Skip Headers
Oracle® Fusion Middleware Patching Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2.1.0)

Part Number E36789-05
Go to Documentation Home
Home
Go to Table of Contents
Contents
Go to Feedback page
Contact Us

Go to previous page
Previous
Go to next page
Next
PDF · Mobi · ePub

3 Applying the Latest Oracle Fusion Middleware Patch Set

This chapter describes the tools and procedures required for you to patch your existing Oracle Identity and Access Management 11g Release 2 (11.1.2).

NOTE:

The patching tasks described in this chapter are not required for all environments or upgrade paths. Perform only those tasks that apply to your specific deployment.

3.1 Summary of the Oracle Fusion Middleware Patching Process

Table 3-1 provides links to additional information for each of the patching steps.

Table 3-1 Summary of Patching Procedures and Links to Documentation

Step Description

1

Perform the following general pre-patching tasks:

  1. Reviewing System Requirement, Certification and Interoperability Information

  2. Installing Oracle SOA Suite Patches (Oracle Identity Manager Users Only)

  3. Exporting Pre-Upgrade Oracle Privileged Account Manager (OPAM) Data (optional)

  4. Exporting Oracle Identity Navigator 11.1.1.5.0 Metadata (optional)

  5. Shutting Down Administration Server and Managed Servers

  6. Backing Up Your Middleware Home, Domain Home and Oracle Instances

  7. Backing Up Your Database and Database Schemas

  8. Renaming the emCCR File for Silent Patching

If you are patching in silent mode, see Section 3.2.8, "Renaming the emCCR File for Silent Patching".

2

Download and start the appropriate installer for your product:

For details, see Downloading and Starting the Installer.

3

Update the software in your Oracle home using the downloaded Installer.

4

Run the Patch Set Assistant to update any required schemas.

For more information, see Updating Your Schemas with Patch Set Assistant

5

Start the Administration Server and SOA Manager Server.

Starting the Administration Server and Managed Servers

NOTE: Do not start the Oracle Identity Manager Managed Servers.

6

Perform the post-patching tasks that apply to your environment.

For more information, see Post-Patching Procedures.

7

Restart the servers and processes.

For more information, see Restarting the Administration Server and OIM Managed Servers.

8

Verify that your patch installation is complete.

For more information, see Verifying Your Patch Set Installation.


If you are running your products in a distributed environment (for example, you have Managed Servers running in multiple domains on multiple systems) and you have set up a shared Middleware home on a shared network drive mounted to each machine that is part of your domain, then this patching procedure only needs to be done once (see Section 2.3.3, "Patching in a Distributed Environment").

If your distributed environment has a separate Middleware home on each system, then this patching procedure must be repeated for each domain on each system.

More information about distributed topologies can be found in the Enterprise Deployment Guide for your specific product.

3.2 General Pre-Patching Tasks

This section describes tasks that should be completed before you patch your software:

3.2.1 Reviewing System Requirement, Certification and Interoperability Information

Before you begin to update your software, you should make sure that your system environment and configuration meet the minimum requirements for the software you want to install in order to perform the update. This section contains links to several key pieces of documentation you should review:

3.2.1.1 System Requirements and Specifications

For certification information, refer to the System Requirements and Supported Platforms for Oracle Fusion Middleware document on the Oracle Fusion Middleware Supported System Configurations page at the following URL:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

This document contains information related to hardware and software requirements, minimum disk space and memory requirements, database schema requirements, and required system libraries, packages, or patches.

3.2.1.2 Certification and Supported Platforms for Identity and Access Management

Read the System Requirements and Supported Platforms for Oracle Forms and Reports 11g Release 2 (11.1.2.x) Certification Matrix document. This document contains certification information related to supported 32-bit and 64-bit operating systems, databases, web servers, LDAP servers, adapters, IPv6, JDKs, and third-party products.

