8-2 Securing Oracle WebLogic Server
To migrate security data with the WebLogic Administration Console, see the following topics in the Oracle WebLogic Server Administration Console Help:
■ Export data from security realms
■ Import data into security realms
■ Export data from a security provider
■ Import data into a security provider
8.2 Migration Concepts
A format is a data format that specifies how security data should be exported or imported. Supported formats are the list of data formats that a given security provider understands how to process.
Constraints are key/value pairs that specify options to the export or import process. Use constraints to control which security data is exported to or imported from the security provider's database (in the case of the WebLogic Server security providers, the embedded LDAP server). For example, you may want to export only users (not groups) from an Authentication provider's database. Supported constraints are the list of constraints you can specify during the migration process for a particular security provider. For example, you can specify that an Authentication provider's database be used to import users and groups, but not security policies.
Export files are the files to which security data is written (in the specified format) during the export portion of the migration process. Import files are files from which security data is read (also in the specified format) during the import portion of the migration process. Both export and import files are simply temporary storage locations for security data as it is migrated from one security provider's data store to another security provider's data store.
8.3 Formats and Constraints Supported by WebLogic Security Providers
In order for security data to be exported and imported between security providers, both security providers must process the same format. Some data formats used for the
WebLogic Server security providers are unpublished; therefore, you cannot currently migrate security data from a WebLogic security provider to a custom security
provider, or vice versa, using the unpublished formats.
WebLogic security providers support the import and export formats provided in Table 8–1.
Table 8–1 Import and Export Formats Supported by the WebLogic Security Providers
WebLogic Provider | Supported Format
WebLogic Authentication provider | DefaultAtn—unpublished format
XACML Authorization Provider | XACML—standard XACML 2.0 format; DefaultAtz—unpublished format
WebLogic Authorization Provider | DefaultAtz—unpublished format
XACML Role Mapping Provider | XACML—standard XACML 2.0 format; DefaultRoles—unpublished format
WebLogic Role Mapping Provider | DefaultRoles—unpublished format
WebLogic Credential Mapping Provider | DefaultCreds—unpublished format
SAML Identity Asserter V2; SAML Credential Mapping Provider V2 | XML Partner Registry—An XML format defined by the SAML partner registry schema; JKS Key Store—A key store file format for importing and exporting partner certificates only; LDIF Template—LDIF format
WebLogic security providers support the import and export constraints provided in Table 8–2.
Table 8–2 Constraints Supported by the WebLogic Security Providers
WebLogic Security Provider | Supported Constraints | Description
Default Authentication | users, groups | Export all users or all groups
XACML Authorization; WebLogic Authorization; XACML Role Mapping; WebLogic Role Mapping | none | NA
WebLogic Credential Mapping | passwords | With the constraint passwords=cleartext, passwords will be exported in clear text. Otherwise, they will be exported in encrypted form.
SAML Identity Asserter V2; SAML Credential Mapping V2 | partners | Which partners to import or export. The constraint value can be one of: all—all partners; none—no partners; list—only listed partners; enabled—only enabled partners; disabled—only disabled partners
SAML Identity Asserter V2; SAML Credential Mapping V2 | certificates | Which certificates to import or export. The constraint value can be one of the following: all—all certificates; none—no certificates; list—only listed certificates; referenced—only certificates referenced by a partner
SAML Identity Asserter V2; SAML Credential Mapping V2 | passwords | With the constraint passwords=cleartext, passwords will be exported in clear text. Otherwise, they will be exported in encrypted form.
When exporting from the WebLogic Credential Mapping provider, SAML Credential Mapping provider, or SAML Identity Asserter, you need to specify whether or not the
passwords for the credentials are exported in clear text. The constraint passwords=cleartext specifies that passwords will be exported in clear text.
Otherwise, they will be exported in encrypted form. The mechanism used to encrypt passwords in each WebLogic domain is different; therefore, you want to export
passwords in clear text if you plan to use them in a different WebLogic domain. After the credential maps are imported into the new WebLogic domain, the passwords are
encrypted. Carefully protect the directory and file in which you export credential maps in clear text as secure data is available on your system during the migration
process.
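The following is an added example, not Oracle code: a Python sketch of the pre-export and post-export checks implied above, which flags a planned clear-text password export and verifies that the export directory and its files are readable by the owner only. The constraint keys are transcribed from Table 8–2; the function names and directory layout are assumptions made for illustration.

```python
import os
import shutil
import stat

# Constraint keys per provider, transcribed from Table 8-2.
SAML_KEYS = {"partners", "certificates", "passwords"}
SUPPORTED_CONSTRAINTS = {
    "Default Authentication": {"users", "groups"},
    "XACML Authorization": set(),
    "WebLogic Authorization": set(),
    "XACML Role Mapping": set(),
    "WebLogic Role Mapping": set(),
    "WebLogic Credential Mapping": {"passwords"},
    "SAML Identity Asserter V2": SAML_KEYS,
    "SAML Credential Mapping V2": SAML_KEYS,
}

def review_export(provider, constraints):
    """Return (unsupported constraint keys, True if passwords leave in clear text)."""
    allowed = SUPPORTED_CONSTRAINTS[provider]
    unsupported = sorted(k for k in constraints if k not in allowed)
    cleartext = "passwords" in allowed and constraints.get("passwords") == "cleartext"
    return unsupported, cleartext

def prepare_export_dir(path):
    """Create an owner-only export directory (hypothetical helper)."""
    os.umask(0o077)          # files written later get no group/other bits
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)    # tighten a directory that already existed
    return path

def audit_export_dir(path):
    """List the directories and files under path that group or others can access."""
    loose = []
    for root, _dirs, files in os.walk(path):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            if os.lstat(entry).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                loose.append(entry)
    return sorted(loose)

def remove_export_dir(path):
    """Delete the temporary export files once the import has succeeded."""
    shutil.rmtree(path)
    return not os.path.exists(path)
```

Run `audit_export_dir` after the export and again before the import on the target host; `remove_export_dir` only unlinks the files and does not overwrite their contents on disk.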
8.4 Migrating Data with WLST