5 Upgrading Oracle Identity and Access Management Highly Available Environments Deployed Using Life Cycle Management (LCM) Tools

This chapter describes how to upgrade Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) highly available (HA) environments that are deployed using the Life Cycle Management (LCM) Tools, to 11g Release 2 (11.1.2.3.0) using the automated upgrade procedure.

If you wish to upgrade Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) environments that are deployed using the Life Cycle Management (LCM) Tools on a single node, see Chapter 4, "Upgrading Oracle Identity and Access Management Environments Deployed Using Life Cycle Management (LCM) Tools on a Single Node".

Note:

The upgrade procedure described in this chapter cannot be used to upgrade the Oracle Identity and Access Management environments that are configured manually, using the Oracle Universal Installer and Fusion Middleware Configuration wizard.

For information about upgrading Oracle Identity and Access Management environments that are configured manually, see Chapter 1, "Introduction to Oracle Identity and Access Management Upgrade".

Before you proceed, review the automated upgrade overview, deployment topologies supported for automated upgrade, and the supported starting points described in Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".

Note:

For information about the latest patches, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Release Notes for Identity Management.


5.1 Variables Used in This Chapter

Table 5-1 lists the variables used in this chapter.

Table 5-1 Variables Used in This Chapter With Their Descriptions

| Variable | Description |
|---|---|
| SCRIPT_FILE_LOCATION | The location where you copied the upgrade tool idmUpgrade.zip and extracted the files. |
| OAMHOST1, OAMHOST2 | The hosts on which Oracle Access Manager is configured. |
| OIMHOST1, OIMHOST2 | The hosts on which Oracle Identity Manager is configured. |
| LDAPHOST1, LDAPHOST2 | The hosts on which Oracle Unified Directory is configured. |
| WEBHOST1, WEBHOST2 | The hosts on which Oracle HTTP Server is configured. |


5.2 Upgrade Scenario Covered in this Chapter

This chapter describes how to upgrade the following Oracle Identity and Access Management topologies deployed using the Life Cycle Management (LCM) Tools:

Note:

Isolated upgrade is not supported for OIM-OAM Integrated with Oracle Unified Directory (OUD) Topology on a highly available (HA) setup. For information about isolated upgrade, see Section 2.3, "Isolated Upgrade Overview".

For the list of scenarios supported for automated upgrade, see Section 2.2, "Deployment Topologies Supported for Automated Upgrade".

5.3 Upgrading Oracle Identity Manager (OIM) Only on Multiple Nodes

This section describes how to upgrade Oracle Identity Manager only 11g Release 2 (11.1.2.2.0) highly available environments to 11.1.2.3.0. As part of the Oracle Identity Manager upgrade, Oracle BI Publisher will be installed and configured with Oracle Identity Manager. Therefore, after upgrading to Oracle Identity Manager 11.1.2.3.0, you do not have to use an external standalone Oracle BI Publisher to publish reports.

To upgrade Oracle Identity Manager highly available environments, perform the following tasks:

  1. Completing the Prerequisites

  2. Obtaining the Software

  3. Setting the Environment Variables

  4. Updating the Properties File

  5. Performing Pre-Validation Checks on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2

  6. Creating BIP Schema for OIM Upgrade (Only on Solaris, IBM AIX, and HP Itanium Platforms)

  7. Stopping All Servers

  8. Backing Up Database and WebLogic Domain

  9. Upgrading Binaries and Configuration on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2

  10. Performing Post-Validation Checks on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2

  11. Verifying the Upgrade

5.3.1 Completing the Prerequisites

Before you start with the upgrade process, you must complete the following prerequisites:

  1. Review the system requirements and certification document and make sure that your existing environment meets all hardware and software requirements necessary for 11g Release 2 (11.1.2.3.0) software. For more information, see Section 6.2, "Reviewing System Requirements and Certifications".

  2. On OIMHOST1 and OIMHOST2, ensure that the /etc/hosts file contains both canonical hostnames (fully qualified host names) along with the hostname entry. For more information, see Section 6.5, "Verifying Hostnames in the Hosts File".

  3. If you are using the following RAC datasources, then make sure they are enabled before you start the upgrade:

    • ApplicationDB

    • soaOIMLookupDB

    • opss-dbds

    • bip_datasource

    To enable the RAC databases, see Converting Single-Instance Oracle Databases to Oracle RAC and Oracle RAC One Node in the Real Application Clusters Administration and Deployment Guide.

5.3.2 Obtaining the Software

Obtain the file idmUpgrade.zip that contains the upgrade scripts. Copy the script to OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2. Extract the contents of the zip file on all of the hosts. For more information about obtaining the zip file, and extracting the contents, see Section 6.6, "Obtaining the Automated Upgrade Tool".

Note:

The instructions for performing an automated upgrade of Oracle Identity and Access Management to 11g Release 2 (11.1.2.3.0) assume you have applied the Oracle Identity and Access Management Automated Upgrade Tool Bundle Patch 2 (11.1.2.3.2). To download this patch, go to the following URL:

https://updates.oracle.com/download/21419345.html

5.3.3 Setting the Environment Variables

Before you start with the upgrade process, you must set the required environment variables depending on the platform on which you are upgrading Oracle Identity and Access Management. For more information, see Section 6.4, "Setting the Required Environment Variables Necessary for Upgrade".

5.3.4 Updating the Properties File

You must update the upgrade.properties file located at SCRIPT_FILE_LOCATION/r2ps3/idmUpgrade/upgrade.properties on OIMHOST1 and OIMHOST2 with the values for the required properties.

For information about the properties that you must update for upgrading Oracle Identity Manager (OIM) Only topology on multiple nodes, see Section 6.7, "Updating the upgrade.properties File".

5.3.5 Performing Pre-Validation Checks on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2

After you update the properties file, you must perform pre-validation checks on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2. To perform the pre-validation checks, you must run the preValidate.pl script.

To perform the pre-validation checks, do the following:

  • On OIMHOST1, run the preValidate.pl script to perform pre-validation checks. While running the command, specify OIM as the value for the -node argument.

  • On OIMHOST2, run the preValidate.pl script to perform pre-validation checks. While running the command, specify OIM as the value for the -node argument.

  • On WEBHOST1, run the preValidate.pl script to perform pre-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

  • On WEBHOST2, run the preValidate.pl script to perform pre-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

For general syntax of the preValidate.pl script and for information about running the script, see Section 6.8, "Performing Pre-Validation Checks Using preValidate.pl Script".

5.3.6 Creating BIP Schema for OIM Upgrade (Only on Solaris, IBM AIX, and HP Itanium Platforms)

If you are upgrading Oracle Identity Manager on platforms such as Solaris, IBM AIX, and HP Itanium using the automated upgrade tool, you must create the Oracle BI Publisher (BIPLATFORM) schema manually using the Repository Creation Utility (RCU) 11.1.2.3.0 from a machine that is running the Linux or Windows operating system.

For more information about creating schema using RCU, see Section 6.9, "Creating BIP Schema for Oracle Identity Manager Upgrade on Solaris, IBM AIX, and HP Itanium Platforms".

Note:

If you are upgrading Oracle Identity Manager on Linux, skip this step, as the automated upgrade tool creates the BIPLATFORM schema on Linux.

5.3.7 Stopping All Servers

You must stop the following server(s):

  1. Oracle HTTP Server on WEBHOST2.

  2. Oracle HTTP Server on WEBHOST1.

  3. Oracle Identity Manager Managed Server(s) on OIMHOST2.

  4. Oracle SOA Suite Managed Server(s) on OIMHOST2.

  5. Oracle Identity Manager Managed Server(s) on OIMHOST1.

  6. Oracle SOA Suite Managed Server(s) on OIMHOST1.

  7. WebLogic Administration Server on OIMHOST1.

To stop all servers on a host, you must run the stopall.sh script on that host.

Complete the following steps to stop all of the servers:

  1. On WEBHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  2. On WEBHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  3. On OIMHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  4. On OIMHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

For more information about running the stopall.sh script to stop the servers, see Section 6.12, "Stopping All Servers Using stopall.sh Script".

5.3.8 Backing Up Database and WebLogic Domain

Before you run the upgrade script, you must back up your database schemas and the WebLogic domain(s). For more information, see Section 6.3, "Backing up the Existing Environment".

5.3.9 Upgrading Binaries and Configuration on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2

You must upgrade binaries and configuration on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2 by running the idmUpgrade.pl script.

The idmUpgrade.pl script must be used for upgrading both binaries and configuration. The argument -mode represents the type of upgrade. You must perform binary upgrade on each of the nodes followed by the configuration upgrade.

Note:

Make sure that the Database services are up and running before you run the upgrade script.

If you do not specify any value for the argument -mode, the value will be taken as both, which is the default value of the -mode argument. In this case, the script performs the binary upgrade first followed by the configuration upgrade. For more information about running the idmUpgrade.pl command, see Section 6.10, "Upgrading Oracle Identity and Access Management Binaries and Configuration Using idmUpgrade.pl script".

If you have shared binaries, you must perform binary upgrade on one node only. For example, if Oracle Identity Manager binaries are shared between OIMHOST1 and OIMHOST2, you can perform binary upgrade on either of these hosts. Binary upgrade on both the hosts is not required.

To upgrade binaries and configuration, complete the following tasks:

  1. On OIMHOST1, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and OIM as the value for the -node argument.

  2. On OIMHOST2, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and OIM as the value for the -node argument.

    This step is required only if binaries are not shared between OIMHOST1 and OIMHOST2.

  3. On WEBHOST1, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and WEBTIER as the value for the -node argument.

  4. On WEBHOST2, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and WEBTIER as the value for the -node argument.

    This step is required only if binaries are not shared between WEBHOST1 and WEBHOST2.

  5. On OIMHOST1, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and OIM as the value for the -node argument.

  6. On OIMHOST2, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and OIM as the value for the -node argument.

  7. On WEBHOST1, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and WEBTIER as the value for the -node argument.

  8. On WEBHOST2, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and WEBTIER as the value for the -node argument.

For general syntax of the idmUpgrade.pl script and for information about running the script, see Section 6.10, "Upgrading Oracle Identity and Access Management Binaries and Configuration Using idmUpgrade.pl script".

5.3.10 Performing Post-Validation Checks on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2

After you upgrade binaries and configuration, you must perform post-validation checks on OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2. To perform the post-validation checks, you must run the postValidate.pl script.

To perform the post-validation checks, do the following:

  • On OIMHOST1, run the postValidate.pl script to perform post-validation checks. While running the command, specify OIM as the value for the -node argument.

  • On OIMHOST2, run the postValidate.pl script to perform post-validation checks. While running the command, specify OIM as the value for the -node argument.

  • On WEBHOST1, run the postValidate.pl script to perform post-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

  • On WEBHOST2, run the postValidate.pl script to perform post-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

For general syntax of the postValidate.pl script and for information about running the script, see Section 6.11, "Performing Post-Validation Checks Using postValidate.pl Script".

5.3.11 Verifying the Upgrade

After you perform the post-validation checks, verify the Oracle Identity Manager upgrade by checking the log files on each of the nodes. Log files are created at the location you specified for LOG_DIR parameter in the upgrade.properties file.

5.4 Upgrading Oracle Access Manager Suite (OAM) Only on Multiple Nodes

This section describes how to upgrade Oracle Access Manager only 11g Release 2 (11.1.2.2.0) highly available environments to 11.1.2.3.0. If your OAM 11.1.2.2.0 domain contains Oracle Adaptive Access Manager, then the upgrade script upgrades Oracle Adaptive Access Manager to 11.1.2.3.0 along with Oracle Access Manager.

Note:

Upgrade is supported on an OAM-only environment with a non-embedded LDAP directory (OUD). Upgrading an OAM-only environment with embedded LDAP is NOT supported.

To upgrade Oracle Access Manager and Oracle Adaptive Access Manager on multiple nodes, perform the following tasks:

  1. Completing the Prerequisites

  2. Obtaining the Software

  3. Setting the Environment Variables

  4. Updating the Properties File

  5. Performing Pre-Validation Checks on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2

  6. Stopping All Servers

  7. Backing Up Database and WebLogic Domain

  8. Upgrading Binaries and Configuration on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2

  9. Performing Post-Validation Checks on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2

  10. Verifying the Upgrade

5.4.1 Completing the Prerequisites

Before you start with the upgrade process, you must complete the following prerequisites:

  1. Review the system requirements and certification document and make sure that your existing environment meets all hardware and software requirements necessary for 11g Release 2 (11.1.2.3.0) software. For more information, see Section 6.2, "Reviewing System Requirements and Certifications".

  2. On OAMHOST1 and OAMHOST2, ensure that the /etc/hosts file contains both canonical hostnames (fully qualified host names) along with the hostname entry. For more information, see Section 6.5, "Verifying Hostnames in the Hosts File".

5.4.2 Obtaining the Software

Obtain the file idmUpgrade.zip that contains the upgrade scripts. Copy the script to OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2. Extract the contents of the zip file on all of the hosts. For more information about obtaining the zip file, and extracting the contents, see Section 6.6, "Obtaining the Automated Upgrade Tool".

Note:

The instructions for performing an automated upgrade of Oracle Identity and Access Management to 11g Release 2 (11.1.2.3.0) assume you have applied the Oracle Identity and Access Management Automated Upgrade Tool Bundle Patch 2 (11.1.2.3.2). To download this patch, go to the following URL:

https://updates.oracle.com/download/21419345.html

5.4.3 Setting the Environment Variables

Before you start with the upgrade process, you must set the required environment variables depending on the platform on which you are upgrading Oracle Identity and Access Management. For more information, see Section 6.4, "Setting the Required Environment Variables Necessary for Upgrade".

5.4.4 Updating the Properties File

You must update the upgrade.properties file located at SCRIPT_FILE_LOCATION/r2ps3/idmUpgrade/upgrade.properties on OAMHOST1 and OAMHOST2 with the values for the required properties.

For information about the properties that you must update for upgrading Oracle Access Manager (OAM) Only topology on multiple nodes, see Section 6.7, "Updating the upgrade.properties File".

5.4.5 Performing Pre-Validation Checks on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2

After you update the properties file, you must perform pre-validation checks on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2. To perform the pre-validation checks, you must run the preValidate.pl script.

To perform the pre-validation checks, do the following:

  • On OAMHOST1, run the preValidate.pl script to perform pre-validation checks. While running the command, specify OAM as the value for the -node argument.

  • On OAMHOST2, run the preValidate.pl script to perform pre-validation checks. While running the command, specify OAM as the value for the -node argument.

  • On WEBHOST1, run the preValidate.pl script to perform pre-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

  • On WEBHOST2, run the preValidate.pl script to perform pre-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

For general syntax of the preValidate.pl script and for information about running the script, see Section 6.8, "Performing Pre-Validation Checks Using preValidate.pl Script".

5.4.6 Stopping All Servers

You must stop the following server(s):

  1. Oracle HTTP Server on WEBHOST2.

  2. Oracle HTTP Server on WEBHOST1.

  3. Oracle Access Manager Managed Server(s) on OAMHOST2.

  4. Oracle Access Manager Managed Server(s) on OAMHOST1.

  5. WebLogic Administration Server on OAMHOST1.

To stop all servers on a host, you must run the stopall.sh script on that host.

Complete the following steps to stop all of the servers:

  1. On WEBHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  2. On WEBHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  3. On OAMHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  4. On OAMHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

For more information about running the stopall.sh script to stop the servers, see Section 6.12, "Stopping All Servers Using stopall.sh Script".

5.4.7 Backing Up Database and WebLogic Domain

Before you run the upgrade script, you must back up your database schemas and the WebLogic domain(s). For more information, see Section 6.3, "Backing up the Existing Environment".

5.4.8 Upgrading Binaries and Configuration on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2

You must upgrade binaries and configuration on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2 by running the idmUpgrade.pl script.

The idmUpgrade.pl script must be used for upgrading both binaries and configuration. The argument -mode represents the type of upgrade. You must perform binary upgrade on each of the nodes followed by the configuration upgrade.

Note:

Make sure that the Database services are up and running before you run the upgrade script.

If you have shared binaries, you must perform binary upgrade on one node only. For example, if Oracle Identity Manager binaries are shared between OAMHOST1 and OAMHOST2, you can perform binary upgrade on either of these hosts. Binary upgrade on both the hosts is not required.

To upgrade binaries and configuration, complete the following tasks:

  1. On OAMHOST1, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and OAM as the value for the -node argument.

  2. On OAMHOST2, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and OAM as the value for the -node argument.

    This step is required only if binaries are not shared between OAMHOST1 and OAMHOST2.

  3. On WEBHOST1, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and WEBTIER as the value for the -node argument.

  4. On WEBHOST2, run the idmUpgrade.pl script to upgrade binaries. While running this command, specify binary as the value for the -mode argument, and WEBTIER as the value for the -node argument.

    This step is required only if binaries are not shared between WEBHOST1 and WEBHOST2.

  5. On OAMHOST1, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and OAM as the value for the -node argument.

  6. On OAMHOST2, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and OAM as the value for the -node argument.

  7. On WEBHOST1, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and WEBTIER as the value for the -node argument.

  8. On WEBHOST2, run the idmUpgrade.pl script to upgrade configuration. While running this command, specify config as the value for the -mode argument, and WEBTIER as the value for the -node argument.

For general syntax of the idmUpgrade.pl script and for information about running the script, see Section 6.10, "Upgrading Oracle Identity and Access Management Binaries and Configuration Using idmUpgrade.pl script".
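The run order described in Sections 5.3.9 and 5.4.8 can be generated and checked with a small script. This is an added example, not part of the Oracle documentation or the upgrade tool; upgrade_plan and check_order are hypothetical helper names, and each printed line shows only the host and the -mode and -node values named in this chapter (the full command syntax is in Section 6.10).

```shell
#!/bin/sh
# Added example (not Oracle code): derive the idmUpgrade.pl run order for an
# OIM-only or OAM-only HA topology and check a record of completed runs.

# upgrade_plan APP_NODE APP_SHARED WEB_SHARED
#   APP_NODE    OIM or OAM (the -node value used on the application hosts)
#   APP_SHARED  yes|no  binaries shared between <APP>HOST1 and <APP>HOST2
#   WEB_SHARED  yes|no  binaries shared between WEBHOST1 and WEBHOST2
# Prints "<step> <host> -mode <mode> -node <node>", one line per run.
upgrade_plan() {
    app=$1
    app_shared=$2
    web_shared=$3
    case $app in
        OIM|OAM) ;;
        *) echo "upgrade_plan: APP_NODE must be OIM or OAM" >&2; return 2 ;;
    esac
    for flag in "$app_shared" "$web_shared"; do
        case $flag in
            yes|no) ;;
            *) echo "upgrade_plan: shared flags must be yes or no" >&2; return 2 ;;
        esac
    done

    step=0
    emit() {
        step=$((step + 1))
        printf '%d %s -mode %s -node %s\n' "$step" "$1" "$2" "$3"
    }

    # Binary phase: the second node of a tier is skipped when binaries are shared.
    emit "${app}HOST1" binary "$app"
    [ "$app_shared" = yes ] || emit "${app}HOST2" binary "$app"
    emit WEBHOST1 binary WEBTIER
    [ "$web_shared" = yes ] || emit WEBHOST2 binary WEBTIER

    # Configuration phase: always runs on every host, shared binaries or not.
    emit "${app}HOST1" config "$app"
    emit "${app}HOST2" config "$app"
    emit WEBHOST1 config WEBTIER
    emit WEBHOST2 config WEBTIER
}

# check_order reads "<host> <mode>" records (one per completed run, in the
# order they were run) on stdin and fails if a binary run is recorded after
# the configuration phase has started.
check_order() {
    seen_config=no
    while read -r host mode; do
        case $mode in
            config) seen_config=yes ;;
            binary)
                if [ "$seen_config" = yes ]; then
                    echo "out of order: binary upgrade on $host after a config upgrade" >&2
                    return 1
                fi ;;
        esac
    done
    return 0
}

# Demonstration: OIM topology, OIM binaries shared, web-tier binaries not shared.
upgrade_plan OIM yes no
```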

5.4.9 Performing Post-Validation Checks on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2

After you upgrade binaries and configuration, you must perform post-validation checks on OAMHOST1, OAMHOST2, WEBHOST1, and WEBHOST2. To perform the post-validation checks, you must run the postValidate.pl script.

To perform the post-validation checks, do the following:

  • Restart the Oracle HTTP Servers on both WEBHOST1 and WEBHOST2.

  • On OAMHOST1, run the postValidate.pl script to perform post-validation checks. While running the command, specify OAM as the value for the -node argument.

  • On OAMHOST2, run the postValidate.pl script to perform post-validation checks. While running the command, specify OAM as the value for the -node argument.

  • On WEBHOST1, run the postValidate.pl script to perform post-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

  • On WEBHOST2, run the postValidate.pl script to perform post-validation checks. While running the command, specify WEBTIER as the value for the -node argument.

For general syntax of the postValidate.pl script and for information about running the script, see Section 6.11, "Performing Post-Validation Checks Using postValidate.pl Script".

5.4.10 Verifying the Upgrade

After you perform the post-validation checks, verify the Oracle Access Manager upgrade by checking the log files on each of the nodes. Log files are created at the location you specified for LOG_DIR parameter in the upgrade.properties file.

5.5 Upgrading OIM-OAM Integrated with Oracle Unified Directory (OUD) Topology on a Highly Available (HA) setup

This section describes how to upgrade OIM-OAM Integrated with Oracle Unified Directory (OUD) topology on a highly available (HA) setup deployed using the LCM tools, from 11g Release 2 (11.1.2.2.0) to 11g Release 2 (11.1.2.3.0).

This topology contains the following hosts:

  • OIMHOST1 and OIMHOST2 - These are the hosts on which Oracle Identity Manager is configured.

  • OAMHOST1 and OAMHOST2 - These are the hosts on which Oracle Access Manager is configured.

  • LDAPHOST1 and LDAPHOST2 - These are the hosts on which Oracle Unified Directory is configured.

  • WEBHOST1 and WEBHOST2 - These are the hosts on which Oracle HTTP Server is configured.

As part of the Oracle Identity Manager upgrade, the embedded Oracle BI Publisher (BIP) will be installed and configured with Oracle Identity Manager. Therefore, after upgrading to Oracle Identity Manager 11.1.2.3.0, you can choose to either use the embedded BI Publisher or continue to use the standalone Oracle BI Publisher. If you choose to use the embedded BI Publisher and discontinue using the standalone BIP, then you must migrate the existing BIP reports to embedded BIP.

Oracle Access Manager 11g Release 2 (11.1.2.3.0) has a new feature called Oracle Mobile Security Suite. You can enable Oracle Mobile Security Suite post-upgrade. For an introduction to Oracle Mobile Security Suite, see "Understanding Oracle Mobile Security Suite" in Oracle Fusion Middleware Administering Oracle Mobile Security Suite.

To upgrade OIM-OAM Integrated with Oracle Unified Directory (OUD) topology on a highly available (HA) setup, from 11g Release 2 (11.1.2.2.0) to 11g Release 2 (11.1.2.3.0), perform the following tasks:

  1. Completing the Prerequisites

  2. Obtaining the Software

  3. Setting the Environment Variables

  4. Updating the Properties File

  5. Performing Pre-Validation Checks on all of the Hosts

  6. Creating BIP Schema for OIM Upgrade (Only on Solaris, IBM AIX, and HP Itanium Platforms)

  7. Stopping All Servers

  8. Backing Up Database and WebLogic Domain

  9. Upgrading Binaries and Configuration on all of the Hosts

  10. Performing Post-Validation Checks on all of the Hosts

  11. Performing the Required Post-Upgrade Tasks

  12. Verifying the Upgrade

5.5.1 Completing the Prerequisites

Before you start with the upgrade process, you must complete the following prerequisites:

  1. Review the system requirements and certification document and make sure that your existing environment meets all hardware and software requirements necessary for 11g Release 2 (11.1.2.3.0) software. For more information, see Section 6.2, "Reviewing System Requirements and Certifications".

  2. On LDAPHOST1, LDAPHOST2, OAMHOST1, OAMHOST2, OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2, ensure that the /etc/hosts file contains both canonical hostnames (fully qualified host names) along with the hostname entry. For more information, see Section 6.5, "Verifying Hostnames in the Hosts File".

  3. Verify that the Oracle Adaptive Access Manager (OAAM) Administration Server is accessible at the following URL:

    http://OAM_HOST:OAAM_ADMIN_PORT/oaam_admin

    Use the OAAM admin username and OAAM admin password to access the OAAM Administration Server.

    For example:

    http://identity.example.com:14200/oaam_admin

    Username: oaamadminuser

    Password: Welcome1
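The /etc/hosts prerequisite in step 2 of Sections 5.3.1, 5.4.1, and 5.5.1 can be checked on each host before running preValidate.pl. This is an added example, not part of the Oracle documentation or the upgrade tool; hosts_entry_status is a hypothetical helper, the sample addresses and names are constructed, and it assumes the requirement means that a single hosts-file line carries both the fully qualified name and the short hostname.

```shell
#!/bin/sh
# Added example (not Oracle code). Assumption: the prerequisite is met when
# one line of the hosts file lists the FQDN and the short hostname together.

# hosts_entry_status HOSTS_FILE FQDN
# Prints one of: ok | split | fqdn-only | short-only | missing | not-fqdn
# Returns 0 only for "ok".
hosts_entry_status() {
    file=$1
    fqdn=$2
    short=${fqdn%%.*}              # first label of the name
    if [ "$short" = "$fqdn" ]; then
        echo not-fqdn              # caller passed a name without a domain
        return 2
    fi
    status=$(awk -v fqdn="$fqdn" -v short="$short" '
        BEGIN { fqdn = tolower(fqdn); short = tolower(short) }
        { sub(/#.*/, "") }         # ignore comments; fields are re-split
        NF >= 2 {
            f = s = 0
            for (i = 2; i <= NF; i++) {    # field 1 is the address
                n = tolower($i)
                if (n == fqdn)  f = 1
                if (n == short) s = 1
            }
            if (f && s) both = 1
            if (f) anyf = 1
            if (s) anys = 1
        }
        END {
            if (both)              print "ok"
            else if (anyf && anys) print "split"       # names on different lines
            else if (anyf)         print "fqdn-only"
            else if (anys)         print "short-only"
            else                   print "missing"
        }
    ' "$file") || return 2
    echo "$status"
    [ "$status" = ok ]
}

# Constructed sample file (documentation addresses and names, not real hosts).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
192.0.2.11  oimhost1.example.com oimhost1   # both names on one line
192.0.2.12  oimhost2                        # short name only
192.0.2.21  webhost1.example.com
192.0.2.21  webhost1
EOF
for h in oimhost1.example.com oimhost2.example.com \
         webhost1.example.com ldaphost1.example.com; do
    printf '%-24s %s\n' "$h" "$(hosts_entry_status "$sample" "$h")"
done
rm -f "$sample"
```

On a real host, pass /etc/hosts and that host's fully qualified name; any result other than ok means the entry needs correcting before the pre-validation step.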

5.5.2 Obtaining the Software

Obtain the file idmUpgrade.zip that contains the upgrade scripts. Copy the script to any accessible location on LDAPHOST1, LDAPHOST2, OAMHOST1, OAMHOST2, OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2, and extract the contents of the zip file on all of the hosts. For more information about obtaining the zip file, and extracting the contents, see Section 6.6, "Obtaining the Automated Upgrade Tool".

Note:

The instructions for performing an automated upgrade of Oracle Identity and Access Management to 11g Release 2 (11.1.2.3.0) assume you have applied the Oracle Identity and Access Management Automated Upgrade Tool Bundle Patch 2 (11.1.2.3.2). To download this patch, go to the following URL:

https://updates.oracle.com/download/21419345.html

5.5.3 Setting the Environment Variables

Before you start with the upgrade process, you must set the required environment variables depending on the platform on which you are upgrading Oracle Identity and Access Management. For more information, see Section 6.4, "Setting the Required Environment Variables Necessary for Upgrade".

5.5.4 Updating the Properties File

You must update the upgrade.properties file located at SCRIPT_FILE_LOCATION/r2ps3/idmUpgrade/upgrade.properties on LDAPHOST1, LDAPHOST2, OAMHOST1, OAMHOST2, OIMHOST1, OIMHOST2, WEBHOST1 and WEBHOST2, with the values for the required properties.

For information about the properties that you must update for upgrading OIM-OAM Integrated with Oracle Unified Directory (OUD) topology, see Section 6.7, "Updating the upgrade.properties File".

5.5.5 Performing Pre-Validation Checks on all of the Hosts

After you update the properties file, you must perform the pre-validation checks on WEBHOST1, WEBHOST2, LDAPHOST1, LDAPHOST2, OAMHOST1, OAMHOST2, OIMHOST1, and OIMHOST2. To perform the pre-validation checks, you must run the preValidate.pl script.

Note:

If LDAPHOST1 and LDAPHOST2 have only Oracle Unified Directory installed on them, that is, if LDAPHOST1 and LDAPHOST2 do not have Oracle Identity Manager or Oracle Access Manager installed, then you must do the following:

Copy the files libnnz11.so and libclntsh.so.11.1 from either OAMHOST, or OIMHOST, or WEBHOST to the location SCRIPT_FILE_LOCATION/r2ps3/idmUpgrade/lib/ on both LDAPHOST1 and LDAPHOST2.

The following are the locations of the files libnnz11.so and libclntsh.so.11.1 on OAMHOST, OIMHOST, and WEBHOST:

  • On OAMHOST, the files are located at IDMTOP/products/access/wlserver_10.3/server/adr.

  • On OIMHOST, the files are located at IDMTOP/products/identity/wlserver_10.3/server/adr.

  • On WEBHOST, the files are located at IDMTOP/products/web/ohs/lib.

To perform the pre-validation checks, do the following:

  • On WEBHOST1, run the preValidate.pl script to perform pre-validation checks for Oracle HTTP Server, by specifying WEBTIER for the argument -node.

  • On WEBHOST2, run the preValidate.pl script to perform pre-validation checks for Oracle HTTP Server, by specifying WEBTIER for the argument -node.

  • On LDAPHOST1, run the preValidate.pl script to perform pre-validation checks for Oracle Unified Directory, by specifying DIRECTORY for the argument -node.

  • On LDAPHOST2, run the preValidate.pl script to perform pre-validation checks for Oracle Unified Directory, by specifying DIRECTORY for the argument -node.

  • On OIMHOST1, run the preValidate.pl script to perform pre-validation checks for Oracle Identity Manager, by specifying OIM for the argument -node.

  • On OIMHOST2, run the preValidate.pl script to perform pre-validation checks for Oracle Identity Manager, by specifying OIM for the argument -node.

  • On OAMHOST1, run the preValidate.pl script to perform pre-validation checks for Oracle Access Manager, by specifying OAM for the argument -node.

  • On OAMHOST2, run the preValidate.pl script to perform pre-validation checks for Oracle Access Manager, by specifying OAM for the argument -node.

For general syntax of the preValidate.pl script and for information about running the script, see Section 6.8, "Performing Pre-Validation Checks Using preValidate.pl Script".

5.5.6 Creating BIP Schema for OIM Upgrade (Only on Solaris, IBM AIX, and HP Itanium Platforms)

If you are upgrading Oracle Identity Manager on platforms such as Solaris, IBM AIX, and HP Itanium using the automated upgrade tool, you must create the Oracle BI Publisher (BIPLATFORM) schema manually using the Repository Creation Utility (RCU) 11.1.2.3.0 from a machine that is running the Linux or Windows operating system.

For more information about creating schema using RCU, see Section 6.9, "Creating BIP Schema for Oracle Identity Manager Upgrade on Solaris, IBM AIX, and HP Itanium Platforms".

Note:

If you are upgrading Oracle Identity Manager on Linux, skip this step, as the automated upgrade tool creates the BIPLATFORM schema on Linux.

5.5.7 Stopping All Servers

You must stop the following server(s):

  1. Oracle HTTP Server on WEBHOST1 and WEBHOST2.

  2. Oracle Access Manager Managed Server(s) on OAMHOST1 and OAMHOST2.

  3. Oracle Identity Manager Managed Server(s) on OIMHOST1 and OIMHOST2.

  4. Oracle SOA Suite Managed Server(s) on OIMHOST1 and OIMHOST2.

  5. WebLogic Administration Server(s).

  6. Oracle Unified Directory on LDAPHOST1 and LDAPHOST2.

To stop all the servers on a host, you must run the stopall.sh script on that host.

Complete the following steps to stop the servers:

  1. On WEBHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  2. On WEBHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  3. On OAMHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  4. On OAMHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  5. On OIMHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  6. On OIMHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  7. On LDAPHOST2, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

  8. On LDAPHOST1, run the following command from the location SHARED_CONFIG_DIR/config/scripts:

    ./stopall.sh

For more information about running the stopall.sh script to stop the servers, see Section 6.12, "Stopping All Servers Using stopall.sh Script".

5.5.8 Backing Up Database and WebLogic Domain

Before you run the upgrade script, you must back up your database schemas and the file system. For more information, see Section 6.3, "Backing up the Existing Environment".

5.5.9 Upgrading Binaries and Configuration on all of the Hosts

After you back up your existing environment, upgrade the binaries and configuration of Oracle HTTP Server, Oracle Unified Directory, Oracle Identity Manager, and Oracle Access Manager. To do this, you must run the idmUpgrade.pl script on WEBHOST1, WEBHOST2, LDAPHOST1, LDAPHOST2, OIMHOST1, OIMHOST2, OAMHOST1, and OAMHOST2.

The idmUpgrade.pl script must be used for upgrading both binaries and configuration. The argument -mode represents the type of upgrade. You must perform binary upgrade on each of the nodes followed by the configuration upgrade.

Note:

Make sure that the Database services are up and running before you run the upgrade script.

If you have shared binaries, you must perform binary upgrade on one node only. For example, if Oracle Identity Manager binaries are shared between OIMHOST1 and OIMHOST2, you can perform binary upgrade on either of these hosts. Binary upgrade on both the hosts is not required.

To upgrade binaries and configuration, complete the following tasks in the same order specified:

  1. On WEBHOST1, run the idmUpgrade.pl script to upgrade the binaries of Oracle HTTP Server, by specifying binary for the argument -mode, and WEBTIER for the argument -node.

  2. On WEBHOST2, run the idmUpgrade.pl script to upgrade the binaries of Oracle HTTP Server, by specifying binary for the argument -mode, and WEBTIER for the argument -node.

    This step is required only if binaries are not shared between WEBHOST1 and WEBHOST2.

  3. On LDAPHOST1, run the idmUpgrade.pl script to upgrade the binaries of Oracle Unified Directory, by specifying binary for the argument -mode, and DIRECTORY for the argument -node.

  4. On LDAPHOST2, run the idmUpgrade.pl script to upgrade the binaries of Oracle Unified Directory, by specifying binary for the argument -mode, and DIRECTORY for the argument -node.

    This step is required only if binaries are not shared between LDAPHOST1 and LDAPHOST2.

  5. On OAMHOST1, run the idmUpgrade.pl script to upgrade the binaries of Oracle Access Manager, by specifying binary for the argument -mode, and OAM for the argument -node.

  6. On OAMHOST2, run the idmUpgrade.pl script to upgrade the binaries of Oracle Access Manager, by specifying binary for the argument -mode, and OAM for the argument -node.

    This step is required only if binaries are not shared between OAMHOST1 and OAMHOST2.

  7. On OIMHOST1, run the idmUpgrade.pl script to upgrade the binaries of Oracle Identity Manager, by specifying binary for the argument -mode, and OIM for the argument -node.

  8. On OIMHOST2, run the idmUpgrade.pl script to upgrade the binaries of Oracle Identity Manager, by specifying binary for the argument -mode, and OIM for the argument -node.

    This step is required only if binaries are not shared between OIMHOST1 and OIMHOST2.

  9. On WEBHOST1, run the idmUpgrade.pl script to upgrade the configuration of Oracle HTTP Server, by specifying config for the argument -mode, and WEBTIER for the argument -node.

  10. On WEBHOST2, run the idmUpgrade.pl script to upgrade the configuration of Oracle HTTP Server, by specifying config for the argument -mode, and WEBTIER for the argument -node.

  11. On LDAPHOST1, run the idmUpgrade.pl script to upgrade the configuration of Oracle Unified Directory, by specifying config for the argument -mode, and DIRECTORY for the argument -node.

  12. On LDAPHOST2, run the idmUpgrade.pl script to upgrade the configuration of Oracle Unified Directory, by specifying config for the argument -mode, and DIRECTORY for the argument -node.

  13. On OAMHOST1, run the idmUpgrade.pl script to upgrade the configuration of Oracle Access Manager, by specifying config for the argument -mode, and OAM for the argument -node.

  14. On OAMHOST2, run the idmUpgrade.pl script to upgrade the configuration of Oracle Access Manager, by specifying config for the argument -mode, and OAM for the argument -node.

  15. On OIMHOST1, run the idmUpgrade.pl script to upgrade the configuration of Oracle Identity Manager, by specifying config for the argument -mode, and OIM for the argument -node.

  16. On OIMHOST2, run the idmUpgrade.pl script to upgrade the configuration of Oracle Identity Manager, by specifying config for the argument -mode, and OIM for the argument -node.

For general syntax of the idmUpgrade.pl script and for information about running the script, see Section 6.10, "Upgrading Oracle Identity and Access Management Binaries and Configuration Using idmUpgrade.pl script".
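The ordering rule in this section (all binary passes first, the second host skipped where binaries are shared, then all configuration passes) can be generated and checked against a record of what was actually run. This is an added example, not part of the Oracle tooling; the shared-tier argument, the journal file format, and the function names are assumptions, and the idmUpgrade.pl command line itself is left to Section 6.10.

```shell
#!/bin/sh
# Added example: ordered run plan for Section 5.5.9 and a journal check.
# Hypothetical input: a space-separated list of -node values with shared binaries.
TIERS="WEB:WEBTIER LDAP:DIRECTORY OAM:OAM OIM:OIM"   # host prefix : -node value

# Print one "HOST MODE NODE" line per required idmUpgrade.pl run, in order.
upgrade_plan() (
  shared=" $1 "
  for mode in binary config; do
    for tier in $TIERS; do
      prefix=${tier%%:*}; node=${tier##*:}
      for n in 1 2; do
        # Shared binaries: the binary pass runs on one host only.
        if [ "$mode" = binary ] && [ "$n" = 2 ]; then
          case "$shared" in *" $node "*) continue ;; esac
        fi
        echo "${prefix}HOST$n $mode $node"
      done
    done
  done
)

# check_journal JOURNAL_FILE SHARED_NODES
# JOURNAL_FILE holds "HOST MODE NODE" lines in the order the runs were made.
# Prints the first deviation from the plan and returns 1, or prints "ok".
check_journal() (
  step=0
  {
    while IFS= read -r want <&3; do
      step=$((step + 1))
      IFS= read -r got <&4 || [ -n "$got" ] || got="(missing)"
      if [ "$want" != "$got" ]; then
        echo "step $step: expected '$want', journal has '$got'"
        exit 1
      fi
    done
    if IFS= read -r extra <&4; then
      echo "step $((step + 1)): unexpected extra run '$extra'"
      exit 1
    fi
  } 3<<EOF 4< "$1"
$(upgrade_plan "$2")
EOF
  echo ok
)

# Constructed case: OIM binaries shared between OIMHOST1 and OIMHOST2.
upgrade_plan "OIM"
```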

5.5.10 Performing Post-Validation Checks on all of the Hosts

After you upgrade binaries and configuration, you must perform post-validation checks on LDAPHOST1, LDAPHOST2, OAMHOST1, OAMHOST2, OIMHOST1, OIMHOST2, WEBHOST1, and WEBHOST2. To perform the post-validation checks, you must run the postValidate.pl script.

To perform the post-validation checks, do the following:

  • On LDAPHOST1, run the postValidate.pl script to perform post-validation checks for Oracle Unified Directory, by specifying DIRECTORY for the argument -node.

  • On LDAPHOST2, run the postValidate.pl script to perform post-validation checks for Oracle Unified Directory, by specifying DIRECTORY for the argument -node.

  • On OAMHOST1, run the postValidate.pl script to perform post-validation checks for Oracle Access Manager, by specifying OAM for the argument -node.

  • On OAMHOST2, run the postValidate.pl script to perform post-validation checks for Oracle Access Manager, by specifying OAM for the argument -node.

  • On OIMHOST1, run the postValidate.pl script to perform post-validation checks for Oracle Identity Manager, by specifying OIM for the argument -node.

  • On OIMHOST2, run the postValidate.pl script to perform post-validation checks for Oracle Identity Manager, by specifying OIM for the argument -node.

  • On WEBHOST1, run the postValidate.pl script to perform post-validation checks for Oracle HTTP Server, by specifying WEBTIER for the argument -node.

  • On WEBHOST2, run the postValidate.pl script to perform post-validation checks for Oracle HTTP Server, by specifying WEBTIER for the argument -node.

For general syntax of the postValidate.pl script and for information about running the script, see Section 6.11, "Performing Post-Validation Checks Using postValidate.pl Script".

5.5.11 Performing the Required Post-Upgrade Tasks

This section lists the post-upgrade tasks required for some of the features to work post-upgrade. Perform the post-upgrade tasks based on your requirement.

This section includes the following topics:

5.5.11.1 Upgrading Oracle Access Management Identity Federation and Oracle Access Management Security Token Service

Oracle Access Management Identity Federation and Oracle Access Management Security Token Service are the services provided by the Oracle Access Management suite. The automated upgrade utility does not handle the upgrade of Oracle Access Management Identity Federation and Oracle Access Management Security Token Service. Therefore, you must manually upgrade Oracle Access Management Identity Federation and Oracle Access Management Security Token Service to 11g Release 2 (11.1.2.3.0) on OAMHOST1 and OAMHOST2. For more information, see Section 6.14.1, "Upgrading Oracle Access Management Identity Federation and Oracle Access Management Security Token Service to 11.1.2.3.0".

5.5.11.2 Upgrading Server Keystore Certificate if you have Configured Oracle Adaptive Access Manager

If you have Oracle Adaptive Access Manager configured in your setup, you must upgrade the server keystore certificate by running the WLST command upgradeServerKeystoreCertificate() on OAMHOST1 and OAMHOST2. For more information, see Section 6.14.3, "Upgrading Server Keystore Certificates".

5.5.11.3 Configuring Reverse Proxy Settings

You must configure the reverse proxy settings post-upgrade, for Oracle HTTP Server to front end BI Publisher (BIP). This can be done by protecting the following URLs by adding the required parameters in the respective files located at WEB_ORACLE_INSTANCE/config/OHS/component_name/moduleconf/ on WEBHOST1 and WEBHOST2:

  • Add the required parameters in the oimadmin_vh.conf file for OIM to protect the URL /xmlpserver.

  • Add the required parameters in the idmadmin_vh.conf file for OAM to protect the URL /access.

For more information about configuring reverse proxy settings, see Section 6.14.2, "Configuring Reverse Proxy Settings to Front End Oracle Mobile Security Suite and BI Publisher".

5.5.11.4 Adding the JAVA System Property if you have Configured OAAM

If you have configured Oracle Adaptive Access Manager in OIM-OAM Integrated with Oracle Unified Directory (OUD) topology, you must add the JAVA system property -Djava.security.auth.login.config to the setDomainEnv.sh script located in the IAMAccessDomain. For more information, see Section 6.13.1, "Adding the Java System Property for Oracle Adaptive Access Manager".

5.5.12 Verifying the Upgrade

After you perform the post-validation checks, verify the upgraded environment by checking the log files on each of the nodes. Log files are created at the location you specified for LOG_DIR parameter in the upgrade.properties file.

5.6 Troubleshooting

For any issues that you may encounter during the upgrade process, refer to Section 6.14, "Troubleshooting" for workarounds.

For the list of known issues related to automated upgrade and their workarounds, see "Upgrade and Migration Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for Identity Management.