| Oracle® Fusion Middleware Upgrade Guide for Oracle Identity and Access Management 11g Release 1 (11.1.1.7.0) Part Number E27996-01 |
|
|
PDF · Mobi · ePub |
| Oracle® Fusion Middleware Upgrade Guide for Oracle Identity and Access Management 11g Release 1 (11.1.1.7.0) Part Number E27996-01 |
|
|
PDF · Mobi · ePub |
This chapter describes how to upgrade your existing Oracle Adaptive Access Manager 10g (10.1.4.5) to Oracle Adaptive Access Manager 11g Release 1 (11.1.1.7.0).
This chapter contains the following sections:
Task 5: Use Upgrade Assistant to Upgrade the Oracle Adaptive Access Manager Schema
Task 6: Configure Oracle Adaptive Access Manager in a New or Existing Oracle WebLogic Domain
Task 8: Stop the Administration Server and Oracle Adaptive Access Manager Managed Servers
Task 9: Use Upgrade Assistant to Upgrade Oracle Adaptive Access Manager Middle Tier
Task 10: Start the Administration Server and Oracle Adaptive Access Manager Managed Servers
Task 11: Complete Any Required Oracle Adaptive Access Manager Post-Upgrade Tasks
When you run Upgrade Assistant to upgrade from Oracle Adaptive Access Manager 10g, the Upgrade Assistant upgrades most of the Oracle Adaptive Access Manager 10g configuration to Oracle Adaptive Access Manager 11g. In some cases, you have to upgrade manually after you run the Upgrade Assistant.
When you run Upgrade Assistant to upgrade from Oracle Adaptive Access Manager 10g, the Upgrade Assistant upgrades the following:
Symmetric keys (used for encryption and decryption) in the Adaptive Risk Manager Web Application (ARM) keystores, system_config.keystore, and system_db.keystoreKeys are migrated to the Credential Store Framework (CSF) with the same aliases under the credential map oaam.
The following Oracle Adaptive Access Manager properties files of Authenticator Web Application (ASA):
bharosauio.properties
bharosa_client.properties
bharosa_common.properties
The following Oracle Adaptive Access Manager properties files of Adaptive Risk Manager Web Application (ARM):
bharosa_server.properties
bharosa_common.properties
The following components are not upgraded to the Oracle Adaptive Access Manager 11g environment when you run Upgrade Assistant to upgrade from Oracle Adaptive Access Manager 10g:
ARM WebApp User Roles and Users
Log4j settings
Client-side Web Service configuration/settings in the ASA Web Application
Client-side SOAP keystore with SOAP user password
Any customizations, such as the following:
Custom Web Content (JSPs, CSS, etc)
Custom images
Custom Dynamic actions
Custom Loaders
Custom property files
You must upgrade such configuration manually after running Upgrade Assistant. For more information, see Task 11: Complete Any Required Oracle Adaptive Access Manager Post-Upgrade Tasks, Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager, and Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.
Table 4-0 compares a typical Oracle Adaptive Access Manager topology in Oracle Application Server 10g with a similar topology in Oracle Fusion Middleware 11g.
Figure 4-1 Comparison of Typical Oracle Adaptive Access Manager Topologies in Oracle Application Server 10g and Oracle Fusion Middleware 11g
You must complete the following prerequisites for upgrading to the Oracle Adaptive Access Manager 11g environment:
Ensure that you have applied the Bundle Patch 07 to the Oracle Adaptive Access Manager 10g (10.1.4.5) and to the Oracle Database.
Ensure that your database meets the system requirements. For more information see Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. If it does not meet the requirement, then you must upgrade the database software before upgrading to Oracle Adaptive Access Manager 11g.
Make sure that the Oracle Adaptive Access Manager 10g web applications are in exploded format.
Ensure that Oracle Adaptive Access Manager 10g webapp folders and files can be accessed by Upgrade Assistant.
If you are upgrading an Oracle Adaptive Access Manager environment, you must ensure that the version of the database where you plan to install the Oracle Adaptive Access Manager schemas is supported by Oracle Fusion Middleware 11g.
For instructions on verifying that your database meets the requirements of Oracle Fusion Middleware 11g, see "Upgrading and Preparing Your Databases" in the Oracle Fusion Middleware Upgrade Planning Guide.
Run the Repository Creation Utility to create the Oracle Meta Data Services (MDS) schema into a supported database and complete the following:
Running Repository Creation Utility in Preparation for an Oracle Adaptive Access Manager Upgrade
Selecting the Schemas Required for Oracle Adaptive Access Manager Upgrade
For information about running Repository Creation Utility to install the Oracle Adaptive Access Manager schema, refer to the following documents:
After you start the Repository Creation Utility, follow the instructions on the Repository Creation Utility screens to connect to the database and create the required schemas.
