7 Upgrading Access System Schema and Data In Place

If your installation does not include Access System components, you can skip this chapter. This chapter is intended to be used by directory server administrators who are responsible for maintaining and updating directory schemas and data.

This chapter explains what you must do and the order in which you must perform the Access System schema and data upgrade in place. Topics include:

About Access System Schema and Data Upgrades
Upgrading the Schema and Data with the Master Access Manager Component
Uploading Directory Server Index Files
Verifying the Access Schema and Data Upgrade
Creating a Temporary Directory Profile For Access System Upgrades
Backing Up Upgraded Policy Data
Recovering From an Access System Schema or Data Upgrade Failure
Looking Ahead

Note:

If you are using the zero downtime method, skip this chapter and see Part VI. If your starting Oracle Access Manager release is earlier than 6.1.1, contact Oracle Support before upgrading: http://www.oracle.com/support/contact.html

7.1 About Access System Schema and Data Upgrades

After upgrading the Identity System schema and data (with the master Identity Server and including a master WebPass upgrade), you are ready to upgrade the Access System schema and data.

Figure 7-1 illustrates the Access System schema and data upgrade tasks. As you can see, in addition to performing and verifying this upgrade you must create a temporary directory profile for later Access System component upgrades. Additional notes follow the figure. Refer to your own planning summaries and use the tracking summaries in Appendix F to check your progress.

Figure 7-1 Access System Schema and Data Upgrade Tasks

Description of "Figure 7-1 Access System Schema and Data Upgrade Tasks"

Task overview: Upgrading Access System schema and data

Perform all schema and data preparation tasks in Chapter 5.
Upgrade the newly added master Access Manager and accept the automatic schema and data upgrade, as explained in "Upgrading the Schema and Data with the Master Access Manager Component".

Note:
Problems During the Upgrade: See troubleshooting tips in Appendix G.
Upgrade Successful: Perform the activities in the following list, in sequence:
- Uploading Directory Server Index Files
- Verifying the Access Schema and Data Upgrade
- Creating a Temporary Directory Profile For Access System Upgrades that grants the Access Server write access to policy data and ensures that information in the WebGatestatic.lst file is written to the directory server appropriately.
- Backing Up Upgraded Policy Data
Upgrade Not Successful: Proceed to "Recovering From an Access System Schema or Data Upgrade Failure".

7.2 Upgrading the Schema and Data with the Master Access Manager Component

During this task, you upgrade the master Access Manager component (now known as the Policy Manager) instance that you added for this purpose, and accept the automatic schema and data upgrade.

Figure 7-2 illustrates the program-driven upgrade process and the points at which you must respond during this upgrade.

Figure 7-2 Access System Schema and Policy Data Upgrade Process

Description of "Figure 7-2 Access System Schema and Policy Data Upgrade Process "

Task overview: Upgrading the Access System schema and data includes

Starting the Master Access Manager Upgrade
Specifying the Target Directory and Languages
Updating the Access System Schema and Policy Data
Upgrading the Access Manager and Web Server Configuration Files
Finishing and Verifying the Access System Schema and Data Upgrade

7.2.1 Access System Schema and Data Upgrade Prerequisites

Before you begin upgrading the master Access Manager, check the tasks in Table 7-1 to ensure you have completed these.

Failure to complete prerequisites can adversely affect your upgrade.

Table 7-1 Access System Schema and Data Upgrade Prerequisites

Access System Schema and Data Upgrade Prerequisites
Familiarize yourself with information in Part I, "Introduction"
Perform all required steps for schema and data preparation in Chapter 5. If you have a multi-language environment, see "Preparing Multi-Language Installations". If you are upgrading a release 6.x installation, see "Preparing Release 6.x Environments".
Perform the Identity System schema and data upgrade, and back up upgraded data, as described in Chapter 6.

Access System Schema and Data Upgrade Prerequisites

Familiarize yourself with information in Part I, "Introduction"

Perform all required steps for schema and data preparation in Chapter 5.

If you have a multi-language environment, see "Preparing Multi-Language Installations".
If you are upgrading a release 6.x installation, see "Preparing Release 6.x Environments".

Perform the Identity System schema and data upgrade, and back up upgraded data, as described in Chapter 6.

