Migration Upgrade

For migration of an AquaLogic Service Bus 2.1 domain to an AquaLogic Service Bus 2.5 domain, no wizard is provided. All steps are manual. To upgrade an AquaLogic Service Bus 2.1 domain to 2.5 using the migration upgrade method, complete the steps described in this section.

Step 1: Export the AquaLogic Service Bus 2.1 Configuration

Use the AquaLogic Service Bus Console to export the AquaLogic Service Bus 2.1 configuration that you want to upgrade. To do so, select Export Resources from the System Administration panel in the console. For information about exporting AquaLogic Service Bus configurations, see "Exporting Configuration Data" in System Administration in Using the AquaLogic Service Bus Console.

Step 2: Export the Security Configurations

Use the WebLogic Server Administration Console to export security data from the domain: Inthe WebLogic Server Administration Console, select Domain Structure

Security Realms, then choose the security realm. Select Migration

Export to export the data.

The following table summarizes the security data and the types of security providers in which it is stored.

Security Data	Security Provider Type
User accounts	Authentication Provider
Group definitions	Authentication Provider
Role definitions	Role Mapping Provider
User names and passwords in service accounts	Username/Password Credential Mapping Provider
PKI credential map entries	PKI Credential Mapping Provider
SAML Relying Parties	SAML Credential Mapping Provider V2
SAML Asserting Parties	SAML Identity Assertion Provider V2
Trusted Certificates (for SSL and WSS)	Certification Path Provider (Certificate Registry)

If you created service accounts and added user names and passwords to the service accounts, then your domain includes a username/password credential mapping provider. If your domain includes this provider or a PKI credential mapping provider, you must configure the export process to export credential mapping passwords in clear text (unencrypted). Your new domain will not be able to use passwords that were encrypted by a different domain.

To Export Credential Mapping Data With Unencrypted Passwords

Carefully restrict access to the directory and file into which you export credential maps so that unauthorized users cannot read the unencrypted passwords. When you import the credential maps into the new domain, the credential mapping provider encrypts the passwords. After the upgrade is complete, securely dispose of the file with unencrypted passwords.
Export data from each security provider individually.

WebLogic Server allows you to either export all of the security data in a single export operation or to export data from each security provider individually. Do not export all of the data in a single export operation. The single export operation does not allow you to export passwords in clear text.

While exporting data from the credential mapping providers, do the following to export the passwords for the credentials in clear text: When the WebLogic Server Administration Console displays a page with the Export Constraints text box, enter the following: passwords=cleartext

Step 3: Install AquaLogic Service Bus 2.5

Step 4: Create a New AquaLogic Service Bus 2.5 Domain

Create a new AquaLogic Service Bus 2.5 domain using the Domain Configuration Wizard or using the offline configuration tools, as described in:

Creating a New AquaLogic Service Bus Domain in Creating WebLogic Domains Using the Configuration Wizard

"Creating and Extending Domains" in Using Offline Configuration Tools.

Step 5: Configure WebLogic Server Security

In the new domain, configure the WebLogic security framework with SSL and the security providers that you need to support your proxy and business services. See Configuring the WebLogic Security Framework: Main Steps in the AquaLogic Service Bus Security Guide.

In AquaLogic Service Bus 2.5, the WebLogic Default Authorization provider and Default Role Mapping provider is deprecated. Instead of configuring these providers in your new domain, BEA recommends that you use the WebLogic XACML Authorization provider and XACML Role Mapping provider. Later in the upgrade process you can import 2.1 policies and role maps into the XACML providers. See Deprecated Security Features in BEA AquaLogic Service Bus Release Notes.
If your new domain uses a PKI credential mapping provider, copy the keystores to the new domain and configure the PKI credential mapping provider to use the keystore.
If your 2.1 domain modified the Web Service security configurations named __SERVICE_BUS_INBOUND_WEB_SERVICE_SECURITY_MBEAN__ or __SERVICE_BUS_OUTBOUND_WEB_SERVICE_SECURITY_MBEAN__, make the same modifications in the 2.5 domain.
For example, if in your 2.1 domain you added the UseX509ForIdentity property to the __SERVICE_BUS_INBOUND_WEB_SERVICE_SECURITY_MBEAN__ configuration (which is required to support inbound authentication with an X.509 token), add the property in the 2.5 domain. See Use X.509 certificates to establish identity in The WebLogic Server Administration Console Online Help.

Step 6: Recreate Other WebLogic Server Objects

JMS resources, such as connection factories, queues, topics, and so on.
Work Manager definitions

Step 7: Import Security Data

Import the security information for each security provider separately.
See Only One Credential Mapping Provider Allowed.
BEA recommends that you import access control policies into the WebLogic XACML Authorization Provider. If you exported data from the WebLogic Default Authorization Provider in your 2.1 domain, when you import into the XACML Authorization Provider make sure that you select DefaultAtz from the Import Format list.
BEA recommends that you import security role maps into the WebLogic XACML Role Mapping Provider. If you exported data from the WebLogic Default Role Mapper Provider in your 2.1 domain, when you import into the XACML provider make sure you select DefaultRoles in the Import Format list.

Step 8: Import the AquaLogic Service Bus Configuration Data

For each 2.1 service account, the import process attempts to re-bind service accounts to the user names and passwords that are in the username/password credential mapping provider. For example, if your 2.1 domain included a service account with the user name of "pat" and password of "patspassword", the import process looks in the username/password credential mapping provider in the 2.5 domain for "pat" and "patspassword." If the import process does not find the credentials for a service account in the username/password credential mapping provider, you must add credentials to the service account before you can activate the session. You cannot import empty service accounts into AquaLogic Service Bus 2.5.

Searches the PKI credential mapping provider for alias-to-key-pair bindings that match those in the imported proxy service provider. If it finds a match, it enables the proxy service provider to use those key-pair bindings. If it does not find a match, the import process imports the proxy service provider without any key-pair bindings. While it is valid to create a proxy service provider that contains no key-pair bindings, if you want to use the provider to provide credentials, you must use the AquaLogic Service Bus Console to add key-pair bindings to the proxy service provider.
Prompts you to remove X.509 certificates that were used only for Web Service Security (WSS) authentication.

In AquaLogic Service Bus 2.5 you cannot create a proxy service provider that supplies an X.509 credential only for WSS authentication. You can create a proxy service provider that supplies X.509 credentials for digital signatures, digital encryption, or SSL client authentication. The proxy service provider uses the X.509 digital-signature credential for those web services that require the certificate for both WSS authentication and digital signature.

If a 2.1 proxy service provider contained a digital-signature credential and an X.509 authentication credential, and if both credentials refer to the same key-pair, the import process does not import the X.509 token authentication credential. You do not need to remove the credential. To confirm that the X.509 token authentication credential will not be imported into the 2.5 domain, the import process outputs the following message: Service Provider has been upgraded. The Web Service Security X.509 Token key has been removed. This credential has been deprecated in AquaLogic Service Bus 2.5. The Digital Signature key will be used instead.

See Security Updates Expand Configuration Options in "What's New in AquaLogic Service Bus" in BEA AquaLogic Service Bus Release Notes.

Step 9: Complete Any Manual Upgrade Procedures

Some AquaLogic Service Bus domain configuration changes are not automated and must be implemented manually. See Upgrade Considerations.

Upgrade Guide