This chapter describes how to upgrade Oracle Identity Federation in a high availability environment.
This chapter contains the following sections:
Task 1: Understand the Oracle Identity Federation High Availability Upgrade
Task 2: Install the Oracle Identity Federation Schema in the Database
Task 3: Install Oracle WebLogic Server and Create the Middleware Home
Task 5: Extend the Domain and Create the First Oracle Identity Federation 11g Oracle Instance
Task 6: Use the Upgrade Assistant to Upgrade the First Oracle Identity Federation Oracle Instance
Task 7: Install and Configure the Second Oracle Identity Federation Instance on IDMHOST2
Task 8: Copy the Oracle Identity Federation Application from IDMHOST1 to IDMHOST2
Task 11: Verify the Oracle Identity Federation High Availability Upgrade
Refer to the following sections to prepare for the Oracle Identity Federation high availability upgrade:
Before you begin this upgrade procedure, it is assumed that:
The 10g source topology is equivalent to the 11g destination topology.
In other words, the Oracle Identity Federation topology that you are planning to install should be similar in its design to the 10g environment. For example, it is assumed that you will be running the same number of hosts and the same number of Oracle Identity Federation instances in the 11g environment.
For each Oracle Identity Federation instance you are upgrading, the target Oracle Identity Federation 11g Oracle Home must be on the same host as the source Oracle Identity Federation 10g Oracle home.
The database that will be used to host the Oracle Identity Federation schema has been upgraded to a version supported by Oracle Fusion Middleware 11g.
For more information, see "Upgrading and Preparing Your Databases" in the Oracle Fusion Middleware Upgrade Planning Guide.
The examples in this chapter assume you are upgrading two Oracle Identity Federation instances running on two separate host computers. These are referred to as IDMHOST1 and IDMHOST2.
In addition, the examples assume you have two database servers, also running on two separate hosts, DBHOST1 and DBHOST2.
Before you can install Oracle Identity Federation 11g in preparation for upgrade, you must install the Oracle Identity Federation 11g schema in a supported database.
You use the Repository Creation Utility to create the schema and select the Oracle Identity Federation component on the Select Components screen of the Repository Creation Utility.
For more information, refer to Section 6.2, "Task 2: Use the Repository Creation Utility to Install the Oracle Identity Federation Schema in the Database".
To install Oracle WebLogic Server and create the middleware home, refer to "Installing Oracle WebLogic Server" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
For more information about the Middleware home, see "Understanding Oracle Fusion Middleware Concepts" in the Oracle Fusion Middleware Administrator's Guide.
Use the following procedure to install and configure Oracle Internet Directory in preparation for an Oracle Identity Federation high availability upgrade:
Locate the Oracle Identity Management CD–ROM.
Alternatively, you can download and unpack the installation kit from the Oracle Technology Network:
http://www.oracle.com/technology/
If you are installing from the CD–ROM, then navigate to the root directory of the CD–ROM.
Or, if you downloaded and unpacked the software from the Oracle Technology Network, then change directory to the Disk1 directory in the location where you unpacked the software.
Start Oracle Universal Installer:
On UNIX systems, enter the following command to install Repository Creation Utility:
./runInstaller
On Windows systems, double-click the setup.exe file.
Follow the instructions in the installer to install Oracle Identity Federation.
Refer to the following resources during the installation and configuration:
Table 11-1, which provides information on specific instructions required when installing and configuring the software for an Oracle Identity Federation high availability upgrade.
Oracle Fusion Middleware Installation Guide for Oracle Identity Management or click Help for general information about the prerequisites and other prompts required during an Oracle Identity Federation installation.
When the installation and configuration is complete, exit from the Oracle Identity Management installation and configuration tool.
Table 11-1 Summary of the Installation Screens When Installing and Configuring Oracle Identity Federation High Availability in Preparation for Upgrade
Screen | Description and Actions to Take |
---|---|
Select Install and Configure. |
|
Prerequisite Checks |
This screen verifies that your host computer meets all the system requirements for the Oracle Identity Management components. |
Select Create New Domain, and provide a password for the Enter an easy to recognize domain name, such as |
|
For more information, click Help or refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. For more information about the Middleware home, see "Understanding Oracle Fusion Middleware Concepts" in the Oracle Fusion Middleware Administrator's Guide. |
|
This screen identifies which components to install on disk. For the purposes of this procedure, select all the components on this screen. |
|
This screen identifies the components that will be configured during this installation and configuration session. For the purposes of this procedure, select only Enterprise Manager. Do not select any other components on this screen. You will configure the Oracle Identity Federation component later. |
Now that you have configured an Oracle WebLogic Server domain, you can extend the domain and create the first Oracle Identity Federation component Oracle instance. Refer to the following sections for more information:
Extending the Domain and Configuring Oracle Identity Federation
About Selecting and Configuring Oracle HTTP Server with Oracle Identity Federation
To extend the domain and configure Oracle Identity Federation:
Start Oracle Universal Installer:
On UNIX systems, enter the following command to install Repository Creation Utility:
./runInstaller
On Windows systems, double-click the setup.exe file.
Follow the instructions in the installer to install Oracle Identity Federation.
Refer to the following resources during the installation and configuration:
Table 11-2, which provides information on specific instructions required when installing and configuring the software for an Oracle Identity Federation high availability upgrade.
Oracle Fusion Middleware Installation Guide for Oracle Identity Management or click Help for general information about the prerequisites and other prompts required during an Oracle Identity Federation installation.
When the installation and configuration is complete, exit from the Oracle Identity Management installation and configuration tool.
Table 11-2 Summary of the Installation Screens When Configuring the First Oracle Identity Federation Oracle Instance
Screen | Description and Actions to Take |
---|---|
Select Installation Type |
Select Install and Configure. |
Prerequisite Checks |
This screen verifies that your host computer meets all the system requirements for the Oracle Identity Management components. |
Select Domain |
|
Specify Installation Locations |
For more information, click Help or refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. For more information about the Middleware home, see "Understanding Oracle Fusion Middleware Concepts" in the Oracle Fusion Middleware Administrator's Guide. |
Select Components |
This screen identifies which components to install on disk. For the purposes of this procedure, select all the components on this screen. |
This screen identifies the components to configure during this installation and configuration session. For the purposes of this procedure:
|
|
Use this screen to specify the multicast address and port used by the managed servers within the Oracle WebLogic Server cluster. For example:
|
|
For this example, enter the following in the fields on this screen: |
|
Enter the following for each field on this screen: Authentication Type: JAAS; User Store: NONE; Federation Store: NONE; User Session Store: RDBMS (default selection, which cannot be changed for a cluster); Message Store: RDBMS (default selection, which cannot be changed for a cluster); Configuration Store: RDBMS (default selection, which cannot be changed for a cluster). |
|
Enter the following information on this screen:
|
Oracle Identity Federation requires an Oracle HTTP Server instance. However, you can choose to install and configure the Oracle HTTP Server instance on the same host as Oracle Identity Federation, or you can install it on a separate host as part of a Web tier installation.
Note the following when deciding whether or not to install Oracle HTTP Server on the same host or not:
If you install Oracle HTTP Server on the same host as Oracle Identity Federation, you can use the Oracle Fusion Middleware Upgrade Assistant to upgrade the Oracle HTTP Server instance at the same time you are upgrading Oracle Identity Federation.
This means that the Upgrade Assistant can then migrate all your SSL certificates, OSSO integration configuration from the source Oracle Identity Federation 10g source topology to the Oracle Identity Federation 11g destination topology.
If you install Oracle HTTP Server on a separate host, the Upgrade Assistant will not migrate the SSL certificates and OSSO integration configuration. These artifacts will have to be migrated manually post upgrade.
The Oracle Fusion Middleware Upgrade Assistant automates the upgrade of many aspects of your Oracle Application Server 10g environment.
The Upgrade Assistant is installed automatically into the bin directory of your Oracle Fusion Middleware Oracle home.
The following sections provide more information:
To start the Upgrade Assistant using the graphical user interface:
Note:
You can also use the Upgrade Assistant command-line interface to upgrade your Oracle Application Server 10g Oracle homes. For more information, see "Using the Upgrade Assistant Command-Line Interface" in the Oracle Fusion Middleware Upgrade Planning Guide.
Change directory to the ORACLE_HOME/bin directory of the Oracle Fusion Middleware installation.
Enter the following command to start the Upgrade Assistant.
On UNIX systems:
./ua
On Windows systems:
ua.bat
The Upgrade Assistant displays the Welcome screen as shown in Figure 11-1.
Figure 11-1 Upgrade Assistant Welcome Screen
Click Next to display the Select Operation screen (Figure 11-2).
The options available in the Upgrade Assistant are specific to the Oracle home from which it started. When you start Upgrade Assistant from an Oracle Application Server Identity Management Oracle home, the options shown on the Select Operation screen are the valid options for an Oracle Application Server Identity Management Oracle home.
Figure 11-2 Upgrade Assistant Select Operation Screen for an Oracle Identity Federation Upgrade
When you upgrade Oracle Identity Federation, the Upgrade Assistant upgrades the configuration files in the Oracle Identity Federation middle tier.
To upgrade Oracle Identity Federation when they reside in the same Oracle instance:
Start the Upgrade Assistant as described in Task 6a: Start the Upgrade Assistant for an Oracle Identity Federation Upgrade.
Select Upgrade Identity Management Instance on the Select Operation screen (Figure 11-2).
Refer to Table 11-3 for a description of the Upgrade Assistant screens that require input from you during an Oracle Identity Federation upgrade.
After the Specify Upgrade Options screen, the Upgrade Assistant performs the following tasks and provides the progress on each task:
Examines the components and schemas to be upgraded and verifies that they can be upgraded successfully.
Provides a summary of the components to be upgraded so you can verify that Upgrade Assistant is upgrading the components and schemas you expect.
Provides a progress screen so you can see the status of the upgrade as it proceeds.
Alerts you of any errors or problems that occur during the upgrade.
See Also:
"Troubleshooting Your Upgrade" in the Oracle Fusion Middleware Upgrade Planning Guide for specific instructions for troubleshooting problems that occur while running the Upgrade Assistant.
Displays the End of Upgrade screen, which confirms that the upgrade was complete.
Exit the Upgrade Assistant.
Table 11-3 Upgrade Assistant Screens That Require Input During an Oracle Internet Directory and Oracle Directory Integration Platform Upgrade
Upgrade Assistant Screen | Description |
---|---|
Select the 10g (10.1.4.0.1) source Oracle home. If the Oracle home you want to upgrade does not appear in the drop-down lists, see "Source Oracle Home Not Listed by OracleAS Upgrade Assistant" in the Oracle Fusion Middleware Upgrade Planning Guide. |
|
Enter the complete path to the destination 11g Oracle home that you installed inside the middleware home. This is the Oracle home that contains the Oracle Identity Federation software. Alternatively, click Browse to select the directory. |
|
Enter the host, Administration Server port, and administration user credentials for the Oracle WebLogic Server domain you configured in Section 11.4, "Task 4: Configure the Oracle WebLogic Server Domain with Only Oracle Enterprise Manager Fusion Middleware Control". |
|
Warning Dialog Box |
The Upgrade Assistant displays this warning dialog box if the source Oracle home contains Oracle Application Server components that are not installed and configured in the destination Oracle instance. This warning appears, for example, if the source Oracle home contains an instance of Oracle HTTP Server, which is not available in the 11g Oracle home. If the information in the dialog box is accurate and you understand which components will be upgraded, click Yes to continue. Otherwise, click No and verify which components are installed and configured in each 11g Oracle instance. |
This screen offers these upgrade options:
For the purposes of this example, select both of these upgrade options. |
Before you can expand the Oracle WebLogic Server cluster you created on IDMHOST1 to include IDMHOST2, you must install the Oracle WebLogic Server binary files on IDMHOST2 and create the Middleware home on IDMHOST2.
To install Oracle WebLogic Server and create the middleware home, refer to "Installing Oracle WebLogic Server" in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.
When you install Oracle WebLogic Server, make a note of the complete path to the Middleware home. You will need this information later in the upgrade procedure.
To install and configure the domain and configure Oracle Identity Federation:
Start Oracle Universal Installer:
On UNIX systems, enter the following command to install Repository Creation Utility:
./runInstaller
On Windows systems, double-click the setup.exe file.
Follow the instructions in the installer to install Oracle Identity Federation.
Refer to the following resources during the installation and configuration:
Table 11-2, which provides information on specific instructions required when installing and configuring the software for an Oracle Identity Federation high availability upgrade.
Oracle Fusion Middleware Installation Guide for Oracle Identity Management or click Help for general information about the prerequisites and other prompts required during an Oracle Identity Federation installation.
When the installation and configuration is complete, exit from the Oracle Identity Management installation and configuration tool.
Table 11-4 Summary of the Installation Screens When Configuring the Second Oracle Identity Federation Oracle Instance
Screen | Description and Actions to Take |
---|---|
Select Install and Configure. |
|
Prerequisite Checks |
This screen verifies that your host computer meets all the system requirements for the Oracle Identity Management components. |
Select Expand Cluster and enter the domain details. Enter the host, port, user name, and password for the administration server in the domain you created on IDMHOST1 in "Task 4: Configure the Oracle WebLogic Server Domain with Only Oracle Enterprise Manager Fusion Middleware Control". Click Next. For more information, click Help or refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. |
|
For more information, click Help or refer to the Oracle Fusion Middleware Installation Guide for Oracle Identity Management. For more information about the Middleware home, see "Understanding Oracle Fusion Middleware Concepts" in the Oracle Fusion Middleware Administrator's Guide. |
|
This screen identifies which components to install on disk. For the purposes of this procedure, select all the components on this screen. |
|
This screen identifies the components to configure during this installation and configuration session. For the purposes of this procedure:
|
|
Use this screen to specify the multicast address and port used by the managed servers within the Oracle WebLogic Server cluster. For example:
|
|
For this example, enter the following in the fields on this screen:
|
|
Enter the following for each field on this screen: Authentication Type: JAAS; User Store: NONE; Federation Store: NONE; User Session Store: RDBMS (default selection, which cannot be changed for a cluster); Message Store: RDBMS (default selection, which cannot be changed for a cluster); Configuration Store: RDBMS (default selection, which cannot be changed for a cluster). |
|
Enter the following information on this screen:
|
The Oracle Directory Integration Platform application is deployed on IDMHOST1 as an externally staged application. The application must be copied from IDMHOST1 to OIFHOST2; otherwise the managed server on IDMHOST2 is listed in the Oracle WebLogic Server administration console as being in an "unknown" state:
Create a stage directory on IDMHOST2:
MW_HOME/user_projects/domains/IDMDomain/servers/wls_oif2/stage/OIF/11.1.1.0.0/OIF
Locate the Oracle Identity Federation stage directory on IDMHOST1:
MW_HOME/user_projects/domains/IDMDomain/servers/wls_oif1/stage/OIF/11.1.1.0.0/OIF
Copy the directory and its contents to the stage location on IDMHOST2.
Follow these steps to start the wls_ods2 managed server in a cluster:
Open a browser and navigate to the WebLogic Administration Console at:
http://idmhost1.mycompany.com:port/console
Log in to the WebLogic Administration Console using the administrator credentials.
In the left pane of the WebLogic Administration Console, expand Environment and select Clusters.
Select the cluster (cluster_oif) containing the managed server (wls_oif2) you want to start.
Select Control.
Under Managed Server Instances in this Cluster, select the check box next to the managed server (wls_ods2) you want to start and click Start.
On the Server Life Cycle Assistant page, click Yes to confirm.
Note:
Node Manager starts the server on the target machine. When the Node Manager finishes its start sequence, the server's state is indicated in the State column in the Server Status table.
Refer to the following sections for information about important post-upgrade Oracle Identity Federation high availability procedures:
Follow the steps shown below to create a new Oracle HTTP Server instance and to enable communication between the Oracle HTTP Server instance and the Oracle Identity Federation server instance on IDMHOST1 and IDMHOST2.
When you install and configure Oracle Identity Federation, the Oracle HTTP Server software is installed in the Oracle home, but an Oracle HTTP Server instance is not configured by default:
Create an Oracle HTTP Server instance to configure with Oracle Identity Federation:
INSTANCE_HOME/bin/opmnctl createcomponent -componentType OHS -componentName ohs1
On IDMHOST2, edit the following configuration file:
INSTANCE_HOME/config/OHS/ohs_name/moduleconf/oif.conf
In this example, ohs_name is the name of the Oracle HTTP Server component; for example: ohs1
Uncomment and set the WebLogicCluster variable to reference the managed servers running the Oracle Identity Federation Server instances.
For example, if the host and port of each managed server is as follows:
idmhost1.mycompany.com:7499
idmhost2.mycompany.com:7499
Then update the file to contain the following entry:
<Location /fed>
    WebLogicCluster idmhost1.mycompany.com:7499,idmhost2.mycompany.com:7499
    SetHandler weblogic-handler
</Location>
Save the oif.conf file.
Start the Oracle HTTP Server as shown below:
INSTANCE_HOME/bin/opmnctl startproc process-type=OHS
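The following check is an added example, not part of the Oracle documentation: it parses the text of an oif.conf file and reports when the /fed location is not routed to every expected managed server, which is the failure that silently removes failover. The sample file contents are constructed, and the function names are hypothetical.

```python
import re

# Host names and port come from the example above; the file contents are constructed.
EXPECTED = ["idmhost1.mycompany.com:7499", "idmhost2.mycompany.com:7499"]

GOOD = """\
<Location /fed>
    WebLogicCluster idmhost1.mycompany.com:7499,idmhost2.mycompany.com:7499
    SetHandler weblogic-handler
</Location>
"""

STILL_COMMENTED = """\
<Location /fed>
#   WebLogicCluster host1.example.com:7499,host2.example.com:7499
    SetHandler weblogic-handler
</Location>
"""

ONE_NODE = GOOD.replace(",idmhost2.mycompany.com:7499", "")


def location_blocks(conf_text):
    """Map each active <Location path> to {directive: arguments}, ignoring comments."""
    blocks, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Location\s+(\S+)>$", line, re.IGNORECASE)
        if opened:
            current = blocks.setdefault(opened.group(1), {})
        elif line.lower() == "</location>":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            current[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return blocks


def check_oif_conf(conf_text, expected_backends):
    """Return a list of problems; an empty list means /fed reaches every expected node."""
    fed = location_blocks(conf_text).get("/fed")
    if fed is None:
        return ["no active <Location /fed> block"]
    problems = []
    if fed.get("sethandler", "").lower() != "weblogic-handler":
        problems.append("SetHandler weblogic-handler is missing")
    if "weblogiccluster" not in fed:
        problems.append("WebLogicCluster is not set (directive still commented out?)")
        return problems
    listed = {m.strip().lower() for m in fed["weblogiccluster"].split(",") if m.strip()}
    wanted = {b.lower() for b in expected_backends}
    problems += [f"{b} is missing from WebLogicCluster" for b in sorted(wanted - listed)]
    problems += [f"unexpected cluster member {b}" for b in sorted(listed - wanted)]
    return problems


if __name__ == "__main__":
    for name, text in (("good", GOOD), ("commented", STILL_COMMENTED), ("one node", ONE_NODE)):
        print(name, check_oif_conf(text, EXPECTED) or "OK")
```

Run it against the oif.conf of each Oracle HTTP Server instance before pointing the load balancer at it.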
Oracle Identity Federation topologies deployed in high availability configurations are front-ended by an external load balancer, which provides load balancing of the HTTP requests between the various OIF instances.
After upgrading the Oracle Identity Federation high availability environment, configure your load balancer to listen to the Oracle HTTP Server instances on IDMHOST1 and IDMHOST2.
Refer to the documentation provided by the load balancer vendor to accomplish this task.
Follow the steps below to enable the Oracle Identity Federation instances on IDMHOST1 and IDMHOST2 to recognize the Load Balancer Virtual Hostname.
Use Oracle Enterprise Manager Fusion Middleware Control to complete this task.
Log in to Fusion Middleware Control and locate the Oracle Identity Federation instance home page.
Modify the server properties as follows:
From the Oracle Identity Federation menu, select Administration, and then Server Properties.
Change the Host field to reflect the virtual host name of the load balancer.
Change the Port and SSL Enabled, as well as the SOAP Port and SSL Enabled options to reflect the ports used by the load balancer.
Save the changes.
Modify the Identity Provider properties as follows:
From the Administration menu, select Identity Provider.
In the Provider ID field, enter the URL for the load balancer virtual host name and port.
For example:
http://load_balancer_host:port
Modify the Service Provider properties as follows:
From the Administration menu, select Service Provider.
In the Provider ID field, enter the URL for the load balancer virtual host name and port.
For example:
http://load_balancer_host:port
Repeat Steps 2 through 4 for the subsequent Oracle Identity Federation instances in the high availability environment.
Because the Oracle Identity Federation metadata will have changed, redistribute the metadata to any remote partners to notify them of the configuration changes you just made.
Follow the steps below to validate the Oracle Identity Federation high availability upgrade:
Use a web browser to access the URLs shown below:
http://<LoadBalancerHost>:<LoadBalancerPort>/fed/sp/metadata
http://<LoadBalancerHost>:<LoadBalancerPort>/fed/idp/metadata
Follow the instructions in the following sections of the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Federation to import metadata from the SP into the IdP and the IDP metadata into the SP:
Go to the following URL and do a Single Sign-On operation:
http://Loadbalancer_SP_Host:Loadbalancer_SP_port/fed/user/testspsso
During the upgrade, the single sign-on configurations from your 10g environment should have been migrated to the upgraded instances. As a result, you should be able to access those URLs, if the upgrade process completed successfully.
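The following added example (not part of the Oracle documentation) audits a metadata document saved from one of the metadata URLs above and flags a Provider ID or endpoint that still names an individual host instead of the load balancer. It assumes the metadata is SAML 2.0 with the Provider ID published as entityID; the load balancer URL, the endpoint path and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed values: the load balancer URL and the endpoint path are samples.
LB_URL = "http://sso.mycompany.com:7777"
NODE_URL = "http://idmhost1.mycompany.com:7499"
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def sample_idp_metadata(entity_id, sso_location):
    """Build a minimal, constructed IdP metadata document for the demonstration."""
    return (
        f'<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{entity_id}">'
        f'<md:IDPSSODescriptor protocolSupportEnumeration="{PROTOCOL}">'
        f'<md:SingleSignOnService Binding="{BINDING}" Location="{sso_location}"/>'
        "</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


GOOD_MD = sample_idp_metadata(LB_URL, LB_URL + "/fed/idp/example-sso")
STALE_MD = sample_idp_metadata(NODE_URL, NODE_URL + "/fed/idp/example-sso")
MIXED_MD = sample_idp_metadata(LB_URL, NODE_URL + "/fed/idp/example-sso")


def origin(url):
    """Reduce a URL to (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))


def audit_metadata(xml_text, lb_url):
    """Return findings for provider metadata that does not advertise the load balancer."""
    # Parse only metadata fetched from your own servers this way; use a hardened
    # parser such as defusedxml for documents received from partners.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        return [f"unexpected root element {root.tag}"]
    findings = []
    entity_id = root.get("entityID", "")
    if entity_id.rstrip("/") != lb_url.rstrip("/"):
        findings.append(f"entityID is {entity_id!r}, expected {lb_url!r}")
    for element in root.iter():
        for attr in ("Location", "ResponseLocation"):
            value = element.get(attr)
            if value and origin(value) != origin(lb_url):
                name = element.tag.rsplit("}", 1)[-1]
                findings.append(f"{name} {attr} uses {urlsplit(value).netloc}")
    return findings


if __name__ == "__main__":
    for label, doc in (("good", GOOD_MD), ("stale", STALE_MD), ("mixed", MIXED_MD)):
        print(label, audit_metadata(doc, LB_URL) or "OK")
```

A non-empty result on either the SP or IdP metadata means partners would be sent to a single node and bypass the load balancer, so correct the server properties before redistributing the metadata.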