3 Migration/Side-by-Side Upgrade for SOA Cloud Service
Learn how to migrate your on-premises SOA application to the cloud or how to do a side-by-side upgrade in the cloud for SOA Cloud Service.
Topics:
Provision SOA Cloud Service
Provision a new SOA Cloud Service instance before starting the other migration and side-by-side upgrade related tasks. You’ll migrate or recreate configurations from your old source environment into this newly provisioned instance of SOA Cloud Service.
Create a simple hello world application (SOA composite/OSB proxy service/B2B agreement) and test to check that it works.
Prepare Clients for Migration/Side-by-Side Upgrade
Configure and prepare your clients such that the transition of HTTP clients from the old deployment to the new deployment is smooth and happens by switching the Domain Name System (DNS) entry.
These changes can be done gradually over time because after these changes are completed everything continues to work as before the changes. This includes some changes to the source environment.
To prepare clients:
Prepare Your Source for Migration/Side-by-Side Upgrade
You have to migrate the Integrated Development Environment (IDE) projects and export or capture needed artifacts from the source environment to prepare your source for Oracle SOA Cloud Service migration/side-by-side upgrade.
Prepare Your Target Environment
Prepare your target environment by importing or recreating all the configurations of your source. This will ensure successful deployment of the target instance.
Test Your Target Environment
You can test your target environment at this point to check if everything is working as expected after the migration. It is assumed that you have already tested in a stage system (test environment).
Transition from Old Deployment to New Deployment
After you have prepared your source and target environments for the migration/side-by-side upgrade, you can transition your production system from old deployment to new deployment. You can do this by transitioning: HTTP Clients, inbound adapters where address is the same for old and new, clients of inbound adapters where address is different for old and new, and clients who are reading from the old environment (such as a jms queue) but now need to read from the target environment.
Note that the transition from old to new deployment will not work if the following are used:
-
BPEL correlation sets or message ordering.
-
Mid-process receives from clients in BPEL.
-
If SOA composites have human workflow elements.
Reconfigure Tuning and Configuration Parameters
Reconfigure any Enterprise Manager tuning and configuration parameters that you had previously set in the source environment or you need to change in the target environment.
SOA
-
Lazy loading
-
Modularity profile
-
Autopurge
-
Timeouts (transaction, Enterprise JavaBeans, HTTP)
-
Work managers
-
SOA data source connection pool
-
Resiliency
-
In-memory
-
EDN
-
Instance tracking
ESS
-
Dispatcher
-
Processor thread pool
-
Attach ESS web service OWSM policy
-
Scheduled purge
Oracle Service Bus
-
Results cache
-
Work managers
B2B
Refer to the following topics in Using Oracle B2B:
-
For information about Enterprise Manager Parameters, see Setting B2B Configuration Properties in Fusion Middleware Control.
-
For information about B2B interface parameters, see Configuring B2B System Parameters.
Migrate Data Components
Migrate your data components such as LDAP, OPSS, OWSM, ESS, B2B, OSB and SOA from the source to the target environment.
You’ll perform these tasks as part of preparing your target environment for transitioning from the old environment to the new.
Note:
The side-by-side upgrade steps described here are for SOA Could Service 12.1.3 as source environment and SOA Cloud Service 12.2.1.2 as target environment. All the steps described here are certified only for target SOA Cloud Service deployment of 12.2.1.2.Migrate your data components in the following order:
-
Migrate LDAP Data
-
Migrate OPSS Data
-
Migrate OWSM Data
-
Migrate the remaining data (ESS, B2B, OSB and SOA) in any order.
Move LDAP Data
LDAP data includes the Oracle WebLogic Server specified user, group, enterprise role and security policies (predefined Oracle WebLogic configurations and configurations that users have added to internal LDAP). Import and move the LDAP data from your source to your target environment.
