This chapter describes how to upgrade your existing Oracle Identity Manager 11g Release 1 (11.1.1.5.0) environment to Oracle Identity Manager 11g Release 2 (11.1.2).
This chapter contains the following sections:
Read the Oracle Fusion Middleware System Requirements and Specifications document to ensure that your environment meets the minimum requirements for the products you are installing or upgrading.
Table 6-1 lists the key differences in functionality between Oracle Identity Manager 11g Release 1 (11.1.1.5.0) and Oracle Identity Manager 11g Release 2 (11.1.2).
| Oracle Identity Manager 11g Release 1 (11.1.1.5.0) | Oracle Identity Manager 11g Release 2 (11.1.2) |
|---|---|
|
Separate interfaces for end-user self-service and delegated administration. |
A unified interface for end user self service and delegated administration. |
|
Search for access items, such as roles, entitlements, or applications through a complex set of menus. |
OIM users can navigate to the OIM catalog directly, search for access items, and submit a request. They can also associate metadata with each of the access items. |
|
Incomprehensible resource and IT resource names that make the access request process difficult. |
Intuitive, easy-to-understand resource names through an abstraction named Application Instances, which are a combination of an IT resource instance and a resource object. |
|
Manual, tedious process of creating and configuring disconnected applications. |
Simplified onboarding of disconnecting applications that enables system integrators to create and manage access to disconnected applications. |
|
Users' access controlled by request templates granted to users, based on their role membership. |
A user's access controlled by a combination of end-user's publishing and the access items publishing in organizations. |
|
OIM-specific user interface to administer end user "authorization policies". |
Authorization Policy Manager, a standards-based UI, used to administer authorization policies. This standardized UI allows administrators to administer and manage policies across the Oracle Identity Management suite of products. |
|
Evaluation of access policies for each user as soon as the user is updated. |
Evaluation of access policies in a fixed set of time intervals when the Evaluate User Policies scheduled job is run. |
The procedure for upgrading Oracle Identity Manager 11.1.1.5.0 to 11.1.2 involves the following high-level steps:
Pre-Upgrade Steps: This step involves tasks like generating the pre-upgrade report, analyzing the report and performing the necessary pre-upgrade tasks described in the report, shutting down the servers, backing up the 11.1.1.5.0 environment and so on.
Upgrading the Oracle Home and Database Schemas: This step involves tasks like upgrading Oracle SOA Suite, upgrading 11.1.1.5.0 Oracle Home to 11.1.2, creating Oracle Platform Security Services schema using Repository Creation Utility, upgrading Oracle Platform Security Services, configuring the security store, upgrading Oracle Identity Manager using Patch Set Assistant and so on.
Upgrading the Oracle Identity Manager Middle Tier: This step involves tasks like upgrading Oracle Identity Manager middle tier, starting the servers, patching the Oracle Identity Manager MDS metadata and so on.
Upgrading Other Oracle Identity Manager Installed Components: This step involves tasks like upgrading Oracle Identity Manager Design Console, Oracle Identity Manager Remote Manger, and configuring BI Publisher Reports.
Post-Upgrade Steps: This step involves the post-upgrade tasks like enabling Oracle Identity Manager - Oracle Access Manager integration, upgrading user UDF, customizing event handlers, upgrading SOA composites and so on.
Table 6-2 lists the steps to upgrade Oracle Identity Manager 11.1.1.5.0.
Note:
If you do not follow the exact sequence provided in this task table, your Oracle Identity Manager upgrade may not be successful.
| Sl No | Task | For More Information |
|---|---|---|
|
Pre-Upgrade Steps |
||
|
1 |
Review the changes in the features of Oracle Identity Manager 11.1.2. |
See, Feature Comparison |
|
2 |
Generate the pre-upgrade report by running the |
|
|
3 |
Analyze the report and complete the pre-upgrade actions described in the report. |
|
|
4 |
Empty the |
|
|
5 |
Complete all of the pre-requisite tasks. |
See, Other Prerequisites |
|
6 |
Shut down all servers. This includes Administration Server, SOA Managed Servers, and Oracle Identity Manager Managed Servers. |
See, Shutting Down Administration Server and Managed Servers |
|
7 |
Back up your environment. |
See, Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.5.0) |
|
8 |
Ensure that the JRF is upgraded. |
|
|
Upgrading the Oracle Home and Database Schemas |
||
|
9 |
Optional - Upgrade Oracle WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6. |
|
|
10 |
Upgrade SOA suite used by Oracle Identity Manager. |
See, Upgrading Oracle SOA Suite Used by Oracle Identity Manager |
|
11 |
Upgrade 11.1.1.5.0 Oracle Home to 11.1.2. |
See, Upgrading Oracle Identity Manager 11g Release 2 (11.1.2) |
|
12 |
Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load OPSS schema for Oracle Identity and Access Management products. |
|
|
13 |
Extend your Oracle Identity Manager 11.1.1.5.0 domain with the OPSS template. |
See, Extending Oracle Identity Manager 11.1.1.5.0 Component Domains with OPSS Template |
|
14 |
Upgrade Oracle Platform Security Services. |
|
|
15 |
Run the |
|
|
16 |
Upgrade Oracle Identity Manager using the Patch Set Assistant. |
See, Upgrading Oracle Identity Management Schemas Using Patch Set Assistant |
|
17 |
Start the WebLogic Administration Server. |
See, Starting the Administration Server and SOA Managed Servers |
|
Upgrading the Oracle Identity Manager Middle Tier |
||
|
18 |
Set Oracle Identity Manager Environment variables. |
|
|
19 |
Upgrade Oracle Identity Manager Middle Tier. |
|
|
20 |
Verify the Oracle Identity Manager Middle Tier Upgrade. |
|
|
21 |
Change the deployment order of Oracle Identity Manager from 47 to 48. |
See, Changing the Deployment Order of Oracle Identity Manager EAR |
|
22 |
Restart the Administration Server and SOA Managed Servers. |
See, Restarting the Administration Server and SOA Managed Server |
|
23 |
Patch the Oracle Identity Manager MDS metadata by starting the Oracle Identity Manager Managed Servers. |
|
|
Upgrading Other Oracle Identity Manager Installed Components |
||
|
24 |
Upgrade Oracle Identity Manager Design Console. |
|
|
25 |
Upgrade Oracle Identity Manager Remote Manager. |
|
|
26 |
Configure BI Publisher Reports |
|
|
Post-Upgrade Steps |
||
|
27 |
Complete the post-upgrade steps. |
Post upgrade tasks include the following: |
|
28 |
Verify the upgrade. |
This section contains the following topics:
Ensuring That getPlatformTransactionManager() Method is Not Used in Custom Code
Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.5.0)
The Pre-UpgradeReport utility analyses your existing Oracle Identity Manager 11.1.1.5.0 environment, and provides information about the mandatory prerequisites that you must complete before you upgrade 11.1.1.5.0 environment. The information in the pre-upgrade report is related to the invalid approval policies, requests and event handlers that are affected by the upgrade, list of mandatory Database components that need to be installed before upgrade, cyclic groups in LDAP directory, deprecated authorization policies, and issues in creating potential application instance.
You must run the PreUpgradeReport utility before you begin the upgrade process, and address all the issues listed as part of this report with the solution provided in the report. Run this report until no pending issues are listed in the report.
Note:
It is important to address all the issues listed in the pre-upgrade report, before you can proceed with the upgrade, as upgrade might fail if the issues are not fixed.
Download the pending transaction report utility, as described in the My Oracle Support document ID 1471905.1.
Run generatePreUpgradeReport.sh on UNIX, or generatePreUpgradeReport.bat on Windows, and provide the following details:
Oracle Identity Manager schema JDBC URL
[jdbc:oracle:thin:@hostname:portnumber/service name]
Oracle Identity Manager schema username
Oracle Identity Manager schema password
MDS schema JDBC URL
[jdbc:oracle:thin:@hostname:portnumber/service name]
MDS schema User Name
MDS schema Password
Database Administrator username
SYSDBA password
Enter report output directory
The pending transaction report utility generates seven different reports, which includes the information outlined in Table 6-3.
Note:
You must review all the reports, and perform the tasks described in each of the reports.
Table 6-3 Pre-Upgrade Utility Reports
| Report Name | Description | For More Information |
|---|---|---|
|
|
The index.html provides links to all the seven reports generated by the pre-upgrade utility. |
- |
|
|
This report lists the request approval policies that has a rule defined on the non existing template. |
See, Section 6.3.2.1, "Description of APPROVALPOLICYPreUpgradeReport.html Report". |
|
|
This report lists all of the invalid authorization policies. Oracle Identity Manager 11.1.2 does not use the authorization policies created in Oracle Identity Manager 11.1.1.5.0. Therefore, all of the authorization policies created in Oracle Identity Manager 11.1.1.5.0 are invalid in this release. |
See, Section 6.3.2.2, "Description of AUTHORIZATIONPOLICYPreUpgradeReport.html Report". |
|
|
This report detects the list of cyclic groups in LDAP. The report includes a list of cyclic groups and instructions to remove cyclic dependency. It is mandatory to remove all cyclic dependencies running in the Oracle Identity Manager 11.1.1.5.0 environment. |
See, Section 6.3.2.3, "Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report". |
|
|
This report captures all user customizations related to Event Handler in Oracle Identity Manager 11.1.1.5.0. |
See, Section 6.3.2.4, "Description of EVENT_HANDLERPreUpgradeReport.html Report". |
|
|
This report lists the mandatory Database components that needs to be installed before you proceed with the upgrade. |
See, Section 6.3.2.5, "Description of ORACLE_TEXTPreUpgradeReport.html Report". |
|
|
This report lists the potential application instance creation issues. |
See, Section 6.3.2.6, "Description of PROVISIONINGPreUpgradeReport.html Report". |
|
|
This report lists any invalid requests and the actions to be taken. |
See, Section 6.3.2.7, "Description of REQUESTPreUpgradeReport.html Report". |
The report APPROVALPOLICYPreUpgradeReport.html lists the invalid approval policies. This report contains the following sections:
This report also contains an additional note on approval policy based on deprecated request type. You must review the report completely, before you start upgrading the Oracle Identity Manager 11.1.1.5.0 environment.
This section lists the Oracle Identity Manager 11.1.1.5.0 approval policies whose rules are defined based on the request template.The Request templates feature is not supported in Oracle Identity Manager 11.1.2. Therefore, if your Oracle Identity Manager 11.1.1.5.0 contains approval policies having rules based on request template, you must reconfigure the request approval policies by following the steps described in the report.
This section lists the 11.1.1.5.0 approval policies that need to be associated with different approval process before you start the upgrade process.
The approval process default/ResourceAdministratorApproval, default/ResourceAuthorizerApproval are not supported in 11.1.2. Therefore, if your Oracle Identity Manager 11.1.1.5.0 contains approval policies having these approval process, you must associate them with different approval process.
This section provides information about the request types that are not supported in 11.1.2.
