This chapter describes how to upgrade your existing Oracle Access Management 11g Release 2 (11.1.2.2.0), 11g Release 2 (11.1.2.1.0) and 11g Release 2 (11.1.2) environments to Oracle Access Management 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.
Note:
If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0). For information about automated upgrade procedure, supported starting points and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".If you wish to upgrade Oracle Access Management multi-data center environments, refer to Chapter 18, "Upgrading Oracle Access Management Multi-Data Center Environments".
Note:
This chapter refers to Oracle Access Management Access Manager 11g Release 2 (11.1.2), 11g Release 2 (11.1.2.1.0), 11g Release 2 (11.1.2.2.0) environments as 11.1.2.x.x.This chapter contains the following sections:
Note:
If you do not follow the exact sequence provided in this task table, your Oracle Access Management upgrade may not be successful.Table 8-1 lists the steps to upgrade Oracle Access Management 11.1.2.x.x environments to 11.1.2.3.0.
Table 8-1 Roadmap for Upgrading Oracle Access Management 11.1.2.x.x to 11.1.2.3.0.
| Task No. | Task | For More Information |
|---|---|---|
|
1 |
Complete the pre-upgrade tasks before you start the upgrade process. |
|
|
2 |
Upgrade Oracle Home by upgrading Oracle WebLogic Server to 10.3.6 (if you are not using Oracle WebLogic Server 10.3.6), applying mandatory patches for Oracle Access Manager, and upgrading Oracle Access Manager binaries to 11.1.2.3.0. |
|
|
3 |
Create Oracle Mobile Security Manager (OMSM) schema, if you wish to configure Oracle Mobile Security Suite post upgrade. |
See, Creating OMSM Schema |
|
4 |
Upgrade the following schemas using the Patch Set Assistant:
When you select Oracle Access Manager (OAM) schema, the OPSS and IAU schemas are also selected. |
|
|
5 |
Upgrade Oracle Platform Security Services (OPSS). It is highly recommended that you perform this step. |
|
|
6 |
If you are upgrading Oracle Access Management 11.1.2 to 11.1.2.3.0, you must copy the modified system or domain mbean configurations. If you are upgrading Oracle Access Management 11.1.2.1.0 or 11.1.2.2.0 to 11.1.2.3.0, skip this task. |
|
|
7 |
Restart the WebLogic Administration Server and the Access Manager Managed Server(s). |
|
|
8 |
Undeploy the |
|
|
9 |
Upgrade the system configuration of Oracle Access Management. This step is required for the 11.1.2.3.0 features to work. If you do not perform this step, the upgraded environment will still work, as compatibility mode is supported for Oracle Access Management 11.1.2.x.x upgrade. |
|
|
10 |
Extend the Oracle Access Management domain to include Oracle Mobile Security Suite and Policy Manager. |
See, Extending the Oracle Access Management Domain to Include Mobile Security Suite and Policy Manager |
|
11 |
Start the WebLogic Administration Server and the Oracle Access Management Access Manager (Access Manager) Managed Server(s). |
See, Starting the Servers |
|
12 |
Perform the required post-upgrade tasks. |
|
|
13 |
Verify the Oracle Access Management upgrade. |
Before you begin with the upgrade, you must complete the following prerequisites:
Review the Oracle Fusion Middleware System Requirements and Specifications and Oracle Fusion Middleware Supported System Configurations documents to ensure that your system meets the minimum requirements for the products you are installing or upgrading to. For more information see Section 24.1.1, "Verifying Certification, System Requirements, and Interoperability".
Ensure that you are using a Java Development Kit (JDK) version that is supported and certified with Oracle Identity and Access Management 11.1.2.3.0.
You can verify the required JDK version by reviewing the certification information on the Oracle Fusion Middleware Supported System Configurations page.
The JDK can be downloaded from the Java SE Development Kit 7 Downloads page on Oracle Technology Network (OTN).
