Wednesday, May 26, 2010

Migrating Security Policies from Development to Standalone WLS 11g

While ago I was working on ADF security deployment to standalone WebLogic server - Practical ADF Security Deployment on WebLogic Server. It was still first 11g production release, and we had problems with automated security policies migration during deployment. Problems were solved using policies migration scripts from Steve Muench article - Simplified ADF 11g Application Credential and Policy Migration to Standalone WebLogic Servers. Its worth to mention, with latest JDeveloper 11g PS2 and WebLogic release, security policies are migrated during deployment process automatically - WLS system-jazn-data.xml is updated without running additional scripts. However, it happens we need to update system-jazn-data.xml with new policies, without whole application redeployment. For this purpose, similarly as in Steve article, we can use WLST command - migrateSecurityStore.

If you will run Steve scripts on latest Oracle Fusion release - you will see that some parts need to be updated (build.xml should contain updated references to JPS libraries, jps-config.xml should be updated with new system-jazn-data.xml location in fmwconfig folder). Main goal of my today post is to describe how you can apply migrateSecurityStore command and migrate security policies from development environment (or any other) into test/production WLS environment.

I'm using sample jazn-data.xml from this application - There is one simple security policy defined for index page:

Application role is mapped to specific Enterprise role:

In order to use migrateSecurityStore command, you will need to define jps-config.xml file, where you will point to source jazn-data.xml and to destination system-jazn-data.xml:

More about this file structure, please read in Oracle FMW Security Guide - Section In my case, I have created jps-config.xml file inside WLS domain folder structure, I have copied source jazn-data.xml manually.

In order to execute WLST command, we will need to run WLST.cmd script. Make sure, you are using WLST.cmd script from oracle_common folder, otherwise it will not recognize ADF related WLST commands:

When WLST is running, you can execute migrateSecurityStore command. This WLST command can be run offline, this means no need to have running WLS server. Make sure you specify jps-config.xml file, source and destination contexts correctly, as it is defined in jps-config.xml:

And here we go, security policies are magically migrated to WLS system-jazn-data.xml and ready to be used:

Next step, make sure WLS server is connected to Active Directory service, where WLS can find users with correct Enterprise roles. Or for test purpose, define these users and roles in WLS embedded security realm.

Ah, almost forgot - make sure you have restarted WebLogic, before trying to test if it works.


Vivek Vishal said...

Hi Andrejus,

i tried the same steps mentioned in your blog, but i am getting below error:
Traceback (innermost last):
File "", line 1, in ?
File "C:\Admin2\Middleware\oracle_common\common\wlst\", line 935,
in migrateSecurityStore
File "C:\Admin2\Middleware\oracle_common\common\wlst\", line 906,
in migrateSecurityStoreImpl
TypeError: cannot concatenate 'str' and 'NoneType' objects

please suggest a solution.

Andrejus Baranovskis said...

Which version of JDev you are using?


Mark Woodman said...


I just got the same error. In frustration I exited WLST and started it again... and then the command worked fine.

manohar veerapaneni said...

Hi Andrejus,

I am facing the same issue as Vivek mentioned above, I am using Jdev

Manohar Veerapaneni.

VinayM said...

This is Syntax error, follow "Script and Interactive Modes Syntaxes" from oracle docs. Add the space between the argument and command should work.
E.g : migrateSecurityStore(type="policyStore", configFile=”jps-config-policy.xml”, src="appPolicy", dst="domainPolicy")

Vinay M said...

Hi Andrejus,

I was able to migrate the policies successfully in my local. I have a requirement where in have to migrate app roles to another machine. for eg. in this jps-config-policy.xml "domainPolicy" location="/>.
Oracle specs provided example considering XML to LDAP migration and did not find any procedure to achieve my requirement.
Thanks in Advance.

Anonymous said...

I am facing the exact same issue - TypeErrpr: cannot concatenate 'str' and 'NoneType' object.

here is my command complete-
migrateSecurityStore(type="appPolicies", configFile="../config/fmwconfig/jps-config-jse-export.xml", src="DBSourceContext", dst="XMLDestContext", srcApp="testA", dstApp="testB", overWrite="true", migrateIdStoreMapping="false")

I didn't quite follow what you said about space and arguments. I am facing the same issue trying to migrate policies from command line wlst. Could you give me some pointer to as what i am doing wrong in the statement.
Thanks in advance