The following 11.1.1.5.0 request types are not supported in 11.1.2, and they are changed to non-self request type in 11.1.2:
Self Assign Roles
Modify Self Profile
Self Remove Roles
Self De-Provision Resource
Self Modify Provisioned Resource
Self-Request Resource
Self-request type mapping to Non-Self request type is shown Table 6-4.
Table 6-4 Mapping of Self request type to Non-Self request type
| Self Request Type | Non-Self Request Type |
|---|---|
|
Self-Request Resource |
Provision Resource |
|
Self Modify Provisioned Resource |
Modify Provisioned Resource |
|
Self Remove Roles |
Remove from Roles |
|
Modify Self Profile |
Modify User Profile |
|
Self De-Provision Resource |
De-Provision Resource |
|
Self Assign Roles |
Assign Roles |
The report AUTHORIZATIONPOLICYPreUpgradeReport.html lists the deprecated authorization policies.
Oracle Identity Manager 11.1.2 uses a new authorization policy framework that is standards based, and is used by the entire Oracle stack. Any changes made to authorization policies in Oracle Identity Manager 11.1.1.5 must be reapplied post upgrade.
You must review the table in this report that lists the authorization policies of the 11.1.1.5.0 environment that are deprecated in 11.1.2.
The report CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html provides information about the Cyclic groups in LDAP directory.
Oracle Identity Manager 11.1.2 does not support cyclic groups in the LDAP directory. Therefore, you must remove the cyclic dependency from Oracle Identity Manager 11.1.1.5.0 setup before you proceed with the upgrade. For more information about removing the cyclic groups dependent on LDAP, see Removing Cyclical Groups Dependent on LDAP. The procedure for removing cyclic groups is also described in this report.
Removing Cyclical Groups Dependent on LDAP
If the LDAP in your Oracle Identity Manager 11.1.1.5.0 environment has cyclic groups loaded, you must remove the cyclic groups by doing the following:.
Use JEXplorer or Softerra LDAP Administrator and navigate to the cyclic groups.
Look for uniquemember attribute.
Remove all values from the attribute.
Save the group.
Run LDAPConfigPostSetup.sh on UNIX and LDAPConfigPostSetup.bat on Windows to sync data from LDAP to Oracle Identity Manager database.
If you have cyclic group dependency between two groups: Group1 and Group2, do the following to remove cyclic dependency:
Connect to LDAP using JEXplorer or Softerra LDAP.
Go to the group container of Group1.
Go to the uniquemember attribute under Group1.
Remove the value of Group2, from unique members, and save the change made.
Run LDAPConfigPostSetup.sh on UNIX and LDAPConfigPostSetup.bat on Windows to synchronize data from LDAP to Oracle Identity Manager database.
The report EVENT_HANDLERPreUpgradeReport.html provides information about event handlers. When you upgrade Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2, the customizations made to the OOTB event handlers XMLs in 11.1.1.5.0 will not be preserved in 11.1.2. All the customizations defined in a separate XML (non OOTB) in 11.1.1.5.0 will be preserved in 11.1.2. You must redo all the customizations after upgrading to 11.1.2. This report contains the following sections:
Refer to the table in the report for more details about the event handlers.
This section provides information about the new event handlers added in the OOTB (11.1.1.5.0).
The event handler newly added in the OOTB (11.1.1.5.0) Event Handler Metadata XML will not be available after you upgrade to 11.1.2. Oracle Identity Manager 11.1.2 event handlers will replace the 11.1.1.5.0 event handlers. Therefore, you must add the event handler again in a new file after the upgrade.
Note:
Do not add new event handler in the same OOTB Event Handler XML. You must create a new XML and add the new event handler to it.
This section provides information about the event handlers that are modified in the OOTB (11.1.1.5.0).
You must redo all the customizations that you did to the event handlers in OOTB (11.1.1.5.0), after you upgrade Oracle Identity Manager 11.1.1.5.0 to 11.1.2.
This section provides information about the event handlers that were deleted in OOTB (11.1.1.5.0).
The deleted event handlers are restored after you upgrade to 11.1.2. Therefore, you must delete them again as per requirement.
The report ORACLE_TEXTPreUpgradeReport.html provides information about the installation status of the mandatory database components.
Before you upgrade Oracle Identity Manager 11.1.1.5.0 to 11.1.2, you must install certain Database components. The table in this report lists the database components that need to be installed before you upgrade. The table also shows the status of the installation, and the solution. Review the table, and perform the actions required.
The report PROVISIONINGPreUpgradeReport.html lists the potential application instances creation issues. The report contains the following sections:
Provisioning, Entitlement, and Access Policy Configuration Details
List of Resource Objects without ITResource field Type in Process Form
List of Resource Objects with multiple ITResource Lookup fields in Process Form
List of Access Policies without ITResource value set in default policy data
List of Access Policies with Revoke If No Longer Applies flag unchecked
This sections describes the steps you must complete before you upgrade Oracle Identity Manager 11.1.1.5.0 to 11.1.2. These steps are related to provisioning, entitlement, and access policy configuration. Complete all the steps described in this section of the report.
This section provides information about the resource objects in Oracle Identity Manager 11.1.1.5.0 that do not have process form. Each resource object must have a process form associated with it. Therefore, if a resource object is not associated with a process form, you must associate the resource object with a process form before you start the upgrade process. Review the table in this section of the report, that lists the details of the resource objects without process form.
This section provides information about the resource objects without ITResource field type in their respective process forms. Review the table in this section of the report, which contains more details. If your Oracle Identity Manager 11.1.1.5.0 has resource objects without ITResource field in their process forms, do the following:
Create appropriate IT resource definition.
Create IT resource instance for the same corresponding to the target that is being provisioned.
Edit the process form and add a field of type "ITResource" to the process form. Set the following properties:
Type=IT Resource definition created in step-1
ITResource=true
Activate the form.
Update the IT resource field on existing provisioned accounts using FVC Utility.
Once the above steps are completed, you can create application instances corresponding to the Resource Object+ITResource combination.
This section provides information about the resource objects that have multiple lookup fields in their process form. In the Oracle Identity Manager 11.1.1.5.0 environment, if you have resource objects with multiple ITResource set in the process form, you must set the value of the property ITResource Type to true for at least one of the attributes.
This section lists the access policies for which the ITResource values of the resource objects should be set in the default policy data. The table in this section lists the access policies in Oracle Identity Manager 11.1.1.5.0 for which ITResource field is missing. You must set the values of ITResurce field for each of the access policy listed in the table.
This section lists the access policies that have Revoke If No Longer Applies flag unchecked. The table in this section contains the list of access policies that will be updated to Disable If No Longer Applies, during upgrade. The table also indicates if tasks for enable, disable, revoke actions are not defined for these policies. You must add the missing tasks before you proceed with the upgrade. Also, if you want the behavior of the policy to change to RNLA checked, you must check the RNLA flag for the respective policy.
This section lists entitlements stored in lookup definitions that do not have IT Resource Key pretended to their encoding values using "~". Entitlements stored in lookup definitions need IT Resource Key prepended to the encoded values using "~". Review the table in this section of the pre-upgrade report, which contains more details.
The report REQUESTPreUpgradeReport.html lists requests that are affected because of the upgrade. This report contains the following sections:
This section lists the requests that are in one of the following unsupported request stages:
Obtaining Template Approval
Template Approval Approved
Template Approval Rejected
Template Approval Auto Approved
Manual intervention is required to move these requests to the next stage by approving, withdrawing, or closing such requests. Otherwise, requests are moved to request closed stage as part of the upgrade.
Review the list of requests that are in the unsupported request stage.
This section lists the requests that are based on one of the following request types will be changed to the corresponding non-self request type after the upgrade:
Self Assign Roles
Modify Self Profile
Self Remove Roles
Self De-Provision Resource
Self Modify Provisioned Resource
Self-Request Resource
Request types for these requests are automatically changed to the corresponding non-self request type as part of the upgrade.
Self-request type mapping to non-self request type is shown in Table 6-5:
Table 6-5 Mapping of Self-Request Type to Non-Self Request Type
| Self request type | Non-Self request type |
|---|---|
|
Self-Request Resource |
Provision Resource |
|
Self Modify Provisioned Resource |
Modify Provisioned Resource |
|
Self Remove Roles |
Remove from Roles |
|
Modify Self Profile |
Modify User Profile |
|
Self De-Provision Resource |
De-Provision Resource |
|
Self Assign Roles |
Assign Roles |
Ensure that the method getPlatformTransactionManager() is not used in the custom event handler code, as this method is not available in 11.1.2.
If you are using the method getPlatformTransactionManager() in the custom event handler code, set the attribute tx to TRUE in the event handler XML definition.
For more information on setting the attributes in the event handler XML definition, see "Defining Custom Events Definition XML" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Offline Provisioning is not supported in Oracle Identity Manager 11.1.2, as it is no longer needed on Oracle Identity Manager 11.1.2.
Empty the oimProcessQueue JMS queue to ensure that JMS messages are processed before you start upgrading. To do so, complete the following:
Shut down applications to disable accessing of Oracle Identity Manager offline provisioning by end-users, SPML, and API clients.
Monitor the oimProcessQueue JMS queue from the Weblogic Administration Console and allow Oracle Identity Manager to run, till oimProcessQueue JMS queue is empty.
This is a list of checks you must run and set before you begin upgrading:
Check if oracle.soa.worklist.webapp is targeted to Oracle Identity Manager server in 11.1.1.5.0. If not, targeted it to Oracle Identity Manager Managed Server.
The OOTB applications in Oracle Identity Manager are deployed in NO_STAGE mode. Check if oracle.idm.uishell is in No Stage mode. If oracle.idm.uishell is in Stage mode, you must re-deploy it.
Complete the following steps to change the mode to No Stage:
Set the WL_HOME and OIM_HOME.
Undeploy oracle.idm.uishell by running the following command:
java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -undeploy -name oracle.idm.uishell
Deploy oracle.idm.uishell in stage mode by running the following command:
java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -deploy -name oracle.idm.uishell -source $OIM_HOME/modules/oracle.idm.uishell_11.1.1/oracle.idm.uishell.war -nostage -library -targets AdminServer,$OIM_SERVER_NAME
Ensure that all pending requests are addressed before you upgrade.
In case of a migrated, upgraded, or restored database in the Oracle Identity Manager enviornment, you must synchronize all the Oracle Identity Manager Schema Privileges (SYSTEM and OBJECT Grants) from the source to the target (restored) schema by doing the following:
Capture the OIM Database Schema user constituent grants from the source schema by executing the following SQLs as SYS database user:
SELECT DBMS_METADATA.GET_GRANTED_DDL ('SYSTEM_GRANT','<OIM_Schema_Name>') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL ('OBJECT_GRANT', '<OIM_Schema_Name>') FROM DUAL;
In the schema restoration phase prior to schema upgrade, execute the grants output of the SQLs captured in step-1, as post schema restoration step.
