<GUID>.
2. Enter the Client ID of an existing confidential application in this Oracle Identity Cloud Service instance.
3. For Secrets OCID for IDCS Client Secret, paste the OCID of the secret that contains the client secret of the confidential application.
Click Configure to return to the Configure Migration page.

If your source instance includes custom Java Database Connectivity (JDBC) data sources, then provide the location and password of the new application databases in Oracle Cloud Infrastructure.

In the Configure Application section, click Configure.

For each data source, enter the Connection String to the corresponding Oracle Cloud Infrastructure Database.

The following table shows the URL format to use, depending on the Oracle Database version, and whether you created a Virtual Machine (VM) or Bare Metal database type.

Database Version	Database Type	URL Format
12c	VM	`jdbc:oracle:thin:@//<db_hostname>-scan.<db_domain>:<db_port>/<pdb_name>.<db_domain>`
12c	Bare Metal	`jdbc:oracle:thin:@//<db_hostname>.<db_domain>:<db_port>/<pdb_name>.<db_domain>`
11g	VM	`jdbc:oracle:thin:@//<db_hostname>-scan.<db_domain>:<db_port>/<db_unique_name>.<db_domain>`
11g	Bare Metal	`jdbc:oracle:thin:@//<db_hostname>.<db_domain>:<db_port>/<db_unique_name>.<db_domain>`

The following example shows a Virtual Machine database named myappdb, that is running Oracle Database 12c, and contains a PDB named pdb1:

jdbc:oracle:thin:@//myappdb-scan.mydbsubnet.myvcn.oraclevcn.com:1521/pdb1.mydbsubnet.myvcn.oraclevcn.com

For each data source, set the Data Source Password.
Click Configure to return to the Configure Migration page.

Click Save and Run.
When prompted for confirmation, click Start.

Use Application Migration to monitor the progress of your work request. The target domain is provisioned as a Terraform stack using Resource Manager. To access the new domain, see these topics in Using Oracle WebLogic Server for Oracle Cloud Infrastructure:

If the work request indicates that the stack creation failed, use Resource Manager to view the log files. See Stack Creation Failed in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

If the work request indicates that the import step of the migration failed, you can get additional information by connecting to the first node in the target domain. Access the log files found at /u01/weblogic-deploy and /u01/jcsmig.

After correcting any problems, you can run the migration again.

For more information, see Manage Migrations in the Oracle Cloud Infrastructure documentation.

Copy Supporting Files to the Target Instance

Identify and copy any files to your target Oracle WebLogic Server for Oracle Cloud Infrastructure domain that are not automatically managed by Application Migration.

Application Migration migrates the following types of files from your source instance's domain configuration to your target domain's configuration:

Application deployments
Library deployments
Custom keystores

Other files that your applications or domain resources require are not automatically managed by Application Migration, including files that are located outside the DOMAIN_HOME directory. You must manually copy these files to the target instance.

Use SSH to connect to the Administration Server node in your source instance.
```
ssh -i <privatekey> opc@<source_admin_IP>
```
Switch to the oracle user.
```
sudo su - oracle
```
Identify any supporting files that need to be copied to the target instance.
Copy the files to the /tmp directory.
Example:
```
cp /u01/myfiles/app.properties /tmp
```
Note:
If you have multiple files to transfer, then consider adding them to a single archive file.
Change the owner of the files to the opc user.
Example:
```
exit
sudo chown opc:opc /tmp/app.properties
```
Disconnect from the node.
Use SCP to download the files from the Administration Server node in your source instance to your local computer.
Example:
```
scp -i <privatekey> opc@<source_admin_IP>:/tmp/app.properties .
```
Use SCP to upload the files to the Administration Server node in your target instance.
Example:
```
scp -i <privatekey> app.properties opc@<target_admin_IP>:/tmp
```
Use SSH to connect to the Administration Server node in your target instance.
```
ssh -i <privatekey> opc@<target_admin_IP>
```
Change the owner of the files to the oracle user.
Example:
```
sudo chown oracle:oracle /tmp/app.properties
```
Switch to the oracle user.
```
sudo su - oracle
```
Move the files to the same location that they were found on the source instance.
Example:
```
mkdir /u01/myfiles
mv /tmp/app.properties /u01/myfiles
```
Disconnect from the node.

Recreate Oracle Fusion Middleware Security Resources

If you created any custom users, groups, roles or policies in your source Oracle Java Cloud Service instance, then you must recreate them in the target Oracle WebLogic Server for Oracle Cloud Infrastructure domain.

