22 Upgrading Oracle Privileged Account Manager Highly Available Environments

This chapter describes how to upgrade Oracle Privileged Account Manager highly available environments to 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.

Note:

If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).

For information about the automated upgrade procedure, supported starting points, and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".

Note:

Before proceeding, check if your existing Oracle Privileged Account Manager version is supported for high availability upgrade. For more information on supported starting points for high availability upgrade, see Section 3.3, "Supported Starting Points for Oracle Identity and Access Management Manual Upgrade".

22.1 Understanding Oracle Privileged Account Manager High Availability Upgrade Topology

Figure 22-1 shows the Oracle Privileged Account Manager cluster setup that can be upgraded to 11.1.2.3.0 by following the procedure described in this chapter.

Figure 22-1 Oracle Privileged Account Manager High Availability Upgrade Topology

The host OPAMHOST1 has the following installations:

  • An Oracle Privileged Account Manager instance in the WLS_OPAM1 Managed Server.

  • A WebLogic Server Administration Server. Under normal operations, this is the active Administration Server.

The host OPAMHOST2 has the following installations:

  • An Oracle Privileged Account Manager instance in the WLS_OPAM2 Managed Server.

  • A WebLogic Server Administration Server. Under normal operations, this is the passive Administration Server. You make this Administration Server active if the Administration Server on OPAMHOST1 becomes unavailable.

The instances in the WLS_OPAM1 and WLS_OPAM2 Managed Servers on OPAMHOST1 and OPAMHOST2 are configured as the cluster named OPAM_CLUSTER.

22.2 Upgrade Roadmap

Table 22-1 lists the steps to upgrade the Oracle Privileged Account Manager high availability environment illustrated in Figure 22-1 to 11.1.2.3.0.

Table 22-1 Oracle Privileged Account Manager High Availability Upgrade Roadmap

| Task No | Task | For More Information |
|---|---|---|
| 1 | Review the Oracle Privileged Account Manager high availability upgrade topology, and identify OPAMHOST1 and OPAMHOST2 on your setup. | See "Understanding Oracle Privileged Account Manager High Availability Upgrade Topology" |
| 2 | Shut down the Administration Server, Oracle Privileged Account Manager Managed Servers, and the Node Manager on OPAMHOST1 and OPAMHOST2. | See "Shutting Down all Servers on OPAMHOST1 and OPAMHOST2" |
| 3 | Back up the Middleware Home, the Oracle Home, and the Database schemas on OPAMHOST1 and OPAMHOST2. | See "Backing Up the Existing Environment" |
| 4 | Update the binaries of WebLogic Server and Oracle Privileged Account Manager on OPAMHOST1 and OPAMHOST2. | See "Updating Binaries of WebLogic Server and Oracle Privileged Account Manager on OPAMHOST1 and OPAMHOST2" |
| 5 | Upgrade the OPAM and OPSS schema on OPAMHOST1 by running the Patch Set Assistant. | See "Upgrading Database Schemas on OPAMHOST1" |
| 6 | Start the WebLogic Administration Server and all the Managed Servers on OPAMHOST1 and OPAMHOST2. | See "Starting Administration Server, Node Manager, and Managed Servers on OPAMHOST1 and OPAMHOST2" |
| 7 | Redeploy the Oracle Privileged Account Manager Console application, Oracle Privileged Account Manager applications, and Oracle Privileged Account Manager Session Manager application on OPAMHOST1. | See "Redeploying Applications on OPAMHOST1" |
| 8 | Verify the domain upgrade. | See "Verifying the Domain Upgrade" |
| 9 | If you are upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.1.0) or 11g Release 2 (11.1.2), and you wish to configure Oracle Privileged Account Manager session manager, you can do so by running the WLST command configureSessionManager.py and targeting it to the OPAM_CLUSTER. This step is optional. | See "Optional: Configuring Oracle Privileged Account Manager Session Manager" |
| 10 | If you wish to configure the Oracle Privileged Account Manager Console application on the Oracle Privileged Account Manager Managed Servers WLS_OPAM1 and WLS_OPAM2, you can do so by running the WLST script configureOPAMConsole.py on OPAMHOST1. This step is optional. | See "Optional: Configuring Oracle Privileged Account Manager Console Application on WLS_OPAM1 and WLS_OPAM2" |


22.3 Shutting Down all Servers on OPAMHOST1 and OPAMHOST2

Before you begin the upgrade process, you must stop the WebLogic Administration Server, Oracle Privileged Account Manager Managed Servers, and Node Manager on OPAMHOST1 and OPAMHOST2 in the following order:

  1. Stop the Oracle Privileged Account Manager Managed Servers on both OPAMHOST1 and OPAMHOST2.

  2. Stop the WebLogic Administration Server on OPAMHOST1.

  3. Stop the Node Manager on OPAMHOST1 and OPAMHOST2.

For information about stopping the Managed Server, see Section 24.1.9.1, "Stopping the Managed Server(s)".

For information about stopping the Administration Server, see Section 24.1.9.2, "Stopping the WebLogic Administration Server".

For information about stopping the Node Manager, see Section 24.1.9.3, "Stopping the Node Manager".
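
Before moving on to the backup, it helps to confirm on each host that the shutdown actually completed. The script below is an added example, not part of Oracle's documentation: it assumes a UNIX-like host, that WebLogic JVMs are identifiable by the `weblogic.Server` and `weblogic.NodeManager` main classes and the `-Dweblogic.Name=` argument, and that any server not named `WLS_OPAM*` is the Administration Server. The process list it runs on is constructed sample data.

```shell
#!/bin/sh
# Added example: confirm the shutdown order in Section 22.3 has completed.
# Assumptions: UNIX-like host; WebLogic JVMs show the main class
# weblogic.Server or weblogic.NodeManager and -Dweblogic.Name=<server>.
# Reads `ps -eo pid,args` lines on stdin; prints "<kind> <name> <pid>".
list_wls_procs() {
    awk '
    / weblogic\.NodeManager( |$)/ { print "nodemanager", "-", $1; next }
    / weblogic\.Server( |$)/ {
        name = "unknown"
        for (i = 2; i <= NF; i++)
            if ($i ~ /^-Dweblogic\.Name=/) {
                name = $i
                sub(/^-Dweblogic\.Name=/, "", name)
            }
        # Assumption: any server not named WLS_OPAM* is the Administration Server.
        kind = (name ~ /^WLS_OPAM/) ? "managed" : "admin"
        print kind, name, $1
    }'
}

# Returns 0 only when nothing is running; otherwise lists what remains,
# in the stop order the section gives: managed, admin, node manager.
check_all_stopped() {
    procs=$(list_wls_procs)
    if [ -z "$procs" ]; then
        echo "OK: no WebLogic JVMs running"
        return 0
    fi
    for kind in managed admin nodemanager; do
        printf '%s\n' "$procs" |
            awk -v k="$kind" '$1 == k { print "STILL RUNNING", $1, $2, "(pid " $3 ")" }'
    done
    return 1
}

# Constructed sample of `ps -eo pid,args` output (not from a real host).
sample_ps() {
    cat <<'EOF'
  PID COMMAND
 4211 /usr/java/bin/java -server -Dweblogic.Name=WLS_OPAM1 weblogic.Server
 4302 /usr/java/bin/java -Dweblogic.Name=AdminServer weblogic.Server
 4410 /usr/java/bin/java -Xms128m weblogic.NodeManager -v
 5120 /usr/sbin/sshd -D
EOF
}

sample_ps | check_all_stopped || echo "Do not start the backup yet."
```

On a real host, pipe the live process list in instead: `ps -eo pid,args | check_all_stopped`, once on OPAMHOST1 and once on OPAMHOST2.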

22.4 Backing Up the Existing Environment

After stopping all the servers, you must back up the following before proceeding with the upgrade process:

  • MW_HOME directory (Middleware home directory), including the Oracle Home directories inside Middleware home on both OPAMHOST1 and OPAMHOST2.

  • Oracle Privileged Account Manager Domain Home directory on both OPAMHOST1 and OPAMHOST2.

  • The following database schemas:

    • Oracle Privileged Account Manager schema

    • Oracle Platform Security Services schema

    For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.

22.5 Updating Binaries of WebLogic Server and Oracle Privileged Account Manager on OPAMHOST1 and OPAMHOST2

Oracle Identity and Access Management is certified with Oracle WebLogic Server 10.3.6. Therefore, if you are not using Oracle WebLogic Server 10.3.6, you must upgrade Oracle WebLogic Server to 10.3.6 on OPAMHOST1 and OPAMHOST2. For information about upgrading Oracle WebLogic Server to 10.3.6, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".

After you upgrade Oracle WebLogic Server to 10.3.6, update the binaries of Oracle Privileged Account Manager to 11.1.2.3.0 on both OPAMHOST1 and OPAMHOST2 using the Oracle Identity and Access Management 11.1.2.3.0 installer. For information about upgrading Oracle Privileged Account Manager binaries, see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".

22.6 Upgrading Database Schemas on OPAMHOST1

On OPAMHOST1, you must upgrade the following schemas by running the Patch Set Assistant:

  • OPAM schema

  • OPSS schema - OPSS schema is selected as a dependency when you select OPAM.

For information about upgrading schemas using Patch Set Assistant, see Section 24.1.4, "Upgrading Schemas Using Patch Set Assistant".

After you upgrade the OPAM and OPSS schemas, the version of the OPAM schema will be 11.1.2.3.0.

22.7 Starting Administration Server, Node Manager, and Managed Servers on OPAMHOST1 and OPAMHOST2

After upgrading the database schemas on OPAMHOST1, you must start the WebLogic Administration Server, Node Manager, and the Oracle Privileged Account Manager Managed Servers on OPAMHOST1 and OPAMHOST2 in the following order:

  1. On OPAMHOST1, start the WebLogic Administration Server, Node Manager, and Oracle Privileged Account Manager Managed Server.

  2. On OPAMHOST2, start the Node Manager, and the Oracle Privileged Account Manager Managed Server.

For more information about starting the WebLogic Administration Server, see Section 24.1.8.2, "Starting the WebLogic Administration Server".

For more information about starting the Node Manager, see Section 24.1.8.1, "Starting the Node Manager".

For more information about starting the Managed Servers, see Section 24.1.8.3, "Starting the Managed Server(s)".

22.8 Redeploying Applications on OPAMHOST1

After you start the servers, you must redeploy the Oracle Identity Navigator and Oracle Privileged Account Manager applications on OPAMHOST1, namely oinav.ear and opam.ear. You can do this using either the WebLogic Administration console or the WebLogic Scripting Tool (WLST).

For more information about redeploying Oracle Identity Navigator and Oracle Privileged Account Manager applications, see Section 7.9, "Redeploying the Applications".

22.9 Verifying the Domain Upgrade

Verify that the Oracle Privileged Account Manager domain was upgraded successfully by doing the following:

  1. Log in to the Oracle Privileged Account Manager 11.1.2.3.0 console using the following URL:

    http://adminserver_host:adminserver_port/oinav/opam

  2. Verify that the pre-upgrade data, targets, accounts, and grants are present and working as expected.

22.10 Optional: Configuring Oracle Privileged Account Manager Session Manager

The Oracle Privileged Account Manager session manager application named opamsessionmgr was introduced in 11.1.2.2.0. If you are upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.1.0) or 11g Release 2 (11.1.2), and you want to configure the Oracle Privileged Account Manager session manager application, you must run the WebLogic Scripting Tool (WLST) command configureSessionManager.py on OPAMHOST1, and target it to the OPAM_CLUSTER.

For more information about configuring Oracle Privileged Account Manager session manager, see Section 7.13, "Optional: Configuring the Oracle Privileged Account Manager 11.1.2.3.0 Session Manager".

After you configure Oracle Privileged Account Manager session manager, start all the servers on OPAMHOST1 and OPAMHOST2. For more information about starting all the servers, see Starting Administration Server, Node Manager, and Managed Servers on OPAMHOST1 and OPAMHOST2.

22.11 Optional: Configuring Oracle Privileged Account Manager Console Application on WLS_OPAM1 and WLS_OPAM2

If you wish to configure Oracle Privileged Account Manager console application on the Oracle Privileged Account Manager Managed Servers WLS_OPAM1 and WLS_OPAM2 in order to achieve high availability use cases for the Oracle Privileged Account Manager console, complete the steps described in Section 7.14, "Optional: Configuring Oracle Privileged Account Manager Console Application on OPAM Managed Server".

After you complete the upgrade, start all the servers on OPAMHOST1 and OPAMHOST2. For more information about starting all the servers, see Starting Administration Server, Node Manager, and Managed Servers on OPAMHOST1 and OPAMHOST2.

To verify the upgrade, follow the instructions described in Section 7.15, "Verifying the Oracle Privileged Account Manager Upgrade".