Migrating XACML policies from older versions to new Identity Server versions.

The latest WSO2 Identity Server (4.5.0 and later) has many changes compared with its older versions (4.0.0, 4.1.0). There are schema changes in the user management database and also many changes in the XACML space (please refer to this for more details). Therefore you cannot plug a new Identity Server version directly into your existing data (the database used by an older version such as 4.0.0 or 4.1.0). You must update the database schema and do a few more things to get it working.
In XACML, the default location of policies (PDP and so on) has changed, and there are some implementation changes that affect migration. This post mainly explains how you can migrate XACML policies from an older version to a new Identity Server version.

Step 1

You need to go through these database migration guidelines (if your new server is 4.5.0). Basically you run this migration script against the older database (Identity Server 4.0.0 and 4.1.0 databases). It does not change or modify any existing data, but it alters some tables by adding new columns, creates a new set of tables with default data and deletes some tables that are no longer needed.

IMPORTANT NOTE: If you want the migrated database to keep working with the older versions even after the migration has been done, make sure of the following.

a) Do not delete tables. You can remove the following from the migration script (sometimes it may have been removed already):

DROP TABLE IF EXISTS UM_CLAIM_BEHAVIOR;

b) If the migration script has already deleted this table, create it again by running the following script,
which can be found in the <IS_HOME>/dbscripts directory of older Identity Server versions.

CREATE TABLE UM_CLAIM_BEHAVIOR(
UM_ID INTEGER NOT NULL AUTO_INCREMENT,
UM_PROFILE_ID INTEGER,
UM_CLAIM_ID INTEGER,
UM_BEHAVIOUR SMALLINT,
UM_TENANT_ID INTEGER DEFAULT 0,
FOREIGN KEY(UM_PROFILE_ID, UM_TENANT_ID) REFERENCES UM_PROFILE_CONFIG(UM_ID, UM_TENANT_ID),
FOREIGN KEY(UM_CLAIM_ID, UM_TENANT_ID) REFERENCES UM_CLAIM(UM_ID, UM_TENANT_ID),
PRIMARY KEY (UM_ID, UM_TENANT_ID)
) ENGINE INNODB;

Step 2

Start the new Identity Server instance pointing to the modified old database (if you have not modified the database as in Step 1, the server will not start) and to the same user store that is used by the older server (4.0.0 or 4.1.0).

Here you may need to modify the default configuration in the “master-datasources.xml” and “user-mgt.xml” files to connect to the older database and the older user store.

Step 3

Log in to the new Identity Server and go to the entitlement management console. You will NOT see any of the policies that existed in the older version. But if you browse through the registry browser to the following location

/_system/governance/repository/identity/Entitlement

you will find the policies. They are still there, but the new Identity Server is not able to read them: by default it does not read policies from the registry location above. Therefore we need to move this content to the new location and make it readable by the new Identity Server version.

Step 4

You can find a simple tool that I have created to do the migration described above here. Please download it together with the source. Let me explain what this tool does.

a) Retrieve policies from old Identity Server version.

b) Verify whether each policy has been published to the PDP or not.

c) Upload all policies to the new Identity Server version.

If there are policies that were published to the PDP (in the older version) –> push them into the PDP as enabled policies.

If there are policies that were NOT published to the PDP (in the older version) –> push them as PAP policies.

Note: In the older Identity Server version there was a concept of enabling/disabling PAP policies. That has now moved to the PDP, so we do not take the old flag into account, as all policies pushed to the PDP are migrated as enabled policies.

d) Retrieve the global policy combining algorithm from the older version and set it in the new version.

Step 5

Run the tool to migrate the policies. The README file contains more details.
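As an added example (not the migration tool from this post, whose source you should read instead), here is a dry-run planner in Python that mirrors steps b), c) and d) above: it parses each old policy, sorts it into the PDP-enabled or PAP bucket by its publish status, and checks the global combining algorithm URN before anything would be uploaded. The registry entries, policy IDs and the dictionary shape of the input are constructed assumptions, not the tool's real data model.

```python
import xml.etree.ElementTree as ET

# Policy-combining algorithm URNs accepted as the global algorithm (step d).
# XACML 3.0 keeps the 1.0 identifiers as legacy algorithms, so both are allowed.
VALID_COMBINING_ALGS = {
    "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides",
    "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:permit-overrides",
    "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable",
    "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable",
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides",
    "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides",
}

def policy_id(policy_xml):
    """Return the PolicyId (or PolicySetId) of a XACML document.
    Raises ET.ParseError on malformed XML and ValueError on a non-policy
    root, so a corrupt registry entry stops the run rather than being uploaded."""
    root = ET.fromstring(policy_xml)
    tag = root.tag.split("}")[-1]          # drop the namespace prefix
    if tag not in ("Policy", "PolicySet"):
        raise ValueError("not a XACML Policy or PolicySet: " + root.tag)
    return root.attrib[tag + "Id"]

def plan_migration(old_policies, global_alg):
    """Map old registry entries to their destination in the new server.
    old_policies: dicts with 'xml' (policy text) and 'published' (bool),
    standing in for what the tool retrieves in steps a) and b)."""
    if global_alg not in VALID_COMBINING_ALGS:
        raise ValueError("unknown global combining algorithm: " + global_alg)
    plan = {"pdp_enabled": [], "pap": [], "global_algorithm": global_alg}
    for entry in old_policies:
        pid = policy_id(entry["xml"])
        # Step c: published in the old PDP -> enabled PDP policy; never
        # published -> PAP-only policy. The old PAP enable/disable flag is
        # deliberately ignored, as the post explains.
        plan["pdp_enabled" if entry["published"] else "pap"].append(pid)
    return plan

# Constructed sample entries standing in for the old registry content.
SAMPLE_POLICY = (
    '<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" '
    'PolicyId="%s" Version="1.0" RuleCombiningAlgId="urn:oasis:names:tc:'
    'xacml:1.0:rule-combining-algorithm:deny-overrides"><Target/>'
    '<Rule RuleId="r1" Effect="Deny"/></Policy>'
)
OLD_REGISTRY = [
    {"xml": SAMPLE_POLICY % "admin-only-policy", "published": True},
    {"xml": SAMPLE_POLICY % "draft-policy", "published": False},
]
```

Reviewing the plan output before running the real tool shows you exactly which policies will become active in the new PDP and which remain PAP-only drafts.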

Now you are done!
