Migrate Oracle Identity Cloud Service Roles and Policies

If your source Oracle Java Cloud Service instance uses Oracle Identity Cloud Service for authentication, then you must migrate the administrator roles and web tier policy to the target domain.

The source and target are each associated with a security application in Oracle Identity Cloud Service. The security application grants administrative rights for the WebLogic Server domain to specific users and groups in Oracle Identity Cloud Service.

  1. Access the source Oracle Identity Cloud Service console.
  2. Go to the Oracle Java Cloud Service instance.
  3. In the Instance Overview page, click the IDCS Application link.
  4. In the application details page, go to the Web Tier Policy tab, and then select Export.
  5. Open the exported policy, and locate the following web tier policy in the response.
    ...
    "webtierPolicy": [
      {
        "policyName": "jcs_cg_policy",
        "resourceFilters": [
      ...
    ]

    See Get an App in REST API for Oracle Identity Cloud Service.

  6. Return to the Oracle Identity Cloud Service console.
  7. From the application details page, click Application Roles.
  8. Click Export, and then select Export All.
  9. When prompted for confirmation, click Export Application Roles, and then click Close.
  10. Click the job ID.
    If a job ID link is not displayed, click the navigation drawer icon, select Jobs, and then click the job.
  11. After the export job has finished, click Download. Save the file AppRoleExport_<id>.csv.
  12. If your source and target are in different identity domains, then you must access the Oracle Identity Cloud Service console for the target identity domain.
  13. In the target domain, click the navigation drawer icon, and then select Applications.
  14. Click the security application for your target domain, <stack>_enterprise_idcs_app_<timestamp>.
  15. Click SSO Configuration.
  16. From the web tier policy that you exported with the REST API, identify the first entry in the resourceFilters block.
    Example:
    {
      "cloudgatePolicy": {
        "disableAuthorize": false,
        "allowCors": false,
        "requireSecureCookies": true,
        "webtierPolicy": [
          {
            "policyName": "jcs_cg_policy",
            "resourceFilters": [
              {
                "type": "regex",
                "filter": "/myapp/.*",
                "method": "oauth",
                "authorize": false
              },
              ...

    Copy the value of the filter property.

  17. Expand Resources.
  18. Within the Resources section, click Add.
  19. Enter a Resource Name.
    For example, myapp.
  20. For Resource URL, paste the value of the filter property.
  21. If the filter's type property is regex, then select Regex.
  22. Click OK.
  23. Expand Authentication Policy. Under Managed Resources, click Add.
  24. For Resource, select your new resource.
  25. For Authentication Method, choose an option based on the filter's method property.
    • oauth - Select Form or Access Token
    • public - Select Public
    • unsupported - Select Unsupported
  26. Click Add.
  27. Repeat from step 17 to step 26 for each custom filter in the exported web tier policy.
  28. Click the navigation drawer icon, and then select Groups.
  29. Create these groups for the target domain.

    Note:

    Ensure you have the required permissions to create groups.
    • <wls_domain_name>_Administrators
    • <wls_domain_name>_Deployers
    • <wls_domain_name>_Operators
    • <wls_domain_name>_Monitors

    For example:

    • MyWLS_Domain_Administrators
    • MyWLS_Domain_Deployers
    • MyWLS_Domain_Operators
    • MyWLS_Domain_Monitors
  30. Open AppRoleExport_<id>.csv, and identify the users and groups assigned to the Administrators role in the source instance.
  31. Edit the <wls_domain_name>_Administrators group, and add the same users and groups as the Administrators role in the source instance.
  32. Repeat the previous step for the remaining roles in AppRoleExport_<id>.csv:
    • Add the members of the Deployers role to the <wls_domain_name>_Deployers group.
    • Add the members of the Operators role to the <wls_domain_name>_Operators group.
    • Add the members of the Monitors role to the <wls_domain_name>_Monitors group.
  33. Sign in to the WebLogic Server Administration Console for the target domain.
    https://<target_admin_ip>:7002/console
  34. Click Security Realms.
  35. Click the default realm.
  36. Click the Roles and Policies tab.
  37. From the Roles table, expand Global Roles, and then expand Roles.
  38. Click View Role Conditions for the Admin role.
  39. Click the group name assigned to this role. The default is Administrators.
  40. Enter <wls_domain_name>_Administrators.
  41. Click OK, and then click Save.
  42. From the breadcrumb links at the top of the page, click Realm Roles.
  43. Repeat from step 37 for the remaining administrator roles:
    • Map Deployer to <wls_domain_name>_Deployers
    • Map Operator to <wls_domain_name>_Operators
    • Map Monitor to <wls_domain_name>_Monitors
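The following is an added example (not part of the Oracle documentation) that turns the manual lookups in steps 16 to 27 and steps 29 to 43 into a checklist: it reads the exported app response (the cloudgatePolicy / webtierPolicy / resourceFilters structure shown in step 16), lists each resource with the Regex setting and Authentication Method you would enter in the SSO Configuration page, and derives the <wls_domain_name>_* group name for each administrator role. The sample policy JSON is constructed for illustration; deriving the resource name from the first path segment of the filter is an assumed convention, and because the column layout of AppRoleExport_<id>.csv is not shown on this page, the role membership input is taken as an already-parsed dictionary.

```python
"""Checklist helpers for migrating an IDCS web tier policy and application roles.

Added example, not Oracle's own code. Assumes the exported app JSON has the
cloudgatePolicy -> webtierPolicy -> resourceFilters layout shown in step 16.
"""
import json

# Filter "method" value -> Authentication Method choice in SSO Configuration (step 25).
METHOD_TO_AUTH = {
    "oauth": "Form or Access Token",
    "public": "Public",
    "unsupported": "Unsupported",
}

# Source application role -> suffix of the target-domain group (steps 29 and 43).
ROLE_TO_GROUP_SUFFIX = {
    "Administrators": "Administrators",  # mapped to the WebLogic Admin role
    "Deployers": "Deployers",            # mapped to Deployer
    "Operators": "Operators",            # mapped to Operator
    "Monitors": "Monitors",              # mapped to Monitor
}

# Constructed sample of an exported app response with two resource filters.
SAMPLE_POLICY = json.dumps({
    "cloudgatePolicy": {
        "disableAuthorize": False,
        "allowCors": False,
        "requireSecureCookies": True,
        "webtierPolicy": [
            {
                "policyName": "jcs_cg_policy",
                "resourceFilters": [
                    {"type": "regex", "filter": "/myapp/.*",
                     "method": "oauth", "authorize": False},
                    {"type": "literal", "filter": "/health",
                     "method": "public", "authorize": False},
                ],
            }
        ],
    }
})


def resource_name_from_filter(filter_value):
    """Assumed convention: use the first path segment, e.g. '/myapp/.*' -> 'myapp'."""
    segments = [s for s in filter_value.split("/") if s and s != ".*"]
    return segments[0] if segments else "root"


def extract_resources(policy_json, policy_name="jcs_cg_policy"):
    """One checklist entry per resource filter of the named web tier policy (steps 19-25)."""
    data = json.loads(policy_json)
    entries = []
    for policy in data["cloudgatePolicy"]["webtierPolicy"]:
        if policy.get("policyName") != policy_name:
            continue
        for rf in policy["resourceFilters"]:
            method = rf.get("method", "unsupported")
            if method not in METHOD_TO_AUTH:
                # Surface anything the SSO page cannot express instead of guessing.
                raise ValueError(f"unknown method {method!r} for filter {rf.get('filter')!r}")
            entries.append({
                "resource_name": resource_name_from_filter(rf["filter"]),
                "resource_url": rf["filter"],          # pasted into Resource URL (step 20)
                "regex": rf.get("type") == "regex",    # tick Regex only for type regex (step 21)
                "authentication_method": METHOD_TO_AUTH[method],
            })
    return entries


def group_for_role(wls_domain_name, role):
    """Target-domain group that receives the members of a source application role."""
    if role not in ROLE_TO_GROUP_SUFFIX:
        raise ValueError(f"no group mapping for role {role!r}")
    return f"{wls_domain_name}_{ROLE_TO_GROUP_SUFFIX[role]}"


def group_memberships(wls_domain_name, role_members):
    """role_members: {role: [user or group, ...]} as read from AppRoleExport_<id>.csv
    (CSV parsing is left out because the column layout is not shown on the page)."""
    return {group_for_role(wls_domain_name, r): sorted(m) for r, m in role_members.items()}


if __name__ == "__main__":
    for entry in extract_resources(SAMPLE_POLICY):
        print(entry)
    print(group_memberships("MyWLS_Domain", {"Administrators": ["alice", "wls-admins"]}))
```

Run it against the real export by replacing SAMPLE_POLICY with the file contents; a ValueError on an unexpected method value is a filter that needs a manual decision rather than a default.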