This chapter lists the tasks that are common to different upgrade scenarios.
Note:
You do not have to perform all the tasks described in this chapter. Refer to the Section 3.4, "Documentation Roadmap" for the upgrade roadmap.Note:
In this chapter,11.1.2.x.x refers to the versions 11g Release 2 (11.1.2.2.0), 11g Release 2 (11.1.2.1.0), and 11g Release 2 (11.1.2).
11.1.1.x.x refers to the versions 11g Release 1 (11.1.1.7.0) and 11g Release 1 (11.1.1.5.0).
This chapter includes the following topics:
This section contains the generic tasks common to some of the Oracle Identity and Access Management components upgrade. This section includes the following topics:
Verifying Certification, System Requirements, and Interoperability
Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)
The certification matrix and system requirements documents should be used in conjunction with each other to verify that your environment meets the necessary requirements for installation or upgrade.
Step 1 Verifying Your Environment Meets Certification Requirements
Make sure that you are installing your product on a supported hardware and software configuration. For more information, see the certification document for your release on the Oracle Fusion Middleware Supported System Configurations page.
Oracle has tested and verified the performance of your product on all certified systems and environments; whenever new certifications occur, they are added to the proper certification document right away. New certifications can occur at any time, and for this reason the certification documents are kept outside of the documentation libraries and are available on Oracle Technology Network.
Step 2 Using the System Requirements Document to Verify Certification
The Oracle Fusion Middleware System Requirements and Specifications document should be used to verify that the requirements of the certification are met. For example, if the certification document indicates that your product is certified for installation on 64-Bit Oracle Linux 5, this document should be used to verify that your Oracle Linux 5 system has met the required minimum specifications, like disk space, available memory, specific platform packages and patches, and other operating system-specific items. System requirements can be updated at any time, and for this reason the system requirement documents are kept outside of the documentation libraries and are available on Oracle Technology Network.
Step 3 Verifying Interoperability Among Multiple Products
The Oracle Fusion Middleware Interoperability and Compatibility Guide for Oracle Identity and Access Management document defines interoperability, defines compatibility, and describes how multiple Fusion Middleware products from the same release or mixed releases may be used with each other. You should read this document if you are planning to install multiple Fusion Middleware products on your system.
To back up the existing environment, you must stop all the servers, and back up the following:
MW_HOME directory, including the Oracle Home directories inside Middleware Home
Domain Home directory
Database schemas
For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.
To create 11.1.2.3.0 Database schemas, you must use Repository Creation Utility (RCU) 11.1.1.9.0. When you create new schemas, do not delete your existing schemas, and do not use the old schema name, as you will need the old schema credentials while exporting the Access Data.
To create the database schemas, perform the following tasks:
Download the Repository Creation Utility. For information about obtaining Repository Creation Utility, see "Obtaining RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Start the Repository Creation Utility from the location where you downloaded it. For information about starting Repository Creation Utility, see "Starting RCU" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Create the necessary schemas using Repository Creation Utility. For information about creating schemas, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
To upgrade the existing schemas to 11.1.2.3.0, you must use the Patch Set Assistant. To upgrade the database schemas, perform the following tasks:
Before running Patch Set Assistant, you should make sure that your database is running and that the schemas are supported for upgrade. To check this, run the following SQL command:
SELECT OWNER, VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY;
Table 24-1 lists the schemas and their versions supported for upgrade:
Table 24-1 Schemas and Their Versions Supported for Upgrade
| Schema Name | Schema Version(s) Supported for Upgrade |
|---|---|
|
Oracle Access Manager (OAM) |
11.1.1.3.0 11.1.2.1.0 11.1.2.2.0 |
|
Oracle Adaptive Access Manager (OAAM) |
11.1.1.3.0 11.1.2.0.0 |
|
Oracle Identity Manager (OIM) |
11.1.1.5.0 11.1.1.7.0 11.1.2.0.0 11.1.2.1.0 11.1.2.2.0 |
|
Oracle Privileged Account Manager (OPAM) |
11.1.2.0.0 11.1.2.1.0 |
|
Oracle Platform Security Services (OPSS) |
11.1.1.6.0 11.1.1.7.2 |
|
Oracle Audit Services (IAU) |
11.1.1.6.0 11.1.1.7.0 |
To start Patch Set Assistant, do the following:
Move from your present working directory to the <MW_HOME>/oracle_common/bin directory by running the following command on the command line:
cd <MW_HOME>/oracle_common/bin
Run the following command:
./psa
Move from your present working directory to the <MW_HOME>\oracle_common\bin directory by running the following command on the command line:
cd <MW_HOME>\oracle_common\bin
Execute the following command:
psa.bat
After starting the Patch Set Assistant Installer, follow the instructions on the screen to update your schemas.
Follow the instructions in Table 24-2 to update your schemas:
Table 24-2 Patch Set Assistant Screens
| Screen | Description |
|---|---|
|
Welcome |
This page introduces you to the Patch Set Assistant. |
|
Select Component |
Select the component you wish to upgrade. |
|
Prerequisite |
Verify that you have satisfied the database prerequisites. |
|
Schema |
Specify your database credentials to connect to your database, then select the schema you want to update. Note that this screen appears once for each schema that must be updated as a result of the component you selected on the Select Component screen. |
|
Examine |
This page displays the status of the Patch Set Assistant as it examines each component schema. Verify that your schemas have a "successful" indicator in the Status column. |
|
Upgrade Summary |
Verify that the schemas are the ones you want to upgrade. |
|
Upgrade Progress |
This screen shows the progress of the schema upgrade. |
|
Upgrade Success |
Once the upgrade is successful, you get this screen. |
You can verify the schema upgrade by checking out the log files. The Patch Set Assistant writes log files in the following locations:
On UNIX:
<MW_HOME>/oracle_common/upgrade/logs/psa/psatimestamp.log
On Windows:
<MW_HOME>\oracle_common\upgrade\logs\psa\psatimestamp.log
Some components create a second log file named psatimestamp.out in the same location.
The timestamp reflects the actual date and time when Patch Set Assistant was run.
If any failures occur when running Patch Set Assistant, you can use these log files to help diagnose and correct the problem. Do not delete them. You can alter the contents of the log files by specifying a different -logLevel from the command line.
Some of the operations performed by Patch Set Assistant may take longer to complete than others. If you want to see the progress of these long operations, you can see this information in the log file, or you can use the following query:
SELECT VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE OWNER='schema_name';
In the query results, the STATUS field is either UPGRADING or UPGRADED during the schema patching operation, and becomes VALID when the operation is completed.
To upgrade Oracle WebLogic Server to 11g Release 1 (10.3.6), complete the following steps:
Download the WebLogic 10.3.6 Upgrade Installer from Oracle Technology Network.
For more information, see "Downloading an Upgrade Installer From My Oracle Support" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.
Run the Upgrade Installer in graphical mode to upgrade your WebLogic Server.
For more information, see "Running the Upgrade Installer in Graphical Mode" in the Oracle Fusion Middleware Installation Guide for Oracle WebLogic Server.
Note:
After you upgrade Oracle WebLogic Server to 10.3.6, you must apply some mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6.To identify the required patches that you must apply for Oracle WebLogic Server, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.
The patches listed in the release notes are available from My Oracle Support. The patching instructions are mentioned in the README.txt file that is provided with each patch.
To update the existing Oracle Identity and Access Management binaries to 11.1.2.3.0, you must use the Oracle Identity and Access Management 11.1.2.3.0 installer. To do this, perform the following tasks:
Starting the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) Installer
Installing Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0)
For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
This topic explains how to start the Oracle Identity and Access Management Installer.
Notes:
If you are installing on an IBM AIX operating system, you must run the rootpre.sh script from the Disk1 directory before you start the Installer.
Starting the Installer as the root user is not supported.
Start the Installer by doing the following:
On UNIX:
Move from your present working directory to the directory where you extracted the contents of the Installer to.
Move to the following location:
cd Disk1
Run the following command:
./runInstaller -jreLoc <full path to the JRE directory>
For example:
./runInstaller -jreLoc <MW_HOME>/jdk160_29/jre
On Windows:
Move from your present working directory to the directory where you extracted the contents of the Installer to.
Move to the following location:
cd Disk1
Run the following command:
setup.exe -jreLoc <full path to the JRE directory>
For Example:
setup.exe -jreLoc <MW_HOME>\jdk160_29\jre
Note:
If you do not specify the-jreLoc option on the command line when using the Oracle JRockit JDK, the following warning message is displayed:
-XX:MaxPermSize=512m is not a valid VM option. Ignoring
This warning message does not affect the installation. You can continue with the installation.
On 64-bit platforms, when you install Oracle WebLogic Server using the generic jar file, the jrockit_1.6.0_29 directory is not created in your Middleware Home. You must enter the absolute path to the JRE folder from where your JDK is located.
Use the Oracle Identity and Access Management 11.1.2.3.0 Installer to upgrade existing Oracle Identity and Access Management binaries to 11.1.2.3.0:
After you start the Installer, the Welcome screen appears.
Click Next on the Welcome screen. The Install Software Updates screen appears. Select whether or not you want to search for updates. Click Next.The Prerequisite Checks screen appears. If all prerequisite checks pass inspection, click Next. The Specify Installation Location screen appears.
On the Specify Installation Location screen, point to the Middleware Home to your existing Middleware Home installed on your system.
In the Oracle Home Directory field, specify the path of the existing Oracle Identity and Access Management Home. This directory is also referred to as <IAM_HOME> in this book.
Click Next. The Installation Summary screen appears.
The Installation Summary screen displays a summary of the choices that you made. Review this summary and decide whether you want to proceed with the installation. If you want to modify any of the configuration settings at this stage, select a topic in the left navigation page and modify your choices. To continue installing Oracle Identity and Access Management, click Install. The Installation Progress screen appears.
Monitor the progress of your installation. The location of the installation log file is listed for reference. After the installation progress reaches 100%, click OK. If you encounter any issue, check the log file. For information about locating the log files, see "Locating Installation Log Files" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Note:
If you cancel or abort when the installation is in progress, you must manually delete the<IAM_HOME> directory before you can reinstall the Oracle Identity and Access Management software.
To invoke online help at any stage of the installation process, click Help on the installation wizard screens.
The Installation Complete screen appears. On the Installation Complete screen, click Finish.
This installation process copies the 11.1.2.3.0 Oracle Identity and Access Management software to your system.
For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2.3.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
This section describes how to upgrade Oracle Platform Security Services (OPSS).
Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores to 11.1.2.3.0. It upgrades the jps-config.xml file and policy stores.
To upgrade Oracle Platform Security Services for LDAP- or DB-based store, complete the following steps:
Run the following command from the location MW_HOME/oracle_common/common/bin to launch the WebLogic Scripting Tool (WLST):
On UNIX:
./wlst.sh
On Windows:
wlst.cmd
Run the following command to upgrade OPSS:
upgradeOpss(jpsConfig="<absolute_path_to_old_version_jps-config.xml_file>",
jaznData="<absolute_path_to_new_version_OOTB_JAZN_data_file>",
auditStore="<absolute_path_to_OOTB_audit-store.xml_file>",
jdbcDriver="<jdbc_driver>",
url="<jdbc_ldap_url>",
user="<jdbc_ldap_user>",
password="<jdbc_ldap_password>"],
upgradeJseStoreType="true/false"])
Table 24-3 describes the arguments of the upgradeOpss command:
Table 24-3 Arguments to be Specified While Running upgradeOpss command
| Argument | When to Use? | Mandatory/Optional | Description |
|---|---|---|---|
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 1 (11.1.1.x.x) or 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is mandatory for both DB-based and LDAP-based store. |
Specify the absolute path to the The The |
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 1 (11.1.1.x.x) or 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is mandatory for both DB-based and LDAP-based store. |
Specify the absolute path to the location of out-of-the-box The system-jazn-data.xml file is typically located in the directory |
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is optional for both DB-based and LDAP-based store. |
Specify the absolute path to the location of 11.1.2.x.x out-of-the-box If unspecified, it defaults to the file |
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is required only in case of DB-based store. |
Specify the JDBC driver to the store. For example:
|
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is mandatory for both DB-based and LDAP-based store. |
Specify the JDBC URL or the LDAP URL for this parameter. The following are the formats of the JDBC URL:
The following is the format of the LDAP URL:
The LDAP URL must be used only if LDAP-based Policy Store is configured in your environment. If this property is unspecified, the JDBC URL or LDAP URL is read from the configuration file. |
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is mandatory in case of DB-based store, whereas it is optional for LDAP-based store. |
Specify the name of the Oracle Platform Security Services (OPSS) schema. For example:
|
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is mandatory in case of DB-based store, whereas it is optional for LDAP-based store. |
Specify the password of the Oracle Platform Security Services (OPSS) schema. |
|
|
Use this argument if you are upgrading Oracle Identity and Access Management 11g Release 2 (11.1.2.x.x) to 11g Release 2 (11.1.2.3.0). |
This argument is optional for both LDAP-based and DB-based store. |
Specify The default value is |
For example:
On UNIX:
upgradeOpss(jpsConfig="/Oracle/Middleware/user_projects/domains/oes_domain/config/fmwconfig/jps-config.xml", jaznData="/oracle/middleware/oracle_common/modules/oracle.jps_11.1.1/domain_config/system-jazn-data.xml", jdbcDriver="oracle.jdbc.OracleDriver", url="jdbc:oracle:thin:@host:1234:db123", user="R2_OPSS", password="password123", upgradeJseStoreType="true")
On Windows:
upgradeOpss(jpsConfig="C:\\Oracle\\Middleware\\user_projects\\domains\\oes_domain\\config\\fmwconfig\\jps-config.xml", jaznData="C:\\oracle\\middleware\\oracle_common\\modules\\oracle.jps_11.1.1\\domain_config\\system-jazn-data.xml", jdbcDriver="oracle.jdbc.OracleDriver", url="jdbc:oracle:thin:@host:1234/db123", user="R2_OPSS", password="password123", upgradeJseStoreType="true")
To start the WebLogic Administration Server and the Managed Server(s), refer to the following sections:
Note:
You must start the Node Manager, the WebLogic Administration Server, and the Managed Servers with Java Secure Socket Extension (JSSE) enabled, if you have applied the following Oracle WebLogic Server patches to your Middleware home:13964737 (YVDZ)
14174803 (IMWL)
These patches are available from My Oracle Support.
For information on how to start the Node Manager with JSSE enabled, see the "Set the Node Manager Environment Variables" topic in the Oracle Fusion Middleware Administering the Node Manager for Oracle WebLogic Server.
After starting Node Manager with JSSE enabled, you must start the Administration Server and Managed Servers with JSSE enabled. For more information, see the "Using the JSSE-Enabled SSL Implementation" topic in Oracle Fusion Middleware Administering Security for Oracle WebLogic Server.
To start the Node Manager, you must run the command startNodeManager.sh (on UNIX) or startNodeManager.cmd (on Windows) from the location $WL_HOME/server/bin.
For more information, see "startNodeManager" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
To start the WebLogic Administration Server, do the following:
On UNIX:
Run the following commands:
cd MW_HOME/user_projects/domains/domain_name/bin
./startWebLogic.sh
On Windows:
Run the following commands:
cd MW_HOME\user_projects\domains\domain_name\bin
startWebLogic.cmd
To start the Managed Server(s), do the following:
On UNIX:
Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory by running the following command on the command line:
cd MW_HOME/user_projects/domains/domain_name/bin
Run the following command to start the Managed Servers:
./startManagedWebLogic.sh managed_server_name admin_url admin_username password
where
managed_server_name is the name of the Managed Server
admin_url is URL of the administration console. Specify it in the format http://host:port/console. Specify only if the WebLogic Administration Server is on a different computer.
admin_username is the username of the WebLogic Administration Server.
password is the password of the WebLogic Administration Server.
For example:
./startManagedWebLogic.sh oim_server1 http://host.example.com:7001/console weblogic password123
On Windows:
Move from your present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory by running the following command on the command line:
cd MW_HOME\user_projects\domains\domain_name\bin
Run the following command to start the Managed Servers:
startManagedWebLogic.cmd managed_server_name admin_url admin_username password
where
managed_server_name is the name of the Managed Server.
admin_url is URL of the administration console. Specify it in the format http://host:port/console. Specify only if the WebLogic Administration Server is on a different computer.
admin_username is the username of the WebLogic Administration Server.
password is the password of the WebLogic Administration Server.
For example:
startManagedWebLogic.cmd oim_server1 http://host.example.com:7001/console weblogic password123
For more information, see "Starting the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
To stop the WebLogic Administration Server and the Managed Server(s), refer to the following sections:
You must stop the Managed Server(s) first, and then the WebLogic Administration Server.
