3 Migrating Oracle Adaptive Access Manager 10g Environments

This chapter describes how to migrate your existing Oracle Adaptive Access Manager (OAAM) 10g environment to Oracle Adaptive Access Manager 11g Release 2 (11.1.2.2.0).

3.1 Migration Overview

The process for migrating OAAM 10g to OAAM 11.1.2.2.0 involves installing Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0), configuring OAAM 11.1.2.2.0, upgrading OAAM 10g schemas, configuring the database security store, and upgrading the Oracle Adaptive Access Manager middle tier.

For more information about other migration scenarios, see Section 1.2, "Migration and Coexistence Scenarios".

3.2 Topology Comparison

Figure 3-1 compares the topologies of OAAM 10g and OAAM 11.1.2.2.0.

Figure 3-1 Comparison of OAAM 10g and OAAM 11g Topologies


3.3 Migration Roadmap

Table 3-1 provides the migration roadmap.

Table 3-1 Task Roadmap

| Task No | Task | For More Information |
|---|---|---|
| 1 | Complete the prerequisites. | See Prerequisites for Migration |
| 2 | Install Oracle Identity and Access Management 11.1.2.2.0. | See Installing Oracle Identity and Access Management 11.1.2.2.0 |
| 3 | Create Oracle Platform Security Services (OPSS) schema, and Metadata Services (MDS) schema using Repository Creation Utility (RCU). | See Creating Oracle Platform Security Services Schema |
| 4 | Upgrade the OAAM 10g schema using the Upgrade Assistant. | See Upgrading OAAM 10g Schema |
| 5 | Configure OAAM 11.1.2.2.0 in a new or existing domain. | See Configuring OAAM 11.1.2.2.0 in a New or Existing Oracle WebLogic Domain |
| 6 | Configure the database security store by running the configuresecuritystore.py script. | See Configuring Database Security Store |
| 7 | Configure the Node Manager. | See Configuring Node Manager |
| 8 | Start the WebLogic Administration Server. | See Starting WebLogic Administration Server |
| 9 | Stop the OAAM Managed Servers (OAAM Admin Server, OAAM Server, and OAAM Offline Server). | See Stopping OAAM Managed Servers |
| 10 | Upgrade the OAAM middle tier using Upgrade Assistant. | See Upgrading OAAM Middle Tier Using Upgrade Assistant |
| 11 | Start the OAAM Managed Servers (OAAM Admin Server, OAAM Server, and OAAM Offline Server). | See Starting OAAM Managed Servers |
| 12 | Verify the migration. | See Verifying the Migration |


3.4 Prerequisites for Migration

You must complete the following prerequisites for migrating Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11.1.2.2.0:

  1. Read the system requirements and certification documents to ensure that your environment meets the minimum requirements for the products you are installing.

    • Oracle Fusion Middleware System Requirements and Specifications

      This document contains information related to hardware and software requirements, minimum disk space and memory requirements, and required system libraries, packages, or patches.

    • Oracle Fusion Middleware Supported System Configurations

      This document contains information related to supported installation types, platforms, operating systems, databases, JDKs, and third-party products.

    • For interoperability and compatibility issues that may arise when installing, refer to Oracle Fusion Middleware Interoperability and Compatibility Guide.

      This document contains important information regarding the ability of Oracle Fusion Middleware products to function with previous versions of other Oracle Fusion Middleware, Oracle, or third-party products. This information is applicable to both new Oracle Fusion Middleware users and existing users who are upgrading their existing environment.

    Note:

    For information about Oracle Fusion Middleware concepts and directory structure, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.

  2. Verify that the Oracle Adaptive Access Manager 10g version that you are using is supported for migration. For information about supported starting points for Oracle Adaptive Access Manager 10g migration, see Section 1.4.2, "Supported Starting Points for Oracle Adaptive Access Manager 10g Migration".

  3. If you wish to upgrade oaam_offline server 10g to 11.1.2.2.0 and if you have scheduled load jobs that load from oaam_server 10g schema, then you must upgrade oaam_server before you can start oaam_offline server (as described in Section 3.14, "Starting OAAM Managed Servers"). If you cannot upgrade oaam_server schema, then you must run the following SQL statement to create the view in the oaam_server schema:

    create or replace view oaam_load_data_view as 
    select l.create_time LOGIN_TIMESTAMP, l.request_id SESSION_ID, 
    l.user_id USER_ID, l.user_login_id LOGIN_ID, l.node_id DEVICE_ID, 
    l.user_group_id GROUP_ID, l.remote_ip_addr IP_ADDRESS, 
    l.auth_status AUTH_STATUS, l.auth_client_type_code CLIENT_TYPE, 
    (SELECT t1.data_value FROM v_fprints t1 
    WHERE t1.fprint_id=l.fprint_id) USER_AGENT, 
    (SELECT t2.data_value FROM v_fprints t2 
    WHERE t2.fprint_id=l.digital_fp_id) FLASH_FINGERPRINT, 
    l.sent_dig_sig_cookie DIGITAL_COOKIE, 
    l.expected_dig_sig_cookie EXP_DIGITAL_COOKIE, 
    l.sent_secure_cookie SECURE_COOKIE, 
    l.expected_secure_cookie EXP_SECURE_COOKIE 
    from vcrypt_tracker_usernode_logs l;
    

    Note:

    You can run the following SQL statement to list all the OAAM schemas in a database with their version numbers:

    SELECT OWNER, VERSION FROM SCHEMA_VERSION_REGISTRY WHERE COMP_ID = 'OAAM';

    You can skip this pre-upgrade task if you wish to upgrade oaam_offline, oaam_admin, and oaam_server at the same time.

3.5 Installing Oracle Identity and Access Management 11.1.2.2.0

As part of the migration process, you must install Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0).

For information about installing Oracle Identity and Access Management 11.1.2.2.0, see "Installing Oracle Identity and Access Management (11.1.2.2.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

3.6 Creating Oracle Platform Security Services Schema

Create the following schemas by running the Repository Creation Utility (RCU) 11.1.2.2.0. IAU (Audit Schema) is optional.

  • Oracle Platform Security Services (OPSS) - (mandatory)

  • Metadata Services (MDS) - (mandatory)

  • IAU (Audit Schema) - (optional)

For more information about creating schemas, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

3.7 Upgrading OAAM 10g Schema

You must upgrade the OAAM 10g schema to 11.1.2.2.0 by running the Upgrade Assistant. To do this, complete the following steps:

  1. Run the following command from the location ORACLE_HOME/bin to start the Upgrade Assistant:

    On UNIX: ./ua

    On Windows: ua.bat

  2. The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed. Click Next.

  3. The Specify Operation screen is displayed. Select Upgrade Oracle Adaptive Access Manager Schema, and click Next.

  4. The Prerequisites screen is displayed. Select Database Schema backup completed and Database version is certified by Oracle for Fusion Middleware upgrade, and click Next.

    Note:

    Ensure that you have backed up database schemas before selecting Database Schema backup completed on the Prerequisites screen. Also, ensure that the database that you are using is supported for Oracle Adaptive Access Manager 11.1.2.2.0, before selecting the Database version is certified by Oracle for Fusion Middleware upgrade on the Prerequisites screen.

  5. The Specify OAAM Source Database screen is displayed. Enter the following information:

    • Database Type: Select the database type from the drop-down list.

    • Connect String: Enter the connect string for the database in the format:

      host:port:sid

    • OAAM Schema User: Enter the Oracle Adaptive Access Manager 10g schema user name.

    • DBA User: Enter the DBA user name for your database.

    • DBA Password: Enter the password of the DBA user.

    Click Next.

  6. The Examining Components screen is displayed.

    Upgrade Assistant examines the components and checks that the source and target schemas contain the expected columns.

    The Status column displays succeeded if the action is successful. If the Status displays failed, check the log file ua.log for details. To view the log files, click the link at the bottom of the screen.

    Click Next if the Status shows succeeded.

  7. The Upgrade Summary screen is displayed. Click Upgrade.

  8. The Upgrade Progress screen is displayed. This screen provides the following information:

    • Status of the upgrade

    • Any errors or problems that occur during the upgrade

    Click Next.

  9. The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete.

  10. Click Close.

3.8 Configuring OAAM 11.1.2.2.0 in a New or Existing Oracle WebLogic Domain

After you install the software, you must configure Oracle Adaptive Access Manager 11.1.2.2.0. You can configure OAAM either in a new or in an existing domain. For more information, see "Configuring Oracle Adaptive Access Manager" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

Ensure that you specify the Oracle Adaptive Access Manager 10g database details in the screen where it prompts you to enter the Oracle Adaptive Access Manager 11g database details. You must enter the 10g credentials because there is no separate 11g database. It checks the database for a few system tables, which are not present in Oracle Adaptive Access Manager 10g database.

3.9 Configuring Database Security Store

After you configure OAAM 11.1.2.2.0 in a domain, you must run the configuresecuritystore.py script to configure the Database Security Store. For more information, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

If you have already run the configuresecuritystore.py script as part of the OAAM 11.1.2.2.0 configuration in Section 3.8, "Configuring OAAM 11.1.2.2.0 in a New or Existing Oracle WebLogic Domain", ignore this task.

3.10 Configuring Node Manager

If you wish to start and stop the Managed Servers through the WebLogic Administration console, you must configure the Node Manager, and start it. For information about configuring Node Manager, see "Configuring Node Manager to Start Managed Servers" in the Oracle Fusion Middleware Administrator's Guide.

3.11 Starting WebLogic Administration Server

To start the WebLogic Administration Server, follow the instructions described in Appendix A, "Starting the WebLogic Administration Server".

3.12 Stopping OAAM Managed Servers

If you have started the OAAM Admin Server, OAAM Offline Server (if present), and OAAM Server, you must stop all of them before you can upgrade the OAAM middle tier.

For more information about stopping Managed Server(s), see Appendix A, "Stopping the Managed Server(s)".

Note:

If you have more than one OAAM Server, you must stop all of them.

3.13 Upgrading OAAM Middle Tier Using Upgrade Assistant

You must upgrade the OAAM 10g middle tier using Upgrade Assistant. To do this, complete the following steps:

  1. If you have started the Oracle Adaptive Access Manager Managed Servers, they auto-generate symmetric keys required for encryption or decryption. You must delete the keys before performing middle tier upgrade. To do so, complete the following steps:

    1. Log in to Oracle Enterprise Manager using the URL:

      host:port/em

    2. Expand the WebLogic Domain on the left pane, and select the OAAM domain.

      The OAAM domain page is displayed.

    3. From the OAAM Domain, select Security, and then Credentials.

      The Credentials page is displayed.

    4. Expand oaam and delete the entries related to symmetric keys.

  2. Launch Upgrade Assistant by doing the following:

    On UNIX:

    1. Move from your present working directory to the MW_HOME/IAM_HOME/bin directory using the following command:

      cd MW_HOME/IAM_HOME/bin
      
    2. Run the following command:

      ./ua
      

    On Windows:

    1. Move from your present working directory to the MW_HOME\IAM_HOME\bin directory using the following command on the command line:

      cd MW_HOME\IAM_HOME\bin
      
    2. Run the following command:

      ua.bat
      

    The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed.

  3. Click Next.

    The Specify Operation screen is displayed.

  4. Select Upgrade Oracle Adaptive Access Manager Middle Tier.

    The options available in Upgrade Assistant are specific to the Oracle home from which it started. When you start Upgrade Assistant from an Oracle Application Server Identity Management Oracle home, the options shown on the Specify Operation screen are the valid options for an Oracle Application Server Identity Management Oracle home.

  5. Click Next.

    The Specify Source Details screen is displayed.

  6. Enter the following information:

    • Click Browse and enter the directory location for Oracle Adaptive Access Manager Adaptive Strong Authenticator Web Application 10g (ASA) and Adaptive Risk Manager Web Application 10g (ARM) applications.

    • Database Type: Select the database type from the drop-down list.

    • Connect String: Enter the name of the server where your database is running. Use one of the following formats for Oracle Database:

      //host:port/service or host:port:sid

    • Schema User Name: Enter the user name for the OAAM schema.

    • Schema Password: Enter the password for the OAAM schema.

  7. Click Next.

    The Specify WebLogic Server screen is displayed.

  8. Enter the following information about your Oracle WebLogic Server domain:

    • Host: The host name of the machine where WebLogic Administration Server is running.

    • Port: The listening port of the Administration Server. The default Administration Server port is 7001.

    • Username: The user name that is used to log in to the Administration Server. This is the same username you use to log in to the Administration Console for the domain.

    • Password: The password for the administrator account that is used to log in to the Administration Server. This is the same password you use to log in to the Administration Console for the domain.

    Click Next.

    The Specify Upgrade Options screen is displayed.

  9. Select Start destination components after successful upgrade, and click Next.

    The Examining Components screen is displayed.

    Note:

    Ensure that Node Manager is running, before you select Start destination components after successful upgrade.

  10. Click Next.

    The Upgrade Summary screen is displayed.

  11. Click Upgrade.

    The Upgrade Progress screen is displayed. This screen provides the following information:

    • The status of the upgrade

    • Any errors or problems that occur during the upgrade

  12. Click Next.

    The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete.

  13. Click Close.
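
The Connect String fields in Section 3.7 (step 5) and in step 6 above accept `host:port:sid`, and step 6 also accepts `//host:port/service`. The following added example, which is not part of the Oracle documentation or of Upgrade Assistant, parses both forms, rejects anything else, and builds the matching Oracle JDBC thin URL so the value can be tested before it is entered. The function names, the permitted host and SID characters, and the sample values are assumptions made for illustration.

```python
import re

# The two connect string formats listed on this page.
# Allowed host/SID/service characters are an assumption; IPv6 hosts are not handled.
_SID_FORM = re.compile(
    r"^(?P<host>[A-Za-z0-9._-]+):(?P<port>\d{1,5}):(?P<sid>[A-Za-z0-9_$#]+)$")
_SERVICE_FORM = re.compile(
    r"^//(?P<host>[A-Za-z0-9._-]+):(?P<port>\d{1,5})/(?P<service>[A-Za-z0-9_.$#-]+)$")


def parse_connect_string(value, allow_service=True):
    """Return a dict describing the connect string, or raise ValueError.

    allow_service=False models the schema upgrade screen (Section 3.7),
    where the page lists only host:port:sid.
    """
    text = value.strip()
    kind, match = "sid", _SID_FORM.match(text)
    if match is None and allow_service:
        kind, match = "service", _SERVICE_FORM.match(text)
    if match is None:
        raise ValueError("not an accepted connect string format: %r" % value)
    port = int(match.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return {"kind": kind, "host": match.group("host"), "port": port,
            "name": match.group(kind)}


def to_jdbc_thin_url(parsed):
    """Build the equivalent Oracle JDBC thin URL for a pre-flight connection test."""
    if parsed["kind"] == "sid":
        return "jdbc:oracle:thin:@%(host)s:%(port)d:%(name)s" % parsed
    return "jdbc:oracle:thin:@//%(host)s:%(port)d/%(name)s" % parsed


if __name__ == "__main__":
    # Constructed sample values, not taken from any real environment.
    for sample in ("dbhost.example.com:1521:orcl",
                   "//dbhost.example.com:1521/oaam.example.com",
                   "dbhost.example.com/orcl"):
        try:
            print(sample, "->", to_jdbc_thin_url(parse_connect_string(sample)))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```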

3.14 Starting OAAM Managed Servers

After you upgrade the OAAM middle tier, you must start the OAAM Managed Servers in the following order:

  1. OAAM Admin Server

  2. OAAM Offline Server, if you have configured OAAM Offline Server

  3. OAAM Server

For more information about starting Managed Server(s), see Appendix A, "Starting the Managed Server(s)".

Note:

Make sure that the OAAM Admin Server is running before you start the OAAM Server.

3.15 Verifying the Migration

To verify that the OAAM 10g migration was successful, do the following:

  1. Log in to the administration console of Oracle Adaptive Access Manager 11.1.2.2.0, using the administration server username and password, and verify whether the OAAM 10g artifacts are migrated to OAAM 11g. Use the following URL to log in to the OAAM Admin Server:

    http://host:port/oaam_admin
    

    where

    host is the machine on which OAAM Admin Server is running

    port is the port number of the OAAM Admin Server

  2. Create a user, and assign the Investigator role. Log in to the OAAM Admin Server with this user, and verify that you see the Investigator UI successfully.

    For more information about creating OAAM users, see "Creating OAAM Users" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.