7.2.2 Starting the Master Access Manager Upgrade

Again, you use the 10g (10.1.4.0.1) Policy Manager installer for your specific Web server to launch the upgrade. The sample upgrade described here starts from release 6.1.1. The GUI method and recommended Automatic mode are used to illustrate messages you see, responses you give, and the sequence of events. Your starting release and environment might differ.

Note:

Should an error occur, the name of the log file that contains information about the error is identified on the screen. For more information, see "Accessing Log Files".

To start the Access System schema and data upgrade (master Access Manager)

Confirm that you have completed all prerequisites for this upgrade, as listed in "Access System Schema and Data Upgrade Prerequisites".
Log in as a user with the appropriate administrator privileges to upgrade the schema and Oracle Access Manager files.
Stop the master Access Manager Web server.
Locate and launch the 10g (10.1.4.0.1) Policy Manager installer using your preferred method:

GUI Method, Windows:

Oracle_Access_Manager10_1_4_0_1_Win32_NSAPI_PolicyManager.exe

Console Method, Solaris:

./Oracle_Access_Manager10_1_4_0_1_sparc-s2_NSAPI_PolicyManager

The Welcome screen appears.
Dismiss the Welcome screen.
Respond to the administrator question based upon your platform. For example:

7.2.3 Specifying the Target Directory and Languages

You specify the same target directory as the master Access Manager component. When you accept the upgrade, the target directory is created and 10g (10.1.4.0.1) files are extracted into it. You are then asked to select the languages that you would like to upgrade.

To specify the target Access Manager directory and languages

Choose the directory where you installed the instance you added, then click Next.
Accept the upgrade by clicking Yes, then click Next
Ensure that a check mark appears beside English and any other languages you are upgrading, then click Next.
Confirm the languages listed.
Record the time-stamped directory name and continue.
Note the amount of disk space required, then start the file extraction into the target directory.

You are asked to specify a mode for the upgrade process: Automatic or Confirmed.

If you are using Console method, the installation script exits and a transcript appears. Run the command in the transcript then continue with step 9. (On Unix, the command is printed to a file (start_migration), and a message is printed to run this file.)

Press the number for your choice., then review messages that appear. For example:

Creating orig folders ...
----------------------------------------------------
Copying general configuration files
OK.
----------------------------------------------------
Updating parameter catalogs ...
OK.
----------------------------------------------------

Proceed with "Updating the Access System Schema and Policy Data" next.

7.2.4 Updating the Access System Schema and Policy Data

Oracle recommends that you accept the automatic update of the schema and data. The Access System schema and data are upgraded as follows:

If Oracle Access Manager policy data is stored in the same directory as user and configuration data, the schema was updated during the master Identity Server upgrade. In this case, only policy data is updated during the master Access Manager upgrade.
If Oracle Access Manager policy data is stored separately from user and configuration data, both the schema and policy data are upgraded during the master Access Manager upgrade.

The first update is detected automatically and you are not asked about schema or data updates during remaining Access Manager upgrades.

Starting with release 6.5, the Access System began using directory server profiles and database instance profiles for accessing user data. As a result, during the incremental upgrade from 6.1.1 to 6.5, a message informs you that a directory server profile is created ("DB Profiles created"), as illustrated in the next procedure. If your starting release is 6.5 or later, you won't see this message.

To upgrade the Access System schema and policy data

Review the messages and note the directory path when it appears.

-------------------------------------
Starting migration 6.1.1 -> 6.5.0 )...
-------------------------------------
Oracle Access Manager schema migration....
  Retrieving Policy configuration parameters...
  OK.
-------------------------------------
Oracle Access Manager data migration....
  Retrieving Policy configuration parameters...
  OK.
Checking Access Policy version
Version not up to date. Performing Access Policy data migration
Updating Access Policy migration parameters..

The following directory server's schema will be updated:
                        Host:DNShostname.domain.com
                        Port: port#
                        Type:ns

NOTE: If you do not want to migrate schema at this time,
                type 'SKIP'.
Please type 'yes' to proceed:

Type the full word "yes" to update policy data, which can also include a schema upgrade. For example:

Yes
     OK

The transcript continues.

