25.7 Importing the Configuration Data

You can import the configuration data for either Identity Server or Access Gateway at a time. Repeat the process to import the configuration data of each component.

If you are importing the configuration data on a new production environment, you must import the Identity Server configuration, and create reverse proxies and master proxy services before importing the Access Gateway configuration data.

Import the configuration data only on the primary Administration Console. Importing the configuration data includes the following actions:

25.7.1 Uploading Configuration File to Import

Perform the following steps to import the configuration data:

  1. Log in to the Administration Console where you want to import the configuration data.

  2. Click Access Manager > Code Promotion.

  3. In the Code Promotion page, click Import Configuration.

  4. Click Browse to import the configuration file.

  5. In Decryption Password, specify the password that you used to encrypt the configuration data file. You need this password to extract the contents of the configuration file.

  6. (Optional) Select Backup current configuration before import and Backup customization files. This backup helps to roll back your changes if needed. Code promotion encrypts the backup file with the same password that you specified for decryption in Step 5. You can download this backup file from the Code Promotion page.

    NOTE: This option backs up only the Identity Server-specific configuration. To back up the Access Gateway configuration, you must use the ambackup file.

  7. Click Next. Continue with Section 25.7.2, Selecting the Component to Import the Configuration Data.

25.7.2 Selecting the Component to Import the Configuration Data

Code Promotion automatically detects whether the imported ZIP file contains configuration data of the Identity Server, Access Gateway, or both. It also checks for any device customization files.

  1. Under Select Configuration To Import, select the option you need based on your requirements:

    • Identity Server Configuration: Select this option to import the Identity Server configuration data. Select Customization Files on Devices if you want to import Identity Server customization files.

    • Access Gateway Configuration: Select this option to import the Access Gateway configuration data. Select Customization Files on Devices if you want to import Access Gateway customization files.

  2. (Only for Access Gateway) Under Access Gateway Cluster Mapping, specify in Source Cluster the cluster from which the configuration data was exported and select in Target Cluster the cluster into which you want to import the configuration data. You can import configuration data of only one cluster at a time. If you want to import configuration from multiple clusters, run the import process separately for each cluster.

  3. Click Next.

  4. Continue with any one of the following sections based on the configuration you selected to import:

25.7.3 Importing the Identity Server Configuration Data

Importing the Identity Server configuration data includes the following steps:

Importing Identity Server Clusters

  1. In the Import Identity Server Clusters section, specify the import action for each cluster available in the imported configuration. Select the desired options based on your requirements.

    NOTE: Importing the Identity Server configuration overwrites the existing Shared Settings on the system with the new Shared Settings. However, if any of the existing settings on the target system are not part of the source system configuration, Code Promotion does not delete them.

    The following table lists examples of Attribute Sets and the resulting import action:

    Imported Attribute Sets      Existing Attribute Sets                         Import Action
    ---------------------------  ----------------------------------------------  -------------------------------------------------------------------
    OIOSAML with five mappings   OIOSAML with two mappings                       Replaces the OIOSAML set with the imported one. It has five mappings.
    AttrSet1                     Not available                                   Adds AttrSet1.
    No import                    AttrSet2 is defined only in the target system   AttrSet2 remains unchanged.

  2. In Clusters To Import, select a cluster to configure import settings.

  3. Select an action for the selected cluster from Import Action.

    • Import As New Cluster: Select this option if you want to import the cluster as a new cluster. Ensure that the new cluster name is different from the existing cluster names defined on that system.

    • Overwrite Existing Cluster: Select this option if you want to overwrite the existing cluster with the selected cluster.

    NOTE: You need to configure the import action for each cluster separately. If the cluster you want to import has only one user store, Code Promotion maps the user store to the default user store of the existing cluster. If the cluster you are importing has multiple user stores, you must specify how to map them to the user stores of the existing cluster.

  4. Click Next.

    Continue with Section 25.7.5, Post-Import Configuration Tasks.

25.7.4 Importing the Access Gateway Configuration Data

Code Promotion uses names to associate entities from the source system with the target system. It searches the target system for the names that are part of the import. If it finds Access Gateway entities with the same names, it overwrites these entities. If they are not available, it creates new entries with the same names as on the source system. When Identity Server-specific and policy-specific entities with the same names are available, you can select whether to overwrite these.

If the policy name, policy extension, and proxy service match on the source and target systems, but their type does not match, then the import does not happen.

Code Promotion does not export Access Gateway clusters, reverse proxies, and master proxies. Before importing the Access Gateway configuration data, you must manually create clusters, reverse proxies, and master or root proxy services in the target system.

