Upgrading from a Previous Release - Identity Server 5.4.0 - WSO2 Documentation

The following instructions guide you through upgrading from WSO2 Identity Server 5.2.0 to WSO2 Identity Server 5.3.0. In this topic, <OLD_IS_HOME> is the directory that Identity Server 5.2.0 resides in and <NEW_IS_HOME> is the directory that Identity Server 5.3.0 resides in.

Prerequisite for migration

If you have added any custom claims, follow the steps in this prerequisite before migrating to IS 5.3.0:

This is required because, in the IS 5.3.0 version, all claims external to the WSO2 dialect are mapped to the relevant claim in the WSO2 dialect and not to the underlying attribute in the user store. When there are custom claims, there is no claim in the WSO2 dialect that is mapped to that attribute. Therefore, follow the steps below to create a new claim in the WSO2 dialect and map your custom claim to the local claim (i.e., the new claim created in the WSO2 dialect).

  1. Start the IS 5.2.0 server and log in to the management console.
  2. Click on Add under Claims on the Main tab of the management console.
  3. Click Add New Claim and select the http://wso2.org/claims dialect.

  4. Enter the required information of the custom claim. For more information, see Adding Claim Mapping in IS 5.2.0.

  5. Click Add. The claim you created will be listed.
  6. Click on List under Claims on the Main tab of the management console again.
  7. Click on the claim dialect where you have your custom claim, and click on the Edit button of your custom claim.
  8. Map the local claim you just created to the custom claim by editing the Mapped Attribute(s) field.
  9. Click Update.

Note: Repeat the steps above for every custom claim you have created.

Migrating the embedded LDAP user store

It is not generally recommended to use the embedded LDAP user store that is shipped with WSO2 Identity Server in production setups. However, if migration of the embedded LDAP is required, follow the instructions below to migrate the existing IS 5.2.0 LDAP user store to IS 5.3.0.

  1. Copy the <OLD_IS_HOME>/repository/data folder to the <NEW_IS_HOME>/repository/data folder.
  2. Restart the server to save the changes.

To upgrade the version of WSO2 Identity Server, the user store database should be upgraded. Note that there are no registry schema changes between versions. 

Follow the steps below as needed to complete the migration process.

  1. Download Identity Server 5.3.0 and unzip it in the <NEW_IS_HOME> directory.
  2. Take a backup of the existing database used by Identity Server 5.2.0. This backup is necessary in case the migration causes issues in the existing database.
  3. Make the database script updates as indicated below.
      1. Download the migration resources and unzip them to a local directory. This folder is referred to as <IS5.3.0_MIGRATION_TOOL_HOME>.

      2. Copy the db script files in the <IS5.3.0_MIGRATION_TOOL_HOME>/dbscripts/identity/ directory to the <NEW_IS_HOME>/dbscripts/identity/migration-5.2.0_to_5.3.0/ directory.

      3. Copy the org.wso2.carbon.is.migrate.client-5.3.0.jar file in the <IS5.3.0_MIGRATION_TOOL_HOME>/dropins directory to the <NEW_IS_HOME>/repository/components/dropins directory.
      4. If you are using an Oracle database, either provide the database owner credentials in the datasource configurations (identity and user management databases) or pass the identity database owner name with -DidentityOracleUser and the user management database owner name with -DumOracleUser.
  4. Make a copy of the <OLD_IS_HOME>/repository/conf folder. (Do not change the original configs; keep them as a backup in case there are any issues.)

  5. Copy the following files from the <NEW_IS_HOME>/repository/conf/identity folder and paste them into the copy of the <OLD_IS_HOME>/repository/conf/identity folder:
    • captcha-config.properties
    • identity-event.properties
  6. Copy any custom OSGi bundles that were added manually to the <OLD_IS_HOME>/repository/components/dropins folder and paste them into the <NEW_IS_HOME>/repository/components/dropins folder.
  7. Copy any JAR files that were added to the <OLD_IS_HOME>/repository/components/lib folder and paste them into the <NEW_IS_HOME>/repository/components/lib folder.
  8. Open the output-event-adapters.xml file found in the <NEW_IS_HOME>/repository/conf folder and configure the relevant email configurations. 

    <adapterConfig type="email">
        <!-- Comment out the mail.smtp.user and mail.smtp.password properties to connect to SMTP servers that use
            trust-based authentication rather than username/password authentication -->
        <property key="mail.smtp.from">abcd@gmail.com</property>
        <property key="mail.smtp.user">abcd</property>
        <property key="mail.smtp.password">xxxx</property>
        <property key="mail.smtp.host">smtp.gmail.com</property>
        <property key="mail.smtp.port">587</property>
        <property key="mail.smtp.starttls.enable">true</property>
        <property key="mail.smtp.auth">true</property>
        <!-- Thread Pool Related Properties -->
        <property key="minThread">8</property>
        <property key="maxThread">100</property>
        <property key="keepAliveTimeInMillis">20000</property>
        <property key="jobQueueSize">10000</property>
    </adapterConfig>

    Tip: This email configuration is similar to the email configuration shown in the code block below, which is found in the <IS_HOME>/repository/conf/axis2/axis2.xml file. That configuration is used for email-enabled features. You can configure the same values in the output-event-adapters.xml file for email-enabled features that use REST APIs in IS 5.3.0.

    Email configuration in axis2.xml file
    <transportSender name="mailto" class="org.apache.axis2.transport.mail.MailTransportSender">
        <parameter name="mail.smtp.from">sampleemail@gmail.com</parameter>
        <parameter name="mail.smtp.user">sampleemail</parameter>
        <parameter name="mail.smtp.password">password</parameter>
        <parameter name="mail.smtp.host">smtp.gmail.com</parameter>
        <parameter name="mail.smtp.port">587</parameter>
        <parameter name="mail.smtp.starttls.enable">true</parameter>
        <parameter name="mail.smtp.auth">true</parameter>
    </transportSender> 
  9. Copy the .jks files from the <OLD_IS_HOME>/repository/resources/security folder and paste them in <NEW_IS_HOME>/repository/resources/security folder. 

  10. If you have created tenants in the previous WSO2 Identity Server version and if there are any resources in the <OLD_IS_HOME>/repository/tenants directory, copy the content to the <NEW_IS_HOME>/repository/tenants directory.
  11. If you have created secondary user stores in the previous WSO2 IS version, copy the content in the <OLD_IS_HOME>/repository/deployment/server/userstores directory to the <NEW_IS_HOME>/repository/deployment/server/userstores directory.

  12. If you have made custom changes to the config files in your previous version of WSO2 IS, see the table below.

    The table below lists all the configuration changes from IS 5.2.0 to IS 5.3.0. Work through the table and change the relevant configurations according to the features you are using. Any change that is not explicitly marked [OPTIONAL] is mandatory for the migration.

    Mandatory configuration changes

    Configuration File | Changes

    [MANDATORY]

    carbon.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

    Add the following property to the config file.

    <HideMenuItemId>claim_mgt_menu</HideMenuItemId>

    [OPTIONAL]

    entitlement.properties file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

    If you are using the service provider authorization feature, add the following property to the config file.

    If you have any other AttributeDesignators configured with the number 2, use the smallest unused number instead of 2 when adding the property below.

    PIP.AttributeDesignators.Designator.2=org.wso2.carbon.identity.application.authz.xacml.pip.AuthenticationContextAttributePIP

    [MANDATORY]

    application-authentication.xml file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

    Add the following property under the <Extensions> tag.

    <AuthorizationHandler>org.wso2.carbon.identity.application.authz.xacml.handler.impl.XACMLBasedAuthorizationHandler</AuthorizationHandler>

    [OPTIONAL]

    application-authentication.xml file stored in the <PRODUCT_HOME>/repository/conf/identity/ directory.

    If you are using the mobile connect authenticator feature, add the following element under the <AuthenticatorConfigs> tag.

    <AuthenticatorConfig name="MobileConnectAuthenticator" enabled="true">
        <Parameter name="MobileConnectKey">mobileConnectClientId</Parameter>
        <Parameter name="MobileConnectSecret">mobileConnectClientSecret</Parameter>
    </AuthenticatorConfig>

    [MANDATORY]

    Owasp.CsrfGuard.Carbon.properties file stored in the <PRODUCT_HOME>/repository/conf/security/ directory.

    Find the following line.

    Old configuration
    org.owasp.csrfguard.unprotected.authiwa=%servletContext%/commonauth/iwa/*

    Update the line as follows.

    New Configuration
    org.owasp.csrfguard.unprotected.oauthiwa=%servletContext%/commonauth/iwa/*

    Add the following property.

    org.owasp.csrfguard.unprotected.mex=%servletContext%/mexut/*

    [MANDATORY]

    user-mgt.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

    Add the following element under the <Realm> <Configuration> tag.

    <Property name="initializeNewClaimManager">true</Property>

    [MANDATORY]

    email-admin-config.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

    If you have not made any custom changes to this file in your previous version of WSO2 IS:

      • Copy the <NEW_IS_HOME>/repository/conf/email/email-admin-config.xml file and replace the existing one.

    If you have made custom changes to this file in your previous version:

      1. Locate the templates you have updated that differ from the default config file. You can use a diff tool to compare your <OLD_IS_HOME>/repository/conf/email/email-admin-config.xml file with the default file to identify the custom changes you have made. Note these changes/updates.
      2. Copy the <NEW_IS_HOME>/repository/conf/email/email-admin-config.xml file to the <OLD_IS_HOME>/repository/conf/email/ directory and rename it to email-admin-config-new.xml.
      3. For each template you have modified, do the following:

        Note: If you opt to migrate to the new identity management implementation, follow all the steps below. If you wish to continue with the old identity management implementation, skip steps iii and iv.

        i. Locate the relevant template configuration in the email-admin-config-new.xml file by searching for <configuration type="xxxxx">, where xxxxx is the type of the template in your old email-admin-config.xml file.

        ii. Update the subject, body, and footer in the new config file with the values from the existing configuration.

        iii. [OPTIONAL] Update the placeholders so that they are enclosed in double braces (e.g., {user-name} -> {{user-name}}).

        iv. [OPTIONAL] Update the user attribute placeholders to follow the {{user.claim.yyyy}} format, where yyyy is the attribute name (e.g., {first-name} -> {{user.claim.givenname}}).
      4. Delete the <OLD_IS_HOME>/repository/conf/email/email-admin-config.xml file and rename email-admin-config-new.xml to email-admin-config.xml to finish the update.

    For more information about this feature, see Email Templates.

    [OPTIONAL]

    output-event-adapters.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

    Add the following properties under the <outputEventAdaptersConfig> tag.

    <adapterConfig type="wso2event">
        <property key="default.thrift.tcp.url">tcp://localhost:7612</property>
        <property key="default.thrift.ssl.url">ssl://localhost:7712</property>
        <property key="default.binary.tcp.url">tcp://localhost:9612</property>
        <property key="default.binary.ssl.url">ssl://localhost:9712</property>
    </adapterConfig>
    [MANDATORY]

    identity.xml file stored in the <PRODUCT_HOME>/repository/conf/identity directory.

    Add the following event listeners as child elements under the <EventListeners> tag.

    <EventListeners>
        ....
        ....
        <EventListener
            type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
            name="org.wso2.carbon.identity.governance.listener.IdentityStoreEventListener"
            orderId="97" enable="true">
            <Property name="Data.Store">org.wso2.carbon.identity.governance.store.JDBCIdentityDataStore</Property>
        </EventListener>

        <EventListener
            type="org.wso2.carbon.user.core.listener.UserOperationEventListener"
            name="org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener"
            orderId="95"
            enable="true"/>
        ....
    </EventListeners>

    Add the following properties under the <OAuth> tag.

    <OIDCWebFingerEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/.well-known/webfinger</OIDCWebFingerEPUrl>
    
    <!-- For tenants below urls will be modified as https://<hostname>:<port>/t/<tenant domain>/<path>-->
    <OAuth2DCREPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/identity/connect/register</OAuth2DCREPUrl>
    <OAuth2JWKSPage>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/jwks</OAuth2JWKSPage>
    <OIDCDiscoveryEPUrl>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/oidcdiscovery</OIDCDiscoveryEPUrl>

    Add the following property under the <SSOService> tag.

    <!--<SAMLSSOAssertionBuilder>org.wso2.carbon.identity.sso.saml.builders.assertion.ExtendedDefaultAssertionBuilder</SAMLSSOAssertionBuilder>-->

    Add the following properties at the top level.

    <!--<Recovery>
        <Notification>
            <Password>
                <Enable>false</Enable>
            </Password>
            <Username>
                <Enable>false</Enable>
            </Username>
            <InternallyManage>true</InternallyManage>
        </Notification>
        <Question>
            <Password>
                <Enable>false</Enable>
                <NotifyStart>true</NotifyStart>
                <Separator>!</Separator>
                <MinAnswers>2</MinAnswers>
                <ReCaptcha>
                    <Enable>true</Enable>
                    <MaxFailedAttempts>3</MaxFailedAttempts>
                </ReCaptcha>
            </Password>
        </Question>
        <ExpiryTime>3</ExpiryTime>
        <NotifySuccess>true</NotifySuccess>
        <AdminPasswordReset>
            <Offline>false</Offline>
            <OTP>false</OTP>
            <RecoveryLink>false</RecoveryLink>
        </AdminPasswordReset>
    </Recovery>

    <EmailVerification>
        <Enable>false</Enable>
        <LockOnCreation>false</LockOnCreation>
        <Notification>
            <InternallyManage>true</InternallyManage>
        </Notification>
    </EmailVerification>

    <SelfRegistration>
        <Enable>false</Enable>
        <LockOnCreation>false</LockOnCreation>
        <Notification>
            <InternallyManage>true</InternallyManage>
        </Notification>
        <ReCaptcha>false</ReCaptcha>
    </SelfRegistration>-->

    Remove the following section:

    <ISAnalytics>
        <DefaultValues>
            <userName>NOT_AVAILABLE</userName>
            <userStoreDomain>NOT_AVAILABLE</userStoreDomain>
            <rolesCommaSeperated>NOT_AVAILABLE</rolesCommaSeperated>
            <serviceprovider>NOT_AVAILABLE</serviceprovider>
            <identityProvider>NOT_AVAILABLE</identityProvider>
        </DefaultValues>
    </ISAnalytics>

    Add the following properties to the top level.

    <ResourceAccessControl>
        <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
        <Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
        <Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>
        <Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
            <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
        </Resource>
        <Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
            <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
        </Resource>
        <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
            <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
        </Resource>
        <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
            <Permissions>/permission/admin/manage/identity/pep</Permissions>
        </Resource>
    </ResourceAccessControl>

    <ClientAppAuthentication>
        <Application name="dashboard" hash="66cd9688a2ae068244ea01e70f0e230f5623b7fa4cdecb65070a09ec06452262"/>
    </ClientAppAuthentication>

    <TenantContextsToRewrite>
        <WebApp>
            <Context>/api/identity/user/v0.9</Context>
            <Context>/api/identity/recovery/v0.9</Context>
            <Context>/oauth2</Context>
            <Context>/api/identity/entitlement</Context>
        </WebApp>
        <Servlet>
            <Context>/identity/(.*)</Context>
        </Servlet>
    </TenantContextsToRewrite>
    [OPTIONAL]

    web.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/carbon/WEB-INF directory.

    Add the following properties after the CsrfGuardHttpSessionListener.

    <filter>
        <filter-name>CaptchaFilter</filter-name>
        <filter-class>org.wso2.carbon.identity.captcha.filter.CaptchaFilter</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>CaptchaFilter</filter-name>
        <url-pattern>/samlsso</url-pattern>
        <url-pattern>/oauth2</url-pattern>
        <url-pattern>/commonauth</url-pattern>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>REQUEST</dispatcher>
    </filter-mapping>
    [MANDATORY]

    catalina-server.xml file stored in the <PRODUCT_HOME>/repository/conf/tomcat/ directory.

    Add the following valves under the <Host> tag.

    <!-- Authentication and authorization valves for the REST APIs; the contexts they protect are configured in identity.xml -->
    <Valve className="org.wso2.carbon.identity.auth.valve.AuthenticationValve"/>
    <Valve className="org.wso2.carbon.identity.authz.valve.AuthorizationValve"/>
    <Valve className="org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve"/>
    [OPTIONAL]

    carbon.xml file stored in the <PRODUCT_HOME>/repository/conf/ directory.

    Add the following properties after the </Security> tag.

    <HideMenuItemIds>
        <HideMenuItemId>identity_mgt_emailtemplate_menu</HideMenuItemId>
        <HideMenuItemId>identity_security_questions_menu</HideMenuItemId>
    </HideMenuItemIds>
    [OPTIONAL]

    log4j.properties file stored in the <PRODUCT_HOME>/repository/conf/ directory.

    Add the following property.

    log4j.logger.org.springframework=WARN
    [MANDATORY]

    data-agent-config.xml file stored in the <NEW_IS_HOME>/repository/conf/data-bridge directory.

    Add the following properties under the <Agent> ThriftDataEndpoint and under the <Agent> BinaryDataEndpoint tags.

    <!--<sslEnabledProtocols>TLSv1,TLSv1.1,TLSv1.2</sslEnabledProtocols>-->
    <!--<ciphers>SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA</ciphers>-->
    [MANDATORY]

    claim-config.xml file stored in the <NEW_IS_HOME>/repository/conf/ directory.

    Replace the following attribute under the <Claim> tag whose <ClaimURI> is http://wso2.org/claims/locality.

    Replace this attribute:
    <AttributeID>localityName</AttributeID>
     
    with this:
    <AttributeID>local</AttributeID>

    Modify the following claims as follows.

    <Claim>
      <ClaimURI>http://wso2.org/claims/userid</ClaimURI>
      <DisplayName>User ID</DisplayName>
      <AttributeID>scimId</AttributeID>
      <Description>Unique ID of the user</Description>
      <ReadOnly/>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/externalid</ClaimURI>
      <DisplayName>External User ID</DisplayName>
      <AttributeID>externalId</AttributeID>
      <Description>Unique ID of the user used in external systems</Description>
      <ReadOnly/>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/created</ClaimURI>
      <DisplayName>Created Time</DisplayName>
      <AttributeID>createdDate</AttributeID>
      <Description>Created timestamp of the user</Description>
      <ReadOnly/>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/modified</ClaimURI>
      <DisplayName>Last Modified Time</DisplayName>
      <AttributeID>lastModifiedDate</AttributeID>
      <Description>Last Modified timestamp of the user</Description>
      <ReadOnly/>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/location</ClaimURI>
      <DisplayName>Location</DisplayName>
      <AttributeID>location</AttributeID>
      <Description>Location</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/formattedName</ClaimURI>
      <DisplayName>Name - Formatted Name</DisplayName>
      <AttributeID>formattedName</AttributeID>
      <Description>Formatted Name</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/middleName</ClaimURI>
      <DisplayName>Middle Name</DisplayName>
      <AttributeID>middleName</AttributeID>
      <Description>Middle Name</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/honorificPrefix</ClaimURI>
      <DisplayName>Name - Honoric Prefix</DisplayName>
      <AttributeID>honoricPrefix</AttributeID>
      <Description>Honoric Prefix</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/honorificSuffix</ClaimURI>
      <DisplayName>Name - Honoric Suffix</DisplayName>
      <AttributeID>honoricSuffix</AttributeID>
      <Description>Honoric Suffix</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/userType</ClaimURI>
      <DisplayName>User Type</DisplayName>
      <AttributeID>userType</AttributeID>
      <Description>User Type</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/preferredLanguage</ClaimURI>
      <DisplayName>Preferred Language</DisplayName>
      <AttributeID>preferredLanguage</AttributeID>
      <Description>Preferred Language</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/local</ClaimURI>
      <DisplayName>Local</DisplayName>
      <AttributeID>local</AttributeID>
      <Description>Local</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/timeZone</ClaimURI>
      <DisplayName>Time Zone</DisplayName>
      <AttributeID>timeZone</AttributeID>
      <Description>Time Zone</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/emails.work</ClaimURI>
      <DisplayName>Emails - Work Email</DisplayName>
      <AttributeID>workEmail</AttributeID>
      <Description>Work Email</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/emails.home</ClaimURI>
      <DisplayName>Emails - Home Email</DisplayName>
      <AttributeID>homeEmail</AttributeID>
      <Description>Home Email</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/emails.other</ClaimURI>
      <DisplayName>Emails - Other Email</DisplayName>
      <AttributeID>otherEmail</AttributeID>
      <Description>Other Email</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/phoneNumbers</ClaimURI>
      <DisplayName>Phone Numbers</DisplayName>
      <AttributeID>phoneNumbers</AttributeID>
      <Description>Phone Numbers</Description>
      <RegEx>^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$</RegEx>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/phoneNumbers.home</ClaimURI>
      <DisplayName>Phone Numbers - Home Phone Number</DisplayName>
      <AttributeID>homePhone</AttributeID>
      <Description>Home Phone</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/phoneNumbers.work</ClaimURI>
      <DisplayName>Phone Numbers - Work Phone Number</DisplayName>
      <AttributeID>workPhone</AttributeID>
      <Description>Work Phone</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/phoneNumbers.fax</ClaimURI>
      <DisplayName>Phone Numbers - Fax Number</DisplayName>
      <AttributeID>fax</AttributeID>
      <Description>Fax Number</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/phoneNumbers.pager</ClaimURI>
      <DisplayName>Phone Numbers - Pager Number</DisplayName>
      <AttributeID>pager</AttributeID>
      <Description>Pager Number</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/phoneNumbers.other</ClaimURI>
      <DisplayName>Phone Numbers - Other</DisplayName>
      <AttributeID>otherPhoneNumber</AttributeID>
      <Description>Other Phone Number</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/gtalk</ClaimURI>
      <DisplayName>IM - Gtalk</DisplayName>
      <AttributeID>imGtalk</AttributeID>
      <Description>IM - Gtalk</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/skype</ClaimURI>
      <DisplayName>IM - Skype</DisplayName>
      <AttributeID>imSkype</AttributeID>
      <Description>IM - Skype</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/photos</ClaimURI>
      <DisplayName>Photo</DisplayName>
      <AttributeID>photos</AttributeID>
      <Description>Photo</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/photourl</ClaimURI>
      <DisplayName>Photo URIL</DisplayName>
      <AttributeID>photoUrl</AttributeID>
      <Description>Photo URL</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/thumbnail</ClaimURI>
      <DisplayName>Photo - Thumbnail</DisplayName>
      <AttributeID>thumbnail</AttributeID>
      <Description>Photo - Thumbnail</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/addresses</ClaimURI>
      <DisplayName>Address</DisplayName>
      <AttributeID>addresses</AttributeID>
      <Description>Address</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/addresses.formatted</ClaimURI>
      <DisplayName>Address - Formatted</DisplayName>
      <AttributeID>formattedAddress</AttributeID>
      <Description>Address - Formatted</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/streetaddress</ClaimURI>
      <DisplayName>Address - Street</DisplayName>
      <AttributeID>streetAddress</AttributeID>
      <Description>Address - Street</Description>
      <DisplayOrder>5</DisplayOrder>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/addresses.locality</ClaimURI>
      <DisplayName>Address - Locality</DisplayName>
      <AttributeID>localityAddress</AttributeID>
      <Description>Address - Locality</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/groups</ClaimURI>
      <DisplayName>Groups</DisplayName>
      <AttributeID>groups</AttributeID>
      <Description>Groups</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/verifyEmail</ClaimURI>
      <DisplayName>Verify Email</DisplayName>
      <AttributeID>manager</AttributeID>
      <Description>Temporary claim to invoke email verified feature</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/askPassword</ClaimURI>
      <DisplayName>Ask Password</DisplayName>
      <AttributeID>postOfficeBox</AttributeID>
      <Description>Temporary claim to invoke email ask Password feature</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/adminForcedPasswordReset</ClaimURI>
      <DisplayName>Force Password Reset</DisplayName>
      <AttributeID>departmentNumber</AttributeID>
      <Description>Temporary claim to invoke email force password feature</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/entitlements</ClaimURI>
      <DisplayName>Entitlements</DisplayName>
      <AttributeID>entitlements</AttributeID>
      <Description>Entitlements</Description>
    </Claim>
    <Claim>
      <ClaimURI>urn:scim:schemas:core:1.0:roles</ClaimURI>
      <DisplayName>Roles</DisplayName>
      <AttributeID>roles</AttributeID>
      <Description>Roles</Description>
      <DisplayOrder>5</DisplayOrder>
      <SupportedByDefault />
      <MappedLocalClaim>http://wso2.org/claims/role</MappedLocalClaim>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/x509Certificates</ClaimURI>
      <DisplayName>X509Certificates</DisplayName>
      <AttributeID>x509Certificates</AttributeID>
      <Description>X509Certificates</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/failedPasswordRecoveryAttempts</ClaimURI>
      <DisplayName>Failed Password Recovery Attempts</DisplayName>
      <AttributeID>postalCode</AttributeID>
      <Description>Number of consecutive failed attempts done for password recovery</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/emailVerified</ClaimURI>
      <DisplayName>Email Verified</DisplayName>
      <!-- Proper attribute Id in your user store must be configured for this -->
      <AttributeID>postalAddress</AttributeID>
      <Description>Email Verified</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/failedLoginLockoutCount</ClaimURI>
      <DisplayName>Failed Lockout Count</DisplayName>
      <!-- Proper attribute Id in your user store must be configured for this -->
      <AttributeID>employeeNumber</AttributeID>
      <Description>Failed Lockout Count</Description>
    </Claim>

    Remove the following claim.

    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/lastLoginTime</ClaimURI>
      <DisplayName>Last Login</DisplayName>
      <!-- Proper attribute Id in your user store must be configured for this -->
      <AttributeID>carLicense</AttributeID>
      <Description>Last Login Time</Description>
    </Claim>

    Add the following claim.

    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/lastLogonTime</ClaimURI>
      <DisplayName>Last Logon</DisplayName>
      <!-- Proper attribute Id in your user store must be configured for this -->
      <AttributeID>carLicense</AttributeID>
      <Description>Last Logon Time</Description>
    </Claim>

    Replace the following attribute under the <Claim> tag whose <ClaimURI> is http://wso2.org/claims/challengeQuestion1.

    Replace this attribute:
    <AttributeID>localityName</AttributeID>

    with this:
    <AttributeID>firstChallenge</AttributeID>

    Replace the following attribute under the <Claim> tag whose <ClaimURI> is http://wso2.org/claims/challengeQuestion2.

    Replace this attribute:
    <AttributeID>localityName</AttributeID>

    with this:
    <AttributeID>secondChallenge</AttributeID>

    Modify this claim as follows:

    <Claim>
      <ClaimURI>http://wso2.org/claims/active</ClaimURI>
      <DisplayName>Active</DisplayName>
      <AttributeID>active</AttributeID>
      <Description>Status of the account</Description>
    </Claim>
  13. Replace the <NEW_IS_HOME>/repository/conf folder with the modified copy of the <OLD_IS_HOME>/repository/conf folder.

  14. Start the Identity Server 5.3.0 with the following command to perform the data migration for all components. 

    See the notes below to perform migration for individual components or for active tenants only. 

    1. Linux/Unix:

      sh wso2server.sh -Dmigrate -Dcomponent=identity 
    2. Windows:

      wso2server.bat -Dmigrate -Dcomponent=identity 

      Migrate individual components

      Optional: To migrate certain components only, use the relevant command for that component from the list below.

      Warning! Unless specifically required, it is recommended to perform the full data migration by executing the command given above. Component migration is intended for certain special cases only, and may cause errors due to incomplete migration if done incorrectly.

      Identity Database Schema
        Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateIdentityDB
        Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateIdentityDB

      Claim Data
        Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateClaimData
        Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateClaimData

      Email Template Data
        Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateEmailTemplateData
        Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateEmailTemplateData

      Permission Data
        Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigratePermissionData
        Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigratePermissionData

      Challenge Question Data
        Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateChallengeQuestionData
        Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateChallengeQuestionData

      Resident IdP MetaData
        Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateResidentIdpMetaData
        Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateResidentIdpMetaData

      OIDC Scope Data
        Linux/Unix: sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateOIDCScopeData
        Windows:    wso2server.bat -Dmigrate -Dcomponent=identity -DmigrateOIDCScopeData

      Migrate active tenants only

      Optional: If you have any disabled or inactive tenants in your previous version of WSO2 IS that you do not want to bring forward to the next version, do a complete migration for all components with active tenants only.

      Start the server against the migration client jar located in the <IS_HOME>/repository/components/dropins directory using the -DmigrateActiveTenantsOnly flag, as shown below.

      sh wso2server.sh -Dmigrate -Dcomponent=identity -DmigrateActiveTenantsOnly
  15. Once the migration is successful, stop the server and start it again with the appropriate command.
    1. Linux/Unix:

      sh wso2server.sh
    2. Windows:

      wso2server.bat
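The claim-config.xml edits in step 12 are easy to get partly wrong by hand (for example, renaming lastLoginTime but leaving the challenge-question AttributeIDs at localityName), and a wrong AttributeID silently maps a security claim such as the account-lock or challenge-question claim to the wrong user store attribute. The following Python script is an added example, not part of the WSO2 Identity Server migration tooling. It applies the step 12 changes to a copy of the file and verifies the result. It assumes the 5.2.0/5.3.0 claim-config.xml layout (a <Claims> root containing <Dialect dialectURI="..."> elements whose <Claim> children carry <ClaimURI> and <AttributeID>); the embedded sample document is constructed for illustration and contains only the claims this step touches.

```python
"""Apply and verify the claim-config.xml edits from step 12 of the IS 5.2.0 -> 5.3.0 migration.

Added example; not WSO2 code. Assumes the claim-config.xml layout used by
IS 5.2.0/5.3.0. Run with no argument to exercise the constructed sample, or
pass the path of a copy of <OLD_IS_HOME>/repository/conf/claim-config.xml.
"""
import sys
import xml.etree.ElementTree as ET

WSO2_DIALECT = "http://wso2.org/claims"
LAST_LOGIN = "http://wso2.org/claims/identity/lastLoginTime"   # removed in step 12
LAST_LOGON = "http://wso2.org/claims/identity/lastLogonTime"   # added in step 12
PLACEHOLDER = "carLicense"  # attribute the page shows but tells you to replace

# AttributeIDs these claims must carry once the edit is done.
REQUIRED_ATTRIBUTE_IDS = {
    "http://wso2.org/claims/challengeQuestion1": "firstChallenge",
    "http://wso2.org/claims/challengeQuestion2": "secondChallenge",
    "http://wso2.org/claims/active": "active",
}

# Constructed sample of a pre-migration (5.2.0) file, reduced to the claims step 12 edits.
SAMPLE_CLAIM_CONFIG = """<Claims>
  <Dialect dialectURI="http://wso2.org/claims">
    <Claim>
      <ClaimURI>http://wso2.org/claims/identity/lastLoginTime</ClaimURI>
      <DisplayName>Last Login</DisplayName>
      <AttributeID>carLicense</AttributeID>
      <Description>Last Login Time</Description>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/challengeQuestion1</ClaimURI>
      <AttributeID>localityName</AttributeID>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/challengeQuestion2</ClaimURI>
      <AttributeID>localityName</AttributeID>
    </Claim>
    <Claim>
      <ClaimURI>http://wso2.org/claims/active</ClaimURI>
      <DisplayName>Active</DisplayName>
      <AttributeID>active</AttributeID>
      <Description>Status of the account</Description>
    </Claim>
  </Dialect>
</Claims>
"""


def _dialect(root):
    """Return the http://wso2.org/claims <Dialect> element or fail loudly."""
    for dialect in root.findall("Dialect"):
        if dialect.get("dialectURI") == WSO2_DIALECT:
            return dialect
    raise ValueError("no %s dialect in claim-config.xml" % WSO2_DIALECT)


def _claim(dialect, uri):
    """Return the <Claim> whose <ClaimURI> equals uri, or None."""
    for claim in dialect.findall("Claim"):
        if claim.findtext("ClaimURI") == uri:
            return claim
    return None


def apply_step12(xml_text, last_logon_attribute=PLACEHOLDER):
    """Remove lastLoginTime, add lastLogonTime and fix the challenge-question
    AttributeIDs. Returns the rewritten document as a string."""
    root = ET.fromstring(xml_text)
    dialect = _dialect(root)
    old = _claim(dialect, LAST_LOGIN)
    if old is not None:
        dialect.remove(old)
    if _claim(dialect, LAST_LOGON) is None:
        new = ET.SubElement(dialect, "Claim")
        for tag, text in (("ClaimURI", LAST_LOGON), ("DisplayName", "Last Logon"),
                          ("AttributeID", last_logon_attribute),
                          ("Description", "Last Logon Time")):
            ET.SubElement(new, tag).text = text
    for uri, attr in REQUIRED_ATTRIBUTE_IDS.items():
        claim = _claim(dialect, uri)
        if claim is not None:
            node = claim.find("AttributeID")
            if node is None:
                node = ET.SubElement(claim, "AttributeID")
            node.text = attr
    return ET.tostring(root, encoding="unicode")


def verify_step12(xml_text):
    """Return a list of findings; an empty list means the file matches step 12
    and lastLogonTime no longer carries the placeholder attribute."""
    dialect = _dialect(ET.fromstring(xml_text))
    findings = []
    if _claim(dialect, LAST_LOGIN) is not None:
        findings.append("lastLoginTime claim still present")
    logon = _claim(dialect, LAST_LOGON)
    if logon is None:
        findings.append("lastLogonTime claim missing")
    elif logon.findtext("AttributeID") == PLACEHOLDER:
        findings.append("lastLogonTime still uses placeholder AttributeID %r" % PLACEHOLDER)
    for uri, want in REQUIRED_ATTRIBUTE_IDS.items():
        claim = _claim(dialect, uri)
        got = None if claim is None else claim.findtext("AttributeID")
        if got != want:
            findings.append("%s has AttributeID %r, expected %r" % (uri, got, want))
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CLAIM_CONFIG
    updated = apply_step12(source)
    for finding in verify_step12(updated) or ["claim-config.xml matches step 12"]:
        print(finding)
```

Use verify_step12 on the copy of claim-config.xml you intend to place under <NEW_IS_HOME>/repository/conf in step 13; it flags a leftover lastLoginTime claim, a missing lastLogonTime claim, wrong challenge-question AttributeIDs, and the carLicense placeholder the page tells you to replace with the real attribute in your user store. Note that ElementTree drops XML comments when serialising, so treat apply_step12 as a demonstration of the edit and keep the hand-edited file as the one you deploy.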