This chapter describes how to migrate Oracle Adaptive Access Manager (OAAM) 10g to Oracle Adaptive Access Manager 11g Release 2 (11.1.2). The chapter contains the following sections:
The process for migrating OAAM 10g to OAAM 11.1.2 involves installing Oracle Identity and Access Management 11g Release 2 (11.1.2), configuring OAAM 11.1.2, upgrading OAAM 10g schemas, configuring the database security store, and upgrading the Oracle Adaptive Access Manager middle tier.
For more information about other migration scenarios, see Section 1.3, "Migration and Coexistence Scenarios".
Figure 13-1 compares the topologies of OAAM 10g and OAAM 11.1.2.
Figure 13-1 Comparison of OAAM 10g and OAAM 11g Topologies
Table 13-1 provides the migration roadmap.
Task No | Task | For More Information |
---|---|---|
1 | Complete the prerequisites. | |
2 | Install Oracle Identity and Access Management 11.1.2. | See Installing Oracle Identity and Access Management 11.1.2 |
3 | Create Oracle Platform Security Services (OPSS) schema, and Metadata Services (MDS) schema using Repository Creation Utility (RCU). | |
4 | Upgrade the OAAM schema. | |
5 | Configure OAAM 11.1.2 in a new or existing domain. | See Configuring OAAM 11.1.2 in a New or Existing Oracle WebLogic Domain |
6 | Configure the database security store by running the | |
7 | Configure the Node Manager. | |
8 | Start the WebLogic Administration Server. | |
9 | Stop the OAAM Managed Servers (OAAM Admin Server, OAAM Server, and OAAM Offline Server). | |
10 | Upgrade the OAAM middle tier using Upgrade Assistant. | |
11 | Start the OAAM Managed Servers (OAAM Admin Server, OAAM Server, and OAAM Offline Server). | |
12 | Verify the migration. | |
You must complete the following prerequisites for migrating Oracle Adaptive Access Manager 10g to Oracle Adaptive Access Manager 11.1.2:
Read the Oracle Fusion Middleware System Requirements and Specifications document to ensure that your environment meets the minimum requirements for the products you are installing, upgrading, and migrating.
Note:
For information about Oracle Fusion Middleware concepts and directory structure, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.
Verify that the Oracle Adaptive Access Manager 10g version that you are using is supported for migration. For information about supported starting points for Oracle Adaptive Access Manager 10g migration, see Section 11.3, "Supported Starting Points for Oracle Adaptive Access Manager 10g Migration".
As part of the migration process, you must install Oracle Identity and Access Management 11g Release 2 (11.1.2).
For information about installing Oracle Identity and Access Management 11.1.2, see "Installing Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Create the following schemas by running the Repository Creation Utility (RCU) 11.1.2. IAU (Audit Schema) is optional.
Oracle Platform Security Services (OPSS) - (mandatory)
Metadata Services (MDS) - (mandatory)
IAU (Audit Schema) - (optional)
For more information about creating schemas, see "Creating Schemas" in the Using Repository Creation Utility.
You must upgrade the OAAM 10g schema to 11.1.2 using a WLST command. To do this, complete the following steps:
You must update the access_upgrade.properties file available at the following location with the right database connection details:
On UNIX: MW_HOME/IAM_HOME/common/wlst/access_upgrade.properties
On Windows: MW_HOME\IAM_HOME\common\wlst\access_upgrade.properties
In the access_upgrade.properties file, specify the right values for the following properties:
OAAM_DB_SCHEMA_USERNAME=OAAM_Database_schema_username
OAAM_DB_URL=OAAM_Database_URL
OAAM_DB_SYS_USERNAME=OAAM_DB_sys_username
OAAM_DB_10g=true
where
OAAM_Database_schema_username is the username of the OAAM database schema.
OAAM_Database_URL is the URL of the database where schemas are used. It must be specified in the format hostname:port:sid.
OAAM_DB_sys_username is the username of the database system administrator.
You must set the value of the property OAAM_DB_10g to true, as you are upgrading OAAM 10g.
Run the following command to launch the WebLogic Scripting Tool (WLST):
On UNIX:
Move from your present working directory to the IAM_HOME/common/bin directory by running the following command on the command line:
cd IAM_HOME/common/bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
./wlst.sh
On Windows:
Move from your present working directory to the IAM_HOME\common\bin directory by running the following command on the command line:
cd IAM_HOME\common\bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
wlst.cmd
Run the following WLST command offline, to upgrade the OAAM 10g schema to 11.1.2:
On UNIX:
upgradeAccessSchema(filePath="MW_HOME/IAM_HOME/common/wlst/access_upgrade.properties")
On Windows:
upgradeAccessSchema(filePath="MW_HOME\\IAM_HOME\\common\\wlst\\access_upgrade.properties")
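A pre-flight check for the properties file edited in the steps above, as an added example that is not part of Oracle's documentation or tooling: it verifies the required keys, the hostname:port:sid format and OAAM_DB_10g=true before upgradeAccessSchema is run. The function names, the placeholder detection and the owner-only permission check are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for access_upgrade.properties.
# Key names and the hostname:port:sid format come from the page; the
# placeholder and permission checks are assumptions of this example.

# prop_value FILE KEY: print KEY's value (last assignment wins), trimmed.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# check_access_upgrade_props FILE: print each problem found and return
# the number of problems (0 means the file is ready for the upgrade).
check_access_upgrade_props() {
    file=$1
    problems=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    # Required keys must be set and must not still hold the guide's placeholders.
    for key in OAAM_DB_SCHEMA_USERNAME OAAM_DB_URL OAAM_DB_SYS_USERNAME; do
        case $(prop_value "$file" "$key") in
            '') echo "$key is missing or empty"; problems=$((problems + 1)) ;;
            OAAM_Database_schema_username|OAAM_Database_URL|OAAM_DB_sys_username)
                echo "$key still holds a placeholder"; problems=$((problems + 1)) ;;
        esac
    done

    # OAAM_DB_URL must be hostname:port:sid, not a //host:port/service string.
    url=$(prop_value "$file" OAAM_DB_URL)
    case $url in
        ''|OAAM_Database_URL) ;;  # already reported above
        *)
            if printf '%s\n' "$url" |
                grep -Eq '^[A-Za-z0-9._-]+:[0-9]{1,5}:[A-Za-z0-9_]+$'; then
                port=$(printf '%s\n' "$url" | cut -d: -f2)
                if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                    echo "OAAM_DB_URL port out of range: $port"
                    problems=$((problems + 1))
                fi
            else
                echo "OAAM_DB_URL is not hostname:port:sid: $url"
                problems=$((problems + 1))
            fi ;;
    esac

    # The page requires OAAM_DB_10g=true when the source schema is 10g.
    if [ "$(prop_value "$file" OAAM_DB_10g)" != "true" ]; then
        echo "OAAM_DB_10g must be true"
        problems=$((problems + 1))
    fi

    # The file names the schema and SYS accounts: keep it owner-only.
    if [ "$(ls -ld -- "$file" | cut -c5-10)" != "------" ]; then
        echo "$file is accessible to group or others; chmod 600 it"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Call check_access_upgrade_props with the path to the file; a non-zero return value is the number of problems it printed.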
After you install the software, you must configure Oracle Adaptive Access Manager 11.1.2. You can configure OAAM either in a new or in an existing domain. For more information, see "Configuring Oracle Adaptive Access Manager" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Note:
Ensure that you specify the Oracle Adaptive Access Manager 10g database details in the screen where it prompts you to enter the Oracle Adaptive Access Manager 11g database details. You must enter the 10g credentials because there is no separate 11g database. It checks the database for a few system tables, which are not present in Oracle Adaptive Access Manager 10g database.
After you configure OAAM 11.1.2 in a domain, you must run the configuresecuritystore.py script to configure the Database Security Store. For more information, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Note:
If you have already run the configuresecuritystore.py script as part of the OAAM 11.1.2 configuration in Section 13.8, ignore this task.
If you wish to start and stop the Managed Servers through the WebLogic Administration console, you must configure the Node Manager, and start it. For information about configuring Node Manager, see "Configuring Node Manager to Start Managed Servers" in the Oracle Fusion Middleware Administrator's Guide.
To start the WebLogic Administration Server, do the following:
On UNIX:
Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory using the command:
cd MW_HOME/user_projects/domains/domain_name/bin/
Run the following command:
./startWebLogic.sh
When prompted, enter the WebLogic Administration Server username and password.
On Windows:
Move from your present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory using the following command on the command line:
cd MW_HOME\user_projects\domains\domain_name\bin\
Run the following command:
startWebLogic.cmd
When prompted, enter the WebLogic Administration Server username and password.
If you have started the OAAM Admin Server, OAAM Offline Server (if present), and OAAM Server, you must stop all of them before you can upgrade the OAAM middle tier in section 13.10. To stop these servers, do the following:
On UNIX:
Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory using the command:
cd MW_HOME/user_projects/domains/domain_name/bin/
Run the following command to stop the OAAM Admin Server:
./stopManagedWebLogic.sh oaam_admin_server admin_url username password
In this command,
oaam_admin_server is the name of the OAAM Admin Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
username is the username of WebLogic Administration Server.
password is the password of WebLogic Administration Server.
Run the following command to stop the OAAM Offline Server:
./stopManagedWebLogic.sh oaam_offline_server admin_url username password
In this command,
oaam_offline_server is the name of the OAAM Offline Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
username is the username of WebLogic Administration Server.
password is the password of WebLogic Administration Server.
Run the following command to stop the OAAM Server:
./stopManagedWebLogic.sh oaam_server admin_url username password
In this command,
oaam_server is the name of the OAAM Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
username is the username of WebLogic Administration Server.
password is the password of WebLogic Administration Server.
On Windows:
Move from the present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory using the following command on the command line:
cd MW_HOME\user_projects\domains\domain_name\bin\
Run the following command to stop the OAAM Admin Server:
stopManagedWebLogic.cmd oaam_admin_server admin_url username password
In this command,
oaam_admin_server is the name of the OAAM Admin Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
username is the username of WebLogic Administration Server.
password is the password of WebLogic Administration Server.
Run the following command to stop the OAAM Offline Server:
stopManagedWebLogic.cmd oaam_offline_server admin_url username password
In this command,
oaam_offline_server is the name of the OAAM Offline Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
username is the username of WebLogic Administration Server.
password is the password of WebLogic Administration Server.
Run the following command to stop the OAAM Server:
stopManagedWebLogic.cmd oaam_server admin_url username password
In this command,
oaam_server is the name of the OAAM Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
username is the username of WebLogic Administration Server.
password is the password of WebLogic Administration Server.
Note:
If you have more than one OAAM Server, you must stop all of them.
You must upgrade the OAAM 10g middle tier using Upgrade Assistant. To do this, complete the following steps:
If you have started the Oracle Adaptive Access Manager Managed Servers, they auto-generate symmetric keys required for encryption or decryption. You must delete the keys before performing middle tier upgrade. To do so, complete the following steps:
Log in to Oracle Enterprise Manager using the URL: host:port/em
Expand the WebLogic Domain on the left pane, and select the OAAM domain.
The OAAM domain page is displayed.
From the OAAM Domain, select Security, and then Credentials.
The Credentials page is displayed.
Expand oaam and delete the entries related to symmetric keys.
Launch Upgrade Assistant by doing the following:
On UNIX:
Move from your present working directory to the MW_HOME/IAM_HOME/bin directory using the following command:
cd MW_HOME/IAM_HOME/bin
Run the following command:
./ua
On Windows:
Move from your present working directory to the MW_HOME\IAM_HOME\bin directory using the following command on the command line:
cd MW_HOME\IAM_HOME\bin
Run the following command:
ua.bat
The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed.
Click Next.
The Specify Operation screen is displayed.
Select Upgrade Oracle Adaptive Access Manager Middle Tier.
The options available in Upgrade Assistant are specific to the Oracle home from which it started. When you start Upgrade Assistant from an Oracle Application Server Identity Management Oracle home, the options shown on the Specify Operation screen are the valid options for an Oracle Application Server Identity Management Oracle home.
Click Next.
The Specify Source Details screen is displayed.
Enter the following information:
Click Browse and enter the directory location for Oracle Adaptive Access Manager Adaptive Strong Authenticator Web Application 10g (ASA) and Adaptive Risk Manager Web Application 10g (ARM) applications.
Database Type: Select the database type from the drop-down list.
Connect String: Enter the name of the server where your database is running. Use one of the following formats for Oracle Database:
//host:port/service or host:port:sid
Schema User Name: Enter the user name for the OAAM schema.
Schema Password: Enter the password for the OAAM schema.
Click Next.
The Specify WebLogic Server screen is displayed.
Enter the following information about your Oracle WebLogic Server domain:
Host: The host name of the machine where WebLogic Administration Server is running.
Port: The listening port of the Administration Server. The default Administration Server port is 7001.
Username: The user name that is used to log in to the Administration Server. This is the same username you use to log in to the Administration Console for the domain.
Password: The password for the administrator account that is used to log in to the Administration Server. This is the same password you use to log in to the Administration Console for the domain.
Click Next.
The Specify Upgrade Options screen is displayed.
Select Start destination components after successful upgrade, and click Next.
The Examining Components screen is displayed.
Note:
Ensure that Node Manager is running, before you select Start destination components after successful upgrade.
Click Next.
The Upgrade Summary screen is displayed.
Click Upgrade.
The Upgrade Progress screen is displayed. This screen provides the following information:
The status of the upgrade
Any errors or problems that occur during the upgrade
Click Next.
The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete.
Click Close.
You must start the OAAM Managed Servers in the following order:
OAAM Admin Server
OAAM Offline Server, if you have configured OAAM Offline Server
OAAM Server
To start these servers, do the following:
On UNIX:
Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory using the command:
cd MW_HOME/user_projects/domains/domain_name/bin/
Run the following command to start the OAAM Admin Server:
./startManagedWebLogic.sh oaam_admin_server admin_url
In this command,
oaam_admin_server is the name of the OAAM Admin Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
When prompted, enter the username and password of the WebLogic Administration Server.
Run the following command to start the OAAM Offline Server:
./startManagedWebLogic.sh oaam_offline_server admin_url
In this command,
oaam_offline_server is the name of the OAAM Offline Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
When prompted, enter the username and password of the WebLogic Administration Server.
Run the following command to start the OAAM Server:
./startManagedWebLogic.sh oaam_server admin_url
In this command,
oaam_server is the name of the OAAM Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
When prompted, enter the username and password of the WebLogic Administration Server.
On Windows:
Move from the present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory using the command:
cd MW_HOME\user_projects\domains\domain_name\bin\
Run the following command to start the OAAM Admin Server:
startManagedWebLogic.cmd oaam_admin_server admin_url
In this command,
oaam_admin_server is the name of the OAAM Admin Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
When prompted, enter the username and password of the WebLogic Administration Server.
Run the following command to start the OAAM Offline Server:
startManagedWebLogic.cmd oaam_offline_server admin_url
In this command,
oaam_offline_server is the name of the OAAM Offline Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
When prompted, enter the username and password of the WebLogic Administration Server.
Run the following command to start the OAAM Server:
startManagedWebLogic.cmd oaam_server admin_url
In this command,
oaam_server is the name of the OAAM Server.
admin_url is the URL of the WebLogic Administration console. Specify this parameter only if the WebLogic Administration Server is on a different machine. You must specify the URL in the format http://host:port/console.
When prompted, enter the username and password of the WebLogic Administration Server.
Note:
Make sure that the OAAM Admin Server is running before you start the OAAM Server.
To verify if the OAAM 10g migration was successful, do the following:
Log in to the administration console of Oracle Adaptive Access Manager 11.1.2, using the administration server username and password, and verify whether the OAAM 10g artifacts are migrated to OAAM 11g. Use the following URL to log in to the OAAM Admin Server:
http://host:port/oaam_admin
where
host is the machine on which OAAM Admin Server is running
port is the port number of the OAAM Admin Server
Create a user, and assign the Investigator role. Log in to the OAAM Admin Server with this user, and verify that you see the Investigator UI successfully.
For more information about creating OAAM users, see "Creating OAAM Users" in the Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.