For migrating LDAP data from your on-premises SOA instance to the cloud, refer to the WebLogic LDAP documentation or refer to your on-premises IDM documentation. Check if any migration is possible or you will need to manually re-enter everything.
If you are doing a side-by-side upgrade in the cloud, note that SOA Cloud Service uses internal LDAP.
The WebLogic console has commands to export and import internal LDAP. This can be used to move users/groups/group memberships/enterprise roles etc. By default, LDAP import will not overlay users and groups, and other artifacts that are already there. This is the desired behavior. For details, see Exporting and Importing Information in the Embedded LDAP Server in Administering Security for Oracle WebLogic Server.
When you export the whole LDAP, information which the integration does not use such as XACML policies and default credential mapper, also gets exported. This information may get seeded by WebLogic and exporting/importing this information can have issues. So do not export/import this information.
For information on how to handle the WebLogic OOTB security provider data migration, see:
-
Security Data Migration in Developing Security Providers for Oracle WebLogic Server.
-
Migrating Security Data in Administering Security for Oracle WebLogic Server.
You can navigate to any security provider that supports the migration functions and invoke the import( ) and/or export ( ) MBean operation such that this security provider’s data can be addressed outside of any other security provider data. See Migrating Data with WLST in Administering Security for Oracle WebLogic Server.
Here is an example with direct lookup vs navigation:
$ java weblogic.WSLT
% connect()
% serverConfig()
% realm = cmo.getSecurityConfiguration().getDefaultRealm()
% atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')
% atn.exportData('DefaultAtn', 'myFile', None)
% disconnect()
You can use WLST if you decide that you need any data beyond the default Authenticator (Embedded LDAP users/groups). It is recommended that you also export roles.
Exporting LDAP Data
This is an example of commands to export LDAP data from SOA Cloud Service 12.1.3.
Before exporting LDAP data, enter the following commands in the source SOA Cloud Service 12.1.3 environment.
ssh -i opc_rsa opc@<source_admin_host_ip>
sudo -su oracle
cd /u01/
cd /app/oracle/middleware/oracle_common/common/bin/
./wlst.sh
connect('weblogic','welcome1','t3s://<source_admin_host_ip>:<admin_port>')
<currentDomainName>=cmo.getName()
Importing LDAP Data
This is an example of commands to import LDAP data into SOA Cloud Service 12.2.1.2.
Note:
These commands have been certified only on SOA Cloud Service 12.2.1.2 as a target environment, but are also applicable to 12.2.1.3 and 12.2.1.4.ssh -i opc_rsa opc@<host_adminip_target>
sudo -su oracle
cd /u01/app/oracle/middleware/oracle_common/common/bin/
./wlst.sh
connect('weblogic','welcome1','t3s://<target_host_ip>:<target_host_port>')
currentDomainName=cmo.getName()
Move OPSS Data
Move OPSS data by exporting from the source (on-premises SOA application in case of migration to the cloud and SOA Cloud Service in case of side-by-side upgrade). Then copy the exported file to the newly provisioned target environment and import.
OPSS consists of the following:
-
OPSS policies application roles and permissions
These are mostly seeded automatically but in some cases customers can create their own roles and policies. Also, customers will define role memberships.
-
Keys, certificates and trust certificates
These are used for authentication, signing, encryption and SSL. Trust certificates are public certificates of certificate issuing authorities to establish the trust chain.
-
Credentials
Note the following when you move OPSS data:
-
Bootstrap credentials and bootstrap keys must be preserved in the target environment domain and should not be overlayed with import and export.
If nothing was done to specifically import/export keys into the system keystore in the source system, it is recommended that you do not migrate the source system keystore since the same contents will get seeded when the destination domain is created.
-
Migration of the OPSS audit service is not required.
-
Server SSL key must be preserved in the target environment domain and should not be overlayed with import and export.
