Some tips & tricks on migrating SOA Suite 10g to 11g – Part 2
This blog contains some experiences taken from our migration from SOA Suite 10g to SOA Suite 11g. The previous one was about custom XSLT functions, sensors, composite instance tracking, and Domain Value Maps (DVM). This entry is about using Oracle Internet Directory (OID) 10g as identity provider for SOA Suite 11g.
Integrating OID 10g with SOA Suite 11g
Using OID 10g as identity and access provider in SOA Suite 10g wasn’t entirely trivial. After applying the steps documented in the Oracle BPEL Process Manager Administrator’s Guide 10g, you needed to perform some additional configuration steps that could be somewhat tricky at first. Jaap Poot has some great blogs on this.
How different in SOA Suite 11g. Just configure OID 10g as a security provider in the WebLogic Server Administration Console and you’re done. No need for running Ant scripts, performing lots of post-configuration, and so on. Just follow the steps as listed in the Oracle Fusion Middleware Administrator’s Guide for Oracle SOA Suite 11g Release 1. And don’t forget to set the control flag to SUFFICIENT for every provider, including the DefaultAuthenticator. If you set the OID provider to SUFFICIENT and the DefaultAuthenticator to REQUIRED, you’ll see the OID users and groups in the WebLogic Server Administration Console, but not in JDeveloper or the BPM Worklist application.
SOA Suite 11g supports only one identity and access management provider, while WebLogic Server supports chaining of multiple identity and access management providers.
After restarting WebLogic Server, the users and roles in OID 10g are available to the Human Task editor in JDeveloper (of course, you need to configure a connection to SOA Suite 11g).
They are also available to the default SOA Suite 11g BPM Worklist application, which can be accessed at http://host:port/integration/worklistapp (e.g. http://localhost:8001/integration/worklistapp).
The final step is to add the user “weblogic” and group “Administrators” to OID 10g. This is documented in a different document, and can therefore be overlooked. See 27.2 Logging In to Oracle BPM Worklist.
Permissions in SOA Suite 11g (such as workflow.admin) are mapped to principals (such as SOAAdmin). These principals are in turn members of groups (such as Administrators) that need to exist in the identity and access management solution you use. Since the group “Administrators” by default does not exist in OID 10g, you need to create it and assign to it the users that need the corresponding SOA Suite 11g permissions, for example permission to change settings in the BPM Worklist application or to authenticate on behalf of another user. The other groups, such as BPMWorkflowAdmin, were already present in OID 10g because they were seeded there during configuration of SOA Suite 10g.
The mapping from principals to groups is configured in the user_projects/domains/soa_domain/config/fmwconfig/system-jazn-data.xml file. You can view and edit these application policies and application roles in Enterprise Manager Fusion Middleware Control. Select: Farm_soa_domain –> SOA –> soa-infra –> Security –> Application Policies (or Application Roles).
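To catch the easily overlooked missing group before users hit the Worklist application, the mapping can be checked against the directory. The following is an added example, not part of the original post or of Oracle's tooling: it assumes the application, app-role and member layout shown in the constructed sample, and that you supply the list of group names exported from OID yourself; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the general shape of system-jazn-data.xml (assumed layout:
# application > app-roles > app-role > members > member with <class> and <name>).
SAMPLE_JAZN = """<jazn-data><policy-store><applications><application>
  <name>soa-infra</name>
  <app-roles>
   <app-role><name>SOAAdmin</name><members>
     <member><class>weblogic.security.principal.WLSGroupImpl</class>
             <name>Administrators</name></member>
   </members></app-role>
   <app-role><name>SOAOperator</name><members>
     <member><class>oracle.security.jps.service.policystore.ApplicationRole</class>
             <name>SOAAdmin</name></member>
     <member><class>weblogic.security.principal.WLSGroupImpl</class>
             <name>BPMWorkflowAdmin</name></member>
   </members></app-role>
  </app-roles>
</application></applications></policy-store></jazn-data>"""

GROUP_CLASS = "weblogic.security.principal.WLSGroupImpl"  # enterprise (directory) group

def role_groups(jazn_xml):
    """Return {(application, app_role): set of directory group names it maps to}."""
    result = {}
    for app in ET.fromstring(jazn_xml).iter("application"):
        app_name = app.findtext("name", "").strip()
        for role in app.iter("app-role"):
            # Only group members must exist in the directory; nested roles are skipped.
            groups = {m.findtext("name", "").strip()
                      for m in role.iter("member")
                      if m.findtext("class", "").strip() == GROUP_CLASS}
            result[(app_name, role.findtext("name", "").strip())] = groups
    return result

def missing_groups(jazn_xml, directory_groups):
    """List (application, app_role, group) for groups absent from the directory."""
    known = {g.lower() for g in directory_groups}  # compare names case-insensitively
    return sorted((app, role, g)
                  for (app, role), groups in role_groups(jazn_xml).items()
                  for g in groups if g.lower() not in known)

if __name__ == "__main__":
    # Constructed directory export: only the group seeded by SOA Suite 10g is present.
    for app, role, group in missing_groups(SAMPLE_JAZN, ["BPMWorkflowAdmin"]):
        print(f"{app}: role {role} expects group '{group}', not found in directory")
```

Run it against a copy of the real file and a current export of OID group names; any line it prints is a group to create before the corresponding permissions can take effect.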
So, that’s great. Configuring OID 10g for SOA Suite 11g takes less than an hour.