  • Exporting and importing of policies in OAM 11g

    Posted by "" in "idm, installation, oam" on 2012-05-04

     

    This post covers the commands used to export and import OAM 11g policies. OAM 11g provides this functionality through the WLST scripting tool. This is the only possible approach to automatically export all policies from OAM 11g. The steps below apply to exporting policies in a Linux environment.

    1. Go to $ORACLE_HOME/common/bin.
    2. Run ./wlst.sh
    3. connect('weblogic','password','t3://weblogic_host:port')
    4. exportPolicy(pathTempOAMPolicyFile='/app/shared/home/tmweb/Oracle/Middleware_Dev2/oam_policies.xml')

    Refer to the screenshot below for the output.

    To import policies into the target OAM environment, follow the steps below:

    1. Go to $ORACLE_HOME/common/bin.
    2. Run ./wlst.sh
    3. connect('weblogic','password','t3://weblogic_host:port')
    4. importPolicy(pathTempOAMPolicyFile='/app/shared/home/tmweb/Oracle/Middleware_Dev2/oam_policies.xml')

    The exported policies XML file (oam_policies.xml in this case) contains the following data:

    1. Authentication schemes
    2. Host identifiers
    3. Application domains: resources, authentication/authorization policies, etc.

    Once the policies are imported into the target OAM server, the application domains, authentication schemes and host identifiers are created or updated. Please note that the IAMSuiteAgent application domain also gets imported into the target OAM server; this does not harm the OAM setup.

    The same policies file can be imported multiple times without any issues.

    Hope this post helps.
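
The export steps above as a non-interactive wrapper, added here as an example and not part of the original post: it insists on the wlst.sh under ORACLE_HOME/common/bin, connects over t3s with stored credentials instead of a typed password, and restricts the export file to its owner. It assumes the credential files were created beforehand with WLST's storeUserConfig and that the domain's SSL listen port is enabled and trusted by the client; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. The admin URL and the credential
# file locations passed in by the caller are assumptions.

# Print the wlst.sh under ORACLE_HOME/common/bin, or fail. The NameError in
# the comments came from launching WL_HOME/common/bin/wlst.sh instead.
oam_wlst_path() {
    case "$1" in   # heuristic: a wlserver_* directory is a WebLogic home
        */wlserver*) echo "WebLogic home, not ORACLE_HOME: $1" >&2; return 1 ;;
    esac
    [ -x "$1/common/bin/wlst.sh" ] || { echo "no wlst.sh under $1" >&2; return 1; }
    printf '%s\n' "$1/common/bin/wlst.sh"
}

# Write the WLST (Jython) script: stored credentials instead of a password on
# the command line, and t3s instead of the t3 URL that WLST warns about.
# Args: script-path admin-url user-config-file user-key-file export-file
write_export_script() {
    case "$2" in
        t3s://*) ;;
        *) echo "refusing non-SSL admin URL: $2" >&2; return 1 ;;
    esac
    cat > "$1" <<EOF
connect(userConfigFile='$3', userKeyFile='$4', url='$2')
try:
    exportPolicy(pathTempOAMPolicyFile='$5')
except NameError:
    raise RuntimeError('exportPolicy is not defined: wrong wlst.sh?')
disconnect()
EOF
}

# Args: oracle-home admin-url user-config-file user-key-file export-file
export_oam_policies() {
    wlst=$(oam_wlst_path "$1") || return 1
    script=$(mktemp) || return 1
    if write_export_script "$script" "$2" "$3" "$4" "$5"; then
        "$wlst" "$script"; rc=$?
    else
        rc=1
    fi
    rm -f "$script"
    # The export describes every protected resource and policy: if it landed
    # on this host, make it readable by its owner only.
    if [ -f "$5" ]; then chmod 600 "$5" || rc=1; fi
    return $rc
}
```
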

    18 Responses to “Exporting and importing of policies in OAM 11g”

    1. mike says:

      Have you seen this output before? I get the same response with multiple servers and different environments (PROD, TEST, etc)

      wls:/test_sso_domain/serverConfig> exportPolicy(pathTempOAMPolicyFile='/u01/app/oracle/admin/test_sso_domain/mserver/test_sso_domain/policy-export.xml')
      Traceback (innermost last):
      File "", line 1, in ?
      NameError: exportPolicy
      wls:/test_sso_domain/serverConfig>

    2. Mahendra says:

      Please ensure to run wlst.sh from ORACLE_HOME/common/bin folder.

    3. Manal says:

      I am running it from the ORACLE_HOME/common/bin folder but I'm still getting an error:

      wls:/idm_domain/serverRuntime> exportPolicy(pathTempOAMPolicyFile='/odrive/oracle/temp/policies.xml')
      Traceback (innermost last):
      File "", line 1, in ?
      NameError: exportPolicy

    4. Mahendra says:

      I have executed it just now from $ORACLE_HOME/common/bin.

      Looks like you are executing some other than after connecting and before exportPolicy. In my case wls:/base_domain/serverConfig, in your case wls:/idm_domain/serverRuntime

      wls:/base_domain/serverConfig> exportPolicy(pathTempOAMPolicyFile='/app/shared/home/tmweb/Oracle/Middleware_Dev2/oam_policies_latest.xml')
      Successfully exported policies. Check log file for details.
      wls:/base_domain/serverConfig>

    5. Manal says:

      I was trying something else in the above example. I did this and it still does not work:

      bash-3.00$ /odrive/oracle/Middleware/wlserver_10.3/common/bin/wlst.sh

      wls:/offline> connect('weblogic','password','host:port')
      Connecting to t3://www.localcorp.biz:7001 with userid weblogic …
      Successfully connected to Admin Server 'AdminServer' that belongs to domain 'idm_domain'.

      Warning: An insecure protocol was used to connect to the
      server. To ensure on-the-wire security, the SSL port or
      Admin port should be used instead.

      wls:/idm_domain/serverConfig> exportPolicy(pathTempOAMPolicyFile='/odrive/oracle/temp/policies.xml')
      Traceback (innermost last):
      File "", line 1, in ?
      NameError: exportPolicy

    6. Mahendra says:

      You are executing wlst.sh from WL_HOME/common/bin. It should be executed from ORACLE_HOME/common/bin.

    7. […] have covered export and import of policies in previous post . The export and import partners also entail in similar steps using WLST […]

    8. […] OAM 11g Policies are stored in database and this needs to be exported to an XML file, read this post for more details. The policies in target environment should have URLs (such as Authentication […]

    9. aengineer says:

      When we do an export of policy data, we get multiple files. For example, if we run:
      exportPolicy(pathTempOAMPolicyFile='/tmp/oam_policies.xml');

      we get 5 additional files with names of the form:
      oam_policies.xml.@.1
      through
      oam_policies.xml.@.5

      What are these additional files and are they needed for the import?

      Thanks
      Aspi Engineer

    10. aengineer says:

      The formatting for my last post was lost.

      The 5 files have the naming convention:
      oam_policies.xml.NNN@MACHINE-NAME.1
      through
      oam_policies.xml.NNN@MACHINE-NAME.5

    11. Mahendra says:

      @Aspi Engineer,

      Those files are not required for import.

    12. Viruls says:

      I created a Join Adapter (AD-OID) and now my OVD is the default user store. Let's say myOrgPerson (similar to inetOrgPerson) is my custom objectclass in which myDepartmentName is the attribute.

      My question is: how can I create a condition of type attribute in an Authorization Policy to compare the attribute value with "IT"?

      Thanks in advance.

    13. Mahendra says:

      Is it OAM 10g or 11g? In 10g, you can add the object class to Identity system and specify the rule in authorization rule of policy domain.

    14. Viruls says:

      Mine is OAM 11g.

    15. Viruls says:

      Hi Mahendra,

      Thanks for the quick reply.

      I am using OAM 11gR2.

      Or else, can I create a condition of type attribute in an Authorization Policy to compare the attribute "employeeType" (which is not a custom attribute) with the value "Permanent"?

      And one more question: is it possible to set the AD password in response headers in an Authorization policy? Previously I mentioned that I am using OVD as the default user store, which points to a Join adapter (AD-OID); here OID is the primary adapter and AD is the bind adapter.

      Thanks in Advance.

    16. Mahendra says:

      I'm not sure how you do it in 11gR2. Why do you want to send the password in response headers? Isn't it a security risk?

    17. ggadax says:

      Hi Mahendra,

      What if I would like to change something in the file produced by the export and import the changed file?
      In particular, I have to move policies from one environment to another, and for some policies I will have to change the authentication scheme.

      thanks

      kind regards
      Giovanni
