12 Upgrading Oracle Access Manager 11g Release 1 (11.1.1.x.x) Environments

This chapter describes how to upgrade your existing Oracle Access Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments to Oracle Access Management 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.

Note:

If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0). For information about automated upgrade procedure, supported starting points and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".

If you wish to upgrade Oracle Access Management multi-data center environments, refer to Chapter 18, "Upgrading Oracle Access Management Multi-Data Center Environments".

Note:

This chapter refers to Oracle Access Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments as 11.1.1.x.x.

This chapter includes the following sections:

• Section 12.1, "Upgrade Roadmap for Oracle Access Manager"

• Section 12.2, "Performing the Required Pre-Upgrade Tasks"

• Section 12.3, "Upgrading Oracle Home"

• Section 12.4, "Creating Necessary Schemas"

• Section 12.5, "Extending Oracle Access Manager 11.1.1.x.x Domain with Oracle Platform Security Services Template"

• Section 12.6, "Upgrading Oracle Platform Security Services"

• Section 12.7, "Configuring Oracle Platform Security Services Security Store"

• Section 12.8, "Exporting Access Data"

• Section 12.9, "Importing Access Data"

• Section 12.10, "Copying Modified System mbean Configurations"

• Section 12.11, "Ensuring that the Newly Created OAM Policy Schema is in Use"

• Section 12.12, "Starting the Administration Server and Access Manager Managed Servers"

• Section 12.13, "Redeploying Access Manager Server Applications and Shared Libraries"

• Section 12.14, "Stopping the Administration Server and Access Manager Managed Servers"

• Section 12.15, "Deleting Folders"

• Section 12.16, "Upgrading System Configuration"

• Section 12.17, "Starting the Servers"

• Section 12.18, "Extending the Oracle Access Management Domain to Include Mobile Security Suite and Policy Manager"

• Section 12.19, "Performing the Required Post-Upgrade Tasks"

• Section 12.20, "Verifying the Oracle Access Management Upgrade"

• Section 12.21, "Troubleshooting"

12.1 Upgrade Roadmap for Oracle Access Manager

Note:

If you do not follow the exact sequence provided in this task table, your Oracle Access Manager upgrade may not be successful.

Table 12-1 lists the tasks that you must complete to upgrade Oracle Access Manager 11.1.1.x.x environments.

Table 12-1 Upgrade Flow

Task No.	Task	For More Information
1	Complete the necessary prerequisites before you upgrade Oracle Access Manager 11.1.1.x.x to 11.1.2.3.0.	See, Performing the Required Pre-Upgrade Tasks
2	Upgrade Oracle Home by upgrading Oracle WebLogic Server to 10.3.6, applying mandatory patches for Oracle Access Manager, and upgrading Oracle Access Manager binaries to 11.1.2.3.0.	See, Upgrading Oracle Home
3	Create Oracle Access Manager (OAM) and Oracle Platform Security Services (OPSS) schema using the Repository Creation Utility.	See, Creating Necessary Schemas
4	Upgrade 11.1.1.x.x Oracle Home to 11.1.2.3.0.	See, Upgrading Oracle Access Manager Binaries to 11.1.2.3.0
5	Extend your Oracle Access Manager 11.1.1.x.x domain with the OPSS template.	See, Extending Oracle Access Manager 11.1.1.x.x Domain with Oracle Platform Security Services Template
6	Upgrade Oracle Platform Security Services.	See, Upgrading Oracle Platform Security Services
7	Run the configuresecuritystore.py script to configure policy stores.	See, Configuring Oracle Platform Security Services Security Store
8	Export access data.	See, Exporting Access Data
9	Import access data.	See, Importing Access Data
10	Copy infrastructure mbean jar and configuration files	See, Copying Modified System mbean Configurations
11	Start the Administration Server and Oracle Access Management Access Manager Managed Servers.	See, Starting the Administration Server and Access Manager Managed Servers
12	Redeploy Access Manager servers and shared libraries.	See, Redeploying Access Manager Server Applications and Shared Libraries
13	Stop the Administration Server and Oracle Access Management Access Manager Managed Server.	See, Stopping the Administration Server and Access Manager Managed Servers
14	Delete the tmp and stage folders.	See, Deleting Folders
15	Upgrade the system configuration of Oracle Access Management. This step is required for the 11.1.2.3.0 features to work. This step is mandatory as compatibility mode is not supported for Oracle Access Manager 11.1.1.x.x upgrade.	See, Upgrading System Configuration
16	Start the WebLogic Administration Server and the Oracle Access Management Access Manager Managed Server(s).	See, Starting the Servers
17	Extend the Oracle Access Management domain to include Oracle Mobile Security Suite and Policy Manager.	See, Extending the Oracle Access Management Domain to Include Mobile Security Suite and Policy Manager
18	Perform the required post-upgrade tasks.	See, Performing the Required Post-Upgrade Tasks
19	Verify the Oracle Access Management upgrade.	See, Verifying the Oracle Access Management Upgrade

12.2 Performing the Required Pre-Upgrade Tasks

Before you begin with the upgrade, you must complete the following prerequisites:

• Review the Oracle Fusion Middleware System Requirements and Specifications and Oracle Fusion Middleware Supported System Configurations documents to ensure that your system meets the minimum requirements for the products you are installing or upgrading to. For more information see Section 24.1.1, "Verifying Certification, System Requirements, and Interoperability".

• Ensure that you are using a Java Development Kit (JDK) version that is supported and certified with Oracle Identity and Access Management 11.1.2.3.0.

