14 Upgrading Oracle Identity Manager 9.1.x.x Environments

This chapter describes how to upgrade Oracle Identity Manager 9.1.x.x to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on Oracle WebLogic Server.

This chapter includes the following sections:

14.1 Upgrade Roadmap for Oracle Identity Manager

The procedure for upgrading Oracle Identity Manager 9.1.x.x to 11.1.2.2.0 involves the following high-level steps:

  1. Pre-Upgrade Steps: This step involves the necessary pre-upgrade tasks like reviewing system requirements and certification, generating the pre-upgrade report, analyzing the report and performing the necessary pre-upgrade tasks described in the report, and backing up the existing 9.1.x.x environment.

  2. Installing New Oracle Home and Upgrading Database Schemas: This step involves tasks like installing Oracle WebLogic Server, installing Oracle SOA Suite, installing Oracle Identity Manager binaries, upgrading Oracle Platform Security Services, upgrading JRF, upgrading Oracle Identity Manager and Oracle Platform Security Services schemas, creating the Oracle Identity Manager 11.1.2.2.0 domain, and configuring the database security store.

  3. Configuring Other Oracle Identity Manager Installed Components: This step involves configuring Oracle Identity Manager Server.

  4. Upgrading the Oracle Identity Manager Middle Tier: This step involves tasks like upgrading Oracle Identity Manager middle tier.

  5. Post-Upgrade Steps: This step involves any post-upgrade tasks like configuring Oracle Identity Manager Design Console, Oracle Identity Manager Remote Manager, and any other mandatory post-upgrade manual steps. This also involves steps to verify the upgrade.

Table 14-1 lists the tasks to be completed to upgrade Oracle Identity Manager 9.1.x.x to 11.1.2.2.0.

Table 14-1 Roadmap for Upgrading Oracle Identity Manager 9.1.x.x to 11.1.2.2.0

| Sl No | Task | For More Information |
|---|---|---|
| | Pre-Upgrade Steps | |
| 1 | Review the changes in the features of Oracle Identity Manager 11.1.2.2.0. | See, Feature Comparison |
| 2 | Review system requirements and certifications. | See, Reviewing System Requirements and Certification |
| 3 | Back up the Database used by your existing Oracle Identity Manager. | See, Backing Up Database Used by Oracle Identity Manager 9.1.x.x |
| 4 | Generate the pre-upgrade report, analyze the information provided in the report, and perform the necessary tasks described in the report before you proceed with the upgrade process. | See, Generating and Analyzing the Pre-Upgrade Report |
| 5 | Upgrade the OSI data by running the OSI data upgrade utility. If you have already performed this task as part of Generating and Analyzing the Pre-Upgrade Report, skip this section. | See, Upgrading the OSI Data |
| 6 | Ensure that xlconfig.xml has the correct values for the parameters DirectDb and MultiCastAddress. | See, Validating xlconfig.xml File |
| 7 | In Oracle Identity Manager 9.1.x.x, if you do not have at least one reconciliation field of type ITResource, then you must create one for all account type profiles. | See, Creating Reconciliation Field of Type IT Resource |
| | Installing New Oracle Home and Upgrading Database Schemas | |
| 8 | Create the necessary schemas required for the upgrade, using Repository Creation Utility. | See, Creating the Necessary Schemas |
| 9 | Install Oracle WebLogic Server 10.3.6. | See, Installing Oracle WebLogic Server 10.3.6 |
| 10 | Install Oracle SOA Suite 11.1.1.7.0 which is used by Oracle Identity Manager 11.1.2.2.0. After you install SOA 11.1.1.7.0, you must apply mandatory SOA patches required for Oracle Identity Manager 11.1.2.2.0. | See, Installing Oracle SOA Suite 11.1.1.7.0 and Applying Mandatory SOA Patches |
| 11 | Install Oracle Identity Manager 11.1.2.2.0 using the Oracle Identity and Access Management 11.1.2.2.0 installer. | See, Installing Oracle Identity Manager 11.1.2.2.0 |
| 12 | Upgrade Oracle Identity Manager schema using Upgrade Assistant. | See, Upgrading Oracle Identity Manager Schema |
| 13 | Upgrade Oracle Platform Security Services schema using Patch Set Assistant. | See, Upgrading Oracle Platform Security Services Schema |
| 14 | Create a domain for Oracle Identity Manager 11.1.2.2.0 using the configuration wizard. | See, Creating a Domain for Oracle Identity Manager 11.1.2.2.0 |
| 15 | Configure the Database security store. | See, Configuring Database Security Store |
| 16 | Start the WebLogic Administration Server and the SOA Managed Server(s). | See, Starting Administration Server and SOA Managed Server(s) |
| | Configuring Other Oracle Identity Manager Installed Components | |
| 17 | Configure the Oracle Identity Manager Server 11.1.2.2.0. | See, Configuring Oracle Identity Manager Server 11.1.2.2.0 |
| 18 | Restart the WebLogic Administration Server and the SOA Managed Server(s). | See, Restarting the Administration Server and SOA Managed Server |
| | Upgrading the Oracle Identity Manager Middle Tier | |
| 19 | Start the Oracle Identity Manager Managed Server(s). | See, Starting and Stopping Oracle Identity Manager Managed Server(s) |
| 20 | Upgrade the Oracle Identity Manager middle tier. | See, Upgrading the Oracle Identity Manager Middle Tier |
| 21 | Restart the WebLogic Administration Server, SOA Managed Server(s), and the Oracle Identity Manager Managed Server(s). | See, Restarting all the Servers |
| | Post-Upgrade Steps | |
| 22 | Configure the Oracle Identity Manager Design Console 11.1.2.2.0. | See, Optional: Configuring the Oracle Identity Manager Design Console 11.1.2.2.0 |
| 23 | Configure the Oracle Identity Manager Remote Manager 11.1.2.2.0. | See, Optional: Configuring the Oracle Identity Manager Remote Manager 11.1.2.2.0 |
| 24 | Perform all the necessary post-upgrade tasks. | See, Performing Post-Upgrade Tasks |
| 25 | Verify the Oracle Identity Manager 9.1.x.x upgrade. | See, Verifying the Upgrade |


14.2 Pre-Upgrade Steps

This section describes all the pre-upgrade steps that you must complete before you start upgrading the Oracle Identity Manager 9.1.x.x environment. This section includes the following topics:

14.2.1 Feature Comparison

Table 14-2 lists key differences in functionality between Oracle Identity Manager 9.1.x.x and Oracle Identity Manager 11.1.2.2.0.

Table 14-2 Features Comparison

Oracle Identity Manager 9.1.x.x Oracle Identity Manager 11.1.2.2.0

Oracle Identity Manager 9.1.x.x provides Identity Attestation to periodically review a user's access. For advanced access review capabilities such as role or data owner certification, OIM 9.1.x.x had to be integrated with Oracle Identity Analytics (OIA) to leverage the advanced access review capabilities that OIA provided.

In Oracle Identity Manager 11.1.2.2.0, the advanced access review capabilities of OIA are converged into OIM to provide a complete identity governance platform that enables an enterprise to do enterprise grade access request, provisioning, and access review from a single product.

After upgrading to Oracle Identity Manager 11.1.2.2.0, you can use the new access review capabilities. This feature is disabled by default. You must ensure that you have relevant licenses before enabling this new feature.

In Oracle Identity Manager 9.1.x.x, users are assigned to organizations by specifying an organization name in the Organization attribute of the user details. This is a static organization membership. A user can only be a member of one organization.

In Oracle Identity Manager 11.1.2.2.0, in addition to the existing feature, you can dynamically assign users to organizations based on user-membership rules, which you can define in the Members tab of the organization details page.

All users who satisfy the user-membership rule are dynamically associated with the organization, irrespective of the organization hierarchy the users statically belong to. With this new capability, a user can gain membership of one home organization via static membership and multiple secondary organizations via user-membership rules that are dynamically evaluated.

After the upgrade, organizations can adopt this new capability by defining membership rules for each organization.

Oracle Identity Manager 9.1.x.x provides basic self-service capabilities such as password reset and account request.

Oracle Identity Manager 11.1.2.2.0 provides a new user interface with a shopping cart type request model through which end users can search and browse through the catalog and directly request any item like roles, entitlements, or applications without having to navigate through a series of menus.

In addition to this, additional business friendly metadata such as description, audit objective, tags, owner, approver, and technical glossary can be associated to each access item to display business friendly and rich contextual information to a business user at the time of self service access request and access review.

An end user's access to requestable entities is controlled by a combination of user-to-organization publishing and entity-to-organization publishing.

After the upgrade, administrators need to run the catalog synchronization job to populate the catalog with requestable entities and entity metadata.

After the upgrade, administrators need to define entity-to-organization publishing to control what an end user can request.

In Oracle Identity Manager 9.1.x.x, Resource and IT resource names tend to be chosen so that they are easy for IT users to manage. The problem with this approach is that if a business user has to request access, the resource name will not make sense to him/her. These incomprehensible Resource and IT resource names make the access request process non-intuitive.

Oracle Identity Manager 11.1.2.2.0 provides an abstraction entity called Application Instance. It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism). Administrators can assign business friendly names to Application Instances and map them to corresponding IT resources and Resource Objects. End users who request accounts through the catalog search for an account by providing the business friendly Application Instance name.

Application Instances are automatically created as part of the upgrade procedure. Administrators are expected to define organization publishing for these Application Instances to control who can request access to the application.

Any changes in the display names of request-able entities should be added to the end user training program.

Oracle Identity Manager 9.1.x.x security model gives an organization the ability to grant and manage delegated administration of entities, such as users, organizations, and roles.

Delegation is managed via Administrative Groups and permission granted to those administrative groups.

Oracle Identity Manager 11.1.2.2.0 leverages Oracle Entitlement Server for authorization policy enforcement and administration. This is the standards based platform for authorization policy enforcement and administration across all IDM components. An end user's authorization to business functions is scoped based on admin roles that have been granted to him/her within the scope of an organization.

Post upgrade to Oracle Identity Manager 11.1.2.2.0 an administrator will have to assign admin roles to an end user to enable delegated administration; they will have to assign these admin roles within the scope of an organization.

Administration of Authorization Policies is done via the Authorization Policy Manager which is the de facto tool for lifecycle management of Authorization policies.

Post upgrade, authorization policy definition and administration needs to be done from the Authorization Policy Manager.

In Oracle Identity Manager 9.1.x.x, access policy evaluation is done instantly for each user when the user is updated.

In Oracle Identity Manager 11.1.2.2.0, access policy evaluation is done when the Evaluate User Policies scheduled job is run. This gives you the flexibility to control when heavy operations such as access policy evaluation and provisioning are triggered.

After upgrading to Oracle Identity Manager 11.1.2.2.0, you must schedule this job to run at predefined intervals based on your business requirements.

The Oracle Identity Manager 9.1.x.x User Interface is built on the struts framework. It provides basic self-service interfaces.

Oracle Identity Manager 11.1.2.2.0 provides a rich and business friendly UI that is built on Oracle ADF and Web Composer technology.

Any customization added to the 9.1.x.x UI needs to be reapplied on the 11.1.2.2.0 UI post upgrade. Refer to the Customizing the Interface section in the Developers Guide for an overview of UI customization in Oracle Identity Manager 11.1.2.2.0.

Oracle Identity Manager 9.1.x.x access policies provide the option to revoke or do nothing to an account when a user loses membership of a role that provisioned the user's account via the access policy.

Oracle Identity Manager 11.1.2.2.0 access policies provide the option to revoke or disable an account when a user loses membership of a role that provisioned the user's account via the access policy.

When you upgrade to Oracle Identity Manager 11.1.2.2.0, policies which had the Revoke if no longer applies option deselected will be converted to Disable if no longer applies. Users associated with these policies will not be updated, but any future updates to the policy will result in the user being marked with a Disable if no longer applies flag.

Access policies have also been significantly enhanced to support improved automated provisioning of multiple accounts in the same instance of target application to the same user, as well as automated provisioning of multiple accounts in different instances of the same target application. This added capability reduces the need for cloning of objects and improves performance.

Oracle Identity Manager 9.1.x.x requires administrators to define approval processes from the design console and one approval process must be configured per managed Application or Resource object.

Oracle Identity Manager 11.1.2.2.0 uses SOA composite for Approval orchestration and notifications.

The benefit of this model is that administrators can define a single approval workflow (SOA Composite) and use it for multiple Applications. SOA infrastructure also provides a robust monitoring, diagnostics and management platform that can be immediately leveraged post upgrade.

Post upgrade, you must transform 9.1.x.x approval processes to SOA composites and configure notification within these composites.

In Oracle Identity Manager 9.1.x.x, Entity Adapters and Event handlers are used to customize operations on entities like User and Role. They are frequently used to populate attributes for entities like User and Role at various lifecycle events like pre-update, pre-delete, pre-insert, post-insert, post-update, or post-delete.

Oracle Identity Manager 11.1.2.2.0 uses the plug-in framework to support customizations to operations on entities.

The Plug-in Framework allows customers to easily extend and customize the capabilities of the out-of-the-box Oracle Identity Manager features. The features expose specific plug-in points in the business logic where extensibility can be provided. An interface definition accompanies each such point and is called the plug-in interface. Customers can create code that extends these plug-in interfaces and defines customizations based on their business needs. These plug-ins are deployed and registered with Oracle Identity Manager by using the Plug-in Manager. Oracle Identity Manager then incorporates the plug-ins into the feature processing from that point onward.

Post upgrade, the organization needs to transform 9.1.x.x event handlers, entity adapters, and pre populate adapters into plug-ins.


14.2.2 Reviewing System Requirements and Certification

Before you start the upgrade process, you must read the system requirements and certification document to ensure that your system meets the minimum requirements for the products you are installing or upgrading to. For more information see Section 2.1, "Reviewing System Requirements and Certification".

14.2.3 Backing Up Database Used by Oracle Identity Manager 9.1.x.x

You must back up your existing Oracle Identity Manager 9.1.x.x environment before you upgrade to Oracle Identity Manager 11.1.2.2.0.

After stopping the servers, back up the following:

  • MW_HOME directory, including the Oracle Home directories inside Middleware Home

  • Domain Home directory

  • Oracle Identity Manager schemas

For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.

14.2.4 Generating and Analyzing the Pre-Upgrade Report

You must run the PreUpgradeReport utility before you begin the upgrade process, and address all the issues listed in the report by applying the solutions that the report provides. The PreUpgradeReport utility analyzes your existing Oracle Identity Manager 9.1.x.x environment, and provides information about the mandatory prerequisites that you must complete before you upgrade the existing Oracle Identity Manager environment.

The information in the pre-upgrade report is related to the pending audit tasks, cyclic dependencies in LDAP that need to be removed, tasks related to offline provisioning, status of the mandatory database components and settings, status of OSI data upgrade, potential application instance creation issues, pending reconciliation events, and pending requests.

Note:

Run this report until no pending issues are listed in the report.

It is important to address all the issues listed in the pre-upgrade report, before you can proceed with the upgrade, as upgrade might fail if the issues are not fixed.

To generate and analyze the pre-upgrade report, complete the tasks described in the following sections:

14.2.4.1 Obtaining Pre-Upgrade Report Utility

You must download the pre-upgrade utility from Oracle Technology Network (OTN). The utility is available in two zip files named PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, along with ReadMe.doc at the following location on My Oracle Support:

My Oracle Support document ID 1599043.1

The ReadMe.doc contains information about how to generate and analyze the pre-upgrade reports.

14.2.4.2 Generating the Pre-Upgrade Report

To generate the pre-upgrade report for Oracle Identity Manager 9.1.x.x upgrade, do the following:

  1. Create a directory at any location and extract the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002 in the newly created directory.

  2. Create a directory where pre-upgrade reports need to be generated. For example, name the directory OIM_preupgrade_reports.

  3. Go to the directory where you extracted PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, and open the preupgrade_report_input.properties file in a text editor. Update the properties file by specifying the appropriate values for the parameters listed in Table 14-3:

    Table 14-3 Parameters to be Specified in the preupgrade_report_input.properties File

    | Parameter | Description |
    |---|---|
    | oim.targetVersion | Specify 11.1.2.2.0 for this parameter, as 11.1.2.2.0 is the target version for which the pre-upgrade utility needs to be run. |
    | oim.jdbcurl | Specify the JDBC URL for Oracle Identity Manager in the following format: <host>:<port>/<service_name> |
    | oim.oimschemaowner | Specify the name of the OIM schema owner. |
    | oim.databaseadminname | Specify the user with DBA privilege. For example, sys as sysdba. |
    | oim.outputreportfolder | Specify the absolute path to the directory that you created in step 2 (directory with name OIM_preupgrade_reports), where the pre-upgrade reports need to be generated. Make sure that the output report folder has read and write permissions. |
    | oim.domain | Specify the absolute path to the Oracle Identity Manager domain home. For example: /Middleware/user_projects/domains/base_domain |


  4. Set the environment variable JAVA_HOME by running the following command:

    On UNIX:

    export JAVA_HOME=<absolute_path_to_jdk_location>

    On Windows:

    set JAVA_HOME="<absolute_path_to_jdk_location>"

  5. Run the following command from the location where you extracted the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002:

    • On UNIX:

      sh generatePreUpgradeReport.sh

    • On Windows:

      generatePreUpgradeReport.bat

  6. Provide the following details when prompted:

    • OIM Schema Password

      You must enter the password of the OIM schema.

    • DBA Password

      You must enter the password of the Database Administrator.

  7. The pre-upgrade report utility generates the reports as HTML pages at the location you specified for the parameter oim.outputreportfolder in the preupgrade_report_input.properties file. The logs are stored in the log file preUpgradeReport<time>.log in the folder logs at the same location.

    The following are the reports generated by the pre-upgrade report utility:

    • index.html

    • AUDITPreUpgradeReport.html

    • CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html

    • JMSPreUpgradeReport.html

    • ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html

    • OSIPreUpgradeReport.html

    • PasswordPolicyPreUpgradeReport.html

    • PROVISIONINGPreUpgradeReport.html

    • RECONPreUpgradeReport.html

    • REQUESTPreUpgradeReport.html
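An added example, not part of the Oracle utility or of this guide: a Python preflight check for preupgrade_report_input.properties that tests the six parameters from Table 14-3 against the formats described above before the report script is run. The sample values (db.example.com, oimdb, DEV_OIM, the oim.dbapassword key), the simplified key=value parsing, and the rule that no password key belongs in the file (the utility prompts for both passwords in step 6) are assumptions of this example.

```python
import os
import re
import tempfile

# Parameters listed in Table 14-3.
REQUIRED = (
    "oim.targetVersion", "oim.jdbcurl", "oim.oimschemaowner",
    "oim.databaseadminname", "oim.outputreportfolder", "oim.domain",
)
# <host>:<port>/<service_name>, without any "jdbc:oracle:thin:@" prefix.
JDBC_RE = re.compile(r"^[A-Za-z0-9._-]+:(\d{1,5})/[A-Za-z0-9._$#-]+$")

# Constructed sample input; {out} is filled with a real directory at run time.
GOOD_TEMPLATE = """\
# constructed example input
oim.targetVersion=11.1.2.2.0
oim.jdbcurl=db.example.com:1521/oimdb
oim.oimschemaowner=DEV_OIM
oim.databaseadminname=sys as sysdba
oim.outputreportfolder={out}
oim.domain=/Middleware/user_projects/domains/base_domain
"""
# Constructed input with typical mistakes; oim.dbapassword is a hypothetical key.
BAD_SAMPLE = """\
oim.targetVersion=11.1.2.1.0
oim.jdbcurl=jdbc:oracle:thin:@db.example.com:1521/oimdb
oim.oimschemaowner=DEV_OIM
oim.outputreportfolder=OIM_preupgrade_reports
oim.domain=/Middleware/user_projects/domains/base_domain
oim.dbapassword=changeme
"""


def parse_properties(text):
    """Simplified .properties parser: key=value lines, # or ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return a list of 'key: problem' strings; an empty list means ready."""
    problems = [f"{k}: missing or empty" for k in REQUIRED if not props.get(k)]

    version = props.get("oim.targetVersion")
    if version and version != "11.1.2.2.0":
        problems.append("oim.targetVersion: must be 11.1.2.2.0")

    url = props.get("oim.jdbcurl")
    if url:
        match = JDBC_RE.match(url)
        if not match or not 0 < int(match.group(1)) < 65536:
            problems.append("oim.jdbcurl: expected <host>:<port>/<service_name>")

    for key in ("oim.outputreportfolder", "oim.domain"):
        path = props.get(key)
        if path and not os.path.isabs(path):
            problems.append(f"{key}: must be an absolute path")

    out = props.get("oim.outputreportfolder")
    if out and os.path.isabs(out):
        if not os.path.isdir(out):
            problems.append("oim.outputreportfolder: directory does not exist")
        elif not os.access(out, os.R_OK | os.W_OK):
            problems.append("oim.outputreportfolder: needs read and write access")

    # Assumption of this example: the passwords are typed at the prompt,
    # so any password-like key in the file is a stored credential.
    for key in props:
        if "password" in key.lower() or "passwd" in key.lower():
            problems.append(f"{key}: passwords are prompted for, do not store them")
    return problems


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="OIM_preupgrade_reports_")
    for label, text in (("good", GOOD_TEMPLATE.format(out=out_dir)),
                        ("bad", BAD_SAMPLE)):
        issues = check_properties(parse_properties(text))
        print(label, "->", issues or "ready to run generatePreUpgradeReport")
```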

14.2.4.3 Analyzing the Pre-Upgrade Report

After you generate the pre-upgrade reports, you must review each of the reports, and perform all the tasks described in them. If you do not perform the mandatory tasks described in the report before you upgrade, the upgrade might fail.

Table 14-4 lists all the pre-upgrade reports, describes what information each report contains, and provides links to the detailed description of each report.

Table 14-4 Description of Pre-Upgrade Reports

| HTML Report Name | Description | For Detailed Description |
|---|---|---|
| index.html | This report provides links to all the other reports generated by the pre-upgrade report utility. It also states that you must run the pre-upgrade report utility till no pending issues are listed in this report. | See, Description of index.html Report |
| AUDITPreUpgradeReport.html | This report lists the pending audit tasks that you need to perform before you start the upgrade process. | See, Description of AUDITPreUpgradeReport.html Report |
| CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html | This report detects and displays the list of cyclic groups in LDAP. Cyclic groups in the LDAP directory are not supported in 11.1.2.2.0. Therefore, you must remove the cyclic dependency from Oracle Identity Manager 9.1.x.x setup and reconcile data from LDAP to Oracle Identity Manager Database. The procedure for doing this is described in the report. | See, Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report |
| JMSPreUpgradeReport.html | This report lists the pending tasks related to offline provisioning. | See, Description of JMSPreUpgradeReport.html Report |
| ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html | This report provides the status of the mandatory database components or settings for Oracle Identity Manager upgrade. Verify the installation or setup status for each mandatory component or setting. If any component or setting is not set up correctly, follow the recommendations provided in the report to fix it. | See, Description of ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html Report |
| OSIPreUpgradeReport.html | This report gives the status of the OSI data upgrade. If the report states that the OSI data upgrade is not applied, then upgrade OSI data as described in Section 14.2.5, "Upgrading the OSI Data". | See, Description of OSIPreUpgradeReport.html Report |
| PasswordPolicyPreUpgradeReport.html | This report lists the potential upgrade issues for password policies. If you are relying on the 9.1.x.x password policy model, you must update to the new password policies, as the 9.1.x.x password policy model is not supported in 11.1.2.2.0. Review the report and assign the password policies listed in the report to appropriate organization(s). | See, Description of PasswordPolicyPreUpgradeReport.html Report |
| PROVISIONINGPreUpgradeReport.html | This report lists the potential application instance creation issues. It provides information about the following: Provisioning Configuration; Entitlement Configuration; Access Policy Configuration; List of Resource Objects without Process Form; List of Resource Objects without ITResource field Type in Process Form; List of Resource Objects with multiple ITResource Lookup fields in Process Form; List of Access Policies without ITResource value set in default policy data; List of Access Policies with Revoke If No Longer Applies flag unchecked; List of Entitlements stored in Lookup definitions that do not have IT Resource Key in the lookup encode value. Review all the sections in the report and perform necessary tasks. | See, Description of PROVISIONINGPreUpgradeReport.html Report |
| RECONPreUpgradeReport.html | This report lists all the pending reconciliation events. Review the information provided in the report. | See, Description of RECONPreUpgradeReport.html Report |
| REQUESTPreUpgradeReport.html | This report lists all the pending requests. Review the information provided in the report. | See, Description of REQUESTPreUpgradeReport.html Report |
| ORACLE_ONLINE_PURGE_PreUpgradeReport.html | This report lists the prerequisites for Online Purge that need to be addressed before you proceed with the upgrade. This report is not generated if there is no action item related to purge. | See, Description of ORACLE_ONLINE_PURGE_PreUpgradeReport.html Report |


14.2.4.3.1 Description of index.html Report

The index.html report is the index page that contains links to the other reports.

Table 14-5 lists the reports displayed in index.html and their corresponding HTML report names.

Table 14-5 Reports Listed in index.html and Their Corresponding HTML Report Names

| Report Name in index.html | Corresponding HTML Report |
|---|---|
| Installation Status of Mandatory Database Components | ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html |
| Pending Audit Tasks | AUDITPreUpgradeReport.html |
| Pending Recon Events | RECONPreUpgradeReport.html |
| Pending Approval Tasks | REQUESTPreUpgradeReport.html |
| Pending Offline Provisioning Tasks | JMSPreUpgradeReport.html |
| OSI Data Upgrade Utility Status | OSIPreUpgradeReport.html |
| List of invalid Password Policies | PasswordPolicyPreUpgradeReport.html |
| List of cyclic groups in LDAP directory | CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html |
| List of potential app instance creation issues | PROVISIONINGPreUpgradeReport.html |


14.2.4.3.2 Description of AUDITPreUpgradeReport.html Report

The report AUDITPreUpgradeReport.html lists all the pending audit tasks.

14.2.4.3.3 Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report

The report CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html provides information about the cyclic groups in the LDAP directory.

Oracle Identity Manager 11.1.2.2.0 does not support cyclic groups in the LDAP directory. Therefore, you must remove the cyclic dependency from Oracle Identity Manager 9.1.x.x setup and reconcile data from LDAP to Oracle Identity Manager Database, before you proceed with the upgrade.

For more information about removing the cyclic groups dependent on LDAP, see Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database. The procedure for removing cyclic groups is also described in this report.

Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database

If the LDAP in your Oracle Identity Manager 9.1.x.x environment has cyclic groups loaded, you must remove the cyclic groups by doing the following:

  1. Use JXplorer or Softerra LDAP Administrator and navigate to the cyclic groups.

  2. Locate the uniquemember attribute.

  3. Remove all values from the attribute.

  4. Save the group.

  5. Reconcile the data from LDAP to Oracle Identity Manager Database by running the following command:

    On UNIX: LDAPConfigPostSetup.sh

    On Windows: LDAPConfigPostSetup.bat

Example Scenario

If you have cyclic group dependency between two groups: Group1 and Group2, do the following to remove cyclic dependency:

  1. Connect to LDAP using JXplorer or Softerra LDAP Administrator.

  2. Go to the group container of Group1.

  3. Go to the uniquemember attribute under Group1.

  4. Remove the value of Group2 from the unique members, and save the change.

  5. Run LDAPConfigPostSetup.sh (on UNIX) or LDAPConfigPostSetup.bat (on Windows) to reconcile data from LDAP to Oracle Identity Manager database.
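An added example, not part of the report utility or of this guide: a Python check that finds cyclic group membership in an LDIF export of the group container, so the uniquemember values to remove are known before opening the LDAP browser and can be confirmed gone afterwards. The sample LDIF, the dc=example,dc=com DNs, and the simplified DN normalization (case folding and whitespace trimming only) are assumptions of this example; it also covers cycles longer than the two-group case in the scenario above.

```python
import base64

# Constructed sample export: Group1 and Group2 contain each other, Group3 holds
# only a user, Group4 contains Group1 but is not part of any cycle.
SAMPLE_LDIF = """\
version: 1

dn: cn=Group1,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Group1
uniquemember: cn=Group2,cn=Groups,dc=example,dc=com
uniquemember: cn=alice,cn=Users,dc=example,dc=com

dn: cn=Group2,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Group2
uniqueMember: CN=Group1,CN=Groups,
 DC=example,DC=com

dn: cn=Group3,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Group3
uniquemember: cn=bob,cn=Users,dc=example,dc=com

dn: cn=Group4,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: Group4
uniquemember: cn=Group1,cn=Groups, dc=example,dc=com
"""


def normalize_dn(dn):
    """Simplified DN comparison key: trim each RDN and fold case."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_ldif(text):
    """Return {normalized dn: {lowercased attribute: [values]}}."""
    lines = []
    for raw in text.splitlines():
        # A line starting with one space continues the previous line.
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None          # blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):   # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def build_group_graph(entries):
    """Edge A -> B when exported entry B is listed in A's uniquemember."""
    graph = {}
    for dn, attrs in entries.items():
        members = {normalize_dn(m) for m in attrs.get("uniquemember", [])}
        graph[dn] = sorted(m for m in members if m in entries)
    return graph


def find_cycles(graph):
    """Depth-first search; each back edge yields one membership cycle.

    Reports at least one cycle per cyclic set of groups, not every possible
    cycle, so re-run on a fresh export after each fix until the list is empty.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}
    cycles = set()

    def visit(node, path):
        colour[node] = GREY
        path.append(node)
        for nxt in graph[node]:
            if colour[nxt] == GREY:
                cyc = path[path.index(nxt):]
                k = cyc.index(min(cyc))     # rotate to a canonical start
                cycles.add(tuple(cyc[k:] + cyc[:k]))
            elif colour[nxt] == WHITE:
                visit(nxt, path)
        path.pop()
        colour[node] = BLACK

    for node in sorted(graph):
        if colour[node] == WHITE:
            visit(node, [])
    return sorted(cycles)


if __name__ == "__main__":
    for cycle in find_cycles(build_group_graph(parse_ldif(SAMPLE_LDIF))):
        print("cyclic membership:", " -> ".join(cycle + cycle[:1]))
```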

14.2.4.3.4 Description of JMSPreUpgradeReport.html Report

The report JMSPreUpgradeReport.html lists all the pending offline provisioning tasks. The report contains a table with the package name, task status key, offline flag, request key, and object key. You must review the information provided in this report.

14.2.4.3.5 Description of ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html Report

The report ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html lists all the mandatory database components or settings for Oracle Identity Manager 9.1.x.x upgrade. This report contains a table which lists each component or setting, its installation or setup status, and recommendations if any. You must review the installation or setup status for each mandatory component or setting listed in the table. If a component or setting is not set up correctly, follow the recommendations specified in the Note column of the table in the report to fix it.

14.2.4.3.6 Description of OSIPreUpgradeReport.html Report

The report OSIPreUpgradeReport.html provides the status of the OSI data upgrade. If the report states that the OSI data upgrade utility is not applied yet, you must run the OSI data upgrade utility to upgrade OSI data as described in Section 14.2.5, "Upgrading the OSI Data".

If the report states that the OSI data upgrade utility is already applied, no action is required.

14.2.4.3.7 Description of PasswordPolicyPreUpgradeReport.html Report

The report PasswordPolicyPreUpgradeReport.html lists the potential upgrade issues for password policies. If you are using 9.1.x.x password policy model, you must update them to new password policies. The 9.1.x.x password policy model is no longer supported for Users, and any such customizations done are not migrated to the new password policy model. A default password policy is seeded at TOP organization that needs to be revisited.

This report contains a table that lists the password policies that are attached to the Xellerate User resource object according to the 9.1.x.x password policy model. You must assign those password policies to appropriate organization(s).

14.2.4.3.8 Description of PROVISIONINGPreUpgradeReport.html Report

The report PROVISIONINGPreUpgradeReport.html lists the potential application instance creation issues. The report contains the following sections:

Provisioning, Entitlement, and Access Policy Configuration Details

This section describes the steps you must complete before you upgrade Oracle Identity Manager 9.1.x.x to 11.1.2.2.0. These steps are related to provisioning, entitlement, and access policy configuration. Complete all the steps described in this section of the report.

List of Resource Objects without Process Form

This section provides information about the resource objects in Oracle Identity Manager 9.1.x.x that do not have a process form. Each resource object must have a process form associated with it. Therefore, if a resource object is not associated with a process form, you must associate the resource object with a process form before you start the upgrade process. Review the table in this section of the report, which lists the details of the resource objects without a process form.

List of Resource Objects without ITResource field Type in Process Form

This section provides information about the resource objects without ITResource field type in their respective process forms. Review the table in this section of the report, which contains more details. If your Oracle Identity Manager 9.1.x.x has resource objects without ITResource field in their process forms, do the following:

  1. Create appropriate IT resource definition.

  2. Create IT resource instance for the same corresponding to the target that is being provisioned.

  3. Edit the process form and add a field of type "ITResource" to the process form. Set the following properties:

    Type=IT Resource definition created in step-1

    ITResource=true

  4. Activate the form.

  5. Update the IT resource field on existing provisioned accounts using FVC Utility.

  6. Once the above steps are completed, you can create application instances corresponding to the Resource Object+ITResource combination.

List of Resource Objects with multiple ITResource Lookup fields in Process Form

This section provides information about the resource objects that have multiple lookup fields in their process form. In the Oracle Identity Manager 9.1.x.x environment, if you have resource objects with multiple ITResource set in the process form, you must set the value of the property ITResource Type to true for at least one of the attributes.

List of Access Policies without ITResource value set in default policy data

This section lists the access policies for which the ITResource values of the resource objects should be set in the default policy data. The table in this section lists the access policies in Oracle Identity Manager 9.1.x.x for which the ITResource field is missing. You must set the value of the ITResource field for each access policy listed in the table.

List of Access Policies with Revoke If No Longer Applies flag unchecked

This section lists the access policies that have the Revoke If No Longer Applies (RNLA) flag unchecked. The table in this section contains the list of access policies that will be updated to Disable If No Longer Applies during upgrade. The table also indicates if tasks for enable, disable, revoke actions are not defined for these policies. You must add the missing tasks before you proceed with the upgrade. Also, if you want the behavior of the policy to change to RNLA checked, you must check the RNLA flag for the respective policy.

List of Entitlements stored in Lookup definitions that do not have IT Resource Key in the lookup encode value

This section lists entitlements stored in lookup definitions that do not have the IT Resource Key prepended to their encoded values using "~". Entitlements stored in lookup definitions need the IT Resource Key prepended to the encoded values using "~". Review the table in this section of the pre-upgrade report, which contains more details.
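The check this report section describes can be reproduced against exported lookup rows. The following is an added example, not Oracle's report or utility code; it assumes the IT Resource Key is the numeric key of the IT resource instance, and the lookup names, rows, and lookup-to-key map are constructed.

```python
from collections import namedtuple

Finding = namedtuple("Finding", "lookup encoded problem suggested")

# Constructed sample: (lookup definition name, encoded value) pairs as they
# might be exported from the lookup definitions that hold entitlements.
SAMPLE_ROWS = [
    ("Lookup.Example.Groups", "7~CN=Admins,DC=example,DC=com"),
    ("Lookup.Example.Groups", "CN=Users,DC=example,DC=com"),
    ("Lookup.Example.Roles", "HR~Manager"),
    ("Lookup.Example.Roles", "9~Clerk"),
    ("Lookup.Example.Unmapped", "Operator"),
]
# Constructed, operator-supplied map: lookup definition -> IT Resource Key.
SAMPLE_KEYS = {"Lookup.Example.Groups": 7, "Lookup.Example.Roles": 12}


def check_encoded_values(rows, itres_key_by_lookup):
    """Return a Finding for each encoded value that is not '<key>~<code>'.

    A corrected value is suggested only when the fix is unambiguous, that is,
    when the value has no '~' at all. Every other case needs manual review.
    """
    findings = []
    for lookup, encoded in rows:
        expected = itres_key_by_lookup.get(lookup)
        if expected is None:
            findings.append(Finding(lookup, encoded,
                                    "no IT Resource Key supplied for this lookup", None))
            continue
        if not encoded.strip():
            findings.append(Finding(lookup, encoded, "empty encoded value", None))
            continue
        prefix, tilde, code = encoded.partition("~")
        if not tilde:
            findings.append(Finding(lookup, encoded, "IT Resource Key not prepended",
                                    "%d~%s" % (expected, encoded)))
        elif not (prefix.isascii() and prefix.isdigit()):
            findings.append(Finding(lookup, encoded,
                                    "text before '~' is not a numeric key", None))
        elif not code:
            findings.append(Finding(lookup, encoded,
                                    "nothing follows the key prefix", None))
        elif int(prefix) != expected:
            findings.append(Finding(lookup, encoded,
                                    "prefixed with key %s, expected %d" % (prefix, expected),
                                    None))
    return findings


if __name__ == "__main__":
    for f in check_encoded_values(SAMPLE_ROWS, SAMPLE_KEYS):
        print("%-26s %-32r %s" % (f.lookup, f.encoded, f.problem))
        if f.suggested:
            print("    suggested encoded value: %r" % f.suggested)
```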

14.2.4.3.9 Description of RECONPreUpgradeReport.html Report

The report RECONPreUpgradeReport.html lists all the pending reconciliation events. The report contains a table that lists all the pending reconciliation events with their recon ID, recon date, recon status, and recon-by data. You must review the information provided in the table.

14.2.4.3.10 Description of REQUESTPreUpgradeReport.html Report

The report REQUESTPreUpgradeReport.html lists all the pending requests. The report contains a table that lists all the pending requests with their request ID, request date, request-by details, request status, and request data. You must review the information provided in the table.

14.2.4.3.11 Description of ORACLE_ONLINE_PURGE_PreUpgradeReport.html Report

Before you upgrade Oracle Identity Manager 9.1.x.x to 11.1.2.2.0, you must complete the pre-requisites for online purge.

The table in this report lists the database tables on which the mentioned pre-upgrade steps need to be performed before you upgrade. The table also shows the status of the database tables in OIM schema and Note section. Review the table, and perform the actions required.

14.2.5 Upgrading the OSI Data

This section describes how to upgrade OSI data.

Note:

If you have already performed this task as part of Section 14.2.4, "Generating and Analyzing the Pre-Upgrade Report", skip this section.

The format of values stored in the internal column osi_note, which contains transient values used in processes, is different in Oracle Identity Manager 11.1.2.2.0 when compared to Oracle Identity Manager 9.1.x.x. Because the formats are incompatible, you must clean the existing values using the OSI Data Upgrade utility before you proceed with the upgrade. The OSI Data Upgrade utility upgrades the OSI data.

Note:

OIM 9.1.0.x server is not expected to be running after you upgrade the OSI data.

Depending on the amount of data in OSI, the OSI data upgrade may take some time.

For information about obtaining the OSI Data Upgrade utility and running the utility to upgrade OSI data, see My Oracle Support Document ID 1303215.1.

14.2.6 Validating xlconfig.xml File

Before you start the upgrade process, ensure that the xlconfig.xml file at the location $9.1.x.x_HOME/xellerate/config/xlconfig.xml has the correct values for the parameters DirectDb and MultiCastAddress.
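One way to check both parameters before starting, as an added example that is not part of the Oracle documentation or tooling. The sample file's nesting and the child element name url are assumptions, the elements are located by the names given above regardless of case, and the expected host, port, and database name are supplied by the operator.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample; the nesting and the child element names are assumptions.
SAMPLE_XLCONFIG = """<xl-configuration>
  <DirectDB>
    <driver>oracle.jdbc.driver.OracleDriver</driver>
    <url>jdbc:oracle:thin:@oimdb.example.com:1521:oim91</url>
    <username>xladm</username>
  </DirectDB>
  <Cache>
    <MultiCastAddress>231.121.212.133</MultiCastAddress>
  </Cache>
</xl-configuration>"""

# Thin-driver URL in either "@host:port:SID" or "@//host:port/service" form.
THIN_URL = re.compile(r"^jdbc:oracle:thin:@(?://)?([^:/@]+):(\d+)[:/](\S+)$")


def _elements_named(root, name):
    """All elements whose tag equals name, ignoring case."""
    return [el for el in root.iter() if el.tag.lower() == name.lower()]


def check_xlconfig(xml_text, db_host, db_port, db_name):
    """Return a list of problems; an empty list means both parameters look right."""
    root = ET.fromstring(xml_text)
    problems = []

    direct = _elements_named(root, "DirectDb")
    if len(direct) != 1:
        problems.append("expected one DirectDb element, found %d" % len(direct))
    else:
        urls = [(el.text or "").strip() for el in _elements_named(direct[0], "url")]
        if len(urls) != 1 or not urls[0]:
            problems.append("DirectDb has no single non-empty url value")
        else:
            match = THIN_URL.match(urls[0])
            if match is None:
                problems.append("DirectDb url %r is not a plain thin URL; review it by hand"
                                % urls[0])
            else:
                host, port, name = match.group(1), int(match.group(2)), match.group(3)
                if (host.lower(), port, name.lower()) != (db_host.lower(), db_port,
                                                          db_name.lower()):
                    problems.append("DirectDb url points at %s:%d/%s, expected %s:%d/%s"
                                    % (host, port, name, db_host, db_port, db_name))

    addresses = [(el.text or "").strip() for el in _elements_named(root, "MultiCastAddress")]
    if not addresses:
        problems.append("no MultiCastAddress element found")
    for text in addresses:
        try:
            if not ipaddress.ip_address(text).is_multicast:
                problems.append("MultiCastAddress %s is not a multicast address" % text)
        except ValueError:
            problems.append("MultiCastAddress %r is not an IP address" % text)
    return problems


if __name__ == "__main__":
    result = check_xlconfig(SAMPLE_XLCONFIG, "oimdb.example.com", 1521, "oim91")
    print("\n".join(result) if result else "DirectDb and MultiCastAddress look consistent")
```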

14.2.7 Creating Reconciliation Field of Type IT Resource

All account reconciliation Field Mapping configurations must have at least one Reconciliation field of type IT Resource defined. This can be done by adding a mapping from the Oracle Identity Manager Design Console. To do this, complete the following steps:

  1. Create reconciliation field of type IT Resource by doing the following:

    1. Log in to the Oracle Identity Manager Design Console by running the following command from the location ORACLE_HOME/designconsole/:

      On UNIX: ./xlclient.sh

      On Windows: xlclient.cmd

    2. Expand Resource Management.

    3. Click Resource Objects.

    4. Search for and select the Resource Object that you wish to modify.

    5. Go to the Object Reconciliation tab.

    6. Click Add Field under Reconciliation Fields tab.

    7. Enter the Field Name, and select IT Resource as the Field Type.

    8. Click Save icon.

  2. Define mapping for the field ITResource by doing the following:

    1. On the Oracle Identity Manager Design Console, expand Process Management on the left navigation pane.

    2. Click Process Definition.

    3. Go to the Reconciliation Field Mapping tab in the Process Definition form.

    4. Search for the Resource Object.

    5. Define mapping for the field IT Resource.

    6. Save the form.

Note:

This step is required if you are using connector for account reconciliation or if you wish to use connector for account reconciliation after you upgrade to 11.1.2.2.0.

14.3 Installing New Oracle Home and Upgrading Database Schemas

This section describes the tasks to be completed to upgrade the existing Oracle home and Database schemas.

This section includes the following topics:

14.3.1 Creating the Necessary Schemas

Create the following schemas by using the Repository Creation Utility (RCU) 11.1.2.2.0:

  • MDS schema for Oracle Identity Manager

  • SOA schema

  • MDS schema for Oracle SOA Suite

  • OPSS schema

  • ORASDPM schema

For information about creating schemas using Repository Creation Utility, refer to the following sections in the Oracle Fusion Middleware Repository Creation Utility User's Guide:

14.3.2 Installing Oracle WebLogic Server 10.3.6

Oracle Identity and Access Management 11.1.2.2.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, you must install Oracle WebLogic Server 10.3.6.

To install Oracle WebLogic Server 10.3.6, do the following steps:

  1. Download the WebLogic 10.3.6 Installer from Oracle Technology Network.

    For more information, see "Downloading the Installer From Oracle Technology Network" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

  2. Run the installer in graphical mode.

    For more information, see "Starting the Installation Program in Graphical Mode" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.

14.3.3 Installing Oracle SOA Suite 11.1.1.7.0 and Applying Mandatory SOA Patches

Oracle Identity Manager 11.1.2.2.0 is certified with Oracle SOA Suite 11.1.1.7.0. Therefore, you must install Oracle SOA Suite 11.1.1.7.0.

For information about installing Oracle SOA Suite 11.1.1.7.0, see "Installing Oracle SOA Suite and Oracle Business Process Management Suite" in the Oracle Fusion Middleware Installation Guide for Oracle SOA Suite and Oracle Business Process Management Suite.

After you install SOA 11.1.1.7.0, you must apply mandatory SOA patches required for Oracle Identity Manager 11.1.2.2.0. For information about applying mandatory SOA patches, see "Mandatory Patches Required for Installing Oracle Identity Manager" in the Oracle Fusion Middleware Release Notes.

14.3.4 Installing Oracle Identity Manager 11.1.2.2.0

You must install Oracle Identity Manager 11.1.2.2.0 using the Oracle Identity and Access Management 11.1.2.2.0 installer.

For information about installing Oracle Identity Manager 11.1.2.2.0, see "Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

14.3.5 Upgrading Oracle Identity Manager Schema

You must upgrade the existing Oracle Identity Manager schema to 11.1.2.2.0 using the Upgrade Assistant. To do this, complete the following steps:

  1. Run the following command from the location MW_HOME/OIM_HOME/bin to launch the Upgrade Assistant:

    On UNIX: ./ua

    On Windows: ua.bat

  2. The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed.

    Click Next.

  3. The Specify Operation screen is displayed.

    Select Upgrade Oracle Identity Manager Schema.

    Click Next.

  4. The Prerequisite screen is displayed.

    Select the following check boxes:

    • Database Schema backup completed: Ensure that you have backed up your Oracle Identity Manager repositories on the database before upgrading. The Upgrade Assistant does not verify that the repositories have been backed up, so this option serves as a reminder.

    • Database version is certified by Oracle for Fusion Middleware upgrade: The Upgrade Assistant requires that the Oracle Data Integrator repositories reside on a supported database. For more information about the Database requirements, see Oracle Fusion Middleware System Requirements and Specifications.

    • OSI Data Upgrade Performed: Ensure that you have upgraded OSI data as described in Section 14.2.5, "Upgrading the OSI Data".

    Click Next.

  5. The Specify OIM Database screen is displayed.

    Specify the following details:

    • Host: Enter the name of the host where database is running.

    • Port: Enter the port number for the host running database. The default port number for Oracle databases is 1521.

    • Service Name: Specify the service name for the database. Typically, the service name is the same as the global database name.

    • OIM Schema: Specify the Oracle Identity Manager schema name.

    • SYS Password: Enter the password of the SYS user.

    Click Next.

  6. The Examining Components screen is displayed.

    Click Next.

  7. The Upgrade Summary screen is displayed.

    Click Upgrade.

  8. The Upgrade Progress screen is displayed. This screen provides the following information:

    • The status of the upgrade

    • Any errors or problems that occur during the upgrade

    Click Next.

  9. The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete. The Upgrade Assistant generates a log file at the location OIM_HOME/upgrade/logs/uaTimestamp.log. Check the log file for any errors or warnings.

    Click Close.

14.3.6 Upgrading Oracle Platform Security Services Schema

After you upgrade Oracle Identity Manager schema, you must upgrade the Oracle Platform Security Services schema using Patch Set Assistant. To do this, complete the following steps:

  1. Start the Patch Set Assistant from the location $ORACLE_HOME/bin using the following command:

    ./psa

  2. Select opss.

  3. Specify the Database connection details, and select the schema to be upgraded.

For more information about upgrading schemas using Patch Set Assistant, see Section 2.6, "Upgrading Schemas Using Patch Set Assistant".

After you upgrade Oracle Platform Security Services schema, verify the upgrade by checking the log file at the location MW_HOME/oracle_common/upgrade/logs/psa<timestamp>.log. The timestamp refers to the actual date and time when Patch Set Assistant was run. If the upgrade fails, check the log files to rectify the errors and run the Patch Set Assistant again.

Also follow the instructions described in Section 2.6.4, "Verifying Schema Upgrade" to verify the Oracle Platform Security Services schema upgrade.

14.3.7 Creating a Domain for Oracle Identity Manager 11.1.2.2.0

Create a WebLogic domain for Oracle Identity Manager 11.1.2.2.0 by running the configuration wizard from the Oracle Identity Manager 11.1.2.2.0 home.

For information about configuring Oracle Identity Manager 11.1.2.2.0, see "Creating a new WebLogic Domain for Oracle Identity Manager and SOA" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

14.3.8 Configuring Database Security Store

After you create a domain for Oracle Identity Manager 11.1.2.2.0, you must configure the database security store for the Oracle Identity Manager 11.1.2.2.0 domain.

For information about configuring database security store, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

14.3.9 Starting Administration Server and SOA Managed Server(s)

Note:

Do not start the Oracle Identity Manager Managed Server(s).

After you configure the database security store, start the WebLogic Administration Server and the SOA Managed Server(s).

For more information about starting the servers, see Section 2.9, "Starting the Servers".

14.4 Configuring Other Oracle Identity Manager Installed Components

This section describes how to configure other Oracle Identity Manager installed components like Oracle Identity Manager 11.1.2.2.0 Server.

This section includes the following topics:

14.4.1 Configuring Oracle Identity Manager Server 11.1.2.2.0

You must configure the Oracle Identity Manager 11.1.2.2.0 Server using the configuration wizard. For information about configuring Oracle Identity Manager Server, see "Configuring Oracle Identity Manager Server" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Note:

When configuring Oracle Identity Manager Server 11.1.2.2.0, ensure that you do not select the Enable LDAP Sync option on the Oracle Identity Manager Configuration Wizard. LDAP Sync should not be enabled or picked up as an option while upgrading. It can be enabled post upgrade after system verification and other post upgrade steps are completed.

14.4.2 Restarting the Administration Server and SOA Managed Server

To restart the Administration Server and SOA Managed Servers, you must stop them first and start them again in the following order:

  1. Stop the SOA Managed Server(s).

  2. Stop the WebLogic Administration Server.

  3. Start the WebLogic Administration Server.

  4. Start the SOA Managed Server(s).

For more information about stopping the servers, see Section 2.8, "Stopping the Servers".

For more information about starting the servers, see Section 2.9, "Starting the Servers".

14.5 Upgrading Oracle Identity Manager 9.1.x.x Middle Tier

This section describes the tasks to be completed to upgrade the Oracle Identity Manager middle tier.

This section includes the following topics:

14.5.1 Starting and Stopping Oracle Identity Manager Managed Server(s)

Before you start upgrading the Oracle Identity Manager 9.1.x.x middle tier, you must start and stop the Oracle Identity Manager Managed Server(s).

For information about starting the Oracle Identity Manager Managed Server, see Section 2.9.3, "Starting the Managed Server(s)".

For information about stopping the Oracle Identity Manager Managed Server, see Section 2.8.1, "Stopping the Managed Server(s)".

14.5.2 Upgrading the Oracle Identity Manager Middle Tier

Upgrade the Oracle Identity Manager middle tier using the Upgrade Assistant. To do this, complete the following steps:

  1. Run the following command from the location MW_HOME/OIM_HOME/bin to launch the Upgrade Assistant.

    On UNIX: ./ua -invPtrLoc $OIM_HOME/oraInst.loc

    On Windows: ua.bat -invPtrLoc $OIM_HOME\oraInst.loc

  2. The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed.

    Click Next.

  3. The Specify Operation screen is displayed.

    Select Upgrade Oracle Identity Manager Middle Tier.

    Click Next.

  4. The Specify Source Directory screen is displayed.

    Click Browse and enter the directory location of your Oracle Identity Manager 9.1 installation.

    Click Next.

  5. The Specify OIM Database screen is displayed.

    Enter the following information:

    • Host: Enter the name of the host where the database resides.

    • Port: Enter the listening port of the database. For example, 1521.

    • Service Name: Enter the service name of the database. Note that the service name typically consists of the system identifier (SID) and the network domain address of the database.

    • OIM Schema: Enter the name of the Oracle Identity Manager 9.1.x.x schema that resides in the database.

    • SYS Password: Enter the password for the SYS database account of the database that hosts the Oracle Identity Manager 9.1.x.x schema. The Upgrade Assistant needs these login credentials to connect to the database and read the contents of the Oracle Identity Manager schema.

    Click Next.

  6. The Specify MDS Database screen is displayed.

    Enter the following information:

    • Host: Enter the name of the host computer where the database resides.

    • Port: Enter the listening port of the database; for example, 1521.

    • Service Name: Enter the service name of the database. Note that the service name typically consists of the system identifier (SID) and the network domain address of the database.

    • SYS Password: Enter the password of the database SYS user. The Upgrade Assistant needs these login credentials to connect to the database and read the contents of the MDS schema.

    Click Next.

  7. The Specify MDS Schema screen is displayed.

    Complete the following:

    • Select the MDS schemas from the drop-down menu.

    • Enter the password for the schema in the Password field. This password is required so that the Upgrade Assistant can upgrade and modify the schema. This is the Oracle MDS schema password that you set in the Repository Creation Utility (RCU) when you installed the schema in the database.

    Click Next.

  8. The Specify WebLogic Server screen is displayed.

    Enter the following information:

    • Host: The host where the Oracle WebLogic Server domain resides.

      Ensure that you include the full host name; for example:

      IDMHost1.example.com
      
    • Port: The listening port of the administration server. Typically, the administration server listens on port 7001.

    • Username: The user name that is used to log in to the Administration Server. This is the same username you use to log in to the Administration Console for the domain.

    • Password: The password for the administrator account that is used to log in to the administration server. This is the same password you use to log in to the Administration Console for the domain.

    Click Next.

  9. The Specify SOA Server screen is displayed.

    Enter the following information:

    • Host: The host where the SOA Managed Server resides.

    • Port: The listening port of the SOA Managed Server.

    • Username: The user name that is used to log in to the SOA Managed Server. This is the same username you use to log in to the Administration Console for the domain.

    • Password: The password for the administrator account that is used to log in to the SOA Managed Server. This is the same password you use to log in to the Administration Console for the domain.

    Click Next.

  10. The Specify Upgrade Options screen is displayed.

    Click Next.

    Note:

    This screen has an option, Start destination components after successful upgrade, to start all the servers after a successful upgrade; however, Oracle Identity Manager does not support the option of starting destination components after successful upgrade.

    The Examining Components screen is displayed.

    Click Next.

  11. The Upgrade Summary screen is displayed.

    Click Upgrade.

  12. The Upgrade Progress screen is displayed. This screen provides the following information:

    • The status of upgrade

    • Any errors or problems that occur during the upgrade

    Click Next.

  13. The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete.

    Click Close.

    The middle tier upgrade summary report is generated at the location OIM_HOME/upgrade/logs/oimUpgradeReportDir. This report gives detail on the feature name, its upgrade status and feature related report. Verify this report to ensure that the middle tier upgrade was successful.

  14. Verify the middle tier upgrade as described in Verifying the Middle Tier Upgrade.

Verifying the Middle Tier Upgrade

The middle tier upgrade utility creates a log file and HTML reports with upgrade details for each feature. To verify that the Oracle Identity Manager middle tier upgrade was successful, check the log file oimUpgradeReportDir generated at the location OIM_HOME/upgrade/logs. Also, review the HTML upgrade reports generated at the location OIM_HOME/upgrade/logs/oimUpgradeReportDir. The index.html report in this directory lists all the features upgraded during the middle tier upgrade.

14.5.3 Restarting all the Servers

After you upgrade the Oracle Identity Manager middle tier, you must restart the WebLogic Administration Server, Oracle Identity Manager Managed Server(s), and the SOA Managed Server(s).

To restart the servers, you must stop the servers first and start them again in the following order:

  1. Stop the SOA Managed Server(s).

  2. Stop the WebLogic Administration Server.

  3. Start the WebLogic Administration Server.

  4. Start the SOA Managed Server(s).

  5. Start the Oracle Identity Manager Managed Server(s).

For more information about stopping the servers, see Section 2.8, "Stopping the Servers".

For more information about starting the servers, see Section 2.9, "Starting the Servers".

14.6 Post-Upgrade Steps

This section describes the tasks that you need to perform after you upgrade Oracle Identity Manager 9.1.x.x to Oracle Identity Manager 11.1.2.2.0.

This section includes the following topics:

14.6.1 Optional: Configuring the Oracle Identity Manager Design Console 11.1.2.2.0

If you wish to configure Oracle Identity Manager Design Console 11.1.2.2.0, follow the instructions described in the section "Optional: Configuring Oracle Identity Manager Design Console" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

14.6.2 Optional: Configuring the Oracle Identity Manager Remote Manager 11.1.2.2.0

If you wish to configure Oracle Identity Manager Remote Manager 11.1.2.2.0, follow the instructions described in the section "Optional: Configuring Oracle Identity Manager Remote Manager" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

14.6.3 Performing Post-Upgrade Tasks

After you upgrade Oracle Identity Manager 9.1.x.x to 11.1.2.2.0, you must perform the following mandatory post-upgrade tasks:

14.6.3.1 Reviewing Performance Tuning Recommendations

After you upgrade to Oracle Identity Manager 11.1.2.2.0, you must review the Oracle Identity Manager specific performance tuning recommendations described in "Oracle Identity Manager Performance Tuning" in the Oracle Fusion Middleware Performance and Tuning Guide.

14.6.3.2 Running the Entitlement List Schedule

You must run the Entitlement List Schedule task in order to use catalog features.

Complete the following steps to run the Entitlement List Schedule job:

  1. Log in to the following location:

    http://<OIM_HOST>:<OIM_PORT>/sysadmin

  2. Click System Management.

  3. Select Scheduler.

  4. Enter "Entitlement List" in the Search Scheduled Jobs field and click Search.

  5. Select Entitlement List.

  6. Click Run Now. Wait till the job is complete.

14.6.3.3 Running the Entitlement Assignments Schedule Job

You must run the Entitlement Assignments schedule task in order to ensure that the existing entitlement grants are shown properly in the My Entitlements tab. Complete the following steps to run the Entitlement Assignments schedule job:

  1. Log in to the following location:

    http://<OIM_HOST>:<OIM_PORT>/sysadmin

  2. Click System Management.

  3. Select Scheduler.

  4. Enter Entitlement Assignments in the Search Scheduled Jobs field, and click Search.

  5. Select Entitlement Assignments.

  6. Click Run Now. Wait till the job is complete.

14.6.3.4 Running the Evaluate User Policies Scheduled Task

You must run the Evaluate User Policies scheduled task to start provisioning based on access policy after the role grant. This scheduled task can be configured to run every 10 minutes, or you can run this scheduled task manually.

To start the scheduler, see "Starting and Stopping the Scheduler" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

14.6.3.5 Running Catalog Synchronization

Resource objects are transformed during the upgrade process. In order to provision the resource of an object, called App instance, with Oracle Identity Manager 11.1.2.2.0, you must run the Catalog Synchronization job.

For more information, see "Bootstrapping the Catalog" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Note:

If no Entitlements show up, make sure that the Entitlements field in the child tables is set to Entitlement=true and reloaded into the parent form. After setting Entitlement=true, regenerate the view and run the Entitlement List scheduler job.

14.6.3.6 UMS Notification Provider

This is a new Oracle Identity Manager 11.1.2.2.0 feature for notification. If you want to use this new notification model, after upgrading to 11.1.2.2.0, complete the following steps:

  1. Configure Email driver from Enterprise Manager user interface:

    1. Log in to Oracle Enterprise Manager Fusion Middleware Control and do the following:

      i. Expand Application Deployments.

      ii. Expand User Messaging Service.

      iii. Select usermessagingdriver-email (<soa_server1>).

      iv. Select Email Driver Properties.

      v. Select in Driver-Specific Configuration.

    2. Configure the values, as listed in Table 14-6:

      Table 14-6 UMS Parameters and Description

      • OutgoingMailServer: Name of the SMTP server. For example: abc.example.com

      • OutgoingMailServerPort: Port of the SMTP server. For example: 456

      • OutgoingMailServerSecurity: The security setting used by the SMTP server. Possible values can be None/TLS/SSL.

      • OutgoingUsername: Provide a valid username. For example: abc.eg@example.com

      • OutgoingPassword: Complete the following:

        1. Select Indirect Password. Create a new user.

        2. Provide a unique string for indirect Username/Key. For example: OIMEmailConfig. This masks the password and prevents it from being exposed in cleartext in the config file.

        3. Provide valid password for this account.


  2. Configure the Notification provider XML through the Enterprise Manager user interface:

    1. Log in to Enterprise Manager and do the following:

      i. Expand Application Deployments.

      ii. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.

      iii. Select System MBean Browser.

      iv. Expand Application Defined MBeans.

      v. Expand oracle.iam.

      vi. Expand Server_OIM_Server1

      vii. Expand Application: oim.

      viii. Expand IAMAppRuntimeMBean.

      ix. Select UMSEmailNotificationProviderMBean.

    2. Configure the values, as listed in Table 14-7:

      Table 14-7 Parameter for Configuring Notification Provider

      • Web service URL: The URL of the UMS web service. Any SOA server can be used. For example: http://<SOA_host>:<SOA_Port>/ucs/messaging/webservice

      • Policies: The OWSM Policy is attached to the given web service. Leave it blank.

      • Username: The username is given in the security header of web service. If there is no policy attached, leave it blank.

      • Password: The password given in the security header of web service. If there is no policy attached, leave it blank.
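The settings in Table 14-6 and Table 14-7 can be reviewed before they are applied. The following is an added example, not Oracle code: the dictionaries are a constructed representation keyed by the tables' parameter names, and OutgoingPasswordType is a hypothetical key recording which password option was selected.

```python
from urllib.parse import urlsplit

# Constructed settings showing the weak choices (all values are samples).
WEAK_DRIVER = {
    "OutgoingMailServer": "abc.example.com",
    "OutgoingMailServerPort": "456",
    "OutgoingMailServerSecurity": "None",
    "OutgoingUsername": "abc.eg@example.com",
    "OutgoingPasswordType": "Cleartext",        # hypothetical key and value
}
WEAK_PROVIDER = {
    "Web service URL": "http://soa1.example.com:8001/ucs/messaging/webservice",
    "Policies": "",
    "Username": "weblogic",
    "Password": "constructed-secret",
}
# The same settings after correction.
FIXED_DRIVER = dict(WEAK_DRIVER, OutgoingMailServerSecurity="TLS",
                    OutgoingPasswordType="Indirect Password")
FIXED_PROVIDER = dict(WEAK_PROVIDER, Username="", Password="")


def review_notification_config(driver, provider):
    """Return (code, message) findings for the email driver and provider settings."""
    findings = []

    if not driver.get("OutgoingMailServer", "").strip():
        findings.append(("smtp-server-missing", "OutgoingMailServer is empty"))

    port = str(driver.get("OutgoingMailServerPort", "")).strip()
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(("smtp-port-invalid", "OutgoingMailServerPort is not a port number"))

    security = driver.get("OutgoingMailServerSecurity", "").strip().upper()
    if security not in {"NONE", "TLS", "SSL"}:
        findings.append(("smtp-security-invalid",
                         "OutgoingMailServerSecurity must be None, TLS or SSL"))
    elif security == "NONE" and driver.get("OutgoingUsername", "").strip():
        findings.append(("smtp-auth-without-tls",
                         "mail account credentials are sent with no transport protection"))

    if not driver.get("OutgoingPasswordType", "").lower().startswith("indirect password"):
        findings.append(("smtp-password-not-indirect",
                         "select Indirect Password so the password is not stored in cleartext"))

    url = urlsplit(provider.get("Web service URL", "").strip())
    if url.scheme not in {"http", "https"} or not url.hostname:
        findings.append(("ums-url-invalid", "Web service URL is not an http(s) URL"))

    has_policy = bool(provider.get("Policies", "").strip())
    has_credentials = bool(provider.get("Username", "").strip() or provider.get("Password", ""))
    if not has_policy and has_credentials:
        findings.append(("ums-credentials-without-policy",
                         "no policy is attached, so Username and Password should be blank"))
    return findings


if __name__ == "__main__":
    for label, drv, prov in (("weak", WEAK_DRIVER, WEAK_PROVIDER),
                             ("fixed", FIXED_DRIVER, FIXED_PROVIDER)):
        print(label)
        for code, message in review_notification_config(drv, prov) or [("ok", "no findings")]:
            print("  %-32s %s" % (code, message))
```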


After upgrading to 11.1.2.2.0, if you want to use SMTP notification provider instead of the default UMS notification provider, do the following:

  1. Log in to Enterprise Manager and do the following:

    1. Expand Application Deployments.

    2. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.

    3. Select System MBean Browser.

    4. Expand Application Defined MBeans.

    5. Expand oracle.iam.

    6. Expand Server_OIM_Server1

    7. Expand Application: oim.

    8. Expand IAMAppRuntimeMBean.

    9. Select UMSEmailNotificationProviderMBean.

  2. Ensure that the value of the attribute Enabled is set to true.

  3. Provide the configuration values in MBean (username, password, mailServerName) or the name of IT Resource in MBean.

    The IT Resource name is the name given in XL.MailServer system property, before you upgrade Oracle Identity Manager 9.1.x.x to Oracle Identity Manager 11.1.2.2.0.

14.6.3.7 Upgrading User UDF

You must have UDFs in your environment, because if you do not update your user interface with UDFs, several features where UDFs are involved, such as user creation, role creation, and self registration requests, fail.

This section contains the following topics:

14.6.3.7.1 Rendering the UDFs

For an Oracle Identity Manager 11.1.2.2.0 environment that has been upgraded from Oracle Identity Manager 9.1.x.x, the custom attributes for user entity already exist in the back-end. These attributes are not present as form fields on the Oracle Identity Manager 11.1.2.2.0 user interface screens until the user screens are customized to add the custom fields.

However, before you can customize the screens, you must first complete upgrading the custom attributes using the Upgrade User Form link in the System Administration console.

After completing the Upgrade User Form, the User value object (VO) instances in various Data Components like DataComponent-Catalog, DataComponent-My Information, and DataComponent-User Registration show the custom attributes. This includes all custom attributes available for Web Composer (Customized), which can be added to User user interface screens.

For more information, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Complete the following steps to render UDFs:

  1. Log in to the Identity System Administration console.

  2. Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.

  3. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  4. Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.

    Note:

    If you encounter any error popup or ERROR/WARNING level logs after clicking Upgrade Now button, you must analyze the error, and then export the sandbox for analysis and discard (Delete) the sandbox.

  5. Publish the Sandbox.

  6. Log out from Identity System Administration console.

  7. Log in to Identity Self Service console.

  8. Click Create Sandbox. A Create Sandbox window appears.

  9. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  10. From the left navigation pane, select Users.

  11. Click Create User. A Create User page opens. Fill in all the mandatory fields, and add UDFs. Add the same UDFs in the Modify User and User Detail screens. Select the correct Data Component and UserVO Name as listed in Table 14-8.

    For example:

    From the left navigation pane, click Users. Click User to go to the Create User screen and fill all mandatory fields.

  12. Click Customize on top right. Select View. Select Source.

  13. Select Name in Basic Information and click Edit on the confirmation window.

  14. Select panelFormLayout. Click Add Content.

  15. Select the correct Data Component and VO Name as listed in Table 14-8:

    Table 14-8 UDF Screens and Description

    | Screen Name | Data Component | VO Name | Procedure |
    |---|---|---|---|
    | Create User | Data Component - Catalog | UserVO | 1. Click User. 2. Click Create, it launches the Create User screen. |
    | Modify User | Data Component - Catalog | UserVO | 1. Click User and search. 2. Select a single user from search results. 3. Click Edit, it launches the Modify User screen. |
    | View User Details | Data Component - Manage Users | UserVO1 | 1. Click User and search. 2. Select a single user from search results. |
    | Bulk Modify User Flow | Data Component - Catalog | UserVO | 1. Click User and search. 2. Select more than a single user from search results. |
    | My Information | Data Component - My Information | UserVO1 | 1. Click Identity. 2. Select the My Information sub-tab. |
    | Customizing Search Results | Data Component - Manage Users | UserVO1 | 1. Click Identity. 2. Click Users. 3. Click Customizations, it opens the Web Composer. |
    | User Registration | Data Component - User Registration | UserVO1 | 1. Click Customize to open Web Composer. 2. Enable the left navigation links for unauthenticated pages. 3. Click User Registration. 4. Select User Registration. |
    | Adding UDF in Search Panel | NA | NA | 1. Log in to Identity. 2. Click User. 3. Search for "Add Fields" in the search box. It shows all searchable fields to the user. |
    | Customizing Request Summary/Details | NA | NA | Requests created after Create User, Modify User, My Information, Self Registration |


  16. Click Close.

  17. Click Sandboxes. Export the sandbox using Export Sandbox.

  18. Publish the sandbox.

  19. Log out from Identity Self Service, and log in again. The added UDF now appears on the screen.

Note:

You can upgrade and customize Role UDF and Organization UDF by following the instructions described in the table "Entities and Corresponding Data Components and View Objects" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

14.6.3.7.2 User Interface Customization for 9.1.x.x Mandatory UDF and OOTB Attributes

If you have rendered the OOTB attributes as mandatory in Oracle Identity Manager 9.1.x.x, you must customize the user interface in order to achieve the same customizations after upgrade.

Note:

First name is a required field for user creation and self registration. Even if the first name field is not marked as a required field (*) in the user creation and self registration forms, you must still specify the first name during user creation and self registration after you upgrade to 11.1.2.2.0.

To customize the user interface for mandatory UDF and OOTB attributes, do the following:

  1. Log in to Identity Self Service console.

  2. Click Create Sandbox. A Create Sandbox window appears.

  3. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  4. From the left navigation pane, click Users. Click User to go to the Create User screen and fill all the mandatory fields.

  5. Click Customize on top right. Select View. Select Source.

  6. Select Name in Basic Information and click Edit on the confirmation window.

  7. Select panelFormLayout. Click Add Content.

  8. Click Input Component and click Edit.

  9. On the Component Properties dialogue, select Show Required checkbox. In the Required field, select Expression Editor, and in the Expression Editor field, enter the value as true.

  10. Click Close.

  11. Click Sandboxes. Export the sandbox using Export Sandbox.

  12. Publish the sandbox.

  13. Log out from Identity Self Service, and log in again. The added UDF now appears on the screen with an asterisk (*) symbol.

14.6.3.7.3 Lookup Query Modification

In a user customization upgrade, multiple values for the Save Column may exist in User.xml. Based on the possible values (single, multiple, and null), do the following in the upgraded environment:

  • Use Single value for Save Column: User creation is successful, and the value of the field is also saved in database.

  • Use Multiple or NULL value for Save Column: User creation is successful, but the value is not saved in database.

Recommendation

Update the Lookup By Query metadata definition attached to an attribute in User or Role through Config Service or Design Console.

14.6.3.8 Upgrading Application Instances

After you complete the upgrade, you must complete the following steps to upgrade Application Instances:

  1. Log in to the following console:

    http://<OIM_HOST>:<OIM_PORT>/sysadmin

  2. Expand Upgrade on the left navigation pane.

  3. Click Upgrade Application Instances.

  4. Click Upgrade Now.

This creates the UI Forms and Datasets for the Application Instances, and seeds them to MDS.

14.6.3.9 Redeploying XIMDD

Note:

This section is required only if the Diagnostic Dashboard services for AD Password Sync were deployed in 9.1.x.x and if your application is deployed in staging mode in 9.1.x.x.

Before you can re-deploy, you must undeploy XIMDD from the 9.1.x.x Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. If you are running in production mode, click Lock and Edit.

  3. Click Deployments.

  4. In the resulting list, look for XIMDD.

  5. If it is running, select XIMDD.

  6. Click Delete.

  7. Activate the changes.

To redeploy, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. Click Lock & Edit.

  3. Click Deployments.

  4. Click Install.

  5. In the path, give the path for XIMDD.ear.

    The default path is in the following location:

    On UNIX, $<OIM_HOME>/server/webapp/optional

    On Windows, <OIM_HOME>\server\webapp\optional

  6. Select XIMDD.ear. Click Next.

  7. Select Install this deployment as an application. Click Next.

  8. In Select deployment targets page, select oim server. Click Next.

  9. In the Optional Setting page, click Finish.

  10. Click Deployments.

  11. Select XIMDD. Click Start.

  12. From the options, select Service All Requests.

14.6.3.10 Redeploying SPML-DSML

Note:

This section is required only if the DSML web services for AD Password Sync were deployed in 9.1.x.x.

To redeploy SPML-DSML, you must first undeploy SPML-DSML from the 9.1.x.x Oracle Identity Manager Managed Server or from the cluster. To undeploy SPML-DSML, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. If you are running in production mode, obtain the Lock in order to make updates.

  3. Click Deployments.

  4. In the resulting list, look for spml.

  5. If it is running, select spml.

  6. Click Delete.

  7. Activate the changes.

To redeploy SPML-DSML, complete the following steps:

  1. Log in to WebLogic Server Administration console through the following path:

    host:admin port/console

  2. Click Lock & Edit.

  3. Click Deployments.

  4. Click Install.

  5. In the path, give the path for spml.ear.

    The default path is in the following location:

    On UNIX, $<OIM_HOME>/server/apps

    On Windows, <OIM_HOME>\server\apps

  6. Select spml-dsml.ear. Click Next.

  7. Select Install this deployment as an application. Click Next.

  8. In Select deployment targets page, select oim server. Click Next.

  9. In the Optional Setting page, click Finish.

  10. Click Deployments.

  11. Select spml. Click Start.

  12. From the options, select Service All Requests.

14.6.3.11 Customizing Event Handlers

If you have used any event handlers in Oracle Identity Manager 9.1.x.x, you must re-customize the event handler for Oracle Identity Manager 11.1.2.2.0.

For more information, see "Developing Custom Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

14.6.3.12 Recompiling Adapters

After you upgrade to Oracle Identity Management 11g, you must recompile the adapters as described in "Compiling Adapters" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager. Some of your adapters may fail to compile. You must identify and recompile the adapters as described in note 1311574.1 at https://support.oracle.com.

14.6.3.13 Rewriting Prepopulate Adapters

After you upgrade to Oracle Identity Management 11g, you must rewrite the prepopulate adapter as described in "Prepopulation of an Attribute Value During Request Creation" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

14.6.3.14 Disabling User Login

In Oracle Identity Manager 11.1.2.2.0, the User login field is not mandatory. You must disable the user login mandatory option by completing the following steps:

  1. Export the following files to MDS:

    • /metadata/iam-features-requestactions/model-data/CreateUserDataSet.xml

    • /metadata/iam-features-requestactions/model-data/SelfCreateUserDataset.xml

    For information about exporting metadata files, see "Exporting Metadata Files to MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  2. Open the file CreateUserDataSet.xml in a text editor. Search for <AttributeReference name="User Login"..>, and set required="false".

  3. Open the file SelfCreateUserDataset.xml in a text editor. Search for <AttributeReference name="User Login"..>, and set required="false".

  4. Import the files CreateUserDataSet.xml and SelfCreateUserDataset.xml back to MDS. For information about importing metadata files, see "Importing Metadata Files from MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
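The edit in steps 2 and 3 can be scripted so that it is repeatable and verified before the files are imported again. The following is an added example, not Oracle tooling or code from this guide: it assumes the two dataset files have already been exported to local disk, the sample XML is constructed, and only the `AttributeReference` element with its `name` and `required` attributes comes from the steps above.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed stand-in for an exported dataset; the real file carries more
# elements and attributes (only name= and required= come from the guide).
SAMPLE_DATASET = """<?xml version="1.0" encoding="UTF-8"?>
<request-data-set name="CreateUserDataSet">
  <AttributeReference name="First Name" required="false" type="String"/>
  <AttributeReference name="User Login" type="String"
                      required="true"/>
  <AttributeReference name="Last Name" required="true" type="String"/>
</request-data-set>
"""

_START_TAG = re.compile(r"<(?:[\w.-]+:)?AttributeReference\b[^>]*>")
_NAME = re.compile(r"""(?<![\w:-])name\s*=\s*(["'])User Login\1""")
_REQUIRED = re.compile(r"""(?<![\w:-])required\s*=\s*(["'])(.*?)\1""")


def _patch_tag(match, changed):
    tag = match.group(0)
    if not _NAME.search(tag):
        return tag                      # some other attribute: leave alone
    req = _REQUIRED.search(tag)
    if req is None:                     # flag absent: state it explicitly
        end = "/>" if tag.endswith("/>") else ">"
        changed.append(tag)
        return tag[:-len(end)].rstrip() + ' required="false"' + end
    if req.group(2) == "false":
        return tag                      # already optional: no-op
    changed.append(tag)
    return tag[:req.start()] + 'required="false"' + tag[req.end():]


def make_user_login_optional(xml_text):
    """Return (patched_text, tags_changed); text outside those tags is untouched."""
    changed = []
    patched = _START_TAG.sub(lambda m: _patch_tag(m, changed), xml_text)
    root = ET.fromstring(patched)       # refuse to emit malformed XML
    refs = [e for e in root.iter()
            if e.tag.rsplit("}", 1)[-1] == "AttributeReference"
            and e.get("name") == "User Login"]
    if not refs:
        raise ValueError("no AttributeReference named 'User Login' found")
    if any(e.get("required") != "false" for e in refs):
        raise ValueError("a 'User Login' reference is still required")
    return patched, len(changed)


if __name__ == "__main__":
    # Usage: python this_script.py CreateUserDataSet.xml SelfCreateUserDataset.xml
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", newline="") as fh:
            text, n = make_user_login_optional(fh.read())
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(text)
        print(f"{path}: {n} tag(s) changed")
```

Because only the matching start tag is rewritten, a diff of each file before and after shows exactly the `required` change and nothing else, which makes the change easy to review before the import.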

14.6.3.15 Upgrading Oracle Identity Management Reports

If you have configured Oracle Identity Management Reports in Oracle Identity Manager 9.1, you must upgrade the reports as described in "Upgrading to 11g Release 1 (11.1.1)" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for 11g Release 1 (11.1.1).

Note:

BI Publisher cannot be accessed through the Oracle Identity Manager Administrative and User Console. You must open BI Publisher explicitly to access the Oracle Identity Manager 11g reports.

14.6.3.16 Creating New SOA Composites

You must create new SOA composites for all the 9.1.x.x approval processes after you upgrade to 11.1.2.2.0. It is recommended that you create reusable SOA Composites that can be used as approval workflows for different operations and entities.

For information about creating new SOA composites, see "Creating New SOA Composites" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

14.6.3.17 Configuring Auto-Approval for Self-Registration

After upgrading from Oracle Identity Manager 9.1.x.x, the auto approval feature is disabled for Oracle Identity Manager 11g. You must enable auto-approval for self-registration as described in "Enabling Auto-Approval for Self Registration Requests" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

14.6.3.18 Generating an Audit Snapshot

You must generate an audit snapshot of the audit tables as described in "Generating an Audit Snapshot" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

14.6.3.19 Enabling Audit

The audit features are not enabled after the upgrade if they were not present in Oracle Identity Manager 9.1. You can enable audit as described in "Modifying System Properties" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

14.6.3.20 Creating Password Policies

When you upgrade Oracle Identity Manager 9.1.x.x to 11.1.2.2.0, a default password policy is seeded at the TOP organization. As a result, any password policy rules created using the older password policy model in the Oracle Identity Manager 9.1.x.x environment are not supported. The upgrade utility does not migrate the password policies of Oracle Identity Manager 9.1.x.x to 11.1.2.2.0. If you had made any password policy customizations on the older password policy rules, you must create equivalent password policies using the newer password policy model, and attach them to the respective organization.

For information about creating password policies, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

14.6.3.21 Reviewing OIM Data Purge Job Parameters

This post-upgrade task is optional.

While upgrading Oracle Identity Manager to 11.1.2.2.0, the OIM Data Purge Job will be seeded in enabled state. By default, it will purge platform data with a retention period of 1 day for complete orchestration. To enable purge of request, reconciliation, and provisioning task, you must revisit the OIM Data Purge Job parameters.

For information about the user-configurable attributes, see "Configuring Real-Time Purge and Archival" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

14.6.3.22 Reviewing Connector Certification

Before you upgrade your existing Oracle Identity Manager environments, you must verify if the version of the existing connector is supported for Oracle Identity Manager 11.1.2.2.0. For information about the supported connector versions for Oracle Identity Manager 11.1.2.2.0, refer to the sections "Certified Components" and "Usage Recommendation" in the respective Connector Guide in Oracle Identity Manager Identity Connectors Documentation Library.

If you are using 9.x connector or GTC connector, do the following:

  • If the 9.x connector that you are using is supported, you can continue to use the existing connector.

  • If the 9.x connector is not supported, you must upgrade the existing 9.x connector to the latest 11.x connector after you upgrade the Oracle Identity Manager server to 11.1.2.2.0.

  • In the lookup populated through lookup reconciliation, verify that the code and decode values are prefixed with the IT Resource Key and IT Resource name, respectively. If not, you must upgrade the existing connector to the latest available connector after you upgrade the Oracle Identity Manager server.

If you are using 11g connector, the connector upgrade is not required.

14.6.3.23 Verifying the Functionality of Connectors

After you upgrade Oracle Identity Manager to 11.1.2.2.0, complete the following steps to verify the functionality of connectors:

  • Verify if Account and Entitlement Tagging are available on the process form. For the connectors to work with Oracle Identity Manager 11.1.2.2.0, you must complete the steps described in the section "Configuring Oracle Identity Manager 11.1.2 or Later" in the respective Connector Guide.

  • Verify if the customizations made to the connectors are intact.

  • Verify if the 11.1.2.2.0 related artifacts like UI Forms and Application Instances are generated.

  • Ensure that all the operations of the connectors are working fine.

  • If there are two or more IT Resource fields in the process form, complete the steps described in the following My Oracle Support note:

    My Oracle Support document ID 1535369.1

  • If there are any lookup query fields in the process form of the related connector, you must customize the UI to display them. For more information, see the 'Lookup Query' section in "General Customization Concepts" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

14.6.4 Verifying the Upgrade

To verify the Oracle Identity Manager upgrade, do the following:

  1. Review the middle tier upgrade summary report at the location OIM_HOME/upgrade/logs/oimUpgradeReportDir. The index.html lists all the features upgraded during this process.

  2. Install the Diagnostic Dashboard and run the following tests:

    • Oracle Database Connectivity Check

    • Account Lock Status

    • Data Encryption Key Verification

    • Scheduler Service Status

    • JMS Messaging Verification

    • SOA-Oracle Identity Manager Configuration Check

    • SPML Web Service

    • Test OWSM setup

    • Test SPML to Oracle Identity Manager request invocation

    • SPML attributes to Oracle Identity Manager attributes

    • Username Test

  3. Use the following URL in a web browser to verify that Oracle Identity Manager 11.1.2.2.0 is running:

    http://<oim_host>:<oim_port>/sysadmin

    http://<oim_host>:<oim_port>/identity

    where

    <oim_host> is the hostname of the machine running the administration server.

    <oim_port> is the port number.

  4. Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.