-------------------------------------
Converting Access Policy data. Please wait..
.....
OK
Removing old Access Policy data. Please wait ..
........
OK
Importing new Access Policy data. Please wait ...
OK
-----------------------------
Oracle Access Manager data migration has completed successfully.
Press <ENTER> to continue :

Press the Enter Key when the data upgrade completes and continue with the retrieval of Oracle Access Manager configuration parameters and database profile creation (if your starting release was 7.x you will not see the DB Profiles created message.
```
-------------------------------------
        Retrieving Oracle configuration parameters...
DB Profiles created.
-----------------------------
```
Continue with "Upgrading the Access Manager and Web Server Configuration Files" next.

7.2.5 Upgrading the Access Manager and Web Server Configuration Files

During this sequence the component-configuration upgrade is completed for the master Access Manager. This includes Web server configuration updates and policy data configuration parameters.

To upgrade the Web Server and Access Manager configuration

Review messages and respond appropriately for your environment when asked.

-------------------------------------
Updating web server configuration files...
Connecting to server ...Done.
OK.
-------------------------------------
Updating component-specific configuration files...
OK.
-------------------------------------
Starting migration ( 6.5.0 -> 7.0.0 )...
-------------------------------------
Oracle Access Manager schema migration....
Retrieving Policy configuration parameters...
OK.
-------------------------------------
Checking Access Policy version ...
Version not up to date. Performing Access Policy data migration ...

Updating Access Policy migration parameters...
The following directory server's schema will be updated:
                        Host:DNShostname.domain.com
                        Port: port#
                        Type:ns
NOTE: If you do not want to migrate schema at this time,
                                        type 'SKIP'.
Please type 'yes' to proceed:

Continue the upgrade as directed.

yes

The process continues, as indicated here.

Converting Access Policy data. Please wait...
.....
OK.
Removing old Access Polidy data. Please wait ...
.....
OK.
Cleaning up obsolete schema from the directory.
Deleting Obsolete schema for policy. Please wait.
Importing new Access Policy data. Please wait...
OK.
-----------------------------------------
Oracle Access Manager data migration has completed successfully.
Press <ENTER> to continue :

Respond after the data upgrade and notice that Web server configuration and component-specific upgrades occur next.

Enter
-------------------------------------
Updating web server configuration files...
OK.
-------------------------------------
Updating component-specific configuration files...
OK.
-------------------------------------
Starting migration ( 6.5.0 -> 7.0.0 )...
-------------------------------------
Oracle Access Manager schema migration....
Retrieving Policy configuration parameters...
OK.
-------------------------------------
Oracle Access Manager data migration....
Retrieving Policy configuration parameters...
OK.
-------------------------------------
Checking Access Policy version ...
Version not up to date. Performing Access Policy data migration ...

Updating Access Policy migration parameters...
The following directory server's schema will be updated:
                        Host:DNShostname.domain.com
                        Port: port#
                        Type:ns
NOTE: If you do not want to migrate schema at this time,
                                        type 'SKIP'.
Please type 'yes' to proceed:

Type the full word "yes" to continue.

yes

OK.
Converting Access Policy data. Please wait...
OK.
Removing old Access Policy data. Please wait ...
OK.
Importing new Access Policy data. Please wait...
OK.
----------------------------------------
Oracle Access Manager data migration has completed successfully.
Press <ENTER> to continue :

Continue with component-specific configuration for release 7.0 to 10g (10.1.4.0.1), if needed:

Enter
Updating component-specific configuration files.
...
Converting Access Policy data. Please wait...
OK.
Removing old Access Policy data. Please wait ...
OK.
Importing new Access Policy data. Please wait...
OK.
----------------------------------------
Oracle Access Manager data migration has completed successfully.
Press <ENTER> to continue :

Directory permissions copied ... C:\NetPoint\WebComponent\access_20060223_180406\oblix)
C:\NetPoint\WebComponent\access\oblix)
---------------------------------------------------
Migration has completed successfully!
Press <ENTER> to continue.

When this phase completes, continue as instructed on the screen and proceed to "Finishing and Verifying the Access System Schema and Data Upgrade".

7.2.6 Finishing and Verifying the Access System Schema and Data Upgrade

You finish the master Access Manager upgrade as described next.

