Managing Application Migration Between Environments

8 Managing Application Migration Between Environments

To migrate web service applications independently between environments, such as from test to production, or in a scaled clustered environment, you must export the policies and the deployment configuration information to the new environment so that you can deploy the application. Depending on your configuration, you may also need to migrate policy configuration artifacts and policy assertion templates.

This chapter includes the following sections:

For information about moving from a test environment to a production environment, see "Moving from a Test to a Production Environment" in Administering Oracle Fusion Middleware.

8.1 Introduction to Web Service Application Migration

A deployment descriptor is an XML file that contains the basic deployment configuration for an application.

For WebLogic Server and Java EE web service applications, you create a deployment plan that contains the necessary deployment descriptors for deploying the application in a new environment.

For ADF Business Components and WebCenter services, however, run-time policy changes are persisted in proprietary deployment descriptor (PDD) files: oracle-webservices.xml and oracle-webservices-client.xml. Because these files are not included in the WebLogic deployment plan or exported with any other deployment descriptors, you must export and import these PDD files separately. You must also export and import these PDD files separately if you are scaling your application in a clustered environment.

Note that the following Oracle Infrastructure web services components provide different configuration management mechanisms.

For a SOA composite, web services and OWSM configurations are persisted in a composite.xml file which is included in a configuration plan used for deployment configuration. The SOA framework provides its own mechanism for composite services and configuration lifecycle and synchronizations.
ADF Web Service data control configuration stores connection details for WebCenter services in a connections.xml file and all post-deployment changes as customizations in the Metadata Services (MDS) repository.

8.2 Migrating a Web Service Application from a Development or Test Environment to a Production Environment

The general steps for migrating a web service application from a development or test environment to a production environment are as follows:

Install and configure the production environment with the components that you need.
Migrate security information, such as users and groups, the identity and policy stores, and credentials. For more information, see "Overview of Migrating Policy Configuration".
Migrate policies and deployment configuration data as required. For more information, see "Migrating Policies". Modify any information that is specific to the new environment such as host name or ports.
Deploy the applications in the new environment.

For information about migrating Fusion Middleware applications between environments, see "Advanced Administration: Expanding Your Environment" in Administering Oracle Fusion Middleware.

8.3 Creating and Migrating a Policy Horizontally Through the Different Stages

The following steps describe a typical scenario for how to create a policy and migrate the policy horizontally through the different stages of the application development and deployment cycles.

Use Oracle Enterprise Manager Fusion Middleware Control to create a policy.

For more information, see "Creating and Editing Web Service Policies" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Export the policy to a zip archive.

For more information, see "Migrating Policies".
Extract the contents of the META-INF directory in the zip archive to the policy store location in the Oracle JDeveloper environment. For more information, see "Exporting Policies from the OWSM Repository for Use in JDeveloper" in Securing Web Services and Managing Policies with Oracle Web Services Manager
Create a web service in Oracle JDeveloper and attach the policy to the web service.

For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Deploy the web service to the staging server, and test the web service.

For more information, see "Developing and Securing Web Services" in Developing Applications with Oracle JDeveloper.
Import the policy to the production server environment.

For more information, see "Migrating Policies".
Migrate the following information, as required:
- Policy configuration. See "Overview of Migrating Policy Configuration".
- Assertion templates. See "Migrating Assertion Templates".
Deploy the application into the production environment, and test the web service.

See Deploying Web Service Applications and Testing Web Services.

8.4 Migrating Policies

You can export one or more user-created policies to an archive file using Fusion Middleware Control. You can then import the archive to move it to another repository.

Note:

Read-only documents, such as predefined policies and assertion templates, will not be imported or exported using either Fusion Middleware Control or WLST because they will already be present in the target environment.

For details about exporting and importing user-created policies using Fusion Middleware Control, refer to the following topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:

Alternatively, you can use the exportWSMRepository and importWSMArchive WLST commands to export and import the policies.

To migrate policies using WLST commands:

Export the OWSM policies to a supported archive file, such as a zip file, using the exportWSMRepository command.

For example, to export all user-created OWSM policies named in the test/ directory to an archive named policies.zip, enter the following:

wls:/jrfServer_domain/serverConfig> exportWSMRepository('/tmp/policies.zip',['policies:test/%'])
 
Exporting "/policies/test/wss11_x509_token_with_message_protection_service_policy_test"
Exporting "/policies/test/wss_username_token_over_ssl_service_policy_Test"
Successfully exported "2" documents.

Optionally, you can edit the archive after it has been created. If, for example, you do not want to migrate all the policies to the new environment, you can manually remove them from the archive.
Move the archive to the new machine. Ensure that the OWSM Policy Manager is deployed on the new machine.

Import the OWSM policies using the importWSMArchive command. For example, to import the policies exported in the previous step:

wls:/jrfServer_domain/serverConfig> importWSMArchive('/tmp/policies.zip')

Importing "META-INF/policies/test/wss11_x509_token_with_message_protection_service_policy_test"
Importing "META-INF/policies/test/wss_username_token_over_ssl_service_policy_Test"
Successfully imported "2" documents

For more information about these WLST commands, see "Web Services Custom WLST Commands" in WLST Command Reference for Infrastructure Components.