Note:
For more information about JDK version requirements, see the "Oracle WebLogic Server and JDK Considerations" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.If you are upgrading Oracle Access Management 11g Release 2 (11.1.2.0, 11.1.2.1, 11.1.2.2) environments and/or if this was upgraded from 11g Release 1, then check whether the upgrade.properties file exists under DOMAIN_HOME/config/fmwconfig. If it does, then rename the file to some other name, before you start with the upgrade.
Back up all files under the DOMAIN_HOME/config/fmwconfig directory.
Oracle Access Management 11.1.2.3.0 has additional components configured in its Administration Server. Therefore, ensure that the WebLogic domain memory settings are updated to suite the machine configurations.
If the servers are started using command line, you must update the memory settings in the setDomainEnv.sh file. If the servers are started using Node Manager, you must update the memory settings using the WebLogic Administration console. It is recommended to do both.
To update the memory settings in the setDomainEnv.sh file, complete the following steps:
Go to the DOMAIN_HOME/bin directory.
Take a backup of file setDomainEnv.sh (on UNIX) or setDomainEnv.cmd (on Windows).
Open the setDomainEnv.sh (on UNIX) or setDomainEnv.cmd (on Windows) in an editor, and search for the following lines:
On UNIX:
# IF USER_MEM_ARGS the environment variable is set, use it to override ALL
# MEM_ARGS values
if [ "${USER_MEM_ARGS}" != "" ] ; then
MEM_ARGS="${USER_MEM_ARGS}"
export MEM_ARGS
fi
On Windows:
@REM IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values if NOT "%USER_MEM_ARGS%"=="" ( set MEM_ARGS=%USER_MEM_ARGS% )
Add the USER_MEM_ARGS settings as shown in the following example:
On UNIX:
# IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values
# Added for OAM 11.1.2.3 upgrade
USER_MEM_ARGS="-Xms4096m -Xmx4096m -XX:MaxPermSize=512m"
export USER_MEM_ARGS
if [ "${USER_MEM_ARGS}" != "" ] ; then
MEM_ARGS="${USER_MEM_ARGS}"
export MEM_ARGS
fi
On Windows:
@REM IF USER_MEM_ARGS the environment variable is set, use it to override ALL MEM_ARGS values @REM Added for OAM 11.1.2.3 upgrade set USER_MEM_ARGS=-Xms4096m -Xmx4096m -XX:MaxPermSize=512m if NOT "%USER_MEM_ARGS%"=="" ( set MEM_ARGS=%USER_MEM_ARGS% )
Save the changes to the file
To update the memory settings using the WebLogic Administration console, complete the following steps:
Log in to the WebLogic Administration Console using the following URL:
http://host:port/console
Click Servers on the left navigation pane.
Select the OAM Server.
Go to the Server Start tab.
Click Arguments.
Set the value of JVM arguments for the OAM Server. For example:
-Xms4096m -Xmx4096m
Save the changes.
For more information about the memory requirements for Oracle Identity and Access Management, see "Memory and Space Requirements for Oracle Fusion Middleware and Oracle Identity and Access Management" in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management for 11g Release 2 (11.1.2).
Shut down the WebLogic Administration Server and Access Manager Managed Servers. For information about stopping the servers, see Section 24.1.9, "Stopping the Servers".
Back up the following before you proceed with the upgrade:
MW_HOME directory, including the Oracle Home directories inside Middleware Home
Domain Home directory
Oracle Access Manager schemas
MDS schemas
Audit and any other dependent schemas
Database instance using Oracle Recovery Manager (RMAN). For more information about backing up the database instance as repository database backup, see Overview of the Backup Strategies in the Fusion Middleware Administrator's Guide.
For information about backing up the Middleware Home and schemas, see Section 24.1.2, "Backing up the Existing Environment".
This section describes the tasks to be completed to upgrade the existing Oracle home.
This section includes the following topics:
Oracle Identity and Access Management 11.1.2.3.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Access Management environment is using Oracle WebLogic Server 10.3.5 or any earlier version, you must upgrade it to Oracle WebLogic Server 10.3.6.
For information about upgrading Oracle WebLogic Server, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".
Ensure that you apply some mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6.
