3 Upgrade, Migration, and Patching Issues for Oracle Identity and Access Management

This chapter describes issues associated with the upgrade and migration process of Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0). It includes the following sections:

3.1 Upgrade Issues

This section describes issues related to upgrading the following components:

  • Oracle Identity Manager 11g Release 1 (11.1.1.5.0) to Oracle Identity Manager 11g Release 2 (11.1.2.1.0)

  • Oracle Access Manager 11g Release 1 (11.1.1.5.0) to Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

  • Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) to Oracle Adaptive Access Manager 11g Release 2 (11.1.2.1.0)

  • Oracle Identity Navigator 11g Release 1 (11.1.1.5.0) to Oracle Identity Navigator 11g Release 2 (11.1.2.1.0)

  • Oracle Entitlements Server 11g Release 1 (11.1.1.5.0) to Oracle Entitlements Server 11g Release 2 (11.1.2.1.0)

  • Oracle Identity Manager 9.x to Oracle Identity Manager 11g Release 2 (11.1.2.1.0)

For the list of upgrade issues reported in 11g Release 2 (11.1.2), see "Upgrade and Migration Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for 11g Release 2 (11.1.2).

3.1.1 General Issues and Workarounds

This section describes general issues and workarounds related to the upgrade scenarios. It includes the following topic:

3.1.1.1 Upgrade User Form Does Not Upgrade UDF of Type LOV Correctly

This issue occurs when you upgrade Oracle Identity Manager 9.x or Oracle Identity Manager 11g Release 1 (11.1.1.5.0) to Oracle Identity Manager 11g Release 2 (11.1.2.1.0). The LOV fields for User, Role, and Organization Forms on User Interface are not upgraded correctly.

You must apply the following workaround before you click on Upgrade User Form or Upgrade Role Form or Upgrade Organization Form. This workaround should not be applied after Upgrade User Form is completed.

The workaround is as follows:

  1. Log in to the /sysadmin console using the following URL:

    http://OIM_HOST:OIM_PORT/sysadmin

  2. Create and activate a sandbox.

  3. Click Form Designer.

  4. Search for User form, and open it.

  5. For each LOV UDF, create the UDF with the name same as the UDF name in the User.xml file. Make sure you select both Searchable and Searchable Picklist.

  6. Repeat for all the searchable LOV fields of Role and Organization forms.

  7. Publish the sandbox.

3.2 Migration Issues

This section describes issues related to the following scenarios:

  • Migrating Oracle Access Manager 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

  • Migrating Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11g Release 2 (11.1.2.1.0)

  • Migrating Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

  • Migrating Sun OpenSSO Enterprise 8.0 to Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

  • Migrating Sun Java System Access Manager 7.1 to Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

  • Coexistence of Oracle Access Manager 10g with Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

  • Coexistence of Sun OpenSSO Enterprise 8.0 with Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

  • Coexistence of Sun Java System Access Manager 7.1 with Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0)

3.2.1 General Issues and Workarounds

This section describes general issues and workarounds related to the migration scenarios. It includes the following topics:

3.2.1.1 osso.conf Files may be Copied to Alternate File Location If Upgrading Oracle Single Sign-On 10g Fails

This issue occurs when you upgrade Oracle Single Sign-On 10g to Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0). If errors occurs during the execution of the Upgrade Assistant which require you to re-run the process, there is a possibility that required osso.conf files will not be generated, in the location specified in the Upgrade Assistant Summary screen, at the end of the process.

If this occurs, the osso.conf files needed to complete the upgrade, can also be found in the following directory:

<MW_HOME>/user_projects/domains/<Domain_Home>/output/upgrade

3.2.1.2 Server Logs and Assessment Report for Certain Scenarios Show Only English Messages

Known issue.

The server logs and assessment report shows only English messages when you migrate the following components to Oracle Access Management Access Manager 11g Release 2 (11.1.2.1.0):

  • Oracle Access Manager 10g

  • Sun OpenSSO Enterprise 8.0

  • Sun Java System Access Manager 7.1

3.2.1.3 Registering Policy Agent 2.2 Using RREG Fails Due to Unavailability of Agent Template

This issue occurs when you register Policy Agent 2.2 in Oracle Access Management 11.1.2.1.0 Server using Remote Registration tool (RREG), during migration. This is because of the unavailability of the agent template.

