Migrating token revocation information to DataPower API Gateway
You can use the Token Migration Utility (TMU) to migrate token revocation information from a v5 quota enforcement server (QES) to a gateway-peering cache in v10 DataPower® API Gateway.
Before you begin
Download the TMU from IBM Fix Central. The TMU includes a container image and a separate configuration file.
The TMU requires the following versions of DataPower Gateway on the source and destination servers.
System | Required DataPower Gateway versions |
---|---|
Source | v10.5.0.0 or higher; v10.0.4.0sr1 or higher; v10.0.1.4 or higher; v2018.4.1.16 or higher |
Destination | v10.5.0.4 or higher |
About this task
You can use the TMU to migrate revoked access tokens, revoked refresh tokens, resource owner consent, and, optionally, revoked resource owner consent.
Token migration consists of the following stages:
- Export QES data to a JSON file in the local directory.
- Import QES data into v10 DataPower Gateway from the JSON file.
- Configure a deny list in the v10 token cache.
Attention: Verify that the following requirements are met before you run the TMU.
- Ensure that the DataPower Gateway REST management interface is enabled. For information about enabling the REST management interface and configuring gateway peering for DataPower API Gateway, see Configuring DataPower API Gateway.
- Gateway peering requirements
  - The v10 gateway peering password must be defined.
  - The gateway-peering instance in DataPower Gateway for the internal token store requires that data persists across a restart to prevent data loss. Ensure that this instance is not configured to store data in memory.
- v5 QES configuration requirements
  - Peer group mode must be disabled.
  - The listening server port must use the default value `127.0.0.1:16379`.
  - The v5 QES password must be defined.
Tip:
- The `./tmu` command uses the argument `--stage` or `-s` to indicate the stage of migration to perform.
- Use the `--help` argument to get information about any of the token migration stages.