Recompile any INVALID objects in the OIM schema using the following steps:
a. Identify INVALID schema objects as SYS user by running the following SQL:
SELECT owner,object_type,object_name,status FROM dba_objects WHERE status = 'INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;
b. Compile the INVALID schema objects using any appropriate method. The following is an example of compiling INVALID schema objects by executing the method UTL_RECOMP as SYS user for the OIM schema:
UTL_RECOMP.recomp_serial('<OIM_Schema_Name>');
END;
Repeat step-a until there are no INVALID objects.
Note:
For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 1, see My Oracle Support document ID 1359656.1.
For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 2, see My Oracle Support document ID 1492129.1.
Before starting the upgrade process, you must ensure that Java Required Files (JRF) is upgraded. To do this, complete the following steps:
Log in to the WebLogic Administration console using the following URL:
http://host:port/console
In this URL, host refers to the name of the host on which WebLogic Administration Server is running, and port refers to the port number.
Click Deployments on the left navigation pane for the OIM_Domain.
Ensure that the following libraries are present:
oracle.adf.desktopintegration(1.0,11.1.1.2.0)
oracle.adf.desktopintegration.model(1.0,11.1.1.2.0)
oracle.bi.adf.model.slib(1.0,11.1.1.2.0)
oracle.bi.adf.view.slib(1.0,11.1.1.2.0)
oracle.bi.adf.webcenter.slib(1.0,11.1.1.2.0)
oracle.bi.composer(11.1.1,0.1)
oracle.bi.jbips(11.1.1,0.1)
If the above libraries are not present, you must upgrade JRF. For more information about upgrading JRF, see "Updating Fusion Middleware Shared Libraries" in the Oracle Fusion Middleware Patching Guide.
The upgrade process involves changes to the binaries and to the schema. Therefore, before you begin the upgrade process, you must shut down the Managed Servers and the Administration Server.
To shut down the Servers, do the following:
To stop the Managed Servers, do the following:
On UNIX:
Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:
cd <MW_HOME>/user_projects/domains/<domain_name>/bin
Run the following command to stop the servers:
./stopManagedWebLogic.sh <server_name> <admin_url> <user_name> <password>
where
<server_name> is the name of the Managed Server.
<admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.
<user_name> is the username of the WebLogic Administration Server.
<password> is the password of the WebLogic Administration Server.
On Windows:
Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:
cd <MW_HOME>\user_projects\domains\<domain_name>\bin
Run the following command to stop the Managed Servers:
stopManagedWebLogic.cmd <server_name> <admin_url> <username> <password>
where
<server_name> is the name of the Managed Server.
<admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.
<username> is the username of the WebLogic Administration Server.
<password> is the password of the WebLogic Administration Server.
For more information, see "Stopping the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Stopping the Administration Server
To stop the Administration Server, do the following:
On UNIX:
Run the following command:
cd <MW_HOME>/user_projects/domains/<domain_name>/bin
./stopWebLogic.sh
On Windows:
Run the following command:
cd <MW_HOME>\user_projects\domains\<domain_name>\bin
stopWebLogic.cmd
You must back up your old Oracle Identity Manager 11.1.1.5.0 environment before you upgrade to Oracle Identity Manager 11g Release 2 (11.1.2).
After stopping the servers, back up the following:
MW_HOME directory, including the Oracle Home directories inside Middleware Home
Domain Home directory
Oracle Identity Manager schemas
MDS schema
ORASDPM schema
SOAINFRA schemas
For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.
This section describes different tasks involved in the upgrade process, like upgrading Oracle Identity Manager and Oracle SOA Suite 11.1.1.5.0 binaries, creating 11.1.2 schemas, configuring the security store, upgrading the Oracle Identity Manager middle tier, verifying the upgrade and so on. The tasks in this section should be performed after you complete all the prerequisites described in section Pre-Upgrade.
This section contains the following topics:
Extending Oracle Identity Manager 11.1.1.5.0 Component Domains with OPSS Template
Upgrading Oracle Identity Management Schemas Using Patch Set Assistant
Changing the Deployment Order of Oracle Identity Manager EAR
Note:
Upgrading Oracle WebLogic Server is not mandatory. However, Oracle recommends that you upgrade Oracle WebLogic Server to 10.3.6.
You can upgrade WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6 by using the WebLogic 10.3.6 Upgrade Installer. Complete the following steps:
Download the WebLogic 10.3.6 Upgrade Installer from Oracle Technology Network.
For more information, see "Downloading an Upgrade Installer From My Oracle Support" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.
Run the Upgrade Installer in graphical mode to upgrade your WebLogic Server.
For more information, see "Running the Upgrade Installer in Graphical Mode" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.
You must update your existing Oracle SOA 11.1.1.5.0 to Oracle SOA 11.1.1.6.0. To do so, complete the tasks listed in Table 6-6:
| Task | For More Information |
|---|---|
|
Obtain the Oracle SOA Suite 11.1.1.6.0 installer. |
See, Oracle Fusion Middleware Download, Installation, and Configuration ReadMe |
|
Start the installer. |
See, "Start the Installer" in the Oracle Fusion Middleware Patching Guide |
|
Upgrade SOA to the latest version. |
See, "Patch Set Installer Instructions" in the Oracle Fusion Middleware Patching Guide |
|
Upgrade your SOA schemas using Patch Set Assistant. |
|
|
Perform post-patching tasks only after starting the Administration Server and the SOA Managed Servers as described in Section 6.4.9, "Starting the Administration Server and SOA Managed Servers". Do not perform the post-patching tasks for SOA until you complete all the tasks till Section 6.4.9. |
See, "Post-Patching Tasks" for Oracle SOA Suite |
This section consists of the following topics:
Before running Patch Set Assistant, you should make sure that your database is running and that the schemas are supported. To check this, run the following SQL command:
SELECT OWNER, VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY;
If the number in the "VERSION" column is 11.1.1.5.0, then the schema is supported for upgrade.
To start Patch Set Assistant, do the following:
Move from your present working directory to the <MW_HOME>/oracle_common/bin directory by running the following command on the command line:
cd <MW_HOME>/oracle_common/bin
Run the following command:
./psa
Move from your present working directory to the <MW_HOME>\oracle_common\bin directory by running the following command on the command line:
cd <MW_HOME>\oracle_common\bin
Execute the following command:
psa.bat
Note:
Even if you upgrade your schemas from 11.1.1.5.0 to 11.1.2, you will see the Patch Set Assistant version number as 11.1.1.6.1 on the Welcome screen.
This is not an error. The discrepancy is caused by a difference between how Patch Set Assistant and Identity Access Management releases are tracked internally.
After starting the Patch Set Assistant Installer, follow the instructions on the screen to update your schemas.
Follow the instructions in Table 6-7 to update your schemas:
Table 6-7 Patch Set Assistant Screens
| Screen | Description |
|---|---|
|
Welcome |
This page introduces you to the Patch Set Assistant. |
|
Select Component |
Select the top-level component you want to upgrade. |
|
Prerequisite |
Verify that you have satisfied the database prerequisites. |
|
Schema |
Specify your database credentials to connect to your database, then select the schema you want to update. Note that this screen appears once for each schema that must be updated as a result of the component you selected on the Select Component screen. |
|
Examine |
This page displays the status of the Patch Set Assistant as it examines each component schema. Verify that your schemas have a "successful" indicator in the Status column. |
|
Upgrade Summary |
Verify that the schemas are the ones you want to upgrade. |
|
Upgrade Progress |
This screen shows the progress of the schema upgrade. |
|
Upgrade Success |
Once the upgrade is successful, you get this screen. |
You can verify the schema upgrade by checking out the log files. The Patch Set Assistant writes log files in the following locations:
On UNIX:
<MW_HOME>/oracle_common/upgrade/logs/psa/psatimestamp.log
On Windows:
<MW_HOME>\oracle_common\upgrade\logs\psa\psatimestamp.log
Some components create a second log file named psatimestamp.out in the same location.
The timestamp reflects the actual date and time when Patch Set Assistant was run.
If any failures occur when running Patch Set Assistant, you can use these log files to help diagnose and correct the problem. Do not delete them. You can alter the contents of the log files by specifying a different -logLevel from the command line.
Some of the operations performed by Patch Set Assistant may take longer to complete than others. If you want to see the progress of these long operations, you can see this information in the log file, or you can use the following query:
SELECT VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE OWNER='schema_name';
In the query results, the STATUS field is either UPGRADING or UPGRADED during the schema patching operation, and becomes VALID when the operation is completed.
To upgrade Oracle Identity Manager, you must use the Oracle Identity and Access Management 11g Release 2 (11.1.2) Installer. During the procedure, point the Middleware Home to your existing 11.1.1.5.0 Middleware Home. Your Oracle Home is upgraded from 11.1.1.5.0 to 11.1.2.
This section contains the following topics:
Starting the Oracle Identity and Access Management 11g Release 2 (11.1.2) Installer
Installing Oracle Identity and Access Management 11g Release 2 (11.1.2)
For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
This topic explains how to start the Oracle Identity and Access Management 11.1.2 Installer.
Notes:
If you are installing on an IBM AIX operating system, you must run the rootpre.sh script from the Disk1 directory before you start the Installer.
Starting the Installer as the root user is not supported.
Start the Installer from the location where you extracted the contents of the installer (for example, <unzipped_folder>/Disk1) by doing the following:
On UNIX:
Run the following command:
./runInstaller -jreLoc <complete path to the JRE directory>
For example:
./runInstaller -jreLoc <MW_HOME>/jdk160_29/jre
On Windows:
Run the following command:
setup.exe -jreLoc <complete path to the JRE directory>
For example:
setup.exe jreLoc <MW_HOME>\jdk160_29\jre
Note:
If you do not specify the -jreLoc option on the command line when using the Oracle JRockit JDK, the following warning message is displayed:
-XX:MaxPermSize=512m is not a valid VM option. Ignoring
This warning message does not affect the installation. You can continue with the installation.
On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, the jrockit_1.6.0_29 directory is not created under your Middleware Home. You must enter the absolute path to the JRE folder from where your JDK is located.
Use the Oracle Identity and Access Management 11.1.2 Installer to upgrade Oracle Identity Management 11.1.1.5.0 to Oracle Identity Management 11.1.2:
After you start the Installer, the Welcome screen appears.
Click Next on the Welcome screen. The Install Software Updates screen appears. Select whether or not you want to search for updates. Click Next.The Prerequisite Checks screen appears. If all prerequisite checks pass inspection, click Next. The Specify Installation Location screen appears.
On the Specify Installation Location screen, point the Middleware Home to your existing 11.1.1.5.0 Middleware Home installed on your system.
In the Oracle Home Directory field, specify the path of the existing Oracle Identity and Access Management Home. This directory is also referred to as <IAM_HOME> in this book.
Click Next. The Installation Summary screen appears.
The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether you want to proceed with the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing Oracle Identity and Access Management, click Install. The Installation Progress screen appears. Click Next.
Note:
If you cancel or abort when the installation is in progress, you must manually delete the <IAM_HOME> directory before you can reinstall the Oracle Identity and Access Management software.
To invoke online help at any stage of the installation process, click Help on the installation wizard screens.