3.2.1.3 Interoperability and Compatibility

Read Oracle Fusion Middleware Interoperability and Compatibility Guide for Oracle Identity and Access Management. This document contains important information regarding the ability of Oracle Fusion Middleware products to function with previous versions of other Oracle Fusion Middleware, Oracle, or third-party products. This information is applicable to both new Oracle Fusion Middleware users and existing users who are upgrading their existing environment.

3.2.2 Installing Oracle SOA Suite Patches (Oracle Identity Manager Users Only)

Oracle Identity Manager requires the process workflows in Oracle SOA Suite to manage request approvals. You must apply mandatory SOA patches before installing Oracle Identity Manager.

For information about the patches, refer to the "Mandatory Patches Required for Installing Oracle Identity Manager" topic in the 11g Release 2 Oracle Fusion Middleware Release Notes.

Caution:

Failure to apply the required prerequisite patches may result in issues with your updated Oracle Identity and Access Management 11g Release 2 (11.1.2) deployment and supporting services.

3.2.3 Exporting Pre-Upgrade Oracle Privileged Account Manager (OPAM) Data

Pre-upgrade OPAM data, such as targets, accounts, and users, must be migrated after applying the 11.1.2.1.0 patch. The steps below describe the process used to export the OPAM data to an XML file. A manual export is required because the back end data store will be moved from the OPSS schema to a native OPAM data store in the new version. After the patch is applied, you must import the data to the data store as described in Section 3.7.5.

Use the following procedure to export the OPAM data before applying the patch:

  1. Set the following environment variables:

    Variable Description

    ORACLE_HOME

    Where Oracle Privileged Account Manager is installed.

    JAVA_HOME

    Location of JDK used for the WebLogic installation.


  2. Navigate to $ORACLE_HOME/opam/bin.

  3. Execute ./opam.sh with the following parameters:

    ./opam.sh 
    [-url <OPAM server url>]] (defaults to https://localhost:18102/opam)
    -u [user name] (the user should have OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x export -f [export xml file]
    [-encpassword <encryption/decryption password>] (provide a value for encpassword for better security)
    [-enckeylen <Key Length for encryption/decryption of password>] (defaults to 128)
    [-log <log file Location>] (defaults to opamlog_<timestamp>.txt)
    

    Note:

    If the data was exported without an encryption password, then specify this with the parameter "-noencrypt true" while importing the data.

3.2.4 Exporting Oracle Identity Navigator 11.1.1.5.0 Metadata

To prevent data loss, pre-upgrade Oracle Identity Navigator (OINAV) metadata must also be exported to an XML file before applying the patch.

Refer to "Exporting Oracle Identity Navigator 11.1.1.5.0 Metadata" in the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management.

3.2.5 Shutting Down Administration Server and Managed Servers

The patching process involves changes to the binaries and to the schema. Therefore, before you begin applying the patch, you must shut down the Administration Server and Managed Servers.

To shut down the Servers, do the following:

Stopping the Administration Server

To stop the Administration Server, do the following:

On UNIX:

Run the following command:

cd <MW_HOME>/user_projects/domains/<domain_name>/bin

./stopWebLogic.sh

On Windows:

Run the following command:

cd <MW_HOME>\user_projects\domains\<domain_name>\bin

stopWebLogic.cmd

Stopping Managed Servers

To stop the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to stop the servers:

    ./stopManagedWebLogic.sh <server_name> <admin_url> <user_name> <password>

    where

    <server_name> is the name of the Managed Server.

    <admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to stop the Managed Servers:

    stopManagedWebLogic.cmd <server_name> <admin_url> <username> <password>

    where

    <server_name> is the name of the Managed Server.

    <admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.

    <username> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

For more information, see "Stopping the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

3.2.6 Backing Up Your Middleware Home, Domain Home and Oracle Instances

After stopping the servers and processes, back up your Middleware home directory (including the Oracle home directories inside the Middleware home), your local Domain home directory, your local Oracle instances, and also the Domain home and Oracle instances on any remote systems that use the Middleware home.

If your patch set installation is unexpectedly interrupted, or if you choose to cancel out of the installation before it is complete, you may not be able to install the patch unless you restore your environment to the previous configuration before running the Installer again.

