|Oracle® Access Manager Installation Guide
This chapter provides important information you need when removing Oracle Access Manager components. Topics include:
Failure to complete all steps may adversely affect the removal and any subsequent installation. For details about removing cloned components or components installed in silent mode, see Chapter 15, "Replicating Components".
During Oracle Access Manager component installation, information is saved after certain operations. Until information is saved, you may return and restate details. However, after you are informed that a component is being installed, Oracle Access Manager files are added to the file system.
If you cancel the installation process after receiving the message that a component is being installed and before completing all procedures, you must restore the system to it's previous condition to remove Oracle Access Manager-related information.
There are several steps you need to complete to remove an Oracle Access Manager component, as outlined in the discussion that follows. Some changes made for Oracle Access Manager are not handled automatically and must be manually removed when the Uninstaller program finishes:
Language Packs: Each installed Language Pack must be removed individually using the appropriate file in the component's uninstall directory: component_install_dir\identity|access\_uninstComponentLP_langtag\uninstaller.exe. For example, suppose you have an Identity Server and the WebPass installed with a Korean Language Pack. After uninstalling the Korean Language Pack on each component host, you must stop and restart both the Identity Server Service and the WebPass Web server instance. This will re-initialize corresponding components with the proper language support. Removing the Language Pack associated with the default Administrator language selected during installation is not supported.
Do not remove (uninstall) the Language Pack associated with the default Administrator language selected during installation. If you accidentally remove the Language Pack associated with the default Administrator language selected during installation, see "Language Issues".
Schema and Data Changes: If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree(s) need be deleted. In this case, there is no need to remove the Oracle Access Manager schema from the directory instance. When reinstalling the Identity Server, select “No” when asked if you want to update the schema (which is already present). Selecting “Yes” results in an error message "schema already exists".
If, however, you plan to remove and reinstall Oracle Access Manager a different directory instance (or not reinstall at all) then configuration data must be removed manually from the directory server and Oracle Access Manager schema extensions must also be removed using cleanup files provided for your directory server. You must remove data from the Identity Server and Policy Manager.
Depending on the type of directory server, you may have one or two cleanup files. For instance, schema extension cleanup files are provided for user data only for VDS. However schema extension cleanup files are provided for both user data and Oblix (configuration data) for NDS, IPlanet, and Oracle Internet Directory. Schema extension cleanup file names begin with an abbreviation that identifies the type of directory, followed by the type of data to be removed.
As an example, look for the files similar to the following in the Identity Server and Policy Manager installation directories:
DirectoryName_user_schema_delete.ldif—Oracle Access Manager user data cleanup file for the specific named directory—removes user data that resides on a separate directory instance from configuration data
DirectoryName_oblix_schema_delete.ldif—Oracle Access Manager configuration data cleanup file for the specific named directory—removes both user and configuration data when both reside on the same directory instance
OID_oblix_schema_index_delete.ldif—Oracle Access Manager cleanup file for Oracle Internet Directory only—removes the Oracle Access Manager attribute index from Oracle Internet Directory before or after you use corresponding Oracle Access Manager data and schema cleanup files.
Some directory vendors do not provide schema cleanup files. For instance, no such files are provided for ActiveDirectory, and Active Directory Application Mode (ADAM).
If Oracle Access Manager will be removed and reinstalled with the same directory instance, only the Oracle Access Manager configuration tree must be deleted. In this case, there is no need to remove the Oracle Access Manager schema from the directory instance. When reinstalling the Identity Server, select “No” when asked if you want to update the schema (which is already present). Selecting “Yes” results in an error message "schema already exists".
For details about removing then reinstalling Oracle Access Manager with Oracle Internet Directory, see "Reinstalling Oracle Access Manager with Oracle Internet Directory".
Web Server Configuration Changes: Web server configuration changes that occur during installation must be manually reverted after uninstalling the Oracle Access Manager component (WebPass, Policy Manager, WebGate). For example, the ISAPI transfilter will be installed for IIS WebPass. However, when you uninstall WebPass this is not removed automatically. Also, the created Web service extension and the link to the identity directory will not be removed. This type of information must be removed manually. These are examples of information to remove, not a complete list. Further, you must remove any changes that you manually made to your Web server configuration file for the Oracle Access Manager component (WebPass, Policy Manager, WebGate) should be removed. For more information about what is added for each component, see Part VI, "Web Server Configuration".
WebGate IIS Filters: To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. For more information, see "Removing Web Server Configuration Changes Before Uninstall".
