WebSphere Portal, Express Beta Version 6.1
Operating systems: i5/OS, Linux, Windows

Migrating credential vault data using the XML configuration interface

When you migrated the configuration, credential vault slots and segments were also migrated. To complete the process, you need to migrate the existing credential secrets by exporting them from the earlier version and importing them into the current version. If you do not migrate the existing credential vault secrets, users must provide their credential information again the first time a Version 6.1 portlet attempts to use the data.

Because credential secrets hold confidential information, their migration requires special command line options on the XML configuration interface as well as changes to the WebSphere Portal Express system configuration, so that the secrets remain confidential. Use the XML configuration interface directly on the system where the WebSphere Portal Express server resides to keep the communication path of the confidential information as short as possible.

  1. Install PK28148 "Credential vault import/export through XML access" on the earlier WebSphere Portal Express system.
  2. Change the configuration of the earlier version system to enable the exportation of encrypted secrets. Add the following information to the Credential Vault service configuration.

    export.userDN

    Expected value: user DN string. Default value: none.
    The user distinguished name (DN) of the XML access user that is allowed to export secrets using the XML configuration interface. This DN is usually the same user DN string as defined in the same configuration file under the systemcred.dn key. The user needs authority to access the XML configuration interface and must be the user that runs the export operation.

    export.cipher

    Expected value: cipher string. Default value: AES.
    The cipher used for encryption during the export operation. This cipher must be available through Java JCE on the earlier version.

    export.keyLength

    Expected value: integer. Default value: 128.
    Number of bits used as the key length for the cipher.

    For example:
    export.userDN=uid=wpsadmin,o=default organization
    export.cipher=AES
    export.keyLength=128
  3. Restart the earlier version server to save the changes.
  4. Export credential secrets from the earlier system using the XML configuration interface. When using the XML command line client for credential export, the command syntax requires two additional parameters:

    credentialexport

    A parameter without value that indicates that export of credentials should be enabled

    passphrase

    A parameter that is used to create a key of the configured length for the encryption. The minimum length of this string, in characters, is the number of bits set as export.keyLength in the Credential Vault service configuration, divided by eight (16 characters for the default of 128 bits).

    xmlaccess -user user -password password -url http://myhost:9081/wps/config/
              -in XML_file -out result_file.xml -credentialexport -passphrase encryptionPassphrase
    For example:
    xmlaccess.sh -user wpsadmin -password your_password -url http://portalhost:9081/wps/config/
                 -in ExportVault.xml -out ExportedCredentialSecrets.xml
                 -credentialexport -passphrase JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz
    Example file ExportVault.xml for version 5.0.2:
    <?xml version="1.0" encoding="UTF-8"?>
    <request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:noNamespaceSchemaLocation="PortalConfig_1.2.1.xsd"
             type="export" export-users="true">

        <!-- Sample for exporting the credential vault data. -->
        <portal action="locate">
            <credential-segment action="export" objectid="*"/>
        </portal>
    </request>
  5. Change the configuration of the current WebSphere Portal Express system to enable importing of encrypted secrets. Add the following information to the Credential Vault service configuration.

    export.userDN

    Expected value: user DN string. Default value: none.
    The user distinguished name (DN) of the XML access user that is allowed to import secrets using the XML configuration interface. This DN is usually the same user DN string as defined in the same configuration file under the systemcred.dn key. The user needs authority to access the XML configuration interface and must be the user that runs the import operation.

    export.enforceSSL

    Expected value: true or false. Default value: true.
    This field controls whether the credential import operation must be done over a secured HTTP connection (value = "true") or whether importing credentials over an unsecured HTTP connection is also allowed (value = "false").
  6. Restart the portal for your changes to take effect.
  7. Import credential secrets into the current WebSphere Portal Express system using the XML configuration interface. To retain confidentiality, use a secure connection. For example:
    xmlaccess.sh -user wpsadmin -password your_password -url https://portalhost:9444/wps/config/
                 -in ExportedCredentialSecrets.xml -out result.xml
                 -credentialexport -passphrase JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz
                 -truststore $WASHome/profiles/wp_profile/etc/DummyClientTrustFile.jks
                 -trustpwd WebAS
    Notes:

  8. Delete all XML files, and any copies of them, that hold exported credentials. At a minimum, delete the export file ExportedCredentialSecrets.xml from the earlier version system.
  9. Delete obsolete shared credentials on the current system. Depending on the version of the earlier system, some secrets and shared credential slots are migrated that are obsolete in the current version. Remove these obsolete slots using the Credential Vault administrative portlet under Administration > Access > Credential Vault. Select Manage system vault slots and delete the following slots, if they exist:
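
As an added example that is not part of the IBM documentation, the following POSIX shell script performs pre-flight checks for steps 2 through 7 above before the xmlaccess.sh commands are issued: it reads export.keyLength and export.enforceSSL from a constructed copy of the Credential Vault service settings, checks that the passphrase meets the keyLength/8 minimum, refuses a plain http import URL while enforceSSL is true, and prints the resulting xmlaccess.sh command line for review instead of running it. The key=value properties file, its location, and the helper names (prop_get, check_passphrase, check_url, build_cmd, preflight) are assumptions of this example; the command-line options, truststore path and sample values are the ones shown on this page.

```shell
#!/bin/sh
# Added example, not IBM's code: pre-flight checks for the credential vault
# export/import procedure. Assumptions: the Credential Vault service settings
# are readable as key=value lines (a constructed sample is written below) and
# xmlaccess.sh is on PATH. All helper names here are hypothetical.

# Constructed sample of the relevant Credential Vault service settings,
# written to a temporary file so the example runs stand-alone.
PROPS=$(mktemp)
trap 'rm -f "$PROPS"' EXIT
cat > "$PROPS" <<'EOF'
systemcred.dn=uid=wpsadmin,o=default organization
export.userDN=uid=wpsadmin,o=default organization
export.cipher=AES
export.keyLength=128
export.enforceSSL=true
EOF

# Print the value of one key from a key=value file (empty if absent).
prop_get() {
    # $1 = properties file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# The passphrase is turned into a key of export.keyLength bits, so it must be
# at least keyLength / 8 characters long (16 for the default of 128).
check_passphrase() {
    # $1 = properties file, $2 = passphrase
    keylen=$(prop_get "$1" export.keyLength)
    [ -n "$keylen" ] || keylen=128
    [ "${#2}" -ge $((keylen / 8)) ]
}

# With export.enforceSSL=true (the default) the portal only accepts the import
# over a secured HTTP connection, so fail early unless the URL is https.
check_url() {
    # $1 = properties file, $2 = import|export, $3 = URL
    [ "$2" = import ] || return 0
    enforce=$(prop_get "$1" export.enforceSSL)
    [ -n "$enforce" ] || enforce=true
    [ "$enforce" = true ] || return 0
    case "$3" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the xmlaccess.sh command line that mirrors the page's examples.
# It is printed, not executed, so it can be reviewed first. User, password
# and passphrase are visible to other local users in the process list while
# the command runs, which is one more reason to run it on the portal host.
build_cmd() {
    # $1 = import|export, $2 = user, $3 = password, $4 = URL,
    # $5 = input XML, $6 = output XML, $7 = passphrase
    cmd="xmlaccess.sh -user $2 -password $3 -url $4 -in $5 -out $6 -credentialexport -passphrase $7"
    if [ "$1" = import ]; then
        # Truststore options for the https connection, as on the page.
        cmd="$cmd -truststore \$WASHome/profiles/wp_profile/etc/DummyClientTrustFile.jks -trustpwd WebAS"
    fi
    printf '%s\n' "$cmd"
}

# Run both checks, then print the command; returns 1 and explains on failure.
preflight() {
    # $1 = properties file, then the same arguments as build_cmd
    props=$1; shift
    if ! check_passphrase "$props" "$7"; then
        echo "passphrase shorter than export.keyLength / 8 characters" >&2
        return 1
    fi
    if ! check_url "$props" "$1" "$4"; then
        echo "export.enforceSSL=true requires an https URL for import" >&2
        return 1
    fi
    build_cmd "$@"
}

# Demonstration with the page's example values (passphrase shortened to a
# variable for readability).
PP=JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz
preflight "$PROPS" export wpsadmin your_password http://portalhost:9081/wps/config/ \
    ExportVault.xml ExportedCredentialSecrets.xml "$PP" || echo "export check failed"
preflight "$PROPS" import wpsadmin your_password http://portalhost:9081/wps/config/ \
    ExportedCredentialSecrets.xml result.xml "$PP" || echo "plain http import rejected, as expected"
preflight "$PROPS" import wpsadmin your_password https://portalhost:9444/wps/config/ \
    ExportedCredentialSecrets.xml result.xml "$PP" || echo "import check failed"
```

In practice, point PROPS at the real Credential Vault service settings of the system you are exporting from or importing into; the checks reflect the two configuration keys the page ties to the command line, and a passphrase or URL that fails them produces an explanation before any secret leaves the earlier system.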

Parent topic: Migrating the access control configuration

Related tasks:
Migrating permissions on All Authenticated Users and All Portal User Groups
Migrating permissions on administrative resources
Migrating credential vault data using SQL and direct database operations