When you migrated the configuration, credential vault slots and segments were also migrated. To complete the process, you need to migrate existing credential secrets by exporting them from the earlier version and importing them into the current version. If you do not migrate existing credential vault secrets, users must provide their credential information the first time a Version 6.1 portlet attempts to use the data.
Because credential secrets hold confidential information, their migration
requires special command line options on the XML configuration interface as
well as changes to the WebSphere Portal Express system
configuration to retain confidentiality of the secrets. Use the XML configuration
interface directly on the system where the WebSphere Portal Express server
resides to minimize the communication path of the confidential information.
- Install PK28148 "Credential vault import/export through XML access"
on the earlier WebSphere Portal Express system.
- Change the configuration of the earlier version system to enable the exportation of encrypted secrets. Add the following information to the Credential Vault service configuration.
| Property key | Expected value | Default value | Description |
| export.userDN | user DN string | none | The user distinguished name (DN) value of the XML access user that should be allowed to export secrets using the XML configuration interface. This DN is usually the same user DN string as defined in the same configuration file under the systemcred.dn key. The user needs authority to access the XML configuration interface and must use the interface during export operations. |
| export.cipher | cipher string | AES | The cipher used for encryption during the export operation. This cipher must be available using Java JCE in the earlier version. |
| export.keyLength | integer | 128 | Number of bits used as the key length for the cipher. |
For example:
export.userDN=uid=wpsadmin,o=default organization
export.cipher=AES
export.keyLength=128
- Restart the earlier version server to save the changes.
- Export credential secrets from the earlier system using the XML configuration interface. When using the XML command line client for credential export, the command syntax requires two additional parameters:
- credentialexport: a parameter without value that indicates that export of credentials should be enabled.
- passphrase: a parameter that is used to create a key of the specified length for the encryption. The minimum length of this string is the number of bits set as export.keyLength in the Credential Vault service configuration, divided by eight.
xmlaccess -user user -password password -url http://myhost:9081/wps/config/ -in XML_file -out result_file.xml -credentialexport -passphrase encryptionPassphrase
For example:
xmlaccess.sh -user wpsadmin -password your_password -url http://portalhost:9081/wps/config/ -in ExportVault.xml -out ExportedCredentialSecrets.xml -credentialexport -passphrase JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz
Example file ExportVault.xml for version 5.0.2:
<?xml version="1.0" encoding="UTF-8"?>
<request xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="PortalConfig_1.2.1.xsd"
type="export" export-users="true">
<!-- Sample for exporting the credential vault data. -->
<portal action="locate">
<credential-segment action="export" objectid="*"/>
</portal>
</request>
- Change the configuration of the current WebSphere Portal Express system to enable importing of encrypted secrets. Add the following information to the Credential Vault service configuration.
| Property key | Expected value | Default value | Description |
| export.userDN | user DN string | none | The user distinguished name (DN) value of the XML access user that should be allowed to import secrets using the XML configuration interface. This DN is usually the same user DN string as defined in the same configuration file under the systemcred.dn key. The user needs authority to access the XML configuration interface and must use the interface during import operations. |
| export.enforceSSL | true or false | true | This field controls whether the credential import operation must be done using a secured HTTP connection (value = "true") or whether it is allowed to import credentials using an unsecured HTTP connection (value = "false"). |
- Restart the portal for your changes to take effect.
- Import credential secrets into the current WebSphere Portal Express system using the XML configuration interface. To retain confidentiality, use a secure connection. For example:
xmlaccess.sh -user wpsadmin -password your_password -url https://portalhost:9444/wps/config/ -in ExportedCredentialSecrets.xml -out result.xml -credentialexport -passphrase JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz -truststore $WASHome/profiles/wp_profile/etc/DummyClientTrustFile.jks -trustpwd WebAS
Notes:
- Use the same passphrase value that was used during the export operation.
- The import might fail if the user DN schema has been changed between the earlier version and the current system, or when credentials for users are contained in the XML file that are not present in the current system. In this case, manually remove the obsolete credential entries from the XML file before running the import operation.
- You should import credentials using an HTTPS connection; however, if you choose not to, set the export.enforceSSL configuration property to false.
- Delete all XML files and copies that hold exported credentials.
At a minimum, delete the export file ExportedCredentialSecrets.xml from
the earlier version system.
- Delete obsolete shared credentials on the current system. Depending on the version of the earlier system, some secrets and shared credential slots are migrated that are obsolete in the current version. Remove these obsolete slots using the Credential Vault administrative portlet under . Select Manage system vault slots and delete the following slots, if they exist:
- deployment.user
- wmm.system.id.user
- deployment.truststore
- deployment.keystore
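The following POSIX shell script is an added example; it is not part of the WebSphere Portal Express documentation or of the xmlaccess tool. It pre-checks the settings the export and import steps above depend on before any secrets leave the earlier system: that export.userDN is set, that the passphrase is at least export.keyLength divided by eight characters long, and that the import URL is HTTPS unless export.enforceSSL is explicitly false. It also wipes the export file once the import is done. The property keys and defaults are the ones from the tables above; the key=value properties-file layout, the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example; not from the WebSphere Portal Express documentation or xmlaccess.
# Property names (export.userDN, export.keyLength, export.enforceSSL) and their
# defaults come from the migration procedure; the properties-file layout
# (key=value lines), function names and sample values below are constructed.

# Print the value of property $2 from properties file $1 (last occurrence wins).
# Values may themselves contain "=", as export.userDN does, so split on the
# first "=" only.
cv_prop() {
    awk -v k="$2" '
        index($0, "=") > 0 {
            p = index($0, "=")
            key = substr($0, 1, p - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == k) v = substr($0, p + 1)
        }
        END { if (v != "") print v }' "$1"
}

# Minimum passphrase length in characters: export.keyLength bits divided by eight.
min_passphrase_len() {
    echo $(( $1 / 8 ))
}

# Succeed when passphrase $1 is long enough for a key of $2 bits.
check_passphrase() {
    [ "${#1}" -ge "$(min_passphrase_len "$2")" ]
}

# Succeed when import URL $1 is acceptable under export.enforceSSL=$2:
# HTTPS is always fine; plain HTTP only when enforcement is explicitly "false".
check_import_url() {
    case "$1" in
        https://*) return 0 ;;
    esac
    [ "$2" = "false" ]
}

# Run every check against a properties file ($1), a passphrase ($2) and the
# import URL ($3). Prints one line per failed check; returns non-zero on failure.
preflight() {
    props=$1; passphrase=$2; url=$3; rc=0
    keylen=$(cv_prop "$props" export.keyLength)
    [ -n "$keylen" ] || keylen=128           # documented default
    enforce=$(cv_prop "$props" export.enforceSSL)
    [ -n "$enforce" ] || enforce=true        # documented default
    [ -n "$(cv_prop "$props" export.userDN)" ] || { echo "export.userDN is not set"; rc=1; }
    check_passphrase "$passphrase" "$keylen" || { echo "passphrase shorter than $(min_passphrase_len "$keylen") characters"; rc=1; }
    check_import_url "$url" "$enforce" || { echo "import over plain HTTP while export.enforceSSL=$enforce"; rc=1; }
    return $rc
}

# Remove an exported-secrets file once the import has succeeded; overwrite it
# first when shred is available so the plaintext does not linger on disk.
wipe_export_file() {
    [ -f "$1" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        shred -u -- "$1"
    else
        rm -f -- "$1"
    fi
}

# Stand-alone demonstration on a constructed properties file.
demo_props=$(mktemp)
cat > "$demo_props" <<'EOF'
export.userDN=uid=wpsadmin,o=default organization
export.cipher=AES
export.keyLength=128
EOF
preflight "$demo_props" "JGD786JHgasdf8a67kjhUIT7sdj7nsh776jasdf786regUFZT756675zufurz" \
    "https://portalhost:9444/wps/config/" && echo "pre-flight checks passed"
wipe_export_file "$demo_props"
```

Run preflight against the real Credential Vault service properties file, the passphrase you intend to pass to -passphrase, and the -url you will use for the import; only run xmlaccess when it exits zero, and call wipe_export_file on ExportedCredentialSecrets.xml (and every copy) after the import succeeds.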