The Installation Complete screen appears. On the Installation Complete screen, click Finish.
This installation process copies the 11.1.2 Oracle Identity and Access Management software to your system.
For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must create Oracle Platform Security Services (OPSS) schema using Repository Creation Utility (RCU), as Oracle Identity Manager upgrade process involves OPSS schema policy store changes. Keys, roles, permissions, and other artifacts used by the applications must migrate to the policy store.
To create OPSS schema using Repository Creation utility, do the following:
Obtain the RCU.
For information about obtaining the RCU software, see "Obtaining RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Start the RCU.
For information about starting the RCU, see "Starting RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Create the OPSS schema.
For information about creating schemas, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Note:
In the Select Components screen, expand AS Common Schemas and select Oracle Platform Security Services. Make sure you do not select any other components.
Oracle Identity Manager 11.1.2 uses the database to store Oracle Entitlements Server policies. This requires extending the 11.1.1.5.0 Oracle Identity Manager domain to include the OPSS data source.
To do so, complete the following steps:
Run the following command to launch the Oracle Fusion Middleware configuration wizard:
On UNIX:
./config.sh
It is located in the <MW_HOME>/<Oracle_IDM1>/common/bin directory.
On Windows:
config.cmd
It is located in the <MW_HOME>\<Oracle_IDM1>\common\bin directory.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.
On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured the components. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next.
The Configure JDBC Data Sources screen is displayed. Configure the opssDS data source, as required. After the test succeeds, the Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select the Oracle Platform Security Services schema.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.
The Test JDBC Component Schema screen is displayed. After the test succeeds, the Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything as you have already configured in your Oracle Identity Manager 11.1.1.5.0 environment. Click Next.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Manager domain is extended to support Oracle Platform Security Services (OPSS).
To upgrade Oracle Platform Security Services (OPSS) schema, do the following:
Move from your present working directory to the <MW_HOME>/oracle_common/common/bin directory by running the following command on the command line:
cd <MW_HOME>/oracle_common/common/bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
./wlst.sh
At the WLST prompt, run the following command:
upgradeOpss(jpsConfig="existing_jps_config_file", jaznData="system_jazn_data_file")
For example:
upgradeOpss(jpsConfig="<MW_HOME>/user_projects/domains/<DOMAIN>/config/fmwconfig/jps-config.xml",jaznData="<MW_HOME>/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml")
Exit the WLST console using the exit()command.
Move from your present working directory to the <MW_HOME>\oracle_common\common\bin directory by running the following command on the command line:
cd <MW_HOME>\oracle_common\common\bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
wlst.cmd
At the WLST prompt, run the following command:
upgradeOpss(jpsConfig="existing_jps_config_file", jaznData="system_jazn_data_file")
For example:
upgradeOpss(jpsConfig="<MW_HOME>\\user_projects\\domains\\base_domain\\config\\fmwconfig\\jps-config.xml",jaznData="<MW_HOME>\\oracle_common\\modules\\oracle.jps_11.1.1\\domain_config\\system-jazn-data.xml")
Exit the WLST console using the exit() command.
Table 6-8 describes the parameters you need to specify on the command line:
Table 6-8 Parameters for Upgrading OPSS
| Parameter | Description |
|---|---|
|
|
Specify the path to the On UNIX, it is located in the On Windows, it is located in the |
|
|
Specify the path to the system-jazn-data.xml file in your 11.1.2 installation. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the |
You must configure the database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2). This is done by running the configureSecurityStore.py script.
For information about configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must upgrade Oracle Identity Manager schema using Patch Set Assistant (PSA). When you select the Oracle Identity Manager Schema, it automatically selects all dependent schemas and upgrades them too.
Complete the tasks listed in Table 6-9 to upgrade your schemas:
Table 6-9 Upgrade Oracle Identity Manager Schemas Using PSA
| Task | For More Information |
|---|---|
|
Check the database and schemas in your system. |
|
|
Start the Patch Set Assistant to run the Installer. |
|
|
Use the Patch Set Assistant's graphic interface to upgrade your schemas to the current version. |
|
|
Verify the schemas you have upgraded. |
See, Verifying Schema Upgrade and Version Numbers After Upgrading Schemas |
Run select version,status,upgraded from schema_version_registry where owner=<SCHEMA_NAME>; and ensure that the version numbers are upgraded, as listed in Table 6-10:
Table 6-10 Component Version Numbers After Upgrading the Schemas
| Component | Version No. |
|---|---|
|
APM |
11.1.1.3.0 |
|
MDS |
11.1.1.6.0 |
|
Oracle Identity Manager |
11.1.2.0.0 |
|
ORASDPM |
11.1.1.2.0 |
|
SOAINFRA |
11.1.1.6.0 (Make sure that you have upgraded SOA schemas as described in Section 6.4.2.1, "Upgrading Schemas using Patch Set Assistant") |
Note:
Do not start the Oracle Identity Manager Managed Servers.
After the upgrade is complete, start the WebLogic Administration Server, the Administration Server for the domain that contains Oracle Identity Management, and SOA Managed Servers.
To start the Administration Server, do the following:
On UNIX:
Run the following command:
cd <MW_HOME>/user_projects/domains/<domain_name>/bin
./startWebLogic.sh
On Windows:
Run the following command:
cd <MW_HOME>\user_projects\domains\<domain_name>\bin
startWebLogic.cmd
To start the Managed Servers, do the following:
On UNIX:
Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:
cd <MW_HOME>/user_projects/domains/<domain_name>/bin
Run the following command to start the SOA Managed Servers:
./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>
where
<managed_server_name> is the name of the Managed Server
<admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.
<user_name> is the username of the WebLogic Administration Server.
<password> is the password of the WebLogic Administration Server.
On Windows:
Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:
cd <MW_HOME>\user_projects\domains\<domain_name>\bin
Run the following command to start the SOA Managed Servers:
startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>
where
<managed_server_name> is the name of the Managed Server.
<admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.
<user_name> is the username of the WebLogic Administration Server.
<password> is the password of the WebLogic Administration Server.
For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must set environment variables, before you upgrade the Oracle Identity Manager middle tier. Follow the steps described in Table 6-11 to set the environment variables.
Table 6-11 Environment Variables for Oracle Identity Manager
| Environment Variable | Values |
|---|---|
|
|
Specify the path to the Oracle Identity Manager's Middleware Home. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the |
|
|
Specify the path to the Oracle WebLogic Server home. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the |
|
|
Specify the path to the Java home. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the |
|
|
Specify the path to the Oracle Identity Manager 11g Release 1 (11.1.1.5.0) Server home. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the |
|
|
Specify the path to the SOA Home. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the |
This section contains the following topics:
Additional Task for Windows 64-Bit Users Before Upgrading Middle Tier
Upgrading Oracle Identity Manager Middle Tier Using Property File
Upgrading Oracle Identity Manager Middle Tier on the Command Line
If you are running the upgrade in a 64-bit Windows platform, complete the following task to run Middle Tier upgrade successfully:
Add a JAVA_HOME entry to the environment variable pointing to a JDK installation, not to a JRE installation.
Note:
This path should be without spaces or like C:\Progra~1\Java\jdk1.6.0_29.
Hard code the value of JAVA_HOME in <WL_HOME>\server\bin\setWLSEnv.cmd file to avoid any Middle Tier upgrade failures.
Note:
The execution is reentrant and will resume with correct execution even if there is any interruption in between.
To upgrade Oracle Identity Manager Middle Tier using property file, complete the following steps:
Move from your present working directory to the <OIM_HOME>/server/bin directory by running the following command on the command line:
cd <OIM_ORACLE_HOME>/server/bin
Change the path to <OIM_ORACLE_HOME>/bin.
Open the following file in a text editor:
oim_upgrade_input.properties
Add the parameters, as listed in Table 6-12.
Move from your present working directory to the <MW_HOME>/Oracle_IDM1/server/bin directory by running the following command on the command line:
cd <MW_HOME>/Oracle_IDM1/server/bin
Run the following command:
./OIMUpgrade.sh
Note:
The following warning is displayed:
[WARN ][jrockit] PermSize=128M ignored: Not a valid option for JRockit
[WARN ][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit
You can ignore this message.
Move from your present working directory to the <OIM_HOME>\server\bin directory by running the following command on the command line:
cd <OIM_ORACLE_HOME>\server\bin
Change the path to <OIM_ORACLE_HOME>\bin.
Open the following file in a text editor:
oim_upgrade_input.properties
Add the parameters, as listed in Table 6-12.
Move from your present working directory to the <MW_HOME>\<OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:
cd <MW_HOME>\<OIM_ORACLE_HOME>\server\bin
Run the following command:
OIMUpgrade.bat
Note:
The following warning is displayed:
[WARN ][jrockit] PermSize=128M ignored: Not a valid option for JRockit
[WARN ][jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit
You can ignore this message.
Table 6-12 Oracle Identity Manager Middle Tier Upgrade Parameters
| Parameter | Description |
|---|---|
|
|
Specify the Oracle Identity Manager JDBC URL. |
|
|
Specify the Oracle Identity Manager schema owner. |
|
|
Specify the MDS JDBC URL. |
|
|
Specify the MDS schema owner name. |
|
|
Specify the Oracle WebLogic Server Administration host name. |
|
|
Specify the Oracle WebLogic Server Administration port. |
|
|
Specify the username that is used to log in to the Oracle WebLogic Server Administration Console. |
|
|
Specify the SOA host name where SOA Server is running. |
|
|
Specify the SOA Server port. |
|
|
Specify the SOA Managed Server username. |
|
|
Specify the Oracle Identity Manager domain location. |
Example Parameters
oim.jdbcurl=db.example.com:5521/dbmode.example.com oim.oimschemaowner=test_oim23 oim.oimmdsjdbcurl=db.example.com:5521/dbmode.example.com oim.mdsschemaowner=test_mds oim.adminport=7001 oim.adminhostname=<oim_host>:<oim_port> oim.adminUserName=weblogic oim.soahostmachine=<oim_soa_host>:<oim_soa_port> oim.soaportnumber=8001 oim.soausername=weblogic oim.domain=/<MW_HOME>/user_projects/domains/<base_domain>
You can also upgrade Oracle Identity Manager Middle Tier by running the OIMUpgrade command on the Command Line Interface (CLI):
Move from your present working directory to the <MW_HOME>/<OIM_ORACLE_HOME>/server/bin directory by running the following command on the command line:
cd <MW_HOME>/<OIM_ORACLE_HOME>/server/bin
Run the following command:
./OIMUpgrade.sh <oim connection string> <oim_schema_owner_name> <mds conection string> <mds schema owner name> <admin_hostname> <admin_port> <admin_username> <soa_host_machine_name> <soa_port_number> <soa_username> <domain_location_directory>
Specify the parameters, as listed in Table 6-12.
Move from your present working directory to the <MW_HOME>\<OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:
cd <MW_HOME>\<OIM_ORACLE_HOME>\server\bin
Run the following command:
OIMUpgrade.bat <oim connection string> <oim_schema_owner_name> <mds_conection_string> <mds_schema_owner_name> <admin_hostname> <admin_port> <admin_username> <soa_host_machine_name> <soa_port_number> <soa_username> <domain_location_directory>
Specify the parameters, as listed in Table 6-12.
Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:
Verify the log files at the following location, by looking for error or warning messages:
On UNIX:
<OIM_HOME>/server/upgrade/logs/MT
On Windows:
<OIM_HOME>\server\upgrade\logs\MT
The following log files are generated:
ant_JRF.log
ant_PatchClasspath.log
OIMUpgrade<timestamp>.log
SeedSchedulerData.log
No error message is displayed if the middle tier upgrade was successful.
OIMupgrade.sh creates a detailed report. Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:
Go to the following path:
On UNIX:
<Oracle_IDM1>/server/upgrade/logs/MT/oimUpgradeReportDir
On Windows:
<Oracle_IDM1>\server\upgrade\logs\MT\oimUpgradeReportDir
Click index.html.
This contains list of all Oracle Identity Manager features and upgrade status of the last middle tier run, in a table format.
Click on the corresponding link of each feature for a detailed feature report.
Table 6-13 Middle Tier Upgrade Report
| Feature | Name | Description |
|---|---|---|
|
|
This report provides a list of features and their upgrade status, from the last run. Access the detailed feature report through the corresponding link on each feature. |
|
|
|
|
This report provides details of all domain related changes during the upgrade process. The changes are:
|
|
|
|
This report provides details of roles processed on the basis of Search Rule, prepared from Rule Elements, defined in the Rules. |
|
|
|
The following request stages are no longer supported:
This report lists the following:
|
|
|
|
This report lists object names processed during upgrade with names of the associated Horizontal Table Name, Recon Profile Name, and Entity Definition Name. |
|
|
NA |
New OOTB SOA Composites deployed:
|
|
|
NA |
This report lists the addition of the following Task Definition's and Scheduler Jobs:
|
|
|
|
This report provides a list of access policy names and the corresponding resource objects, processed during upgrade along with DNLA flag value. Set the value as 1 if DNLA is set, 0 if RNLA is set. |
|
|
NA |
Oracle Identity Manager Metadata present in Oracle Identity Manager MDS is updated with the latest namespace to keep them in consoance with changes in XSD Schemas. |
|
|
NA |
Oracle Identity Manager Application configuration, kept in the metadata location |
|
|
NA |
DDL changes in the ORCHPRCESS TABLE. Data from the old context columns (ContextId) is transformed and moved to new context column (ContextVal). |
You must change the deployment order of oim.ear from 47 to 48. Complete the following steps to do so:
Log in to the WebLogic console.
Click Deployments in the left pane.
Click oim.ear.
Update the deployment order from 47 to 48, click Save.
To restart the Administration Server and Managed Servers, you must stop them first before starting them again.
To stop the servers, see Shutting Down Administration Server and Managed Servers.
To start the servers, see Starting the Administration Server and SOA Managed Servers.
Things to Check on the WebLogic Console After Starting the Administration Server
Check the new data source added:
Log in to Weblogic console.
Click Data Sources.
Verify the data source data source given below:
| Name | Type | JNDI Name | Targets |
|---|---|---|---|
|
oimApplicationDBDS |
Generic |
|
|
Check for SOA Foreign JNDI provider
Log in to Weblogic console.
Click Foreign JNDI Providers.
Verify the existence of Foreign JNDI providers given below:
| Name | Initial Context Factory | Provider URL | User | Targets |
|---|---|---|---|---|
|
ForeignJNDIProvider-SOA |
weblogic.jndi.WLInitialContextFactory |
|
WebLogic |
|
Check the order of the EARs
Log in to Weblogic console.
Click Deployments.
Verify the deployment order for the following list respectively:
| Name | State | Health | Type | Deployment Order |
|---|---|---|---|---|
|
oim (11.1.1.3.0) |
Active |
OK |
Enterprise Application |
48 |
|
OIMAppMetadata (11.1.2.0.0) |
Active |
OK |
Enterprise Application |
47 |
|
OIMMetadata (11.1.1.3.0) |
Active |
OK |
Enterprise Application |
46 |
|
oracle.iam.console.identity.sysadmin.ear (V2.0) |
Active |
OK |
Enterprise Application |
406 |
|
oracle.iam.console.identity.self-service.ear (V2.0) |
Active |
OK |
Enterprise Application |
405 |
|
oracle.iam.ui.custom(11.1.1,11.1.1) |
Active |
Library |
404 |
|
|
oracle.iam.ui.oia-view(11.1.1,11.1.1) |
Active |
Library |
403 |
|
|
oracle.iam.ui.view(11.1.1,11.1.1) |
Active |
Library |
402 |
|
|
oracle.iam.ui.model(1.0,11.1.1.5.0) |
Active |
Library |
401 |
Oracle Identity Manager 11.1.1.5.0 MDS metadata must be upgraded to Oracle Identity Manager 11.1.2 MDS metadata. Starting the Oracle Identity Manager Managed Servers patches the MDS metadata.
To start the Managed Servers, do the following:
On UNIX:
Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:
cd <MW_HOME>/user_projects/domains/<domain_name>/bin
Run the following command to start the Servers:
./startManagedWebLogic.sh <managed_server_name> <admin_url> <user_name> <password>
where
<managed_server_name> is the name of the Managed Server
<admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.
<user_name> is the username of the WebLogic Administration Server.
<password> is the password of the WebLogic Administration Server.
On Windows:
Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:
cd <MW_HOME>\user_projects\domains\<domain_name>\bin
Run the following command to start the Managed Servers:
startManagedWebLogic.cmd <managed_server_name> <admin_url> <user_name> <password>
where
<managed_server_name> is the name of the Managed Server.
<admin_url> is URL of the administration console. Specify it in the format http://<host>:<port>/console. Specify only if the WebLogic Administration Server is on a different computer.
<user_name> is the username of the WebLogic Administration Server.
<password> is the password of the WebLogic Administration Server.
For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Check MDS reports in the following location:
On UNIX:
<OIM_ORACLE_HOME>/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html
On Windows:
<OIM_ORACLE_HOME>\server\logs\MDS_REPORT_DIRECTORY\MDSReport.html
The Oracle Identity Manager Design Console is used to configure system settings that control the system-wide behavior of Oracle Identity Manager and affect its users. The Design Console allows you to perform user management, resource management, process management, and other administration and development tasks. For more information about the Design Console, see "Design Console Overview" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Oracle recommends that you install Oracle Identity Manager and the Design Console in different directory paths, regardless of whether the Design Console is on the same system as the Oracle Identity Management server.
To upgrade Design Console, complete the following steps:
Back up the following files:
On UNIX, $<XLDC_HOME>/xlclient.sh
$<XLDC_HOME>/config/xlconfig.xml
On Windows, <XLDC_HOME>\xlclient.cmd
<XLDC_HOME>\config\xlconfig.xml
Run the Oracle Identity and Access Management 11.1.2 Installer to upgrade the Design Console home <XLDC_HOME>.
For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Restore the backed up files in the upgraded Design Console home.
Build and copy the wlfullclient.jar file as follows:
Go to WebLogic_Home/server/lib directory on UNIX and WebLogic_Home\server\lib directory on Windows.
Set the JAVA_HOME environment variable and add the JAVA_HOME variable to the PATH environment variable.
For example, you can set the JAVA_HOME to the jdk160_21 directory inside the Middleware home.
Run the following command to build the wlfullclient.jar file:
java -jar <MW_HOME>/modules/com.bea.core.jarbuilder_1.7.0.0.jar
Copy the wlfullclient.jar file to the <IAM_HOME> where you installed the Design Console. For example:
On UNIX:
cp wlfullclient.jar <Oracle_IDM2>/designconsole/ext
On Windows:
copy wlfullclient.jar <Oracle_IDM2>\designconsole\ext
Complete the following steps to upgrade Remote Manager:
Back up configuration files
Before starting the Remote Manager upgrade, back up the following Remote Manager configuration files:
On UNIX, $<XLREMOTE_HOME>/remotemanager.sh
$<XLREMOTE_HOME>/xlremote/config/xlconfig.xml file.
On Windows, <XLREMOTE_HOME>\remotemanager.bat
<XLREMOTE_HOME>\xlremote\config\xlconfig.xml file.
Run the Oracle Identity and Access Management Installer to upgrade the Remote Manager home.
For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Restore configuration files.
Restore the backed up configuration files in the upgraded Remote Manager home.
Complete the following steps to configure the BI Publisher Reports:
Obtain the reports bundle oim_product_BIP11gReports_11_1_2_0_0.zip. from the following location:
MW_HOME/IAM_HOME/server/reports/oim_product_BIP11gReports_11_1_2_0_0.zip
Unzip oim_product_BIP11gReports_11_1_2_0_0.zip at the following location:
IAM_HOME/Middleware/user_projects/domains/domain_name/config/bipublisher/repository/Reports/
Configure reports by following the instructions in "Configuring Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This section contains the following topics:
Impact of Removing Approver-Only Attribute in Request Data Set
Changes to Request API After Upgrading to Oracle Identity Manager 11g Release 2 (11.1.2)
Provisioning Oracle Identity Management Login Modules Under WebLogic Server Library Directory
After upgrading from Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2:
The name of the following EARs remain unchanged from Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2:
Oracle Identity Manager Metadata (11.1.1.3.0)
Oracle Identity Manager (11.1.1.3.0)
There is no functional loss.
Resource Object flags are not supported in Oracle Identity Manager 11.1.2. Update all non-system resources with the following values:
Allow All: True
Provision By Object Admin Only: False
Self Request Allowed: True
All of the resources provisioned to an organization in Oracle Identity Manager 11.1.1.5.0 is available in Provisioned Accounts, after upgrading to Oracle Identity Manager 11.1.2. To view, go to the following path:
Connect to the Oracle Identity Manager Identity console.
Go to Administration.
Select Organizations.
Search for organizations.
Select any organization.
Go to Provisioned Accounts to see all Oracle Identity Manager 11.1.1.5.0 based resources, provisioned to an organization.
In Oracle Identity Manager 11.1.1.5.0, data object permission was shown in the Administration Console under Roles.
In Oracle Identity Manager 11.1.2, data object permission is not shown.
Oracle Identity Manager 11.1.2 based Oracle Identity Manager reports is supported in BI Publisher 11g.
If you are using Oracle Database, you must check for the INVALID schema objects, and compile them if there are any. To do this, complete the following steps:
Identify the INVALID schema objects by running the following SQL query as SYS user:
SELECT owner,object_type,object_name,status FROM dba_objects WHERE status='INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;
If there are any INVALID schema objects, you must compile them by connecting to the database as SYS user, and running the following from SQL*Plus:
@<$Oracle_Database_Home_Location>/rdbms/admin/utlrp.sql
After running the utlrp.sql, run the SQL query described in step-1 to ensure that there are no INVALID Database objects.