To stop the Managed Server(s), do the following:
On UNIX:
Move from your present working directory to the MW_HOME/user_projects/domains/domain_name/bin directory by running the following command on the command line:
cd MW_HOME/user_projects/domains/domain_name/bin
Run the following command to stop the servers:
./stopManagedWebLogic.sh managed_server_name admin_url admin_username password
where
managed_server_name is the name of the Managed Server.
admin_url is URL of the WebLogic administration console. Specify it in the format http://host:port/console. Specify only if the WebLogic Administration Server is on a different computer.
admin_username is the username of the WebLogic Administration Server.
password is the password of the WebLogic Administration Server.
For example:
./stopManagedWebLogic.sh oim_server1 http://host.example.com:7001/console weblogic password123
On Windows:
Move from your present working directory to the MW_HOME\user_projects\domains\domain_name\bin directory by running the following command on the command line:
cd MW_HOME\user_projects\domains\domain_name\bin
Run the following command to stop the Managed Servers:
stopManagedWebLogic.cmd managed_server_name admin_url admin_username password
where
managed_server_name is the name of the Managed Server.
admin_url is URL of the WebLogic administration console. Specify it in the format http://host:port/console. specify only if the WebLogic Administration Server is on a different computer.
admin_username is the username of the WebLogic Administration Server.
password is the password of the WebLogic Administration Server.
For example:
stopManagedWebLogic.cmd oim_server1 http://host.example.com:7001/console weblogic password123
For more information, see "Stopping the Stack" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
To stop the WebLogic Administration Server, do the following:
On UNIX:
Run the following commands:
cd MW_HOME/user_projects/domains/domain_name/bin
./stopWebLogic.sh
On Windows:
Run the following commands:
cd MW_HOME\user_projects\domains\domain_name\bin
stopWebLogic.cmd
To stop the Node Manager, close the command shell in which it is running.
Alternatively, after having set the attribute QuitEnabled to true (the default is false) in nodemanager.properties file, you can use WLST command to connect to the Node Manager and shut it down. For more information, see "stopNodeManager" in the Oracle Fusion Middleware WebLogic Scripting Tool Command Reference.
This section includes the topics common to various Oracle Identity Manager upgrade starting points. This section contains the following topics:
Protected Metadata Files for Which Customization will be Retained After Upgrade
Generating and Analyzing Pre-Upgrade Report for Oracle Identity Manager
Upgrading Other Oracle Identity Manager Installed Components
If you had done any customization to the unprotected metadata files pre-upgrade, the customization will be lost after you upgrade to Oracle Identity Manager 11.1.2.3.0.
Customization done to the following protected metadata files are retained after upgrade:
/file/User.xml
/db/identity/entity-definition/RoleUserMembership.xml
/db/identity/entity-definition/RoleCategory.xml
/db/identity/entity-definition/OIMRoleGrantRelationProvider.xml
/db/identity/entity-definition/Role.xml
/db/identity/entity-definition/OIMRoleDataProvider.xml
/db/identity/entity-definition/RoleRoleRelationship.xml
/db/identity/entity-definition/OIMRoleCategoryDataProvider.xml
/db/identity/entity-definition/OIMRoleRelationshipRelationProvider.xml
/db/identity/entity-definition/OIMOrgDataProvider.xml
/db/identity/entity-definition/UserDataProvider.xml
/db/identity/entity-definition/Organization.xml
/file/RECON_USER_OLDSTATE.xml
/db/task.xml
/metadata/iam-features-requestactions/model-data/SelfCreateUserDataset.xml
/metadata/iam-features-requestactions/model-data/CreateRoleDataSet.xml
/metadata/iam-features-requestactions/model-data/ModifyUserDataset.xml
/metadata/iam-features-requestactions/model-data/CreateUserDataSet.xml
/metadata/iam-features-requestactions/model-data/DisableUserDataset.xml
/metadata/iam-features-requestactions/model-data/ModifyRoleDataSet.xml
/metadata/iam-features-requestactions/model-data/DeleteUserDataset.xml
/metadata/iam-features-requestactions/model-data/AssignRolesDataset.xml
/metadata/iam-features-requestactions/model-data/RemoveRolesDataset.xml
/metadata/iam-features-requestactions/model-data/EnableUserDataset.xml
/metadata/iam-features-requestactions/model-data/DeleteRoleDataSet.xml
/metadata/iam-features-requestactions/model-data/ResourceCommonDataset.xml
/metadata/iam-features-sil/db/Registration.xml
/metadata/iam-features-sil/db/SILConfig.xml
/metadata/iam-features-callbacks/event_configuration/EventHandlers.xml
/metadata/iam-features-tasklist/EventHandlers.xml
/metadata/iam-features-transUI/EventHandlers.xml
/metadata/iam-features-reconciliation/event-definition/EventHandlers.xml
/metadata/iam-features-asyncwsclient/EventHandlers.xml
/metadata/iam-features-OIMMigration/EventHandlers.xml
/metadata/iam-features-accesspolicy/event-definition/EventHandlers.xml
/metadata/iam-features-request/event-definition/EventHandlers.xml
/metadata/iam-features-system-configuration/EventHandlers.xml
/metadata/iam-features-templatefeature/EventHandlers.xml
/metadata/iam-features-passwordmgmt/event-definition/EventHandlers.xml
/metadata/iam-features-sod/EventHandlers.xml
/metadata/iam-features-notification/EventHandlers.xml
/metadata/iam-features-Scheduler/EventHandlers.xml
/metadata/iam-features-autoroles/event-definition/EventHandlers.xml
/metadata/iam-features-identity/event-definition/EventHandlers.xml
/metadata/iam-features-selfservice/event-definition/EventHandlers.xml
/metadata/iam-features-selfservice/event-definition/EventHandlers.xml
/metadata/iam-features-requestactions/event-definition/EventHandlers.xml
/metadata/iam-features-configservice/event-definition/EventHandlers.xml
/db/GTC/ProviderDefinitions/IsValidDateValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsIntValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsShortValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsFloatValidatorProvider.xml
/db/GTC/ProviderDefinitions/OnetoOne.xml
/db/GTC/ProviderDefinitions/WSProvisioningTransport.xml
/db/GTC/ProviderDefinitions/CSVReconFormat.xml
/db/GTC/ProviderDefinitions/SharedDriveReconTransport.xml
/db/GTC/ProviderDefinitions/MaxLengthValidatorProvider.xml
/db/GTC/ProviderDefinitions/SPMLProvisioningFormat.xml
/db/GTC/ProviderDefinitions/IsLongValidatorProvider.xml
/db/GTC/ProviderDefinitions/Concatenation.xml
/db/GTC/ProviderDefinitions/IsDoubleValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsByteValidatorProvider.xml
/db/GTC/ProviderDefinitions/ValidateDateFormat.xml
/db/GTC/ProviderDefinitions/MatchRegexpValidatorProvider.xml
/db/GTC/ProviderDefinitions/MinLengthValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsInRangeValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsBlankOrNullValidatorProvider.xml
/db/GTC/ProviderDefinitions/Translation.xml
/metadata/iam-features-ldap-sync/LDAPRoleMembership.xml
/metadata/iam-features-ldap-sync/LDAPUserMembership.xml
/metadata/iam-features-ldap-sync/LDAPUser.xml
/metadata/iam-features-ldap-sync/LDAPRole.xml
/metadata/iam-features-ldap-sync/LDAPDataProvider.xml
/metadata/iam-features-ldap-sync/LDAPRelationshipProvider.xml
/metadata/iam-features-oimupgrade/UpgradeVersionInfo.xml
/metadata/iam-features-notification/NotificationProviders.xmltion/EventHandlers.xml
/metadata/iam-features-identity/event-definition/EventHandlers.xml
/metadata/iam-features-selfservice/event-definition/EventHandlers.xml
/metadata/iam-features-requestactions/event-definition/EventHandlers.xml
/metadata/iam-features-configservice/event-definition/EventHandlers.xml
/db/GTC/ProviderDefinitions/IsValidDateValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsIntValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsShortValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsFloatValidatorProvider.xml
/db/GTC/ProviderDefinitions/OnetoOne.xml
/db/GTC/ProviderDefinitions/WSProvisioningTransport.xml
/db/GTC/ProviderDefinitions/CSVReconFormat.xml
/db/GTC/ProviderDefinitions/SharedDriveReconTransport.xml
/db/GTC/ProviderDefinitions/MaxLengthValidatorProvider.xml
/db/GTC/ProviderDefinitions/SPMLProvisioningFormat.xml
/db/GTC/ProviderDefinitions/IsLongValidatorProvider.xml
/db/GTC/ProviderDefinitions/Concatenation.xml
/db/GTC/ProviderDefinitions/IsDoubleValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsByteValidatorProvider.xml
/db/GTC/ProviderDefinitions/ValidateDateFormat.xml
/db/GTC/ProviderDefinitions/MatchRegexpValidatorProvider.xml
/db/GTC/ProviderDefinitions/MinLengthValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsInRangeValidatorProvider.xml
/db/GTC/ProviderDefinitions/IsBlankOrNullValidatorProvider.xml
/db/GTC/ProviderDefinitions/Translation.xml
/metadata/iam-features-ldap-sync/LDAPRoleMembership.xml
/metadata/iam-features-ldap-sync/LDAPUserMembership.xml
/metadata/iam-features-ldap-sync/LDAPUser.xml
/metadata/iam-features-ldap-sync/LDAPRole.xml
/metadata/iam-features-ldap-sync/LDAPDataProvider.xml
/metadata/iam-features-ldap-sync/LDAPRelationshipProvider.xml
/metadata/iam-features-oimupgrade/UpgradeVersionInfo.xml
/metadata/iam-features-notification/NotificationProviders.xml
To generate and analyze the pre-upgrade report for Oracle Identity Manager, complete the tasks described in the following sections:
You must download the pre-upgrade utility from Oracle Technology Network (OTN). The utility is available in two zip files named PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, along with ReadMe.doc at the following location on My Oracle Support:
My Oracle Support document ID 1599043.1
The ReadMe.doc contains information about how to generate and analyze the pre-upgrade reports.
To generate the pre-upgrade report for Oracle Identity Manager 11.1.2.x.x upgrade, do the following:
Create a directory at any location and extract the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002 in the newly created directory.
Create a directory where pre-upgrade reports need to be generated. For example, name the directory OIM_preupgrade_reports.
Go to the directory where you extracted PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002, and open the preupgrade_report_input.properties file in a text editor. Update the properties file by specifying the appropriate values for the parameters listed in Table 24-4:
Table 24-4 Parameters to be Specified in the preupgrade_report_input.properties File
| Parameter | Description |
|---|---|
|
|
Specify |
|
|
Specify the JDBC URL for Oracle Identity Manager in the following format:
|
|
|
Specify the name of the OIM schema owner. |
|
|
Specify the MDS JDBC URL in the following format:
|
|
|
Specify the name of the MDS schema owner. |
|
|
Specify the user with DBA privilege. For example, |
|
|
Specify the absolute path to the directory that you created in step-2 (directory with name Make sure that the output report folder has read and write permissions. |
|
|
Specify the absolute path to the OIM home. |
|
|
Specify the absolute path to the Oracle Identity Manager domain home. For example:
|
|
|
Specify the absolute path to the WebLogic Server home. For example:
|
|
|
Specify the absolute path to the Middleware home. For example:
This property is not required if you are upgrading Oracle Identity Manager 9.1.x.x environments. |
|
|
Specify the absolute path to the Java home. |
Run the following command from the location where you extracted the contents of PreUpgradeReport.zip.001 and PreUpgradeReport.zip.002.
On UNIX:
sh generatePreUpgradeReport.sh
On Windows:
generatePreUpgradeReport.bat
Provide the details when the following is prompted:
OIM Schema Password
Enter the password of the Oracle Identity Manager (OIM) schema.
MDS Schema Password
Enter the password of the Metadata Services (MDS) schema.
DBA Password
Enter the password of the Database Administrator.
The reports are generated as HTML pages at the location you specified for the parameter oim.outputreportfolder in the preupgrade_report_input.properties file. The logs are stored in the log file preUpgradeReport<time>.log in the folder logs at the same location.
For the list of pre-upgrade reports generated for various starting points, and for information about analyzing the pre-upgrade reports, see Section 24.2.2.3, "Analyzing the Pre-Upgrade Report".
After you generate the pre-upgrade report, you must review each of the reports, and perform all the tasks described in them. If you do not perform the mandatory tasks described in the report before you upgrade, the upgrade might fail.
Table 24-5 provides the description for all of the pre-upgrade reports generated for Oracle Identity Manager. The column Generated for the Starting Points in Table 24-5 specifies the starting point(s) for which the pre-upgrade report is generated.
Table 24-5 Pre-Upgrade Reports Generated for Oracle Identity Manager
| Sl No | HTML Report Name | Generated for the Starting Points | Description | For Detailed Description |
|---|---|---|---|---|
|
1 |
|
|
This report provides links to all the other reports generated by the pre-upgrade report utility. It also states that you must run the pre-upgrade report utility till no pending issues are listed in this report. |
|
|
2 |
|
|
This report lists the request approval policies that has a rule defined on the non existing template. |
See, Description of APPROVALPOLICYPreUpgradeReport.html Report |
|
3 |
|
|
This report provides a list of the home-org policies, self-service policies, and the rule condition for OrclOIMUserManagementChainApprovalPolicy that will be replaced with the out-of-the-box secure rule. |
See, Description of AUTHORIZATION_R2PS3PreUpgradeReport.html Report |
|
3 |
|
|
This report lists the certification records processed during the upgrade of snapshot data. You must review the information provided in this report. |
|
|
4 |
|
|
This report provides information about upgrading localized challenge questions data. This report is generated for Oracle Identity Manager upgrade on WebLogic Server only. When you upgrade Oracle Identity Manager 11.1.2.x.x to 11.1.2.3.0, the existing localization data for challenge questions is lost. Therefore, before proceeding with the upgrade process, you must backup the existing localized challenge questions data. After you upgrade to Oracle Identity Manager 11.1.2.3.0, you must perform the tasks described in this report. If you have already migrated the localized challenge questions data per new localization model provided in Oracle Identity Manager 11g Release 2 (11.1.2.0.11) or (11.1.2.1.3), then skip the tasks described in this report. |
See, Description of ChallengeQuesPreUpgradeReport.html Report |
|
5 |
|
|
This report detects and displays the list of cyclic groups in LDAP. Cyclic groups in LDAP directory are not supported in 11.1.2.2.0. Therefore, you must remove the cyclic dependency from existing Oracle Identity Manager setup and reconcile data from LDAP to Oracle Identity Manager Database. The procedure for doing this is described in the report. |
See, Description of CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html Report |
|
6 |
|
|
This report lists the applications in Stage mode. This is only applicable for Out of the Box applications; not for the custom applications. |
See, Description of DOMAIN_CONFIG_CHECKPreUpgradeReport.html Report |
|
7 |
|
|
This report lists the checks executed for authorization feature data upgrade. It checks if the Oracle Identity Manager is reassociated with the DB-based policy store. Review the table that lists the checks executed and the status of the checks. |
|
|
8 |
|
|
This report lists the event handlers that are affected by the upgrade. Review the details in the report, and perform any necessary resolution tasks specified in the report. |
See, Description of EVENT_HANDLERPreUpgradeReport.html Report |
|
9 |
|
|
This report lists the Database privileges that should be given to the schema owner before you perform schema upgrade. |
See, Description of MANDATORY_DATABASE_PRIVILEGE_CHECKPreUpgradeReport.html Report |
|
10 |
|
|
This report provides the status of the mandatory database components or settings for Oracle Identity Manager upgrade. Verify the installation or setup status for each of the mandatory component or setting. If any of the component or setting is not setup correctly, follow the recommendations provided in the report to fix them. |
See, Description of ORACLE_MANDATORY_COMPONENT_CHKPreUpgradeReport.html Report |
|
11 |
|
|
This report lists the pre-requisites for Online Purge that needs to be addressed before you proceed with the upgrade. This report will not be generated if there is no action item related to purge. |
See, Description of ORACLE_ONLINE_PURGEPreUpgradeReport.html Report |
|
12 |
|
|
This report lists the potential upgrade issues for password policies. If you are relying on 9.1.x.x password policy model, you must update to new password policies, as 9.1.x.x password policy model is not supported in 11.1.2.3.0. Review the report and assign the password policies listed in the report to appropriate organization(s). |
See, Description of PasswordPolicyPreUpgradeReport.html Report |
|
13 |
|
|
This report lists the requests that are not viewable in Track Requests page. |
See, Description of PROVISIONINGBYREQUESTPreUpgradeReport.html Report |
|
14 |
|
|
This report lists the potential application instance creation issues. It provides information about the following:
Review all the sections in the report and perform necessary tasks. |
See, Description of PROVISIONINGPreUpgradeReport.html Report |
|
15 |
|
|
This report lists any invalid requests and the actions to be taken. |
|
|
16 |
|
|
This report lists the tasks that you must perform prior to upgrade to ensure that the User Defined Fields (UDFs) are upgraded seamlessly. Perform all the necessary tasks described in this report. |
|
|
17 |
|
|
This report lists the customizations that are impacted by the upgrade. It also provides the workaround for the known issues related to customizations. |
See, Description of UISimplificationUpgradeImpactReport.html Report |
|
18 |
|
|
This report lists the |
The index.html report is an index page that contains the names of pre-upgrade reports generated for your starting point, and provides links to their corresponding HTML report. You can navigate to various reports from the index page.
