Migrating Data with WLST

Securing Oracle WebLogic Server

When exporting from the WebLogic Credential Mapping provider, SAML Credential Mapping provider, or SAML Identity Asserter, you need to specify whether or not the passwords for the credentials are exported in clear text. The constraint passwords=cleartext specifies that passwords will be exported in clear text. Otherwise, they will be exported in encrypted form. The mechanism used to encrypt passwords in each WebLogic domain is different; therefore, you want to export passwords in clear text if you plan to use them in a different WebLogic domain. After the credential maps are imported into the new WebLogic domain, the passwords are encrypted. Carefully protect the directory and file in which you export credential maps in clear text, as secure data is available on your system during the migration process.
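
One way to protect and check the export location before and after a clear-text export, as an added example that is not part of the Oracle documentation. It runs with a standard Python 3 interpreter on a POSIX host, not inside WLST; the directory and file names are hypothetical and the file content is constructed.

```python
import os
import stat
import tempfile

LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO   # any group or other access


def wlst_path(path):
    """Return the path with forward slashes, as WLST pathname arguments need."""
    return path.replace("\\", "/")


def prepare_export_dir(path):
    """Create the export directory so that only its owner can enter or read it."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    os.chmod(path, 0o700)   # makedirs mode is masked by umask and skipped for existing dirs
    return path


def audit_export_dir(path):
    """List (entry, octal mode) for each directory or file open to group or others."""
    findings = []
    for root, _dirs, files in os.walk(path):
        for entry in [root] + [os.path.join(root, name) for name in files]:
            mode = stat.S_IMODE(os.stat(entry).st_mode)
            if mode & LOOSE_BITS:
                findings.append((entry, oct(mode)))
    return findings


def demo():
    """Constructed scenario: an export file left world-readable, then tightened."""
    export_dir = prepare_export_dir(os.path.join(tempfile.mkdtemp(), "wls-export"))
    export_file = os.path.join(export_dir, "creds-export.dat")  # hypothetical name
    with open(export_file, "w") as handle:
        handle.write("constructed placeholder, not real export data\n")
    os.chmod(export_file, 0o644)            # what a permissive umask would leave behind
    before = audit_export_dir(export_dir)
    os.chmod(export_file, 0o600)            # owner-only, as for the directory
    return before, audit_export_dir(export_dir)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
    print("WLST filename argument:", wlst_path("C:\\migration\\wls-export\\creds-export.dat"))
```

Run the audit again after the import and delete the export file once the new domain has re-encrypted the passwords.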

8.4 Migrating Data with WLST

You can use the WebLogic Scripting Tool (WLST) to export and import data from a security provider. Access the Runtime MBean for the security provider and use its importData or exportData operation. For example, you might use WLST to import data using commands like these:

    domainRuntime()
    cd('DomainServices/DomainRuntimeService/DomainConfiguration/mydomain/SecurityConfiguration/mydomain/DefaultRealm/myrealm/path-to-MBean/mbeanname')
    cmo.importData(format,filename,constraints)

where:

■ mbeanname —Name of the security provider MBean.
■ format —A format that is valid for the particular security provider. See Table 8–1.
■ filename —The directory location and filename in which to export or import the security data. Remember that, regardless of whether you are using a UNIX or Windows operating system, you need to use a forward slash, not a back slash, as a path separator for pathname arguments in WLST commands.
■ constraints —The constraints that limit the data to be exported or imported.

For more information, see Oracle WebLogic Scripting Tool.

Table 8–2 (Cont.) Constraints Supported by the WebLogic Security Providers

WebLogic Security Provider: SAML Identity Asserter V2, SAML Credential Mapping V2
Supported Constraints: importMode
Description: Specifies how to resolve name conflicts between the imported data and existing data in the SAML registry. The constraint value can be one of the following:
■ fail—the import operation will fail if conflicts are detected (default)
■ rename—rename the imported entry that conflicts
■ replace—replace the existing entry with the conflicting imported entry

Note: By default, the WebLogic Authentication provider stores passwords using a one-way hash. Passwords that have been encrypted by this provider cannot be unencrypted when you export data even if you use the passwords=cleartext constraint. If you want to be able to export passwords in clear text from this provider, you must set the Enable Password Digests attribute to true prior to creating or updating those passwords. For more information, see Default Authentication Provider: Provider Specific in Oracle WebLogic Server Administration Console Help.

9 Managing the Embedded LDAP Server

WebLogic Server includes an embedded LDAP server that acts as the default security provider data store for the Default Authentication, Authorization, Credential Mapping, and Role Mapping providers. The following sections explain how to manage the embedded LDAP server:

■ Section 9.1, Configuring the Embedded LDAP Server