You can use Repository Creation Utility to install the schemas required for all of the Oracle Fusion Middleware software components that require a schema. However, there is no need to install all the schemas unless you plan to install a complete Oracle Fusion Middleware environment and you plan to use the same database for all the Oracle Fusion Middleware component schemas.
For Oracle Adaptive Access Manager upgrade, you must select the following schemas when prompted by the Repository Creation Utility:
Expand AS Common Schemas, and select Metadata Services and Audit Services.
This schema supports Oracle Fusion Middleware Metadata Services (MDS), which is required by the Oracle Adaptive Access Manager component.
Note:
The MDS Schema can be installed in a database other than the one where the Oracle Adaptive Access Manager schema is installed. However, ensure that the Oracle Adaptive Access Manager Managed Server can access your MDS schema.
Before you upgrade to Oracle Fusion Middleware 11g, you must install and configure an Oracle Fusion Middleware environment that is similar to the topology you set up for Oracle Application Server 10g. To do so, complete the following steps:
Installing Oracle WebLogic Server and Creating a Middleware Home
Installing Oracle Adaptive Access Manager 11g Release 1 (11.1.1.7.0)
Before you can install Oracle Identity and Access Management 11g Release 1 (11.1.1.7.0) components, you must install Oracle WebLogic Server and create the Oracle Middleware Home directory.
For more information, see "Install Oracle WebLogic Server" in Oracle Fusion Middleware Installation Planning Guide for Oracle Identity and Access Management.
In addition, see Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server for complete information about installing Oracle WebLogic Server.
For information about installing Oracle Adaptive Access Manager 11g Release 1 (11.1.1.7.0), refer to "Installing and Configuring Oracle Identity and Access Management (11.1.1.7.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Note:
Do not configure the Oracle Adaptive Access Manager domain during the installation process.
To upgrade the Oracle Adaptive Access Manager schema using Upgrade Assistant, perform the following steps:
Enter the following command to start the Upgrade Assistant:
On UNIX systems (Located at MW_HOME/Oracle_<IDM_Home>/bin):
./ua
On Windows systems (Located at MW_HOME\Oracle_<IDM_Home>\bin):
ua.bat
The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed, as shown in Figure 4-2.
Figure 4-2 Upgrade Assistant Welcome Screen
Click Next.
The Specify Operation screen is displayed, as shown in Figure 4-3.
Figure 4-3 Upgrade Assistant Specify Operation Screen
Select the Upgrade Oracle Adaptive Access Manager Schema option.
Click Next.
The Prerequisites screen is displayed.
Select the Database Schema backup completed and Database version is certified by Oracle for Fusion Middleware upgrade options.
Note:
Ensure that the database has been upgraded before checking the Database Schema backup completed option. For more information, see Task 2: If Necessary, Upgrade the Oracle Database That Contains Oracle Adaptive Access Manager Schemas.
For instructions on verifying that your database meets the requirements of Oracle Fusion Middleware 11g, see http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html.
Click Next.
The Specify OAAM Source Database screen is displayed.
Enter the following information:
Database Type: Select the database type from the drop-down list.
Connect String: Enter the connect string for the database.
For example:
host:port:sid
OAAM Schema User: Specify the Oracle Adaptive Access Manager 10g schema user name.
DBA User: Enter the user name for your database.
DBA Password: Enter the password for your database user.
Click Next.
The Examining Components screen is displayed.
Upgrade Assistant examines the components and checks that the source and target schemas contain the expected columns.
Under the Status column, the word succeeded should appear. If instead, the word failed appears, inspect the log file for details.
Note:
If you want to view the log file for the current session, click on the link at the bottom of the screen to view the ua.log file.
Click Next.
The Upgrade Summary screen is displayed.
Click Upgrade.
The Upgrade Progress screen is displayed. This screen provides the following information:
Status of the upgrade
Any errors or problems that occur during the upgrade
See Also:
"Troubleshooting Your Upgrade" in the Oracle Fusion Middleware Upgrade Planning Guide for specific instructions for troubleshooting problems that occur while running the Upgrade Assistant
Click Next.
The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete.
Click Close.
To configure Oracle Adaptive Access Manager in a new or existing Oracle WebLogic domain, refer to the "Configuring Oracle Adaptive Access Manager" section in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management. When you run the Oracle Fusion Middleware Configuration Wizard ensure that you configure the Managed Servers and assign them to machine.
Note:
Ensure that you specify the Oracle Adaptive Access Manager 10g database details in the screen where it prompts you to enter the Oracle Adaptive Access Manager 11g database details. You must enter the 10g credentials because there is no separate 11g database. It checks the database for a few system tables, which will not be present in Oracle Adaptive Access Manager 10g database. You can ignore these errors and complete the Oracle Adaptive Access Manager 11g installation.