To identify the required patches that you must apply for Oracle WebLogic Server 10.3.6, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.
The patches listed in the release notes are available from My Oracle Support. The patching instructions are mentioned in the README.txt file that is provided with each patch.
Upgrade the Oracle Access Management binaries using the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) installer. During the procedure, point the Middleware Home to your existing 11.1.1.x.x Oracle Access Management Middleware Home.
Note:
Before upgrading the Oracle Access Management binaries to 11g Release 2 (11.1.2.3.0), you must ensure that the OPatch version inORACLE_HOME and MW_HOME/oracle_common is 11.1.0.10.3. Different OPatch version might cause patch application failure. If you have upgraded opatch to a newer version, you will have to roll back to version 11.1.0.10.3.For information about upgrading Oracle Access Management binaries to Oracle Access Management Access Manager 11.1.2.3.0, see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".
If you wish to configure Oracle Mobile Security Suite (OMSS) post-upgrade, you must create Oracle Mobile Security Manager (OMSM) schema using the Repository Creation utility (RCU) 11.1.1.9.0.
For information about creating schemas using Run Repository Creation utility, see Section 24.1.3, "Creating Database Schemas Using Repository Creation Utility".
After you upgrade Oracle Access Management binaries to 11.1.2.3.0, you must upgrade the following schemas by running the Patch Set Assistant (PSA):
Oracle Access Manager (OAM) schema
Oracle Platform Security Services (OPSS) schema
Audit Services (IAU) schema
Oracle Metadata Services (MDS) schema
When you run the PSA to upgrade schemas, select Oracle Access Manager (OAM) schema. This automatically selects Oracle Platform Security Services (OPSS) schema and Audit Services (IAU) schema. Once you upgrade these schemas, run the PSA again to upgrade Oracle Metadata Services (MDS) schema.
Note:
Oracle Mobile Security Suite (OMSS) requires Oracle Metadata Services (MDS) schema. Therefore, to configure Oracle Mobile Security Suite (OMSS) post-upgrade, you must upgrade the Oracle Metadata Services (MDS) schema.For information about upgrading schemas using Patch Set Assistant, see Section 24.1.4, "Upgrading Schemas Using Patch Set Assistant".
After you upgrade schemas, it is highly recommended that you upgrade Oracle Platform Security Services (OPSS).
Upgrading Oracle Platform Security Services is required to upgrade the configuration and policy stores of Oracle Access Manager to 11.1.2.3.0. It upgrades the jps-config.xml file and policy stores.
For information about upgrading Oracle Platform Security Services, see Section 24.1.7, "Upgrading Oracle Platform Security Services"
If you are upgrading Oracle Access Management 11.1.2 to Oracle Access Management 11.1.2.3.0, you must copy the modified system or domain mbean configurations from the OAM_ORACLE_HOME to the DOMAIN_HOME, after you update the Access Manager binaries to 11.1.2.3.0.
Note:
If you are upgrading Oracle Access Management 11.1.2.2.0 or 11.1.2.1.0 to 11.1.2.3.0, skip this section.To do this, complete the following steps:
Run the following command to launch the WebLogic Scripting Tool (WLST) from the location $ORACLE_HOME/common/bin:
On UNIX: wlst.sh
On Windows: wlst.cmd
Run the following command:
copyMbeanXmlFiles('DOMAIN_HOME','OAM_ORACLE_HOME')
In this command, DOMAIN_HOME is the absolute path to the Access Manager WebLogic domain, and OAM_ORACLE_HOME is the absolute path to the OAM Oracle home. The second parameter OAM_ORACLE_HOME is optional.
For example:
On UNIX:
copyMbeanXmlFiles('/Oracle/Middleware/user_projects/domains/base_domain','/Oracle/Middleware/Oracle_IDM1')
On Windows:
copyMbeanXmlFiles('C:\\Oracle\\Middleware\\user_projects\domains\\base_domain','C:\\Oracle\\Middleware\\Oracle_IDM1')
If the modified system or domain mbean configurations are copied successfully, the following status is displayed on the command line:
STATUS: SUCCESS The mbean xml files have been upgraded to new version. The original mbean xml is saved in "<domain_directory>/output/upgrade". Please restart the admin and oam servers.
