Migrate credential vault data using xmlaccess.sh

When you migrated the configuration, credential vault slots and segments were also migrated. To complete the process, you need to migrate existing credential secrets by exporting them from the earlier version and importing them into the current version. If you do not migrate existing credential vault secrets, users must provide their credential information the first time a v7.0 portlet attempts to use the data.

Because credential secrets hold confidential information, their migration requires special command line options on xmlaccess.sh as well as changes to the WebSphere Portal system configuration to retain confidentiality of the secrets. Use xmlaccess.sh directly on the system where the WebSphere Portal server resides to minimize the communication path of the confidential information.

  1. Change the configuration of the earlier version system to enable the exportation of encrypted secrets. Add the following information to the Credential Vault service configuration:

      export.userDN

        The user distinguished name (DN) value of the XML access user that should be allowed to export secrets using xmlaccess.sh. This DN is usually the same user DN string as defined in the same configuration file under the systemcred.dn key. The user needs authority to access xmlaccess.sh and must use the interface during export operations. Expected value: user DN string; Default value: None

      export.cipher

        The cipher used for encryption during the export operation. This cipher must be available through Java™ JCE in the earlier version. Expected value: cipher string; Default value: AES

      export.keyLength

        Number of bits used as the key length for the cipher. Expected value: integer; Default value: 128

      For example:

      export.userDN=uid=wpsadmin,o=default organization
      export.cipher=AES
      export.keyLength=128

  2. Restart the earlier version server to save the changes.

  3. Export credential secrets from the earlier system using xmlaccess.sh.

      When using the XML command line client for credential export, the command syntax requires additional parameters:

      xmlaccess -user user -password password -url https://myhost:10038/wps/config/ 
      -in XML_file -out result_file.xml -credentialexport 
      -passphrase encryptionPassphrase -truststore truststore_file -trustpwd truststore_password

      where:

      credentialexport

        Indicates that export of credentials should be enabled.

      passphrase

        Creates a key of the specified length for the encryption. The minimum length of this string is the number of bits set as export.keyLength in the Credential Vault service configuration, divided by eight.

      truststore

        Indicates the location of the trust store for HTTPS. This value is required for all configurations that use a custom certificate store to store certificates that are required for secure connections. This value is optional for configurations that use the Java standard cacerts certificate store.

      trustpwd

        Indicates the trust store password for HTTPS.

      For example:

      xmlaccess.sh -user wpsadmin -password your_password 
      -url https://portalhost:10038/wps/config/ 
      -in C:/IBM/ExportVault.xml -out C:/IBM/ExportedCredentialSecrets.xml 
      -credentialexport 
      -passphrase JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz 
      -truststore C:/IBM/WebSphere/profiles/wp_profile/etc/DummyClientTrustFile.jks 
      -trustpwd WebAS

      Example file ExportVault.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <request	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:noNamespaceSchemaLocation="PortalConfig_1.3.xsd"
      type="export" export-users="true">
       
      <!-- Sample for exporting the credential vault data. -->
      <portal action="locate">
      <credential-segment action="export" objectid="*"/>
      </portal>
      </request>

  4. Change the configuration of the current WebSphere Portal system to enable importing of encrypted secrets.

      Add the following information to the Credential Vault service configuration. For instructions, see the topic on Setting service configuration properties.
      export.userDN

        The user distinguished name (DN) value of the XML access user that should be allowed to import secrets using xmlaccess.sh. This DN is usually the same user DN string as defined in the same configuration file under the systemcred.dn key. The user needs authority to access xmlaccess.sh and must use the interface during the import operation. Expected value: user DN string; Default value: none

      export.enforceSSL

        This field controls whether the credential import operation must be done over a secured HTTP connection (value = "true") or whether importing credentials over an unsecured HTTP connection is allowed (value = "false"). Expected value: true or false; Default value: true

  5. Restart the portal for changes to take effect.

  6. Import credential secrets into the current WebSphere Portal system using xmlaccess.sh. To retain confidentiality, use a secure connection.

      For example:

      xmlaccess.sh -user wpsadmin -password your_password 
      -url https://portalhost:10040/wps/config/ 
      -in ExportedCredentialSecrets.xml -out result.xml 
      -credentialexport
      -passphrase JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz
      -truststore $WASHome/profiles/wp_profile/etc/DummyClientTrustFile.jks 
      -trustpwd WebAS

      Notes:

      • Use the same passphrase value that was used during the export operation.

      • The import might fail if the user DN schema has been changed between the earlier version and the current system or when credentials for users are contained in the XML file that are not present in the current system. In this case, manually remove the obsolete credential entries from the XML file before running the import operation.

      • You should import credentials using an HTTPS connection; however, if you choose not to, set the export.enforceSSL configuration property to false.

  7. Delete all XML files and copies that hold exported credentials. At a minimum, delete the export file ExportedCredentialSecrets.xml from the earlier version system.

  8. Delete obsolete shared credentials on the current system.

      Depending on the version of the earlier system, some secrets and shared credential slots are migrated that are obsolete in the current version.

      Remove these obsolete slots using the Credential Vault administrative portlet under Administration -> Access -> Credential Vault. Select Manage system vault slots and delete the following slots, if they exist:

      • deployment.user

      • wmm.system.id.user

      • deployment.truststore

      • deployment.keystore
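The following POSIX shell script is an added example and is not part of the IBM documentation or of WebSphere Portal. It wraps the export and import invocations from steps 3 and 6 with the two checks a practitioner wants before secrets leave the system: that the passphrase is at least export.keyLength / 8 characters long, and that the -url is HTTPS (mirroring what export.enforceSSL=true demands on the import side). It also covers the cleanup in step 7. The properties-file layout (one key=value per line), the XMLACCESS variable used to locate the client, and all paths and sample values are assumptions; the demonstration input at the end is constructed, not a real portal configuration.

```shell
#!/bin/sh
# Added example, not IBM's code: pre-flight checks around the xmlaccess.sh
# credential export/import described in this topic. The properties-file
# layout, the XMLACCESS variable and all paths are assumptions.

# Command used to invoke the XML access client; override for dry runs.
XMLACCESS="${XMLACCESS:-xmlaccess.sh}"

# Print export.keyLength from a Credential Vault service properties file,
# falling back to the documented default of 128 when the key is absent.
vault_key_length() {
    len=$(sed -n 's/^export\.keyLength=[[:space:]]*//p' "$1" | tail -n 1)
    if [ -n "$len" ]; then echo "$len"; else echo 128; fi
}

# Minimum passphrase length in characters: keyLength in bits divided by eight.
min_passphrase_chars() {
    echo $(( $1 / 8 ))
}

# Succeed only when the passphrase meets the minimum for the given key length.
passphrase_ok() {
    [ "${#1}" -ge "$(( $2 / 8 ))" ]
}

# Succeed only for https:// URLs so the secrets never cross the wire in clear
# text (the import side enforces this through export.enforceSSL=true).
url_is_https() {
    case "$1" in https://*) return 0 ;; *) return 1 ;; esac
}

# Run a credential export or import after checking passphrase length and
# transport. Arguments: properties-file passphrase url in-file out-file
# truststore truststore-password user password
xmlaccess_credentials() {
    props=$1 passphrase=$2 url=$3 infile=$4 outfile=$5
    truststore=$6 trustpwd=$7 user=$8 password=$9
    bits=$(vault_key_length "$props")
    if ! passphrase_ok "$passphrase" "$bits"; then
        echo "passphrase shorter than $(min_passphrase_chars "$bits") characters (export.keyLength=$bits)" >&2
        return 2
    fi
    if ! url_is_https "$url"; then
        echo "refusing to send credential secrets over a non-HTTPS URL: $url" >&2
        return 3
    fi
    # -credentialexport and -passphrase are the switches the topic shows for
    # both directions; the XML request file decides export versus import.
    "$XMLACCESS" -user "$user" -password "$password" -url "$url" \
        -in "$infile" -out "$outfile" -credentialexport \
        -passphrase "$passphrase" -truststore "$truststore" -trustpwd "$trustpwd"
}

# Overwrite and delete a file holding exported credentials (step 7). Uses
# shred when available; otherwise overwrites once with zeros, then removes.
wipe_export_file() {
    [ -f "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u "$1"
    else
        dd if=/dev/zero of="$1" bs=1 count="$(wc -c < "$1" | tr -d ' ')" 2>/dev/null
        rm -f "$1"
    fi
    [ ! -e "$1" ]
}

# Constructed demonstration input (not a real portal configuration).
demo_props=$(mktemp)
printf 'export.userDN=uid=wpsadmin,o=default organization\nexport.cipher=AES\nexport.keyLength=128\n' > "$demo_props"
demo_bits=$(vault_key_length "$demo_props")
echo "export.keyLength=$demo_bits requires a passphrase of at least $(min_passphrase_chars "$demo_bits") characters"
rm -f "$demo_props"
```

For a dry run that prints nothing and calls no client, set XMLACCESS=: before calling xmlaccess_credentials; the checks still run and the return code (0, 2 or 3) tells you which one failed. Keep the passphrase in a variable or prompt rather than on a shared command line where other users' process listings could pick it up.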