Note:

There is no patch set deinstallation procedure. The -deinstall procedure that you would use for a typical installation will not remove the patch set.

3.2.7 Backing Up Your Database and Database Schemas

If the product you are installing has associated database schemas, you should also back up your database before you begin the patching procedure. Make sure this back up includes the schema version registry table, as each Fusion Middleware schema has a row in this table. The name of the schema version registry table is SYTEM.SCHEMA_VERSION_REGISTRY$. Refer to your database documentation for instructions on how to do this.

If you run the Patch Set Assistant to update an existing schema and it does not succeed, you must restore the original schema before you can try again. Make sure you backup your existing database schemas before you run the Patch Set Assistant.

3.2.8 Renaming the emCCR File for Silent Patching

If you are patching your software in silent mode, you may encounter the following error messages:

"SEVERE:Values for the following variables could not be obtained from the command line or response file(s):
MYORACLESUPPORT_USERNAME(MyOracleSupportUsername)"

To work around this issue, rename the ORACLE_HOME/ccr/bin/emCCR (on UNIX operating systems) or ORACLE_HOME\ccr\bin\emCCR (on Windows operating systems) file.

Caution:

Be sure to change the name back after the patching process has completed or you may encounter errors with other operations (such as My Oracle Support or other installers.)

For example, on a UNIX operating system:

cd ORACLE_HOME/ccr/bin
mv emCCR emCCR_LAST

On a Windows operating system:

cd ORACLE_HOME\ccr\bin
mv emCCR emCCR_LAST

See "Silent Oracle Fusion Middleware Installation and Deinstallation" in Oracle Fusion Middleware Installation Planning Guide for more details about silent installation.

3.3 Downloading and Starting the Installer

The following sections contain instructions on how to obtain the proper installer required to patch your product:

3.3.1 About the Installer Used for Patching

The installer for Identity and Access Management is a full installer that can also function as an update installer. You can use it to update an existing Identity and Access Management home, or you can use it to install a new, complete Identity and Access Management home.

3.3.2 Downloading the Required Installer

To download and unpack the Installer files for your product:

  1. Download the installer from the Oracle Technology Network, My Oracle Support, or Oracle Software Delivery Cloud (formerly E-Delivery).

    For more information, see "Select an Oracle Fusion Middleware Software Download Site" and "Download the Software Required for Your Starting Point" in Oracle Fusion Middleware Download, Installation, and Configuration ReadMe Files.

  2. Unpack the downloaded archive that contains the installer and software that you want to install into a directory on the target computer.

3.3.3 Starting the Installer

To start the installer you just downloaded and unpacked:

  1. Change directory to the Disk1 folder inside the unpacked archive folder.

  2. Start the Installer:

    On UNIX operating systems:

    ./runInstaller
    

    On Windows operating systems run the following:

    setup.exe
    

Depending on your system environment and product you are updating, you may be prompted to provide the location of a JRE/JDK on your system when you start the installer. When you installed Oracle WebLogic Server, a JRE was installed in the jdk160_version directory inside the Middleware home; you can use this location to start the installer.

Note:

if you are installing on a 64-bit platform, you have to install 64-bit JRE before you can install the Oracle WebLogic Server. See the System Requirements and Supported Platforms for Oracle Forms and Reports 11g Release 2 (11.1.2.x) to determine which version is required with this release.

If you do not have Oracle WebLogic Server installed on your system, you can use the JDK in the jdk directory inside the Oracle home.

Make sure you specify the absolute path to your JRE/JDK location; relative paths are not supported.

The Installer can also be run in silent mode. See "Silent Oracle Fusion Middleware Installation and Deinstallation" in Oracle Fusion Middleware Installation Planning Guide for more details.

3.4 Applying the Patch Set

After you have started the Installer, follow the instructions on the screen to apply the patch set to your existing Middleware home.

Note:

If your domain includes multiple host computers, you must run the Installer separately on each host to update the software on that host.

As you review each screen of the Patch Set installer, note that there may be differences between applying a patch set and installing software for the first time.

