Introduction

  • The JS7 - Identity Services provide local management of user accounts for authentication and authorization.
  • The JS7 - Shiro Identity Service was a built-in service available from the JOC Cockpit.
    • The Shiro Identity Service was available for early releases of JS7.
    • The Shiro Identity Service has been discontinued, ending with release 2.4.0.
  • The JS7 - Shiro Identity Service Migration Tool is available for users who upgrade from early JS7 2.0, 2.1 releases and from JS1 1.12, 1.13 releases.
    • A Shiro Identity Service configuration will be migrated to a JS7 - JOC Identity Service.
    • Migration tools will remain in place and can be applied throughout future JS7 2.x releases independently of the fact that the Shiro Identity Service has been discontinued.

When to migrate

  • Users of JS7:
    • JS7 releases up to 2.3 can be operated with an existing Shiro Identity Service configuration.
    • Later JS7 releases require migration of the Shiro Identity Service configuration.
  • Users of JS1:
    • Users of JS1 releases 1.12 and 1.13 who migrate to JS7 should apply the migration procedure.

What to migrate

The following applies for use of Shiro with releases 1.12, 1.13, 2.0, 2.1, 2.2:

  • The JOC Cockpit stores user accounts, hashed passwords and role assignments
    • in its database and
    • in the JETTY_BASE/resources/joc/shiro.ini.active file (for information purposes).
      • Users can create a copy of the shiro.ini.active file, add their modifications and submit changes by renaming the file to shiro.ini.
      • With the next login of a user the shiro.ini file will be applied and its contents are added to the JS7 database.
      • As a result of this operation the shiro.ini file is renamed to shiro.ini.active. A previously available shiro.ini.active file is renamed to shiro.ini.backup.
  • The migration procedure includes specifying the location of the shiro.ini.active file or a file with an arbitrary name holding the latest Shiro configuration.

How to migrate

For migration purposes the JS7 Identity Service management script is used: joc_manage_identity_service.sh|.cmd

The script is executed in the JS7 environment to which the Shiro configuration should be migrated. The script is available from:

  • JETTY_HOME/install/joc_manage_identity_service.sh |.cmd
  • If not otherwise specified during installation then the JETTY_HOME directory defaults to:
    • /opt/sos-berlin.com/js7/joc (for Unix environments)
    • Program Files\sos-berlin.com\js7\joc (for Windows environments)

The management script is invoked like this:

Run the management script for Shiro migration with Unix:

    /opt/sos-berlin.com/js7/joc/install/joc_manage_identity_service.sh import <shiro-configuration-file>

Run the management script for Shiro migration with Windows:

    "C:\Program Files\sos-berlin.com\js7\joc\install\joc_manage_identity_service.cmd" import <shiro-configuration-file>

The <shiro-configuration-file> specifies the file holding the latest Shiro configuration which is to be migrated: see What to migrate. Users can copy the file to their JS7 environment. A connection to the JobScheduler installation which the Shiro configuration is being migrated from is not required.

Execution of the management script performs the following operations in JS7:

  • Add an Identity Service with Service Type JOC and the name JOC-FROM-SHIRO:
    • For each LDAP realm included with the <shiro-configuration-file> a corresponding Identity Service is created from the name of the LDAP realm.
  • Populate roles of the JOC-FROM-SHIRO Identity Service:
    • Any roles and permissions from the <shiro-configuration-file> are added to the JOC-FROM-SHIRO Identity Service.
  • Populate accounts of the JOC-FROM-SHIRO Identity Service:
    • Any user accounts from the <shiro-configuration-file> are added to the JOC-FROM-SHIRO Identity Service.
    • This includes adding assignments of roles to user accounts provided that assignments and roles are specified.
    • This includes adding hashed passwords stored in the <shiro-configuration-file>.
      • JS7 implements its own password hashing algorithm. However, password hashes migrated from Shiro can be used with JS7.
      • When a user changes the password then the JS7 password hashing algorithm is applied.
      • This procedure is intended for smooth migration which does not force users to change passwords.
  • Should the management script find existing configuration items with the same name in the JOC-FROM-SHIRO Identity Service, for example, matching names of roles or user accounts, then they will not be overwritten from the <shiro-configuration-file>.
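
A pre-import review of the <shiro-configuration-file>, as an added example that is not part of the JS7 documentation or the management script: it lists the accounts, the accounts whose password field is not a Shiro hash, and role assignments that name a role the file does not define. It assumes the standard Apache Shiro INI layout ([users] lines of the form account = password, role, ... and a [roles] section) and the $shiro1$ hash format; the function names and the sample file are constructed for illustration.

```python
import re

# Shiro1 crypt format: $shiro1$<algorithm>$<iterations>$<base64 salt>$<base64 digest>
SHIRO1 = re.compile(r"^\$shiro1\$[\w-]+\$\d+\$[A-Za-z0-9+/=]*\$[A-Za-z0-9+/=]+$")

def parse_sections(text):
    """Parse Shiro INI text into {section: {key: value}} (hypothetical helper)."""
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # base64 padding '=' stays in value
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """Report what an import would carry over and what deserves a look first."""
    sections = parse_sections(text)
    defined = set(sections.get("roles", {}))
    report = {"accounts": [], "no_shiro1_hash": [], "undefined_roles": {}}
    for account, value in sections.get("users", {}).items():
        fields = [f.strip() for f in value.split(",")]
        password, roles = fields[0], [r for r in fields[1:] if r]
        report["accounts"].append(account)
        if not SHIRO1.match(password):
            report["no_shiro1_hash"].append(account)  # empty or clear text
        missing = sorted(set(roles) - defined)
        if missing:
            report["undefined_roles"][account] = missing
    return report

# Constructed sample, not taken from a real installation.
SAMPLE = r"""
[users]
root = $shiro1$SHA-512$500000$c2FsdA==$aGFzaA==, all
ops = secret, it_operator, auditor
[roles]
all = example:all
it_operator = example:view, \
              example:edit
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it against a copy of shiro.ini.active before the import; accounts reported under no_shiro1_hash hold a password field that is empty or stored in clear text in the file.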

If things go terribly wrong then refer to the JS7 - Rescue in case of lost access to JOC Cockpit article.