Oracle® Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2)

Part Number E28183-10

6 Upgrading Oracle Identity Manager 11g Release 1 (11.1.1.5.0) Environments

This chapter describes how to upgrade your existing Oracle Identity Manager 11g Release 1 (11.1.1.5.0) environment to Oracle Identity Manager 11g Release 2 (11.1.2).

This chapter contains the following sections:

Read the Oracle Fusion Middleware System Requirements and Specifications document to ensure that your environment meets the minimum requirements for the products you are installing or upgrading.

6.1 Feature Comparison

Table 6-1 lists the key differences in functionality between Oracle Identity Manager 11g Release 1 (11.1.1.5.0) and Oracle Identity Manager 11g Release 2 (11.1.2).

Table 6-1 Features Comparison

| Oracle Identity Manager 11g Release 1 (11.1.1.5.0) | Oracle Identity Manager 11g Release 2 (11.1.2) |
|---|---|
| Separate interfaces for end-user self-service and delegated administration. | A unified interface for end-user self-service and delegated administration. |
| Search for access items, such as roles, entitlements, or applications through a complex set of menus. | OIM users can navigate to the OIM catalog directly, search for access items, and submit a request. They can also associate metadata with each of the access items. |
| Incomprehensible resource and IT resource names that make the access request process difficult. | Intuitive, easy-to-understand resource names through an abstraction named Application Instances, which are a combination of an IT resource instance and a resource object. |
| Manual, tedious process of creating and configuring disconnected applications. | Simplified onboarding of disconnected applications that enables system integrators to create and manage access to disconnected applications. |
| Users' access controlled by request templates granted to users, based on their role membership. | A user's access is controlled by a combination of the end user's publishing and the access items' publishing in organizations. |
| OIM-specific user interface to administer end user "authorization policies". | Authorization Policy Manager, a standards-based UI, used to administer authorization policies. This standardized UI allows administrators to administer and manage policies across the Oracle Identity Management suite of products. |
| Evaluation of access policies for each user as soon as the user is updated. | Evaluation of access policies in a fixed set of time intervals when the Evaluate User Policies scheduled job is run. |


6.2 Upgrade Roadmap for Oracle Identity Manager

The procedure for upgrading Oracle Identity Manager 11.1.1.5.0 to 11.1.2 involves the following high-level steps:

  1. Pre-Upgrade Steps: This step involves tasks like generating the pre-upgrade report, analyzing the report and performing the necessary pre-upgrade tasks described in the report, shutting down the servers, backing up the 11.1.1.5.0 environment and so on.

  2. Upgrading the Oracle Home and Database Schemas: This step involves tasks like upgrading Oracle SOA Suite, upgrading 11.1.1.5.0 Oracle Home to 11.1.2, creating Oracle Platform Security Services schema using Repository Creation Utility, upgrading Oracle Platform Security Services, configuring the security store, upgrading Oracle Identity Manager using Patch Set Assistant and so on.

  3. Upgrading the Oracle Identity Manager Middle Tier: This step involves tasks like upgrading Oracle Identity Manager middle tier, starting the servers, patching the Oracle Identity Manager MDS metadata and so on.

  4. Upgrading Other Oracle Identity Manager Installed Components: This step involves tasks like upgrading Oracle Identity Manager Design Console, Oracle Identity Manager Remote Manager, and configuring BI Publisher Reports.

  5. Post-Upgrade Steps: This step involves the post-upgrade tasks like enabling Oracle Identity Manager - Oracle Access Manager integration, upgrading user UDF, customizing event handlers, upgrading SOA composites and so on.

Table 6-2 lists the steps to upgrade Oracle Identity Manager 11.1.1.5.0.

Note:

If you do not follow the exact sequence provided in this task table, your Oracle Identity Manager upgrade may not be successful.

Table 6-2 Upgrade Flow

| Sl No | Task | For More Information |
|---|---|---|
| | Pre-Upgrade Steps | |
| 1 | Review the changes in the features of Oracle Identity Manager 11.1.2. | See Feature Comparison |
| 2 | Generate the pre-upgrade report by running the PreUpgradeReport utility. | See Generating the Pre-Upgrade Report |
| 3 | Analyze the report and complete the pre-upgrade actions described in the report. | See Analyzing Pre-Upgrade Report |
| 4 | Empty the oimProcessQueue JMS queue to ensure that JMS messages are processed before you start upgrading. | See Emptying the oimProcessQueue JMS Queue |
| 5 | Complete all of the pre-requisite tasks. | See Other Prerequisites |
| 6 | Shut down all servers. This includes Administration Server, SOA Managed Servers, and Oracle Identity Manager Managed Servers. | See Shutting Down Administration Server and Managed Servers |
| 7 | Back up your environment. | See Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.5.0) |
| 8 | Ensure that the JRF is upgraded. | See Ensuring That JRF is Upgraded |
| | Upgrading the Oracle Home and Database Schemas | |
| 9 | Optional - Upgrade Oracle WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6. | See Optional: Upgrading Oracle WebLogic Server |
| 10 | Upgrade SOA suite used by Oracle Identity Manager. | See Upgrading Oracle SOA Suite Used by Oracle Identity Manager |
| 11 | Upgrade 11.1.1.5.0 Oracle Home to 11.1.2. | See Upgrading Oracle Identity Manager 11g Release 2 (11.1.2) |
| 12 | Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load OPSS schema for Oracle Identity and Access Management products. | See Creating Oracle Platform Security Services Schema |
| 13 | Extend your Oracle Identity Manager 11.1.1.5.0 domain with the OPSS template. | See Extending Oracle Identity Manager 11.1.1.5.0 Component Domains with OPSS Template |
| 14 | Upgrade Oracle Platform Security Services. | See Upgrading Oracle Platform Security Services |
| 15 | Run the configuresecuritystore.py script to configure policy stores. | See Configuring OPSS Security Store |
| 16 | Upgrade Oracle Identity Manager using the Patch Set Assistant. | See Upgrading Oracle Identity Management Schemas Using Patch Set Assistant |
| 17 | Start the WebLogic Administration Server. | See Starting the Administration Server and SOA Managed Servers |
| | Upgrading the Oracle Identity Manager Middle Tier | |
| 18 | Set Oracle Identity Manager Environment variables. | See Setting Environment Variables |
| 19 | Upgrade Oracle Identity Manager Middle Tier. | See Upgrading Oracle Identity Manager Middle Tier |
| 20 | Verify the Oracle Identity Manager Middle Tier Upgrade. | See Verifying Oracle Identity Manager Middle Tier Upgrade |
| 21 | Change the deployment order of Oracle Identity Manager from 47 to 48. | See Changing the Deployment Order of Oracle Identity Manager EAR |
| 22 | Restart the Administration Server and SOA Managed Servers. | See Restarting the Administration Server and SOA Managed Server |
| 23 | Patch the Oracle Identity Manager MDS metadata by starting the Oracle Identity Manager Managed Servers. | See Patching Oracle Identity Management MDS Metadata |
| | Upgrading Other Oracle Identity Manager Installed Components | |
| 24 | Upgrade Oracle Identity Manager Design Console. | See Upgrading Oracle Identity Manager Design Console |
| 25 | Upgrade Oracle Identity Manager Remote Manager. | See Upgrading Oracle Identity Manager Remote Manager |
| 26 | Configure BI Publisher Reports. | See Configuring BI Publisher Reports |
| | Post-Upgrade Steps | |
| 27 | Complete the post-upgrade steps. | Post upgrade tasks include the following: |
| 28 | Verify the upgrade. | See Verifying the Upgrade |


6.3 Pre-Upgrade

This section contains the following topics:

6.3.1 Generating the Pre-Upgrade Report

The PreUpgradeReport utility analyzes your existing Oracle Identity Manager 11.1.1.5.0 environment and provides information about the mandatory prerequisites that you must complete before you upgrade the 11.1.1.5.0 environment. The pre-upgrade report covers invalid approval policies, requests and event handlers that are affected by the upgrade, the mandatory database components that must be installed before the upgrade, cyclic groups in the LDAP directory, deprecated authorization policies, and potential issues in creating application instances.

You must run the PreUpgradeReport utility before you begin the upgrade process, and address all the issues listed as part of this report with the solution provided in the report. Run this report until no pending issues are listed in the report.

Note:

It is important to address all the issues listed in the pre-upgrade report before you proceed with the upgrade, because the upgrade might fail if the issues are not fixed.

Download the pending transaction report utility, as described in the My Oracle Support document ID 1471905.1.

Run generatePreUpgradeReport.sh on UNIX, or generatePreUpgradeReport.bat on Windows, and provide the following details:

  • Oracle Identity Manager schema JDBC URL

    [jdbc:oracle:thin:@hostname:portnumber/service name]

  • Oracle Identity Manager schema username

  • Oracle Identity Manager schema password

  • MDS schema JDBC URL

    [jdbc:oracle:thin:@hostname:portnumber/service name]

  • MDS schema User Name

  • MDS schema Password

  • Database Administrator username

  • SYSDBA password

  • Enter report output directory

6.3.2 Analyzing Pre-Upgrade Report

The pending transaction report utility generates seven different reports, which include the information outlined in Table 6-3.

Note:

You must review all the reports, and perform the tasks described in each of the reports.

Table 6-3 Pre-Upgrade Utility Reports

| Report Name | Description | For More Information |
|---|---|---|
| index.html | The index.html provides links to all the seven reports generated by the pre-upgrade utility. | - |
| APPROVALPOLICYPreUpgradeReport.html | This report lists the request approval policies that have a rule defined on a nonexistent template. | See Section 6.3.2.1, "Description of APPROVALPOLICYPreUpgradeReport.html Report". |
| AUTHORIZATIONPOLICYPreUpgradeReport.html | This report lists all of the invalid authorization policies. Oracle Identity Manager 11.1.2 does not use the authorization policies created in Oracle Identity Manager 11.1.1.5.0. Therefore, all of the authorization policies created in Oracle Identity Manager 11.1.1.5.0 are invalid in this release. | See Section 6.3.2.2, "Description of AUTHORIZATIONPOLICYPreUpgradeReport.html Report". |
| CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html | This report detects the list of cyclic groups in LDAP. The report includes a list of cyclic groups and instructions to remove cyclic dependency. It is mandatory to remove all cyclic dependencies running in the Oracle Identity Manager 11.1.1.5.0 environment. | See Section 6.3.2.3, "Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report". |
| EVENT_HANDLERPreUpgradeReport.html | This report captures all user customizations related to Event Handler in Oracle Identity Manager 11.1.1.5.0. | See Section 6.3.2.4, "Description of EVENT_HANDLERPreUpgradeReport.html Report". |
| ORACLE_TEXTPreUpgradeReport.html | This report lists the mandatory Database components that need to be installed before you proceed with the upgrade. | See Section 6.3.2.5, "Description of ORACLE_TEXTPreUpgradeReport.html Report". |
| PROVISIONINGPreUpgradeReport.html | This report lists the potential application instance creation issues. | See Section 6.3.2.6, "Description of PROVISIONINGPreUpgradeReport.html Report". |
| REQUESTPreUpgradeReport.html | This report lists any invalid requests and the actions to be taken. | See Section 6.3.2.7, "Description of REQUESTPreUpgradeReport.html Report". |


6.3.2.1 Description of APPROVALPOLICYPreUpgradeReport.html Report

The report APPROVALPOLICYPreUpgradeReport.html lists the invalid approval policies. This report contains the following sections:

This report also contains an additional note on approval policy based on deprecated request type. You must review the report completely, before you start upgrading the Oracle Identity Manager 11.1.1.5.0 environment.

6.3.2.1.1 Approval Policy rule defined on template

This section lists the Oracle Identity Manager 11.1.1.5.0 approval policies whose rules are defined based on the request template. The Request templates feature is not supported in Oracle Identity Manager 11.1.2. Therefore, if your Oracle Identity Manager 11.1.1.5.0 contains approval policies that have rules based on a request template, you must reconfigure the request approval policies by following the steps described in the report.

6.3.2.1.2 List of Approval Polices which needs to be updated with custom approval process

This section lists the 11.1.1.5.0 approval policies that need to be associated with a different approval process before you start the upgrade process.

The approval processes default/ResourceAdministratorApproval and default/ResourceAuthorizerApproval are not supported in 11.1.2. Therefore, if your Oracle Identity Manager 11.1.1.5.0 contains approval policies that use these approval processes, you must associate them with a different approval process.

6.3.2.1.3 Approval policy based on unsupported request type

This section provides information about the request types that are not supported in 11.1.2.

The following 11.1.1.5.0 request types are not supported in 11.1.2, and they are changed to non-self request type in 11.1.2:

  • Self Assign Roles

  • Modify Self Profile

  • Self Remove Roles

  • Self De-Provision Resource

  • Self Modify Provisioned Resource

  • Self-Request Resource

The mapping of self-request types to non-self request types is shown in Table 6-4.

Table 6-4 Mapping of Self request type to Non-Self request type

| Self Request Type | Non-Self Request Type |
|---|---|
| Self-Request Resource | Provision Resource |
| Self Modify Provisioned Resource | Modify Provisioned Resource |
| Self Remove Roles | Remove from Roles |
| Modify Self Profile | Modify User Profile |
| Self De-Provision Resource | De-Provision Resource |
| Self Assign Roles | Assign Roles |


6.3.2.2 Description of AUTHORIZATIONPOLICYPreUpgradeReport.html Report

The report AUTHORIZATIONPOLICYPreUpgradeReport.html lists the deprecated authorization policies.

Oracle Identity Manager 11.1.2 uses a new authorization policy framework that is standards based, and is used by the entire Oracle stack. Any changes made to authorization policies in Oracle Identity Manager 11.1.1.5 must be reapplied post upgrade.

You must review the table in this report that lists the authorization policies of the 11.1.1.5.0 environment that are deprecated in 11.1.2.

6.3.2.3 Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report

The report CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html provides information about the Cyclic groups in LDAP directory.

Oracle Identity Manager 11.1.2 does not support cyclic groups in the LDAP directory. Therefore, you must remove the cyclic dependency from Oracle Identity Manager 11.1.1.5.0 setup before you proceed with the upgrade. For more information about removing the cyclic groups dependent on LDAP, see Removing Cyclical Groups Dependent on LDAP. The procedure for removing cyclic groups is also described in this report.

Removing Cyclical Groups Dependent on LDAP

If the LDAP in your Oracle Identity Manager 11.1.1.5.0 environment has cyclic groups loaded, you must remove the cyclic groups by doing the following:

  1. Use JXplorer or Softerra LDAP Administrator and navigate to the cyclic groups.

  2. Look for uniquemember attribute.

  3. Remove all values from the attribute.

  4. Save the group.

  5. Run LDAPConfigPostSetup.sh on UNIX and LDAPConfigPostSetup.bat on Windows to sync data from LDAP to Oracle Identity Manager database.

Example Scenario

If you have cyclic group dependency between two groups: Group1 and Group2, do the following to remove cyclic dependency:

  1. Connect to LDAP using JXplorer or Softerra LDAP Administrator.

  2. Go to the group container of Group1.

  3. Go to the uniquemember attribute under Group1.

  4. Remove the value of Group2, from unique members, and save the change made.

  5. Run LDAPConfigPostSetup.sh on UNIX and LDAPConfigPostSetup.bat on Windows to synchronize data from LDAP to Oracle Identity Manager database.
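As an added illustration (not Oracle's pre-upgrade utility and not code from this guide), the following Python example finds cyclic group memberships in an LDIF export of the group container and lists the uniquemember values whose removal breaks each cycle. The sample LDIF, the DNs, and all function names are constructed for this example; DN comparison is simplified to lower-casing and trimming spaces around commas, so escaped commas inside an RDN are not handled.

```python
"""Find cyclic group membership in an LDIF export of LDAP groups."""
import base64

# Constructed sample: Group1 and Group2 contain each other (the scenario above);
# Group3 nests Group1 but is not itself part of a cycle.
SAMPLE_LDIF = """\
version: 1

dn: cn=Group1,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Group1
uniqueMember: cn=Group2,cn=Groups,dc=example,dc=com
uniqueMember: cn=alice,cn=Users,dc=example,dc=com

dn: cn=Group2,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Group2
uniquemember: CN=Group1, cn=Groups,dc=example,dc=com

dn: cn=Group3,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Group3
uniqueMember: cn=Group1,cn=Groups,dc=example,dc=com
uniqueMember: cn=bob,cn=Users,
 dc=example,dc=com
"""


def normalize_dn(dn):
    """Simplified DN normalization (assumption: no escaped commas in RDNs)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def unfold(ldif_text):
    """Join LDIF continuation lines (lines starting with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_groups(ldif_text):
    """Return {entry DN: set of uniquemember DNs} for every entry in the export."""
    groups, current = {}, None
    for line in unfold(ldif_text):
        if not line.strip():              # blank line ends the current entry
            current = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = normalize_dn(value)
            groups[current] = set()
        elif attr == "uniquemember" and current is not None:
            groups[current].add(normalize_dn(value))
    return groups


def find_cycles(groups):
    """Depth-first search; each back edge found closes one reported cycle."""
    white, grey, black = 0, 1, 2
    colour = dict.fromkeys(groups, white)

    def nested(dn):
        # Only members that are themselves entries in the export can nest.
        return iter(sorted(m for m in groups[dn] if m in groups))

    cycles = []
    for root in sorted(groups):
        if colour[root] != white:
            continue
        colour[root] = grey
        path, stack = [root], [nested(root)]
        while stack:
            nxt = next(stack[-1], None)
            if nxt is None:               # all members visited: leave this group
                colour[path.pop()] = black
                stack.pop()
            elif colour[nxt] == grey:     # member is an ancestor: cycle found
                cycles.append(path[path.index(nxt):] + [nxt])
            elif colour[nxt] == white:
                colour[nxt] = grey
                path.append(nxt)
                stack.append(nested(nxt))
    return cycles


def edges_to_remove(cycles):
    """(group, member) pairs: the uniquemember value that closes each cycle."""
    return [(cycle[-2], cycle[-1]) for cycle in cycles]


if __name__ == "__main__":
    found = find_cycles(parse_groups(SAMPLE_LDIF))
    for cycle in found:
        print("cycle:", " -> ".join(cycle))
    for group, member in edges_to_remove(found):
        print(f"remove uniquemember '{member}' from '{group}'")
```

Removing every reported value leaves the nesting graph without cycles; after editing the directory, export again and rerun the check before synchronizing with LDAPConfigPostSetup.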

6.3.2.4 Description of EVENT_HANDLERPreUpgradeReport.html Report

The report EVENT_HANDLERPreUpgradeReport.html provides information about event handlers. When you upgrade Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2, the customizations made to the out-of-the-box (OOTB) event handler XMLs in 11.1.1.5.0 are not preserved in 11.1.2. All the customizations defined in a separate (non-OOTB) XML in 11.1.1.5.0 are preserved in 11.1.2. You must redo all the customizations that are not preserved after upgrading to 11.1.2. This report contains the following sections:

Refer to the table in the report for more details about the event handlers.

6.3.2.4.1 New Event Handler Added by the customer in the OOTB(11.1.1.5.0) Event Handler Metadata XML

This section provides information about the new event handlers added in the OOTB (11.1.1.5.0).

The event handler newly added in the OOTB (11.1.1.5.0) Event Handler Metadata XML will not be available after you upgrade to 11.1.2. Oracle Identity Manager 11.1.2 event handlers will replace the 11.1.1.5.0 event handlers. Therefore, you must add the event handler again in a new file after the upgrade.

Note:

Do not add a new event handler to the same OOTB Event Handler XML. You must create a new XML and add the new event handler to it.

6.3.2.4.2 OOTB(11.1.1.5.0) Event Handler modified by the Customer

This section provides information about the event handlers that are modified in the OOTB (11.1.1.5.0).

You must redo all the customizations that you did to the event handlers in OOTB (11.1.1.5.0), after you upgrade Oracle Identity Manager 11.1.1.5.0 to 11.1.2.

6.3.2.4.3 OOTB(11.1.1.5.0) Event Handler deleted by Customer

This section provides information about the event handlers that were deleted in OOTB (11.1.1.5.0).

The deleted event handlers are restored after you upgrade to 11.1.2. Therefore, you must delete them again as per requirement.

6.3.2.5 Description of ORACLE_TEXTPreUpgradeReport.html Report

The report ORACLE_TEXTPreUpgradeReport.html provides information about the installation status of the mandatory database components.

Before you upgrade Oracle Identity Manager 11.1.1.5.0 to 11.1.2, you must install certain Database components. The table in this report lists the database components that need to be installed before you upgrade. The table also shows the status of the installation, and the solution. Review the table, and perform the actions required.

6.3.2.6 Description of PROVISIONINGPreUpgradeReport.html Report

The report PROVISIONINGPreUpgradeReport.html lists the potential application instances creation issues. The report contains the following sections:

6.3.2.6.1 Provisioning, Entitlement, and Access Policy Configuration Details

This section describes the steps you must complete before you upgrade Oracle Identity Manager 11.1.1.5.0 to 11.1.2. These steps are related to provisioning, entitlement, and access policy configuration. Complete all the steps described in this section of the report.

6.3.2.6.2 List of Resource Objects without Process Form

This section provides information about the resource objects in Oracle Identity Manager 11.1.1.5.0 that do not have a process form. Each resource object must have a process form associated with it. Therefore, if a resource object is not associated with a process form, you must associate the resource object with a process form before you start the upgrade process. Review the table in this section of the report, which lists the details of the resource objects without a process form.

6.3.2.6.3 List of Resource Objects without ITResource field Type in Process Form

This section provides information about the resource objects without ITResource field type in their respective process forms. Review the table in this section of the report, which contains more details. If your Oracle Identity Manager 11.1.1.5.0 has resource objects without ITResource field in their process forms, do the following:

  1. Create an appropriate IT resource definition.

  2. Create an IT resource instance of that definition, corresponding to the target that is being provisioned.

  3. Edit the process form and add a field of type "ITResource" to the process form. Set the following properties:

    Type=IT Resource definition created in step-1

    ITResource=true

  4. Activate the form.

  5. Update the IT resource field on existing provisioned accounts using FVC Utility.

  6. Once the above steps are completed, you can create application instances corresponding to the Resource Object+ITResource combination.

6.3.2.6.4 List of Resource Objects with multiple ITResource Lookup fields in Process Form

This section provides information about the resource objects that have multiple lookup fields in their process form. In the Oracle Identity Manager 11.1.1.5.0 environment, if you have resource objects with multiple ITResource set in the process form, you must set the value of the property ITResource Type to true for at least one of the attributes.

6.3.2.6.5 List of Access Policies without ITResource value set in default policy data

This section lists the access policies for which the ITResource values of the resource objects should be set in the default policy data. The table in this section lists the access policies in Oracle Identity Manager 11.1.1.5.0 for which the ITResource field is missing. You must set the value of the ITResource field for each access policy listed in the table.

6.3.2.6.6 List of Access Policies with Revoke If No Longer Applies flag unchecked

This section lists the access policies that have the Revoke If No Longer Applies (RNLA) flag unchecked. The table in this section contains the list of access policies that will be updated to Disable If No Longer Applies during upgrade. The table also indicates if tasks for enable, disable, and revoke actions are not defined for these policies. You must add the missing tasks before you proceed with the upgrade. Also, if you want the behavior of the policy to change to RNLA checked, you must check the RNLA flag for the respective policy.

6.3.2.6.7 List of Entitlements stored in Lookup definitions that do not have IT Resource Key in the lookup encode value

This section lists entitlements stored in lookup definitions that do not have the IT Resource Key prepended to their encoded values using "~". Entitlements stored in lookup definitions need the IT Resource Key prepended to the encoded values using "~". Review the table in this section of the pre-upgrade report, which contains more details.

6.3.2.7 Description of REQUESTPreUpgradeReport.html Report

The report REQUESTPreUpgradeReport.html lists requests that are affected because of the upgrade. This report contains the following sections:

6.3.2.7.1 Requests with unsupported request stages

This section lists the requests that are in one of the following unsupported request stages:

  • Obtaining Template Approval

  • Template Approval Approved

  • Template Approval Rejected

  • Template Approval Auto Approved

Manual intervention is required to move these requests to the next stage by approving, withdrawing, or closing such requests. Otherwise, requests are moved to request closed stage as part of the upgrade.

Review the list of requests that are in the unsupported request stage.

6.3.2.7.2 Requests which will be automatically changed to corresponding non-self request type

This section lists the requests that are based on one of the following request types, which will be changed to the corresponding non-self request type after the upgrade:

  • Self Assign Roles

  • Modify Self Profile

  • Self Remove Roles

  • Self De-Provision Resource

  • Self Modify Provisioned Resource

  • Self-Request Resource

Request types for these requests are automatically changed to the corresponding non-self request type as part of the upgrade.

Self-request type mapping to non-self request type is shown in Table 6-5:

Table 6-5 Mapping of Self-Request Type to Non-Self Request Type

| Self Request Type | Non-Self Request Type |
|---|---|
| Self-Request Resource | Provision Resource |
| Self Modify Provisioned Resource | Modify Provisioned Resource |
| Self Remove Roles | Remove from Roles |
| Modify Self Profile | Modify User Profile |
| Self De-Provision Resource | De-Provision Resource |
| Self Assign Roles | Assign Roles |


6.3.3 Ensuring That getPlatformTransactionManager() Method is Not Used in Custom Code

Ensure that the method getPlatformTransactionManager() is not used in the custom event handler code, as this method is not available in 11.1.2.

If you are using the method getPlatformTransactionManager() in the custom event handler code, set the attribute tx to TRUE in the event handler XML definition.

For more information on setting the attributes in the event handler XML definition, see "Defining Custom Events Definition XML" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

6.3.4 Emptying the oimProcessQueue JMS Queue

Offline Provisioning is not supported in Oracle Identity Manager 11.1.2 because it is no longer needed in that release.

Empty the oimProcessQueue JMS queue to ensure that JMS messages are processed before you start upgrading. To do so, complete the following:

  1. Shut down applications to prevent end users, SPML, and API clients from accessing Oracle Identity Manager offline provisioning.

  2. Monitor the oimProcessQueue JMS queue from the WebLogic Administration Console and allow Oracle Identity Manager to run until the oimProcessQueue JMS queue is empty.

6.3.5 Other Prerequisites

Complete the following checks and settings before you begin upgrading:

  • Check if oracle.soa.worklist.webapp is targeted to the Oracle Identity Manager server in 11.1.1.5.0. If not, target it to the Oracle Identity Manager Managed Server.

  • The OOTB applications in Oracle Identity Manager are deployed in NO_STAGE mode. Check if oracle.idm.uishell is in No Stage mode. If oracle.idm.uishell is in Stage mode, you must re-deploy it.

    Complete the following steps to change the mode to No Stage:

    1. Set the WL_HOME and OIM_HOME.

    2. Undeploy oracle.idm.uishell by running the following command:

      java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -undeploy -name oracle.idm.uishell

    3. Deploy oracle.idm.uishell in No Stage mode by running the following command:

      java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -deploy -name oracle.idm.uishell -source $OIM_HOME/modules/oracle.idm.uishell_11.1.1/oracle.idm.uishell.war -nostage -library -targets AdminServer,$OIM_SERVER_NAME

  • Ensure that all pending requests are addressed before you upgrade.

  • In case of a migrated, upgraded, or restored database in the Oracle Identity Manager environment, you must synchronize all the Oracle Identity Manager Schema Privileges (SYSTEM and OBJECT Grants) from the source to the target (restored) schema by doing the following:

    1. Capture the OIM Database Schema user constituent grants from the source schema by executing the following SQLs as SYS database user:

      • SELECT DBMS_METADATA.GET_GRANTED_DDL ('SYSTEM_GRANT','<OIM_Schema_Name>') FROM DUAL;

      • SELECT DBMS_METADATA.GET_GRANTED_DDL ('OBJECT_GRANT', '<OIM_Schema_Name>') FROM DUAL;

    2. In the schema restoration phase prior to schema upgrade, execute the grants output of the SQLs captured in step-1, as post schema restoration step.

    3. Recompile any INVALID objects in the OIM schema using the following steps:

      a. Identify INVALID schema objects as SYS user by running the following SQL:

      SELECT owner,object_type,object_name,status FROM dba_objects WHERE status = 'INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;

      b. Compile the INVALID schema objects using any appropriate method. The following is an example of compiling INVALID schema objects by executing UTL_RECOMP as the SYS user for the OIM schema:

      BEGIN
        UTL_RECOMP.recomp_serial('<OIM_Schema_Name>');
      END;
      /

      Repeat step-a until there are no INVALID objects.

    Note:

    For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 1, see My Oracle Support document ID 1359656.1.

    For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 2, see My Oracle Support document ID 1492129.1.

6.3.6 Ensuring That JRF is Upgraded

Before starting the upgrade process, you must ensure that Java Required Files (JRF) is upgraded. To do this, complete the following steps:

  1. Log in to the WebLogic Administration console using the following URL:

    http://host:port/console

    In this URL, host refers to the name of the host on which WebLogic Administration Server is running, and port refers to the port number.

  2. Click Deployments on the left navigation pane for the OIM_Domain.

  3. Ensure that the following libraries are present:

    • oracle.adf.desktopintegration(1.0,11.1.1.2.0)

    • oracle.adf.desktopintegration.model(1.0,11.1.1.2.0)

    • oracle.bi.adf.model.slib(1.0,11.1.1.2.0)

    • oracle.bi.adf.view.slib(1.0,11.1.1.2.0)

    • oracle.bi.adf.webcenter.slib(1.0,11.1.1.2.0)

    • oracle.bi.composer(11.1.1,0.1)

    • oracle.bi.jbips(11.1.1,0.1)

    If the above libraries are not present, you must upgrade JRF. For more information about upgrading JRF, see "Updating Fusion Middleware Shared Libraries" in the Oracle Fusion Middleware Patching Guide.

6.3.7 Shutting Down Administration Server and Managed Servers

The upgrade process involves changes to the binaries and to the schema. Therefore, before you begin the upgrade process, you must shut down the Managed Servers and the Administration Server.

To shut down the Servers, do the following:

Stopping Managed Servers

To stop the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to stop the servers:

    ./stopManagedWebLogic.sh <server_name> <admin_url> <user_name> <password>

    where

    <server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to stop the Managed Servers:

    stopManagedWebLogic.cmd <server_name> <admin_url> <username> <password>

    where

    <server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <username> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

For more information, see "Stopping the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Stopping the Administration Server

To stop the Administration Server, do the following:

On UNIX:

Run the following command:

cd <MW_HOME>/user_projects/domains/<domain_name>/bin

./stopWebLogic.sh

On Windows:

Run the following command:

cd <MW_HOME>\user_projects\domains\<domain_name>\bin

stopWebLogic.cmd

6.3.8 Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.5.0)

You must back up your old Oracle Identity Manager 11.1.1.5.0 environment before you upgrade to Oracle Identity Manager 11g Release 2 (11.1.2).

After stopping the servers, back up the following:

  • MW_HOME directory, including the Oracle Home directories inside Middleware Home

  • Domain Home directory

  • Oracle Identity Manager schemas

  • MDS schema

  • ORASDPM schema

  • SOAINFRA schemas

For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.

6.4 Upgrade Procedure

This section describes the tasks involved in the upgrade process, such as upgrading the Oracle Identity Manager and Oracle SOA Suite 11.1.1.5.0 binaries, creating 11.1.2 schemas, configuring the security store, upgrading the Oracle Identity Manager middle tier, and verifying the upgrade. Perform the tasks in this section after you complete all the prerequisites described in the Pre-Upgrade section.

This section contains the following topics:

6.4.1 Optional: Upgrading Oracle WebLogic Server

Note:

Upgrading Oracle WebLogic Server is not mandatory. However, Oracle recommends that you upgrade Oracle WebLogic Server to 10.3.6.

You can upgrade WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6 by using the WebLogic 10.3.6 Upgrade Installer. Complete the following steps:

  1. Download the WebLogic 10.3.6 Upgrade Installer from Oracle Technology Network.

    For more information, see "Downloading an Upgrade Installer From My Oracle Support" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

  2. Run the Upgrade Installer in graphical mode to upgrade your WebLogic Server.

    For more information, see "Running the Upgrade Installer in Graphical Mode" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

6.4.2 Upgrading Oracle SOA Suite Used by Oracle Identity Manager

You must update your existing Oracle SOA 11.1.1.5.0 to Oracle SOA 11.1.1.6.0. To do so, complete the tasks listed in Table 6-6:

Table 6-6 Tasks to Update SOA

| Task | For More Information |
|---|---|
| Obtain the Oracle SOA Suite 11.1.1.6.0 installer. | See Oracle Fusion Middleware Download, Installation, and Configuration ReadMe. |
| Start the installer. | See "Start the Installer" in the Oracle Fusion Middleware Patching Guide. |
| Upgrade SOA to the latest version. | See "Patch Set Installer Instructions" in the Oracle Fusion Middleware Patching Guide. |
| Upgrade your SOA schemas using Patch Set Assistant. | See Upgrading Schemas using Patch Set Assistant. |
| Perform post-patching tasks only after starting the Administration Server and the SOA Managed Servers as described in Section 6.4.9, "Starting the Administration Server and SOA Managed Servers". Do not perform the post-patching tasks for SOA until you complete all the tasks up to Section 6.4.9. | See "Post-Patching Tasks" for Oracle SOA Suite. |


6.4.2.1 Upgrading Schemas using Patch Set Assistant

This section consists of the following topics:

6.4.2.1.1 Checking Your Database and Schemas

Before running Patch Set Assistant, you should make sure that your database is running and that the schemas are supported. To check this, run the following SQL command:

SELECT OWNER, VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY;

If the number in the "VERSION" column is 11.1.1.5.0, then the schema is supported for upgrade.

6.4.2.1.2 Starting Patch Set Assistant

To start Patch Set Assistant, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/oracle_common/bin directory by running the following command on the command line:

    cd <MW_HOME>/oracle_common/bin

  2. Run the following command:

    ./psa

On Windows:

  1. Move from your present working directory to the <MW_HOME>\oracle_common\bin directory by running the following command on the command line:

    cd <MW_HOME>\oracle_common\bin

  2. Execute the following command:

    psa.bat

6.4.2.1.3 Using the Patch Set Assistant Graphical Interface

Note:

Even if you upgrade your schemas from 11.1.1.5.0 to 11.1.2, you will see the Patch Set Assistant version number as 11.1.1.6.1 on the Welcome screen.

This is not an error. The discrepancy is caused by a difference between how Patch Set Assistant and Identity Access Management releases are tracked internally.

After starting the Patch Set Assistant Installer, follow the instructions on the screen to update your schemas.

Follow the instructions in Table 6-7 to update your schemas:

Table 6-7 Patch Set Assistant Screens

| Screen | Description |
|---|---|
| Welcome | This page introduces you to the Patch Set Assistant. |
| Select Component | Select the top-level component you want to upgrade. |
| Prerequisite | Verify that you have satisfied the database prerequisites. |
| Schema | Specify your database credentials to connect to your database, then select the schema you want to update. Note that this screen appears once for each schema that must be updated as a result of the component you selected on the Select Component screen. |
| Examine | This page displays the status of the Patch Set Assistant as it examines each component schema. Verify that your schemas have a "successful" indicator in the Status column. |
| Upgrade Summary | Verify that the schemas are the ones you want to upgrade. |
| Upgrade Progress | This screen shows the progress of the schema upgrade. |
| Upgrade Success | Once the upgrade is successful, you get this screen. |


6.4.2.1.4 Verifying Schema Upgrade

You can verify the schema upgrade by checking the log files. The Patch Set Assistant writes log files in the following locations:

On UNIX:

<MW_HOME>/oracle_common/upgrade/logs/psa/psatimestamp.log

On Windows:

<MW_HOME>\oracle_common\upgrade\logs\psa\psatimestamp.log

Some components create a second log file named psatimestamp.out in the same location.

The timestamp reflects the actual date and time when Patch Set Assistant was run.

If any failures occur when running Patch Set Assistant, you can use these log files to help diagnose and correct the problem. Do not delete them. You can alter the contents of the log files by specifying a different -logLevel from the command line.

Some of the operations performed by Patch Set Assistant may take longer to complete than others. If you want to see the progress of these long operations, you can see this information in the log file, or you can use the following query:

SELECT VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE OWNER='schema_name';

In the query results, the STATUS field is either UPGRADING or UPGRADED during the schema patching operation, and becomes VALID when the operation is completed.

6.4.3 Upgrading Oracle Identity Manager 11g Release 2 (11.1.2)

To upgrade Oracle Identity Manager, you must use the Oracle Identity and Access Management 11g Release 2 (11.1.2) Installer. During the procedure, point the Middleware Home to your existing 11.1.1.5.0 Middleware Home. Your Oracle Home is upgraded from 11.1.1.5.0 to 11.1.2.

This section contains the following topics:

6.4.3.1 Obtaining the Software

For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.

6.4.3.2 Starting the Oracle Identity and Access Management 11g Release 2 (11.1.2) Installer

This topic explains how to start the Oracle Identity and Access Management 11.1.2 Installer.

Notes:

  • If you are installing on an IBM AIX operating system, you must run the rootpre.sh script from the Disk1 directory before you start the Installer.

  • Starting the Installer as the root user is not supported.

Start the Installer from the location where you extracted the contents of the installer (for example, <unzipped_folder>/Disk1) by doing the following:

On UNIX:

Run the following command:

./runInstaller -jreLoc <complete path to the JRE directory>

For example:

./runInstaller -jreLoc <MW_HOME>/jdk160_29/jre

On Windows:

Run the following command:

setup.exe -jreLoc <complete path to the JRE directory>

For example:

setup.exe -jreLoc <MW_HOME>\jdk160_29\jre

Note:

If you do not specify the -jreLoc option on the command line when using the Oracle JRockit JDK, the following warning message is displayed:

-XX:MaxPermSize=512m is not a valid VM option. Ignoring

This warning message does not affect the installation. You can continue with the installation.

On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, the jrockit_1.6.0_29 directory is not created under your Middleware Home. You must enter the absolute path to the JRE folder from where your JDK is located.

6.4.3.3 Installing Oracle Identity and Access Management 11g Release 2 (11.1.2)

Use the Oracle Identity and Access Management 11.1.2 Installer to upgrade Oracle Identity Management 11.1.1.5.0 to Oracle Identity Management 11.1.2:

  1. After you start the Installer, the Welcome screen appears.

  2. Click Next on the Welcome screen. The Install Software Updates screen appears. Select whether or not you want to search for updates. Click Next. The Prerequisite Checks screen appears. If all prerequisite checks pass inspection, click Next. The Specify Installation Location screen appears.

  3. On the Specify Installation Location screen, point the Middleware Home to your existing 11.1.1.5.0 Middleware Home installed on your system.

  4. In the Oracle Home Directory field, specify the path of the existing Oracle Identity and Access Management Home. This directory is also referred to as <IAM_HOME> in this book.

    Click Next. The Installation Summary screen appears.

  5. The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether you want to proceed with the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing Oracle Identity and Access Management, click Install. The Installation Progress screen appears. Click Next.

    Note:

    If you cancel or abort when the installation is in progress, you must manually delete the <IAM_HOME> directory before you can reinstall the Oracle Identity and Access Management software.

    To invoke online help at any stage of the installation process, click Help on the installation wizard screens.

  6. The Installation Complete screen appears. On the Installation Complete screen, click Finish.

    This installation process copies the 11.1.2 Oracle Identity and Access Management software to your system.

For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

6.4.4 Creating Oracle Platform Security Services Schema

You must create the Oracle Platform Security Services (OPSS) schema using Repository Creation Utility (RCU), because the Oracle Identity Manager upgrade process involves OPSS schema policy store changes. Keys, roles, permissions, and other artifacts used by the applications must migrate to the policy store.

To create OPSS schema using Repository Creation utility, do the following:

  1. Obtain the RCU.

    For information about obtaining the RCU software, see "Obtaining RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  2. Start the RCU.

    For information about starting the RCU, see "Starting RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  3. Create the OPSS schema.

    For information about creating schemas, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

    Note:

    In the Select Components screen, expand AS Common Schemas and select Oracle Platform Security Services. Make sure you do not select any other components.

    The Metadata Services schema is selected automatically. Deselect it and ignore the following message:

    Following components require Metadata Services schema: Oracle Platform Security Services.

6.4.5 Extending Oracle Identity Manager 11.1.1.5.0 Component Domains with OPSS Template

Oracle Identity Manager 11.1.2 uses the database to store Oracle Entitlements Server policies. This requires extending the 11.1.1.5.0 Oracle Identity Manager domain to include the OPSS data source.

To do so, complete the following steps:

  1. Run the following command to launch the Oracle Fusion Middleware configuration wizard:

    On UNIX:

    ./config.sh

    It is located in the <MW_HOME>/<Oracle_IDM1>/common/bin directory.

    On Windows:

    config.cmd

    It is located in the <MW_HOME>\<Oracle_IDM1>\common\bin directory.

  2. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.

  3. On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured the components. Click Next. The Select Extension Source screen is displayed.

  4. On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next.

  5. The Configure JDBC Data Sources screen is displayed. Configure the opssDS data source, as required. After the test succeeds, the Configure JDBC Component Schema screen is displayed.

  6. On the Configure JDBC Component Schema screen, select the Oracle Platform Security Services schema.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.

    The Test JDBC Component Schema screen is displayed. After the test succeeds, the Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything, because you have already configured these in your Oracle Identity Manager 11.1.1.5.0 environment. Click Next.

  8. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

Your existing Oracle Identity Manager domain is extended to support Oracle Platform Security Services (OPSS).

6.4.6 Upgrading Oracle Platform Security Services

To upgrade Oracle Platform Security Services (OPSS) schema, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/oracle_common/common/bin directory by running the following command on the command line:

    cd <MW_HOME>/oracle_common/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. At the WLST prompt, run the following command:

    upgradeOpss(jpsConfig="existing_jps_config_file", jaznData="system_jazn_data_file")

    For example:

    upgradeOpss(jpsConfig="<MW_HOME>/user_projects/domains/<DOMAIN>/config/fmwconfig/jps-config.xml",jaznData="<MW_HOME>/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml")

  4. Exit the WLST console using the exit() command.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\oracle_common\common\bin directory by running the following command on the command line:

    cd <MW_HOME>\oracle_common\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. At the WLST prompt, run the following command:

    upgradeOpss(jpsConfig="existing_jps_config_file", jaznData="system_jazn_data_file")

    For example:

    upgradeOpss(jpsConfig="<MW_HOME>\\user_projects\\domains\\base_domain\\config\\fmwconfig\\jps-config.xml",jaznData="<MW_HOME>\\oracle_common\\modules\\oracle.jps_11.1.1\\domain_config\\system-jazn-data.xml")

  4. Exit the WLST console using the exit() command.

Table 6-8 describes the parameters you need to specify on the command line:

Table 6-8 Parameters for Upgrading OPSS

| Parameter | Description |
|---|---|
| jpsConfig | Specify the path to the jps-config.xml file in your 11.1.2 installation. For example, on UNIX: <MW_HOME>/user_projects/domains/base_domain/config/fmwconfig/jps-config.xml. On Windows: <MW_HOME>\user_projects\domains\base_domain\config\fmwconfig\jps-config.xml. |
| jaznData | Specify the path to the system-jazn-data.xml file in your 11.1.2 installation. For example, on UNIX: <MW_HOME>/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml. On Windows: <MW_HOME>\oracle_common\modules\oracle.jps_11.1.1\domain_config\system-jazn-data.xml. |


6.4.7 Configuring OPSS Security Store

You must configure the database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2). This is done by running the configureSecurityStore.py script.

For information about configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

6.4.8 Upgrading Oracle Identity Management Schemas Using Patch Set Assistant

You must upgrade the Oracle Identity Manager schema using Patch Set Assistant (PSA). When you select the Oracle Identity Manager schema, PSA automatically selects all dependent schemas and upgrades them too.

Complete the tasks listed in Table 6-9 to upgrade your schemas:

Table 6-9 Upgrade Oracle Identity Manager Schemas Using PSA

| Task | For More Information |
|---|---|
| Check the database and schemas in your system. | See Checking Your Database and Schemas. |
| Start the Patch Set Assistant to run the Installer. | See Starting Patch Set Assistant. |
| Use the Patch Set Assistant's graphical interface to upgrade your schemas to the current version. | See Using the Patch Set Assistant Graphical Interface. |
| Verify the schemas you have upgraded. | See Verifying Schema Upgrade and Version Numbers After Upgrading Schemas. |


6.4.8.1 Version Numbers After Upgrading Schemas

Run the following query and ensure that the version numbers are upgraded, as listed in Table 6-10:

SELECT VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE OWNER='<SCHEMA_NAME>';

Table 6-10 Component Version Numbers After Upgrading the Schemas

| Component | Version No. |
|---|---|
| APM | 11.1.1.3.0 |
| MDS | 11.1.1.6.0 |
| Oracle Identity Manager | 11.1.2.0.0 |
| ORASDPM | 11.1.1.2.0 |
| SOAINFRA | 11.1.1.6.0 (Make sure that you have upgraded SOA schemas as described in Section 6.4.2.1, "Upgrading Schemas using Patch Set Assistant") |
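
The version check described here and in "Verifying Schema Upgrade" can be scripted. The following is an added example, not part of the Oracle guide: it reads rows of the OWNER, VERSION, STATUS, UPGRADED query (for example, spooled to a file) and reports every schema that is missing, not at its Table 6-10 version, or not yet VALID. The TEST_* owner names and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: compare SCHEMA_VERSION_REGISTRY rows with Table 6-10.

# Expected versions from Table 6-10, one "OWNER VERSION" pair per line.
# The TEST_* owner names are constructed; use your own schema owners.
EXPECTED='TEST_APM 11.1.1.3.0
TEST_MDS 11.1.1.6.0
TEST_OIM 11.1.2.0.0
TEST_ORASDPM 11.1.1.2.0
TEST_SOAINFRA 11.1.1.6.0'

# Constructed query output (OWNER VERSION STATUS UPGRADED), as it might look
# while the SOAINFRA schema is still being patched.
SAMPLE_ROWS='OWNER          VERSION     STATUS     UPGRADED
-------------- ----------- ---------- --------
TEST_APM       11.1.1.3.0  VALID      N
TEST_MDS       11.1.1.6.0  VALID      Y
TEST_OIM       11.1.2.0.0  VALID      Y
TEST_ORASDPM   11.1.1.2.0  VALID      N
TEST_SOAINFRA  11.1.1.5.0  UPGRADING  N'

# check_schema_versions EXPECTED_LIST < rows
# Prints one line per problem. Returns 0 only if every expected owner is
# present, at the expected version, with STATUS VALID. Header lines and rows
# for other owners are ignored.
check_schema_versions() {
    EXPECTED_LIST="$1" awk '
        BEGIN {
            n = split(ENVIRON["EXPECTED_LIST"], line, "\n")
            for (i = 1; i <= n; i++)
                if (split(line[i], f, " ") == 2)
                    want[toupper(f[1])] = f[2]
        }
        NF >= 3 && (toupper($1) in want) {
            owner = toupper($1)
            seen[owner] = 1
            if ($2 != want[owner]) {
                printf "MISMATCH %s: version %s, expected %s\n", owner, $2, want[owner]
                bad = 1
            }
            # STATUS is UPGRADING or UPGRADED while patching, VALID when done.
            if (toupper($3) != "VALID") {
                printf "NOT_VALID %s: status %s\n", owner, $3
                bad = 1
            }
        }
        END {
            for (owner in want)
                if (!(owner in seen)) {
                    printf "MISSING %s\n", owner
                    bad = 1
                }
            exit (bad ? 1 : 0)
        }'
}

# Demonstration on the constructed rows above.
printf '%s\n' "$SAMPLE_ROWS" | check_schema_versions "$EXPECTED" ||
    echo "Schema upgrade is not complete; see the lines above."
```
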


6.4.9 Starting the Administration Server and SOA Managed Servers

Note:

Do not start the Oracle Identity Manager Managed Servers.

After the upgrade is complete, start the WebLogic Administration Server, the Administration Server for the domain that contains Oracle Identity Management, and SOA Managed Servers.

Starting the Administration Server

To start the Administration Server, do the following:

On UNIX:

Run the following command:

cd <MW_HOME>/user_projects/domains/<domain_name>/bin

./startWebLogic.sh

On Windows:

Run the following command:

cd <MW_HOME>\user_projects\domains\<domain_name>\bin

startWebLogic.cmd

Starting Managed Servers

To start the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to start the SOA Managed Servers:

    ./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to start the SOA Managed Servers:

    startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

6.4.10 Setting Environment Variables

You must set environment variables before you upgrade the Oracle Identity Manager middle tier. Follow the steps described in Table 6-11 to set the environment variables.

Table 6-11 Environment Variables for Oracle Identity Manager

| Environment Variable | Values |
|---|---|
| MW_HOME | Specify the path to the Oracle Identity Manager's Middleware Home. For example, on UNIX, it is located in the /oracle/Middleware directory. On Windows, it is located in the \oracle\Middleware directory. |
| WL_HOME | Specify the path to the Oracle WebLogic Server home. For example, on UNIX, it is located in the oracle/Middleware/wlserver_10.3 directory. On Windows, it is located in the oracle\Middleware\wlserver_10.3 directory. |
| JAVA_HOME | Specify the path to the Java home. For example, on UNIX, it is located in the <MW_HOME>/jdk160_29/ directory. On Windows, it is located in the <MW_HOME>\jdk160_29\ directory. |
| OIM_HOME | Specify the path to the Oracle Identity Manager 11g Release 1 (11.1.1.5.0) Server home. For example, on UNIX, it is located in the <MW_HOME>/<Oracle_IDM1>/ directory. On Windows, it is located in the <MW_HOME>\<Oracle_IDM1>\ directory. |
| SOA_HOME | Specify the path to the SOA Home. For example, on UNIX, it is located in the <MW_HOME>/<Oracle_SOA1>/ directory. On Windows, it is located in the <MW_HOME>\<Oracle_SOA1>\ directory. |


6.4.11 Upgrading Oracle Identity Manager Middle Tier

This section contains the following topics:

6.4.11.1 Additional Task for Windows 64-Bit Users Before Upgrading Middle Tier

If you are running the upgrade on a 64-bit Windows platform, complete the following task to run the Middle Tier upgrade successfully:

  1. Add a JAVA_HOME entry to the environment variable pointing to a JDK installation, not to a JRE installation.

    Note:

    This path should contain no spaces; otherwise, use the short form, such as C:\Progra~1\Java\jdk1.6.0_29.

  2. Hard code the value of JAVA_HOME in <WL_HOME>\server\bin\setWLSEnv.cmd file to avoid any Middle Tier upgrade failures.

6.4.11.2 Upgrading Oracle Identity Manager Middle Tier Using Property File

Note:

The execution is reentrant: if it is interrupted at any point, it resumes with correct execution.

To upgrade Oracle Identity Manager Middle Tier using property file, complete the following steps:

On UNIX:

  1. Move from your present working directory to the <OIM_HOME>/server/bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>/server/bin

  2. Change the path to <OIM_ORACLE_HOME>/bin.

  3. Open the following file in a text editor:

    oim_upgrade_input.properties

  4. Add the parameters, as listed in Table 6-12.

  5. Move from your present working directory to the <MW_HOME>/Oracle_IDM1/server/bin directory by running the following command on the command line:

    cd <MW_HOME>/Oracle_IDM1/server/bin

  6. Run the following command:

    ./OIMUpgrade.sh

    Note:

    The following warning is displayed:

    [WARN ][jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN ][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

On Windows:

  1. Move from your present working directory to the <OIM_HOME>\server\bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>\server\bin

  2. Change the path to <OIM_ORACLE_HOME>\bin.

  3. Open the following file in a text editor:

    oim_upgrade_input.properties

  4. Add the parameters, as listed in Table 6-12.

  5. Move from your present working directory to the <MW_HOME>\<OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:

    cd <MW_HOME>\<OIM_ORACLE_HOME>\server\bin

  6. Run the following command:

    OIMUpgrade.bat

    Note:

    The following warning is displayed:

    [WARN ][jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN ][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

Table 6-12 Oracle Identity Manager Middle Tier Upgrade Parameters

| Parameter | Description |
|---|---|
| oim.jdbcurl | Specify the Oracle Identity Manager JDBC URL. |
| oim.oimschemaowner | Specify the Oracle Identity Manager schema owner. |
| oim.oimmdsjdbcurl | Specify the MDS JDBC URL. |
| oim.mdsschemaowner | Specify the MDS schema owner name. |
| oim.adminhostname | Specify the Oracle WebLogic Server Administration host name. |
| oim.adminport | Specify the Oracle WebLogic Server Administration port. |
| oim.adminUserName | Specify the username that is used to log in to the Oracle WebLogic Server Administration Console. |
| oim.soahostmachine | Specify the SOA host name where SOA Server is running. |
| oim.soaportnumber | Specify the SOA Server port. |
| oim.soausername | Specify the SOA Managed Server username. |
| oim.domain | Specify the Oracle Identity Manager domain location. |


Example Parameters

oim.jdbcurl=db.example.com:5521/dbmode.example.com
oim.oimschemaowner=test_oim23
oim.oimmdsjdbcurl=db.example.com:5521/dbmode.example.com
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=<oim_host>:<oim_port>
oim.adminUserName=weblogic
oim.soahostmachine=<oim_soa_host>:<oim_soa_port>
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/<MW_HOME>/user_projects/domains/<base_domain>

6.4.11.3 Upgrading Oracle Identity Manager Middle Tier on the Command Line

You can also upgrade Oracle Identity Manager Middle Tier by running the OIMUpgrade command on the Command Line Interface (CLI):

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/<OIM_ORACLE_HOME>/server/bin directory by running the following command on the command line:

    cd <MW_HOME>/<OIM_ORACLE_HOME>/server/bin

  2. Run the following command:

    ./OIMUpgrade.sh <oim_connection_string> <oim_schema_owner_name> <mds_connection_string> <mds_schema_owner_name> <admin_hostname> <admin_port> <admin_username> <soa_host_machine_name> <soa_port_number> <soa_username> <domain_location_directory>

    Specify the parameters, as listed in Table 6-12.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\<OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:

    cd <MW_HOME>\<OIM_ORACLE_HOME>\server\bin

  2. Run the following command:

    OIMUpgrade.bat <oim_connection_string> <oim_schema_owner_name> <mds_connection_string> <mds_schema_owner_name> <admin_hostname> <admin_port> <admin_username> <soa_host_machine_name> <soa_port_number> <soa_username> <domain_location_directory>

    Specify the parameters, as listed in Table 6-12.

6.4.12 Verifying Oracle Identity Manager Middle Tier Upgrade

Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:

  1. Verify the log files at the following location, by looking for error or warning messages:

    On UNIX:

    <OIM_HOME>/server/upgrade/logs/MT

    On Windows:

    <OIM_HOME>\server\upgrade\logs\MT

    The following log files are generated:

    • ant_JRF.log

    • ant_PatchClasspath.log

    • OIMUpgrade<timestamp>.log

    • SeedSchedulerData.log

    No error message is displayed if the middle tier upgrade was successful.

  2. OIMUpgrade.sh creates a detailed report. Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:

    1. Go to the following path:

      On UNIX:

      <Oracle_IDM1>/server/upgrade/logs/MT/oimUpgradeReportDir

      On Windows:

      <Oracle_IDM1>\server\upgrade\logs\MT\oimUpgradeReportDir

    2. Click index.html.

      This page contains a list of all Oracle Identity Manager features and the upgrade status of the last middle tier run, in a table format.

    3. Click on the corresponding link of each feature for a detailed feature report.

    Table 6-13 Middle Tier Upgrade Report

    Feature Name Description
     

    index.html

    This report provides a list of features and their upgrade status, from the last run.

    Access the detailed feature report through the corresponding link on each feature.

    PatchDomain

    PS1R2UPG.PatchDomain.html

    This report provides details of all domain related changes during the upgrade process.

    The changes are:

    • New EAR or shared libraries deployed during the upgrade process.

    • New server resources.

    • Foreign JNDI Provider Creation.

    • Application of upgrade template for creating the following resources:

      • New data sources

        For example:

        Application DBDS

      • jrf-async queues

    • Domain Classpath Upgrade.

    • OPSS upgrade.

    • JRF upgrade.

    ROLE_RULE_MEMB

    PS1R2UPG.ROLE_RULE_MEMB.html

    This report provides details of roles processed on the basis of Search Rule, prepared from Rule Elements, defined in the Rules.

    REQUEST_STAGES

    PS1R2UPG.REQUEST_STAGES.html

    The following request stages are no longer supported:

    • Obtaining Template Approval

    • Template Approval Approved

    • Template Approval Rejected

    • Template Approval Auto Approved

    This report lists the following:

    • Requests for unsupported request stages, processed during upgrade.

    • Tasks associated to request with unsupported request stages, processed during upgrade.

    • SOA tasks associated to request with unsupported request stages, processed during upgrade.

    ReconUpgrade

    PS1R2UPG.ReconUpgrade.html

    This report lists object names processed during upgrade with names of the associated Horizontal Table Name, Recon Profile Name, and Entity Definition Name.

    SOAUpgrade

    NA

    New OOTB SOA Composites deployed:

    • sca_DisconnectedProvisioning_rev1.0.jar

    • sca_DefaultSODApproval_rev1.0.jar

    Scheduler

    NA

    This report lists the addition of the following Task Definitions and Scheduler Jobs:

    • Account Application Instance Update Task.

    • Catalog Synchronization Task.

    • Application Instance Post Delete Processing Task.

    • Entitlement Post Delete Processing Task.

    ACCESSPOLICY

    PS12R2UPG.ACCESSPOLICY.html

    This report provides a list of access policy names and the corresponding resource objects, processed during upgrade along with DNLA flag value.

    Set the value as 1 if DNLA is set, 0 if RNLA is set.

    MDSNSUpdate

    NA

    Oracle Identity Manager metadata present in Oracle Identity Manager MDS is updated with the latest namespace to keep it in consonance with changes in the XSD schemas.

    OIMConfig

    NA

    Oracle Identity Manager Application configuration, kept in the metadata location /db/oim-config.xml, is updated as per the latest configuration changes in Oracle Identity Manager 11.1.2.

    CONTEXT

    NA

    DDL changes in the ORCHPROCESS table.

    Data from the old context columns (ContextId) is transformed and moved to new context column (ContextVal).


6.4.13 Changing the Deployment Order of Oracle Identity Manager EAR

You must change the deployment order of oim.ear from 47 to 48. Complete the following steps to do so:

  1. Log in to the WebLogic console.

  2. Click Deployments in the left pane.

  3. Click oim.ear.

  4. Update the deployment order from 47 to 48, and then click Save.

6.4.14 Restarting the Administration Server and SOA Managed Server

To restart the Administration Server and Managed Servers, you must stop them before starting them again.

To stop the servers, see Shutting Down Administration Server and Managed Servers.

To start the servers, see Starting the Administration Server and SOA Managed Servers.

Things to Check on the WebLogic Console After Starting the Administration Server

  • Check the new data source added:

    1. Log in to the WebLogic console.

    2. Click Data Sources.

    3. Verify the data source given below:

      | Name | Type | JNDI Name | Targets |
      |---|---|---|---|
      | oimApplicationDBDS | Generic | jdbc/ApplicationDBDS | oim_server1 |


  • Check for SOA Foreign JNDI provider

    1. Log in to the WebLogic console.

    2. Click Foreign JNDI Providers.

    3. Verify the existence of the Foreign JNDI provider given below:

      | Name | Initial Context Factory | Provider URL | User | Targets |
      |---|---|---|---|---|
      | ForeignJNDIProvider-SOA | weblogic.jndi.WLInitialContextFactory | t3://celvpint8901.eg.abc.com:<port number> | WebLogic | oim_server1 |


  • Check the order of the EARs

    1. Log in to the WebLogic console.

    2. Click Deployments.

    3. Verify the deployment order of each of the following deployments:

      | Name | State | Health | Type | Deployment Order |
      |---|---|---|---|---|
      | oim (11.1.1.3.0) | Active | OK | Enterprise Application | 48 |
      | OIMAppMetadata (11.1.2.0.0) | Active | OK | Enterprise Application | 47 |
      | OIMMetadata (11.1.1.3.0) | Active | OK | Enterprise Application | 46 |
      | oracle.iam.console.identity.sysadmin.ear (V2.0) | Active | OK | Enterprise Application | 406 |
      | oracle.iam.console.identity.self-service.ear (V2.0) | Active | OK | Enterprise Application | 405 |
      | oracle.iam.ui.custom(11.1.1,11.1.1) | Active | | Library | 404 |
      | oracle.iam.ui.oia-view(11.1.1,11.1.1) | Active | | Library | 403 |
      | oracle.iam.ui.view(11.1.1,11.1.1) | Active | | Library | 402 |
      | oracle.iam.ui.model(1.0,11.1.1.5.0) | Active | | Library | 401 |


6.4.15 Patching Oracle Identity Management MDS Metadata

Oracle Identity Manager 11.1.1.5.0 MDS metadata must be upgraded to Oracle Identity Manager 11.1.2 MDS metadata. Starting the Oracle Identity Manager Managed Servers patches the MDS metadata.

To start the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to start the Servers:

    ./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to start the Managed Servers:

    startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Verifying MDS Patch

Check MDS reports in the following location:

On UNIX:

<OIM_ORACLE_HOME>/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html

On Windows:

<OIM_ORACLE_HOME>\server\logs\MDS_REPORT_DIRECTORY\MDSReport.html

6.4.16 Upgrading Oracle Identity Manager Design Console

The Oracle Identity Manager Design Console is used to configure system settings that control the system-wide behavior of Oracle Identity Manager and affect its users. The Design Console allows you to perform user management, resource management, process management, and other administration and development tasks. For more information about the Design Console, see "Design Console Overview" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Oracle recommends that you install Oracle Identity Manager and the Design Console in different directory paths, regardless of whether the Design Console is on the same system as the Oracle Identity Management server.

To upgrade Design Console, complete the following steps:

  1. Back up the following files:

    • On UNIX, $<XLDC_HOME>/xlclient.sh

    • $<XLDC_HOME>/config/xlconfig.xml

    • On Windows, <XLDC_HOME>\xlclient.cmd

    • <XLDC_HOME>\config\xlconfig.xml

  2. Run the Oracle Identity and Access Management 11.1.2 Installer to upgrade the Design Console home <XLDC_HOME>.

    For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Restore the backed up files in the upgraded Design Console home.

  4. Build and copy the wlfullclient.jar file as follows:

    1. Go to WebLogic_Home/server/lib directory on UNIX and WebLogic_Home\server\lib directory on Windows.

    2. Set the JAVA_HOME environment variable and add the JAVA_HOME variable to the PATH environment variable.

      For example, you can set the JAVA_HOME to the jdk160_21 directory inside the Middleware home.

    3. Run the following command to build the wlfullclient.jar file:

      java -jar <MW_HOME>/modules/com.bea.core.jarbuilder_1.7.0.0.jar

    4. Copy the wlfullclient.jar file to the <IAM_HOME> where you installed the Design Console. For example:

      On UNIX:

      cp wlfullclient.jar <Oracle_IDM2>/designconsole/ext

      On Windows:

      copy wlfullclient.jar <Oracle_IDM2>\designconsole\ext

6.4.17 Upgrading Oracle Identity Manager Remote Manager

Complete the following steps to upgrade Remote Manager:

  1. Back up configuration files

    Before starting the Remote Manager upgrade, back up the following Remote Manager configuration files:

    • On UNIX, $<XLREMOTE_HOME>/remotemanager.sh

    • $<XLREMOTE_HOME>/xlremote/config/xlconfig.xml file.

    • On Windows, <XLREMOTE_HOME>\remotemanager.bat

    • <XLREMOTE_HOME>\xlremote\config\xlconfig.xml file.

  2. Run the Oracle Identity and Access Management Installer to upgrade the Remote Manager home.

    For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Restore configuration files.

    Restore the backed up configuration files in the upgraded Remote Manager home.

6.4.18 Configuring BI Publisher Reports

Complete the following steps to configure the BI Publisher Reports:

  1. Obtain the reports bundle oim_product_BIP11gReports_11_1_2_0_0.zip from the following location:

    MW_HOME/IAM_HOME/server/reports/oim_product_BIP11gReports_11_1_2_0_0.zip

  2. Unzip oim_product_BIP11gReports_11_1_2_0_0.zip at the following location:

    IAM_HOME/Middleware/user_projects/domains/domain_name/config/bipublisher/repository/Reports/

  3. Configure reports by following the instructions in "Configuring Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

6.5 Post-Upgrade Steps

This section contains the following topics:

6.5.1 After You Upgrade

After upgrading from Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2:

  • The names of the following EARs remain unchanged from Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2:

    • Oracle Identity Manager Metadata (11.1.1.3.0)

    • Oracle Identity Manager (11.1.1.3.0)

    There is no functional loss.

  • Resource Object flags are not supported in Oracle Identity Manager 11.1.2. Update all non-system resources with the following values:

    • Allow All: True

    • Provision By Object Admin Only: False

    • Self Request Allowed: True

  • All of the resources provisioned to an organization in Oracle Identity Manager 11.1.1.5.0 are available in Provisioned Accounts after upgrading to Oracle Identity Manager 11.1.2. To view them, complete the following steps:

    1. Connect to the Oracle Identity Manager Identity console.

    2. Go to Administration.

    3. Select Organizations.

    4. Search for organizations.

    5. Select any organization.

    6. Go to Provisioned Accounts to see all Oracle Identity Manager 11.1.1.5.0 based resources, provisioned to an organization.

  • In Oracle Identity Manager 11.1.1.5.0, data object permission was shown in the Administration Console under Roles.

    In Oracle Identity Manager 11.1.2, data object permission is not shown.

  • Oracle Identity Manager 11.1.2 based Oracle Identity Manager reports are supported in BI Publisher 11g.

6.5.2 Validating the Database Objects

If you are using Oracle Database, you must check for the INVALID schema objects, and compile them if there are any. To do this, complete the following steps:

  1. Identify the INVALID schema objects by running the following SQL query as SYS user:

    SELECT owner,object_type,object_name,status FROM dba_objects WHERE status='INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;

  2. If there are any INVALID schema objects, you must compile them by connecting to the database as SYS user, and running the following from SQL*Plus:

    @<$Oracle_Database_Home_Location>/rdbms/admin/utlrp.sql

    After running utlrp.sql, run the SQL query described in step 1 again to ensure that there are no INVALID database objects.

6.5.3 Creating sysadmin Key

After you upgrade OIM 11.1.1.5.0 to 11.1.2, you must manually create the sysadmin key using Oracle Enterprise Manager console. To do this, complete the following steps:

  1. Log in to the Oracle Enterprise Manager console using the following URL:

    http://<host>:<port>/em

  2. Select Farm_base_domain.

  3. Expand WebLogic Domain on the Target Navigation pane.

  4. Click base_domain.

  5. Click on the WebLogic Domain drop-down list.

  6. Click Security, and then click Credentials.

  7. Select oracle.wsm.security.

  8. Click Create Key.

  9. Specify the right values for the following fields:

    • Select Map: Select oracle.wsm.security for this field.

    • *Key: Specify OIMAdmin.

    • Type: Select Password.

    • *User Name: Specify the username of the system administrator. For example, xelsysadm.

    • *Password: Specify the password of the system administrator.

    • *Confirm Password: Retype the password to confirm.

  10. Click OK.

6.5.4 Impact of Removing Approver-Only Attribute in Request Data Set

Removing approver-only attribute in the Request Data Set results in the following:

  • Before upgrade: The requester cannot see attributes marked approver-only='true' during request submission.

    After upgrade: The requester must provide the value during request submission.

  • You must manually add LDAP Sync Validation Handler. To do so, complete the following steps:

    1. Export the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      exportAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

    2. Add the following section to the EventHandlers.xml file by editing it in a text editor, and then save the file:

      <validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="MODIFY" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">

      </validation-handler>

      <validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="CREATE" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">

      </validation-handler>

    3. Import the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      importAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

  • You must manually remove the RDN pre-process handler. To do so, complete the following steps:

    1. Export the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      exportAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

    2. Remove the following section from the EventHandlers.xml file by editing it in a text editor, and then save the file:

      <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">

      </action-handler>

      <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="MODIFY" name="ModifyUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">

      </action-handler>

    3. Import the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      importAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

  • If you have any custom validation handlers in your environment, ensure that the validation is re-entrant. For more information, see "Writing Custom Validation Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  • If you have any custom user name policy configured in your environment, see "Writing Custom User Name Policy" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager to ensure the following:

    • Use the recommended oracle.iam.identity.usermgmt.api.UserNameGenerationPolicy interface to implement policy, instead of using oracle.iam.identity.usermgmt.api.UserNamePolicy.

    • Ensure that the custom user name policy returns the same user login when the approver updates an attribute that does not contribute to generating the user login.
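
A pre-import check for the two EventHandlers.xml edits in this section (the added LDAP Sync validation handlers and the removed RDN pre-process handlers). This is an added example, not Oracle tooling; the function name, the sample documents, the root element and its namespace are constructed for illustration, while the class names and attribute values are the ones given in the steps above.

```python
import xml.etree.ElementTree as ET

PKG = "oracle.iam.ldapsync.impl.eventhandlers.user."
VALIDATION_CLASS = PKG + "UserCommonNameValidationHandler"
RDN_CLASS = PKG + "RDNPreProcessHandler"
OPERATIONS = ("CREATE", "MODIFY")
# Attribute values this section gives for both validation-handler entries.
EXPECTED_ATTRS = {
    "entity-type": "User",
    "name": "UserCommonNameValidationHandler",
    "order": "1005",
    "sync": "TRUE",
}

# Constructed sample: an export before the manual edits. The root element
# and its namespace are placeholders, not the real OIM schema.
BEFORE_EDIT = """<eventhandlers xmlns="urn:example:constructed">
  <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration"
      class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler"
      entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler"
      stage="preprocess" sync="TRUE" order="10000"/>
  <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration"
      class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler"
      entity-type="User" operation="MODIFY" name="ModifyUserRDNPreProcessHandler"
      stage="preprocess" sync="TRUE" order="10000"/>
</eventhandlers>"""

# Constructed sample: the same file after both edits have been made.
AFTER_EDIT = """<eventhandlers xmlns="urn:example:constructed">
  <validation-handler
      class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler"
      entity-type="User" operation="MODIFY" name="UserCommonNameValidationHandler"
      order="1005" sync="TRUE"/>
  <validation-handler
      class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler"
      entity-type="User" operation="CREATE" name="UserCommonNameValidationHandler"
      order="1005" sync="TRUE"/>
</eventhandlers>"""


def local_name(tag):
    """Drop an XML namespace: '{ns}validation-handler' -> 'validation-handler'."""
    return tag.rsplit("}", 1)[-1]


def check_event_handlers(xml_text):
    """Return a list of problems; an empty list means the file matches the steps."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A hand edit that breaks well-formedness (for example a missing space
        # between two attributes) is caught here, before any import is tried.
        return ["not well-formed XML: {}".format(exc)]

    problems = []
    found = {op: [] for op in OPERATIONS}
    for el in root.iter():
        cls = el.get("class")
        if cls == RDN_CLASS:
            problems.append("RDN pre-process handler still present: {} ({})".format(
                el.get("name"), el.get("operation")))
        elif cls == VALIDATION_CLASS and local_name(el.tag) == "validation-handler":
            if el.get("operation") in found:
                found[el.get("operation")].append(el)

    for op in OPERATIONS:
        handlers = found[op]
        if not handlers:
            problems.append("missing validation-handler for operation {}".format(op))
            continue
        if len(handlers) > 1:
            problems.append("duplicate validation-handler for operation {}".format(op))
        for attr, want in EXPECTED_ATTRS.items():
            got = handlers[0].get(attr)
            if got != want:
                problems.append("validation-handler for {}: {}={!r}, expected {!r}".format(
                    op, attr, got, want))
    return problems


if __name__ == "__main__":
    for label, text in (("before edit", BEFORE_EDIT), ("after edit", AFTER_EDIT)):
        result = check_event_handlers(text)
        print(label, "->", "OK" if not result else result)
```

Run the check on the edited file before importAccessData; a non-empty list means the file does not yet match the steps above.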

6.5.5 Changes to Request API After Upgrading to Oracle Identity Manager 11g Release 2 (11.1.2)

As part of the Oracle Identity Manager 11g Release 2 (11.1.2) architecture, the RequestService and UnauthenticatedRequestService APIs have changed both in usage and in the concepts involved. The Request Template concept is no longer part of Oracle Identity Manager 11g Release 2 (11.1.2), and some methods in these APIs are deprecated. The RequestTemplateService API is completely deprecated.

This section contains the following topics:

6.5.5.1 API Methods Deprecated in RequestService

The following is a list of API methods deprecated in RequestService:

  • public List<String> getTemplateNames() throws RequestServiceException

  • public RequestModel getModelForTemplate(String templateName) throws RequestServiceException

  • public RequestDataSet getRestrictedDataSet(String templateName, String entityType) throws RequestServiceException

  • public RequestTemplate getTemplate(String templateName) throws RequestServiceException

  • public void updateApproverOnlyData(String reqId, List<RequestBeneficiaryEntity> benEntities, List<RequestEntity> reqEntities) throws RequestServiceException

  • public List<String> getTemplateNamesForSelf() throws RequestServiceException

  • public List<RequestTemplate> getRequestTemplates(RequestTemplateSearchCriteria searchCriteria, Set<String> returnAttrs, Map<String,Object> configParams) throws RequestServiceException

The following is a list of API methods deprecated because comments are now stored using the SOA Human Task comments feature:

  • public void addRequestComment(String reqId, RequestComment comment) throws RequestServiceException

  • public List<RequestComment> getRequestComments(String reqId) throws RequestServiceException

  • public List<RequestComment> getRequestComments(String reqId, RequestComment.TYPE type) throws RequestServiceException

  • public List<RequestComment> getRequestComments(String reqId, String taskId, RequestComment.TYPE type) throws RequestServiceException

6.5.5.2 API Methods Deprecated in UnauthenticatedRequestService

The following is a list of API methods deprecated in UnauthenticatedRequestService:

  • public List<String> getTemplateNames() throws RequestServiceException

  • public RequestTemplate getTemplate(String templateName) throws RequestServiceException

  • public RequestDataSet getRestrictedDataSet(String templateName, String entitySubType) throws RequestServiceException

6.5.5.3 SELF Request Types Deprecated

Request types which were used to perform SELF operations have been deprecated. These operations include the following:

  • Self Modify User

  • Self Assign Roles

  • Self Remove Roles

  • Self Provision Resource

  • Self De-provision Resource

  • Self Modify Resource

You can continue with these operations by using the corresponding non-self request types.

6.5.5.4 API Methods That Have Changed in Terms of Usage

The only method whose usage has changed is RequestService.submitRequest()/UnauthenticatedRequestService.submitRequest(). The API method signature remains the same. However, the way RequestData value objects are created has changed. The changes are covered in the following sections:

6.5.5.4.1 Changes to Entity-Type

Changes to entity-type include the following:

  • Resource entity-type is replaced with Application Instance.

    Beginning from Oracle Identity Manager 11g Release 2 (11.1.2), in order to create any provision, revoke, disable, and enable account type of request, the entityType property must be set to ApplicationInstance instead of Resource.

  • A new entity-type called Entitlement is introduced in Oracle Identity Manager 11g Release 2 (11.1.2). Oracle Identity Manager supports creating Provision Entitlement and Revoke Entitlement type of requests.

6.5.5.4.2 Changes to Value Objects

Changes to value objects related to RequestData include the following:

  • The requestTemplateName property, which was part of the oracle.iam.request.vo.RequestData value object, is deprecated. Even if you set this property, it is not honoured.

  • A new property called operation is introduced in oracle.iam.request.vo.RequestEntity and oracle.iam.request.vo.RequestBeneficiaryEntity value objects. It is mandatory to set this property while creating the value objects. You can use the following constants defined in oracle.iam.request.vo.RequestConstants class.

    • MODEL_CREATE_OPERATION – Create User operation

    • MODEL_MODIFY_OPERATION – Modify User operation

    • MODEL_DELETE_OPERATION – Delete User operation

    • MODEL_ENABLE_OPERATION – Enable User operation

    • MODEL_DISABLE_OPERATION – Disable User operation

    • MODEL_ASSIGN_ROLES_OPERATION – Assign Roles operation

    • MODEL_REMOVE_ROLES_OPERATION – Remove Roles operation

    • MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION – Provision Application Instance operation

    • MODEL_MODIFY_ACCOUNT_OPERATION – Modify Account operation

    • MODEL_REVOKE_ACCOUNT_OPERATION – Revoke Account operation

    • MODEL_ENABLE_ACCOUNT_OPERATION – Enable Account operation

    • MODEL_DISABLE_ACCOUNT_OPERATION – Disable Account operation

    • MODEL_PROVISION_ENTITLEMENT_OPERATION – Provision Entitlement operation

    • MODEL_REVOKE_ENTITLEMENT_OPERATION – Revoke Entitlement operation

    • MODEL_ACCESS_POLICY_PROVISION_APPINSANCE_OPERATION – Access Policy based provisioning operation

  • While creating RequestEntity or RequestBeneficiaryEntity value objects, you can also use the following method to set the entityType property:

    public void setRequestEntityType(oracle.iam.platform.utils.vo.OIMType type)

    type - OIMType.Role/ OIMType.ApplicationInstance/OIMType.Entitlement/ OIMType.User

6.5.5.4.3 Code Examples

Listed below are some code examples:

  • Create a RequestData for a Create User operation as follows:

    // Imports used by this example
    import java.util.ArrayList;
    import java.util.List;
    import oracle.iam.request.vo.RequestConstants;
    import oracle.iam.request.vo.RequestData;
    import oracle.iam.request.vo.RequestEntity;
    import oracle.iam.request.vo.RequestEntityAttribute;

    RequestData requestData = new RequestData("Create User");
    requestData.setJustification("Creating User John Doe");
    String usr = "John Doe";

    // Target entity: a User, with the operation set explicitly
    RequestEntity ent = new RequestEntity();
    ent.setEntityType(RequestConstants.USER);
    ent.setOperation(RequestConstants.MODEL_CREATE_OPERATION); //New in R2
    List<RequestEntityAttribute> attrs = new ArrayList<RequestEntityAttribute>();

    // User attributes submitted with the request
    RequestEntityAttribute attr = new RequestEntityAttribute("Last Name", usr, RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    attr = new RequestEntityAttribute("First Name", usr, RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    attr = new RequestEntityAttribute("User Login", usr, RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    // Sample value only
    attr = new RequestEntityAttribute("Password", "Welcome123", RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    attr = new RequestEntityAttribute("Organization", 1L, RequestEntityAttribute.TYPE.Long);
    attrs.add(attr);
    attr = new RequestEntityAttribute("User Type", false, RequestEntityAttribute.TYPE.Boolean);
    attrs.add(attr);
    attr = new RequestEntityAttribute("Role", "Full-Time", RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    ent.setEntityData(attrs);

    List<RequestEntity> entities = new ArrayList<RequestEntity>();
    entities.add(ent);
    requestData.setTargetEntities(entities);

    //Submit the request with the above requestData
    
  • Create a RequestData for an Assign Roles operation as follows:

    RequestData requestData = new RequestData();
    
    requestData.setJustification("Assigning IDC ADMIN Role(role key 201) to user with key 121");
     
    RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
    ent1.setRequestEntityType(oracle.iam.platform.utils.vo.OIMType.Role);
    ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_ASSIGN_ROLES_OPERATION); //New in R2
    ent1.setEntitySubType("IDC ADMIN");
    ent1.setEntityKey("201");
     
    List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
    entities.add(ent1);
     
    Beneficiary beneficiary = new Beneficiary();
    beneficiary.setBeneficiaryKey("121");
    beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
    beneficiary.setTargetEntities(entities);
     
    List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
    beneficiaries.add(beneficiary);
    requestData.setBeneficiaries(beneficiaries);
     
    //Submit the request with the above requestData
    
  • Create a RequestData for a Provision Application Instance operation as follows:

    RequestData requestData = new RequestData();
     
    requestData.setJustification("Creating AD User (app instance key 201) account to user with key 121");
     
    RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
    ent1.setRequestEntityType(oracle.iam.platform.utils.vo.OIMType.ApplicationInstance);
    ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION);
    ent1.setEntitySubType("AD User");
    ent1.setEntityKey("201");
    
    List<RequestBeneficiaryEntityAttribute> attrs = new ArrayList<RequestBeneficiaryEntityAttribute>();
    //Update 'attrs' above with all the data specific to AD User form.
    ent1.setEntityData(attrs);
     
    List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
    entities.add(ent1);
    
    Beneficiary beneficiary = new Beneficiary();
    beneficiary.setBeneficiaryKey("121");
    beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
    beneficiary.setTargetEntities(entities);
     
    List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
    beneficiaries.add(beneficiary);
    requestData.setBeneficiaries(beneficiaries);
    //Submit the request with the above requestData
    
  • Create a RequestData for a Provision Entitlement operation as follows:

    RequestData requestData = new RequestData();
    Beneficiary beneficiary1 = new Beneficiary();
    beneficiary1.setBeneficiaryKey("222");
    beneficiary1.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
     
    RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
    ent1.setEntityType(RequestConstants.ENTITLEMENT);
    ent1.setEntitySubType("AD USER ENTITLEMENT1");
    ent1.setEntityKey("122");
    ent1.setOperation(RequestConstants.MODEL_PROVISION_ENTITLEMENT_OPERATION);
     
    List<RequestBeneficiaryEntity> entities1 = new ArrayList<RequestBeneficiaryEntity>();
    entities1.add(ent1);
    beneficiary1.setTargetEntities(entities1);
     
    List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
    beneficiaries.add(beneficiary1);
    requestData.setBeneficiaries(beneficiaries);
    //Submit the request with the above requestData
    

6.5.6 Enabling Oracle Identity Manager-Oracle Access Manager Integration After Upgrading to Oracle Identity Manager 11g Release 2 (11.1.2)

Note:

Perform this task only if you want to integrate Oracle Identity Manager with Oracle Access Manager for single sign-on, after upgrading to Oracle Identity Manager 11.1.2.

Ensure that Oracle Access Manager is at release 11.1.1.5.2 or later.

If you want to integrate Oracle Identity Manager 11.1.2 with Oracle Access Manager for single sign-on, then you must upgrade Oracle Access Manager to 11.1.1.5.2 or later. If your Oracle Access Manager version is less than 11.1.1.5.2, the auto-login functionality does not work.

After upgrading to Oracle Identity Manager 11.1.2, upgrade Oracle Identity Manager and Oracle Access Manager configurations for auto-login functionality to work. After upgrading the configurations, NAP protocol is replaced by TAP protocol for communication between Oracle Identity Manager and Oracle Access Manager.

The following topics provide upgrade instructions for two possible scenarios:

Before you begin the upgrade configuration procedures, see "Using the idmConfigTool Command" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite for more information about idmConfigTool.

6.5.6.1 Using 10g WebGate for Oracle Identity Manager-Oracle Access Manager Integration

If you are using 10g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:

  1. In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in <DOMAIN_HOME>/output directory.

  2. In the idmConfigTool, run configOIM. In a cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:

    • OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>

    • OAM11G_WLS_ADMIN_PORT: <OAM admin server port>

    • OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>

    Note:

    When running the configOIM option, ensure that you provide the same values for the OAM_TRANSFER_MODE and ACCESS_GATE_ID properties that you provided when running the configOAM option.

    The WEBGATE_TYPE property should be specified as ohsWebgate10g.

  3. Restart the Administration and Managed Servers. In the case of a cross domain setup, restart servers from both the domains.

    Restart the Oracle Identity Manager Administration Server and Managed server as follows:

    On UNIX:

    <MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh

    <MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>

    On Windows:

    <MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd

    <MW_HOME>\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>

    For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

6.5.6.2 Using 11g WebGate for Oracle Identity Manager-Oracle Access Manager Integration

If you are using 11g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:

  1. In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in the <DOMAIN_HOME>/output directory.

  2. In the idmConfigTool, run configOIM. In a cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:

    • OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>

    • OAM11G_WLS_ADMIN_PORT: <OAM admin server port>

    • OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>

    Note:

    When running the configOIM option, ensure that you provide the same values for the OAM_TRANSFER_MODE and ACCESS_GATE_ID properties that you provided when running the configOAM option.

    The WEBGATE_TYPE property should be specified as ohsWebgate11g.

  3. Restart the Administration and Managed servers. In the case of a cross domain setup, restart servers from both the domains.

    Restart the Oracle Identity Manager Administration Server and Managed server as follows:

    On UNIX:

    <MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh

    <MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>

    On Windows:

    <MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd

    <MW_HOME>\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>

    For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

6.5.7 Running the Entitlement List Schedule

You must run the Entitlement List Schedule task in order to use catalog features.

Complete the following steps to run the Entitlement List Schedule job:

  1. Log in to the following location:

    http://<OIM_HOST>:<OIM_PORT>/sysadmin

  2. Click System Management.

  3. Select Scheduler.

  4. Enter "Entitlement List" in the Search Scheduled Jobs field and click Search.

  5. Select Entitlement List.

  6. Click Run Now. Wait until the job is complete.

6.5.8 Running the Evaluate User Policies Scheduled Task

You must run the Evaluate User Policies scheduled task to start provisioning based on access policy after the role grant. This scheduled task can be configured to run every 10 minutes, or you can run this scheduled task manually.

To start the scheduler, see "Starting and Stopping the Scheduler" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

6.5.9 Running Catalog Synchronization

Resource objects are transformed during the upgrade process. To provision a resource object (now called an App instance) with Oracle Identity Manager 11.1.2, you must run the Catalog Synchronization job.

For more information, see "Bootstrapping the Catalog" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Note:

If no Entitlements show up, make sure that the entitlements field in the child tables is set to Entitlement=true and reloaded into the parent form.

6.5.10 UMS Notification Provider

This is a new Oracle Identity Manager 11.1.2 feature for notification. If you want to use this new notification model, after upgrading to 11.1.2, complete the following steps:

  1. Configure Email driver from Enterprise Manager user interface:

    1. Log in to Oracle Enterprise Manager Fusion Middleware Control and do the following:

      i. Expand Application Deployments.

      ii. Expand User Messaging Service.

      iii. Select usermessagingdriver-email (<soa_server1>).

      iv. Select Email Driver Properties.

      v. Select in Driver-Specific Configuration.

    2. Configure the values, as listed in Table 6-14:

      Table 6-14 UMS Parameters and Description

      | Parameter | Description |
      |---|---|
      | OutgoingMailServer | Name of the SMTP server. For example: abc.example.com |
      | OutgoingMailServerPort | Port of the SMTP server. For example: 456 |
      | OutgoingMailServerSecurity | The security setting used by the SMTP server. Possible values are None, TLS, or SSL. |
      | OutgoingUsername | Provide a valid username. For example: abc.eg@example.com |
      | OutgoingPassword | Complete the following: 1. Select Indirect Password. Create a new user. 2. Provide a unique string for indirect Username/Key. For example: OIMEmailConfig. This masks the password and prevents it from being exposed in cleartext in the config file. 3. Provide a valid password for this account. |


  2. Configure the Notification provider XML through the Enterprise Manager user interface:

    1. Log in to Enterprise Manager and do the following:

      i. Expand Application Deployments.

      ii. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.

      iii. Select System MBean Browser.

      iv. Expand Application Defined MBeans.

      v. Expand oracle.iam.

      vi. Expand Server_OIM_Server1

      vii. Expand Application: oim.

      viii. Expand IAMAppRuntimeMBean.

      ix. Select UMSEmailNotificationProviderMBean.

    2. Configure the values, as listed in Table 6-15:

      Table 6-15 Parameter for Configuring Notification Provider

      | Parameter | Description |
      |---|---|
      | Web service URL | The URL of the UMS web service. Any SOA server can be used. For example: http://<SOA_host>:<SOA_Port>/ucs/messaging/webservice |
      | Policies | The OWSM policy attached to the given web service. Leave it blank. |
      | Username | The username given in the security header of the web service. If there is no policy attached, leave it blank. |
      | Password | The password given in the security header of the web service. If there is no policy attached, leave it blank. |


After upgrading to 11.1.2, if you want to use the SMTP notification provider instead of the default UMS notification provider, do the following:

  1. Log in to Enterprise Manager and do the following:

    1. Expand Application Deployments.

    2. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.

    3. Select System MBean Browser.

    4. Expand Application Defined MBeans.

    5. Expand oracle.iam.

    6. Expand Server_OIM_Server1

    7. Expand Application: oim.

    8. Expand IAMAppRuntimeMBean.

    9. Select UMSEmailNotificationProviderMBean.

  2. Ensure that the value of the attribute Enabled is set to true.

  3. Provide the configuration values (username, password, mailServerName) or the name of the IT Resource in the MBean.

    The IT Resource name is the name given in the XL.MailServer system property before you upgrade Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2.

6.5.11 Upgrading User UDF

You must update your user interface with the UDFs in your environment. If you do not, several features where UDFs are involved, such as user creation, role creation, and self-registration requests, fail.

6.5.11.1 Rendering the UDFs

For an Oracle Identity Manager 11.1.2 environment that has been upgraded from Oracle Identity Manager 11.1.1.5.0, the custom attributes for user entity already exist in the back-end. These attributes are not present as form fields on the Oracle Identity Manager 11.1.2 user interface screens until the user screens are customized to add the custom fields.

However, before you can customize the screens, you must first complete upgrading the custom attributes using the Upgrade User Form link in the System Administration console.

After you complete Upgrade User Form, the User value object (VO) instances in various Data Components, such as DataComponent-Catalog, DataComponent-My Information, and DataComponent-User Registration, show the custom attributes. This includes all custom attributes available for Web Composer (Customized), which can be added to the User user interface screens.

For more information, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Complete the following steps to render UDFs:

  1. Log in to the Identity System Administration console.

  2. Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.

  3. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  4. Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.

  5. Publish the Sandbox.

  6. Log out from Identity System Administration console.

  7. Log in to Identity Self Service console.

  8. Click Create Sandbox. A Create Sandbox window appears.

  9. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  10. From the left navigation pane, select Users.

  11. Click Create User. A Create User page opens. Fill in all the mandatory fields. Add the same UDFs in the Modify User and User Detail screens. Select the correct Data Component and UserVO Name as listed in Table 6-16.

    For example:

    From the left navigation pane, click Users. Click User to go to the Create User screen and fill in all mandatory fields.

  12. Click Customize at the top right. Select View. Select Source.

  13. Select Name in Basic Information and click Edit on the confirmation window.

  14. Select panelFormLayout. Click Add Content.

  15. Select the correct Data Component and VO Name as listed in Table 6-16:

    Table 6-16 UDF Screens and Description

    | Screen Name | Data Component | VO Name | Procedure |
    |---|---|---|---|
    | Create User | Data Component - Catalog | UserVO | 1. Click User. 2. Click Create. This launches the Create User screen. |
    | Modify User | Data Component - Catalog | UserVO | 1. Click User and search. 2. Select a single user from search results. 3. Click Edit. This launches the Modify User screen. |
    | View User Details | Data Component - Manage Users | UserVO1 | 1. Click User and search. 2. Select a single user from search results. |
    | Bulk Modify User Flow | Data Component - Catalog | UserVO | 1. Click User and search. 2. Select more than a single user from search results. |
    | My Information | Data Component - My Information | UserVO1 | 1. Click Identity. 2. Select the My Information sub-tab. |
    | Customizing Search Results | Data Component - Manage Users | UserVO1 | 1. Click Identity. 2. Click Users. 3. Click Customizations. This opens the Web Composer. |
    | User Registration | Data Component - User Registration | UserVO1 | 1. Click Customize to open Web Composer. 2. Enable the left navigation links for unauthenticated pages. 3. Click User Registration. 4. Select User Registration. |
    | Adding UDF in Search Panel | NA | NA | 1. Log in to Identity 2. Click User. 3. Search for "Add Fields" in the search box. It shows all searchable fields to the user. |
    | Customizing Request Summary/Details | NA | NA | Requests created after Create User, Modify User, My Information, Self Registration |


  16. Click Close.

  17. Click Sandboxes. Export the sandbox using Export Sandbox.

  18. Publish the sandbox.

  19. Log out from Identity Self Service, and log in again. The added UDF appears on the screen.

6.5.11.2 User Interface Customization for 11.1.1.5.0 Mandatory UDF and OOTB Attributes

If you have rendered the OOTB attributes as mandatory in Oracle Identity Manager 11.1.1.5.0, you must customize the user interface in order to achieve the same customizations after upgrade.

  1. Log in to Identity System Administration console.

  2. Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.

  3. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  4. Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.

  5. Publish the Sandbox.

  6. Log out from Identity System Administration console.

  7. Log in to Identity Self Service console.

  8. Click Create Sandbox. A Create Sandbox window appears.

  9. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  10. From the left navigation pane, click Users. Click User to go to the Create User screen and fill in all the mandatory fields.

  11. Click Customize at the top right. Select View. Select Source.

  12. Select Name in Basic Information and click Edit on the confirmation window.

  13. Select panelFormLayout. Click Add Content.

  14. Click Input Component and click Edit.

  15. In the Component Properties dialog, select the Show Required check box. In the Required field, select Expression Editor, and in the Expression Editor field, enter the value as true.

  16. Click Close.

  17. Click Sandboxes. Export the sandbox using Export Sandbox.

  18. Publish the sandbox.

  19. Log out from Identity Self Service, and log in again. The added UDF appears on the screen with an asterisk (*) symbol.

6.5.11.3 Lookup Query Modification

In a user customization upgrade, multiple values for the Save Column may exist in User.xml. Based on the possible values (single, multiple, and null), do the following in the upgraded environment:

  • Use Single value for Save Column: User creation is successful, and the value of the field is also saved in the database.

  • Use Multiple or NULL value for Save Column: User creation is successful, but the value is not saved in the database.

Recommendation

Update the Lookup By Query metadata definition attached to an attribute in User or Role through Config Service or Design Console.

For more information, see Section 6.4.16, "Upgrading Oracle Identity Manager Design Console".

Note:

You can customize Role UDF and Organization UDF, as done in Section 6.5.11, "Upgrading User UDF".

6.5.12 Upgrading Application Instances

After you complete the upgrade, you must complete the following steps to upgrade Application Instances:

  1. Log in to the following console:

    http://<OIM_HOST>:<OIM_PORT>/sysadmin

  2. Expand Upgrade on the left navigation pane.

  3. Click Upgrade Application Instances.

This creates the UI Forms and Datasets for the Application Instances, and seeds them to MDS.

6.5.13 Redeploying XIMDD

Note:

This section is required only if the Diagnostic Dashboard services for AD Password Sync were deployed in 11.1.1.5.0 and if your application is deployed in staging mode in 11.1.1.5.0.

Before you can re-deploy, you must undeploy XIMDD from the 11.1.1.5.0 Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. If you are running in production mode, click Lock and Edit.

  3. Click Deployments.

  4. In the resulting list, look for XIMDD.

  5. If it is running, select XIMDD.

  6. Click Delete.

  7. Activate the changes.

To redeploy, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. Click Lock & Edit.

  3. Click Deployments.

  4. Click Install.

  5. For the path, provide the location of XIMDD.ear.

    The default path is in the following location:

    On UNIX, <OIM_HOME>/server/webapp/optional

    On Windows, <OIM_HOME>\server\webapp\optional

  6. Select XIMDD.ear. Click Next.

  7. Select Install this deployment as an application. Click Next.

  8. On the Select deployment targets page, select oim server. Click Next.

  9. On the Optional Setting page, click Finish.

  10. Click Deployments.

  11. Select XIMDD. Click Start.

  12. From the options, select Service All Requests.

6.5.14 Redeploying SPML-DSML

Note:

This section is required only if the DSML web services for AD Password Sync were deployed in 11.1.1.5.0.

Before you can redeploy, you must undeploy SPML-DSML from the 11.1.1.5.0 Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. If you are running in production mode, obtain the Lock in order to make updates.

  3. Click Deployments.

  4. In the resulting list, look for spml.

  5. If it is running, select spml.

  6. Click Delete.

  7. Activate the changes.

To redeploy, complete the following steps:

  1. Log in to WebLogic Server Administration console through the following path:

    host:admin port/console

  2. Click Lock & Edit.

  3. Click Deployments.

  4. Click Install.

  5. For the path, provide the location of spml.ear.

    The default path is in the following location:

    On UNIX, <OIM_HOME>/server/webapp/optional

    On Windows, <OIM_HOME>\server\webapp\optional

  6. Select spml.ear. Click Next.

  7. Select Install this deployment as an application. Click Next.

  8. On the Select deployment targets page, select oim server. Click Next.

  9. On the Optional Setting page, click Finish.

  10. Click Deployments.

  11. Select spml. Click Start.

  12. From the options, select Service All Requests.

6.5.15 Customizing Event Handlers

If you have used any event handlers in Oracle Identity Manager 11.1.1.5.0, you must re-customize the event handler for Oracle Identity Manager 11.1.2.

For more information, see "Developing Custom Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

6.5.16 Upgrading SOA Composites

You must manually upgrade OOTB composites and custom composites built before upgrading to 11.1.2.

Note:

Redeploying a composite moves all pending tasks to STALE state. Oracle recommends that you close any pending tasks before upgrading the composites.

6.5.16.1 OOTB Composites Not Modified Before Upgrading

This procedure applies to OOTB composites that were not modified (with either JDeveloper or SOA Composer) before the upgrade to Oracle Identity Manager 11.1.2. Complete the following steps to upgrade the DefaultRequestApproval composite:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>/server/workflows directory by running the following command on the command line:

    On UNIX:

    cd <OIM_ORACLE_HOME>/server/workflows

    On Windows:

    cd <OIM_ORACLE_HOME>\server\workflows

  2. Unzip DefaultRequestApproval.zip.

  3. Log in to the Oracle Enterprise Manager console:

    http://<host>:<port>/em

  4. Expand Farm_<oim_domain_name>_d -> SOA -> soa-infra -> default.

  5. Right-click DefaultRequestApproval[1.0] and select SOA Deployment -> Redeploy.

  6. Select Archive is on the machine where Enterprise Manager is running.

  7. Provide the absolute path to the sca jar for DefaultRequestApproval composite:

    On UNIX:

    <OIM_HOME>/server/workflows/composites/DefaultRequestApproval/deploy/sca_DefaultRequestApproval_rev1.0.jar

    On Windows:

    <OIM_HOME>\server\workflows\composites\DefaultRequestApproval\deploy\sca_DefaultRequestApproval_rev1.0.jar

  8. Select No Configuration plan is required.

  9. Click Next.

  10. Select Deploy as default revision.

  11. Click Redeploy.

Repeat steps 2 to 11 for the remaining composites, which were not modified before upgrading to Oracle Identity Manager 11.1.2.

Note:

DefaultResourceAuthorizer and DefaultResourceAdministrator are no longer supported in 11.1.2.

6.5.16.2 OOTB Composites Modified Before Upgrading And Custom Composites

This procedure applies to custom composites created before the upgrade to Oracle Identity Manager 11.1.2, and to OOTB composites that were modified (with either JDeveloper or SOA Composer) before the upgrade. Complete the following steps to upgrade the DefaultRequestApproval composite:

  1. Open the SOA composite project in JDeveloper (use JDeveloper 11.1.1.6.0).

  2. Open the ApprovalTask.task file in designer mode.

  3. Select General.

  4. Change Owner to Group, SYSTEM ADMINISTRATORS, STATIC.

  5. Select Outcomes lookup. An Outcomes Dialog opens.

  6. Select Outcomes Requiring Comment.

  7. Select Reject and click Ok.

  8. Click Ok again.

  9. Select Notification.

  10. Click on the update icon under Notification. Update any old URLs in notification with the corresponding new URL in 11.1.2. An example notification content is given below:

    A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR>
    Request ID: <%/task:task/task:payload/task:RequestID%> <BR>
    Request type: <%/task:task/task:payload/task:RequestModel%> <BR>
    <BR>
    Access this task in the 
    <A 
    style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details
    >
    Identity Self Service
    </A>
     application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request
    
  11. Click Advanced.

  12. Deselect Show worklist/workspace URL in notifications. Provide the URL to Pending Approvals in identity application as shown in the example in step 10.

  13. Repeat steps 1 to 12 for other human tasks, if any, in the composite. Save your work.

  14. Right-click Project and select Deploy -> Deploy to Application Server.

  15. Provide revision ID. Select Mark revision as default and Overwrite any existing composite with same revision ID.

    Note:

    You can also deploy the composites with a different revision ID. In that case, you must modify all approval policies that use this composite.

  16. Select your application server connection, if it already exists, and click Next. Create an application server connection if it does not exist.

  17. Click Next.

  18. Click Finish.

Repeat the procedure for the remaining custom composites and modified OOTB composites as well.

6.5.17 Provisioning Oracle Identity Management Login Modules Under WebLogic Server Library Directory

Note:

This task is required only if OIMAuthenticator.jar is already present under the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory.

Apply the following steps across all the WebLogic Server homes in the domain:

On UNIX:

  1. Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>/server/loginmodule/wls directory to <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:

    cp <OIM_ORACLE_HOME>/server/loginmodule/wls/* <MW_HOME>/wlserver_10.3/server/lib/mbeantypes/

  2. Move from your present working directory to the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:

    cd <MW_HOME>/wlserver_10.3/server/lib/mbeantypes

  3. Change the permissions on these files to 750 by using the chmod command:

    chmod 750 *

  4. Restart all servers in the domain.

On Windows:

  1. Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>\server\loginmodule\wls directory to <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:

    copy <OIM_ORACLE_HOME>\server\loginmodule\wls\* <MW_HOME>\wlserver_10.3\server\lib\mbeantypes

  2. Move from your present working directory to the <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:

    cd <MW_HOME>\wlserver_10.3\server\lib\mbeantypes

  3. Change the permissions on these files to 750 by using the chmod command:

    chmod 750 *

  4. Restart all servers in the domain.
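
On UNIX, `chmod 750 *` in step 3 changes every file in the mbeantypes directory, not only the four copied jars. The following script is an added example, not Oracle's procedure: it copies and sets mode 750 on the four named files only, then verifies that each is present with exactly that mode. The directory layout and the file other-provider.jar are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not Oracle code): install the OIM login module jars with
# mode 750 without touching other files in the mbeantypes directory.

LOGIN_MODULE_JARS="OIMAuthenticator.jar oimmbean.jar oimsigmbean.jar oimsignaturembean.jar"

# install_login_modules SRC_DIR DST_DIR
# SRC_DIR stands for <OIM_ORACLE_HOME>/server/loginmodule/wls and
# DST_DIR for <MW_HOME>/wlserver_10.3/server/lib/mbeantypes.
install_login_modules() {
  for jar in $LOGIN_MODULE_JARS; do
    [ -f "$1/$jar" ] || { echo "MISSING_SOURCE $jar"; return 1; }
    cp "$1/$jar" "$2/$jar" && chmod 750 "$2/$jar" || return 1
  done
}

# verify_login_modules DST_DIR
# Prints a finding for every jar that is absent or not exactly mode 750,
# and returns non-zero if there is any finding.
verify_login_modules() {
  bad=0
  for jar in $LOGIN_MODULE_JARS; do
    if [ ! -f "$1/$jar" ]; then
      echo "MISSING $jar"; bad=$((bad + 1))
    elif [ -z "$(find "$1/$jar" -prune -perm 750)" ]; then
      echo "WRONG_MODE $jar"; bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# make_sample_dirs ROOT: constructed stand-ins for the two directories.
make_sample_dirs() {
  mkdir -p "$1/src" "$1/dst"
  for jar in $LOGIN_MODULE_JARS; do
    : > "$1/src/$jar"; chmod 644 "$1/src/$jar"
  done
  # An unrelated file already present in the target directory.
  : > "$1/dst/other-provider.jar"; chmod 644 "$1/dst/other-provider.jar"
}

demo_root=$(mktemp -d)
make_sample_dirs "$demo_root"
install_login_modules "$demo_root/src" "$demo_root/dst" \
  && verify_login_modules "$demo_root/dst" \
  && echo "login module jars are in place with mode 750"
ls -l "$demo_root/dst"      # other-provider.jar keeps its original mode
rm -rf "$demo_root"
```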

6.5.18 Authorization Policy Changes

If you have custom Authorization Policies in Oracle Identity Manager 11g Release 1 (11.1.1.5.0), then to create or modify users you must assign the new administrator roles related to User Administration, Role Administration, or Help Desk.

Table 6-17 lists the administration roles in Oracle Identity Manager 11g that are either removed or consolidated into the System Administrator administration role for all system administrative operations in Oracle Identity Manager 11.1.2:

Table 6-17 Changes in Role from Oracle Identity Manager 11g to 11.1.2

| Sl No. | Roles in Oracle Identity Manager 11g | Roles Removed and Replaced in Oracle Identity Manager 11.1.2 |
|---|---|---|
| 1 | SCHEDULER ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 2 | DEPLOYMENT MANAGER ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 3 | NOTIFICATION TEMPLATE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 4 | SOD ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 5 | SYSTEM CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 6 | GENERATE_USERNAME_ROLE | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 7 | IDENTITY USER ADMINISTRATORS | Removed and replaced with USER ADMIN. |
| 8 | USER CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 9 | ACCESS POLICY ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 10 | RECONCILIATION ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 11 | RESOURCE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 12 | GENERIC CONNECTOR ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 13 | APPROVAL POLICY ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 14 | REQUEST ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 15 | REQUEST TEMPLATE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 16 | PLUGIN ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 17 | ATTESTATION CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 18 | ATTESTATION EVENT ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 19 | ROLE ADMINISTRATORS | Removed and replaced with ROLE ADMIN. |
| 20 | USER NAME ADMINISTRATOR | Removed and now depends on administration roles. |
| 21 | IDENTITY ORGANIZATION ADMINISTRATORS | Removed and replaced with ORGANIZATION ADMIN. |
| 22 | IT RESOURCE ADMINISTRATORS | Removed and replaced with APPLICATION INSTANCE ADMIN. |
| 23 | REPORT ADMINISTRATORS | No link to reports from Oracle Identity Manager. |
| 24 | SPML_APP_ROLE | There is no change in this enterprise role and a corresponding role with the privileges is seeded in Oracle Entitlements Server. |
| 25 | ALL USERS | This is an enterprise role, not an administrator role. |
| 26 | SYSTEM CONFIGURATORS | All privileges as System Administrator role, except for the ability to manage Users, Roles, Organizations and Provisioning remains unchanged. |
| 27 | SYSTEM ADMINISTRATORS | Remains unchanged. |


6.5.19 Verifying the Upgrade

To verify your Oracle Identity Manager upgrade, perform the following steps:

  1. Use the following URL in a web browser to verify that Oracle Identity Manager 11.1.2 is running:

    http://<oim.example.com>:<oim_port>/sysadmin

    http://oim.example.com:14000/identity

    where

    <oim.example.com> is the path of the administration console.

    <oim_port> is the port number.

  2. Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.

  3. Install the Diagnostic Dashboard and run the following tests:

    • Oracle Database Connectivity Check

    • Account Lock Status

    • Data Encryption Key Verification

    • JMS Messaging Verification

    • SOA-Oracle Identity Manager Configuration Check

    • SPML Web Service

    • Test OWSM setup

    • Test SPML to Oracle Identity Manager request invocation

    • SPML attributes to Oracle Identity Manager attributes

    • Username Test

6.6 Troubleshooting

For troubleshooting information, see Table 6-18:

Table 6-18 Oracle Identity Manager Troubleshooting - Problems and Solutions

Problem Solution

Patch Set Assistant fails.

Check logs located at:

On UNIX:

<MW_HOME>/oracle_common/upgrade/logs/psa<time_stamp>.log

On Windows:

<MW_HOME>\oracle_common\upgrade\logs\psa<time_stamp>.log

Fix the problem, and run Patch Set Assistant again.

Middle Tier upgrade fails

Check logs located at:

On UNIX:

  • <OIM_ORACLE_HOME>/server/upgrade/logs/MT/OIMUpgrade<time_stamp>.log

  • <OIM_ORACLE_HOME>/server/upgrade/logs/MT/ant_JRF.log

  • <OIM_ORACLE_HOME>/server/upgrade/logs/MT/ant_PatchClasspath.log

On Windows:

  • <OIM_ORACLE_HOME>\server\upgrade\logs\MT\OIMUpgrade<time_stamp>.log

  • <OIM_ORACLE_HOME>\server\upgrade\logs\MT\ant_JRF.log

  • <OIM_ORACLE_HOME>\server\upgrade\logs\MT\ant_PatchClasspath.log

Not all features are upgraded in the Middle Tier upgrade.

Check the Upgrade Report located at:

On UNIX:

<OIM_ORACLE_HOME>/upgrade/logs/MT/oimUpgradeReportDir/index.html

On Windows:

<OIM_ORACLE_HOME>\upgrade\logs\MT\oimUpgradeReportDir\index.html

Oracle Identity Manager upgrade control points.

Set the property value to true or false in the property file located at:

On UNIX:

<OIM_ORACLE_HOME>/server/bin/oimupgrade.properties

On Windows:

<OIM_ORACLE_HOME>\server\bin\oimupgrade.properties

For more information, see Section 6.6.1, "Oracle Identity Manager Upgrade Control Points".

MDS patching issues.

Check the MDS Patching Report located at:

On UNIX:

<OIM_ORACLE_HOME>/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html

On Windows:

<OIM_ORACLE_HOME>\server\logs\MDS_REPORT_DIRECTORY\MDSReport.html

Some MDS documents not merged correctly.

Merge manually from the following locations:

On UNIX:

  • <OIM_ORACLE_HOME>/server/logs/sourceDir (OOTB MDS data location)

  • <OIM_ORACLE_HOME>/server/logs/targetDir (Your MDS data location)

On Windows:

  • <OIM_ORACLE_HOME>\server\logs\sourceDir (OOTB MDS data location)

  • <OIM_ORACLE_HOME>\server\logs\targetDir (Your MDS data location)

JDBC errors:

ORA-01882: timezone region not found

Add an additional environment variable, TZ, set to the time zone name (for example, GMT). The environment variable must be set with older databases; otherwise, you get an error.

For more information, see My Oracle Support document ID 1460281.1.


6.6.1 Oracle Identity Manager Upgrade Control Points

Oracle Identity Manager Upgrade provides some control points in the oimupgrade.properties file. On UNIX, it is located in the <OIM_ORACLE_HOME>/server/bin/ directory. On Windows, it is located in the <OIM_ORACLE_HOME>\server\bin\ directory.

You can selectively disable the feature upgrade by setting the property as false.

If any feature fails, you can continue with the upgrade by disabling the failed feature by setting the corresponding feature upgrade property as false.

When a solution is available for the failed feature, enable the feature for upgrade by setting the property to true.

By default, all the properties are set as true.

  • Set the following property to false if you do not want to run Oracle Identity Manager configuration upgrade:

    oim.ps1.config.patch=true

  • Set the following property to false if you do not want to run SOA composite upgrade:

    oim.ps1.soacomposite.patch=true

Domain Extension Properties

  • Set the following property to false if you do not want to run Patch JNDI provider:

    oim.domainextension.jndiprovider.patch=true

  • Set the following property to false if you do not want to run Patch ClassPath:

    oim.domainextension.classpath.patch=true

  • Set the following property to false if you do not want to run Patch OPSS:

    oim.domainextension.opss.patch=true

  • Set the following property to false if you do not want to run Patch ears:

    oim.domainextension.ear.patch=true

  • Set the following property to false if you do not want to run Patch JRF:

    oim.domainextension.jrf.patch=true
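
A control point left at false after a failed run means that feature was never upgraded, so it is worth auditing the file before the upgrade is signed off. The following script is an added example, not Oracle tooling: it reads an oimupgrade.properties file and reports each of the seven control points listed above that is disabled, absent, or set to something other than true or false. The sample file is constructed, and reporting an absent property as a finding is an assumption of this example.

```bash
#!/usr/bin/env bash
# Added example (not Oracle code): audit the upgrade control points in
# oimupgrade.properties.

# The seven control points named in this section.
CONTROL_POINTS="oim.ps1.config.patch oim.ps1.soacomposite.patch \
oim.domainextension.jndiprovider.patch oim.domainextension.classpath.patch \
oim.domainextension.opss.patch oim.domainextension.ear.patch \
oim.domainextension.jrf.patch"

# audit_control_points FILE
# Prints DISABLED, ABSENT or INVALID for each control point that is not
# set to true, in the order listed above. Returns non-zero on any finding.
audit_control_points() {
  awk -v names="$CONTROL_POINTS" '
    BEGIN { n = split(names, keys, " ") }
    { sub(/\r$/, ""); eq = index($0, "=") }   # tolerate Windows line ends
    /^[ \t]*[#!]/ || eq == 0 { next }         # skip comments and non-properties
    {
      k = substr($0, 1, eq - 1); v = tolower(substr($0, eq + 1))
      gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
      value[k] = v                            # last occurrence wins
    }
    END {
      for (i = 1; i <= n; i++) {
        k = keys[i]
        if (!(k in value))            { print "ABSENT " k; bad++ }
        else if (value[k] == "false") { print "DISABLED " k; bad++ }
        else if (value[k] != "true")  { print "INVALID " k "=" value[k]; bad++ }
      }
      exit (bad > 0)
    }' "$1"
}

# write_sample_upgrade_props FILE: constructed sample for the demonstration.
write_sample_upgrade_props() {
  cat > "$1" <<'EOF'
# constructed sample of oimupgrade.properties
oim.ps1.config.patch=true
oim.ps1.soacomposite.patch=false
oim.domainextension.classpath.patch=true
oim.domainextension.opss.patch = false
oim.domainextension.ear.patch=TRUE
oim.domainextension.jrf.patch=yes
EOF
}

demo_file=$(mktemp)
write_sample_upgrade_props "$demo_file"
audit_control_points "$demo_file" \
  || echo "Some feature upgrades are not enabled; review before closing the upgrade."
rm -f "$demo_file"
```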