The workaround for this issue is as follows:

  1. Copy the oam-admin.ear from the following directory to a temporary location:

    On Unix: MW_HOME/oam/server/apps/

    On Windows: MW_HOME\oam\server\apps\

  2. Unpack the oam-admin.ear file in any desired location. The oam-admin.ear contains ngam-ui.war file.

  3. Unpack the ngam-ui.war file in any desired location. The ngam-ui.war contains oam-migrate.jar file.

  4. Unpack the oam-migrate.jar file in any desired location.

  5. Go to the following directory from the location where you have unpacked the oam-migrate.jar:

    On UNIX: oracle/security/am/migrate/OpenSSO/resources/templates/

    On Windows: oracle\security\am\migrate\OpenSSO\resources\templates\

  6. Complete the following steps depending on the type of 2.2 Policy Agent:

    • For 2.2 J2EE Agent:

      On UNIX: Copy the AMAgent.template from the directory ../templates/j2eeagents to the location MW_HOME/RReg_Home/templates/opensso/j2eeagents

      On Windows: Copy the AMAgent.template from the directory ..\templates\j2eeagents to the location MW_HOME\RReg_Home\templates\opensso\j2eeagents

    • For 2.2 Web Agent:

      On UNIX: Copy the AMAgent.template from the directory ../templates/webagents to the location MW_HOME/RReg_Home/templates/opensso/webagents

      On Windows: Copy the AMAgent.template from the directory ..\templates\webagents to the location MW_HOME\RReg_Home\templates\opensso\webagents

3.2.1.4 Oracle Access Management 11g Release 2 (11.1.2.0.0) Coexistence, Upgrade, and Migration Supplement

Oracle Fusion Middleware Upgrade and Migration Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) discusses how to upgrade or migrate various Single Sign-On and Access Management environments to Oracle Access Management 11g Release 2 (11.1.2.0.0). You should use this guide for information about upgrade, migration, and coexistence procedures.

If necessary, you can read the following support note for any late-breaking information and changes:

My Oracle Support document ID 1473025.1

3.3 Patching Issues

This section describes general issues and workarounds related to applying the Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) patch to an existing Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) environment. It includes the following topics:

3.3.1 Updating System Mbean Configuration

In Oracle Access Manager Release 2 (11.1.2.1.0), the System Mbean Configuration files have been modified to remove the dependency on domain home. The copyMbeanXmlFiles command moves the domain Mbean jars out of the domain home to eliminate any future upgrade or patching issues.

After you have applied the 11.1.2.1.0 patch, you must run the following WLST commands to complete the patching process for OAM:

  1. After applying the 11.1.2.1.0 patch set, use the Patch Set Assistant to update the Oracle Access Manager Components as described in "Updating Your Schemas with Patch Set Assistant".

    Make sure that you select Oracle Access Manager on the Select Component screen.

  2. After a successful run of the Patch Set Assistant, navigate to the following directory and execute the copyMbeanXmlFiles command, as shown in the example below.

    You must specify the directory paths for your Middleware and OAM Oracle homes. Directories below are shown as examples only.

    On Unix operating systems:

    cd $ORACLE_HOME/common/bin/wlst.sh
copyMbeanXmlFiles ('/MW_HOME/user_projects/domains/my_domain',' '/MW_HOME/Oracle_IDM') where 2nd parameter <OAM_ORACLE_HOME> is optional.

    On Windows operating systems:

    cd $ORACLE_HOME/common/bin/wlst.sh
copyMbeanXmlFiles('C:\\Oracle\\MW_HOME\\user_projects\domains\\my_domain','C:\\Oracle\\MW_HOME\\Oracle_IDM') where 2nd parameter <OAM_ORACLE_HOME> is optional.

  3. After a successful run of the above command, verify that the 11.1.2.1.0 Mbean XML files are copied to the following locations:

    <DOMAIN_HOME>/config/fmwconfig/mbeans

    <DOMAIN_HOME>/config/fmwconfig

3.3.2 SOA Email Notification Does Not Work

In an Oracle Identity Manager 11g Release 2 (11.1.2.1.0) deployment that has been upgraded from 11g Release 2 (11.1.2.1), SOA email notification does not work.

To workaround this issue:

  1. Apply patch 16366204.

  2. Start Admin and SOA Server.

  3. Update the JpsContextName MBean. To do so:

    1. Login to Oracle Enterprise Manager.

    2. On the left pane, expand Weblogic Domain.

    3. Right-click WLS_DOMAIN, and select System MBeans Browser.

    4. Go to Application Defined MBeans, com.oracle.sdp.messaging, Server: soa_server1, Application:usermessagingserver, SDPMessagingServerConfig, ServerConfig, JpsContextName.

    5. Enter oim as the value, and click Apply.

  4. Restart the SOA Server.

3.3.3 AD User Management Connector Issues

After you have applied the Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) patch, the AD User Management 11.1.1.5.0 reconciliation profile used for Oracle Identity Manager may be overwritten.

To correct this issue, open the "Active Directory Organization Recon" job and clear the last token listed (if it its has a specified value) and run the job.

3.3.4 Harmless Error After Applying Interim Patch 14481477

If Interim Patch 14481477 was applied to the existing Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) environment before applying the 11.1.2.1.0 patch, you may see the following warning. You can safely ignore this error message.

Error Message:

OUI-10221:The install touches a component that is patched by interim patches'Interim Patch# 14481477'. The interim patches affect other components not included in the install.
You may rollback the interim patches 'Interim Patch# 14481477'using OPatch for consistency before performing the upgrade. You may also choose to ignore this warning and continue with the upgrade. If you choose to continue, the conflicting patches will be removed from the inventory. However, some files that are not updated during the upgrade may be left behind. Contact Support to check applicability and availability of interim patches 'Interim Patch# 14481477' for this install. 
Do you want to ignore the patch conflicts and continue with the upgrade?.