Note:

When you are applying a patch set, you must identify an existing Middleware home on the Specify Installation Location screen.

Table 3-2 provides a summary of the typical installation screens you will see when you are applying a patch set to an existing Middleware home.

If you need additional help with any of the installation screens click Help to access the online help.

Table 3-2 Typical Installation Flow For Installing a Patch Set

Screen When Does This Screen Appear? Description

Welcome

Always.

This page introduces you to the Oracle Fusion Middleware Installer.

Install Software Updates

Always.

Select the method you want to use for obtaining software updates, or select Skip Software Updates if you do not want to get updates.

If updates are found, the installer will automatically attempt to apply them at this point; make sure that the server you are using to perform the installation is connected to the Internet.

Prerequisite Checks

Always.

Verify that your system meets all necessary prerequisites.

Specify Installation Location

Always.

Specify your existing Oracle Middleware home and product Oracle home locations.

Installation Summary

Always.

Verify the information on this screen, then click Install to begin the installation.

Installation Progress

Always.

This screen shows the progress of the installation.

Click Next when the installation is 100% complete.

Installation Complete

Always.

Click Save to save your configuration information to a file. This information includes port numbers, installation directories, URLs, and component names which you may need to access at a later time.

You can view the log file located in the MW_HOME/oracle_common/upgrade/logs (on UNIX operating systems) or MW_HOME\oracle_common\upgrade\logs (on Windows operating systems) directory for details about the upgrade.

After saving your configuration information, click Finish to dismiss the installer.


3.5 Running the Patch Set Assistant

Once you have applied the patch set, as described in Section 3.4, run the Patch Set Assistant to update any required schemas. For more information, see Updating Your Schemas with Patch Set Assistant.

Once the schemas have been updated, complete any post-patching procedures that apply to your installation, as described in Section 3.7.

Note:

Before you start the servers and verify your installation, review Section 3.7, "Post-Patching Procedures" and perform any necessary post-patching tasks. You may need to start the servers after performing some of the tasks.

3.6 Starting the Administration Server and Managed Servers

Note:

Do not start the Oracle Identity Manager Managed Servers.

After the upgrade is complete, start the WebLogic Administration Server, the Administration Server for the domain that contains Oracle Identity Management, and Managed Servers.

Starting the Administration

To start the Administration Server, do the following:

On UNIX:

Run the following command:

cd <MW_HOME>/user_projects/domains/<domain_name>/bin

./startWebLogic.sh

On Windows:

Run the following command:

cd <MW_HOME>\user_projects\domains\<domain_name>\bin

startWebLogic.cmd

Starting Managed Servers

To start the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to start the Servers:

    ./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server

    <admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to start the Managed Servers:

    startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

3.7 Post-Patching Procedures

This section contains information about manual tasks performed after the Release 11.1.2.1.0 patch installation is complete. Some of the tasks may not apply to your environment as you may not be using the products in question.

3.7.1 Upgrading Oracle Identity Manager Middle Tier Using Property File

After you have applied the 11.1.2.1.0 patch set, you will need to run an additional upgrade utility to upgrade the Oracle Identity Manager's Middle Tier. The steps below describe the manual process:

Note:

Before you begin this process be sure that the following prerequisites have been met:

  • Back up your existing Middleware home, Domain home and any other relevant data as described in Section 3.2.6.

  • Start the Admin Server and SOA Server. If the OIM Server is running, stop it before running the Middle Tier upgrade script.

