3 Upgrade and Migration Issues for Oracle Identity and Access Management

This chapter describes issues associated with the upgrade and migration process of Oracle Identity and Access Management 11g Release 2 (11.1.2). It includes the following sections:

3.1 Upgrade Issues

This section describes issues related to upgrading the following components:

  • Oracle Identity Manager 11g Release 1 (11.1.1.5.0) to Oracle Identity Manager 11g Release 2 (11.1.2)

  • Oracle Access Manager 11g Release 1 (11.1.1.5.0) to Oracle Access Management Access Manager 11g Release 2 (11.1.2)

  • Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) to Oracle Adaptive Access Manager 11g Release 2 (11.1.2)

  • Oracle Identity Navigator 11g Release 1 (11.1.1.5.0) to Oracle Identity Navigator 11g Release 2 (11.1.2)

  • Oracle Entitlements Server 11g Release 1 (11.1.1.5.0) to Oracle Entitlements Server 11g Release 2 (11.1.2)

  • Oracle Identity and Access Management 11g Release 1 (11.1.1.3.0) to Oracle Identity and Access Management 11g Release 2 (11.1.2)

  • Oracle Identity Manager 9.x to Oracle Identity Manager 11g Release 2 (11.1.2)

3.1.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

3.1.1.1 OIM-OAM-OAAM: 11.1.1.5.0 to 11.1.2: Error Reset Password in First Login

While upgrading an OAM-OIM-OAAM integrated 11g R1 (11.1.1.5.0) environment to 11g R2 (11.1.2), when the user tries to log in to http://bej301133.cn.oracle.com:7777/identity for the first time, the user is redirected to the password management page. However, when the user clicks Submit after editing the user profile, an error message pops up.

The workaround is as follows:

On UNIX:

  1. Go to the following location:

    IAM_ORACLE_HOME/server/apps
    
  2. In this location, create a directory by using the following command:

    mkdir temp
    
  3. Copy the oracle.iam.console.identity.self-service.ear file to the temp folder that you created in step 2, by running the following command:

    cp oracle.iam.console.identity.self-service.ear temp

  4. Go to the temp folder that you created:

    cd temp
    
  5. Extract the contents of the oracle.iam.console.identity.self-service.ear file by running the following command:

    jar -xvf oracle.iam.console.identity.self-service.ear
    

    The folder META-INF/ is automatically created in the location.

  6. Locate the weblogic-application.xml file in the META-INF folder, and edit the file by adding the following packages before the closing </weblogic-application> tag:

    <prefer-application-packages>
    <package-name>oracle.iam.*</package-name>
    <package-name>oracle.security.am.common.nap.*</package-name>
    <package-name>oracle.security.am.common.aaaclient.*</package-name>
    <package-name>oracle.security.am.common.*</package-name>
    </prefer-application-packages>
    
  7. Save the changes made in the weblogic-application.xml file and exit.

  8. Package the extracted contents back into the oracle.iam.console.identity.self-service.ear file by running the following command:

    jar -uvf oracle.iam.console.identity.self-service.ear META-INF/weblogic-application.xml
    
  9. Copy the contents of the temp folder to the original location IAM_ORACLE_HOME/server/apps.

    Ensure that you take a backup of the files of the existing location, before you replace the content.
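
The descriptor edit from steps 5 through 8, as an added Python example (not Oracle tooling and not code from this chapter): it rewrites a copy of the EAR in which only META-INF/weblogic-application.xml changes, and it stops instead of merging when a prefer-application-packages block already exists. The function names are hypothetical, and the EAR built by build_sample_ear is constructed for illustration.

```python
import io
import zipfile

DESCRIPTOR = "META-INF/weblogic-application.xml"
CLOSE_TAG = "</weblogic-application>"
PACKAGES = [  # package names exactly as listed in step 6
    "oracle.iam.*",
    "oracle.security.am.common.nap.*",
    "oracle.security.am.common.aaaclient.*",
    "oracle.security.am.common.*",
]


def patch_descriptor(xml_text):
    """Insert the prefer-application-packages block before the closing tag."""
    if "<prefer-application-packages>" in xml_text:
        missing = [p for p in PACKAGES
                   if f"<package-name>{p}</package-name>" not in xml_text]
        if missing:  # an existing block needs a human decision, not a merge
            raise ValueError(f"existing block lacks: {missing}")
        return xml_text  # already patched: nothing to do
    pos = xml_text.rfind(CLOSE_TAG)
    if pos < 0:
        raise ValueError("closing </weblogic-application> tag not found")
    names = "".join(f"    <package-name>{p}</package-name>\n" for p in PACKAGES)
    block = ("  <prefer-application-packages>\n" + names
             + "  </prefer-application-packages>\n")
    return xml_text[:pos] + block + xml_text[pos:]


def patch_ear(ear_bytes):
    """Return new EAR bytes in which only the descriptor differs."""
    src = zipfile.ZipFile(io.BytesIO(ear_bytes))
    if DESCRIPTOR not in src.namelist():
        raise ValueError(f"{DESCRIPTOR} not present in archive")
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == DESCRIPTOR:
                data = patch_descriptor(data.decode("utf-8")).encode("utf-8")
            dst.writestr(info, data)  # keeps name, timestamp, compression
    return out.getvalue()


def build_sample_ear():
    """Constructed stand-in for the real EAR (contents are illustrative)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr(DESCRIPTOR, "<weblogic-application>\n"
                   "  <session-descriptor/>\n</weblogic-application>\n")
        z.writestr("lib/placeholder.jar", b"constructed-bytes")
    return buf.getvalue()


if __name__ == "__main__":
    patched = patch_ear(build_sample_ear())
    print(zipfile.ZipFile(io.BytesIO(patched)).read(DESCRIPTOR).decode())
```

Because the function returns bytes rather than overwriting a file, the original EAR stays available as the backup that step 9 asks for.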

3.1.1.2 Save Column with Multiple/Null Values to be Manually Updated for LookupByQuery

This issue relates to manual updates that a customer must perform as a post-upgrade step. It occurs when multiple values are specified for the Column Names attribute while defining lookupby in a 9.x environment.

If the OIM 9.x Role or User data model contains UDFs of type Lookup Query, then after upgrading, do the following:

For Role:

  1. Start the Design Console.

  2. Select Administration.

  3. Select User Defined field and select Roles.

  4. Ensure that the property for Column Names and Lookup Column Name is set to the desired column name for the Role Lookup Query UDF. If the value is not present, provide an appropriate value, and click Save.

This updates the MDS definitions. These fields are visible in the OIM 11.1.2 Administrator user interface.

For Users:

  1. Start the Configuration Service user interface.

  2. Select Administration.

  3. Select User Defined field.

  4. Open the User configuration service, and then open the UDFs that are of type Lookup By Query. Specify the required value in the Column to Display and Column to Save fields.

  5. Click Save.

This will update the MDS definitions for the User Lookup Query UDFs. These fields are visible in the OIM 11.1.2 Administrator user interface.

3.1.1.3 Entitlements Assigned in OIM 11.1.1.5.0 Are Not Shown in the Entitlement Tab After Upgrade

Entitlements assigned to OIM 11g Release 1 (11.1.1.5.0) users are not shown in the Entitlement tab after upgrading to OIM 11g Release 2 (11.1.2).

Entitlements or child forms provisioned to OIM 11g Release 1 (11.1.1.5.0) users according to access policy are removed from OIM 11g Release 1 (11.1.1.5.0) users after upgrading to OIM 11g Release 2 (11.1.2). The resource is shown in Accounts in the provisioned state.

3.1.1.4 OIM-OAM: Upgrade to OAM 11.1.1.5.2 or Later Mandatory Before Upgrade to OIM 11.1.2

If you wish to integrate OIM 11g Release 2 (11.1.2) with OAM for single sign-on, then you must upgrade OAM 11g Release 1 (11.1.1.5.0) to OAM 11g Release 1 (11.1.1.5.2) or later. If you do not upgrade OAM 11g Release 1 (11.1.1.5.0) to OAM 11g Release 1 (11.1.1.5.2) or later, the auto-login functionality will not work.

The workaround for this issue is as follows:

For the auto-login functionality to work, upgrade OAM 11g Release 1 (11.1.1.5.0) to OAM 11g Release 1 (11.1.1.5.2) or later.

3.1.1.5 Lookup Values Do Not Get Saved in the My Information Page

The Look Up values selected do not get saved in the My Information page. An error, like the following, is displayed:

JBO-27010: Attribute set with value Senior Member Technical Staff for L1__c in UserEO has invalid precision/scale

The workaround for this issue is as follows:

Create the UDF as Drop Down rather than as Look Up.

In step 5, ensure that Searchable in Picklist is not selected. Save the form.

In step 12, add UDF on My Information Page as ADF Select One Choice.

3.1.1.6 Bulk User Modify Does Not Work After Upgrade

Bulk User modify functionality does not work after upgrade.

The workaround for this issue is as follows:

  1. Export the following artifact from MDS:

    /metadata/iam-features-requestactions/model-data/ModifyUserDataset.xml
    
  2. Change the flag available-in-bulk="true" for the following attributes:

    • User Type

    • Role

    • User Manager

    • Start Date

    • End Date

    • usr_timezone

    • FA Language

  3. Change the length for attribute fax to 4000.

  4. Import the ModifyUserDataset.xml into MDS.

3.1.1.7 Upgrading Oracle Access Manager 11g R1 (11.1.1.5.0) to Oracle Access Management Access Manager 11g R2 (11.1.2) on AIX Platform Fails

Upgrading OAM 11.1.1.5.0 to Access Manager 11.1.2 on the AIX platform fails. The upgrade appears complete and the first Access Manager Server starts up without any problem. However, subsequent servers fail to start up and show the following message:

<Warning> <Coherence> <BEA-000000> <Oracle Coherence GE 3.7.1.1 <Warning>
(thread=Cluster, member=n/a): This Member(Id=0, Address=XX.XX.XX.XX:9097, MachineId=6803, Location=site:,machine:XXXXXX,process:3080574, Role=WeblogicServer) has been attempting to join the cluster using WKA list [XXXXXX/XX.XX.XX.XX:9095] for 30 seconds without success; this could indicate a mis-configured WKA, or it may simply be the result of a busy cluster or active failover.> 
<Warning> <Coherence> <BEA-000000> <Oracle Coherence GE 3.7.1.1 <Warning> 
thread=Cluster, member=n/a): Delaying formation of a new cluster; waiting for well-known nodes to respond>

The Oracle Access Management Access Manager upgrade fails with the following IBM Java version:

java version "1.6.0"
Java(TM) SE Runtime Environment (build pap6460sr10-20111208_01(SR10))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc64-64
jvmap6460sr10-20111207_96808 (JIT enabled, AOT enabled)
J9VM - 20111207_096808
JIT  - r9_20111107_21307ifx1
GC   - 20110519_AA)
JCL  - 20111104_02

Oracle Access Management Access Manager requires the following IBM Java version as a prerequisite:

java version "1.6.0" 
Java(TM) SE Runtime Environment (build pap6460sr9fp2-20110627_03(SR9 FP2))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 AIX ppc64-64
jvmap6460sr9-20110624_85526 (JIT enabled, AOT enabled)
J9VM - 20110624_085526
JIT  - r9_20101028_17488ifx17
GC   - 20101027_AA)
JCL  - 20110530_01

3.1.1.8 Update setdomainenv Before Starting the Oracle Access Management Access Manager Servers

In addition to the steps provided in "Upgrading Oracle Access Manager 11g Release 1 (11.1.1.5.0) Environments" in the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management, complete the following task before starting the Access Manager domain after upgrading:

  1. Go to the following directory:

    On UNIX:

    cd <OAM_DOMAIN_HOME>/bin

    On Windows:

    cd <OAM_DOMAIN_HOME>\bin

    where

    <OAM_DOMAIN_HOME> is the complete path to the Access Manager domain home. The following example shows the complete path:

    On UNIX, it is located in the <MW_HOME>/user_projects/domains/<oam_domain> directory.

    On Windows, it is located in the <MW_HOME>\user_projects\domains\<oam_domain> directory.

  2. Edit the setDomainEnv file by running the following command:

    On UNIX:

    vi setDomainEnv.sh

    On Windows:

    vi setDomainEnv.cmd

  3. Search for EXTRA_JAVA_PROPERTIES and select the property that looks like the following:

    EXTRA_JAVA_PROPERTIES="-DOAM_POLICY_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-policy.xml -DOAM_CONFIG_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-config.xml -DOAM_ORACLE_HOME=${OAM_ORACLE_HOME} -Doracle.security.am.SERVER_INSTNCE_NAME=${SERVER_NAME} -Does.jars.home=${OAM_ORACLE_HOME}/server/lib/oes-d8 -Does.integration.path=${OAM_ORACLE_HOME}/server/lib/oeslib/oes-integration.jar -Does.enabled=true -Djavax.xml.soap.SOAPConnectionFactory=weblogic.wsee.saaj.SOAPConnectionFactoryImpl -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl ${EXTRA_JAVA_PROPERTIES}"

    export EXTRA_JAVA_PROPERTIES

  4. Add the -Doam.oes.new=true property before -DOAM_POLICY_FILE. The property looks like the following after making the change:

    EXTRA_JAVA_PROPERTIES="-Doam.oes.new=true -DOAM_POLICY_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-policy.xml -DOAM_CONFIG_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-config.xml -DOAM_ORACLE_HOME=${OAM_ORACLE_HOME} -Doracle.security.am.SERVER_INSTNCE_NAME=${SERVER_NAME} -Does.jars.home=${OAM_ORACLE_HOME}/server/lib/oes-d8 -Does.integration.path=${OAM_ORACLE_HOME}/server/lib/oeslib/oes-integration.jar -Does.enabled=true -Djavax.xml.soap.SOAPConnectionFactory=weblogic.wsee.saaj.SOAPConnectionFactoryImpl -Djavax.xml.soap.MessageFactory=oracle.j2ee.ws.saaj.soap.MessageFactoryImpl -Djavax.xml.soap.SOAPFactory=oracle.j2ee.ws.saaj.soap.SOAPFactoryImpl ${EXTRA_JAVA_PROPERTIES}"

    export EXTRA_JAVA_PROPERTIES
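
The edit from steps 3 and 4 as an added Python example (not part of the Oracle procedure; add_oes_flag is a hypothetical name): it inserts the property once, directly before -DOAM_POLICY_FILE, leaves an already patched file unchanged, and stops when the line carries a different oam.oes.new value. SAMPLE is a constructed, shortened version of the setDomainEnv.sh fragment shown in step 3.

```python
import re

FLAG = "-Doam.oes.new=true"
ANCHOR = "-DOAM_POLICY_FILE="
ASSIGN = re.compile(r'^\s*EXTRA_JAVA_PROPERTIES="')
ANY_VALUE = re.compile(r'-Doam\.oes\.new=([^\s"]*)')


def add_oes_flag(script_text):
    """Return (new_text, changed); FLAG goes directly before ANCHOR (step 4)."""
    lines = script_text.splitlines(keepends=True)
    hits = [i for i, line in enumerate(lines)
            if ASSIGN.match(line) and ANCHOR in line]
    if len(hits) != 1:
        raise ValueError(
            f"expected 1 assignment containing {ANCHOR}, found {len(hits)}")
    line = lines[hits[0]]
    values = ANY_VALUE.findall(line)
    if values == ["true"]:
        return script_text, False  # already applied: do not add it twice
    if values:
        # A different or duplicated setting needs manual review.
        raise ValueError(f"conflicting oam.oes.new settings: {values}")
    lines[hits[0]] = line.replace(ANCHOR, FLAG + " " + ANCHOR, 1)
    return "".join(lines), True


# Constructed, shortened stand-in for the setDomainEnv.sh fragment in step 3.
SAMPLE = (
    'EXTRA_JAVA_PROPERTIES="-DOAM_POLICY_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-policy.xml'
    ' -DOAM_CONFIG_FILE=${DOMAIN_HOME}/config/fmwconfig/oam-config.xml'
    ' -Does.enabled=true ${EXTRA_JAVA_PROPERTIES}"\n'
    "export EXTRA_JAVA_PROPERTIES\n"
)

if __name__ == "__main__":
    text, changed = add_oes_flag(SAMPLE)
    print("changed:", changed)
    print(text, end="")
```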

3.1.1.9 Authorization Policies Containing No Resources Are Not Extracted

This issue typically affects rolling upgrade customers upgrading from OAM 11.1.1.3.0 to Oracle Access Management Access Manager 11.1.2. Application domains that have authorization policies containing no resources are not extracted by the exportAccessData command during upgrade. This does not impact the extraction of other application domains. The following error message is shown:

SEVERE: Resource : not found

The workaround for this issue is to either remove all authorization policies that contain no resources before upgrading or manually configure them.

3.1.1.10 T2P Failure in an Upgraded Environment

Known issue.

Test to Production (T2P) fails in an environment with OAM, OAAM, or OIN that is upgraded from 11.1.1.5.0 to 11.1.2.0.0.

3.1.1.11 OIM Upgrade: Access Policy Based Provisioning of EBS Resource Does Not Work

Access based provisioning does not work for most of the resource objects created through connector import.

The workaround for this issue is as follows:

Before upgrading OIM schemas, do the following:

  1. Log in to the OIM database schema.

  2. Run the following SQL scripts:

    BEGIN
      execute immediate 'ALTER table OBJ MODIFY OBJ_ALLOWALL default ''1''';
      execute immediate 'ALTER table OBJ MODIFY OBJ_ALLOW_MULTIPLE default ''1''';
      execute immediate 'ALTER table OBJ MODIFY OBJ_SELF_REQUEST_ALLOWED default ''1''';
      execute immediate 'ALTER table OBJ MODIFY OBJ_OBJADMINONLY default ''0''';
    END;
    /
    

3.1.1.12 TCORGANIZATIONNOTFOUNDEXCEPTION Error While Creating New Organizations

In some specific environments, after upgrading OIM 11.1.1.5.0 to OIM 11.1.2, when you click the Create Organization tab in the Identity Console, you may see this error:

TCORGANIZATIONNOTFOUNDEXCEPTION

To work around this issue, close the exception and create a new organization.

3.1.1.13 Forgot User Login Flow Shows System Error

Forgot User Login feature does not work after upgrading to OIM 11.1.2.

The workaround for this issue is as follows:

Create the notification templates manually as follows:

  1. Log in to the System Administration Console.

  2. Select Notification.

  3. In the search box, search for ForgottenUsernameNotification, PasswordExpiredNotification, and PasswordWarningNotification.

  4. Do the following if you do not see any of them listed in the search results:

    ForgottenUsernameNotification:

    1. Select the Create Notification Template. It is located above the search results with a plus icon, next to the pencil icon. The Create Notification Template screen appears.

    2. Enter the following details:

      • Template Name: ForgottenUsernameNotification

      • Available Event: ForgottenUsername

      • Encoding: UTF-8

      • Message Subject: Your User Login

      • Type: HTML

      • Short Message: User Login

      • Long Message:

        <html><head></head>
        <body>
        <p>
          Your $tenantName user login - $userLoginId
        </p>
        </body>
        </html>
        
    3. Click Save.

    PasswordWarningNotification:

    1. Select the Create Notification Template. It is located above the search results with a plus icon, next to the pencil icon. The Create Notification Template screen appears.

    2. Enter the following details:

      • Template Name: PasswordWarningNotification

      • Available Event: PasswordWarning

      • Encoding: UTF-8

      • Message Subject: Password Expiry Warning

      • Type: HTML

      • Short Message: Password Expiry

      • Long Message:

        <html><head></head>
        <body>    
        <![CDATA[ <p>
        Your Password is about to be Expired. Please reset your Password.
                 </p><p>
             UserID: %1<br>
             </p><p>
                   For any issues, please contact [admin email or phone]
             </p>]]>
        </body>
        </html>
        
    3. Click Save.

    PasswordExpiredNotification:

    1. Select the Create Notification Template. It is located above the search results with a plus icon, next to the pencil icon. The Create Notification Template screen appears.

    2. Enter the following details:

      • Template Name: PasswordExpiredNotification

      • Available Event: PasswordExpiration

      • Encoding: UTF-8

      • Message Subject: Password Expired

      • Type: HTML

      • Short Message: Password Expired

      • Long Message:

        <html><head></head>
        <body>
        <![CDATA[ <p>
        Your Password has Expired. Please reset your Password.
                 </p><p>
             UserID: %1<br>
             </p><p>
                   For any issues, please contact [admin email or phone]
             </p>]]>
        </body>
        </html>
        
    3. Click Save.

3.1.1.14 OIM Middle Tier Upgrade Patch Domain Report Shows Error for Foreign JNDI Provider Creation

This issue occurs if you upgrade the middle tier twice during the OIM 11.1.1.5.0 to 11.1.2 upgrade process. The middle tier upgrade patch domain report shows an error for Foreign JNDI Provider Creation, even though the parameter oim.domainextension.jndiprovider.patch is set to false in the oimupgrade.properties file.

The following is a sample patch domain report displayed when you perform the middle tier upgrade twice:

Domain Component                    Status 
Foreign JNDI Provider Creation      Error 

Ignore this error report for Foreign JNDI Provider Creation.

3.1.1.15 Matching Rule is Lost During the OIM 11.1.1.5.0 Upgrade

When you upgrade OIM 11.1.1.5.0 to 11.1.2, the customization made for the matching rule is lost.

The workaround for this issue is to redo the customization for the matching rule in OIM 11.1.2.

3.2 Migration Issues

This section describes issues related to the following scenarios:

  • Migrating Oracle Access Manager 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2)

  • Migrating Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11g Release 2 (11.1.2)

  • Migrating Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2)

  • Migrating Sun OpenSSO Enterprise 8.0 to Oracle Access Management Access Manager 11g Release 2 (11.1.2)

  • Migrating Sun Java System Access Manager 7.1 to Oracle Access Management Access Manager 11g Release 2 (11.1.2)

  • Coexistence of Oracle Access Manager 10g with Oracle Access Management Access Manager 11g Release 2 (11.1.2)

  • Coexistence of Sun OpenSSO Enterprise 8.0 with Oracle Access Management Access Manager 11g Release 2 (11.1.2)

  • Coexistence of Sun Java System Access Manager 7.1 with Oracle Access Management Access Manager 11g Release 2 (11.1.2)

3.2.1 General Issues and Workarounds

This section describes general issues and workarounds. It includes the following topics:

3.2.1.1 osso.conf Files may be Copied to Alternate File Location If Upgrading Oracle Single Sign-On 10g Fails

This issue occurs when you upgrade Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2). If errors occur during the execution of the Upgrade Assistant that require you to re-run the process, the required osso.conf files might not be generated in the location specified in the Upgrade Assistant Summary screen at the end of the process.

If this occurs, the osso.conf files needed to complete the upgrade can also be found in the following directory:

<MW_HOME>/user_projects/domains/<Domain_Home>/output/upgrade

3.2.1.2 Server Logs and Assessment Report for Certain Scenarios Show Only English Messages

Known issue.

The server logs and assessment report show only English messages when you migrate the following components to Oracle Access Management Access Manager 11g Release 2 (11.1.2):

  • Oracle Access Manager 10g

  • Sun OpenSSO Enterprise 8.0

  • Sun Java System Access Manager 7.1

3.2.1.3 Migration of J2EE Agent 2.2 is not Supported

Known issue.

Migration of the profile of J2EE Agent 2.2 from Sun Java System Access Manager 7.1 to Oracle Access Management Access Manager 11g Release 2 (11.1.2) is not supported, and therefore run-time verification support for it is not available.

3.2.1.4 Oracle Access Management 11g Release 2 (11.1.2.0.0) Coexistence, Upgrade, and Migration Supplement

Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) discusses how to upgrade or migrate various Single Sign-On and Access Management environments to Oracle Access Management 11g Release 2 (11.1.2.0.0). You should use this guide for information about upgrade, migration, and coexistence procedures.

If necessary, you can read the following support note for any late-breaking information and changes:

My Oracle Support document ID 1473025.1