Layer7 API Management

Expand all | Collapse all

GMU identity provider migration mapping problem

  • 1.  GMU identity provider migration mapping problem

    Posted 10-06-2016 09:33 AM

    Hello,

     

    I am facing problem in Identity provider mapping.

     

    I have two server Dev and UAT , i have initially configured enterprise LDAP in identity provider during base installation on both instances.

     

    now when i am trying to migrate a policy that authenticate against that LDAP . I am getting 

     

    Error: Property Key=Identity provider Error message "(name)" must be unique

    Can you suggest any override on it.

     

    I have already tried manage mappings but it didn't work.



  • 2.  Re: GMU identity provider migration mapping problem

    Posted 10-07-2016 09:33 AM

    Hello,

    Is this the first time you've tried to migrate this service/folder to UAT ?

    If yes, does the ID Provider exist on UAT already, or are you wanting GMU to create it?

     

    can you post your 'migrateOut/migrateIn' commands and results.xml, it'll help myself and others troubleshoot.

     

    thanks,

     

    Doyle



  • 3.  Re: GMU identity provider migration mapping problem

    Posted 10-09-2016 11:43 AM

    Hello Doyle ,

     

    Yes, it's first time i am migrating this service to UAT.

     

    UAT and Higher Environments already configured with the same External Identity provider.

     

    I Don't want GMU to create it for me explicitly.

     

    Here is the migrate in and Migrate out commands i am using. 

     

    Migrate out commands i user in my script.

    TARGET_FILE=$TARGET_ENV/$INTEXT/Service/$SHORTN
    #
    echo "Exporting Service Policy $SHORTN to $TARGET_FILE.xml"
    /opt/SecureSpan/gmu/GatewayMigrationUtility.sh migrateOut --argFile /opt/SecureSpan/gmu/commonargs.props --serviceName "/$INTEXT/$SHORTN" --dest $TARGET_FILE.xml --defaultAction NewOrExisting
    #
    echo "Managing Mappings for Service Policy $TARGET_FILE.xml"
    /opt/SecureSpan/gmu/GatewayMigrationUtility.sh manageMappings --argFile /opt/SecureSpan/gmu/commonargs.props --bundle $TARGET_FILE.xml --type service --action NewOrUpdate
    #
    echo "Templating Service Policy $TARGET_FILE.xml to $TARGET_FILE.properties"
    /opt/SecureSpan/gmu/GatewayMigrationUtility.sh template --argFile /opt/SecureSpan/gmu/commonargs.props --bundle $TARGET_FILE.xml --template $TARGET_FILE.properties

     

    MigrateIn commands i used 

     

    /opt/SecureSpan/gmu/GatewayMigrationUtility.sh migrateIn --argFile /opt/SecureSpan/gmu/commonargs.props --bundle $TARGET_FILE.xml --template $TARGET_FILE.properties --results results.xml -destFolder / $2 $3

     

     

    Results.xml file 

     

     
    <?xml version="1.0" encoding="UTF-8" standalone="no"?>
    <l7:Item xmlns:l7="http://ns.l7tech.com/2010/04/gateway-management">
    <l7:Name>Bundle mappings</l7:Name>
    <l7:Type>BUNDLE MAPPINGS</l7:Type>
    <l7:TimeStamp>2016-10-09T17:23:23.283+02:00</l7:TimeStamp>
    <l7:Link rel="self" uri="https://ese0874.ss:9443/restman/1.0/bundle?test=false&activate=true"/>
    <l7:Resource>
    <l7:Mappings>
    <l7:Mapping action="NewOrExisting" errorType="UniqueKeyConflict" srcId="d94910c473027e135cb9318c93f45a0e" srcUri="https://ese0874.ss:9443/restman/1.0/identityProviders/d94910c473027e135cb9318" type="ID_PROVIDER_CONFIG">
    <l7:Properties>
    <l7:Property key="ErrorMessage">
    <l7:StringValue>(name) must be unique</l7:StringValue>
    </l7:Property>
    </l7:Properties>
    </l7:Mapping>
    <l7:Mapping action="NewOrExisting" actionTaken="CreatedNew" srcId="78ba1a30fcca23c5ce92243" srcUri="https://ese0781.ss:9443/restman/1.0/clusterProperties/78ba1a30fcca23c5ce92243" targetId="78ba1a30fcca23c5ce92243" targetUri="https://ese0874.ss:9443/restman/1.0/clusterProperties/78ba1a30fcca23c5ce92f" type="CLUSTER_PROPERTY">
    <l7:Properties>
    <l7:Property key="MapBy">
    <l7:StringValue>name</l7:StringValue>
    </l7:Property>
    </l7:Properties>
    </l7:Mapping>
    <l7:Mapping action="NewOrExisting" actionTaken="UsedExisting" srcId="00000000000002:dev-with aleternative subject name" srcUri="https://ese0781.ss:9443/restman/1.0/privateKeys/00000000000:dev-with%20aleternative%20subject%20name" targetId="00000000000000000000000000000002:dev-with aleternative subject name" targetUri="https://ese0874.ss:9443/restman/1.0/privateKeys/000000000000:dev-with%20aleternative%20subject%20name" type="SSG_KEY_ENTRY"/>
    <l7:Mapping action="NewOrExisting" actionTaken="UsedExisting" srcId="72fbfd7ad86d62e647a42" srcUri="https://ese0781.ss:9443/restman/1.0/folders/72fbfd7ad86d62e647a4a410" targetId="c050a38b2e806e11a8b58e" targetUri="https://ese0874.ss:9443/restman/1.0/folders/c050a38b2e806e1e7ddc6" type="FOLDER">
    <l7:Properties>
    <l7:Property key="FailOnNew">
    <l7:BooleanValue>true</l7:BooleanValue>
    </l7:Property>
    </l7:Properties>
    </l7:Mapping>
    <l7:Mapping action="NewOrUpdate" actionTaken="CreatedNew" srcId="78ba1a30fcca23c5ce92243" srcUri="https://ese0781.ss:9443/restman/1.0/services/78ba1a30fcca23c5ce92243" targetId="78ba1a30fcca23c5ce92243" targetUri="https://ese0874.ss:9443/restman/1.0/services/78ba1a30fcca23c5ce92243" type="SERVICE"/>
    </l7:Mappings>
    </l7:Resource>
    </l7:Item>

