3 Applying the Latest Oracle Fusion Middleware Patch Set

This chapter describes the tools and procedures required to patch your existing Oracle Identity and Access Management 11g Release 2 (11.1.2) installation.

NOTE:

The patching tasks described in this chapter are not required for all environments or upgrade paths. Perform only those tasks that apply to your specific deployment.

3.1 Summary of the Oracle Fusion Middleware Patching Process

Table 3-1 provides links to additional information for each of the patching steps.

Table 3-1 Summary of Patching Procedures and Links to Documentation

Step Description

1

Perform the following general pre-patching tasks:

  1. Reviewing System Requirement, Certification and Interoperability Information

  2. Installing Oracle SOA Suite Patches (Oracle Identity Manager Users Only)

  3. Exporting Pre-Upgrade Oracle Privileged Account Manager (OPAM) Data (optional)

  4. Exporting Oracle Identity Navigator 11.1.1.5.0 Metadata (optional)

  5. Shutting Down Administration Server and Managed Servers

  6. Backing Up Your Middleware Home, Domain Home and Oracle Instances

  7. Backing Up Your Database and Database Schemas

  8. Renaming the emCCR File for Silent Patching

If you are patching in silent mode, see Section 3.2.8, "Renaming the emCCR File for Silent Patching".

2

Download and start the appropriate installer for your product.

For details, see Downloading and Starting the Installer.

3

Update the software in your Oracle home using the downloaded Installer.

4

Run the Patch Set Assistant to update any required schemas.

For more information, see Updating Your Schemas with Patch Set Assistant.

5

Start the Administration Server and SOA Manager Server.

For more information, see Starting the Administration Server and Managed Servers.

NOTE: Do not start the Oracle Identity Manager Managed Servers.

6

Perform the post-patching tasks that apply to your environment.

For more information, see Post-Patching Procedures.

7

Restart the servers and processes.

For more information, see Restarting the Administration Server and OIM Managed Servers.

8

Verify that your patch installation is complete.

For more information, see Verifying Your Patch Set Installation.


If you are running your products in a distributed environment (for example, you have Managed Servers running in multiple domains on multiple systems) and you have set up a shared Middleware home on a shared network drive mounted to each machine that is part of your domain, then this patching procedure only needs to be done once (see Section 2.3.3, "Patching in a Distributed Environment").

If your distributed environment has a separate Middleware home on each system, then this patching procedure must be repeated for each domain on each system.

More information about distributed topologies can be found in the Enterprise Deployment Guide for your specific product.

3.2 General Pre-Patching Tasks

This section describes tasks that should be completed before you patch your software:

3.2.1 Reviewing System Requirement, Certification and Interoperability Information

Before you begin to update your software, you should make sure that your system environment and configuration meet the minimum requirements for the software you want to install in order to perform the update. This section contains links to several key pieces of documentation you should review:

3.2.1.1 System Requirements and Specifications

For certification information, refer to the System Requirements and Supported Platforms for Oracle Fusion Middleware document on the Oracle Fusion Middleware Supported System Configurations page at the following URL:

http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

This document contains information related to hardware and software requirements, minimum disk space and memory requirements, database schema requirements, and required system libraries, packages, or patches.

3.2.1.2 Certification and Supported Platforms for Identity and Access Management

Read the System Requirements and Supported Platforms for Oracle Forms and Reports 11g Release 2 (11.1.2.x) Certification Matrix document. This document contains certification information related to supported 32-bit and 64-bit operating systems, databases, web servers, LDAP servers, adapters, IPv6, JDKs, and third-party products.

3.2.1.3 Interoperability and Compatibility

Read Oracle Fusion Middleware Interoperability and Compatibility Guide for Oracle Identity and Access Management. This document contains important information regarding the ability of Oracle Fusion Middleware products to function with previous versions of other Oracle Fusion Middleware, Oracle, or third-party products. This information is applicable to both new Oracle Fusion Middleware users and existing users who are upgrading their existing environment.

3.2.2 Installing Oracle SOA Suite Patches (Oracle Identity Manager Users Only)

Oracle Identity Manager requires the process workflows in Oracle SOA Suite to manage request approvals. You must apply mandatory SOA patches before installing Oracle Identity Manager.

For information about the patches, refer to the "Mandatory Patches Required for Installing Oracle Identity Manager" topic in the 11g Release 2 Oracle Fusion Middleware Release Notes.

Caution:

Failure to apply the required prerequisite patches may result in issues with your updated Oracle Identity and Access Management 11g Release 2 (11.1.2) deployment and supporting services.

3.2.3 Exporting Pre-Upgrade Oracle Privileged Account Manager (OPAM) Data

Pre-upgrade OPAM data, such as targets, accounts, and users, must be migrated after applying the 11.1.2.1.0 patch. The steps below describe the process used to export the OPAM data to an XML file. A manual export is required because the back end data store will be moved from the OPSS schema to a native OPAM data store in the new version. After the patch is applied, you must import the data to the data store as described in Section 3.7.5.

Use the following procedure to export the OPAM data before applying the patch:

  1. Set the following environment variables:

    Variable      Description
    ORACLE_HOME   Where Oracle Privileged Account Manager is installed.
    JAVA_HOME     Location of the JDK used for the WebLogic installation.


  2. Navigate to $ORACLE_HOME/opam/bin.

  3. Execute ./opam.sh with the following parameters:

    ./opam.sh 
    [-url <OPAM server url>] (defaults to https://localhost:18102/opam)
    -u <user name> (the user should have OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x export -f <export xml file>
    [-encpassword <encryption/decryption password>] (provide a value for encpassword for better security)
    [-enckeylen <Key Length for encryption/decryption of password>] (defaults to 128)
    [-log <log file Location>] (defaults to opamlog_<timestamp>.txt)
    

    Note:

    If the data was exported without an encryption password, then specify this with the parameter "-noencrypt true" while importing the data.

3.2.4 Exporting Oracle Identity Navigator 11.1.1.5.0 Metadata

To prevent data loss, pre-upgrade Oracle Identity Navigator (OINAV) metadata must also be exported to an XML file before applying the patch.

Refer to "Exporting Oracle Identity Navigator 11.1.1.5.0 Metadata" in the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management.

3.2.5 Shutting Down Administration Server and Managed Servers

The patching process involves changes to the binaries and to the schema. Therefore, before you begin applying the patch, you must shut down the Administration Server and Managed Servers.

To shut down the Servers, do the following:

Stopping the Administration Server

To stop the Administration Server, do the following:

On UNIX:

Run the following command:

cd <MW_HOME>/user_projects/domains/<domain_name>/bin

./stopWebLogic.sh

On Windows:

Run the following command:

cd <MW_HOME>\user_projects\domains\<domain_name>\bin

stopWebLogic.cmd

Stopping Managed Servers

To stop the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to stop the servers:

    ./stopManagedWebLogic.sh <server_name> <admin_url> <user_name> <password>

    where

    <server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to stop the Managed Servers:

    stopManagedWebLogic.cmd <server_name> <admin_url> <username> <password>

    where

    <server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <username> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

For more information, see "Stopping the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

3.2.6 Backing Up Your Middleware Home, Domain Home and Oracle Instances

After stopping the servers and processes, back up your Middleware home directory (including the Oracle home directories inside the Middleware home), your local Domain home directory, your local Oracle instances, and also the Domain home and Oracle instances on any remote systems that use the Middleware home.

If your patch set installation is unexpectedly interrupted, or if you choose to cancel out of the installation before it is complete, you may not be able to install the patch unless you restore your environment to the previous configuration before running the Installer again.

Note:

There is no patch set deinstallation procedure. The -deinstall procedure that you would use for a typical installation will not remove the patch set.

3.2.7 Backing Up Your Database and Database Schemas

If the product you are installing has associated database schemas, you should also back up your database before you begin the patching procedure. Make sure this backup includes the schema version registry table, as each Fusion Middleware schema has a row in this table. The name of the schema version registry table is SYSTEM.SCHEMA_VERSION_REGISTRY$. Refer to your database documentation for instructions on how to do this.

If you run the Patch Set Assistant to update an existing schema and it does not succeed, you must restore the original schema before you can try again. Make sure you back up your existing database schemas before you run the Patch Set Assistant.

3.2.8 Renaming the emCCR File for Silent Patching

If you are patching your software in silent mode, you may encounter the following error messages:

"SEVERE:Values for the following variables could not be obtained from the command line or response file(s):
MYORACLESUPPORT_USERNAME(MyOracleSupportUsername)"

To work around this issue, rename the ORACLE_HOME/ccr/bin/emCCR (on UNIX operating systems) or ORACLE_HOME\ccr\bin\emCCR (on Windows operating systems) file.

Caution:

Be sure to change the name back after the patching process has completed, or you may encounter errors with other operations (such as My Oracle Support or other installers).

For example, on a UNIX operating system:

cd ORACLE_HOME/ccr/bin
mv emCCR emCCR_LAST

On a Windows operating system:

cd ORACLE_HOME\ccr\bin
ren emCCR emCCR_LAST

See "Silent Oracle Fusion Middleware Installation and Deinstallation" in Oracle Fusion Middleware Installation Planning Guide for more details about silent installation.
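The caution above is easy to miss when a silent run fails or is interrupted. The following wrapper is an added example, not part of the Oracle guide: it renames emCCR to emCCR_LAST, runs whatever command you pass it, and renames the file back on success, failure, or interruption. The function name with_emccr_renamed and the throwaway demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Oracle guide.
# Usage: with_emccr_renamed <ORACLE_HOME> <command> [args...]
# The body runs in a subshell "( ... )", so its variables and traps do not
# leak into the calling shell.
with_emccr_renamed() (
    [ "$#" -ge 2 ] || { echo "usage: with_emccr_renamed ORACLE_HOME command..." >&2; exit 64; }
    ccr_bin="$1/ccr/bin"
    shift
    orig="$ccr_bin/emCCR"
    parked="$ccr_bin/emCCR_LAST"     # same temporary name the guide uses

    [ -e "$orig" ] || { echo "emCCR not found in $ccr_bin" >&2; exit 2; }
    # A leftover emCCR_LAST means an earlier run never renamed the file back.
    [ ! -e "$parked" ] || { echo "$parked already exists" >&2; exit 3; }

    restore() { mv "$parked" "$orig"; }
    # Rename back even if the patch run is interrupted.
    trap 'restore; exit 129' HUP
    trap 'restore; exit 130' INT
    trap 'restore; exit 143' TERM

    mv "$orig" "$parked" || exit 4
    rc=0
    "$@" || rc=$?                    # run the patch command, keep its status
    restore || { echo "could not restore $orig" >&2; exit 5; }
    exit "$rc"
)

# Constructed demo: a temporary directory stands in for ORACLE_HOME and "ls"
# stands in for the silent patch command.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/ccr/bin"
: > "$demo_home/ccr/bin/emCCR"
with_emccr_renamed "$demo_home" ls "$demo_home/ccr/bin"   # file is parked here
ls "$demo_home/ccr/bin"                                    # original name is back
rm -rf "$demo_home"
```

The function returns the exit status of the wrapped command, so a failed silent run is still visible to the caller after the file has been renamed back.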

3.3 Downloading and Starting the Installer

The following sections contain instructions on how to obtain the proper installer required to patch your product:

3.3.1 About the Installer Used for Patching

The installer for Identity and Access Management is a full installer that can also function as an update installer. You can use it to update an existing Identity and Access Management home, or you can use it to install a new, complete Identity and Access Management home.

3.3.2 Downloading the Required Installer

To download and unpack the Installer files for your product:

  1. Download the installer from the Oracle Technology Network, My Oracle Support, or Oracle Software Delivery Cloud (formerly E-Delivery).

    For more information, see "Select an Oracle Fusion Middleware Software Download Site" and "Download the Software Required for Your Starting Point" in Oracle Fusion Middleware Download, Installation, and Configuration ReadMe Files.

  2. Unpack the downloaded archive that contains the installer and software that you want to install into a directory on the target computer.

3.3.3 Starting the Installer

To start the installer you just downloaded and unpacked:

  1. Change directory to the Disk1 folder inside the unpacked archive folder.

  2. Start the Installer:

    On UNIX operating systems:

    ./runInstaller
    

    On Windows operating systems run the following:

    setup.exe
    

Depending on your system environment and product you are updating, you may be prompted to provide the location of a JRE/JDK on your system when you start the installer. When you installed Oracle WebLogic Server, a JRE was installed in the jdk160_version directory inside the Middleware home; you can use this location to start the installer.

Note:

If you are installing on a 64-bit platform, you have to install a 64-bit JRE before you can install the Oracle WebLogic Server. See the System Requirements and Supported Platforms for Oracle Forms and Reports 11g Release 2 (11.1.2.x) to determine which version is required with this release.

If you do not have Oracle WebLogic Server installed on your system, you can use the JDK in the jdk directory inside the Oracle home.

Make sure you specify the absolute path to your JRE/JDK location; relative paths are not supported.

The Installer can also be run in silent mode. See "Silent Oracle Fusion Middleware Installation and Deinstallation" in Oracle Fusion Middleware Installation Planning Guide for more details.

3.4 Applying the Patch Set

After you have started the Installer, follow the instructions on the screen to apply the patch set to your existing Middleware home.

Note:

If your domain includes multiple host computers, you must run the Installer separately on each host to update the software on that host.

As you review each screen of the Patch Set installer, note that there may be differences between applying a patch set and installing software for the first time.

Note:

When you are applying a patch set, you must identify an existing Middleware home on the Specify Installation Location screen.

Table 3-2 provides a summary of the typical installation screens you will see when you are applying a patch set to an existing Middleware home.

If you need additional help with any of the installation screens, click Help to access the online help.

Table 3-2 Typical Installation Flow For Installing a Patch Set

Screen When Does This Screen Appear? Description

Welcome

Always.

This page introduces you to the Oracle Fusion Middleware Installer.

Install Software Updates

Always.

Select the method you want to use for obtaining software updates, or select Skip Software Updates if you do not want to get updates.

If updates are found, the installer will automatically attempt to apply them at this point; make sure that the server you are using to perform the installation is connected to the Internet.

Prerequisite Checks

Always.

Verify that your system meets all necessary prerequisites.

Specify Installation Location

Always.

Specify your existing Oracle Middleware home and product Oracle home locations.

Installation Summary

Always.

Verify the information on this screen, then click Install to begin the installation.

Installation Progress

Always.

This screen shows the progress of the installation.

Click Next when the installation is 100% complete.

Installation Complete

Always.

Click Save to save your configuration information to a file. This information includes port numbers, installation directories, URLs, and component names which you may need to access at a later time.

You can view the log file located in the MW_HOME/oracle_common/upgrade/logs (on UNIX operating systems) or MW_HOME\oracle_common\upgrade\logs (on Windows operating systems) directory for details about the upgrade.

After saving your configuration information, click Finish to dismiss the installer.


3.5 Running the Patch Set Assistant

Once you have applied the patch set, as described in Section 3.4, run the Patch Set Assistant to update any required schemas. For more information, see Updating Your Schemas with Patch Set Assistant.

Once the schemas have been updated, complete any post-patching procedures that apply to your installation, as described in Section 3.7.

Note:

Before you start the servers and verify your installation, review Section 3.7, "Post-Patching Procedures" and perform any necessary post-patching tasks. You may need to start the servers after performing some of the tasks.

3.6 Starting the Administration Server and Managed Servers

Note:

Do not start the Oracle Identity Manager Managed Servers.

After the upgrade is complete, start the WebLogic Administration Server, the Administration Server for the domain that contains Oracle Identity Management, and Managed Servers.

Starting the Administration Server

To start the Administration Server, do the following:

On UNIX:

Run the following command:

cd <MW_HOME>/user_projects/domains/<domain_name>/bin

./startWebLogic.sh

On Windows:

Run the following command:

cd <MW_HOME>\user_projects\domains\<domain_name>\bin

startWebLogic.cmd

Starting Managed Servers

To start the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to start the Servers:

    ./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to start the Managed Servers:

    startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

3.7 Post-Patching Procedures

This section contains information about manual tasks performed after the Release 11.1.2.1.0 patch installation is complete. Some of the tasks may not apply to your environment as you may not be using the products in question.

3.7.1 Upgrading Oracle Identity Manager Middle Tier Using Property File

After you have applied the 11.1.2.1.0 patch set, you will need to run an additional upgrade utility to upgrade the Oracle Identity Manager's Middle Tier. The steps below describe the manual process:

Note:

Before you begin this process be sure that the following prerequisites have been met:

  • Back up your existing Middleware home, Domain home and any other relevant data as described in Section 3.2.6.

  • Start the Admin Server and SOA Server. If the OIM Server is running, stop it before running the Middle Tier upgrade script.

On UNIX:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>/server/bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>/server/bin

  2. Change the path to <OIM_ORACLE_HOME>/bin.

  3. Open the following file in a text editor:

    oim_upgrade_input.properties

  4. Add the parameters, as listed in Table 3-3.

  5. Move from your present working directory to the <MW_HOME>/Oracle_IDM1/server/bin directory by running the following command on the command line:

    cd <MW_HOME>/Oracle_IDM1/server/bin

  6. Run the following command:

    ./OIMUpgrade.sh

    Note:

    The following warning is displayed:

    [WARN][jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

On Windows:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>\server\bin

  2. Change the path to <OIM_ORACLE_HOME>\bin.

  3. Open the following file in a text editor:

    oim_upgrade_input.properties

  4. Add the parameters, as listed in Table 3-3.

  5. Move from your present working directory to the <MW_HOME>\<OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:

    cd <MW_HOME>\<OIM_ORACLE_HOME>\server\bin

  6. Run the following command:

    OIMUpgrade.bat

    Note:

    The following warning is displayed:

    [WARN][jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

  7. Verify the Middle Tier Upgrade.

    See Section 3.9.3, "Verifying Oracle Identity Manager Middle Tier Upgrade".

  8. Restart the servers as described in Section 3.8, "Restarting the Administration Server and OIM Managed Servers".

Table 3-3 Oracle Identity Manager Middle Tier Upgrade Parameters

Parameter            Description
oim.jdbcurl          Specify the Oracle Identity Manager JDBC URL.
oim.oimschemaowner   Specify the Oracle Identity Manager schema owner.
oim.oimmdsjdbcurl    Specify the MDS JDBC URL.
oim.mdsschemaowner   Specify the MDS schema owner name.
oim.adminhostname    Specify the Oracle WebLogic Server Administration host name.
oim.adminport        Specify the Oracle WebLogic Server Administration port.
oim.adminUserName    Specify the Oracle WebLogic Server Administration user name.
oim.soahostmachine   Specify the SOA host name where SOA Server is running.
oim.soaportnumber    Specify the SOA Server port.
oim.soausername      Specify the SOA Managed Server username.
oim.domain           Specify the Oracle Identity Manager domain location.


Example Parameters

oim.jdbcurl=db.example.com:5521/dbmode.example.com
oim.oimschemaowner=test_oim23
oim.oimmdsjdbcurl=db.example.com:5521/dbmode.example.com
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=<oim_host>:<oim_port>
oim.adminUserName=weblogic
oim.soahostmachine=<oim_soa_host>:<oim_soa_port>
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/<MW_HOME>/user_projects/domains/<base_domain>
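A missing or unedited entry in oim_upgrade_input.properties is cheaper to catch before OIMUpgrade.sh runs. The following check is an added example, not an Oracle tool: it verifies that every parameter from Table 3-3 is present, that no <placeholder> is left in a value, and that the two port parameters are numeric. The function names and the simple key=value parsing are assumptions; run against the example values above, it flags the three entries that still contain placeholders.

```shell
#!/bin/sh
# Added example, not an Oracle tool. Assumes one key=value pair per line.

# Parameters listed in Table 3-3.
OIM_UPGRADE_KEYS="oim.jdbcurl oim.oimschemaowner oim.oimmdsjdbcurl
oim.mdsschemaowner oim.adminhostname oim.adminport oim.adminUserName
oim.soahostmachine oim.soaportnumber oim.soausername oim.domain"

# prop_value <file> <key>: print the value assigned to <key>. If the key is
# assigned more than once the last assignment wins; prints nothing if absent.
prop_value() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                 # skip comment lines
        {
            i = index($0, "=")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == k) found = val
        }
        END { printf "%s", found }' "$1"
}

# check_oim_upgrade_props <file>: print one line per problem.
# Exit status: 0 = clean, 1 = problems found, 2 = file not readable.
check_oim_upgrade_props() (
    props=$1
    [ -r "$props" ] || { echo "cannot read $props" >&2; exit 2; }
    problems=0
    for key in $OIM_UPGRADE_KEYS; do
        val=$(prop_value "$props" "$key")
        issue=
        case $val in
            "")        issue="missing or empty" ;;
            *"<"*">"*) issue="placeholder not replaced: $val" ;;
            *)
                case $key in
                    oim.adminport|oim.soaportnumber)
                        case $val in
                            *[!0-9]*) issue="port is not numeric: $val" ;;
                        esac ;;
                esac ;;
        esac
        if [ -n "$issue" ]; then
            echo "$key: $issue"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ] || exit 1
)

# write_guide_sample <file>: the example parameters from this section,
# copied as they appear, placeholders included.
write_guide_sample() {
    cat > "$1" <<'EOF'
oim.jdbcurl=db.example.com:5521/dbmode.example.com
oim.oimschemaowner=test_oim23
oim.oimmdsjdbcurl=db.example.com:5521/dbmode.example.com
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=<oim_host>:<oim_port>
oim.adminUserName=weblogic
oim.soahostmachine=<oim_soa_host>:<oim_soa_port>
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/<MW_HOME>/user_projects/domains/<base_domain>
EOF
}

# Demo: check the guide's example values in a temporary file.
demo_file=$(mktemp)
write_guide_sample "$demo_file"
check_oim_upgrade_props "$demo_file" ||
    echo "fix the entries above before running OIMUpgrade.sh"
rm -f "$demo_file"
```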

3.7.2 Upgrading Oracle Identity Navigator Application

Note:

The OINAV version number is 11.1.1.3.0 while the Oracle Identity Navigator version number is 11.1.2.1.0.

This is not an error. The discrepancy is caused by a difference between how OINAV and Identity Access Management releases are tracked internally.

Upgrading Oracle Identity Navigator redeploys Oracle Identity Navigator using oinav.ear for Oracle Identity Navigator 11.1.2.1.0 release. There are two ways of redeploying the oinav.ear:

  • Upgrading oinav using the WebLogic Server Administration Console.

  • Upgrading oinav using the WebLogic Scripting Tool (WLST).

Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Identity Navigator through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://<admin server host>:<admin server port>/console

  2. Under Domain Structure, click Deployments.

  3. Select oinav (11.1.1.3.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Identity Navigator through the WLST console:

On UNIX

  1. Move from your present working directory to the <MW_HOME>/wlserver_10.3/common/bin directory by running the following command on the command line:

    cd <MW_HOME>/wlserver_10.3/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

On Windows

  1. Move from your present working directory to the <MW_HOME>\wlserver_10.3\common\bin directory by running the following command on the command line:

    cd <MW_HOME>\wlserver_10.3\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

3.7.3 Importing the Oracle Identity Navigator 11.1.2 Metadata

After applying the patch set, you must import any pre-upgrade OINAV metadata you may have exported.

Refer to "Importing the Oracle Identity Navigator 11.1.2 Metadata" in the Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management.

3.7.4 Upgrading Oracle Privileged Account Manager (OPAM) Application

Note:

The OPAM application version number is 11.1.2.0.0 while the Oracle Privileged Account Manager version number is 11.1.2.1.0.

This is not an error. The discrepancy is caused by a difference between how OPAM and Identity Access Management releases are tracked internally.

Upgrading Oracle Privileged Account Manager redeploys Oracle Privileged Account Manager using opam.ear for Oracle Privileged Account Manager 11.1.2.1.0 release. There are two ways of redeploying the opam.ear:

  • Upgrading opam using the WebLogic Server Administration Console.

  • Upgrading opam using the WebLogic Scripting Tool (WLST).

Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Privileged Account Manager through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://<admin server host>:<admin server port>/console

  2. Under Domain Structure, click Deployments.

  3. Select opam (11.1.2.0.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Privileged Account Manager through the WLST console:

On UNIX

  1. Move from your present working directory to the <MW_HOME>/wlserver_10.3/common/bin directory by running the following command on the command line:

    cd <MW_HOME>/wlserver_10.3/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('opam#11.1.2.0.0')

  5. Exit the WLST console using the exit() command.

On Windows

  1. Move from your present working directory to the <MW_HOME>\wlserver_10.3\common\bin directory by running the following command on the command line:

    cd <MW_HOME>\wlserver_10.3\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('opam#11.1.2.0.0')

  5. Exit the WLST console using the exit() command.

3.7.5 Importing Pre-Upgrade OPAM Data

After applying the patch set, you must import the pre-upgrade OPAM data as described below:

  1. Set the following environment variables:

    Variable      Description
    ORACLE_HOME   Where Oracle Privileged Account Manager is installed.
    JAVA_HOME     Location of the JDK used for the WebLogic installation.


  2. Navigate to $ORACLE_HOME/opam/bin.

  3. Execute the opam.sh script with the following parameters:

    ./opam.sh 
    -url <OPAM server url> (defaults to https://localhost:18102/opam)
    -u <user name> (the user should have OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x import -f <import xml file>
    -encpassword <encryption/decryption password> 
    -enckeylen <Key Length for encryption/decryption of password> (Defaults to 128)
    -log <log file Location> (defaults to opamlog_<timestamp>.txt)
    

3.7.6 Optional: Enabling TDE in Oracle Privileged Account Manager Data Store

Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. You can choose to either enable or disable the TDE mode. Oracle strongly recommends enabling the TDE mode for enhanced security.

This section includes the following topics:

3.7.6.1 Enabling TDE in the Database

For information about enabling Transparent Data Encryption (TDE) in the database for Oracle Privileged Account Manager, refer to the "Enabling Transparent Data Encryption" topic in Oracle Database Advanced Security Administrator's Guide.

For more information, see "Securing Stored Data Using Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide.

After enabling TDE in the database for Oracle Privileged Account Manager, you must enable encryption in OPAM schema, as described in "Enabling Encryption in OPAM Schema" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

3.7.6.2 Enabling Encryption in OPAM Schema

To enable encryption in the OPAM schema, run the opamxencrypt.sql script with the OPAM schema user, using sqlplus or any other client.

IAM_HOME/opam/sql/opamxencrypt.sql

Example:

sqlplus DEV_OPAM/welcome1 @IAM_HOME/opam/sql/opamxencrypt.sql

3.7.7 Optional: Configuring Non-TDE Mode

Note:

This step is only necessary if you did not enable TDE as described in Section 3.7.6.1, "Enabling TDE in the Database".

Non-TDE mode is not recommended. If you nevertheless require it, you must set the "tdemode" flag to false. For more information, see "Setting Up Non-TDE Mode" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Caution:

Oracle recommends that you always use Transparent Data Encryption (TDE). Without TDE, your data is not secure.

For more information on switching between the two modes, see "Securing Data On Disk" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

3.7.8 Upgrading Oracle Entitlements Server Domain and Policy Store

To upgrade Oracle Entitlements Server Administration Server and Policy Store, you must use the Oracle Identity and Access Management 11.1.2.1.0 Installer. During the procedure, point the Middleware Home to your existing 11.1.2.0.0 Middleware Home. Your Oracle Home is upgraded from 11.1.2.0.0 to 11.1.2.1.0.

For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

After the installation, use the Patch Set Assistant to upgrade OPSS Schemas (prefix_OPSS) as described in Section 4.3.2, "Starting the Patch Set Assistant".

3.7.9 Configuring BI Publisher Reports

Complete the following steps to configure the BI Publisher Reports:

  1. Obtain the reports bundle oim_product_BIP11gReports_11_1_2_1_0.zip from the following location:

    MW_HOME/IAM_HOME/server/reports/oim_product_BIP11gReports_11_1_2_1_0.zip
    
  2. Unzip oim_product_BIP11gReports_11_1_2_1_0.zip at the following location:

    IAM_HOME/Middleware/user_projects/domains/domain_name/config/bipublisher/repository/Reports/
     
    
  3. Configure reports by following the instructions in "Configuring Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

3.7.10 Updating SOA Server Default Composite

In an integrated environment, Oracle Identity Management is front-ended by OHS. All SOA server default composites must be updated. Perform the following steps:

  1. Log in to Oracle Enterprise Manager Fusion Middleware Control Console.

  2. Navigate to SOA, then soa-infra (SOA server name), then default.

    Update the composite types applicable to your environment. For example: ApprovalTask, Human Workflow, DisconnectedProvisioning, etc.

    See Also:

    The Fusion Middleware Control online help and SOA Suite documentation

  3. For each default composite, perform the following:

    1. Click the composite name.

    2. From Component Metrics select the composite type. For example, click ApprovalTask.

    3. Select the Administration tab and update the fields as follows:

      Host Name: OHS host name

      HTTP Port: If SSL mode, leave blank. If non-SSL mode, enter OHS HTTP port.

      HTTPS Port: If SSL mode, enter OHS HTTPS port. If non-SSL mode, leave blank.

    4. Click Apply.

3.7.11 Copying Oracle Access Manager MBean XML Files

Update the MBean XML files with Oracle Identity Management 11g Release 2 (11.1.2.1) MBean XML files using the offline WLST command copyMbeanXmlFiles(). This command copies the Oracle Access Manager and Oracle Identity Connect MBean XML files from the OAM_ORACLE_HOME to DOMAIN_HOME.

To copy Oracle Access Manager and Oracle Identity Connect MBean files to the DOMAIN_HOME:

  1. Go to the following directory:

    OAM_ORACLE_HOME/common/bin
    
  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh
    
  3. Run the following command:

    copyMbeanXmlFiles('DOMAIN_HOME','ORACLE_HOME')
    

    For example:

    On Linux:

    copyMbeanXmlFiles('/scratch/ste/MW_HOME/user_projects/domains/test_domain','/scratch/ste/MW_HOME/Oracle_IDM1')
    

    The second parameter, OAM_ORACLE_HOME, is optional.

    On Windows:

    copyMbeanXmlFiles('C:\\Oracle\\MW_HOME\\user_projects\\domains\\test_domain','C:\\Oracle\\MW_HOME\\Oracle_IDM1')
    

3.8 Restarting the Administration Server and OIM Managed Servers

Note:

Start only the Oracle Identity Manager (OIM) Managed Servers at this time.

To restart the Administration Server and Oracle Identity Manager Managed Servers, you must first stop them and then start them again.

To stop the servers, see Shutting Down Administration Server and Managed Servers.

To start the servers, see Starting the Administration Server and Managed Servers.

To start the Oracle Identity Manager Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to start the Managed Servers:

    ./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to start the Managed Servers:

    startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>

    where

    <managed_server_name> is the name of the Managed Server.

    <admin_url> is the URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify it only if the WebLogic Administration Server is on a different computer.

    <user_name> is the username of the WebLogic Administration Server.

    <password> is the password of the WebLogic Administration Server.

3.9 Verifying Your Patch Set Installation

After you have successfully patched your environment, you can verify the status of your installation by performing any combination of the following:

Note:

OPAM Users: After you have verified that the patch was successfully applied, you should clear the OPSS artifacts of the pre-upgrade instance as described in Section 3.9.6.

3.9.1 Verifying the Upgrade

To verify your Oracle Identity Manager upgrade, perform the following steps:

  1. Use the following URL in a web browser to verify that Oracle Identity Manager 11.1.2.1.0 is running:

    http://<oim.example.com>:<oim_port>/sysadmin

    http://oim.example.com:14000/identity

    where

    <oim.example.com> is the path of the administration console.

    <oim_port> is the port number.

  2. Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.

  3. Install the Diagnostic Dashboard and run the following tests:

    • Oracle Database Connectivity Check

    • Account Lock Status

    • Data Encryption Key Verification

    • JMS Messaging Verification

    • SOA-Oracle Identity Manager Configuration Check

    • SPML Web Service

    • Test OWSM setup

    • Test SPML to Oracle Identity Manager request invocation

    • SPML attributes to Oracle Identity Manager attributes

    • Username Test

3.9.2 Verifying the Domain Server Logs

Check the domain server logs, which are located in the servers directory inside the domain home directory. For example, on UNIX systems:

MW_HOME/user_projects/domains/domain_name/servers/server_name

On Windows systems:

MW_HOME\user_projects\domains\domain_name\servers\server_name

3.9.3 Verifying Oracle Identity Manager Middle Tier Upgrade

Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:

  1. Verify the log files created in the following location:

    On UNIX:

    <OIM_HOME>/server/upgrade/logs/MT

    On Windows:

    <OIM_HOME>\server\upgrade\logs\MT

    The following log files are generated:

    • OIMUpgrade<timestamp>.log

    • SeedSchedulerData.log

  2. OIMupgrade.sh creates a detailed report. Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:

    1. Go to the following path:

      On UNIX:

      <Oracle_IDM1>/server/upgrade/logs/MT/oimUpgradeReportDir

      On Windows:

      <Oracle_IDM1>\server\upgrade\logs\MT\oimUpgradeReportDir

    2. Click index.html.

      This page contains a list of all Oracle Identity Manager features and the upgrade status of the last middle tier run, in table format.

    3. Click on the corresponding link of each feature for a detailed feature report.

3.9.4 Verifying OPMN Status

Run the opmnctl status command from the INSTANCE_HOME/bin (on UNIX operating systems) or INSTANCE_HOME\bin (on Windows operating systems) directory in your instance home location. The example below shows the output on a UNIX system:

> ./opmnctl status

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |     pid | status  
---------------------------------+--------------------+---------+---------
emagent_asinst_1                 | EMAGENT            |   11849 | Alive   
wc1                              | WebCache-admin     |   11333 | Alive   
wc1                              | WebCache           |   11332 | Alive   
ohs1                             | OHS                |   11207 | Alive 

This information shows the components configured for this installation. The status "Alive" means the component is up and running.

You can also run the opmnctl status -l command to obtain a list of ports used by the components. The example below shows the output on a UNIX system:

> ./opmnctl status -l

Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |     pid | status   |        uid |  memused |    uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
emagent_asinst_1                 | EMAGENT            |   11849 | Alive    | 1133259606 |     4204 |   0:09:38 | N/A
wc1                              | WebCache-admin     |   11333 | Alive    | 1133259605 |    43736 |   0:15:35 | http_admin:8091
wc1                              | WebCache           |   11332 | Alive    | 1133259604 |    63940 |   0:15:35 | http_stat:8092,http_invalidation:8093,https_listen:8094,http_listen:8090
ohs1                             | OHS                |   11207 | Alive    | 1133259603 |    50744 |   0:15:43 | https:8889,https:8890,http:8888
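
A check that can be run over the opmnctl status -l output shown above, as an added example that is not part of the Oracle guide: it reports components that are not Alive and extracts the listener list so that it can be compared with a baseline saved before patching. The sample text is constructed from the listing above with the ohs1 row altered, and the function names are hypothetical.

```shell
# Added example (not from the Oracle guide): checks on `opmnctl status -l` output.
# Constructed sample modelled on the listing above; the ohs1 row is altered to a
# stopped state so that the checks have something to report.
sample_status() {
cat <<'EOF'
Processes in Instance: asinst_1
-----------------+----------------+-------+--------+------------+---------+---------+------
ias-component    | process-type   |   pid | status |        uid | memused |  uptime | ports
-----------------+----------------+-------+--------+------------+---------+---------+------
emagent_asinst_1 | EMAGENT        | 11849 | Alive  | 1133259606 |    4204 | 0:09:38 | N/A
wc1              | WebCache-admin | 11333 | Alive  | 1133259605 |   43736 | 0:15:35 | http_admin:8091
wc1              | WebCache       | 11332 | Alive  | 1133259604 |   63940 | 0:15:35 | https_listen:8094,http_listen:8090
ohs1             | OHS            |   N/A | Down   |        N/A |     N/A |     N/A | N/A
EOF
}

# Print "component/process-type status" for each row whose status is not Alive.
# Title, rule and header lines are skipped (no "|" fields, or the header name).
not_alive() {
  awk -F'|' 'NF >= 4 && $1 !~ /ias-component/ {
    for (i = 1; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
    if ($4 != "Alive") print $1 "/" $2 " " $4
  }'
}

# Print "component/process-type endpoint port" for each listener (-l output only).
list_ports() {
  awk -F'|' 'NF >= 8 && $1 !~ /ias-component/ {
    for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
    n = split($8, eps, ",")
    for (j = 1; j <= n; j++)
      if (split(eps[j], kv, ":") == 2) print $1 "/" $2 " " kv[1] " " kv[2]
  }'
}

# Read status output on stdin; succeed only if every component is Alive.
check_alive() {
  bad=$(not_alive)
  [ -z "$bad" ] && return 0
  printf 'Not Alive after patching:\n%s\n' "$bad" >&2
  return 1
}

# Read status -l output on stdin; print listeners absent from the baseline file $1,
# saved before patching with: ./opmnctl status -l | list_ports > baseline
new_listeners() {
  list_ports | grep -vxF -f "$1" || true
}

sample_status | not_alive   # demo on the constructed sample
```

Against a live instance, pipe the real command into the same functions, for example ./opmnctl status -l | check_alive from the INSTANCE_HOME/bin directory.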

3.9.5 Checking Browser URLs

Verify that you can access your installed and configured products, as shown in Table 3-4:

Table 3-4 Installed Product URLs

Product or Component             URL
-----------------------------    --------------------------------------------
Administration Server Console    http://host:port/console
Enterprise Manager Console       http://host:port/em
Enterprise Manager Agent         http://host:port/emd/main
Oracle Identity Manager          http://oim.example.com:14000/identity
System Administrator             http://<oim.example.com>:<oim_port>/sysadmin


3.9.6 Clearing Pre-Upgrade OPSS Artifacts for OPAM

This step is only required if you are patching Oracle Privileged Account Manager (OPAM).

After you have verified that the patch was successfully applied, you should clear the OPSS artifacts of the pre-upgrade instance.

For UNIX operating systems:

$ORACLE_HOME/common/bin/wlst.sh $ORACLE_HOME/opam/config/clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> t3://<adminserver-host>:<adminserver-port>

For Windows operating systems:

%ORACLE_HOME%\common\bin\wlst.cmd %ORACLE_HOME%\opam\config\clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> t3://<adminserver-host>:<adminserver-port>