  You can verify the required JDK version by reviewing the certification information on the Oracle Fusion Middleware Supported System Configurations page.

  The JDK can be downloaded from the Java SE Development Kit 7 Downloads page on Oracle Technology Network (OTN).

  Note:

  For more information about JDK version requirements, see the "Oracle WebLogic Server and JDK Considerations" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.

• Ensure that the following artifacts are present in your environment:

  • oamclient-truststore.jks

    This file is located at DOMAIN_HOME/output/webgate-ssl/oamclient-keystore.jks.

  • oamclient-keystore.jks

    This file is located at DOMAIN_HOME/output/webgate-ssl/oamclient-truststore.jks.

  If the artifacts are not present, generate them using the keytool command. For information about creating these artifacts, see "Creating Oracle Access Manager Key Store" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for 11g Release 1 (11.1.1.5.0).

  When you generate these files, they are created in the directory where the command for creating them is run. You must copy these files to the location DOMAIN_HOME/output/webgate-ssl/ and rename them as mentioned.

• Oracle Access Management 11.1.2.3.0 has additional components configured in it's Administration Server. Therefore, ensure that the WebLogic domain memory settings are updated to suite the machine configurations.

  If the servers are started using command line, you must update the memory settings in the setDomainEnv.sh file. If the servers are started using Node Manager, you must update the memory settings using the WebLogic Administration console. It is recommended to do both.

  To update the memory settings in the setDomainEnv.sh file, complete the following steps:

  1. Go to the DOMAIN_HOME/bin directory.

  2. Take a backup of file setDomainEnv.sh (on UNIX) or setDomainEnv.cmd (on Windows).

  3. Open the setDomainEnv.sh (on UNIX) or setDomainEnv.cmd (on Windows) in an editor, and search for the following lines:

     On UNIX:

     # IF USER_MEM_ARGS the environment variable is set, use it to override ALL
     # MEM_ARGS values 
     
     if [ "${USER_MEM_ARGS}" != "" ] ; then 
     MEM_ARGS="${USER_MEM_ARGS}" 
     export MEM_ARGS 
     fi
     

     On Windows:

     @REM IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values
     
     if NOT "%USER_MEM_ARGS%"=="" ( 
     set MEM_ARGS=%USER_MEM_ARGS% 
     ) 
     

  4. Add the USER_MEM_ARGS settings as shown in the following example:

     On UNIX:

     # IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values 
     
     # Added for OAM 11.1.2.3 upgrade 
     USER_MEM_ARGS="-Xms4096m -Xmx4096m -XX:MaxPermSize=512m" 
     export USER_MEM_ARGS 
     
     if [ "${USER_MEM_ARGS}" != "" ] ; then 
     MEM_ARGS="${USER_MEM_ARGS}" 
     export MEM_ARGS 
     fi 
     

     On Windows:

     @REM IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values 
     
     @REM Added for OAM 11.1.2.3 upgrade 
     set USER_MEM_ARGS=-Xms4096m -Xmx4096m -XX:MaxPermSize=512m 
     
     if NOT "%USER_MEM_ARGS%"=="" ( 
     set MEM_ARGS=%USER_MEM_ARGS% 
     ) 
     

  5. Save the changes to the file

  To update the memory settings using the WebLogic Administration console, complete the following steps:

  1. Log in to the WebLogic Administration Console using the following URL:

     http://host:port/console

  2. Click Servers on the left navigation pane.

  3. Select the OAM Server.

  4. Go to the Server Start tab.

  5. Click Arguments.

  6. Set the value of JVM arguments for the OAM Server. For example:

     -Xms4096m -Xmx4096m

  7. Save the changes.

  For more information about the memory requirements for Oracle Identity and Access Management, see "Memory and Space Requirements for Oracle Fusion Middleware and Oracle Identity and Access Management" in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management for 11g Release 2 (11.1.2).

• Verify the Oracle Access Manager 11.1.1.x.x schema and credentials. To verify the Oracle Access Manager 11.1.1.x.x schema, check the schema name in the DOMAIN_HOME/config/jdbc/oam-db-jdbc.xml file or verify the OAM datasource on the WebLogic Administration console by doing the following:

  1. Log in to the WebLogic Administration Console using the following URL:

     http://host:port/console

  2. Click Services on the left navigation pane.

  3. Click Data Sources, and then select oamDS.

  4. Click Connection pool and verify the OAM data source.

  To verify the schema credentials, use the schema name and password to connect to the database.

• Shut down the WebLogic Administration Server and Oracle Access Manager Managed Servers. For information about stopping the servers, see Section 24.1.9, "Stopping the Servers".

• Back up the following before you proceed with the upgrade:

  • MW_HOME directory, including the Oracle Home directories inside Middleware Home

  • Domain Home directory

  • Oracle Access Manager schemas

  • MDS schemas

  • Audit and any other dependent schemas

  For information about backing up the Middleware Home and schemas, see Section 24.1.2, "Backing up the Existing Environment".

12.3 Upgrading Oracle Home

This section describes the tasks to be completed to upgrade the existing Oracle home.

This section includes the following topics:

• Upgrading Oracle WebLogic Server to 10.3.6

• Applying Mandatory Patches for Oracle WebLogic Server

• Upgrading Oracle Access Manager Binaries to 11.1.2.3.0

12.3.1 Upgrading Oracle WebLogic Server to 10.3.6

Oracle Identity and Access Management 11.1.2.3.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Access Manager environment is using Oracle WebLogic Server 10.3.5 or any earlier version, you must upgrade it to Oracle WebLogic Server 10.3.6.

