Migration considerations
You can optimize the migration process by reviewing the migration considerations and taking any actions that apply to your deployment.
Review the following information:
- Limitations and workarounds
- Version 5 data that is not migrated
- Parity between Version 5 and Version 10
- Customizations to recreate
Limitations and workarounds
- For an Admin organization, you must be logged in as
admin
in order to migrate TLS profiles, OAuth providers, and user registries. - The
apicm
login token expires after eight hours. If the token expires whileapicm archive:push
is running,apicm
generates errors due to lack of the necessary access permissions. There are two workarounds:- Log in again and re-run
apicm archive:push
. The token is refreshed with each new login. - Extend the token expiration time by logging in again with an optional argument:
–expireHours=<number_of_hours>
. See Token expiration.
- Log in again and re-run
- When migrating catalog spaces in an provider organization that uses a local user registry (LUR), ensure that the LUR is configured with the visibility setting of either Public or Custom. If set to Custom, ensure that the provider organization is selected. For information on configuring registries, see Setting visibility for a user registry.
- Migration of version 5 username token policy for authenticating the username token is not supported.
- Unable to publish, on version 10, products that contain an API with a Swagger property using
regex that includes "
(?
" in the characters for the pattern. You can expect to see an error message similar to the following:(? The preceding token is not quantifiable
- The migration utility validates Products and APIs against the OpenAPI
specification. The
archive:unpack
command issues warnings for any Product or API that fails validation. To resolve warnings, fix the Product or API an re-run the unpack command. Validation is not performed on draft Products and draft APIs. Example warning:WARN[0019] Error validating product cloud/provider-orgs/onlinebanking/catalogs/test/products/clientipfilter-policy-test-api-1.0.0.yml: Validation errors: Error validating API cloud/provider-orgs/onlinebanking/catalogs/test/products/api123-1.0.0.api.yml - Must validate one and only one schema (oneOf) (context: (root).securityDefinitions, line: 36, col: 3) - securityDefinitions.authorizationUrl Does not match format 'uri' (context: (root).securityDefinitions.authorizationUrl, line: 0, col: 0)
- OAuth Provider APIs:
- To ensure that APIs that use OAuth security definitions are mapped to the corresponding OAuth
Provider APIs in version 10, make sure that either the Authorization URL or the Token URL defined in OAuth
Security Definitions of APIs that use OAuth correctly point to the base path of the OAuth Provider
API. Note that the Migration tool uses that logic to map Consumer APIs to Provider APIs, and adds
x-ibm-oauth-provider
in the OAuth Security Definition of the consumer API. - To verify whether OAuth Provider APIs are migrated correctly, ensure that all the APIs that use
OAuth Security Definition have the new field
x-ibm-oauth-provider
added. Check the value of that field and make sure it points to a correct OAuth Provider resource object that was created and configured in the catalog to which the API is published. - In version 5 OAuth Providers are a specialized type of API that are published within products. In version 10, OAuth Providers are first class objects that are directly published in the provider organization and are not APIs that are published within products. Because of this, it is possible that you may have some version 5 products that only contained OAuth Provider APIs. Since these products do not contain any Open API definitions in version 10, they will not be published because all products in version 10 must contain at least one Open API definition.
- To ensure that APIs that use OAuth security definitions are mapped to the corresponding OAuth
Provider APIs in version 10, make sure that either the Authorization URL or the Token URL defined in OAuth
Security Definitions of APIs that use OAuth correctly point to the base path of the OAuth Provider
API. Note that the Migration tool uses that logic to map Consumer APIs to Provider APIs, and adds
- Automatic migration of vendor extensions is not supported. The version 5
dbextract
output includes the original content of vendor extensions, but this output is not automatically unpacked by theapicm archive:unpack
command. You must use your original zip files when manually configuring vendor extensions in a version 10 environment.Use the CLI to create the extensions you need. See the reference page for apic extensions:create: apic extensions:create.
- Portal Delegated User Registry migration limitations
- Automated migration is not supported for some version 5 PDUR OIDC registries. You must manually supply
the
client_id
andclient_secret
. See Step 6 in Migration steps with PDUR. - LDAP User Registry - automated configuration of the registry is not supported. You can configure manually. See Step 6 in Migration steps with PDUR.
- Automated migration is not supported for some version 5 PDUR OIDC registries. You must manually supply
the
- The SCIM (System for Cross-domain Identity Management) user registry type was supported in
Version 4 but was deprecated for Version 5. The SCIM user registry type is not supported in version 10. If
data with a SCIM identity provider type is detected during migration of version 5 data, the migration
utility logs an error
message:
WARN[0614] manual fix required for cloud/provider-orgs/apimteam/user-registries/scimcv/user-registry.yml: The SCIM user registry type is no longer supported
Any v5 data with a SCIM identity provider type must be manually migrated. For version 10, you can use OIDC with a backend user registry that supports SCIM. You must develop custom code to complete the data flow between the OIDC provider and your backend user registry. The API Connect built-in OIDC registry interacts with your OIDC provider.
