This chapter describes how to upgrade Oracle Privileged Account Manager highly available environments to 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.
Note:
If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).For information about automated upgrade procedure, supported starting points and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".
Note:
Before proceeding, check if your existing Oracle Privileged Account Manager version is supported for high availability upgrade. For more information on supported starting points for high availability upgrade, see Section 3.3, "Supported Starting Points for Oracle Identity and Access Management Manual Upgrade".This chapter includes the following sections:
Section 22.1, "Understanding Oracle Privileged Account Manager High Availability Upgrade Topology"
Section 22.3, "Shutting Down all Servers on OPAMHOST1 and OPAMHOST2"
Section 22.10, "Optional: Configuring Oracle Privileged Account Manager Session Manager"
Figure 22-1 shows the Oracle Privileged Account Manager cluster set up that can be upgraded to 11.1.2.3.0 by following the procedure described in this chapter.
Figure 22-1 Oracle Privileged Account Manager High Availability Upgrade Topology
The host OPAMMHOST1
has the following installations:
An Oracle Privileged Account Manager instance in the WLS_OPAM1
Managed Server.
A WebLogic Server Administration Server. Under normal operations, this is the active Administration Server.
The host OPAMMHOST2
has the following installations:
An Oracle Privileged Account Manager instance in the WLS_OPAM2
Managed Server.
A WebLogic Server Administration Server. Under normal operations, this is the passive Administration Server. You make this Administration Server active if the Administration Server on OPAMHOST1
becomes unavailable.
The instances in the WLS_OPAM1
and WLS_OPAM2
Managed Servers on OPAMHOST1
and OPAMHOST2
are configured as the cluster named OPAM_CLUSTER
.
Table 22-1 lists the steps to upgrade Oracle Privileged Account Manager high availability environment illustrated in Figure 22-1 to 11.1.2.3.0.
Table 22-1 Oracle Privileged Account Manager High Availability Upgrade Roadmap
Task No | Task | For More Information |
---|---|---|
1 |
Review the Oracle Privileged Account Manager high availability upgrade topology, and identify |
See, Understanding Oracle Privileged Account Manager High Availability Upgrade Topology |
2 |
Shut down the Administration Server, Oracle Privileged Account Manager Managed Servers, and the Node Manager on |
|
3 |
Back up the Middleware Home, the Oracle Home, and the Database schemas on |
|
4 |
Update the binaries of WebLogic Server and Oracle Privileged Account Manager on |
|
5 |
Upgrade the OPAM and OPSS schema on |
|
6 |
Start the WebLogic Administration Server and all the Managed Servers on |
See, Starting Administration Server, Node Manager, and Managed Servers on OPAMHOST1 and OPAMHOST2 |
7 |
Redeploy the Oracle Privileged Account Manager Console application, Oracle Privileged Account Manager applications, and Oracle Privileged Account Manager Session Manager application on |
|
8 |
Verify the domain upgrade. |
|
9 |
If you are upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.1.0) or 11g Release 2 (11.1.2), and if you wish to configure Oracle Privileged Account Manager session manager, you can do so by running the WLST command This step is optional. |
See, Optional: Configuring Oracle Privileged Account Manager Session Manager |
10 |
If you wish to configure Oracle Privileged Account Manager Console application on the Oracle Privileged Account Manager Managed Servers This step is optional. |
Before you begin the upgrade process, you must stop the WebLogic Administration Server, Oracle Privileged Account Manager Managed Servers, and Node Manager on OPAMHOST1
and OPAMHOST2
in the following order:
Stop the Oracle Privileged Account Manager Managed Servers on both OPAMHOST1
and OPAMHOST2
.
Stop the WebLogic Administration Server on OPAMHOST1
.
Stop the Node Manager on OPAMHOST1
and OPAMHOST2
.
For information about stopping the Managed Server, see Section 24.1.9.1, "Stopping the Managed Server(s)".
For information about stopping the Administration Server, see Section 24.1.9.2, "Stopping the WebLogic Administration Server".
For information about stopping the Node Manager, see Section 24.1.9.3, "Stopping the Node Manager".
After stopping all the servers, you must back up the following before proceeding with the upgrade process:
MW_HOME
directory (Middleware home directory), including the Oracle Home directories inside Middleware home on both OPAMHOST1
and OPAMHOST2
.