For information about upgrading Oracle WebLogic Server, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".

12.3.2 Applying Mandatory Patches for Oracle WebLogic Server

Ensure that you apply some mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6.

To identify the required patches that you must apply for Oracle WebLogic Server 10.3.6, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.

The patches listed in the release notes are available from My Oracle Support. The patching instructions are mentioned in the README.txt file that is provided with each patch.

12.3.3 Upgrading Oracle Access Manager Binaries to 11.1.2.3.0

Upgrade the Oracle Access Manager binaries using the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) installer. During the procedure, point the Middleware Home to your existing 11.1.1.x.x Oracle Access Manager Middleware Home.

Note:

Before upgrading the Oracle Access Manager binaries to 11g Release 2 (11.1.2.3.0), you must ensure that the OPatch version in ORACLE_HOME and MW_HOME/oracle_common is 11.1.0.10.3. Different OPatch version might cause patch application failure. If you have upgraded opatch to a newer version, you will have to roll back to version 11.1.0.10.3.

For information about upgrading Oracle Access Manager binaries to Oracle Access Management Access Manager 11.1.2.3.0, see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".

12.4 Creating Necessary Schemas

You must create the following schemas by running Repository Creation utility (RCU) 11.1.1.9.0:

• Oracle Access Manager (OAM) schema

• Oracle Platform Security Services (OPSS) schema

• Oracle Mobile Security Manager (OMSM) schema - (If you wish to configure Oracle Mobile Security Suite)

• Oracle Metadata Services (MDS) schema

For information about creating schemas using Run Repository Creation utility, see Section 24.1.3, "Creating Database Schemas Using Repository Creation Utility".

Note:

Even if you are creating new schemas, do not delete your Oracle Access Manager 11.1.1.x.x schemas and do not use the old schema name, as you will need the old schema credentials while "Exporting Access Data".

12.5 Extending Oracle Access Manager 11.1.1.x.x Domain with Oracle Platform Security Services Template

Oracle Access Management Access Manager 11.1.2.3.0 uses the database to store policies. This requires extending Oracle Access Manager 11.1.1.x.x domain to include the Oracle Platform Security Services (OPSS) data source.

To extend your Oracle Access Manager 11.1.1.x.x domain with the OPSS template, complete the following steps:

1. Run the following command:

   On UNIX:

   ./config.sh

   It is located in the <MW_HOME>/<Oracle_IDM1>/common/bin directory.

   On Windows:

   config.cmd

   It is located in the <MW_HOME>\<Oracle_IDM1>\common\bin directory.

2. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.

3. On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured Oracle Access Manager. Click Next. The Select Extension Source screen appears.

4. On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen appears.

5. On the Configure JDBC Component Schema screen, do the following:

   • Select OAM Infrastructure, and update the Oracle Access Manager 11.1.1.x.x schema information with the Access Manager 11.1.2.3.0 schema details.

   • Select OPSS Schema, and specify the values for Schema Owner, Schema Password, Database and Service, Host Name, and Port.

   • Click Next.

   The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.

6. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything as you have already configured your Oracle Access Manager 11.1.1.x.x environment. Click Next.

7. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

Your existing Oracle Access Manager domain is extended to support Oracle Platform Security Services (OPSS), and Oracle Access Manager is configured to use the newly created 11.1.2.3.0 OPSS policy schema.

12.6 Upgrading Oracle Platform Security Services

You must upgrade Oracle Platform Security Services (OPSS) by running upgradeOpss command.

Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Access Manager to 11.1.2.3.0. It upgrades the jps-config.xml file and policy stores.

For information about upgrading Oracle Platform Security Services, see Section 24.1.7, "Upgrading Oracle Platform Security Services"

12.7 Configuring Oracle Platform Security Services Security Store

You must configure the Database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11.1.2.3.0.

For more information on configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

12.8 Exporting Access Data

Policy information from Oracle Access Manager 11.1.1.x.x schema needs to be extracted before importing it to the Access Manager 11.1.2.3.0 schema. The exportAccessData WLST command exports the Access Manager policy and configuration information from the 11.1.1.x.x Oracle Access Manager domain. You must export Oracle Access Manager 11.1.1.x.x configuration details, policy stores, keys, and CSF Passwords.

Note:

Make sure to shutdown all WebLogic Server processes (administration server, Oracle Access Manager managed server, and node manager) before executing these export commands.

Complete the following steps to export data:

On UNIX:

1. Move from your present working directory to the <MW_HOME>/<Oracle_IDM1>/common/bin directory by running the following command on the command line:

   cd <MW_HOME>/<Oracle_IDM1>/common/bin

2. Run the following command to launch the WebLogic Scripting Tool (WLST):

   ./wlst.sh

3. At the WLST prompt, run the following script:

   exportAccessData("<UPGRADE_PROPERTIES_FILE>")

   For example:

   exportAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")

   See Table 12-3 for sample properties and description.

4. Exit the WLST console using the exit() command.

On Windows:

1. Move from your present working directory to the <MW_HOME>\<Oracle_IDM1>\common\bin directory by running the following command on the command line:

   cd <MW_HOME>\<Oracle_IDM1>\common\bin

2. Run the following command to launch the WebLogic Scripting Tool (WLST):

   wlst.cmd

3. At the WLST prompt, run the following script:

   exportAccessData("<UPGRADE_PROPERTIES_FILE>")

   For example:

   exportAccessData("<ORACLE_HOME>\\oam\\server\\wlst\\scripts\\sample_properties\\oam_upgrade-windows.properties")

   See Table 12-3 for sample properties and description.