- Roles limitations
Previously, in API Connect 5, it was possible to create a role (and associated permissions) at the organization level. This same role was inherited by the catalogs within this org. With the version 5 inheritance model it was possibly to modify the inherited role and add/remove permissions from it.
In API Connect 10 the inheritance model has changed. It is no longer possible to remove permissions from an inherited role. Because of this design change, it becomes difficult to perform a true 1-to-1 migration keeping the original parent-child relationships. For example, in version 5 it was possible for an inherited role to contain less permissions than its parent role. This is parent-child relationship is not allowed to exist for roles in API Connect 10.
In order to work-around this restriction, the parent-child relationship is purposely decoupled during migration. The child-level roles are treated as individual roles, separate from the original parent. However, the child-level roles cannot exist by themselves without a parent role. So, to satisfy this restriction a new artificial parent role is created for each of the children roles.
- Modifications made to default roles in version 5 are not migrated to version 10.
- If the version 5 settings
server_name_indication
andlimit_renegotiation
are not specified, the value defaults totrue
. However if they are specified with value offalse
that value is changed totrue
. Thus the settings are alwaystrue
. - Custom policies and Version 5 emulated policies
For custom policies and Version 5 emulated policies, such as the Invoke 1.5.0 policy, to be available for migrated API or OAuth provider assemblies, the Sandbox Catalog in the target provider organizations must have the associated DataPower® API Gateway service enabled; see Creating and configuring Catalogs.
- Subscriptions on staged products are not be automatically migrated because
in version 10 staged products cannot have subscriptions on them. In order to save those subscriptions you
must change the state of the product to either deprecated or published before doing the
archive:push
. You can do this either in version 5 before runningdbextract
, or you can do it after thedbextract
through mapping or editing of the product metadata and modifying the state of the product. If you have already pushed the staged product then you can publish the product in your version 10 environment and rerunarchive:push
in order to migrate the subscriptions. - The migration utility appends
-apigw
to the end of thex-ibm-name
of APIs to maintain uniqueness from the original version 5 artifacts. Therefore, custom backend services that rely on thex-ibm-name
of the APIs to be matched must be updated to look for-apigw
in the new API name. Alternatively, the custom backend service can be modified to strip-apigw
from the API name.
Version 5 data that is not migrated
- APIs with LTPA policies are not migrated as this policy is not supported in version 10.
- Configuration in version 5 for gateway type
Microgateway
is not migrated becauseMicrogateway
is not supported in version 10. - Transient or conflicting configuration data is not migrated
- Tasks that are still active are not included in the Version 5 backup. For example, lifecycle approvals or subscription approvals that have been requested but not granted.
- Drafts on version 5 that are local are not migrated. If you have draft APIs or draft products that you
want migrated to version 10, use
apic drafts:push
to upload them prior to starting migration. See Working with drafts. - Pending invitees in user registries are not migrated.
- Pending invitations for ownership of provider organization. Consumer organizations with pending
ownership are migrated.
If the Version 5 owner received an invitation for ownership but never accepted it, the owner identity is not migrated. This causes the organization to not be migrated. To avoid this issue, check for any unaccepted invitations prior to migration, and ensure they are accepted.
- Conflicting user names within the same identity provider are not migrated.
- Conflicting OAuth provider names or base paths. If the migration utility encounters conflicting names or base paths for OAuth providers, the provider is not migrated.
- OAuth Shared secret keys are not migrated unless you explicitly map them in the mapping.yml file for the gateway.
-
Organizations without an active owner (user identity) are not migrated
On the Version 5 deployment, verify that the owners of provider organizations and consumer organizations are current user identities. If the user identities of the owners no longer exist the identities are not migrated. One effect of this is that if the original owner of the organization is an identity that was not migrated, the provider organization or consumer organization cannot be migrated.
-
Version 5 Analytics data is not migrated
If you want to retain Version 5 analytics data, offload your Analytics prior to migrating to Version 10. Note that in Version 5 the analytics data is retained only for 90 days. For more information on Version 5 support for archiving Analytics data, see Viewing and exporting analytics and API event data.
Parity between Version 5 and Version 10
- The migration utility sluggifies the names and versions of some elements when moving from version 5 to
version 10 to ensure that each element in version 10 passed Open API schema validation and that each is uniquely
named. For the names of API properties, Catalogs, Provider Orgs, Consumer Orgs, Spaces, and some
other elements, any character other than
a-z
,0-9
, or-
, is converted to-
and a unique suffix based on the checksum of the name or version is added. Uppercase letters are changed to lowercase, with-
added between words. Leading-
characters are removed, and multiple consecutive-
characters are reduced to a single-
. For versions of similar elements , the.