Note:
Source environment deployment server certificates with host names in the certificates cannot be reused.OPSS Policies
Integration products typically do not permit users to create custom policies (roles and permissions) with the exception of Oracle Enterprise Scheduler (ESS). You cannot move custom policies because they are intermingled with seeded policies and OPSS does not support moving just custom policies.
For ESS, the custom policies are in the native hosting application stripe and this stripe is empty out of the box. So, it is possible to move these policies intact. For details on how to do this, see Migrating Policies with migrateSecurityStore in Securing Applications with Oracle Platform Security Services.
Keystores
OPSS supports two types of keystores: JKS (old) and KSS. By default, 12c uses KSS.
If the keys and certificates are in JKS, there is no OPSS involvement. You can simply copy the file to the other domain and move it to KSS.
There are two options available for KSS migration:
-
Use the command
MigrateSecurityStore
to migrate across domains. This means that for side-by-side upgrade (cloud to cloud), it may be possible to migrate directly, that is, database to database across domains. -
Use the command
MigrateSecurityStore
to migrate in a two-phased approach: migrate from KSS to file, copy over the file, and then migrate back to KSS.
For information on the commands and examples to migrate keys to file or across domains, see Migrating Keys and Certificates across Different Domains in Securing Applications with Oracle Platform Security Services. From a migration perspective, LDAP or DB should not make a difference. The steps to migrate are the same.
For information on importing and exporting individual keys in the keystores, see Tasks 4 and 5 of Managing Keystores with WLST in Securing Applications with Oracle Platform Security Services. You can use this in the target environment to export the server SSL key before the move and import it back after the move.
Server certificates typically have DNS names in them and are not usable in the target environment.
Credentials
You can use the migrateSecurityStore
command to migrate credentials.
There are two variants of the migrateSecurityStore
command:
-
You can use it to migrate all the credentials in the DB store. See Migrating All Credentials with migrateSecurityStore in Securing Applications with Oracle Platform Security Services.
-
You can migrate only the specific map that you're interested in. See Migrating One Credential Map with migrateSecurityStore in Securing Applications with Oracle Platform Security Services.
You'll need to invoke migration in two phases:
-
Run the migration on the first domain to migrate credentials (all or a specific map) from DB to file. This will create a file
cwallet.sso
. -
Carry over the file
cwallet.sso
to the second domain, and run the migration to migrate credentials from filecwallet.sso
(carried over from phase 1) to DB in the second domain.
The export is done in the source environment domain. The exported file is carried over and then the import is done in the target environment domain.
The OWSM bootstrap CSF key in KSS should not be overlaid. The bootstrap CSF key entry is specified in wsm-config.xml
under $DOMAIN_CONFIG_DIR/fmwconfig
.
Move OWSM Data
Move OWSM data by exporting it from the source and importing it to the target environment.
OWSM has the following artifacts of interest:
-
CSF keys: There are references to CSF keys in OWSM policies/policy overrides. There is no change required as long as actual values are available in the credential store owned by OPSS. CSF keys must be available in the target environment.
-
certs and keys: OWSM supports two types of keystores: JKS (file based) and KSS (owned by OPSS). The certificates/aliases in the source environment should be made available in the target environment. There are references to keys/certificates in OWSM policies/policy overrides.
-
Custom OWSM authorization policies: These are same as custom policies.
-
Custom OWSM policies
See Exporting Documents from the Repository Using WLST in Securing Web Services and Managing Policies with Oracle Web Services Manager.
See Importing Documents into the Repository Using WLST in Securing Web Services and Managing Policies with Oracle Web Services Manager.
-
Additional configurations that may be required: trust config and OAuth config
In 12c, exportWSMRepository
exports all custom policies from the repository, the trust configuration, OAuth configuration, and any other configuration documents.
In 11g, the specific custom policies have to be enumerated to export them. Note that it may not be as simple as moving the documents from 11g to 12c because as part of upgrade, the OWSM upgrade plugin takes care of adding/updating 12c specific changes in the artifacts. There may be no easy way to automate policy movement from 11g to 12c as part of migration.