The report APPROVALPOLICYPreUpgradeReport.html lists the invalid approval policies. This report contains the following sections:
This report also contains an additional note on approval policy based on deprecated request type. You must review the report completely, before you start upgrading the Oracle Identity Manager 11.1.1.x.x environment.
Approval Policy rule defined on template
This section lists the Oracle Identity Manager approval policies whose rules are defined based on the request template.The Request templates feature is not supported in Oracle Identity Manager 11.1.2.3.0. Therefore, if your existing Oracle Identity Manager contains approval policies having rules based on request template, you must reconfigure the request approval policies by following the steps described in the report.
List of Approval Polices which needs to be updated with custom approval process
This section lists the existing approval policies that need to be associated with different approval process before you start the upgrade process.
The approval process default/ResourceAdministratorApproval, default/ResourceAuthorizerApproval are not supported in 11.1.2.3.0. Therefore, if your existing Oracle Identity Manager contains approval policies having these approval process, you must associate them with different approval process.
Approval policy based on unsupported request type
This section provides information about the request types that are not supported in 11.1.2.3.0.
The following request types are not supported in 11.1.2.3.0, and they are changed to non-self request type in 11.1.2.3.0:
Self Assign Roles
Modify Self Profile
Self Remove Roles
Self De-Provision Resource
Self Modify Provisioned Resource
Self-Request Resource
Self-request type mapping to Non-Self request type is shown Table 24-6.
Table 24-6 Mapping of Self request type to Non-Self request type
| Self Request Type | Non-Self Request Type |
|---|---|
|
Self-Request Resource |
Provision Resource |
|
Self Modify Provisioned Resource |
Modify Provisioned Resource |
|
Self Remove Roles |
Remove from Roles |
|
Modify Self Profile |
Modify User Profile |
|
Self De-Provision Resource |
De-Provision Resource |
|
Self Assign Roles |
Assign Roles |
Approval policy based on deprecated request type
This section provides information about deprecated request types in 11.1.2.3.0.
The following request types are deprecated in 11.1.2.3.0:
Provision Resource
De-Provision Resource
Disable Provisioned Resource
Enable Provisioned Resource
Modify Provisioned Resource
Approval policies based on these deprecated request types will continue to work for any pending requests based on these request types even after upgrade. But, these policies will not work for requests created for Application Instance based request types such as - Provision ApplicationInstance, Revoke Account, Disable Account, Enable Account, and Modify Account.
In addition, approval policies for Application Instance based request types need to be explicitly created for the request based on Application Instance.
The AUTHORIZATION_R2PS3PreUpgradeReport.html report provides a list of the home-org policies, self-service policies, and the rule condition for OrclOIMUserManagementChainApprovalPolicy that will be replaced with the out-of-the-box secure rule. Review the information provided in the report.
The report CertificationUpgradeReport.html lists the certification records processed during the upgrade of snapshot data. This report displays a table that contains the certification record ID, column name, current value, and the new value. Review the information provided in the table.
The report ChallengeQuesPreUpgradeReport.html is generated for both 11.1.2 and 11.1.2.1.0 starting points.
When you upgrade Oracle Identity Manager 11.1.2.x.x to 11.1.2.3.0, the existing localization data for challenge questions is lost as it is not upgrade-safe. Therefore, before you upgrade to Oracle Identity Manager 11.1.2.3.0, you must backup the existing localized challenge questions data.
After you upgrade to 11.1.2.3.0, perform the tasks described in this report to localize challenge questions. Follow the instructions in the section applicable for your starting point.
Note:
If you have already migrated the localized challenge questions data per localization model provided in Oracle Identity Manager 11g Release 2 (11.1.2.0.11) or (11.1.2.1.3), ignore the tasks described in this report.The report CYCLIC_GROUP_MEMBERSHIP_CHKPreUpgradeReport.html provides information about the Cyclic groups in LDAP directory.
Oracle Identity Manager 11.1.2.3.0 does not support cyclic groups in the LDAP directory. Therefore, you must remove any cyclic dependency from your existing setup and reconcile data from LDAP to Oracle Identity Manager Database, before you proceed with the upgrade.
For more information about removing the cyclic groups dependent on LDAP, see Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database. The procedure for removing cyclic groups is also described in this report.
Removing Cyclical Groups Dependent on LDAP and Reconciling Data From LDAP to OIM Database
If the LDAP in your existing Oracle Identity Manager environment has cyclic groups loaded, you must remove the cyclic groups by doing the following:.
Use JEXplorer or Softerra LDAP Administrator and navigate to the cyclic groups.
Look for uniquemember attribute.
Remove all values from the attribute.
Save the group.
Reconcile the data from LDAP to Oracle Identity Manager Database by running the following command:
On UNIX: LDAPConfigPostSetup.sh
On Windows: LDAPConfigPostSetup.bat
If you have cyclic group dependency between two groups: Group1 and Group2, do the following to remove cyclic dependency:
Connect to LDAP using JEXplorer or Softerra LDAP.
Go to the group container of Group1.
Go to the uniquemember attribute under Group1.
Remove the value of Group2, from unique members, and save the change made.
Run LDAPConfigPostSetup.sh (on UNIX) or LDAPConfigPostSetup.bat (on Windows) to reconcile data from LDAP to Oracle Identity Manager database.
This report lists the applications in Stage mode.
This is only applicable for Out of the Box applications; not for the custom applications.
The pre-upgrade report utility checks if the Oracle Identity Manager domain is reassociated to Database based policy store and generates the DomainReassocAuthorization.html report. The result of this check is displayed in the Result column of this report. Review the checks executed and the result of the checks.
This report lists all the event handlers that are affected during upgrade. It displays a table with information related to the event handler XML, event handler name, entity type, operation, and stage. The table also contains a Resolution/Information column which provides any resolution tasks that need to be completed. Review the information in the table.
This report lists the Database privileges that should be given to the schema owner before you perform schema upgrade.
This report lists all the mandatory database components or settings for Oracle Identity Manager upgrade. This report contains a table which lists the component or setting, it's installation or setup status, and recommendations if any. You must review the installation or setup status for each of the mandatory component or setting listed in the table. If the component or setting is not setup correctly, follow the recommendations specified in the Note column of the table in the report to fix them.
Before you upgrade Oracle Identity Manager to 11.1.2.3.0, you must complete the pre-requisites for online purge.
The table in this report lists the database tables on which the mentioned pre-upgrade steps need to be performed before you upgrade. The table also shows the status of the database tables in OIM schema and Note section. Review the table, and perform the actions required.
The report PasswordPolicyPreUpgradeReport.html lists the potential upgrade issues for password policies. If you are using 9.1.x.x password policy model, you must update them to new password policies. The 9.1.x.x password policy model is no longer supported for Users, and any such customizations done are not migrated to the new password policy model. A default password policy is seeded at TOP organization that needs to be revisited.
This report contains a table that lists the password policies that are attached to the Xellerate User resource object according to the 9.1.x.x password policy model. You must assign those password policies to appropriate organization(s).
The following table provides information about the requests that are not viewable in Track Requests page:
| Request Key | Beneficiary Key | Entity Type | Entity Name | Entity Key | Request Model Name | Issue |
|---|---|---|---|---|---|---|
|
81 |
83 |
Resource |
AD User |
7 |
Access Policy Based Provisioning |
No process form entry found for process instance. Cannot update |
|
82 |
85 |
Resource |
AD User |
7 |
Access Policy Based Provisioning |
No process form entry found for process instance. Cannot update |
|
86 |
99 |
Resource |
AD User |
7 |
Provision Resource |
No process form entry found for process instance. Cannot update |
This report lists the potential application instances creation issues. The report contains the following sections:
Provisioning, Entitlement, and Access Policy Configuration Details
List of Resource Objects without ITResource field Type in Process Form
List of Resource Objects with multiple ITResource Lookup fields in Process Form
List of Access Policies without ITResource value set in default policy data
List of Access Policies with Revoke If No Longer Applies flag unchecked
Provisioning, Entitlement, and Access Policy Configuration Details
This section describes the steps you must complete before you upgrade Oracle Identity Manager 11.1.2.3.0. These steps are related to provisioning, entitlement, and access policy configuration. Complete all the steps described in this section of the report.
List of Resource Objects without Process Form
This section provides information about the resource objects in your existing Oracle Identity Manager that do not have process form. Each resource object must have a process form associated with it. Therefore, if a resource object is not associated with a process form, you must associate the resource object with a process form before you start the upgrade process. Review the table in this section of the report, that lists the details of the resource objects without process form.
List of Resource Objects without ITResource field Type in Process Form
This section provides information about the resource objects without ITResource field type in their respective process forms. Review the table in this section of the report, which contains more details. If your existing Oracle Identity Manager has resource objects without ITResource field in their process forms, do the following:
Create appropriate IT resource definition.
Create IT resource instance for the same corresponding to the target that is being provisioned.
Edit the process form and add a field of type "ITResource" to the process form. Set the following properties:
Type=IT Resource definition created in step-1
ITResource=true
Activate the form.
Update the IT resource field on existing provisioned accounts using FVC Utility.
Once the above steps are completed, you can create application instances corresponding to the Resource Object+ITResource combination.
List of Resource Objects with multiple ITResource Lookup fields in Process Form
This section provides information about the resource objects that have multiple lookup fields in their process form. In your existing Oracle Identity Manager environment, if you have resource objects with multiple ITResource set in the process form, you must set the value of the property ITResource Type to true for at least one of the attributes.
List of Access Policies without ITResource value set in default policy data
This section lists the access policies for which the ITResource values of the resource objects should be set in the default policy data. The table in this section lists the access policies in your existing Oracle Identity Manager for which ITResource field is missing. You must set the values of ITResurce field for each of the access policy listed in the table.
List of Access Policies with Revoke If No Longer Applies flag unchecked
This section lists the access policies that have Revoke If No Longer Applies flag unchecked. The table in this section contains the list of access policies that will be updated to Disable If No Longer Applies, during upgrade. The table also indicates if tasks for enable, disable, revoke actions are not defined for these policies. You must add the missing tasks before you proceed with the upgrade. Also, if you want the behavior of the policy to change to RNLA checked, you must check the RNLA flag for the respective policy.
List of Entitlements stored in Lookup definitions that do not have IT Resource Key in the lookup encode value
This section lists entitlements stored in lookup definitions that do not have IT Resource Key pretended to their encoding values using "~". Entitlements stored in lookup definitions need IT Resource Key prepended to the encoded values using "~". Review the table in this section of the pre-upgrade report, which contains more details.
The report REQUESTPreUpgradeReport.html lists requests that are affected because of the upgrade. This report contains the following sections:
Requests with unsupported request stages
This section lists the requests that are in one of the following unsupported request stages:
Obtaining Template Approval
Template Approval Approved
Template Approval Rejected
Template Approval Auto Approved
Manual intervention is required to move these requests to the next stage by approving, withdrawing, or closing such requests. Otherwise, requests are moved to request closed stage as part of the upgrade.
Review the list of requests that are in the unsupported request stage.
Requests which will be automatically changed to corresponding non-self request type
This section lists the requests that are based on one of the following request types will be changed to the corresponding non-self request type after the upgrade:
Self Assign Roles
Modify Self Profile
Self Remove Roles
Self De-Provision Resource
Self Modify Provisioned Resource
Self-Request Resource
Request types for these requests are automatically changed to the corresponding non-self request type as part of the upgrade.
Self-request type mapping to non-self request type is shown in Table 24-8:
Table 24-8 Mapping of Self-Request Type to Non-Self Request Type
| Self request type | Non-Self request type |
|---|---|
|
Self-Request Resource |
Provision Resource |
|
Self Modify Provisioned Resource |
Modify Provisioned Resource |
|
Self Remove Roles |
Remove from Roles |
|
Modify Self Profile |
Modify User Profile |
|
Self De-Provision Resource |
De-Provision Resource |
|
Self Assign Roles |
Assign Roles |
The report UDFPreUpgradeReport.html lists the steps that you must complete before you proceed with the upgrade process, to ensure that the User Defined Fields/Attributes (UDFs) are upgraded seamlessly.
Note that you may have to edit the entity xml file manually. To edit a file in MetaData Services (MDS), you must export the file from MDS repository. After making the required changes, you must import the file back to MDS.
This report contains the following tables:
Table that lists the path to the entity XML file in MDS corresponding to a particular entity type
Table that lists the UDFs with inconsistent max-size. You must edit the entity xml file per the list provided in the table, to change the max-size of the attributes to expected values, and re-import the file back into MDS.
Table that lists the UDFs with inconsistent default values. You must edit the corresponding entity xml file manually to change the default value to one of the allowed values.
Oracle Identity Manager 11.1.2.3.0 comes with improved and simplified Self-Service UI. Some of the changes include simplified workspace based navigation model, new OIM-alta skin enforcing uniform look and feel across the UI, flow based UI rendering, usage of pagination instead of scroll bars, and improved search pattern on Self-Service search pages. Therfore some of the UI customizations must be reimplemented post upgrade. Review the information provided in this report, and redo the UI customizations as required after upgrade.
The report WLSMBEANPreUpgradeReport.html lists the .jar files in WebLogic mbeans path that need to be deleted prior to middle tier upgrade. The report contains a table that lists the .jar files, their status whether they are present in the WebLogic mbean path, and the action required. Review the information provided in the table, and perform necessary action.
Oracle Identity Manager 11.1.2.3.0 is certified with Oracle SOA Suite 11g Release 1 (11.1.1.9.0). If you are not using Oracle SOA Suite 11.1.1.9.0, you must upgrade your existing Oracle SOA Suite to 11.1.1.9.0 by completing the following steps:
Review the Oracle Fusion Middleware System Requirements and Specifications for 11g Release 1 (11.1.1) at the following link:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-requirements-100147.html
Complete the steps described in the section "Special Instructions for Patching Oracle SOA Suite" in the Oracle Fusion Middleware Patching Guide for 11g Release 1 (11.1.1.9.0), before you upgrade Oracle SOA Suite to 11.1.1.9.0.
Download the Oracle SOA Suite 11.1.1.9.0 installer. This installer can also function as upgrade installers. For more information about downloading Oracle SOA Suite 11.1.1.9.0 installer, see "Downloading Oracle Fusion Middleware Patches for an Existing 11g Release 1 Installation" in the Oracle Fusion Middleware Download, Installation, and Configuration Readme for 11g Release 1 (11.1.1.9.0).
Start the installer and apply the patch. For more information, see "Patching Oracle Fusion Middleware" in the Oracle Fusion Middleware Patching Guide for 11g Release 1 (11.1.1.9.0).
Upgrade the SOAINFRA schema by running the Patch Set Assistant (PSA). For more information, see "Upgrading Your Schemas with Patch Set Assistant" in the Oracle Fusion Middleware Patching Guide for 11g Release 1 (11.1.1.9.0).
After you upgrade Oracle SOA Suite to 11.1.1.9.0, you must perform the necessary post-patching tasks depending on your SOA starting point.
Table 24-9 lists the post-patching tasks for Oracle SOA Suite, and the SOA starting point they are applicable for.
Table 24-9 Post-Patching Tasks for Oracle SOA Suite
| Sl No | Post-Patching Task | Perform if Your SOA Starting Point is |
|---|---|---|
|
1 |
Removing the tmp Folder for SOA Composer, BPM Workspace and B2B |
|
|
2 |
Upgrading the "BPEL Message Recovery Required" Warning Message Duration |
|
|
3 |
|
|
|
4 |
|
|
|
5 |
Extending the SOA Domain with Business Process Management Features |
|
|
6 |
Upgrading the Oracle Data Integrator Clients if BAM-ODI Integration is Enabled |
|
|
7 |
|
Start the WebLogic Administration Server and the SOA Managed Server(s). For information about starting the servers, Section 24.1.8, "Starting the Servers".
Verify the Patch Set installation by following the instructions described in the section "Verifying Your Patch Set Installation" in the Oracle Fusion Middleware Patching Guide for 11g Release 1 (11.1.1.9.0).
Middle tier upgrade is performed using the OIMUpgrade.sh utility. Oracle Identity Manager middle tier upgrade is carried out in two stages:
Middle tier upgrade offline
This is the first stage where OIMUpgrade.sh is run in offline mode, that is, with the Administration Server and the Managed Server(s) in shutdown state.
Middle tier upgrade online
This is the second stage where OIMUpgrade.sh is run in online mode, that is with the Administration Server and the SOA Managed Server(s) in running state.