4. Exit the WLST console using the exit() command.

Table 12-2 describes the parameters you must specify on the command line:

Table 12-2 Parameters for Exporting Data

Parameter	Description
properties_location	Specify the path to the oam_upgrade.properties file in the Access Manager 11.1.1.x.x installation. The following example shows the complete path: On UNIX, it is located in the <ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties directory. On Windows, it is located in the <ORACLE_HOME>\oam\server\wlst\scripts\sample_properties\oam_upgrade-windows.properties directory.

Table 12-3 lists the properties of oam_upgrade.properties:

Table 12-3 List of Properties Specified in oam_upgrade.properties File

Properties	Description
MIDDLEWARE_HOME	Specify the complete path to the Middleware Home. For example: On UNIX: /Oracle/Middleware On Windows: Oracle\\Middleware
ORACLE_HOME	This property refers to the location of the Oracle Identity and Access Management software. For example: On UNIX: /Oracle/Middleware/Oracle_IDM1 On Windows: <MW_HOME>\\Oracle_IDM1
OAM_DOMAIN_HOME	This property refers to the existing Oracle Access Manager 11.1.1.x.x domain home. For example: On UNIX: /Oracle/Middleware/user_projects/domains/oam_domain On Windows: <MW_HOME>\\user_projects\\domains\\<oam_domain> directory.
ORACLE_COMMON_HOME	This property refers to the common components home. The following example shows the complete path: On UNIX, it is located in the <MW_HOME>/oracle_common directory. On Windows, it is located in the <MW_HOME>\\oracle_common directory.
OAM_DEST_ARTIFACTS_LOCATION	This property refers to the location where you want to place the upgrade artifacts, such as Oracle Access Manager 11.1.1.x.x configuration and policy files. Note: Make sure that the artifacts folder has read/write access.
OAM_TYPE_OF_UPGRADE	This is an InPlace upgrade.
OAM_IS_INCREMENTAL	This property is used to specify if you run the upgrade in an incremental mode. Incremental form of upgrade is not supported in Access Manager 11.1.2.3.0. Therefore, set the value as False.
OAM_POLICY_UPGRADE_OPTIMIZATION	As a part of the Oracle Access Manager policy upgrade, the changes to the out of the box Access Manager policies are applied on top of the existing (11.1.1.x.x) out of the box policies. This process involves a three way merge of the Access Manager policies. This is a time consuming process (takes about 30 minutes). If you want to proceed with the merge, set the property to false. If you want to replace the Oracle Access Manager 11.1.1.x.x out of the box policies with the new ones, without the merge process, set this property to true.
OAM_PS1_SCHEMA_OWNER	Use this property to connect to the 11.1.1.x.x policy store. Specify the Oracle Access Manager 11.1.1.x.x schema owner.
OAM_PS1_SCHEMA_CRED	Use this property to connect to the 11.1.1.x.x policy store. Specify the Oracle Access Manager 11.1.1.x.x schema credentials.
OAM_PS1_CREDENTIAL_ALIAS	Use this property to connect to the 11.1.1.x.x policy store. Specify the Oracle Access Manager 11.1.1.x.x Oracle Entitlements Server database credential alias as: OESDBCredentialAlias
OAM_PS1_JDBC_CONN_STRING	Use this property to connect to the 11.1.1.x.x policy store. Specify the JDBC connection string in the following format: jdbc:oracle:thin:@dbhost:dbport/sid
OAM_PS1_JDBC_DRIVER_CLASS	Use this property to connect to the 11.1.1.x.x policy store. Specify the JDBC driver class in the following format: oracle.jdbc.OracleDriver
OAM_PS1_ROOT_DN	Use this property to connect to the 11.1.1.x.x policy store. Specify the properties as: cn=farm,cn=JPSContext,cn=jpsroot
OAM_PS1_POLICY_FILE	This property refers to the absolute path to the XML file where extracted 11.1.1.x.x policy needs to be saved. Specify the path where you want to save the extracted Oracle Access Manager 11.1.1.x.x policies. For example: On UNIX, specify the following path: OAM_PS1_POLICY_FILE=<UPGRADE_ATRIFACTS_DIR>/oam-policy-ps1.xml On Windows, specify the following path: OAM_PS1_POLICY_FILE=<UPGRADE_ATRIFACTS_DIR>\\oam-policy-ps1.xml
OAM_PS1_POLICY_JARS	Upgrade frameworks loads version specific jars for Exporting and Importing data. This property refers to the Oracle Access Manager 11.1.1.x.x policy jars available at the following path: On UNIX, it is located in the $<ORACLE_HOME>/oam/server/lib/upgrade/ps1-policy directory. On Windows, it is located in the <ORACLE_HOME>\\oam\\server\\lib\\upgrade\\ps1-policy directory.
OAM_PS1_CONFIG_FILE_LOC	This property refers to the Oracle Access Manager 11.1.1.x.x configuration files available in the following location: On UNIX, it is located in the $<DOMAIN_HOME>/config/fmwconfig/oam-config.xml directory. On Windows, it is located in the <DOMAIN_HOME>\\config\\fmwconfig\\oam-config.xml directory.
OAM_PS1_POLICY_FILE_TEMP	This property refers to the absolute path to the temporary policy XML. This temporary XML will be used for policy transformation. Specify the temporary location of the XML file. For example: On UNIX, specify the following path: OAM_PS1_POLICY_FILE_TEMP=<UPGRADE_ATRIFACTS_DIR>/oam-policy-ps1_temp.xml On Windows, specify the following path: OAM_PS1_POLICY_FILE_TEMP=<UPGRADE_ATRIFACTS_DIR>\\oam-policy-ps1_temp.xml
OAM_R2_POLICY_JARS	Upgrade frameworks loads version specific jars for exporting and importing data. This property refers to the Access Manager 11.1.2.3.0 policy jars available at the following location: On UNIX, it is located in the $<ORACLE_HOME>/oam/server/lib/upgrade/ps2-policy directory. On Windows, it is located in the <ORACLE_HOME>\\oam\\server\\lib\\upgrade\\ps2-policy directory.
OAM_R2_CONFIG_FILE_LOC	This property refers to the Access Manager 11.1.2.3.0 configuration files available at the following location: On UNIX, it is located in the $<ORACLE_HOME>/oam/server/config/oam-config.xml directory. On Windows, it is located in the <ORACLE_HOME>\\oam\\server\\config\\oam-config.xml directory.
OAM_SOURCE_VERSION	Specify the source version of Oracle Access Manager. If the source version is 11g Release 1 (11.1.1.7.0), specify 11.1.1.7.0. If the source version is 11g Release 1 (11.1.1.5.0), specify 11.1.1.5.0. If you have applied bundle patches, the minor bundle patch version should not be specified. For example, 11.1.1.5.2.
OAM_TARGET_VERSION	The Oracle Access Manager target version is 11.1.2.0.0.
OAM_OFFLINE_POLICY_MIGRATION	This property is used for the offline redeployment feature of the upgrade. This feature is not supported in this release. Therefore, the value of this property must be set to false.

