31.6.5 Post-Import Configuration Tasks

After importing Identity Server and Access Gateway configuration data, you must perform configurations that are specific to the target system and that are not part of the exported data.

Tasks after importing the Identity Server configuration data

  • After the import process is complete, the system displays a list of certificates that you need to create or import manually and apply. Code Promotion imports Identity Server key stores, but you must create the certificates referenced in them on the server where you have imported the configuration data.

    • To create certificates, go to Security > Certificates. See Creating Certificates.

      The new certificate name must exactly match the names listed.

    • Update Identity Server devices in the modified clusters. Go to Troubleshooting > Certificates and click Re-push certificates, and then update all devices in the cluster.

  • Import the customized files listed in Code Promotion > Settings through Advanced File Configurator > Import Configurations. See Exporting and Importing Configurations.

  • Configure user stores for the newly added clusters. After the import process is complete, the system displays a list of Identity Server clusters for which you need to configure user stores. Code Promotion creates a placeholder entry for the user store and sets eDirectory as the default user store. You must enter the IP address, search context, and the password for the user stores of the target system. See Configuring Identity User Stores.

  • For a new cluster, add Identity Server devices to it manually. This enables you to use the imported configuration.

  • Distribute the policy extension JARs to devices in Administration Console under Policy > Extensions. For more information, see Distributing a Policy Extension.

  • (Conditional) Update service providers with the new metadata. The identity provider certificate is different in the exported and imported systems. Therefore, you must re-import the identity provider metadata to all service providers in that cluster for federation to work. For more information, see Viewing and Reimporting a Trusted Provider’s Metadata.

  • Code Promotion does not import persistent federation identities and shared secrets. Only Identity Servers in your exported setup and service providers share these. You must configure these on the server after you import the configuration data.

  • When you add a new node in a cluster and no cache exists, the system takes the customization of any active node in that cluster and applies it to this node on the target system.

  • For User Attribute Retrieval and Transformation:

    • If a data source entry exists only in staging, then a new entry is created in the production environment. Code Promotion creates a placeholder entry for data source fields. You must enter the username, password, IP, port, search context for LDAP, and URL of the data source.

    • If a data source entry with the same name exists in both the staging and production environments but has a different data source type, the production entry is retained.

Tasks after importing the Access Gateway configuration data

  • After the import process is complete, the system displays a list of certificates that you need to create or import manually and apply. Proxy key stores are imported, but you must create the certificates referenced in them on the target system.

    • To create certificates, go to Security > Certificates. See Creating Certificates.

    • The new certificate name must exactly match the names listed.

    • In Troubleshooting > Certificates, re-push certificates, and update all devices in the cluster.

  • Import the customized files listed in Code Promotion > Settings through Advanced File Configurator > Import Configurations. See Exporting and Importing Configurations.

  • If SSL is enabled between the imported proxy services and the web servers, and you selected to verify the certificate authorities of the web server certificates, then ensure that the web server's trusted roots are added to Access Gateway's proxy trust store.

    Go to Troubleshooting > Certificates, re-push certificates, and update all devices in the cluster.

  • Configure the user store if you have imported a new user store. Configure or edit the user stores for Identity Server clusters associated with the target Access Gateway cluster.

  • Update the following Identity Server dependencies of policies with appropriate Identity Server cluster names and data if any of the policies refer to these:

    • Authentication contract, Liberty user profile, LDAP OU, Roles, LDAP group, credential profile, OAuth scope, and OAuth claims

    • Java data injection modules (these are deprecated)

  • If you have imported the policy extensions, distribute the policy extension JARs to the devices in Administration Console under Policy > Extensions, and restart Access Gateway. If you imported policy extensions as part of Device Customization, then only restart Access Gateway.

    For more information, see Distributing a Policy Extension.

  • When you add a new node in a cluster and no cache exists, the system takes the customization of any active node in that cluster and applies it to this node on the target system.

  • If the imported Access Gateway or policies refer to anything other than the following Identity Server dependencies, import these dependencies by using Identity Server Code Promotion:

    • Contracts

    • Methods

    • Classes

    • User stores

    • LDAP attributes

    • Shared secrets