3.3.5 Delete WebLogic Server TMP Directories

After you have applied the Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) patch, some of the transaction screens may not open properly. To correct this issue, delete the server-level temporary directories as described below.

  1. Shut down all of the managed servers.

  2. Navigate to the following directory:

    cd $MIDDLEWAREHOME/user_projects/domains/$<DOMAINNAME>/servers/

  3. For each of the servers located in the /servers directory, delete the contents of the _WL_user folder in the /tmp directory.

    For example, if you have an OIM Managed Server on a Unix operating system, you would remove the contents of the /_WL_user directory in the following location:

    $MIDDLEWAREHOME/user_projects/domains/$<DOMAINNAME>/servers/$OIMMANAGEDSERVERNAME/tmp/_WL_user

  4. Repeat the process for each server in the /servers directory and restart the managed servers.

3.3.6 Classpath Issue While Patching Oracle Identity Manager Middle Tier

If you receive the following error message while updating your Oracle Identity Manager (OIM) Middle Tier from 11.1.2.0.0 to 11.1.2.1.0, you must update the ucp.jar classpath in the OIMUpgrade.sh script.

Error Message:

Exception in thread "main" java.lang.NoClassDefFoundError: oracle/ucp/jdbc/PoolDataSourceFactory

To correct this issue, update the OIMUpgrade.sh script as described below:

  1. Navigate to <MW_HOME>/Oracle_IDM1/server/bin

  2. Open OIMUpgrade.sh in edit mode.

  3. Replace the path for $OIM_HOME/server/ext/ucp.jar in MDSJARS classpath settings with the following:

    $MW_HOME/oracle_common/modules/oracle.ucp_11.1.0.jar

  4. Save the OIMUpgrade.sh file and then run OIM Middle Tier upgrade as described in "Upgrading Oracle Identity Manager Middle Tier Using Property File".

3.3.7 Metadata Services (MDS) Patching Fails if OIM Server is Started Before Middle Tier Upgrade

When you are patching from OIM 11g Release 2 (11.1.2.0.0) to OIM 11g Release 2 (11.1.2.1.0), Metadata Services (MDS) patching fails if the Oracle Identity Manager Server is started before the Middle Tier upgrade.

The following exception is seen in the MDS report ORACLE_HOME/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html, if you start the OIM Managed Server after the binary upgrade or schema upgrade, and before the middle tier upgrade:

java.lang.NullPointerException at 
oracle.iam.oimupgrade.mdstransferlisteners.util.CommonUtil.readmetadataMergeCl 
assMap(CommonUtil.java:369) at 
oracle.iam.oimupgrade.mdstransferlisteners.util.ListenerUtil.postOperation(Lis 
tenerUtil.java:148) at 
oracle.iam.oimupgrade.mdstransferlisteners.RequestTransferListener.postOperati 
on(RequestTransferListener.java:61) at 
oracle.mds.internal.transfer.InternalMDSTransfer$1.run(InternalMDSTransfer.jav
a:2183)

Workaround:

The workaround for this issue is to apply MDS patching after you complete the Oracle Identity Manager upgrade process. To do this, complete the following steps:

  1. Launch the WebLogic Scripting Tool (WLST) by running the following command from the location MW_HOME/oracle_common/common/bin:

    On UNIX: ./wlst.sh

    On Windows: wlst.cmd

  2. Connect to the WebLogic Administration Server by running the following command:

    connect('wls_admin_username','wls_admin_password','t3://hostname:port')

    In this command,

    • wls_admin_username is the username of the WebLogic Administration Server.

    • wls_admin_password is the password of the WebLogic Administration Server.

    • hostname is the machine where WebLogic Administration Server ia running.

    • port is the Administration Server port

  3. Import the MAR with forced MDS Patching using the following command:

    importMAR('OIMMetadata','OIM_Managed_Server_Name','true')

    In this command, OIM_Managed_Server_Name is the name of the OIM Managed Server.

    For more information about using importMAR command, see "importMAR" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

3.3.8 Middle Tier Upgrade Fails When Patching OIM 11.1.2.0.0 to 11.1.2.1.0

This issue occurs when you patch Oracle Identity Manager 11g Release 2 (11.1.2.0.0) to Oracle Identity Manager 11g Release 2 (11.1.2.1.0). Middle tier upgrade fails with the following exception when you patch OIM 11.1.2.0.0 to 11.1.2.1.0:

Exception in thread "main" java.lang.NoClassDefFoundError:
oracle/ucp/jdbc/PoolDataSourceFactory

The workaround for this issue is as follows:

  1. Open the file OIMUpgrade.sh from the location MW_HOME/Oracle_IDM1/server/bin in text editor.

  2. In MDSJARS classpath settings, replace the path $OIM_HOME/server/ext/ucp.jar with $MW_HOME/oracle_common/modules/oracle.ucp_11.1.0.jar.

  3. Save the file OIMUpgrade.sh.

  4. Run the middle tier upgrade again.