After you upgrade OIM 11.1.1.5.0 to 11.1.2, you must manually create the sysadmin key using Oracle Enterprise Manager console. To do this, complete the following steps:
Log in to the Oracle Enterprise Manager console using the following URL:
http://<host>:<port>/em
Select Farm_base_domain.
Expand WebLogic Domain on the Target Navigation pane.
Click base_domain.
Click on the WebLogic Domain drop-down list.
Click Security, and then click Credentials.
Select oracle.wsm.security.
Click Create Key.
Specify the right values for the following fields:
Select Map: Select oracle.wsm.security for this field.
*Key: Specify OIMAdmin.
Type: Select Password.
*User Name: Specify the username of the system administrator. For example, xelsysadm.
*Password: Specify the password of the system administrator.
*Confirm Password: Retype the password to confirm.
Click OK.
Removing approver-only attribute in the Request Data Set results in the following:
Before upgrade: The requester cannot see attributes approver-only='true', during request submission.
After upgrade: The requester must provide the value during request submission.
All attributes in the request data sets marked with required=true and approver-only=true should be marked as required=false in the data set.
Make the required fields mandatory in the approver screen through user interface customization.
For attributes in the request data sets marked with required=true, see Section 6.5.11.2, "User Interface Customization for 11.1.1.5.0 Mandatory UDF and OOTB Attributes" for more information.
You must manually add LDAP Sync Validation Handler. To do so, complete the following steps:
Export the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
exportAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
Add the following section of the EventHandlers.xml by editing the file in a text editor. Save the file:
<validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="MODIFY" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">
</validation-handler>
<validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="CREATE" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">
</validation-handler>
Import the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
importAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
You must manually remove the RDN pre-process handler. To do so, complete the following steps:
Export the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
exportAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
Remove the following section of the EventHandlers.xml by editing the file in a text editor. Save the file:
<action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
</action-handler>
<action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="MODIFY"name="ModifyUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
</action-handler>
Import the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
importAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
If you have any custom validation handlers in your environment, ensure that the validation is re-entrant. For more information, see "Writing Custom Validation Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
If you have any custom user name policy configured in your environment, see "Writing Custom User Name Policy" in the Oracle Fusion Middleware User's Guide for Oracle Identity Manager to ensure the following:
Use the recommended oracle.iam.identity.usermgmt.api.UserNameGenerationPolicy interface to implement policy, instead of using oracle.iam.identity.usermgmt.api.UserNamePolicy.
Ensure that Custom User Name policy return is the same user login when the approver updates an attribute that does not contribute in generating user login.
As part of Oracle Identity Manager 11g Release 2 (11.1.2) architecture, changes are introduced to RequestService and UnauthenticatedRequestService APIs in terms of usage and in terms of concepts involved. Request Template concept is no longer part of Oracle Identity Manager 11g Release 2 (11.1.2) and some methods in these APIs are deprecated. Also, RequestTemplateService API is completely deprecated.
This section contains the following topics:
The following is a list of API methods deprecated in RequestService:
public List<String> getTemplateNames() throws RequestServiceException
public RequestModel getModelForTemplate(String templateName) throws RequestServiceException
public RequestDataSet getRestrictedDataSet(String templateName, String entityType) throws RequestServiceException
public RequestTemplate getTemplate(String templateName) throws RequestServiceException
public void updateApproverOnlyData(String reqId, List<RequestBeneficiaryEntity> benEntities, List<RequestEntity> reqEntities) throws RequestServiceException
public List<String> getTemplateNamesForSelf() throws RequestServiceException
public List<RequestTemplate> getRequestTemplates(RequestTemplateSearchCriteria searchCriteria, Set<String> returnAttrs, Map<String,Object> configParams) throws RequestServiceException
The following is a list of API methods deprecated due to storing comments in SOA Human Task comments feature:
public void addRequestComment(String reqId, RequestComment comment) throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId) throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId, RequestComment.TYPE type) throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId, String taskId, RequestComment.TYPE type) throws RequestServiceException
The following is a list of API methods deprecated in UnauthenticatedRequestService:
public List<String> getTemplateNames() throws RequestServiceException
public RequestTemplate getTemplate(String templateName) throws RequestServiceException
public RequestDataSet getRestrictedDataSet(String templateName, String entitySubType) throws RequestServiceException
Request types which were used to perform SELF operations have been deprecated. These operations include the following:
Self Modify User
Self Assign Roles
Self Remove Roles
Self Provision Resource
Self De-provision Resource
Self Modify Resource
You can continue with these operations by using the corresponding non-self request types.
The only method that have changes in usage is RequestService.submitRequest()/UnauthenticatedRequestService.submitRequest(). The API method signature remains the same. However, the way RequestData Value Objects are created, have changed. The changes are covered in the following sections:
Changes to entity-type includes the following:
Resource entity-type is replaced with Application Instance.
Beginning from Oracle Identity Manager 11g Release 2 (11.1.2), in order to create any provision, revoke, disable, and enable account type of request, the entityType property must be set to ApplicationInstance instead of Resource.
A new entity-type called Entitlement is introduced in Oracle Identity Manager 11g Release 2 (11.1.2). Oracle Identity Manager supports creating Provision Entitlement and Revoke Entitlement type of requests.
Changes to value objects, related to RequestData includes the following:
requestTemplateName property which was a part of oracle.iam.request.vo.RequestData value objects is deprecated. Even if you set this property, it is not honoured.
A new property called operation is introduced in oracle.iam.request.vo.RequestEntity and oracle.iam.request.vo.RequestBeneficiaryEntity value objects. It is mandatory to set this property while creating the value objects. You can use the following constants defined in oracle.iam.request.vo.RequestConstants class.
MODEL_CREATE_OPERATION – Create User operation
MODEL_MODIFY_OPERATION – Modify User operation
MODEL_DELETE_OPERATION – Delete User operation
MODEL_ENABLE_OPERATION – Enable User operation
MODEL_DISABLE_OPERATION – Disable User operation
MODEL_ASSIGN_ROLES_OPERATION – Assign Roles operation
MODEL_REMOVE_ROLES_OPERATION – Remove Roles operation
MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION – Provision Application Instance operation
MODEL_MODIFY_ACCOUNT_OPERATION – Modify Account operation
MODEL_REVOKE_ACCOUNT_OPERATION – Revoke Account operation
MODEL_ENABLE_ACCOUNT_OPERATION – Enable Account operation
MODEL_DISABLE_ACCOUNT_OPERATION – Disable Account operation
MODEL_PROVISION_ENTITLEMENT_OPERATION – Provision Entitlement operation
MODEL_REVOKE_ENTITLEMENT_OPERATION – Revoke Entitlement operation
MODEL_ACCESS_POLICY_PROVISION_APPINSANCE_OPERATION – Access Policy based provisioning operation
While creating RequestEntity or RequestBeneficiaryEntity value objects, you can also use the following method to set the entityType property:
public void setRequestEntityType(oracle.iam.platform.utils.vo.OIMType type)
type - OIMType.Role/ OIMType.ApplicationInstance/OIMType.Entitlement/ OIMType.User
Listed below are some code examples:
Create a RequestData for a Create User operation as follows:
RequestData requestData = new RequestData("Create User");
requestData.setJustification("Creating User John Doe");
String usr = "John Doe";
RequestEntity ent = new RequestEntity();
ent.setEntityType(RequestConstants.USER);
ent.setOperation(RequestConstants.MODEL_CREATE_OPERATION); //New in R2
List<RequestEntityAttribute> attrs = new ArrayList<RequestEntityAttribute>();
RequestEntityAttribute attr = new RequestEntityAttribute("Last Name", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("First Name", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("User Login", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("Password", "Welcome123", RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("Organization", 1L, RequestEntityAttribute.TYPE.Long);
attrs.add(attr);
attr = new RequestEntityAttribute("User Type", false, RequestEntityAttribute.TYPE.Boolean);
attrs.add(attr);
attr = new RequestEntityAttribute("Role", "Full-Time", RequestEntityAttribute.TYPE.String);
attrs.add(attr);
ent.setEntityData(attrs);
List<RequestEntity> entities = new ArrayList<RequestEntity>();
entities.add(ent);
requestData.setTargetEntities(entities);
//Submit the request with the above requestData
Create a RequestData for an Assign Roles operation as follows:
RequestData requestData = new RequestData();
requestData.setJustification("Assigning IDC ADMIN Role(role key 201) to user with key 121");
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1. setRequestEntityType (oracle.iam.platform.utils.vo.OIMType.Role);
ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_ASSIGN_ROLES_OPERATION); //New in R2
ent1.setEntitySubType("IDC ADMIN");
ent1.setEntityKey("201");
List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
entities.add(ent1);
Beneficiary beneficiary = new Beneficiary();
beneficiary.setBeneficiaryKey("121");
beneficiary.setBeneficiaryType (Beneficiary.USER_BENEFICIARY);
beneficiary.setTargetEntities(entities);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Create a RequestData for a Provision Application Instance operation as follows:
RequestData requestData = new RequestData();
requestData.setJustification("Creating AD User (app instance key 201) account to user with key 121");
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1. setRequestEntityType (oracle.iam.platform.utils.vo.OIMType.ApplicationInstance);
ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION);
ent1.setEntitySubType("AD User");
ent1.setEntityKey("201");
List<RequestBeneficiaryEntityAttribute> attrs = new ArrayList<RequestBeneficiaryEntityAttribute>();
//Update 'attrs' above with all the data specific to AD User form.
ent1.setEntityData(attrs);
List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
entities.add(ent1);
Beneficiary beneficiary = new Beneficiary();
beneficiary.setBeneficiaryKey("121");
beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
beneficiary.setTargetEntities(entities);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Create a RequestData for a Provision Entitlement operation as follows:
RequestData requestData = new RequestData();
Beneficiary beneficiary1 = new Beneficiary();
beneficiary1.setBeneficiaryKey("222");
beneficiary1.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1.setEntityType(RequestConstants.ENTITLEMENT);
ent1.setEntitySubType("AD USER ENTITLEMENT1");
ent1.setEntityKey("122");
ent1.setOperation(RequestConstants.MODEL_PROVISION_ENTITLEMENT_OPERATION);
List<RequestBeneficiaryEntity> entities1 = new ArrayList<RequestBeneficiaryEntity>();
entities1.add(ent1);
beneficiary1.setTargetEntities(entities1);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary1);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Note:
Perform this task only if you want to integrate Oracle Identity Manager with Oracle Access Manager for single sign-on, after upgrading to Oracle Identity Manager 11.1.2.
Ensure that Oracle Access Manager is at release 11.1.1.5.2 or later.
If you want to integrate Oracle Identity Manager 11.1.2 with Oracle Access Manager for single sign-on, then you must upgrade Oracle Access Manager to 11.1.1.5.2 or later. If your Oracle Access Manager version is less than 11.1.1.5.2, the auto-login functionality does not work.
After upgrading to Oracle Identity Manager 11.1.2, upgrade Oracle Identity Manager and Oracle Access Manager configurations for auto-login functionality to work. After upgrading the configurations, NAP protocol is replaced by TAP protocol for communication between Oracle Identity Manager and Oracle Access Manager.
