13 Migrating Oracle Adaptive Access Manager 10g Environments

This chapter describes how to migrate Oracle Adaptive Access Manager (OAAM) 10g to Oracle Adaptive Access Manager 11g Release 2 (11.1.2).

13.1 Migration Overview

The process for migrating OAAM 10g to OAAM 11.1.2 involves installing Oracle Identity and Access Management 11g Release 2 (11.1.2), configuring OAAM 11.1.2, upgrading OAAM 10g schemas, configuring the database security store, and upgrading the Oracle Adaptive Access Manager middle tier.

For more information about other migration scenarios, see Section 1.3, "Migration and Coexistence Scenarios".

13.2 Topology Comparison

Figure 13-1 compares the topologies of OAAM 10g and OAAM 11.1.2.

Figure 13-1 Comparison of OAAM 10g and OAAM 11g Topologies


13.3 Migration Roadmap

Table 13-1 provides the migration roadmap.

Table 13-1 Task Roadmap

| Task No | Task | For More Information |
|---|---|---|
| 1 | Complete the prerequisites. | See Prerequisites for Migration |
| 2 | Install Oracle Identity and Access Management 11.1.2. | See Installing Oracle Identity and Access Management 11.1.2 |
| 3 | Create the Oracle Platform Security Services (OPSS) schema and the Metadata Services (MDS) schema using Repository Creation Utility (RCU). | See Creating Oracle Platform Security Services Schema |
| 4 | Upgrade the OAAM schema. | See Upgrading OAAM 10g Schema |
| 5 | Configure OAAM 11.1.2 in a new or existing domain. | See Configuring OAAM 11.1.2 in a New or Existing Oracle WebLogic Domain |
| 6 | Configure the database security store by running the configuresecuritystore.py script. | See Configuring Database Security Store |
| 7 | Configure the Node Manager. | See Configuring Node Manager |
| 8 | Start the WebLogic Administration Server. | See Starting the WebLogic Administration Server |
| 9 | Stop the OAAM Managed Servers (OAAM Admin Server, OAAM Server, and OAAM Offline Server). | See Stopping OAAM Managed Servers |
| 10 | Upgrade the OAAM middle tier using Upgrade Assistant. | See Upgrading OAAM Middle Tier Using Upgrade Assistant |
| 11 | Start the OAAM Managed Servers (OAAM Admin Server, OAAM Server, and OAAM Offline Server). | See Starting OAAM Managed Servers |
| 12 | Verify the migration. | See Verifying the Migration |


13.4 Prerequisites for Migration

You must complete the following prerequisites for migrating Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11.1.2:

  1. Read the Oracle Fusion Middleware System Requirements and Specifications document to ensure that your environment meets the minimum requirements for the products you are installing, upgrading, and migrating.

    Note:

    For information about Oracle Fusion Middleware concepts and directory structure, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.

  2. Verify that the Oracle Adaptive Access Manager 10g version that you are using is supported for migration. For information about supported starting points for Oracle Adaptive Access Manager 10g migration, see Section 11.3, "Supported Starting Points for Oracle Adaptive Access Manager 10g Migration".

13.5 Installing Oracle Identity and Access Management 11.1.2

As part of the migration process, you must install Oracle Identity and Access Management 11g Release 2 (11.1.2).

For information about installing Oracle Identity and Access Management 11.1.2, see "Installing Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

13.6 Creating Oracle Platform Security Services Schema

Create the following schemas by running the Repository Creation Utility (RCU) 11.1.2. IAU (Audit Schema) is optional.

  • Oracle Platform Security Services (OPSS) - (mandatory)

  • Metadata Services (MDS) - (mandatory)

  • IAU (Audit Schema) - (optional)

For more information about creating schemas, see "Creating Schemas" in Using Repository Creation Utility.

13.7 Upgrading OAAM 10g Schema

You must upgrade the OAAM 10g schema to 11.1.2 using a WLST command. To do this, complete the following steps:

  1. You must update the access_upgrade.properties file available at the following location with the right database connection details:

    On UNIX: MW_HOME/IAM_HOME/common/wlst/access_upgrade.properties

    On Windows: MW_HOME\IAM_HOME\common\wlst\access_upgrade.properties

    In the access_upgrade.properties file, specify the right values for the following properties:

    • OAAM_DB_SCHEMA_USERNAME=OAAM_Database_schema_username

    • OAAM_DB_URL=OAAM_Database_URL

    • OAAM_DB_SYS_USERNAME=OAAM_DB_sys_username

    • OAAM_DB_10g=true

    where

    OAAM_Database_schema_username is the username of the OAAM database schema

    OAAM_Database_URL is the URL of the database where schemas are used. It must be specified in the format hostname:port:sid.

    OAAM_DB_sys_username is the username of the database system administrator

    You must set the value of the property OAAM_DB_10g to true, because you are upgrading OAAM 10g.

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    On UNIX:

    1. Move from your present working directory to the IAM_HOME/common/bin directory by running the following command on the command line:

      cd IAM_HOME/common/bin

    2. Run the following command to launch the WebLogic Scripting Tool (WLST):

      ./wlst.sh

    On Windows:

    1. Move from your present working directory to the IAM_HOME\common\bin directory by running the following command on the command line:

      cd IAM_HOME\common\bin

    2. Run the following command to launch the WebLogic Scripting Tool (WLST):

      wlst.cmd

  3. Run the following WLST command offline, to upgrade the OAAM 10g schema to 11.1.2:

    On UNIX:

    upgradeAccessSchema(filePath="MW_HOME/IAM_HOME/common/wlst/access_upgrade.properties")
    

    On Windows:

    upgradeAccessSchema(filePath="MW_HOME\\IAM_HOME\\common\\wlst\\access_upgrade.properties")
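
A pre-flight check for the properties file from step 1, as an added example that is not part of Oracle's tooling: it confirms that the usernames are set, that OAAM_DB_URL uses the hostname:port:sid form, and that OAAM_DB_10g is true before upgradeAccessSchema is run. The function names, the sample values (DEV_OAAM, dbhost.example.com, orcl), the plain KEY=value parsing, and the allowed SID characters are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight check for access_upgrade.properties.
# Assumes plain KEY=value lines; lines starting with '#' are comments.

# prop_value FILE KEY: print KEY's trimmed value (last assignment wins).
prop_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", k)   # also drops CR from CRLF files
            gsub(/^[ \t\r]+|[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# valid_db_url VALUE: succeed only for hostname:port:sid, port 1-65535.
# The SID character set [A-Za-z0-9_] is an assumption of this example.
valid_db_url() {
    printf '%s\n' "$1" | awk -F: '
        NF != 3 { exit 1 }
        $1 !~ /^[A-Za-z0-9._-]+$/ { exit 1 }
        $2 !~ /^[0-9]+$/ || $2 + 0 < 1 || $2 + 0 > 65535 { exit 1 }
        $3 !~ /^[A-Za-z0-9_]+$/ { exit 1 }'
}

# check_access_upgrade_props FILE: list problems on stderr, return their count.
check_access_upgrade_props() {
    cap_file=$1; cap_errors=0
    [ -r "$cap_file" ] || { echo "cannot read: $cap_file" >&2; return 1; }
    cap_fail() { echo "$cap_file: $1" >&2; cap_errors=$((cap_errors + 1)); }

    # Usernames must be set and must not still hold the guide's placeholder.
    for cap_pair in OAAM_DB_SCHEMA_USERNAME=OAAM_Database_schema_username \
                    OAAM_DB_SYS_USERNAME=OAAM_DB_sys_username; do
        cap_key=${cap_pair%%=*}; cap_ph=${cap_pair#*=}
        cap_val=$(prop_value "$cap_file" "$cap_key")
        [ -n "$cap_val" ] || cap_fail "$cap_key is missing or empty"
        [ "$cap_val" != "$cap_ph" ] || cap_fail "$cap_key still holds the placeholder"
    done

    cap_val=$(prop_value "$cap_file" OAAM_DB_URL)
    valid_db_url "$cap_val" || cap_fail "OAAM_DB_URL '$cap_val' is not hostname:port:sid"

    # Only the lowercase spelling shown in the guide is accepted here.
    [ "$(prop_value "$cap_file" OAAM_DB_10g)" = "true" ] || cap_fail "OAAM_DB_10g must be true"
    return "$cap_errors"
}

# Constructed sample with two slips: a JDBC-style URL and no OAAM_DB_10g line.
demo() {
    demo_file=$(mktemp) || return 1
    printf '%s\n' 'OAAM_DB_SCHEMA_USERNAME=DEV_OAAM' \
        'OAAM_DB_URL=jdbc:oracle:thin:@dbhost.example.com:1521:orcl' \
        'OAAM_DB_SYS_USERNAME=sys' > "$demo_file"
    check_access_upgrade_props "$demo_file" && demo_rc=0 || demo_rc=$?
    rm -f "$demo_file"
    echo "problems found: $demo_rc"
}

# With a path argument, check that file; otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then check_access_upgrade_props "$1"; else demo; fi
```

The //host:port/service form that the Upgrade Assistant accepts in Section 13.13 is rejected here, because the properties file requires hostname:port:sid.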
    

13.8 Configuring OAAM 11.1.2 in a New or Existing Oracle WebLogic Domain

After you install the software, you must configure Oracle Adaptive Access Manager 11.1.2. You can configure OAAM either in a new or in an existing domain. For more information, see "Configuring Oracle Adaptive Access Manager" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

Ensure that you specify the Oracle Adaptive Access Manager 10g database details in the screen where it prompts you to enter the Oracle Adaptive Access Manager 11g database details. You must enter the 10g credentials because there is no separate 11g database. It checks the database for a few system tables, which are not present in Oracle Adaptive Access Manager 10g database.

13.9 Configuring Database Security Store

After you configure OAAM 11.1.2 in a domain, you must run the configuresecuritystore.py script to configure the Database Security Store. For more information, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

If you have already run the configuresecuritystore.py script as part of the OAAM 11.1.2 configuration in Section 13.8, ignore this task.

13.10 Configuring Node Manager

If you wish to start and stop the Managed Servers through the WebLogic Administration console, you must configure the Node Manager, and start it. For information about configuring Node Manager, see "Configuring Node Manager to Start Managed Servers" in the Oracle Fusion Middleware Administrator's Guide.

13.11 Starting the WebLogic Administration Server

To start the WebLogic Administration Server, do the following:

On UNIX:

  1. Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory using the command:

    cd MW_HOME/user_projects/domains/domain_name/bin/
    
  2. Run the following command:

    ./startWebLogic.sh
    

    When prompted, enter the WebLogic Administration Server username and password.

On Windows:

  1. Move from your present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory using the following command on the command line:

    cd MW_HOME\user_projects\domains\domain_name\bin\
    
  2. Run the following command:

    startWebLogic.cmd
    

    When prompted, enter the WebLogic Administration Server username and password.

13.12 Stopping OAAM Managed Servers

If you have started the OAAM Admin Server, OAAM Offline Server (if present), and OAAM Server, you must stop all of them before you can upgrade the OAAM middle tier in section 13.10. To stop these servers, do the following:

On UNIX:

  1. Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory using the command:

    cd MW_HOME/user_projects/domains/domain_name/bin/
    
  2. Run the following command to stop the OAAM Admin Server:

    ./stopManagedWebLogic.sh oaam_admin_server admin_url username password
    

    In this command,

    oaam_admin_server is the name of the OAAM Admin Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    username is the username of WebLogic Administration Server.

    password is the password of WebLogic Administration Server.

  3. Run the following command to stop the OAAM Offline Server:

    ./stopManagedWebLogic.sh oaam_offline_server admin_url username password
    

    In this command,

    oaam_offline_server is the name of the OAAM Offline Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    username is the username of WebLogic Administration Server.

    password is the password of WebLogic Administration Server.

  4. Run the following command to stop the OAAM Server:

    ./stopManagedWebLogic.sh oaam_server admin_url username password
    

    In this command,

    oaam_server is the name of the OAAM Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    username is the username of WebLogic Administration Server.

    password is the password of WebLogic Administration Server.

On Windows:

  1. Move from the present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory using the following command on the command line:

    cd MW_HOME\user_projects\domains\domain_name\bin\
    
  2. Run the following command to stop the OAAM Admin Server:

    stopManagedWebLogic.cmd oaam_admin_server admin_url username password
    

    In this command,

    oaam_admin_server is the name of the OAAM Admin Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    username is the username of WebLogic Administration Server.

    password is the password of WebLogic Administration Server.

  3. Run the following command to stop the OAAM Offline Server:

    stopManagedWebLogic.cmd oaam_offline_server admin_url username password
    

    In this command,

    oaam_offline_server is the name of the OAAM Offline Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    username is the username of WebLogic Administration Server.

    password is the password of WebLogic Administration Server.

  4. Run the following command to stop the OAAM Server:

    stopManagedWebLogic.cmd oaam_server admin_url username password
    

    In this command,

    oaam_server is the name of the OAAM Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    username is the username of WebLogic Administration Server.

    password is the password of WebLogic Administration Server.

Note:

If you have more than one OAAM Server, you must stop all of them.

13.13 Upgrading OAAM Middle Tier Using Upgrade Assistant

You must upgrade the OAAM 10g middle tier using Upgrade Assistant. To do this, complete the following steps:

  1. If you have started the Oracle Adaptive Access Manager Managed Servers, they auto-generate symmetric keys required for encryption or decryption. You must delete the keys before performing middle tier upgrade. To do so, complete the following steps:

    1. Log in to Oracle Enterprise Manager using the URL:

      host:port/em

    2. Expand the WebLogic Domain on the left pane, and select the OAAM domain.

      The OAAM domain page is displayed.

    3. From the OAAM Domain, select Security, and then Credentials.

      The Credentials page is displayed.

    4. Expand oaam and delete the entries related to symmetric keys.

  2. Launch Upgrade Assistant by doing the following:

    On UNIX:

    1. Move from your present working directory to the MW_HOME/IAM_HOME/bin directory using the following command:

      cd MW_HOME/IAM_HOME/bin
      
    2. Run the following command:

      ./ua
      

    On Windows:

    1. Move from your present working directory to the MW_HOME\IAM_HOME\bin directory using the following command on the command line:

      cd MW_HOME\IAM_HOME\bin
      
    2. Run the following command:

      ua.bat
      

    The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed.

  3. Click Next.

    The Specify Operation screen is displayed.

  4. Select Upgrade Oracle Adaptive Access Manager Middle Tier.

    The options available in Upgrade Assistant are specific to the Oracle home from which it started. When you start Upgrade Assistant from an Oracle Application Server Identity Management Oracle home, the options shown on the Specify Operation screen are the valid options for an Oracle Application Server Identity Management Oracle home.

  5. Click Next.

    The Specify Source Details screen is displayed.

  6. Enter the following information:

    • Click Browse and enter the directory location for Oracle Adaptive Access Manager Adaptive Strong Authenticator Web Application 10g (ASA) and Adaptive Risk Manager Web Application 10g (ARM) applications.

    • Database Type: Select the database type from the drop-down list.

    • Connect String: Enter the name of the server where your database is running. Use one of the following formats for Oracle Database:

      //host:port/service or host:port:sid

    • Schema User Name: Enter the user name for the OAAM schema.

    • Schema Password: Enter the password for the OAAM schema.

  7. Click Next.

    The Specify WebLogic Server screen is displayed.

  8. Enter the following information about your Oracle WebLogic Server domain:

    • Host: The host name of the machine where WebLogic Administration Server is running.

    • Port: The listening port of the Administration Server. The default Administration Server port is 7001.

    • Username: The user name that is used to log in to the Administration Server. This is the same username you use to log in to the Administration Console for the domain.

    • Password: The password for the administrator account that is used to log in to the Administration Server. This is the same password you use to log in to the Administration Console for the domain.

    • Click Next.

    The Specify Upgrade Options screen is displayed.

  9. Select Start destination components after successful upgrade, and click Next.

    The Examining Components screen is displayed.

    Note:

    Ensure that Node Manager is running, before you select Start destination components after successful upgrade.

  10. Click Next.

    The Upgrade Summary screen is displayed.

  11. Click Upgrade.

    The Upgrade Progress screen is displayed. This screen provides the following information:

    • The status of the upgrade

    • Any errors or problems that occur during the upgrade

  12. Click Next.

    The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete.

  13. Click Close.

13.14 Starting OAAM Managed Servers

You must start the OAAM Managed Servers in the following order:

  1. OAAM Admin Server

  2. OAAM Offline Server, if you have configured OAAM Offline Server

  3. OAAM Server

To start these servers, do the following:

On UNIX:

  1. Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory using the command:

    cd MW_HOME/user_projects/domains/domain_name/bin/
    
  2. Run the following command to start the OAAM Admin Server:

    ./startManagedWebLogic.sh oaam_admin_server admin_url
    

    In this command,

    oaam_admin_server is the name of the OAAM Admin Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    When prompted, enter the username and password of the WebLogic Administration Server.

  3. Run the following command to start the OAAM Offline Server:

    ./startManagedWebLogic.sh oaam_offline_server admin_url
    

    In this command,

    oaam_offline_server is the name of the OAAM Offline Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    When prompted, enter the username and password of the WebLogic Administration Server.

  4. Run the following command to start the OAAM Server:

    ./startManagedWebLogic.sh oaam_server admin_url
    

    In this command,

    oaam_server is the name of the OAAM Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    When prompted, enter the username and password of the WebLogic Administration Server.

On Windows:

  1. Move from the present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory using the command:

    cd MW_HOME\user_projects\domains\domain_name\bin\
    
  2. Run the following command to start the OAAM Admin Server:

    startManagedWebLogic.cmd oaam_admin_server admin_url
    

    In this command,

    oaam_admin_server is the name of the OAAM Admin Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    When prompted, enter the username and password of the WebLogic Administration Server.

  3. Run the following command to start the OAAM Offline Server:

    startManagedWebLogic.cmd oaam_offline_server admin_url
    

    In this command,

    oaam_offline_server is the name of the OAAM Offline Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    When prompted, enter the username and password of the WebLogic Administration Server.

  4. Run the following command to start the OAAM Server:

    startManagedWebLogic.cmd oaam_server admin_url
    

    In this command,

    oaam_server is the name of the OAAM Server.

    admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.

    When prompted, enter the username and password of the WebLogic Administration Server.

Note:

Make sure that the OAAM Admin Server is running before you start the OAAM Server.

13.15 Verifying the Migration

To verify if the OAAM 10g migration was successful, do the following:

  1. Log in to the administration console of Oracle Adaptive Access Manager 11.1.2, using the administration server username and password, and verify whether the OAAM 10g artifacts are migrated to OAAM 11g. Use the following URL to log in to the OAAM Admin Server:

    http://host:port/oaam_admin
    

    where

    host is the machine on which OAAM Admin Server is running

    port is the port number of the OAAM Admin Server

  2. Create a user, and assign the Investigator role. Log in to the OAAM Admin Server with this user, and verify that you see the Investigator UI successfully.

    For more information about creating OAAM users, see "Creating OAAM Users" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.