Note:

The variables listed in Table 12-3 are not environment variables. These variables must be defined in the oam_upgrade.properties file.

When you specify paths to any files in the oam_upgrade.properties file, make sure it is in the format specified in the following example:

• On UNIX: /directory_1/directory_2/file

• On Windows: \\directory_1\\directory_2\\file

Sample Output of exportAccessData

wls:/offline> exportAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")
Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.WLSTExecutor executeCommand
INFO: EXPORT_DATA_COMMAND
Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.util.WLSTExportDataUtil executeCommand
INFO: OAAM PRODUCT
Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.util.WLSTExportDataUtil executeCommand
INFO: OAM PRODUCT
Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.util.WLSTExportDataUtil executeCommand
INFO: oamPlugin.getName() = oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory
Jul 7, 2012 1:37:30 AM oracle.security.am.upgrade.plugin.util.UpgradeUtil exportConfiguration
INFO: Copying configuration file....
oracle.security.am.upgrade.plugin.upgradehelper.OAMVersionSpecificClassLoader@1e330f43
[EL Info]: 2012-07-07 01:37:32.849--ServerSession(503497062)--EclipseLink, version: Eclipse Persistence Services - 1.1.0.r3634
[EL Info]: 2012-07-07 01:37:35.212--ServerSession(503497062)--file:$ORACLE_HOME/oam/server/lib/upgrade/ps1-policy/oes-d8/jps-internal.jar-JpsDBDataManager login successful
Jul 7, 2012 1:37:39 AM com.tangosol.coherence.component.util.logOutput.Jdk log
INFO: 2012-07-07 01:37:39.026/135.466 Oracle Coherence 3.5.3/465p2 <Info> (thread=Main Thread, member=n/a): Loaded operational configuration from resource "jar:file:$ORACLE_HOME/oam/server/lib/upgrade/ps1-policy/coherence.jar!/tangosol-coherence.xml"
Jul 7, 2012 1:37:39 AM com.tangosol.coherence.component.util.logOutput.Jdk log
INFO: 2012-07-07 01:37:39.035/135.474 Oracle Coherence 3.5.3/465p2 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from resource "jar:file:$ORACLE_HOME/oam/server/lib/upgrade/ps1-policy/coherence.jar!/tangosol-coherence-override-dev.xml"
...................
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:37:47 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:37:47 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:37:47 AM oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory exportData
INFO: Extraction Done!!
Jul 7, 2012 1:37:47 AM oracle.security.am.upgrade.plugin.util.UpgradeCommonUtil removeDirectory
INFO: Deletion of Directory: true path: $OAM_ARTIFACTS_DIRECTORTY/temp.zip
Jul 7, 2012 1:37:47 AM oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory exportData
INFO: Export completed successfully!

12.9 Importing Access Data

It is necessary to import the extracted Oracle Access Manager 11.1.1.x.x data to the Access Manager 11.1.2 schema. The Oracle Access Manager 11.1.1.x.x domain configuration is also merged with the Access Manager 11.1.2 configuration.

Note:

Make sure to shutdown all WebLogic Server processes (administration server, Oracle Access Manager managed server, and node manager) before executing these import commands.

To import Oracle Access Manager 11.1.1.x.x configuration data into Access Manager 11.1.2.3.0, complete the following steps:

On UNIX:

1. Move from your present working directory to the <MW_HOME>/<Oracle_IDM1>/common/bin directory by running the following command on the command line:

   cd <MW_HOME>/<Oracle_IDM1>/common/bin

2. Run the following command to launch the WebLogic Scripting Tool (WLST):

   ./wlst.sh

3. At the WLST prompt, run the following script:

   importAccessData("<UPGRADE_PROPERTIES_FILE>")

   For example:

   importAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")

   See Table 12-3 for sample properties and description.