The following topics provide upgrade instructions for two possible scenarios:
Using 10g WebGate for Oracle Identity Manager-Oracle Access Manager Integration
Using 11g WebGate for Oracle Identity Manager-Oracle Access Manager Integration
Before you begin with the upgrade configuration procedures, refer to the "Using the idmConfigTool Command" for more about the IdmConfigTool in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.
If you are using 10g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:
In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in <DOMAIN_HOME>/output directory.
In the idmConfigTool, run configOIM. In a cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:
OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>
OAM11G_WLS_ADMIN_PORT: <OAM admin server port>
OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>
Note:
When running the configOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.
The WEBGATE_TYPE property should be specified as ohsWebgate10g.
Restart the Administration and Managed Servers. In the case of a cross domain setup, restart servers from both the domains.
Restart the Oracle Identity Manager Administration Server and Managed server as follows:
On UNIX:
<MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh
<MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>
On Windows:
<MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd
MW_HOME\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>
For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
If you are using 11g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:
In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in the <DOMAIN_HOME>/output directory.
In the idmConfigTool, run configOIM. In cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:
OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>
OAM11G_WLS_ADMIN_PORT: <OAM admin server port>
OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>
Note:
When running the configOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.
The WEBGATE_TYPE property should be specified as ohsWebgate11g.
Restart the Administration and Managed servers. In the case of a cross domain setup, restart servers from both the domains.
Restart the Oracle Identity Manager Administration Server and Managed server as follows:
On UNIX:
<MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh
<MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>
On Windows:
<MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd
MW_HOME\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>
For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must run the Entitlement List Schedule task in order to use catalog features.
Complete the following steps to run the Entitlement List Schedule job:
Log in to the following location:
http://<OIM_HOST>:<OIM_PORT>/sysadmin
Click System Management.
Select Scheduler.
Enter "Entitlement List" in the Search Scheduled Jobs field and click Search.
Select Entitlement List.
Click Run Now. Wait till the job is complete.
You must run the Evaluate User Policies scheduled task to start provisioning based on access policy after the role grant. This scheduled task can be configured to run every 10 minutes, or you can run this scheduled task manually.
To start the scheduler, see "Starting and Stopping the Scheduler" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Resource objects are transformed during the upgrade process. In order to provision the resource of an object, called App instance, with Oracle Identity Manager 11.1.2, you must run the Catalog Synchronization job.
For more information, see "Bootstrapping the Catalog" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Note:
If no Entitlements show up, make sure that the entitlements field in the child tables is set to Entitlement=true and reloaded into the parent form.
This is a new Oracle Identity Manager 11.1.2 feature for notification. If you want to use this new notification model, after upgrading to 11.1.2, complete the following steps:
Configure Email driver from Enterprise Manager user interface:
Log in to Oracle Enterprise Manager Fusion Middleware Control and do the following:
i. Expand Application Deployments.
ii. Expand User Messaging Service.
iii. Select usermessagingdriver-email (<soa_server1>).
iv. Select Email Driver Properties.
v. Select in Driver-Specific Configuration.
Configure the values, as listed in Table 6-14:
Table 6-14 UMS Parameters and Description
| Parameter | Description |
|---|---|
|
OutgoingMailServer |
Name of the SMTP server. For example:
|
|
OutgoingMailServerPort |
Port of the SMTP server. For example: 456 |
|
OutgoingMailServerSecurity |
The security setting used by the SMTP server Possible values can be None/TLS/SSL. |
|
OutgoingUsername |
Provide a valid username. For example:
|
|
OutgoingPassword |
Complete the following:
|
Configure the Notification provider XML through the Enterprise Manager user interface:
Log in to Enterprise Manager and do the following:
i. Expand Application Deployments.
ii. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.
iii. Select System MBean Browser.
iv. Expand Application Defined MBeans.
v. Expand oracle.iam.
vi. Expand Server_OIM_Server1
vii. Expand Application: oim.
viii. Expand IAMAppRuntimeMBean.
ix. Select UMSEmailNotificationProviderMBean.
Configure the values, as listed in Table 6-15:
Table 6-15 Parameter for Configuring Notification Provider
| Parameter | Description |
|---|---|
|
Web service URL |
Start the URL of UMS web service. Any SOA server can be used. For example:
|
|
Policies |
The OWSM Policy is attached to the given web service, leave it blank. |
|
Username |
The username is given in the security header of web service. If there is no policy attached, leave it blank. |
|
Password |
The password given in the security header of web service. If there is no policy attached, leave it blank. |
After upgrading to 11.1.2, if you want to use SMTP notification provider instead of the default UMS notification provider, do the following:
Log in to Enterprise Manager and do the following:
Expand Application Deployments.
Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and Right click.
Select System MBean Browser.
Expand Application Defined MBeans.
Expand oracle.iam.
Expand Server_OIM_Server1
Expand Application: oim.
Expand IAMAppRuntimeMBean.
Select UMSEmailNotificationProviderMBean.
Ensure that the value of the attribute Enabled is set to true.
Provide the configuration values in MBean (username, password, mailServerName) or the name of IT Resource in MBean.
The IT Resource name is the name given in XL.MailServer system property, before you upgrade Oracle Identity Manager 11.1.1.5.0 to Oracle Identity Manager 11.1.2.
You must have UDF in your environment because if you do not update your User Interface with UDFs, several features like user creation, role creation, and self registration request where UDFs are involved fails.
This section contains the following topics:
For an Oracle Identity Manager 11.1.2 environment that has been upgraded from Oracle Identity Manager 11.1.1.5.0, the custom attributes for user entity already exist in the back-end. These attributes are not present as form fields on the Oracle Identity Manager 11.1.2 user interface screens until the user screens are customized to add the custom fields.
However, before you can customize the screens, you must first complete upgrading the custom attributes using the Upgrade User Form link in the System Administration console.
After completing the Upgrade User Form, the User value object (VO) instances in various Data Components like DataComponent-Catalog, DataComponent-My Information, DataComponent-User Registration shows the custom attributes. This includes all custom attributes available for Web Composer (Customized) and can be added to User user interface screens.
For more information, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Complete the following steps to render UDFs:
Log in to the Identity System Administration console.
Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.
Publish the Sandbox.
Log out from Identity System Administration console.
Log in to Identity Self Service console.
Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
From the left navigation pane, select Users.
Click Create User. A Create User page opens. Fill up all the mandatory fields. Add the same UDFs in Modify User and User Detail screen. Select the correct Data Component and UserVO Name as listed in Table 6-16.
For example:
From the left navigation pane, click Users. Click User to go to the Create User screen and fill all mandatory fields.
Click Customize on top right. Select View. Select Source.
Select Name in Basic Information and click Edit on the confirmation window.
Select panelFormLayout. Click Add Content.
Select the correct Data Component and VO Name as listed in Table 6-16:
Table 6-16 UDF Screens and Description
| Screen Name | Data Component | VO Name | Procedure |
|---|---|---|---|
|
Create User |
Data Component - Catalog |
UserVO |
Do the following:
|
|
Modify User |
Data Component - Catalog |
UserVO |
Do the following:
|
|
View User Details |
Data Component - Manage Users |
UserVO1 |
Do the following:
|
|
Bulk Modify User Flow |
Data Component - Catalog |
UserVO |
Do the following:
|
|
My Information |
Data Component - My Information |
UserVO1 |
Do the following:
|
|
Customizing Search Results |
Data Component - Manage Users |
UserVO1 |
Do the following:
|
|
User Registration |
Data Component - User Registration |
UserVO1 |
Do the following:
|
|
Adding UDF in Search Panel |
NA |
NA |
Do the following:
|
|
Customizing Request Summary/Details |
NA |
NA |
Requests created after Create User, Modify User, My Information, Self Registration |
Click Close.
Click Sandboxes. Export the sandbox using Export Sandbox.
Publish the sandbox.
Log out from Identity Self Service, and log in again. The added UDF in the screen is seen.
If you have rendered the OOTB attributes as mandatory in Oracle Identity Manager 11.1.1.5.0, you must customize the user interface in order to achieve the same customizations after upgrade.
Log in to Identity System Administration console.
Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.
Publish the Sandbox.
Log out from Identity System Administration console.
Log in to Identity Self Service console.
Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
From the left navigation pane, click Users. Click User to go to the Create User screen and fill all the mandatory fields.
Click Customize on top right. Select View. Select Source.
Select Name in Basic Information and click Edit on the confirmation window.
Select panelFormLayout. Click Add Content.
Click Input Component and click Edit.
On the Component Properties dialogue, select Show Required checkbox. In the Required field, select Expression Editor, and in the Expression Editor field, enter the value as true.
Click Close.
Click Sandboxes. Export the sandbox using Export Sandbox.
Publish the sandbox.
Log out from Identity Self Service, and log in again. The added UDF on the screen with an asterix (*) symbol is seen.
In user customization upgrade, multiple values for the Save Column may exist in User.xml. Based on the possible values; single, multiple, and null, do the following in the upgraded environment:
Use Single value for Save Column: User creation is successful, and the value of the field is also saved in database.
Use Multiple or NULL value for Save Column: User creation is successful, but the value is not saved in database.
Update the Lookup By Query metadata definition attached to an attribute in User or Role through Config Service or Design Console.
For more information, see Section 6.4.16, "Upgrading Oracle Identity Manager Design Console".
Note:
You can customize Role UDF and Organization UDF, as done in Section 6.5.11, "Upgrading User UDF".
After you complete the upgrade, you must complete the following steps to upgrade Application Instances:
Log in to the following console:
http://<OIM_HOST>:<OIM_PORT>/sysadmin
Expand Upgrade on the left navigation pane.
Click Upgrade Application Instances.
This creates the U/I Forms and Datasets for the Application Instances, and seeds to MDS.
Note:
This section is required only if the Diagnostic Dashboard services for AD Password Sync were deployed in 11.1.1.5.0 and if your application is deployed in staging mode in 11.1.1.5.0.
Before you can re-deploy, you must undeploy XIMDD from the 11.1.1.5.0 Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
If you are running in production mode, click Lock and Edit.
Click Deployments.
In the resulting list, look for XIMDD.
If they are running, select XIMDD.
Click Delete.
Activate the changes.
To redeploy, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
Click Lock & Edit.
Click Deployments.
Click Install.
In the path, give the path for XIMDD.ear
The default path is in the following location:
On UNIX, $<OIM_HOME>/server/webapp/optional
On Windows, <OIM_HOME>\server\webapp\optional
Select XIMDD.ear. Click Next.
Select Install this deployment as an application. Click Next .
In Select deployment targets page, select oim server. Click Next.
In the Optional Setting page, click Finish.
Click Deployments.
Select XIMDD. Click Start.
From the options, select Service All Requests.
Note:
This section is required only if the DSML web services for AD Password Sync were deployed in 11.1.1.5.0.
Before you can redeploy, you must undeploy SPML-DSML from the 11.1.1.5.0 Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
If you are running in production mode, obtain the Lock in order to make updates.