On UNIX:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>/server/bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>/server/bin

  2. Change the path to <OIM_ORACLE_HOME>/bin.

  3. Open the following file in a text editor:

    oim_upgrade_input.properties

  4. Add the parameters, as listed in Table 3-3.

  5. Move from your present working directory to the <MW_HOME>/Oracle_IDM1/server/bin directory by running the following command on the command line:

    cd <MW_HOME>/Oracle_IDM1/server/bin

  6. Run the following command:

    ./OIMUpgrade.sh

    Note:

    The following warning is displayed:

    [WARN][jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

On Windows:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>\server\bin

  2. Change the path to <OIM_ORACLE_HOME>\bin.

  3. Open the following file in a text editor:

    oim_upgrade_input.properties

  4. Add the parameters, as listed in Table 3-3.

  5. Move from your present working directory to the <MW_HOME>\<OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:

    cd <MW_HOME>\<OIM_ORACLE_HOME>\server\bin

  6. Run the following command:

    OIMUpgrade.bat

    Note:

    The following warning is displayed:

    [WARN][jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

  7. Verify the Middle Tier Upgrade.

    See Section 3.9.3, "Verifying Oracle Identity Manager Middle Tier Upgrade".

  8. Restart the servers as described in Section 3.8, "Restarting the Administration Server and OIM Managed Servers".

Table 3-3 Oracle Identity Manager Middle Tier Upgrade Parameters

Parameter Description

oim.jdbcurl

Specify the Oracle Identity Manager JDBC URL.

oim.oimschemaowner

Specify the Oracle Identity Manager schema owner.

oim.oimmdsjdbcurl

Specify the MDS JDBC URL.

oim.mdsschemaowner

Specify the MDS schema owner name.

oim.adminhostname

Specify the Oracle WebLogic Server Administration host name.

oim.adminport

Specify the Oracle WebLogic Server Administration port.

oim.adminUserName

Specify the Oracle WebLogic Server Administration user name.

oim.soahostmachine

Specify the SOA host name where SOA Server is running.

oim.soaportnumber

Specify the SOA Server port.

oim.soausername

Specify the SOA Managed Server username.

oim.domain

Specify the Oracle Identity Manager domain location.


Example Parameters

oim.jdbcurl=db.example.com:5521/dbmode.example.com
oim.oimschemaowner=test_oim23
oim.oimmdsjdbcurl=db.example.com:5521/dbmode.example.com
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=<oim_host>:<oim_port>
oim.adminUserName=weblogic
oim.soahostmachine=<oim_soa_host>:<oim_soa_port>
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/<MW_HOME>/user_projects/domains/<base_domain>

3.7.2 Upgrading Oracle Identity Navigator Application

Note:

The OINAV version number is 11.1.1.3.0 while the Oracle Identity Navigator version number is 11.1.2.1.0.

This is not an error. The discrepancy is caused by a difference between how OINAV and Identity Access Management releases are tracked internally.

Upgrading Oracle Identity Navigator redeploys Oracle Identity Navigator using oinav.ear for Oracle Identity Navigator 11.1.2.1.0 release. There are two ways of redeploying the oinav.ear:

  • Upgrading oinav using the WebLogic Server Administration Console.

  • Upgrading oinav using the WebLogic Scripting Tool (WLST).

Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Identity Navigator through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://<admin server host>:<admin server port>/console

  2. Under Domain Structure, click Deployments.

  3. Select oinav (11.1.1.3.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Identity Navigator through the WLST console:

On UNIX

  1. Move from your present working directory to the <MW_HOME>/wlserver_10.3/common/bin directory by running the following command on the command line:

    cd <MW_HOME>/wlserver_10.3/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

On Windows

  1. Move from your present working directory to the <MW_HOME>\wlserver_10.3\common\bin directory by running the following command on the command line:

    cd <MW_HOME>\wlserver_10.3\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

3.7.3 Importing the Oracle Identity Navigator 11.1.2 Metadata

After applying the patch set, you must import any pre-upgrade OINAV metadata you may have exported.

Refer to "Importing the Oracle Identity Navigator 11.1.2 Metadata" in the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management.

3.7.4 Upgrading Oracle Privileged Account Manager (OPAM) Application

Note:

The OPAM application version number is 11.1.2.0.0 while the Oracle Privileged Account Manager version number is 11.1.2.1.0.

This is not an error. The discrepancy is caused by a difference between how OPAM and Identity Access Management releases are tracked internally.