To upgrade the Oracle Identity Manager middle tier, complete the following tasks:
Additional Task for Windows 64-Bit Users Before Upgrading Middle Tier
Performing Oracle Identity Manager Middle Tier Upgrade Offline
Performing Oracle Identity Manager Middle Tier Upgrade Online
Starting the Oracle Identity Manager Managed Server(s) and the BIP Server
Changing the Deployment Order of Oracle Identity Manager EAR
If you are upgrading Oracle Identity Manager on a 64-bit Windows platform and if you have installed JAVA in a directory where there is a space in the installed classpath (for example, C:\Program File\Java), then you must complete the following steps:
Add a JAVA_HOME entry to the environment variable pointing to a JDK installation, not to a JRE installation.
Note:
This path should be without spaces or likeC:\Progra~1\Java\jdk1.6.0_29.Hard code the value of JAVA_HOME in <WL_HOME>\server\bin\setWLSEnv.cmd file to avoid any Middle Tier upgrade failures.
If you are upgrading an SSL enabled middleware, that is, if you would be specifying SSL ports for WebLogic Administration Server and SOA Managed Servers during middle tier upgrade, you must create a truststore that contains the public certificates for all SSL enabled servers (which can be WebLogic Administration Server, SOA Managed Servers, OIM Managed Servers) irrespective of the node on which the server is running. This truststore will be used a client side store by the upgrade script to communicate with various servers during upgrade.
To create a truststore, complete the following steps:
Export the public certificate from the identity store for each server, and place all of them in a single directory.
Import all of the public certificates to a single truststore.
Copy the truststore to a location accessible by upgrade script.
Specify the truststore location and type for the properties wls.trustStore.loc and wls.trustStore.type respectively, when updating the properties file as described in Section 24.2.4.3, "Updating the Properties File".
You must update the oim_upgrade_input.properties file with the values for the properties required for middle tier upgrade. To do this, complete the following steps:
Open the oim_upgrade_input.properties file located at ORACLE_OIM_HOME/server/bin/ in a text editor.
Specify the values for all of the properties required for the middle tier upgrade.
Table 24-10 lists the properties and their descriptions:
Table 24-10 Parameters to be specified in the Properties File
| Parameter | Used for SSL or Non-SSL Environment? | Description |
|---|---|---|
|
|
Both SSL and Non-SSL |
Specify the JAVA HOME location. |
|
|
Both SSL and Non-SSL |
Specify the Application Server that you are using. For example, if you are using Oracle WebLogic Server, specify As this document describes the procedure to upgrade Oracle Identity Manager on WebLogic, you must specify |
|
|
Both SSL and Non-SSL |
Specify the Oracle Identity Manager JDBC URL in the format:
|
|
|
Both SSL and Non-SSL |
Specify the Oracle Identity Manager schema owner. |
|
|
Both SSL and Non-SSL |
Specify the MDS JDBC URL. |
|
|
Both SSL and Non-SSL |
Specify the Oracle Platform Security Services (OPSS) schema owner. This property is required only if you are upgrading Oracle Identity Manager 11.1.1.x.x environments. |
|
|
Both SSL and Non-SSL |
Specify the JDBC URL of the Oracle Platform Security Services. This property is required only if you are upgrading Oracle Identity Manager 11.1.1.x.x environments. |
|
|
Both SSL and Non-SSL |
Specify the MDS schema owner name. |
|
|
Both SSL and Non-SSL |
Specify the Oracle WebLogic Server Administration host name. |
|
|
Both SSL and Non-SSL |
Specify the Oracle WebLogic Server Administration port. |
|
|
Both SSL and Non-SSL |
Specify the username that is used to log in to the Oracle WebLogic Server Administration Console. |
|
|
Both SSL and Non-SSL |
Specify the SOA host name where SOA Server is running. |
|
|
Both SSL and Non-SSL |
Specify the SOA Server port. |
|
|
Both SSL and Non-SSL |
Specify the SOA Managed Server username. |
|
|
Both SSL and Non-SSL |
Specify the Oracle Identity Manager domain location. |
|
|
Both SSL and Non-SSL |
Specify the Oracle OIM Home location. |
|
|
Both SSL and Non-SSL |
Specify the Oracle Middleware Home location. |
|
|
Both SSL and Non-SSL |
Specify the Oracle SOA Home location. |
|
|
Both SSL and Non-SSL |
Specify the WebLogic Home location. |
|
|
SSL only |
Specify the client-side trust store location which contains the public certificate of the WebLogic Administration Server, SOA Managed Server(s), and the OIM Managed server(s). For example:
In case of SSL enabled environment with DEMO keystore, specify For example:
This property is required only in case of SSL enabled environment with custom keystore. In case of non-SSL environment, do not specify any value for this property. |
|
|
SSL only |
Specify the type of the truststore, that you specified for the property For example:
|
|
|
Both SSL and Non-SSL |
The value for this property will be existing already. Verify if the BIP server name is correct. Modify the value if required. |
|
|
Both SSL and Non-SSL |
Specify the name of the BIP cluster. |
|
|
Both SSL and Non-SSL |
Specify the fully qualified hostname of the Oracle BI Publisher server. |
|
|
Both SSL and Non-SSL |
The value for this property will be existing already. Verify if the BIP server port is correct. Modify the value if required. |
|
|
SSL only |
Specify the SSL port of the Oracle BI Publisher server. |
|
|
Both SSL and Non-SSL |
Set the value of this property to |
|
|
Both SSL and Non-SSL |
Specify the BIP server JDBC URL. |
|
|
Both SSL and Non-SSL |
Specify the name of the BIP schema. |
|
|
Both SSL and Non-SSL |
This property is required if you are upgrading Oracle Identity Manager - Oracle Access Manager integrated environments. Specify the Oracle Access Manager version for this property. For example, if the Oracle Access Manager version that you are using is 11g Release 2 (11.1.2.3.0), specify |
|
|
Both SSL and Non-SSL |
This property is required if you are upgrading Oracle Identity Manager - Oracle Access Manager integrated environments. Specify the WebLogic Administration Server host name for Oracle Access Manager. |
|
|
Both SSL and Non-SSL |
This property is required if you are upgrading Oracle Identity Manager - Oracle Access Manager integrated environments. Specify the WebLogic Administration Server port for Oracle Access Manager. |
|
|
Both SSL and Non-SSL |
This property is required if you are upgrading Oracle Identity Manager - Oracle Access Manager integrated environments. Specify the username of the Oracle Access Manager administrator. This is the user who has admin access to the Oracle Access Manager console. |
|
|
SSL only |
This property is required if you are upgrading Oracle Identity Manager - Oracle Access Manager integrated environments. If SSL is enabled in Oracle Access Manager Administration Server and SSL port is specified for the property If you have specified a value for the property If SSL is enabled and SSL port is specified for both Oracle Identity Manager and Oracle Access Manager, you must import Oracle Access Manager certificate to Oracle Identity Manager trust store, or import both Oracle Access Manager and Oracle Identity Manager certificates to a common trust store and specify the location of the trust store for the property wls.trustStore.loc. If |
|
|
SSL only |
This property is required if you are upgrading Oracle Identity Manager - Oracle Access Manager integrated environments. Specify the trust store type. The trust store can be |
The following is a sample of the oim_upgrade_input.properties file:
#The user inputs are taken from this property file #Please enter the appropriate values. #1. JAVA HOME #java.home=/scratch/wars2install/was/java/ java.home=/scratch/jdk1.7.0_11/ #2. Server type Weblogic/Websphere #server.type=wls/was server.type=wls #OIM SCHEMA DETAILS #3. Oim Connection String #GIVE ONLY NON-SSL DB PORT #host:port/serviceName (SID Not Supported) #oim.jdbcurl=localhost:1521/oim123.example.com oim.jdbcurl=myhost.example.com:1522/oimdb.example.com #4. Oim Schema owner #oim.oimschemaowner=hhs_oim oim.oimschemaowner=OES_11.1.1.5.0_oim #----------------------------------------------------------------------------- ------- #MDS SCHEMA DETAILS #5. MDS Connection String #GIVE ONLY NON-SSL DB PORT #host:port/serviceName (SID Not Supported) #oim.oimmdsjdbcurl=localhost:1521/oim123.example.com oim.oimmdsjdbcurl=myhost.example.com:1522/oimdb.example.com #6. MDS Schema Owner #oim.mdsschemaowner=hhs_mds oim.mdsschemaowner=OES_11.1.1.5.0_mds #------------------------------------------------------------------------------------- #ADMIN SERVER DETAILS #7. Admin Host name #oim.adminhostname=localhost oim.adminhostname=myhost.example.com #8. Admin Port #oim.adminport=7001 oim.adminport=7002 #9. Admin User name #oim.adminUserName=weblogic oim.adminUserName=weblogic #------------------------------------------------------------------------------------- #SOA DETAILS #10. SOA Host name #oim.soahostmachine=localhost oim.soahostmachine=myhost.example.com #11. SOA Port #oim.soaportnumber=8001 oim.soaportnumber=8002 #12. SOA User name #oim.soausername=weblogic oim.soausername=weblogic #------------------------------------------------------------------------------------- #DOMAIN LOCATION #13. Domain Location #oim.domain=/u01/oim/user_projects/domains/base_domain oim.domain=/u01/oim/user_projects/domains/base_domain #14. Oracle OIM Home #oim.home=/u01/oim/Oracle_IDM1 oim.home=/u01/oim/Oracle_IDM1 #15. Middleware Home #oim.mw.home=/u01/oim oim.mw.home=/u01/oim #16. SOA Home #soa.home=/u01/oim/Oracle_SOA1 soa.home=/u01/oim/Oracle_SOA1 ### Weblogic specific Properties #17 Weblogic Home #wl.home= wl.home=/u01/oim/wlserver_10.3/ ### Websphere specific properties #19 CSFSeed=true/false to make MT run in two modes i.e PRE_OIM_CONFIG and POST_OIMCONFIG respectively #Choose CSFSeed=true to run in PRE_OIM_Config and CSFSeed=false to run in POST_OIMCONFIG mode. CSFSeed=<true/false> #20 OIM 91 Home Location oim91Home=<oim 91 home directory> #21 Management bootstrap port #oim.bootstrapport=9813 oim.bootstrapport=<Management bootstrap port> #22 SOA Bootstrap port #soa.bootstrapport=2801 soa.bootstrapport=<SOA bootstrap port> #23 Websphere Home #ws.home=/scratch/wars2install/was ws.home=<websphere home directory> #24 Websphere Custom profile path #ws.custom.path=/scratch/wars2install/was/profiles/Custom05 ws.custom.path=<websphere custom path> ####################################### ssl env only properties ######################### #25. Client-side trust store location which contains the public certificate of WLS, SOA, OIM servers #Fill in trust store location and type only in case of ssl enabled env with custom keystore #wls.trustStore.loc=/u01/client_store.jks #In Case of ssl enabled env with DEMO keystore, give "DemoTrust" #wls.trustStore.loc=DemoTrust #In case of non-ssl env, leave blank #wls.trustStore.loc= #wls.trustStore.loc=/u01/oim/user_projects/domains/base_domain/config/fmwconfig/client_store.jks wls.trustStore.loc=/u01/oim/user_projects/domains/base_domain/config/fmwconfig/client_store.jks #26 Type of above trust store #wls.trustStore.type=JKS wls.trustStore.type=JKS ############ BIP Properties ########## #27 BIP Server Name #bip.server.name=bi_server1 bip.server.name=bi_server1 #28 BIP Cluster Name #bip.cluster.name=bi_cluster bip.cluster.name=bi_cluster #29 BIP Server Port #bip.server.port=9704 bip.server.port=9704 #30 BIP Server SSL Port #bip.server.ssl.port=9804 bip.server.ssl.port=9804 #31 BIP Server SSL Enabled #bip.server.ssl.enabled=false bip.server.ssl.enabled=false #32 BIP JDBC URL #host:port/serviceName (SID Not Supported) #bip.jdbc.url=localhost:1521/oim123.example.com bip.jdbc.url=myhost.example.com:1522/oimdb.example.com #34 BIP Schema Name #bip.schema=BIP_BIPLATFORM bip.schema=BIP_BIPLATFORM ####################################### R1 track##################################### # Fill in these values only If you havent extended the domain with OPSS template # applicable for source 11.1.1.5.0 and 11.1.1.7.0 # If OPSS datasource (name : opss-DBDS) is already created, these values will be autodiscovered and not required to be filled. #36.oim.opssschemaowner=OES_11.1.1.5.0_opss oim.opssschemaowner=DEV2_OPSS #37. oim.opssjdbcurl=localhost:1521:oim123 oim.oimopssjdbcurl=myhost.example.com:1522/oimdb.example.com ####################################### OAM Integrated ##################################### # Fill in these values only if you have OIM-OAM integrated environment # Make sure OAM admin server (OracleAdminServer in case of Websphere in OAM Node) # is running before executing OIMUpgrade.sh/OIMUpgrade.bat command #37 Specify target OAM version #If target OAM is 11gR2PS2 then, version is 11.1.2.2.0 #If target OAM is 11gR2PS3 then, version is 11.1.2.3.0 #oam.version=11.1.2.3.0 oam.version=<oam version> #38 Specify OAM WLS Admin Server Host Name #oam.wls.admin.host=localhost oam.wls.admin.host=<oam wls admin host> #39 OAM WLS Admin Server port #oam.wls.admin.port=7001 oam.wls.admin.port=<oam wls admin port> #40 user who is has administrator access in OAM (The user who has admin access to oamconsole.) #oam.admin.username=oamAdminUser oam.admin.username=<user who is has administrator access in OAM> #41 If SSL is enabled in OAM admin server and SSL port is specified in the property # 'oam.wls.admin.port' then, specify the trust store file location else ignore this. # # NOTE:- If OIM property - 'wls.trustStore.loc' is specified then, any value for 'oam.admin.trust.store.loc' # property would be IGNORED and 'wls.trustStore.loc' value would be taken. In such case where both for # OIM and OAM, SSL is enabled and SSL port is specified then, import OAM certificate to OIM truststore # or both OIM and OAM certificates to a common trust store and specify the same 'wls.trustStore.loc' value here. # # If 'wls.trustStore.loc' is DemoTrust then, specify full path of DemoTrust.jks file, which is usually # present in '$WL_HOME/server/lib' location. # #oam.admin.trust.store.loc=/net/oam_machine/u01/idm/trust/oamtrust.jks
Perform the middle tier upgrade offline by doing the following:
Make sure that you have stopped the WebLogic Administration Server, the Oracle Identity Manager Managed Server(s), and the SOA Managed Server(s).
Run the following command from the location OIM_ORACLE_HOME/server/bin:
On UNIX: ./OIMUpgrade.sh offline
On Windows: OIMUpgrade.bat offline
Enter the passwords of the following schemas, when prompted:
[input]OIM Schema Password: Enter the password of the Oracle Identity Manager (OIM) schema.
[input]MDS Password: Enter the password of the Metadata Services (MDS) schema.
[input]OPSS Schema Password: Enter the password of the Oracle Platform Security Services (OPSS) schema. You will be prompted for OPSS schema password only if you are upgrading Oracle Identity Manager 11.1.1.x.x environments.
[input]SOA Schema Password: Enter the password of the SOA Infrastructure (SOAINFRA) schema.
[input]BIP Schema Password: Enter the password of the Oracle BI Publisher (BIP) schema.
Verify the middle tier offline upgrade by doing the following:
Check the HTML reports generated at ORACLE_HOME/server/upgrade/logs/MT/oimUpgradeReportDir_offline.
Check the logs files generated at ORACLE_HOME/server/upgrade/logs/MT/ to verify if the middle tier offline upgrade was successful.
Table 24-11 lists the log files generated for Oracle Identity Manager middle tier offline upgrade at the location ORACLE_HOME/server/upgrade/logs/MT/.
Table 24-11 Logs Generated for OIM Middle Tier Offline Upgrade
| Log File Name | Generated for |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
After you upgrade middle tier offline, you must start the WebLogic Administration Server and the SOA Managed Server(s) in order to perform middle tier upgrade online.
Note:
Before you start the servers, you must add the following property below theJAVA_PROPERTIES entry in the DOMAIN_HOME/bin/setDomainEnv.sh (on UNIX) or DOMAIN_HOME/bin/setDomainEnv.cmd (on Windows) file, to ignore hostname verification:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
If you are starting the servers on command line, pass the above argument on command line.
This argument can be removed after you complete the upgrade.
For information about starting the servers, see Section 24.1.8, "Starting the Servers".
Note:
Make sure that you do not start the Oracle Identity Manager Managed Server(s).Perform the middle tier upgrade online by doing the following:
Make sure that the WebLogic Administration Server and the SOA Managed Server(s) are up and running. Also, make sure that the Oracle Identity Manager Managed Server(s) and the BIP Managed Server(s) are not in running state.
