
Importing and exporting security realms #79

Open
vprcic opened this issue Feb 24, 2025 · 4 comments

@vprcic

vprcic commented Feb 24, 2025

I'm trying to migrate to WL 14c from 12c, and since the default console is gone, I'm forced to use the Remote Console. One of the major requirements to do so is to be able to migrate the users and groups from one WL instance to another. Is there a way to import the realm from the 12c into 14c using the Remote Console? Both import and export were possible in the old one.

@moreaut
Member

moreaut commented Feb 24, 2025

The Remote Console does not support this yet.

We already have an internal issue for adding this support.

In the meantime, you'll need to do this by using other tools such as WLST or the WLS REST API.

Here's an example of how to do it using the WLS REST API.

# use case - copying the users and groups from domain1's default authenticator
# into domain2's default authenticator.

# export domain1's default authenticator's users and groups into a file.
# filename is relative to domain1's admin server's file system (not the curl client's file system)
# it doesn't matter which file name you choose as long as the file doesn't already exist.
curl -v --user from_domain_admin_username:from_domain_admin_password -H X-Requested-By:foo -H Content-Type:application/json -d '{
  "format": "DefaultAtn", "filename": "/tmp/default-atn.ldif", "constraints": null
}' http://from_domain_host:from_domain_port/management/weblogic/latest/domainConfig/securityConfiguration/realms/myrealm/authenticationProviders/DefaultAuthenticator/exportData

# display the exported domain1 users and groups
bash-4.4# ls -l /tmp/default-atn.ldif
-rw-r----- 1 oracle root 9153 Dec 12 14:09 /tmp/default-atn.ldif
bash-4.4# more /tmp/default-atn.ldif
...

# copy the file of exported domain1 users and groups from domain1's admin server's file system
# to domain2's admin server's file system
...

# import the exported domain1 users and groups into domain2's default authenticator
# filename is relative to domain2's admin server's file system (not the curl client's file system)
curl -v --user to_domain_admin_username:to_domain_admin_password -H X-Requested-By:foo -H Content-Type:application/json -d '{
  "format": "DefaultAtn", "filename": "/tmp/default-atn.ldif", "constraints": null
}' http://to_domain_host:to_domain_port/management/weblogic/latest/domainConfig/securityConfiguration/realms/myrealm/authenticationProviders/DefaultAuthenticator/importData

@TheFrogPad
Member

TheFrogPad commented Feb 24, 2025

Documentation on security data migration is located at:

Here is a basic WLST script that shows export and import of user and group data from Embedded LDAP:

connect()

# Lookup authentication provider
realm = cmo.getSecurityConfiguration().getDefaultRealm()
atn = realm.lookupAuthenticationProvider('DefaultAuthenticator')

# Export data in one domain
atn.exportData('DefaultAtn', '/tmp/atn.ldift', None)

# Import data when connected to a different domain
atn.importData('DefaultAtn', '/tmp/data.ldift', None)

disconnect()
exit()

@vprcic
Author

vprcic commented Mar 4, 2025

Thank you for your answers. Just one more question: will this also import user passwords?

@TheFrogPad
Member

Yes, the data exported and then imported is the same as previous releases since these are the same APIs that are used by the console UI functions.

Clearly the file on disk should be protected and/or removed once the migration is performed. Also, an existing user already present when the import function is used is not replaced/updated; e.g., the admin user for the new domain with the same username would not be updated. As mentioned above, there is no change in the functional behavior between the WebLogic releases.
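The file handling described in the comment above (protect the exported file, remove it once the migration is done), as an added shell example that is not part of the original thread or of Oracle's tooling. It assumes it runs on the admin server host as the account that owns the export; the function names are hypothetical, and the `.ldif`/`.ldift` suffixes are the ones used in the examples above.

```shell
#!/bin/sh
# Added example: guard rails for an exported realm file, which contains
# user and password data. Function names are hypothetical.

# Succeeds only if $1 is a regular file (not a symlink) with no group or
# other permission bits set. The export shown in the thread (-rw-r-----)
# fails this check because it is group-readable.
export_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group + other permission bits
    [ "$perms" = "------" ]
}

# Restrict the export to its owner before copying it to the target host,
# and verify that the restriction actually took effect.
lock_down_export() {
    chmod 600 -- "$1" && export_is_private "$1"
}

# Delete the export after a successful import and confirm it is gone.
remove_export() {
    rm -f -- "$1"
    [ ! -e "$1" ]
}

# Print every leftover export under directory $1 that is readable or
# writable by anyone other than its owner. Prints nothing when clean.
find_exposed_exports() {
    find "$1" -type f \( -name '*.ldif' -o -name '*.ldift' \) |
    while IFS= read -r p; do
        export_is_private "$p" || printf '%s\n' "$p"
    done
}

# Typical sequence on each admin server host (path taken from the thread):
#   lock_down_export /tmp/default-atn.ldif   # right after exportData
#   ... copy to the target host, run importData ...
#   remove_export /tmp/default-atn.ldif      # on both hosts
#   find_exposed_exports /tmp                # audit for stragglers
```

Run the sequence on both the source and the target admin server host, since the file exists on each after the copy.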