To finish and verify the Access System schema and data upgrade

Apply any changes to the Web server configuration file, if needed.
Start the upgraded Access Manager Web server to confirm that this upgrade was successful.
Web Server Does Not Start: See troubleshooting tips in Appendix G.
View Access Manager migration log files and error ldifs to see if they contain any errors. See "Accessing Log Files".
Upgrade Successful: Proceed with "Uploading Directory Server Index Files" to ensure that all attributes are included for the Access System schema and data (and be sure to manually add an index for the obpolicykeyword attribute.
Upgrade Not Successful: Proceed to "Recovering From an Access System Schema or Data Upgrade Failure".

Note:
The new product term for the Access Manager component is Policy Manager, which will be used in the remainder of this guide. For more information, see "Product and Component Name Changes".

7.3 Uploading Directory Server Index Files

This procedure is the same as the one you completed after upgrading the Identity System schema and data.

For Access System data, be sure to manually add an index for the obpolicykeyword attribute. For more information, complete appropriate activities for your environment in "Uploading Directory Server Index Files".

After uploading index files for the Access System, continue with "Verifying the Access Schema and Data Upgrade", next.

7.4 Verifying the Access Schema and Data Upgrade

You complete this procedure to validate the Access System schema and data upgrade.

To verify the Access System schema and data upgrade

Using your directory administration console, confirm that the schema contains all the object classes and attributes as defined in the Oracle Access Manager Schema Description.
Using your directory administration console, verify that all the indexes have been added.
Different Directory Server Instances: Perform the steps in the following list to ensure that the schema was also updated:
- View the configuration node in the configuration directory server and confirm that the value of the obver attribute is 10.1.4.0.
- Check to ensure that the schema contains 10g (10.1.4.0.1) attributes obPolicyEnabled and objectclass oblixLPMPolicy.
Upgrade Successful: Proceed as indicated in the next list:
Upgrade Not Successful: Proceed to "Recovering From an Access System Schema or Data Upgrade Failure".

7.5 Creating a Temporary Directory Profile For Access System Upgrades

After upgrading the master Policy Manager, and before upgrading any other Access System component, a Master Access Administrator must create a specific temporary directory server profile using the Identity System Console. This profile grants the Access Server write access to policy data stored in the directory server and updated during the Policy Manager upgrade.

Note:

If you are using the zero downtime upgrade method, go to"Adding a Temporary Directory Profile for Original Access System Upgrades".

During WebGate upgrades, the Access Server gathers configuration information stored in the WebGatestatic.lst file and updates the directory server using the temporary directory profile created for this purpose. After writing information to the directory server, the Access Server returns status information to the WebGate. Any unknown parameters in the WebGateStatic.lst file are moved to the directory server.

Note:

Upgrading any Access System components before creating this profile could result in a failed upgrade. The exception to this rule is the master Policy Manager that you upgraded with the Access System schema and data.

In earlier releases, WebGate configuration parameters were stored in the WebGatestatic.lst file. However, in Oracle Access Manager 10g (10.1.4.0.1), WebGate configuration is accomplished using the Access System Console. Proper migration of earlier WebGate configuration parameters during an upgrade is required to enable you to change the parameter values, and add new ones, using the Access System Console. After upgrading a WebGate to 10g (10.1.4.0.1), you must use the System Console to adjust parameters. You cannot continue to use the WebGatestatic.lst file after upgrading.

Guidelines for the Temporary Directory Profile

When creating this temporary directory profile you must:

Assign a profile name of migration_wgstatic_profile; do not use another name.
Create the migration_wgstatic_profile for the directory where the policy data is stored. If your user, configuration, and policy data are stored together on a single directory, create this new profile for that directory. However, if your policy data is stored in the same directory as configuration data, create this new profile for that directory.
Assign permissions for all operations to the migration_wgstatic_profile.
Use the same namespace as the policy base stored in PolicyManager_install_dir/access/oblix/config/configInfo.xml. The value of the ldapPolicyBase parameter should be used: for example, obapp=PSC, o=Oblix, o=company,c=us.
If your directory server supports LDAP referrals, enable LDAP referrals in this temporary directory server profile. A referral directs a client request to another server to find requested information in another location. See the Oracle Access Manager Identity and Common Administration Guide for details.
If the policy data directory server is SSL-enabled, the CA certificate is needed by the Access Server to connect to the directory. The CA certificate must be manually added (using the certutil tool) to the certificate store in AccessServer_install_dir/access/oblix/config/cert8.db or cert7.db. However, if the existing policy data directory used by the Access Server is already in SSL mode and uses the same CA certificate, this step need not be done.

