This chapter describes how to upgrade your existing Oracle Entitlements Server 11g Release 1 (11.1.1.5.0) environment to Oracle Entitlements Server 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.
Note:
If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0). For information about the automated upgrade procedure, supported starting points and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".
This chapter includes the following sections:
Section 15.1, "Upgrading Oracle Entitlements Server Administration Server"
Section 15.2, "Upgrading Oracle Entitlements Server Client Server"
This section contains the following topics:
Section 15.1.1, "Upgrade Roadmap for Oracle Entitlements Server Administration Server"
Section 15.1.3, "Shutting Down Administration Server and Managed Servers"
Section 15.1.4, "Backing Up Oracle Entitlements Server 11g Release 1 (11.1.1.5.0)"
Section 15.1.5, "Upgrading Oracle WebLogic Server to 10.3.6"
Section 15.1.7, "Creating Oracle Platform Security Service Schema"
Section 15.1.9, "Creating New Oracle Entitlements Server Domain"
Section 15.1.13, "Upgrading Oracle Platform Security Services"
Section 15.1.14, "Starting the Administration Server and Oracle Entitlements Server Managed Servers"
Note:
If you do not follow the exact sequence provided in this task table, your Oracle Entitlements Server Administration Server upgrade may not be successful.
Table 15-1 lists the steps to upgrade Oracle Entitlements Server Administration Server.
Task No. | Task | For More Information
---|---|---
1 | Review system requirements and certifications. |
2 | Shut down all servers. This includes both Administration Server and Managed Servers. | See Shutting Down Administration Server and Managed Servers
3 | Back up your environment. | See Backing Up Oracle Entitlements Server 11g Release 1 (11.1.1.5.0)
4 | Upgrade Oracle WebLogic Server 10.3.5 to Oracle WebLogic Server 10.3.6. |
5 | Upgrade 11.1.1.5.0 Oracle Home to 11.1.2.3.0. | See Upgrading Oracle Entitlements Server Administration Server 11g Release 2 (11.1.2.3.0)
6 | Create new Oracle Platform Security Services schema. |
8 | Execute R2_Upgrade.sql |
9 | Create new Oracle Entitlements Server domain. |
10 | Using the |
11 | Run the |
12 | Delete all the |
13 | Upgrade Oracle Platform Security Services. |
14 | Start the Administration Server and Oracle Entitlements Server Managed Servers. | See Starting the Administration Server and Oracle Entitlements Server Managed Servers
15 | Redeploy APM. | See Redeploying APM
16 | Verify the Oracle Entitlements Server upgrade. |
Before you begin with the upgrade, you must complete the following prerequisites:
Review the Oracle Fusion Middleware System Requirements and Specifications and Oracle Fusion Middleware Supported System Configurations documents to ensure that your system meets the minimum requirements for the products you are installing or upgrading to. For more information see Section 24.1.1, "Verifying Certification, System Requirements, and Interoperability".
Ensure that you are using a Java Development Kit (JDK) version that is supported and certified with Oracle Identity and Access Management 11.1.2.3.0.
You can verify the required JDK version by reviewing the certification information on the Oracle Fusion Middleware Supported System Configurations page.
The JDK can be downloaded from the Java SE Development Kit 7 Downloads page on Oracle Technology Network (OTN).
Note:
For more information about JDK version requirements, see the "Oracle WebLogic Server and JDK Considerations" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.
The upgrade process involves changes to the binaries and to the schema. Therefore, before you begin the upgrade process, you must shut down the Administration Server and Managed Servers.
For information about stopping the servers, see "Stopping the Servers".
You must back up your Oracle Entitlements Server 11.1.1.5.0 environment before you upgrade to Oracle Entitlements Server 11.1.2.3.0.
After stopping the servers, back up the following:
MW_HOME directory, including the Oracle Home directories inside Middleware Home
Domain Home directory
Oracle Entitlements Server schemas
Oracle Identity and Access Management 11.1.2.3.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Entitlements Server environment is using Oracle WebLogic Server 10.3.5 or any earlier version, you must upgrade it to Oracle WebLogic Server 10.3.6.
Note:
If you are already using Oracle WebLogic Server 10.3.6, ensure that you apply the mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6. To identify the required patches that you must apply for Oracle WebLogic Server 10.3.6, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.
The patches listed in the release notes are available from My Oracle Support. The patching instructions are in the README.txt file that is provided with each patch.
Note:
If you upgrade Oracle WebLogic Server from 10.3.5 to 10.3.6, weblogic.policy will be overwritten. Hence, you must back up and restore some of the policies in weblogic.policy.
After the upgrade procedure, add the following WebLogic Server SM policy:
grant codeBase "file:${oes.client.home}/-" { permission java.security.AllPermission; };
In addition, if you had added any policies in 11.1.1.5.0, these policies must be backed up and restored after upgrading to 11.1.2.3.0.
For information about upgrading to Oracle WebLogic Server 10.3.6, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".
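The backup and restore of weblogic.policy described in the note above can be scripted rather than done by eye. The following Python helpers are an added example, not part of this chapter and not an Oracle tool: they copy weblogic.policy to a timestamped backup before the WebLogic Server upgrade, list the grant blocks from the backup that the upgrade overwrote (the 11.1.1.5.0 policies you must restore), and append the Security Module grant quoted above when it is missing. The two sample policy texts are constructed, and the regular expression assumes the standard weblogic.policy layout in which "};" appears only at the end of a grant block.

```python
"""Added example (not part of the Oracle chapter and not an Oracle tool):
back up weblogic.policy before the 10.3.5 -> 10.3.6 upgrade, report grant
blocks the upgrade overwrote, and append the OES Security Module grant."""
from __future__ import annotations

import re
import shutil
import time
from pathlib import Path

# Grant block the chapter says to add after the WebLogic Server upgrade.
OES_SM_GRANT = (
    'grant codeBase "file:${oes.client.home}/-" '
    "{ permission java.security.AllPermission; };"
)

# A grant block runs from the keyword "grant" to the first "};" that closes it.
# Assumption: the standard weblogic.policy layout, where "};" occurs only at
# the end of a grant block.
GRANT_BLOCK = re.compile(r"grant\b.*?\};", re.DOTALL)


def normalize(block: str) -> str:
    """Collapse whitespace so blocks compare equal regardless of formatting."""
    return re.sub(r"\s+", " ", block).strip()


def grant_blocks(policy_text: str) -> list[str]:
    """Return the normalized grant blocks found in a weblogic.policy body."""
    return [normalize(m.group(0)) for m in GRANT_BLOCK.finditer(policy_text)]


def missing_grants(backup_text: str, upgraded_text: str) -> list[str]:
    """Grant blocks in the pre-upgrade backup that are absent after the upgrade.

    These are the 11.1.1.5.0 policies that must be restored by hand."""
    present = set(grant_blocks(upgraded_text))
    return [b for b in grant_blocks(backup_text) if b not in present]


def ensure_oes_sm_grant(policy_text: str) -> tuple[str, bool]:
    """Append the OES Security Module grant unless it is already present.

    Returns the (possibly updated) text and whether it was changed."""
    if normalize(OES_SM_GRANT) in grant_blocks(policy_text):
        return policy_text, False
    if policy_text and not policy_text.endswith("\n"):
        policy_text += "\n"
    return policy_text + "\n" + OES_SM_GRANT + "\n", True


def backup_policy_file(policy_path: Path) -> Path:
    """Copy weblogic.policy to a timestamped sibling before the WLS upgrade."""
    stamp = time.strftime("%Y%m%d-%H%M%S")
    backup = policy_path.with_name(f"{policy_path.name}.{stamp}.bak")
    shutil.copy2(policy_path, backup)
    return backup


# Constructed sample policy texts (not taken from a real installation).
SAMPLE_BACKUP = """// weblogic.policy before the WLS update (constructed sample)
grant codeBase "file:${wls.home}/-" {
  permission java.security.AllPermission;
};
grant codeBase "file:/opt/custom/app/-" {
  permission java.util.PropertyPermission "*", "read";
};
"""

SAMPLE_UPGRADED = """// weblogic.policy rewritten by the 10.3.6 installer (constructed sample)
grant codeBase "file:${wls.home}/-" {
  permission java.security.AllPermission;
};
"""

if __name__ == "__main__":
    for block in missing_grants(SAMPLE_BACKUP, SAMPLE_UPGRADED):
        print("restore by hand:", block)
    updated, added = ensure_oes_sm_grant(SAMPLE_UPGRADED)
    print("OES SM grant added:", added)
    print(updated)
```

In a real run you would call backup_policy_file() on the domain's weblogic.policy before launching the 10.3.6 installer, then feed the backup and the rewritten file to missing_grants() and ensure_oes_sm_grant() and write the result back. Comparing normalized blocks rather than raw lines means a grant reformatted by the installer is not reported as missing.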
To upgrade Oracle Entitlements Server Administration Server, you must use the Oracle Identity and Access Management 11.1.2.3.0 Installer. During the procedure, point the Middleware Home to your existing 11.1.1.5.0 Middleware Home. Your Oracle Home is upgraded from 11.1.1.5.0 to 11.1.2.3.0.
For information about upgrading Oracle Entitlements Server Administration Server 11g Release 1 (11.1.1.5.0), see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".
Note:
You must perform the following task only if your policy store is a database.
The Oracle Entitlements Server 11.1.1.5.0 schema is bound with APM. From the Oracle Entitlements Server 11.1.2 release onwards, the Oracle Entitlements Server security store relies on the Oracle Platform Security Services database. To access the Oracle Platform Security Services database, you must create the OPSS schema.
To create Oracle Platform Security Store (OPSS) schema, run the Repository Creation utility (RCU) 11.1.1.9.0. For more information, see "Creating Schemas" in the Oracle Fusion Middleware Repository Creation Utility User's Guide.
Complete the following steps to migrate data from old store to new store.
Log in to the database as SYS.
Go to the following path:
On UNIX:
<IAM_HOME>/oes/upgrade/sql
ON Windows:
<IAM_HOME>\oes\upgrade\sql
Run the following SQL script. Note that when you run this script, you must provide the 11.1.2.3.0 opss schema and 11.1.1.x.x APM schema details.
R2_Upgrade.sql
This SQL script copies the user data from Oracle Entitlements Server 11.1.1.5.0 to Oracle Platform Security Services.
Note:
To execute the R2_Upgrade.sql script, you need to install a database client, or execute the script on another computer that has a database client installed.
Oracle Entitlements Server 11.1.2.3.0 Administration applications require a JRF domain, but Oracle Entitlements Server 11.1.1.5.0 does not support JRF. Therefore, to deploy Oracle Entitlements Server 11.1.2.3.0 applications, you must create a new Oracle Entitlements Server domain.
For more information, see "Configuring Oracle Entitlements Server in a New WebLogic Domain" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
Credential data are encrypted and stored in the database. The encryption key is domain specific. Since you are moving to Oracle Entitlements Server 11.1.2.3.0 domain from Oracle Entitlements Server 11.1.1.5.0 domain, you must export the key to a keyfile and then import the key to the Oracle Entitlements Server 11.1.2.3.0 domain.
You must run the exportEncryptionKey() command to extract the encryption key from the Oracle Entitlements Server 11.1.1.5.0 domain's bootstrap wallet.
Run the following command:
On UNIX:
Move from your present working directory to the <MW_HOME>/oracle_common/common/bin directory by running the following command on the command line:
cd <MW_HOME>/oracle_common/common/bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
./wlst.sh
At the WLST prompt, run the following command:
exportEncryptionKey(jpsConfigFile="<domaindir>/config/fmwconfig/jps-config.xml",keyFilePath="/tmp/key",keyFilePassword="<password>")
where
<domaindir>
is the complete path of the Oracle Entitlements Server 11.1.1.5.0 domain location.
<password>
is the key file password.
On Windows:
Move from your present working directory to the <MW_HOME>\oracle_common\common\bin directory by running the following command on the command line:
cd <MW_HOME>\oracle_common\common\bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
wlst.cmd
At the WLST prompt, run the following command:
exportEncryptionKey(jpsConfigFile="<domaindir>\config\fmwconfig\jps-config.xml",keyFilePath="C:\\tmp\key",keyFilePassword="<password>")
Where
<domaindir>
is the complete path of the Oracle Entitlements Server 11.1.1.5.0 domain location.
<password>
is the key file password.
You must re-associate policy stores so that the Oracle Entitlements Server 11.1.2.3.0 domain takes up the security store that is based on the Oracle Platform Security Services schema. Run the configureSecurityStore.py script to re-associate policy stores as follows:
If the policy store in 11.1.1.5.0 is DB, perform the following steps to re-associate to DB based policy store and import the encryption key to the 11.1.2.3.0 domain.
On UNIX:
Run the following WLST command:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m join -j <OES_11.1.1.5.0 jpsroot> -f <OES_11.1.1.5.0 farmname> -p <OPSS schema password> -t <policy store type> -k <keyFilePath> -w <keyFilePassword> --create_diagnostic_data
For example:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_HOME>/user_projects/domains/<oes_domain> -m join -j cn=jpsroot -f <oes_domain> -p welcome1 -t DB_ORACLE -k /tmp/key -w myKeyPwd --create_diagnostic_data
On Windows:
Run the following WLST command:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -m join -j <OES 11.1.1.5.0 jpsroot> -f <OES 11.1.1.5.0 farmname> -p <OPSS schema password> -t <policy store type> -k <keyFilePath> -w <keyFilePassword> --create_diagnostic_data
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_HOME>\user_projects\domains\<oes_domain> -m join -j cn=jpsroot -f oes_domain -p welcome1 -t DB_ORACLE -k C:\\tmp\key -w myKeyPwd --create_diagnostic_data
Note:
For help on the command, run the following:
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -help
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -help
Table 15-2 describes the parameters you need to specify on the command line.
Table 15-2 Parameters for Reassociating Policy Stores
Parameter | Description
---|---
 | Specify the absolute path to the Oracle Middleware home. For example: On UNIX: On Windows:
 | Specify the absolute path to the Oracle Identity and Access Manager Home. For example: On UNIX: On Windows:
 | Specify the path to the Identity and Access Manager's domain location. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the
 | The following are the two options available for the argument
 | Specify the password of the OPSS schema.
 | Specify the policy store type. For example:
 | Specify the path to the
 | Specify the
If the policy store in 11.1.1.5.0 is OID, perform the following steps to re-associate to OID based policy store and import the encryption key to the 11.1.2.3.0 domain:
Remove the py.class files from the oracle_common directory by running the following command from the MW_HOME/oracle_common location:
find . -name "*py*class" | xargs rm
Run the following WLST command to re-associate the policy store:
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -m join -j cn=reassociate_r1ps1_oes_domain -f <OES_11.1.1.5.0 farmname> -t OID -a cn=orcladmin -p <OPSS schema password> -l ldap://oim.example.com:18686 --create_diagnostic_data
For example:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <MW_HOME>/user_projects/domains/<oes_domain> -m join -j cn=jpsroot -f <oes_domain> -t OID -a cn=orcladmin -p welcome1 -l ldap://oim.example.com:18686 --create_diagnostic_data
On Windows:
Run the following WLST command:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -m join -j cn=reassociate_r1ps1_oes_domain -f <OES 11.1.1.5.0 farmname> -t OID -a cn=orcladmin -p <OPSS schema password> -l ldap://oim.example.com:18686 --create_diagnostic_data
For example:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <MW_HOME>\user_projects\domains\<oes_domain> -m join -j cn=jpsroot -f oes_domain -t OID -a cn=orcladmin -p welcome1 -l ldap://oim.example.com:18686 --create_diagnostic_data
Note:
For help on the command, run the following:
On UNIX:
<MW_HOME>/oracle_common/common/bin/wlst.sh <IAM_HOME>/common/tools/configureSecurityStore.py -d <domaindir> -help
On Windows:
<MW_HOME>\oracle_common\common\bin\wlst.cmd <IAM_HOME>\common\tools\configureSecurityStore.py -d <domaindir> -help
Table 15-3 describes the parameters you need to specify on the command line.
Table 15-3 Parameters for Reassociating Policy Stores
Parameter | Description
---|---
 | Specify the path to the Oracle Identity and Access Manager's Middleware Home. For example: On UNIX: On Windows:
 | Specify the path to the Oracle Identity and Access Manager Home. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the
 | Specify the path to the Identity and Access Manager's domain location. The following example shows the complete path: On UNIX, it is located in the On Windows, it is located in the
 | The following are the two options available for the argument
 | Specify the password of the OPSS schema.
 | Specify the path to the
 | Specify the security store farm name.
 | Specify the distinguished name of
 | Specify the policy store type. For example:
 | Specify the administrator username for OID.
 | Specify the URL for OID.
Delete all the files with the postfix py.class in the newly installed Oracle Entitlements Server home.
After you upgrade schemas, you must upgrade Oracle Platform Security Services (OPSS) of the new Oracle Entitlements Server domain.
Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Entitlements Server to 11.1.2.3.0. It upgrades the jps-config.xml file and the policy stores.
For information about upgrading Oracle Platform Security Services, see Section 24.1.7, "Upgrading Oracle Platform Security Services".
After the upgrade is complete, start the WebLogic Administration Server, the Administration Server for the domain that contains Oracle Entitlements Server, and the Oracle Entitlements Server Managed Server. For more information, see Section 24.1.8, "Starting the Servers".
To get the latest APM policies into the policy store, you must redeploy the APM applications.
Complete the following steps to redeploy APM:
On UNIX:
Move from your present working directory to the <MW_HOME>/wlserver_10.3/common/bin directory by running the following command on the command line:
cd <MW_HOME>/wlserver_10.3/common/bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
./wlst.sh
Connect to the Administration Server using the following command:
connect('weblogic-username','weblogic-password','weblogic-url')
At the WLST prompt, run the following command:
redeploy(appName='oracle.security.apm')
Exit the WLST console using the exit()
command.
On Windows:
Move from your present working directory to the <MW_HOME>\wlserver_10.3\common\bin directory by running the following command on the command line:
cd <MW_HOME>\wlserver_10.3\common\bin
Run the following command to launch the WebLogic Scripting Tool (WLST):
wlst.cmd
Connect to the Administration Server using the following command:
connect('weblogic-username','weblogic-password','weblogic-url')
At the WLST prompt, run the following command:
<domaindir>\serverConfig\redeploy(appName='oracle.security.apm')
where
<domaindir>
is the complete path to the Oracle Entitlements Server 11.1.2.3.0 domain.
For example:
<MW_HOME>\user_projects\domains\<oes_domain>\serverConfig\redeploy(appName='oracle.security.apm')
Exit the WLST console using the exit()
command.
To verify the Oracle Entitlements Server upgrade, do the following:
Log in to the LDAP server or the database and verify the schema version in the Policy Store. The OPSS schema version should be 11.1.1.9.0.
The application MAPI works with both old and new functionality.
Create a new policy to see if CRUD operations on the policy store artifacts, using their entity managers, are working.
For more information, see "Creating Fine Grained Elements for a Simple Policy" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server.
The Application Runtime Authorization continues working.
To verify, create an authorization, as mentioned in "Using the PEP API" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server, and see if it works correctly.
This section contains the following topics:
Section 15.2.1, "Upgrade Roadmap for Oracle Entitlements Server Client Server"
Section 15.2.3, "Upgrading Oracle Entitlements Server Client 11g Release 2 (11.1.2.3.0)"
Section 15.2.4, "Changing Username and Password for the New Schemas"
Note:
If you do not follow the exact sequence provided in this task table, your Oracle Entitlements Server Client Server upgrade may not be successful.
Table 15-4 lists the steps for upgrading Oracle Entitlements Server Client Server.
Sl. No. | Task | For More Information
---|---|---
1 | Shut down all security modules. This includes shutting down the Administration Server and Managed Servers too. |
2 | Upgrade 11.1.1.5.0 Oracle Home to 11.1.2.3.0. | See Upgrading Oracle Entitlements Server Client 11g Release 2 (11.1.2.3.0)
3 | Change the username and password. |
4 | Start the security modules. |
5 | Verify the Oracle Entitlements Server Client Server upgrade. |
Bring down all security module instances, Administration Server, and Managed Servers.
The security module instances shut down when the Administration Server and Managed Servers are shut down.
To stop the servers, see Section 15.1.3, "Shutting Down Administration Server and Managed Servers".
To upgrade Oracle Entitlements Server Client Server, you must use the 11.1.2.3.0 installer. During the procedure, point the Middleware Home to your existing 11.1.1.5.0 Oracle Entitlements Server Middleware Home. This upgrades your Middleware Home and Oracle Home from 11.1.1.5.0 to 11.1.2.3.0.
You must install and configure Oracle Entitlements Server Administration Server, as described in Section 15.1.6, "Upgrading Oracle Entitlements Server Administration Server 11g Release 2 (11.1.2.3.0)".
For more information on obtaining Oracle Fusion Middleware 11g software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
For more information on installing Oracle Entitlements Server Client Server 11.1.2.3.0, see "Installing Oracle Entitlements Server Client" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
To verify that your Oracle Entitlements Server Client install was successful, go to your Oracle Home directory which you specified during installation and verify that the Oracle Entitlements Server Client installation files are created.
If the Oracle Entitlements Server client is running in controlled-pull mode or in uncontrolled mode, the jps-config.xml of the Security Module instance must be changed to reflect the schema changes made during the Administration Server upgrade.
Before running the oessmconfig.sh command, you need to modify the jps-config.xml of the controlled-pull or uncontrolled security module.
Note:
For Java, RMI and Web Service security modules, jps-config.xml is located at:
<OES_CLIENT_HOME>/oes_sm_instances/<SM_NAME>/config
For the Oracle WebLogic Server security module, jps-config.xml is located at:
<WLS_DOMAIN_HOME>/config/oeswlssmconfig/<SERVER_NAME>
Note:
For the controlled-push security module, you do not have to add any parameters to the pdp.service instance.
Controlled-Pull Security Module
For the controlled-pull security module, add the following to the pdp.service instance:
<property name="oracle.security.jps.runtime.pd.client.SMinstanceType" value="<sm_type>"/>
Replace "<sm_type>" with the actual type.
For example:
"java"
For the uncontrolled security module, add the following to the pdp.service instance:
<property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="non-controlled"/>
<property name="oracle.security.jps.runtime.pd.client.sm_name" value="<sm_name>"/>
<property name="oracle.security.jps.runtime.pd.client.SMinstanceType" value="<sm_type>"/>
Replace "<sm_name>" and "<sm_type>" with the actual values.
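Editing the pdp.service instance by hand for every Security Module instance is error-prone, so the following Python script is an added example that applies the three cases above (controlled-push: nothing to add; controlled-pull: SMinstanceType only; uncontrolled: policyDistributionMode, sm_name and SMinstanceType). It is not Oracle code and not the oessmconfig tool. It assumes that jps-config.xml holds the instance as a serviceInstance element named pdp.service with property children; the sample file fragment and the sm_name value used below are constructed. Where a property already exists its value is replaced rather than duplicated, which is the behaviour a practitioner wants when the file already carries a policyDistributionMode setting.

```python
"""Added example (not Oracle code and not the oessmconfig tool): set the
pdp.service properties in a Security Module's jps-config.xml for the policy
distribution mode described in the chapter. Assumed layout: the instance is a
serviceInstance element with name="pdp.service" and property children."""
from __future__ import annotations

import xml.etree.ElementTree as ET

PD_PREFIX = "oracle.security.jps.runtime.pd.client."
MODE_PROP = PD_PREFIX + "policyDistributionMode"
SM_NAME_PROP = PD_PREFIX + "sm_name"
SM_TYPE_PROP = PD_PREFIX + "SMinstanceType"


def _local(tag: str) -> str:
    """Tag name without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def _namespace(tag: str) -> str:
    """Namespace URI of a tag, or "" when the tag has none."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def find_service_instance(root: ET.Element, name: str) -> ET.Element:
    """Return the serviceInstance element with the given name."""
    for el in root.iter():
        if _local(el.tag) == "serviceInstance" and el.get("name") == name:
            return el
    raise ValueError(f"serviceInstance {name!r} not found in jps-config.xml")


def set_property(instance: ET.Element, name: str, value: str) -> None:
    """Set a property on the instance, replacing an existing value if present
    so that the file never ends up with duplicate property names."""
    for prop in instance:
        if _local(prop.tag) == "property" and prop.get("name") == name:
            prop.set("value", value)
            return
    ns = _namespace(instance.tag)
    ET.SubElement(instance, f"{{{ns}}}property" if ns else "property",
                  name=name, value=value)


def configure_pdp_service(xml_text: str, mode: str,
                          sm_name: str | None = None,
                          sm_type: str | None = None) -> str:
    """Return jps-config.xml text with pdp.service set up for `mode`."""
    root = ET.fromstring(xml_text)
    ns = _namespace(root.tag)
    if ns:
        # Keep the default namespace on output instead of an ns0: prefix.
        ET.register_namespace("", ns)
    pdp = find_service_instance(root, "pdp.service")
    if mode == "controlled-push":
        pass  # per the chapter, nothing to add for controlled-push
    elif mode == "controlled-pull":
        if not sm_type:
            raise ValueError("controlled-pull needs sm_type")
        set_property(pdp, SM_TYPE_PROP, sm_type)
    elif mode == "non-controlled":
        if not (sm_name and sm_type):
            raise ValueError("non-controlled needs sm_name and sm_type")
        set_property(pdp, MODE_PROP, "non-controlled")
        set_property(pdp, SM_NAME_PROP, sm_name)
        set_property(pdp, SM_TYPE_PROP, sm_type)
    else:
        raise ValueError(f"unknown policy distribution mode {mode!r}")
    return ET.tostring(root, encoding="unicode")


def pdp_properties(xml_text: str) -> dict[str, str]:
    """Read back the pdp.service properties, for verification."""
    pdp = find_service_instance(ET.fromstring(xml_text), "pdp.service")
    return {p.get("name"): p.get("value")
            for p in pdp if _local(p.tag) == "property"}


# Constructed sample jps-config.xml fragment; the instance content is made up.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="pdp.service" provider="pdp.service.provider">
      <property name="oracle.security.jps.runtime.pd.client.policyDistributionMode" value="controlled-push"/>
      <property name="oracle.security.jps.runtime.pd.client.sm_name" value="old-sm"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""

if __name__ == "__main__":
    print(configure_pdp_service(SAMPLE_JPS_CONFIG, "non-controlled",
                                sm_name="sm-java-1", sm_type="java"))
```

Run it against the real file by reading the path from the note above into configure_pdp_service() and writing the returned text back, after taking a copy of the original; pdp_properties() on the written file gives a quick check before you run oessmconfig.sh.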
Do the following to change the username and password of the new schemas:
Go to the following path:
On UNIX, <CLIENT_HOME>/oesclient/oessm/enroll/bin
On Windows, <CLIENT_HOME>\oesclient\oessm\enroll\bin
Run the following command:
On UNIX:
./oessmconfig.sh -jpsconfig <path to the jps-config.xml>
On Windows:
oessmconfig.cmd -jpsconfig <path to the jps-config.xml>
A graphical user interface is displayed. See Figure 15-1.
Click SM Configuration.
Click the Policy Store sub-tab.
Enter the new schema user name and password.
Click Test Connection.
When you get the successful security module test message, click Save & Close.
You must start the security modules by starting the Administration Server and Managed Servers.
To start the servers, see Section 15.1.14, "Starting the Administration Server and Oracle Entitlements Server Managed Servers".
Note:
When starting the Oracle Service Bus Security Module, you must use the parameter -Doracle.oes.osbresource.converter.distinguishtransportprivilege=false while running the script.
The Application Runtime Authorization continues working.
To verify, create an authorization, as mentioned in "Using the PEP API" in the Oracle Fusion Middleware Developer's Guide for Oracle Entitlements Server, and see if it works correctly.