7 Upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.x.x) Environments

This chapter describes how to upgrade Oracle Privileged Account Manager (OPAM) 11g Release 2 (11.1.2.1.0) and 11g Release 2 (11.1.2) environments to Oracle Privileged Account Manager 11g Release 2 (11.1.2.2.0) on Oracle WebLogic Server.

Note:

For information about upgrading Oracle Privileged Account Manager on IBM WebSphere, see "Upgrading Oracle Privileged Account Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.

Note:

This chapter refers to Oracle Privileged Account Manager 11g Release 2 (11.1.2) and 11g Release 2 (11.1.2.1.0) environments as 11.1.2.x.x.

This chapter includes the following sections:

7.1 Upgrade Roadmap for Oracle Privileged Account Manager

Table 7-1 lists the tasks to be performed to upgrade Oracle Privileged Account Manager 11.1.2.x.x to Oracle Privileged Account Manager 11.1.2.2.0.

Table 7-1 Roadmap for Upgrading Oracle Privileged Account Manager 11.1.2.x.x to 11.1.2.2.0

  1. Review system requirements and certifications.

    See Section 7.2, "Reviewing System Requirements and Certification".

  2. If you are upgrading Oracle Privileged Account Manager 11.1.2 to Oracle Privileged Account Manager 11.1.2.2.0, you must export the pre-upgrade data. If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to Oracle Privileged Account Manager 11.1.2.2.0, skip this task.

    See Section 7.3, "Exporting the Pre-Upgrade Data".

  3. Stop the Administration Server and all the Managed Servers.

    See Section 7.4, "Stopping the Administration Servers and the Managed Server(s)".

  4. If you are not using Oracle WebLogic Server 10.3.6, you must upgrade Oracle WebLogic Server to 10.3.6.

    See Section 7.5, "Upgrading Oracle WebLogic Server to 10.3.6".

  5. Upgrade the Oracle Privileged Account Manager binaries to 11.1.2.2.0.

    See Section 7.6, "Updating Oracle Privileged Account Manager Binaries to 11.1.2.2.0".

  6. Upgrade the 11.1.2.x.x database schemas.

    See Section 7.7, "Upgrading the Database Schemas".

  7. Start all the servers.

    See Section 7.8, "Start the Administration Server and the Managed Server(s)".

  8. Redeploy the Oracle Identity Navigator and Oracle Privileged Account Manager applications.

    See Section 7.9, "Redeploying the Applications".

  9. If you are upgrading Oracle Privileged Account Manager 11.1.2 to Oracle Privileged Account Manager 11.1.2.2.0, you must set up either TDE mode or non-TDE mode in the OPAM Data Store. If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to Oracle Privileged Account Manager 11.1.2.2.0, skip this task.

    See Section 7.10, "Enabling TDE or Non-TDE Mode in OPAM Data Store".

  10. If you are upgrading Oracle Privileged Account Manager 11.1.2 to Oracle Privileged Account Manager 11.1.2.2.0, you must import the pre-upgrade data. If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to Oracle Privileged Account Manager 11.1.2.2.0, skip this task.

    See Section 7.11, "Importing the Pre-Upgrade Data".

  11. If you are upgrading Oracle Privileged Account Manager 11.1.2 to Oracle Privileged Account Manager 11.1.2.2.0, you must clear the pre-upgrade OPSS artifacts. If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to Oracle Privileged Account Manager 11.1.2.2.0, skip this task.

    See Section 7.12, "Clearing Pre-Upgrade OPSS Artifacts".

  12. Configure the Oracle Privileged Account Manager session manager (if required).

    See Section 7.13, "Optional: Configuring the Oracle Privileged Account Manager 11.1.2.2.0 Session Manager".

  13. Configure the Oracle Identity Navigator application (if required).

    See Section 7.14, "Optional: Configuring Oracle Identity Navigator Application on OPAM Managed Server".

  14. Verify the upgrade.

    See Section 7.15, "Verifying the Oracle Privileged Account Manager Upgrade".


7.2 Reviewing System Requirements and Certification

Before you start the upgrade process, you must read the system requirements and certification document to ensure that your system meets the minimum requirements for the products you are installing or upgrading to. For more information see Section 2.1, "Reviewing System Requirements and Certification".

7.3 Exporting the Pre-Upgrade Data

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.2.0, you must export the pre-upgrade Oracle Privileged Account Manager data before you start the upgrade process.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.2.0, skip this task.

You must export the pre-upgrade OPAM data, such as targets, accounts, and users, before you upgrade Oracle Privileged Account Manager 11.1.2 to 11.1.2.2.0. The steps in this section describe how to export the OPAM data to an XML file. A manual export is required because the back-end data store moves from the OPSS schema to a native OPAM data store in the new version.

Use the following procedure to export the OPAM data:

  1. Set the following environment variables:

    ORACLE_HOME: Where Oracle Privileged Account Manager is installed.
    JAVA_HOME: Location of the JDK used for the WebLogic installation.

  2. Navigate to ORACLE_HOME/opam/bin.

  3. Execute the following command with all the parameters mentioned:

    On UNIX:

    ./opam.sh
    [-url <OPAM server url>] (defaults to https://localhost:18102/opam)
    -u <user name> (the user must have the OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x export -f <export xml file>
    [-encpassword <encryption/decryption password>] (provide a value for encpassword for better security)
    [-enckeylen <key length for encryption/decryption of password>] (defaults to 128)
    [-log <log file location>] (defaults to opamlog_<timestamp>.txt)

    On Windows:

    opam.bat
    [-url <OPAM server url>] (defaults to https://localhost:18102/opam)
    -u <user name> (the user must have the OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x export -f <export xml file>
    [-encpassword <encryption/decryption password>] (provide a value for encpassword for better security)
    [-enckeylen <key length for encryption/decryption of password>] (defaults to 128)
    [-log <log file location>] (defaults to opamlog_<timestamp>.txt)

    Note:

    If the data was exported without an encryption password, then specify this with the parameter "-noencrypt true" while importing the data.
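The following wrapper is an added example for the export step above; it is not Oracle's code. It enforces the encrypted export (the XML holds privileged-account credentials), creates the export file owner-readable only, and records a checksum to compare before the later import. It assumes ORACLE_HOME and JAVA_HOME are set, that opam.sh behaves as documented, and that the hypothetical variables OPAM_USER, OPAM_PASSWORD and OPAM_ENCPASSWORD carry the credentials.

```shell
#!/bin/sh
# Added example (not Oracle's code): wraps the OPAM 11.1.2 export of Section 7.3.
# Assumes ORACLE_HOME, JAVA_HOME, OPAM_USER, OPAM_PASSWORD and OPAM_ENCPASSWORD
# are set (the OPAM_* names are this example's own convention).

# Fail if a required environment variable is unset or empty.
require_env() {
    eval "v=\${$1:-}"
    [ -n "$v" ] || { echo "ERROR: $1 is not set" >&2; return 1; }
}

# Accept an export file only if it is non-empty, looks like XML, and is
# readable by its owner alone (it contains privileged-account credentials).
check_export_file() {
    f=$1
    [ -s "$f" ] || { echo "ERROR: $f is missing or empty" >&2; return 1; }
    head -n 1 "$f" | grep -q '^<?xml' || { echo "ERROR: $f is not XML" >&2; return 1; }
    if [ -n "$(find "$f" \( -perm -g+r -o -perm -o+r \) -print)" ]; then
        echo "ERROR: $f is readable by group or others" >&2; return 1
    fi
}

# Write FILE.sha256 so the export can be checked for tampering before import.
record_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" > "$1.sha256"
    else shasum -a 256 "$1" > "$1.sha256"; fi
}

# Return 0 only if FILE still matches the recorded checksum.
verify_checksum() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1.sha256" >/dev/null 2>&1
    else shasum -a 256 -c "$1.sha256" >/dev/null 2>&1; fi
}

# Run the documented export with -encpassword always supplied.
# $1 = absolute path of the export XML file, $2 = optional OPAM server URL.
export_opam_data() {
    out=$1
    url=${2:-https://localhost:18102/opam}
    for v in ORACLE_HOME JAVA_HOME OPAM_USER OPAM_PASSWORD OPAM_ENCPASSWORD; do
        require_env "$v" || return 1
    done
    umask 077    # export file and log are created with owner-only permissions
    ( cd "$ORACLE_HOME/opam/bin" && ./opam.sh -url "$url" \
        -u "$OPAM_USER" -p "$OPAM_PASSWORD" \
        -x export -f "$out" \
        -encpassword "$OPAM_ENCPASSWORD" -enckeylen 128 \
        -log "opamlog_$(date +%Y%m%d%H%M%S).txt" ) || return 1
    check_export_file "$out" && record_checksum "$out"
}

# Run the export only when invoked as "sh export_opam.sh --run /path/to/opam-export.xml".
if [ "${1:-}" = "--run" ]; then
    export_opam_data "$2"
fi
```

Before the import in Section 7.11, run verify_checksum on the same file to confirm it is unchanged since export.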

7.4 Stopping the Administration Servers and the Managed Server(s)

The upgrade process involves changes to the binaries and to the schema. So, before you begin the upgrade process, you must shut down the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Server(s).

For information about stopping the WebLogic Administration Server and the Managed Servers, see Section 2.8, "Stopping the Servers".

7.5 Upgrading Oracle WebLogic Server to 10.3.6

Oracle Identity and Access Management 11.1.2.2.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Privileged Account Manager environment is using Oracle WebLogic Server 10.3.5 or the previous versions, you must upgrade Oracle WebLogic Server to 10.3.6.

For information about upgrading Oracle WebLogic Server to 10.3.6, see Section 2.3, "Upgrading to Oracle WebLogic Server 10.3.6".

7.6 Updating Oracle Privileged Account Manager Binaries to 11.1.2.2.0

To update Oracle Privileged Account Manager 11.1.2.x.x binaries to 11.1.2.2.0, you must use the Oracle Identity and Access Management 11.1.2.2.0 Installer. During the procedure, point the Middleware Home to your existing 11.1.2.x.x Oracle Privileged Account Manager Middleware Home. Your Oracle Home is upgraded from 11.1.2.x.x to 11.1.2.2.0.

For information about updating the Oracle Privileged Account Manager binaries to 11.1.2.2.0, see Section 2.4, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.2.0)".

7.7 Upgrading the Database Schemas

Upgrade the following schemas using the Patch Set Assistant.

  • OPAM

  • OPSS - OPSS is selected as a dependency when you select OPAM.

For information about upgrading schemas using Patch Set Assistant, see Section 2.6, "Upgrading Schemas Using Patch Set Assistant".

After you upgrade the OPAM and OPSS schemas, the version of the OPAM schema will be 11.1.2.2.0.

7.8 Start the Administration Server and the Managed Server(s)

After you upgrade the schemas, start the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Server(s).

For information about starting the WebLogic Administration Server and the Managed Servers, see Section 2.9, "Starting the Servers".

7.9 Redeploying the Applications

After you start the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Servers, you must redeploy the Oracle Identity Navigator and Oracle Privileged Account Manager applications. To do this, complete the following tasks:

7.9.1 Redeploying Oracle Identity Navigator Application

Note:

The Oracle Identity Navigator application version number is shown as 11.1.1.3.0, while the actual Oracle Identity Navigator version number is 11.1.2.2.0.

This is not an error. The discrepancy is caused by a difference between how Oracle Identity Navigator and Oracle Identity and Access Management releases are tracked internally.

Upgrading Oracle Identity Navigator redeploys Oracle Identity Navigator using the oinav.ear of the Oracle Identity Navigator 11.1.2.2.0 release. There are two ways to redeploy oinav.ear: using the WebLogic Administration Console, or using the WebLogic Scripting Tool (WLST).

Redeploy Oracle Identity Navigator applications using one of the following ways:

Upgrading oinav Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Identity Navigator through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://admin_server_host:admin_server_port/console

  2. Under Domain Structure, click Deployments.

  3. Select oinav (11.1.1.3.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Upgrading oinav Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Identity Navigator through the WLST console:

On UNIX

  1. Move from your present working directory to the MW_HOME/wlserver_10.3/common/bin directory by running the following command on the command line:

    cd MW_HOME/wlserver_10.3/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

On Windows

  1. Move from your present working directory to the MW_HOME\wlserver_10.3\common\bin directory by running the following command on the command line:

    cd MW_HOME\wlserver_10.3\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

7.9.2 Redeploying Oracle Privileged Account Manager Application

Note:

The OPAM application version number is shown as 11.1.2.0.0, while the actual Oracle Privileged Account Manager version number is 11.1.2.2.0.

This is not an error. The discrepancy is caused by a difference between how OPAM and Oracle Identity and Access Management releases are tracked internally.

Upgrading Oracle Privileged Account Manager redeploys Oracle Privileged Account Manager using the opam.ear of the Oracle Privileged Account Manager 11.1.2.2.0 release. There are two ways to redeploy opam.ear: using the WebLogic Administration Console, or using the WebLogic Scripting Tool (WLST).

Redeploy Oracle Privileged Account Manager applications using one of the following ways:

Upgrading opam Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Privileged Account Manager through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://admin_server_host:admin_server_port/console

  2. Under Domain Structure, click Deployments.

  3. Select opam (11.1.2.0.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Upgrading opam Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Privileged Account Manager through the WLST console:

On UNIX

  1. Move from your present working directory to the MW_HOME/wlserver_10.3/common/bin directory by running the following command on the command line:

    cd MW_HOME/wlserver_10.3/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('opam#11.1.2.0.0')

  5. Exit the WLST console using the exit() command.

On Windows

  1. Move from your present working directory to the MW_HOME\wlserver_10.3\common\bin directory by running the following command on the command line:

    cd MW_HOME\wlserver_10.3\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('opam#11.1.2.0.0')

  5. Exit the WLST console using the exit() command.

7.10 Enabling TDE or Non-TDE Mode in OPAM Data Store

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.2.0, you must enable TDE or non-TDE mode in the Oracle Privileged Account Manager data store.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.2.0, skip this task.

Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. You can choose to either enable or disable TDE mode. Oracle strongly recommends enabling TDE mode for enhanced security. Depending on which mode you wish to enable, complete one of the following tasks:

7.10.1 Configuring TDE Mode in Data Store

To enable TDE mode in Oracle Privileged Account Manager data store, complete the following steps:

  1. Enabling TDE in the Database

  2. Enabling Encryption in OPAM Schema

7.10.1.1 Enabling TDE in the Database

For information about enabling Transparent Data Encryption (TDE) in the database for Oracle Privileged Account Manager, refer to the "Enabling Transparent Data Encryption" topic in Oracle Database Advanced Security Administrator's Guide.

For more information, see "Securing Stored Data Using Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide.

After enabling TDE in the database for Oracle Privileged Account Manager, you must enable encryption in OPAM schema, as described in "Enabling Encryption in OPAM Schema" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

7.10.1.2 Enabling Encryption in OPAM Schema

To enable encryption in the OPAM schema, run the opamxencrypt.sql script with the OPAM schema user, using sqlplus or any other client.

IAM_HOME/opam/sql/opamxencrypt.sql

Example:

sqlplus DEV_OPAM/welcome1 @IAM_HOME/opam/sql/opamxencrypt.sql

7.10.2 Configuring Non-TDE Mode in Data Store

Note:

This step is only necessary if you did not enable TDE as described in Section 7.10.1, "Configuring TDE Mode in Data Store".

While it is not recommended, if non-TDE mode is required by the user, the flag "tdemode" must be set to false. For more information, see "Setting Up Non-TDE Mode" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Caution:

Oracle recommends that you always use Transparent Data Encryption (TDE). Without TDE, your data is not secure.

For more information on switching between the two modes, see "Securing Data On Disk" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

7.11 Importing the Pre-Upgrade Data

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.2.0, you must import the pre-upgrade Oracle Privileged Account Manager data after you upgrade to 11.1.2.2.0.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.2.0, skip this task.

To import the pre-upgrade OPAM data, do the following:

  1. Set the following environment variables:

    ORACLE_HOME: Where Oracle Privileged Account Manager is installed.
    JAVA_HOME: Location of the JDK used for the WebLogic installation.

  2. Navigate to ORACLE_HOME/opam/bin.

  3. Execute the opam.sh script (opam.bat on Windows) with the following parameters:

    ./opam.sh
    -url <OPAM server url> (defaults to https://localhost:18102/opam)
    -u <user name> (the user must have the OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x import -f <import xml file>
    -encpassword <encryption/decryption password> (use -noencrypt true instead if the data was exported without an encryption password)
    -enckeylen <key length for encryption/decryption of password> (defaults to 128)
    -log <log file location> (defaults to opamlog_<timestamp>.txt)

7.12 Clearing Pre-Upgrade OPSS Artifacts

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.2.0, you must clear the pre-upgrade OPSS artifacts after you upgrade to 11.1.2.2.0.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.2.0, skip this task.

To clear the OPSS artifacts of the pre-upgrade instance, do the following:

On UNIX:

$ORACLE_HOME/common/bin/wlst.sh $ORACLE_HOME/opam/config/clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> t3://<adminserver-host>:<adminserver-port>

On Windows:

%ORACLE_HOME%\common\bin\wlst.cmd %ORACLE_HOME%\opam\config\clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> t3://<adminserver-host>:<adminserver-port>

7.13 Optional: Configuring the Oracle Privileged Account Manager 11.1.2.2.0 Session Manager

If you wish to configure the Oracle Privileged Account Manager 11.1.2.2.0 session manager, complete the following steps:

  1. Stop the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Servers.

    For information about stopping the servers, see Section 7.4, "Stopping the Administration Servers and the Managed Server(s)".

  2. Run the WLST script configureSessionManager.py from the location ORACLE_HOME/opam/tools as shown in the following example:

    On UNIX:

    ./wlst.sh ORACLE_HOME/opam/tools/configureSessionManager.py -d <Path_to_WebLogic_Domain_Directory> -o <Path_to_Oracle_Home_Directory>

    On Windows:

    wlst.cmd ORACLE_HOME\opam\tools\configureSessionManager.py -d <Path_to_WebLogic_Domain_Directory> -o <Path_to_Oracle_Home_Directory>

7.14 Optional: Configuring Oracle Identity Navigator Application on OPAM Managed Server

If you wish to configure Oracle Identity Navigator on the Oracle Privileged Account Manager Managed Server, complete the following steps:

  1. Stop the servers.

  2. Move from your present working directory to the <IAM_HOME>/common/bin directory by running the following command on the command line:

    cd <IAM_HOME>/common/bin

  3. Run the following command to launch the Oracle Fusion Middleware configuration wizard:

    On UNIX:

    ./config.sh

    On Windows:

    config.cmd

  4. Select the Extend an existing WebLogic domain option, and select the OPAM domain.

  5. Select Oracle Identity Navigator for Managed Server from the products. Select the Keep existing component option whenever the wizard detects a conflict.

  6. Complete the configuration. Oracle Identity Navigator will run on the Oracle Privileged Account Manager Managed Server after starting the servers.

7.15 Verifying the Oracle Privileged Account Manager Upgrade

Verify the Oracle Privileged Account Manager upgrade by doing the following:

  1. Log in to the Oracle Privileged Account Manager 11.1.2.2.0 console using the following URL:

    http://adminserver_host:adminserver_port/oinav/opam

    If you have configured Oracle Identity Navigator on the Oracle Privileged Account Manager Managed Server, you can also use the following URL to log in to the Oracle Privileged Account Manager 11.1.2.2.0 console:

    http://opamserver_host:opamserver_nonssl_port/oinav/opam

  2. Verify that the pre-upgrade data (targets, accounts, and grants) is present and working as expected.