Note:
Ensure that the SOA Managed Server is up and running by verifying the message "SOA Platform is running and accepting requests" in the soa_server-diagnostic.log file located at DOMAIN_HOME/servers/soa_server1/logs/.Make sure that the offline middle tier upgrade was run successfully.
Run the following command from the location OIM_ORACLE_HOME/server/bin:
On UNIX: ./OIMUpgrade.sh online
On Windows: OIMUpgrade.bat online
Enter the passwords of the following schemas, when prompted:
[input]OIM Schema Password: Enter the password of the Oracle Identity Manager (OIM) schema.
[input]MDS Password: Enter the password of the Metadata Services (MDS) schema.
[input]Weblogic Admin Password: Enter the password of the Oracle WebLogic Server Administrator.
[input]SOA Admin Password: Enter the password of the Oracle SOA Suite Administrator.
[input]SOA Schema Password: Enter the password of the SOA Infrastructure (SOAINFRA) schema.
[input]BIP Schema Password: Enter the password of the Oracle BI Publisher (BIP) schema.
Note:
If you are upgrading Oracle Identity Manager - Oracle Access Manager integrated environments, you will be prompted for[input]OAM 'oamAdminUser' Password.Verify the middle tier online upgrade by doing the following:
Check the HTML reports generated at ORACLE_HOME/server/upgrade/logs/MT/oimUpgradeReportDir_online.
Check the following log files generated at the location ORACLE_HOME/server/upgrade/logs/MT/:
OIMUpgrade_online<timestamp>.log
ant_createUserInSecurityRealm_BISystemUser.log
ant_updateBIPJmsSecurity.log
ant_importOwSMPolicySCIM.log
ant_create_UserInSecurityRealm_BISystemUser.log
Note:
Any customizations done tosetDomainEnv.sh, startManagedWeblogic.sh, and startWeblogic.sh will be lost after middle tier online upgrade. These customizations include any changes done to these .sh and .cmd files manually, that is, without using the WLST templates. Examples of customizations are tnsnames.ora, jvm or performance arguments, ssl parameters and so on.
After middle tier upgrade, you must re-apply the customizations, if any.
After you upgrade the Oracle Identity Manager middle tier online, you must start the Oracle Identity Manager Managed Server (s) and the BIP Server.
Note:
JAVA_PROPERTIES entry in the DOMAIN_HOME/bin/setDomainEnv.sh (on UNIX) or DOMAIN_HOME/bin/setDomainEnv.cmd (on Windows) file, to ignore hostname verification:
-Dweblogic.security.SSL.ignoreHostnameVerification=true
When you start the Managed Servers for the first time after middle tier upgrade, the servers must be connected to the non-SSL Administration Server port. To do this, complete the following steps:
Before you start the Managed Servers, enable the non-SSL port for the Administration Server.
Ensure that the Managed Servers connect to the non-SSL admin port while starting. For example, if managed server is started using startManagedWebLogic.sh script, update the ADMIN_URL in this script to use the non SSL url.
These changes can be reverted back once the servers are up.
For more information about starting the servers, see Section 24.1.8, "Starting the Servers".
If you are upgrading Oracle Identity Manager 11.1.1.x.x environments, change the deployment order of oim.ear from 47 to 48. To do this, complete the following steps:
Log in to the WebLogic Administration console using the following URL:
http://wls_admin_host:wls_admin_port/console
Click Deployments on the left pane.
Click oim.ear.
Update the deployment order from 47 to 48.
Click Save.
This section describes how to upgrade other Oracle Identity Manager installed components such as Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager to 11.1.2.3.0.
This section includes the following sections:
The Oracle Identity Manager Design Console is used to configure system settings that control the system-wide behavior of Oracle Identity Manager and affect its users. The Design Console allows you to perform user management, resource management, process management, and other administration and development tasks.
Oracle recommends that Oracle Identity Manager and Design Console are installed in different directory paths, if the Design console is on the same system as the Oracle Identity Manager server.
To upgrade Design Console, complete the following steps:
Back up the following files:
On UNIX, $<XLDC_HOME>/xlclient.sh
$<XLDC_HOME>/config/xlconfig.xml
On Windows, <XLDC_HOME>\xlclient.cmd
<XLDC_HOME>\config\xlconfig.xml
Run the Oracle Identity and Access Management 11.1.2.2.0 Installer to upgrade the Design Console home <XLDC_HOME>.
For more information, see "Optional: Configuring Oracle Identity Manager Design Console" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Restore the following backed up files in the upgraded Design Console home:
On UNIX:
xlclient.sh
xlconfig.xml
On Windows:
xlclient.cmd
xlconfig.xml
Build and copy the wlfullclient.jar file as follows:
Go to WebLogic_Home/server/lib directory on UNIX and WebLogic_Home\server\lib directory on Windows.
Set the JAVA_HOME environment variable and add the JAVA_HOME variable to the PATH environment variable. You can set the JAVA_HOME to the jdk160_21 directory inside the Middleware home.
For example:
On UNIX: setenv JAVA_HOME $MW_HOME/jdk160_29
On Windows: SET JAVA_HOME="MW_HOME\jdk160_29"
Run the following command to build the wlfullclient.jar file:
java -jar <MW_HOME>/modules/com.bea.core.jarbuilder_1.7.0.0.jar
Copy the wlfullclient.jar file to the <IAM_HOME> where you installed the Design Console. For example:
On UNIX:
cp wlfullclient.jar <Oracle_IDM2>/designconsole/ext
On Windows:
copy wlfullclient.jar <Oracle_IDM2>\designconsole\ext
If the Design Console is SSL enabled, do the following:
Copy the webserviceclient+ssl.jar file from the directory WL_HOME/server/lib/ to the directory ORACLE_HOME/designconsole/ext/.
Copy the cryptoj.jar file from the directory MW_HOME/modules/ to the directory ORACLE_HOME/designconsole/ext/.
If DESIGN_CONSOLE_HOME/config/xl.policy does not contain the default grant policy for all, then add the following permission for cryptoj.jar at the end of the xl.policy file:
grant codeBase "file:DIRECTORY_PATH_TO_cryptoj.jar"{permission java.security.AllPermission;};
Open the xlclient.sh file (located at XLDC_HOME/xlclient.sh on UNIX) or xlclient.cmd file (located at XLDC_HOME\xlclient.cmd on Windows) in a text editor, and add the following argument to the java command:
-DAPPSERVER_TYPE=wls
Complete the following steps to upgrade Remote Manager:
Back up configuration files
Before starting the Remote Manager upgrade, back up the following Remote Manager configuration files:
On UNIX, $<XLREMOTE_HOME>/remotemanager.sh
$<XLREMOTE_HOME>/xlremote/config/xlconfig.xml file.
On Windows, <XLREMOTE_HOME>\remotemanager.bat
<XLREMOTE_HOME>\xlremote\config\xlconfig.xml file.
Run the Oracle Identity and Access Management Installer to upgrade the Remote Manager home.
For more information, see "Installing and Configuring Oracle Identity and Access Management (11.1.2.3.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Restore the following backed up configuration files in the upgraded Remote Manager home.
On UNIX:
remotemanager.sh
xlconfig.xml
On Windows:
remotemanager.bat
xlconfig.xml
This section describes all the post-upgrade tasks applicable for both Oracle Identity Manager 11.1.2.x.x and 11.1.1.x.x upgrade. You must perform the necessary post-upgrade tasks that are relevant to your starting point.
Table 24-12 lists the post-upgrade tasks and the Oracle Identity Manager upgrade starting points that they are applicable for.
Table 24-12 Post-Upgrade Tasks for Oracle Identity Manager
| Task No | Post-Upgrade Task | Applicable for |
|---|---|---|
|
1 |
|
|
|
2 |
|
|
|
3 |
|
|
|
4 |
|
|
|
5 |
|
|
|
6 |
|
|
|
7 |
|
|
|
8 |
|
|
|
9 |
|
|
|
10 |
Impact of Removing Approver-Only Attribute in Request Data Set |
|
|
11 |
Changes to Request API After Upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.3.0) |
|
|
12 |
Verifying the Compatibility of Oracle Identity Manager Integrated with Oracle Access Manager |
|
|
13 |
|
|
|
14 |
|
|
|
15 |
|
|
|
16 |
|
|
|
17 |
|
|
|
18 |
|
|
|
19 |
|
|
|
20 |
|
|
|
21 |
|
|
|
22 |
|
|
|
23 |
|
|
|
24 |
|
|
|
25 |
Migrating Customized Oracle Identity Manager Reports Built on BI Publisher 10g to BI Publisher 11g |
|
|
26 |
|
|
|
27 |
Rebuilding the Indexes of Oracle Identity Manager Table to Change to Reverse Type |
|
|
28 |
|
|
|
29 |
|
|
|
30 |
|
|
|
31 |
Updating the URI of the Human Task Service Component with Oracle HTTP Server Details |
|
|
32 |
|
|
|
33 |
|
|
|
34 |
|
|
|
35 |
Enabling Certification Using the System Property OIG.IsIdentityAuditorEnabled |
|
|
36 |
Updating the OHS Configuration File After Upgrading OIM 11.1.1.x.x Highly Available Environments |
|
|
37 |
|
After upgrading from Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.3.0:
The name of the following EARs remain unchanged from Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.3.0:
Oracle Identity Manager Metadata (11.1.1.3.0)
Oracle Identity Manager (11.1.1.3.0)
There is no functional loss.
All of the resources provisioned to an organization in Oracle Identity Manager 11.1.1.x.x is available in Provisioned Accounts, after upgrading to Oracle Identity Manager 11.1.2.3.0. To view, go to the following path:
Connect to the Oracle Identity Manager Identity console.
Go to Administration.
Select Organizations.
Search for organizations.
Select any organization.
Go to Provisioned Accounts to see all Oracle Identity Manager 11.1.1.x.x based resources, provisioned to an organization.
In Oracle Identity Manager 11.1.1.x.x, data object permission was shown in the Administration Console under Roles.
In Oracle Identity Manager 11.1.2.3.0, data object permission is not shown.
In Oracle Identity Manager 11g Release 2 (11.1.2.x.x) and 11g Release 1 (11.1.1.x.x), you would have configured Oracle BI Publisher (BIP) as a standalone product wired to Oracle Identity Manager database. In that case, there would be a separate domain for BIP, where Administration Server and BIP Managed Server(s) are configured. After you upgrade to Oracle Identity Manager 11.1.2.3.0, embedded BIP Server will be enabled by default, and the embedded BIP will be available in the OIM domain, along with the standalone BIP setup.
Therefore, post-upgrade, you have the following two options:
Option 1: Using the Embedded BIP
To start using embedded BIP, complete the following steps:
Update the BIP URL in Oracle Identity Manager if it is pointing to the standalone BIP or if it is empty. To do this, complete the following steps:
Log in to Oracle Enterprise Manager using the following URL:
http://hostname:portnumber/em
Expand Identity and Access on the left navigation pane, and then expand OIM.
Right click on oim(11.1.2.0.0) and select System MBean Browser.
On the left navigation pane under System MBean Browser, expand the following in the same order:
Application Defined MBeans
oracle.iam
Server: oim_server1
Application: oim
XML Config
Config
XMLConfig.DiscoveryConfig
Discovery
Go to the Attributes tab, and specify the BI Publisher URL for the field BIPublisherURL. For example:
http://host:port
Click Apply to apply the changes.
Move the customized reports from the standalone BIP deployment to the new Embedded BIP manually by doing the following:
Copy the customized reports from the location DOMAIN_HOME/config/bipublisher/repository/Reports/Oracle Identity Manager/ on the standalone BIP deployment to the location DOMAIN_HOME/config/bipublisher/repository/Reports/Oracle Identity Manager/ on the Embedded BIP deployment.
Log in to BI Publisher using the following URL:
http://host:port/xmlpserver
You must use the credentials of the OIM system administrator. For example, xelsysadm. The default port for BI Publisher is 9704.
Click Catalog.
Click Shared Folders, and then click Oracle Identity Manager.
Verify if all of the reports including the customized reports are showing up.
If you wish to start the BIP server using Node Manager, you must assign a machine to the BIP server by completing the following steps:
Stop the BIP server if already running.
Log in to the WebLogic Administration console using the following URL:
http://weblogic_host:weblogic_port/console
In the Change Center, click Lock & Edit.
Expand Environment under Domain Structure on the left navigation pane.
Click Servers. The Summary of Servers screen is displayed.
Click BIP Server.
Go to the General tab under Configuration.
Select the machine name from the Machine drop-down list.
Click Save, and then click Activate Changes.
Enable the diagnostic-context for the BIP Server using WebLogic Administration console, if you have not done already. To do this, complete the following steps:
Log in to the WebLogic Administration console using the following URL:
http://weblogic_host:weblogic_port/console
In the Change Center, click Lock & Edit.
In the left navigation pane, expand Diagnostics and then click Context.
Select the BIP Server for which you want to enable diagnostic context.
Select Enable.
Click Activate Changes to activate the changes.
Option 2: Using the Existing Standalone BIP
You can retain the existing deployment of Oracle BI Publisher, whose domain is separate from the Oracle Identity Manager. The embedded BIP set up by the upgrade process can be ignored. You can continue to use your existing standalone BIP after upgrade.
To start using your existing standalone BIP, complete the following steps:
Copy the new reports available as part of 11.1.2.3.0 (if any) to your existing standalone BIP deployment repository at the following location:
DOMAIN_HOME/config/bipublisher/repository
Stop the embedded BIP Managed Server (if running).
After you upgrade to Oracle Identity Manager 11.1.2.3.0, you must review the Oracle Identity Manager specific performance tuning recommendations described in "Oracle Identity Manager Performance Tuning" in the Oracle Fusion Middleware Performance and Tuning Guide.
If you are upgrading Oracle Identity Manager 11.1.2 with PeopleSoft connector to Oracle Identity Manager 11.1.2.3.0, you must create PeopleSoft HRMS reconciliation profile after you upgrade to 11.1.2.3.0. For information about creating reconciliation profile, see "Updating Reconciliation Profiles Manually" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
This post-upgrade task is optional.
In Oracle Identity Manager 11g Release 2 (11.1.2.2.0), a unified automated scheduled purge job named OIM Data Purge Job was introduced to handle data growth of few modules. This job archive or purges data from the following modules:
Orchestration
Reconciliation
Provisioning Task
Request
In Oracle Identity Manager 11.1.2.3.0, the modules Orchestration, Reconciliation, and Provisioning Task are enabled by default out of the box. After upgrading to Oracle Identity Manager 11.1.2.3.0, ensure that the modules are set as shown in the following table:
| Module Name | Enabled (By Default) |
|---|---|
| Reconciliation | Y |
| Orchestration | Y |
| Provisioning Task | Y |
| Request | N |
To verify that the modules are set correctly, complete the following steps:
Log in to the SYSADMIN console using the following URL:
http://OIM_HOST:OIM_PORT/sysadmin
Select Scheduler under System Configuration on the left pane.
Check for OIM Data Purge Job schedule Job.
Check if the radio buttons against Yes for the modules Orchestration, Reconciliation, and Provisioning Task are selected.
If not, select the radio buttons against Yes for the modules Orchestration, Reconciliation, and Provisioning Task, and click Apply. Click Refresh to ensure that the changes are saved.
The OIM Data Purge Job archives or purges data from modules listed in Table 24-13 with the mentioned purge criteria, by default.
Table 24-13 Modules and Their Purge Criteria
| Module Name | Enabled (By Default) | Type of Operation | Retention Period | Purge Criteria |
|---|---|---|---|---|
|
Reconciliation |
Y |
Purge |
30 Days |
Closed Recon Events |
|
Orchestration |
Y |
Purge |
1 Day |
Completed Orchestrations |
|
Provisioning Task |
Y |
Purge |
90 Days |
Completed Prov. Task |
|
Request |
N |
Purge |
N/A |
N/A |
If there is any custom report or logic build on older data, then based on the functional (custom) requirement, amend the Retention Period and Purge Criteria accordingly.
For more information about purge criteria, see "Using the Archival and Purge Utilities for Controlling Data Growth" in the Oracle Fusion Middleware Administering Oracle Identity Manager.
For information about the user-configurable attributes, see "Configuring Real-Time Purge and Archival" in the Oracle Fusion Middleware Administering Oracle Identity Manager.
If you had User Defined Fields (UDF) of type lookup or drop-down as outputText field in your 11.1.2.x.x environment, you will see backend value for that UDF on the View User Details page. Therefore, you must complete the following steps to set the right customizations:
Log in to the Identity console using the following URL:
http://host:port/identity
Click Sandboxes on the top navigation pane, and then click Create Sandbox.
Enter the Sandbox Name and the Sandbox Description. Select the check box Activate Sandbox, and then click Save and Close. Click OK to confirm.
Click Customize on the top navigation pane.
Click Users on the left navigation pane, and select the user to open the User Details page.
Click Structure on the top left corner of the console.
Select the existing outputText field. Click Delete to delete this field.
Close the customize mode, and publish the sandbox by clicking Publish Sandbox.