If the STATUS shows SUCCESS, start the WebLogic Administration Server and the Access Manager Managed Server(s).
For information about starting the servers, see Section 24.1.8, "Starting the Servers".
After you upgrade the system configurations, you must undeploy the coherence#3.7.1.1 library, as it is not shipped with Access Manager 11.1.2.3.0. You can undeploy the coherence#3.7.1.1 library either by running the WLST command undeploy() or using the WebLogic Administration console.
Note:
The deployments for any application that references this library must be stopped and deleted before you undeploy the library.For the list of applications that reference this library, log in to the WebLogic Administration Console, navagate to Deployments in the Domain Structure, click coherence(3.7.1.1,3.7.1.1), and go to the Overview tab. The applications that reference this library are listed at the bottom of the page.
To undeploy the coherence#3.7.1.1 library using the WLST command, complete the following steps:
Start the WebLogic Administration Server and the Access Manager Managed Server(s), if you have not done already.
For more information about starting the servers, see Section 24.1.8, "Starting the Servers".
Launch the WebLogic Scripting Tool (WLST) by running the following command from the location ORACLE_HOME/common/bin:
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Connect to the WebLogic Administration Server by running the following command:
connect('wls_admin_username','wls_admin_password','t3://hostname:port')
In this command,
wls_admin_username is the username used to connect to the WebLogic Administration Server.
wls_admin_password is the password used to connect to the WebLogic Administration Server.
hostname is the host on which the WebLogic Administration Server is running.
port is the port of the WebLogic Administration Server.
Run the following command to undeploy the coherence#3.7.1.1 library:
undeploy('coherence#3.7.1.1@3.7.1.1')
To undeploy the coherence#3.7.1.1 library using the WebLogic Administration Console, complete the following steps:
Log in to the WebLogic Administration Console using the following URL:
http://host:port/console
In the Change Center of the Administration Console, click Lock & Edit.
Click Deployments under Domain Structure on the left navigation pane.
Select coherence(3.7.1.1,3.7.1.1) library, and click Delete.
Click Activate Changes.
Note:
Before you restart the servers, add the oam_server and oam_admin servers after you have upgraded coherence.Restart the WebLogic Administration Server and the Access Manager Managed Server(s).
For information about stopping the servers, see Section 24.1.9, "Stopping the Servers".
For information about starting the servers, see Section 24.1.8, "Starting the Servers".
For the Oracle Access Management 11.1.2.3.0 features to work, you must run the upgradeConfig() utility on the machine that hosts Administration Server. This utility upgrades the system configuration and policy store of Oracle Access Management to 11.1.2.3.0.
Note:
If you are upgrading Oracle Access Management 11.1.2.1.0 to 11.1.2.3.0, then you must do the following before running theupgradeConfig.sh command:
Go to the directory ORACLE_HOME/common/script_handlers.
Remove all the .class files by running the following command:
rm *.class
To upgrade the system configuration of Oracle Access Management, do the following:
Stop the WebLogic Administration Server and the Access Manager Managed Server(s). For more information, see Section 24.1.9, "Stopping the Servers".
The upgradeConfig command needs to be run using the IPv4 stack. Therefore, you must add the following property to the wlst.sh file (on UNIX) or wlst.cmd file (on Windows) located at ORACLE_HOME/common/bin:
-Djava.net.preferIPv4Stack=true
To do this, open the wlst.sh or wlst.cmd file in a text editor, add the property, and save the file.
Run the following command to launch the WebLogic Scripting Tool (WLST) from the location ORACLE_HOME/common/bin:
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Before you run the upgradeConfig() command, ensure that the output of upgradeConfig command is captured in a log file, for review in case of upgrade issues. To do this, run the following command:
redirect('outputFile')
In this command, outpufFile is the name of the log file.
