Exporting and importing of policies in OAM 11g

 

This post covers the commands used to export and import OAM 11g policies. OAM 11g provides this functionality through the WLST scripting tool. This is the only possible approach to automatically export all policies from OAM 11g. The steps below apply to a Linux environment. To export policies:

  1. Go to $ORACLE_HOME/common/bin.
  2. Run ./wlst.sh
  3. connect('weblogic','password','t3://weblogic_host:port')
  4. exportPolicy(pathTempOAMPolicyFile='/app/shared/home/tmweb/Oracle/Middleware_Dev2/oam_policies.xml')

Refer to the screenshot below for the output.

To import policies into the target OAM environment, follow the steps below:

  1. Go to $ORACLE_HOME/common/bin.
  2. Run ./wlst.sh
  3. connect('weblogic','password','t3://weblogic_host:port')
  4. importPolicy(pathTempOAMPolicyFile='/app/shared/home/tmweb/Oracle/Middleware_Dev2/oam_policies.xml')
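
The export and import steps above as one non-interactive WLST script (an added example, not code from the original post): it checks that the OAM commands are actually loaded, which is the NameError reported in the comments, refuses a non-SSL admin URL, and connects with a storeUserConfig() credential pair instead of an inline password. The URL, file paths and function names are assumptions, as is the reliance on WLST exposing its commands as script globals.

```python
# oam_policy_transfer.py (added example, not from the original post)
# Usage: $ORACLE_HOME/common/bin/wlst.sh oam_policy_transfer.py export|import /abs/oam_policies.xml
# Assumed: the URL and paths below; credential pair made with storeUserConfig().
import sys

ADMIN_URL = 't3s://weblogic_host:port'            # placeholder SSL/admin port
USER_CONFIG = '/home/oracle/.wlst/config.secure'  # hypothetical path
USER_KEY = '/home/oracle/.wlst/key.secure'        # hypothetical path
COMMANDS = {'export': 'exportPolicy', 'import': 'importPolicy'}

def preflight(mode, admin_url, wlst_names):
    """Return the reasons not to proceed; an empty list means go."""
    problems = []
    command = COMMANDS.get(mode)
    if command is None:
        problems.append("mode must be 'export' or 'import'")
    elif command not in wlst_names:
        # Same condition as the NameError in the comments: the wlst.sh under
        # WL_HOME/common/bin does not define the OAM commands.
        problems.append(command + ' is not defined; start wlst.sh from '
                        'ORACLE_HOME/common/bin')
    if not admin_url.startswith('t3s://'):
        problems.append('admin URL is not t3s://; WLST warns that such a '
                        'connection has no on-the-wire security')
    return problems

def main(argv, wlst_names):
    if len(argv) != 3:
        sys.stderr.write('usage: wlst.sh SCRIPT export|import /abs/file.xml\n')
        return 2
    mode, policy_file = argv[1], argv[2]
    problems = preflight(mode, ADMIN_URL, wlst_names)
    for reason in problems:
        sys.stderr.write('refusing to run: ' + reason + '\n')
    if problems:
        return 1
    # Credentials come from the encrypted files, not from a typed password.
    wlst_names['connect'](userConfigFile=USER_CONFIG, userKeyFile=USER_KEY,
                          url=ADMIN_URL)
    try:
        wlst_names[COMMANDS[mode]](pathTempOAMPolicyFile=policy_file)
    finally:
        wlst_names['disconnect']()
    return 0

# Accept both values: WLST is commonly reported to run scripts as 'main'.
if __name__ in ('main', '__main__'):
    sys.exit(main(sys.argv, globals()))
```
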

The exported policies XML file (oam_policies.xml in this case) contains the following data:

  1. Authentication schemes
  2. Host identifiers
  3. Application domains: resources, authentication/authorization policies, etc.

Once the policies are imported into the target OAM server, the application domains, authentication schemes and host identifiers will be created or updated. Note that the IAMSuiteAgent application domain also gets imported into the target OAM server; this does not harm the OAM setup.

The same policies file can be imported multiple times without any issues.

Hope this post helps.

About the Author Mahendra

I am engulfed in the Oracle Identity & Access Management domain. I have expertise in providing optimized solutions for user provisioning, web access management, Single Sign-On, federation capabilities, etc. I am also well versed in complex integrations within Identity Management and other product domains. I have expertise in building demos and implementation experience with the products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory, etc. Look @ my blog: http://talkidentity.blogspot.com


23 comments
mike says May 11, 2012

Have you seen this output before? I get the same response with multiple servers and different environments (PROD, TEST, etc)

wls:/test_sso_domain/serverConfig> exportPolicy(pathTempOAMPolicyFile='/u01/app/oracle/admin/test_sso_domain/mserver/test_sso_domain/policy-export.xml')
Traceback (innermost last):
File "", line 1, in ?
NameError: exportPolicy
wls:/test_sso_domain/serverConfig>

Mahendra says May 12, 2012

Please make sure to run wlst.sh from the ORACLE_HOME/common/bin folder.

Manal says June 1, 2012

I am running it from the ORACLE_HOME/common/bin folder but I'm still getting an error:

wls:/idm_domain/serverRuntime> exportPolicy(pathTempOAMPolicyFile='/odrive/oracle/temp/policies.xml')
Traceback (innermost last):
File "", line 1, in ?
NameError: exportPolicy

Mahendra says June 1, 2012

I have executed it just now from $ORACLE_HOME/common/bin.

Looks like you are executing something else after connecting and before exportPolicy. In my case it is wls:/base_domain/serverConfig, in your case wls:/idm_domain/serverRuntime.

wls:/base_domain/serverConfig> exportPolicy(pathTempOAMPolicyFile='/app/shared/home/tmweb/Oracle/Middleware_Dev2/oam_policies_latest.xml')
Successfully exported policies. Check log file for details.
wls:/base_domain/serverConfig>

Manal says June 1, 2012

I was trying something else in the above example. I did this and it still does not work:

bash-3.00$ /odrive/oracle/Middleware/wlserver_10.3/common/bin/wlst.sh

wls:/offline> connect('weblogic','password','host:port')
Connecting to t3://www.localcorp.biz:7001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'idm_domain'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

wls:/idm_domain/serverConfig> exportPolicy(pathTempOAMPolicyFile='/odrive/oracle/temp/policies.xml')
Traceback (innermost last):
File "", line 1, in ?
NameError: exportPolicy

Mahendra says June 1, 2012

You are executing wlst.sh from WL_HOME/common/bin. It should be executed from ORACLE_HOME/common/bin.

aengineer says October 31, 2012

When we do an export of policy data, we get multiple files. For example, if we run:
exportPolicy(pathTempOAMPolicyFile='/tmp/oam_policies.xml');

we get 5 additional files with names of the form:
oam_policies.xml.@.1
through
oam_policies.xml.@.5

What are these additional files and are they needed for the import?

Thanks
Aspi Engineer

aengineer says October 31, 2012

The formatting for my last post was lost.

The 5 files have the naming convention:
oam_policies.xml.NNN@MACHINE-NAME.1
through
oam_policies.xml.NNN@MACHINE-NAME.5

Mahendra says November 2, 2012

@Aspi Engineer,

Those files are not required for import.

Viruls says July 30, 2013

I created a Join Adapter (AD-OID) and now my OVD is the default user store. Let's say myOrgPerson (similar to inetOrgPerson) is my custom objectclass in which myDepartmentName is the attribute.

My question is: how can I create a condition of type attribute in an Authorization Policy to compare the attribute value with "IT"?

Thanks in advance.

Mahendra says July 30, 2013

Is it OAM 10g or 11g? In 10g, you can add the object class to Identity system and specify the rule in authorization rule of policy domain.

Viruls says July 30, 2013

Mine is OAM 11g.

Viruls says July 30, 2013

Hi Mahendra,

Thanks for quick reply.

I am using OAM 11gR2.

Or else, can I create a condition of type attribute in an Authorization Policy to compare the attribute "employeeTpe" (which is not a custom attribute) with the attribute value "Permanent"?

And one more question: is it possible to set the AD password in response headers in an Authorization policy? Previously I mentioned that I am using OVD as the default user store, which points to a Join adapter (AD-OID); here OID is the primary adapter and AD is the bind adapter.

Thanks in Advance.

Mahendra says July 31, 2013

I'm not sure how you do it in 11gR2. Why do you want to send the password in response headers? Isn't it a security risk?

ggadax says January 20, 2014

Hi Mahendra,

What if I would like to change something in the file produced by the export and import the changed file?
In particular, I have to move policies from one environment to another, and for some policies I will have to change the authentication scheme.

thanks

kind regards
Giovanni

ssrir says May 29, 2015

Hi Mahendra, I am trying to import partners using wlst tool in OAM 11.1.2.2.0. I am running it from ORACLE_HOME/common/bin and it goes well successfully. However, I do not see any change in oam-config.xml. There is no entry for any SSO Agents created. But, the artifacts are generated.

ssrir says May 29, 2015

I am also able to see the list of webgate instances under SSO agents in the console.

Mahendra says May 29, 2015

Hi,

Do you see the agents in the OAM console? If you don't see them in the OAM console either, try to run the import again. Do you see any errors while running the import command?

Thanks
Mahendra

Surya Chirravuri says January 12, 2016

Hi, I ran importConfig and it hung. Any idea why that would happen and how to prevent data inconsistency?

    Atul Kumar says January 20, 2016

    @Surya logs should tell you that. Did you look into the log?