Export the metadata file userDetailsPageDef.xml to MDS. The following is the full path to the file to be exported:
/oracle/iam/ui/manageusers/pages/mdssys/cust/site/site/userDetailsPageDef.xml
The UI modifications should be done via sandbox export/import, which is available in OIM UI. For information about exporting metadata files to MDS, see My Oracle Support document ID 1594327.1 - "How To Export OIM-UI Metadata Using Enterprise Manager".
Open the exported file in a text editor.
Search for the drop-down or lookup attribute that was added as outputText. For example, if the attribute name is lovattr, search for a snippet similar to the following:
<mds:insert parent="..." position="..."> <attributeValues IterBinding="..." id="lovattr__c" xmlns="..."> <AttrNames> <Item Value="lovattr__c"/> </AttrNames> </attributeValues> </mds:insert>
Delete the snippet, that is, delete the lines starting from the <mds:insert .... > tag till the </mds:insert> tag.
Repeat this step for all drop-down or lookup attributes.
Save the file.
Import the userDetailsPageDef.xml back into the MDS. For information about importing metadata file, see "Importing Metadata Files from MDS" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Log in to the Identity console again.
Create another sandbox by clicking Create Sandbox. Enter the Sandbox Name and the Sandbox Description. Select the check box Activate Sandbox, and then click Save and Close. Click OK to confirm.
Click Customize on the top navigation pane.
Click Users on the left navigation pane, and select the user to open the User Details page.
Click Structure on the top left corner of the console.
Add the LOV drop-down field as ADF Select one choice (if NON searchable) ' , 'Input list of values (If Searchable picklist)' to the required section.
Select readonly on the Component Properties dialog box.
Close the customize mode, and publish the sandbox by clicking Publish Sandbox.
Before you upgrade your existing Oracle Identity Manager environments, you must verify if the version of the existing connector is supported for Oracle Identity Manager 11.1.2.3.0. For information about the supported connector versions for Oracle Identity Manager 11.1.2.3.0, refer to the sections "Certified Components" and "Usage Recommendation" in the respective Connector Guide in Oracle Identity Manager Identity Connectors Documentation Library.
If you are using 9.x connector or GTC connector, do the following:
If the 9.x connector that you are using is supported, you can continue to use the existing connector.
If the 9.x connector is not supported, you must upgrade the existing 9.x connector to the latest 11.x connector after you upgrade the Oracle Identity Manager server to 11.1.2.3.0.
Verify the data in the Lookup populated through lookup reconciliation that the IT Resource Key & IT Resource name is pre-fixed for code & decode respectively. If not, you must upgrade the existing connector to the latest available connector after you upgrade Oracle Identity Manager server.
If you are using 11g connector, the connector upgrade is not required.
After you upgrade Oracle Identity Manager to 11.1.2.3.0, complete the following steps to verify the functionality of connectors:
Verify if Account and Entitlement Tagging are available on the process form. For the connectors to work with Oracle Identity Manager 11.1.2.3.0, you must complete the steps described in the section "Configuring Oracle Identity Manager 11.1.2 or Later" in the respective Connector Guide.
Verify if the customizations made to the connectors are intact.
Verify if the 11.1.2.3.0 related artifacts like UI Forms and Application Instances are generated.
Ensure that all the operations of the connectors are working fine.
If there are two or more IT Resource field in the process form, complete the steps described in the following My Oracle Support note:
If there are any lookup query fields in the process form of the related connector, then you must customize the UI need to display the same.
If you are using Oracle Database, you must check for the INVALID schema objects, and compile them if there are any. To do this, complete the following steps:
Identify the INVALID schema objects by running the following SQL query as SYS user:
SELECT owner,object_type,object_name,status FROM dba_objects WHERE status='INVALID' AND owner in ('<OIM_Schema_Name1>') ORDER BY owner, object_type, object_name;
If there are any INVALID schema objects, you must compile them by connecting to the database as SYS user, and running the following from SQL*Plus:
@<$Oracle_Database_Home_Location>/rdbms/admin/utlrp.sql
After running the utlrp.sql, run the SQL query described in step-1 to ensure that there are no INVALID Database objects.
Removing approver-only attribute in the Request Data Set results in the following:
Before upgrade: The requester cannot see attributes approver-only='true', during request submission.
After upgrade: The requester must provide the value during request submission.
All attributes in the request data sets marked with required=true and approver-only=true should be marked as required=false in the data set.
Make the required fields mandatory in the approver screen through user interface customization.
For information about attributes in the request data sets marked with required=true, see Section 24.2.6.17.2, "User Interface Customization for 11.1.1.x.x Mandatory UDF and OOTB Attributes".
You must manually add LDAP Sync Validation Handler. To do so, complete the following steps:
Export the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
exportAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
Add the following section of the EventHandlers.xml by editing the file in a text editor. Save the file:
<validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="MODIFY" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">
</validation-handler>
<validation-handler class="oracle.iam.ldapsync.impl.eventhandlers.user.UserCommonNameValidationHandler" entity-type="User" operation="CREATE" name="UserCommonNameValidationHandler" order="1005" sync="TRUE">
</validation-handler>
Import the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
importAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
You must manually remove the RDN pre-process handler. To do so, complete the following steps:
Export the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
exportAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
exportAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
Remove the following section of the EventHandlers.xml by editing the file in a text editor. Save the file:
<action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="CREATE" name="CreateUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
</action-handler>
<action-handler orch-target="oracle.iam.platform.kernel.vo.EntityOrchestration" class="oracle.iam.ldapsync.impl.eventhandlers.user.RDNPreProcessHandler" entity-type="User" operation="MODIFY"name="ModifyUserRDNPreProcessHandler" stage="preprocess" sync="TRUE" order="10000">
</action-handler>
Import the EventHandlers.xml file by running the following WLST offline command:
On UNIX:
importAccessData("/db/ldapMetadata/EventHandlers.xml")
On Windows:
importAccessData("\\db\\ldapMetadata\\EventHandlers.xml")
If you have any custom validation handlers in your environment, ensure that the validation is re-entrant. For more information, see "Writing Custom Validation Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
If you have any custom user name policy configured in your environment, see "Writing Custom User Name Policy" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager to ensure the following:
Use the recommended oracle.iam.identity.usermgmt.api.UserNameGenerationPolicy interface to implement policy, instead of using oracle.iam.identity.usermgmt.api.UserNamePolicy.
Ensure that Custom User Name policy return is the same user login when the approver updates an attribute that does not contribute in generating user login.
As part of Oracle Identity Manager 11g Release 2 (11.1.2.3.0) architecture, changes are introduced to RequestService and UnauthenticatedRequestService APIs in terms of usage and in terms of concepts involved. Request Template concept is no longer part of Oracle Identity Manager 11g Release 2 (11.1.2.3.0) and some methods in these APIs are deprecated. Also, RequestTemplateService API is completely deprecated.
This section contains the following topics:
The following is a list of API methods deprecated in RequestService:
public List<String> getTemplateNames() throws RequestServiceException
public RequestModel getModelForTemplate(String templateName) throws RequestServiceException
public RequestDataSet getRestrictedDataSet(String templateName, String entityType) throws RequestServiceException
public RequestTemplate getTemplate(String templateName) throws RequestServiceException
public void updateApproverOnlyData(String reqId, List<RequestBeneficiaryEntity> benEntities, List<RequestEntity> reqEntities) throws RequestServiceException
public List<String> getTemplateNamesForSelf() throws RequestServiceException
public List<RequestTemplate> getRequestTemplates(RequestTemplateSearchCriteria searchCriteria, Set<String> returnAttrs, Map<String,Object> configParams) throws RequestServiceException
The following is a list of API methods deprecated due to storing comments in SOA Human Task comments feature:
public void addRequestComment(String reqId, RequestComment comment) throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId) throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId, RequestComment.TYPE type) throws RequestServiceException
public List<RequestComment> getRequestComments(String reqId, String taskId, RequestComment.TYPE type) throws RequestServiceException
The following is a list of API methods deprecated in UnauthenticatedRequestService:
public List<String> getTemplateNames() throws RequestServiceException
public RequestTemplate getTemplate(String templateName) throws RequestServiceException
public RequestDataSet getRestrictedDataSet(String templateName, String entitySubType) throws RequestServiceException
Request types which were used to perform SELF operations have been deprecated. These operations include the following:
Self Modify User
Self Assign Roles
Self Remove Roles
Self Provision Resource
Self De-provision Resource
Self Modify Resource
You can continue with these operations by using the corresponding non-self request types.
The only method that have changes in usage is RequestService.submitRequest()/UnauthenticatedRequestService.submitRequest(). The API method signature remains the same. However, the way RequestData Value Objects are created, have changed. The changes are covered in the following sections:
Changes to entity-type includes the following:
Resource entity-type is replaced with Application Instance.
Beginning from Oracle Identity Manager 11g Release 2 (11.1.2.3.0), in order to create any provision, revoke, disable, and enable account type of request, the entityType property must be set to ApplicationInstance instead of Resource.
A new entity-type called Entitlement is introduced in Oracle Identity Manager 11g Release 2 (11.1.2.3.0). Oracle Identity Manager supports creating Provision Entitlement and Revoke Entitlement type of requests.
Changes to value objects, related to RequestData includes the following:
requestTemplateName property which was a part of oracle.iam.request.vo.RequestData value objects is deprecated. Even if you set this property, it is not honoured.
A new property called operation is introduced in oracle.iam.request.vo.RequestEntity and oracle.iam.request.vo.RequestBeneficiaryEntity value objects. It is mandatory to set this property while creating the value objects. You can use the following constants defined in oracle.iam.request.vo.RequestConstants class.
MODEL_CREATE_OPERATION – Create User operation
MODEL_MODIFY_OPERATION – Modify User operation
MODEL_DELETE_OPERATION – Delete User operation
MODEL_ENABLE_OPERATION – Enable User operation
MODEL_DISABLE_OPERATION – Disable User operation
MODEL_ASSIGN_ROLES_OPERATION – Assign Roles operation
MODEL_REMOVE_ROLES_OPERATION – Remove Roles operation
MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION – Provision Application Instance operation
MODEL_MODIFY_ACCOUNT_OPERATION – Modify Account operation
MODEL_REVOKE_ACCOUNT_OPERATION – Revoke Account operation
MODEL_ENABLE_ACCOUNT_OPERATION – Enable Account operation
MODEL_DISABLE_ACCOUNT_OPERATION – Disable Account operation
MODEL_PROVISION_ENTITLEMENT_OPERATION – Provision Entitlement operation
MODEL_REVOKE_ENTITLEMENT_OPERATION – Revoke Entitlement operation
MODEL_ACCESS_POLICY_PROVISION_APPINSANCE_OPERATION – Access Policy based provisioning operation
While creating RequestEntity or RequestBeneficiaryEntity value objects, you can also use the following method to set the entityType property:
public void setRequestEntityType(oracle.iam.platform.utils.vo.OIMType type)
type - OIMType.Role/ OIMType.ApplicationInstance/OIMType.Entitlement/ OIMType.User
Listed below are some code examples:
Create a RequestData for a Create User operation as follows:
RequestData requestData = new RequestData("Create User");
requestData.setJustification("Creating User John Doe");
String usr = "John Doe";
RequestEntity ent = new RequestEntity();
ent.setEntityType(RequestConstants.USER);
ent.setOperation(RequestConstants.MODEL_CREATE_OPERATION); //New in R2
List<RequestEntityAttribute> attrs = new ArrayList<RequestEntityAttribute>();
RequestEntityAttribute attr = new RequestEntityAttribute("Last Name", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("First Name", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("User Login", usr, RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("Password", "Welcome123", RequestEntityAttribute.TYPE.String);
attrs.add(attr);
attr = new RequestEntityAttribute("Organization", 1L, RequestEntityAttribute.TYPE.Long);
attrs.add(attr);
attr = new RequestEntityAttribute("User Type", false, RequestEntityAttribute.TYPE.Boolean);
attrs.add(attr);
attr = new RequestEntityAttribute("Role", "Full-Time", RequestEntityAttribute.TYPE.String);
attrs.add(attr);
ent.setEntityData(attrs);
List<RequestEntity> entities = new ArrayList<RequestEntity>();
entities.add(ent);
requestData.setTargetEntities(entities);
//Submit the request with the above requestData
Create a RequestData for an Assign Roles operation as follows:
RequestData requestData = new RequestData();
requestData.setJustification("Assigning IDC ADMIN Role(role key 201) to user with key 121");
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1. setRequestEntityType (oracle.iam.platform.utils.vo.OIMType.Role);
ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_ASSIGN_ROLES_OPERATION); //New in R2
ent1.setEntitySubType("IDC ADMIN");
ent1.setEntityKey("201");
List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
entities.add(ent1);
Beneficiary beneficiary = new Beneficiary();
beneficiary.setBeneficiaryKey("121");
beneficiary.setBeneficiaryType (Beneficiary.USER_BENEFICIARY);
beneficiary.setTargetEntities(entities);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Create a RequestData for a Provision Application Instance operation as follows:
RequestData requestData = new RequestData();
requestData.setJustification("Creating AD User (app instance key 201) account to user with key 121");
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1. setRequestEntityType (oracle.iam.platform.utils.vo.OIMType.ApplicationInstance);
ent1.setOperation(oracle.iam.request.vo.RequestConstants.MODEL_PROVISION_APPLICATION_INSTANCE_OPERATION);
ent1.setEntitySubType("AD User");
ent1.setEntityKey("201");
List<RequestBeneficiaryEntityAttribute> attrs = new ArrayList<RequestBeneficiaryEntityAttribute>();
//Update 'attrs' above with all the data specific to AD User form.
ent1.setEntityData(attrs);
List<RequestBeneficiaryEntity> entities = new ArrayList<RequestBeneficiaryEntity>();
entities.add(ent1);
Beneficiary beneficiary = new Beneficiary();
beneficiary.setBeneficiaryKey("121");
beneficiary.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
beneficiary.setTargetEntities(entities);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
Create a RequestData for a Provision Entitlement operation as follows:
RequestData requestData = new RequestData();
Beneficiary beneficiary1 = new Beneficiary();
beneficiary1.setBeneficiaryKey("222");
beneficiary1.setBeneficiaryType(Beneficiary.USER_BENEFICIARY);
RequestBeneficiaryEntity ent1 = new RequestBeneficiaryEntity();
ent1.setEntityType(RequestConstants.ENTITLEMENT);
ent1.setEntitySubType("AD USER ENTITLEMENT1");
ent1.setEntityKey("122");
ent1.setOperation(RequestConstants.MODEL_PROVISION_ENTITLEMENT_OPERATION);
List<RequestBeneficiaryEntity> entities1 = new ArrayList<RequestBeneficiaryEntity>();
entities1.add(ent1);
beneficiary1.setTargetEntities(entities1);
List<Beneficiary> beneficiaries = new ArrayList<Beneficiary>();
beneficiaries.add(beneficiary1);
requestData.setBeneficiaries(beneficiaries);
//Submit the request with the above requestData
This post-upgrade step is applicable if your starting point is Oracle Identity Manager 11g Release 1 (11.1.1.5.x).
Perform this task if you have integrated Oracle Identity Manager with Oracle Access Manager for single sign-on. Ensure that Oracle Access Manager is at release 11.1.1.5.2 or later.
After upgrading to Oracle Identity Manager 11.1.2.3.0, upgrade Oracle Access Manager configurations for auto-login functionality to work. After upgrading the configurations, NAP protocol is replaced by TAP protocol for communication between Oracle Identity Manager and Oracle Access Manager.
The following topics provide upgrade instructions for two possible scenarios:
Using 10g WebGate for Oracle Identity Manager-Oracle Access Manager Integration
Using 11g WebGate for Oracle Identity Manager-Oracle Access Manager Integration
Before you begin with the upgrade configuration procedures, refer to the "Using the idmConfigTool Command" for more about the IdmConfigTool in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.
If you are using 10g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:
In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in <DOMAIN_HOME>/output directory.
In the idmConfigTool, run configOIM. In a cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:
OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>
OAM11G_WLS_ADMIN_PORT: <OAM admin server port>
OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>
Note:
When running theconfigOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.
The WEBGATE_TYPE property should be specified as ohsWebgate10g.
Restart the Administration and Managed Servers. In the case of a cross domain setup, restart servers from both the domains.
Restart the Oracle Identity Manager Administration Server and Managed server as follows:
On UNIX:
<MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh
<MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>
On Windows:
<MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd
MW_HOME\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>
For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
If you are using 11g WebGate, complete the following steps to upgrade Oracle Identity Manager and Oracle Access Manager configurations:
In the idmConfigTool, run configOAM. This creates a 10g WebGate agent and an 11g WebGate agent in Oracle Access Manager. Ensure that the artifacts corresponding to both WebGates are created in the <DOMAIN_HOME>/output directory.