(period) character is also allowed. Examples:Version 5 name Example migrated name on version 10 abc-def
abc-def
(no change)Abc
abc-a2c6
AbcDef
abc-def-dfc
Abc Def
abc-def-1e82
With
sluggify-no-checksum
:abc-def
abc_def
abc-def-c2bb
abc--def
abc-def-813d
-abc-def
abc-def-abb
ABC-DEF
abc-def-d1e
Version 5 version Example version on version 10 1.0.0
1.0.0
(no change)1.0_2
1.0-2-3933
1.0 2
1.0-2-913
1.0--2
1.0-2-5410
-1.0-2
1.0-2-26cf
You can useapicm sluggify <arg>
to view how a name or version will be sluggified:$ ./apicm sluggify Abc abc-a2c6 $ ./apicm sluggify -v 1.0_2 1.0-2-3933 $./apicm sluggify --version '1.0 2' 1.0-2-913
- Version 10 does not support Spaces within the Sandbox Catalog.
Spaces in Sandbox Catalogs are not migrated from Version 5 to Version 10. The names of Spaces found in Version 5 Sandbox Catalogs are logged in the migration output log. You can use a mapping file to rename the Sandbox Catalogs in order to preserve Spaces.
- In version 10, publish of an API will fail if enforced is set to
true
, and phase is set to eitherSpecified
orIdentified
instead ofRealized
. During migration the phase will be set toRealized
in this case, so that the API can be successfully published. - Enforcement of user subscription to an API is handled differently between version 5 and version 10. In version 5,
subscription to a product is not allowed in the following scenario: An API is created with
enforced set to
false
. The API is associated with a product, the product is published, and a user attempts to subscribe to a Product or Plan from the Developer Portal. In version 10, the subscription is allowed for this scenario.This change can affect migration because a version 5 Product that could not be subscribed to in version 5 can be subscribed to in version 10. Note that the change in behavior for version 10 accommodates the scenario where Products or Plans have multiple APIs, some of which are enforced and some of which are not enforced. The new behavior allows such Products or Plans to be subscribed to.
- In version 10, the API Manager handles all authentication methods. This change eliminates the need for configuration of a catalog with a Portal Delegated User Registry (PDUR). See Migration steps with PDUR.
- If OpenAPI
info.contact.email
contains more than one email address, only the first email is used by migration. If the email is not in valid RFC5322 email format then it is removed during migration. - Provider-side applications
In API Connect, registered applications are a fundamental concept representing an application identity known to the system. Applications have their own credential sets in the form of client ID and client secret pairs, and access to published API endpoints is governed by subscriptions associated with registered applications. Most commonly, registered applications are created by app developers belonging to a consumer organization in the context of a developer portal.
However, API Connect 5 also provides the ability for provider organizations to register and manage applications, independent of any consumer organization. Provider-owned apps behave in the same way as consumer-owned apps and carry credentials and subscriptions in exactly the same way. Customers use provider-owned applications for API testing or for cases where the app and API are owned and managed directly by the same team.
The API Connect 10.x platform API does not support the creation of provider-side apps, so migration of provider-side apps is only possible if they are converted to consumer-side apps. Each provider-side app is migrated as follows by the API Connect migration utility:
- An instance of the app including its credentials (sets of client ID and secret) is created in each catalog belonging to the provider organization.
- The app is owned by a consumer organization which is the existing Sandbox Test Organization (for the provider organization's automatically created sandbox catalog) or a consumer organization named Catalog-name Test Organization (for other catalogs).
- The consumer organization's owner is a user named
test-user
. This user name already exists in the context of a provider organization's automatically created sandbox catalog. - The consumer organization's owning user belongs to a user registry named
catalog-name-test-org
. - The subscriptions belonging to the original provider-side app are retained.
cloud/
directory that is produced by theapicm archive:unpack
command. When anapicm archive:push
is performed, the definitions are propagated to the target system as part of the overall configuration.
Customizations to recreate
Version 5 provides methods to customize some configurations. After you complete the automated migration, manually reapply the following customizations.
- Customized email templates
Customized email templates are not migrated from Version 5. You can customize email templates in Version 10 with greater flexibility and precision. See Customizing email templates.
- Developer Portal customizations are not migrated to a new Drupal version
For the Developer Portal, none of the customizations are migrated because the Version 10 Drupal 9 baseline differs greatly from the Version 5 Drupal 7 baseline. This means that custom portal themes, custom modules, custom fields, custom blocks, custom pages, and more, cannot be migrated. For more information, see Migrating your Developer Portal from Version 5 to Version 10.