If you want to import Access Gateway protected resources that require Identity Server configuration other than contracts and their dependencies, LDAP attributes, and Shared Secret, you must first import the required Identity Server configuration. For example, for risk-based authentication or OAuth configuration, you need to import the relevant Identity Server configuration separately. You can import these configurations manually or by using Identity Server Code Promotion.

NOTE: If the reverse proxy in the source system is non-HTTP and in the target system it is HTTPS, or vice versa, ensure that you have tested the configuration before importing. In this case, the import may cause problems in the browser-to-Access Gateway communication.

Importing the Access Gateway configuration data includes the following steps:

Selecting Proxy Services and Protected Resources to Import

When you select a proxy service for import, all protected resources associated with this proxy service are selected automatically. You cannot deselect any protected resources of a selected proxy service for import.

Code Promotion validates the content you want to import into the target system. If there is any issue, it displays validation errors.

Code Promotion imports the Access Gateway customization details if you have selected that option. If any issue occurs while importing the customization files, the system displays a message. You can continue or cancel the import process at that point.

To select proxy services and protected resources to import, complete the following steps:

  1. The Code Promotion page displays the entire list of proxy services and protected resources from the source setup. Select proxy services and protected resources that you want to import.

  2. Click Next. Continue with Verifying the Component-Specific Configuration Changes.

Verifying the Component-Specific Configuration Changes

Verify the details of the configuration data that will be newly created and the data that will be overwritten on the destination system after the import is complete. A proxy service may have a reference to logging profiles or HTTP rewriter profiles. A protected resource refers to Identity Server contracts and policies. Identity Server contracts in turn refer to authentication classes, methods, image sets, and user stores. A policy has a dependency on policy extensions, policy containers, Identity Server LDAP attributes, and shared secrets. When you import the Access Gateway configuration, all of these dependencies are imported.

IMPORTANT: You can import only enabled rewriter and logging profiles, not the disabled profiles.

Regardless of the type of logging profile (common or extended) and rewriter profile (word or character), if the name of the profile is the same on both the source and target systems, Code Promotion overwrites the profile.

To verify configuration changes, perform the following steps:

  1. Select Access Gateway to verify the details about proxy services, protected resources, rewriter profiles, logging profiles, authentication procedures, and Access Gateway certificates that you are importing.

    If you are importing a proxy service to a production setup where the same proxy service exists, the system will not overwrite the following parameters and will retain these:

    • Published DNS Name

    • Host Header

    • Web Server Host Name

    • Connect Port

    • Web Server List

    Access Manager locks the Access Gateway cluster and policy containers and releases these only after the import is complete or if you cancel the process before completing import.

  2. Select Identity Server to verify the details about Identity Server contracts, methods, classes, LDAP attributes, shared secrets, and images that Code Promotion is importing along with the Access Gateway configuration data. Select Overwrite Existing Contracts if you have made any changes in the existing configuration in the source system. Selecting this option overwrites the contracts and their dependencies, such as methods and classes, in the target system. If you do not select to overwrite, Code Promotion does not import the modified configurations to the target system.

  3. Select Policy to verify the details about policies, such as policy container and policy extension, that Code Promotion is importing along with the Access Gateway configuration data. Code Promotion matches policy containers by name for importing policies. If the names do not match, it creates new policy containers with that name on the target system. Select Overwrite Existing Policies if you have made any change to the existing configuration in the source system. Selecting this option overwrites the policies and their dependencies (such as policy extension, LDAP attribute, and shared secret) in the target system. If you do not select to overwrite, Code Promotion does not import the modified configurations to the target system.

    After selecting Overwrite Existing Policies, LDAP attributes and Shared Secret values in the Identity Server overview page may change. Verify the details and select Verified again on the Identity Server overview page.

  4. Select Verified in each section.

  5. Click Next. Continue with Updating Identity Server User Store References.

Updating Identity Server User Store References

If you have selected to overwrite a method, or you have a new method that refers to a user store, update the reference from the user store of the source system to the user store of the target system. The option to update user store references appears only when you select to overwrite a method or import a new method.

You cannot reference the same user store on the target system to multiple user stores on the source system.

If the name of the user store is the same on the source and target systems, the target system displays only that user store name, which you should select.

If you have created a new user store in the source system, Code Promotion imports only the name to the target system. You must add entries manually after completing the import process.

To update the user store reference on the target system, perform the following steps:

  1. Select the user store in Imported User Store and then select a corresponding user store in the target system under Existing User Store. Perform this activity for all imported user stores.

  2. Click Next.

    Continue with Setting Up New Proxy Services in the Target System after Import.

Setting Up New Proxy Services in the Target System after Import

To set up new proxy services in the target system, perform the following steps:

  1. Specify the following details for all newly created proxy services:

    NOTE: By default, all fields (Published DNS Name, Cookie Domain, Host Header, Web Server Host Name, Web Server List, and Connect Port) contain the source system entries.

