Oracle® Application Server Upgrade and Compatibility Guide 10g (10.1.4.0.1) for Microsoft Windows Part Number B28235-01 |
Use the following sections to learn more about an alternative method of upgrading your OracleAS Identity Management environment:
Differences Between Data Migration and Typical OracleAS Identity Management Upgrade Procedures
Using the Data Migration Method of Upgrading OracleAS Identity Management
Before you use the instructions in this chapter, review Table C-1, which describes the differences between data migration and the more typical OracleAS Identity Management upgrade procedures described in Chapter 7, "Using Oracle Universal Installer to Upgrade Oracle Identity Management".
Use this table to be sure you use the upgrade procedure best suited for your OracleAS Identity Management environment.
Table C-1 Comparison of Data Migration and Typical OracleAS Identity Management Upgrade Procedure
Typical OracleAS Identity Management Upgrade | Data Migration Upgrade |
---|---|
Use Oracle Universal Installer to automatically: | |
All upgrade tasks are performed on one host on the same platform. | You can migrate your OracleAS Identity Management data from one host to another, and you can migrate data from one platform to another (for example, from UNIX to Microsoft Windows). |
After the upgrade, you use the destination Oracle home and the original source Oracle home is decommissioned. | After the data migration, you can continue using both the source and destination installations. The source installation is left untouched. |
This upgrade can be used only to upgrade from a previous version to a newer version. | This procedure can be used to upgrade to a newer version of Oracle Application Server or to move data between installations of the same version. |
During the upgrade, the OracleAS Identity Management services are down. | During this upgrade, no downtime is required, although Oracle Internet Directory should be placed in read-only mode while the data in the directory is backed up. |
The upgrade is relatively quick because many of the steps are automated. | The upgrade procedure usually takes longer than a typical OracleAS Identity Management upgrade because many of the steps are manual. |
Use the following steps to upgrade OracleAS Identity Management using the data migration method.
Task 1 Install a new, complete 10g (10.1.4.0.1) OracleAS Identity Management environment
You can install any of the supported OracleAS Identity Management topologies described in the Oracle Application Server Installation Guide. The new 10g (10.1.4.0.1) OracleAS Identity Management environment must include its own OracleAS Metadata Repository and database.
Review the following requirements when installing and configuring the new OracleAS Identity Management environment:
The database name you select during the installation must not conflict with the database in the source environment.
Do not install any other application server component against the new Identity management instance until the data migration is complete.
Do not load any user data before data migration is complete.
Test and verify that all identity management components are working smoothly.
During the installation, note the application server instance name, the ias_admin password, and the SYSTEM database user password that you specify for the new install. You will use this information during the remaining steps in the upgrade procedure.
Task 2 Back up the OracleAS Identity Management data in the source environment
Set the Oracle Internet Directory to read-only mode.
Create an LDIF file; for example, mod.ldif, with the following content (the empty dn addresses the root DSE, where the server mode is held):
dn:
changetype: modify
replace: orclservermode
orclservermode: ro
Run the following command to execute the LDIF file:
SOURCE_ORACLE_HOME\bin\ldapmodify -h source_oid_host -p port -D cn=orcladmin -w orcladmin_password -v -f mod.ldif
Setting Oracle Internet Directory to read-only is not strictly required, but if you do not set the directory to read-only, any changes made while you are backing up the directory will not be included in the backup, and the destination directory will not match the source.
Back up the Oracle Internet Directory by using the following commands:
SOURCE_ORACLE_HOME\bin\ldifwrite -c db_connect_string -b "cn=oraclecontext" -f bkp1.ldif
SOURCE_ORACLE_HOME\bin\ldifwrite -c db_connect_string -b "dc=com" -f bkp2.ldif
In these examples, replace db_connect_string with the Oracle Internet Directory database connect string. If you do not provide this string, it defaults to the value of the ORACLE_SID environment variable.
Also in this example, it is assumed that dc=com is the root of the subscriber. If you have additional subscribers, then execute an equivalent ldifwrite command for the root of each subscriber.
See Also: "ldifwrite" in the Oracle Identity Management User Reference |
Merge bkp1.ldif and bkp2.ldif into one file; for example, merge the two files into a file called bkp.ldif, and save the file in a known location so you can later load it into the new destination Oracle Internet Directory.
Set the source Oracle Internet Directory back to read-write mode.
Create an LDIF file; for example, modrw.ldif, with the following content:
dn:
changetype: modify
replace: orclservermode
orclservermode: rw
Run the following command to execute the LDIF file:
SOURCE_ORACLE_HOME\bin\ldapmodify -h source_oid_host -p port -D cn=orcladmin -w orcladmin_password -v -f modrw.ldif
Task 3 Back up the OracleAS Single Sign-On data in the source environment
Back up the OracleAS Single Sign-On data using the following command:
SOURCE_ORACLE_HOME\sso\bin\ssomig -export -s orasso -p source_database_orasso_schema_password -c source_SSO_database_connect_string -log_d full_log_directory_path
In this example:
Replace source_database_orasso_schema_password with the database schema password for OracleAS Single Sign-On.
This password is randomized during installation of the OracleAS infrastructure. To obtain the password, see Appendix B of the Oracle Application Server Single Sign-On Administrator's Guide.
Replace source_SSO_database_connect_string with the net service name for the OracleAS Single Sign-On database.
Replace full_log_directory_path with the name of the log directory.
This directory must be writable. The log file, the export configuration file, and the dump file are written here. Use the absolute path for the directory when running the script. The default is ORACLE_HOME\sso\log.
See Also: "Export and Import Script: Syntax and Parameters" in the Oracle Application Server Single Sign-On Administrator's Guide |
Task 4 Prepare the destination OracleAS Identity Management Oracle home for Data Migration
Back up the local registration information from the destination OracleAS Identity Management so it can be restored after you migrate the data from the source OracleAS Identity Management instance.
Note that the data saved in this backup file includes, in cleartext, the password for the new 10g (10.1.4.0.1) ORASSO schema. You will need to retrieve this password from the backup registration LDIF file that you create in this step, so store the file in a protected location and delete it when the migration is complete.
To back up the local registration information, including the ORASSO password, enter the following command:
DESTINATION_ORACLE_HOME\ldap\bin\remtool -backupmetadata -replica oidhost:oidport/repdnpwd -bkup ldiffilename
In this example:
Replace oidhost with the host name of the destination Oracle Internet Directory.
Replace oidport with the port at which the destination Oracle Internet Directory is listening.
Replace repdnpwd with the replication DN password of the destination Oracle Internet Directory, which by default is the same as the cn=orcladmin password after the installation.
Replace ldiffilename with the name of the ldif file that will contain the backed up registration data.
See Also: "remtool" in the Oracle Identity Management User Reference |
Merge the destination OracleAS Identity Management schema with the source OracleAS Identity Management schema:
DESTINATION_ORACLE_HOME\bin\schemasync -srchost source_oid_hostname -srcport source_oid_port_number -srcdn source_oid_privileged_DN -srcpwd source_oid_privileged_DN_password -dsthost destination_oid_hostname -dstport destination_oid_port -dstdn destination_oid_privileged_dn -dstpwd destination_oid_privileged_DN_password -ldap
In this example, replace source_oid_privileged_DN and destination_oid_privileged_DN with the distinguished name of the user used to bind to the directory. This user must have permissions to modify the directory schema, for example the super user (cn=orcladmin).
The -ldap parameter is optional. If you include the -ldap parameter, then the schema changes are applied directly from the source Oracle Internet Directory to the destination Oracle Internet Directory. If you do not include the -ldap parameter, then the new attribute definitions are saved to the following LDIF file:
ORACLE_HOME\ldap\odi\data\attributetypes.ldif
And the object class definitions are saved to the following LDIF file:
ORACLE_HOME\ldap\odi\data\objectclasses.ldif
Any errors that occur during the schema synchronization are logged in the following log files:
ORACLE_HOME\ldap\odi\log\attributetypes.log
ORACLE_HOME\ldap\odi\log\objectclasses.log
See Also: "schemasync " in the Oracle Identity Management User Reference |
Stop the Oracle Internet Directory in the destination Oracle home using OPMN:
DESTINATION_ORACLE_HOME\opmn\bin\opmnctl stopall
Clean up any conflicting data from the destination Oracle Internet Directory by running the following commands:
DESTINATION_ORACLE_HOME\ldap\bin\bulkdelete connect="db_connect_string" basedn="cn=OracleContext"
DESTINATION_ORACLE_HOME\ldap\bin\bulkdelete connect="db_connect_string" basedn="dc=com"
This example assumes that dc=com is the root of the subscriber. If you have additional subscribers, then use an equivalent bulkdelete command for the root of each additional subscriber.
Task 5 Load the source Oracle Internet Directory data into the destination Oracle Internet Directory
Copy the bkp.ldif file to the destination host using an appropriate file transfer method. The file contains user password hashes and password verifiers, so prefer a protected channel (for example, SFTP rather than plain FTP), restrict access to the copy, and delete it when the migration is complete.
Comment any ACL attributes in the LDIF file that are not defined in the directory schema.
With the 10g (10.1.4.0.1) release, Oracle Internet Directory introduces a new restriction for Access Control Lists (orclaci and orclentrylevelaci attributes). Specifically, you cannot specify attribute names that are not defined in the directory schema. As a result, while adding or migrating entries from previous Oracle Internet Directory releases, the load operation will fail if any entries have ACLs that reference attribute names not defined in the directory schema.
To avoid this problem, in the bkp.ldif file, comment any ACLs that have undefined attributes.
For example, the following 10g Release 2 (10.1.2) entry references attributes in its attr=(...) list that are not defined in the directory schema:
orclaci: access to attr=(orclUserApplnProvStatus,orclUserApplnProvStatusDesc,orclUserProvFailureCount) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by self (read,search,nowrite,compare) by * (none)
To avoid this problem, comment the entry as follows, before loading or verifying the LDIF file:
# orclaci: access to attr=(orclUserApplnProvStatus,orclUserApplnProvStatusDesc,orclUserProvFailureCount) by group="cn=oracledasedituser,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by group="cn=oracledascreateuser,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (read,search,write,compare) by self (read,search,nowrite,compare) by * (none)
Verify the backup data in the LDIF file:
DESTINATION_ORACLE_HOME\ldap\bin\bulkload connect="destination_oid_connect_string" check=true restore=true file="path_to_bkp.ldif\bkp.ldif"
In this example, replace path_to_bkp.ldif with the path to the location where you stored the backup LDIF files.
After running the bulkload check command, check the contents of the following log files:
DESTINATION_ORACLE_HOME\ldap\log\bulkload.log
DESTINATION_ORACLE_HOME\ldap\load\badentry.ldif
If necessary, correct the LDIF file and run the bulkload check command again, repeating until no errors are reported in the log files.
For example, look for these common error messages:
Error Message: DN Error --- DN "<DN of the error entry>", rc=0
Action: An entry in the ldif file has an invalid DN and cannot be loaded into the destination Oracle Internet Directory. Remove this entry from the ldif file.
Error Message: ERROR * gslsbzCheckDupAttrValinEntry : Dupl Value {X- ORCLLMV}4F6500711D4185249B624840E0439040 found
Action: An entry in the ldif file has duplicate values for password verifiers. Clean up the entries that have duplicate password verifiers.
Load the source Oracle Internet Directory data into the destination Oracle Internet Directory:
DESTINATION_ORACLE_HOME\ldap\bin\bulkload connect="destination_oid_connect_string" generate=true check=true restore=true load=true file="path_to_bkp.ldif\bkp.ldif"
In this example, replace path_to_bkp.ldif with the path to the location where you stored the backup LDIF files.
Check the log files again to be sure no errors were generated while the data was loaded into the destination Oracle Internet Directory. Errors in this step (such as index creation errors) can cause serious problems later.
Task 6 Obtain the ORASSO Schema Password for the Destination Database
When you migrate the OracleAS Single Sign-On data to the destination database, you will need the password for the ORASSO schema.
You can obtain this password from the registration data backup LDIF file, which you created with remtool in Task 4, "Prepare the destination OracleAS Identity Management Oracle home for Data Migration".
Use a text editor to open the registration data LDIF file you created in Task 4.
Locate the following entry in the LDIF file:
orclresourcename=ORASSO, orclReferenceName=database_global_name, cn=IAS Infrastructure Databases, cn=IAS, cn=Products, cn=OracleContext
The password is stored as the value of the orclpasswordattribute attribute of this entry.
For example, in the following entry the ORASSO schema password is welcome1:
dn: OrclResourceName=ORASSO,orclReferenceName=orcl.myhostdb1.us.oracle.com,
 cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
orclflexattribute1: true
orclpasswordattribute: welcome1
orclresourcename: ORASSO
objectclass: orclResourceDescriptor
objectclass: top
Close the backup LDIF file without saving any changes to the file.
Task 7 Migrate the OracleAS Single Sign-On data
Copy the files created when you backed up the OracleAS Single Sign-On data in the source environment in Task 3 to the destination host.
Use an appropriate file transfer method for copying the files to the destination host; the dump file contains Single Sign-On data, so prefer a protected channel such as SFTP over plain FTP. The files to copy are ssomig.dmp and ssoconf.log. By default, these files are created in the following directory in the source environment:
SOURCE_ORACLE_HOME\sso\log
Enter the following command to import the Single Sign-On data:
DESTINATION_ORACLE_HOME\sso\bin\ssomig -import -overwrite -s orasso -p destination_orasso_schema_password -c destination_SSO_database_connect_string -log_d full_log_directory_path -log_f imp.log
In the above example:
Replace full_log_directory_path with the directory location where you copied the SSO data files (ssomig.dmp and ssoconf.log).
Replace destination_orasso_schema_password with the ORASSO schema password of the destination database. You should have obtained this password in Task 6, "Obtain the ORASSO Schema Password for the Destination Database".
Replace destination_SSO_database_connect_string with the net service name for the destination OracleAS Single Sign-On database, which is the database the data is imported into.
See Also: "Export and Import Script: Syntax and Parameters" in the Oracle Application Server Single Sign-On Administrator's Guide |
Task 8 Completing the OracleAS Identity Management Data Migration
Start the Oracle Internet Directory in the destination Oracle home using the oidmon command utility:
DESTINATION_ORACLE_HOME\bin\oidmon connect=destination_oid_db start
It is important that you use oidmon and not OPMN for this step because oidmon starts only the Oracle Internet Directory processes and not any of the other OPMN-managed components in the Oracle home.
Restore the local registration information for the destination OracleAS Identity Management Oracle home that you saved in Task 4, "Prepare the destination OracleAS Identity Management Oracle home for Data Migration", as follows:
Open the file where local registration information is stored and comment all lines that start with the attribute name "authpassword".
For example:
dn: orclApplicationCommonName=im1014.myhost.mydomain.com,cn=IAS Instances,
 cn=IAS,cn=Products,cn=OracleContext
objectclass: top
objectclass: orclApplicationEntity
orclapplicationcommonname: im1014b.stadd54.us.oracle.com
userpassword: {SHA}lyWKMuTVIxQ5p8IvhHcIxyGIQxY=
#authpassword;oid: {SASL/MD5}trJGtjPG5zHYJ2a6BvIqJg==
#authpassword;oid: {SASL/MD5-DN}HGuSwmmhGqW9zm37F7HhOA==
#authpassword;oid: {SASL/MD5-U}K343/kWyrYqRR/Wi1ArXMA==
Restore the local registration information, as follows:
DESTINATION_ORACLE_HOME\bin\ldapadd -h destination_oid_hostname -p destination_oid_port -v -f locreg.ldif -D super_user_DN -w bindpassword -c
In this example, it is assumed that you saved the local registration information in a file called locreg.ldif
.
Note that while restoring the local registration entries, the addition of some entries will fail. This is expected and you will see errors as shown in the following example:
adding new entry cn=OperationURLs,cn=DAS,cn=Products,cn=OracleContext
ldap_add: Already exists
ldap_add: additional info: Object already exists
adding new entry orclApplicationCommonName=ORASSO_SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
ldap_add: Already exists
ldap_add: additional info: Object already exists
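Three of the hand edits in this procedure are error-prone on a large export: commenting out ACLs that reference attributes missing from the 10g (10.1.4.0.1) schema (Task 5), reading the ORASSO schema password out of the remtool backup (Task 6), and commenting the authpassword lines before re-adding the local registration data (the step above). The following Python script is an added example, not part of this guide or of Oracle's tooling; it performs those three edits with a small LDIF reader that understands folded continuation lines. The set of schema-defined attribute names, the file names and the sample records are constructed assumptions: in practice the defined attribute names would come from the destination directory schema (cn=subschemasubentry).

```python
import re

# Added example, not part of this guide or of Oracle's tooling: LDIF helpers
# for the hand edits in Tasks 5, 6 and 8. The schema attribute set, file names
# and sample records used here are constructed assumptions.
ACI_ATTRS = {"orclaci", "orclentrylevelaci"}
ATTR_LIST_RE = re.compile(r"attr\s*=\s*\(([^)]*)\)", re.IGNORECASE)

def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def attr_name(line):
    """Lower-cased attribute name without options ('authpassword;oid' ->
    'authpassword'); None for comment or blank lines."""
    name, sep, _ = line.partition(":")
    if not sep or line.startswith("#"):
        return None
    return name.split(";", 1)[0].strip().lower()

def comment_undefined_acis(text, defined_attrs):
    """Task 5: comment out orclaci/orclentrylevelaci values whose attr=(...)
    list names an attribute missing from defined_attrs (case-insensitive;
    the wildcard '*' is always allowed). Returns (new_text, values_commented)."""
    defined = {a.lower() for a in defined_attrs}
    out, hits = [], 0
    for line in unfold(text):
        if attr_name(line) in ACI_ATTRS:
            names = {n.strip().lower()
                     for group in ATTR_LIST_RE.findall(line)
                     for n in group.split(",") if n.strip() not in ("", "*")}
            if names - defined:
                line, hits = "# " + line, hits + 1
        out.append(line)
    return "\n".join(out) + "\n", hits

def entries(text):
    """Split unfolded LDIF into (dn, {attr: [values]}) records."""
    records, attrs, dn = [], {}, None
    for line in unfold(text) + [""]:
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name = attr_name(line)
        if name is None:
            continue
        value = line.partition(":")[2].strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records

def orasso_password(text, resource="ORASSO"):
    """Task 6: orclpasswordattribute of the orclResourceName=<resource> entry
    under cn=IAS Infrastructure Databases, or None if the entry is absent."""
    for dn, attrs in entries(text):
        flat = re.sub(r"\s+", "", dn).lower()
        if (flat.startswith(f"orclresourcename={resource.lower()},")
                and "cn=iasinfrastructuredatabases" in flat):
            return attrs.get("orclpasswordattribute", [None])[0]
    return None

def comment_authpassword(text):
    """Task 8: comment every authpassword line (any option, e.g. authpassword;oid)
    so ldapadd does not try to re-add the stored SASL verifiers."""
    out = []
    for line in unfold(text):
        if attr_name(line) == "authpassword":
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed samples (not real exports): a bkp.ldif entry whose first ACL
# names an attribute absent from the assumed schema, and a remtool backup.
SAMPLE_BKP = """dn: cn=Users,cn=OracleContext,dc=com
objectclass: top
orclaci: access to attr=(orclUserApplnProvStatus,orclUserProvFailureCount) by
  group="cn=oracledasedituser,cn=groups,cn=OracleContext,dc=com" (read,search
 ,write,compare) by * (none)
orclaci: access to attr=(cn,sn) by * (read,search,compare)
"""
SAMPLE_REG = """dn: orclApplicationCommonName=im1014.myhost.mydomain.com,cn=IAS Instances,
 cn=IAS,cn=Products,cn=OracleContext
userpassword: {SHA}lyWKMuTVIxQ5p8IvhHcIxyGIQxY=
authpassword;oid: {SASL/MD5}trJGtjPG5zHYJ2a6BvIqJg==
authpassword;oid: {SASL/MD5-DN}HGuSwmmhGqW9zm37F7HhOA==

dn: OrclResourceName=ORASSO,orclReferenceName=orcl.dbhost.example.com,
 cn=IAS Infrastructure Databases,cn=IAS,cn=Products,cn=OracleContext
orclpasswordattribute: welcome1
orclresourcename: ORASSO
objectclass: orclResourceDescriptor
"""
```

Run comment_undefined_acis over bkp.ldif before the bulkload check, orasso_password over the remtool backup, and comment_authpassword over locreg.ldif before the ldapadd. Write the returned text to a new file rather than over the original so the unmodified export remains available if a bulkload error has to be traced back to its source entry.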
If Oracle Delegated Administration Services is configured, modify the entries for the service using the following steps.
The entries for Oracle Delegated Administration Services and OracleAS Single Sign-On must refer to the local, destination instance of the service. However, because of the migration procedure, these entries now point to the source Oracle home. Replace these values with the correct information for the destination Oracle home:
Open the locreg.ldif file you created in Task 4, "Prepare the destination OracleAS Identity Management Oracle home for Data Migration", and then locate and copy the Oracle Delegated Administration Services URL from the file contents.
The DN of the DAS URL container entry is as follows:
"cn=OperationURLs, cn=DAS, cn=Products, cn=OracleContext"
It is usually the next-to-last entry in the file.
Create an LDIF file called change_das_url.ldif with the following contents:
dn: cn=OperationURLs,cn=DAS,cn=Products,cn=OracleContext
changetype: modify
replace: orcldasurlbase
orcldasurlbase: URL_from_backup_file
Execute the following command to change the DAS URL:
DESTINATION_ORACLE_HOME\bin\ldapmodify -p destination_directory_port -h destination_directory_host -D super_user_DN -w super_user_password -f change_das_url.ldif
If OracleAS Single Sign-On is configured, modify the OracleAS Single Sign-On (ORASSO) schema password using the following steps:
Create an LDIF file called change_sso_password.ldif
with the following contents:
dn: orclApplicationCommonName=ORASSO_SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
changetype: modify
replace: userpassword
userpassword: specify_a_new_password
Execute the following command to modify the password of OracleAS Single Sign-On entry in Oracle Internet Directory:
DESTINATION_ORACLE_HOME\bin\ldapmodify -p destination_directory_port -h destination_directory_host -D super_user_DN -w super_user_password -f change_sso_password.ldif
Change directory to the following directory in the destination Oracle home:
DESTINATION_ORACLE_HOME\sso\admin\plsql\sso
Log in to the database using SQL*Plus as the ORASSO schema user, with the destination Oracle home ORASSO schema password.
At this point in the procedure, you should have obtained the ORASSO schema password as described in Task 6, "Obtain the ORASSO Schema Password for the Destination Database".
Run the ssooconf.sql script by issuing the following command:
SQL> @ssooconf.sql
This script prompts for the following values:
Enter value for new_oid_host :
Enter value for new_oid_port :
Enter value for new_ssoserver_password :
Enter value for new_ldapusessl :
In response to the Enter value for new_ssoserver_password prompt, enter the new OracleAS Single Sign-On password that you specified in the change_sso_password.ldif LDIF file earlier in this step.
For all other prompts, accept the defaults by pressing the Enter or Return key.
Reset the ias_admin
instance password using the following command:
DESTINATION_ORACLE_HOME\bin\resetiASpasswd.bat cn=orcladmin orcladmin_pwd complete_path_to_destination_oracle_home
See Also: "Changing Instance Passwords in Oracle Internet Directory" in the Oracle Application Server Security Guide |
If you are using the data migration procedure to upgrade Oracle Internet Directory to 10g (10.1.4.0.1), the password policies that were migrated to the new directory will, by default, no longer behave as intended after they are loaded into the 10g (10.1.4.0.1) directory.
To update the password policies so they will work in the new 10g (10.1.4.0.1) environment, use the following procedure:
Add the following directories to the PATH environment variable:
DESTINATION_ORACLE_HOME\bin
DESTINATION_ORACLE_HOME\network\bin
Use the following command-line tool to update the password policies in the 10g (10.1.4.0.1) Oracle Internet Directory:
java -cp DESTINATION_ORACLE_HOME\ldap\postcfg\oidca.jar;DESTINATION_ORACLE_HOME\jlib\ldapjclnt10.jar oracle.ldap.oidinstall.backend.OIDUpgradePasswordPolicies host port bindDN bindPassword ORACLE_HOME protocol
Note that all the arguments shown in the previous example must be entered on one line. They are shown in this format to make it easier to identify the required arguments.
Table C-2 describes the arguments and the values you must provide.
After you run the password policies command-line tool, you can review the actions performed by the tool by reviewing the log file at:
DESTINATION_ORACLE_HOME\ldap\log\ppUpgrade.log
Table C-2 Arguments to the Oracle Internet Directory Password Policies Command-Line Tool
Argument | Description |
---|---|
host | The name of the host computer on which Oracle Internet Directory 10g (10.1.4.0.1) is running. |
port | The port on which Oracle Internet Directory 10g (10.1.4.0.1) is listening. |
bindDN | The Distinguished Name (DN) of a privileged admin user (usually, cn=orcladmin). |
bindPassword | The password associated with the DN you provided as the bindDN. |
ORACLE_HOME | The Oracle home of the Oracle Internet Directory instance. |
protocol | Use this optional argument to specify that you are using a secure (SSL) connection to the directory. If you are using SSL, enter "ssl" in place of protocol in the example. |
Upgrade the oraclecontext and subscriber context for the destination OracleAS Identity Management installation, as follows:
Note: This step (upgrading the oraclecontext and subscriber context) is applicable only when the source OracleAS Identity Management and the destination OracleAS Identity Management are of different versions. For example, you must run this step when using data migration to upgrade from 10g (9.0.4) to 10g (10.1.4.0.1). |
Run the following command to upgrade the Oracle Internet Directory metadata as part of a migration from a previous version of OracleAS Identity Management to 10g (10.1.4.0.1):
DESTINATION_ORACLE_HOME\bin\oidca mode=UPGRADE -silent dbuser=DBA_user dbpwd=DBA_user_password connstr=TNS_alias_db_connect_string sudn=oid_superuser_dn supwd=oid_superuser_password iasinstance=app_server_instance_name iaspwd=ias_admin_password
Table C-3 describes the arguments and values you should provide when you specify UPGRADE mode for oidca.
Note that all the arguments shown in the previous example must be entered on one line. They are shown in this format to make it easier to identify the required arguments.
Table C-3 Summary of Arguments To Use For oidca in UPGRADE Mode
Argument | Description |
---|---|
dbuser | Any database user account that has DBA privileges. The SYSTEM user account has DBA privileges and can be used for this connection. |
dbpwd | Password of the database account specified in the dbuser argument. For the SYSTEM account, the password was specified during the installation. |
connstr | Connect string for the destination Oracle home database. |
sudn | The super user DN, which is cn=orcladmin. |
supwd | The password of the super user DN. By default, the super user DN password is set to the same value as the ias_admin password specified at the time of install. |
iasinstance | The name of the Oracle Application Server instance that you specified at the time of install. |
iaspwd | The ias_admin password of the destination Oracle Application Server instance. |
Run the following command to upgrade the Oracle Directory Integration Platform metadata:
DESTINATION_ORACLE_HOME\bin\oidca mode=DIPUPGRADE -silent oidhost=oid_host sslport=oid_ssl_port sudn=oid_user_dn supwd=oid_user_password odspwd=oid_db_schema_password connstr=TNS_Alias_connect_string iasinstance=1014_iasinstance_name iaspwd=ias_admin_password -migrateprofiledata masteroidhost=host_of_oid_in_source_environment masteroidport=ssl_or_nonssl_port_in_source_environment [-ssl] mastersudn=user_dn_of_oid_in_source_environment mastersupwd=user_password_of_oid_in_source_environment
Note that if you are using the SSL port for the masteroidport parameter, you must include the -ssl argument to identify it as an SSL port.
The arguments shown in the previous example must be entered on one line. They are shown in this format to make it easier to identify the required arguments.
Table C-4 describes the arguments and values you should provide when you specify DIPUPGRADE mode for oidca.
Table C-4 Summary of Arguments To Use For oidca in DIPUPGRADE Mode
Argument | Description |
---|---|
oidhost | Host name where the destination Oracle Internet Directory server is running. |
sslport | SSL port of the destination Oracle Internet Directory server; you must specify the SSL port of the directory; you cannot use the non-SSL port with DIPUPGRADE mode. |
sudn | The super user DN, which is cn=orcladmin. |
supwd | The password of the super user DN. By default, the super user DN password is set to the same value as the ias_admin password specified at the time of install. |
odspwd | The password of the ODS database user account. By default, the ODS user password is the same as the ias_admin password. |
connstr | Connect string for the destination Oracle home database. |
iasinstance | The name of the Oracle Application Server instance that you specified at the time of install. |
iaspwd | The ias_admin password of the destination Oracle Application Server instance. |
masteroidhost | The host name where the source Oracle Internet Directory is running. |
masteroidport | The port number of the source Oracle Internet Directory. |
mastersudn | The super user DN of the source Oracle Internet Directory. It is normally cn=orcladmin. |
mastersupwd | The password of the super user DN of the source Oracle Internet Directory. |
Stop the Oracle Internet Directory using the oidmon utility:
DESTINATION_ORACLE_HOME\bin\oidmon connect=destination_oid_db stop
Start the Oracle Internet Directory and all the components in the destination Oracle home using OPMN:
DESTINATION_ORACLE_HOME\opmn\bin\opmnctl startall