For information about configuring Node Manager, refer to the "Configuring Node Manager to Start Managed Servers" section in the Oracle Fusion Middleware Administrator's Guide.
If you have started the Oracle Adaptive Access Manager Administration Server and the Oracle Adaptive Access Manager Managed Servers, then you must stop the Oracle Adaptive Access Manager Administration Server and Managed Servers by running the following command on the command line:
Windows
stopManagedWebLogic.cmd oaam_admin_server1 stopManagedWebLogic.cmd oaam_server_server1
UNIX
stopManagedWebLogic.sh oaam_admin_server1 stopManagedWebLogic.sh oaam_server_server1
To upgrade the Oracle Adaptive Access Manager middle tier:
Note:
You can also use the Upgrade Assistant command-line interface to upgrade your Oracle Application Server 10g Oracle homes. For more information, see "Using the Upgrade Assistant Command-Line Interface" in the Oracle Fusion Middleware Upgrade Planning Guide.
If you have started the Oracle Adaptive Access Manager Managed Servers, then they will auto-generate symmetric keys required for encryption or decryption. You must delete keys before performing middle tier upgrade. To do so, complete the following steps:
Log in to Oracle Enterprise Manager.
Expand the WebLogic Domain on the left pane, and select the OAAM domain.
The OAAM domain page is displayed.
From the OAAM Domain, select Security, and then Credentials.
The Credentials page is displayed.
Expand oaam and delete the symmetric key related entries.
Run the following command to launch Upgrade Assistant:
On UNIX systems (Located at MW_HOME/Oracle_<IDM_Home>/bin):
./ua
On Windows systems (Located at MW_HOME\Oracle_<IDM_Home>\bin):
ua.bat
The Oracle Fusion Middleware Upgrade Assistant Welcome screen is displayed, as shown in Figure 4-4.
Figure 4-4 Upgrade Assistant Welcome Screen
Click Next.
The Specify Operation screen is displayed, as shown in Figure 4-5.
Figure 4-5 Upgrade Assistant Specify Operation Screen
Select Upgrade Oracle Adaptive Access Manager Middle Tier.
The options available in Upgrade Assistant are specific to the Oracle home from which it started. When you start Upgrade Assistant from an Oracle Application Server Identity Management Oracle home, the options shown on the Specify Operation screen are the valid options for an Oracle Application Server Identity Management Oracle home.
Click Next.
The Specify Source Details screen is displayed.
Enter the following information:
Click Browse and enter the directory location for Oracle Adaptive Access Manager Adaptive Strong Authenticator Web Application 10g (ASA) and Adaptive Risk Manager Web Application 10g (ARM) applications.
Database Type: Select the database type from the drop-down list.
Connect String: Enter the name of the server where your database is running. Use one of the following format for Oracle Database:
//host:port/service or host:port:sid
Schema User Name: Enter the user name for the schema.
Schema Password: Enter the password for the schema.
Click Next.
The Specify WebLogic Server screen is displayed.
Enter the following information about your Oracle WebLogic Server domain:
Host: The host name of the Oracle WebLogic Server domain.
Port: The listening port of the administration server. The default administration server port is 7001.
Username: The user name that is used to log in to the administration server. This is the same username you use to log in to the Administration Console for the domain.
Password: The password for the administrator account that is used to log in to the administration server. This is the same password you use to log in to the Administration Console for the domain.
Click Next.
The Specify Upgrade Options screen is displayed.
Select Start destination components after successful upgrade, and click Next.
The Examining Components screen is displayed.
Note:
Ensure that Node Manager is running, before you select Start destination components after successful upgrade.
Click Next.
The Upgrade Summary screen is displayed.
Click Upgrade.
The Upgrade Progress screen is displayed. This screen provides the following information:
The status of the upgrade
Any errors or problems that occur during the upgrade
See Also:
"Troubleshooting Your Upgrade" in the Oracle Fusion Middleware Upgrade Planning Guide for specific instructions for troubleshooting problems that occur while running the Upgrade Assistant.
Click Next.
The Upgrade Complete screen is displayed. This screen confirms that the upgrade was complete.
Click Close.
You must start the Oracle Adaptive Access Manager Administration Server and the Oracle Adaptive Access Manager Managed Servers by running the following command on the command line:
Windows
startManagedWebLogic.cmd oaam_admin_server1 startManagedWebLogic.cmd oaam_server_server1
UNIX
startManagedWebLogic.sh oaam_admin_server1 startManagedWebLogic.sh oaam_server_server1
You must perform the following additional post-upgrade tasks after upgrading your Oracle Adaptive Access Manager 10g environment to Oracle Adaptive Access Manager 11g:
If you have any customizations in Oracle Adaptive Access Manager 10g, then you can migrate these customizations using the customizations or extensions shared library for Oracle Adaptive Access Manager. For more information, see the Oracle Fusion Middleware Developer's Guide for Oracle Adaptive Access Manager.
