This chapter includes the following sections:
For information about moving from a test environment to a production environment, see "Moving from a Test to a Production Environment" in Administering Oracle Fusion Middleware.
To migrate web service applications independently between environments, such as from test to production, or in a scaled clustered environment, you must export the policies and the deployment configuration information to the new environment so that you can deploy the application. Depending on your configuration, you may also need to migrate policy configuration artifacts and policy assertion templates.
A deployment descriptor is an XML file that contains the basic deployment configuration for an application. For WebLogic Server and Java EE web service applications, you create a deployment plan that contains the necessary deployment descriptors for deploying the application in a new environment.
For ADF Business Components and WebCenter services, however, run-time policy changes are persisted in proprietary deployment descriptor (PDD) files: oracle-webservices.xml
and oracle-webservices-client.xml
. Because these files are not included in the WebLogic deployment plan or exported with any other deployment descriptors, you must export and import these PDD files separately. You must also export and import these PDD files separately if you are scaling your application in a clustered environment.
Note that the following Oracle Infrastructure web services components provide different configuration management mechanisms.
For a SOA composite, web services and OWSM configurations are persisted in a composite.xml file which is included in a configuration plan used for deployment configuration. The SOA framework provides its own mechanism for composite services and configuration lifecycle and synchronizations.
ADF Web Service data control configuration stores connection details for WebCenter services in a connections.xml file and all post-deployment changes as customizations in the Metadata Services (MDS) repository.
The general steps for migrating a web service application from a development or test environment to a production environment are as follows:
For information about migrating Fusion Middleware applications between environments, see "Advanced Administration: Expanding Your Environment" in Administering Oracle Fusion Middleware.
The following steps describe a typical scenario for how to create a policy and migrate the policy horizontally through the different stages of the application development and deployment cycles.
You can export one or more user-created policies to an archive file using Fusion Middleware Control. You can then import the archive to move it to another repository.
Note:
Read-only documents, such as predefined policies and assertion templates, will not be imported or exported using either Fusion Middleware Control or WLST because they will already be present in the target environment.
For details about exporting and importing user-created policies using Fusion Middleware Control, refer to the following topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:
Alternatively, you can use the exportWSMRepository
and importWSMArchive
WLST commands to export and import the policies. The following describes the steps required:
To migrate policies using WLST commands:
For more information about these WLST commands, see "Web Services Custom WLST Commands" in WLST Command Reference for Infrastructure Components.
The following sections describe how to migrate the configuration artifacts for OWSM policies. Sections include:
If you are using message protection policies, you need to migrate your keystores.
To migrate keystores:
For information about configuring the keystore, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
To migrate keystores with Keystore Service (KSS):
Export the keystore to a file with the exportKeyStore command.
Import the file to the new keystore with the importKeyStore command.
For details about using the keystore migration commands in KSS, see Managing Keys and Certificates with the Keystore Service in Securing Applications with Oracle Platform Security Services
Users and groups are maintained as part of the WebLogic Server security realm.
To migrate users and groups in embedded LDAP, you can migrate the data using either the Oracle WebLogic Administration Console or WLST. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server 12c (12.2.1).
To migrate users and groups in an LDAP store, there is no migration path. You need to recreate the users and groups and specify the assignments in the LDAP store in the new environment. See "Configuring Authentication Providers" in Administering Security for Oracle WebLogic Server 12c (12.2.1).
There are two types of credentials maintained in the credential store that you may need to migrate:
Username and password
Keystore and encryption key passwords
The migration steps are described in the sections below.
If users are stored in an embedded LDAP and migrated, as described in "Migrating Users and Groups", then you simply migrate the existing credentials to the new credential store. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server 12c (12.2.1).
If users are stored in an LDAP store, there is no automated migration path. You need to recreate the credentials in the credential store. For more information about configuring credentials, see "Configuring the Credential Store" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
You can migrate keystores and encryption key passwords manually using the procedure described in "Migrating Credentials Manually" in "Deploying Secure Applications" in Securing Applications with Oracle Platform Security Services.
If your web service uses authorization policies, you must migrate the Oracle Platform Security Services application and system policies that grant permissions. For more information, see "Migrating with the Script migrateSecurityStore" in "Configuring the OPSS Security Store" in Securing Applications with Oracle Platform Security Services.
There is no automated migration path for Oracle Platform Security Services configuration. You must recreate the configuration in the new environment.
There are three types of configurations in the Oracle Platform Security Services that you may need to recreate:
SAML trusted assertion issuer names (applicable for all SAML policies).
If you use the default configuration for SAML trusted issuer configuration, then no migration is required. For information about configuring SAML in the new environment, see "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Keystore locations and CSF key configuration for keystore and keystore password (applicable for message protection policies only).
If you use the default configuration for keystores, then no migration is required. For information about configuring keystores in the new environment, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Keytab location and service principal name (applicable to Kerberos policy).
For information about configuring the keytab location and service principal name in the new environment, see the following topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:
There is no automated migration path for SSL configuration. You must configure SSL keystores and settings in the new environment. For more information about configuring SSL keystores and settings in the new environment, see "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
You can export individual assertion templates from Oracle Enterprise Manager Fusion Middleware Control. You can then copy the policy to a directory or import the policy to move it to another repository.
For details about exporting and importing assertion templates, see "Managing Policy Assertion Templates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.