Click the button Change Association to display the Set Security Provider page,

Configuring the OPSS Security Store 8-17

    access to entry by dn="userDN" (browse,add,delete) by * none
    access to attr=(*) by dn="userDN" (search,read,write,compare) by * none

where storeRootDN stands for a node (typically the root node of the store), and userDN stands for the DN of the administrator data (the same userDN that was entered to perform reassociation). The trailing "by * none" clause in each directive denies every other subject, so only that administrator can read or change the OPSS subtree.

2. Use the Oracle Internet Directory utility ldapmodify to apply these specifications to the Oracle Internet Directory. Here is an example of an LDIF file specifying an ACL (each value carries the orclACI attribute prefix that LDIF requires):

    dn: cn=jpsRootNode
    changetype: modify
    add: orclACI
    orclACI: access to entry by dn="cn=myAdmin,cn=users,dc=us,dc=oracle,dc=com" (browse,add,delete) by * none
    orclACI: access to attr=(*) by dn="cn=myAdmin,cn=users,dc=us,dc=oracle,dc=com" (search,read,write,compare) by * none

For more information about access control lists and the command ldapmodify, see chapter 18 in Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory.
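As an added example (not from the Oracle guide), the following POSIX shell script generates the LDIF above for any storeRootDN/userDN pair, applies it with the Oracle Internet Directory ldapmodify utility, and reads the resulting orclACI values back with ldapsearch so the grant can be checked. The host, port and bind DN are placeholders to be replaced with your own; the -q password prompt is the OID LDAP tools' option and is preferred to -w, which would expose the bind password in the process list.

```shell
#!/bin/sh
# Added example, not part of the Oracle guide: build, apply and verify the
# orclACI grant that confines the OPSS subtree to the reassociation admin.
# Host, port and DNs passed on the command line are placeholders (assumptions).

# Emit the LDIF for store root node $1 granting full access to user DN $2.
# Each value carries the "orclACI:" attribute prefix that LDIF requires, and
# the trailing "by * none" clause denies every other subject.
opss_acl_ldif() {
  root_dn=$1
  user_dn=$2
  printf 'dn: %s\n' "$root_dn"
  printf 'changetype: modify\n'
  printf 'add: orclACI\n'
  printf 'orclACI: access to entry by dn="%s" (browse,add,delete) by * none\n' "$user_dn"
  printf 'orclACI: access to attr=(*) by dn="%s" (search,read,write,compare) by * none\n' "$user_dn"
}

# Apply the LDIF with OID's ldapmodify.
# $1 host, $2 port, $3 bind DN, $4 store root DN, $5 administrator user DN.
# -q prompts for the bind password; -w would leave it in the process list
# and shell history.
apply_opss_acl() {
  ldif=$(mktemp) || return 1
  opss_acl_ldif "$4" "$5" > "$ldif"
  ldapmodify -h "$1" -p "$2" -D "$3" -q -v -f "$ldif"
  rc=$?
  rm -f "$ldif"
  return "$rc"
}

# Check: read the orclACI values back from the root node (base-scope search).
# $1 host, $2 port, $3 bind DN, $4 store root DN.
show_opss_acl() {
  ldapsearch -h "$1" -p "$2" -D "$3" -q -b "$4" -s base "(objectclass=*)" orclaci
}

case "${1:-}" in
  print) opss_acl_ldif "$2" "$3" ;;
  apply) apply_opss_acl "$2" "$3" "$4" "$5" "$6" && show_opss_acl "$2" "$3" "$4" "$5" ;;
  *) echo "usage: $0 print ROOT_DN USER_DN | apply HOST PORT BIND_DN ROOT_DN USER_DN" >&2 ;;
esac
```

Run it as `sh opss_acl.sh print cn=jpsRootNode "cn=myAdmin,cn=users,dc=us,dc=oracle,dc=com"` to inspect the LDIF first, then with `apply HOST PORT cn=orcladmin ...` to modify the directory; the final ldapsearch should list both orclACI values on the root node.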

8.5.2 Reassociating with the Script reassociateSecurityStore

The OPSS store can be reassociated with the OPSS script reassociateSecurityStore. For details, see Section 9.3.29, reassociateSecurityStore.

8.6 Migrating the OPSS Security Store

A domain includes one and only one policy store. Applications can specify their own policies, but these are stored as policies in the policy store when the application is deployed to a server. All applications deployed in a domain use a common policy store, the domain policy store. The policy store is logically partitioned in stripes, one for each application name specified in the file DOMAIN_HOME/config/fmwconfig/system-jazn-data.xml under the element <applications>.

Migrating the OPSS security store consists of relocating the policy, credential, and key stores from one repository to another. The source can be file-, LDAP-, or DB-based; the target can be LDAP- or DB-based. The OPSS binaries and the target policy store must have compatible versions; for details, see Section L.20, Incompatible Versions of Binaries and Policy Store.

During application development, an application specifies its own policies, and these can be migrated to the OPSS security store when the application is deployed with Fusion Middleware Control. Policies can also be migrated manually; in addition, each application component can specify the use of anonymous user and role, authenticated role, and JAAS mode. The configuration of the policy store is performed by an administrator.

These topics are explained in the following sections:
■ Migrating with Fusion Middleware Control
■ Migrating with the Script migrateSecurityStore

8-18 Oracle Fusion Middleware Application Security Guide

8.6.1 Migrating with Fusion Middleware Control

Application policies are specified in the application file jazn-data.xml and can be migrated to the policy store when the application is deployed to a server in the WebLogic environment with Fusion Middleware Control; they can also be removed from the policy store when the application is undeployed or be updated when the application is redeployed. All three operations, the migration, the removal, and the updating of application policies, can take place regardless of the type of policy repository, but they do require particular configurations. For details, see procedure in Section 6.5.2, Migrating Policies and Credentials at Deployment.

8.6.2 Migrating with the Script migrateSecurityStore

Application-specific policies or system policies can be migrated manually from a source repository to a target repository using the OPSS script migrateSecurityStore. This script is offline, that is, it does not require a connection to a running server to operate; therefore, the configuration file passed to the argument configFile need not be an actual domain configuration file, but it can be assembled just to specify the source and destination repositories of the migration.

For further details about OPSS scripts and their syntax, see section Overview of WLST Command Categories, in Oracle Fusion Middleware WebLogic Scripting Tool Command Reference. For platform-specific requirements to run an OPSS script, see Important Note.

To migrate all policies (system and application-specific) for all applications on WebLogic, use the script syntax below (the interactive syntax, run inside a WLST session, takes the same four arguments as keyword parameters). Arguments are written in separate lines for clarity:

    migrateSecurityStore.py -type policyStore
                            -configFile jpsConfigFileLocation
                            -src srcJpsContext
                            -dst dstJpsContext

Note: Use the system property jps.deployment.handler.disabled to disable the migration of application policies and credentials for applications deployed in a WebLogic Server. When this system property is set to TRUE (for example, by adding -Djps.deployment.handler.disabled=true to the server start options), the migration of policies and credentials at deployment is disabled for all applications regardless of the particular application settings in the application file weblogic-application.xml.

Note: Since the script migrateSecurityStore recreates GUIDs and takes a long time to migrate a large volume of data, you may want to consider migrating stores with an alternate procedure that uses Oracle Internet Directory bulk operations. For details, see Section 6.5.2.3, Migrating Large Volume Policy and Credential Stores.
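The guide says the configFile for an offline migration can be assembled just to name the source and destination repositories, but does not show such a file. The following added example (not from the Oracle guide) writes one for a file-based source (system-jazn-data.xml) and an Oracle Internet Directory target, then prints the script-syntax command from the text for it. The provider class names, property names, the bootstrap credential store layout and the wlst.sh/migrateSecurityStore.py locations under the Oracle home are taken from a typical 11g installation and are assumptions here: verify them against your own DOMAIN_HOME/config/fmwconfig/jps-config.xml and Oracle home before running it.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Assembles a throw-away jps-config.xml
# holding only the contexts migrateSecurityStore needs and builds the offline
# WLST command. Class names, property names and tool paths are assumptions taken
# from a typical 11g install; check them against your own jps-config.xml.

# $1 output file, $2 source system-jazn-data.xml, $3 target LDAP URL,
# $4 OPSS root node, $5 farm node, $6 directory holding the bootstrap cwallet.sso
write_migration_config() {
  out=$1; src_xml=$2; ldap_url=$3; root_node=$4; farm_node=$5; bootstrap_dir=$6
  cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceProviders>
    <serviceProvider type="CREDENTIAL_STORE" name="credstoressp"
        class="oracle.security.jps.internal.credstore.ssp.SspCredentialStoreProvider"/>
    <serviceProvider type="POLICY_STORE" name="policystore.xml.provider"
        class="oracle.security.jps.internal.policystore.xml.XmlPolicyStoreProvider"/>
    <serviceProvider type="POLICY_STORE" name="ldap.policystore.provider"
        class="oracle.security.jps.internal.policystore.ldap.LdapPolicyStoreProvider"/>
  </serviceProviders>
  <serviceInstances>
    <!-- bootstrap wallet: the LDAP bind password lives here, never in this file -->
    <serviceInstance name="bootstrap.cred" provider="credstoressp" location="$bootstrap_dir"/>
    <!-- source: file-based policy store -->
    <serviceInstance name="srcpolicystore.xml" provider="policystore.xml.provider"
        location="$src_xml"/>
    <!-- target: LDAP (OID) policy store; the bind credential is looked up by key
         in the bootstrap wallet (key name is an assumption) -->
    <serviceInstance name="policystore.ldap" provider="ldap.policystore.provider">
      <property name="policystore.type" value="OID"/>
      <property name="ldap.url" value="$ldap_url"/>
      <property name="oracle.security.jps.ldap.root.name" value="$root_node"/>
      <property name="oracle.security.jps.farm.name" value="$farm_node"/>
      <property name="bootstrap.security.principal.map" value="BOOTSTRAP_JPS"/>
      <property name="bootstrap.security.principal.key" value="bootstrap_opss_bind"/>
    </serviceInstance>
  </serviceInstances>
  <jpsContexts default="sourceContext">
    <jpsContext name="bootstrap_credstore_context">
      <serviceInstanceRef ref="bootstrap.cred"/>
    </jpsContext>
    <jpsContext name="sourceContext"><serviceInstanceRef ref="srcpolicystore.xml"/></jpsContext>
    <jpsContext name="targetContext"><serviceInstanceRef ref="policystore.ldap"/></jpsContext>
  </jpsContexts>
</jpsConfig>
EOF
}

# Script-syntax invocation (policy store only) for the config written above.
# $1 = config file path. WLST and MIGRATE_PY override the assumed tool paths.
migration_command() {
  printf '%s %s -type policyStore -configFile %s -src sourceContext -dst targetContext\n' \
    "${WLST:-${ORACLE_HOME:?ORACLE_HOME must point at oracle_common}/common/bin/wlst.sh}" \
    "${MIGRATE_PY:-${ORACLE_HOME}/common/tools/migrateSecurityStore.py}" \
    "$1"
}

case "${1:-}" in
  write) write_migration_config "$2" "$3" "$4" "$5" "$6" "$7" && migration_command "$2" ;;
  *) echo "usage: $0 write OUT SRC_XML LDAP_URL ROOT_NODE FARM_NODE BOOTSTRAP_DIR" >&2 ;;
esac
```

Because the script is offline, the assembled file is all migrateSecurityStore reads: the source and target contexts it names are the -src and -dst arguments, and the bind password for the target directory comes from the bootstrap wallet rather than from the XML, so the file can be kept in version control without leaking a credential.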