Upgrading Oracle Privileged Account Manager redeploys Oracle Privileged Account Manager using opam.ear for Oracle Privileged Account Manager 11.1.2.1.0 release. There are two ways of redeploying the opam.ear:

  • Upgrading opam using the WebLogic Server Administration Console.

  • Upgrading opam using the WebLogic Scripting Tool (WLST).

Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Privileged Account Manager through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://<admin server host>:<admin server port>/console

  2. Under Domain Structure, click Deployments.

  3. Select opam (11.1.2.0.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Privileged Account Manager through the WLST console:

On UNIX

  1. Move from your present working directory to the <MW_HOME>/wlserver_10.3/common/bin directory by running the following command on the command line:

    cd <MW_HOME>/wlserver_10.3/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('opam#11.1.2.0.0')

  5. Exit the WLST console using the exit() command.

On Windows

  1. Move from your present working directory to the <MW_HOME>\wlserver_10.3\common\bin directory by running the following command on the command line:

    cd <MW_HOME>\wlserver_10.3\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('opam#11.1.2.0.0')

  5. Exit the WLST console using the exit() command.

3.7.5 Importing Pre-Upgrade OPAM Data

After applying the patch set, you must import the pre-upgrade OPAM data as described below:

  1. Set the following environment variables:

    Variable Description

    ORACLE_HOME

    Oracle Privileged Account Manager is installed.

    JAVA_HOME

    Location of JDK used for the WebLogic installation.


  2. Navigate to $ORACLE_HOME/opam/bin.

  3. Execute the opam.sh script with the following parameters:

    ./opam.sh 
    -url <OPAM server url> (defaults to https://localhost:18102/opam)
    -u <user name> (the user should have OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x import -f <import xml file>
    -encpassword <encryption/decryption password> 
    -enckeylen <Key Length for encryption/decryption of password> (Defaults to 128)
    -log <log file Location> (defaults to opamlog_<timestamp>.txt)
    

3.7.6 Optional: Enabling TDE in Oracle Privileged Account Manager Data Store

Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. You can choose to either enable or disable the TDE mode. Oracle strongly recommends to enable the TDE mode for enhanced security.

This section includes the following topics:

3.7.6.1 Enabling TDE in the Database

For information about enabling Transparent Data Encryption (TDE) in the database for Oracle Privileged Account Manager, refer to the "Enabling Transparent Data Encryption" topic in Oracle Database Advanced Security Administrator's Guide.

For more information, see "Securing Stored Data Using Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide

After enabling TDE in the database for Oracle Privileged Account Manager, you must enable encryption in OPAM schema, as described in "Enabling Encryption in OPAM Schema" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

3.7.6.2 Enabling Encryption in OPAM Schema

To enable encryption in the OPAM schema, run the opamxencrypt.sql script with the OPAM schema user, using sqlplus or any other client.

IAM_HOME/opam/sql/opamxencrypt.sql

Example:

sqlplus DEV_OPAM/welcome1 @IAM_HOME/opam/sql/opamxencrypt.sql

3.7.7 Optional: Configuring Non-TDE Mode

Note:

This step is only necessary if you did not enable TDE as described in Section 3.7.6.1, "Enabling TDE in the Database".

While it is not recommended, if non-TDE mode is required by the user, the flag "tdemode" must be set to false. For more information, see "Setting Up Non-TDE Mode" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Caution:

Oracle recommends that you always use Transparent Data Encryption(TDE). Without TDE, your data is not secure.

For more information on switching between the two modes, see "Securing Data On Disk" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

3.7.8 Upgrading Oracle Entitlements Server Domain and Policy Store

To upgrade Oracle Entitlements Server Administration Server and Policy Store, you must use the Oracle Identity and Access Management 11.1.2.1.0 Installer. During the procedure, point the Middleware Home to your existing 11.1.2.0.0 Middleware Home. Your Oracle Home is upgraded from 11.1.2.0.0 to 11.1.2.1.0.

For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

After the installation, use the Patch Set Assistant to upgrade OPSS Schemas (prefix_OPSS) as described in Section 4.3.2, "Starting the Patch Set Assistant".