Steps for Migrating OWSM Data
This is an example of commands to migrate OWSM data from SOA Cloud Service 12.1.3 to SOA Cloud Service 12.2.1.2.
Note:
These commands have been certified only on SOA Cloud Service 12.2.1.2 as a target environment, but are also applicable to 12.2.1.3 and 12.2.1.4.When migrating OWSM data, note that only custom policies and policy sets are migrated.
Move ESS Metadata
Since
we need to export tip versions of metadata in MDS in a specific package, we can use the
exportMetadata
WLST command with docs parameter as
"/oracle/apps/ess/custom/**"
and
"/oracle/as/ess/essapp/custom/**"
to an archive. Then we can import
from the archive to the target MDS repository using the importMetadata
WLST command.
To ensure the metadata is independent of environment, we need to tokenize URLs in job definitions first. Users have to define the new token values in the target environment (if required).
For MDS importMetadata
and exportMetadata
commands, see exportMetadata and importMetadata in WLST
Command Reference for Infrastructure Components.
Steps for Migrating ESS Metadata
This is an example of commands to migrate ESS metadata from SOA Cloud Service 12.1.3 to SOA Cloud Service 12.2.1.2.
Note:
These commands have been certified only on SOA Cloud Service 12.2.1.2 as a target environment, but are also applicable to 12.2.1.3 and 12.2.1.4.-
On the source SOA Cloud Service 12.1.3 environment, enter the following commands:
exportMetadata(application='EssNativeHostingApp',server='SOAOSBLS_server_1',toLocation='/u01/data/artifacts /Custom.mar',docs='/oracle/apps/ess/custom/**')
exportMetadata(application='ESSAPP', server='SOAOSBLS_server_1',toLocation='/tmp/ESSAPP_custom.mar',docs='/oracle/as/ess/essapp/custom/**')
-
On the target SOA Cloud Service 12.2.1.2 environment, enter the following commands:
importMetadata(application='EssNativeHostingApp',server='SOAOSBta_server_1',fromLocation='/u01/data/artifacts /Custom.mar',docs='/oracle/apps/ess/custom/**')
importMetadata(application='ESSAPP', server='SOAOSBta_server_1',fromLocation='/tmp/ESSAPP_custom.mar',docs='/oracle/as/ess/essapp/custom/**')
Move B2B Metadata
Move B2B metadata from your source to your target environment.
For detail instructions, see Importing and Exporting Data in Using Oracle B2B.
Move Oracle Service Bus Projects
The easiest way to export and import Oracle Service Bus metadata is through the console. You can export all the projects with one export.
See How to Export Resources to a Configuration JAR File in the Console in Developing Services with Oracle Service Bus.
Move SOA Projects
The SOA composite SAR archive can be generated easily in JDeveloper 12.2.1.2 by generating a SAR archive (instead of deploying to the server). This can be deployed to the target SOA Cloud Service 12.2.1.2 server from the console, ant script or WLST script.
See Deploying SOA Composite Application in Oracle JDeveloper in Developing SOA Applications with Oracle SOA Suite.
Transition Inbound Adapters/Transports
For successful migration/side-by-side upgrade, you need to transition inbound adapters/transports.
There are two use cases to consider for transitioning inbound adapters/transports. During transition, you disable the inbound adapters/transport at the source and enable it on the target environment. Also, when you first deploy the projects to the target environment, you do not want inbound adapters/transports to process production messages right away until you are ready for the transition. To solve both the use cases, you can do any of the following:
-
Change the etc/host file or add/remove permissions for the file directory.
-
Change to composite or adapter activate/deactivate.
SOA supports adapter activate/deactivate only in 12.1.3. In B2B, the inbound channel is disabled by default on import. Oracle Service Bus does not support this.
-
Change the inbound endpoints to test or true endpoints.
This requires a redeployment.