    Published DNS Name: (Only for domain-based proxy services) Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as a listening address on the Access Gateway. The DNS name should be unique and not in use by any other proxy service.

    Cookie Domain: Specify the domain for which the cookie is valid. Cookie domain is set as the corresponding master proxy service's cookie domain for domain-based and path-based proxy services. For a virtual proxy service, you can select a cookie domain based on the DNS specified.

    Host Header: Specify the name you want to send in the HTTP header to the Web server.

    Web Server Host Name: Specify the DNS name of the Web server to which the Access Gateway forwards requests.

    Web Server List: Specify the Identity Server address or DNS name of the Web servers. You can define it at the cluster level. If you want to specify it for an individual server, go to Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers. You can specify a Web Server Host Name for an individual server. For more information, see Section 3.8.3, Configuring Web Servers of a Proxy Service.

    Connect Port: Specify the port that the Access Gateway uses to communicate with the Web server.

  2. Click Next.

  3. Click Finish when the import process is completed. Continue with Post-Import Configuration Tasks.

25.7.5 Post-Import Configuration Tasks

After importing the Identity Server and Access Gateway configuration data, you must perform configurations that are specific to the target system and that are not part of the exported data.

Tasks after importing Identity Server configuration data

  • After the import process is complete, the system displays a list of certificates that you need to create or import manually and apply. Code Promotion imports the Identity Server key stores, but you must create the certificates referenced in them on the server where you have imported the configuration data.

    • To create certificates, go to Security > Certificates. For more information about how to create certificates, see Section 10.0, Creating Certificates.

    • The new certificate name must exactly match the names listed.

    • Update Identity Server devices in the modified clusters. Go to Auditing > Troubleshooting > Certificates and click Re-push certificates, and then update all devices in the cluster.

  • Configure user stores for the newly added clusters. After the import process is complete, the system displays a list of Identity Server clusters for which you need to configure user stores. Code Promotion creates a placeholder entry for each user store and sets eDirectory as the default user store. You must enter the IP address, search context, and the password for the user stores of the target system. For more information, see Section 5.1.1, Configuring Identity User Stores.

  • Distribute the policy extension JARs to devices in the Administration Console under Policy > Extensions. For more information, see Distributing a Policy Extension.

  • (Conditional) Update service providers with the new metadata. The identity provider certificate is different in the exported and imported systems. Therefore, you must re-import the identity provider metadata to all service providers in that cluster for federation to work. For more information, see Viewing and Reimporting a Trusted Provider’s Metadata.

  • Code Promotion does not import persistent federation identities and shared secrets. Only the Identity Servers in your exported setup and service providers share these. You must configure these on the server after you import the configuration data.

  • When you add a new node to a cluster and no cache exists, the system takes the customization of any active node in that cluster and applies it to the new node on the target system. Update the list of customization files to include all files from the source setup; otherwise, the customization available on the target system is applied to the node.

Tasks after importing Access Gateway configuration data

  • After the import process is complete, the system displays a list of certificates that you need to create or import manually and apply. Proxy key stores are imported, but you must create the certificates referenced in them on the target system.

    • To create certificates, go to Security > Certificates. For more information about how to create certificates, see Section 10.0, Creating Certificates.

    • The new certificate name must exactly match the names listed.

    • Go to Auditing > Troubleshooting > Certificates to re-push certificates and then update all devices in the cluster.

  • If SSL is enabled between the imported proxy services and the web servers, and you selected to verify the certificate authorities of the web server certificates, then ensure that the web server's trusted roots are added to the Access Gateway's proxy trust store.

    Go to Auditing > Troubleshooting > Certificates to re-push certificates and then update all devices in the cluster.

  • Configure the user store if you have imported a new user store. Configure or edit the user stores for the Identity Server clusters associated with the target Access Gateway cluster.

  • Update the following Identity Server dependencies of policies with appropriate Identity Server cluster names and data if any of the policies refer to these:

    • Authentication contract, Liberty user profile, LDAP OU, Roles, LDAP group, credential profile, OAuth scope, and OAuth claims

    • Java data injection modules (these are deprecated)

  • If you have imported the policy extensions, distribute the policy extension JARs to the devices in Administration Console under Policy > Extensions and restart the Access Gateway. If you imported policy extensions as part of Device Customization, then only restart the Access Gateway.

    For more information, see Distributing a Policy Extension.

  • When you add a new node to a cluster and no cache exists, the system takes the customization of any active node in that cluster and applies it to the new node on the target system. Update the list of customization files to include all files from the source setup; otherwise, the customization available on the target system is applied to the node.