The Enterprise Manager (EM) migration script utilizes a very cool Java program that ArtofBI developed and posted to GitHub. I've tweaked the code a bit for my needs, so the modified Java source and compiled JAR are also attached to this post.
Continue after the break for links to the files, and example scripts for both Enterprise Manager and Weblogic.
- OBIEE11g_Amelia.jar
- XMLSecurityParserManager.java
- HelperFunctions.java
- XQuerySecurityManager.java
- OBIEE11g_Amelia.java
At a high level, the migrateWeblogicUsers.sh script will:
- Create an import and an export Python script
- Run the Python scripts with WLST to export and then import the Weblogic Users and Groups.

At a high level, the migrateAppRoles.sh script will:
- Copy (scp) over the system-jazn-data.xml from the destination to the source
- Process the XML file with OBIEE11g_Amelia.jar, which produces a Python script
- Run the Python script with WLST to import the new Application Roles.
migrateAppRoles.sh:

```bash
#!/bin/bash
######
# migrateAppRoles.sh
# Created by Ben Mackin (bmackin@gmail.com)
#
# This script will facilitate migrating of Application Roles between environments.
######
set -o pipefail

# Log the outcome of the previous step; on failure, mail the log and stop.
checkStatus () {
    if [ "$1" -ne 0 ]; then
        echo -e "\n$(date '+[%H:%M:%S]') ###### FAILED ######\n\n" | tee -a "$LOGFILE"
        echo "The migration failed: $2" | mutt -a "$LOGFILE" -s "$SUBJECT - FAILED" "$EMAIL"
        exit 1
    fi
    echo -e "$(date '+[%H:%M:%S]') ## Success\n" | tee -a "$LOGFILE"
    return 0
}

# Four option/value pairs (8 arguments) are required
if [ $# -lt 8 ]; then
    echo -e "\nUsage: migrateAppRoles.sh -h toHost -u user -p password -f fromHost\n\t-h\tWeblogic host you are migrating to.\n\t-u\tUsername of admin Weblogic user.\n\t-p\tPassword of admin Weblogic user.\n\t-f\tWeblogic host where you migrating from.\n"
    exit 1
fi

# LOGFILE is not defined yet at this point, so option errors go to stderr
while getopts ":h:u:p:f:" opt; do
    case $opt in
        h) MIGTOHOST=${OPTARG} ;;
        u) MIGTOUSER=${OPTARG} ;;
        p) MIGTOPASS=${OPTARG} ;;
        f) MIGFROMHOST=${OPTARG} ;;
        \?) echo "Invalid option: -$OPTARG" >&2; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument." >&2; exit 1 ;;
    esac
done

SECURITY_FILE_LOC=/apps/applobi/OBIEE11g/user_projects/domains/bifoundation_domain/config/fmwconfig/system-jazn-data.xml
LOGFILE=~/logs/${MIGTOHOST}_migrateapproles_$(date +%y%m%d_%H%M%S).log
EMAIL=null@null.com
SUBJECT="Migrate Application Roles to $MIGTOHOST - $(date +%m/%d/%Y) @ $(date +%H:%M:%S)"

echo -e "$(date '+[%H:%M:%S]') ## Doing application role deployment to $MIGTOHOST from $MIGFROMHOST\n" | tee -a "$LOGFILE"

echo -e "$(date '+[%H:%M:%S]') ## Copy the application roles file from $MIGFROMHOST\n" | tee -a "$LOGFILE"
scp -q "$MIGFROMHOST:$SECURITY_FILE_LOC" system-jazn-data.xml 2>&1 | tee -a "$LOGFILE"
checkStatus "$?" "The deployment failed: scp -q $MIGFROMHOST:$SECURITY_FILE_LOC system-jazn-data.xml"

echo -e "$(date '+[%H:%M:%S]') ## Run the Java program to build the WLST python script\n" | tee -a "$LOGFILE"
/apps/applobi/OBIEE11g/Oracle_BI1/jdk/bin/java -jar support/OBIEE11g_Amelia.jar system-jazn-data.xml ./ "$MIGTOUSER" "$MIGTOPASS" "$MIGTOHOST" 2>&1 | tee -a "$LOGFILE"
# The password is masked here because this message is sent by e-mail on failure
checkStatus "$?" "The deployment failed: java -jar support/OBIEE11g_Amelia.jar system-jazn-data.xml ./ $MIGTOUSER ******** $MIGTOHOST"
rm system-jazn-data.xml

echo -e "$(date '+[%H:%M:%S]') ## Run the WLST script to load the Application Roles to $MIGTOHOST\n" | tee -a "$LOGFILE"
/apps/applobi/OBIEE11g/Oracle_BI1/common/bin/wlst.sh OBI11gSecurityMigration.py 2>&1 | tee -a "$LOGFILE"
checkStatus "$?" "The deployment failed: wlst.sh OBI11gSecurityMigration.py"

echo "$(date '+[%H:%M:%S]') ## Migration of Application Roles from $MIGFROMHOST to $MIGTOHOST completed." | tee -a "$LOGFILE"
# The generated scripts contain the admin credentials, so remove them
rm OBI11gSecurityMigration.py
rm OBI11gSecurityMigration_delete.py
echo "$(date '+[%H:%M:%S]') ## Migration of Application Roles from $MIGFROMHOST to $MIGTOHOST completed." | mutt -a "$LOGFILE" -s "$SUBJECT - SUCCESSFUL" "$EMAIL"
```
migrateWeblogicUsers.sh:
```bash
#!/bin/bash
######
# migrateWeblogicUsers.sh
# Created by Ben Mackin (bmackin@gmail.com)
#
# This script will facilitate migrating of Weblogic security between environments.
######
set -o pipefail

# Log the outcome of the previous step; on failure, mail the log and stop.
checkStatus () {
    if [ "$1" -ne 0 ]; then
        echo -e "\n$(date '+[%H:%M:%S]') ###### FAILED ######\n\n" | tee -a "$LOGFILE"
        echo "The migration failed: $2" | mutt -a "$LOGFILE" -s "$SUBJECT - FAILED" "$EMAIL"
        exit 1
    fi
    echo -e "$(date '+[%H:%M:%S]') ## Success\n" | tee -a "$LOGFILE"
    return 0
}

# If there are fewer than 4 option/value pairs (8 arguments), then show help and exit
if [ $# -lt 8 ]; then
    echo -e "\nUsage: migrateWeblogicUsers.sh -h toHost -u user -p password -f fromHost -w fromPassword\n\t-h\tWeblogic host you are migrating to.\n\t-u\tUsername of admin Weblogic user.\n\t-p\tPassword of admin Weblogic user.\n\t-f\tWeblogic host where you migrating from.\n\t-w\tPassword of admin Weblogic user (optional).\n"
    exit 1
fi

# LOGFILE is not defined yet at this point, so option errors go to stderr
while getopts ":h:u:p:f:w:" opt; do
    case $opt in
        h) MIGTOHOST=${OPTARG} ;;
        u) MIGTOUSER=${OPTARG} ;;
        p) MIGTOPASS=${OPTARG} ;;
        f) MIGFROMHOST=${OPTARG} ;;
        w) MIGFROMPASS=${OPTARG} ;;
        \?) echo "Invalid option: -$OPTARG" >&2; exit 1 ;;
        :) echo "Option -$OPTARG requires an argument." >&2; exit 1 ;;
    esac
done

# If the from password is not set, assume the hosts share the same password
if [ -z "$MIGFROMPASS" ]; then
    MIGFROMPASS=$MIGTOPASS
fi

LOGFILE=~/logs/${MIGTOHOST}_migrateweblogicsec_$(date +%y%m%d_%H%M%S).log
EMAIL=null@null.com
SUBJECT="Migrate Weblogic Users to $MIGTOHOST - $(date +%m/%d/%Y) @ $(date +%H:%M:%S)"
FILEPATH=/tmp
DATE=$(date +%y%m%d_%H%M%S)
FAIL=0

echo -e "$(date '+[%H:%M:%S]') ## Doing weblogic security migration from $MIGFROMHOST to $MIGTOHOST\n" | tee -a "$LOGFILE"

echo -e "$(date '+[%H:%M:%S]') ## Build the WLST export script\n" | tee -a "$LOGFILE"
echo "connect('$MIGTOUSER','$MIGFROMPASS','$MIGFROMHOST:7001')" > weblogicExport.py
echo "domainRuntime()" >> weblogicExport.py
echo "cd('/DomainServices/DomainRuntimeService/DomainConfiguration/bifoundation_domain/SecurityConfiguration/bifoundation_domain/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')" >> weblogicExport.py
echo "cmo.exportData('DefaultAtn','/tmp/DefaultAuthenticator_$DATE.dat', Properties())" >> weblogicExport.py
echo "cd('../../CredentialMappers/DefaultCredentialMapper')" >> weblogicExport.py
echo "cmo.exportData('DefaultCreds','/tmp/DefaultCredentialMapper_$DATE.dat', Properties())" >> weblogicExport.py
echo "cd('../../Authorizers/XACMLAuthorizer')" >> weblogicExport.py
echo "cmo.exportData('XACML','/tmp/XACMLAuthorizer_$DATE.dat', Properties())" >> weblogicExport.py
echo "cd('../../RoleMappers/XACMLRoleMapper')" >> weblogicExport.py
echo "cmo.exportData('XACML','/tmp/XACMLRoleMapper_$DATE.dat', Properties())" >> weblogicExport.py
echo "disconnect()" >> weblogicExport.py
echo "exit()" >> weblogicExport.py
echo -e "$(date '+[%H:%M:%S]') ## Success\n" | tee -a "$LOGFILE"

echo -e "$(date '+[%H:%M:%S]') ## Build the WLST import script\n" | tee -a "$LOGFILE"
echo "connect('$MIGTOUSER','$MIGTOPASS','$MIGTOHOST:7001')" > weblogicImport.py
echo "domainRuntime()" >> weblogicImport.py
echo "cd('/DomainServices/DomainRuntimeService/DomainConfiguration/bifoundation_domain/SecurityConfiguration/bifoundation_domain/DefaultRealm/myrealm/AuthenticationProviders/DefaultAuthenticator')" >> weblogicImport.py
echo "cmo.importData('DefaultAtn','$FILEPATH/DefaultAuthenticator.dat', Properties())" >> weblogicImport.py
echo "cd('../../CredentialMappers/DefaultCredentialMapper')" >> weblogicImport.py
echo "cmo.importData('DefaultCreds','$FILEPATH/DefaultCredentialMapper.dat', Properties())" >> weblogicImport.py
echo "cd('../../Authorizers/XACMLAuthorizer')" >> weblogicImport.py
echo "cmo.importData('XACML','$FILEPATH/XACMLAuthorizer.dat', Properties())" >> weblogicImport.py
echo "cd('../../RoleMappers/XACMLRoleMapper')" >> weblogicImport.py
echo "cmo.importData('XACML','$FILEPATH/XACMLRoleMapper.dat', Properties())" >> weblogicImport.py
echo "disconnect()" >> weblogicImport.py
echo "exit()" >> weblogicImport.py
echo -e "$(date '+[%H:%M:%S]') ## Success\n" | tee -a "$LOGFILE"

echo -e "$(date '+[%H:%M:%S]') ## Run the WLST script to export the weblogic users from $MIGFROMHOST\n" | tee -a "$LOGFILE"
/apps/applobi/OBIEE11g/Oracle_BI1/common/bin/wlst.sh weblogicExport.py 2>&1 | tee -a "$LOGFILE"
checkStatus "$?" "The deployment failed: wlst.sh weblogicExport.py"

echo -e "$(date '+[%H:%M:%S]') ## SCP the security files from $MIGFROMHOST\n" | tee -a "$LOGFILE"
scp -q "$MIGFROMHOST:/tmp/DefaultAuthenticator_$DATE.dat" "$MIGTOHOST:$FILEPATH/DefaultAuthenticator.dat" 2>&1 | tee -a "$LOGFILE"
if [ $? -ne 0 ]; then
    FAIL=1
fi
scp -q "$MIGFROMHOST:/tmp/DefaultCredentialMapper_$DATE.dat" "$MIGTOHOST:$FILEPATH/DefaultCredentialMapper.dat" 2>&1 | tee -a "$LOGFILE"
if [ $? -ne 0 ]; then
    FAIL=1
fi
scp -q "$MIGFROMHOST:/tmp/XACMLAuthorizer_$DATE.dat" "$MIGTOHOST:$FILEPATH/XACMLAuthorizer.dat" 2>&1 | tee -a "$LOGFILE"
if [ $? -ne 0 ]; then
    FAIL=1
fi
scp -q "$MIGFROMHOST:/tmp/XACMLRoleMapper_$DATE.dat" "$MIGTOHOST:$FILEPATH/XACMLRoleMapper.dat" 2>&1 | tee -a "$LOGFILE"
if [ $? -ne 0 ]; then
    FAIL=1
fi

# Remove the exported security data from the source host
ssh "$MIGFROMHOST" "rm /tmp/DefaultAuthenticator_$DATE.dat" | tee -a "$LOGFILE"
ssh "$MIGFROMHOST" "rm /tmp/DefaultCredentialMapper_$DATE.dat" | tee -a "$LOGFILE"
ssh "$MIGFROMHOST" "rm /tmp/XACMLAuthorizer_$DATE.dat" | tee -a "$LOGFILE"
ssh "$MIGFROMHOST" "rm /tmp/XACMLRoleMapper_$DATE.dat" | tee -a "$LOGFILE"

# Check if any of the previous steps failed
checkStatus "$FAIL" "The deployment failed: scp -q $MIGFROMHOST:/tmp/DefaultAuthenticator_$DATE.dat $FILEPATH/DefaultAuthenticator.dat"

echo -e "$(date '+[%H:%M:%S]') ## Run the WLST script to import the weblogic users from $MIGFROMHOST\n" | tee -a "$LOGFILE"
/apps/applobi/OBIEE11g/Oracle_BI1/common/bin/wlst.sh weblogicImport.py 2>&1 | tee -a "$LOGFILE"
checkStatus "$?" "The deployment failed: wlst.sh weblogicImport.py"

echo "$(date '+[%H:%M:%S]') ## Migration of Weblogic Security from $MIGFROMHOST to $MIGTOHOST completed." | tee -a "$LOGFILE"
# The generated scripts contain the admin credentials, so remove them
rm weblogicImport.py
rm weblogicExport.py
# Remove the imported security data from the destination host
ssh "$MIGTOHOST" "rm $FILEPATH/DefaultAuthenticator.dat" 2>&1 | tee -a "$LOGFILE"
ssh "$MIGTOHOST" "rm $FILEPATH/DefaultCredentialMapper.dat" 2>&1 | tee -a "$LOGFILE"
ssh "$MIGTOHOST" "rm $FILEPATH/XACMLAuthorizer.dat" 2>&1 | tee -a "$LOGFILE"
ssh "$MIGTOHOST" "rm $FILEPATH/XACMLRoleMapper.dat" 2>&1 | tee -a "$LOGFILE"
echo "$(date '+[%H:%M:%S]') ## Migration of Weblogic Security from $MIGFROMHOST to $MIGTOHOST completed." | mutt -a "$LOGFILE" -s "$SUBJECT - SUCCESSFUL" "$EMAIL"
```
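migrateWeblogicUsers.sh takes the admin password as a command-line argument and writes it into weblogicExport.py and weblogicImport.py in the working directory. The following is an added example, not the author's code, that generates the export script with no password in it and keeps it in a private directory. It assumes a WLST user config/key pair created beforehand with `storeUserConfig()`; the `WLS_CONFIG` and `WLS_KEY` paths and the function names are hypothetical.

```bash
#!/bin/bash
# Added example, not the author's script. Assumes a WLST user config/key
# pair already exists (created once with storeUserConfig()).
umask 077    # generated scripts 0600, working directory 0700

WLS_CONFIG=${WLS_CONFIG:-$HOME/.wlst/wls.config}   # hypothetical path
WLS_KEY=${WLS_KEY:-$HOME/.wlst/wls.key}            # hypothetical path
REALM=/DomainServices/DomainRuntimeService/DomainConfiguration/bifoundation_domain/SecurityConfiguration/bifoundation_domain/DefaultRealm/myrealm

# Host names and paths are interpolated into quoted Python strings, so
# allow only characters that cannot close the quote.
valid_host() {
    case $1 in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}
valid_path() {
    case $1 in /*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9._/-]*) return 1 ;; esac
}

# Private, unpredictable directory for the generated WLST scripts.
make_workdir() {
    mktemp -d "${TMPDIR:-/tmp}/wlsmig.XXXXXXXX"
}

# build_export_script WORKDIR FROMHOST EXPORTDIR -> prints script path.
# EXPORTDIR lives on FROMHOST (exportData writes on the server side).
build_export_script() {
    valid_host "$2" || { echo "rejected host: $2" >&2; return 1; }
    valid_path "$3" || { echo "rejected path: $3" >&2; return 1; }
    cat > "$1/weblogicExport.py" <<EOF
connect(userConfigFile='$WLS_CONFIG', userKeyFile='$WLS_KEY', url='t3://$2:7001')
domainRuntime()
cd('$REALM/AuthenticationProviders/DefaultAuthenticator')
cmo.exportData('DefaultAtn', '$3/DefaultAuthenticator.dat', Properties())
cd('../../CredentialMappers/DefaultCredentialMapper')
cmo.exportData('DefaultCreds', '$3/DefaultCredentialMapper.dat', Properties())
cd('../../Authorizers/XACMLAuthorizer')
cmo.exportData('XACML', '$3/XACMLAuthorizer.dat', Properties())
cd('../../RoleMappers/XACMLRoleMapper')
cmo.exportData('XACML', '$3/XACMLRoleMapper.dat', Properties())
disconnect()
exit()
EOF
    echo "$1/weblogicExport.py"
}
```

The export directory on the source host should itself be private, for example one created over ssh with `umask 077; mktemp -d`, because the exported .dat files hold the realm's users and credential maps.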
Hi Ben,
I tried your scripts and exports went fine, but received this error during import. Can you please check?
Problem invoking WLST - Traceback (innermost last):
File "/u01/oraclebi/user_migration/weblogicImport.py", line 6, in ?
weblogic.management.utils.ErrorCollectionException: Import Errors:
[Security:099057]Could not decrypt password: {AES}No2DFDIL0GFbVSG6HmxYOxShLFb/rbPhVx/J5SLPJwQ=.