This chapter describes how to upgrade your existing Oracle Identity Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments to Oracle Identity Manager 11g Release 2 (11.1.2.2.0) on Oracle WebLogic Server.
Note:
For information about upgrading Oracle Identity Manager on IBM WebSphere, see "Upgrading Oracle Identity Manager on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.
Note:
This chapter refers to Oracle Identity Manager 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments as 11.1.1.x.x.
This chapter includes the following sections:
Note:
Oracle Identity Manager upgrade scripts from 11.1.1.x.x to 11.1.2.2.0 create application instances during the upgrade process. The application instances that are created will be based on the existing accounts and their data. For active accounts that have an IT Resource field on the process form, whose value is populated on the process form, corresponding application instances will be created for the specific Resource Object+ITResource combination.
The procedure for upgrading Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0 involves the following high-level steps:
Pre-Upgrade Steps: This step involves tasks like generating the pre-upgrade report, analyzing the report and performing the necessary pre-upgrade tasks described in the report, shutting down the servers, backing up the 11.1.1.x.x environment and so on.
Upgrading the Oracle Home and Database Schemas: This step involves tasks like upgrading Oracle SOA Suite, upgrading 11.1.1.x.x Oracle Home to 11.1.2.2.0, creating Oracle Platform Security Services schema using Repository Creation Utility, upgrading Oracle Platform Security Services, configuring the security store, upgrading Oracle Identity Manager using Patch Set Assistant and so on.
Upgrading the Oracle Identity Manager Middle Tier: This step involves tasks like upgrading Oracle Identity Manager middle tier, starting the servers, patching the Oracle Identity Manager MDS metadata and so on.
Upgrading Other Oracle Identity Manager Installed Components: This step involves tasks like upgrading Oracle Identity Manager Design Console, Oracle Identity Manager Remote Manager, and configuring BI Publisher Reports.
Post-Upgrade Steps: This step involves the post-upgrade tasks like enabling Oracle Identity Manager - Oracle Access Manager integration, upgrading user UDF, customizing event handlers, upgrading SOA composites and so on.
Table 11-1 lists the steps to upgrade Oracle Identity Manager 11.1.1.x.x.
Note:
If you do not follow the exact sequence provided in this task table, your Oracle Identity Manager upgrade may not be successful.
Sl No | Task | For More Information |
---|---|---|
Pre-Upgrade Steps | | |
1 | Review the changes in the features of Oracle Identity Manager 11.1.2.2.0. | See, Feature Comparison |
2 | Review system requirements and certifications. | |
3 | Generate the pre-upgrade report by running the | |
4 | Ensure that | See, Ensuring That getPlatformTransactionManager() Method is Not Used in Custom Code |
5 | Empty the | |
6 | Complete all of the pre-requisite tasks. | See, Other Prerequisites |
7 | Ensure that the JRF is upgraded. | |
8 | In Oracle Identity Manager 11.1.1.x.x, if you do not have at least one reconciliation field of type | |
9 | Back up your environment. | See, Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.x.x) |
10 | Set the JVM properties for the Oracle Identity Manager Server(s) using the WebLogic Administration console. | See, Setting JVM Properties for Oracle Identity Manager Server(s) |
11 | Shut down all servers. This includes Administration Server, SOA Managed Servers, and Oracle Identity Manager Managed Servers. | See, Shutting Down Node Manager, Administration Server and Managed Servers |
Upgrading the Oracle Home and Database Schemas | | |
12 | Upgrade Oracle WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6. | |
13 | Upgrade SOA suite used by Oracle Identity Manager. | |
14 | Upgrade Oracle Identity Manager binaries to 11.1.2.2.0. | See, Upgrading Oracle Identity Manager Binaries to 11.1.2.2.0 |
15 | Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load OPSS schema for Oracle Identity and Access Management products. | |
16 | Upgrade the Oracle Platform Security Services schemas. | |
17 | Extend your Oracle Identity Manager 11.1.1.x.x domain with the OPSS template. | See, Extending Oracle Identity Manager 11.1.1.x.x Component Domains with OPSS Template |
18 | Upgrade Oracle Platform Security Services. | |
19 | Run the | |
20 | Upgrade Oracle Identity Manager using the Patch Set Assistant. | See, Upgrading Oracle Identity Management Schemas Using Patch Set Assistant |
21 | Start the WebLogic Administration Server and the SOA Managed Server(s). | See, Starting the Administration Server and SOA Managed Server |
Upgrading the Oracle Identity Manager Middle Tier | | |
22 | Upgrade Oracle Identity Manager Middle Tier. | |
23 | Verify the Oracle Identity Manager Middle Tier Upgrade. | |
24 | Change the deployment order of Oracle Identity Manager from 47 to 48. | See, Changing the Deployment Order of Oracle Identity Manager EAR |
25 | Restart the Administration Server and SOA Managed Servers. | See, Restarting the Administration Server and SOA Managed Server |
26 | Patch the Oracle Identity Manager MDS metadata by starting the Oracle Identity Manager Managed Servers. | |
Upgrading Other Oracle Identity Manager Installed Components | | |
27 | Upgrade Oracle Identity Manager Design Console. | |
28 | Upgrade Oracle Identity Manager Remote Manager. | |
29 | Configure Oracle BI Publisher 11g Release 1 (11.1.1.7.1). | |
30 | Deploy the Oracle Identity Manager BI Publisher Reports. | |
Post-Upgrade Steps | | |
31 | Complete the post-upgrade steps. | See, Post-Upgrade Steps |
32 | Verify the upgrade. | |
This section contains the following topics:
Ensuring That getPlatformTransactionManager() Method is Not Used in Custom Code
Backing Up Oracle Identity Manager 11g Release 1 (11.1.1.x.x)
Setting JVM Properties for Oracle Identity Manager Server(s)
Shutting Down Node Manager, Administration Server and Managed Servers
Table 11-2 lists the key differences in functionality between Oracle Identity Manager 11.1.1.x.x and 11g Release 2 (11.1.2.2.0).
Table 11-2 Features Comparison
Oracle Identity Manager 11.1.1.5.0 and/or 11.1.1.7.0 | Oracle Identity Manager 11.1.2.2.0 |
---|---|
Oracle Identity Manager 11.1.1.x.x provided Identity Attestation to periodically review a user's access. For advanced access review capabilities such as role or data owner certification, OIM 11.1.1.x had to be integrated with Oracle Identity Analytics (OIA) to leverage the advanced access review capabilities that OIA provided. | In Oracle Identity Manager 11.1.2.1.0 and 11.1.2.2.0, the advanced access review capabilities of OIA are converged into OIM to provide a complete identity governance platform that enables an enterprise to do enterprise grade access request, provisioning, and access review from a single product. After upgrading to Oracle Identity Manager 11.1.2.2.0, you can use the new access review capabilities. This feature is disabled by default. Therefore, you must ensure that you have relevant licenses before enabling this new feature. |
In Oracle Identity Manager 11.1.1.x.x, users are assigned to organizations by specifying an organization name in the | In Oracle Identity Manager 11.1.2.2.0, in addition to the existing feature, you can dynamically assign users to organizations based on user-membership rules, which you can define in the Members tab of the organization details page. All users who satisfy the user-membership rule are dynamically associated with the organization, irrespective of the organization hierarchy the users statically belong to. With this new capability, a user can gain membership of one home organization via static membership and multiple secondary organizations via user-membership rules that are dynamically evaluated. |
In Oracle Identity Manager 11.1.1.x.x, administrators configured request templates to control what an end user could request. End users have to navigate through a series of menus to select entitlement before they can submit an access request. An end user's access to request templates was controlled by his/her role memberships. | Oracle Identity Manager 11.1.2.2.0 provides a new user interface with a shopping cart-type request model through which end users can search and browse through the catalog and directly request any item such as roles, entitlements, or applications, without having to navigate through a series of menus. In addition to this, several business-friendly metadata such as description, audit objective, tags, owner, approver, technical glossary, and so on can be associated to each access item, to display business-friendly and rich contextual information to a business user at the time of self service access request and access review. An end user's access to entities is controlled by a combination of user-to-organization publishing and entity-to-organization publishing. Post upgrade, administrators need to run the catalog synchronization job to populate the catalog with request-able entities and entity metadata. Post upgrade, administrators need to define entity to organization publishing to control what an end user can request. |
Resource and IT resource names tend to be named in a manner that makes it easy for the IT users to manage them. The problem with this approach is that if a business user has to request access, the resource name will not make sense. These incomprehensible Resource and IT resource names make the access request process non-intuitive. | Oracle Identity Manager 11.1.2.2.0 provides an abstraction entity called Application Instance. It is a combination of IT resource instance (target connectivity and connector configuration) and resource object (provisioning mechanism). Administrators can assign business-friendly names to Application instances and map them to corresponding IT resources and Resource Objects. End users who request for accounts through the catalog will search for an account by providing the business-friendly Application Instance Name. Application instances are automatically created as part of the upgrade procedure. Administrators are expected to define organization publishing for these Application Instances to control who has access to requests for access to the application. |
In Oracle Identity Manager 11.1.1.x.x, authorization policies are used to control a user's access to the functions within Oracle Identity Manager. Policy administration was done through a UI that was built specifically for Oracle Identity Manager. | Oracle Identity Manager 11.1.2.2.0 leverages Oracle Entitlement Server for authorization policy enforcement and administration. This is the standards-based platform for authorization policy enforcement and administration across all IDM components. Administration of Authorization Policies is now done through the Authorization Policy Manager, which is the main tool for lifecycle management of Authorization Policies. Post upgrade to Oracle Identity Manager 11.1.2.2.0 authorization policy definition and administration will have to be done from the Authorization Policy Manager console and any customizations made to out of the box 11.1.1.x authorization policies will have to be reapplied. |
In Oracle Identity Manager 11.1.1.x.x, access to policy evaluation is done instantly for each user when they are updated. | In Oracle Identity Manager 11.1.2.2.0, access to policy evaluation is done when the Evaluate User Policies scheduled job is run. This gives you the flexibility to control when heavy operations such as access policy evaluation and provisioning are triggered. Post upgrade to Oracle Identity Manager 11.1.2.2.0, administrators will have to schedule this job to run in predefined intervals based on their business requirements. |
Oracle Identity Manager 11.1.1.x.x provided separate interfaces for end user self-service and delegated administration. | In Oracle Identity Manager 11.1.2.2.0, the end user self-service and delegated administration consoles have been unified into a single self service console to simplify administration and self service. Oracle Identity Manager 11.1.2.2.0 also uses the Skyros skin, which is a light weight skin. Any customization added to the 11.1.1.x.x User Interface (UI) will have to be reapplied on the 11.1.2.2.0 User Interface post upgrade. For an overview of UI customization in Oracle Identity Manager 11.1.2.2.0, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager. |
Before you start the upgrade process, you must read the system requirements and certification document to ensure that your system meets the minimum requirements for the products you are installing or upgrading. For more information see Section 2.1, "Reviewing System Requirements and Certification".
You must run the pre-upgrade utility before you begin the upgrade process, and address all the issues listed as part of this report with the solution provided in the report.
The pre-upgrade utility analyzes your existing Oracle Identity Manager 11.1.1.x.x environment, and provides information about the mandatory prerequisites that you must complete before you upgrade the environment. The information in the pre-upgrade report is related to the invalid approval policies, requests and event handlers that are affected by the upgrade, list of mandatory Database components that need to be installed before upgrade, cyclic groups in LDAP directory, deprecated authorization policies, and issues in creating potential application instance.
Note:
It is important to address all the issues listed in the pre-upgrade report before you proceed with the upgrade, as the upgrade might fail if the issues are not fixed.
Run this report until no pending issues are listed in the report.
To generate and analyze the pre-upgrade report, complete the tasks described in the following sections:
You must download the pre-upgrade utility from Oracle Technology Network (OTN). The utility is available in two zip files named PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, along with ReadMe.doc at the following location on My Oracle Support:
My Oracle Support document ID 1599043.1.
The ReadMe.doc contains information about how to generate and analyze the pre-upgrade reports.
To generate the pre-upgrade report for Oracle Identity Manager 11.1.1.x.x upgrade, do the following:
Create a directory at any location and extract the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002 in the newly created directory.
Create a directory where pre-upgrade reports need to be generated. For example, name the directory OIM_preupgrade_reports.
Go to the directory where you extracted PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, and open the preupgrade_report_input.properties file in a text editor. Update the properties file by specifying the appropriate values for the parameters listed in Table 11-3:
Table 11-3 Parameters to be Specified in the preupgrade_report_input.properties File
Parameter | Description |
---|---|
|
Specify |
|
Specify the JDBC URL for Oracle Identity Manager in the following format:
|
|
Specify the name of the OIM schema owner. |
|
Specify the MDS JDBC URL in the following format:
|
|
Specify the name of the MDS schema owner. |
|
Specify the user with DBA privilege. For example, |
|
Specify the absolute path to the directory that you created in step-2 (directory with name Make sure that the output report folder has read and write permissions. |
|
Specify the absolute path to the OIM Home. |
|
Specify the absolute path to the WLS Home. |
|
Specify the absolute path to the Oracle Identity Manager domain home. For example:
|
Set the environment variables JAVA_HOME, MW_HOME, WL_HOME, and OIM_HOME by running the following commands:
On UNIX:
export JAVA_HOME=<jdk_location>
export MW_HOME=<absolute_path_to_middleware_home>
export OIM_HOME=<absolute_path_to_middleware_home>/Oracle_IDM1/
export WL_HOME=<absolute_path_to_middleware_home>/WL_HOME/
On Windows:
set JAVA_HOME="<jdk_location>"
set MW_HOME="<absolute_path_to_middleware_home>"
set OIM_HOME="<absolute_path_to_middleware_home>\Oracle_IDM1\"
set WL_HOME="<absolute_path_to_middleware_home>\WL_HOME\"
Run the following command from the location where you extracted the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002:
On UNIX:
sh generatePreUpgradeReport.sh
On Windows:
generatePreUpgradeReport.bat
Provide the details when the following is prompted:
OIM Schema Password
You must enter the password of the OIM schema.
MDS Schema Password
You must enter the password of the MDS schema.
DBA Password
You must enter the password of the Database Administrator.
The following are the reports generated by the pre-upgrade report utility:
Pre-Upgrade Reports Generated for 11.1.1.x.x Starting Point
index.html
APPROVALPOLICYPreUpgradeReport.html
ChallengeQuesPreUpgradeReport.html
CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html
DomainReassocAuthorization.html
EVENT_HANDLERPreUpgradeReport.html
ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html
ORACLE_ONLINE_PURGE_PreUpgradeReport.html
PasswordPolicyPreUpgradeReport.html
PROVISIONINGBYREQUESTPreUpgradeReport.html
PROVISIONINGPreUpgradeReport.html
REQUESTPreUpgradeReport.html
UDFPreUpgradeReport.html
WLSMBEANPreUpgradeReport.html
The PreUpgradeReport utility generates several reports, which are outlined in Table 11-4.
Note:
You must review all the reports, and perform the tasks described in each of the reports.
Table 11-4 Pre-Upgrade Utility Reports
Report Name | Description | For More Information |
---|---|---|
|
The index.html provides links to all the seven reports generated by the pre-upgrade utility. |
- |
|
This report lists the request approval policies that have a rule defined on a non-existing template. |
See, Description of APPROVALPOLICYPreUpgradeReport.html Report |
|
This report provides information about upgrading localized challenge questions data. When you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0, the existing localization data for challenge questions is lost. Therefore, before proceeding with the upgrade process, you must backup the existing localized challenge questions data. After you upgrade to Oracle Identity Manager 11.1.2.2.0, you must perform the tasks described in this report. |
See, Description of ChallengeQuesPreUpgradeReport.html Report |
|
This report detects the list of cyclic groups in LDAP. The report includes a list of cyclic groups and instructions to remove cyclic dependency. It is mandatory to remove all cyclic dependencies running in the Oracle Identity Manager 11.1.1.x.x environment. |
See, Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report |
|
This report lists the checks executed for authorization feature data upgrade. It checks if the Oracle Identity Manager is reassociated with the DB-based policy store. Review the table that lists the checks executed and the status of the checks. |
|
|
This report captures all user customizations related to Event Handler in Oracle Identity Manager 11.1.1.x.x. |
See, Description of EVENT_HANDLERPreUpgradeReport.html Report |
|
This report provides the status of the mandatory database components or settings for Oracle Identity Manager upgrade. Verify the installation or setup status for each mandatory component or setting. If any component or setting is not set up correctly, follow the recommendations provided in the report to fix it. Note: This report will not be generated if there is no action item related to purge. |
See, Description of ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html Report |
|
This report lists the pre-requisites for Online Purge that need to be addressed before you proceed with the upgrade. Note: This report will not be generated if there is no action item related to purge. |
See, Description of ORACLE_ONLINE_PURGE_PreUpgradeReport.html Report |
|
This report lists the potential upgrade issues for password policies. |
See, Description of PasswordPolicyPreUpgradeReport.html Report |
|
This report lists the requests that are not viewable in Track Requests page. |
See, Description of PROVISIONINGBYREQUESTPreUpgradeReport.html Report |
|
This report lists the potential application instance creation issues. |
See, Description of PROVISIONINGPreUpgradeReport.html Report |
|
This report lists any invalid requests and the actions to be taken. |
|
|
This report provides information about the steps that must be performed prior to upgrade to ensure that the User Defined Fields (UDFs) are upgraded seamlessly. |
|
|
This report provides information about the status of mandatory deletion of OIM Authenticator Jar(s). |
The report APPROVALPOLICYPreUpgradeReport.html lists the invalid approval policies. This report contains the following sections:
This report also contains an additional note on approval policy based on deprecated request type. You must review the report completely, before you start upgrading the Oracle Identity Manager 11.1.1.x.x environment.
Approval Policy rule defined on template
This section lists the Oracle Identity Manager 11.1.1.x.x approval policies whose rules are defined based on the request template. The Request templates feature is not supported in Oracle Identity Manager 11.1.2.2.0. Therefore, if your Oracle Identity Manager 11.1.1.x.x contains approval policies having rules based on request template, you must reconfigure the request approval policies by following the steps described in the report.
List of Approval Polices which needs to be updated with custom approval process
This section lists the 11.1.1.x.x approval policies that need to be associated with a different approval process before you start the upgrade process.
The approval processes default/ResourceAdministratorApproval and default/ResourceAuthorizerApproval are not supported in 11.1.2.2.0. Therefore, if your Oracle Identity Manager 11.1.1.x.x contains approval policies that use these approval processes, you must associate them with a different approval process.
Approval policy based on unsupported request type
This section provides information about the request types that are not supported in 11.1.2.2.0.
The following 11.1.1.x.x request types are not supported in 11.1.2.2.0, and they are changed to non-self request type in 11.1.2.2.0:
Self Assign Roles
Modify Self Profile
Self Remove Roles
Self De-Provision Resource
Self Modify Provisioned Resource
Self-Request Resource
The mapping of Self request types to Non-Self request types is shown in Table 11-5.
Table 11-5 Mapping of Self request type to Non-Self request type
Self Request Type | Non-Self Request Type |
---|---|
Self-Request Resource | Provision Resource |
Self Modify Provisioned Resource | Modify Provisioned Resource |
Self Remove Roles | Remove from Roles |
Modify Self Profile | Modify User Profile |
Self De-Provision Resource | De-Provision Resource |
Self Assign Roles | Assign Roles |
Approval policy based on deprecated request type
This section provides information about deprecated request types in 11.1.2.2.0.
The following 11.1.1.x.x request types are deprecated in 11.1.2.2.0:
Provision Resource
De-Provision Resource
Disable Provisioned Resource
Enable Provisioned Resource
Modify Provisioned Resource
Approval policies based on these deprecated request types will continue to work for any pending requests based on these request types even after upgrade. But, these policies will not work for requests created for Application Instance based request types such as - Provision ApplicationInstance, Revoke Account, Disable Account, Enable Account, and Modify Account.
In addition, approval policies for Application Instance based request types need to be explicitly created for the request based on Application Instance.
The report ChallengeQuesPreUpgradeReport.html is generated for both 11.1.2 and 11.1.2.1.0 starting points.
When you upgrade Oracle Identity Manager 11.1.2.x.x to 11.1.2.2.0, the existing localization data for challenge questions is lost as it is not upgrade-safe. Therefore, before you upgrade to Oracle Identity Manager 11.1.2.2.0, you must backup the existing localized challenge questions data.
After you upgrade to 11.1.2.2.0, perform the tasks described in this report to localize challenge questions. Follow the instructions in the section applicable for your starting point.
Note:
If you have already migrated the localized challenge questions data per localization model provided in Oracle Identity Manager 11g Release 2 (11.1.2.0.11) or (11.1.2.1.3), ignore the tasks described in this report.
The report CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html provides information about the cyclic groups in the LDAP directory.
Oracle Identity Manager 11.1.2.2.0 does not support cyclic groups in the LDAP directory. Therefore, you must remove the cyclic dependency from Oracle Identity Manager 11.1.1.x.x setup and reconcile data from LDAP to Oracle Identity Manager Database, before you proceed with the upgrade. For more information about removing the cyclic groups dependent on LDAP, see Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database. The procedure for removing cyclic groups is also described in this report.
Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database
If the LDAP in your Oracle Identity Manager 11.1.1.x.x environment has cyclic groups loaded, you must remove the cyclic groups by doing the following:
Use JEXplorer or Softerra LDAP Administrator and navigate to the cyclic groups.
Look for uniquemember attribute.
Remove all values from the attribute.
Save the group.
Reconcile the data from LDAP to Oracle Identity Manager Database by running the following command:
On UNIX: LDAPConfigPostSetup.sh
On Windows: LDAPConfigPostSetup.bat
If you have cyclic group dependency between two groups: Group1 and Group2, do the following to remove cyclic dependency:
Connect to LDAP using JEXplorer or Softerra LDAP.
Go to the group container of Group1.
Go to the uniquemember attribute under Group1.
Remove the value of Group2, from unique members, and save the change made.
Run LDAPConfigPostSetup.sh on UNIX and LDAPConfigPostSetup.bat on Windows to synchronize data from LDAP to Oracle Identity Manager database.
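The pre-upgrade report lists the cyclic groups for you. As an added example (not part of the Oracle utility or of this guide), the following Python code runs the same kind of check offline against an LDIF export of the group entries, so that you can confirm the cycles are gone after editing uniquemember and before rerunning the report. The DNs, the sample export and the function names are assumptions made for illustration.

```python
import base64

# Constructed sample export (not from a real directory). Group1 and Group2
# reference each other, Group3 nests Group1 without being in a cycle, and
# Group4 lists itself. DNs and names are assumptions for illustration.
SAMPLE_LDIF = """\
dn: cn=Group1,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniquemember: cn=Group2,cn=Groups,dc=example,dc=com
uniquemember: uid=alice,cn=Users,dc=example,dc=com

dn: cn=Group2,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: CN=Group1, CN=Groups, DC=example, DC=com

dn: cn=Group3,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniquemember: cn=Group1,cn=Groups,
 dc=example,dc=com

dn: cn=Group4,cn=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniquemember: cn=Group4,cn=Groups,dc=example,dc=com
"""


def normalize_dn(dn):
    """Case-fold and trim each RDN so that equal DNs compare equal.
    Simplification: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_groups(ldif_text):
    """Return {group_dn: set(member_dn)} from an LDIF export of group entries."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    groups, current = {}, None
    for line in lines:
        if not line.strip():                # blank line ends the entry
            current = None
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = normalize_dn(value)
            groups[current] = set()
        elif attr == "uniquemember" and current is not None:
            groups[current].add(normalize_dn(value))
    return groups


def find_cyclic_groups(groups):
    """Return the sets of groups (as sorted DN lists) that form a membership
    cycle, using Tarjan's strongly connected components on group-to-group edges."""
    edges = {g: sorted(m for m in ms if m in groups) for g, ms in groups.items()}
    index, low, stack, on_stack, found = {}, {}, [], set(), []

    def visit(node):
        index[node] = low[node] = len(index)
        stack.append(node)
        on_stack.add(node)
        for nxt in edges[node]:
            if nxt not in index:
                visit(nxt)
                low[node] = min(low[node], low[nxt])
            elif nxt in on_stack:
                low[node] = min(low[node], index[nxt])
        if low[node] == index[node]:        # node is the root of a component
            component = []
            while True:
                member = stack.pop()
                on_stack.discard(member)
                component.append(member)
                if member == node:
                    break
            if len(component) > 1 or node in edges[node]:
                found.append(sorted(component))

    for group in sorted(edges):
        if group not in index:
            visit(group)
    return sorted(found)


def cyclic_references(groups):
    """For each cyclic component, list the (group, uniquemember value) pairs
    that keep the cycle alive; these are the candidates for removal."""
    report = []
    for component in find_cyclic_groups(groups):
        inside = set(component)
        report.append(sorted((g, m) for g in component for m in groups[g] if m in inside))
    return report


if __name__ == "__main__":
    for refs in cyclic_references(parse_groups(SAMPLE_LDIF)):
        for group, member in refs:
            print(f"{group}: uniquemember -> {member}")
```

Rerun the check on a fresh export after each uniquemember change; an empty result from find_cyclic_groups means no group-to-group cycle remains in the exported entries.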
The report DomainReassocAuthorization.html is generated for both 11.1.2 and 11.1.2.1.0 starting points.
It checks if the Oracle Identity Manager domain is reassociated to Database based policy store and displays the result in the Result column. Review the checks executed and the result of the checks.
The report EVENT_HANDLERPreUpgradeReport.html provides information about event handlers. When you upgrade Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0, the customizations made to the OOTB event handler XMLs in 11.1.1.x.x will not be preserved in 11.1.2.2.0. All the customizations defined in a separate XML (non OOTB) in 11.1.1.x.x will be preserved in 11.1.2.2.0. You must redo all the customizations after upgrading to 11.1.2.2.0. This report contains the following sections:
Refer to the table in the report for more details about the event handlers.
New Event Handler Added by the customer in the OOTB (11.1.1.5.0) Event Handler Metadata XML
This section provides information about the new event handlers added in the OOTB (11.1.1.5.0).
The event handler newly added in the OOTB (11.1.1.5.0) Event Handler Metadata XML will not be available after you upgrade to 11.1.2.2.0. Oracle Identity Manager 11.1.2.2.0 event handlers will replace the 11.1.1.x.x event handlers. Therefore, you must add the event handler again in a new file after the upgrade.
Note:
Do not add a new event handler in the same OOTB Event Handler XML. You must create a new XML and add the new event handler to it.
OOTB(11.1.1.5.0) Event Handler modified by the Customer
This section provides information about the event handlers that are modified in the OOTB (11.1.1.5.0).
You must redo all the customizations that you did to the event handlers in OOTB (11.1.1.5.0), after you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0.
OOTB(11.1.1.5.0) Event Handler deleted by Customer
This section provides information about the event handlers that were deleted in OOTB (11.1.1.5.0).
The deleted event handlers are restored after you upgrade to 11.1.2.2.0. Therefore, you must delete them again as per requirement.
The report ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html is generated for both 11.1.2 and 11.1.2.1.0 starting points.
This report lists all the mandatory database components or settings for Oracle Identity Manager 11.1.2.x.x upgrade. This report contains a table which lists the component or setting, its installation or setup status, and recommendations if any. You must review the installation or setup status for each mandatory component or setting listed in the table. If a component or setting is not set up correctly, follow the recommendations specified in the Note column of the table in the report to fix it.
Before you upgrade Oracle Identity Manager 11.1.2.x.x to 11.1.2.2.0, you must complete the pre-requisites for online purge.
The table in this report lists the database tables on which the mentioned pre-upgrade steps need to be performed before you upgrade. The table also shows the status of the database tables in OIM schema and Note section. Review the table, and perform the actions required.
If you are using the 9.1.x.x password policy model, you must update to the new password policies. The 9.1.x.x password policy model is no longer supported for Users, and any such customizations done are not migrated to the new password policy model.
The following password policies are attached to the Xellerate User resource object according to the 9.1.x.x password policy model and must be assigned to appropriate organization(s):
The following table provides information about the requests that are not viewable in Track Requests page:
Request Key | Beneficiary Key | Entity Type | Entity Name | Entity Key | Request Model Name | Issue |
---|---|---|---|---|---|---|
81 | 83 | Resource | AD User | 7 | Access Policy Based Provisioning | No process form entry found for process instance. Cannot update |
82 | 85 | Resource | AD User | 7 | Access Policy Based Provisioning | No process form entry found for process instance. Cannot update |
86 | 99 | Resource | AD User | 7 | Provision Resource | No process form entry found for process instance. Cannot update |
The report PROVISIONINGPreUpgradeReport.html lists the potential application instances creation issues. The report contains the following sections:
Provisioning, Entitlement, and Access Policy Configuration Details
List of Resource Objects without ITResource field Type in Process Form
List of Resource Objects with multiple ITResource Lookup fields in Process Form
List of Access Policies without ITResource value set in default policy data
List of Access Policies with Revoke If No Longer Applies flag unchecked
Provisioning, Entitlement, and Access Policy Configuration Details
This section describes the steps you must complete before you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0. These steps are related to provisioning, entitlement, and access policy configuration. Complete all the steps described in this section of the report.
List of Resource Objects without Process Form
This section provides information about the resource objects in Oracle Identity Manager 11.1.1.x.x that do not have process form. Each resource object must have a process form associated with it. Therefore, if a resource object is not associated with a process form, you must associate the resource object with a process form before you start the upgrade process. Review the table in this section of the report, that lists the details of the resource objects without process form.
List of Resource Objects without ITResource field Type in Process Form
This section provides information about the resource objects without ITResource field type in their respective process forms. Review the table in this section of the report, which contains more details. If your Oracle Identity Manager 11.1.1.x.x has resource objects without ITResource field in their process forms, do the following:
Create appropriate IT resource definition.
Create IT resource instance for the same corresponding to the target that is being provisioned.
Edit the process form and add a field of type "ITResource" to the process form. Set the following properties:
Type=IT Resource definition created in step-1
ITResource=true
Activate the form.
Update the IT resource field on existing provisioned accounts using FVC Utility.
Once the above steps are completed, you can create application instances corresponding to the Resource Object+ITResource combination.
List of Resource Objects with multiple ITResource Lookup fields in Process Form
This section provides information about the resource objects that have multiple lookup fields in their process form. In the Oracle Identity Manager 11.1.1.x.x environment, if you have resource objects with multiple ITResource set in the process form, you must set the value of the property ITResource Type to true for at least one of the attributes.
List of Access Policies without ITResource value set in default policy data
This section lists the access policies for which the ITResource values of the resource objects should be set in the default policy data. The table in this section lists the access policies in Oracle Identity Manager 11.1.1.x.x for which the ITResource field is missing. You must set the value of the ITResource field for each access policy listed in the table.
List of Access Policies with Revoke If No Longer Applies flag unchecked
This section lists the access policies that have Revoke If No Longer Applies flag unchecked. The table in this section contains the list of access policies that will be updated to Disable If No Longer Applies, during upgrade. The table also indicates if tasks for enable, disable, revoke actions are not defined for these policies. You must add the missing tasks before you proceed with the upgrade. Also, if you want the behavior of the policy to change to RNLA checked, you must check the RNLA flag for the respective policy.
List of Entitlements stored in Lookup definitions that do not have IT Resource Key in the lookup encode value
This section lists entitlements stored in lookup definitions that do not have IT Resource Key prepended to their encoded values using "~". Entitlements stored in lookup definitions need IT Resource Key prepended to the encoded values using "~". Review the table in this section of the pre-upgrade report, which contains more details.
The report REQUESTPreUpgradeReport.html lists requests that are affected because of the upgrade. This report contains the following sections:
Requests with unsupported request stages
This section lists the requests that are in one of the following unsupported request stages:
Obtaining Template Approval
Template Approval Approved
Template Approval Rejected
Template Approval Auto Approved
Manual intervention is required to move these requests to the next stage by approving, withdrawing, or closing such requests. Otherwise, requests are moved to request closed stage as part of the upgrade.
Review the list of requests that are in the unsupported request stage.
Requests which will be automatically changed to corresponding non-self request type
This section lists the requests that are based on one of the following request types and will be changed to the corresponding non-self request type after the upgrade:
Self Assign Roles
Modify Self Profile
Self Remove Roles
Self De-Provision Resource
Self Modify Provisioned Resource
Self-Request Resource
Request types for these requests are automatically changed to the corresponding non-self request type as part of the upgrade.
Self-request type mapping to non-self request type is shown in Table 11-8:
Table 11-8 Mapping of Self-Request Type to Non-Self Request Type
Self request type | Non-Self request type |
---|---|
Self-Request Resource | Provision Resource |
Self Modify Provisioned Resource | Modify Provisioned Resource |
Self Remove Roles | Remove from Roles |
Modify Self Profile | Modify User Profile |
Self De-Provision Resource | De-Provision Resource |
Self Assign Roles | Assign Roles |
This section provides information about the steps that must be performed prior to upgrade to ensure that the User Defined Fields/Attributes (UDFs) are upgraded seamlessly. Note that you may have to edit the entity xml file manually. To edit a file in MDS, you need to export the file from the Metadata Services (MDS) repository and, after making the required changes, import the file back to MDS.
The following table lists the path of the entity xml file in MDS corresponding to a particular entity type.
Table 11-9 Path of Entity XML File in MDS
Entity type | Path in MDS |
---|---|
User | /file/User.xml |
Role | /db/identity/entity-definition/Role.xml |
Organization | /db/identity/entity-definition/Organization.xml |
The report also includes information about the list of UDFs with inconsistent max-size and UDFs with inconsistent default value.
The Jar(s) present in the WebLogic Server mbeans path, as listed in the following table, must be deleted before executing the Mid-Tier Upgrade.
Table 11-10 Jars and their Status
File Name | Status |
---|---|
|
|
|
|
|
|
Note:
As a pre-upgrade step, delete the Jars OIMAuthenticator.jar and oimsignaturembean.jar from <MW_HOME>/wlserver_10.3/server/lib/mbeantypes/.
Ensure that the method getPlatformTransactionManager() is not used in the custom event handler code, as this method is not available in 11.1.2.2.0.
If you are using the method getPlatformTransactionManager() in the custom event handler code, set the attribute tx to TRUE in the event handler XML definition.
For more information on setting the attributes in the event handler XML definition, see "Defining Custom Events Definition XML" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Offline Provisioning is not supported in Oracle Identity Manager 11.1.2.2.0, as it is no longer needed in this release.
Empty the oimProcessQueue JMS queue to ensure that JMS messages are processed before you start upgrading. To do so, complete the following:
Shut down applications to disable accessing of Oracle Identity Manager offline provisioning by end-users, SPML, and API clients.
Monitor the oimProcessQueue JMS queue from the WebLogic Administration Console and allow Oracle Identity Manager to run until the oimProcessQueue JMS queue is empty.
This is a list of checks you must run and set before you begin upgrading:
Check if oracle.soa.worklist.webapp is targeted to Oracle Identity Manager server in 11.1.1.x.x. If not, target it to Oracle Identity Manager Managed Server. If you are upgrading Oracle Identity Manager high availability environments, you must target oracle.soa.worklist.webapp to the oim_cluster.
The OOTB applications in Oracle Identity Manager are deployed in NO_STAGE mode. Check if oracle.idm.uishell is in No Stage mode. If oracle.idm.uishell is in Stage mode, you must re-deploy it to NO_STAGE mode.
Complete the following steps to change the mode to No Stage:
Set the WL_HOME and OIM_HOME.
Undeploy oracle.idm.uishell by running the following command:
java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -undeploy -name oracle.idm.uishell
Deploy oracle.idm.uishell in No Stage mode by running the following command:
java -cp $WL_HOME/server/lib/weblogic.jar weblogic.Deployer -adminurl t3://localhost:8005 -username weblogic -password weblogic1 -deploy -name oracle.idm.uishell -source $OIM_HOME/modules/oracle.idm.uishell_11.1.1/oracle.idm.uishell.war -nostage -library -targets AdminServer,$OIM_SERVER_NAME
Ensure that all pending requests are addressed before you upgrade.
In case of a migrated, upgraded, or restored database in the Oracle Identity Manager environment, you must synchronize all the Oracle Identity Manager Schema Privileges (SYSTEM and OBJECT Grants) from the source to the target (restored) schema by doing the following:
Capture the OIM Database Schema user constituent grants from the source schema by executing the following SQLs as SYS database user:
SELECT DBMS_METADATA.GET_GRANTED_DDL ('SYSTEM_GRANT','<OIM_Schema_Name>') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL ('OBJECT_GRANT', '<OIM_Schema_Name>') FROM DUAL;
In the schema restoration phase prior to schema upgrade, execute the grants output of the SQLs captured in step-1, as post schema restoration step.
Recompile any INVALID objects in the OIM schema using the following steps:
a. Identify INVALID schema objects as SYS user by running the following SQL:
SELECT owner,object_type,object_name,status FROM dba_objects WHERE status = 'INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;
b. Compile the INVALID schema objects using any appropriate method. The following is an example of compiling INVALID schema objects by executing the method UTL_RECOMP as SYS user for the OIM schema:
BEGIN
UTL_RECOMP.recomp_serial('<OIM_Schema_Name>');
END;
/
Repeat step-a until there are no INVALID objects.
Note:
For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 1, see My Oracle Support document ID 1359656.1.
For information on schema backup and restoration using Data Pump Client Utility for Oracle Identity Manager 11g Release 2, see My Oracle Support document ID 1492129.1.
Before starting the upgrade process, you must ensure that Java Required Files (JRF) is upgraded. To do this, complete the following steps:
Log in to the WebLogic Administration console using the following URL:
http://host:port/console
In this URL, host refers to the name of the host on which WebLogic Administration Server is running, and port refers to the port number.
Click Deployments on the left navigation pane for the OIM_Domain.
Ensure that the following libraries are present:
oracle.adf.desktopintegration(1.0,11.1.1.2.0)
oracle.adf.desktopintegration.model(1.0,11.1.1.2.0)
oracle.bi.adf.model.slib(1.0,11.1.1.2.0)
oracle.bi.adf.view.slib(1.0,11.1.1.2.0)
oracle.bi.adf.webcenter.slib(1.0,11.1.1.2.0)
oracle.bi.composer(11.1.1,0.1)
oracle.bi.jbips(11.1.1,0.1)
If the above libraries are not present, you must upgrade JRF. For more information about upgrading JRF, see "Updating Fusion Middleware Shared Libraries" in the Oracle Fusion Middleware Patching Guide.
All account reconciliation Field Mapping configurations must have at least one Reconciliation field of type ITResource defined. This can be done by adding a mapping from the Oracle Identity Manager Design Console. Complete the following steps for those resource objects which do not have an ITResource field in reconciliation field mapping:
Create reconciliation field of type IT Resource by doing the following:
Log in to the Oracle Identity Manager Design Console by running the following command from the location ORACLE_HOME/designconsole/:
On UNIX: ./xlclient.sh
On Windows: xlclient.cmd
Expand Resource Management.
Click Resource Objects.
Search for and select the Resource Object that you wish to modify.
Go to the Object Reconciliation tab.
Click Add Field under Reconciliation Fields tab.
Enter the Field Name, and select IT Resource as the Field Type.
Click Save icon.
Define mapping for the field ITResource by doing the following:
On the Oracle Identity Manager Design Console, expand Process Management on the left navigation pane.
Click Process Definition.
Go to the Reconciliation Field Mapping tab in the Process Definition form.
Search for the Resource Object.
Define mapping for the field IT Resource.
Save the form.
Note:
This step is required if you are using connector for account reconciliation or if you wish to use connector for account reconciliation after you upgrade to 11.1.2.2.0.
You must back up your old Oracle Identity Manager 11.1.1.x.x environment before you upgrade to Oracle Identity Manager 11g Release 2 (11.1.2.2.0).
After stopping the servers, back up the following:
MW_HOME directory, including the Oracle Home directories inside Middleware Home
Domain Home directory
Oracle Identity Manager schemas
MDS schema
ORASDPM schema
SOAINFRA schemas
For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.
You must set additional JVM properties for the Oracle Identity Manager Server(s) using the WebLogic Administration console. To do this, complete the following steps:
Log in to the WebLogic Administration console using the following URL:
http://admin_host:admin_port/console
Click Servers.
Select the Oracle Identity Manager server.
Click Server Start, and then click Arguments.
Add the following application module settings for the Oracle Identity Manager Server(s):
-Djbo.ampool.doampooling=true
-Djbo.ampool.minavailablesize=1
-Djbo.ampool.maxavailablesize=120
-Djbo.recyclethreshold=60
-Djbo.ampool.timetolive=-1
-Djbo.load.components.lazily=true
-Djbo.doconnectionpooling=true
-Djbo.txn.disconnect_level=1
-Djbo.connectfailover=false
-Djbo.max.cursors=5
-Doracle.jdbc.implicitStatementCacheSize=5
-Doracle.jdbc.maxCachedBufferSize=19
Note:
The recommended values for the arguments specified assume 100 concurrent users per node. Therefore, the value specified for the argument -Djbo.ampool.maxavailablesize is 120 (that is, 100 * 1.20). If the number of concurrent users per node is different, use the following formula to calculate the value that you must specify for the argument -Djbo.ampool.maxavailablesize:
-Djbo.ampool.maxavailablesize = <Number_of_concurrent_users> * 1.20
Restart the Oracle Identity Manager Server(s). To restart Managed Server(s), stop the server(s) first and start them again.
For more information about stopping a Managed Server, see Section 2.8.1, "Stopping the Managed Server(s)".
For more information about starting a Managed Server, see Section 2.9.3, "Starting the Managed Server(s)".
The upgrade process involves changes to the binaries and to the schema. Therefore, before you begin the upgrade process, you must shut down the Managed Servers, Administration Server, and the Node Manager.
Note:
When shutting down the servers, the following error message might be displayed:
** SOA specific environment is already set. Skipping ...
*********************************************************** OIM specific environment is already set. Skipping ...
The input line is too long.
The syntax of the command is incorrect.
It is recommended that you open a new command prompt and then run the commands for shutting down the servers.
For information about stopping the servers, see "Stopping the Servers".
This section describes different tasks involved in the upgrade process, like upgrading Oracle Identity Manager and Oracle SOA Suite 11.1.1.x.x binaries, creating 11.1.2.2.0 schemas, configuring the security store, upgrading the Oracle Identity Manager middle tier, verifying the upgrade and so on. The tasks in this section should be performed after you complete all the prerequisites described in section Pre-Upgrade.
This section contains the following topics:
Extending Oracle Identity Manager 11.1.1.x.x Component Domains with OPSS Template
Upgrading Oracle Identity Management Schemas Using Patch Set Assistant
Changing the Deployment Order of Oracle Identity Manager EAR
You can upgrade WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6 by using the WebLogic 10.3.6 Upgrade Installer. For information about upgrading Oracle WebLogic Server, see "Upgrading to Oracle WebLogic Server 10.3.6".
Note:
Oracle Identity Manager 11.1.2.2.0 supports Oracle SOA Suite 11.1.1.7.0. Therefore, you must upgrade Oracle SOA Suite to 11.1.1.7.0 if you are not using Oracle SOA Suite 11.1.1.7.0 already.
Oracle Identity Manager 11.1.1.5.0 uses Oracle SOA Suite 11.1.1.5.0, and Oracle Identity Manager 11.1.2.2.0 uses Oracle SOA Suite 11.1.1.7.0. Therefore, this task is needed only if you are upgrading Oracle Identity Manager 11.1.1.5.0 to 11.1.2.2.0.
For information about applying the mandatory Oracle SOA Suite patches for Oracle Identity Manager 11.1.1.7.0, see "Mandatory Patches Required for Installing Oracle Identity Manager" in the Oracle Fusion Middleware Release Notes.
To upgrade your existing Oracle SOA Suite to 11.1.1.7.0, complete the tasks listed in Table 11-11:
Table 11-11 Tasks to Update SOA
Sl No | Task | For More Information |
---|---|---|
1 | Review the system requirements and specifications before you start upgrading Oracle SOA Suite to 11.1.1.7.0. | See, Oracle Fusion Middleware System Requirements and Specifications |
2 | Obtain the Oracle SOA Suite 11.1.1.7.0 installer. | See, Oracle Fusion Middleware Download, Installation, and Configuration ReadMe |
3 | Start the Oracle SOA Suite 11.1.1.7.0 installer. | See, "Start the Installer" in the Oracle Fusion Middleware Patching Guide |
4 | Update the Oracle SOA Suite binaries to 11.1.1.7.0. | See, "Applying the Patch Set" in the Oracle Fusion Middleware Patching Guide |
5 | Apply the mandatory Oracle SOA Suite patches. | See, "Mandatory Patches Required for Installing Oracle Identity Manager" in the Oracle Fusion Middleware Release Notes |
6 | Perform the following post-patching tasks for Oracle SOA Suite: Make sure you have started the WebLogic Administration Server and the SOA Managed Servers before you perform the post-patching tasks. | See the following sections in the Oracle Fusion Middleware Patching Guide for 11g Release 1 (11.1.1.7.0): Post-patching tasks for SOA are not required out-of-the-box. However, you must review them and apply per your functional requirements. |
To upgrade Oracle Identity Manager binaries to 11.1.2.2.0, you must use the Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) Installer. During the procedure, point the Middleware Home to your existing 11.1.1.x.x Middleware Home. Your Oracle Home is upgraded from 11.1.1.x.x to 11.1.2.2.0.
Note:
Before upgrading the Oracle Identity Manager binaries to 11g Release 2 (11.1.2.2.0), you must ensure that the OPatch version in ORACLE_HOME and MW_HOME/oracle_common is 11.1.0.9.9. Different OPatch version might cause patch application failure. If you have upgraded opatch to a newer version, you will have to roll back to version 11.1.0.9.9.
For information about upgrading Oracle Identity Manager 11g Release 1 (11.1.1.x.x), see Section 2.4, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.2.0)".
After the binary upgrade, check the installer logs at the following location:
On UNIX: ORACLE_INVENTORY_LOCATION/logs
To find the location of the Oracle Inventory directory on UNIX, check the file ORACLE_HOME/oraInst.loc.
On Windows: ORACLE_INVENTORY_LOCATION\logs
The default location of the Oracle Inventory Directory on Windows is C:\Program Files\Oracle\Inventory\logs.
The following install log files are written to the log directory:
installDATE-TIME_STAMP.log
installDATE-TIME_STAMP.out
installActionsDATE-TIME_STAMP.log
installProfileDATE-TIME_STAMP.log
oraInstallDATE-TIME_STAMP.err
oraInstallDATE-TIME_STAMP.log
You must create Oracle Platform Security Services (OPSS) schema using Repository Creation Utility (RCU) 11.1.2.2.0, as Oracle Identity Manager upgrade process involves OPSS schema policy store changes. Keys, roles, permissions, and other artifacts used by the applications must migrate to the policy store.
To create OPSS schema using Repository Creation utility, do the following:
Obtain the RCU.
For information about obtaining the RCU software, see Oracle Identity and Access Management Download, Installation, and Configuration ReadMe for 11g Release 2 (11.1.2.2.0).
Start the RCU.
For information about starting the RCU, see "Starting RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Create the OPSS schema.
For information about creating schemas, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Note:
In the Select Components screen, expand AS Common Schemas and select Oracle Platform Security Services. Make sure you do not select any other components.
The Metadata Services schema is selected automatically. Deselect it and ignore the following message:
Following components require Metadata Services schema: Oracle Platform Security Services.
You must upgrade the Oracle Platform Security Services schemas using Patch Set Assistant. To do this, complete the following steps:
Note:
Before you upgrade Oracle Platform Security Services schemas, make sure that the SOAINFRA schema owner has execute privileges on sys.dbms_lob. If not, grant execute privileges to the SOAINFRA schema owner on sys.dbms_lob by running the following command:
grant execute on sys.dbms_lob to *_SOAINFRA;
Start the Patch Set Assistant from the location MW_HOME/oracle_common/bin using the following command:
./psa
Select opss.
Specify the Database connection details, and select the schema to be upgraded.
After you upgrade Oracle Platform Security Services schema, verify the upgrade by checking the log file at the location MW_HOME/oracle_common/upgrade/logs/psa<timestamp>.log.
The timestamp refers to the actual date and time when Patch Set Assistant was run. If the upgrade fails, check the log files to rectify the errors and run the Patch Set Assistant again.
Oracle Identity Manager 11.1.2.2.0 uses the database to store Oracle Platform Security Service policies. This requires extending the 11.1.1.x.x Oracle Identity Manager domain to include the OPSS data source.
To do so, complete the following steps:
Run the following command to launch the Oracle Fusion Middleware configuration wizard:
On UNIX:
./config.sh
It is located in the <MW_HOME>/<Oracle_IDM1>/common/bin directory.
On Windows:
config.cmd
It is located in the <MW_HOME>\<Oracle_IDM1>\common\bin directory.
On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.
On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured the components. Click Next. The Select Extension Source screen is displayed.
On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next.
The Configure JDBC Data Sources screen is displayed. Configure the opssDS data source, as required. After the test succeeds, the Configure JDBC Component Schema screen is displayed.
On the Configure JDBC Component Schema screen, select the Oracle Platform Security Services schema.
You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.
The Test JDBC Component Schema screen is displayed. After the test succeeds, the Select Optional Configuration screen is displayed.
On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything as you have already configured in your Oracle Identity Manager 11.1.1.x.x environment. Click Next.
On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.
Your existing Oracle Identity Manager domain is extended to support Oracle Platform Security Services (OPSS).
After you extend the Oracle Identity Manager component domains with OPSS template, you must upgrade Oracle Platform Security Services (OPSS).
Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Identity Manager to 11.1.2.2.0. It upgrades the jps-config.xml file and policy stores.
For information about upgrading Oracle Platform Security Services, see Section 2.7, "Upgrading Oracle Platform Security Services".
You must configure the database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0). This is done by running the configureSecurityStore.py script.
For information about configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must upgrade Oracle Identity Manager schema using Patch Set Assistant (PSA). When you select the Oracle Identity Manager Schema, it automatically selects all dependent schemas and upgrades them too.
For information about upgrading schemas using the Patch Set Assistant, see Upgrading Schemas Using Patch Set Assistant.
After you upgrade schemas, verify the upgrade by checking the version numbers of the schemas as described in Version Numbers After Upgrading Schemas.
Run the following query and ensure that the version numbers are upgraded, as listed in Table 11-12:
select version,status,upgraded from schema_version_registry where owner='<SCHEMA_NAME>';
Table 11-12 Component Version Numbers After Upgrading the Schemas
Component | Version No. |
---|---|
OPSS | 11.1.1.7.2 |
MDS | 11.1.1.7.0 |
Oracle Identity Manager | 11.1.2.2.0 |
ORASDPM | 11.1.1.7.0 |
SOAINFRA | 11.1.1.7.0 (Make sure that you have upgraded SOA schemas as described in Section 2.6, "Upgrading Schemas Using Patch Set Assistant") |
Note:
Do not start the Oracle Identity Manager Managed Servers.
After the upgrade is complete, start the WebLogic Administration Server, the Administration Server for the domain that contains Oracle Identity Management, and SOA Managed Server.
Note:
If you are upgrading Oracle Identity Manager high availability environments and if you are using Oracle Automatic Storage Management Cluster File System (Oracle ACFS), you must start only one SOA Managed Server before running the middle tier upgrade utility.
Note:
When you start the servers, the following error message might be displayed:
** SOA specific environment is already set. Skipping ...
*********************************************************** OIM specific environment is already set. Skipping ...
The input line is too long.
The syntax of the command is incorrect.
It is recommended that you open a new command prompt and then run the commands for starting the servers.
For information about starting the Administration Server and SOA Managed server, see Section 2.9, "Starting the Servers".
To upgrade the Oracle Identity Manager middle tier, you must update the properties file with the necessary parameters, and then run the command as described in this section.
Note:
Before you upgrade the Oracle Identity Manager middle tier, make sure that the WebLogic Administration Server and the SOA Managed Server(s) are running. It is recommended that the Oracle Identity Manager Managed Server is not running at this point.
Note:
The execution is re-entrant and will resume with correct execution even if there is any interruption in between.
To upgrade Oracle Identity Manager Middle Tier to 11.1.2.2.0, do the following:
Move from your present working directory to the <OIM_ORACLE_HOME>/server/bin directory by running the following command on the command line:
cd <OIM_ORACLE_HOME>/server/bin
Edit the following upgrade properties file in a text editor:
oim_upgrade_input.properties
Add the parameters, as listed in Table 11-13.
Run the following command:
./OIMUpgrade.sh
When you run this command, you will need to enter password for OIM schema user, MDS schema user, WebLogic admin user and SOA admin user.
Note:
The following warning is displayed:
[WARN] [jrockit] PermSize=128M ignored: Not a valid option for JRockit
[WARN] [jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit
You can ignore this message.
Move from your present working directory to the <OIM_ORACLE_HOME>\server\bin directory by running the following command on the command line:
cd <OIM_ORACLE_HOME>\server\bin
Edit the following upgrade properties file in a text editor:
oim_upgrade_input.properties
Add the parameters, as listed in Table 11-13.
Run the following command:
OIMUpgrade.bat
When you run this command, you will need to enter password for OIM schema user, MDS schema user, WebLogic admin user and SOA admin user.
Note:
The following warning is displayed:
[WARN] [jrockit] PermSize=128M ignored: Not a valid option for JRockit
[WARN] [jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit
You can ignore this message.
Table 11-13 Oracle Identity Manager Middle Tier Upgrade Parameters
Parameter | Description |
---|---|
 | Specify the JAVA HOME location. |
 | Specify the Application Server that you are using. For example, if you are using Oracle WebLogic Server, specify As this document describes the procedure to upgrade Oracle Identity Manager on WebLogic, you must specify |
 | Specify the Oracle Identity Manager JDBC URL. |
 | Specify the Oracle Identity Manager schema owner. |
 | Specify the MDS JDBC URL. |
 | Specify the MDS schema owner name. |
 | Specify the Oracle WebLogic Server Administration host name. |
 | Specify the Oracle WebLogic Server Administration port. |
 | Specify the username that is used to log in to the Oracle WebLogic Server Administration Console. |
 | Specify the SOA host name where SOA Server is running. |
 | Specify the SOA Server port. |
 | Specify the SOA Managed Server username. |
 | Specify the Oracle Identity Manager domain location. |
 | Specify the Oracle OIM Home location. |
 | Specify the Oracle Middleware Home location. |
 | Specify the Oracle SOA Home location. |
 | Specify the WebLogic Home location. |
Example Parameters
java.home=/u01/jrockit-jdk1.6.0_24-R28.1.3-4.0.1
server.type=wls
oim.jdbcurl=db.example.com:1522:oimdb
oim.oimschemaowner=test_oim
oim.oimmdsjdbcurl=db.example.com:1522:oimdb
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=oimhost.example.com
oim.adminUserName=weblogic
oim.soahostmachine=soahost.example.com
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/scratch/Oracle/Middleware/user_projects/domains/base_domain
oim.home=/scratch/Oracle/Middleware/Oracle_IDM1
oim.mw.home=/scratch/Oracle/Middleware
soa.home=/scratch/Oracle/Middleware/Oracle_SOA1
wl.home=/scratch/Oracle/Middleware/wlserver_10.3
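The following pre-flight check for oim_upgrade_input.properties is an added example, not part of Oracle's documentation or tooling. It uses the key names from the example parameters above and flags any credential-like key, because the upgrade command prompts for passwords at run time. The accepted JDBC URL forms, the absolute-path rule and the credential-key pattern are assumptions of this example.

```python
import re

# Key names as they appear in the page's "Example Parameters" listing.
REQUIRED_KEYS = (
    "java.home", "server.type", "oim.jdbcurl", "oim.oimschemaowner",
    "oim.oimmdsjdbcurl", "oim.mdsschemaowner", "oim.adminport",
    "oim.adminhostname", "oim.adminUserName", "oim.soahostmachine",
    "oim.soaportnumber", "oim.soausername", "oim.domain", "oim.home",
    "oim.mw.home", "soa.home", "wl.home",
)
PORT_KEYS = ("oim.adminport", "oim.soaportnumber")
JDBC_KEYS = ("oim.jdbcurl", "oim.oimmdsjdbcurl")
PATH_KEYS = ("java.home", "oim.domain", "oim.home", "oim.mw.home",
             "soa.home", "wl.home")

# key=value or key:value; lines starting with '#' or '!' are comments.
LINE = re.compile(r"^\s*([^=:\s#!][^=:\s]*)\s*[=:]\s*(.*?)\s*$")
# Assumption: host:port:sid (as in the page's example) or host:port/service.
JDBC = re.compile(r"^[A-Za-z0-9.-]+:([0-9]{1,5})[:/][\w.$#-]+$")
ABS_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")
# Assumption: key names that suggest a stored credential.
SECRET_KEY = re.compile(r"passw|pwd|secret", re.IGNORECASE)

# The example parameters from this page, one per line.
PAGE_EXAMPLE = """\
java.home=/u01/jrockit-jdk1.6.0_24-R28.1.3-4.0.1
server.type=wls
oim.jdbcurl=db.example.com:1522:oimdb
oim.oimschemaowner=test_oim
oim.oimmdsjdbcurl=db.example.com:1522:oimdb
oim.mdsschemaowner=test_mds
oim.adminport=7001
oim.adminhostname=oimhost.example.com
oim.adminUserName=weblogic
oim.soahostmachine=soahost.example.com
oim.soaportnumber=8001
oim.soausername=weblogic
oim.domain=/scratch/Oracle/Middleware/user_projects/domains/base_domain
oim.home=/scratch/Oracle/Middleware/Oracle_IDM1
oim.mw.home=/scratch/Oracle/Middleware
soa.home=/scratch/Oracle/Middleware/Oracle_SOA1
wl.home=/scratch/Oracle/Middleware/wlserver_10.3
"""


def parse_properties(text):
    """Return (props, duplicates); a later duplicate overrides an earlier one."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue
        key, value = match.groups()
        if key in props:
            duplicates.append(key)
        props[key] = value
    return props, duplicates


def valid_port(value):
    return bool(re.fullmatch(r"[0-9]{1,5}", value)) and 1 <= int(value) <= 65535


def validate(text):
    """Return a list of findings; an empty list means the file passed."""
    props, duplicates = parse_properties(text)
    findings = [f"duplicate key: {key}" for key in duplicates]
    for key in REQUIRED_KEYS:
        if not props.get(key):
            findings.append(f"missing or empty: {key}")
    # The page's example uses "wls" for Oracle WebLogic Server.
    if props.get("server.type") not in (None, "", "wls"):
        findings.append(f"unexpected server.type: {props['server.type']}")
    for key in PORT_KEYS:
        value = props.get(key)
        if value and not valid_port(value):
            findings.append(f"bad port: {key}={value}")
    for key in JDBC_KEYS:
        value = props.get(key)
        if value:
            match = JDBC.match(value)
            if not match or not valid_port(match.group(1)):
                findings.append(f"bad JDBC URL: {key}={value}")
    for key in PATH_KEYS:
        value = props.get(key)
        if value and not ABS_PATH.match(value):
            findings.append(f"not an absolute path: {key}={value}")
    # Report only the key name so the stored value is never echoed.
    for key in props:
        if SECRET_KEY.search(key):
            findings.append(f"credential stored in file: {key}")
    return findings


if __name__ == "__main__":
    for finding in validate(PAGE_EXAMPLE) or ["no findings"]:
        print(finding)
```
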
Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:
Verify the log files at the following location, by looking for error or warning messages:
On UNIX:
<OIM_HOME>/server/upgrade/logs/MT
On Windows:
<OIM_HOME>\server\upgrade\logs\MT
The following log files are generated:
ant_ApplicationDB.log
ant_grantPermissionsUpgrade.log
ant_JRF.log
ant_PatchClasspath.log
ant_soaOIMLookupDB.log
OIMUpgrade<timestamp>.log
SeedSchedulerData.log
No error message is displayed if the middle tier upgrade was successful.
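One way to automate this log review, as an added example that is not Oracle's tooling: it checks that the listed log files exist, reports suspicious lines, and skips the two JRockit PermSize warnings that this chapter says can be ignored. The keyword pattern for suspicious lines and the sample log contents are constructed assumptions, since the real log format is not shown on this page.

```python
import os
import re
import tempfile

# File names listed on this page for <OIM_HOME>/server/upgrade/logs/MT.
EXPECTED_LOGS = (
    "ant_ApplicationDB.log", "ant_grantPermissionsUpgrade.log", "ant_JRF.log",
    "ant_PatchClasspath.log", "ant_soaOIMLookupDB.log", "SeedSchedulerData.log",
)
UPGRADE_LOG = re.compile(r"^OIMUpgrade.+\.log$")  # OIMUpgrade<timestamp>.log

# Assumption: problems surface as lines containing one of these words.
SUSPECT = re.compile(r"\b(error|severe|warn|warning|exception|failed)\b", re.I)

# The two JRockit warnings this chapter says can be ignored.
BENIGN = re.compile(
    r"\[WARN\] \[jrockit\] (Max)?PermSize=\S+ ignored: "
    r"Not a valid option for JRockit"
)


def scan_mt_logs(log_dir):
    """Return missing expected logs and (file, line number, text) findings."""
    names = sorted(os.listdir(log_dir))
    missing = [name for name in EXPECTED_LOGS if name not in names]
    if not any(UPGRADE_LOG.match(name) for name in names):
        missing.append("OIMUpgrade<timestamp>.log")
    findings = []
    for name in names:
        path = os.path.join(log_dir, name)
        if not (name.endswith(".log") and os.path.isfile(path)):
            continue
        with open(path, encoding="utf-8", errors="replace") as handle:
            for lineno, line in enumerate(handle, 1):
                text = line.rstrip("\n")
                if SUSPECT.search(text) and not BENIGN.search(text):
                    findings.append((name, lineno, text))
    return {"missing": missing, "findings": findings}


def build_constructed_logs(log_dir):
    """Write constructed sample logs (not real OIM output) for the demo."""
    # SeedSchedulerData.log is left out on purpose to show the missing check.
    samples = {name: "BUILD SUCCESSFUL\n" for name in EXPECTED_LOGS[:-1]}
    samples["OIMUpgrade_constructed.log"] = (
        "[WARN] [jrockit] PermSize=128M ignored: Not a valid option for JRockit\n"
        "[WARN] [jrockit] MaxPermSize=256M ignored: Not a valid option for JRockit\n"
        "INFO: constructed progress line\n"
        "SEVERE: constructed failure line\n"
    )
    for name, body in samples.items():
        with open(os.path.join(log_dir, name), "w", encoding="utf-8") as handle:
            handle.write(body)


def run_constructed_demo():
    """Build the sample directory, scan it, and return the scan result."""
    with tempfile.TemporaryDirectory() as log_dir:
        build_constructed_logs(log_dir)
        return scan_mt_logs(log_dir)


if __name__ == "__main__":
    result = run_constructed_demo()
    for name in result["missing"]:
        print("missing log:", name)
    for name, lineno, text in result["findings"]:
        print(f"{name}:{lineno}: {text}")
```
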
OIMUpgrade.sh creates a detailed report. Complete the following steps to verify the Oracle Identity Manager Middle Tier upgrade:
Go to the following path:
On UNIX:
<Oracle_IDM1>/server/upgrade/logs/MT/oimUpgradeReportDir
On Windows:
<Oracle_IDM1>\server\upgrade\logs\MT\oimUpgradeReportDir
Click index.html.
This contains a list of all Oracle Identity Manager features and the upgrade status of the last middle tier run, in a table format.
Click on the corresponding link of each feature for a detailed feature report.
Table 11-14 Middle Tier Upgrade Report
Feature | Name | Description |
---|---|---|
|
This report provides a list of features and their upgrade status, from the last run. Access the detailed feature report through the corresponding link on each feature. |
|
|
|
This report provides details of all domain related changes during the upgrade process. The changes are:
|
|
|
This report provides details of roles processed on the basis of Search Rule, prepared from Rule Elements, defined in the Rules. |
|
|
The following request stages are no longer supported:
This report lists the following:
|
|
|
This report lists object names processed during upgrade with names of the associated Horizontal Table Name, Recon Profile Name, and Entity Definition Name. |
|
NA |
New OOTB SOA Composites deployed:
|
|
NA |
This report lists the addition of the following Task Definitions and Scheduler Jobs:
|
|
|
This report provides a list of access policy names and the corresponding resource objects, processed during upgrade along with DNLA flag value. Set the value as 1 if DNLA is set, 0 if RNLA is set. |
|
NA |
Oracle Identity Manager Metadata present in Oracle Identity Manager MDS is updated with the latest namespace to keep it in consonance with changes in XSD Schemas. |
|
NA |
Oracle Identity Manager Application configuration, kept in the metadata location |
|
NA |
DDL changes in the ORCHPRCESS TABLE. Data from the old context columns (ContextId) is transformed and moved to new context column (ContextVal). |
|
|
This report provides a list of the certification records processed during the upgrade of snapshot data. |
|
|
This report provides the list of the requests that are in request or operational level approval stage. In addition, the report provides upgrade status. |
|
|
This report provides the list of the inflight requests in 11.1.1.x.x requests that are in either request or operational level approval stage. In addition, the report provides upgrade status. |
PREFIX_NOT_AVLBL_ReconUpgrade |
|
This report provides the list of the success/failure of 11.1.2.2.0-based Recon Profile creation for the resource objects defined in 11.1.1.x.x. |
PREFIX_NOT_AVLBL_ACCESSPOLICY |
|
This report provides the list of the access policy names and the corresponding resource objects processed during upgrade along with DNLA flag value (set to 1 if DNLA is set, 0 if RNLA is set). |
You must change the deployment order of oim.ear from 47 to 48. Complete the following steps to do so:
Log in to the WebLogic console.
Click Deployments in the left pane.
Click oim.ear.
Update the deployment order from 47 to 48, and click Save.
To restart the Administration Server and Managed Servers, you must stop them first before starting them again.
To stop the servers, see Shutting Down Node Manager, Administration Server and Managed Servers.
To start the servers, see Starting the Administration Server and SOA Managed Server.
Things to Check on the WebLogic Console After Starting the Administration Server
Check the new data source added:
Log in to WebLogic console.
Click Data Sources.
Verify the data source given below:
Name | Type | JNDI Name | Targets |
---|---|---|---|
ApplicationDBDS | Generic | jdbc/ApplicationDBDS | oim_server1 (for single node upgrade) |
Check for SOA Foreign JNDI provider
Log in to WebLogic console.
Click Foreign JNDI Providers.
Verify the existence of Foreign JNDI providers given below:
Name | Initial Context Factory | Provider URL | User | Targets |
---|---|---|---|---|
ForeignJNDIProvider-SOA | weblogic.jndi.WLInitialContextFactory | For single node upgrade:
For cluster upgrade:
|
WebLogic | oim_server1 (for single node upgrade)
|
Note:
If you are upgrading Oracle Identity Manager High Availability environments, the Provider URL may contain the host and port of soa_server1 only. In that case, you must add the host and port of soa_server2 to the Provider URL manually.
Check the order of the EARs
Log in to WebLogic console.
Click Deployments.
Verify the deployment order for the following list respectively:
Name | State | Health | Type | Deployment Order |
---|---|---|---|---|
oim (11.1.1.3.0) | Active | OK | Enterprise Application | 48 |
OIMAppMetadata (11.1.2.0.0) | Active | OK | Enterprise Application | 47 |
OIMMetadata (11.1.1.3.0) | Active | OK | Enterprise Application | 46 |
oracle.iam.console.identity.sysadmin.ear (V2.0) | Active | OK | Enterprise Application | 406 |
oracle.iam.console.identity.self-service.ear (V2.0) | Active | OK | Enterprise Application | 405 |
oracle.iam.ui.custom(11.1.1,11.1.1) | Active | | Library | 404 |
oracle.iam.ui.oia-view(11.1.1,11.1.1) | Active | | Library | 403 |
oracle.iam.ui.view(11.1.1,11.1.1) | Active | | Library | 402 |
oracle.iam.ui.model(1.0,11.1.1.5.0) | Active | | Library | 401 |
Oracle Identity Manager 11.1.1.x.x MDS metadata must be upgraded to Oracle Identity Manager 11.1.2.2.0 MDS metadata. Starting the Oracle Identity Manager Managed Servers patches the MDS metadata.
To start the Managed Servers, do the following:
On UNIX:
Move from your present working directory to the <MW_HOME>/user_projects/domains/<domain_name>/bin directory by running the following command on the command line:
cd <MW_HOME>/user_projects/domains/<domain_name>/bin
Run the following command to start the Servers:
Note:
Enter the username and password when prompted.
./startManagedWebLogic.sh <managed_server_name>
where <managed_server_name> is the name of the Managed Server.
On Windows:
Move from your present working directory to the <MW_HOME>\user_projects\domains\<domain_name>\bin directory by running the following command on the command line:
cd <MW_HOME>\user_projects\domains\<domain_name>\bin
Run the following command to start the Managed Servers:
Note:
Enter the username and password when prompted.
startManagedWebLogic.cmd <managed_server_name>
where <managed_server_name> is the name of the Managed Server.
For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Check MDS reports in the following location:
On UNIX:
<OIM_ORACLE_HOME>/server/logs/MDS_REPORT_DIRECTORY/MDSReport.html
On Windows:
<OIM_ORACLE_HOME>\server\logs\MDS_REPORT_DIRECTORY\MDSReport.html
The Oracle Identity Manager Design Console is used to configure system settings that control the system-wide behavior of Oracle Identity Manager and affect its users. The Design Console allows you to perform user management, resource management, process management, and other administration and development tasks.
Oracle recommends that you install Oracle Identity Manager and the Design Console in different directory paths, if the Design Console is on the same system as Oracle Identity Manager server.
To upgrade Design Console, complete the following steps:
Back up the following files:
On UNIX, $<XLDC_HOME>/xlclient.sh
$<XLDC_HOME>/config/xlconfig.xml
On Windows, <XLDC_HOME>\xlclient.cmd
<XLDC_HOME>\config\xlconfig.xml
Run the Oracle Identity and Access Management 11.1.2.2.0 Installer to upgrade the Design Console home <XLDC_HOME>.
For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Restore the backed up files xlclient.sh/xlclient.cmd and xlconfig.xml to the upgraded Design Console home.
Build and copy the wlfullclient.jar file as follows:
Go to WebLogic_Home/server/lib directory on UNIX and WebLogic_Home\server\lib directory on Windows.
Set the JAVA_HOME environment variable and add the JAVA_HOME variable to the PATH environment variable.
For example, you can set the JAVA_HOME to the jdk160_21 directory inside the Middleware home.
On UNIX:
setenv JAVA_HOME $MW_HOME/jdk160_29
On Windows:
SET JAVA_HOME=<MW_HOME>\jdk160_29
Run the following command to build the wlfullclient.jar file:
java -jar <MW_HOME>/modules/com.bea.core.jarbuilder_1.7.0.0.jar
Copy the wlfullclient.jar file to the <IAM_HOME> where you installed the Design Console. For example:
On UNIX:
cp wlfullclient.jar <Oracle_IDM2>/designconsole/ext
On Windows:
copy wlfullclient.jar <Oracle_IDM2>\designconsole\ext
Complete the following steps to upgrade Remote Manager:
Back up configuration files.
Before starting the Remote Manager upgrade, back up the following Remote Manager configuration files:
On UNIX, $<XLREMOTE_HOME>/remotemanager.sh
$<XLREMOTE_HOME>/xlremote/config/xlconfig.xml file.
On Windows, <XLREMOTE_HOME>\remotemanager.bat
<XLREMOTE_HOME>\xlremote\config\xlconfig.xml file.
Run the Oracle Identity and Access Management Installer to upgrade the Remote Manager home.
For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2.2.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Restore the backed up configuration files, remotemanager.sh/remotemanager.bat and xlconfig.xml, in the upgraded Remote Manager home.
To use reports on Oracle Identity Manager 11g Release 2 (11.1.2.2.0), you must install Oracle BI Publisher 11g Release 1 (11.1.1.7.1). To install Oracle BI Publisher 11g Release 1 (11.1.1.7.1), you must first install Oracle BI Publisher 11g Release 1 (11.1.1.7.0), and then apply the patch for Oracle BI Publisher 11g Release 1 (11.1.1.7.1) using OPATCH. To do this, complete the following steps:
Back up the following Oracle Identity Manager reports directories:
$BI_PUBLISHER_HOME/Middleware/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/Oracle Identity Manager/
$ORACLE_BI_PUBLISHER_HOME/Middleware/user_projects/domains/bifoundation_domain/config/bipublisher/repository/Reports/BIP Sample Data/
Note:
The location of Oracle Business Intelligence Reports directory may differ based on the installation location of BI Publisher.
Obtain Oracle BI Publisher 11g Release 1 (11.1.1.7.0) from the following location:
Install Oracle BI Publisher 11g Release 1 (11.1.1.7.0). For more information about installing Oracle BI Publisher 11g Release 1 (11.1.1.7.0), see Oracle Fusion Middleware Installation Guide for Oracle Business Intelligence.
Apply the patch number 16556157 to patch Oracle BI Publisher 11g Release 1 (11.1.1.7.0) to Oracle BI Publisher 11g Release 1 (11.1.1.7.1). The patch 16556157 can be downloaded at the following URL:
For patching instructions, refer to the README.txt file that is provided with the patch.
Note:
For more information about deploying BI Reports, see "Deploying Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
For more information about using the reporting features, see "Using Reporting Features" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Complete the following steps to deploy Oracle Identity Manager BI Publisher Reports:
Obtain the reports bundle oim_product_BIP11gReports_11_1_2_0_0.zip from the following location:
MW_HOME/IAM_HOME/server/reports/oim_product_BIP11gReports_11_1_2_0_0.zip
Unzip oim_product_BIP11gReports_11_1_2_0_0.zip at the following location:
IAM_HOME/Middleware/user_projects/domains/domain_name/config/bipublisher/repository/Reports/
Configure reports by following the instructions in "Configuring Oracle Identity Manager Reports" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This section contains the following topics:
Impact of Removing Approver-Only Attribute in Request Data Set
Changes to Request API After Upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.2.0)
Provisioning Oracle Identity Management Login Modules Under WebLogic Server Library Directory
After upgrading from Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0:
The names of the following EARs remain unchanged from Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0:
Oracle Identity Manager Metadata (11.1.1.3.0)
Oracle Identity Manager (11.1.1.3.0)
There is no functional loss.
All of the resources provisioned to an organization in Oracle Identity Manager 11.1.1.x.x are available in Provisioned Accounts after upgrading to Oracle Identity Manager 11.1.2.2.0. To view them, go to the following path:
Connect to the Oracle Identity Manager Identity console.
Go to Administration.
Select Organizations.
Search for organizations.
Select any organization.
Go to Provisioned Accounts to see all Oracle Identity Manager 11.1.1.x.x based resources, provisioned to an organization.
In Oracle Identity Manager 11.1.1.x.x, data object permission was shown in the Administration Console under Roles.
In Oracle Identity Manager 11.1.2.2.0, data object permission is not shown.
Oracle Identity Manager 11.1.2.2.0 based Oracle Identity Manager reports are supported in BI Publisher 11g.
If you are using Oracle Database, you must check for the INVALID schema objects, and compile them if there are any. To do this, complete the following steps:
Identify the INVALID schema objects by running the following SQL query as SYS user:
SELECT owner,object_type,object_name,status FROM dba_objects WHERE status='INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;
If there are any INVALID schema objects, you must compile them by connecting to the database as SYS user, and running the following from SQL*Plus:
@<$Oracle_Database_Home_Location>/rdbms/admin/utlrp.sql
After running utlrp.sql, run the SQL query described in step 1 to ensure that there are no INVALID database objects.
After you upgrade OIM 11.1.1.x.x to 11.1.2.2.0, you must manually create the sysadmin key using Oracle Enterprise Manager console. To do this, complete the following steps:
Log in to the Oracle Enterprise Manager console using the following URL:
http://<host>:<port>/em
Select Farm_base_domain.
Expand WebLogic Domain on the Target Navigation pane.
Click base_domain.
Click on the WebLogic Domain drop-down list.
Click Security, and then click Credentials.
Select oracle.wsm.security.
Click Create Key.
Specify the right values for the following fields:
Select Map: Select oracle.wsm.security for this field.
*Key: Specify OIMAdmin.
Type: Select Password.
*User Name: Specify the username of the system administrator. For example, xelsysadm.
*Password: Specify the password of the system administrator.
*Confirm Password: Retype the password to confirm.
Click OK.
Removing the approver-only attribute in the Request Data Set results in the following:
Before upgrade: The requester cannot see attributes marked approver-only='true' during request submission.
After upgrade: The requester must provide the value during request submission.
All attributes in the request data sets marked with required=true and approver-only=true should be marked as required=false in the data set.
Make the required fields mandatory in the approver screen through user interface customization.
For information about attributes in the request data sets marked with required=true, see Section 11.4.11.2, "User Interface Customization for 11.1.1.x.x Mandatory UDF and OOTB Attributes".
You must manually add LDAP Sync Validation Handler. To do so, complete the following steps:
Export the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
exportAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
Add the following section to EventHandlers.xml by editing the file in a text editor. Save the file:
<validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="MODIFY" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">
</validation-handler>
<validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="CREATE" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">
</validation-handler>
Import the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
importAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
You must manually remove the RDN pre-process handler. To do so, complete the following steps:
Export the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
exportAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
Remove the following section from EventHandlers.xml by editing the file in a text editor. Save the file:
<action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
</action-handler>
<action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="MODIFY" name="ModifyUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
</action-handler>
Import the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
importAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
If you have any custom validation handlers in your environment, ensure that the validation is re-entrant. For more information, see "Writing Custom Validation Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
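The two EventHandlers.xml edits described above (adding the LDAP Sync validation handlers and removing the RDN pre-process handlers) can be applied and checked with a script before the file is imported again. The following is an added example, not Oracle-supplied code; the root element name, the custom handler in the sample, and appending the new handlers at the end of the root element are assumptions.

```python
import xml.etree.ElementTree as ET

PKG = "oracle.iam.ldapsync.impl.eventhandlers.user."
VALIDATION_CLASS = PKG + "UserCommonNameValidationHandler"
RDN_CLASS = PKG + "RDNPreProcessHandler"
REQUIRED_OPS = ("MODIFY", "CREATE")

# Constructed sample of an exported file. The root element name and the
# com.example handler are assumptions; the ldapsync entries use the
# attributes shown in the procedure.
SAMPLE = """<eventhandlers>
  <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration"
      class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler"
      entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler"
      stage="preprocess" sync="TRUE" order="10000"/>
  <action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration"
      class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler"
      entity-type="User" operation="MODIFY" name="ModifyUserRDNPreProcessHandler"
      stage="preprocess" sync="TRUE" order="10000"/>
  <validation-handler
      class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler"
      entity-type="User" operation="MODIFY" name="UserCommonNameValidationHandler"
      order="1005" sync="TRUE"/>
  <action-handler class="com.example.CustomAuditHandler" entity-type="User"
      operation="CREATE" name="CustomAuditHandler" stage="postprocess"
      sync="TRUE" order="2000"/>
</eventhandlers>"""


def _local(tag):
    """Element name without any {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def _state(root):
    """Names of RDN pre-process handlers, and operations already validated."""
    rdn = [e.get("name") for e in root.iter()
           if _local(e.tag) == "action-handler" and e.get("class") == RDN_CLASS]
    ops = {e.get("operation") for e in root.iter()
           if _local(e.tag) == "validation-handler"
           and e.get("class") == VALIDATION_CLASS}
    return rdn, ops


def verify(xml_text):
    """Return a list of problems; an empty list means both edits are in place."""
    rdn, ops = _state(ET.fromstring(xml_text))
    problems = ["RDN pre-process handler still present: %s" % n for n in rdn]
    problems += ["validation handler missing for operation %s" % op
                 for op in REQUIRED_OPS if op not in ops]
    return problems


def apply_changes(xml_text):
    """Apply both edits idempotently; returns (new_xml, removed, added).

    ElementTree drops XML comments, so keep the exported original as a backup.
    """
    root = ET.fromstring(xml_text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace on output
    removed = []
    for parent in list(root.iter()):
        for child in list(parent):
            if (_local(child.tag) == "action-handler"
                    and child.get("class") == RDN_CLASS):
                parent.remove(child)
                removed.append(child.get("name"))
    _, ops = _state(root)
    added = []
    tag = "{%s}validation-handler" % ns if ns else "validation-handler"
    for op in REQUIRED_OPS:
        if op not in ops:
            # Assumption: appended as the last child of the root element.
            ET.SubElement(root, tag, {
                "class": VALIDATION_CLASS, "entity-type": "User",
                "operation": op, "name": "UserCommonNameValidationHandler",
                "order": "1005", "sync": "TRUE"})
            added.append(op)
    return ET.tostring(root, encoding="unicode"), removed, added


if __name__ == "__main__":
    print("before:", verify(SAMPLE))
    new_xml, removed, added = apply_changes(SAMPLE)
    print("removed:", removed, "added:", added)
    print("after:", verify(new_xml))
```

Running `verify` on the edited file before `importAccessData` catches a half-applied change, and unrelated handlers such as the sample's custom one are left untouched.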
If you have any custom user name policy configured in your environment, see "Writing Custom User Name Policy" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager to ensure the following:
Use the recommended oracle.iam.identity.usermgmt.api.UserNameGenerationPolicy interface to implement the policy, instead of using oracle.iam.identity.usermgmt.api.UserNamePolicy.
Ensure that the custom user name policy returns the same user login when the approver updates an attribute that does not contribute to generating the user login.
As part of Oracle Identity Manager 11g Release 2 (11.1.2.2.0) architecture, changes are introduced to RequestService and UnauthenticatedRequestService APIs in terms of usage and in terms of concepts involved. Request Template concept is no longer part of Oracle Identity Manager 11g Release 2 (11.1.2.2.0) and some methods in these APIs are deprecated. Also, RequestTemplateService API is completely deprecated.
This section contains the following topics:
The following is a list of API methods deprecated in RequestService:
public List<String> getTemplateNames()
throws RequestServiceException
public RequestModel getModelForTemplate(String templateName)
throws RequestServiceException
public RequestDataSet getRestrictedDataSet(String templateName, String entityType)
throws RequestServiceException
public RequestTemplate getTemplate(String templateName)
throws RequestServiceException
public void updateApproverOnlyData(String reqId, List<RequestBeneficiaryEntity> benEntities, List<RequestEntity> reqEntities)
throws RequestServiceException
public List<String> getTemplateNamesForSelf()
throws RequestServiceException
public List<RequestTemplate> getRequestTemplates(RequestTemplateSearchCriteria searchCriteria, Set<String> returnAttrs, Map<String,Object> configParams)
throws RequestServiceException
The following is a list of API methods deprecated due to storing comments in SOA Human Task comments feature:
public void addRequestComment(String reqId, RequestComment comment)
throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId)
throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId, RequestComment.TYPE type)
throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId, String taskId, RequestComment.TYPE type)
throws RequestServiceException
The following is a list of API methods deprecated in UnauthenticatedRequestService:
public List<String> getTemplateNames()
throws RequestServiceException
public RequestTemplate getTemplate(String templateName)
throws RequestServiceException
public RequestDataSet getRestrictedDataSet(String templateName, String entitySubType)
throws RequestServiceException
Request types which were used to perform SELF operations have been deprecated. These operations include the following:
Self Modify User
Self Assign Roles
Self Remove Roles
Self Provision Resource
Self De-provision Resource
Self Modify Resource
You can continue with these operations by using the corresponding non-self request types.
The only method that has changes in usage is RequestService.submitRequest()/UnauthenticatedRequestService.submitRequest(). The API method signature remains the same. However, the way RequestData value objects are created has changed. The changes are covered in the following sections:
Changes to entity-type include the following:
Resource entity-type is replaced with Application Instance.
Beginning from Oracle Identity Manager 11g Release 2 (11.1.2.2.0), in order to create any provision, revoke, disable, and enable account type of request, the entityType property must be set to ApplicationInstance instead of Resource.
A new entity-type called Entitlement is introduced in Oracle Identity Manager 11g Release 2 (11.1.2.2.0). Oracle Identity Manager supports creating Provision Entitlement and Revoke Entitlement type of requests.
Changes to value objects related to RequestData include the following:
The requestTemplateName property, which was a part of oracle.iam.request.vo.RequestData value objects, is deprecated. Even if you set this property, it is not honoured.
A new property called operation is introduced in oracle.iam.request.vo.RequestEntity and oracle.iam.request.vo.RequestBeneficiaryEntity value objects. It is mandatory to set this property while creating the value objects. You can use the following constants defined in the oracle.iam.request.vo.RequestConstants class.
MODEL_CREATE_OPERATION – Create User operation
MODEL_MODIFY_OPERATION – Modify User operation
MODEL_DELETE_OPERATION – Delete User operation
MODEL_ENABLE_OPERATION – Enable User operation
MODEL_DISABLE_OPERATION – Disable User operation
MODEL_ASSIGN_ROLES_OPERATION – Assign Roles operation
MODEL_REMOVE_ROLES_OPERATION – Remove Roles operation
MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION – Provision Application Instance operation
MODEL_MODIFY_ACCOUNT_OPERATION – Modify Account operation
MODEL_REVOKE_ACCOUNT_OPERATION – Revoke Account operation
MODEL_ENABLE_ACCOUNT_OPERATION – Enable Account operation
MODEL_DISABLE_ACCOUNT_OPERATION – Disable Account operation
MODEL_PROVISION_ENTITLEMENT_OPERATION – Provision Entitlement operation
MODEL_REVOKE_ENTITLEMENT_OPERATION – Revoke Entitlement operation
MODEL_ACCESS_POLICY_PROVISION_APPINSANCE_OPERATION – Access Policy based provisioning operation
While creating RequestEntity or RequestBeneficiaryEntity value objects, you can also use the following method to set the entityType property:
public void setRequestEntityType(oracle.iam.platform.utils.vo.OIMType type)
type - OIMType.Role/OIMType.ApplicationInstance/OIMType.Entitlement/OIMType.User
Listed below are some code examples:
Create a RequestData for a Create User operation as follows:
RequestData requestData = new RequestData("Create User");
requestData.setJustification("Creating User John Doe");
String usr = "John Doe";
RequestEntity ent = new RequestEntity();
ent.setEntityType(RequestConstants.USER);
ent.setOperation(RequestConstants.MODEL_CREATE_OPERATION); //New in R2
List<RequestEntityAttribute> attrs = new ArrayList<RequestEntityAttribute>();
RequestEntityAttribute attr = new RequestEntityAttribute("Last Name", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("First Name", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("User Login", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("Password", "Welcome123", RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("Organization", 1L, RequestEntityAttribute.TYPE.Long);
attrs.add(attr);
attr = new RequestEntityAttribute("User Type", false, RequestEntityAttribute.TYPE.Boolean);
attrs.add(attr);
attr = new RequestEntityAttribute("Role", "Full-Time", RequestEntityAttribute.TYPE.String);
attrs.add(attr);
ent.setEntityData(attrs);
List<RequestEntity> entities = new ArrayList<RequestEntity>();
entities.add(ent);
requestData.setTargetEntities(entities);
//Submit the request with the above requestData
Create a RequestData for an Assign Roles operation as follows:
RequestData requestData = new RequestData();
requestData.setJustification("Assigning IDC ADMIN Role(role key 201) to user with key 121");
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1.setRequestEntityType(oracle.iam.platform.utils.vo.OIMType.Role);
ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_ASSIGN_ROLES_OPERATION); //New in R2
ent1.setEntitySubType("IDC ADMIN");
ent1.setEntityKey("201");
List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
entities.add(ent1);
Beneficiary beneficiary = new Beneficiary();
beneficiary.setBeneficiaryKey("121");
beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
beneficiary.setTargetEntities(entities);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Create a RequestData for a Provision Application Instance operation as follows:
RequestData requestData = new RequestData();
requestData.setJustification("Creating AD User (app instance key 201) account to user with key 121");
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1.setRequestEntityType(oracle.iam.platform.utils.vo.OIMType.ApplicationInstance);
ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION);
ent1.setEntitySubType("AD User");
ent1.setEntityKey("201");
List<RequestBeneficiaryEntityAttribute> attrs = new ArrayList<RequestBeneficiaryEntityAttribute>();
//Update 'attrs' above with all the data specific to AD User form.
ent1.setEntityData(attrs);
List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
entities.add(ent1);
Beneficiary beneficiary = new Beneficiary();
beneficiary.setBeneficiaryKey("121");
beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
beneficiary.setTargetEntities(entities);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Create a RequestData for a Provision Entitlement operation as follows:
RequestData requestData = new RequestData();
Beneficiary beneficiary1 = new Beneficiary();
beneficiary1.setBeneficiaryKey("222");
beneficiary1.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1.setEntityType(RequestConstants.ENTITLEMENT);
ent1.setEntitySubType("AD USER ENTITLEMENT1");
ent1.setEntityKey("122");
ent1.setOperation(RequestConstants.MODEL_PROVISION_ENTITLEMENT_OPERATION);
List<RequestBeneficiaryEntity> entities1 = new ArrayList<RequestBeneficiaryEntity>();
entities1.add(ent1);
beneficiary1.setTargetEntities(entities1);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary1);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Note:
Perform this task only if you want to integrate Oracle Identity Manager with Oracle Access Manager for single sign-on, after upgrading to Oracle Identity Manager 11.1.2.2.0.
Ensure that Oracle Access Manager is at release 11.1.1.5.2 or later.
If you want to integrate Oracle Identity Manager 11.1.2.2.0 with Oracle Access Manager for single sign-on, then you must upgrade Oracle Access Manager to 11.1.1.5.2 or later. If your Oracle Access Manager version is less than 11.1.1.5.2, the auto-login functionality does not work.
After upgrading to Oracle Identity Manager 11.1.2.2.0, upgrade Oracle Identity Manager and Oracle Access Manager configurations for auto-login functionality to work. After upgrading the configurations, NAP protocol is replaced by TAP protocol for communication between Oracle Identity Manager and Oracle Access Manager.
The following topics provide upgrade instructions for two possible scenarios:
Using 10g WebGate for Oracle Identity Manager-Oracle Access Manager Integration
Using 11g WebGate for Oracle Identity Manager-Oracle Access Manager Integration
Before you begin with the upgrade configuration procedures, see "Using the idmConfigTool Command" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite for more information about the idmConfigTool.
If you are using 10g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:
In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in <DOMAIN_HOME>/output directory.
In the idmConfigTool, run configOIM. In a cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:
OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>
OAM11G_WLS_ADMIN_PORT: <OAM admin server port>
OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>
Note:
When running the configOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.
The WEBGATE_TYPE property should be specified as ohsWebgate10g.
Restart the Administration and Managed Servers. In the case of a cross domain setup, restart servers from both the domains.
Restart the Oracle Identity Manager Administration Server and Managed server as follows:
On UNIX:
<MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh
<MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>
On Windows:
<MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd
<MW_HOME>\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>
For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
If you are using 11g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:
In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in the <DOMAIN_HOME>/output directory.
In the idmConfigTool, run configOIM. In cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:
OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>
OAM11G_WLS_ADMIN_PORT: <OAM admin server port>
OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>
Note:
When running the configOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.
The WEBGATE_TYPE property should be specified as ohsWebgate11g.
Restart the Administration and Managed servers. In the case of a cross domain setup, restart servers from both the domains.
Restart the Oracle Identity Manager Administration Server and Managed server as follows:
On UNIX:
<MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh
<MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>
On Windows:
<MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd
<MW_HOME>\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>
For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
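Both the 10g and 11g WebGate procedures above depend on the configOAM and configOIM inputs agreeing with each other, which is easy to get wrong when the two property files are edited separately. The following pre-flight check is an added example, not part of idmConfigTool; it assumes the inputs are plain `KEY: value` files as in the property listing above, and the sample values are constructed.

```python
# Property names are the ones the procedure names.
SHARED_KEYS = ("OAM_TRANSFER_MODE", "ACCESS_GATE_ID")
CROSS_DOMAIN_KEYS = ("OAM11G_WLS_ADMIN_HOST", "OAM11G_WLS_ADMIN_PORT",
                     "OAM11G_WLS_ADMIN_USER")
WEBGATE_TYPES = {"10g": "ohsWebgate10g", "11g": "ohsWebgate11g"}

# Constructed sample inputs (placeholder values, not from a real system).
CONFIG_OAM = """\
# input used for configOAM
OAM_TRANSFER_MODE: simple
ACCESS_GATE_ID: Webgate_IDM
"""
CONFIG_OIM = """\
# input used for configOIM
OAM_TRANSFER_MODE: open
ACCESS_GATE_ID: Webgate_IDM
WEBGATE_TYPE: ohsWebgate10g
OAM11G_WLS_ADMIN_HOST: oamhost.example.com
OAM11G_WLS_ADMIN_PORT:
"""


def parse_props(text):
    """Parse KEY: value lines; returns (props, keys that were set twice)."""
    props, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")  # value may itself contain ':'
        if not sep:
            continue
        key = key.strip()
        if key in props:
            duplicates.append(key)
        props[key] = value.strip()
    return props, duplicates


def check(oam_text, oim_text, webgate, cross_domain):
    """Return a list of (property, problem) tuples; empty means consistent.

    webgate is "10g" or "11g"; cross_domain is True when Oracle Identity
    Manager and Oracle Access Manager are in different WebLogic domains.
    """
    oam, oam_dups = parse_props(oam_text)
    oim, oim_dups = parse_props(oim_text)
    findings = []
    # Values are compared exactly, so a difference in case is reported too.
    for key in SHARED_KEYS:
        a, b = oam.get(key, ""), oim.get(key, "")
        if not a or not b:
            findings.append((key, "must be set in both inputs"))
        elif a != b:
            findings.append((key, "configOAM=%r but configOIM=%r" % (a, b)))
    expected = WEBGATE_TYPES[webgate]
    if oim.get("WEBGATE_TYPE") != expected:
        findings.append(("WEBGATE_TYPE", "expected %s, found %r"
                         % (expected, oim.get("WEBGATE_TYPE"))))
    if cross_domain:
        for key in CROSS_DOMAIN_KEYS:
            if not oim.get(key):
                findings.append((key, "required for a cross-domain setup"))
    for key in oam_dups:
        findings.append((key, "set more than once in the configOAM input"))
    for key in oim_dups:
        findings.append((key, "set more than once in the configOIM input"))
    return findings


if __name__ == "__main__":
    for key, problem in check(CONFIG_OAM, CONFIG_OIM, "11g", True):
        print("%s: %s" % (key, problem))
```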
You must run the Entitlement List Schedule task in order to use catalog features.
Complete the following steps to run the Entitlement List Schedule job:
Log in to the following location:
http://<OIM_HOST>:<OIM_PORT>/sysadmin
Click System Management.
Select Scheduler.
Enter "Entitlement List" in the Search Scheduled Jobs field and click Search.
Select Entitlement List.
Click Run Now. Wait till the job is complete.
You must run the Evaluate User Policies scheduled task to start provisioning based on access policy after the role grant. This scheduled task can be configured to run every 10 minutes, or you can run this scheduled task manually.
To start the scheduler, see "Starting and Stopping the Scheduler" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Resource objects are transformed during the upgrade process. In order to provision the resource of an object, called App instance, with Oracle Identity Manager 11.1.2.2.0, you must run the Catalog Synchronization job.
For more information, see "Bootstrapping the Catalog" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Note:
If no Entitlements show up, make sure that the entitlements field in the child tables is set to Entitlement=true and reloaded into the parent form.
This is a new Oracle Identity Manager 11.1.2.2.0 feature for notification. If you want to use this new notification model, after upgrading to 11.1.2.2.0, complete the following steps:
Configure E-mail driver from Enterprise Manager user interface:
Log in to Oracle Enterprise Manager Fusion Middleware Control and do the following:
i. Expand Application Deployments.
ii. Expand User Messaging Service.
iii. Select usermessagingdriver-email (<soa_server1>).
iv. Select Email Driver Properties.
v. Select in Driver-Specific Configuration.
Configure the values, as listed in Table 11-15:
Table 11-15 UMS Parameters and Description
Parameter | Description |
---|---|
OutgoingMailServer | Name of the SMTP server. For example: |
OutgoingMailServerPort | Port of the SMTP server. For example: 456 |
OutgoingMailServerSecurity | The security setting used by the SMTP server. Possible values can be None/TLS/SSL. |
OutgoingUsername | Provide a valid username. For example: |
OutgoingPassword | Complete the following: |
Configure the Notification provider XML through the Enterprise Manager user interface:
Log in to Enterprise Manager and do the following:
i. Expand Application Deployments.
ii. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.
iii. Select System MBean Browser.
iv. Expand Application Defined MBeans.
v. Expand oracle.iam.
vi. Expand Server_OIM_Server1
vii. Expand Application: oim.
viii. Expand IAMAppRuntimeMBean.
ix. Select UMSEmailNotificationProviderMBean.
Configure the values, as listed in Table 11-16:
Table 11-16 Parameter for Configuring Notification Provider
Parameter | Description |
---|---|
Web service URL | Start the URL of UMS web service. Any SOA server can be used. For example: |
Policies | The OWSM Policy is attached to the given web service, leave it blank. |
Username | The username is given in the security header of web service. If there is no policy attached, leave it blank. |
Password | The password given in the security header of web service. If there is no policy attached, leave it blank. |
After upgrading to 11.1.2.2.0, if you want to use SMTP notification provider instead of the default UMS notification provider, do the following:
Log in to Enterprise Manager and do the following:
Expand Application Deployments.
Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and Right click.
Select System MBean Browser.
Expand Application Defined MBeans.
Expand oracle.iam.
Expand Server_OIM_Server1
Expand Application: oim.
Expand IAMAppRuntimeMBean.
Select UMSEmailNotificationProviderMBean.
Ensure that the value of the attribute Enabled is set to true.
Provide the configuration values in MBean (username, password, mailServerName) or the name of IT Resource in MBean.
The IT Resource name is the name given in XL.MailServer system property, before you upgrade Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.2.0.
You must have UDF in your environment because if you do not update your User Interface with UDFs, several features like user creation, role creation, and self registration request where UDFs are involved fail.
This section contains the following topics:
For an Oracle Identity Manager 11.1.2.2.0 environment that has been upgraded from Oracle Identity Manager 11.1.1.x.x, the custom attributes for user entity already exist in the back-end. These attributes are not present as form fields on the Oracle Identity Manager 11.1.2.2.0 user interface screens until the user screens are customized to add the custom fields.
However, before you can customize the screens, you must first complete upgrading the custom attributes using the Upgrade User Form link in the System Administration console.
After completing the Upgrade User Form, the User value object (VO) instances in various Data Components like DataComponent-Catalog, DataComponent-My Information, DataComponent-User Registration show the custom attributes. This includes all custom attributes available for Web Composer (Customized) and can be added to User user interface screens.
For more information, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Complete the following steps to render UDFs:
Log in to the Identity System Administration console.
Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.
Note:
If an error message is displayed after clicking Upgrade Now button, it is important that you analyze the error. You must also export the Sandbox for analysis and then discard (Delete) the sandbox. This note also applies to Upgrade Role Form and Upgrade Organization Form.
Publish the Sandbox.
Log out from Identity System Administration console.
Log in to Identity Self Service console.
Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
From the left navigation pane, select Users.
Click Create User. A Create User page opens. Fill up all the mandatory fields. Add the same UDFs in Modify User and User Detail screen. Select the correct Data Component and UserVO Name as listed in Table 11-17.
For example:
From the left navigation pane, click Users. Click User to go to the Create User screen and fill all mandatory fields.
Click Customize on top right. Select View. Select Source.
Select Name in Basic Information and click Edit on the confirmation window.
Select panelFormLayout. Click Add Content.
Select the correct Data Component and VO Name as listed in Table 11-17:
Table 11-17 UDF Screens and Description
Screen Name | Data Component | VO Name | Procedure |
---|---|---|---|
Create User | Data Component - Catalog | UserVO | Do the following: |
Modify User | Data Component - Catalog | UserVO | Do the following: |
View User Details | Data Component - Manage Users | UserVO1 | Do the following: |
Bulk Modify User Flow | Data Component - Catalog | UserVO | Do the following: |
My Information | Data Component - My Information | UserVO1 | Do the following: |
Customizing Search Results | Data Component - Manage Users | UserVO1 | Do the following: |
User Registration | Data Component - User Registration | UserVO1 | Do the following: |
Adding UDF in Search Panel | NA | NA | Do the following: |
Customizing Request Summary/Details | NA | NA | Requests created after Create User, Modify User, My Information, Self Registration. |
Click Close.
Click Sandboxes. Export the sandbox using Export Sandbox.
Publish the sandbox.
Log out from Identity Self Service, and log in again. The added UDF in the screen is seen.
Note:
You can upgrade and customize Role UDF and Organization UDF by following the instructions described in the table "Entities and Corresponding Data Components and View Objects" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
If you have rendered the OOTB attributes as mandatory in Oracle Identity Manager 11.1.1.x.x, you must customize the user interface in order to achieve the same customizations after upgrade.
Log in to Identity System Administration console.
Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.
Publish the Sandbox.
Log out from Identity System Administration console.
Log in to Identity Self Service console.
Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
From the left navigation pane, click Users. Click User to go to the Create User screen and fill all the mandatory fields.
Click Customize on top right. Select View. Select Source.
Select Name in Basic Information and click Edit on the confirmation window.
Select panelFormLayout. Click Add Content.
Click Input Component and click Edit.
On the Component Properties dialogue, select Show Required check box. In the Required field, select Expression Editor, and in the Expression Editor field, enter the value as true.
Click Close.
Click Sandboxes. Export the sandbox using Export Sandbox.
Publish the sandbox.
Log out from Identity Self Service, and log in again. The added UDF is seen on the screen with an asterisk (*) symbol.
In user customization upgrade, multiple values for the Save Column may exist in User.xml. Based on the possible values (single, multiple, and null), do the following in the upgraded environment:
Use Single value for Save Column: User creation is successful, and the value of the field is also saved in database.
Use Multiple or NULL value for Save Column: User creation is successful, but the value is not saved in database.
Update the Lookup By Query metadata definition attached to an attribute in User or Role through Config Service or Design Console.
For more information, see Section 11.3.16, "Upgrading Oracle Identity Manager Design Console".
After you complete the upgrade, you must complete the following steps to upgrade Application Instances:
Log in to the following console:
http://<OIM_HOST>:<OIM_PORT>/sysadmin
Expand Upgrade on the left navigation pane.
Click Upgrade Application Instances.
This creates the U/I Forms and Datasets for the Application Instances, and seeds to MDS.
Note:
This section is required only if the Diagnostic Dashboard services for AD Password Sync were deployed in 11.1.1.x.x and if your application is deployed in staging mode in 11.1.1.x.x.
Before you can re-deploy, you must undeploy XIMDD from the 11.1.1.x.x Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
If you are running in production mode, click Lock and Edit.
Click Deployments.
In the resulting list, look for XIMDD.
If they are running, select XIMDD.
Click Delete.
Activate the changes.
To redeploy, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
Click Lock & Edit.
Click Deployments.
Click Install.
In the path, provide the path for XIMDD.ear.
The default path is in the following location:
On UNIX, $<OIM_HOME>/server/webapp/optional
On Windows, <OIM_HOME>\server\webapp\optional
Select XIMDD.ear. Click Next.
Select Install this deployment as an application. Click Next.
In Select deployment targets page, select oim server. Click Next.
In the Optional Setting page, click Finish.
Click Deployments.
Select XIMDD. Click Start.
From the options, select Service All Requests.
Note:
This section is required only if the DSML web services for AD Password Sync were deployed in 11.1.1.x.x.
Before you can redeploy, you must undeploy SPML-DSML from the 11.1.1.x.x Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
If you are running in production mode, obtain the Lock in order to make updates.
Click Deployments.
In the resulting list, look for spml.
If they are running, select spml.
Click Delete.
Activate the changes.
To redeploy, complete the following steps:
Log in to WebLogic Server Administration console through the following path:
host:admin port/console
Click Lock & Edit.
Click Deployments.
Click Install.
In the path provide the path for spml.ear.
The default path is in the following location:
On UNIX, $<OIM_HOME>/server/apps
On Windows, <OIM_HOME>\server\apps
Select spml-dsml.ear. Click Next.
Select Install this deployment as an application. Click Next.
In Select deployment targets page, select oim server. Click Next.
In the Optional Setting page, click Finish.
Click Deployments.
Select spml. Click Start.
From the options, select Service All Requests.
If you have used any event handlers in Oracle Identity Manager 11.1.1.x.x, you must re-customize the event handler for Oracle Identity Manager 11.1.2.2.0.
For more information, see "Developing Custom Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
You must manually upgrade OOTB composites and custom composites built before upgrading to 11.1.2.2.0.
This section contains the following topics:
Note:
Redeploying a composite moves all pending tasks to STALE state. Oracle recommends that you close any pending task before upgrading the composites.
Upgrade OOTB composites that are not modified, using either JDeveloper or SOA Composer, before upgrading to Oracle Identity Manager 11.1.2.2.0. Complete the following steps to upgrade DefaultRequestApproval composite:
Move from your present working directory to the <OIM_ORACLE_HOME>/server/workflows directory by running the following command on the command line:
On UNIX:
cd <OIM_ORACLE_HOME>/server/workflows
On Windows:
cd <OIM_ORACLE_HOME>\server\workflows
Unzip DefaultRequestApproval.zip.
Log in to the Oracle Enterprise Manager console:
http://<host>:<port>/em
Expand Farm_<oim_domain_name>_d > SOA -> soa-infra -> default.
Right click DefaultRequestApproval[1.0] and select SOA Deployment -> Redeploy.
Select Archive is on the machine where Enterprise Manager is running.
Provide the absolute path to the sca jar for DefaultRequestApproval composite:
On UNIX:
<OIM_HOME>/server/workflows/composites/DefaultRequestApproval/deploy/sca_DefaultRequestApproval_rev1.0.jar
On Windows:
<OIM_HOME>\server\workflows\composites\DefaultRequestApproval\deploy\sca_DefaultRequestApproval_rev1.0.jar
Select No Configuration plan is required.
Click Next.
Select Deploy as default revision.
Click Redeploy.
Repeat steps 2 to 11 for the remaining composites, which were not modified before upgrading to Oracle Identity Manager 11.1.2.2.0.
Note:
DefaultResourceAuthorizer and DefaultResourceAdministrator are no longer supported in 11.1.2.2.0.
Upgrade custom composites created before upgrading to Oracle Identity Manager 11.1.2.2.0 and OOTB composites modified, using either JDeveloper or SOA Composer, before upgrading to Oracle Identity Manager 11.1.2.2.0. Complete the following steps to upgrade DefaultRequestApproval composite:
Open the SOA composite project in JDeveloper (Use JDeveloper 11.1.1.6.0).
Open ApprovalTask.task file in designer mode.
Select General.
Change Owner to Group, SYSTEM ADMINISTRATORS, STATIC.
Select Outcomes lookup. An Outcomes Dialog opens.
Select Outcomes Requiring Comment.
Select Reject and click Ok.
Click Ok again.
Select Notification.
Click on the update icon under Notification. Update any old URLs in notification with the corresponding new URL in 11.1.2.2.0. An example notification content is given below:
A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR> Request ID: <%/task:task/task:payload/task:RequestID%> <BR> Request type: <%/task:task/task:payload/task:RequestModel%> <BR> <BR> Access this task in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details > Identity Self Service </A> application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request
Click Advanced.
Deselect Show worklist/workspace URL in notifications. Provide the URL to Pending Approvals in identity application as shown in the example in step 10.
Repeat step 1 to 12 for other human tasks, if any, in the composite. Save your work.
Right click Project and select Deploy -> Deploy to Application Server.
Provide revision ID. Select Mark revision as default and Overwrite any existing composite with same revision ID.
Note:
You can also deploy the composites with different revision ID. In that case you have to modify all approval policies using this composite.
Select your application server connection, if it already exists, and click Next. Create an application server connection if it does not exist.
Click Next.
Click Finish.
Repeat the procedure for the remaining custom composites and modified OOTB composites as well.
Note:
This task is required only if OIMAuthenticator.jar is already present under the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory.
Apply the following steps across all the WebLogic Server homes in the domain:
On UNIX:
Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>/server/loginmodule/wls directory to <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:
cp <OIM_ORACLE_HOME>/server/loginmodule/wls/* <MW_HOME>/wlserver_10.3/server/lib/mbeantypes/
Move from your present working directory to the <MW_HOME>/wlserver_10.3/server/lib/mbeantypes directory by running the following command on the command line:
cd <MW_HOME>/wlserver_10.3/server/lib/mbeantypes
Change the permissions on these files to 750 by using the chmod command:
chmod 750 *
Restart all servers in the domain.
On Windows:
Copy OIMAuthenticator.jar, oimmbean.jar, oimsigmbean.jar, and oimsignaturembean.jar files located under <OIM_ORACLE_HOME>\server\loginmodule\wls directory to <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:
cp <OIM_ORACLE_HOME>\server\loginmodule\wls\* <MW_HOME>\wlserver_10.3\server\lib\mbeantypes
Move from your present working directory to the <MW_HOME>\wlserver_10.3\server\lib\mbeantypes directory by running the following command on the command line:
cd <MW_HOME>\wlserver_10.3\server\lib\mbeantypes
Change the permissions on these files to 750 by using the chmod command:
chmod 750 *
Restart all servers in the domain.
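The UNIX commands above use wildcards: `cp .../wls/*` copies every file in the source directory, and `chmod 750 *` changes the mode of every file already in mbeantypes. As an added example (not Oracle's script), the shell functions below copy only the four JARs the procedure names, set mode 750 on those files alone, and verify the result; the function names are hypothetical and both directories are passed as arguments.

```shell
#!/bin/sh
# Added example, not Oracle's script. Function names are hypothetical.
#   SRC_DIR  = <OIM_ORACLE_HOME>/server/loginmodule/wls
#   DEST_DIR = <MW_HOME>/wlserver_10.3/server/lib/mbeantypes

# The four files named in the procedure.
OIM_JARS="OIMAuthenticator.jar oimmbean.jar oimsigmbean.jar oimsignaturembean.jar"

# verify_oim_jars SRC_DIR DEST_DIR
# Returns 0 only if every JAR in DEST_DIR is byte-identical to its source
# and has mode 750 (rwxr-x---). Prints one line per problem found.
verify_oim_jars() {
    local src dest jar perms rc
    src=$1; dest=$2; rc=0
    for jar in $OIM_JARS; do
        if [ ! -f "$dest/$jar" ]; then
            echo "MISSING   $dest/$jar"; rc=1; continue
        fi
        if ! cmp -s "$src/$jar" "$dest/$jar"; then
            echo "DIFFERS   $dest/$jar"; rc=1
        fi
        # The first ten characters of ls -l output are the type and mode bits.
        perms=$(ls -ld "$dest/$jar" | cut -c1-10)
        if [ "$perms" != "-rwxr-x---" ]; then
            echo "BAD MODE  $dest/$jar ($perms)"; rc=1
        fi
    done
    return $rc
}

# install_oim_jars SRC_DIR DEST_DIR
# Copies the four JARs, sets 750 on exactly those files, then verifies.
# Returns 2 on a precondition failure, 1 on a copy or verification failure.
install_oim_jars() {
    local src dest jar
    src=$1; dest=$2
    if [ ! -d "$src" ] || [ ! -d "$dest" ]; then
        echo "source or destination directory not found" >&2
        return 2
    fi
    # Check all four sources first so that a partial set is never installed.
    for jar in $OIM_JARS; do
        if [ ! -f "$src/$jar" ]; then
            echo "not in source directory: $jar" >&2
            return 2
        fi
    done
    for jar in $OIM_JARS; do
        cp "$src/$jar" "$dest/$jar" || return 1
        chmod 750 "$dest/$jar" || return 1
    done
    verify_oim_jars "$src" "$dest"
}

# Usage: sh this_script.sh SRC_DIR DEST_DIR
if [ "$#" -eq 2 ]; then
    install_oim_jars "$1" "$2"
fi
```

Run it once per WebLogic Server home in the domain; `verify_oim_jars` can be rerun on its own later to confirm that the installed files still match the Oracle home.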
After you upgrade to Oracle Identity Manager 11.1.2.2.0, you must review the Oracle Identity Manager specific performance tuning recommendations described in "Oracle Identity Manager Performance Tuning" in the Oracle Fusion Middleware Performance and Tuning Guide.
If you have custom Authorization Policies in Oracle Identity Manager in 11g Release 1 (11.1.1.5.0), in order to create or modify users, you must assign new administrator roles in relation to User Administration, Role Administration, or Help Desk.
Table 11-18 lists the Administration roles in Oracle Identity Manager 11g, either removed or consolidated into the System Administrator Administration role for all system administrative operations in Oracle Identity Manager 11.1.2.2.0:
Table 11-18 Changes in Role from Oracle Identity Manager 11g to 11.1.2.2.0
Sl No. | Roles in Oracle Identity Manager 11g | Roles Removed and Replaced in Oracle Identity Manager 11.1.2.2.0 |
---|---|---|
1 | SCHEDULER ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
2 | DEPLOYMENT MANAGER ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
3 | NOTIFICATION TEMPLATE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
4 | SOD ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
5 | SYSTEM CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
6 | GENERATE_USERNAME_ROLE | Removed and replaced with SYSTEM ADMINISTRATORS. |
7 | IDENTITY USER ADMINISTRATORS | Removed and replaced with USER ADMIN. |
8 | USER CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
9 | ACCESS POLICY ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
10 | RECONCILIATION ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
11 | RESOURCE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
12 | GENERIC CONNECTOR ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
13 | APPROVAL POLICY ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
14 | REQUEST ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
15 | REQUEST TEMPLATE ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
16 | PLUGIN ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
17 | ATTESTATION CONFIGURATION ADMINISTRATORS | Removed and replaced with SYSTEM CONFIGURATORS. |
18 | ATTESTATION EVENT ADMINISTRATORS | Removed and replaced with SYSTEM ADMINISTRATORS. |
19 | ROLE ADMINISTRATORS | Removed and replaced with ROLE ADMIN. |
20 | USER NAME ADMINISTRATOR | Removed and now depends on administration roles. |
21 | IDENTITY ORGANIZATION ADMINISTRATORS | Removed and replaced with ORGANIZATION ADMIN. |
22 | IT RESOURCE ADMINISTRATORS | Removed and replaced with APPLICATION INSTANCE ADMIN. |
23 | REPORT ADMINISTRATORS | No link to reports from Oracle Identity Manager. |
24 | SPML_APP_ROLE | There is no change in this enterprise role and a corresponding role with the privileges is seeded in Oracle Entitlements Server. |
25 | ALL USERS | This is an enterprise role, not an administrator role. |
26 | SYSTEM CONFIGURATORS | All privileges as System Administrator role, except for the ability to manage Users, Roles, Organizations and Provisioning remains unchanged. |
27 | SYSTEM ADMINISTRATORS | Remains unchanged. |
When you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0, a default password policy will be seeded at the TOP organization. As a result, any password policy rules created using the older password policy model in Oracle Identity Manager 11.1.1.x.x environment will not be supported. The upgrade utility does not migrate the password policies of Oracle Identity Manager 11.1.1.x.x to 11.1.2.2.0. If you had made any password policy customizations on the older password policy rules, you must create equivalent password policies using the newer password policy model, and attach it to the respective organization.
For information about creating password policies, see "Managing Password Policies" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
If you are upgrading Oracle Identity Manager 11.1.1.x.x with PeopleSoft connector to Oracle Identity Manager 11.1.2.2.0, you must create PeopleSoft HRMS reconciliation profile after you upgrade to 11.1.2.2.0. For information about creating reconciliation profile, see "Updating Reconciliation Profiles Manually" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This post-upgrade task is optional.
While upgrading Oracle Identity Manager to 11.1.2.2.0, the OIM Data Purge Job will be seeded in enabled state. By default, it will purge platform data with a retention period of 1 day for complete orchestration. To enable purge of request, reconciliation, and provisioning task, you must revisit the OIM Data Purge Job parameters.
For information about the user-configurable attributes, see "Configuring Real-Time Purge and Archival" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
For customized reports built on any version of Oracle BI Publisher between 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.6.4), you do not need to upgrade the custom reports. You can export your customized reports from your existing report repository and import the reports into your new 11.1.1.7.1 repository.
Customized reports built on Oracle BI Publisher 10g Release 3 (10.1.3.X) or later must be upgraded before they can be consumed by Oracle BI Publisher 11.1.1.7.1. You must use the Upgrade Assistant to upgrade the reports in the BI Publisher 10g repository. For more information, see "Task 5: Upgrade the BI Publisher Repository" in the Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.
Before you upgrade your existing Oracle Identity Manager environments, you must verify if the version of the existing connector is supported for Oracle Identity Manager 11.1.2.2.0. For information about the supported connector versions for Oracle Identity Manager 11.1.2.2.0, refer to the sections "Certified Components" and "Usage Recommendation" in the respective Connector Guide in Oracle Identity Manager Identity Connectors Documentation Library.
If you are using 9.x connector or GTC connector, do the following:
If the 9.x connector that you are using is supported, you can continue to use the existing connector.
If the 9.x connector is not supported, you must upgrade the existing 9.x connector to the latest 11.x connector after you upgrade the Oracle Identity Manager server to 11.1.2.2.0.
In the Lookup populated through lookup reconciliation, verify that the IT Resource Key and the IT Resource name are prefixed to the code and decode values respectively. If not, you must upgrade the existing connector to the latest available connector after you upgrade Oracle Identity Manager server.
If you are using 11g connector, the connector upgrade is not required.
After you upgrade Oracle Identity Manager to 11.1.2.2.0, complete the following steps to verify the functionality of connectors:
Verify if Account and Entitlement Tagging are available on the process form. For the connectors to work with Oracle Identity Manager 11.1.2.2.0, you must complete the steps described in the section "Configuring Oracle Identity Manager 11.1.2 or Later" in the respective Connector Guide.
Verify if the customizations made to the connectors are intact.
Verify if the 11.1.2.2.0 related artifacts like UI Forms and Application Instances are generated.
Ensure that all the operations of the connectors are working fine.
If there are two or more IT Resource fields in the process form, complete the steps described in the following My Oracle Support note:
If there are any lookup query fields in the process form of the related connector, then you must customize the UI to display them. For more information, see 'Lookup Query' section in "General Customization Concepts" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
If the environment is running in SSL mode, you must change the Provider URL for ForeignJNDIProvider-SOA to SSL Provider URL. To do this, complete the following steps:
Log in to the WebLogic Administration console using the following URL:
http://weblogic_host:weblogic_port/console
Expand Services under Domain Structure.
Click Foreign JNDI Providers.
Click ForeignJNDIProvider-SOA to bring up the Settings for ForeignJNDIProvider-SOA page.
Click Lock & Edit on the top-left pane.
In Provider URL, change t3 to t3s.
Click Save, and then click Activate Changes.
To verify your Oracle Identity Manager upgrade, perform the following steps:
Use the following URL in a web browser to verify that Oracle Identity Manager 11.1.2.2.0 is running:
http://<oim.example.com>:<oim_port>/sysadmin
http://oim.example.com:14000/identity
where
<oim.example.com> is the path of the administration console.
<oim_port> is the port number.
Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.
Install the Diagnostic Dashboard and run the following tests:
Oracle Database Connectivity Check
Account Lock Status
Data Encryption Key Verification
JMS Messaging Verification
SOA-Oracle Identity Manager Configuration Check
SPML Web Service
Test OWSM setup
Test SPML to Oracle Identity Manager request invocation
SPML attributes to Oracle Identity Manager attributes
Username Test
Note:
For information about the issues that you might encounter during the upgrade process, and their workarounds, see Oracle Fusion Middleware Release Notes.
Table 11-19 lists some of the problems that might occur during the upgrade process, and their solutions:
Table 11-19 Oracle Identity Manager Troubleshooting - Problems and Solutions
Problem | Solution |
---|---|
Patch Set Assistant fails. | Check logs located at: On UNIX: On Windows: Fix the problem, and run Patch Set Assistant again. |
Middle Tier upgrade fails | Check logs located at: On UNIX: On Windows: |
All features not upgraded in Middle Tier upgrade. | Check the Upgrade Report located at: On UNIX: On Windows: |
Oracle Identity Manager upgrade control points. | Set the property value to On UNIX: On Windows: For more information, see Section 11.5.1, "Oracle Identity Manager Upgrade Control Points". |
MDS patching issues. | Check the MDS Patching Report located at: On UNIX: On Windows: |
Some MDS documents not merged correctly. | Merge manually from the following locations: On UNIX: On Windows: |
JDBC errors: ORA-01882: timezone region not found | Add an additional environment variable, TZ, which is the time zone name, like GMT for example. The environment variable has to be set with older database or else you get an error. For more information, see My Oracle Support document ID 1460281.1. |
Oracle Identity Manager Upgrade provides some control points in the oimupgrade.properties file. On UNIX, it is located in the <OIM_ORACLE_HOME>/server/bin/ directory; on Windows, it is located in the <OIM_ORACLE_HOME>\server\bin\ directory.
You can selectively disable the feature upgrade by setting the property as false.
If any feature fails, you can continue with the upgrade by disabling the failed feature by setting the corresponding feature upgrade property as false.
As and when the solution is available for the failed feature, enable the feature for upgrade by setting the property to true.
By default, all the properties are set as true.
Set the following property to false if you do not want to run Oracle Identity Manager configuration upgrade:
oim.ps1.config.patch=true
Set the following property to false if you do not want to run SOA composite upgrade:
oim.ps1.soacomposite.patch=true
Set the following property to false if you do not want to run Patch JNDI provider:
oim.domainextension.jndiprovider.patch=true
Set the following property to false if you do not want to run Patch ClassPath:
oim.domainextension.classpath.patch=true
Set the following property to false if you do not want to run Patch OPSS:
oim.domainextension.opss.patch=true
Set the following property to false if you do not want to run Patch ears:
oim.domainextension.ear.patch=true
Set the following property to false if you do not want to run Patch JRF:
oim.domainextension.jrf.patch=true
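As an added example (not part of Oracle's upgrade tooling), the shell functions below read oimupgrade.properties and list the control points from this section that are not set to true, so that a feature disabled to get past a failure is not left disabled by oversight. The function names are hypothetical, and treating an absent key as true is an assumption.

```shell
#!/bin/sh
# Added example, not part of the Oracle upgrade tooling.
# Function names are hypothetical.

# The seven control points listed in this section.
OIM_CONTROL_POINTS="oim.ps1.config.patch
oim.ps1.soacomposite.patch
oim.domainextension.jndiprovider.patch
oim.domainextension.classpath.patch
oim.domainextension.opss.patch
oim.domainextension.ear.patch
oim.domainextension.jrf.patch"

# control_point_value FILE KEY
# Prints the effective value of KEY in lower case. Comment lines are skipped
# and the last assignment wins. A key that does not appear at all is
# reported as "true" (assumption: same as the shipped default).
control_point_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }                 # comment line
        {
            line = $0
            sub(/\r$/, "", line)               # tolerate CRLF files
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            v = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = tolower(v); found = 1 }
        }
        END { print (found ? val : "true") }
    ' "$1"
}

# disabled_control_points FILE
# Prints, one per line, every control point whose value is anything other
# than true. Returns 2 if the file cannot be read.
disabled_control_points() {
    local file key
    file=$1
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    for key in $OIM_CONTROL_POINTS; do
        if [ "$(control_point_value "$file" "$key")" != "true" ]; then
            echo "$key"
        fi
    done
}

# Usage: sh this_script.sh <OIM_ORACLE_HOME>/server/bin/oimupgrade.properties
# Exits 1 when at least one feature upgrade is still switched off.
if [ "$#" -eq 1 ]; then
    off=$(disabled_control_points "$1") || exit 2
    if [ -n "$off" ]; then
        echo "Feature upgrades still disabled in $1:"
        echo "$off"
        exit 1
    fi
    echo "All control points are enabled."
fi
```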