31.6.4 Importing Access Gateway Configuration Data

Code Promotion uses names to associate entities from the source system to the target system. It searches on the source system for names that are part of the import. If it finds Access Gateway entities with the same names, it overwrites these entities. If no entity with the same name is available, it creates new entries with the same names from the source system. When Identity Server and policy-specific entities with the same names are available, you can select whether to overwrite these.

If the policy name, policy extension, and proxy service match on the source and target systems, but their type does not match, then the import does not happen.

Code Promotion does not export Access Gateway clusters, reverse proxies, and master proxies. Before importing Access Gateway configuration data, you must manually create clusters, reverse proxies, and master or root proxy services in the target system.

If you want to import Access Gateway protected resources that require Identity Server configuration other than contracts and its dependencies, LDAP attributes, and Shared Secret, you must first import the required Identity Server configuration. For example, for risk-based authentication or OAuth configuration, you need to import relevant Identity Server configuration separately. You can import these configurations manually or by using Identity Server Code Promotion.

NOTE: If the reverse proxy in the source system is non-HTTP and in the target system it is HTTPS or vice versa, ensure that you have tested the configuration before importing. In this case, the import might cause problems if there is any issue in the communication between the browser and Access Gateway.

Importing Access Gateway configuration data includes the following steps:

Selecting Proxy Services and Protected Resources to Import

When you select a proxy service for import, all protected resources associated with this proxy service are selected automatically. You cannot deselect any protected resources of a selected proxy service for import.

Code Promotion validates the content you want to import into the target system. If there is any issue, it displays validation errors.

Code Promotion imports Access Gateway customization details if you have selected the option. If any issue happens during customization files import, the system displays a message. You can continue or cancel the import process at that point.

To select proxy services and protected resources to import, complete the following steps:

  1. The Code Promotion page displays the entire list of proxy services and protected resources from the source setup. Select proxy services and protected resources that you want to import.

  2. Click Next. Continue with Verifying the Component-Specific Configuration Changes.

Verifying the Component-Specific Configuration Changes

Verify the details of configuration data that will be newly created and the data that will be overwritten on the destination system after import is complete. A proxy service might have a reference to logging profiles or HTTP rewriter profiles. A protected resource refers to Identity Server contracts and policies. Identity Server contracts in turn refer to authentication class, methods, image sets, and user stores. A policy has a dependency on policy extensions, policy containers, Identity Server LDAP attributes and shared secrets. When you import Access Gateway configuration, all of these dependencies are imported.

IMPORTANT: You can import only enabled rewriter and logging profiles, not the disabled profiles.

Regardless of the type of logging profile (common or extended) and rewriter profile (word or character), if the name of the profile is the same on both the source and target systems, Code Promotion overwrites the profile.

To verify configuration changes, perform the following steps:

  1. Select Access Gateway to verify the details about proxy services, protected resources, rewriter profiles, logging profiles, authentication procedures, and Access Gateway certificates that you are importing.

    If you are importing a proxy service to a production setup where the same proxy service exists, the system will not overwrite the following parameters and will retain these:

    • Published DNS Name

    • Host Header

    • Web Server Host Name

    • Connect Port

    • Web Server List

    Access Manager locks Access Gateway cluster and policy containers and releases these only after the import is complete or if you cancel the process before completing import.

  2. Select Identity Server to verify the details about Identity Server contracts, methods, classes, LDAP attributes, shared secrets, and images that Code Promotion is importing along with Access Gateway configuration data. Select Overwrite Existing Contracts if you have made any changes in the existing configuration in the source system. Selecting this option overwrites the contracts and their dependencies, such as methods and classes, in the target system. If you do not select to overwrite, Code Promotion does not import the modified configurations to the target system.

  3. Select Policy to verify the details about policies, such as policy container and policy extension, that Code Promotion is importing along with Access Gateway configuration data. Code Promotion matches policy containers by names for importing policies. If the names do not match, it creates new policy containers with that name on the target system. Select Overwrite Existing Policies if you have made any change to the existing configuration in the source system. Selecting this option overwrites the policies and their dependencies (such as policy extension, LDAP attribute, and shared secret) in the target system. If you do not select to overwrite, Code Promotion does not import the modified configurations to the target system.

    After selecting Overwrite Existing Policies, LDAP attributes and Shared Secret values in Identity Server overview page might change. Verify the details and select Verified again on Identity Server overview page.

  4. Select Verified in each section.

  5. Click Next. Continue with Updating Identity Server User Store References.
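The name and type matching rules above can be rehearsed against an inventory of both systems before running the import. The following is an added example, not part of the product or its documentation: the dictionary layout, the `kind` labels and the sample entity names are hypothetical and do not represent Code Promotion's export format.

```python
# Added example: dry-run model of the import rules on this page.
# The dict layout is hypothetical, not Code Promotion's export format.
RETAINED = ("Published DNS Name", "Host Header", "Web Server Host Name",
            "Connect Port", "Web Server List")  # kept on an existing target proxy service
TYPE_CHECKED = {"policy", "policy_extension", "proxy_service"}
PROFILES = {"rewriter_profile", "logging_profile"}
# Entity kinds that are overwritten only when the named option is selected.
NEEDS_OPTION = {"contract": "Overwrite Existing Contracts",
                "policy": "Overwrite Existing Policies",
                "policy_extension": "Overwrite Existing Policies"}


def plan_import(source, target, selected_options=()):
    """Map each source entity (kind, name) to the action the page describes."""
    existing = {(e["kind"], e["name"]): e for e in target}
    plan = {}
    for ent in source:
        kind, key = ent["kind"], (ent["kind"], ent["name"])
        match = existing.get(key)
        if kind in PROFILES and not ent.get("enabled", True):
            plan[key] = "skip: disabled profile"
        elif match is None:
            plan[key] = "create"
        elif kind in TYPE_CHECKED and ent.get("type") != match.get("type"):
            plan[key] = "blocked: type mismatch"
        elif kind in NEEDS_OPTION and NEEDS_OPTION[kind] not in selected_options:
            plan[key] = "not imported: overwrite option not selected"
        elif kind == "proxy_service":
            plan[key] = "overwrite, retaining " + ", ".join(RETAINED)
        else:
            plan[key] = "overwrite"  # profiles are overwritten whatever their type
    return plan


# Constructed sample inventories (all names and type values are made up).
SOURCE = [
    {"kind": "proxy_service", "name": "portal", "type": "domain-based"},
    {"kind": "proxy_service", "name": "hr", "type": "path-based"},
    {"kind": "policy", "name": "allow-staff", "type": "authorization"},
    {"kind": "logging_profile", "name": "audit", "type": "extended"},
    {"kind": "rewriter_profile", "name": "old-rw", "type": "word", "enabled": False},
    {"kind": "contract", "name": "pwd-form"},
]
TARGET = [
    {"kind": "proxy_service", "name": "portal", "type": "domain-based"},
    {"kind": "policy", "name": "allow-staff", "type": "identity-injection"},
    {"kind": "logging_profile", "name": "audit", "type": "common"},
    {"kind": "contract", "name": "pwd-form"},
]
```

Calling `plan_import(SOURCE, TARGET)` lists which target entities would be replaced, which would be created, and which same-name entries would stop the import, so the change can be reviewed before anyone selects Verified.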

Updating Identity Server User Store References

If you have selected to overwrite a method or you have any new method that refers to a user store, update the reference of the user store of the source system to the user store of the target system. You can see the option to update user store references only when you select to overwrite a method or import a new method.

You cannot map multiple user stores on the source system to the same user store on the target system.

If the name of the user store on the source and target systems is the same, then the target system displays only that user store name that you should select.

If you have created a new user store in the source system, Code Promotion imports only the name to the target system. You must add entries manually after completing the import process.

To update the user store reference on the target system, perform the following steps:

  1. Select the user store in Imported User Store and then select a corresponding user store in the target system under Existing User Store. Perform this activity for all imported user stores.

  2. Click Next.

    Continue with Setting Up New Proxy Services in the Target System after Import.

Setting Up New Proxy Services in the Target System after Import

To set up new proxy services in the target system, perform the following steps:

  1. Specify the following details for all newly created proxy services:

    NOTE: By default, all fields (Published DNS Name, Cookie Domain, Host Header, Web Server Host Name, Web Server List, and Connect Port) contain source system entries.

    | Field | Description |
    |---|---|
    | Published DNS Name | (Only for domain-based proxy services) Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as a listening address on Access Gateway. The DNS name should be unique and not in use by any other proxy service. |
    | Cookie Domain | Specify the domain for which the cookie is valid. Cookie domain is set as the corresponding master proxy service's cookie domain for domain-based and path-based proxy services. For a virtual proxy service, you can select a cookie domain based on the DNS specified. |
    | Host Header | Specify the name you want to send in the HTTP header to the web server. |
    | Web Server Host Name | Specify the DNS name of the web server that Access Gateway should forward to the web server. |
    | Web Server List | Specify Identity Server address or DNS name of web servers. You can define it on cluster level. If you want to specify it for an individual server, go to Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Web Servers. You can specify a Web Server Host Name for an individual server. For more information, see Section 2.6.4, Configuring Web Servers of a Proxy Service. |
    | Connect Port | Specify the port that Access Gateway uses to communicate with the web server. |

  2. Click Next.

  3. Click Finish when the import process is completed. Continue with Post-Import Configuration Tasks.