In the idmConfigTool, run configOIM. In cross-domain setup where Oracle Identity Manager and Oracle Access Manager are in two different WebLogic domains, specify the following additional properties before running this option:
OAM11G_WLS_ADMIN_HOST: <host name of OAM admin server machine>
OAM11G_WLS_ADMIN_PORT: <OAM admin server port>
OAM11G_WLS_ADMIN_USER: <admin user of OAM domain>
Note:
When running theconfigOIM option, ensure that you provide the same properties that you provided in the configOAM option for OAM_TRANSFER_MODE and ACCESS_GATE_ID properties.
The WEBGATE_TYPE property should be specified as ohsWebgate11g.
Restart the Administration and Managed servers. In the case of a cross domain setup, restart servers from both the domains.
Restart the Oracle Identity Manager Administration Server and Managed server as follows:
On UNIX:
<MW_HOME>/user_projects/domains/domain_name/startWebLogic.sh
<MW_HOME>/user_projects/domains/domain_name/bin/startManagedWebLogic.sh <managed_server1>
On Windows:
<MW_HOME>\user_projects\domains\domain_name\startWebLogic.cmd
MW_HOME\user_projects\domains\domain_name\bin\startManagedWebLogic.cmd <oim_server>
For more information, see "Restarting Servers" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
You must run the Entitlement List Schedule task in order to use catalog features.
Complete the following steps to run the Entitlement List Schedule job:
Log in to the SYSADMIN console using the following URL:
http://<OIM_HOST>:<OIM_PORT>/sysadmin
Click System Management.
Select Scheduler.
Enter "Entitlement List" in the Search Scheduled Jobs field and click Search.
Select Entitlement List.
Click Run Now. Wait till the job is complete.
You must run the Evaluate User Policies scheduled task to start provisioning based on access policy after the role grant. This scheduled task can be configured to run every 10 minutes, or you can run this scheduled task manually.
To start the scheduler, see "Starting and Stopping the Scheduler" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Resource objects are transformed during the upgrade process. In order to provision the resource of an object, called App instance, with Oracle Identity Manager 11.1.2.3.0, you must run the Catalog Synchronization job.
For more information, see "Bootstrapping the Catalog" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Note:
If no Entitlements show up, make sure that the entitlements field in the child tables is set toEntitlement=true and reloaded into the parent form.This is a new Oracle Identity Manager 11.1.2.3.0 feature for notification. If you want to use this new notification model, after upgrading to 11.1.2.3.0, complete the following steps:
Configure E-mail driver from Enterprise Manager user interface:
Log in to Oracle Enterprise Manager Fusion Middleware Control and do the following:
i. Expand Application Deployments.
ii. Expand User Messaging Service.
iii. Select usermessagingdriver-email (<soa_server1>).
iv. Select Email Driver Properties.
v. Select in Driver-Specific Configuration.
Configure the values, as listed in Table 24-14:
Table 24-14 UMS Parameters and Description
| Parameter | Description |
|---|---|
|
OutgoingMailServer |
Name of the SMTP server. For example:
|
|
OutgoingMailServerPort |
Port of the SMTP server. For example: 456 |
|
OutgoingMailServerSecurity |
The security setting used by the SMTP server Possible values can be None/TLS/SSL. |
|
OutgoingUsername |
Provide a valid username. For example:
|
|
OutgoingPassword |
Complete the following:
|
Configure the Notification provider XML through the Enterprise Manager user interface:
Log in to Enterprise Manager and do the following:
i. Expand Application Deployments.
ii. Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and right-click.
iii. Select System MBean Browser.
iv. Expand Application Defined MBeans.
v. Expand oracle.iam.
vi. Expand Server_OIM_Server1
vii. Expand Application: oim.
viii. Expand IAMAppRuntimeMBean.
ix. Select UMSEmailNotificationProviderMBean.
Configure the values, as listed in Table 24-15:
Table 24-15 Parameter for Configuring Notification Provider
| Parameter | Description |
|---|---|
|
Web service URL |
Start the URL of UMS web service. Any SOA server can be used. For example:
|
|
Policies |
The OWSM Policy is attached to the given web service, leave it blank. |
|
Username |
The username is given in the security header of web service. If there is no policy attached, leave it blank. |
|
Password |
The password given in the security header of web service. If there is no policy attached, leave it blank. |
After upgrading to 11.1.2.3.0, if you want to use SMTP notification provider instead of the default UMS notification provider, do the following:
Log in to Enterprise Manager and do the following:
Expand Application Deployments.
Select OIMAppMetadata(11.1.1.3.0)(oim_server1) and Right click.
Select System MBean Browser.
Expand Application Defined MBeans.
Expand oracle.iam.
Expand Server_OIM_Server1
Expand Application: oim.
Expand IAMAppRuntimeMBean.
Select UMSEmailNotificationProviderMBean.
Ensure that the value of the attribute Enabled is set to true.
Provide the configuration values in MBean (username, password, mailServerName) or the name of IT Resource in MBean.
The IT Resource name is the name given in XL.MailServer system property, before you upgrade Oracle Identity Manager 11.1.1.x.x to Oracle Identity Manager 11.1.2.3.0.
You must have UDF in your environment because if you do not update your User Interface with UDFs, several features like user creation, role creation, and self registration request where UDFs are involved fails.
This section contains the following topics:
For an Oracle Identity Manager 11.1.2.3.0 environment that has been upgraded from Oracle Identity Manager 11.1.1.x.x, the custom attributes for user entity already exist in the back-end. These attributes are not present as form fields on the Oracle Identity Manager 11.1.2.3.0 user interface screens until the user screens are customized to add the custom fields.
However, before you can customize the screens, you must first complete upgrading the custom attributes using the Upgrade User Form link in the System Administration console.
After completing the Upgrade User Form, the User value object (VO) instances in various Data Components like DataComponent-Catalog, DataComponent-My Information, DataComponent-User Registration shows the custom attributes. This includes all custom attributes available for Web Composer (Customized) and can be added to User user interface screens.
For more information, see "Customizing the Interface" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
Complete the following steps to render UDFs:
Log in to the Identity System Administration console.
Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.
Note:
If an error message is displayed after clickingUpgrade Now button, it is important that you analyze the error. You must also export the Sandbox for analysis and then discard (Delete) the sandbox. This note also applies to Upgrade Role Form and Upgrade Organization Form.Publish the Sandbox.
Log out from Identity System Administration console.
Log in to Identity Self Service console.
Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
From the left navigation pane, select Users.
Click Create User. A Create User page opens. Fill up all the mandatory fields. Add the same UDFs in Modify User and User Detail screen. Select the correct Data Component and UserVO Name as listed in Table 24-16.
For example:
From the left navigation pane, click Users. Click User to go to the Create User screen and fill all mandatory fields.
Click Customize on top right. Select View. Select Source.
Select Name in Basic Information and click Edit on the confirmation window.
Select panelFormLayout. Click Add Content.
Select the correct Data Component and VO Name as listed in Table 24-16:
Table 24-16 UDF Screens and Description
| Screen Name | Data Component | VO Name | Procedure |
|---|---|---|---|
|
Create User |
Data Component - Catalog |
UserVO |
Do the following:
|
|
Modify User |
Data Component - Catalog |
UserVO |
Do the following:
|
|
View User Details |
Data Component - Manage Users |
UserVO1 |
Do the following:
|
|
Bulk Modify User Flow |
Data Component - Catalog |
UserVO |
Do the following:
|
|
My Information |
Data Component - My Information |
UserVO1 |
Do the following:
|
|
Customizing Search Results |
Data Component - Manage Users |
UserVO1 |
Do the following:
|
|
User Registration |
Data Component - User Registration |
UserVO1 |
Do the following:
|
|
Adding UDF in Search Panel |
NA |
NA |
Do the following:
|
|
Customizing Request Summary/Details |
NA |
NA |
Requests created after Create User, Modify User, My Information, Self Registration. |
Click Close.
Click Sandboxes. Export the sandbox using Export Sandbox.
Publish the sandbox.
Log out from Identity Self Service, and log in again. The added UDF in the screen is seen.
Note:
You can upgrade and customize Role UDF and Organization UDF by following the instructions described in the table "Entities and Corresponding Data Components and View Objects" in the Oracle Fusion Middleware Administering Oracle Identity Manager.If you have rendered the OOTB attributes as mandatory in Oracle Identity Manager 11.1.1.x.x, you must customize the user interface in order to achieve the same customizations after upgrade.
Log in to Identity System Administration console.
Click Sandboxes. Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
Go to Upgrade. Select Upgrade User Form. Click Upgrade Now.
Publish the Sandbox.
Log out from Identity System Administration console.
Log in to Identity Self Service console.
Click Create Sandbox. A Create Sandbox window appears.
Enter the Sandbox Name. Select Activate Sandbox. Click Save and Close.
From the left navigation pane, click Users. Click User to go to the Create User screen and fill all the mandatory fields.
Click Customize on top right. Select View. Select Source.
Select Name in Basic Information and click Edit on the confirmation window.
Select panelFormLayout. Click Add Content.
Click Input Component and click Edit.
On the Component Properties dialogue, select Show Required check box. In the Required field, select Expression Editor, and in the Expression Editor field, enter the value as true.
Click Close.
Click Sandboxes. Export the sandbox using Export Sandbox.
Publish the sandbox.
Log out from Identity Self Service, and log in again. The added UDF on the screen with an asterix (*) symbol is seen.
In user customization upgrade, multiple values for the Save Column may exist in User.xml. Based on the possible values; single, multiple, and null, do the following in the upgraded environment:
Use Single value for Save Column: User creation is successful, and the value of the field is also saved in database.
Use Multiple or NULL value for Save Column: User creation is successful, but the value is not saved in database.
Note:
Lookup by Query is not supported in the Oracle Identity Manager 11g Release 2 (11.1.2) and later releases. Therefore, if your starting point is Oracle Identity Manager 11.1.1.x.x, you must changes Lookup by Query to Lookup by Code, post upgrade. If you do not perform this task, the Lookup by Query will be a text field in 11.1.2.3.0.After you complete the upgrade, you must complete the following steps to upgrade Application Instances:
Log in to the following console:
http://<OIM_HOST>:<OIM_PORT>/sysadmin
Expand Upgrade on the left navigation pane.
Click Upgrade Application Instances.
This creates the U/I Forms and Datasets for the Application Instances, and seeds to MDS.
Note:
This section is required only if the Diagnostic Dashboard services for AD Password Sync were deployed in 11.1.1.x.x and if your application is deployed in staging mode in 11.1.1.x.x.Before you can re-deploy, you must undeploy XIMDD from the 11.1.1.x.x Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
If you are running in production mode, click Lock and Edit.
Click Deployments.
In the resulting list, look for XIMDD.
If they are running, select XIMDD.
Click Delete.
Activate the changes.
To redeploy, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
Click Lock & Edit.
Click Deployments.
Click Install.
In the path, provide the path for XIMDD.ear.
The default path is in the following location:
On UNIX, $<OIM_HOME>/server/webapp/optional
On Windows, <OIM_HOME>\server\webapp\optional
Select XIMDD.ear. Click Next.
Select Install this deployment as an application. Click Next.
In Select deployment targets page, select oim server. Click Next.
In the Optional Setting page, click Finish.
Click Deployments.
Select XIMDD. Click Start.
From the options, select Service All Requests.
Note:
This section is required only if the DSML web services for AD Password Sync were deployed in 11.1.1.x.x.Before you can redeploy, you must undeploy SPML-DSML from the 11.1.1.x.x Oracle Identity Manager Managed Server or from the cluster. To do so, complete the following steps:
Log in to the WebLogic Server Administration console:
host:admin port/console
If you are running in production mode, obtain the Lock in order to make updates.
Click Deployments.
In the resulting list, look for spml.
If they are running, select spml.
Click Delete.
Activate the changes.
To redeploy, complete the following steps:
Log in to WebLogic Server Administration console through the following path:
host:admin port/console
Click Lock & Edit.
Click Deployments.
Click Install.
In the path provide the path for spml.ear.
The default path is in the following location:
On UNIX, $<OIM_HOME>/server/apps
On Windows, <OIM_HOME>\server\apps
Select spml-dsml.ear. Click Next.
Select Install this deployment as an application. Click Next.
In Select deployment targets page, select oim server. Click Next.
In the Optional Setting page, click Finish.
Click Deployments.
Select spml. Click Start.
From the options, select Service All Requests.
If you have used any event handlers in Oracle Identity Manager 11.1.1.x.x, you must re-customize the event handler for Oracle Identity Manager 11.1.2.3.0.
For more information, see "Developing Custom Event Handlers" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.
If your starting point is Oracle Identity Manager 11.1.1.x.x, you must manually upgrade custom composites that you have built. Complete the following steps to upgrade SOA composites:
Open the SOA composite project in JDeveloper (Use Jdeveloper 11.1.1.9.0).
Open ApprovalTask.task file in designer mode.
Select General.
Change Owner to Group, SYSTEM ADMINISTRATORS, STATIC.
Select Outcomes lookup. An Outcomes Dialog opens.
Select Outcomes Requiring Comment.
Select Reject and click Ok.
Click Ok again.
Select Notification.
Click on the update icon under Notification. Update any old URLs in notification with the corresponding new URL in 11.1.2.3.0. An example notification content is given below:
A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR> Request ID: <%/task:task/task:payload/task:RequestID%> <BR> Request type: <%/task:task/task:payload/task:RequestModel%> <BR> <BR> Access this task in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details > Identity Self Service </A> application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request
Click Advanced.
Deselect Show worklist/workspace URL in notifications. Provide the URL to Pending Approvals in identity application as shown in the example in step 10.
Repeat step 1 to 12 for other human tasks, if any, in the composite. Save your work.
Right click Project and select Deploy -> Deploy to Application Server.
Provide revision ID. Select Mark revision as default and Overwrite any existing composite with same revision ID.
Note:
You can also deploy the composites with different revision ID. In that case you have to modify all approval policies using this composite.Select your application server connection, if it already exists, and click Next. Create an application server connection if it does not exist.
Click Next.
Click Finish.
Repeat the procedure for the remaining custom composites.
If you have custom Authorization Policies in Oracle Identity Manager in 11g Release 1 (11.1.1.5.0), in order to create or modify users, you must assign new administrator roles in relation to User Administration, Role Administration, or Help Desk.
Table 24-17 lists the Administration roles in Oracle Identity Manager 11g, either removed or consolidated into the System Administrator Administration role for all system administrative operations in Oracle Identity Manager 11.1.2.3.0:
Table 24-17 Changes in Role from Oracle Identity Manager 11g to 11.1.2.3.0
| Sl No. | Roles in Oracle Identity Manager 11g | Roles Removed and Replaced in Oracle Identity Manager 11.1.2.3.0 |
|---|---|---|
|
1 |
SCHEDULER ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
2 |
DEPLOYMENT MANAGER ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
3 |
NOTIFICATION TEMPLATE ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
4 |
SOD ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
5 |
SYSTEM CONFIGURATION ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
6 |
GENERATE_USERNAME_ROLE |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
7 |
IDENTITY USER ADMINISTRATORS |
Removed and replaced with USER ADMIN. |
|
8 |
USER CONFIGURATION ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
9 |
ACCESS POLICY ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
10 |
RECONCILIATION ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
11 |
RESOURCE ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
12 |
GENERIC CONNECTOR ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
13 |
APPROVAL POLICY ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
14 |
REQUEST ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
15 |
REQUEST TEMPLATE ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
16 |
PLUGIN ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
17 |
ATTESTATION CONFIGURATION ADMINISTRATORS |
Removed and replaced with SYSTEM CONFIGURATORS. |
|
18 |
ATTESTATION EVENT ADMINISTRATORS |
Removed and replaced with SYSTEM ADMINISTRATORS. |
|
19 |
ROLE ADMINISTRATORS |
Removed and replaced with ROLE ADMIN. |
|
20 |
USER NAME ADMINISTRATOR |
Removed and now depends on administration roles. |
|
21 |
IDENTITY ORGANIZATION ADMINISTRATORS |
Removed and replaced with ORGANIZATION ADMIN. |
|
22 |
IT RESOURCE ADMINISTRATORS |
Removed and replaced with APPLICATION INSTANCE ADMIN. |
|
23 |
REPORT ADMINISTRATORS |
No link to reports from Oracle Identity Manager. |
|
24 |
SPML_APP_ROLE |
There is no change in this enterprise role and a corresponding role with the privileges is seeded in Oracle Entitlements Server. |
|
25 |
ALL USERS |
This is an enterprise role, not an administrator role. |
|
26 |
SYSTEM CONFIGURATORS |
All privileges as System Administrator role, except for the ability to manage Users, Roles, Organizations and Provisioning remains unchanged. |
|
27 |
SYSTEM ADMINISTRATORS |
Remains unchanged. |
When you upgrade Oracle Identity Manager 11.1.1.x.x to 11.1.2.3.0, a default password policy will be seeded at the TOP organization. As a result, any password policy rules created using the older password policy model in Oracle Identity Manager 11.1.1.x.x environment will not be supported. The upgrade utility does not migrate the password policies of Oracle Identity Manager 11.1.1.x.x to 11.1.2.3.0. If you had made any password policy customizations on the older password policy rules, you must create equivalent password policies using the newer password policy model, and attach it to the respective organization.