3.7.9 Configuring BI Publisher Reports

Complete the following steps to configure the BI Publisher Reports:

  1. Obtain the reports bundle oim_product_BIP11gReports_11_1_2_1_0.zip. from the following location:

    MW_HOME/IAM_HOME/server/reports/oim_product_BIP11gReports_11_1_2_1_0.zip
    
  2. Unzip oim_product_BIP11gReports_11_1_2_1_0.zip at the following location:

    IAM_HOME/Middleware/user_projects/domains/domain_name/config/bipublisher/repository/Reports/
     
    
  3. Configure reports by following the instructions in "Configuring Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.7.10 Updating SOA Server Default Composite

In an integrated environment, Oracle Identity Management is front ended by OHS. All SOA server default composites must be updated. Perform the following steps:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control Console.

  2. Navigate to SOA, then soa-infra (SOA server name), then default.

    Update the composite types applicable to your environment. For example: ApprovalTask, Human Workflow, DisconnectedProvisiong, etc.

    See Also:

    The Fusion Middleware Control online help and SOA Suite documentation

  3. For each default composite, perform the following:

    1. Click the composite name.

    2. From Component Metrics select the composite type. For example, click ApprovalTask.

    3. Select the Administration tab and update the fields as follows:

      Host Name: OHS host name

      HTTP Port: If SSL mode, leave blank. If non-SSL mode, enter OHS HTTP port.

      HTTPS Port: If SSL mode, enter OHS HTTS port. If non-SSL mode, leave blank.

    4. Click Apply.

3.7.11 Copying Oracle Access Manager MBean XML Files

Update the MBean XML files with Oracle Identity Management 11g Release 2 (11.1.2.1) MBean XML files using the offline WLST command copyMbeanXmlFiles(). This command copies the Oracle Access Manager and Oracle Identity Connect MBean XML files from the OAM_ORACLE_HOME to DOMAIN_HOME.

To copy Oracle Access Manager and Oracle Identity Connect MBean files to the DOMAIN_HOME:

  1. Go to the following directory:

    OAM_ORACLE_HOME/common/bin
    
  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh
    
  3. Run the following command:

    copyMbeanXmlFiles('DOMAIN_HOME','ORACLE_HOME')
    

    For example:

    On Linux:

    copyMbeanXmlFiles('/scratch/ste/MW_HOME/user_projects/domains/test_domain',' '/scratch/ste/MW_HOME/Oracle_IDM1') 
    

    Where the second parameter OAM_ORACLE_HOME is optional.

    On Windows:

    copyMbeanXmlFiles('C:\\Oracle\\MW_HOME\\user_projects\domains\\test_domain','C:\\Oracle\\MW_HOME\\Oracle_IDM1')
    

3.8 Restarting the Administration Server and OIM Managed Servers

Note:

Start only the Oracle Identity Manager (OIM) Managed Servers at this time.

To restart the Administration Server and Oracle Identity Manager Managed Servers, you must stop them first before starting them again.

To stop the servers, see Shutting Down Administration Server and Managed Servers.

To start the servers, see Starting the Administration Server and Managed Servers.

To start the Oracle Identity Manager Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to start the Servers:

    ./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server

    <admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to start the Managed Servers:

    startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

3.9 Verifying Your Patch Set Installation

After you have successfully patched your environment, you can verify the status of your installation by performing any combination of the following:

Note:

OPAM Users: After you have verified that the patch was successfully applied, you should clear the OPSS artifacts of the pre-upgrade instance as described in Section 3.9.6.

3.9.1 Verifying the Upgrade

To verify your Oracle Identity Manager upgrade, perform the following steps:

  1. Use the following URL in a web browser to verify that Oracle Identity Manager 11.1.2.1.0 is running:

    http://<oim.example.com>:<oim_port>/sysadmin

    http://oim.example.com:14000/identity

    where

    <oim.example.com> is the path of the administration console.

    <oim_port> is the port number.

  2. Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.

