18 Upgrading Oracle Access Management Multi-Data Center Environments

This chapter describes how to upgrade Oracle Access Management deployed across multi-data centers (MDC), to 11g Release 2 (11.1.2.3.0).

Note:

To upgrade Oracle Access Management MDC environments to 11.1.2.3.0, ensure that all of the data centers (DC) are at the same Patch Set level.

When you plan to upgrade to 11.1.2.3.0, you can choose to have zero down time by stopping the data center that needs to be upgraded, and routing all the traffic to the other data centers. Once the upgrade has been completed on one data center, it can start and function as an independent data center. You can then redirect all the traffic to the upgraded data center, provided all of the non-upgraded data centers are removed from the load balancer (LBR). The remaining data centers can participate in MDC only after each of them has been upgraded to the level of the first data center.

18.1 Understanding Oracle Access Management Multi-Data Center Topology

Figure 18-1 illustrates the Oracle Access Management multi-data center topology.

Figure 18-1 Oracle Access Management in MDC Setup

This is a sample topology that illustrates Oracle Access Management in a multi-data center setup. This figure shows a Master data center and a Clone data center, each of them including a full Access Manager installation. In this topology, GTM refers to the global load balancer, LTM refers to the local load balancer, and WG refers to the WebGate. The S2S OAP is the Oracle Access Protocol.

The procedure in this chapter describes how to upgrade Oracle Access Management in an MDC setup similar to Figure 18-1.

18.2 Upgrade Roadmap

Table 18-1 lists the steps to upgrade Oracle Access Management deployed across multi-data centers, to 11.1.2.3.0.

Table 18-1 Upgrade Roadmap

| Task No | Task | For More Information |
|---|---|---|
| 1 | Review the Oracle Access Management multi-data center topology. | See Understanding Oracle Access Management Multi-Data Center Topology |
| 2 | Back up your existing environment. | See Backing Up the Existing Environment |
| 3 | Enable write permission to Master and Clone data centers, if not already done. | See Enabling Write Permission to Master and Clones (if Necessary) |
| 4 | Disable and delete all replication agreements between Master and Clone data centers. | See Disabling and Deleting All Replication Agreements Between Master and Clone |
| 5 | Redirect the traffic to the Clone data center. | See Redirecting Traffic to Clone Data Center |
| 6 | Upgrade Oracle Access Management on Master data center. | See Upgrading OAM on Master Data Center |
| 7 | Redirect the traffic to the Master data center. | See Redirecting Traffic to Master Data Center |
| 8 | Upgrade Oracle Access Management on Clone data center. | See Upgrading OAM on Clone Data Center |
| 9 | Freeze all changes to the Master and Clones, if required. | See Freezing all Changes to Master and Clones (if Necessary) |
| 10 | Sync the access UDM data by exporting the access store data from Master data center and importing it on the Clone data center. | See Syncing Access Metadata |
| 11 | Create the replication agreement again. | See Creating Replication Agreement |
| 12 | Bring up the Master and Clone data centers online. | See Bringing up the Master and Clone Data Centers Online |


18.3 Backing Up the Existing Environment

After stopping all the servers, you must back up the following on every data center before proceeding with the upgrade process:

  • MW_HOME directory (Middleware home directory), including the Oracle Home directories inside Middleware home.

  • Oracle Access Management Domain Home directory on all OAM hosts.

  • Following Database schemas:

    • Oracle Access Manager schema

    • Audit and any other dependent schema

    For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.

18.4 Enabling Write Permission to Master and Clones (if Necessary)

Before you start the upgrade, you must enable modifications to the system and policy configurations on both Master and Clones. To do this, run the following command on Master and Clone data centers:

setMultiDataCenterWrite(WriteEnableFlag="true")

18.5 Disabling and Deleting All Replication Agreements Between Master and Clone

Disable all replication agreements between Master and Clone by running the following command:

PUT http://oam1.example.com/oam/services/rest/_replication/201312040602298762 HTTP/1.1
Content-Type: application/json

{"enabled":"false","pollInterval":"60","replicaType":"clone"}

After you disable the replication agreements, delete them by running the following command:

DELETE http://oam1.example.com/oam/services/rest/_replication/201312040602298762 HTTP/1.1

18.6 Redirecting Traffic to Clone Data Center

An in-line upgrade procedure, which requires downtime, is used to upgrade the Master data center. Therefore, all traffic must be rerouted to the Clone data centers (also referred to as the backup data centers or the secondary data centers). Consult your network infrastructure team or refer to the network infrastructure documentation to accomplish the traffic re-routing.

18.7 Upgrading OAM on Master Data Center

Upgrade Oracle Access Management on the Master data center by following the instructions described in Chapter 17, "Upgrading Oracle Access Management Highly Available Environments".

18.8 Redirecting Traffic to Master Data Center

An in-line upgrade procedure, which requires downtime, is used to upgrade the Clone data center. Therefore, all traffic must be rerouted to the Master data center. Consult your network infrastructure team or refer to the network infrastructure documentation to accomplish the traffic re-routing.

18.9 Upgrading OAM on Clone Data Center

Upgrade Oracle Access Management on the Clone data center(s) by following the instructions described in Chapter 17, "Upgrading Oracle Access Management Highly Available Environments".

18.10 Freezing all Changes to Master and Clones (if Necessary)

After you upgrade Oracle Access Management on all of the Clone data center(s), it is recommended that you freeze the changes to the Master and the Clone data center(s). This is to avoid any inadvertent writes. To do this, run the following command on the Master and the Clone data center(s):

setMultiDataCenterWrite(WriteEnableFlag="false")

18.11 Syncing Access Metadata

This step is required so that the OAM metadata stored in the Unified Data Model (UDM) is synced from Master to Clone. Use the WLST commands exportAccessStore and importAccessStore to do this. Run these commands after you upgrade all of the data centers and before you create the new replication agreement. They export the UDM artifacts created up to that point from the Master data center and import them into the Clone data center(s).

To sync the UDM metadata, complete the following steps:

  1. Run the following WLST command on the Master data center to create a ZIP file containing the UDM metadata:

    exportAccessStore(toFile="/master/location/dc1metadata.zip", namePath="/")

  2. Copy dc1metadata.zip to each of the upgraded Clone data centers.

  3. Run the following WLST command on each of the Clone data centers to import the UDM metadata:

    importAccessStore(fromFile="/clone/location/dc1metadata.zip", namePath="/")

18.12 Creating Replication Agreement

Create the replication agreement again by running the following command:

Note:

Ensure that the REST endpoints of the Master and Clone data centers are up and running before you run this command.

curl -u <repluser> -H 'Content-Type: application/json' -X POST 'https://supplier.example.com/oam/services/rest/_replication/setup' -d '{"name":"DC12DC2", "source":"DC1","target":"DC2","documentType":"ENTITY"}'

For more information about creating the replication agreement, see "Creating the Replication Agreement" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

18.13 Bringing up the Master and Clone Data Centers Online

After successful upgrade, both Master and Clone data centers can be brought up online. Traffic can be routed to both data centers based on existing routing rules. Consult your network infrastructure team or refer to the network infrastructure documentation to accomplish the traffic re-routing.

18.14 Troubleshooting

This section describes troubleshooting methods for some of the common problems that might occur during the upgrade process.

Note:

For information about the issues that you might encounter during the upgrade process, and their workaround, see Oracle Fusion Middleware Release Notes.

This section contains the following topic:

18.14.1 Multi-Data Centre Feature Not Working After Upgrade

If you had enabled the Multi-Data Centre (MDC) feature in your 11.1.2.x.x setup, you must re-register the MDC partners and enable the MDC functionality that is added in 11.1.2.3.0. To do this, complete the following steps post-upgrade:

  1. In each Data Centre (DC), remove the MDC partners by running the following WebLogic Scripting Tool (WLST) command:

    removePartnerForMultiDataCentre("<cluster_ID>")

    For example:

    removePartnerForMultiDataCentre("cluster1")

    You must run this command for each of the MDC partners. For more information about using the removePartnerForMultiDataCentre() command, see "removePartnerForMultiDataCentre" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  2. In 11.1.2.3.0, failover for the MDC partners is supported. Therefore, you must specify the primary and secondary servers for each of the MDC partners using the Access Manager console. To do this, complete the following steps:

    1. Log in to the Access Manager 11.1.2.3.0 console using the following URL:

      http://oam_admin_server_host:oam_admin_server_port/oamconsole

    2. Navigate to SSO Agents.

    3. Modify the Primary Server and Secondary Server for each of the MDC partners.

  3. Add the modified MDC partners to the respective Data Centres using the following command:

    addPartnerForMultiDataCentre(propfile="../MDC_properties/partnerInfo.properties")

    While running this command, make sure you use the updated partnerInfo.properties file. You must run this command for each of the MDC partners. For more information about using the addPartnerForMultiDataCentre() command, see "addPartnerForMultiDataCentre" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

  4. Verify that the MultiDataCenterPartners section in each of the MDC partner profiles contains the following settings instead of the Hostname and Port:

    <Setting Name="PrimaryHostPort" Type="xsd:string">
    <Setting Name="SecondaryHostPort" Type="xsd:string">
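
The check in step 4 can be scripted against a copy of the configuration that holds the partner profiles. The following is an added example, not part of the Oracle documentation or product: the function names, the sample XML, the nesting of one map per partner under MultiDataCenterPartners, and the host:port value format are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("PrimaryHostPort", "SecondaryHostPort")  # settings named in step 4
LEGACY = ("Hostname", "Port")                        # settings they replace

# Constructed sample, not a real profile. Assumptions: one map per partner
# nested under MultiDataCenterPartners, and values written as host:port.
SAMPLE_CONFIG = """<Configuration>
  <Setting Name="MultiDataCenterPartners" Type="htf:map">
    <Setting Name="cluster1" Type="htf:map">
      <Setting Name="PrimaryHostPort" Type="xsd:string">oam1.example.com:5575</Setting>
      <Setting Name="SecondaryHostPort" Type="xsd:string">oam2.example.com:5575</Setting>
    </Setting>
    <Setting Name="cluster2" Type="htf:map">
      <Setting Name="Hostname" Type="xsd:string">oam3.example.com</Setting>
      <Setting Name="Port" Type="xsd:string">5575</Setting>
    </Setting>
  </Setting>
</Configuration>"""


def _local(tag):
    """Tag name without any {namespace} prefix ElementTree adds."""
    return tag.rsplit("}", 1)[-1]


def _settings(elem):
    """Direct child <Setting> elements keyed by their Name attribute."""
    return {c.get("Name"): c for c in elem if _local(c.tag) == "Setting"}


def check_mdc_partners(xml_text):
    """Return {partner: [problems]}; an empty list means the partner passes."""
    report = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "Setting" or elem.get("Name") != "MultiDataCenterPartners":
            continue
        for partner, node in _settings(elem).items():
            found, problems = _settings(node), []
            for name in REQUIRED:
                if name not in found:
                    problems.append("missing " + name)
                    continue
                host, _, port = (found[name].text or "").strip().rpartition(":")
                if not host or not port.isdigit():
                    problems.append(name + " is not host:port")
            problems += ["legacy " + n + " still present" for n in LEGACY if n in found]
            report[partner] = problems
    return report


if __name__ == "__main__":
    for partner, problems in check_mdc_partners(SAMPLE_CONFIG).items():
        print(partner, "OK" if not problems else "; ".join(problems))
```

An empty report means no MultiDataCenterPartners section was found at all, which should be treated as a failed check rather than a pass.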