4. Exit the WLST console using the exit() command.

On Windows:

1. Move from your present working directory to the <MW_HOME>\<Oracle_IDM1>\common\bin directory by running the following command on the command line:

   cd <MW_HOME>\<Oracle_IDM1>\common\bin

2. Run the following command to launch the WebLogic Scripting Tool (WLST):

   wlst.cmd

3. At the WLST prompt, run the following script:

   importAccessData("<UPGRADE_PROPERTIES_FILE>")

   For example:

   importAccessData("<ORACLE_HOME>\\oam\\server\\wlst\\scripts\\sample_properties\\oam_upgrade.properties")

   See Table 12-3 for sample properties and description.

4. Exit the WLST console using the exit() command.

Table 12-4 describes the parameters you need to specify on the command line:

Table 12-4 Parameters for Importing Data

Parameter	Description
properties_location	Specify the path to the oam_upgrade.properties file in the Oracle Access Manager 11.1.1.x.x installation. The following example shows the complete path: On UNIX, it is located in the IDM_HOME/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties directory. On Windows, it is located in the IDM_HOME\oam\server\wlst\scripts\sample_properties\oam_upgrade.properties directory.

Sample Output of importAccessData

wls:/offline> importAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")
LOGGER intialised java.util.logging.Logger@1e26e4b1
Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.WLSTExecutor executeCommand
INFO: IMPORT_DATA_COMMAND
Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.util.WLSTImportDataUtil executeCommand
INFO: OAAM PRODUCT IMPORT DATA
Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.util.WLSTImportDataUtil executeCommand
INFO: OAM PRODUCT
Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.util.WLSTImportDataUtil executeCommand
INFO: oamPlugin.getName() = oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory
Jul 7, 2012 1:38:27 AM oracle.security.am.common.policy.admin.provider.xml.XMLStore <init>
INFO: Loading policy store file: $OAM_ARTIFACTS_DIRECTORTY/oam-policy.xml.
Jul 7, 2012 1:38:30 AM com.tangosol.coherence.component.util.logOutput.Jdk log
INFO: 2012-07-07 01:38:30.069/17.816 Oracle Coherence 3.7.1.1 <Info> (thread=Main Thread, member=n/a): Loaded operational configuration from "jar:file:$MIDDLEWARE_HOMEoracle_common/modules/oracle.coherence/coherence.jar!/tangosol-coherence.xml"
Jul 7, 2012 1:38:30 AM com.tangosol.coherence.component.util.logOutput.Jdk log
INFO: 2012-07-07 01:38:30.103/17.850 Oracle Coherence 3.7.1.1 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from "jar:file:$MIDDLEWARE_HOMEoracle_common/modules/oracle.coherence/coherence.jar!/tangosol-coherence-override-dev.xml"
Jul 7, 2012 1:38:30 AM com.tangosol.coherence.component.util.logOutput.Jdk log
INFO: 2012-07-07 01:38:30.107/17.854 Oracle Coherence 3.7.1.1 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from "jar:file:$ORACLE_HOME/oam/server/lib/upgrade/ps2-policy/mapstore-coherence.jar!/tangosol-coherence-override.xml"
.....
Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:38:38 AM oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory importData
INFO: Import completed successfully!!

Note:

When you execute the importAccessData() command, the output might include additional text after the line INFO: Import completed successfully!!. The additional text has no impact on the result and can be ignored.

12.10 Copying Modified System mbean Configurations

After updating the Oracle Access Manager binaries to 11.1.2.3.0 you must copy the modified system or domain mbean configurations from the OAM_ORACLE_HOME to the DOMAIN_HOME.

On UNIX:

1. Move from your present working directory to the <MW_HOME>/common/bin directory by running the following command on the command line:

   cd <MW_HOME><Oracle_IDM1>/common/bin

2. Run the following command to launch the WebLogic Scripting Tool (WLST):

   ./wlst.sh

3. At the WLST prompt, run the following script:

   copyMbeanXmlFiles('DOMAIN_HOME','OAM_ORACLE_HOME')

   For example:

   copyMbeanXmlFiles('/Oracle/Middleware/user_projects/domains/base_domain','/Oracle/Middleware/Oracle_IDM1')

4. Exit the WLST console using the exit() command.

On Windows:

1. Move from your present working directory to the <MW_HOME>\common\bin directory by running the following command on the command line:

   cd <MW_HOME>\<Oracle_IDM1>\common\bin

2. Run the following command to launch the WebLogic Scripting Tool (WLST):

   wlst.cmd

3. At the WLST prompt, run the following script:

   copyMbeanXmlFiles ('<domain_name>',' 'Oracle_IDM')

   For example:

   copyMbeanXmlFiles('C:\\Oracle\\Middleware\\user_projects\domains\\base_domain','C:\\Oracle\\Middleware\\Oracle_IDM1')

4. Exit the WLST console using the exit() command.

12.11 Ensuring that the Newly Created OAM Policy Schema is in Use

Verify the database details to check if the newly created 11.1.2.3.0 OAM policy schema is in use. This can be done using the WebLogic Administration console or by checking the DOMAIN_HOME/config/jdbc/oam-db-jdbc.xml file. Ensure that the following tag in the oam-db-jdbc.xml file contains the name of the newly created 11.1.2.3.0 OAM Policy schema:

<name>oamDS</name>

12.12 Starting the Administration Server and Access Manager Managed Servers

Start the WebLogic Administration Server and the Access Manager Managed Servers. For more information, see Section 24.1.8, "Starting the Servers".

Note:

When you start the servers, you may see the following exception:

<Error> <oracle.idaas.common> <BEA-000000> <ORA-00942: table or view does not exist 
.
java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist 
.
      at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:462) 
      at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405) 
      at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:931) 
      at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:481) 
      at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:205)
      at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:548) 
      at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:217)

Ignore this warning and proceed.