Oracle Privileged Account Manager Domain Home directory on both OPAMHOST1
and OPAMHOST2
.
Following Database schemas:
Oracle Privileged Account Manager schema
Oracle Platform Security Services schema
For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.
Oracle Identity and Access Management is certified with Oracle WebLogic Server 10.3.6. Therefore, if you are not using Oracle WebLogic Server 10.3.6, you must upgrade Oracle WebLogic Server to 10.3.6 on OPAMHOST1
and OPAMHOST2
. For information about upgrading Oracle WebLogic Server to 10.3.6, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".
After you upgrade Oracle WebLogic Server to 10.3.6, update the binaries of Oracle Privileged Account Manager to 11.1.2.3.0 on both OPAMHOST1
and OPAMHOST2
using the Oracle Identity and Access Management 11.1.2.3.0 installer. For information about upgrading Oracle Privileged Account Manager binaries, see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".
On OPAMHOST1
, you must upgrade the following schemas by running the Patch Set Assistant:
OPAM schema
OPSS schema - OPSS schema is selected as a dependency when you select OPAM.
For information about upgrading schemas using Patch Set Assistant, see Section 24.1.4, "Upgrading Schemas Using Patch Set Assistant".
After you upgrade the OPAM and OPSS schemas, the version of the OPAM schema will be 11.1.2.3.0.
After upgrading the database schemas on OPAMHOST1
, you must start the WebLogic Administration Server, Node Manager, and the Oracle Privileged Account Manager Managed Servers on OPAMHOST1
and OPAMHOST2
in the following order:
On OPAMHOST1
. start the WebLogic Administration Server, Node Manager, and Oracle Privileged Account Manager Managed Server.
On OPAMHOST2
, start the Node Manager, and the Oracle Privileged Account Manager Managed Server.
For more information about starting the WebLogic Administration Server, see Section 24.1.8.2, "Starting the WebLogic Administration Server".
For more information about starting the Node Manager, see Section 24.1.8.1, "Starting the Node Manager".
For more information about starting the Managed Servers, see Section 24.1.8.3, "Starting the Managed Server(s)".
After you start the servers, you must redeploy Oracle Identity Navigator and Oracle Privileged Account Manager applications on OPAMHOST1
namely oinav.ear
and opam.ear
. You can do this using either the WebLogic Administration console or the WebLogic Scripting Tool (WLST).
For more information about redeploying Oracle Identity Navigator and Oracle Privileged Account Manager applications, see Section 7.9, "Redeploying the Applications".
Verify that the Oracle Privileged Account Manager domain was upgraded successfully by doing the following:
Log in to the Oracle Privileged Account Manager 11.1.2.3.0 console using the following URL:
http://
adminserver_host
:
adminserver_port
/oinav/opam
Verify that the pre-upgrade data, targets, accounts, grants are present, and working as expected.
The Oracle Privileged Account Manager session manager application named opamsessionmgr
was introduced in 11.1.2.2.0. If you are upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.1.0) or 11g Release 2 (11.1.2), and if want to configure the Oracle Privileged Account Manager session manager application, you must run the WebLogic Scripting Tool (WLST) command configureSessionManager.py
on OPAMHOST1
, and target it to the OPAM_CLUSTER
.
For more information about configuring Oracle Privileged Account Manager session manager, see Section 7.13, "Optional: Configuring the Oracle Privileged Account Manager 11.1.2.3.0 Session Manager".
After you configure Oracle Privileged Account Manager session manager, start all the servers on OPAMHOST1
and OPAMHOST2
. For more information about starting all the servers, see Starting Administration Server, Node Manager, and Managed Servers on OPAMHOST1 and OPAMHOST2.
If you wish to configure Oracle Privileged Account Manager console application on the Oracle Privileged Account Manager Managed Servers WLS_OPAM1
and WLS_OPAM2
in order to achieve high availability use cases for the Oracle Privileged Account Manager console, complete the steps described in Section 7.14, "Optional: Configuring Oracle Privileged Account Manager Console Application on OPAM Managed Server".
After you complete the upgrade, start all the servers on OPAMHOST1
and OPAMHOST2
. For more information about starting all the servers, see Starting Administration Server, Node Manager, and Managed Servers on OPAMHOST1 and OPAMHOST2.
To verify the upgrade, follow the instructions described in Section 7.15, "Verifying the Oracle Privileged Account Manager Upgrade".