This chapter describes how to upgrade your existing Oracle Access Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments to Oracle Access Management 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.
Note:
If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0). For information about the automated upgrade procedure, supported starting points and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".
If you wish to upgrade Oracle Access Management multi-data center environments, refer to Chapter 18, "Upgrading Oracle Access Management Multi-Data Center Environments".
Note:
This chapter refers to Oracle Access Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments as 11.1.1.x.x.
This chapter includes the following sections:
Section 12.7, "Configuring Oracle Platform Security Services Security Store"
Section 12.10, "Copying Modified System mbean Configurations"
Section 12.11, "Ensuring that the Newly Created OAM Policy Schema is in Use"
Section 12.12, "Starting the Administration Server and Access Manager Managed Servers"
Section 12.13, "Redeploying Access Manager Server Applications and Shared Libraries"
Section 12.14, "Stopping the Administration Server and Access Manager Managed Servers"
Section 12.20, "Verifying the Oracle Access Management Upgrade"
Note:
If you do not follow the exact sequence provided in this task table, your Oracle Access Manager upgrade may not be successful.
Table 12-1 lists the tasks that you must complete to upgrade Oracle Access Manager 11.1.1.x.x environments.
Task No. | Task | For More Information |
---|---|---|
1 | Complete the necessary prerequisites before you upgrade Oracle Access Manager 11.1.1.x.x to 11.1.2.3.0. | |
2 | Upgrade Oracle Home by upgrading Oracle WebLogic Server to 10.3.6, applying mandatory patches for Oracle Access Manager, and upgrading Oracle Access Manager binaries to 11.1.2.3.0. | |
3 | Create Oracle Access Manager (OAM) and Oracle Platform Security Services (OPSS) schema using the Repository Creation Utility. | |
4 | Upgrade 11.1.1.x.x Oracle Home to 11.1.2.3.0. | |
5 | Extend your Oracle Access Manager 11.1.1.x.x domain with the OPSS template. | See, Extending Oracle Access Manager 11.1.1.x.x Domain with Oracle Platform Security Services Template |
6 | Upgrade Oracle Platform Security Services. | |
7 | Run the | See, Configuring Oracle Platform Security Services Security Store |
8 | Export access data. | |
9 | Import access data. | |
10 | Copy infrastructure mbean jar and configuration files | |
11 | Start the Administration Server and Oracle Access Management Access Manager Managed Servers. | See, Starting the Administration Server and Access Manager Managed Servers |
12 | Redeploy Access Manager servers and shared libraries. | See, Redeploying Access Manager Server Applications and Shared Libraries |
13 | Stop the Administration Server and Oracle Access Management Access Manager Managed Server. | See, Stopping the Administration Server and Access Manager Managed Servers |
14 | Delete the | See, Deleting Folders |
15 | Upgrade the system configuration of Oracle Access Management. This step is required for the 11.1.2.3.0 features to work. This step is mandatory as compatibility mode is not supported for Oracle Access Manager 11.1.1.x.x upgrade. | |
16 | Start the WebLogic Administration Server and the Oracle Access Management Access Manager Managed Server(s). | See, Starting the Servers |
17 | Extend the Oracle Access Management domain to include Oracle Mobile Security Suite and Policy Manager. | See, Extending the Oracle Access Management Domain to Include Mobile Security Suite and Policy Manager |
18 | Perform the required post-upgrade tasks. | |
19 | Verify the Oracle Access Management upgrade. | |
Before you begin with the upgrade, you must complete the following prerequisites:
Review the Oracle Fusion Middleware System Requirements and Specifications and Oracle Fusion Middleware Supported System Configurations documents to ensure that your system meets the minimum requirements for the products you are installing or upgrading to. For more information see Section 24.1.1, "Verifying Certification, System Requirements, and Interoperability".
Ensure that you are using a Java Development Kit (JDK) version that is supported and certified with Oracle Identity and Access Management 11.1.2.3.0.
You can verify the required JDK version by reviewing the certification information on the Oracle Fusion Middleware Supported System Configurations page.
The JDK can be downloaded from the Java SE Development Kit 7 Downloads page on Oracle Technology Network (OTN).
Note:
For more information about JDK version requirements, see the "Oracle WebLogic Server and JDK Considerations" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.
Ensure that the following artifacts are present in your environment:
oamclient-truststore.jks
This file is located at DOMAIN_HOME/output/webgate-ssl/oamclient-keystore.jks.
oamclient-keystore.jks
This file is located at DOMAIN_HOME/output/webgate-ssl/oamclient-truststore.jks.
If the artifacts are not present, generate them using the keytool command. For information about creating these artifacts, see "Creating Oracle Access Manager Key Store" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management for 11g Release 1 (11.1.1.5.0).
When you generate these files, they are created in the directory where the command for creating them is run. You must copy these files to the location DOMAIN_HOME/output/webgate-ssl/ and rename them as mentioned.
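A pre-flight check for the two keystore artifacts named above, added here as an illustration and not part of Oracle's documentation or tooling. It assumes the files are expected in JKS format and that group-writable or world-accessible keystores are unwanted; the function names are hypothetical.

```python
import os
import stat

# File names and directory are the ones this page lists under DOMAIN_HOME.
REQUIRED = ("oamclient-truststore.jks", "oamclient-keystore.jks")
# Leading magic bytes of the Java keystore formats.
MAGIC = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}


def keystore_format(head):
    """Classify a keystore from its first four bytes."""
    if head in MAGIC:
        return MAGIC[head]
    # PKCS#12 is DER-encoded and starts with an ASN.1 SEQUENCE tag (0x30).
    return "PKCS12" if head[:1] == b"\x30" else "unknown"


def check_webgate_ssl(domain_home):
    """Return (file name, problem) pairs; an empty list means the check passed."""
    directory = os.path.join(domain_home, "output", "webgate-ssl")
    findings = []
    for name in REQUIRED:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            findings.append((name, "missing"))
            continue
        with open(path, "rb") as fh:
            fmt = keystore_format(fh.read(4))
        # Assumption: the upgrade expects JKS, as the .jks names suggest.
        if fmt != "JKS":
            findings.append((name, "not a JKS keystore (looks like %s)" % fmt))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        # Assumption: only the owner may write, and "other" gets no access.
        if mode & (stat.S_IWGRP | stat.S_IRWXO):
            findings.append((name, "permissions too open (%04o)" % mode))
    return findings


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, problem in check_webgate_ssl(domain):
        print("%s: %s" % (name, problem))
```

Run it with the domain home as the only argument before starting the upgrade; no output means both files are present, are JKS, and are not exposed to other accounts.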
Oracle Access Management 11.1.2.3.0 has additional components configured in its Administration Server. Therefore, ensure that the WebLogic domain memory settings are updated to suit the machine configurations.
If the servers are started using command line, you must update the memory settings in the setDomainEnv.sh file. If the servers are started using Node Manager, you must update the memory settings using the WebLogic Administration console. It is recommended to do both.
To update the memory settings in the setDomainEnv.sh file, complete the following steps:
Go to the DOMAIN_HOME/bin directory.
Take a backup of file setDomainEnv.sh (on UNIX) or setDomainEnv.cmd (on Windows).
Open the setDomainEnv.sh (on UNIX) or setDomainEnv.cmd (on Windows) in an editor, and search for the following lines:
On UNIX:
    # IF USER_MEM_ARGS the environment variable is set, use it to override ALL
    # MEM_ARGS values
    if [ "${USER_MEM_ARGS}" != "" ] ; then
        MEM_ARGS="${USER_MEM_ARGS}"
        export MEM_ARGS
    fi
On Windows:
    @REM IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values
    if NOT "%USER_MEM_ARGS%"=="" (
        set MEM_ARGS=%USER_MEM_ARGS%
    )
Add the USER_MEM_ARGS settings as shown in the following example:
On UNIX:
    # IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values
    # Added for OAM 11.1.2.3 upgrade
    USER_MEM_ARGS="-Xms4096m -Xmx4096m -XX:MaxPermSize=512m"
    export USER_MEM_ARGS
    if [ "${USER_MEM_ARGS}" != "" ] ; then
        MEM_ARGS="${USER_MEM_ARGS}"
        export MEM_ARGS
    fi
On Windows:
    @REM IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values
    @REM Added for OAM 11.1.2.3 upgrade
    set USER_MEM_ARGS=-Xms4096m -Xmx4096m -XX:MaxPermSize=512m
    if NOT "%USER_MEM_ARGS%"=="" (
        set MEM_ARGS=%USER_MEM_ARGS%
    )
Save the changes to the file.
To update the memory settings using the WebLogic Administration console, complete the following steps:
Log in to the WebLogic Administration Console using the following URL:
http://host:port/console
Click Servers on the left navigation pane.
Select the OAM Server.
Go to the Server Start tab.
Click Arguments.
Set the value of JVM arguments for the OAM Server. For example:
-Xms4096m -Xmx4096m
Save the changes.
For more information about the memory requirements for Oracle Identity and Access Management, see "Memory and Space Requirements for Oracle Fusion Middleware and Oracle Identity and Access Management" in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management for 11g Release 2 (11.1.2).
Verify the Oracle Access Manager 11.1.1.x.x schema and credentials. To verify the Oracle Access Manager 11.1.1.x.x schema, check the schema name in the DOMAIN_HOME/config/jdbc/oam-db-jdbc.xml file or verify the OAM datasource on the WebLogic Administration console by doing the following:
Log in to the WebLogic Administration Console using the following URL:
http://host:port/console
Click Services on the left navigation pane.
Click Data Sources, and then select oamDS.
Click Connection pool and verify the OAM data source.
To verify the schema credentials, use the schema name and password to connect to the database.
Shut down the WebLogic Administration Server and Oracle Access Manager Managed Servers. For information about stopping the servers, see Section 24.1.9, "Stopping the Servers".
Back up the following before you proceed with the upgrade:
MW_HOME directory, including the Oracle Home directories inside Middleware Home
Domain Home directory
Oracle Access Manager schemas
MDS schemas
Audit and any other dependent schemas
For information about backing up the Middleware Home and schemas, see Section 24.1.2, "Backing up the Existing Environment".
This section describes the tasks to be completed to upgrade the existing Oracle home.
This section includes the following topics:
Oracle Identity and Access Management 11.1.2.3.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Access Manager environment is using Oracle WebLogic Server 10.3.5 or any earlier version, you must upgrade it to Oracle WebLogic Server 10.3.6.
For information about upgrading Oracle WebLogic Server, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".
Ensure that you apply some mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6.
To identify the required patches that you must apply for Oracle WebLogic Server 10.3.6, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.
The patches listed in the release notes are available from My Oracle Support. The patching instructions are mentioned in the README.txt file that is provided with each patch.
Upgrade the Oracle Access Manager binaries using the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) installer. During the procedure, point the Middleware Home to your existing 11.1.1.x.x Oracle Access Manager Middleware Home.
Note:
Before upgrading the Oracle Access Manager binaries to 11g Release 2 (11.1.2.3.0), you must ensure that the OPatch version in ORACLE_HOME and MW_HOME/oracle_common is 11.1.0.10.3. A different OPatch version might cause patch application failure. If you have upgraded OPatch to a newer version, you will have to roll back to version 11.1.0.10.3.
For information about upgrading Oracle Access Manager binaries to Oracle Access Management Access Manager 11.1.2.3.0, see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".
You must create the following schemas by running the Repository Creation Utility (RCU) 11.1.1.9.0:
Oracle Access Manager (OAM) schema
Oracle Platform Security Services (OPSS) schema
Oracle Mobile Security Manager (OMSM) schema - (If you wish to configure Oracle Mobile Security Suite)
Oracle Metadata Services (MDS) schema
For information about creating schemas using the Repository Creation Utility, see Section 24.1.3, "Creating Database Schemas Using Repository Creation Utility".
Note:
Even if you are creating new schemas, do not delete your Oracle Access Manager 11.1.1.x.x schemas and do not use the old schema name, as you will need the old schema credentials while "Exporting Access Data".
Oracle Access Management Access Manager 11.1.2.3.0 uses the database to store policies. This requires extending Oracle Access Manager 11.1.1.x.x domain to include the Oracle Platform Security Services (OPSS) data source.
To extend your Oracle Access Manager 11.1.1.x.x domain with the OPSS template, complete the following steps:
Run the following command:
On UNIX:
./config.sh
It is located in the <MW_HOME>/<Oracle_IDM1>/common/bin directory.
On Windows:
config.cmd
It is located in the <MW_HOME>\<Oracle_IDM1>\common\bin directory.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.
On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured Oracle Access Manager. Click Next. The Select Extension Source screen appears.
On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next. The Configure JDBC Component Schema screen appears.
On the Configure JDBC Component Schema screen, do the following:
Select OAM Infrastructure, and update the Oracle Access Manager 11.1.1.x.x schema information with the Access Manager 11.1.2.3.0 schema details.
Select OPSS Schema, and specify the values for Schema Owner, Schema Password, Database and Service, Host Name, and Port.
Click Next.
The Test JDBC Component Schema screen appears. After the test succeeds, the Select Optional Configuration screen appears.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything as you have already configured your Oracle Access Manager 11.1.1.x.x environment. Click Next.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Access Manager domain is extended to support Oracle Platform Security Services (OPSS), and Oracle Access Manager is configured to use the newly created 11.1.2.3.0 OPSS policy schema.
You must upgrade Oracle Platform Security Services (OPSS) by running the upgradeOpss command.
Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Access Manager to 11.1.2.3.0. It upgrades the jps-config.xml file and policy stores.
For information about upgrading Oracle Platform Security Services, see Section 24.1.7, "Upgrading Oracle Platform Security Services".
You must configure the Database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11.1.2.3.0.
For more information on configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Policy information from Oracle Access Manager 11.1.1.x.x schema needs to be extracted before importing it to the Access Manager 11.1.2.3.0 schema. The exportAccessData WLST command exports the Access Manager policy and configuration information from the 11.1.1.x.x Oracle Access Manager domain. You must export Oracle Access Manager 11.1.1.x.x configuration details, policy stores, keys, and CSF Passwords.
Note:
Make sure to shut down all WebLogic Server processes (administration server, Oracle Access Manager managed server, and node manager) before executing these export commands.
Complete the following steps to export data:
On UNIX:
Move from your present working directory to the <MW_HOME>/<Oracle_IDM1>/common/bin directory by running the following command on the command line:
cd <MW_HOME>/<Oracle_IDM1>/common/bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
./wlst.sh
At the WLST prompt, run the following script:
exportAccessData("<UPGRADE_PROPERTIES_FILE>")
For example:
exportAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")
See Table 12-3 for sample properties and description.
Exit the WLST console using the exit() command.
On Windows:
Move from your present working directory to the <MW_HOME>\<Oracle_IDM1>\common\bin directory by running the following command on the command line:
cd <MW_HOME>\<Oracle_IDM1>\common\bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
wlst.cmd
At the WLST prompt, run the following script:
exportAccessData("<UPGRADE_PROPERTIES_FILE>")
For example:
exportAccessData("<ORACLE_HOME>\\oam\\server\\wlst\\scripts\\sample_properties\\oam_upgrade-windows.properties")
See Table 12-3 for sample properties and description.
Exit the WLST console using the exit() command.
Table 12-2 describes the parameters you must specify on the command line:
Table 12-2 Parameters for Exporting Data
Parameter | Description |
---|---|
|
Specify the path to the On UNIX, it is located in the On Windows, it is located in the |
Table 12-3 lists the properties of oam_upgrade.properties:
Table 12-3 List of Properties Specified in oam_upgrade.properties File
Properties | Description |
---|---|
|
Specify the complete path to the Middleware Home. For example: On UNIX: On Windows: |
|
This property refers to the location of the Oracle Identity and Access Management software. For example: On UNIX: On Windows: |
|
This property refers to the existing Oracle Access Manager 11.1.1.x.x domain home. For example: On UNIX: On Windows: |
|
This property refers to the common components home. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the |
|
This property refers to the location where you want to place the upgrade artifacts, such as Oracle Access Manager 11.1.1.x.x configuration and policy files. Note: Make sure that the artifacts folder has read/write access. |
|
This is an |
|
This property is used to specify if you run the upgrade in an incremental mode. Incremental form of upgrade is not supported in Access Manager 11.1.2.3.0. Therefore, set the value as |
|
As a part of the Oracle Access Manager policy upgrade, the changes to the out of the box Access Manager policies are applied on top of the existing (11.1.1.x.x) out of the box policies. This process involves a three way merge of the Access Manager policies. This is a time consuming process (takes about 30 minutes). If you want to proceed with the merge, set the property to If you want to replace the Oracle Access Manager 11.1.1.x.x out of the box policies with the new ones, without the merge process, set this property to |
|
Use this property to connect to the 11.1.1.x.x policy store. Specify the Oracle Access Manager 11.1.1.x.x schema owner. |
|
Use this property to connect to the 11.1.1.x.x policy store. Specify the Oracle Access Manager 11.1.1.x.x schema credentials. |
|
Use this property to connect to the 11.1.1.x.x policy store. Specify the Oracle Access Manager 11.1.1.x.x Oracle Entitlements Server database credential alias as:
|
|
Use this property to connect to the 11.1.1.x.x policy store. Specify the JDBC connection string in the following format:
|
|
Use this property to connect to the 11.1.1.x.x policy store. Specify the JDBC driver class in the following format:
|
|
Use this property to connect to the 11.1.1.x.x policy store. Specify the properties as:
|
|
This property refers to the absolute path to the XML file where extracted 11.1.1.x.x policy needs to be saved. Specify the path where you want to save the extracted Oracle Access Manager 11.1.1.x.x policies. For example: On UNIX, specify the following path:
On Windows, specify the following path:
|
|
The upgrade framework loads version-specific jars for exporting and importing data. This property refers to the Oracle Access Manager 11.1.1.x.x policy jars available at the following path: On UNIX, it is located in the On Windows, it is located in the |
|
This property refers to the Oracle Access Manager 11.1.1.x.x configuration files available in the following location: On UNIX, it is located in the On Windows, it is located in the |
|
This property refers to the absolute path to the temporary policy XML. This temporary XML will be used for policy transformation. Specify the temporary location of the XML file. For example: On UNIX, specify the following path:
On Windows, specify the following path:
|
|
The upgrade framework loads version-specific jars for exporting and importing data. This property refers to the Access Manager 11.1.2.3.0 policy jars available at the following location: On UNIX, it is located in the On Windows, it is located in the |
|
This property refers to the Access Manager 11.1.2.3.0 configuration files available at the following location: On UNIX, it is located in the On Windows, it is located in the |
|
Specify the source version of Oracle Access Manager. If the source version is 11g Release 1 (11.1.1.7.0), specify If you have applied bundle patches, the minor bundle patch version should not be specified. For example, 11.1.1.5.2. |
|
The Oracle Access Manager target version is 11.1.2.0.0. |
|
This property is used for the offline redeployment feature of the upgrade. This feature is not supported in this release. Therefore, the value of this property must be set to |
Note:
The variables listed in Table 12-3 are not environment variables. These variables must be defined in the oam_upgrade.properties file.
When you specify paths to any files in the oam_upgrade.properties file, make sure it is in the format specified in the following example:
On UNIX: /directory_1/directory_2/file
On Windows: \\directory_1\\directory_2\\file
Sample Output of exportAccessData
    wls:/offline> exportAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")
    Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.WLSTExecutor executeCommand
    INFO: EXPORT_DATA_COMMAND
    Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.util.WLSTExportDataUtil executeCommand
    INFO: OAAM PRODUCT
    Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.util.WLSTExportDataUtil executeCommand
    INFO: OAM PRODUCT
    Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.util.WLSTExportDataUtil executeCommand
    INFO: oamPlugin.getName() = oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory
    Jul 7, 2012 1:37:30 AM oracle.security.am.upgrade.plugin.util.UpgradeUtil exportConfiguration
    INFO: Copying configuration file....
    oracle.security.am.upgrade.plugin.upgradehelper.OAMVersionSpecificClassLoader@1e330f43
    [EL Info]: 2012-07-07 01:37:32.849--ServerSession(503497062)--EclipseLink, version: Eclipse Persistence Services - 1.1.0.r3634
    [EL Info]: 2012-07-07 01:37:35.212--ServerSession(503497062)--file:$ORACLE_HOME/oam/server/lib/upgrade/ps1-policy/oes-d8/jps-internal.jar-JpsDBDataManager login successful
    Jul 7, 2012 1:37:39 AM com.tangosol.coherence.component.util.logOutput.Jdk log
    INFO: 2012-07-07 01:37:39.026/135.466 Oracle Coherence 3.5.3/465p2 <Info> (thread=Main Thread, member=n/a): Loaded operational configuration from resource "jar:file:$ORACLE_HOME/oam/server/lib/upgrade/ps1-policy/coherence.jar!/tangosol-coherence.xml"
    Jul 7, 2012 1:37:39 AM com.tangosol.coherence.component.util.logOutput.Jdk log
    INFO: 2012-07-07 01:37:39.035/135.474 Oracle Coherence 3.5.3/465p2 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from resource "jar:file:$ORACLE_HOME/oam/server/lib/upgrade/ps1-policy/coherence.jar!/tangosol-coherence-override-dev.xml"
    ...................
    WARNING: Cannot load audit configuration.
    Jul 7, 2012 1:37:47 AM oracle.security.am.common.audit.AuditHandler getAuditor
    WARNING: Cannot load audit configuration.
    Jul 7, 2012 1:37:47 AM oracle.security.am.common.audit.AuditHandler getAuditor
    WARNING: Cannot load audit configuration.
    Jul 7, 2012 1:37:47 AM oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory exportData
    INFO: Extraction Done!!
    Jul 7, 2012 1:37:47 AM oracle.security.am.upgrade.plugin.util.UpgradeCommonUtil removeDirectory
    INFO: Deletion of Directory: true path: $OAM_ARTIFACTS_DIRECTORTY/temp.zip
    Jul 7, 2012 1:37:47 AM oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory exportData
    INFO: Export completed successfully!
It is necessary to import the extracted Oracle Access Manager 11.1.1.x.x data to the Access Manager 11.1.2 schema. The Oracle Access Manager 11.1.1.x.x domain configuration is also merged with the Access Manager 11.1.2 configuration.
Note:
Make sure to shut down all WebLogic Server processes (administration server, Oracle Access Manager managed server, and node manager) before executing these import commands.
To import Oracle Access Manager 11.1.1.x.x configuration data into Access Manager 11.1.2.3.0, complete the following steps:
On UNIX:
Move from your present working directory to the <MW_HOME>/<Oracle_IDM1>/common/bin directory by running the following command on the command line:
cd <MW_HOME>/<Oracle_IDM1>/common/bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
./wlst.sh
At the WLST prompt, run the following script:
importAccessData("<UPGRADE_PROPERTIES_FILE>")
For example:
importAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")
See Table 12-3 for sample properties and description.
Exit the WLST console using the exit() command.
On Windows:
Move from your present working directory to the <MW_HOME>\<Oracle_IDM1>\common\bin directory by running the following command on the command line:
cd <MW_HOME>\<Oracle_IDM1>\common\bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
wlst.cmd
At the WLST prompt, run the following script:
importAccessData("<UPGRADE_PROPERTIES_FILE>")
For example:
importAccessData("<ORACLE_HOME>\\oam\\server\\wlst\\scripts\\sample_properties\\oam_upgrade.properties")
See Table 12-3 for sample properties and description.
Exit the WLST console using the exit() command.
Table 12-4 describes the parameters you need to specify on the command line:
Table 12-4 Parameters for Importing Data
Parameter | Description |
---|---|
|
Specify the path to the On UNIX, it is located in the On Windows, it is located in the |
Sample Output of importAccessData
    wls:/offline> importAccessData("<ORACLE_HOME>/oam/server/wlst/scripts/sample_properties/oam_upgrade.properties")
    LOGGER intialised java.util.logging.Logger@1e26e4b1
    Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.WLSTExecutor executeCommand
    INFO: IMPORT_DATA_COMMAND
    Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.util.WLSTImportDataUtil executeCommand
    INFO: OAAM PRODUCT IMPORT DATA
    Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.util.WLSTImportDataUtil executeCommand
    INFO: OAM PRODUCT
    Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.util.WLSTImportDataUtil executeCommand
    INFO: oamPlugin.getName() = oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory
    Jul 7, 2012 1:38:27 AM oracle.security.am.common.policy.admin.provider.xml.XMLStore <init>
    INFO: Loading policy store file: $OAM_ARTIFACTS_DIRECTORTY/oam-policy.xml.
    Jul 7, 2012 1:38:30 AM com.tangosol.coherence.component.util.logOutput.Jdk log
    INFO: 2012-07-07 01:38:30.069/17.816 Oracle Coherence 3.7.1.1 <Info> (thread=Main Thread, member=n/a): Loaded operational configuration from "jar:file:$MIDDLEWARE_HOMEoracle_common/modules/oracle.coherence/coherence.jar!/tangosol-coherence.xml"
    Jul 7, 2012 1:38:30 AM com.tangosol.coherence.component.util.logOutput.Jdk log
    INFO: 2012-07-07 01:38:30.103/17.850 Oracle Coherence 3.7.1.1 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from "jar:file:$MIDDLEWARE_HOMEoracle_common/modules/oracle.coherence/coherence.jar!/tangosol-coherence-override-dev.xml"
    Jul 7, 2012 1:38:30 AM com.tangosol.coherence.component.util.logOutput.Jdk log
    INFO: 2012-07-07 01:38:30.107/17.854 Oracle Coherence 3.7.1.1 <Info> (thread=Main Thread, member=n/a): Loaded operational overrides from "jar:file:$ORACLE_HOME/oam/server/lib/upgrade/ps2-policy/mapstore-coherence.jar!/tangosol-coherence-override.xml"
    .....
    Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
    WARNING: Cannot load audit configuration.
    Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
    WARNING: Cannot load audit configuration.
    Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
    WARNING: Cannot load audit configuration.
    Jul 7, 2012 1:38:38 AM oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory importData
    INFO: Import completed successfully!!
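A checker for captured exportAccessData and importAccessData console output, added here as an illustration and not part of Oracle's tooling. It parses the two-line java.util.logging records seen in the sample outputs, looks for the success line, treats the "Cannot load audit configuration." warning as expected because the page's successful runs contain it, and for import ignores anything after the success line, as the page states. The function names and the embedded sample logs are constructed.

```python
import re

# First line of a java.util.logging record: timestamp, class, method.
HEADER = re.compile(
    r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M "
    r"(?P<source>\S+) (?P<method>\S+)$"
)
# Second line of a record: level and message.
LEVEL = re.compile(r"^(?P<level>SEVERE|WARNING|INFO): (?P<message>.*)$")

# Success lines exactly as they appear in the page's sample outputs.
SUCCESS = {
    "export": "Export completed successfully!",
    "import": "Import completed successfully!!",
}
# Warning present in the page's successful sample runs.
KNOWN_BENIGN = {"Cannot load audit configuration."}


def parse_records(text):
    """Turn console output into a list of {level, source, message, detail}."""
    records, current, source = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            source = "%s.%s" % (header["source"], header["method"])
            current = None
            continue
        level = LEVEL.match(line)
        if level:
            current = {"level": level["level"], "source": source,
                       "message": level["message"].strip(), "detail": []}
            records.append(current)
            source = None
        elif current is not None:
            # Continuation text such as a stack trace belongs to the last record.
            current["detail"].append(line)
    return records


def check_run(text, phase):
    """Summarise one run; phase is 'export' or 'import'."""
    records = parse_records(text)
    done_at = next((i for i, r in enumerate(records)
                    if r["level"] == "INFO" and r["message"] == SUCCESS[phase]),
                   None)
    considered = records
    if phase == "import" and done_at is not None:
        # Text after the import success line has no impact on the result.
        considered = records[:done_at + 1]
    flagged = [r for r in considered if r["level"] in ("WARNING", "SEVERE")]
    unexpected = [r for r in flagged if r["message"] not in KNOWN_BENIGN]
    return {
        "completed": done_at is not None,
        "benign_warnings": len(flagged) - len(unexpected),
        "unexpected": unexpected,
        "ok": done_at is not None and not unexpected,
    }


# Constructed sample: a successful import followed by trailing text.
SAMPLE_IMPORT_OK = """\
wls:/offline> importAccessData("/constructed/path/oam_upgrade.properties")
Jul 7, 2012 1:38:25 AM oracle.security.access.upgrade.WLSTExecutor executeCommand
INFO: IMPORT_DATA_COMMAND
Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:38:36 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:38:38 AM oracle.security.am.upgrade.plugin.upgradehelper.UpgradeFactory importData
INFO: Import completed successfully!!
Jul 7, 2012 1:38:39 AM constructed.example.Trailer run
WARNING: constructed trailing text after the success line
"""

# Constructed sample: an export that never reaches the success line.
SAMPLE_EXPORT_FAILED = """\
wls:/offline> exportAccessData("/constructed/path/oam_upgrade.properties")
Jul 7, 2012 1:37:30 AM oracle.security.access.upgrade.WLSTExecutor executeCommand
INFO: EXPORT_DATA_COMMAND
Jul 7, 2012 1:37:47 AM oracle.security.am.common.audit.AuditHandler getAuditor
WARNING: Cannot load audit configuration.
Jul 7, 2012 1:37:48 AM constructed.example.Exporter run
SEVERE: constructed failure: could not connect to the 11.1.1.x.x policy store
java.sql.SQLException: constructed detail line
"""

if __name__ == "__main__":
    for phase, sample in (("import", SAMPLE_IMPORT_OK), ("export", SAMPLE_EXPORT_FAILED)):
        result = check_run(sample, phase)
        print(phase, "ok" if result["ok"] else "needs review")
        for rec in result["unexpected"]:
            print("  %s %s: %s" % (rec["level"], rec["source"], rec["message"]))
```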
Note:
When you execute the importAccessData() command, the output might include additional text after the line INFO: Import completed successfully!!. The additional text has no impact on the result and can be ignored.
After updating the Oracle Access Manager binaries to 11.1.2.3.0 you must copy the modified system or domain mbean configurations from the OAM_ORACLE_HOME to the DOMAIN_HOME.
On UNIX:
Move from your present working directory to the <MW_HOME>/common/bin directory by running the following command on the command line:
cd <MW_HOME>/<Oracle_IDM1>/common/bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
./wlst.sh
At the WLST prompt, run the following script:
copyMbeanXmlFiles('DOMAIN_HOME','OAM_ORACLE_HOME')
For example:
copyMbeanXmlFiles('/Oracle/Middleware/user_projects/domains/base_domain','/Oracle/Middleware/Oracle_IDM1')
Exit the WLST console using the exit() command.
On Windows:
Move from your present working directory to the <MW_HOME>\common\bin directory by running the following command on the command line:
cd <MW_HOME>\<Oracle_IDM1>\common\bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
wlst.cmd
At the WLST prompt, run the following script:
copyMbeanXmlFiles('<domain_name>','Oracle_IDM')
For example:
copyMbeanXmlFiles('C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain','C:\\Oracle\\Middleware\\Oracle_IDM1')
Exit the WLST console using the exit() command.
Verify the database details to check if the newly created 11.1.2.3.0 OAM policy schema is in use. This can be done using the WebLogic Administration console or by checking the DOMAIN_HOME/config/jdbc/oam-db-jdbc.xml file. Ensure that the following tag in the oam-db-jdbc.xml file contains the name of the newly created 11.1.2.3.0 OAM Policy schema:
<name>oamDS</name>
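One way to script this check against oam-db-jdbc.xml, added here as an illustration and not part of Oracle's tooling. It assumes the standard WebLogic JDBC module descriptor layout, in which the connecting schema owner is the user driver property and the password is stored in password-encrypted; the function names, schema names, host and password values in the samples are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace of WebLogic JDBC module descriptors such as oam-db-jdbc.xml.
NS = {"j": "http://xmlns.oracle.com/weblogic/jdbc-data-source"}


def read_datasource(xml_text):
    """Extract data source name, JDBC URL, connecting user and stored password."""
    root = ET.fromstring(xml_text)
    params = root.find("j:jdbc-driver-params", NS)
    props = {}
    url = password = None
    if params is not None:
        url = params.findtext("j:url", namespaces=NS)
        password = params.findtext("j:password-encrypted", namespaces=NS)
        for prop in params.findall("j:properties/j:property", NS):
            props[prop.findtext("j:name", "", NS)] = prop.findtext("j:value", "", NS)
    return {
        "name": root.findtext("j:name", namespaces=NS),
        "url": url,
        "user": props.get("user"),
        "password_encrypted": password,
    }


def verify_policy_schema(xml_text, new_schema, old_schema):
    """Return (datasource info, findings); no findings means the new schema is in use."""
    ds = read_datasource(xml_text)
    findings = []
    # Oracle schema names are compared case-insensitively.
    user = (ds["user"] or "").upper()
    if ds["name"] != "oamDS":
        findings.append("data source name is %r, expected 'oamDS'" % ds["name"])
    if not user:
        findings.append("no 'user' property in jdbc-driver-params")
    elif user == old_schema.upper():
        findings.append("still connects as the 11.1.1.x.x schema %s" % user)
    elif user != new_schema.upper():
        findings.append("connects as %s, expected %s" % (user, new_schema.upper()))
    # WebLogic stores the value with an algorithm prefix once it is encrypted.
    secret = ds["password_encrypted"] or ""
    if not secret.startswith(("{AES", "{3DES}")):
        findings.append("password-encrypted is not in WebLogic encrypted form")
    return ds, findings


# Constructed descriptor pointing at a constructed new schema name.
SAMPLE_UPGRADED = """<jdbc-data-source xmlns="http://xmlns.oracle.com/weblogic/jdbc-data-source">
  <name>oamDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@dbhost.example.com:1521/orcl.example.com</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property><name>user</name><value>R2PS3_OAM</value></property>
    </properties>
    <password-encrypted>{AES}constructed-placeholder=</password-encrypted>
  </jdbc-driver-params>
</jdbc-data-source>"""

# Constructed descriptor that still uses the old schema and a cleartext password.
SAMPLE_STALE = (SAMPLE_UPGRADED
                .replace("R2PS3_OAM", "R1_OAM")
                .replace("{AES}constructed-placeholder=", "constructed-cleartext"))

if __name__ == "__main__":
    for label, sample in (("upgraded", SAMPLE_UPGRADED), ("stale", SAMPLE_STALE)):
        ds, findings = verify_policy_schema(sample, "R2PS3_OAM", "R1_OAM")
        print(label, ds["user"], ds["url"], findings or "OK")
```

To check a real domain, pass the contents of DOMAIN_HOME/config/jdbc/oam-db-jdbc.xml together with the new and old schema owner names.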
Start the WebLogic Administration Server and the Access Manager Managed Servers. For more information, see Section 24.1.8, "Starting the Servers".
Note:
When you start the servers, you may see the following exception:
    <Error> <oracle.idaas.common> <BEA-000000> <ORA-00942: table or view does not exist .
    java.sql.SQLSyntaxErrorException: ORA-00942: table or view does not exist .
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:462)
    at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:405)
    at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:931)
    at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:481)
    at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:205)
    at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:548)
    at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:217)
Ignore this warning and proceed.
You must redeploy Oracle Access Management Access Manager server applications for the following reasons:
To uptake new shared libraries that Access Manager servers are dependent on.
To uptake newer versions of Oracle Access Management Administration and Managed Server applications.
Access Manager Server applications can be redeployed using the WLST command redeployOAM.
Note:
Before you run the redeployOAM command, ensure that the Access Manager Managed Server(s) are in RUNNING state and not in the ADMIN state.
If the servers are in ADMIN state, do the following:
Log in to the WebLogic Administration Server using the following URL:
http://host:port/console
Click Deployments.
Click oam_server(11.1.2.0.0) on the Summary of Deployments page.
Click OAM_SERVER on the Summary of Servers page.
Go to the Control tab and click RESUME.
To redeploy Access Manager server applications and shared Access Manager libraries, complete the following steps:
Run the following command to launch the WebLogic Scripting Tool (WLST) from the location $MW_HOME/ORACLE_HOME/common/bin:
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Connect to the Administration Server using the following command:
connect('<weblogic_username>','<weblogic_password>','<weblogic_host>:<port>')
Run the following command to redeploy the applications and shared libraries:
redeployOAM("ORACLE_HOME","ORACLE_COMMON_HOME",adminTarget="Admin_server_name",serverTarget="oam_server")
Note:
If you are upgrading Oracle Access Manager high availability environments, specify the oam_cluster for the argument serverTarget while running the redeployOAM command.
Table 12-5 describes the parameters you need to specify on the command line:
Table 12-5 Parameters to be Specified When Running redeployOAM Command
Parameter | Description |
---|---|
ORACLE_HOME | Specify the absolute path to the Oracle Home. For example: On UNIX, it is located at On Windows, it is located at |
ORACLE_COMMON_HOME | Specify the absolute path to the Oracle common home. For example: On UNIX, it is located in the On Windows, it is located in the |
adminTarget | Specify the Administration Server name you had specified while configuring Access Manager. |
serverTarget | Specify the name of the Access Manager Server you had specified while configuring Access Manager Server. |
For example:
redeployOAM("/scratch/Oracle/Middleware/Oracle_IDM1","/scratch/Oracle/Middleware/oracle_common",adminTarget="AdminServer",serverTarget="OAM_SERVER")
Note:
You might see the following exception after the Access Manager server deployment. This is because tmp and stage directories still exist. You can ignore the errors:
HTTP:101216]Servlet: "AMInitServlet" failed to preload on startup in Web application: "oam". java.lang.ExceptionInInitializerError
at java.lang.J9VMInternals.initialize(J9VMInternals.java:222)
at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.checkAndInit(AbstractSessionAdapterImpl.java:97)
at oracle.security.am.engines.sso.adapter.AbstractSessionAdapterImpl.<init>(AbstractSessionAdapterImpl.java:75)
at oracle.security.am.engines.sso.adapter.MultipleUserSessionAdapterImpl.<init>(MultipleUserSessionAdapterImpl.java:56
at oracle.security.am.engines.sso.adapter.MultipleUserSessionAdapterImpl.<clinit>(MultipleUserSessionAdapterImpl.java:45)
at java.lang.J9VMInternals.initializeImpl(Native Method)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:200)
at oracle.security.am.engines.sso.adapter.SessionManagementAdapterFactory.getAdapter(SessionManagementAdapterFactory.java:46
Caused by: oracle.security.am.common.utilities.exception.AmRuntimeException:OAM Server Key initialization failed
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
When you execute the redeployOAM command, the following warning may be displayed:
"************************ Performing OAM Admin server deployment and Data Migration. This operation will take some time. Please wait until it completes.******"
Note that redeployment takes approximately 30 minutes to complete due to policy migration. In addition, note that the time for completion of redeployment also depends on the amount of data present in the Oracle Access Manager system that is being upgraded.
Exit the WLST console using the exit() command.
The deployment may fail if the SDP library is already installed as a part of the SOA or OIM deployments. For recovery procedure, see Section 25.2.3, "Exception While Deploying Application".
Note:
After redeploying Oracle Access Management Access Manager, you must verify that the following libraries and applications are deployed to Access Manager cluster (OAM_CLUSTER):
Libraries
oracle.oaam.libs (11.1.2.0.0)
oracle.sdp.client (11.1.1)
coherence (3.7.1.1)
oracle.idm.ids.config.ui (11.1.2,11.1.2)
oracle.idm.ipf (11.1.2,11.1.2)
Applications
oamsso_logout (11.1.2.0.0)
oam_server (11.1.2.0.0)
Stop the WebLogic Administration Server and the Access Manager Managed Server(s). For more information, see Section 24.1.9, "Stopping the Servers".
This step is required to uptake the new version of the Access Manager Managed Server. The redeploy command does not delete the tmp directories.
In order to deploy Oracle Access Manager 11.1.1.x.x server content and applications to Access Manager 11.1.2.3.0, you must delete all folders in the following location:
On UNIX: <MW_Home>/user_projects/domains/domain_home/servers/<OAM_MANAGED_SERVER_NAME>
On Windows: <MW_Home>\user_projects\domains\domain_home\servers\<OAM_MANAGED_SERVER_NAME>
For the Oracle Access Management 11.1.2.3.0 features to work, you must run the upgradeConfig() utility on the machine that hosts Administration Server. This utility upgrades the system configuration and policy store of Oracle Access Management to 11.1.2.3.0. This step is mandatory for the upgraded environment to work.
Note:
Compatibility mode is not supported for Oracle Access Manager 11.1.1.x.x upgrade. Therefore, it is mandatory to upgrade the system configurations in order to complete the Access Manager upgrade process.
To upgrade the system configuration of Oracle Access Management, do the following:
Stop the WebLogic Administration Server and the Access Manager Managed Server(s). For more information, see Section 24.1.9, "Stopping the Servers".
The upgradeConfig command needs to be run using the IPv4 stack. Therefore, you must add the following property to the wlst.sh file (on UNIX) or wlst.cmd file (on Windows) located at ORACLE_HOME/common/bin:
-Djava.net.preferIPv4Stack=true
To do this, open the wlst.sh or wlst.cmd file in a text editor, add the property, and save the file.
Run the following command to launch the WebLogic Scripting Tool (WLST) from the location $ORACLE_HOME/common/bin:
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Run the following command in offline mode:
upgradeConfig("domain_home", "sysdbaUser", "sysdbaPwd", "oamSchemaOwner", "oamdbJdbcUrl")
In this command,
domain_home is the absolute path to the Access Manager WebLogic domain.
sysdbaUser is the database username having sysdba privileges.
sysdbaPwd is the password of the database user having sysdba privileges.
oamSchemaOwner is the database username for OAM schema.
oamdbJdbcUrl is the JDBC URL to connect to the Access Manager database. The JDBC URL must be specified in the format "jdbc:oracle:thin:@<server_host>:<server_port>/<service_name>".
For example:
On UNIX:
upgradeConfig("/Oracle/Middleware/user_projects/domains/base_domain", "sys", "pwd", "PREFIX_OAM", "jdbc:oracle:thin:@localhost:1521/orcl")
On Windows:
upgradeConfig("C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain", "sys", "pwd", "PREFIX_OAM", "jdbc:oracle:thin:@localhost:1521/orcl")
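The inputs to upgradeConfig can be checked before WLST is launched. The following is an added example, not part of the Oracle documentation: it confirms that the IPv4 property is active in the WLST launcher script, that domain_home is absolute, and that the JDBC URL uses the host:port/service_name form (a host:port:SID URL is rejected). The function names and the sample launcher text are constructed for illustration.

```python
import re

IPV4_FLAG = "-Djava.net.preferIPv4Stack=true"
# Service-name form required by the page: jdbc:oracle:thin:@host:port/service
JDBC_URL_RE = re.compile(
    r"^jdbc:oracle:thin:@(?P<host>[^:/@\s]+):(?P<port>\d{1,5})/(?P<service>[^/:\s]+)$")

# Constructed stand-in for ORACLE_HOME/common/bin/wlst.sh, not Oracle's script.
SAMPLE_WLST_SH = """\
#!/bin/sh
# JVM_ARGS="-Djava.net.preferIPv4Stack=true"   (commented out, has no effect)
JVM_ARGS="-Dprod.props.file=example.properties"
eval java ${JVM_ARGS} weblogic.WLST
"""


def parse_jdbc_url(url):
    """Return (host, port, service) or None if the URL is not in that form."""
    m = JDBC_URL_RE.match(url)
    if not m or not 1 <= int(m.group("port")) <= 65535:
        return None
    return m.group("host"), int(m.group("port")), m.group("service")


def has_ipv4_flag(script_text):
    """True only if the flag sits on a line that is not a shell/batch comment."""
    for line in script_text.splitlines():
        s = line.strip()
        if s.startswith(("#", "::")) or s.lower().startswith("rem "):
            continue
        if IPV4_FLAG in s:
            return True
    return False


def preflight(script_text, domain_home, jdbc_url):
    """Collect problems with the upgradeConfig inputs before WLST is started."""
    problems = []
    if not has_ipv4_flag(script_text):
        problems.append("wlst script lacks " + IPV4_FLAG)
    if not (domain_home.startswith("/") or re.match(r"^[A-Za-z]:\\", domain_home)):
        problems.append("domain_home is not an absolute path")
    if parse_jdbc_url(jdbc_url) is None:
        problems.append("oamdbJdbcUrl is not host:port/service_name form")
    return problems
```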
Start the WebLogic Administration Server, Access Manager Managed Server(s), and the OMSS server. For more information, see Section 12.12, "Starting the Administration Server and Access Manager Managed Servers".
Extend the Oracle Access Management domain to include Oracle Mobile Security Suite (OMSS) and Policy Manager. Using the functionality of Oracle Mobile Security Suite is optional. However, you must perform this step to enable the Policy Manager.
For more information, see Section 24.3.1, "Extending the 11.1.2.3.0 Access Manager Domain to Include Mobile Security Suite and Policy Manager".
Note:
To start using the features of Oracle Mobile Security Suite, you must enable Oracle Mobile Security Suite as described in Section 12.19.1, "Optional: Enabling Oracle Mobile Security Suite".
This section describes the post-upgrade tasks required to enable the features of Access Manager 11.1.2.3.0. These tasks are optional.
This section includes the following topics:
If you wish to use the functionality of Oracle Mobile Security Suite, you must enable Oracle Mobile Security Suite after extending the Access Manager domain with Oracle Mobile Security Suite component.
For more information, see Section 24.3.2, "Enabling Oracle Mobile Security Suite".
Ensure that you assign necessary roles to the global role Admin, by setting the role conditions as IDM Administrators, Administrators, or OAMAdministrators.
For more information about creating and managing global security roles, see "Create global security roles" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help for 11g Release 1 (10.3.6).
Verify the Oracle Access Management upgrade by accessing the Oracle Access Management Access Manager Administration Console 11g Release 2 (11.1.2.3.0).
If you have enabled Oracle Mobile Security Suite (OMSS) and wish to use the functionality of OMSS, use the following URL to access the Access Manager Administration Console:
http://<oam_admin_server_host>:<oam_admin_server_port>/access
If you have not enabled Oracle Mobile Security Suite (OMSS), use the following URL to access the Access Manager Administration Console:
http://<oam_admin_server_host>:<oam_admin_server_port>/oamconsole
Note:
This note is applicable only to users who currently have Oracle Identity Manager and Oracle Access Manager components integrated in 11g R1 (11.1.1.5.1) or earlier versions, and are upgrading both Oracle Identity Manager and Access Manager to 11g Release 2 (11.1.2.3.0).
After upgrading the components to 11g Release 2 (11.1.2.3.0), see "Using the idmConfigTool Command" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.
For the list of common issues that you might encounter during the Oracle Access Management upgrade process, and their workarounds, see Section 25.2, "Troubleshooting Oracle Access Management Upgrade Issues".
For the list of known issues related to upgrade, and their workarounds, see "Upgrade and Migration Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for Identity Management.