13 Upgrading Oracle Identity Navigator 11g Release 1 (11.1.1.x.x) Environments

This chapter describes how to upgrade your existing Oracle Identity Navigator 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments to Oracle Identity Navigator 11g Release 2 (11.1.2.2.0) on Oracle WebLogic Server.

Note:

This chapter refers to Oracle Identity Navigator 11g Release 1 (11.1.1.5.0) and 11g Release 1 (11.1.1.7.0) environments as 11.1.1.x.x.


13.1 Upgrade Roadmap for Oracle Identity Navigator

Note:

If you do not follow the exact sequence provided in this task table, your Oracle Identity Navigator upgrade may not be successful.

Table 13-1 lists the steps to upgrade Oracle Identity Navigator.

Table 13-1 Upgrade Flow

| Sl. No. | Task | For More Information |
|---|---|---|
| 1 | Review system requirements and certifications. | See Reviewing System Requirements and Certification |
| 2 | Export Oracle Identity Navigator data. | See Exporting Oracle Identity Navigator 11.1.1.x.x Metadata |
| 3 | Shut down all servers. This includes both Administration Server and Managed Servers. | See Shutting Down Administration Server and Managed Servers |
| 4 | Optional - Upgrade Oracle WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6. | See Optional: Upgrading Oracle WebLogic Server |
| 5 | Upgrade 11.1.1.x.x Oracle Home to 11.1.2.2.0. | See Upgrading Oracle Identity Navigator 11g Release 2 (11.1.2.2.0) |
| 6 | Run Oracle Fusion Middleware Repository Creation Utility (RCU) to create and load OPSS schema for Oracle Identity and Access Management products. | See Creating Oracle Platform Security Services Schema |
| 7 | Extend your Oracle Identity Navigator 11.1.1.x.x domain with the OPSS template. | See Extending Oracle Identity Navigator 11.1.1.x.x Component Domains with Oracle Platform Security Services Template |
| 8 | Upgrade Oracle Platform Security Services. | See Upgrading Oracle Platform Security Services |
| 9 | Run the configuresecuritystore.py script to configure policy stores. | See Configuring Oracle Platform Security Services Security Store |
| 10 | Start the Administration Server. | See Starting the Administration Server |
| 11 | Verify the deployments summary. | See Verifying the Deployment Summary |
| 12 | Upgrade Oracle Identity Navigator. | See Upgrading Oracle Identity Navigator Application |
| 13 | Import data. | See Importing the Oracle Identity Navigator 11.1.2.2.0 Metadata |
| 14 | Verify the Oracle Identity Navigator upgrade. | See Verifying the Upgrade |
| 15 | Optional - Configure Oracle Identity Navigator on the Oracle Privileged Account Manager Managed Server. | See Optional: Configuring Oracle Identity Navigator on OPAM Managed Server |


13.2 Reviewing System Requirements and Certification

Before you start the upgrade process, you must read the system requirements and certification document to ensure that your system meets the minimum requirements for the products you are installing or upgrading. For more information, see Section 2.1, "Reviewing System Requirements and Certification".

13.3 Exporting Oracle Identity Navigator 11.1.1.x.x Metadata

OINAV uses MDS as its metadata store. During the upgrade, when you update the application, the metadata is overwritten. Therefore, you need to export it and keep it in a temporary location so that you can import the original metadata after the upgrade.

On the computer where Oracle Identity Navigator 11.1.1.x.x is installed, export the Oracle Identity Navigator metadata to an export directory using WLST as follows:

On UNIX:

  1. Move from your present working directory to the <IAM_HOME>/common/bin directory by running the following command on the command line:

    cd <IAM_HOME>/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following WLST (online) command:

    exportMetadata(application='oinav',server='AdminServer',toLocation='export_directory')

    where

    export_directory is the directory where you want to export Oracle Identity Navigator metadata to.

On Windows:

  1. Move from your present working directory to the <IAM_HOME>\common\bin directory by running the following command on the command line:

    cd <IAM_HOME>\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following WLST (online) command:

    exportMetadata(application='oinav',server='AdminServer',toLocation='export_directory')

    where

    export_directory is the directory where you want to export Oracle Identity Navigator metadata to.

13.4 Shutting Down Administration Server and Managed Servers

The upgrade process involves changes to the binaries and to the schema. So, before you begin the upgrade process, you must shut down the Administration Server and Managed Servers.

For information about stopping the servers, see "Stopping the Servers".

13.5 Optional: Upgrading Oracle WebLogic Server

Oracle Identity and Access Management 11.1.2.2.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Identity Manager environment is using Oracle WebLogic Server 10.3.5 or an earlier version, you must upgrade Oracle WebLogic Server to 10.3.6.

For information about upgrading Oracle WebLogic Server, see "Upgrading to Oracle WebLogic Server 10.3.6".

13.6 Upgrading Oracle Identity Navigator 11g Release 2 (11.1.2.2.0)

To upgrade Oracle Identity Navigator, you must use the Oracle Identity and Access Management 11.1.2.2.0 Installer. During the procedure, point the Middleware Home to your existing 11.1.1.x.x Oracle Identity Navigator Middleware Home. Your Oracle Home is upgraded from 11.1.1.x.x to 11.1.2.2.0.

For information about upgrading Oracle Identity Manager 11g Release 1 (11.1.1.x.x), see "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.2.0)".

13.7 Creating Oracle Platform Security Services Schema

You must create the Oracle Platform Security Services (OPSS) schema because the Oracle Identity Navigator upgrade process involves OPSS schema policy store changes. The keys, roles, permissions, and other artifacts used by the applications must migrate to the policy store.

Run the Repository Creation Utility (RCU) to create the OPSS schema.

For more information, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.

Note:

In the Select Components screen, expand AS Common Schemas and select Oracle Platform Security Services. The Metadata Services schema is selected automatically.

13.8 Extending Oracle Identity Navigator 11.1.1.x.x Component Domains with Oracle Platform Security Services Template

Oracle Identity Navigator 11.1.2.2.0 uses the database to store policies. This requires extending the 11.1.1.x.x Oracle Identity Navigator domain to include the OPSS data source.

To do so, complete the following steps:

  1. Run the following command to launch the Oracle Fusion Middleware configuration wizard:

    On UNIX:

    ./config.sh

    It is located in the <MW_HOME>/Oracle_IDM1/common/bin directory.

    On Windows:

    config.cmd

    It is located in the <MW_HOME>\Oracle_IDM1\common\bin directory.

  2. On the Welcome screen, select the Extend an existing WebLogic domain option. Click Next.

  3. On the Select a WebLogic Domain Directory screen, browse to the directory that contains the WebLogic domain in which you configured the components. Click Next. The Select Extension Source screen is displayed.

  4. On the Select Extension Source screen, select the Oracle Platform Security Service - 11.1.1.0 [Oracle_IDM1] option. After selecting the domain configuration options, click Next.

  5. The Configure JDBC Data Sources screen is displayed. Configure the opssDS data source, as required. After the test succeeds, the Configure JDBC Component Schema screen is displayed.

  6. On the Configure JDBC Component Schema screen, select the Oracle Platform Security Services schema.

    You can set values for Schema Owner, Schema Password, Database and Service, Host Name, and Port. Click Next.

    The Test JDBC Component Schema screen is displayed. After the test succeeds, the Select Optional Configuration screen is displayed.

  7. On the Select Optional Configuration screen, you can configure Managed Servers, Clusters, and Machines and Deployments and Services. Do not select anything, because these are already configured in your Oracle Identity Navigator 11.1.1.x.x environment. Click Next.

  8. On the Configuration Summary screen, review the domain configuration, and click Extend to start extending the domain.

Your existing Oracle Identity Navigator domain is extended to support Oracle Platform Security Services (OPSS).

13.9 Upgrading Oracle Platform Security Services

After you upgrade schemas, you must upgrade Oracle Platform Security Services (OPSS).

Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Identity Navigator to 11.1.2.2.0. It upgrades the jps-config.xml file and policy stores.

For information about upgrading Oracle Platform Security Services, see Section 2.7, "Upgrading Oracle Platform Security Services".

13.10 Configuring Oracle Platform Security Services Security Store

You must configure the Database Security Store as it is the only security store type supported by Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0).

For more information on configuring Oracle Platform Security Services, see "Configuring Database Security Store for an Oracle Identity and Access Management Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

13.11 Starting the Administration Server

After the upgrade is complete, start the WebLogic Administration Server that contains the Oracle Identity Navigator console.

For information about starting the Administration Server, see "Starting the Servers".

13.12 Verifying the Deployment Summary

To verify the deployment summary, do the following:

  1. Log in to the WebLogic Administration console:

    http://<admin server host>:<admin server port>/console

  2. Under Domain Structure, click Deployments. The Summary of Deployments page is displayed.

  3. Check the summary details and verify that oinav (11.1.1.3.0) is present in the Name table.

13.13 Upgrading Oracle Identity Navigator Application

Note:

The OINAV version number is 11.1.1.3.0 while the Oracle Identity Navigator version number is 11.1.2.2.0.

This is not an error. The discrepancy is caused by a difference between how OINAV and Identity and Access Management releases are tracked internally.

Upgrading Oracle Identity Navigator redeploys Oracle Identity Navigator using the oinav.ear for the Oracle Identity Navigator 11.1.2.2.0 release. There are two ways of redeploying the oinav.ear:

  • Upgrading oinav using the WebLogic Server Administration Console.

  • Upgrading oinav using the WebLogic Scripting Tool (WLST).

Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Identity Navigator through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://<admin server host>:<admin server port>/console

  2. Under Domain Structure, click Deployments.

  3. Select oinav (11.1.1.3.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Identity Navigator through the WLST console:

On UNIX

  1. Move from your present working directory to the <MW_HOME>/wlserver_10.3/common/bin directory by running the following command on the command line:

    cd <MW_HOME>/wlserver_10.3/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

On Windows

  1. Move from your present working directory to the <MW_HOME>\wlserver_10.3\common\bin directory by running the following command on the command line:

    cd <MW_HOME>\wlserver_10.3\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  5. Exit the WLST console using the exit() command.

13.14 Importing the Oracle Identity Navigator 11.1.2.2.0 Metadata

You must import the metadata that was exported earlier so that Oracle Identity Navigator regains the metadata that was present before the upgrade. Import the Oracle Identity Navigator 11.1.2.2.0 metadata by running the following WLST command:

On UNIX:

  1. Move from your present working directory to the <IAM_HOME>/common/bin directory by running the following command on the command line:

    cd <IAM_HOME>/common/bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    ./wlst.sh

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following WLST (online) command:

    importMetadata(application='oinav',server='AdminServer',fromLocation='export_directory')

    where

    export_directory is the directory where you have exported the Oracle Identity Navigator metadata to.

On Windows:

  1. Move from your present working directory to the <IAM_HOME>\common\bin directory by running the following command on the command line:

    cd <IAM_HOME>\common\bin

  2. Run the following command to launch the WebLogic Scripting Tool (WLST):

    wlst.cmd

  3. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  4. At the WLST prompt, run the following WLST (online) command:

    importMetadata(application='oinav',server='AdminServer',fromLocation='export_directory')

    where

    export_directory is the directory where you have exported Oracle Identity Navigator metadata to.
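Sections 13.3 and 13.14 leave the exported metadata in a temporary directory for the whole upgrade and then load it back into the domain. The following added example (not part of the Oracle documentation) is a host-side Python 3 script, run outside WLST, that records SHA-256 digests right after exportMetadata and checks them, together with the directory's write permissions, before importMetadata. The function names and the manifest layout are assumptions of this example.

```python
import hashlib
import json
import os
import stat
import sys

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(export_dir):
    """Map each file under export_dir (relative path) to its SHA-256."""
    digests = {}
    for root, _dirs, files in os.walk(export_dir):
        for name in files:
            full = os.path.join(root, name)
            digests[os.path.relpath(full, export_dir)] = _sha256(full)
    return digests

def write_manifest(export_dir, manifest_path):
    """Run right after exportMetadata; keep the manifest OUTSIDE export_dir."""
    with open(manifest_path, "w") as f:
        json.dump(snapshot(export_dir), f, indent=2, sort_keys=True)

def verify(export_dir, manifest_path):
    """Run before importMetadata; an empty list means nothing changed."""
    with open(manifest_path) as f:
        expected = json.load(f)
    actual = snapshot(export_dir)
    problems = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            problems.append("missing: " + rel)
        elif rel not in expected:
            problems.append("unexpected: " + rel)
        elif expected[rel] != actual[rel]:
            problems.append("modified: " + rel)
    # POSIX only: other accounts must not be able to write into the import source.
    if os.stat(export_dir).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("export directory is group/world-writable")
    return problems

if __name__ == "__main__":  # usage: script.py snapshot|verify <export_dir> <manifest>
    action, export_dir, manifest = sys.argv[1:4]
    found = write_manifest(export_dir, manifest) if action == "snapshot" else verify(export_dir, manifest)
    print("\n".join(found or ["ok"]))
    sys.exit(1 if found else 0)
```

Store the manifest on a path that the account running the upgrade can write but other local accounts cannot, and treat any non-empty result from the verify step as a reason to re-examine the export before importing it.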

Note:

The Oracle Business Intelligence Publisher 10g report format is not supported in the Oracle Identity Navigator 11.1.2.2.0 release. Removing the reports is not mandatory, but if you want to remove them, see "Configuring Oracle Business Intelligence Publisher" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Navigator.

13.15 Verifying the Upgrade

To verify the Oracle Identity Navigator upgrade, do the following:

  1. Log in to the OINAV console:

    http://<admin server host>:<admin server port>/oinav

  2. On the Dashboard page, check for the version number in the bottom right corner.

    The version number should be 11.1.2.2.0.

13.16 Optional: Configuring Oracle Identity Navigator on OPAM Managed Server

To configure Oracle Identity Navigator on the Oracle Privileged Account Manager Managed Server, do the following:

  1. Stop the servers.

  2. Move from your present working directory to the <IAM_HOME>/common/bin directory by running the following command on the command line:

    cd <IAM_HOME>/common/bin

  3. Run the following command to launch the Oracle Fusion Middleware configuration wizard:

    On UNIX:

    ./config.sh

    On Windows:

    config.cmd

  4. Select the Extend an existing WebLogic domain option, and select the OPAM domain.

  5. Select Oracle Identity Navigator for Managed Server from the products. Select Keep existing content whenever it detects a conflict in the wizard.

  6. Complete the configuration. Oracle Identity Navigator will run on the Oracle Privileged Account Manager Managed Server after starting the servers.