Sun OpenSSO Enterprise 8.0 Upgrade Guide

Planning Your OpenSSO Enterprise 8.0 Upgrade

Upgrading to Sun OpenSSO Enterprise 8.0 is supported from the following releases and platforms:

Previous Release	Upgrade Supported From This Platform
Sun Java System Access Manager 7.1 Upgrade is supported for: Sun Java Enterprise System package based installations WAR file deployment only if the configuration data is in Sun Java System Directory Server.	Solaris SPARC, Solaris x86, Linux, and Windows systems
Sun Java System Access Manager 7 2005Q4	Solaris SPARC, Solaris x86, and Linux systems
Sun Java System Federation Manager 7.0	Solaris SPARC, Solaris x86, Linux, and Windows systems

Previous Release

Upgrade Supported From This Platform

Sun Java System Access Manager 7.1

Upgrade is supported for:

Sun Java Enterprise System package based installations
WAR file deployment only if the configuration data is in Sun Java System Directory Server.

Solaris SPARC, Solaris x86, Linux, and Windows systems

Sun Java System Access Manager 7 2005Q4

Solaris SPARC, Solaris x86, and Linux systems

Sun Java System Federation Manager 7.0

Solaris SPARC, Solaris x86, Linux, and Windows systems

Caution –

Upgrade of the configuration data is supported only from and to Sun Java System Directory Server. If the configuration data for an Access Manager 7.1 WAR file deployment is stored using the flat file system, upgrade to OpenSSO Enterprise 8.0 is not supported.

Upgrade is not supported for the following separately installed features:

Access Manager or Federation Manager AMSDK
Access Manager or Federation Manager client SDK
Distributed Authentication UI server. See Considerations for a Distributed Authentication UI Server.
IDP Discovery Service
Remote console

Additional information is in the following sections.

Considerations for OpenSSO Enterprise 8.0 Patch Releases

Sun periodically releases patches for OpenSSO Enterprise 8.0 on http://sunsolve.sun.com/. To find the latest patch, search for patch ID 141655.

To migrate a deployment from Access Manager 7.1 or Access Manager 7 2005Q4 to an OpenSSO Enterprise 8.0 patch release, follow these general steps:

Upgrade to OpenSSO Enterprise 8.0, as described in this guide.
Apply the patch release, as described in Chapter 23, Patching OpenSSO Enterprise 8.0, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

Note –

Always run the latest versions of the ssoupgrade or ssoupgrade.bat script, ssopatch or ssopatch.bat utility, and updateschema or updateschema.bat script from the OpenSSO Enterprise 8.0 patch release.

Upgrade Considerations for Legacy and Realm Mode

The following Legacy and Realm mode upgrades are supported:

Legacy to Legacy mode
Legacy to Realm mode
Realm to Realm mode

Considerations for a Distributed Authentication UI Server

Upgrade is not supported for an Access Manager 7.x Distributed Authentication UI server deployment. To move from an Access Manager 7.x deployment, you must remove the old deployment and then install the OpenSSO Enterprise 8.0 version, as described in Chapter 9, Deploying a Distributed Authentication UI Server, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

OpenSSO Enterprise 8.0 can coexist with an Access Manager 7.1 Distributed Authentication UI server deployment. However, make sure that the following properties in the AMConfig.properties file on the Distributed Authentication UI server side in the WEB-INF directory are in sync with the OpenSSO Enterprise 8.0 server instance:

com.iplanet.am.naming.url
com.iplanet.am.server.protocol
com.iplanet.am.server.host
com.iplanet.am.server.port
com.sun.identity.agents.app.username
com.iplanet.am.service.password

Note: If you make any changes to the AMconfig.properties file, you must restart the Distributed Authentication UI server.

Coexistence with OpenSSO Enterprise 8.0

Coexistence can occur when instances of OpenSSO Enterprise and Access Manager 7.1 access the same Directory Server schema. (In previous versions of Access Manager, the Directory Server schema contains the server's configuration data.) Thus, OpenSSO Enterprise 8.0 can coexist with an instance of Access Manager 7.1 only if the older version was installed with the Directory Server schema. Coexistence mode denotes that customer has executed the ssopreupgrade script to remove the packages but not the ssoupgrade script to update the schema.

Coexistence usually occurs when multiple instances of Access Manager 7.1, accessing the same Directory Server schema, are being upgraded sequentially, one instance at a time. OpenSSO Enterprise 8.0 will continue to work with the Access Manager 7.1 schema and support all Access Manager 7.1 features (except for the Liberty ID-FF metadata as described in Backward Compatibility with OpenSSO Enterprise 8.0) until the schema is upgraded.

Important. In coexistence mode, all Access Manager 7.1 instances accessing the same Directory Server schema must have the same deployment URI (for example /amserver).

Coexistence is not supported between OpenSSO Enterprise 8.0 server and these releases:

Access Manager 7 2005Q4
Federation Manager 7.0

More information about upgrading multiple instances of Access Manager is in Upgrading Multiple Instances of Access Manager.

Tip –

Upgrading from older versions of Access Manager might cause issues when logging in and accessing realms in coexistence mode. There is no current workaround for this issue. It is suggested that you upgrade to OpenSSO Enterprise 8.0 update 1 once it is available.

Backward Compatibility with OpenSSO Enterprise 8.0

Backward compatibility is supported for all Access Manager 7.1 and Access Manager 7 2005Q4 existing features including the full SDK and the client SDK APIs. Backward compatibility is not supported for:

Access Manager 6 2005Q1 (6.3) and earlier releases
Liberty ID-FF schema metadata: Liberty ID-FF profiles do not work unless you upgrade the Access Manager or Federation Manager schema in Directory Server.