8.5 Overview of Migrating Policy Configuration

Migration of an application between environment requires migration of configuration artifacts for OWSM policies, such as keystores, users and groups.

The following sections describe how to migrate the configuration artifacts for OWSM policies. This section includes the following topics:

8.5.1 Migrating Keystores

If you are using message protection policies, you need to migrate your keystores.

To migrate keystores:

Manually copy your keystores to the new environment.

For Java SE applications, copy the keystore to a user-defined location. For Java EE applications, copy the keystore to the same directory as the jps-config.xml file, namely DOMAIN_HOME/config/fmwconfig.
By default, the keystore is named default-keystore.jks. If you have renamed the keystore, you must configure the keystore name in the Oracle Platform Security Services keystore service instance.

For information about configuring the keystore, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

To migrate keystores with Keystore Service:

Export the keystore to a file with the exportKeyStore command.
Import the file to the new keystore with the importKeyStore command.

For information about using the keystore migration commands in KSS, see "Managing Keys and Certificates" in Securing Applications with Oracle Platform Security Services.

8.5.2 Migrating Users and Groups

Users and groups are maintained as part of the WebLogic Server security realm. To migrate users and groups in embedded LDAP, you can migrate the data using either the Oracle WebLogic Remote Console or WLST.

For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server.

To migrate users and groups in an LDAP store, there is no migration path. You need to recreate the users and groups and specify the assignments in the LDAP store in the new environment. See "Configuring Authentication Providers" in Administering Security for Oracle WebLogic Server.

8.5.3 Migrating Credentials

There are two types of credentials maintained in the credential store that you may need to migrate:

Username and password
Keystore and encryption key passwords

The migration steps are described in the sections below.

8.5.3.1 Migrating Username and Password

If users are stored in an embedded LDAP and migrated, as described in "Migrating Users and Groups", then you simply migrate the existing credentials to the new credential store. For a complete description of the steps required, see "Migrating Security Data" in Administering Security for Oracle WebLogic Server.

If users are stored in an LDAP store, there is no automated migration path. You need to recreate the credentials in the credential store. For more information about configuring credentials, see "Configuring the Credential Store" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.5.3.2 Migrating Keystores and Encryption Key Passwords

You can migrate keystores and encryption key passwords manually using the procedure described in "Migrating Credentials Manually" in "Deploying Secure Applications" in Securing Applications with Oracle Platform Security Services.

8.5.4 Migrating Oracle Platform Security Services Application and System Policies

If your web service uses authorization policies, you must migrate the Oracle Platform Security Services application and system policies that grant permissions.

For more information, see "Migrating with the Script migrateSecurityStore" in "Configuring the OPSS Security Store" in Securing Applications with Oracle Platform Security Services.

8.5.5 Migrating Oracle Platform Security Services Configuration

There is no automated migration path for Oracle Platform Security Services configuration. You must recreate the configuration in the new environment.

There are three types of configurations in the Oracle Platform Security Services that you may need to recreate:

SAML trusted assertion issuer names (applicable for all SAML policies).

If you use the default configuration for SAML trusted issuer configuration, then no migration is required. For information about configuring SAML in the new environment, see "Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Keystore locations and CSF key configuration for keystore and keystore password (applicable for message protection policies only).

If you use the default configuration for keystores, then no migration is required. For information about configuring keystores in the new environment, see "Configuring Keystores for Message Protection" in Securing Web Services and Managing Policies with Oracle Web Services Manager.
Keytab location and service principal name (applicable to Kerberos policy).

For information about configuring the keytab location and service principal name in the new environment, see the following topics in Securing Web Services and Managing Policies with Oracle Web Services Manager:
- Configuring the SAML and SAML2 Login Modules Using Fusion Middleware Control
- Configuring the Kerberos Login Module Using Fusion Middleware Control

8.5.6 Migrating SSL

There is no automated migration path for SSL configuration. You must configure SSL keystores and settings in the new environment.

For more information about configuring SSL keystores and settings in the new environment, see "Configuring Keystores for SSL" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.5.7 Migrating Kerberos Configuration

To migrate the Kerberos configuration:

Copy the Kerberos configuration file to the new environment, matching the directory structure. The Kerberos configuration file is located in the following locations, based on your operating system:
- UNIX: /etc/krb5.conf
- Windows: C:\windows\krb5.ini
Initialize the ticket cache with the correct credentials.

For more information, see "Configuring Kerberos Tokens" in Securing Web Services and Managing Policies with Oracle Web Services Manager.

8.6 Migrating Assertion Templates

You can export individual assertion templates from Oracle Enterprise Manager Fusion Middleware Control. You can then copy the policy to a directory or import the policy to move it to another repository.

For details about exporting and importing assertion templates, see "Managing Policy Assertion Templates" in Securing Web Services and Managing Policies with Oracle Web Services Manager.