  3. Install the Diagnostic Dashboard and run the following tests:

    • Oracle Database Connectivity Check

    • Account Lock Status

    • Data Encryption Key Verification

    • JMS Messaging Verification

    • SOA-Oracle Identity Manager Configuration Check

    • SPML Web Service

    • Test OWSM setup

    • Test SPML to Oracle Identity Manager request invocation

    • SPML attributes to Oracle Identity Manager attributes

    • Username Test

3.9.2 Verifying the Domain Server Logs

Check the domain server logs, which are located in the servers directory inside the domain home directory. For example, on UNIX systems:

MW_HOME/user_projects/domains/domain_name/servers/server_name

On Windows systems:

MW_HOME\user_projects\domains\domain_name\servers\server_name

3.9.3 Verifying Oracle Identity Manager Middle Tier Upgrade

Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:

  1. Verify the log files created in the following location:

    On UNIX:

    <OIM_HOME>/server/upgrade/logs/MT

    On Windows:

    <OIM_HOME>\server\upgrade\logs\MT

    The following log files are generated:

    • OIMUpgrade<timestamp>.log

    • SeedSchedulerData.log

  2. OIMupgrade.sh creates a detailed report. Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:

    1. Go to the following path:

      On UNIX:

      <Oracle_IDM1>/server/upgrade/logs/MT/oimUpgradeReportDir

      On Windows:

      <Oracle_IDM1>\server\upgrade\logs\MT\oimUpgradeReportDir

    2. Click index.html.

      This contains list of all Oracle Identity Manager features and upgrade status of the last middle tier run, in a table format.

    3. Click on the corresponding link of each feature for a detailed feature report.

3.9.4 Verifying OPMN Status

Run the opmnctl status command from the INSTANCE_HOME/bin (on UNIX operating systems) or INSTANCE_HOME\bin (on Windows operating systems) directory in your instance home location. The example below shows the output on a UNIX system:

> ./opmnctl status

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status  
---------------------------------+--------------------+---------+---------
emagent_asinst_1                 | EMAGENT            |   11849 | Alive   
wc1                              | WebCache-admin     |   11333 | Alive   
wc1                              | WebCache           |   11332 | Alive   
ohs1                             | OHS                |   11207 | Alive 

This information shows the components configured for this installation. The status "Alive" means the component is up and running.

You can also run the opmnctl status -l command to obtain a list of ports used by the components. The example below shows the output on a UNIX system:

> ./opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
emagent_asinst_1                 | EMAGENT            |   11849 | Alive    | 1133259606 |     4204 |   0:09:38 | N/A
wc1                              | WebCache-admin     |   11333 | Alive    | 1133259605 |    43736 |   0:15:35 | http_admin:8091
wc1                              | WebCache           |   11332 | Alive    | 1133259604 |    63940 |   0:15:35 | http_stat:8092,http_invalidation:8093,https_listen:8094,http_listen:8090
ohs1                             | OHS                |   11207 | Alive    | 1133259603 |    50744 |   0:15:43 | https:8889,https:8890,http:8888

3.9.5 Checking Browser URLs

Verify that you can access your installed and configured products, as shown in Table 3-4:

Table 3-4 Installed Product URLs

Product or Component URL

Administration Server Console

http://host:port/console

Enterprise Manager Console

http://host:port/em

Enterprise Manager Agent

http://host:port/emd/main

Oracle Identity Manager

http://oim.example.com:14000/identity

System Administrator

http://<oim.example.com>:<oim_port>/sysadmin


3.9.6 Clearing Pre-Upgrade OPSS Artifacts for OPAM

This step is only required if you are patching Oracle Privileged Account Manager (OPAM).

After you have verified that the patch was successfully applied, you should clear the OPSS artifacts of the pre-upgrade instance.

For UNIX operating systems:

$ORACLE_HOME/common/bin/wlst.sh $ORACLE_HOME/opam/config/clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> <t3://<adminserver-host>:<adminserver-port>

For Windows operating systems:

$ORACLE_HOME\common\bin\wlst.cmd $ORACLE_HOME\opam\config\clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> <t3://<adminserver-host>:<adminserver-port>