Oracle BI EE 11g - Migrating Security - Credential Store - Part 3

In the last two posts we saw the process involved in migrating the Identity and Policy Stores. In today's post we shall see the process involved in migrating Credential Stores from one environment to another. To recap, a Credential Store is a physical file that holds the credential details of other systems in an encrypted format. The credential store can be SSL enabled, in which case even getting inside the store requires an SSL certificate. All the credentials are stored inside a file called cwallet.sso, which holds all the credential entries. This file is present under {Middleware_Home}\user_projects\domains\bifoundation_domain\config\fmwconfig. We will again explore the two types of migration for credential stores.

Full Migration:

In the case of Credential Stores, a full migration is not recommended. The main reason is that certain Credential Maps, such as oracle.bi.system and oracle.bi.enterprise, contain instance-specific usernames and passwords. Migrating these from one environment to the other will overwrite these keys, which might even render the instance unusable. But if the intention is just to clone the environment, we can use the migrateSecurityStore method that I wrote about in the Policy Store post to do a full migration. The syntax is just like what we used for the full migration of the policy store.

migrateSecurityStore("credStore",configFile="C:/SecurityMigration/jps-config-cred.xml",src="sourcecredstore",dst="targetcredstore")

Given below is the sample jps-config-cred.xml that you can use for the migration.

Incremental Migration using WLST:

We can do an incremental Credential Store migration using WLST methods like createCred(). To illustrate, let's consider a scenario very similar to the one in the last two blog posts, i.e. we have two environments, Dev and Prod. The Development environment has the following credentials stored.

In the Production environment, the following is the list of credentials.

So we have a new Credential Map called DevMap which needs to be migrated to the Production environment. Even though there are differences in the keys within the oracle.bi.enterprise map, we would not like to migrate them as they are environment specific.

Listing the Credentials in the Dev Environment:

The passwords in all the Credential Keys are generally stored in an encrypted format. So, to migrate, we first need to extract these passwords and then do the migration to Production. The passwords can be extracted through the listCred() method of WLST. We need to be connected to the Admin Server for this method to work. The exact command is given below.

connect("weblogic","welcome1","localhost:7001")
listCred("DevMap","DevKey")

This will show the encrypted password entered inside the key, as shown below.

And this is what we see in Enterprise Manager.

As you can see, with listCred we are able to extract the full credentials. Now, let's see what the default password for the BISystemUser is.

listCred("oracle.bi.system","system.user")

In the same way, let's extract the passwords of the SampleAppLite repository.

listCred("oracle.bi.enterprise","repository.SampleAppLite")

With this we can even extract lost repository passwords.

Creating a new Credential in the Prod Environment:

Now that we have extracted the key details from Dev, we can use WLST to create them directly in Production with the createCred method.

createCred(map="ProdMap",key="ProdKey",user="system",password="welcome1",desc="Test")

If we now log in to EM, we should see the credential created in the Prod environment.
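The Dev-to-Prod comparison described above can be scripted so that instance-specific maps are never copied by accident. This is an added example, not code from the original post: the inventories, the key name repository.DevOnly, the function names and the <USER>/<PASSWORD> placeholders are constructed for illustration, and only the map names and the createCred() syntax come from the post.

```python
# Added example: plan an incremental credential-store migration (Dev -> Prod).
# Maps the post names as instance-specific; these are never copied across.
INSTANCE_SPECIFIC_MAPS = {"oracle.bi.system", "oracle.bi.enterprise"}


def plan_migration(dev, prod, excluded=INSTANCE_SPECIFIC_MAPS):
    """Return (to_create, skipped) as sorted lists of (map, key) pairs.

    dev / prod: dict of map name -> set of key names. No secrets are needed
    to build the plan, only the inventory of maps and keys.
    """
    to_create, skipped = [], []
    for map_name in sorted(dev):
        # Keys present in Dev but absent from the same map in Prod.
        missing = sorted(dev[map_name] - prod.get(map_name, set()))
        target = skipped if map_name in excluded else to_create
        target.extend((map_name, key) for key in missing)
    return to_create, skipped


def render_wlst(to_create, desc="Migrated from Dev"):
    """Emit one createCred() line per pair, with placeholders instead of secrets."""
    template = ('createCred(map="%s",key="%s",user="<USER>",'
                'password="<PASSWORD>",desc="%s")')
    return [template % (m, k, desc) for m, k in to_create]


# Constructed inventories (hypothetical; they stand in for the EM listings).
DEV = {
    "oracle.bi.system": {"system.user"},
    "oracle.bi.enterprise": {"repository.SampleAppLite", "repository.DevOnly"},
    "DevMap": {"DevKey"},
}
PROD = {
    "oracle.bi.system": {"system.user"},
    "oracle.bi.enterprise": {"repository.SampleAppLite"},
}

if __name__ == "__main__":
    create, skipped = plan_migration(DEV, PROD)
    for line in render_wlst(create):
        print(line)
    for m, k in skipped:
        print("# skipped (instance-specific): %s / %s" % (m, k))
```

The generated lines keep placeholders so that no password ends up in a script file; the values are filled in at the WLST prompt.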

This concludes my series on the security migration for BI EE 11g.