6 Patching Oracle Identity and Access Management

This chapter describes how to patch your existing Oracle Identity and Access Management 11.1.1.3.0 installation to 11.1.1.5.0. It also describes how to migrate your existing configuration from 11.1.1.3.0 to 11.1.1.5.0.

This chapter contains the following sections:

If you have a version of Oracle Identity Management that is earlier than 11g, you must upgrade your software and the patching instructions in this chapter are not applicable. For upgrade instructions, see the Oracle Fusion Middleware Upgrade Guide for Oracle Identity Management.

6.1 Preparing to Patch

This section discusses the following topics:

6.1.1 Prerequisites

Ensure that the following versions of Oracle Fusion Middleware software are installed on your machine before moving from Oracle Identity and Access Management 11.1.1.3.0 to Oracle Identity and Access Management 11.1.1.5.0:

  • Oracle WebLogic Server 11g (10.3.3)

  • Oracle SOA Suite 11.1.1.3.0 (required for Oracle Identity Manager only)

  • Oracle Identity and Access Management 11g Release 1 (11.1.1.3.0)

6.1.2 Before You Begin

Read the following before you start moving from Oracle Identity and Access Management 11.1.1.3.0 to 11.1.1.5.0:

  • This chapter describes how to patch an existing Oracle Identity and Access Management 11.1.1.3.0 installation to Oracle Identity and Access Management 11.1.1.5.0. If you are installing Oracle Identity and Access Management (11.1.1.5.0) for the first time, refer to the "Installing Oracle Identity and Access Management (11.1.1.5.0)" topic in the Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

  • By completing the procedure in this chapter, your existing 11.1.1.3.0 Oracle Identity Manager, Oracle Access Manager, Oracle Adaptive Access Manager, and Oracle Identity Navigator are patched to their 11.1.1.5.0 versions. In addition, the following components are installed:

    • Oracle Adaptive Access Manager (Offline)

    • Oracle Entitlements Server

  • When you patch Oracle Access Manager from 11.1.1.3.0 to 11.1.1.5.0, Oracle Secure Token Service is installed in addition to the Oracle Access Manager patch. For more information, see Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.

6.1.3 Backing Up Oracle Fusion Middleware

Before you begin patching, you should back up your Oracle Fusion Middleware environment. For more information, see "Backing Up Your Environment" in the Oracle Fusion Middleware Administrator's Guide.

6.1.4 Patching Oracle WebLogic Server 10.3.3. to 10.3.5

Perform the following steps to patch your existing Oracle WebLogic Server 10.3.3 to 10.3.5 by using the WebLogic Server Upgrade installer.

  1. Download the Upgrade installer from My Oracle Support.

    For instructions, see "Downloading an Upgrade Installer From My Oracle Support" in Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

  2. Run the Upgrade installer in graphical mode to patch your WebLogic Server.

    For instructions, see "Running the Upgrade Installer in Graphical Mode" in Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

Note:

After patching Oracle WebLogic Server to 10.3.5, an additional JDK directory can be seen in the Middleware home. The patch does not remove the existing JDK from the Oracle WebLogic Server 10.3.3 installation.

If you want to run the Upgrade installer in silent mode (for example, you have an environment where you need to patch multiple instances of Oracle WebLogic Server), see the instructions in "Running the Installation Program in Silent Mode" in Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

6.1.5 Patching Oracle SOA Suite 11.1.1.3.0 to 11.1.1.5.0 (Oracle Identity Manager Users Only)

If you have Oracle Identity Manager installed, you must patch Oracle SOA Suite 11.1.1.3.0 to Oracle SOA Suite 11.1.1.5.0.

Note:

Only Oracle Identity Manager requires Oracle SOA Suite 11g (11.1.1.5.0). This step is required because Oracle Identity Manager uses process workflows in Oracle SOA Suite to manage request approvals.

For instructions, see Chapter 3, "Applying the Latest Oracle Fusion Middleware Patch Set". In addition to the general patching tasks described in this chapter, make sure you also perform the tasks in Section 3.8.6, "Post-Patching Tasks for Oracle SOA Suite".

6.1.6 Patching Oracle Identity and Access Management 11.1.1.3.0 to 11.1.1.5.0

Patching Oracle Identity and Access Management 11.1.1.3.0 to 11.1.1.5.0 involves the following steps:

  1. Download the Oracle Identity and Access Management 11.1.1.5.0 Patch Set Installer. See the instructions in Section 3.5.2, "Download the Installer".

  2. Run the Oracle Identity and Access Management 11.1.1.5.0 Patch Set Installer from your local system. For instructions, see Section 3.5.3, "Start the Installer".

  3. Follow the instructions in Section 3.6, "Patch Set Installer Instructions" to navigate through the Patch Set Installer screens and patch your Oracle Identity and Access Management software.

    Note:

    On the Specify Installation Location screen, you must specify the location of the same Middleware home that contains Oracle Identity and Access Management 11.1.1.3.0 components. You must also specify the same Oracle home that was created in the Oracle Identity and Access Management 11.1.1.3.0 installation. This directory will be referred to as the IAM home (IAM_Home) for the remainder of this document.

    For more information about these directories, see "Oracle Fusion Middleware Directory Structure and Concepts" in the Oracle Fusion Middleware Installation Planning Guide.

6.2 Updating Oracle Identity Manager 11.1.1.3.0 to 11.1.1.5.0

To update Oracle Identity Manager 11.1.1.3.0 to 11.1.1.5.0, complete the steps in both Section 6.2.1, "Instructions for Updating Oracle Identity Manager" and Section 6.2.2, "Configuring Oracle Identity Manager Design Console".

Additionally, if you have enabled LDAP Sync in the Oracle Identity Manager 11.1.1.3.0 environment and the LDAP server is configured to enable referential integrity, see Section 6.2.3, "Setting System Properties for LDAP Sync and Referential Integrity".

6.2.1 Instructions for Updating Oracle Identity Manager

  1. Back up the Oracle Identity Manager 11.1.1.3.0 schema, the MDS schema, the Oracle Identity Manager 11.1.1.3.0 domain, and your Oracle Identity Manager and Oracle SOA Suite binaries.

    Note:

    If your application includes any UI customizations, ensure that you back up such customizations before updating Oracle Identity Manager 11.1.1.3.0 to 11.1.1.5.0. After the update, you should redo the customizations.

    Note:

    All of the default 11.1.1.3.0 Event Handlers will be overwritten during the update; make sure that you back up all of the Event Handlers that come with the original product. You can export the Event Handlers from MDS through the MDS export utility (IAM_11.1.1.3.0_Home/server/bin/weblogicExportMetadata.sh). This backup can be used to redo any customization related to the default Event Handlers after updating Oracle Identity Manager.

    For more information about the MDS export utility, see "Using the Export Utility" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  2. Close all requests that are in pending state.

    Any requests that are pending and not closed prior to upgrade may fail and may need to be resubmitted. A request is in pending state if the status is NOT one of "Request Closed", "Request Completed", "Request Withdrawn", "Request Failed", "Template Approval Rejected", "Request Approval Rejected", "Operation Approval Rejected", "Request Partially Failed", or "Request Completed with Errors".

    To find all pending requests using the Administration Console:

    1. Log in to the Advanced Administration Console as a user with "Request Administrators" role.

    2. Run an advanced search for requests with the top level operator "Any" and with conditions "Request Status Not equals" with all of the statuses listed above.

    Note:

    This search cannot be limited to (or combined with) a specific request type.

    To find all pending requests using SQL, use the following command:

    select request_id, request_status from request
    where request_status not in ('Request Closed', 'Request Completed',
                                 'Request Withdrawn', 'Request Failed',
                                 'Template Approval Rejected',
                                 'Request Approval Rejected',
                                 'Operation Approval Rejected',
                                 'Request Partially Failed',
                                 'Request Completed with Errors');
    
  3. Shut down the following servers running in the domain:

    • Administration Server for both Oracle Identity Manager and Oracle SOA Suite.

    • All Managed Servers for Oracle Identity Manager and Oracle SOA Suite.

  4. Make sure you have patched your Oracle SOA Suite software to the latest version, as described in Section 6.1.5, "Patching Oracle SOA Suite 11.1.1.3.0 to 11.1.1.5.0 (Oracle Identity Manager Users Only)".

  5. Run the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) Patch Set Installer to patch your existing IAM_11.1.1.3.0_Home to the IAM_Home for Oracle Identity and Access Management 11.1.1.5.0, as described in Section 6.1.6, "Patching Oracle Identity and Access Management 11.1.1.3.0 to 11.1.1.5.0".

  6. Run Patch Set Assistant (located in the bin directory inside the OIM_HOME) to update the following schema:

    prefix_OIM: Oracle Identity Manager schema

    Chapter 4, "Updating Your Schemas with Patch Set Assistant" contains information about using the Patch Set Assistant.

  7. Run Patch Set Assistant (located in the bin directory inside the SOA_HOME) to update the following schemas:

    • prefix_MDS: MDS schema

    • prefix_SOAINFRA: SOA Infrastructure schema

    Note:

    You must run the Patch Set Assistant once for each schema. Because of dependencies, you should run the Patch Set Assistant to update the prefix_MDS schema first, then run it a second time to update the prefix_SOAINFRA schema.

    Chapter 4, "Updating Your Schemas with Patch Set Assistant" contains information about using the Patch Set Assistant.

  8. Start the Administration Server and the SOA Managed Server.

  9. Update Oracle Identity Manager mid-tier using the standalone utility as follows:

    1. Set the following environment variables:

      MW_HOME, WL_HOME, JAVA_HOME, OIM_HOME, and SOA_HOME

      Where MW_HOME is the Middleware home that contains Oracle Identity Manager 11.1.1.5.0, WL_HOME is the WebLogic Server home directory, JAVA_HOME is the location of the JDK included in the installer, OIM_HOME is the location of IAM_11.1.1.5.0_Home directory, and SOA_HOME is the Oracle home directory for the SOA suite 11.1.1.5.0 installed on the machine.

      Below are some sample values for your reference:

      Table 6-1 Sample Environment Variable Values

      Variable     Sample Value

      MW_HOME      UNIX: /home/Oracle/Middleware
                   Windows: Drive:\Oracle\Middleware

      WL_HOME      UNIX: /home/Oracle/Middleware/wlserver_10.3
                   Windows: Drive:\Oracle\Middleware\wlserver_10.3

      JAVA_HOME    UNIX: /home/Oracle/Middleware/jdk160_21
                   Windows: Drive:\Oracle\Middleware\jdk160_21

      OIM_HOME     UNIX: /home/Oracle/Middleware/Oracle_OIM1
                   Windows: Drive:\Oracle\Middleware\Oracle_OIM1

      SOA_HOME     UNIX: /home/Oracle/Middleware/Oracle_SOA1
                   Windows: Drive:\Oracle\Middleware\Oracle_SOA1


    2. Create a directory for reporting and logging; you will be asked to specify this directory when you run the standalone utility.

    3. From your present working directory, navigate to the IAM_11.1.1.5.0_Home/server/bin directory.

    4. Run DW2PS1Upgrade.sh (on UNIX) or DW2PS1Upgrade.bat (on Windows).

    5. Enter the following input values, when prompted:

      Table 6-2 Input Required by Midtier Update Script

      Field/Input                     Description

      WL Server Location              Enter the WebLogic Server location (WL_Home).
      MW Home                         Enter the absolute path to the Middleware home.
      OIM Oracle Home                 Enter the absolute path to the IAM_11.1.1.5.0_Home that contains OIM.
      Domain Directory                Enter the path to the OIM domain.
      Report Directory                Enter the path to the directory (created in substep 2) where a report should be generated.
      OIM Schema Connection String    Enter the connection string for the database that contains the OIM schema.
      OIM Schema User Name            Enter the OIM schema user name.
      OIM Schema Password             Enter the OIM schema password.
      MDS Schema Connection String    Enter the connection string for the database that contains the MDS schema.
      MDS Schema User Name            Enter the MDS schema user name.
      MDS Schema Password             Enter the MDS schema password.
      SOA Server Host Name            Enter the host name of the machine where SOA Server is running.
      SOA Server Port                 Enter the SOA server port.
      SOA User Name                   Enter the SOA server user name.
      SOA Password                    Enter the SOA server password.
      WebLogic User Name              Enter the Administration Server user name.
      WebLogic Password               Enter the Administration Server user password.


    6. Check the summary report for upgrade status printed on the terminal and proceed only if all the features are shown as successfully upgraded. A sample summary report is shown below:

       **************************************
      Summary Report
      **************************************
      Feature ID :Upgraded
       
      DW2PS1UPG.Scheduler:Y
       
       
      DW2PS1UPG.OES:Y
       
       
      DW2PS1UPG.OIMConfig:Y
       
       
      DW2PS1UPG.MDSNSUpdate:Y
       
       
      DW2PS1UPG.DBEncryption:Y
       
      **************************************
      Upgrade Successful.OIM Server can be started
      ***************************************
      

      You must see the "OIM Server can be started" message before you continue.

    7. Verify the domain patching did not generate any errors.

      Look for any error messages in the console. For example:

      Error: addTemplate() failed. Do dumpStack() to see details.
      
  10. Update Oracle Platform Security Services (OPSS) as follows:

    1. Run the MW_HOME/oracle_common/common/bin/wlst.sh (on UNIX operating systems) or MW_HOME\oracle_common\common\bin\wlst.cmd (on Windows operating systems) command.

    2. Connect to the Administration Server using the following command:

      connect('weblogic_username', 'weblogic_password');
      
    3. Run the following upgradeOpss WLST (online) command:

      upgradeOpss(jpsConfig="existing_jps_config_file", jaznData="system_jazn_data_file")
      

      Replace existing_jps_config_file with the full path to the location of the existing jps-config.xml file (usually DOMAIN_HOME/config/fmwconfig/jps-config.xml on UNIX operating systems or DOMAIN_HOME\config\fmwconfig\jps-config.xml on Windows operating systems).

      Replace system_jazn_data_file with the full path to the location of the 11.1.1.5.0 system-jazn-data.xml file (usually MW_HOME/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml on UNIX operating systems or MW_HOME\oracle_common\modules\oracle.jps_11.1.1\domain_config\system-jazn-data.xml on Windows operating systems).

      Below is an example on a UNIX operating system:

      upgradeOpss(jpsConfig="DOMAIN_HOME/config/fmwconfig/jps-config.xml", jaznData="MW_HOME/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml")
      

    Note:

    You may see error messages on the console when you run the upgradeOpss command. These errors can be safely ignored so long as there is some text indicating that your operation was completed successfully. For more information about the error messages, refer to the Oracle Fusion Middleware Release Notes.

  11. Restart the Administration Server and the SOA Managed Server to apply your changes to the domain.

  12. Run Oracle Identity Manager Managed Servers. In addition, navigate to the IAM_11.1.1.3.0_Home/server/logs directory to verify that the following directories are created after OIM 11.1.1.3.0 is updated to 11.1.1.5.0:

    • mergeDir

    • Report

    • sourceDir

    • targetDir

  13. Access the OIM application by using the URL (http://host:port/oim).

  14. Modify the RoleUserMembership.xml file as follows:

    1. Export /db/identity/entity-definition/RoleUserMembership.xml from MDS schema.

      For more information, see "Using the Export Utility" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

    2. Add the following attribute definition:

      <attribute name="request_key">
         <type>string</type>
         <required>false</required>
         <searchable>false</searchable>
         <attribute-group>Basic</attribute-group>
      </attribute>
      
    3. Import /db/identity/entity-definition/RoleUserMembership.xml back to the MDS schema.

  15. Configure the Oracle Identity Manager Design Console, as described in Section 6.2.2, "Configuring Oracle Identity Manager Design Console".
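
The gate checks in steps 9 and 12 above (environment variables, summary report, log directories) can be scripted. The following is an added example, not part of the original guide or of Oracle's tooling; the function names are hypothetical, and it assumes the summary block printed by DW2PS1Upgrade.sh has been saved to a text file.

```shell
#!/bin/sh
# Added example: gate checks for the Oracle Identity Manager 11.1.1.5.0 update.
# Function names and the saved-report file are assumptions, not Oracle tooling.

# Step 9, substep 1: each home variable must be set and name a directory.
check_homes() {
    rc=0
    for name in MW_HOME WL_HOME JAVA_HOME OIM_HOME SOA_HOME; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "UNSET    $name"; rc=1
        elif [ ! -d "$value" ]; then
            echo "NOTADIR  $name=$value"; rc=1
        fi
    done
    return "$rc"
}

# Step 9, substep 6. Usage: check_summary_report FILE [FEATURE...]
# Passes only if every DW2PS1UPG.* line reads Y, each FEATURE named on the
# command line is present, and the "OIM Server can be started" line appears.
check_summary_report() {
    [ "$#" -ge 1 ] || { echo "usage: check_summary_report FILE [FEATURE...]"; return 2; }
    report=$1; shift
    awk -v expected="$*" '
        /^[ \t]*DW2PS1UPG\.[^:]+:/ {
            line = $0
            gsub(/^[ \t]+|[ \t\r]+$/, "", line)    # trim indent and trailing CR
            split(line, kv, ":")
            sub(/^DW2PS1UPG\./, "", kv[1])
            gsub(/[ \t]/, "", kv[2])
            status[kv[1]] = kv[2]; seen++
            if (kv[2] != "Y") { print "FAILED   " kv[1] ":" kv[2]; bad = 1 }
        }
        /OIM Server can be started/ { started = 1 }
        END {
            n = split(expected, want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in status)) { print "ABSENT   " want[i]; bad = 1 }
            if (!seen)    { print "ABSENT   feature lines"; bad = 1 }
            if (!started) { print "ABSENT   OIM Server can be started"; bad = 1 }
            exit bad + 0
        }' "$report"
}

# Step 12: the update should leave these four directories under server/logs.
check_log_dirs() {
    rc=0
    for dir in mergeDir Report sourceDir targetDir; do
        [ -d "$1/$dir" ] || { echo "ABSENT   $1/$dir"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: the summary report layout shown in step 9, substep 6.
write_sample_report() {
    cat > "$1" <<'EOF'
**************************************
Summary Report
**************************************
Feature ID :Upgraded
DW2PS1UPG.Scheduler:Y
DW2PS1UPG.OES:Y
DW2PS1UPG.OIMConfig:Y
DW2PS1UPG.MDSNSUpdate:Y
DW2PS1UPG.DBEncryption:Y
**************************************
Upgrade Successful.OIM Server can be started
***************************************
EOF
}

# Demo on constructed input: one clean report, one with a feature marked N.
demo_dir=$(mktemp -d)
write_sample_report "$demo_dir/console.log"
if check_summary_report "$demo_dir/console.log" \
        Scheduler OES OIMConfig MDSNSUpdate DBEncryption
then echo "console.log: all features upgraded"
fi
sed 's/^DW2PS1UPG.OES:Y/DW2PS1UPG.OES:N/' "$demo_dir/console.log" > "$demo_dir/failed.log"
check_summary_report "$demo_dir/failed.log" || echo "failed.log: do not start the OIM server"
rm -rf "$demo_dir"
```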

6.2.2 Configuring Oracle Identity Manager Design Console

The Oracle Identity Manager Design Console can be used to configure system settings that control the system-wide behavior of Oracle Identity Manager and affect its users. The Design Console allows you to perform user management, resource management, process management, and other administration and development tasks. For more information about the Design Console, see "Design Console Overview" in Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Note:

Oracle Identity Manager Design Console must be installed inside a Middleware home. In addition, the Design Console must be outside the Oracle home where you installed Oracle Identity Manager (OIM_HOME). This means you must first run the Oracle WebLogic Server installer to create a new Middleware home before you install the Design Console.

To install and configure the Design Console:

  1. Make sure you have patched your environment to the latest version.

  2. Make sure you know the URL of your Oracle Identity Management server; you will be asked for this when you configure the Design Console.

  3. Run the WebLogic Server installer to create a new Middleware home for the Design Console.

  4. Run Oracle Identity and Access Management 11.1.1.5.0 Patch Set Installer and install the software, including the Design Console, in the new Middleware home. For example, if your existing Oracle Identity Management installation resides in MW_HOME1\Oracle_IDM1, you can install the Design Console in MW_HOME2\Oracle_IDM1.

  5. Run the configuration tool from the location where you installed the Design Console (for example, MW_HOME2/Oracle_IDM1/bin/config.sh on UNIX operating systems or MW_HOME2\Oracle_IDM1\bin\config.bat on Windows operating systems) and configure the Design Console.

  6. Build and copy the wlfullclient.jar file as follows:

    1. Go to the MW_HOME2/wlserver_10.3/server/lib (on UNIX operating systems) or MW_HOME2\wlserver_10.3\server\lib (on Windows operating systems) directory.

    2. Set the JAVA_HOME environment variable and add the JAVA_HOME variable to the PATH environment variable.

      For example, you can set the JAVA_HOME to the jdk160_21 directory inside the Middleware home.

    3. Run the following command to build the wlfullclient.jar file.

      On UNIX operating systems:

      java -jar MW_HOME2/modules/com.bea.core.jarbuilder_1.6.0.1.jar
      

      On Windows operating systems:

      java -jar MW_HOME2\modules\com.bea.core.jarbuilder_1.6.0.1.jar
      
    4. Copy the wlfullclient.jar file to the new IAM_Home where you installed the Design Console. For example:

      On UNIX operating systems:

      cp MW_HOME2/wlserver_10.3/server/lib/wlfullclient.jar MW_HOME2/Oracle_IDM1/designconsole/ext
      

      On Windows operating systems:

      copy MW_HOME2\wlserver_10.3\server\lib\wlfullclient.jar MW_HOME2\Oracle_IDM1\designconsole\ext
      
  7. Back up and delete the old designconsole directory in your IAM_HOME (in the case of this example, MW_HOME1/Oracle_IDM1/designconsole on UNIX operating systems, or MW_HOME1\Oracle_IDM1\designconsole on Windows operating systems).

If you want to install the Design Console without having to install a new WebLogic Server and Oracle Identity and Access Management, you can also

6.2.3 Setting System Properties for LDAP Sync and Referential Integrity

If you have enabled LDAP Sync in the Oracle Identity Manager 11.1.1.3.0 environment and the LDAP server is configured to enable referential integrity, then you must set the system property XL.isReferentialIntegrityEnabled to TRUE in Oracle Identity Manager after updating to Oracle Identity Manager 11.1.1.5.0. The default value for this property is FALSE.

Note:

If your Oracle Identity Manager 11.1.1.3.0 installation was not configured with LDAP Sync enabled, then LDAP Sync is not enabled when you update to Oracle Identity Manager 11.1.1.5.0. After the update, if you wish to enable LDAP Sync, you must set up LDAP Sync, as described in the "Enabling LDAP Synchronization" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

If your Oracle Identity Manager 11.1.1.3.0 installation was configured with LDAP Sync enabled, then the LDAP Sync configuration is retained after you update to Oracle Identity Manager 11.1.1.5.0. The update process does not alter your previous LDAP Sync configuration.

6.3 Updating Oracle Access Manager 11.1.1.3.0 to 11.1.1.5.0

Before you update Oracle Access Manager, make sure the update of Oracle Identity Manager is complete as described in Section 6.2, "Updating Oracle Identity Manager 11.1.1.3.0 to 11.1.1.5.0".

Information about updating Oracle Access Manager 11.1.1.3.0 to 11.1.1.5.0 is located in the following support note on the http://support.oracle.com website:

Procedure to Update OAM 11.1.1.3.0 to OAM 11.1.1.5.0 (Doc ID 1318524.1)

6.4 Updating Oracle Adaptive Access Manager 11.1.1.3.0 to 11.1.1.5.0

To migrate Oracle Adaptive Access Manager 11.1.1.3.0 to 11.1.1.5.0, complete the following steps:

  1. Shut down the Administration Server (the Administration Server for the domain that contains Oracle Adaptive Access Manager 11.1.1.3.0) and the Oracle Adaptive Access Manager Managed Servers.

  2. Run the WebLogic Server Upgrade Installer to patch your WebLogic Server installation to the latest version (10.3.5), as described in Patching Oracle WebLogic Server 10.3.3. to 10.3.5.

  3. Run the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) Patch Set Installer to patch your existing Oracle Identity and Access Management 11.1.1.3.0 installation (IAM_Home) to Oracle Identity and Access Management 11.1.1.5.0, as described in Patching Oracle Identity and Access Management 11.1.1.3.0 to 11.1.1.5.0.

  4. Run Patch Set Assistant to update the following schemas:

    • prefix_OAAM: Oracle Adaptive Access Manager schema

    • prefix_OAAM_PARTN: Oracle Adaptive Access Manager partition schema

    • prefix_MDS: AS Common schema

    For instructions, see Chapter 4, "Updating Your Schemas with Patch Set Assistant".

  5. Extend the Oracle Adaptive Access Manager domain with the oracle.communications.client_template by running the Oracle Fusion Middleware Configuration Wizard as follows:

    1. From the patched IAM_Home (11.1.1.5.0), run the Oracle Fusion Middleware Configuration Wizard (located at IAM_Home/common/bin/).

    2. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

    3. On the Select a WebLogic Domain Directory screen, select the domain that contains Oracle Adaptive Access Manager 11.1.1.3.0. Click Next. The Select Extension Source screen is displayed.

    4. On the Select Extension Source screen, select the Extend my domain using an existing extension template option.

    5. In the Template location field, click Browse, and select the following location:

      IAM_Home/common/templates/applications/oracle.communications.client_template_11.1.1.jar

    6. Continue by following the on-screen instructions. Select the Deployments and Services check box on the Select Optional Configuration screen. On the Target Deployments to Clusters or Servers screen, ensure that the oracle.sdp.client#11.1.1.@11.1.1 library is targeted to the oaam_server Managed Server in your domain or cluster.

    7. Complete the domain extension process.

  6. Start the Administration Server.

  7. Perform this step only if you want to install Oracle Adaptive Access Manager Offline in your domain. Otherwise, skip this step.

    1. Run IAM_HOME/common/bin/wlst.sh (on UNIX operating systems) or IAM_HOME\common\bin\wlst.cmd (on Windows operating systems).

    2. Connect to the Administration Server using the following command:

      connect('weblogic-username', 'weblogic-password');
      
    3. Run the grantPermission WLST (online) command to add the Oracle Adaptive Access Manager Offline application grant to the out-of-the-box JPS common system-jazn-data.xml, as in the following example:

      grantPermission(codeBaseURL="file:${domain.home}/servers/${weblogic.Name}/tmp/_WL_user/oaam_offline_11.1.1.3.0/-",
                      permClass="oracle.security.jps.service.credstore.CredentialAccessPermission",
                      permTarget="context=SYSTEM,mapName=oaam,keyName=*",
                      permActions="*")
      

      Where

      codeBaseURL= name of the grantee codebase URL.

      permClass= class name of the permission being granted.

      permTarget= target part of the permission that is being granted.

      permActions= permission actions that are being granted.

      The system-jazn-data.xml file is located in the DOMAIN_HOME/config/fmwconfig (on UNIX operating systems) or DOMAIN_HOME\config\fmwconfig (on Windows operating systems) directory.

    4. Exit WLST.

    5. From the patched IAM_Home (11.1.1.5.0), run the Oracle Fusion Middleware Configuration Wizard (located at IAM_Home/common/bin/).

    6. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next. The Select a WebLogic Domain Directory screen is displayed.

    7. On the Select a WebLogic Domain Directory screen, select the domain that contains Oracle Adaptive Access Manager 11.1.1.3.0. Click Next. The Select Extension Source screen is displayed.

    8. On the Select Extension Source screen, select the Oracle Adaptive Access Manager Offline - 11.1.1.3.0 option.

    9. Continue by following the on-screen instructions. Complete the domain extension process. The domain with Oracle Adaptive Access Manager is extended to support Oracle Adaptive Access Manager Offline.

    10. Restart the Administration Server.

  8. Undeploy and redeploy the oaam.extensions library through the WebLogic Server Administration Console as follows:

    1. Log in to the WebLogic Server Administration Console.

    2. Under Domain Structure, click Deployments. The Summary of Deployments page is displayed.

    3. Select the oracle.oaam.extensions library, and click Delete.

    4. Deploy the library by clicking Install. The Install Application Assistant page is displayed.

    5. Select the following application to install:

      IAM_Home/oaam/oaam_extensions/generic/oracle.oaam.extensions.war

    6. Install this application as a library.

    7. Select all Managed Servers hosting oaam_admin, oaam_server, and oaam_offline as the deployment targets for this application.

    8. For Source Accessibility, select the I will make the deployment accessible from the following location option. This option sets the staging mode to nostage.

    9. Complete the deployment of the library.

  9. Start all Managed Servers hosting oaam_admin, oaam_offline, and oaam_server.

  10. Optional: If you have customized the jazn-data permissions of oaam_admin, you should back up these changes by using the OPSS WLST migrateSecurityStore command. For instructions, see the "Migrating with the Script migrateSecurityStore" topic in the Oracle Fusion Middleware Application Security Guide.

  11. Redeploy oaam_admin, which overwrites the security policies of oaam_admin with the jazn-data.xml that is packaged in the Oracle Identity and Access Management 11.1.1.5.0 oaam_admin's ear. To do so, complete the following steps:

    1. Ensure that the Managed Server hosting oaam_admin is up and running.

    2. Log in to the WebLogic Server Administration Console.

    3. Under Domain Structure, click Deployments. The Summary of Deployments page is displayed.

    4. Select oaam_admin, and click Update.

    5. Complete the redeployment steps.

  12. Optional: If you had customized permissions for oaam_admin before migrating to Oracle Adaptive Access Manager 11.1.1.5.0, you must redo them after migrating to 11.1.1.5.0. You should use the backup that you took in Step 10. You can modify jazn-data.xml and use OPSS WLST commands.

6.5 Updating Oracle Identity Navigator 11.1.1.3.0 to 11.1.1.5.0

To update Oracle Identity Navigator 11.1.1.3.0 to 11.1.1.5.0, complete the following steps:

  1. On the machine where Oracle Identity Navigator 11.1.1.3.0 is installed, export the Oracle Identity Navigator metadata to an export directory using WLST as follows:

    1. Run wlst.sh (located at IAM_Home/common/bin).

    2. Connect to the Administration Server using the following command:

      connect('weblogic-username', 'weblogic-password');

    3. Run the following WLST (online) command:

      exportMetadata(application='oinav',server='AdminServer',toLocation='export_directory')

      export_directory is the directory where you want to export Oracle Identity Navigator metadata to.

  2. Stop the WebLogic Administration Server (the Administration Server for the domain where Oracle Identity Manager is installed and configured) and the Oracle Identity Navigator Managed Server.

  3. Run the WebLogic Server Upgrade Installer to patch your WebLogic Server installation to the latest version (10.3.5), as described in Patching Oracle WebLogic Server 10.3.3. to 10.3.5.

  4. Run the Oracle Identity and Access Management 11g Release 1 (11.1.1.5.0) Patch Set Installer to patch your existing Oracle Identity and Access Management 11.1.1.3.0 installation (IAM_Home) to Oracle Identity and Access Management 11.1.1.5.0, as described in Patching Oracle Identity and Access Management 11.1.1.3.0 to 11.1.1.5.0.

  5. After the patching is complete, start the WebLogic Administration Server (the Administration Server for the domain that contains Oracle Identity Navigator).

  6. Log in to the WebLogic Server Administration Console.

  7. Under Domain Structure, click Deployments. The Summary of Deployments page is displayed.

  8. Select oinav, and click Update.

    Alternatively, you can use the redeploy('oinav#11.1.1.3.0') WLST command to update the Oracle Identity Navigator application. Exit the WebLogic Server Administration Console.

  9. Import Oracle Identity Navigator metadata by running the following WLST command:

    importMetadata(application='oinav',server='AdminServer',fromLocation='export_directory')

    export_directory is the directory where you previously exported Oracle Identity Navigator metadata to.

6.6 Patching Oracle Identity and Access Management in a Clustered Environment

This section describes how to patch your existing Oracle Identity and Access Management 11.1.1.3.0 installation in a clustered environment to 11.1.1.5.0. The procedures in this section are based on a two node cluster as described below:

  • Node 1: Administration Server, OIM Managed Server, SOA Managed Server

  • Node 2: OIM Managed Server, SOA Managed Server

    Any additional nodes in your cluster should be patched using the instructions in Section 6.6.2, "Upgrading Node 2".

  • If Node 1 and Node 2 do not share a disk, then the directory structures of the Middleware home, Oracle home, and Domain home are identical on both nodes.

For more information about deploying Oracle Identity Management in an enterprise environment, refer to the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management.

6.6.1 Upgrading Node 1

To upgrade Node 1 in the cluster, follow the instructions in Section 6.2, "Updating Oracle Identity Manager 11.1.1.3.0 to 11.1.1.5.0".

6.6.2 Upgrading Node 2

To upgrade Node 2 in the cluster, follow the instructions below:

  1. Back up the Oracle Identity Manager 11.1.1.3.0 domain, and your Oracle Identity Manager and Oracle SOA Suite binaries.

  2. Shut down all Managed Servers for Oracle Identity Manager and Oracle SOA Suite that are running in the domain.

  3. If your Oracle WebLogic Server, Oracle Identity Management, and Oracle SOA Suite binaries are NOT at a shared location, perform the following steps. Otherwise, skip to Step 4.

    1. Patch Oracle WebLogic Server as described in Section 6.1.4, "Patching Oracle WebLogic Server 10.3.3. to 10.3.5".

    2. Update your Oracle SOA Suite software as described in Section 6.1.5, "Patching Oracle SOA Suite 11.1.1.3.0 to 11.1.1.5.0 (Oracle Identity Manager Users Only)".

    3. Update your Oracle Identity and Access Management software as described in Section 6.1.6, "Patching Oracle Identity and Access Management 11.1.1.3.0 to 11.1.1.5.0".

  4. Run the following command to pack your domain on Node 1:

    On UNIX operating systems:

    cd MW_HOME/oracle_common/common/bin
    ./pack.sh -domain=OIM_Domain_Home -template=Domain_Configuration_Jar_Destination -template_name="template_name" -managed=true
    

    On Windows operating systems:

    cd MW_HOME\oracle_common\common\bin
    pack.cmd -domain=OIM_Domain_Home -template=Domain_Configuration_Jar_Destination -template_name="template_name" -managed=true
    

    Replace OIM_Domain_Home with the full path to your OIM domain, Domain_Configuration_Jar_Destination with the full path to the location where you want to create your domain configuration .jar file, and template_name with the name of this domain configuration template.

    Below is an example on UNIX operating systems:

    ./pack.sh -domain=/home/Oracle/Domains/11.1.1.3.0_OIMDomain -template=/home/Oracle/Data -template_name="OIM Domain" -managed=true
    

    On Windows operating systems:

    pack.cmd -domain=D:\Oracle\Domains\11.1.1.3.0_OIMDomain -template=D:\Oracle\Data -template_name="OIM Domain" -managed=true
    
  5. Unpack the domain configuration information on Node 2.

    On UNIX operating systems:

    cd MW_HOME/oracle_common/common/bin
    ./unpack.sh -domain=OIM_Domain_Home -template=Domain_Configuration_Jar_Location -overwrite_domain=true
    

    On Windows operating systems:

    cd MW_HOME\oracle_common\common\bin
    unpack.cmd -domain=OIM_Domain_Home -template=Domain_Configuration_Jar_Location -overwrite_domain=true
    

    Replace OIM_Domain_Home with the full path to your OIM domain on Node 2, and Domain_Configuration_Jar_Location with the full path to the location where you created your domain configuration .jar file on Node 1.

    Below is an example on UNIX operating systems:

    ./unpack.sh -domain=/home/Oracle/Domains/11.1.1.3.0_OIMDomain -template=/home/Oracle/Data -overwrite_domain=true
    

    On Windows operating systems:

    unpack.cmd -domain=D:\Oracle\Domains\11.1.1.3.0_OIMDomain -template=D:\Oracle\Data -overwrite_domain=true
    

    Note:

    The domain directory structures must be identical on both nodes.

  6. Go to the OIM_HOME/server/bin (on UNIX operating systems) or OIM_HOME\server\bin (on Windows operating systems) directory and edit the dwps1upgrade.properties file so that all properties EXCEPT for oim.ps1.soacomposite.patch are set to false.

  7. Start the SOA Managed Server on Node 2. This is required to deploy SOA composites on Node 2.

  8. Run the standalone utility as described in Step 9 in Section 6.2.1, "Instructions for Updating Oracle Identity Manager".

  9. Check to see if any login module .jar files are found in the MW_HOME/wlserver_10.3/server/lib/mbeantypes (on UNIX operating systems) or MW_HOME\wlserver_10.3\server\lib\mbeantypes (on Windows operating systems) directory in your Release 11.1.1.3.0 environment. If there are no files, you can skip this step.

    If there are, copy the following login module files from OIM_HOME/server/loginmodule/wls to MW_HOME/wlserver_10.3/server/lib/mbeantypes (on UNIX operating systems) or from OIM_HOME\server\loginmodule\wls to MW_HOME\wlserver_10.3\server\lib\mbeantypes (on Windows operating systems):

    • OIMAuthenticator.jar

    • oimmbean.jar

    • oimsigmbean.jar

    • oimsignaturembean.jar

  10. Start the OIM Managed Server on Node 2.

  11. Access the OIM application by using the URL (http://host:port/oim).
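
The following shell helpers are an added example, not part of the Oracle guide or its tooling. They script Step 6 (the property edit) and Step 9 (the conditional login module copy, with a byte-for-byte check of each copied file) for Node 2 on UNIX. The function names, the assumed key=value layout of dwps1upgrade.properties, and the reading of "login module .jar files" as the four files listed in Step 9 are assumptions.

```shell
#!/bin/sh
# Added example: helpers for Steps 6 and 9 of Section 6.6.2 on Node 2.
# Assumptions (not from the Oracle guide): dwps1upgrade.properties holds
# key=value lines with true/false values, and "login module .jar files"
# means the four files listed in Step 9.

LOGIN_JARS="OIMAuthenticator.jar oimmbean.jar oimsigmbean.jar oimsignaturembean.jar"

# Step 6: set every boolean property to false except
# oim.ps1.soacomposite.patch, which is left exactly as found.
# The original file is kept as <file>.bak.
set_ps1_flags() {
    props=$1
    cp -p "$props" "$props.bak" || return 1
    awk -F= '
        /^[ \t]*[#!]/ || NF < 2 { print; next }   # comments and blank lines
        { key = $1; gsub(/[ \t]/, "", key) }
        key != "oim.ps1.soacomposite.patch" &&
            $2 ~ /^[ \t]*(true|false)[ \t]*$/ { print key "=false"; next }
        { print }
    ' "$props.bak" > "$props"
}

# Step 9: if the mbeantypes directory already holds any of the login module
# jars, replace all four with the patched copies and confirm each copy
# is identical to its source. Otherwise the step is skipped.
sync_login_modules() {
    src=$1 dst=$2 found=0
    for jar in $LOGIN_JARS; do
        if [ -f "$dst/$jar" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no login module jars in $dst; step skipped"
        return 0
    fi
    for jar in $LOGIN_JARS; do
        cp -p "$src/$jar" "$dst/$jar" || return 1
        cmp -s "$src/$jar" "$dst/$jar" || { echo "MISMATCH: $jar" >&2; return 1; }
    done
}

# Usage on Node 2 (substitute your real paths):
#   set_ps1_flags "$OIM_HOME/server/bin/dwps1upgrade.properties"
#   sync_login_modules "$OIM_HOME/server/loginmodule/wls" "$MBEANTYPES_DIR"
# where MBEANTYPES_DIR is the mbeantypes directory named in Step 9.
```

A non-zero return from sync_login_modules means a copy failed or a copied file differs from its source. Resolve that before starting the OIM Managed Server in Step 10.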