For example:
redirect('wlst.log')
Run the following command in offline mode:
upgradeConfig("domain_home", "sysdbaUser", "sysdbaPwd", "oamSchemaOwner", "oamdbJdbcUrl")
In this command,
domain_home is the absolute path to the Oracle Access Management WebLogic domain.
sysdbauser is the database username having sysdba privileges.
sysdbapwd is the password of the database user having sysdba privileges.
oamSchemaOwner is the database username for OAM schema.
oamdbjdbcUrl is the JDBC URL to connect to the Access Manager database. The JDBC URL must be in specified in the format "jdbc:oracle:thin:@<server_host>:<server_port>/<service_name>".
For example:
On UNIX:
upgradeConfig("/Oracle/Middleware/user_projects/domains/base_domain", "sys", "pwd", "PREFIX_OAM", "jdbc:oracle:thin:@localhost:1521/orcl")
On Windows:
upgradeConfig("C:\\Oracle\\Middleware\\user_projects\\domains\\base_domain", "sys", "pwd", "PREFIX_OAM", "jdbc:oracle:thin:@localhost:1521/orcl")
Extend the Oracle Access Management domain to include Oracle Mobile Security Suite and Policy Manager. Using the functionality of Oracle Mobile Security Suite is optional. However, you must perform this step to enable the Policy Manager.
For more information, see Section 24.3.1, "Extending the 11.1.2.3.0 Access Manager Domain to Include Mobile Security Suite and Policy Manager".
Before you start the servers, restore the .oamkeystore file that you had backed up from the DOMAIN_HOME/config/fmwconfig directory before starting the upgrade.
Start the WebLogic Administration Server, Oracle Access Management Access Manager Managed Server(s), and the OMSS Server.
For more information about starting the servers, see Section 24.1.8, "Starting the Servers".
This section describes the post-upgrade tasks required to enable the features of Oracle Access Management 11.1.2.3.0. These tasks are optional.
This section includes the following topics:
Optional: Upgrading Oracle Access Management Mobile and Service
Optional: Upgrading Oracle Access Management Identity Federation
If you wish to use the functionality of Oracle Mobile Security Suite, you must enable Oracle Mobile Security Suite after extending the Oracle Access Management domain with Oracle Mobile Security Suite component.
For more information, see Section 24.3.2, "Enabling Oracle Mobile Security Suite".
If you are using the Social Identity feature in Oracle Access Management Mobile and Service, you must update the Social Identity configuration by running the msUpgrade() command. To do this, complete the following steps:
Run the following command to launch the WebLogic Scripting Tool (WLST) from the location $ORACLE_HOME/common/bin:
On UNIX: ./wlst.sh
On Windows: wlst.cmd
Run the following command to update the Social Identity configuration:
msUpgrade()
If you have configured Oracle Access Management Identity Federation, you must upgrade Oracle Access Management Identity Federation to 11.1.2.3.0.
For more information about upgrading Oracle Access Management Identity Federation to 11.1.2.3.0, see Section 24.3.3, "Upgrading Oracle Access Management Identity Federation".
Ensure that you assign necessary roles to the global role Admin, by setting the role conditions as IDM Administrators, Administrators, or OAMAdministrators.
For more information about creating and managing global security roles, see "Create global security roles" in the Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help for 11g Release 1 (10.3.6).
Verify the Oracle Access Management upgrade by accessing the Oracle Access Management Administration Console 11g Release 2 (11.1.2.3.0).
If you have enabled Oracle Mobile Security Suite (OMSS) and wish to use the functionality of OMSS, use the following URL to access the Oracle Access Management Administration Console:
http://<oam_admin_server_host>:<oam_admin_server_port>/access
If you have not enabled Oracle Mobile Security Suite (OMSS), use the following URL to access the Oracle Access Management Administration Console:
http://<oam_admin_server_host>:<oam_admin_server_port>/oamconsole
For the list of common issues that you might encounter during the Oracle Access Management upgrade process, and their workaround, see Section 25.2, "Troubleshooting Oracle Access Management Upgrade Issues".
For the list of known issues related to upgrade, and their workaround, see "Upgrade and Migration Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for Identity Management.