Application Migration does not automatically migrate any Oracle Fusion Middleware security resources that you created to support your applications, including users, roles and policies. Perform this task if your source domain includes applications that use Oracle Fusion Middleware (FMW), Oracle Platform Security Services (OPSS), Oracle Application Development Framework (ADF) or Oracle Web Services Manager (WSM).

Access the Fusion Middleware Control Console for your source instance.
https://<source_admin_ip>:7002/em
Sign in to the console as your Oracle WebLogic Server system administrator.
From a different browser window or tab, sign in to the Fusion Middleware Control Console for your target domain.
https://<target_admin_ip>:7002/em
See Access the Fusion Middleware Control Console in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.
Recreate users and groups.
1. From both consoles, click WebLogic Domain, select Security, and then select Security Realms.
2. From both consoles, click the realm, and then click Users and Groups.
3. Identify any custom users in the source instance, and then recreate these users in the target instance.
4. From both consoles, click Groups.
5. Identify any custom groups in the source instance, and then recreate these groups in the target instance.
Recreate roles and policies.
1. From both consoles, click WebLogic Domain, select Security, and then select Application Roles.
2. Identify any roles in the source instance, and then recreate these roles in the target instance.
  For more information, see these topics in Securing Applications with Oracle Platform Security Services:
3. From both consoles, click WebLogic Domain, select Security, and then select Application Policies.
4. Identify any policies in the source instance, and then recreate these policies in the target instance.
5. From both consoles, click WebLogic Domain, select Security, and then select System Policies.
6. Identify any system policies in the source instance, and then recreate these system policies in the target instance.
7. For Name, select Includes, and then enter the text common/wsm-agent-core.
8. Click Search System Security Grants .
9. Identify any custom permissions that you created for this system library in the source instance, and then recreate these permissions in the target instance.
  Repeat this process if you created custom permissions for other system libraries.

Recreate keystores.

From both consoles, click WebLogic Domain, select Security, and then select Keystore.

Identify any custom keystores in the source instance, and then recreate these keystores in the target instance.

If any of the following aliases are present in the system keystores, do not modify them:

Keystore	Aliases
`system/trust`	`democa`, `idcs_root_ca`
`system/demoidentity`	`DemoIdentity`
`system/castore`	`democa`
`system/publiccacerts`	`<name> [jdk]`, `idcs_root_ca`
`opss/trustservice_ts`	`trustservice`, `cloudca`
`opss/trustservice_ks`	`trustservice`
`owsm/keystore`	`oauth_<identity_domain>_trust_sign`, `cloudca`, `orakey`

For more information, see these topics in Securing Applications with Oracle Platform Security Services:

Recreate credential maps.
1. From both consoles, click WebLogic Domain, select Security, and then select Credentials.
2. Identify any custom credential maps in the source instance, and then recreate these credential maps in the target instance.
  Do not modify the default credential maps, including oracle.wsm.security.
  
  For more information, see these topics in Securing Applications with Oracle Platform Security Services:
Reconfigure security providers.
1. From both consoles, click WebLogic Domain, select Security, and then select Security Provider Configuration.
2. Compare the security provider configuration of the source and target instances, and then update the configuration of the target instance as necessary.
  
  Do not modify the Security Store.
Reconfigure the audit service.
1. From both consoles, click WebLogic Domain, select Security, and then select Audit Registration and Policy.
2. Compare the audit policy settings of the source and target instances, and then update the settings of the target instance as necessary.
  For more information, see these topics in Securing Applications with Oracle Platform Security Services:
Recreate Web Services Manager (WSM) policies.
1. From both consoles, click WebLogic Domain, select Web Services, and then select WSM Policies.
2. Identify any custom policies in the source instance, and then recreate these policies in the target instance.
  The default policies are read-only and identified with a lock icon.
  For more information, see these topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:
3. From both consoles, click WebLogic Domain, select Web Services, and then select WSM Policy Sets.
4. Identify any policy sets in the source instance, and then recreate these policy sets in the target instance.

Migrate Oracle Identity Cloud Service Roles and Policies

If your source Oracle Java Cloud Service instance uses Oracle Identity Cloud Service for authentication, then you must migrate the administrator roles and web tier policy to the target domain in Oracle WebLogic Server for Oracle Cloud Infrastructure.

The source and target are each associated with a security application in Oracle Identity Cloud Service. The security application grants administrative rights for the WebLogic Server domain to specific users and groups in Oracle Identity Cloud Service.

Access the Oracle Identity Cloud Service console.
Click the navigation drawer , and then select Applications.
Click the security application for your source instance, JaaS_<source_instance_name>.
Copy the following information for the security application:
- Application ID
- Client ID
- Client secret
Encode the following string in base64 format.
```
<client_id>:<client_secret>
```

Use the Oracle Identity Cloud Service REST API to request an access token for the source instance's security application.

curl --location --request POST 'https://<idcs_host>/oauth2/v1/token' \
--header 'Authorization: Basic <base64_encoded_clientid:secret>' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=urn:opc:idm:__myscopes__' \
--data-urlencode 'username=<idcs_user_name>' \
--data-urlencode 'password=<idcs_password>'

Copy the access token from the response.

