13 Upgrading Oracle Adaptive Access Manager 11g Release 1 (11.1.1.x.x) Environments

This chapter describes how to upgrade your existing Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments to Oracle Adaptive Access Manager 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.

Note:

If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).

For information about the automated upgrade procedure, supported starting points and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".

Note:

This chapter refers to Oracle Adaptive Access Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments as 11.1.1.x.x.

This chapter includes the following sections:

13.1 Upgrade Roadmap for Oracle Adaptive Access Manager

Note:

If you do not follow the exact sequence provided in this task table, your Oracle Adaptive Access Manager upgrade may not be successful.

Table 13-1 lists the steps to upgrade Oracle Adaptive Access Manager.

Table 13-1 Upgrade Flow

| No. | Task | For More Information |
|---|---|---|
| 1 | Complete the prerequisites before you begin with the upgrade process. | See Performing the Required Pre-Upgrade Tasks |
| 2 | Shut down all servers. This includes both Administration Server and Managed Servers. | See Shutting Down Administration Server and Managed Servers |
| 3 | Back up your environment. | See Backing Up Oracle Adaptive Access Manager 11g Release 1 (11.1.1.x.x) |
| 4 | Optional - Upgrade Oracle WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6. | See Optional: Upgrading Oracle WebLogic Server |
| 5 | Upgrade Oracle Adaptive Access Manager binaries to 11.1.2.3.0. | See Upgrading Oracle Adaptive Access Manager Binaries to 11g Release 2 (11.1.2.3.0) |
| 6 | Upgrade the OAAM, MDS, IAU, and OPSS Schemas using Patch Set Assistant. | See Upgrading OAAM, MDS, IAU, and OPSS Schemas |
| 7 | Extend your Oracle Adaptive Access Manager 11.1.1.x.x domain with the OPSS template. | See Extending Oracle Adaptive Access Manager 11.1.1.x.x Component Domains with OPSS Template |
| 8 | Upgrade Oracle Platform Security Services, if required. | See Upgrading Oracle Platform Security Services |
| 9 | Run the configuresecuritystore.py script to configure policy stores. | See Configuring OPSS Security Store |
| 10 | Start the Administration and Managed Servers. | See Starting the Administration Server and Oracle Adaptive Access Manager Managed Servers |
| 11 | Redeploy the applications on Oracle Adaptive Access Manager 11.1.2.3.0 Servers. | See Redeploying the Applications |
| 12 | Delete the tmp and stage folders. | See Deleting Folders |
| 13 | Restart the servers. | See Restarting the Servers |
| 14 | Verify the Oracle Adaptive Access Manager upgrade. | See Verifying the Upgrade |


13.2 Performing the Required Pre-Upgrade Tasks

Before you begin with the upgrade, you must complete the following prerequisites:

13.3 Shutting Down Administration Server and Managed Servers

The upgrade process involves changes to the binaries and to the schema. Therefore, before you begin the upgrade process, you must shut down the WebLogic Administration Server and the Oracle Adaptive Access Manager Managed Servers.

For more information about stopping the WebLogic Administration Server and the Managed Servers, see Section 24.1.9, "Stopping the Servers".

13.4 Backing Up Oracle Adaptive Access Manager 11g Release 1 (11.1.1.x.x)

You must back up your Oracle Adaptive Access Manager 11.1.1.x.x environment before you upgrade to Oracle Adaptive Access Manager 11.1.2.3.0.

After stopping the servers, you must back up the following:

  • MW_HOME directory, including the Oracle Home directories inside Middleware Home

  • Domain Home directory

  • Oracle Adaptive Access Manager schemas

  • IAU schema, if it is part of any of your Oracle Adaptive Access Manager 11.1.1.x.x schemas

  • MDS schemas

13.5 Optional: Upgrading Oracle WebLogic Server

Oracle Identity and Access Management 11.1.2.3.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Adaptive Access Manager environment is using Oracle WebLogic Server 10.3.5 or any earlier version, you must upgrade it to Oracle WebLogic Server 10.3.6.

Note:

If you are already using Oracle WebLogic Server 10.3.6, ensure that you apply the mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6.

To identify the required patches that you must apply for Oracle WebLogic Server 10.3.6, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.

The patches listed in the release notes are available from My Oracle Support. The patching instructions are mentioned in the README.txt file that is provided with each patch.

For information about upgrading Oracle WebLogic Server to 10.3.6, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".

13.6 Upgrading Oracle Adaptive Access Manager Binaries to 11g Release 2 (11.1.2.3.0)

To upgrade Oracle Adaptive Access Manager, you must use the Oracle Identity and Access Management 11.1.2.3.0 Installer. During the procedure, point the Middleware Home to your existing 11.1.1.x.x Middleware Home. Your Oracle Home is upgraded from 11.1.1.x.x to 11.1.2.3.0.

For information about upgrading Oracle Adaptive Access Manager 11g Release 1 (11.1.1.x.x), see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".

13.7 Upgrading OAAM, MDS, IAU, and OPSS Schemas

You must upgrade the following schemas using Patch Set Assistant:

  • OAAM schema

  • MDS schema

  • OPSS schema

    Note:

    If the OPSS schema is not part of the source, a new OPSS schema must be created first, using 11.1.1.9.0 RCU, and only then can it be upgraded. You must create the Oracle Platform Security Services (OPSS) schema because the Oracle Adaptive Access Manager upgrade process involves OPSS schema policy store changes. Keys, roles, permissions, and other artifacts used by the applications must migrate to the policy store.

    Run the Repository Creation Utility (RCU) to create the OPSS schema. For more information, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  • IAU schema (You must upgrade the Audit schema (IAU) only if it is part of your 11.1.1.x.x schemas.)

    Note:

    When upgrading schemas using Patch Set Assistant, you must select OAAM or OAAM_PARTN as appropriate, and provide details on all screens to complete the upgrade.

    For information about upgrading schemas using Patch Set Assistant, see Section 24.1.4, "Upgrading Schemas Using Patch Set Assistant".

13.8 Extending Oracle Adaptive Access Manager 11.1.1.x.x Component Domains with OPSS Template

Oracle Adaptive Access Manager 11.1.2.3.0 uses the database to store policies. This requires extending the 11.1.1.x.x Oracle Adaptive Access Manager domain to include the OPSS data source.

To do so, complete the following steps:

  1. Run the following command to launch the Oracle Fusion Middleware configuration wizard:

    On UNIX:

    ./config.sh

    It is located in the <MW_HOME>/<Oracle_IDM1>/common/bin directory.

    On Windows:

    config.cmd

    It is located in the <MW_HOME>\<Oracle_IDM1>\common\bin directory.

  2. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.

  3. On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured the components. Click Next. The Select Extension Source screen is displayed.

  4. On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next.

  5. The Configure JDBC Data Sources screen is displayed. Configure the opssDS data source, as required. After the test succeeds, the Configure JDBC Component Schema screen is displayed.

  6. On the Configure JDBC Component Schema screen, select the Oracle Platform Security Services schema.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.

    The Test JDBC Component Schema screen is displayed. After the test succeeds, the Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything, because these are already configured in your Oracle Identity and Access Management 11.1.1.x.x environment. Click Next.

  8. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

Your existing Oracle Adaptive Access Manager domain is extended to support Oracle Platform Security Services (OPSS).

13.9 Upgrading Oracle Platform Security Services

Note:

The upgrade steps need to be performed only if OPSS has already been configured.

After you upgrade schemas, you must upgrade Oracle Platform Security Services (OPSS).

Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Adaptive Access Manager to 11.1.2.3.0. It upgrades the jps-config.xml file and policy stores.

For information about upgrading Oracle Platform Security Services, see Section 24.1.7, "Upgrading Oracle Platform Security Services".

13.10 Configuring OPSS Security Store

Note:

You need to configure OPSS Security Store only if it was not configured during the previous installation. If it has already been configured, perform the steps to upgrade OPSS. For more information, see Section 13.9, "Upgrading Oracle Platform Security Services".

You must configure the database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).

For more information on configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

13.11 Starting the Administration Server and Oracle Adaptive Access Manager Managed Servers

Note:

When you start the Administration Server and the Managed Servers, the Adaptive Access Manager Administration console application and the Access Manager Managed server application may start with a number of errors and exceptions. This is expected and can be ignored. These issues are resolved by the subsequent redeployment process.

The redeploy command is an online WLST command. Therefore, you must start the Oracle Adaptive Access Manager Administration and Managed Servers before running the redeploy command.

For information about starting the Administration Server and Oracle Adaptive Access Manager Managed servers, see "Starting the Servers".

13.12 Redeploying the Applications

You must redeploy changes to the applications in the domain after upgrading Oracle Adaptive Access Manager to 11.1.2.3.0. Redeploy your 11.1.1.x.x application on the Oracle Adaptive Access Manager 11.1.2.3.0 servers.

You can redeploy the applications using the command line or the WebLogic Administration console. Complete the steps described in one of the following sections to redeploy applications:

Redeploying Applications Using Command Line

To redeploy applications on Oracle Adaptive Access Manager 11.1.2.3.0 servers using command line, do the following:

  1. Run the following command from the location IAM_HOME/common/bin to launch the WebLogic Scripting Tool (WLST):

    On UNIX: ./wlst.sh

    On Windows: wlst.cmd

  2. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

    For example:

    connect('wlsuser','wlspassword','localhost:7001')

  3. Run the following command to undeploy OAAM:

    undeploy('oaam_admin')

    undeploy('oaam_server')

    undeploy('oracle.oaam.extensions')

    Note:

    If you have Oracle Adaptive Access Manager Offline Server in your setup, run the undeploy() command to undeploy 'oaam_offline' too.

    For more information about using the undeploy command, see "undeploy" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

  4. Deploy the oaam.extension library application by running the following command:

    deploy('oracle.oaam.extensions','$IAM_HOME/oaam/oaam_extensions/generic/oracle.oaam.extensions.war','oaam_admin_server1,oaam_server_server1','nostage',libraryModule='true')

    Note:

    If you have Oracle Adaptive Access Manager Offline Server in your setup, add oaam_offline_server1 to the list of targets while deploying oaam.extension library.

    For more information about using the deploy command, see "deploy" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

  5. Deploy the OAAM applications by running the following commands:

    deploy('oaam_admin','$IAM_HOME/oaam/oaam_admin/ear/oaam_admin.ear','oaam_admin_server1','nostage')

    deploy('oaam_server','$IAM_HOME/oaam/oaam_server/ear/oaam_server.ear','oaam_server_server1','nostage')

    The target servers for each deployment are as follows:

    • oaam_admin - Target: oaam_admin_server1

    • oaam_server - Target: oaam_server_server1

    Note:

    If you have Oracle Adaptive Access Manager Offline Server in your setup, deploy 'oaam_offline' to the target 'oaam_offline_server1' by running the deploy() command.

    For more information about using the deploy command, see "deploy" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.

  6. Optional: If you had deployed the OAAM shared library, run the following command to redeploy it:

    redeploy('oracle.oaam.libs')

  7. Exit the WLST console using the exit() command.
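The command-line steps above, gathered into one non-interactive run so that no password appears in the script or in shell history; this is an added example, not Oracle's script. The function name, the output file and the two credential files (assumed to have been created beforehand with the WLST storeUserConfig() command) are assumptions. The real IAM_HOME path is written into the script because WLST does not expand '$IAM_HOME' inside a string, and the offline server and oracle.oaam.libs are not covered.

```shell
#!/bin/sh
# Write a WLST script for the undeploy/deploy sequence described above.
# Function name and file locations are assumptions made for this example.

# write_redeploy_script IAM_HOME ADMIN_URL USER_CONFIG_FILE USER_KEY_FILE OUT_FILE
write_redeploy_script() (
    iam_home=$1 admin_url=$2 cfg=$3 key=$4 out=$5
    nl='
'
    # Each value lands inside a single-quoted WLST string, so refuse empty
    # values, quotes, backslashes and newlines instead of trying to escape them.
    for v in "$iam_home" "$admin_url" "$cfg" "$key"; do
        case $v in
            ''|*\'*|*\\*|*"$nl"*) echo "refused: unsafe value '$v'" >&2; exit 2 ;;
        esac
    done
    umask 077   # the generated script is readable by its owner only
    cat > "$out" <<EOF
# Generated WLST script. Credentials are read from the storeUserConfig() files.
connect(userConfigFile='$cfg', userKeyFile='$key', url='$admin_url')
undeploy('oaam_admin')
undeploy('oaam_server')
undeploy('oracle.oaam.extensions')
# The extensions library is deployed before the two applications.
deploy('oracle.oaam.extensions','$iam_home/oaam/oaam_extensions/generic/oracle.oaam.extensions.war','oaam_admin_server1,oaam_server_server1','nostage',libraryModule='true')
deploy('oaam_admin','$iam_home/oaam/oaam_admin/ear/oaam_admin.ear','oaam_admin_server1','nostage')
deploy('oaam_server','$iam_home/oaam/oaam_server/ear/oaam_server.ear','oaam_server_server1','nostage')
disconnect()
exit()
EOF
)

# Stand-alone use: pass the five arguments, then run the result with wlst.sh.
if [ "$#" -eq 5 ]; then
    write_redeploy_script "$@" && echo "run: $1/common/bin/wlst.sh $5"
fi
```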

Redeploying Applications Using WebLogic Administration Console

To redeploy applications on Oracle Adaptive Access Manager 11.1.2.3.0 servers using WebLogic Administration console, do the following:

  1. Log in to the WebLogic Administration console using the following URL:

    http://admin_host:admin_port/console

  2. Go to the Deployments tab.

  3. Select oaam_admin, oaam_server and oracle.oaam.extensions from Deployments and click Delete.

  4. Deploy the following applications by clicking Install:

    • oracle.oaam.extensions - Target should be oaam_server_server1, oaam_admin_server1.

      Note:

      Ensure that oracle.oaam.extensions is deployed before you deploy other applications.

    • oaam_admin - Target should be oaam_admin_server1.

    • oaam_server - Target should be oaam_server_server1.

13.13 Deleting Folders

To deploy Oracle Adaptive Access Manager 11.1.1.x.x server content and applications in Oracle Adaptive Access Manager 11.1.2.3.0, you must delete all contents of the folders in the following locations:

On UNIX:

Deleting tmp:

<MW_Home>/user_projects/domains/domain_home/servers/<OAAM_ADMIN_SERVER_NAME>/tmp

<MW_Home>/user_projects/domains/domain_home/servers/<OAAM_MANAGED_SERVER_NAME>/tmp

<MW_Home>/user_projects/domains/domain_home/servers/<OAAM_OFFLINE_SERVER_NAME>/tmp

Deleting stage:

<MW_Home>/user_projects/domains/domain_home/servers/<OAAM_ADMIN_SERVER_NAME>/stage

<MW_Home>/user_projects/domains/domain_home/servers/<OAAM_MANAGED_SERVER_NAME>/stage

<MW_Home>/user_projects/domains/domain_home/servers/<OAAM_OFFLINE_SERVER_NAME>/stage

On Windows:

Deleting tmp:

<MW_Home>\user_projects\domains\domain_home\servers\<OAAM_ADMIN_SERVER_NAME>\tmp

<MW_Home>\user_projects\domains\domain_home\servers\<OAAM_MANAGED_SERVER_NAME>\tmp

<MW_Home>\user_projects\domains\domain_home\servers\<OAAM_OFFLINE_SERVER_NAME>\tmp

Deleting stage:

<MW_Home>\user_projects\domains\domain_home\servers\<OAAM_ADMIN_SERVER_NAME>\stage

<MW_Home>\user_projects\domains\domain_home\servers\<OAAM_MANAGED_SERVER_NAME>\stage

<MW_Home>\user_projects\domains\domain_home\servers\<OAAM_OFFLINE_SERVER_NAME>\stage
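For the UNIX locations listed above, a guarded way to empty the tmp and stage folders; this is an added example, not part of the Oracle procedure. The function name is an assumption, and the domain home and server names are supplied by the operator. The checks exist because an unset variable in a hand-typed recursive delete resolves to a path outside the domain.

```shell
#!/bin/sh
# Empty the tmp and stage folders of the named servers in one WebLogic domain.
# The function name is an assumption made for this example.

# clear_oaam_caches DOMAIN_HOME SERVER_NAME...
clear_oaam_caches() (
    domain_home=$1
    [ "$#" -gt 0 ] && shift
    # Refuse an empty or relative domain path before building any delete path.
    case $domain_home in
        /*) ;;
        *) echo "refused: domain home must be an absolute path" >&2; exit 2 ;;
    esac
    # A WebLogic domain keeps its configuration in config/config.xml.
    [ -f "$domain_home/config/config.xml" ] || {
        echo "refused: $domain_home is not a WebLogic domain" >&2; exit 2; }
    [ "$#" -gt 0 ] || { echo "refused: no server names given" >&2; exit 2; }

    for server in "$@"; do
        # A server name is a single path component, never a path.
        case $server in
            ''|.|..|*/*) echo "refused: bad server name '$server'" >&2; exit 2 ;;
        esac
        for sub in tmp stage; do
            dir=$domain_home/servers/$server/$sub
            if [ -L "$dir" ]; then
                echo "refused: $dir is a symbolic link" >&2; exit 2
            fi
            if [ -d "$dir" ]; then
                # Delete the contents only; the folder itself stays in place.
                # find does not follow symbolic links found inside the folder.
                find "$dir" -mindepth 1 -delete
                echo "emptied $dir"
            else
                echo "absent  $dir"
            fi
        done
    done
)

# Stand-alone use: clear_oaam_caches.sh DOMAIN_HOME SERVER_NAME...
if [ "$#" -gt 0 ]; then clear_oaam_caches "$@"; fi
```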

13.14 Restarting the Servers

To restart the Administration Server or Managed Servers, you must stop the running Administration Server or Managed Servers before starting them again.

To stop the servers, see Section 13.3, "Shutting Down Administration Server and Managed Servers".

To start the servers, see Section 13.11, "Starting the Administration Server and Oracle Adaptive Access Manager Managed Servers".

Note:

After all the upgrade steps are complete, check to make sure that the custom extensions (if any) are working correctly.

13.15 Verifying the Upgrade

Use the following URL in a web browser to verify that Oracle Adaptive Access Manager 11.1.2.3.0 is running:

http://<oaam_host>:<oaam_port>/oaam_admin

Assign the investigator role and verify that you can see the investigator UI.