Oracle® Application Server Upgrade and Compatibility Guide 10g (10.1.4.0.1) for Microsoft Windows Part Number B28235-01 |
This appendix describes how to upgrade to Oracle Identity Management 10g (10.1.4.0.1) in an Oracle Internet Directory replicated environment.
Refer to the following sections for more information:
Task 2: Prepare for the Oracle Identity Management Multimaster or Fan-Out Replication Upgrade
Task 3: Perform the Oracle Internet Directory Replica Upgrade
Review the following prerequisites and requirements before proceeding with the upgrade procedures in this chapter:
Valid Starting Points When Upgrading a Replication Environment
Understanding the Proper Order of Upgrades in a Replication Environment
Oracle Recommendations When Upgrading a Replication Environment
In this chapter, the destination replica is the newly installed and upgraded 10g (10.1.4.0.1) replica; the source replica is the 10g Release 2 (10.1.2) replica you are upgrading.
The upgrade procedures in this chapter are designed for administrators who have installed and configured an Oracle Internet Directory 10g (9.0.4), 10g Release 2 (10.1.2.0.2), or 10g Release 2 (10.1.2.1.0) multimaster or fan-out replication environment.
This chapter assumes that the Oracle Identity Management components in the replication environment are distributed. In other words, you have installed the Oracle Internet Directory (and optionally Oracle Directory Integration Platform) components in one or more Oracle homes, and you installed the Oracle Application Server Single Sign-On and Oracle Delegated Administration Services components in one or more additional Oracle homes.
Figure A-1 shows a typical Oracle Identity Management 10g Release 2 (10.1.2) multimaster replication environment, which is described in detail in "Deploying Identity Management with Multimaster Replication," in the 10g Release 2 (10.1.2) Oracle Application Server High Availability Guide.
Figure A-1 A Typical Oracle Identity Management 10g Release 2 (10.1.2) Multimaster Replication Environment
Information about deploying Oracle Identity Management with fan-out replication can be found in the Oracle Application Server 10g Release 2 (10.1.2) Oracle Identity Management Concepts and Deployment Planning Guide, which is available in the Oracle Application Server 10g Release 2 (10.1.2) documentation library.
Oracle recommends that you first upgrade the Oracle Internet Directory and Oracle Directory Integration Platform Oracle homes on all replicas to 10g (10.1.4.0.1). Then, after the Oracle Internet Directory installations are upgraded, upgrade the OracleAS Single Sign-On and Oracle Delegated Administration Services components of Oracle Identity Management.
Oracle Corporation recommends the following during the upgrade procedure:
After you upgrade the destination replica, disable replication between the destination replica and the source replica. The destination replica can receive and process changes from the source replica, but the source replica cannot process changes that originated at, or were received from, the destination replica.
The replication environment can be a Single Master (that is, only one replica is set to read and write, and all others are set to read only).
Before you begin upgrading Oracle Internet Directory in a replicated environment, you must perform the following steps for all replicas other than the Master Definition Site (MDS) replica or the primary supplier replica:
Locate the database registration entry of the database of the replica to be upgraded.
SOURCE_ORACLE_HOME\bin\ldapsearch -h hostname_of_replica_being_upgraded -p port -D cn=orcladmin -w superuser_password -b "cn=oraclecontext" -s one "(objectclass=orcldbserver)" dn
This command returns a list of Distinguished Names (DNs) corresponding to all the databases registered in Oracle Internet Directory, in the following form:
cn=database_name,cn=oraclecontext
From the returned list of entries, locate and make a note of the DN of the following entry, which corresponds to the replica being upgraded:
cn=dbname_of_replica_to_be_upgraded,cn=oraclecontext
Identify the replica ID of the replica to be upgraded by issuing the following command:
SOURCE_ORACLE_HOME\bin\ldapsearch -h hostname_of_replica_being_upgraded -p port -D cn=orcladmin -w superuser_password -b "" -s base "(objectclass=*)" orclreplicaid
Modify the seeAlso attribute of the replica subentry so that it points to the database you are about to upgrade.
The seeAlso attribute is a standard Oracle Internet Directory attribute. For more information, see the "Attribute Reference" in the Oracle Identity Management User Reference.
To modify the seeAlso attribute:
Create a file, for example mod.ldif, with the following contents:
#File Name : mod.ldif
dn: orclreplicaid=replicaid_from_step_2,cn=replication configuration
changetype: modify
replace: seeAlso
#The DN used in the seeAlso attribute is obtained in Step #1.
seeAlso: cn=dbname_of_replica_being_upgraded,cn=oraclecontext
Modify the replica subentry using the ldapmodify command.
SOURCE_ORACLE_HOME\bin\ldapmodify -h hostname_of_replica_being_upgraded -p port -D superuser_DN -w superuser_password -v -f mod.ldif
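The three preparation steps above (find the database registration DN, read orclreplicaid from the root DSE, write mod.ldif) are easy to get wrong by hand, so here is an added example, not part of the Oracle guide, that parses the two ldapsearch outputs and generates mod.ldif, refusing to proceed if the replica's database is not among the registered entries. The sample outputs, hostnames and database names are constructed for the example; Oracle's ldapsearch prints attributes as attr=value by default, and the parser also accepts attr: value.

```python
"""Generate mod.ldif for the seeAlso update of a replica subentry (added example)."""
import re
from typing import List, Optional

# Constructed sample output of:
#   ldapsearch ... -b "cn=oraclecontext" -s one "(objectclass=orcldbserver)" dn
DBSERVER_SEARCH_OUTPUT = """\
cn=orcl01,cn=oraclecontext

cn=orcl03,cn=oraclecontext

cn=asdb,cn=oraclecontext
"""

# Constructed sample output of:
#   ldapsearch ... -b "" -s base "(objectclass=*)" orclreplicaid
# (the root DSE has an empty DN, hence the blank first line)
ROOTDSE_SEARCH_OUTPUT = """\

orclreplicaid=stakb03_orcl03
"""


def parse_dbserver_dns(output: str) -> List[str]:
    """Return the DNs listed by the orcldbserver search (one per non-blank line)."""
    return [line.strip() for line in output.splitlines()
            if line.strip().lower().startswith("cn=")]


def find_db_dn(dns: List[str], dbname: str) -> Optional[str]:
    """Pick the registration entry for the replica's database (case-insensitive)."""
    wanted = f"cn={dbname},cn=oraclecontext".lower()
    for dn in dns:
        if dn.lower().replace(" ", "") == wanted:
            return dn
    return None


def parse_replica_id(output: str) -> Optional[str]:
    """Extract orclreplicaid from the root DSE search output (attr=value or attr: value)."""
    m = re.search(r"^orclreplicaid\s*[:=]\s*(\S+)\s*$", output,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def build_seealso_ldif(replica_id: str, db_dn: str) -> str:
    """Return the mod.ldif content: replace seeAlso on the replica subentry."""
    return (f"dn: orclreplicaid={replica_id},cn=replication configuration\n"
            "changetype: modify\n"
            "replace: seeAlso\n"
            f"seeAlso: {db_dn}\n")


def prepare_mod_ldif(dbserver_output: str, rootdse_output: str, dbname: str) -> str:
    """Combine both searches into mod.ldif; fail loudly rather than write a bad DN."""
    dns = parse_dbserver_dns(dbserver_output)
    db_dn = find_db_dn(dns, dbname)
    if db_dn is None:
        raise ValueError(f"no orcldbserver registration for {dbname!r}; found: {dns}")
    replica_id = parse_replica_id(rootdse_output)
    if not replica_id:
        raise ValueError("orclreplicaid not found in root DSE output")
    return build_seealso_ldif(replica_id, db_dn)


if __name__ == "__main__":
    print(prepare_mod_ldif(DBSERVER_SEARCH_OUTPUT, ROOTDSE_SEARCH_OUTPUT, "orcl03"))
```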
Navigate to the following directory and locate the ias.properties file:
SOURCE_ORACLE_HOME\config
Open the ias.properties file and verify that the properties shown in Table A-1 are correct and valid.
Make sure the Oracle Internet Directory server is up and running.
To verify that Oracle Internet Directory is running, enter one of the following commands.
If you are running Oracle Internet Directory on a non-secure port:
SOURCE_ORACLE_HOME\bin\ldapbind -p Non-SSL_port
If you are running Oracle Internet Directory on a secure port:
SOURCE_ORACLE_HOME\bin\ldapbind -p SSL_port -U 1
These commands should return a "bind successful" message.
If you are upgrading a 10g (9.0.4) replication environment, verify that the tnsnames.ora file contains only one alias for the local database.
For example, the tnsnames.ora file might contain two entries for a database called ORCL03, as in the following example:
ORCL03 =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP) (HOST = stakb03.acme.com) (PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = orcl03.acme.com)))
ORCL03.US.ORACLE.COM =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP) (HOST = stakb03.acme.com) (PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = orcl03.us.oracle.com)))
In this example, remove the second, fully-qualified entry for the local database before you begin the upgrade procedure. After the upgrade is complete, you can add the fully qualified database name alias back to the tnsnames.ora file.
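The duplicate-alias check above is worth automating on each 10g (9.0.4) replica before the upgrade. The following added example (not from the Oracle guide) parses a tnsnames.ora, groups aliases that resolve to the same host, port and database, and reports every alias other than the short one so it can be removed. The sample file is constructed and modelled on the ORCL03 entries shown above; the LISTENER_ORCL03 entry is included to show that an alias without CONNECT_DATA is not flagged.

```python
"""Find extra aliases for the local database in tnsnames.ora (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample tnsnames.ora, modelled on the ORCL03 example above.
TNSNAMES_SAMPLE = """\
# constructed sample for the example
ORCL03 =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP) (HOST = stakb03.acme.com) (PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = orcl03.acme.com)))
ORCL03.US.ORACLE.COM =
  (DESCRIPTION =
    (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP) (HOST = stakb03.acme.com) (PORT = 1521)))
    (CONNECT_DATA = (SERVICE_NAME = orcl03.us.oracle.com)))
LISTENER_ORCL03 =
  (ADDRESS = (PROTOCOL = TCP) (HOST = stakb03.acme.com) (PORT = 1521))
"""

# An alias definition starts a line: NAME = ( ...   (nested lines start with "(")
_ALIAS_RE = re.compile(r"^[ \t]*([A-Za-z0-9_.]+)[ \t]*=", re.MULTILINE)


def parse_tnsnames(text: str) -> Dict[str, str]:
    """Split tnsnames.ora into {ALIAS: descriptor text}; descriptors may span lines."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    entries: Dict[str, str] = {}
    matches = list(_ALIAS_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        entries[m.group(1).upper()] = text[m.end():end].strip()
    return entries


def describe(descriptor: str) -> Dict[str, str]:
    """Pull HOST, PORT and SERVICE_NAME/SID out of one descriptor (lower-cased)."""
    info: Dict[str, str] = {}
    for key in ("HOST", "PORT", "SERVICE_NAME", "SID"):
        m = re.search(rf"\(\s*{key}\s*=\s*([^)\s]+)\s*\)", descriptor, re.IGNORECASE)
        if m:
            info[key] = m.group(1).lower()
    return info


def _db_key(info: Dict[str, str]) -> Tuple[str, str, str]:
    """Identity of the database an alias points at: host, port, first service label."""
    svc = info.get("SERVICE_NAME") or info.get("SID") or ""
    return (info.get("HOST", ""), info.get("PORT", ""), svc.split(".")[0])


def duplicate_aliases(text: str, local_db: str) -> List[str]:
    """Return aliases that resolve to the same database as the short alias local_db."""
    keep = local_db.upper()
    entries = {alias: describe(desc) for alias, desc in parse_tnsnames(text).items()}
    if keep not in entries:
        raise ValueError(f"alias {keep} not found in tnsnames.ora")
    target = _db_key(entries[keep])
    if not target[2]:
        raise ValueError(f"alias {keep} has no SERVICE_NAME or SID")
    return [a for a, info in entries.items() if a != keep and _db_key(info) == target]


if __name__ == "__main__":
    print("remove before upgrade:", duplicate_aliases(TNSNAMES_SAMPLE, "ORCL03"))
```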
If you are upgrading from 10g (9.0.4), then perform the following steps to add required entries to the Oracle Internet Directory server:
Create an LDIF file, for example add.ldif, with the contents shown in Example A-1.
Start a second instance of the Oracle Internet Directory server with "change log generation disabled" as shown below.
Note that this example assumes that the second instance is not in use and port 4444 is not used by any process.
oidctl connect=connect_string_of_db server=oidldapd instance=2 flags="-p 4444 -l false" start
Add the entries defined in the ldif file you created in Step 8 by using the ldapadd tool as shown below. To add these entries, you must use the port used for the LDAP server you started in Step b.
This example assumes that the LDAP server you started in Step 8 is listening at port 4444.
ldapadd -p 4444 -h hostname -D cn=orcladmin -w password -f ldif_filename -c
For example:
ldapadd -p 4444 -h mgmt42.acme.com -D cn=orcladmin -w m03kslj -f add.ldif -c
Stop the second LDAP server as shown below.
This example assumes that the instance number used for the second instance was 2.
oidctl connect=connect_string_of_db server=oidldapd instance=2 stop
Table A-1 Properties to Verify in ias.properties Before Replication Upgrade
Property Name | Correct Value Before Replication Upgrade |
---|---|
 | True |
 | host name of replica |
 | port of replica |
 | SSL port for replica |
Example A-1 Contents of LDIF File Used to Prepare for Replication Upgrade
#File Name : add.ldif
################################
# Event Type Configuration
################################
dn: cn=ProvisioningEventTypeConfig,cn=odi,cn=oracle internet directory
changetype: add
cn: ProvisioningEventTypeConfig
orclaci: access to entry by group="cn=Provisioning Admins, cn=changelog subscriber,cn=oracle internet directory" (browse,add,delete)
orclaci: access to attr=(*) by group="cn=Provisioning Admins, cn=changelog subscriber,cn=oracle internet directory" (read,search,write,compare)
objectclass: orclContainer

dn: orclODIPProvEventObjectType=ENTRY,cn=ProvisioningEventTypeConfig,cn=odi,cn=oracle internet directory
changetype: add
orclODIPProvEventObjectType: ENTRY
orclODIPProvEventLDAPChangeType: Add
orclODIPProvEventLDAPChangeType: Modify
orclODIPProvEventLDAPChangeType: Delete
orclODIPProvEventCriteria: objectclass=*
objectclass: orclODIPProvEventTypeConfig

dn: orclODIPProvEventObjectType=USER,cn=ProvisioningEventTypeConfig,cn=odi,cn=oracle internet directory
changetype: add
orclODIPProvEventObjectType: USER
orclODIPProvEventLDAPChangeType: Add
orclODIPProvEventLDAPChangeType: Modify
orclODIPProvEventLDAPChangeType: Delete
orclODIPProvEventCriteria: objectclass=InetOrgPerson
orclODIPProvEventCriteria: objectclass=orclUserV2
objectclass: orclODIPProvEventTypeConfig

dn: orclODIPProvEventObjectType=IDENTITY,cn=ProvisioningEventTypeConfig,cn=odi,cn=oracle internet directory
changetype: add
orclODIPProvEventObjectType: IDENTITY
orclODIPProvEventLDAPChangeType: Add
orclODIPProvEventLDAPChangeType: Modify
orclODIPProvEventLDAPChangeType: Delete
orclODIPProvEventCriteria: objectclass=InetOrgPerson
orclODIPProvEventCriteria: objectclass=orclUserV2
objectclass: orclODIPProvEventTypeConfig

dn: orclODIPProvEventObjectType=GROUP,cn=ProvisioningEventTypeConfig,cn=odi,cn=oracle internet directory
changetype: add
orclODIPProvEventLDAPChangeType: Add
orclODIPProvEventLDAPChangeType: Modify
orclODIPProvEventLDAPChangeType: Delete
orclODIPProvEventCriteria: objectclass=orclGroup
orclODIPProvEventCriteria: objectclass=orclPrivilegeGroup
orclODIPProvEventCriteria: objectclass=groupOfUniqueNames
orclODIPProvEventCriteria: objectclass=groupofNames
objectclass: orclODIPProvEventTypeConfig

dn: orclODIPProvEventObjectType=SUBSCRIPTION,cn=ProvisioningEventTypeConfig,cn=odi,cn=oracle internet directory
changetype: add
orclODIPProvEventObjectType: SUBSCRIPTION
orclODIPProvEventLDAPChangeType: Add
orclODIPProvEventLDAPChangeType: Modify
orclODIPProvEventLDAPChangeType: Delete
orclODIPProvEventCriteria: objectclass=orclServiceSubscriptionDetail
objectclass: orclODIPProvEventTypeConfig

dn: orclODIPProvEventObjectType=SUBSCRIBER,cn=ProvisioningEventTypeConfig,cn=odi,cn=oracle internet directory
changetype: add
orclODIPProvEventObjectType: SUBSCRIBER
orclODIPProvEventLDAPChangeType: Add
orclODIPProvEventLDAPChangeType: Modify
orclODIPProvEventLDAPChangeType: Delete
orclODIPProvEventCriteria: objectclass=orclSubscriber
objectclass: orclODIPProvEventTypeConfig

######################################################################
# DIPADMIN Account
######################################################################
dn: cn=dipadmin,cn=odi,cn=oracle internet directory
changetype: add
cn: dipadmin
sn: dipadmin
description: DIP Administrator Identity in OID
objectclass: person

######################################################################
# DIPADMIN Group
######################################################################
dn: cn=dipadmingrp,cn=odi,cn=oracle internet directory
changetype: add
cn: dipadmin
owner: cn=dipadmin,cn=odi,cn=oracle internet directory
uniquemember: cn=orcladmin
uniquemember: cn=dipadmin,cn=odi,cn=oracle internet directory
description: DIP Administrator Group in OID
objectclass: groupOfUniqueNames
objectclass: orclprivilegegroup

######################################################################
# ODIPGROUP getting recreated here from 904 (Had been removed in 902*)
######################################################################
dn: cn=odipgroup,cn=odi,cn=oracle internet directory
changetype: add
cn: odipgroup
objectclass: top
objectclass: groupofUniquenames
objectclass: orclprivilegegroup
uniquemember: cn=orcladmin
orclaci: access to entry by group="cn=dipadmingrp,cn=odi,cn=oracle internet directory" (browse) by * (none)
orclaci: access to attr=(uniquemember) by group="cn=dipadmingrp,cn=odi,cn=oracle internet directory" (search,read,write,compare) by * (none)

dn: cn=odisgroup,cn=odi,cn=oracle internet directory
changetype: add
cn: odisgroup
objectclass: top
objectclass: groupofUniquenames
objectclass: orclprivilegegroup
uniquemember: cn=orcladmin
orclaci: access to entry by * (none)
orclaci: access to attr=(*) by * (none)
You can upgrade one replica at a time, or all of the replicas simultaneously. Refer to the following sections for more information:
Upgrading one computer at a time in a replicated environment ensures that Oracle Internet Directory is available during the upgrade for additions, modifications, and searching. When you use this method, only the replica you are upgrading is down. The other replicas continue to run and are available to your users.
Upgrading multiple replicas simultaneously ensures that the entire network is upgraded without a transient stage. The procedure is simpler than upgrading one replica at a time, but involves directory service downtime.
Follow these steps to upgrade one replica at a time:
Make sure you have completed the procedure in Section A.2, "Task 2: Prepare for the Oracle Identity Management Multimaster or Fan-Out Replication Upgrade".
Identify the replica to be upgraded.
The replica can be an LDAP-based partial or fan-out replica, or it can be an Oracle Advanced Replication (ASR) based multimaster replica.
See Also: "Directory Replication Concepts" in the Oracle Internet Directory Administrator's Guide
Stop the replication server on the replica to be upgraded.
SOURCE_ORACLE_HOME\oidctl connect=db_connect_string server=OIDREPLD instance=1 flags="-p port_at_which_ldap_server_is_listening" stop
See Also: "Oracle Identity Management Server Administration Tools" in the Oracle Identity Management User Reference for more information about the oidctl administration tool
Make sure that the Oracle Internet Directory server, the Oracle Internet Directory database, and the database listener are up and running.
If you are upgrading an ASR-based replica, then delete all ASR jobs on other replicas by issuing the following command:
SOURCE_ORACLE_HOME\ldap\admin\oidrdjob.sql
All ASR jobs on other master sites that transfer changes to this replica are deleted. This has the effect of taking the replica currently being upgraded out of the replication environment, so that no changes come to it, while other replicas continue to operate and replicate changes.
Upgrade the replica as described in Chapter 7, "Using Oracle Universal Installer to Upgrade Oracle Identity Management".
Verify that the database in the upgraded replica Oracle home is up and running.
Test the connectivity to the other replicas.
The Net Services Upgrade assistant might have modified listener.ora and tnsnames.ora, breaking connectivity. If connectivity is broken, identify the entries that were modified in the files, and restore the entries from the corresponding files in the source Oracle home.
For example, copy the original entries from the following files in the source Oracle home to the corresponding files in the destination Oracle home:
SOURCE_ORACLE_HOME\network\admin\listener.ora
SOURCE_ORACLE_HOME\network\admin\sqlnet.ora
SOURCE_ORACLE_HOME\network\admin\tnsnames.ora
If you are upgrading from a 10g (9.0.4) replication environment, add back the database alias you removed from the tnsnames.ora file in Step 7 of Section A.2.
If you are upgrading an Oracle Advanced Replication (ASR) based replica, re-create the jobs on each replica after it is upgraded by issuing the following command:
DESTINATION_ORACLE_HOME\ldap\bin\remtool -asrrectify
The jobs that were deleted in Step 5 are re-created. They begin transferring the existing changes and new changes from the other replicas to the upgraded replica.
Perform the Oracle Internet Directory post-upgrade procedures.
Perform the procedures described in Section A.4, "Task 4: Completing the Upgrade of Each Replica" for the newly upgraded replica.
Start the replication server on the newly upgraded replica, if it is not already running:
DESTINATION_ORACLE_HOME\oidctl connect=db_connect_string server=OIDREPLD instance=1 flags="-p port_at_which_ldap_server_is_listening" start
See Also: "Oracle Identity Management Server Administration Tools" in the Oracle Identity Management User Reference for more information about the oidctl administration tool
Upgrade the remaining replicas using the same procedures you used to upgrade the first replica.
Use the following procedure to upgrade all the replicas simultaneously:
On all replicas other than the MDS replica or the primary supplier replica, make sure you have completed the pre-upgrade steps provided in Section A.2, "Task 2: Prepare for the Oracle Identity Management Multimaster or Fan-Out Replication Upgrade".
Stop the replication server on all replicas in the Directory Replication Group (DRG):
SOURCE_ORACLE_HOME\oidctl connect=db_connect_string server=OIDREPLD instance=1 flags="-p port_at_which_ldap_server_is_listening" stop
See Also: "Oracle Identity Management Server Administration Tools" in the Oracle Identity Management User Reference for more information about the oidctl administration tool
Use Oracle Universal Installer and the 10g (10.1.4.0.1) installation procedure to upgrade each of the Oracle Internet Directory replicas.
Refer to Section 7.5.2, "Upgrading OracleAS Identity Management in a Non-Colocated Infrastructure" for information about starting Oracle Universal Installer and selecting the proper options on the installer screens.
Verify that the database on each upgraded replica is up and running.
Test the connectivity to the other replicas.
The Net Services Upgrade assistant might have modified listener.ora and tnsnames.ora, breaking connectivity. If connectivity is broken, identify the entries that were modified in the files, and restore the entries from the corresponding files in the source Oracle home.
For example, copy the original entries from the following files in the source Oracle home to the corresponding files in the destination Oracle home:
SOURCE_ORACLE_HOME\network\admin\listener.ora
SOURCE_ORACLE_HOME\network\admin\sqlnet.ora
SOURCE_ORACLE_HOME\network\admin\tnsnames.ora
If you are upgrading from a 10g (9.0.4) replication environment, add back the database alias you removed from the tnsnames.ora file in Step 7 of Section A.2.
Perform the Oracle Internet Directory post-upgrade procedures.
For each upgraded replica, perform the steps in Section A.4, "Task 4: Completing the Upgrade of Each Replica".
Start the replication server on each of the upgraded replicas:
DESTINATION_ORACLE_HOME\oidctl connect=db_connect_string server=OIDREPLD instance=1 flags="-p port_at_which_ldap_server_is_listening" start
See Also: "Oracle Identity Management Server Administration Tools" in the Oracle Identity Management User Reference for more information about the oidctl administration tool
The following sections describe tasks you must perform after you have completed the upgrade of a replica:
Changing the Replication DN Password in the Oracle Internet Directory Wallet for Each Replica
Setting the orclreplicationid Attribute in the Upgraded 10g (10.1.4.0.1) Directory
After you upgrade a replica, change the password for the replication distinguished name (DN). After you change or reset the password, you can then start oidmon, the LDAP server, and the replication server.
Refer to the following sections for more information:
After you upgrade a replica, change the replication distinguished name (DN) password stored in the wallet using the Replication Environment Management Tool (remtool), as follows:
DESTINATION_ORACLE_HOME\ldap\bin\remtool -pchgwalpwd -v -bind host:port/repl_dn_pwd
Note that you must provide the existing password on the remtool command line. If you do not know the replication DN password, see Section A.4.1.2, "Resetting the Replication DN Password".
See Also: "remtool" in the Oracle Identity Management User Reference for details about the arguments you can use with the remtool command, including the -pchgwalpwd and -presetpwd arguments
If you do not know the replication DN password, reset it using the following command:
DESTINATION_ORACLE_HOME\ldap\bin\remtool -presetpwd -v -bind host:port
If you are upgrading a fan-out replica, you must also reset the password of the replication DN at its supplier. To reset the password of the replication DN at its supplier:
Create an LDIF file (for example, modpwd.ldif) with the following contents:
dn: cn=replication dn,orclreplicaid=consumer_replicaid,cn=replication configuration
changetype: modify
replace: userpassword
userpassword: new_password
Apply the change at the supplier using the ldapmodify tool as shown below:
ldapmodify -h supplier_hostname -p supplier_port_number -D cn=orcladmin -w super_user_password_of_supplier -f modpwd.ldif
If you are upgrading a replica in an environment with fan-out replication, you must set the orclreplicationid attribute in Oracle Internet Directory to a valid value. This is a new attribute for Oracle Identity Management 10g (10.1.4.0.1).
Oracle recommends that you set the value of this attribute so it matches the value of the existing orclagreementID attribute. To perform this task:
Create an LDIF file called id.ldif with the following content:
dn: orclagreementid=000002,orclreplicaid=replicaid,cn=replication configuration
changetype: modify
replace: orclreplicationid
orclreplicationid: 2
Note that the dn: line must appear as a single line in the LDIF file, even if it is displayed wrapped here.
Apply the LDIF file by using the following ldapmodify command:
ldapmodify -p port -h host -D DN -w password -f id.ldif
In this example, replace port, host, DN, and password with the appropriate values for your environment.
See Also: "The Replication Agreement Entry" in the chapter, "Oracle Internet Directory Replication Concepts" in the Oracle Internet Directory Administrator's Guide for information about the orclreplicationid attribute
"Oracle Internet Directory Data Management Tools" in the Oracle Identity Management User Reference for more information about using the
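Two things go wrong in practice with the id.ldif step above: the orclreplicationid value is typed by hand instead of being derived from the agreement RDN, and the long dn: line gets wrapped without the LDIF continuation marker (a single leading space), which makes ldapmodify see a second, malformed line. The following added example (not from the Oracle guide) derives the value from the agreement DN, writes id.ldif, and checks an LDIF for broken lines; the agreement DN and the replica ID stakb03_orcl03 are constructed for the example.

```python
"""Build id.ldif from the replication agreement entry and check LDIF folding (added example)."""
import re
from typing import List

# Constructed agreement DN, following the page's pattern with replicaid filled in.
AGREEMENT_DN = "orclagreementid=000002,orclreplicaid=stakb03_orcl03,cn=replication configuration"

# Constructed: the dn line wrapped WITHOUT the continuation marker (invalid LDIF).
BROKEN_SAMPLE = (
    "dn: orclagreementid=000002,orclreplicaid=stakb03_orcl03,\n"
    "cn=replication configuration\n"
    "changetype: modify\nreplace: orclreplicationid\norclreplicationid: 2\n")

# Constructed: the same dn folded correctly (RFC 2849: continuation starts with a space).
FOLDED_SAMPLE = (
    "dn: orclagreementid=000002,orclreplicaid=stakb03_orcl03,\n"
    " cn=replication configuration\n"
    "changetype: modify\nreplace: orclreplicationid\norclreplicationid: 2\n")


def replication_id_from_agreement(agreement_dn: str) -> int:
    """Derive orclreplicationid from the orclagreementid RDN, e.g. 000002 -> 2."""
    m = re.match(r"\s*orclagreementid=(\d+)\s*,", agreement_dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a replication agreement DN: {agreement_dn!r}")
    return int(m.group(1))


def build_id_ldif(agreement_dn: str) -> str:
    """Return id.ldif content that sets orclreplicationid to match orclagreementid."""
    rid = replication_id_from_agreement(agreement_dn)
    return (f"dn: {agreement_dn}\n"
            "changetype: modify\n"
            "replace: orclreplicationid\n"
            f"orclreplicationid: {rid}\n")


def unfold(ldif: str) -> List[str]:
    """Join continuation lines (leading space) back onto the line before them."""
    out: List[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def broken_lines(ldif: str) -> List[str]:
    """Return non-blank, non-comment lines that are not 'attr: value' after unfolding.

    A wrapped dn without the leading-space marker shows up here as its tail
    (for example 'cn=replication configuration'), which ldapmodify would reject.
    """
    attr_line = re.compile(r"^[A-Za-z][\w;.-]*:")
    return [ln for ln in unfold(ldif)
            if ln.strip() and not ln.startswith("#") and not attr_line.match(ln)]


if __name__ == "__main__":
    print(build_id_ldif(AGREEMENT_DN))
    print("broken:", broken_lines(BROKEN_SAMPLE))
```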
After you have upgraded the Oracle Internet Directory Oracle homes, you can then upgrade the OracleAS Single Sign-On and Oracle Delegated Administration Services Oracle homes.
To upgrade the OracleAS Single Sign-On and Oracle Delegated Administration Services Oracle homes, use Oracle Universal Installer and the 10g (10.1.4.0.1) installation procedure.
Refer to Section 7.5.3, "Upgrading Distributed OracleAS Identity Management Configurations" for instructions on starting Oracle Universal Installer and selecting the proper options on the installer screens.