You must manually configure the Java logging setting because log4j is not used in Oracle Adaptive Access Manager 11g.
Configure application logging using Oracle Fusion Middleware Enterprise Manager or configure the logging properties file that is used by the servers.
You must reconfigure users with relevant Oracle Adaptive Access Manager groups in Oracle Adaptive Access Manager domain by using the Oracle WebLogic Administration console. These users can then use the oaam_admin application. The User Group roles used in Oracle Adaptive Access Manager 10g use a different set of names in Oracle Adaptive Access Manager 11g. Table 4-1 lists the role mapping from 10g to 11g.
Table 4-1 User Group Mapping
| Oracle Adaptive Access Manager 10.1.4.5 User Group | Oracle Adaptive Access Manager 11G User Group |
|---|---|
|
CSRGroup |
OAAMCSRGroup |
|
CSRManagerGroup |
OAAMCSRManagerGroup |
|
CSRInvestigator |
OAAMCSRInvestigatorGroup |
|
Investigator |
OAAMInvestigatorGroup |
|
InvestigationManager |
OAAMInvestigationManagerGroup |
|
RuleAdministratorsGroup |
OAAMRuleAdministratorGroup |
|
EnvAdminGroup |
OAAMEnvAdminGroup |
|
AuditorsGroup |
Not Available |
|
SOAPServicesGroup |
OAAMSOAPServicesGroup |
Basic required entities are shipped along with Oracle Adaptive Access Manager in the Auth_EntityDefinition.zip file, which is located in the MW_HOME/IDM_ORACLE_HOME/oaam/init directory.You must import the basic entities into your system by completing the following steps:
Log in to the Oracle Adaptive Access Manager Administration Console.
Navigate to the Entities search page, by clicking Entities in the Navigation tree, or right-click Entities in the Navigation tree and select Open from the context menu that is displayed.
In the Entities search page, click Import.
In the Entities Import screen, click Browse and locate the Auth_EntityDefinition.zip file.
Click OK.
You must back-up the symmetric keys used for encryption and decryption. You may need this keys, if you have to recreate the Oracle Adaptive Access Manager 11g domain. Steps to access these keys
Log in to Oracle Enterprise Manager.
Expand the WebLogic Domain on the left pane, and select OAAM domain.
The OAAM domain page is displayed.
From the OAAM Domain, select Security, and then Credentials.
The Credentials page is displayed.
Expand oaam and select the symmetric key related entries associated with the Type Generic.
Click Edit.
Go to the Credentials section then copy the symmetric key related entries and note the key name.
Note:
Repeat the above steps to back-up database and configuration keys.
To verify that your Oracle Adaptive Access Manager upgrade was successful:
Run Upgrade Assistant again, and select Verify Instance on the Specify Operation page.
Follow the instructions on the screen for information about how to verify that specific Oracle Fusion Middleware components are up and running.
Use the following URL to verify that Oracle Adaptive Access Manager 11g is up and running:
Oracle Adaptive Access Manager Administration Server:
http://hostname:oaam_admin_port/oaam_admin/ping
Oracle Adaptive Access Manager Managed Server:
http://hostname:oaam_server_port/oaam_server/ping
Alternatively, you can check the upgrade log file for any error messages or use Fusion Middleware Control to verify that Oracle Adaptive Access Manager and any other Oracle Identity Management components are up and running in the Oracle Fusion Middleware environment.
For more information, see "Getting Started Using Oracle Enterprise Manager Fusion Middleware Control" in the Oracle Fusion Middleware Administrator's Guide.
To verify that the Symmetric keys are created in CSF, perform the following:
Log in to Oracle Enterprise Manager.
Expand the WebLogic Domain on the left pane, and select OAAM domain.
The OAAM domain page is displayed.
From the OAAM Domain, select Security, and then Credentials.
The Credentials page is displayed.
Verify that oaam is listed in the Credential Store Provider table. Expand oaam and ensure that it includes the DESede_db_key_alias and DESede_config_key_alias entries.
Check the Oracle Adaptive Access Manager schema version, to ensure that the schema upgrade was successful.
Log in to the Oracle Adaptive Access Manager Administration Console as an existing user and ensure that you are able to access it.
To verify that you can search and view existing Sessions, perform the following:
Log in to the Oracle Adaptive Access Manager Administration Console.
In the Navigation tree, select Sessions. The Sessions search page is displayed.
Search for the session by the details you are interested in.
For more information, see the chapter "Using Session Details" in Oracle Fusion Middleware Administrator's Guide for Oracle Adaptive Access Manager.
|
 Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