     



  • 4.  Re: GMU identity provider migration mapping problem

    Posted 10-09-2016 11:18 PM

    You need to use the ‘ignore' action to ignore ID_PROVIDER_CONFIG when creating a mappings file for migrateIn; something like:

     

     

    GatewayMigrationUtility.bat manageMappings -argFile  <blah> --bundle  <blah> --type ID_PROVIDER_CONFIG --action ignore

     

    Then use the resulting mappings file to migrateIn to the higher environment.

     

     



  • 5.  Re: GMU identity provider migration mapping problem

    Posted 10-10-2016 07:54 AM

    Hi Apoorva,

     

    As you have created the identity provider on the destination explicitly and it should not be over-written.

    You need to set the action as ignore for the Identity Provider (type ID_PROVIDER_CONFIG) using manageMappings.

     

    Example:

    shell> GatewayMigrationUtility.sh manageMappings --argFile /opt/SecureSpan/gmu/commonargs.props --bundle $TARGET_FILE.xml --type ID_PROVIDER_CONFIG --action Ignore

     

    With the above command all the identity provider configurations action will be set to ignore and on migrateIn command will not override the destination values.



  • 6.  Re: GMU identity provider migration mapping problem

    Posted 10-10-2016 08:07 AM

    Hello,

     

    as per you guys suggested , i made changes in my script as below 

    echo "Managing Mappings for Service Policy $TARGET_FILE.xml"
    /opt/SecureSpan/gmu/GatewayMigrationUtility.sh manageMappings --argFile /opt/SecureSpan/gmu/commonargs.props --bundle $TARGET_FILE.xml --type ID_PROVIDER_CONFIG --action ignore --type service --action NewOrUpdate

    Its working fine for the services configured with Identity provider. But having a strange message "Mapping not found"

    in case of service doesn't contain any Identity provider. 

     

    Managing Mappings for Service Policy DEV/<servicename>.xml
    Running..
    Execution failed. Reason: Mapping not found with type=ID_PROVIDER_CONFIG and srcName=null

    Templating Service Policy DEV/I160520.Int.GetMaterialDocumentFromEristat.xml to DEV/I160520.Int.GetMaterialDocumentFromEristat.properties
    Running.
    Template completed

     

    Can anyone suggest a generic solution to it.



  • 7.  Re: GMU identity provider migration mapping problem

    Posted 10-10-2016 11:33 AM

    I believe you'll lose the mapping if you use 'ignore'. You don't want to purely ignore the mapping as something still needs to reference it that you want imported. I think what you want to do is to map identity providers by Name instead of the default, by 'id'. You can accomplish this in your script by including the following manageMappings instruction.

     

    ./gmu.sh manageMappings -b myBundle.xml -t ID_PROVIDER_CONFIG -N

     

    what this instruction does, is it targets all ID providers in the bundle and modifies it to map by the Name of the ID Provider, instead of the ID ( the ID will be different, as the ID Providers were created manually ). Make sure the names are identical in each environment.

     

    Hope this helps,

     

    Doyle