12.13 Redeploying Access Manager Server Applications and Shared Libraries

You must redeploy Oracle Access Management Access Manager server applications for the following reasons:

• To uptake new shared libraries that Access Manager servers are dependent on.

• To uptake newer versions of Oracle Access Management Administration and Managed Server applications.

Access Manager Server applications can be redeployed using the WLST command redeployOAM.

Note:

Before you run the redeployOAM command, ensure that the Access Manager Managed Server(s) are in RUNNING state and not in the ADMIN state.

If the servers are in ADMIN state, do the following:

1. Log in to the WebLogic Administration Server using the following URL:

   http://host:port/console

2. Click Deployments.

3. Click oam_server(11.1.2.0.0) on the Summary of Deployments page.

4. Click OAM_SERVER on the Summary of Servers page.

5. Go to the Control tab and click RESUME.

To redeploy Access Manager server applications and shared Access Manager libraries, complete the following steps:

1. Run the following command to launch the WebLogic Scripting Tool (WLST) from the location $MW_HOME/ORACLE_HOME/common/bin:

   On UNIX: ./wlst.sh

   On Windows: wlst.cmd

2. Connect to the Administration Server using the following command:

   connect('<weblogic_username>','<weblogic_password>','<weblogic_host>:<port>')

3. Run the following command to redeploy the applications and shared libraries:

   redeployOAM("ORACLE_HOME","ORACLE_COMMON_HOME",adminTarget="Admin_server_name",serverTarget="oam_server")

   Note:

   If you are upgrading Oracle Access Manager high availability environments, specify the oam_cluster for the argument serverTarget while running redeployOAM command.

   Table 12-5 describes the parameters you need to specify on the command line:

   Table 12-5 Parameters to be Specified When Running redeployOAM Command

   Parameter	Description
   ORACLE_HOME	Specify the absolute path to the Oracle Home. For example: On UNIX, it is located at Oracle/Middleware directory. On Windows, it is located at Oracle\Middleware directory.
   ORACLE_COMMON_HOME	Specify the absolute path to the Oracle common home. For example: On UNIX, it is located in the Oracle/Middleware/Common_home directory. On Windows, it is located in the Oracle\Middleware\Common_home directory.
   adminTarget	Specify the Administration Server name you had specified while configuring Access Manager.
   serverTarget	Specify the name of the Access Manager Server you had specified while configuring Access Manager Server.

   
   

   For example:

   redeployOAM("/scratch/Oracle/Middleware/Oracle_IDM1","/scratch/Oracle/Middleware/oracle_common",adminTarget="AdminServer",serverTarget="OAM_SERVER")

   Note:

   • You might see the following exception after the Access Manager server deployment. This is because tmp and stage directories still exist. You can ignore the errors:

     HTTP:101216]Servlet: "AMInitServlet" failed to preload on startup in Web application: "oam".
     java.lang.ExceptionInInitializerError
     at java.lang.J9VMInternals.initialize(J9VMInternals.java:222)
     at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.checkAndInit(AbstractSessionAdapterImpl.java:97)
     at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.<init>(AbstractSessionAdapterImpl.java:75)
     at oracle.security.am.engines.sso.adapter.MultipleUserSessionAdapterImpl.<init>(MultipleUserSessionAdapterImpl.java:56
     at oracle.security.am.engines.sso.adapter.MultipleUserSessionAdapterImpl.<clinit>(MultipleUserSessionAdapterImpl.java:45)
     at java.lang.J9VMInternals.initializeImpl(Native Method)
     at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
     at oracle.security.am.engines.sso.adapter.SessionManagementAdapterFactory.getAdapter(SessionManagementAdapterFactory.java:46
     Caused by: oracle.security.am.common.utilities.exception.AmRuntimeException:OAM Server Key initialization failed
     Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
     

   • When you execute the redeployOAM command, the following warning may be displayed:

     "************************ Performing OAM Admin server deployment and Data Migration. This operation will take some time. Please wait until it completes.******"
     

     Note that redeployment takes approximately 30 minutes to complete due to policy migration. In addition, note that the time for completion of redeployment also depends on the amount of data present in the Oracle Access Manager system that is being upgraded.

4. Exit the WLST console using the exit() command.

The deployment may fail if the SDP library is already installed as a part of the SOA or OIM deployments. For recovery procedure, see Section 25.2.3, "Exception While Deploying Application".

Note:

.

After redeploying Oracle Access Management Access Manager, you must verify that the following libraries and applications are deployed to Access Manager cluster (OAM_CLUSTER):

Libraries

• oracle.oaam.libs (11.1.2.0.0)

• oracle.sdp.client (11.1.1)

• coherence (3.7.1.1)

• oracle.idm.ids.config.ui (11.1.2,11.1.2)

• oracle.idm.ipf (11.1.2,11.1.2)

Applications

• oamsso_logout (11.1.2.0.0)

• oam_server (11.1.2.0.0)

12.14 Stopping the Administration Server and Access Manager Managed Servers

Stop the WebLogic Administration Server and the Access Manager Managed Server(s). For more information, see Section 24.1.9, "Stopping the Servers".

12.15 Deleting Folders

This step is required to uptake new version of the Access Manager Managed Server. The redeploy command does not delete the tmp directories.