Important:

This procedure must be completed before upgrading any additional Access System components. For more information about directory server profiles, see the Oracle Access Manager Identity and Common Administration Guide.

To create the temporary directory server profile for the Access Server

Navigate to the Identity System Console (formerly known as the COREid System Console). For example:
```
http://hostname:port/identity/oblix/
```
From the Identity System Console, click the System Configuration tab.
Click Directory Profiles to display the Configure Profiles page.
Locate the Configure LDAP Directory Server Profiles section and click Add to display the Create Directory Server Profile page.
Fill in the following information for this temporary profile: In the Name field, enter the following name and the namespace for your environment:

Name: migration_wgstatic_profile

Name Space: obapp=PSC,o=Oblix,o=company,c=us

where the Name Space is the value of the LDAP PolicyBase parameter in PolicyManager_install_dir/oblix/config/configInfo.lst
Select the All Operations button to give this profile permission to perform all operations.
In the Used By field, select the Access Servers option.

Next you must create a database instance profile where you identify the directory server where your policy data is stored. If your policy data is stored on a separate directory server, the new database instance profile should be created for that directory server. If user, configuration, and policy data are all on one directory server, the new database instance profile should be created for that directory server
In the Database Instances section of the Create Directory Server Profile page, click Add.

The Create Database Instance page appears.
Fill in the following information to configure a database instance profile for your policy data directory server:

Name:
Machine:
Port:
Root DN:
Root DN Password:

For more information, see the Oracle Access Manager Identity and Common Administration Guide for details.
In the Flags field, if your directory supports LDAP referrals click the LDAP referrals check box if appropriate for your environment.

See the Oracle Access Manager Identity and Common Administration Guide for details on configuring LDAP referrals.
Save the database instance profile and the associated directory server profile.
If the policy directory server operates in SSL mode, the Access Server requires a CA certificate to connect to it.

If the policy directory server uses the same CA certificate as the Access Server, no additional configuration is required. Otherwise, you must add the CA certificate (cert8.db or cert7.db) to the certificate store in the following directory:

AccessServer_install_dir/oblix/config

Where AccessServer_install_dir is the directory where the Access Server was installed. See the appendix on adding a new certificate store in the Oracle Access Manager Installation Guide for details.
Proceed to "Backing Up Upgraded Policy Data" next.

7.6 Backing Up Upgraded Policy Data

As mentioned earlier, Oracle recommends that you finish the schema and data upgrade by backing up the 10g (10.1.4.0.1) component directory and directory server instances. This will enable you to easily restore your environment to the newly upgraded state should that be a requirement.

To back up critical policy information after the upgrade

Back up the upgraded 10g (10.1.4.0.1) Policy Manager directory and store it in a new location.
Back up upgraded directory server instances using your directory vendor documentation as a guide.
Backup upgraded policy data, as described in "Backing up Oracle Access Manager Configuration and Policy Data".
Back up the upgraded Web server configuration file as described in your vendor documentation.
Windows: Back up Windows registry data, if required, as described in "Backing Up Windows Registry Data".
Proceed to "Looking Ahead".

7.7 Recovering From an Access System Schema or Data Upgrade Failure

If the schema and data upgrade was not successful, you can perform the following steps to rollback this upgrade, then try again.

To recover from an unsuccessful Access System schema and data upgrade

Restore the directory instance that you backed up before the upgrade to recover the earlier schema and data from backup.
Restore the earlier component installation directory that you backed up before the upgrade (to recover the earlier environment), then back it up again. You will retain one of the earlier directories as a backup copy and use one to restart the upgrade.
Policy Manager Web Server: Restore the earlier Web server configuration file.
Windows: Restore the backed up registry, if needed.
Using a backup copy of your earlier data and component installation directory, restart the upgrade, as described in "Upgrading the Schema and Data with the Master Access Manager Component".

7.8 Looking Ahead

After upgrading the Access System schema and data, proceed in sequence with the following chapters and tasks:

For more information about expected system behaviors, see Chapter 4.