11 Upgrading Oracle Identity Manager 11g Release 1 (11.1.1.x.x) Environments

This chapter describes how to upgrade your existing Oracle Identity Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on Oracle WebLogic Server.

Note:

For information about upgrading Oracle Identity Manager on IBM WebSphere, see "Upgrading Oracle Identity Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.

Note:

This chapter refers to Oracle Identity Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments as 11.1.1.x.x.

This chapter includes the following sections:

Note:

Oracle Identity Manager upgrade scripts from 11.1.1.x.x to 11.1.2.2.0 create application instances during the upgrade process. The application instances that are created will be based on the existing accounts and their data. For active accounts that have an IT Resource field on the process form, whose value is populated on the process form, corresponding application instances will be created for the specific Resource Object+ITResource combination.

11.1 Upgrade Roadmap for Oracle Identity Manager

The procedure for upgrading Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0 involves the following high-level steps:

  1. Pre-Upgrade Steps: This step involves tasks like generating the pre-upgrade report, analyzing the report and performing the necessary pre-upgrade tasks described in the report, shutting down the servers, backing up the 11.1.1.x.x environment and so on.

  2. Upgrading the Oracle Home and Database Schemas: This step involves tasks like upgrading Oracle SOA Suite, upgrading 11.1.1.x.x Oracle Home to 11.1.2.2.0, creating Oracle Platform Security Services schema using Repository Creation Utility, upgrading Oracle Platform Security Services, configuring the security store, upgrading Oracle Identity Manager using Patch Set Assistant and so on.

  3. Upgrading the Oracle Identity Manager Middle Tier: This step involves tasks like upgrading Oracle Identity Manager middle tier, starting the servers, patching the Oracle Identity Manager MDS metadata and so on.

  4. Upgrading Other Oracle Identity Manager Installed Components: This step involves tasks like upgrading Oracle Identity Manager Design Console, Oracle Identity Manager Remote Manager, and configuring BI Publisher Reports.

  5. Post-Upgrade Steps: This step involves the post-upgrade tasks like enabling Oracle Identity Manager - Oracle Access Manager integration, upgrading user UDF, customizing event handlers, upgrading SOA composites and so on.

Table 11-1 lists the steps to upgrade Oracle Identity Manager 11.1.1.x.x.

Note:

If you do not follow the exact sequence provided in this task table, your Oracle Identity Manager upgrade may not be successful.

Table 11-1 Upgrade Flow

| Sl No | Task | For More Information |
|---|---|---|
| | Pre-Upgrade Steps | |
| 1 | Review the changes in the features of Oracle Identity Manager 11.1.2.2.0. | See, Feature Comparison |
| 2 | Review system requirements and certifications. | See, Reviewing System Requirements and Certification |
| 3 | Generate the pre-upgrade report by running the PreUpgradeReport utility. | See, Generating and Analyzing the Pre-Upgrade Report |
| 4 | Ensure that getPlatformTransactionManager() method is not used in custom code. | See, Ensuring That getPlatformTransactionManager() Method is Not Used in Custom Code |
| 5 | Empty the oimProcessQueue JMS queue to ensure that JMS messages are processed before you start upgrading. | See, Emptying the oimProcessQueue JMS Queue |
| 6 | Complete all of the pre-requisite tasks. | See, Other Prerequisites |
| 7 | Ensure that the JRF is upgraded. | See, Ensuring That JRF is Upgraded |
| 8 | In Oracle Identity Manager 11.1.1.x.x, if you do not have at least one reconciliation field of type IT Resource, then you must create one for all account type profiles. | See, Creating Reconciliation Field of Type IT Resource |
| 9 | Back up your environment. | See, Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.x.x) |
| 10 | Set the JVM properties for the Oracle Identity Manager Server(s) using the WebLogic Administration console. | See, Setting JVM Properties for Oracle Identity Manager Server(s) |
| 11 | Shut down all servers. This includes Administration Server, SOA Managed Servers, and Oracle Identity Manager Managed Servers. | See, Shutting Down Node Manager, Administration Server and Managed Servers |
| | Upgrading the Oracle Home and Database Schemas | |
| 12 | Upgrade Oracle WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6. | See, Upgrading Oracle WebLogic Server |
| 13 | Upgrade SOA suite used by Oracle Identity Manager. | See, Upgrading Oracle SOA Suite to 11.1.1.7.0 |
| 14 | Upgrade Oracle Identity Manager binaries to 11.1.2.2.0. | See, Upgrading Oracle Identity Manager Binaries to 11.1.2.2.0 |
| 15 | Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load OPSS schema for Oracle Identity and Access Management products. | See, Creating Oracle Platform Security Services Schema |
| 16 | Upgrade the Oracle Platform Security Services schemas. | See, Upgrading Oracle Platform Security Services Schemas |
| 17 | Extend your Oracle Identity Manager 11.1.1.x.x domain with the OPSS template. | See, Extending Oracle Identity Manager 11.1.1.x.x Component Domains with OPSS Template |
| 18 | Upgrade Oracle Platform Security Services. | See, Upgrading Oracle Platform Security Services |
| 19 | Run the configuresecuritystore.py script to configure policy stores. | See, Configuring OPSS Security Store |
| 20 | Upgrade Oracle Identity Manager using the Patch Set Assistant. | See, Upgrading Oracle Identity Management Schemas Using Patch Set Assistant |
| 21 | Start the WebLogic Administration Server and the SOA Managed Server(s). | See, Starting the Administration Server and SOA Managed Server |
| | Upgrading the Oracle Identity Manager Middle Tier | |
| 22 | Upgrade Oracle Identity Manager Middle Tier. | See, Upgrading Oracle Identity Manager Middle Tier |
| 23 | Verify the Oracle Identity Manager Middle Tier Upgrade. | See, Verifying Oracle Identity Manager Middle Tier Upgrade |
| 24 | Change the deployment order of Oracle Identity Manager from 47 to 48. | See, Changing the Deployment Order of Oracle Identity Manager EAR |
| 25 | Restart the Administration Server and SOA Managed Servers. | See, Restarting the Administration Server and SOA Managed Server |
| 26 | Patch the Oracle Identity Manager MDS metadata by starting the Oracle Identity Manager Managed Servers. | See, Patching Oracle Identity Management MDS Metadata |
| | Upgrading Other Oracle Identity Manager Installed Components | |
| 27 | Upgrade Oracle Identity Manager Design Console. | See, Upgrading Oracle Identity Manager Design Console |
| 28 | Upgrade Oracle Identity Manager Remote Manager. | See, Upgrading Oracle Identity Manager Remote Manager |
| 29 | Configure Oracle BI Publisher 11g Release 1 (11.1.1.7.1). | See, Configuring Oracle BI Publisher 11.1.1.7.1 |
| 30 | Deploy the Oracle Identity Manager BI Publisher Reports. | See, Deploying Oracle Identity Manager BI Publisher Reports |
| | Post-Upgrade Steps | |
| 31 | Complete the post-upgrade steps. | See, Post-Upgrade Steps |
| 32 | Verify the upgrade. | See, Verifying the Upgrade |

11.2 Pre-Upgrade

This section contains the following topics:

11.2.1 Feature Comparison

Table 11-2 lists the key differences in functionality between Oracle Identity Manager 11.1.1.x.x and 11g Release 2 (11.1.2.2.0).

Table 11-2 Features Comparison

Oracle Identity Manager 11.1.1.5.0 and/or 11.1.1.7.0 Oracle Identity Manager 11.1.2.2.0

Oracle Identity Manager 11.1.1.x.x provided Identity Attestation to periodically review a user's access. For advanced access review capabilities such as role or data owner certification, OIM 11.1.1.x had to be integrated with Oracle Identity Analytics (OIA) to leverage the advanced access review capabilities that OIA provided.

In Oracle Identity Manager 11.1.2.1.0 and 11.1.2.2.0, the advanced access review capabilities of OIA are converged into OIM to provide a complete identity governance platform that enables an enterprise to do enterprise grade access request, provisioning, and access review from a single product.

After upgrading to Oracle Identity Manager 11.1.2.2.0, you can use the new access review capabilities. This feature is disabled by default. Therefore, you must ensure that you have relevant licenses before enabling this new feature.

In Oracle Identity Manager 11.1.1.x.x, users are assigned to organizations by specifying an organization name in the Organization attribute of the user details. This is a static organization membership. A user can only be a member of one organization.

In Oracle Identity Manager 11.1.2.2.0, in addition to the existing feature, you can dynamically assign users to organizations based on user-membership rules, which you can define in the Members tab of the organization details page.

All users who satisfy the user-membership rule are dynamically associated with the organization, irrespective of the organization hierarchy the users statically belong to. With this new capability, a user can gain membership of one home organization via static membership and multiple secondary organizations via user-membership rules that are dynamically evaluated.

In Oracle Identity Manager 11.1.1.x.x, administrators configured request templates to control what an end user could request.

End users have to navigate through a series of menus to select an entitlement before they can submit an access request.

An end user's access to request templates was controlled by his/her role memberships.

Oracle Identity Manager 11.1.2.2.0 provides a new user interface with a shopping cart-type request model through which end users can search and browse through the catalog and directly request any item such as roles, entitlements, or applications, without having to navigate through a series of menus.

In addition to this, business-friendly metadata such as description, audit objective, tags, owner, approver, technical glossary, and so on can be associated with each access item, to display business-friendly and rich contextual information to a business user at the time of self-service access request and access review.

An end user's access to entities is controlled by a combination of user-to-organization publishing and entity-to-organization publishing.

Post upgrade, administrators need to run the catalog synchronization job to populate the catalog with request-able entities and entity metadata.

Post upgrade, administrators need to define entity to organization publishing to control what an end user can request.

Resource and IT resource names tend to be named in a manner that makes it easy for the IT users to manage them. The problem with this approach is that if a business user has to request access, the resource name will not make sense. These incomprehensible Resource and IT resource names make the access request process non-intuitive.

Oracle Identity Manager 11.1.2.2.0 provides an abstraction entity called Application Instance. It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism). Administrators can assign business-friendly names to Application instances and map them to corresponding IT resources and Resource Objects.

End users who request accounts through the catalog will search for an account by providing the business-friendly Application Instance Name.

Application instances are automatically created as part of the upgrade procedure. Administrators are expected to define organization publishing for these Application Instances to control who has access to requests for access to the application.

In Oracle Identity Manager 11.1.1.x.x, authorization policies are used to control a user's access to the functions within Oracle Identity Manager. Policy administration was done through a UI that was built specifically for Oracle Identity Manager.

Oracle Identity Manager 11.1.2.2.0 leverages Oracle Entitlement Server for authorization policy enforcement and administration. This is the standards-based platform for authorization policy enforcement and administration across all IDM components.

Administration of Authorization Policies is now done through the Authorization Policy Manager, which is the main tool for lifecycle management of Authorization Policies.

Post upgrade to Oracle Identity Manager 11.1.2.2.0, authorization policy definition and administration will have to be done from the Authorization Policy Manager console, and any customizations made to out-of-the-box 11.1.1.x authorization policies will have to be reapplied.

In Oracle Identity Manager 11.1.1.x.x, access policy evaluation is done instantly for each user when they are updated.

In Oracle Identity Manager 11.1.2.2.0, access policy evaluation is done when the Evaluate User Policies scheduled job is run. This gives you the flexibility to control when heavy operations such as access policy evaluation and provisioning are triggered.

Post upgrade to Oracle Identity Manager 11.1.2.2.0, administrators will have to schedule this job to run in predefined intervals based on their business requirements.

Oracle Identity Manager 11.1.1.x.x provided separate interfaces for end user self-service and delegated administration.

In Oracle Identity Manager 11.1.2.2.0, the end user self-service and delegated administration consoles have been unified into a single self service console to simplify administration and self service.

Oracle Identity Manager 11.1.2.2.0 also uses the Skyros skin, which is a lightweight skin.

Any customization added to the 11.1.1.x.x User Interface (UI) will have to be reapplied on the 11.1.2.2.0 User Interface post upgrade. For an overview of UI customization in Oracle Identity Manager 11.1.2.2.0, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.


11.2.2 Reviewing System Requirements and Certification

Before you start the upgrade process, you must read the system requirements and certification document to ensure that your system meets the minimum requirements for the products you are installing or upgrading. For more information see Section 2.1, "Reviewing System Requirements and Certification".

11.2.3 Generating and Analyzing the Pre-Upgrade Report

You must run the pre-upgrade utility before you begin the upgrade process, and address all the issues listed as part of this report with the solution provided in the report.

The pre-upgrade utility analyzes your existing Oracle Identity Manager 11.1.1.x.x environment, and provides information about the mandatory prerequisites that you must complete before you upgrade the environment. The information in the pre-upgrade report covers the invalid approval policies, requests and event handlers that are affected by the upgrade, the list of mandatory Database components that need to be installed before upgrade, cyclic groups in the LDAP directory, deprecated authorization policies, and issues in creating potential application instances.

Note:

It is important to address all the issues listed in the pre-upgrade report, before you can proceed with the upgrade, as upgrade might fail if the issues are not fixed.

Run this report until no pending issues are listed in the report.

To generate and analyze the pre-upgrade report, complete the tasks described in the following sections:

11.2.3.1 Obtaining Pre-Upgrade Report Utility

You must download the pre-upgrade utility from Oracle Technology Network (OTN). The utility is available in two zip files named PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, along with ReadMe.doc at the following location on My Oracle Support:

My Oracle Support document ID 1599043.1.

The ReadMe.doc contains information about how to generate and analyze the pre-upgrade reports.

11.2.3.2 Generating the Pre-Upgrade Report

To generate the pre-upgrade report for Oracle Identity Manager 11.1.1.x.x upgrade, do the following:

  1. Create a directory at any location and extract the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002 in the newly created directory.

  2. Create a directory where pre-upgrade reports need to be generated. For example, name the directory OIM_preupgrade_reports.

  3. Go to the directory where you extracted PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, and open the preupgrade_report_input.properties file in a text editor. Update the properties file by specifying the appropriate values for the parameters listed in Table 11-3:

    Table 11-3 Parameters to be Specified in the preupgrade_report_input.properties File

    | Parameter | Description |
    |---|---|
    | oim.targetVersion | Specify 11.1.2.2.0 for this parameter, as 11.1.2.2.0 is the target version for which pre-upgrade utility needs to be run. |
    | oim.jdbcurl | Specify the JDBC URL for Oracle Identity Manager in the following format: <host>:<port>/<service_name> |
    | oim.oimschemaowner | Specify the name of the OIM schema owner. |
    | oim.mdsjdbcurl | Specify the MDS JDBC URL in the following format: <host>:<port>/<service_name> |
    | oim.mdsschemaowner | Specify the name of the MDS schema owner. |
    | oim.databaseadminname | Specify the user with DBA privilege. For example, sys as sysdba. |
    | oim.outputreportfolder | Specify the absolute path to the directory that you created in step 2 (directory with name OIM_preupgrade_reports), where the pre-upgrade reports need to be generated. Make sure that the output report folder has read and write permissions. |
    | oim.oimhome | Specify the absolute path to the OIM Home. |
    | oim.wlshome | Specify the absolute path to the WLS Home. |
    | oim.domain | Specify the absolute path to the Oracle Identity Manager domain home. For example: /Middleware/user_projects/domains/base_domain |


  4. Set the environment variables JAVA_HOME, MW_HOME, WL_HOME, and OIM_HOME by running the following commands:

    On UNIX:

    export JAVA_HOME=<jdk_location>

    export MW_HOME=<absolute_path_to_middleware_home>

    export OIM_HOME=<absolute_path_to_middleware_home>/Oracle_IDM1/

    export WL_HOME=<absolute_path_to_middleware_home>/WL_HOME/

    On Windows:

    set JAVA_HOME="<jdk_location>"

    set MW_HOME="<absolute_path_to_middleware_home>"

    set OIM_HOME="<absolute_path_to_middleware_home>\Oracle_IDM1\"

    set WL_HOME="<absolute_path_to_middleware_home>\WL_HOME\"

  5. Run the following command from the location where you extracted the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002:

    • On UNIX:

      sh generatePreUpgradeReport.sh

    • On Windows:

      generatePreUpgradeReport.bat

  6. Provide the details when the following is prompted:

    • OIM Schema Password

      You must enter the password of the OIM schema.

    • MDS Schema Password

      You must enter the password of the MDS schema.

    • DBA Password

      You must enter the password of the Database Administrator.
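Before running the utility, the values entered in step 3 can be checked against the rules in Table 11-3. The following Python script is an added example and is not part of Oracle's PreUpgradeReport utility; it assumes a simple key=value properties file, and the rule that no password key belongs in the file is inferred from step 6, where the utility prompts for the passwords.

```python
"""Pre-flight check for preupgrade_report_input.properties (added example)."""
import os
import re

# Parameters from Table 11-3; every one must be set before the utility runs.
REQUIRED_KEYS = [
    "oim.targetVersion", "oim.jdbcurl", "oim.oimschemaowner",
    "oim.mdsjdbcurl", "oim.mdsschemaowner", "oim.databaseadminname",
    "oim.outputreportfolder", "oim.oimhome", "oim.wlshome", "oim.domain",
]
# Values that must be absolute paths to existing directories.
DIR_KEYS = ["oim.outputreportfolder", "oim.oimhome", "oim.wlshome", "oim.domain"]
TARGET_VERSION = "11.1.2.2.0"
# Table 11-3 format: <host>:<port>/<service_name> (not a full jdbc: URL).
HOST_PORT_SERVICE = re.compile(r"^[A-Za-z0-9._-]+:(\d{1,5})/[A-Za-z0-9._$#-]+$")


def parse_properties(text):
    """Parse key=value lines; comments (# or !) and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_properties(props):
    """Return a list of problems; an empty list means the file looks ready."""
    problems = []
    unset = set()
    for key in REQUIRED_KEYS:
        value = props.get(key, "")
        # A value still written as <...> is an unedited template placeholder.
        if not value or (value.startswith("<") and value.endswith(">")):
            problems.append(f"{key}: missing or still a placeholder")
            unset.add(key)

    if "oim.targetVersion" not in unset and props["oim.targetVersion"] != TARGET_VERSION:
        problems.append(f"oim.targetVersion: expected {TARGET_VERSION}")

    for key in ("oim.jdbcurl", "oim.mdsjdbcurl"):
        if key in unset:
            continue
        match = HOST_PORT_SERVICE.match(props[key])
        if not match or not 1 <= int(match.group(1)) <= 65535:
            problems.append(f"{key}: expected <host>:<port>/<service_name>")

    for key in DIR_KEYS:
        if key in unset:
            continue
        path = props[key]
        if not os.path.isabs(path) or not os.path.isdir(path):
            problems.append(f"{key}: not an absolute path to an existing directory")
        elif key == "oim.outputreportfolder" and not os.access(path, os.R_OK | os.W_OK):
            problems.append(f"{key}: directory must be readable and writable")

    # Passwords are prompted for in step 6 and should not be kept in the file.
    for key in props:
        if "password" in key.lower():
            problems.append(f"{key}: remove it; the utility prompts for passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: a template that was only partly filled in.
    SAMPLE = """\
oim.targetVersion=11.1.2.2.0
oim.jdbcurl=jdbc:oracle:thin:@dbhost.example.com:1521/oimdb
oim.oimschemaowner=DEV_OIM
oim.mdsjdbcurl=<host>:<port>/<service_name>
"""
    for problem in check_properties(parse_properties(SAMPLE)):
        print(problem)
```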

The following are the reports generated by the pre-upgrade report utility:

Pre-Upgrade Reports Generated for 11.1.1.x.x Starting Point

  • index.html

  • APPROVALPOLICYPreUpgradeReport.html

  • ChallengeQuesPreUpgradeReport.html

  • CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html

  • DomainReassocAuthorization.html

  • EVENT_HANDLERPreUpgradeReport.html

  • ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html

  • ORACLE_ONLINE_PURGE_PreUpgradeReport.html

  • PasswordPolicyPreUpgradeReport.html

  • PROVISIONINGBYREQUESTPreUpgradeReport.html

  • PROVISIONINGPreUpgradeReport.html

  • REQUESTPreUpgradeReport.html

  • UDFPreUpgradeReport.html

  • WLSMBEANPreUpgradeReport.html

11.2.3.3 Analyzing Pre-Upgrade Report

The PreUpgradeReport utility generates several reports, which are outlined in Table 11-4.

Note:

You must review all the reports, and perform the tasks described in each of the reports.

Table 11-4 Pre-Upgrade Utility Reports

| Report Name | Description | For More Information |
|---|---|---|
| index.html | The index.html provides links to all the seven reports generated by the pre-upgrade utility. | - |
| APPROVALPOLICYPreUpgradeReport.html | This report lists the request approval policies that have a rule defined on a non-existing template. | See, Description of APPROVALPOLICYPreUpgradeReport.html Report |
| ChallengeQuesPreUpgradeReport.html | This report provides information about upgrading localized challenge questions data. When you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0, the existing localization data for challenge questions is lost. Therefore, before proceeding with the upgrade process, you must back up the existing localized challenge questions data. After you upgrade to Oracle Identity Manager 11.1.2.2.0, you must perform the tasks described in this report. | See, Description of ChallengeQuesPreUpgradeReport.html Report |
| CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html | This report detects the list of cyclic groups in LDAP. The report includes a list of cyclic groups and instructions to remove cyclic dependency. It is mandatory to remove all cyclic dependencies running in the Oracle Identity Manager 11.1.1.x.x environment. | See, Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report |
| DomainReassocAuthorization.html | This report lists the checks executed for authorization feature data upgrade. It checks if the Oracle Identity Manager is reassociated with the DB-based policy store. Review the table that lists the checks executed and the status of the checks. | See, Description of DomainReassocAuthorization.html Report |
| EVENT_HANDLERPreUpgradeReport.html | This report captures all user customizations related to Event Handler in Oracle Identity Manager 11.1.1.x.x. | See, Description of EVENT_HANDLERPreUpgradeReport.html Report |
| ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html | This report provides the status of the mandatory database components or settings for Oracle Identity Manager upgrade. Verify the installation or setup status for each mandatory component or setting. If any component or setting is not set up correctly, follow the recommendations provided in the report to fix it. Note: This report will not be generated if there is no action item related to purge. | See, Description of ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html Report |
| ORACLE_ONLINE_PURGE_PreUpgradeReport.html | This report lists the pre-requisites for Online Purge that need to be addressed before you proceed with the upgrade. Note: This report will not be generated if there is no action item related to purge. | See, Description of ORACLE_ONLINE_PURGE_PreUpgradeReport.html Report |
| PasswordPolicyPreUpgradeReport.html | This report lists the potential upgrade issues for password policies. | See, Description of PasswordPolicyPreUpgradeReport.html Report |
| PROVISIONINGBYREQUESTPreUpgradeReport.html | This report lists the requests that are not viewable in Track Requests page. | See, Description of PROVISIONINGBYREQUESTPreUpgradeReport.html Report |
| PROVISIONINGPreUpgradeReport.html | This report lists the potential application instance creation issues. | See, Description of PROVISIONINGPreUpgradeReport.html Report |
| REQUESTPreUpgradeReport.html | This report lists any invalid requests and the actions to be taken. | See, Description of REQUESTPreUpgradeReport.html Report |
| UDFPreUpgradeReport.html | This report provides information about the steps that must be performed prior to upgrade to ensure that the User Defined Fields (UDFs) are upgraded seamlessly. | See, Description of UDFPreUpgradeReport.html Report |
| WLSMBEANPreUpgradeReport.html | This report provides information about the status of mandatory deletion of OIM Authenticator Jar(s). | See, Description of WLSMBEANPreUpgradeReport.html Report |


11.2.3.3.1 Description of APPROVALPOLICYPreUpgradeReport.html Report

The report APPROVALPOLICYPreUpgradeReport.html lists the invalid approval policies. This report contains the following sections:

This report also contains an additional note on approval policy based on deprecated request type. You must review the report completely, before you start upgrading the Oracle Identity Manager 11.1.1.x.x environment.

Approval Policy rule defined on template

This section lists the Oracle Identity Manager 11.1.1.x.x approval policies whose rules are defined based on the request template. The Request templates feature is not supported in Oracle Identity Manager 11.1.2.2.0. Therefore, if your Oracle Identity Manager 11.1.1.x.x contains approval policies having rules based on request template, you must reconfigure the request approval policies by following the steps described in the report.

List of Approval Policies which need to be updated with custom approval process

This section lists the 11.1.1.x.x approval policies that need to be associated with a different approval process before you start the upgrade process.

The approval processes default/ResourceAdministratorApproval and default/ResourceAuthorizerApproval are not supported in 11.1.2.2.0. Therefore, if your Oracle Identity Manager 11.1.1.x.x contains approval policies having these approval processes, you must associate them with a different approval process.

Approval policy based on unsupported request type

This section provides information about the request types that are not supported in 11.1.2.2.0.

The following 11.1.1.x.x request types are not supported in 11.1.2.2.0, and they are changed to non-self request type in 11.1.2.2.0:

  • Self Assign Roles

  • Modify Self Profile

  • Self Remove Roles

  • Self De-Provision Resource

  • Self Modify Provisioned Resource

  • Self-Request Resource

The mapping of Self request types to Non-Self request types is shown in Table 11-5.

Table 11-5 Mapping of Self request type to Non-Self request type

| Self Request Type | Non-Self Request Type |
|---|---|
| Self-Request Resource | Provision Resource |
| Self Modify Provisioned Resource | Modify Provisioned Resource |
| Self Remove Roles | Remove from Roles |
| Modify Self Profile | Modify User Profile |
| Self De-Provision Resource | De-Provision Resource |
| Self Assign Roles | Assign Roles |


Approval policy based on deprecated request type

This section provides information about deprecated request types in 11.1.2.2.0.

The following 11.1.1.x.x request types are deprecated in 11.1.2.2.0:

  • Provision Resource

  • De-Provision Resource

  • Disable Provisioned Resource

  • Enable Provisioned Resource

  • Modify Provisioned Resource

Approval policies based on these deprecated request types will continue to work for any pending requests based on these request types even after upgrade. However, these policies will not work for requests created for Application Instance based request types such as Provision ApplicationInstance, Revoke Account, Disable Account, Enable Account, and Modify Account.

In addition, approval policies for Application Instance based request types need to be explicitly created for the request based on Application Instance.

11.2.3.3.2 Description of ChallengeQuesPreUpgradeReport.html Report

The report ChallengeQuesPreUpgradeReport.html is generated for both 11.1.2 and 11.1.2.1.0 starting points.

When you upgrade Oracle Identity Manager 11.1.2.x.x to 11.1.2.2.0, the existing localization data for challenge questions is lost as it is not upgrade-safe. Therefore, before you upgrade to Oracle Identity Manager 11.1.2.2.0, you must back up the existing localized challenge questions data.

After you upgrade to 11.1.2.2.0, perform the tasks described in this report to localize challenge questions. Follow the instructions in the section applicable for your starting point.

Note:

If you have already migrated the localized challenge questions data per localization model provided in Oracle Identity Manager 11g Release 2 (11.1.2.0.11) or (11.1.2.1.3), ignore the tasks described in this report.

11.2.3.3.3 Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report

The report CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html provides information about the cyclic groups in the LDAP directory.

Oracle Identity Manager 11.1.2.2.0 does not support cyclic groups in the LDAP directory. Therefore, you must remove the cyclic dependency from Oracle Identity Manager 11.1.1.x.x setup and reconcile data from LDAP to Oracle Identity Manager Database, before you proceed with the upgrade. For more information about removing the cyclic groups dependent on LDAP, see Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database. The procedure for removing cyclic groups is also described in this report.

Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database

If the LDAP in your Oracle Identity Manager 11.1.1.x.x environment has cyclic groups loaded, you must remove the cyclic groups by doing the following:

  1. Use JXplorer or Softerra LDAP Administrator and navigate to the cyclic groups.

  2. Look for the uniquemember attribute.

  3. Remove all values from the attribute.

  4. Save the group.

  5. Reconcile the data from LDAP to Oracle Identity Manager Database by running the following command:

    On UNIX: LDAPConfigPostSetup.sh

    On Windows: LDAPConfigPostSetup.bat

Example Scenario

If you have cyclic group dependency between two groups: Group1 and Group2, do the following to remove cyclic dependency:

  1. Connect to LDAP using JXplorer or Softerra LDAP Administrator.

  2. Go to the group container of Group1.

  3. Go to the uniquemember attribute under Group1.

  4. Remove the value of Group2 from the unique members, and save the change.

  5. Run LDAPConfigPostSetup.sh on UNIX and LDAPConfigPostSetup.bat on Windows to synchronize data from LDAP to Oracle Identity Manager database.
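The Group1/Group2 scenario above can be checked offline against an LDIF export of the group container, both to confirm what the report found and to verify that the cycle is gone after the edit. This Python script is an added example, not part of Oracle's utility; the sample export and its DNs are constructed, and the DN normalization is a simplification that does not handle escaped commas.

```python
"""Find cyclic group membership in an LDIF export (added example)."""
import base64
import re

# Constructed sample export: Group1 and Group2 contain each other, Group3 only
# nests Group1. One value is folded and differently cased, as real exports are.
SAMPLE_LDIF = """\
dn: cn=Group1,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=Group2,cn=Groups,dc=example,dc=com
uniqueMember: cn=alice,cn=Users,dc=example,dc=com

dn: cn=Group2,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniquemember: CN=Group1, cn=Groups,
 dc=example,dc=com

dn: cn=Group3,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: cn=Group1,cn=Groups,dc=example,dc=com
"""


def normalize_dn(dn):
    """Lower-case and trim each RDN so equal DNs compare equal (simplified)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif_groups(ldif_text):
    """Return {group_dn: set(member_dn)} built from the uniquemember values."""
    text = ldif_text.replace("\r\n", "\n")
    text = text.replace("\n ", "")  # unfold LDIF continuation lines
    groups = {}
    for block in re.split(r"\n{2,}", text):
        dn, members = None, set()
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" carries base64 data
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                dn = normalize_dn(value)
            elif attr.lower() == "uniquemember":
                members.add(normalize_dn(value))
        if dn:
            groups[dn] = members
    return groups


def find_cyclic_groups(groups):
    """Return the sets of groups that contain each other (Tarjan's SCC)."""
    # Keep only group-to-group edges; user members cannot be part of a cycle.
    graph = {dn: {m for m in members if m in groups} for dn, members in groups.items()}
    index, low, on_stack, stack, cycles = {}, {}, set(), [], []

    def visit(node):
        index[node] = low[node] = len(index)
        stack.append(node)
        on_stack.add(node)
        for nxt in graph[node]:
            if nxt not in index:
                visit(nxt)
                low[node] = min(low[node], low[nxt])
            elif nxt in on_stack:
                low[node] = min(low[node], index[nxt])
        if low[node] == index[node]:  # node is the root of a component
            component = []
            while True:
                member = stack.pop()
                on_stack.discard(member)
                component.append(member)
                if member == node:
                    break
            # A cycle is a component of several groups or a self-member.
            if len(component) > 1 or node in graph[node]:
                cycles.append(sorted(component))

    for node in sorted(graph):
        if node not in index:
            visit(node)
    return sorted(cycles)


if __name__ == "__main__":
    for cycle in find_cyclic_groups(parse_ldif_groups(SAMPLE_LDIF)):
        print("cyclic groups:", " <-> ".join(cycle))
```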

11.2.3.3.4 Description of DomainReassocAuthorization.html Report

The report DomainReassocAuthorization.html is generated for both 11.1.2 and 11.1.2.1.0 starting points.

It checks if the Oracle Identity Manager domain is reassociated to Database based policy store and displays the result in the Result column. Review the checks executed and the result of the checks.

11.2.3.3.5 Description of EVENT_HANDLERPreUpgradeReport.html Report

The report EVENT_HANDLERPreUpgradeReport.html provides information about event handlers. When you upgrade Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0, the customizations made to the OOTB event handler XMLs in 11.1.1.x.x will not be preserved in 11.1.2.2.0. All the customizations defined in a separate XML (non-OOTB) in 11.1.1.x.x will be preserved in 11.1.2.2.0. You must redo all the customizations after upgrading to 11.1.2.2.0. This report contains the following sections:

Refer to the table in the report for more details about the event handlers.

New Event Handler Added by the customer in the OOTB (11.1.1.5.0) Event Handler Metadata XML

This section provides information about the new event handlers added in the OOTB (11.1.1.5.0).

The event handler newly added in the OOTB (11.1.1.5.0) Event Handler Metadata XML will not be available after you upgrade to 11.1.2.2.0. Oracle Identity Manager 11.1.2.2.0 event handlers will replace the 11.1.1.x.x event handlers. Therefore, you must add the event handler again in a new file after the upgrade.

Note:

Do not add a new event handler in the same OOTB Event Handler XML. You must create a new XML and add the new event handler to it.

OOTB(11.1.1.5.0) Event Handler modified by the Customer

This section provides information about the event handlers that are modified in the OOTB (11.1.1.5.0).

You must redo all the customizations that you did to the event handlers in OOTB (11.1.1.5.0), after you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0.

OOTB(11.1.1.5.0) Event Handler deleted by Customer

This section provides information about the event handlers that were deleted in OOTB (11.1.1.5.0).

The deleted event handlers are restored after you upgrade to 11.1.2.2.0. Therefore, you must delete them again as per requirement.

11.2.3.3.6 Description of ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html Report

The report ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html is generated for both 11.1.2 and 11.1.2.1.0 starting points.

This report lists all the mandatory database components or settings for Oracle Identity Manager 11.1.2.x.x upgrade. This report contains a table which lists the component or setting, its installation or setup status, and recommendations, if any. You must review the installation or setup status for each mandatory component or setting listed in the table. If the component or setting is not set up correctly, follow the recommendations specified in the Note column of the table in the report to fix them.

11.2.3.3.7 Description of ORACLE_ONLINE_PURGE_PreUpgradeReport.html Report

Before you upgrade Oracle Identity Manager 11.1.2.x.x to 11.1.2.2.0, you must complete the pre-requisites for online purge.

The table in this report lists the database tables on which the mentioned pre-upgrade steps need to be performed before you upgrade. The table also shows the status of the database tables in OIM schema and Note section. Review the table, and perform the actions required.

11.2.3.3.8 Description of PasswordPolicyPreUpgradeReport.html Report

If you are using the 9.1.x.x password policy model, you must update to the new password policies. The 9.1.x.x password policy model is no longer supported for Users, and any such customizations done are not migrated to the new password policy model.

The following password policies are attached to the Xellerate User resource object according to the 9.1.x.x password policy model and must be assigned to appropriate organization(s):

Table 11-6 Password Policies

| Policy Key | Policy Name |
|---|---|
| 1 | Default Policy |


11.2.3.3.9 Description of PROVISIONINGBYREQUESTPreUpgradeReport.html Report

The following table provides information about the requests that are not viewable in Track Requests page:

Table 11-7 Password Policies

| Request Key | Beneficiary Key | Entity Type | Entity Name | Entity Key | Request Model Name | Issue |
|---|---|---|---|---|---|---|
| 81 | 83 | Resource | AD User | 7 | Access Policy Based Provisioning | No process form entry found for process instance. Cannot update rbe_entity_key in request_beneficiary_entities table since application instance for the entry is not created. |
| 82 | 85 | Resource | AD User | 7 | Access Policy Based Provisioning | No process form entry found for process instance. Cannot update rbe_entity_key in request_beneficiary_entities table since application instance for the entry is not created. |
| 86 | 99 | Resource | AD User | 7 | Provision Resource | No process form entry found for process instance. Cannot update rbe_entity_key in request_beneficiary_entities table since application instance for the entry is not created. |


11.2.3.3.10 Description of PROVISIONINGPreUpgradeReport.html Report

The report PROVISIONINGPreUpgradeReport.html lists the potential application instances creation issues. The report contains the following sections:

Provisioning, Entitlement, and Access Policy Configuration Details

This section describes the steps you must complete before you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0. These steps are related to provisioning, entitlement, and access policy configuration. Complete all the steps described in this section of the report.

List of Resource Objects without Process Form

This section provides information about the resource objects in Oracle Identity Manager 11.1.1.x.x that do not have a process form. Each resource object must have a process form associated with it. Therefore, if a resource object is not associated with a process form, you must associate the resource object with a process form before you start the upgrade process. Review the table in this section of the report, which lists the details of the resource objects without a process form.

List of Resource Objects without ITResource field Type in Process Form

This section provides information about the resource objects without ITResource field type in their respective process forms. Review the table in this section of the report, which contains more details. If your Oracle Identity Manager 11.1.1.x.x has resource objects without ITResource field in their process forms, do the following:

  1. Create appropriate IT resource definition.

  2. Create IT resource instance for the same corresponding to the target that is being provisioned.

  3. Edit the process form and add a field of type "ITResource" to the process form. Set the following properties:

    Type=IT Resource definition created in step-1

    ITResource=true

  4. Activate the form.

  5. Update the IT resource field on existing provisioned accounts using FVC Utility.

  6. Once the above steps are completed, you can create application instances corresponding to the Resource Object+ITResource combination.

List of Resource Objects with multiple ITResource Lookup fields in Process Form

This section provides information about the resource objects that have multiple lookup fields in their process form. In the Oracle Identity Manager 11.1.1.x.x environment, if you have resource objects with multiple ITResource set in the process form, you must set the value of the property ITResource Type to true for at least one of the attributes.

List of Access Policies without ITResource value set in default policy data

This section lists the access policies for which the ITResource values of the resource objects should be set in the default policy data. The table in this section lists the access policies in Oracle Identity Manager 11.1.1.x.x for which the ITResource field is missing. You must set the value of the ITResource field for each access policy listed in the table.

List of Access Policies with Revoke If No Longer Applies flag unchecked

This section lists the access policies that have Revoke If No Longer Applies flag unchecked. The table in this section contains the list of access policies that will be updated to Disable If No Longer Applies, during upgrade. The table also indicates if tasks for enable, disable, revoke actions are not defined for these policies. You must add the missing tasks before you proceed with the upgrade. Also, if you want the behavior of the policy to change to RNLA checked, you must check the RNLA flag for the respective policy.

List of Entitlements stored in Lookup definitions that do not have IT Resource Key in the lookup encode value

This section lists entitlements stored in lookup definitions that do not have the IT Resource Key prepended to their encoded values using "~". Entitlements stored in lookup definitions need the IT Resource Key prepended to the encoded values using "~". Review the table in this section of the pre-upgrade report, which contains more details.
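The prefix rule described above can be checked before the upgrade with a short audit, shown here as an added example that is not part of the Oracle documentation or the pre-upgrade utility. It assumes IT Resource Keys are numeric and that the lookup rows have already been exported to (lookup name, encode value) pairs; all lookup names, keys and values in the sample are constructed.

```python
def audit_encode_values(rows, it_resource_keys, lookup_it_resource=None):
    """Flag lookup encode values that lack a valid '<IT Resource Key>~' prefix.

    rows: iterable of (lookup_name, encode_value) pairs
    it_resource_keys: set of int keys of the IT resources that exist
    lookup_it_resource: optional {lookup_name: key} supplied by the operator,
        used only to propose a corrected value for unprefixed entries
    """
    lookup_it_resource = lookup_it_resource or {}
    findings = []
    for lookup, encode in rows:
        prefix, sep, rest = encode.partition("~")
        proposed = None
        if not sep:
            reason = "no IT Resource Key prefix"
            key = lookup_it_resource.get(lookup)
            if key in it_resource_keys:
                proposed = "%d~%s" % (key, encode)
        elif not (prefix.isascii() and prefix.isdigit()):
            # Assumption: keys are numeric, so "AD~..." is not a key prefix.
            reason = "prefix is not a numeric key"
        elif int(prefix) not in it_resource_keys:
            reason = "prefix is not a known IT Resource Key"
        elif not rest:
            reason = "nothing after the key"
        else:
            continue  # well-formed: <known key>~<value>
        findings.append({
            "lookup": lookup,
            "encode": encode,
            "reason": reason,
            "proposed": proposed,
        })
    return findings


# Constructed sample data; names and keys are placeholders.
IT_RESOURCE_KEYS = {12, 15}
LOOKUP_IT_RESOURCE = {"Lookup.Sample.Groups": 12}
SAMPLE_ROWS = [
    ("Lookup.Sample.Groups", "12~CN=Admins,OU=Groups"),
    ("Lookup.Sample.Groups", "CN=Helpdesk,OU=Groups"),
    ("Lookup.Sample.Groups", "AD~CN=Ops,OU=Groups"),
    ("Lookup.Sample.Roles", "99~Auditor"),
    ("Lookup.Sample.Roles", "Operator"),
]

if __name__ == "__main__":
    for f in audit_encode_values(SAMPLE_ROWS, IT_RESOURCE_KEYS, LOOKUP_IT_RESOURCE):
        print("%(lookup)s  %(encode)r  %(reason)s  proposed=%(proposed)r" % f)
```

Entries with no proposal need manual review, because the audit cannot tell which IT resource an entitlement belongs to unless the operator supplies that mapping.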

11.2.3.3.11 Description of REQUESTPreUpgradeReport.html Report

The report REQUESTPreUpgradeReport.html lists requests that are affected because of the upgrade. This report contains the following sections:

Requests with unsupported request stages

This section lists the requests that are in one of the following unsupported request stages:

  • Obtaining Template Approval

  • Template Approval Approved

  • Template Approval Rejected

  • Template Approval Auto Approved

Manual intervention is required to move these requests to the next stage by approving, withdrawing, or closing such requests. Otherwise, requests are moved to request closed stage as part of the upgrade.

Review the list of requests that are in the unsupported request stage.

Requests which will be automatically changed to corresponding non-self request type

This section lists the requests that are based on one of the following request types, which will be changed to the corresponding non-self request type after the upgrade:

  • Self Assign Roles

  • Modify Self Profile

  • Self Remove Roles

  • Self De-Provision Resource

  • Self Modify Provisioned Resource

  • Self-Request Resource

Request types for these requests are automatically changed to the corresponding non-self request type as part of the upgrade.

Self-request type mapping to non-self request type is shown in Table 11-8:

Table 11-8 Mapping of Self-Request Type to Non-Self Request Type

| Self request type | Non-Self request type |
|---|---|
| Self-Request Resource | Provision Resource |
| Self Modify Provisioned Resource | Modify Provisioned Resource |
| Self Remove Roles | Remove from Roles |
| Modify Self Profile | Modify User Profile |
| Self De-Provision Resource | De-Provision Resource |
| Self Assign Roles | Assign Roles |


11.2.3.3.12 Description of UDFPreUpgradeReport.html Report

This section provides information about the steps that must be performed prior to upgrade to ensure that the User Defined Fields/Attributes (UDFs) are upgraded seamlessly. Note that you may have to edit the entity XML file manually. To edit a file in MDS, you need to export the file from the Metadata Services (MDS) repository and, after making the required changes, import the file back to MDS.

The following table lists the path of the entity xml file in MDS corresponding to a particular entity type.

Table 11-9 Path of Entity XML File in MDS

| Entity type | Path in MDS |
|---|---|
| User | /file/User.xml |
| Role | /db/identity/entity-definition/Role.xml |
| Organization | /db/identity/entity-definition/Organization.xml |


The report also includes information about the list of UDFs with inconsistent max-size and UDFs with inconsistent default value.

11.2.3.3.13 Description of WLSMBEANPreUpgradeReport.html Report

The Jar(s) present in the WebLogic Server mbeans path, as listed in the following table, must be deleted before executing the Mid-Tier Upgrade.

Table 11-10 Jars and their Status

| File Name | Status |
|---|---|
| OIMAuthenticator.jar | OIMAuthenticator.jar is present. |
| oimsignaturembean.jar | oimsignaturembean.jar is present. |
| oimsigmbean.jar | oimsigmbean.jar is not present. |


Note:

As a pre-upgrade step, delete the Jars OIMAuthenticator.jar and oimsignaturembean.jar from <MW_HOME>/wlserver_10.3/server/lib/mbeantypes/.

11.2.4 Ensuring That getPlatformTransactionManager() Method is Not Used in Custom Code

Ensure that the method getPlatformTransactionManager() is not used in the custom event handler code, as this method is not available in 11.1.2.2.0.

If you are using the method getPlatformTransactionManager() in the custom event handler code, set the attribute tx to TRUE in the event handler XML definition.

For more information on setting the attributes in the event handler XML definition, see "Defining Custom Events Definition XML" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

11.2.5 Emptying the oimProcessQueue JMS Queue

Offline Provisioning is not supported in Oracle Identity Manager 11.1.2.2.0, as it is no longer needed on Oracle Identity Manager 11.1.2.2.0.

Empty the oimProcessQueue JMS queue to ensure that JMS messages are processed before you start upgrading. To do so, complete the following:

  1. Shut down applications to disable accessing of Oracle Identity Manager offline provisioning by end-users, SPML, and API clients.

  2. Monitor the oimProcessQueue JMS queue from the WebLogic Administration Console and allow Oracle Identity Manager to run until the oimProcessQueue JMS queue is empty.

11.2.6 Other Prerequisites

This is a list of checks you must run and set before you begin upgrading:

  • Check if oracle.soa.worklist.webapp is targeted to Oracle Identity Manager server in 11.1.1.x.x. If not, target it to Oracle Identity Manager Managed Server. If you are upgrading Oracle Identity Manager high availability environments, you must target oracle.soa.worklist.webapp to the oim_cluster.

  • The OOTB applications in Oracle Identity Manager are deployed in NO_STAGE mode. Check if oracle.idm.uishell is in No Stage mode. If oracle.idm.uishell is in Stage mode, you must re-deploy it to NO_STAGE mode.

    Complete the following steps to change the mode to No Stage:

    1. Set the WL_HOME and OIM_HOME.

    2. Undeploy oracle.idm.uishell by running the following command:

      java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -undeploy -name oracle.idm.uishell

    3. Deploy oracle.idm.uishell in No Stage mode by running the following command:

      java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -deploy -name oracle.idm.uishell -source $OIM_HOME/modules/oracle.idm.uishell_11.1.1/oracle.idm.uishell.war -nostage -library -targets AdminServer,$OIM_SERVER_NAME

  • Ensure that all pending requests are addressed before you upgrade.

  • In case of a migrated, upgraded, or restored database in the Oracle Identity Manager environment, you must synchronize all the Oracle Identity Manager Schema Privileges (SYSTEM and OBJECT Grants) from the source to the target (restored) schema by doing the following:

    1. Capture the OIM Database Schema user constituent grants from the source schema by executing the following SQLs as SYS database user:

      • SELECT DBMS_METADATA.GET_GRANTED_DDL ('SYSTEM_GRANT','<OIM_Schema_Name>') FROM DUAL;

      • SELECT DBMS_METADATA.GET_GRANTED_DDL ('OBJECT_GRANT', '<OIM_Schema_Name>') FROM DUAL;

    2. In the schema restoration phase prior to schema upgrade, execute the grants output of the SQLs captured in step-1, as post schema restoration step.

    3. Recompile any INVALID objects in the OIM schema using the following steps:

      a. Identify INVALID schema objects as SYS user by running the following SQL:

      SELECT owner,object_type,object_name,status FROM dba_objects WHERE status = 'INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;

      b. Compile the INVALID schema objects using any appropriate method. The following is an example of compiling INVALID schema objects by executing the UTL_RECOMP.recomp_serial procedure as SYS user for the OIM schema:

      BEGIN
        UTL_RECOMP.recomp_serial('<OIM_Schema_Name>');
      END;
      /

      Repeat step-a until there are no INVALID objects.

    Note:

    For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 1, see My Oracle Support document ID 1359656.1.

    For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 2, see My Oracle Support document ID 1492129.1.
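After the captured grants have been re-applied in step 2 above, running the same two DBMS_METADATA.GET_GRANTED_DDL queries against the restored schema and comparing the output confirms that no privilege was lost and that the target holds nothing the source did not. The following is an added example, not Oracle's tooling; it assumes the spooled output has one GRANT per line, and the sample dumps and the DEV_OIM schema name are constructed placeholders rather than the real OIM grant set.

```python
import re

# One GRANT per line, the layout GET_GRANTED_DDL emits by default (leading
# whitespace, no terminator); a trailing ';' is tolerated for edited files.
GRANT_RE = re.compile(
    r'^\s*GRANT\s+(?P<privs>.+?)\s+'
    r'(?:ON\s+(?P<obj>.+?)\s+)?'
    r'TO\s+(?P<grantee>"[^"]+"|\S+?)'
    r'(?:\s+WITH\s+(?P<opt>\w+)\s+OPTION)?\s*;?\s*$',
    re.IGNORECASE,
)


def parse_grants(ddl_text):
    """Return {(privilege, object_or_None, option_or_None)} for a DDL dump.

    The grantee is left out of the key so that a target schema restored
    under a different name still compares equal to its source.
    """
    grants = set()
    for line in ddl_text.splitlines():
        stripped = line.strip()
        if not re.match(r"GRANT\s", stripped, re.IGNORECASE):
            continue  # blank lines, SQL*Plus column headers, feedback lines
        m = GRANT_RE.match(line)
        if m is None:
            raise ValueError("cannot parse GRANT line: %r" % stripped)
        obj, opt = m.group("obj"), m.group("opt")
        # Split "SELECT, UPDATE" but not the commas of a column list "(A, B)".
        for priv in re.split(r",(?![^()]*\))", m.group("privs")):
            grants.add((
                " ".join(priv.split()).upper(),
                " ".join(obj.split()) if obj else None,
                opt.upper() if opt else None,
            ))
    return grants


def _sort_key(grant):
    return tuple(part or "" for part in grant)


def diff_grants(source_ddl, target_ddl):
    """Compare two dumps; both result lists should be empty after step 2."""
    src, tgt = parse_grants(source_ddl), parse_grants(target_ddl)
    return {
        "missing_on_target": sorted(src - tgt, key=_sort_key),
        "unexpected_on_target": sorted(tgt - src, key=_sort_key),
    }


def to_statement(grant, schema):
    """Rebuild the GRANT statement for one parsed grant."""
    priv, obj, opt = grant
    sql = "GRANT " + priv
    if obj:
        sql += " ON " + obj
    sql += ' TO "%s"' % schema
    if opt:
        sql += " WITH %s OPTION" % opt
    return sql + ";"


# Constructed sample dumps: SYSTEM_GRANT and OBJECT_GRANT output concatenated.
SOURCE_DDL = '''
  GRANT CREATE SESSION TO "DEV_OIM"
  GRANT CREATE TABLE TO "DEV_OIM"
  GRANT EXECUTE ON "SYS"."DBMS_LOB" TO "DEV_OIM"
  GRANT SELECT ON "SYS"."V_$SESSION" TO "DEV_OIM" WITH GRANT OPTION
'''
TARGET_DDL = '''
  GRANT CREATE SESSION TO "DEV_OIM"
  GRANT EXECUTE ON "SYS"."DBMS_LOB" TO "DEV_OIM"
  GRANT SELECT ON "SYS"."V_$SESSION" TO "DEV_OIM"
  GRANT SELECT ANY TABLE TO "DEV_OIM"
'''

if __name__ == "__main__":
    result = diff_grants(SOURCE_DDL, TARGET_DDL)
    for g in result["missing_on_target"]:
        print("re-apply:", to_statement(g, "DEV_OIM"))
    for g in result["unexpected_on_target"]:
        print("review:  ", to_statement(g, "DEV_OIM"))
```

A grant that differs only in its WITH GRANT OPTION clause appears in both lists, once as missing and once as unexpected, which is the intended signal that the option changed.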

11.2.7 Ensuring That JRF is Upgraded

Before starting the upgrade process, you must ensure that Java Required Files (JRF) is upgraded. To do this, complete the following steps:

  1. Log in to the WebLogic Administration console using the following URL:

    http://host:port/console

    In this URL, host refers to the name of the host on which WebLogic Administration Server is running, and port refers to the port number.

  2. Click Deployments on the left navigation pane for the OIM_Domain.

  3. Ensure that the following libraries are present:

    • oracle.adf.desktopintegration(1.0,11.1.1.2.0)

    • oracle.adf.desktopintegration.model(1.0,11.1.1.2.0)

    • oracle.bi.adf.model.slib(1.0,11.1.1.2.0)

    • oracle.bi.adf.view.slib(1.0,11.1.1.2.0)

    • oracle.bi.adf.webcenter.slib(1.0,11.1.1.2.0)

    • oracle.bi.composer(11.1.1,0.1)

    • oracle.bi.jbips(11.1.1,0.1)

    If the above libraries are not present, you must upgrade JRF. For more information about upgrading JRF, see "Updating Fusion Middleware Shared Libraries" in the Oracle Fusion Middleware Patching Guide.

11.2.8 Creating Reconciliation Field of Type IT Resource

All account reconciliation Field Mapping configurations must have at least one Reconciliation field of type ITResource defined. This can be done by adding a mapping from the Oracle Identity Manager Design Console. Complete the following steps for those resource objects which do not have an ITResource field in the reconciliation field mapping:

  1. Create reconciliation field of type IT Resource by doing the following:

    1. Log in to the Oracle Identity Manager Design Console by running the following command from the location ORACLE_HOME/designconsole/:

      On UNIX: ./xlclient.sh

      On Windows: xlclient.cmd

    2. Expand Resource Management.

    3. Click Resource Objects.

    4. Search for and select the Resource Object that you wish to modify.

    5. Go to the Object Reconciliation tab.

    6. Click Add Field under Reconciliation Fields tab.

    7. Enter the Field Name, and select IT Resource as the Field Type.

    8. Click Save icon.

  2. Define mapping for the field ITResource by doing the following:

    1. On the Oracle Identity Manager Design Console, expand Process Management on the left navigation pane.

    2. Click Process Definition.

    3. Go to the Reconciliation Field Mapping tab in the Process Definition form.

    4. Search for the Resource Object.

    5. Define mapping for the field IT Resource.

    6. Save the form.

Note:

This step is required if you are using a connector for account reconciliation or if you wish to use a connector for account reconciliation after you upgrade to 11.1.2.2.0.

11.2.9 Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.x.x)

You must back up your old Oracle Identity Manager 11.1.1.x.x environment before you upgrade to Oracle Identity Manager 11g Release 2 (11.1.2.2.0).

After stopping the servers, back up the following:

  • MW_HOME directory, including the Oracle Home directories inside Middleware Home

  • Domain Home directory

  • Oracle Identity Manager schemas

  • MDS schema

  • ORASDPM schema

  • SOAINFRA schemas

For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.

11.2.10 Setting JVM Properties for Oracle Identity Manager Server(s)

You must set additional JVM properties for the Oracle Identity Manager Server(s) using the WebLogic Administration console. To do this, complete the following steps:

  1. Log in to the WebLogic Administration console using the following URL:

    http://admin_host:admin_port/console

  2. Click Servers.

  3. Select the Oracle Identity Manager server.

  4. Click Server Start, and then click Arguments.

  5. Add the following application module settings for the Oracle Identity Manager Server(s):

    -Djbo.ampool.doampooling=true

    -Djbo.ampool.minavailablesize=1

    -Djbo.ampool.maxavailablesize=120

    -Djbo.recyclethreshold=60

    -Djbo.ampool.timetolive=-1

    -Djbo.load.components.lazily=true

    -Djbo.doconnectionpooling=true

    -Djbo.txn.disconnect_level=1

    -Djbo.connectfailover=false

    -Djbo.max.cursors=5

    -Doracle.jdbc.implicitStatementCacheSize=5

    -Doracle.jdbc.maxCachedBufferSize=19

    Note:

    The recommended values for the arguments specified assume 100 concurrent users per node. Therefore, the value specified for the argument -Djbo.ampool.maxavailablesize is 120 (that is, 100 * 1.20). If the number of concurrent users per node is different, use the following formula to calculate the value that you must specify for the argument -Djbo.ampool.maxavailablesize:

    -Djbo.ampool.maxavailablesize = <Number_of_concurrent_users> * 1.20

  6. Restart the Oracle Identity Manager Server(s). To restart Managed Server(s), stop the server(s) first and start them again.

    For more information about stopping a Managed Server, see Section 2.8.1, "Stopping the Managed Server(s)".

    For more information about starting a Managed Server, see Section 2.9.3, "Starting the Managed Server(s)".

11.2.11 Shutting Down Node Manager, Administration Server and Managed Servers

The upgrade process involves changes to the binaries and to the schema. Therefore, before you begin the upgrade process, you must shut down the Managed Servers, Administration Server, and the Node Manager.

Note:

When shutting down the servers, the following error message might be displayed:
** SOA specific environment is already set. Skipping ...
***********************************************************
OIM specific environment is already set. Skipping ...
The input line is too long.
The syntax of the command is incorrect.

It is recommended that you open a new command prompt and then run the commands for shutting down the servers.

For information about stopping the servers, see "Stopping the Servers".

11.3 Upgrade Procedure

This section describes different tasks involved in the upgrade process, like upgrading Oracle Identity Manager and Oracle SOA Suite 11.1.1.x.x binaries, creating 11.1.2.2.0 schemas, configuring the security store, upgrading the Oracle Identity Manager middle tier, verifying the upgrade and so on. The tasks in this section should be performed after you complete all the prerequisites described in section Pre-Upgrade.

This section contains the following topics:

11.3.1 Upgrading Oracle WebLogic Server

You can upgrade WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6 by using the WebLogic 10.3.6 Upgrade Installer. For information about upgrading Oracle WebLogic Server, see "Upgrading to Oracle WebLogic Server 10.3.6".

11.3.2 Upgrading Oracle SOA Suite to 11.1.1.7.0

Note:

Oracle Identity Manager 11.1.2.2.0 supports Oracle SOA Suite 11.1.1.7.0. Therefore, you must upgrade Oracle SOA Suite to 11.1.1.7.0 if you are not using Oracle SOA Suite 11.1.1.7.0 already.

Oracle Identity Manager 11.1.1.5.0 uses Oracle SOA Suite 11.1.1.5.0, and Oracle Identity Manager 11.1.2.2.0 uses Oracle SOA Suite 11.1.1.7.0. Therefore, this task is needed only if you are upgrading Oracle Identity Manager 11.1.1.5.0 to 11.1.2.2.0.

For information about applying the mandatory Oracle SOA Suite patches for Oracle Identity Manager 11.1.1.7.0, see "Mandatory Patches Required for Installing Oracle Identity Manager" in the Oracle Fusion Middleware Release Notes.

To upgrade your existing Oracle SOA Suite to 11.1.1.7.0, complete the tasks listed in Table 11-11:

Table 11-11 Tasks to Update SOA

| Sl No | Task | For More Information |
|---|---|---|
| 1 | Review the system requirements and specifications before you start upgrading Oracle SOA Suite to 11.1.1.7.0. | See Oracle Fusion Middleware System Requirements and Specifications |
| 2 | Obtain the Oracle SOA Suite 11.1.1.7.0 installer. | See Oracle Fusion Middleware Download, Installation, and Configuration ReadMe |
| 3 | Start the Oracle SOA Suite 11.1.1.7.0 installer. | See "Start the Installer" in the Oracle Fusion Middleware Patching Guide |
| 4 | Update the Oracle SOA Suite binaries to 11.1.1.7.0. | See "Applying the Patch Set" in the Oracle Fusion Middleware Patching Guide |
| 5 | Apply the mandatory Oracle SOA Suite patches. | See "Mandatory Patches Required for Installing Oracle Identity Manager" in the Oracle Fusion Middleware Release Notes |
| 6 | Perform the following post-patching tasks for Oracle SOA Suite: • Remove the tmp folder for SOA composer, BPM workspace, and B2B. • If you upgraded Oracle SOA Suite 11g Release 1 (11.1.1.6.0) to 11g Release 1 (11.1.1.7.0), update the message duration of the warning BPEL Message Recovery Required. • Update the MAXRECOVERATTEMPT attribute to 2. • Update your Oracle Data Integrator clients if you are using Oracle BAM and Oracle Data Integrator integration. • Save and restore XEngine customizations for Oracle B2B, if B2B server is integrated with B2B EDI endpoints. • Extend the SOA domain with UMS Adapter features. • Extend the SOA domain with Business Process Management features. Make sure you have started the WebLogic Administration Server and the SOA Managed Servers before you perform the post-patching tasks. | See the following sections in the Oracle Fusion Middleware Patching Guide for 11g Release 1 (11.1.1.7.0): Post-patching tasks for SOA are not required out-of-the-box. However, you must review them and apply per your functional requirements. |


11.3.3 Upgrading Oracle Identity Manager Binaries to 11.1.2.2.0

To upgrade Oracle Identity Manager binaries to 11.1.2.2.0, you must use the Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) Installer. During the procedure, point the Middleware Home to your existing 11.1.1.x.x Middleware Home. Your Oracle Home is upgraded from 11.1.1.x.x to 11.1.2.2.0.

Note:

Before upgrading the Oracle Identity Manager binaries to 11g Release 2 (11.1.2.2.0), you must ensure that the OPatch version in ORACLE_HOME and MW_HOME/oracle_common is 11.1.0.9.9. A different OPatch version might cause patch application failure. If you have upgraded OPatch to a newer version, you will have to roll back to version 11.1.0.9.9.

For information about upgrading Oracle Identity Manager 11g Release 1 (11.1.1.x.x), see Section 2.4, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.2.0)".

After the binary upgrade, check the installer logs at the following location:

  • On UNIX: ORACLE_INVENTORY_LOCATION/logs

    To find the location of the Oracle Inventory directory on UNIX, check the file ORACLE_HOME/oraInst.loc.

  • On Windows: ORACLE_INVENTORY_LOCATION\logs

    The default location of the Oracle Inventory Directory on Windows is C:\Program Files\Oracle\Inventory\logs.

The following install log files are written to the log directory:

  • installDATE-TIME_STAMP.log

  • installDATE-TIME_STAMP.out

  • installActionsDATE-TIME_STAMP.log

  • installProfileDATE-TIME_STAMP.log

  • oraInstallDATE-TIME_STAMP.err

  • oraInstallDATE-TIME_STAMP.log

11.3.4 Creating Oracle Platform Security Services Schema

You must create Oracle Platform Security Services (OPSS) schema using Repository Creation Utility (RCU) 11.1.2.2.0, as Oracle Identity Manager upgrade process involves OPSS schema policy store changes. Keys, roles, permissions, and other artifacts used by the applications must migrate to the policy store.

To create OPSS schema using Repository Creation utility, do the following:

  1. Obtain the RCU.

    For information about obtaining the RCU software, see Oracle Identity and Access Management Download, Installation, and Configuration ReadMe for 11g Release 2 (11.1.2.2.0).

  2. Start the RCU.

    For information about starting the RCU, see "Starting RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

  3. Create the OPSS schema.

    For information about creating schemas, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

    Note:

    In the Select Components screen, expand AS Common Schemas and select Oracle Platform Security Services. Make sure you do not select any other components.

    The Metadata Services schema is selected automatically. Deselect it and ignore the following message:

    Following components require Metadata Services schema: Oracle Platform Security Services.

11.3.5 Upgrading Oracle Platform Security Services Schemas

You must upgrade the Oracle Platform Security Services schemas using Patch Set Assistant. To do this, complete the following steps:

Note:

Before you upgrade Oracle Platform Security Services schemas, make sure that the SOAINFRA schema owner has execute privileges on sys.dbms_lob. If not, grant execute privileges to the SOAINFRA schema owner on sys.dbms_lob by running the following command:

grant execute on sys.dbms_lob to *_SOAINFRA;

  1. Start the Patch Set Assistant from the location MW_HOME/oracle_common/bin using the following command:

    ./psa

  2. Select opss.

  3. Specify the Database connection details, and select the schema to be upgraded.

After you upgrade Oracle Platform Security Services schema, verify the upgrade by checking the log file at the location MW_HOME/oracle_common/upgrade/logs/psa<timestamp>.log.

The timestamp refers to the actual date and time when Patch Set Assistant was run. If the upgrade fails, check the log files to rectify the errors and run the Patch Set Assistant again.

11.3.6 Extending Oracle Identity Manager 11.1.1.x.x Component Domains with OPSS Template

Oracle Identity Manager 11.1.2.2.0 uses the database to store Oracle Platform Security Service policies. This requires extending the 11.1.1.x.x Oracle Identity Manager domain to include the OPSS data source.

To do so, complete the following steps:

  1. Run the following command to launch the Oracle Fusion Middleware configuration wizard:

    On UNIX:

    ./config.sh

    It is located in the <MW_HOME>/<Oracle_IDM1>/common/bin directory.

    On Windows:

    config.cmd

    It is located in the <MW_HOME>\<Oracle_IDM1>\common\bin directory.

  2. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.

  3. On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured the components. Click Next. The Select Extension Source screen is displayed.

  4. On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next.

  5. The Configure JDBC Data Sources screen is displayed. Configure the opssDS data source, as required. After the test succeeds, the Configure JDBC Component Schema screen is displayed.

  6. On the Configure JDBC Component Schema screen, select the Oracle Platform Security Services schema.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.

    The Test JDBC Component Schema screen is displayed. After the test succeeds, the Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything, as you have already configured these in your Oracle Identity Manager 11.1.1.x.x environment. Click Next.

  8. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

Your existing Oracle Identity Manager domain is extended to support Oracle Platform Security Services (OPSS).

11.3.7 Upgrading Oracle Platform Security Services

After you extend the Oracle Identity Manager component domains with OPSS template, you must upgrade Oracle Platform Security Services (OPSS).

Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Identity Manager to 11.1.2.2.0. It upgrades the jps-config.xml file and policy stores.

For information about upgrading Oracle Platform Security Services, see Section 2.7, "Upgrading Oracle Platform Security Services".

11.3.8 Configuring OPSS Security Store

You must configure the database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0). This is done by running the configureSecurityStore.py script.

For information about configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

11.3.9 Upgrading Oracle Identity Management Schemas Using Patch Set Assistant

You must upgrade Oracle Identity Manager schema using Patch Set Assistant (PSA). When you select the Oracle Identity Manager Schema, it automatically selects all dependent schemas and upgrades them too.

For information about upgrading schemas using the Patch Set Assistant, see Upgrading Schemas Using Patch Set Assistant.

After you upgrade schemas, verify the upgrade by checking the version numbers of the schemas as described in Version Numbers After Upgrading Schemas.

11.3.9.1 Version Numbers After Upgrading Schemas

Run the following query for each schema and ensure that the version numbers are upgraded, as listed in Table 11-12:

    select version,status,upgraded from schema_version_registry where owner='<SCHEMA_NAME>';

Table 11-12 Component Version Numbers After Upgrading the Schemas

Component                  Version No.
OPSS                       11.1.1.7.2
MDS                        11.1.1.7.0
Oracle Identity Manager    11.1.2.2.0
ORASDPM                    11.1.1.7.0
SOAINFRA                   11.1.1.7.0 (Make sure that you have upgraded SOA schemas as described in Section 2.6, "Upgrading Schemas Using Patch Set Assistant")


11.3.10 Starting the Administration Server and SOA Managed Server

Note:

Do not start the Oracle Identity Manager Managed Servers.

After the upgrade is complete, start the WebLogic Administration Server, the Administration Server for the domain that contains Oracle Identity Management, and SOA Managed Server.

Note:

If you are upgrading Oracle Identity Manager high availability environments and if you are using Oracle Automatic Storage Management Cluster File System (Oracle ACFS), you must start only one SOA Managed Server before running the middle tier upgrade utility.

Note:

When you start the servers, the following error message might be displayed:
** SOA specific environment is already set. Skipping ...
***********************************************************
OIM specific environment is already set. Skipping ...
The input line is too long.
The syntax of the command is incorrect.

It is recommended that you open a new command prompt and then run the commands for starting the servers.

For information about starting the Administration Server and SOA Managed server, see Section 2.9, "Starting the Servers".

11.3.11 Upgrading Oracle Identity Manager Middle Tier

To upgrade the Oracle Identity Manager middle tier, you must update the properties file with the necessary parameters, and then run the command as described in this section.

Note:

Before you upgrade the Oracle Identity Manager middle tier, make sure that the WebLogic Administration Server and the SOA Managed Server(s) are running. It is recommended that the Oracle Identity Manager Managed Server is not running at this point.

Note:

The upgrade utility is re-entrant: if a run is interrupted, running it again resumes correctly.

To upgrade Oracle Identity Manager Middle Tier to 11.1.2.2.0, do the following:

On UNIX:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>/server/bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>/server/bin

  2. Edit the following upgrade properties file in a text editor:

    oim_upgrade_input.properties

  3. Add the parameters, as listed in Table 11-13.

  4. Run the following command:

    ./OIMUpgrade.sh

    When you run this command, you will need to enter the passwords for the OIM schema user, the MDS schema user, the WebLogic admin user, and the SOA admin user.

    Note:

    The following warning is displayed:

    [WARN] [jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN] [jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

On Windows:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:

    cd <OIM_ORACLE_HOME>\server\bin

  2. Edit the following upgrade properties file in a text editor:

    oim_upgrade_input.properties

  3. Add the parameters, as listed in Table 11-13.

  4. Run the following command:

    OIMUpgrade.bat

    When you run this command, you will need to enter the passwords for the OIM schema user, the MDS schema user, the WebLogic admin user, and the SOA admin user.

    Note:

    The following warning is displayed:

    [WARN] [jrockit] PermSize=128M ignored: Not a valid option for JRockit

    [WARN] [jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit

    You can ignore this message.

Table 11-13 Oracle Identity Manager Middle Tier Upgrade Parameters

Parameter             Description
java.home             Specify the JAVA HOME location.
server.type           Specify the Application Server that you are using. For example, if you are using Oracle WebLogic Server, specify wls for this parameter. As this document describes the procedure to upgrade Oracle Identity Manager on WebLogic, you must specify wls for this parameter.
oim.jdbcurl           Specify the Oracle Identity Manager JDBC URL.
oim.oimschemaowner    Specify the Oracle Identity Manager schema owner.
oim.oimmdsjdbcurl     Specify the MDS JDBC URL.
oim.mdsschemaowner    Specify the MDS schema owner name.
oim.adminhostname     Specify the Oracle WebLogic Server Administration host name.
oim.adminport         Specify the Oracle WebLogic Server Administration port.
oim.adminUserName     Specify the username that is used to log in to the Oracle WebLogic Server Administration Console.
oim.soahostmachine    Specify the SOA host name where SOA Server is running.
oim.soaportnumber     Specify the SOA Server port.
oim.soausername       Specify the SOA Managed Server username.
oim.domain            Specify the Oracle Identity Manager domain location.
oim.home              Specify the Oracle OIM Home location.
oim.mw.home           Specify the Oracle Middleware Home location.
soa.home              Specify the Oracle SOA Home location.
wl.home               Specify the WebLogic Home location.


Example Parameters

java.home=/u01/jrockit-jdk1.6.0_24-R28.1.3-4.0.1
server.type=wls
oim.jdbcurl=db.example.com:1522:oimdb
oim.oimschemaowner=test_oim
oim.oimmdsjdbcurl=db.example.com:1522:oimdb
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=oimhost.example.com
oim.adminUserName=weblogic
oim.soahostmachine=soahost.example.com
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/scratch/Oracle/Middleware/user_projects/domains/base_domain
oim.home=/scratch/Oracle/Middleware/Oracle_IDM1
oim.mw.home=/scratch/Oracle/Middleware
soa.home=/scratch/Oracle/Middleware/Oracle_SOA1
wl.home=/scratch/Oracle/Middleware/wlserver_10.3
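
Because OIMUpgrade prompts for every password, oim_upgrade_input.properties should hold only the parameters in Table 11-13 and no secrets. The following pre-flight check is an added example, not part of the Oracle tooling; the finding names, the secret-key pattern and the bad sample are assumptions made for illustration.

```python
import re

# Parameters listed in Table 11-13; any other key in the file is unexpected.
REQUIRED_KEYS = (
    "java.home", "server.type", "oim.jdbcurl", "oim.oimschemaowner",
    "oim.oimmdsjdbcurl", "oim.mdsschemaowner", "oim.adminhostname",
    "oim.adminport", "oim.adminUserName", "oim.soahostmachine",
    "oim.soaportnumber", "oim.soausername", "oim.domain", "oim.home",
    "oim.mw.home", "soa.home", "wl.home",
)
PORT_KEYS = ("oim.adminport", "oim.soaportnumber")
JDBC_KEYS = ("oim.jdbcurl", "oim.oimmdsjdbcurl")
# Assumed heuristic for key names that suggest a stored secret.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|credential", re.I)
# user/password@ embedded in a JDBC URL (jdbc:oracle:thin:user/pw@host:port:sid).
EMBEDDED_CREDS = re.compile(r"[^/@:]+/[^/@]+@")

# The "Example Parameters" listing from this page.
PAGE_EXAMPLE = """\
java.home=/u01/jrockit-jdk1.6.0_24-R28.1.3-4.0.1
server.type=wls
oim.jdbcurl=db.example.com:1522:oimdb
oim.oimschemaowner=test_oim
oim.oimmdsjdbcurl=db.example.com:1522:oimdb
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=oimhost.example.com
oim.adminUserName=weblogic
oim.soahostmachine=soahost.example.com
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/scratch/Oracle/Middleware/user_projects/domains/base_domain
oim.home=/scratch/Oracle/Middleware/Oracle_IDM1
oim.mw.home=/scratch/Oracle/Middleware
soa.home=/scratch/Oracle/Middleware/Oracle_SOA1
wl.home=/scratch/Oracle/Middleware/wlserver_10.3
"""

# Constructed bad input: wrong server type, invalid port, credentials in the
# JDBC URL, a missing parameter and a password stored in the file.
BAD_SAMPLE = (
    PAGE_EXAMPLE
    .replace("server.type=wls", "server.type=jboss")
    .replace("oim.adminport=7001", "oim.adminport=70010")
    .replace("oim.jdbcurl=db.example.com:1522:oimdb",
             "oim.jdbcurl=jdbc:oracle:thin:test_oim/Welcome1@db.example.com:1522:oimdb")
    .replace("wl.home=/scratch/Oracle/Middleware/wlserver_10.3\n", "")
    + "oim.adminPassword=Welcome1\n"
)


def parse_properties(text):
    """Parse simple key=value lines; return (props, duplicated_keys)."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in props:
            duplicates.append(key)
        props[key] = value
    return props, duplicates


def check_upgrade_properties(text):
    """Return a list of (finding, detail) tuples; an empty list means clean."""
    props, duplicates = parse_properties(text)
    findings = [("missing", k) for k in REQUIRED_KEYS if not props.get(k)]
    findings += [("duplicate", k) for k in duplicates]
    if props.get("server.type") not in (None, "", "wls"):
        findings.append(("server-type-not-wls", props["server.type"]))
    for key in PORT_KEYS:
        value = props.get(key, "")
        if value and not (value.isdigit() and 1 <= int(value) <= 65535):
            findings.append(("bad-port", key))
    for key in JDBC_KEYS:
        if EMBEDDED_CREDS.search(props.get(key, "")):
            findings.append(("credentials-in-jdbc-url", key))
    for key in props:
        if key not in REQUIRED_KEYS:
            kind = "secret-in-file" if SECRET_KEY.search(key) else "unknown-key"
            findings.append((kind, key))
    return findings


if __name__ == "__main__":
    for finding in check_upgrade_properties(BAD_SAMPLE):
        print(finding)
```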

11.3.12 Verifying Oracle Identity Manager Middle Tier Upgrade

Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:

  1. Verify the log files at the following location, by looking for error or warning messages:

    On UNIX:

    <OIM_HOME>/server/upgrade/logs/MT

    On Windows:

    <OIM_HOME>\server\upgrade\logs\MT

    The following log files are generated:

    • ant_ApplicationDB.log

    • ant_grantPermissionsUpgrade.log

    • ant_JRF.log

    • ant_PatchClasspath.log

    • ant_soaOIMLookupDB.log

    • OIMUpgrade<timestamp>.log

    • SeedSchedulerData.log

    No error message is displayed if the middle tier upgrade was successful.

  2. OIMUpgrade.sh creates a detailed report. Complete the following steps to review the report:

    1. Go to the following path:

      On UNIX:

      <Oracle_IDM1>/server/upgrade/logs/MT/oimUpgradeReportDir

      On Windows:

      <Oracle_IDM1>\server\upgrade\logs\MT\oimUpgradeReportDir

    2. Click index.html.

      This page contains a list of all Oracle Identity Manager features and the upgrade status of each from the last middle tier run, in a table format.

    3. Click on the corresponding link of each feature for a detailed feature report.

    Table 11-14 Middle Tier Upgrade Report

    Feature Name Description
     

    index.html

    This report provides a list of features and their upgrade status, from the last run.

    Access the detailed feature report through the corresponding link on each feature.

    PatchDomain

    PatchDomain.html

    This report provides details of all domain related changes during the upgrade process.

    The changes are:

    • New EAR or shared libraries deployed during the upgrade process.

    • New server resources.

    • Foreign JNDI Provider Creation.

    • Application of upgrade template for creating the following resources:

      • New data sources

        For example:

        ApplicationDBDS

      • jrf-async queues

    • Domain Classpath Upgrade

    • OPSS upgrade.

    • JRF upgrade.

    ROLE_RULE_MEMB

    PS1R2UPG.ROLE_RULE_MEMB.html

    This report provides details of roles processed on the basis of Search Rule, prepared from Rule Elements, defined in the Rules.

    REQUEST_STAGES

    PS1R2UPG.REQUEST_STAGES.html

    The following request stages are no longer supported:

    • Obtaining Template Approval

    • Template Approval Approved

    • Template Approval Rejected

    • Template Approval Auto Approved

    This report lists the following:

    • Requests for unsupported request stages, processed during upgrade.

    • Tasks associated to request with unsupported request stages, processed during upgrade.

    • SOA tasks associated to request with unsupported request stages, processed during upgrade.

    ReconUpgrade

    ReconUpgradeUpgradeReport.html

    This report lists object names processed during upgrade with names of the associated Horizontal Table Name, Recon Profile Name, and Entity Definition Name.

    SOAUpgrade

    NA

    New OOTB SOA Composites deployed:

    • sca_DisconnectedProvisioning_rev1.0.jar

    • sca_DefaultSODApproval_rev1.0.jar

    Scheduler

    NA

    This report lists the addition of the following Task Definitions and Scheduler Jobs:

    • Account Application Instance Update Task.

    • Catalog Synchronization Task.

    • Application Instance Post Delete Processing Task.

    • Entitlement Post Delete Processing Task.

    ACCESSPOLICY

    ACCESSPOLICYUpgradeReport.html

    This report provides a list of access policy names and the corresponding resource objects, processed during upgrade along with DNLA flag value.

    The flag value is 1 if DNLA is set, and 0 if RNLA is set.

    MDSNSUpdate

    NA

    Oracle Identity Manager Metadata present in Oracle Identity Manager MDS is updated with the latest namespace to keep it in consonance with changes in XSD Schemas.

    OIMConfig

    NA

    Oracle Identity Manager Application configuration, kept in the metadata location /db/oim-config.xml, is updated as per the latest configuration changes in Oracle Identity Manager 11.1.2.2.0.

    CONTEXT

    NA

    DDL changes in the ORCHPRCESS TABLE.

    Data from the old context columns (ContextId) is transformed and moved to new context column (ContextVal).

    Certification

    CertificationUpgradeReport.html

    This report provides a list of the certification records processed during the upgrade of snapshot data.

    Request

    PS12R2UPG.InflightRequest.html

    This report provides the list of the requests that are in request or operational level approval stage. In addition, the report provides upgrade status.

    InflightRequest

    REFIX_NOT_AVLBL.InflightRequest.html

    This report provides the list of the inflight 11.1.1.x.x requests that are in either request or operational level approval stage. In addition, the report provides upgrade status.

    PREFIX_NOT_AVLBL_ReconUpgrade

    PREFIX_NOT_AVLBL.ReconUpgrade.html

    This report provides the list of the success/failure of 11.1.2.2.0-based Recon Profile creation for the resource objects defined in 11.1.1.x.x.

    PREFIX_NOT_AVLBL_ACCESSPOLICY

    PREFIX_NOT_AVLBL.ACCESSPOLICY.html

    This report provides the list of the access policy names and the corresponding resource objects processed during upgrade along with DNLA flag value (set to 1 if DNLA is set, 0 if RNLA is set).
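
Step 1 of this section asks you to look through the middle tier logs for error or warning messages. The following triage script is an added example, not part of the Oracle tooling: it checks that each log file named above exists, and reports suspicious lines while skipping the two JRockit warnings this chapter says can be ignored. The keyword pattern, the sample log contents and the timestamp in the sample file name are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Log files this section says the middle tier upgrade generates.
EXPECTED_LOGS = (
    "ant_ApplicationDB.log", "ant_grantPermissionsUpgrade.log", "ant_JRF.log",
    "ant_PatchClasspath.log", "ant_soaOIMLookupDB.log", "SeedSchedulerData.log",
)
TIMESTAMPED_LOG = re.compile(r"^OIMUpgrade.+\.log$")  # OIMUpgrade<timestamp>.log

# Warnings documented on this page as safe to ignore.
BENIGN = re.compile(
    r"\[WARN\] \[jrockit\] (Max)?PermSize=\S+ ignored: Not a valid option for JRockit"
)
# Assumed keyword heuristic; tune it to the messages your logs really contain.
SUSPECT = re.compile(r"\b(error|warn(ing)?|severe|fail(ed|ure)?)\b|exception", re.I)

# Constructed sample logs: one expected file is absent, one step failed.
SAMPLE_LOGS = {
    "ant_ApplicationDB.log": "BUILD SUCCESSFUL\n",
    "ant_grantPermissionsUpgrade.log": "BUILD SUCCESSFUL\n",
    "ant_JRF.log": "applying template\nBUILD FAILED\n",
    "ant_PatchClasspath.log": "BUILD SUCCESSFUL\n",
    "SeedSchedulerData.log": "seeding done\n",
    "OIMUpgrade20140101.log": (
        "[WARN] [jrockit] PermSize=128M ignored: Not a valid option for JRockit\n"
        "[WARN] [jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit\n"
        "upgrade finished\n"
    ),
}


def write_sample_logs(directory):
    """Write the constructed sample logs into directory (for the demo only)."""
    for name, content in SAMPLE_LOGS.items():
        Path(directory, name).write_text(content)


def triage_mt_logs(log_dir):
    """Return {'missing': [...], 'hits': [(file, line_no, text), ...]}."""
    log_dir = Path(log_dir)
    names = sorted(p.name for p in log_dir.glob("*.log"))
    missing = [n for n in EXPECTED_LOGS if n not in names]
    if not any(TIMESTAMPED_LOG.match(n) for n in names):
        missing.append("OIMUpgrade<timestamp>.log")
    hits = []
    for name in names:
        with open(log_dir / name, errors="replace") as handle:
            for line_no, line in enumerate(handle, 1):
                if SUSPECT.search(line) and not BENIGN.search(line):
                    hits.append((name, line_no, line.strip()))
    return {"missing": missing, "hits": hits}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_logs(tmp)
        result = triage_mt_logs(tmp)
        print("missing logs:", result["missing"])
        for hit in result["hits"]:
            print("%s:%d: %s" % hit)
```

A missing log file is as informative as an error line, because it means the corresponding upgrade step never ran.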


11.3.13 Changing the Deployment Order of Oracle Identity Manager EAR

You must change the deployment order of oim.ear from 47 to 48. Complete the following steps to do so:

  1. Log in to the WebLogic console.

  2. Click Deployments in the left pane.

  3. Click oim.ear.

  4. Update the deployment order from 47 to 48, and then click Save.

11.3.14 Restarting the Administration Server and SOA Managed Server

To restart the Administration Server and Managed Servers, you must stop them first before starting them again.

To stop the servers, see Shutting Down Node Manager, Administration Server and Managed Servers.

To start the servers, see Starting the Administration Server and SOA Managed Server.

Things to Check on the WebLogic Console After Starting the Administration Server

  • Check the new data source added:

    1. Log in to the WebLogic console.

    2. Click Data Sources.

    3. Verify the data source given below:

      Name             Type     JNDI Name             Targets
      ApplicationDBDS  Generic  jdbc/ApplicationDBDS  oim_server1 (for single node upgrade)
                                                      oim_cluster (for cluster upgrade)


  • Check for SOA Foreign JNDI provider

    1. Log in to the WebLogic console.

    2. Click Foreign JNDI Providers.

    3. Verify the existence of Foreign JNDI providers given below:

      Name: ForeignJNDIProvider-SOA
      Initial Context Factory: weblogic.jndi.WLInitialContextFactory
      Provider URL:
        For single node upgrade: t3://soa_server_host:soa_server_port
        For cluster upgrade: t3://soa_server1_host:soa_server1_port,soa_server2_host:soa_server2_port
      User: WebLogic
      Targets: oim_server1 (for single node upgrade), oim_cluster (for cluster upgrade)

    Note:

    If you are upgrading Oracle Identity Manager High Availability environments, the Provider URL may contain the host and port of soa_server1 only. In that case, you must add the host and port of soa_server2 to the Provider URL manually.

  • Check the order of the EARs

    1. Log in to the WebLogic console.

    2. Click Deployments.

    3. Verify the deployment order for the following list respectively:

      Name                                                 State   Health  Type                    Deployment Order
      oim (11.1.1.3.0)                                     Active  OK      Enterprise Application  48
      OIMAppMetadata (11.1.2.0.0)                          Active  OK      Enterprise Application  47
      OIMMetadata (11.1.1.3.0)                             Active  OK      Enterprise Application  46
      oracle.iam.console.identity.sysadmin.ear (V2.0)      Active  OK      Enterprise Application  406
      oracle.iam.console.identity.self-service.ear (V2.0)  Active  OK      Enterprise Application  405
      oracle.iam.ui.custom(11.1.1,11.1.1)                  Active          Library                 404
      oracle.iam.ui.oia-view(11.1.1,11.1.1)                Active          Library                 403
      oracle.iam.ui.view(11.1.1,11.1.1)                    Active          Library                 402
      oracle.iam.ui.model(1.0,11.1.1.5.0)                  Active          Library                 401

11.3.15 Patching Oracle Identity Management MDS Metadata

Oracle Identity Manager 11.1.1.x.x MDS metadata must be upgraded to Oracle Identity Manager 11.1.2.2.0 MDS metadata. Starting the Oracle Identity Manager Managed Servers patches the MDS metadata.

To start the Managed Servers, do the following:

On UNIX:

  1. Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:

    cd <MW_HOME>/user_projects/domains/<domain_name>/bin

  2. Run the following command to start the Servers:

    Note:

    Enter the username and password when prompted.

    ./startManagedWebLogic.sh <managed_server_name>

    where

    <managed_server_name> is the name of the Managed Server.

On Windows:

  1. Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:

    cd <MW_HOME>\user_projects\domains\<domain_name>\bin

  2. Run the following command to start the Managed Servers:

    Note:

    Enter the username and password when prompted.

    startManagedWebLogic.cmd <managed_server_name>

    where

    <managed_server_name> is the name of the Managed Server.

For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Verifying MDS Patch

Check MDS reports in the following location:

On UNIX:

<OIM_ORACLE_HOME>/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html

On Windows:

<OIM_ORACLE_HOME>\server\logs\MDS_REPORT_DIRECTORY\MDSReport.html

11.3.16 Upgrading Oracle Identity Manager Design Console

The Oracle Identity Manager Design Console is used to configure system settings that control the system-wide behavior of Oracle Identity Manager and affect its users. The Design Console allows you to perform user management, resource management, process management, and other administration and development tasks.

Oracle recommends that you install Oracle Identity Manager and the Design Console in different directory paths, if the Design Console is on the same system as Oracle Identity Manager server.

To upgrade Design Console, complete the following steps:

  1. Back up the following files:

    • On UNIX, $<XLDC_HOME>/xlclient.sh

    • $<XLDC_HOME>/config/xlconfig.xml

    • On Windows, <XLDC_HOME>\xlclient.cmd

    • <XLDC_HOME>\config\xlconfig.xml

  2. Run the Oracle Identity and Access Management 11.1.2.2.0 Installer to upgrade the Design Console home <XLDC_HOME>.

    For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Restore the backed up files xlclient.sh/xlclient.cmd and xlconfig.xml to the upgraded Design Console home.

  4. Build and copy the wlfullclient.jar file as follows:

    1. Go to WebLogic_Home/server/lib directory on UNIX and WebLogic_Home\server\lib directory on Windows.

    2. Set the JAVA_HOME environment variable and add the JAVA_HOME variable to the PATH environment variable.

      For example, you can set the JAVA_HOME to the jdk160_21 directory inside the Middleware home.

      On UNIX:

      setenv JAVA_HOME $MW_HOME/jdk160_29

      On Windows:

      SET JAVA_HOME=<MW_HOME>\jdk160_29

    3. Run the following command to build the wlfullclient.jar file:

      java -jar <MW_HOME>/modules/com.bea.core.jarbuilder_1.7.0.0.jar

    4. Copy the wlfullclient.jar file to the <IAM_HOME> where you installed the Design Console. For example:

      On UNIX:

      cp wlfullclient.jar <Oracle_IDM2>/designconsole/ext

      On Windows:

      copy wlfullclient.jar <Oracle_IDM2>\designconsole\ext

11.3.17 Upgrading Oracle Identity Manager Remote Manager

Complete the following steps to upgrade Remote Manager:

  1. Back up configuration files.

    Before starting the Remote Manager upgrade, back up the following Remote Manager configuration files:

    • On UNIX, $<XLREMOTE_HOME>/remotemanager.sh

    • $<XLREMOTE_HOME>/xlremote/config/xlconfig.xml file.

    • On Windows, <XLREMOTE_HOME>\remotemanager.bat

    • <XLREMOTE_HOME>\xlremote\config\xlconfig.xml file.

  2. Run the Oracle Identity and Access Management Installer to upgrade the Remote Manager home.

    For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2.2.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

  3. Restore the backed up configuration files, remotemanager.sh/remotemanager.bat and xlconfig.xml, in the upgraded Remote Manager home.

11.3.18 Configuring Oracle BI Publisher 11.1.1.7.1

To use reports on Oracle Identity Manager 11g Release 2 (11.1.2.2.0), you must install Oracle BI Publisher 11g Release 1 (11.1.1.7.1). To install Oracle BI Publisher 11g Release 1 (11.1.1.7.1), you must first install Oracle BI Publisher 11g Release 1 (11.1.1.7.0), and then apply the patch for Oracle BI Publisher 11g Release 1 (11.1.1.7.1) using OPATCH. To do this, complete the following steps:

  1. Back up the following Oracle Identity Manager reports directories:

    • $BI_PUBLISHER_HOME/Middleware/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/Oracle Identity Manager/

    • $ORACLE_BI_PUBLISHER_HOME/Middleware/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/BIP Sample Data/

    Note:

    The location of Oracle Business Intelligence Reports directory may differ based on the installation location of BI Publisher.

  2. Obtain Oracle BI Publisher 11g Release 1 (11.1.1.7.0) from the following location:

    http://www.oracle.com/technetwork/middleware/bi-enterprise-edition/downloads/bi-downloads-1923016.html

  3. Install Oracle BI Publisher 11g Release 1 (11.1.1.7.0). For more information about installing Oracle BI Publisher 11g Release 1 (11.1.1.7.0), see Oracle Fusion Middleware Installation Guide for Oracle Business Intelligence.

  4. Apply the patch number 16556157 to patch Oracle BI Publisher 11g Release 1 (11.1.1.7.0) to Oracle BI Publisher 11g Release 1 (11.1.1.7.1). The patch 16556157 can be downloaded at the following URL:

    https://support.oracle.com

    For patching instructions, refer to the README.txt file that is provided with the patch.

Note:

For more information about deploying BI Reports, see "Deploying Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

For more information about using the reporting features, see "Using Reporting Features" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

11.3.19 Deploying Oracle Identity Manager BI Publisher Reports

Complete the following steps to deploy Oracle Identity Manager BI Publisher Reports:

  1. Obtain the reports bundle oim_product_BIP11gReports_11_1_2_0_0.zip from the following location:

    MW_HOME/IAM_HOME/server/reports/oim_product_BIP11gReports_11_1_2_0_0.zip

  2. Unzip oim_product_BIP11gReports_11_1_2_0_0.zip at the following location:

    IAM_HOME/Middleware/user_projects/domains/domain_name/config/bipublisher/repository/Reports/

  3. Configure reports by following the instructions in "Configuring Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

11.4 Post-Upgrade Steps

11.4.1 After You Upgrade

After upgrading from Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0:

  • The names of the following EARs remain unchanged from Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0:

    • Oracle Identity Manager Metadata (11.1.1.3.0)

    • Oracle Identity Manager (11.1.1.3.0)

    There is no functional loss.

  • All of the resources provisioned to an organization in Oracle Identity Manager 11.1.1.x.x are available in Provisioned Accounts after upgrading to Oracle Identity Manager 11.1.2.2.0. To view them, do the following:

    1. Connect to the Oracle Identity Manager Identity console.

    2. Go to Administration.

    3. Select Organizations.

    4. Search for organizations.

    5. Select any organization.

    6. Go to Provisioned Accounts to see all Oracle Identity Manager 11.1.1.x.x based resources, provisioned to an organization.

  • In Oracle Identity Manager 11.1.1.x.x, data object permission was shown in the Administration Console under Roles.

    In Oracle Identity Manager 11.1.2.2.0, data object permission is not shown.

  • Oracle Identity Manager 11.1.2.2.0 based Oracle Identity Manager reports are supported in BI Publisher 11g.

11.4.2 Validating the Database Objects

If you are using Oracle Database, you must check for the INVALID schema objects, and compile them if there are any. To do this, complete the following steps:

  1. Identify the INVALID schema objects by running the following SQL query as SYS user:

    SELECT owner,object_type,object_name,status FROM dba_objects WHERE status='INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;

  2. If there are any INVALID schema objects, you must compile them by connecting to the database as SYS user, and running the following from SQL*Plus:

    @<$Oracle_Database_Home_Location>/rdbms/admin/utlrp.sql

    After running utlrp.sql, run the SQL query described in step 1 again to ensure that there are no INVALID database objects.

11.4.3 Creating sysadmin Key

After you upgrade OIM 11.1.1.x.x to 11.1.2.2.0, you must manually create the sysadmin key using Oracle Enterprise Manager console. To do this, complete the following steps:

  1. Log in to the Oracle Enterprise Manager console using the following URL:

    http://<host>:<port>/em

  2. Select Farm_base_domain.

  3. Expand WebLogic Domain on the Target Navigation pane.

  4. Click base_domain.

  5. Click on the WebLogic Domain drop-down list.

  6. Click Security, and then click Credentials.

  7. Select oracle.wsm.security.

  8. Click Create Key.

  9. Specify the right values for the following fields:

    • Select Map: Select oracle.wsm.security for this field.

    • *Key: Specify OIMAdmin.

    • Type: Select Password.

    • *User Name: Specify the username of the system administrator. For example, xelsysadm.

    • *Password: Specify the password of the system administrator.

    • *Confirm Password: Retype the password to confirm.

  10. Click OK.

11.4.4 Impact of Removing Approver-Only Attribute in Request Data Set

Removing approver-only attribute in the Request Data Set results in the following:

  • Before upgrade: The requester cannot see attributes marked approver-only='true' during request submission.

    After upgrade: The requester must provide the value during request submission.

  • You must manually add LDAP Sync Validation Handler. To do so, complete the following steps:

    1. Export the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      exportAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

    2. Add the following section of the EventHandlers.xml by editing the file in a text editor. Save the file:

      <validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="MODIFY" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">

      </validation-handler>

      <validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="CREATE" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">

      </validation-handler>

    3. Import the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      importAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

  • You must manually remove the RDN pre-process handler. To do so, complete the following steps:

    1. Export the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      exportAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

    2. Remove the following section of the EventHandlers.xml by editing the file in a text editor. Save the file:

      <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">

      </action-handler>

      <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="MODIFY" name="ModifyUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">

      </action-handler>

    3. Import the EventHandlers.xml file by running the following WLST offline command:

      On UNIX:

      importAccessData("/db/ldapMetadata/EventHandlers.xml")

      On Windows:

      importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")

  • If you have any custom validation handlers in your environment, ensure that the validation is re-entrant. For more information, see "Writing Custom Validation Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

  • If you have any custom user name policy configured in your environment, see "Writing Custom User Name Policy" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager to ensure the following:

    • Use the recommended oracle.iam.identity.usermgmt.api.UserNameGenerationPolicy interface to implement policy, instead of using oracle.iam.identity.usermgmt.api.UserNamePolicy.

    • Ensure that the custom user name policy returns the same user login when the approver updates an attribute that does not contribute to generating the user login.
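
The two manual edits to the exported EventHandlers.xml described above (adding the LDAP Sync validation handlers and removing the RDN pre-process handlers) can be applied in one repeatable pass between the export and import commands. The following script is an added example, not Oracle's tooling; it assumes the handlers are direct children of the root element, and the sample document (root element name, namespace URI, com.example handler) is constructed.

```python
import xml.etree.ElementTree as ET

PKG = "oracle.iam.ldapsync.impl.eventhandlers.user."
VALIDATION_CLASS = PKG + "UserCommonNameValidationHandler"
RDN_CLASS = PKG + "RDNPreProcessHandler"

# Constructed stand-in for an exported EventHandlers.xml. The root element
# name, the namespace URI and the com.example handler are assumptions.
SAMPLE_EVENT_HANDLERS = """<eventhandlers xmlns="urn:example:constructed">
  <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
  </action-handler>
  <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="MODIFY" name="ModifyUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
  </action-handler>
  <action-handler class="com.example.CustomPostProcessHandler" entity-type="User" operation="CREATE" name="CustomPostProcessHandler" stage="postprocess" sync="TRUE" order="2000"/>
</eventhandlers>
"""


def local_name(tag):
    """Strip a '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def patch_event_handlers(xml_text):
    """Apply both edits; return (patched_xml, changes). Safe to run twice.

    ElementTree drops XML comments and the XML declaration, so diff the
    result against the exported file before importing it.
    """
    root = ET.fromstring(xml_text)
    namespace = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    if namespace:
        ET.register_namespace("", namespace)  # keep it as the default namespace
    changes = []

    # Remove the RDN pre-process handlers (CREATE and MODIFY).
    for handler in list(root):
        if (local_name(handler.tag) == "action-handler"
                and handler.get("class") == RDN_CLASS
                and handler.get("stage") == "preprocess"):
            root.remove(handler)
            changes.append(("removed", handler.get("name")))

    # Add the validation handlers that are not already present.
    present = {
        h.get("operation") for h in root
        if local_name(h.tag) == "validation-handler"
        and h.get("class") == VALIDATION_CLASS
    }
    tag = "{%s}validation-handler" % namespace if namespace else "validation-handler"
    for operation in ("MODIFY", "CREATE"):
        if operation not in present:
            ET.SubElement(root, tag, {
                "class": VALIDATION_CLASS,
                "entity-type": "User",
                "operation": operation,
                "name": "UserCommonNameValidationHandler",
                "order": "1005",
                "sync": "TRUE",
            })
            changes.append(("added", operation))
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    patched, applied = patch_event_handlers(SAMPLE_EVENT_HANDLERS)
    print(applied)
    print(patched)
```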

11.4.5 Changes to Request API After Upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2.0)

As part of the Oracle Identity Manager 11g Release 2 (11.1.2.2.0) architecture, changes are introduced to the RequestService and UnauthenticatedRequestService APIs, both in how they are used and in the concepts involved. The Request Template concept is no longer part of Oracle Identity Manager 11g Release 2 (11.1.2.2.0), and some methods in these APIs are deprecated. Also, the RequestTemplateService API is completely deprecated.

11.4.5.1 API Methods Deprecated in RequestService

The following is a list of API methods deprecated in RequestService:

  • public List<String> getTemplateNames() throws RequestServiceException

  • public RequestModel getModelForTemplate(String templateName) throws RequestServiceException

  • public RequestDataSet getRestrictedDataSet(String templateName, String entityType) throws RequestServiceException

  • public RequestTemplate getTemplate(String templateName) throws RequestServiceException

  • public void updateApproverOnlyData(String reqId, List<RequestBeneficiaryEntity> benEntities, List<RequestEntity> reqEntities) throws RequestServiceException

  • public List<String> getTemplateNamesForSelf() throws RequestServiceException

  • public List<RequestTemplate> getRequestTemplates(RequestTemplateSearchCriteria searchCriteria, Set<String> returnAttrs, Map<String,Object> configParams) throws RequestServiceException

The following is a list of API methods deprecated because comments are now stored using the SOA Human Task comments feature:

  • public void addRequestComment(String reqId, RequestComment comment) throws RequestServiceException

  • public List<RequestComment> getRequestComments(String reqId) throws RequestServiceException

  • public List<RequestComment> getRequestComments(String reqId, RequestComment.TYPE type) throws RequestServiceException

  • public List<RequestComment> getRequestComments(String reqId, String taskId, RequestComment.TYPE type) throws RequestServiceException

11.4.5.2 API Methods Deprecated in UnauthenticatedRequestService

The following is a list of API methods deprecated in UnauthenticatedRequestService:

  • public List<String> getTemplateNames() throws RequestServiceException

  • public RequestTemplate getTemplate(String templateName) throws RequestServiceException

  • public RequestDataSet getRestrictedDataSet(String templateName, String entitySubType) throws RequestServiceException

11.4.5.3 SELF Request Types Deprecated

Request types which were used to perform SELF operations have been deprecated. These operations include the following:

  • Self Modify User

  • Self Assign Roles

  • Self Remove Roles

  • Self Provision Resource

  • Self De-provision Resource

  • Self Modify Resource

You can continue with these operations by using the corresponding non-self request types.

11.4.5.4 API Methods That Have Changed in Terms of Usage

The only method whose usage has changed is RequestService.submitRequest()/UnauthenticatedRequestService.submitRequest(). The API method signature remains the same. However, the way RequestData value objects are created has changed. The changes are covered in the following sections:

11.4.5.4.1 Changes to Entity-Type

Changes to entity-type include the following:

  • Resource entity-type is replaced with Application Instance.

    Beginning with Oracle Identity Manager 11g Release 2 (11.1.2.2.0), to create any provision, revoke, disable, or enable account type of request, the entityType property must be set to ApplicationInstance instead of Resource.

  • A new entity-type called Entitlement is introduced in Oracle Identity Manager 11g Release 2 (11.1.2.2.0). Oracle Identity Manager supports creating Provision Entitlement and Revoke Entitlement type of requests.

11.4.5.4.2 Changes to Value Objects

Changes to the value objects related to RequestData include the following:

  • The requestTemplateName property, which was a part of the oracle.iam.request.vo.RequestData value object, is deprecated. Even if you set this property, it is not honoured.

  • A new property called operation is introduced in oracle.iam.request.vo.RequestEntity and oracle.iam.request.vo.RequestBeneficiaryEntity value objects. It is mandatory to set this property while creating the value objects. You can use the following constants defined in oracle.iam.request.vo.RequestConstants class.

    • MODEL_CREATE_OPERATION – Create User operation

    • MODEL_MODIFY_OPERATION – Modify User operation

    • MODEL_DELETE_OPERATION – Delete User operation

    • MODEL_ENABLE_OPERATION – Enable User operation

    • MODEL_DISABLE_OPERATION – Disable User operation

    • MODEL_ASSIGN_ROLES_OPERATION – Assign Roles operation

    • MODEL_REMOVE_ROLES_OPERATION – Remove Roles operation

    • MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION – Provision Application Instance operation

    • MODEL_MODIFY_ACCOUNT_OPERATION – Modify Account operation

    • MODEL_REVOKE_ACCOUNT_OPERATION – Revoke Account operation

    • MODEL_ENABLE_ACCOUNT_OPERATION – Enable Account operation

    • MODEL_DISABLE_ACCOUNT_OPERATION – Disable Account operation

    • MODEL_PROVISION_ENTITLEMENT_OPERATION – Provision Entitlement operation

    • MODEL_REVOKE_ENTITLEMENT_OPERATION – Revoke Entitlement operation

    • MODEL_ACCESS_POLICY_PROVISION_APPINSANCE_OPERATION – Access Policy based provisioning operation

  • While creating RequestEntity or RequestBeneficiaryEntity value objects, you can also use the following method to set the entityType property:

    public void setRequestEntityType(oracle.iam.platform.utils.vo.OIMType type)

    type - OIMType.Role/ OIMType.ApplicationInstance/OIMType.Entitlement/ OIMType.User

11.4.5.4.3 Code Examples

Listed below are some code examples:

  • Create a RequestData for a Create User operation as follows:

    RequestData requestData = new RequestData("Create User");
    requestData.setJustification("Creating User John Doe");
    String usr = "John Doe";
    
    RequestEntity ent = new RequestEntity();
    ent.setEntityType(RequestConstants.USER);
    ent.setOperation(RequestConstants.MODEL_CREATE_OPERATION); //New in R2
    List<RequestEntityAttribute> attrs = new ArrayList<RequestEntityAttribute>();
     
    RequestEntityAttribute attr = new RequestEntityAttribute("Last Name", usr, RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    attr = new RequestEntityAttribute("First Name", usr, RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    attr = new RequestEntityAttribute("User Login", usr, RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    attr = new RequestEntityAttribute("Password", "Welcome123", RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    attr = new RequestEntityAttribute("Organization", 1L, RequestEntityAttribute.TYPE.Long);
    attrs.add(attr);
    attr = new RequestEntityAttribute("User Type", false, RequestEntityAttribute.TYPE.Boolean);
    attrs.add(attr);
    attr = new RequestEntityAttribute("Role", "Full-Time", RequestEntityAttribute.TYPE.String);
    attrs.add(attr);
    ent.setEntityData(attrs);
     
    List<RequestEntity> entities = new ArrayList<RequestEntity>();
    entities.add(ent);
    requestData.setTargetEntities(entities);
     
    //Submit the request with the above requestData
    
  • Create a RequestData for an Assign Roles operation as follows:

    RequestData requestData = new RequestData();
    
    requestData.setJustification("Assigning IDC ADMIN Role(role key 201) to user with key 121");
     
    RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
    ent1.setRequestEntityType(oracle.iam.platform.utils.vo.OIMType.Role);
    ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_ASSIGN_ROLES_OPERATION); //New in R2
    ent1.setEntitySubType("IDC ADMIN");
    ent1.setEntityKey("201");
     
    List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
    entities.add(ent1);
     
    Beneficiary beneficiary = new Beneficiary();
    beneficiary.setBeneficiaryKey("121");
    beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
    beneficiary.setTargetEntities(entities);
     
    List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
    beneficiaries.add(beneficiary);
    requestData.setBeneficiaries(beneficiaries);
     
    //Submit the request with the above requestData
    
  • Create a RequestData for a Provision Application Instance operation as follows:

    RequestData requestData = new RequestData();
     
    requestData.setJustification("Creating AD User (app instance key 201) account to user with key 121");
     
    RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
    ent1.setRequestEntityType(oracle.iam.platform.utils.vo.OIMType.ApplicationInstance);
    ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION);
    ent1.setEntitySubType("AD User");
    ent1.setEntityKey("201");
    
    List<RequestBeneficiaryEntityAttribute> attrs = new ArrayList<RequestBeneficiaryEntityAttribute>();
    //Update 'attrs' above with all the data specific to AD User form.
    ent1.setEntityData(attrs);
     
    List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
    entities.add(ent1);
    
    Beneficiary beneficiary = new Beneficiary();
    beneficiary.setBeneficiaryKey("121");
    beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
    beneficiary.setTargetEntities(entities);
     
    List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
    beneficiaries.add(beneficiary);
    requestData.setBeneficiaries(beneficiaries);
    //Submit the request with the above requestData
    
  • Create a RequestData for a Provision Entitlement operation as follows:

    RequestData requestData = new RequestData();
    Beneficiary beneficiary1 = new Beneficiary();
    beneficiary1.setBeneficiaryKey("222");
    beneficiary1.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
     
    RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
    ent1.setEntityType(RequestConstants.ENTITLEMENT);
    ent1.setEntitySubType("AD USER ENTITLEMENT1");
    ent1.setEntityKey("122");
    ent1.setOperation(RequestConstants.MODEL_PROVISION_ENTITLEMENT_OPERATION);
     
    List<RequestBeneficiaryEntity> entities1 = new ArrayList<RequestBeneficiaryEntity>();
    entities1.add(ent1);
    beneficiary1.setTargetEntities(entities1);
     
    List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
    beneficiaries.add(beneficiary1);
    requestData.setBeneficiaries(beneficiaries);
    //Submit the request with the above requestData
    

11.4.6 Enabling Oracle Identity Manager-Oracle Access Manager Integration After Upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2.0)

Note:

Perform this task only if you want to integrate Oracle Identity Manager with Oracle Access Manager for single sign-on, after upgrading to Oracle Identity Manager 11.1.2.2.0.

Ensure that Oracle Access Manager is at release 11.1.1.5.2 or later.

If you want to integrate Oracle Identity Manager 11.1.2.2.0 with Oracle Access Manager for single sign-on, then you must upgrade Oracle Access Manager to 11.1.1.5.2 or later. If your Oracle Access Manager version is less than 11.1.1.5.2, the auto-login functionality does not work.

After upgrading to Oracle Identity Manager 11.1.2.2.0, upgrade Oracle Identity Manager and Oracle Access Manager configurations for auto-login functionality to work. After upgrading the configurations, NAP protocol is replaced by TAP protocol for communication between Oracle Identity Manager and Oracle Access Manager.

The following topics provide upgrade instructions for two possible scenarios:

Before you begin the upgrade configuration procedures, see "Using the idmConfigTool Command" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite for more information about the idmConfigTool.

11.4.6.1 Using 10g WebGate for Oracle Identity Manager-Oracle Access Manager Integration

If you are using 10g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:

  1. In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in the <DOMAIN_HOME>/output directory.

  2. In the idmConfigTool, run configOIM. In a cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:

    • OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>

    • OAM11G_WLS_ADMIN_PORT: <OAM admin server port>

    • OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>

    Note:

    When running the configOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.

    The WEBGATE_TYPE property should be specified as ohsWebgate10g.

  3. Restart the Administration and Managed Servers. In the case of a cross domain setup, restart servers from both the domains.

    Restart the Oracle Identity Manager Administration Server and Managed server as follows:

    On UNIX:

    <MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh

    <MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>

    On Windows:

    <MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd

    <MW_HOME>\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>

    For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

11.4.6.2 Using 11g WebGate for Oracle Identity Manager-Oracle Access Manager Integration

If you are using 11g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:

  1. In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in the <DOMAIN_HOME>/output directory.

  2. In the idmConfigTool, run configOIM. In cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:

    • OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>

    • OAM11G_WLS_ADMIN_PORT: <OAM admin server port>

    • OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>

    Note:

    When running the configOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.

    The WEBGATE_TYPE property should be specified as ohsWebgate11g.

  3. Restart the Administration and Managed servers. In the case of a cross domain setup, restart servers from both the domains.

    Restart the Oracle Identity Manager Administration Server and Managed server as follows:

    On UNIX:

    <MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh

    <MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>

    On Windows:

    <MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd

    <MW_HOME>\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>

    For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
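
The cross-checks required by the notes in Sections 11.4.6.1 and 11.4.6.2, as an added example that is not part of the Oracle documentation: a shell pre-flight check over the property files passed to configOAM and configOIM. It assumes one "KEY: value" pair per line; the function names, file names, and sample values are constructed for this example.

```shell
#!/bin/sh
# Added example: pre-flight check for the property files given to the
# idmConfigTool configOAM and configOIM options.
# Assumption: one "KEY: value" pair per line, '#' starts a comment line.
# Run with the single argument "demo" to exercise it on constructed files.

# get_prop FILE KEY -> prints the trimmed value of KEY, or nothing if absent.
get_prop() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            sep = index($0, ":")
            if (sep == 0) next
            k = substr($0, 1, sep - 1)
            v = substr($0, sep + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v      # last occurrence wins
        }
        END { if (val != "") print val }
    ' "$1"
}

# check_oim_oam_props OAM_FILE OIM_FILE WEBGATE_TYPE [cross_domain: yes|no]
# Prints one line per problem. Returns 0 if clean, 1 on findings, 2 on usage errors.
check_oim_oam_props() {
    cp_oam=$1 cp_oim=$2 cp_type=$3 cp_cross=${4:-no} cp_bad=0
    for cp_f in "$cp_oam" "$cp_oim"; do
        [ -r "$cp_f" ] || { echo "UNREADABLE $cp_f"; return 2; }
    done
    case "$cp_type" in
        ohsWebgate10g|ohsWebgate11g) ;;
        *) echo "USAGE WEBGATE_TYPE must be ohsWebgate10g or ohsWebgate11g"; return 2 ;;
    esac
    # configOIM must repeat the values that were given to configOAM.
    for cp_key in OAM_TRANSFER_MODE ACCESS_GATE_ID; do
        cp_a=$(get_prop "$cp_oam" "$cp_key")
        cp_b=$(get_prop "$cp_oim" "$cp_key")
        if [ -z "$cp_a" ] || [ -z "$cp_b" ]; then
            echo "MISSING $cp_key (configOAM='$cp_a' configOIM='$cp_b')"
            cp_bad=$((cp_bad + 1))
        elif [ "$cp_a" != "$cp_b" ]; then
            echo "MISMATCH $cp_key (configOAM='$cp_a' configOIM='$cp_b')"
            cp_bad=$((cp_bad + 1))
        fi
    done
    # WEBGATE_TYPE must match the WebGate release in use.
    cp_wg=$(get_prop "$cp_oim" WEBGATE_TYPE)
    if [ "$cp_wg" != "$cp_type" ]; then
        echo "WRONG WEBGATE_TYPE (found='$cp_wg' expected='$cp_type')"
        cp_bad=$((cp_bad + 1))
    fi
    # Extra properties needed when OIM and OAM are in different WebLogic domains.
    if [ "$cp_cross" = yes ]; then
        for cp_key in OAM11G_WLS_ADMIN_HOST OAM11G_WLS_ADMIN_PORT OAM11G_WLS_ADMIN_USER; do
            if [ -z "$(get_prop "$cp_oim" "$cp_key")" ]; then
                echo "MISSING $cp_key (required for a cross-domain setup)"
                cp_bad=$((cp_bad + 1))
            fi
        done
    fi
    [ "$cp_bad" -eq 0 ]
}

demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/configOAM.props" <<'EOF'
# constructed sample values, not from a real deployment
OAM_TRANSFER_MODE: simple
ACCESS_GATE_ID: Webgate_EXAMPLE
EOF
    cat > "$d/configOIM.props" <<'EOF'
# constructed sample values, not from a real deployment
OAM_TRANSFER_MODE: open
ACCESS_GATE_ID: Webgate_EXAMPLE
WEBGATE_TYPE: ohsWebgate10g
OAM11G_WLS_ADMIN_HOST: oamadmin.example.com
OAM11G_WLS_ADMIN_PORT: 7001
EOF
    check_oim_oam_props "$d/configOAM.props" "$d/configOIM.props" ohsWebgate11g yes
    demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}

if [ "${1:-}" = demo ]; then demo; fi
```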

11.4.7 Running the Entitlement List Schedule

You must run the Entitlement List Schedule task in order to use catalog features.

Complete the following steps to run the Entitlement List Schedule job:

  1. Log in to the following location:

    http://<OIM_HOST>:<OIM_PORT>/sysadmin

  2. Click System Management.

  3. Select Scheduler.

  4. Enter "Entitlement List" in the Search Scheduled Jobs field and click Search.

  5. Select Entitlement List.

  6. Click Run Now. Wait till the job is complete.

11.4.8 Running the Evaluate User Policies Scheduled Task

You must run the Evaluate User Policies scheduled task to start provisioning based on access policy after the role grant. This scheduled task can be configured to run every 10 minutes, or you can run this scheduled task manually.

To start the scheduler, see "Starting and Stopping the Scheduler" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

11.4.9 Running Catalog Synchronization

Resource objects are transformed during the upgrade process. In order to provision the resource of an object, called App instance, with Oracle Identity Manager 11.1.2.2.0, you must run the Catalog Synchronization job.

For more information, see "Bootstrapping the Catalog" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

Note:

If no Entitlements show up, make sure that the entitlements field in the child tables is set to Entitlement=true and reloaded into the parent form.

11.4.10 UMS Notification Provider

This is a new Oracle Identity Manager 11.1.2.2.0 feature for notification. If you want to use this new notification model, after upgrading to 11.1.2.2.0, complete the following steps:

  1. Configure E-mail driver from Enterprise Manager user interface:

    1. Log in to Oracle Enterprise Manager Fusion Middleware Control and do the following:

      i. Expand Application Deployments.

      ii. Expand User Messaging Service.

      iii. Select usermessagingdriver-email (<soa_server1>).

      iv. Select Email Driver Properties.

      v. Select in Driver-Specific Configuration.

    2. Configure the values, as listed in Table 11-15:

      Table 11-15 UMS Parameters and Description

      | Parameter | Description |
      |---|---|
      | OutgoingMailServer | Name of the SMTP server. For example: abc.example.com |
      | OutgoingMailServerPort | Port of the SMTP server. For example: 456 |
      | OutgoingMailServerSecurity | The security setting used by the SMTP server. Possible values can be None/TLS/SSL. |
      | OutgoingUsername | Provide a valid username. For example: abc.eg@example.com |
      | OutgoingPassword | Complete the following: 1. Select Indirect Password. Create a new user. 2. Provide a unique string for indirect Username/Key. For example: OIMEmailConfig. This masks the password and prevents it from being exposed in cleartext in the config file. 3. Provide a valid password for this account. |


  2. Configure the Notification provider XML through the Enterprise Manager user interface:

    1. Log in to Enterprise Manager and do the following:

      i. Expand Application Deployments.

      ii. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.

      iii. Select System MBean Browser.

      iv. Expand Application Defined MBeans.

      v. Expand oracle.iam.

      vi. Expand Server_OIM_Server1

      vii. Expand Application: oim.

      viii. Expand IAMAppRuntimeMBean.

      ix. Select UMSEmailNotificationProviderMBean.

    2. Configure the values, as listed in Table 11-16:

      Table 11-16 Parameter for Configuring Notification Provider

      | Parameter | Description |
      |---|---|
      | Web service URL | URL of the UMS web service. Any SOA server can be used. For example: http://<SOA_host>:<SOA_Port>/ucs/messaging/webservice |
      | Policies | The OWSM policy that is attached to the given web service. Leave it blank. |
      | Username | The username given in the security header of the web service. If there is no policy attached, leave it blank. |
      | Password | The password given in the security header of the web service. If there is no policy attached, leave it blank. |


After upgrading to 11.1.2.2.0, if you want to use SMTP notification provider instead of the default UMS notification provider, do the following:

  1. Log in to Enterprise Manager and do the following:

    1. Expand Application Deployments.

    2. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.

    3. Select System MBean Browser.

    4. Expand Application Defined MBeans.

    5. Expand oracle.iam.

    6. Expand Server_OIM_Server1

    7. Expand Application: oim.

    8. Expand IAMAppRuntimeMBean.

    9. Select UMSEmailNotificationProviderMBean.

  2. Ensure that the value of the attribute Enabled is set to true.

  3. Provide the configuration values in MBean (username, password, mailServerName) or the name of IT Resource in MBean.

    The IT Resource name is the name given in XL.MailServer system property, before you upgrade Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0.

11.4.11 Upgrading User UDF

You must have UDFs in your environment, because if you do not update your user interface with UDFs, several features where UDFs are involved, such as user creation, role creation, and self registration requests, fail.

This section contains the following topics:

11.4.11.1 Rendering the UDFs

For an Oracle Identity Manager 11.1.2.2.0 environment that has been upgraded from Oracle Identity Manager 11.1.1.x.x, the custom attributes for user entity already exist in the back-end. These attributes are not present as form fields on the Oracle Identity Manager 11.1.2.2.0 user interface screens until the user screens are customized to add the custom fields.

However, before you can customize the screens, you must first complete upgrading the custom attributes using the Upgrade User Form link in the System Administration console.

After completing the Upgrade User Form, the User value object (VO) instances in various Data Components like DataComponent-Catalog, DataComponent-My Information, and DataComponent-User Registration show the custom attributes. This includes all custom attributes available for Web Composer (Customized) and can be added to User user interface screens.

For more information, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

Complete the following steps to render UDFs:

  1. Log in to the Identity System Administration console.

  2. Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.

  3. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  4. Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.

    Note:

    If an error message is displayed after clicking the Upgrade Now button, it is important that you analyze the error. You must also export the Sandbox for analysis and then discard (Delete) the sandbox. This note also applies to Upgrade Role Form and Upgrade Organization Form.

  5. Publish the Sandbox.

  6. Log out from Identity System Administration console.

  7. Log in to Identity Self Service console.

  8. Click Create Sandbox. A Create Sandbox window appears.

  9. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  10. From the left navigation pane, select Users.

  11. Click Create User. A Create User page opens. Fill up all the mandatory fields. Add the same UDFs in Modify User and User Detail screen. Select the correct Data Component and UserVO Name as listed in Table 11-17.

    For example:

    From the left navigation pane, click Users. Click User to go to the Create User screen and fill all mandatory fields.

  12. Click Customize on top right. Select View. Select Source.

  13. Select Name in Basic Information and click Edit on the confirmation window.

  14. Select panelFormLayout. Click Add Content.

  15. Select the correct Data Component and VO Name as listed in Table 11-17:

    Table 11-17 UDF Screens and Description

    | Screen Name | Data Component | VO Name | Procedure |
    |---|---|---|---|
    | Create User | Data Component - Catalog | UserVO | Do the following: 1. Click User. 2. Click Create, it launches the Create User screen. |
    | Modify User | Data Component - Catalog | UserVO | Do the following: 1. Click User and search. 2. Select a single user from search results. 3. Click Edit, it launches the Modify User screen. |
    | View User Details | Data Component - Manage Users | UserVO1 | Do the following: 1. Click User and search. 2. Select a single user from search results. |
    | Bulk Modify User Flow | Data Component - Catalog | UserVO | Do the following: 1. Click User and search. 2. Select more than a single user from search results. |
    | My Information | Data Component - My Information | UserVO1 | Do the following: 1. Click Identity. 2. Select the My Information sub-tab. |
    | Customizing Search Results | Data Component - Manage Users | UserVO1 | Do the following: 1. Click Identity. 2. Click Users. 3. Click Customizations, it opens the Web Composer. |
    | User Registration | Data Component - User Registration | UserVO1 | Do the following: 1. Click Customize to open Web Composer. 2. Enable the left navigation links for unauthenticated pages. 3. Click User Registration. 4. Select User Registration. |
    | Adding UDF in Search Panel | NA | NA | Do the following: 1. Log in to Identity. 2. Click User. 3. Search for "Add Fields" in the search box. It shows all searchable fields to the user. |
    | Customizing Request Summary/Details | NA | NA | Requests created after Create User, Modify User, My Information, Self Registration. |


  16. Click Close.

  17. Click Sandboxes. Export the sandbox using Export Sandbox.

  18. Publish the sandbox.

  19. Log out from Identity Self Service, and log in again. The added UDF appears on the screen.

    Note:

    You can upgrade and customize Role UDF and Organization UDF by following the instructions described in the table "Entities and Corresponding Data Components and View Objects" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

11.4.11.2 User Interface Customization for 11.1.1.x.x Mandatory UDF and OOTB Attributes

If you have rendered the OOTB attributes as mandatory in Oracle Identity Manager 11.1.1.x.x, you must customize the user interface in order to achieve the same customizations after upgrade.

  1. Log in to Identity System Administration console.

  2. Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.

  3. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  4. Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.

  5. Publish the Sandbox.

  6. Log out from Identity System Administration console.

  7. Log in to Identity Self Service console.

  8. Click Create Sandbox. A Create Sandbox window appears.

  9. Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.

  10. From the left navigation pane, click Users. Click User to go to the Create User screen and fill all the mandatory fields.

  11. Click Customize on top right. Select View. Select Source.

  12. Select Name in Basic Information and click Edit on the confirmation window.

  13. Select panelFormLayout. Click Add Content.

  14. Click Input Component and click Edit.

  15. On the Component Properties dialogue, select Show Required check box. In the Required field, select Expression Editor, and in the Expression Editor field, enter the value as true.

  16. Click Close.

  17. Click Sandboxes. Export the sandbox using Export Sandbox.

  18. Publish the sandbox.

  19. Log out from Identity Self Service, and log in again. The added UDF appears on the screen with an asterisk (*) symbol.

11.4.11.3 Lookup Query Modification

In user customization upgrade, multiple values for the Save Column may exist in User.xml. Based on the possible values (single, multiple, and null), do the following in the upgraded environment:

  • Use Single value for Save Column: User creation is successful, and the value of the field is also saved in database.

  • Use Multiple or NULL value for Save Column: User creation is successful, but the value is not saved in database.

Recommendation

Update the Lookup By Query metadata definition attached to an attribute in User or Role through Config Service or Design Console.

For more information, see Section 11.3.16, "Upgrading Oracle Identity Manager Design Console".

11.4.12 Upgrading Application Instances

After you complete the upgrade, you must complete the following steps to upgrade Application Instances:

  1. Log in to the following console:

    http://<OIM_HOST>:<OIM_PORT>/sysadmin

  2. Expand Upgrade on the left navigation pane.

  3. Click Upgrade Application Instances.

This creates the UI forms and datasets for the Application Instances, and seeds them to MDS.

11.4.13 Redeploying XIMDD

Note:

This section is required only if the Diagnostic Dashboard services for AD Password Sync were deployed in 11.1.1.x.x and if your application is deployed in staging mode in 11.1.1.x.x.

Before you can re-deploy, you must undeploy XIMDD from the 11.1.1.x.x Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. If you are running in production mode, click Lock and Edit.

  3. Click Deployments.

  4. In the resulting list, look for XIMDD.

  5. If it is running, select XIMDD.

  6. Click Delete.

  7. Activate the changes.

To redeploy, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. Click Lock & Edit.

  3. Click Deployments.

  4. Click Install.

  5. In the path, provide the path for XIMDD.ear.

    The default path is in the following location:

    On UNIX, $<OIM_HOME>/server/webapp/optional

    On Windows, <OIM_HOME>\server\webapp\optional

  6. Select XIMDD.ear. Click Next.

  7. Select Install this deployment as an application. Click Next.

  8. In Select deployment targets page, select oim server. Click Next.

  9. In the Optional Setting page, click Finish.

  10. Click Deployments.

  11. Select XIMDD. Click Start.

  12. From the options, select Service All Requests.

11.4.14 Redeploying SPML-DSML

Note:

This section is required only if the DSML web services for AD Password Sync were deployed in 11.1.1.x.x.

Before you can redeploy, you must undeploy SPML-DSML from the 11.1.1.x.x Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:

  1. Log in to the WebLogic Server Administration console:

    host:admin port/console

  2. If you are running in production mode, obtain the Lock in order to make updates.

  3. Click Deployments.

  4. In the resulting list, look for spml.

  5. If it is running, select spml.

  6. Click Delete.

  7. Activate the changes.

To redeploy, complete the following steps:

  1. Log in to WebLogic Server Administration console through the following path:

    host:admin port/console

  2. Click Lock & Edit.

  3. Click Deployments.

  4. Click Install.

  5. In the path provide the path for spml.ear.

    The default path is in the following location:

    On UNIX, $<OIM_HOME>/server/apps

    On Windows, <OIM_HOME>\server\apps

  6. Select spml-dsml.ear. Click Next.

  7. Select Install this deployment as an application. Click Next.

  8. In Select deployment targets page, select oim server. Click Next.

  9. In the Optional Setting page, click Finish.

  10. Click Deployments.

  11. Select spml. Click Start.

  12. From the options, select Service All Requests.

11.4.15 Customizing Event Handlers

If you have used any event handlers in Oracle Identity Manager 11.1.1.x.x, you must re-customize the event handler for Oracle Identity Manager 11.1.2.2.0.

For more information, see "Developing Custom Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

11.4.16 Upgrading SOA Composites

You must manually upgrade OOTB composites and custom composites built before upgrading to 11.1.2.2.0.

This section contains the following topics:

Note:

Redeploying a composite moves all pending tasks to STALE state. Oracle recommends that you close any pending tasks before upgrading the composites.

11.4.16.1 OOTB Composites Not Modified Before Upgrading

Upgrade the OOTB composites that were not modified (using either JDeveloper or SOA Composer) before you upgraded to Oracle Identity Manager 11.1.2.2.0. Complete the following steps to upgrade the DefaultRequestApproval composite:

  1. Move from your present working directory to the <OIM_ORACLE_HOME>/server/workflows directory by running the following command on the command line:

    On UNIX:

    cd <OIM_ORACLE_HOME>/server/workflows

    On Windows:

    cd <OIM_ORACLE_HOME>\server\workflows

  2. Unzip DefaultRequestApproval.zip.

  3. Log in to the Oracle Enterprise Manager console:

    http://<host>:<port>/em

  4. Expand Farm_<oim_domain_name>_d > SOA -> soa-infra -> default.

  5. Right click DefaultRequestApproval[1.0] and select SOA Deployment -> Redeploy.

  6. Select Archive is on the machine where Enterprise Manager is running.

  7. Provide the absolute path to the sca jar for DefaultRequestApproval composite:

    On UNIX:

    <OIM_HOME>/server/workflows/composites/DefaultRequestApproval/deploy/sca_DefaultRequestApproval_rev1.0.jar

    On Windows:

    <OIM_HOME>\server\workflows\composites\DefaultRequestApproval\deploy\sca_DefaultRequestApproval_rev1.0.jar

  8. Select No Configuration plan is required.

  9. Click Next.

  10. Select Deploy as default revision.

  11. Click Redeploy.

Repeat steps 2 to 11 for the remaining composites, which were not modified before upgrading to Oracle Identity Manager 11.1.2.2.0.

Note:

DefaultResourceAuthorizer and DefaultResourceAdministrator are no longer supported in 11.1.2.2.0.

11.4.16.2 OOTB Composites Modified Before Upgrading And Custom Composites

Upgrade the custom composites that were created before you upgraded to Oracle Identity Manager 11.1.2.2.0, and the OOTB composites that were modified (using either JDeveloper or SOA Composer) before the upgrade. Complete the following steps to upgrade the DefaultRequestApproval composite:

  1. Open the SOA composite project in JDeveloper (use JDeveloper 11.1.1.6.0).

  2. Open ApprovalTask.task file in designer mode.

  3. Select General.

  4. Change Owner to Group, SYSTEM ADMINISTRATORS, STATIC.

  5. Select Outcomes lookup. An Outcomes Dialog opens.

  6. Select Outcomes Requiring Comment.

  7. Select Reject and click OK.

  8. Click OK again.

  9. Select Notification.

  10. Click on the update icon under Notification. Update any old URLs in notification with the corresponding new URL in 11.1.2.2.0. An example notification content is given below:

    A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR>
    Request ID: <%/task:task/task:payload/task:RequestID%> <BR>
    Request type: <%/task:task/task:payload/task:RequestModel%> <BR>
    <BR>
    Access this task in the 
    <A 
    style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details
    >
    Identity Self Service
    </A>
     application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request
    
  11. Click Advanced.

  12. Deselect Show worklist/workspace URL in notifications. Provide the URL to Pending Approvals in identity application as shown in the example in step 10.

  13. Repeat steps 1 to 12 for other human tasks, if any, in the composite. Save your work.

  14. Right-click Project and select Deploy -> Deploy to Application Server.

  15. Provide a revision ID. Select Mark revision as default and Overwrite any existing composite with same revision ID.

    Note:

    You can also deploy the composites with a different revision ID. In that case, you have to modify all approval policies that use this composite.

  16. Select your application server connection, if it already exists, and click Next. Create an application server connection if it does not exist.

  17. Click Next.

  18. Click Finish.

Repeat the procedure for the remaining custom composites and modified OOTB composites as well.

11.4.17 Provisioning Oracle Identity Management Login Modules Under WebLogic Server Library Directory

Note:

This task is required only if OIMAuthenticator.jar is already present under the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory.

Apply the following steps across all the WebLogic Server homes in the domain:

On UNIX:

  1. Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>/server/loginmodule/wls directory to <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:

    cp <OIM_ORACLE_HOME>/server/loginmodule/wls/* <MW_HOME>/wlserver_10.3/server/lib/mbeantypes/

  2. Move from your present working directory to the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:

    cd <MW_HOME>/wlserver_10.3/server/lib/mbeantypes

  3. Change the permissions on these files to 750 by using the chmod command:

    chmod 750 *

  4. Restart all servers in the domain.

On Windows:

  1. Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>\server\loginmodule\wls directory to <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:

    cp <OIM_ORACLE_HOME>\server\loginmodule\wls\* <MW_HOME>\wlserver_10.3\server\lib\mbeantypes

  2. Move from your present working directory to the <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:

    cd <MW_HOME>\wlserver_10.3\server\lib\mbeantypes

  3. Change the permissions on these files to 750 by using the chmod command:

    chmod 750 *

  4. Restart all servers in the domain.
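The UNIX procedure above, written as a repeatable check for one WebLogic Server home. This is an added example, not Oracle's script: it copies only the four jars named in step 1 instead of `*`, so other files in mbeantypes keep their permissions, and the function names and the use of `cmp` and `find -perm` for verification are assumptions of the example.

```shell
#!/bin/sh
# Added example: provision and verify the OIM login modules in one WebLogic home.
# The jar names are the four listed in step 1 of this section.
OIM_JARS="OIMAuthenticator.jar oimmbean.jar oimsigmbean.jar oimsignaturembean.jar"

# provision_login_modules SRC_DIR DEST_DIR
# Returns 2 when the task does not apply, 1 on error, 0 on success.
provision_login_modules() {
    src=$1; dest=$2
    # The task is required only where OIMAuthenticator.jar is already present.
    [ -f "$dest/OIMAuthenticator.jar" ] || {
        echo "skip: no OIMAuthenticator.jar in $dest" >&2; return 2; }
    # Refuse a partial copy: all four source jars must exist first.
    for jar in $OIM_JARS; do
        [ -f "$src/$jar" ] || { echo "missing source: $src/$jar" >&2; return 1; }
    done
    for jar in $OIM_JARS; do
        cp "$src/$jar" "$dest/$jar" || return 1
        chmod 750 "$dest/$jar" || return 1
    done
}

# verify_login_modules SRC_DIR DEST_DIR
# Prints one line per problem and returns the number of problems found.
verify_login_modules() {
    src=$1; dest=$2; bad=0
    for jar in $OIM_JARS; do
        if [ ! -f "$dest/$jar" ]; then
            echo "MISSING  $dest/$jar"; bad=$((bad + 1))
        elif ! cmp -s "$src/$jar" "$dest/$jar"; then
            # An older authenticator jar left in place after the upgrade.
            echo "STALE    $dest/$jar differs from $src/$jar"; bad=$((bad + 1))
        elif [ -z "$(find "$dest/$jar" -prune -perm 750)" ]; then
            echo "MODE     $dest/$jar is not 750"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```

Run both functions in every WebLogic Server home in the domain, passing the directories that correspond to `<OIM_ORACLE_HOME>/server/loginmodule/wls` and `<MW_HOME>/wlserver_10.3/server/lib/mbeantypes`, and restart the servers only after `verify_login_modules` returns 0 everywhere.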

11.4.18 Reviewing Performance Tuning Recommendations

After you upgrade to Oracle Identity Manager 11.1.2.2.0, you must review the Oracle Identity Manager specific performance tuning recommendations described in "Oracle Identity Manager Performance Tuning" in the Oracle Fusion Middleware Performance and Tuning Guide.

11.4.19 Authorization Policy Changes

If you have custom Authorization Policies in Oracle Identity Manager in 11g Release 1 (11.1.1.5.0), in order to create or modify users, you must assign new administrator roles in relation to User Administration, Role Administration, or Help Desk.

Table 11-18 lists the Administration roles in Oracle Identity Manager 11g, either removed or consolidated into the System Administrator Administration role for all system administrative operations in Oracle Identity Manager 11.1.2.2.0:

Table 11-18 Changes in Role from Oracle Identity Manager 11g to 11.1.2.2.0

| Sl No. | Roles in Oracle Identity Manager 11g | Roles Removed and Replaced in Oracle Identity Manager 11.1.2.2.0 |
|---|---|---|
| 1 | SCHEDULER ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 2 | DEPLOYMENT MANAGER ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 3 | NOTIFICATION TEMPLATE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 4 | SOD ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 5 | SYSTEM CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 6 | GENERATE_USERNAME_ROLE | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 7 | IDENTITY USER ADMINISTRATORS | Removed and replaced with USER ADMIN. |
| 8 | USER CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 9 | ACCESS POLICY ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 10 | RECONCILIATION ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 11 | RESOURCE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 12 | GENERIC CONNECTOR ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 13 | APPROVAL POLICY ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 14 | REQUEST ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 15 | REQUEST TEMPLATE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 16 | PLUGIN ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 17 | ATTESTATION CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
| 18 | ATTESTATION EVENT ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
| 19 | ROLE ADMINISTRATORS | Removed and replaced with ROLE ADMIN. |
| 20 | USER NAME ADMINISTRATOR | Removed and now depends on administration roles. |
| 21 | IDENTITY ORGANIZATION ADMINISTRATORS | Removed and replaced with ORGANIZATION ADMIN. |
| 22 | IT RESOURCE ADMINISTRATORS | Removed and replaced with APPLICATION INSTANCE ADMIN. |
| 23 | REPORT ADMINISTRATORS | No link to reports from Oracle Identity Manager. |
| 24 | SPML_APP_ROLE | There is no change in this enterprise role and a corresponding role with the privileges is seeded in Oracle Entitlements Server. |
| 25 | ALL USERS | This is an enterprise role, not an administrator role. |
| 26 | SYSTEM CONFIGURATORS | All privileges as System Administrator role, except for the ability to manage Users, Roles, Organizations and Provisioning remains unchanged. |
| 27 | SYSTEM ADMINISTRATORS | Remains unchanged. |


11.4.20 Creating Password Policies

When you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0, a default password policy will be seeded at the TOP organization. As a result, any password policy rules created using the older password policy model in the Oracle Identity Manager 11.1.1.x.x environment will not be supported. The upgrade utility does not migrate the password policies of Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0. If you had made any password policy customizations on the older password policy rules, you must create equivalent password policies using the newer password policy model, and attach them to the respective organization.

For information about creating password policies, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

11.4.21 Creating PeopleSoft Enterprise HRMS Reconciliation Profile

If you are upgrading Oracle Identity Manager 11.1.1.x.x with the PeopleSoft connector to Oracle Identity Manager 11.1.2.2.0, you must create a PeopleSoft HRMS reconciliation profile after you upgrade to 11.1.2.2.0. For information about creating a reconciliation profile, see "Updating Reconciliation Profiles Manually" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

11.4.22 Reviewing OIM Data Purge Job Parameters

This post-upgrade task is optional.

While upgrading Oracle Identity Manager to 11.1.2.2.0, the OIM Data Purge Job will be seeded in enabled state. By default, it will purge platform data with a retention period of 1 day for complete orchestration. To enable purging of requests, reconciliation, and provisioning tasks, you must revisit the OIM Data Purge Job parameters.

For information about the user-configurable attributes, see "Configuring Real-Time Purge and Archival" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

11.4.23 Migrating Customized Oracle Identity Manager Reports

For customized reports built on any version of Oracle BI Publisher between 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.6.4), you do not need to upgrade the custom reports. You can export your customized reports from your existing report repository and import the reports into your new 11.1.1.7.1 repository.

Customized reports built on Oracle BI Publisher 10g Release 3 (10.1.3.X) or later must be upgraded before they can be consumed by Oracle BI Publisher 11.1.1.7.1. You must use the Upgrade Assistant to upgrade the reports in the BI Publisher 10g repository. For more information, see "Task 5: Upgrade the BI Publisher Repository" in the Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.

11.4.24 Reviewing Connector Certification

Before you upgrade your existing Oracle Identity Manager environments, you must verify if the version of the existing connector is supported for Oracle Identity Manager 11.1.2.2.0. For information about the supported connector versions for Oracle Identity Manager 11.1.2.2.0, refer to the sections "Certified Components" and "Usage Recommendation" in the respective Connector Guide in Oracle Identity Manager Identity Connectors Documentation Library.

If you are using a 9.x connector or a GTC connector, do the following:

  • If the 9.x connector that you are using is supported, you can continue to use the existing connector.

  • If the 9.x connector is not supported, you must upgrade the existing 9.x connector to the latest 11.x connector after you upgrade the Oracle Identity Manager server to 11.1.2.2.0.

  • In the lookup populated through lookup reconciliation, verify that the code and decode values are prefixed with the IT Resource Key and the IT Resource name respectively. If not, you must upgrade the existing connector to the latest available connector after you upgrade the Oracle Identity Manager server.

If you are using an 11g connector, the connector upgrade is not required.

11.4.25 Verifying the Functionality of Connectors

After you upgrade Oracle Identity Manager to 11.1.2.2.0, complete the following steps to verify the functionality of connectors:

  • Verify if Account and Entitlement Tagging are available on the process form. For the connectors to work with Oracle Identity Manager 11.1.2.2.0, you must complete the steps described in the section "Configuring Oracle Identity Manager 11.1.2 or Later" in the respective Connector Guide.

  • Verify if the customizations made to the connectors are intact.

  • Verify if the 11.1.2.2.0 related artifacts like UI Forms and Application Instances are generated.

  • Ensure that all the operations of the connectors are working fine.

  • If there are two or more IT Resource fields in the process form, complete the steps described in the following My Oracle Support note:

    My Oracle Support document ID 1535369.1

  • If there are any lookup query fields in the process form of the related connector, you must customize the UI to display them. For more information, see the 'Lookup Query' section in "General Customization Concepts" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

11.4.26 Updating the Provider URL For ForeignJNDIProvider-SOA

If the environment is running in SSL mode, you must change the Provider URL for ForeignJNDIProvider-SOA to SSL Provider URL. To do this, complete the following steps:

  1. Log in to the WebLogic Administration console using the following URL:

    http://weblogic_host:weblogic_port/console

  2. Expand Services under Domain Structure.

  3. Click Foreign JNDI Providers.

  4. Click ForeignJNDIProvider-SOA to bring up the Settings for ForeignJNDIProvider-SOA page.

  5. Click Lock & Edit on the top-left pane.

  6. In Provider URL, change t3 to t3s.

  7. Click Save, and then click Activate Changes.

11.4.27 Verifying the Upgrade

To verify your Oracle Identity Manager upgrade, perform the following steps:

  1. Use the following URL in a web browser to verify that Oracle Identity Manager 11.1.2.2.0 is running:

    http://<oim.example.com>:<oim_port>/sysadmin

    http://oim.example.com:14000/identity

    where

    <oim.example.com> is the path of the administration console.

    <oim_port> is the port number.

  2. Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.

  3. Install the Diagnostic Dashboard and run the following tests:

    • Oracle Database Connectivity Check

    • Account Lock Status

    • Data Encryption Key Verification

    • JMS Messaging Verification

    • SOA-Oracle Identity Manager Configuration Check

    • SPML Web Service

    • Test OWSM setup

    • Test SPML to Oracle Identity Manager request invocation

    • SPML attributes to Oracle Identity Manager attributes

    • Username Test

11.5 Troubleshooting

Note:

For information about the issues that you might encounter during the upgrade process, and their workarounds, see Oracle Fusion Middleware Release Notes.

Table 11-19 lists some of the problems that might occur during the upgrade process, and their solutions:

Table 11-19 Oracle Identity Manager Troubleshooting - Problems and Solutions

Problem: Patch Set Assistant fails.

Solution: Check the logs located at:

On UNIX:

<MW_HOME>/oracle_common/upgrade/logs/psa<time_stamp>.log

On Windows:

<MW_HOME>\oracle_common\upgrade\logs\psa<time_stamp>.log

Fix the problem, and run Patch Set Assistant again.

Problem: Middle Tier upgrade fails.

Solution: Check the logs located at:

On UNIX:

  • <OIM_ORACLE_HOME>/server/upgrade/logs/MT/OIMUpgrade<time_stamp>.log

  • <OIM_ORACLE_HOME>/server/upgrade/logs/MT/ant_JRF.log

  • <OIM_ORACLE_HOME>/server/upgrade/logs/MT/ant_PatchClasspath.log

On Windows:

  • <OIM_ORACLE_HOME>\server\upgrade\logs\MT\OIMUpgrade<time_stamp>.log

  • <OIM_ORACLE_HOME>\server\upgrade\logs\MT\ant_JRF.log

  • <OIM_ORACLE_HOME>\server\upgrade\logs\MT\ant_PatchClasspath.log

Problem: All features not upgraded in Middle Tier upgrade.

Solution: Check the Upgrade Report located at:

On UNIX:

<OIM_ORACLE_HOME>/upgrade/logs/MT/oimUpgradeReportDir/index.html

On Windows:

<OIM_ORACLE_HOME>\upgrade\logs\MT\oimUpgradeReportDir\index.html

Problem: Oracle Identity Manager upgrade control points.

Solution: Set the property value to true or false in the property file located at:

On UNIX:

<OIM_ORACLE_HOME>/server/bin/oimupgrade.properties

On Windows:

<OIM_ORACLE_HOME>\server\bin\oimupgrade.properties

For more information, see Section 11.5.1, "Oracle Identity Manager Upgrade Control Points".

Problem: MDS patching issues.

Solution: Check the MDS Patching Report located at:

On UNIX:

<OIM_ORACLE_HOME>/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html

On Windows:

<OIM_ORACLE_HOME>\server\logs\MDS_REPORT_DIRECTORY\MDSReport.html

Problem: Some MDS documents not merged correctly.

Solution: Merge manually from the following locations:

On UNIX:

  • <OIM_ORACLE_HOME>/server/logs/sourceDir (OOTB MDS data location)

  • <OIM_ORACLE_HOME>/server/logs/targetDir (Your MDS data location)

On Windows:

  • <OIM_ORACLE_HOME>\server\logs\sourceDir (OOTB MDS data location)

  • <OIM_ORACLE_HOME>\server\logs\targetDir (Your MDS data location)

Problem: JDBC errors: ORA-01882: timezone region not found

Solution: Add an additional environment variable, TZ, set to the time zone name, for example GMT. This environment variable must be set when you use an older database; otherwise, you get an error.

For more information, see My Oracle Support document ID 1460281.1.


11.5.1 Oracle Identity Manager Upgrade Control Points

Oracle Identity Manager Upgrade provides control points in the oimupgrade.properties file. On UNIX, the file is located in the <OIM_ORACLE_HOME>/server/bin/ directory; on Windows, it is located in the <OIM_ORACLE_HOME>\server\bin\ directory.

You can selectively disable a feature upgrade by setting its property to false.

If any feature fails, you can continue with the upgrade by disabling the failed feature: set the corresponding feature upgrade property to false.

When a solution is available for the failed feature, enable the feature for upgrade by setting the property to true.

By default, all the properties are set as true.

  • Set the following property to false if you do not want to run Oracle Identity Manager configuration upgrade:

    oim.ps1.config.patch=true

  • Set the following property to false if you do not want to run SOA composite upgrade:

    oim.ps1.soacomposite.patch=true

Domain Extension Properties

  • Set the following property to false if you do not want to run Patch JNDI provider:

    oim.domainextension.jndiprovider.patch=true

  • Set the following property to false if you do not want to run Patch ClassPath:

    oim.domainextension.classpath.patch=true

  • Set the following property to false if you do not want to run Patch OPSS:

    oim.domainextension.opss.patch=true

  • Set the following property to false if you do not want to run Patch ears:

    oim.domainextension.ear.patch=true

  • Set the following property to false if you do not want to run Patch JRF:

    oim.domainextension.jrf.patch=true
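A control point set to false to get past a failure stays off until someone sets it back, so the feature (the OPSS patch, for example) is silently skipped on later runs. The following added example, which is not part of Oracle's tooling, lists every control point in oimupgrade.properties that is not true; the function names are assumptions, and how the upgrade treats a property that is absent from the file is not stated on this page, so such a key is reported for review only.

```shell
#!/bin/sh
# Added example: report upgrade control points that are not set to true.
# The property names are the seven listed in this section.
OIM_CONTROL_POINTS="oim.ps1.config.patch
oim.ps1.soacomposite.patch
oim.domainextension.jndiprovider.patch
oim.domainextension.classpath.patch
oim.domainextension.opss.patch
oim.domainextension.ear.patch
oim.domainextension.jrf.patch"

# control_point_value FILE KEY
# Prints the last value assigned to KEY, lower-cased; prints an empty line if unset.
control_point_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }            # comment lines in a Java properties file
        {
            line = $0
            sub(/\r$/, "", line)          # tolerate CRLF from edits made on Windows
            sep = match(line, /[=:]/)     # first key/value separator
            if (sep == 0) next
            k = substr(line, 1, sep - 1)
            v = substr(line, sep + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = tolower(v)
        }
        END { print val }' "$1"
}

# audit_control_points FILE
# Prints one line per control point that is not true; returns 1 if any were printed.
audit_control_points() {
    found=0
    for key in $OIM_CONTROL_POINTS; do
        val=$(control_point_value "$1" "$key")
        case $val in
            true)  continue ;;
            false) echo "DISABLED $key" ;;
            "")    echo "REVIEW   $key (not set in file)" ;;
            *)     echo "REVIEW   $key (unexpected value: $val)" ;;
        esac
        found=1
    done
    return "$found"
}
```

Run `audit_control_points` against the oimupgrade.properties file in the server/bin directory before each rerun of the middle tier upgrade and again before declaring the upgrade complete.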