Click Deployments.
In the resulting list, look for spml.
If they are running, select spml.
Click Delete.
Activate the changes.
To redeploy, complete the following steps:
Log in to WebLogic Server Administration console through the following path:
host:admin port/console
Click Lock & Edit.
Click Deployments.
Click Install.
In the path give the path for spml.ear
The default path is in the following location:
On UNIX, $<OIM_HOME>/server/webapp/optional
On Windows, <OIM_HOME>\server\webapp\optional
Select spml.ear. Click Next.
Select Install this deployment as an application. Click Next .
In Select deployment targets page, select oim server. Click Next.
In the Optional Setting page, click Finish.
Click Deployments.
Select spml. Click Start.
From the options, select Service All Requests.
If you have used any event handlers in Oracle Identity Manager 11.1.1.5.0, you must re-customize the event handler for Oracle Identity Manager 11.1.2.
For more information, see "Developing Custom Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
You must manually upgrade OOTB composites and custom composites built before upgrading to 11.1.2.
This section contains the following topics:
Note:
Redeploying a composite moves all pending tasks to STALE state. Oracle recommends you to close any pending task before upgrading the composites.
Upgrade OOTB composites that are not modified, using either JDeveloper or SOA Composer, before upgrading to Oracle Identity Manager 11.1.2. Complete the following steps to upgrade DefaultRequestApproval composite:
Move from your present working directory to the <OIM_ORACLE_HOME>/server/workflows directory by running the following command on the command line:
On UNIX:
cd <OIM_ORACLE_HOME>/server/workflows
On Windows:
cd <OIM_ORACLE_HOME>\server\workflows
Unzip DefaultRequestApproval.zip.
Log in to the Oracle Enterprise Manager console:
http://<host>:<port>/em
Expand Farm_<oim_domain_name>_d > SOA -> soa-infra -> default
Right click DefaultRequestApproval[1.0] and select SOA Deployment -> Redeploy
Select Archive is on the machine where Enterprise Manager is running.
Provide the absolute path to the sca jar for DefaultRequestApproval composite:
On UNIX:
<OIM_HOME>/server/workflows/composites/DefaultRequestApproval/deploy/sca_DefaultRequestApproval_rev1.0.jar
On Windows:
<OIM_HOME>server\workflows\composites\DefaultRequestApproval\deploy\sca_DefaultRequestApproval_rev1.0.jar
Select No Configuration plan is required.
Click Next.
Select Deploy as default revision.
Click Redeploy.
Repeat steps 2 to 11 for the remaining composites, which were not modified before upgrading to Oracle Identity Manager 11.1.2.
Note:
DefaultResourceAuthorizer and DefaultResourceAdministrator are no longer supported in 11.1.2.
Upgrade custom composites created before upgrading to Oracle Identity Manager 11.1.2 and OOTB composites modified, using either JDeveloper or SOA Composer, before upgrading to Oracle Identity Manager 11.1.2. Complete the following steps to upgrade DefaultRequestApproval composite:
Open the SOA composite project in JDeveloper (Use Jdeveloper 11.1.1.6.0).
Open ApprovalTask.task file in designer mode.
Select General.
Change Owner to Group, SYSTEM ADMINISTRATORS, STATIC.
Select Outcomes lookup. An Outcomes Dialog opens.
Select Outcomes Requiring Comment.
Select Reject and click Ok.
Click Ok again.
Select Notification.
Click on the update icon under Notification. Update any old URLs in notification with the corresponding new URL in 11.1.2. An example notification content is given below:
A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR> Request ID: <%/task:task/task:payload/task:RequestID%> <BR> Request type: <%/task:task/task:payload/task:RequestModel%> <BR> <BR> Access this task in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details > Identity Self Service </A> application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request
Click Advanced.
Deselect Show worklist/workspace URL in notifications. Provide the URL to Pending Approvals in identity application as shown in the example in step 10.
Repeat step 1 to 12 for other human tasks, if any, in the composite. Save your work.
Right click Project and select Deploy -> Deploy to Application Server.
Provide revision ID. Select Mark revision as default and Overwrite any existing composite with same revision ID.
Note:
You can also deploy the composites with different revision ID. In that case you have to modify all approval policies using this composite.
Select your application server connection, if it already exists, and click Next. Create an application server connection if it does not exist.
Click Next.
Click Finish.
Repeat the procedure for the remaining custom composites and modified OOTB composites as well.
Note:
This task is required only if OIMAuthenticator.jar is already present under the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory.
Apply the following steps across all the WebLogic Server homes in the domain :
On UNIX:
Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>/server/loginmodule/wls directory to <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:
cp <OIM_ORACLE_HOME>/server/loginmodule/wls/* <MW_HOME>/wlserver_10.3/server/lib/mbeantypes/
Move from your present working directory to the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:
cd <MW_HOME>/wlserver_10.3/server/lib/mbeantypes
Change the permissions on these files to 750 by using the chmod command:
chmod 750 *
Restart all servers in the domain.
On Windows:
Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>\server\loginmodule\wls directory to <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:
cp <OIM_ORACLE_HOME>\server\loginmodule\wls\* <MW_HOME>\wlserver_10.3\server\lib\mbeantypes
Move from your present working directory to the <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:
cd <MW_HOME>\wlserver_10.3\server\lib\mbeantypes
Change the permissions on these files to 750 by using the chmod command:
chmod 750 *
Restart all servers in the domain.
If you have custom Authorization Policies in Oracle Identity Manager in 11g Release 1 (11.1.1.5.0), in order to create or modify users, you must assign new administrator roles in relation to User Administration, Role Administration, or Help Desk.
Table 6-17 lists the Administration roles in Oracle Identity Manager 11g, either removed or consolidated into the System Administrator Administration role for all system administrative operations in Oracle Identity Manager 11.1.2:
Table 6-17 Changes in Role from Oracle Identity Manager 11g to 11.1.2
| Sl No. | Roles in Oracle Identity Manager 11g | Roles Removed and Replaced in Oracle Identity Manager 11.1.2 |
|---|---|---|
|
1 |
SCHEDULER ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
2 |
DEPLOYMENT MANAGER ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
3 |
NOTIFICATION TEMPLATE ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
4 |
SOD ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
5 |
SYSTEM CONFIGURATION ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
6 |
GENERATE_USERNAME_ROLE |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
7 |
IDENTITY USER ADMINISTRATORS |
Removed and replaced with USER ADMIN. |
|
8 |
USER CONFIGURATION ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
9 |
ACCESS POLICY ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
10 |
RECONCILIATION ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
11 |
RESOURCE ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
12 |
GENERIC CONNECTOR ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
13 |
APPROVAL POLICY ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
14 |
REQUEST ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
15 |
REQUEST TEMPLATE ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
16 |
PLUGIN ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
17 |
ATTESTATION CONFIGURATION ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
18 |
ATTESTATION EVENT ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
19 |
ROLE ADMINISTRATORS |
Removed and replaced with ROLE ADMIN. |
|
20 |
USER NAME ADMINISTRATOR |
Removed and now depends on administration roles. |
|
21 |
IDENTITY ORGANIZATION ADMINISTRATORS |
Removed and replaced with ORGANIZATION ADMIN. |
|
22 |
IT RESOURCE ADMINISTRATORS |
Removed and replaced with APPLICATION INSTANCE ADMIN. |
|
23 |
REPORT ADMINISTRATORS |
No link to reports from Oracle Identity Manager. |
|
24 |
SPML_APP_ROLE |
There is no change in this enterprise role and a corresponding role with the privileges is seeded in Oracle Entitlements Server. |
|
25 |
ALL USERS |
This is an enterprise role, not an administrator role. |
|
26 |
SYSTEM CONFIGURATORS |
All privileges as System Administrator role, except for the ability to manage Users, Roles, Organizations and Provisioning remains unchanged. |
|
27 |
SYSTEM ADMINISTRATORS |
Remains unchanged. |
To verify your Oracle Identity Manager upgrade, perform the following steps:
Use the following URL in a web browser to verify that Oracle Identity Manager 11.1.2 is running:
http://<oim.example.com>:<oim_port>/sysadmin
http://oim.example.com:14000/identity
where
<oim.example.com> is the path of the administration console.
<oim_port> is the port number.
Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.
Install the Diagnostic Dashboard and run the following tests:
Oracle Database Connectivity Check
Account Lock Status
Data Encryption Key Verification
JMS Messaging Verification
SOA-Oracle Identity Manager Configuration Check
SPML Web Service
Test OWSM setup
Test SPML to Oracle Identity Manager request invocation
SPML attributes to Oracle Identity Manager attributes
Username Test
For troubleshooting information, see Table 6-18:
Table 6-18 Oracle Identity Manager Troubleshooting - Problems and Solutions
| Problem | Solution |
|---|---|
|
Patch Set Assistant fails. |
Check logs located at: On UNIX:
On Windows:
Fix the problem, and run Patch Set Assistant again. |
|
Middle Tier upgrade fails |
Check logs located at: On UNIX:
On Windows:
|
|
All feature not upgrade in Middle Tier upgrade. |
Check the Upgrade Report located at: On UNIX:
On Windows:
|
|
Oracle Identity Manager upgrade control points. |
Set the property value to On UNIX:
On Windows:
For more information, see Section 6.6.1, "Oracle Identity Manager Upgrade Control Points". |
|
MDS patching issues. |
Check the MDS Patching Report located at: On UNIX:
On Windows:
|
|
Some MDS documents not merged correctly. |
Merge manually from the following locations: On UNIX:
On Windows:
|
|
JDBC errors: ORA-01882: timezone region not found |
Add an additional environment variable, TZ, which is the time zone name, like GMT for example. The environment variable has to be set with older database or else you get an error. For more information, see My Oracle Support document ID 1460281.1. |
Oracle Identity Manager Upgrade has provided some control points in the oimupgrade.properties. On UNIX, it is located in the <OIM_ORACLE_HOME>/server/bin/directory, on Windows, it is located in the <OIM_ORACLE_HOME>\server\bin\ directory.
You can selectively disable the feature upgrade by setting the property as false.
If any feature fails, you can continue with the upgrade by disabling the failed feature by setting the corresponding feature upgrade property as false.
As and when the solution is available for the failed feature, enable the feature for upgrade by setting the property to true.
By default, all the properties are set as true.
Set the following property to false if you do not want to run Oracle Identity Manager configuration upgrade:
oim.ps1.config.patch=true
Set the following property to false if you do not want to run SOA composite upgrade:
oim.ps1.soacomposite.patch=true
Set the following property to false if you do not want to run Patch JNDI provider:
oim.domainextension.jndiprovider.patch=true
Set the following property to false if you do not want to run Patch ClassPath:
oim.domainextension.classpath.patch=true
Set the following property to false if you do not want to run Patch OPSS:
oim.domainextension.opss.patch=true
Set the following property to false if you do not want to run Patch ears:
oim.domainextension.ear.patch=true
Set the following property to false if you do not want to run Patch JRF:
oim.domainextension.jrf.patch=true