For information about creating password policies, see "Password Policy Management" in the Oracle Fusion Middleware Administering Oracle Identity Manager.
Customized reports built on Oracle BI Publisher 10g Release 3 (10.1.3.X) or later must be upgraded before they can be consumed by Oracle BI Publisher 11.1.1.7.1. You must use the Upgrade Assistant to upgrade the reports in the BI Publisher 10g repository. For more information, see "Task 5: Upgrade the BI Publisher Repository" in the Oracle Fusion Middleware Upgrade Guide for Oracle Business Intelligence.
If the environment is running in SSL mode, you must change the Provider URL for ForeignJNDIProvider-SOA to SSL Provider URL. To do this, complete the following steps:
Log in to the WebLogic Administration console using the following URL:
http://weblogic_host:weblogic_port/console
Expand Services under Domain Structure.
Click Foreign JNDI Providers.
Click ForeignJNDIProvider-SOA to bring up the Settings for ForeignJNDIProvider-SOA page.
Click Lock & Edit on the top-left pane.
In Provider URL, change t3 to t3s.
Click Save, and then click Activate Changes.
For high concurrent load conditions in Oracle Identity Manager, the following indexes if altered as reverse key indexes, will give better performance. These indexes are mainly on Primary columns and unique columns of the OIM table.
List of Indexes:
UK_PCQ
PK_PCQ
PK_SCH
PK_ORC
PK_OSH
PK_USR
PK_OSI
IDX_OIU_ORC_KEY
PK_AUD_JMS
IDX_UPA_UD_FORFIE_FORMS_KEY
PK_UPA_UD_FORMFIELDS
PK_UPA_FIELDS
IDX_UPA_FIELDS_UPA_USR_KEY
IDX_UPA_UD_FOR_UPA_RES_KEY
To alter the index, execute the following SQL statement for each of the indexes:
SQL> ALTER INDEX <index_name> REBUILD REVERSE;
It is recommended that you perform this task in Oracle Identity Manager downtime window.
To verify that the indexes were rebuilt successfully, check the index_type column value of these indexes from the database data dictionary view DBA_INDEXES (from SYS schema) or from USER_INDEXES (from OIM DB schema). The index_type of these indexes should be NORMAL/REV.
After you upgrade Oracle Identity Manager to 11.1.2.3.0, review the system property Allowed Back URLs and verify if it is set to the correct value.
For information about searching and modifying system properties, see "Managing System Properties" in the Oracle Fusion Middleware Administering Oracle Identity Manager.
If the Message Buffer Size for UMSJMSServer is missing in the upgraded environment, you can update it by doing the following:
Log in to the WebLogic Administration Console using the following URL:
http://host:port/console
Click Services under Domain Structure on the left navigation pane.
Click Messaging and then click JMS Servers.
Click UMSJMSServer and then click Lock and Edit.
Update the value of Message Buffer Size to 200.
Note:
If the value is of Message Buffer Size is -1, the size will be managed automatically.Click Save to activate the changes.
If you have upgraded Oracle Identity Manager in an Oracle Identity Manager, Access Manager, and Oracle Adaptive Access Manager integrated environment, change the Authentication Scheme from LDAP Scheme to TAPScheme for both Protected HigherLevel and Protected LowerLevel Policies under the IAM Suite domain. For more information, see "Changing the Authentication Scheme to TAPScheme for Upgrade of Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.
This step is for Oracle HTTP Server (OHS) enabled environment, and is applicable for Oracle Identity Manager 11.1.1.x.x, 11.1.2, and 11.1.2.1.0 starting points.
While configuring Oracle Identity Manager 11.1.2.1.0, 11.1.2, or 11.1.1.x.x, if you had specified OIM server host and port for OIM HTTP URL, then for all composites deployed, you must complete the following steps after upgrading Oracle Identity Manager to 11.1.2.3.0:
Update the task URI information to point to the OHS host and port. For more information, see "Managing the URI of the Human Task Service Component Task Details Application" in the Oracle Fusion Middleware Administrator's Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
Specify the OHS details in the DiscoverConfig MBean by doing the following:
Log in to the Oracle Enterprise Manager Fusion Middleware Control using the following URL:
http://host:port/em
Navigate to OIMDomain, right-click on it, and click System MBean Browser.
Click the search icon, enter DiscoveryConfig, and click Search.
Set the value of the OimExternalFrontEndURL property to:
http://OHS_HOST:OHS_PORT
Save the changes.
After upgrading to Oracle Identity Manager 11.1.2.3.0, the approval policies will continue to work. However, you also have an option of enabling the approval workflow introduced in 11.1.2.3.0, and migrating the approval policies to approval workflow policies.
Note:
Once you enable workflow policies, the approval policies will be disabled permanentlyFor information about enabling approval workflow rules, see "Enabling the Approval Workflow Rules Feature" in the Oracle Fusion Middleware Administering Oracle Identity Manager.
After upgrading to Oracle Identity Manager 11.1.2.3.0, you can choose to disable Oracle SOA Suite (SOA) server, if required. If you do so, the Oracle Identity Manager features that are dependent on SOA will not be available.
For information about disabling SOA server, see "Disabling SOA Server" in the Oracle Fusion Middleware Administering Oracle Identity Manager.
If you had added User Defined Fields (UDF) to page(s) in Oracle Identity Manager 11.1.2.x.x or 11.1.1.x.x pre-upgrade, you would have updated the display width of the UDF components (for example, inputText, inputListOfValues) to fit them in a page. This display width is not preserved post-upgrade. Therefore, you must adjust the width of the UDF components post-upgrade. To do this, complete the following steps:
Log in to the Identity console using the following URL:
http://host:port/identity
Click Sandboxes on the top naviagtion pane, and then click Create Sandbox.
Enter the Sandbox Name and the Sandbox Description. Select the check box Activate Sandbox, and then click Save and Close. Click OK to confirm.
Open the page that needs to be adjusted.
Click Customize.
Switch to Structure mode.
Select the component that needs to be adjusted.
Open Component Properties.
Set the value of the Columns property. For example, you can set it to 20.
Verify the changes, and click Publish to publish the sandbox.
If you had enabled certification in Oracle Identity Manager 11g Release 2 (11.1.2.2.0) or 11g Release 2 (11.1.2.1.0) using the system property "Display Certification or Attestation" (OIM.ShowCertificationOrAttestation), you must re-enable the certification using the new system property "Identity Auditor Feature Set Availability" (OIG.IsIdentityAuditorEnabled) after upgrading to Oracle Identity Manager 11.1.2.3.0.
To re-enable the certification, set the system property "Identity Auditor Feature Set Availability" (OIG.IsIdentityAuditorEnabled) to TRUE post-upgrade.
After you upgrade Oracle Identity Manager 11g Release 1 (11.1.1.7.0) or 11g Release 1 (11.1.1.5.0) highly available environments, you must update the Oracle HTTP Server (OHS) configuration file mod_wl_ohs.conf, as the web context used through OHS to access self-service and sysadmin have changed in 11.1.2.3.0. To do this, complete the following steps:
Open the mod_wl_ohs.conf file in an editor.
Remove the /oim location. The following is an example of /oim location:
<Location /oim> SetHandler weblogic-handler WLCookieName oimjsessionid WebLogicCluster OIMHOST1:OIMHOST1_Port,OIMHOST2:OIMHOST2_Port WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log" WLProxySSL ON WLProxySSLPassThrough ON </Location>
Add the locations for /identity and /sysadmin as shown in the following example:
<Location /identity> SetHandler weblogic-handler WLCookieName oimjsessionid WebLogicCluster OIMHOST1:OIMHOST1_Port,OIMHOST2:OIMHOST2_Port WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log" WLProxySSL ON WLProxySSLPassThrough ON </Location> <Location /sysadmin> SetHandler weblogic-handler WLCookieName oimjsessionid WebLogicCluster OIMHOST1:OIMHOST1_Port,OIMHOST2:OIMHOST2_Port WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log" WLProxySSL ON WLProxySSLPassThrough ON </Location>
For the new applications created in 11.1.2.3.0 and for some of the application which were created before the upgrade, Update button is seen in place of Ready to Submit button on the Catalog page. This is a design level change made in 11.1.2.3.0. Update button is a replacement for Ready to Submit button.
For some of the existing applications which were created pre-upgrade, both Ready to Submit and Update buttons appear on the Catalog page. For such cases, create a new version of the form for their respective resource types. This removes the Ready to Submit button.
Custom client applications using the previous version of the oimclient.jar will get an error similar to the following: "oracle.iam.passwordmgmt.vo.Challenge; local class incompatible: stream classdesc serialVersionUID = 7026677945288353246, local class serialVersionUID = -5258470952025280257"
To resolve this issue, update the client application to use the new version of the oimclient.jar included with this release in OIM_ORACLE_HOME/server/client/oimclient.zip, and include the additional OIM_ORACLE_HOME/modules/oracle.idm.ipf_11.1.2/ipf.jar in the lib/classpath.
This section includes the topics common to various Oracle Access Manager upgrade starting points. This section contains the following topics:
You must extend the Access Manager WebLogic domain to use Oracle Mobile Security Suite and Policy Manager features available with Access Manager 11.1.2.3.0.
In case of a highly available Oracle Access Management setup, follow the instructions described in "Configuring Oracle Mobile Security Manager on OAMHOST1" in the Oracle Fusion Middleware High Availability Guide, to extend the Access Manager WebLogic domain to include Oracle Mobile Security Suite and Policy Manager.
In case of a single node Oracle Access Management setup, complete the following steps to extend the Access Manager WebLogic domain to include Oracle Mobile Security Suite and Policy Manager:
Create the Oracle Mobile Security Manager (OMSM) schema using the Repository Creation Utility 11.1.1.9.0, if you have not done already.
For information about creating schemas, see Section 24.1.3, "Creating Database Schemas Using Repository Creation Utility".
Ensure that you have stopped the WebLogic Administration Server and the Access Manager Managed Server(s).
For information about stopping the servers, Section 24.1.9, "Stopping the Servers".
Start the Oracle Fusion Middleware Configuration Wizard by running the following command from the location WL_HOME/common/bin:
On UNIX: ./config.sh
Note:
OMSS is not supported on Windows.The Configuration Wizard's Welcome screen is displayed.
Select Extend an existing WebLogic domain, and click Next.
The Select a WebLogic Domain Directory screen is displayed.
Use the navigation tree to select the existing Access Manager domain directory, and click Next.
The Select Extension Source screen is displayed.
Select Extend my domain automatically to support the following added products, and select the following component:
Oracle Access Management and Mobile Security Suite - 11.1.2.3.0
When you select Oracle Access Management and Mobile Security Suite - 11.1.2.3.0, the following components are automatically selected:
Oracle Enterprise Manager - 11.1.1.0
Oracle WSM Policy Manager - 11.1.1.0
Note:
The Keep Existing Component message will be displayed depending on your upgrade starting point. Therefore, you may or may not see the message, depending on the OAM version you are upgrading.If the message is displayed, you must select the Keep Existing Component check box for all such occurrences.
Click Next.
The Specify Domain Name and Location screen is displayed.
Ensure that the Domain Name, Domain Location, and the Application Location is correct. Click Next.
The Configure JDBC Data Sources screen is displayed if there are any custom application datasources configured in the domain. Click Next.
The Configure JDBC Component Schema screen is displayed.
Specify the following details for all of the component schemas listed:
Vendor - Select the database vendor.
Driver - Select the JDBC driver to use to connect to the database. The list includes common JDBC drivers for the selected database vendor.
Schema Owner - Enter the username for connecting to the database.
Schema Password - Enter the password for the specified schema owner.
DBMS/Service - Enter a database DBMS name, or service name if you selected a service type driver.
Host Name - Enter the name of the server hosting the database.
Port - Enter the port number to be used to connect to the server that hosts the database.
After you enter the details, click Next.
The Test JDBC Component Schema screen is displayed.
Use the screen to test the configurations that you specified for the data sources in the previous screen. Select the check boxes adjacent to the names of the schemas to test, and then click Test Connections.
The wizard tests the configuration for each schema by attempting to connect to a URL that is constructed by using the driver, host, port, and other information that you specified while configuring the schema. The result of the test is indicated in the Status column. Details are displayed in the Connection Result Log section.
After the test connection process is completed, click Next.
The Select Optional Configuration screen is displayed.
Use this screen to add new managed servers, clusters, and machines. You can also modify the deployments and services using this screen. Depending on your action on this screen, you might have to enter additional details like the name of the new managed server, cluster and so on
Note:
Ensure that you assign the new OMSS and OAM Policy Servers to the Node Manager, if they are included in the your setup. If you do not perform this, the OMSS and OAM Policy Server cannot be started via the WebLogic Administration Console.Complete all the required steps, and click Next.
The Configuration Summary screen is displayed.
Review the detailed configuration settings of your domain, and click Extend.
The Extending Domain screen is displayed.
Monitor the progress of the domain extension process. Once completed, click Done to close the Configuration Wizard.
For more information about using the Configuration Wizard to extend your existing WebLogic domain, see "Extending WebLogic Domains" in the Oracle Fusion Middleware Creating Domains Using the Configuration Wizard.
Note:
To start using the features of Oracle Mobile Security Suite, you must enable it using the instructions described in Section 24.3.2, "Enabling Oracle Mobile Security Suite".If you wish to use the functionality of Oracle Mobile Security Suite, you must configure Oracle Mobile Security Suite after extending the Access Manager domain with Oracle Mobile Security Suite component.
To configure Oracle Mobile Security Suite, complete the following steps:
Ensure that the upgraded environment is using JDK7.
Restart the WebLogic Administration Server and the Access Manager Managed Servers.
For information about stopping the servers, see Section 24.1.8, "Starting the Servers".
For information about starting the servers, see Section 24.1.8, "Starting the Servers".
If your environment is SSL enabled, ensure that the certificate for LDAP is imported into JDK7 keystore. To do this, run the following command:
keytool -import -alias alias -file path_to_ldapcert.pem -keystore jdk7_location/jre/lib/security/cacerts
Enter the password as changeit, when prompted.
For example,
keytool -import -alias trust -file /ldapcert.pem -keystore /jdk7/jre/lib/security/cacerts
Increase the heap size of the JVM. To do this, open the setDomainEnv.sh file located at DOMAIN_HOME/bin/, and specify the correct values for the following memory arguments:
XMS_SUN_64BIT="256" export XMS_SUN_64BIT XMS_SUN_32BIT="256" export XMS_SUN_32BIT XMX_SUN_64BIT="512" export XMX_SUN_64BIT XMX_SUN_32BIT="512" export XMX_SUN_32BIT XMS_JROCKIT_64BIT="256" export XMS_JROCKIT_64BIT XMS_JROCKIT_32BIT="256" export XMS_JROCKIT_32BIT XMX_JROCKIT_64BIT="512" export XMX_JROCKIT_64BIT XMX_JROCKIT_32BIT="512" export XMX_JROCKIT_32BIT
Note:
For the 64BIT parameters, specify the value that is twice the existing value.For example, if the existing value of XMS_SUN_64BIT="256", edit it as:
XMS_SUN_64BIT="512".
Configure Oracle Mobile Security Suite. This step involves tasks like configuring Access Manager for Oracle Mobile Security Suite, configuring Oracle Mobile Security Manager, installing and configuring Oracle Mobile Security Access Server.
For information about configuring Oracle Mobile Security Suite, see "Configuring Oracle Mobile Security Suite" in the Oracle Installation Guide for Oracle Identity and Access Management.
Update the authentication module LDAPNoPasswordAuthModule to point to the identity store used by the Oracle Mobile Security Access Server. To do this, complete the following steps:
Log in to the Oracle Access Management console using the following URL:
http://oam_host:oam_port/oamconsole
Click Application Security at the top of the window.
In the Application Security console, click Authentication Modules in the Plug-ins section.
In the Search Results list, select for LDAPNoPasswordAuthModule to open its properties page.
On the properties page, update the User Identity Store to point to the OUD user store.
Click Apply to submit the changes and close the Confirmation window.
If your starting point is Access Manager 11.1.2.x.x and if you have configured Oracle Access Management Identity Federation, you must upgrade Oracle Access Management Identity Federation to 11.1.2.3.0 by complete the following steps:
Launch the WebLogic Scripting Tool (WLST) by running the following command from the location ORACLE_HOME/common/bin:
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Connect to the WebLogic Administration Server by running the following command:
connect()
Navigate to the Domain Runtime by running the following command:
domainRuntime()
Upgrade the Oracle Access Management Identity Federation to by running the following command:
upgradeFedSTS111230()
Exit the WLST using the following command:
exit()