In order to deploy Oracle Access Manager 11.1.1.x.x server content and applications to Access Manager 11.1.2.3.0, you must delete all folders in the following location:

On UNIX:

<MW_Home>/user_projects/domains/domain_home/servers/<OAM_MANAGED_SERVER_NAME>

On Windows:

<MW_Home>\user_projects\domains\domain_home\servers\<OAM_MANAGED_SERVER_NAME>

12.16 Upgrading System Configuration

For the Oracle Access Management 11.1.2.3.0 features to work, you must run the upgradeConfig() utility on the machine that hosts Administration Server. This utility upgrades the system configuration and policy store of Oracle Access Management to 11.1.2.3.0. This step is mandatory for the upgraded environment to work.

Note:

Compatibility mode is not supported for Oracle Access Manager 11.1.1.x.x upgrade. Therefore, it is mandatory to upgrade the system configurations in order to complete the Access Manager upgrade process.

To upgrade the system configuration of Oracle Access Management, do the following:

1. Stop the WebLogic Administration Server and the Access Manager Managed Server(s). For more information, see Section 24.1.9, "Stopping the Servers"

2. The upgradeConfig command needs to be run using the IPv4 stack. Therefore, you must add the following property to the wlst.sh file (on UNIX) or wlst.cmd file (on Windows) located at ORACLE_HOME/common/bin:

   -Djava.net.preferIPv4Stack=true

   To do this, open the wlst.sh or wlst.cmd file in a text editor, add the property, and save the file.

3. Run the following command to launch the WebLogic Scripting Tool (WLST) from the location $ORACLE_HOME/common/bin:

   On UNIX: ./wlst.sh

   On Windows: wlst.cmd

4. Run the following command in offline mode:

   upgradeConfig("domain_home", "sysdbaUser", "sysdbaPwd", "oamSchemaOwner", "oamdbJdbcUrl")

   In this command,

   • domain_home is the absolute path to the Access Manager WebLogic domain.

   • sysdbauser is the database username having sysdba privileges.

   • sysdbapwd is the password of the database user having sysdba privileges.

   • oamSchemaOwner is the database username for OAM schema.

   • oamdbjdbcUrl is the JDBC URL to connect to the Access Manager database. The JDBC URL must be in specified in the format "jdbc:oracle:thin:@<server_host>:<server_port>/<service_name>".

   For example:

   On UNIX:

   upgradeConfig("/Oracle/Middleware/user_projects/domains/base_domain", "sys", "pwd", "PREFIX_OAM", "jdbc:oracle:thin:@localhost:1521/orcl")

   On Windows:

   upgradeConfig("C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain", "sys", "pwd", "PREFIX_OAM", "jdbc:oracle:thin:@localhost:1521/orcl")

12.17 Starting the Servers

Start the WebLogic Administration Server, Access Manager Managed Server(s), and the OMSS server. For more information, see Section 12.12, "Starting the Administration Server and Access Manager Managed Servers".

12.18 Extending the Oracle Access Management Domain to Include Mobile Security Suite and Policy Manager

Extend the Oracle Access Management domain to include Oracle Mobile Security Suite (OMSS) and Policy Manager. Using the functionality of Oracle Mobile Security Suite is optional. However, you must perform this step to enable the Policy Manager.

For more information, see Section 24.3.1, "Extending the 11.1.2.3.0 Access Manager Domain to Include Mobile Security Suite and Policy Manager".

Note:

To start using the features of Oracle Mobile Security Suite, you must enable Oracle Mobile Security Suite as described in Section 12.19.1, "Optional: Enabling Oracle Mobile Security Suite".

12.19 Performing the Required Post-Upgrade Tasks

This section describes the post-upgrade tasks required to enable the features of Access Manager 11.1.2.3.0. These tasks are optional.

This section includes the following topics:

• Optional: Enabling Oracle Mobile Security Suite

• Assigning Necessary Roles to Admin

12.19.1 Optional: Enabling Oracle Mobile Security Suite

If you wish to use the functionality of Oracle Mobile Security Suite, you must enable Oracle Mobile Security Suite after extending the Access Manager domain with Oracle Mobile Security Suite component.

For more information, see Section 24.3.2, "Enabling Oracle Mobile Security Suite".

12.19.2 Assigning Necessary Roles to Admin

Ensure that you assign necessary roles to the global role Admin, by setting the role conditions as IDM Administrators, Administrators, or OAMAdministrators.

For more information about creating and managing global security roles, see "Create global security roles" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help for 11g Release 1 (10.3.6).

12.20 Verifying the Oracle Access Management Upgrade

Verify the Oracle Access Management upgrade by accessing the Oracle Access Management Access Manager Administration Console 11g Release 2 (11.1.2.3.0).

If you have enabled Oracle Mobile Security Suite (OMSS) and wish to use the functionality of OMSS, use the following URL to access the Access Manager Administration Console:

http://<oam_admin_server_host>:<oam_admin_server_port>/access

If you have not enabled Oracle Mobile Security Suite (OMSS), use the following URL to access the Access Manager Administration Console:

http://<oam_admin_server_host>:<oam_admin_server_port>/oamconsole

Note:

This note is applicable only to users who currently have Oracle Identity Manager and Oracle Access Manager components integrated in 11g R1 (11.1.1.5.1) or earlier versions, and are upgrading both Oracle Identity Manager and Access Manager to 11g Release 2 (11.1.2.3.0).

After upgrading the components to 11g Release 2 (11.1.2.3.0), see "Using the idmConfigTool Command" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

12.21 Troubleshooting

For the list of common issues that you might encounter during the Oracle Access Management upgrade process, and their workaround, see Section 25.2, "Troubleshooting Oracle Access Management Upgrade Issues".

For the list of known issues related to upgrade, and their workaround, see "Upgrade and Migration Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for Identity Management.