See Generate Access Token and Other OAuth Runtime Tokens to Access the Resource in REST API for Oracle Identity Cloud Service.

Use the Oracle Identity Cloud Service REST API to export the web tier policy for the security application.

curl -X GET 'https://<idcs_host>/admin/v1/Apps/<application_ID>&attributes=displayName,urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson' \
-H 'Authorization:Bearer <access_token>'

Locate the web tier policy in the response:

...
"webtierPolicy": [
  {
    "policyName": "jcs_cg_policy",
    "resourceFilters": [
  ...
]

See Get an App in REST API for Oracle Identity Cloud Service.

Return to the Oracle Identity Cloud Service console.
From the application details page, click Application Roles.
Click Export, and then select Export All.
When prompted for confirmation, click Export Application Roles, and then click Close.
Click the job ID.
If a job ID link is not displayed, click the navigation drawer , select Jobs, and then click the job.
After the export job has finished, click Download. Save the file AppRoleExport_<id>.csv.
Click the navigation drawer , and then select Applications.
Click the security application for your target domain, <stack>_enterprise_idcs_app_<timestamp>.

If your source and target are in different identity domains, then you must access the Oracle Identity Cloud Service console for the target identity domain.
Click SSO Configuration.

From the web tier policy that you exported with the REST API, identify the first entry in the resourceFilters block.

Example:

{
  "cloudgatePolicy": {
    "disableAuthorize": false,
    "allowCors": false,
    "requireSecureCookies": true,
    "webtierPolicy": [
      {
        "policyName": "jcs_cg_policy",
        "resourceFilters": [
          {
            "type": "regex",
            "filter": "/myapp/.*",
            "method": "oauth",
            "authorize": false
          },
          ...

Copy the value of the filter property.

Expand Resources.
Within the Resources section, click Add.
Enter a Resource Name.
For example, myapp
For Resource URL, paste the value of the filter property.
If the filter's type property is regex, then select Regex.
Click OK.
Expand Authentication Policy. Under Managed Resources, click Add.
For Resource, select your new resource.
For Authentication Method, choose an option based on the filter's method property.
- oauth - Select Form or Access Token
- public - Select Public
- unsupported - Select Unsupported
Click Add.
Repeat from step 18 for each additional filter in the exported web tier policy.
Click the navigation drawer , and then select Groups.
Create these groups for the target domain.
- <domain>_Administrators
- <domain>_Deployers
- <domain>_Operators
- <domain>_Monitors
For example:
- MyDomain_Administrators
- MyDomain_Deployers
- MyDomain_Operators
- MyDomain_Monitors
Open AppRoleExport_<id>.csv, and identify the users and groups assigned to the Administrators role in the source instance.
Edit the <domain>_Administrators group, and add the same users and groups as the Administrators role in the source instance.
Repeat the previous step for the remaining roles in AppRoleExport_<id>.csv:
- Add the members of the Deployers role to the <domain>_Deployers group.
- Add the members of the Operators role to the <domain>_Operators group.
- Add the members of the Monitors role to the <domain>_Monitors group.
Sign in to the WebLogic Server Administration Console for the target domain.
https://<target_admin_ip>:7002/console
Click Security Realms.
Click the default realm.
Click the Roles and Policies tab.
From the Roles table, expand Global Roles, and then expand Roles.
Click View Role Conditions for the Admin role.
Click the group name assigned to this role. The default is Administrators.
Enter <domain>_Administrators.
Click OK, and then click Save.
From the breadcrumb links at the top of the page, click Realm Roles.
Repeat from step 38 for the remaining administrator roles:
- Map Deployer to <domain>_Deployers
- Map Operator to <domain>_Operators
- Map Monitor to <domain>_Monitors

Integrate Fusion Middleware Components with Oracle Identity Cloud Service

If your source Oracle Java Cloud Service instance uses Oracle Identity Cloud Service for authentication, then you can integrate certain Oracle Fusion Middleware components in the target domain with Oracle Identity Cloud Service.

If your source instance uses Oracle Web Services Manager to protect web service applications and clients, then see Secure Web Services Using Identity Cloud Service in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.

If applications on your source instance use Oracle Platform Security Services APIs to look up user and group information, then see Integrate OPSS User and Group APIs with Identity Cloud Service in Using Oracle WebLogic Server for Oracle Cloud Infrastructure.