Turn off the Identity or Access Server service (or WebPass, Policy Manager, WebGate Web server) for the component you will remove.
If you don't turn off the Web server, uninstall may not succeed and the backup folder won't be removed. If this happens, you need to manually remove the backup folder.
Locate the appropriate Language Pack file in the component's uninstall directory. For example:
Run the Language Pack Uninstaller program to remove the files.
Repeat this process to remove the same Language Pack from associated components.
Stop and restart both the Identity Server Service and the WebPass Web server instance to re-initialize components with the proper language support.
Repeat this process to remove each Language Pack (except the one selected as the default Administrator language (locale)). For example:
Complete the following steps to remove all Oracle Access Manager configuration data from the directory server instance, then remove Oracle Access Manager schema extensions from your directory server, if needed:
Remove the Oracle Access Manager configuration tree from the directory server instance using instructions from your directory vendor.
All Directories: Using the ldapmodify tool, upload the appropriate schema cleanup files for your directory server from the following directory, then remove Oracle Access Manager schema extensions from your directory. For example:
where component_install_dir refers to the installation directory for the specific Oracle Access Manager component (Identity Server or Policy Manager for example), and DirectoryName_*_schema_delete.ldif refers to the clean up file for your specific directory and data type.
Oracle Internet Directory: After completing the preceding activity to remove Oracle Access Manager schema extensions from Oracle Internet Directory, use the ldapmodify tool to upload the Oracle Internet Directory attribute index cleanup file and remove the Oracle Access Manager attribute index. For example:
If you have only one instance of an Oracle Access Manager component, complete step 4 to remove it. If you have multiple instances of a component, see also step 5.
and so on.
On UNIX systems, use uninstaller.bin
Windows: The last component can be uninstalled from Add/Remove programs. Others can be uninstalled by running the uninstall program from the \identity or \access \uninstComponent directory.
UNIX: You must always run uninstaller.bin.
Remove Oracle Access Manager-related updates to your Web server configuration. For information about specific Web servers, see Part VI, "Web Server Configuration".
Restart the Web server, if needed.
Remove the component installation directory if it remains, especially if you plan to reinstall the product.
Under certain circumstances, you may want to reuse an existing Identity Server name. For example, you may want to use an existing Identity Server name if you need to remove an Identity Server instance from one computer and reinstall it on another computer or perhaps the system as become corrupted and the instance itself has become inoperable for some reason.
If you do not delete the original Identity Server name from the System Console, a login following the set up of a new instance may result in the message "Application has not been set up". Special steps must be taken to ensure you can set up the application and login when recycling an Identity Server name.
The steps that follow presume that you have another Identity Server and a WebPass setup within the same installation.
You must disassociate all WebPass instances that are currently associated with the Identity Server you will remove. You cannot disassociate an Identity Server if it is the only primary server configured for a WebPass.
Task overview: Recycle an Identity Server instance name
Disassociate the Identity Server to be removed from each associated WebPass instance using instructions in the Oracle Access Manager Identity and Common Administration Guide.
A disassociated WebPass cannot communicate with the Identity Server. If the WebPass is orphaned (not associated with any other Identity Server), proceed with step 2. Otherwise, skip to step 3.
Associate any orphaned WebPass instances with a different Identity Server using instructions in the Oracle Access Manager Identity and Common Administration Guide.
Delete the name of the Identity Server to be removed from the Identity System Console, as described in the discussion on deleting Identity Server parameters in the Oracle Access Manager Identity and Common Administration Guide.
If you delete Identity Server parameters from the Console, any attempt to start that server from a command line will fail.
Using your directory server administrator interface, locate and delete the Identity Server instance name that was assigned during Identity Server installation in the following hierarchy:
Oblix > Policies > WebResrcDB > Identity_Server_name
Uninstall the Identity Server instance as described in "Uninstalling Oracle Access Manager Components".
Perform the following activities, as described in the Oracle Access Manager Identity and Common Administration Guide.
Add a new Identity Server instance in the Identity System Console.
If steps 1 through 4 were performed, you may reuse the name of the deleted Identity Server when asked for a unique name.
Associate the new Identity Server instance with a WebPass and specify the priority.
Modify the WebPass instance to set the maximum connections to the appropriate number to communicate with all primary Identity Servers, if needed.
Install the new Identity Server and indicate that this is not the first Identity Server for this directory server, as described in Chapter 4, "Installing the Identity Server".
You do not need to update the schema again.
Re-run Identity System setup as described in the Oracle Access Manager Identity and Common Administration Guide, to ensure that the new Identity Server can connect to the directory and access data.