10 Upgrading Oracle Identity Manager 11g Release 2 (11.1.2.x.x) Environments

This chapter describes how to upgrade Oracle Identity Manager 11g Release 2 (11.1.2.2.0), 11g Release 2 (11.1.2.1.0), and 11g Release 2 (11.1.2) environments to Oracle Identity Manager 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.

Note:

If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).

For information about the automated upgrade procedure, supported starting points, and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".

Note:

This chapter refers to Oracle Identity Manager 11g Release 2 (11.1.2), 11g Release 2 (11.1.2.1.0), and 11g Release 2 (11.1.2.2.0) environments as 11.1.2.x.x.

10.1 Upgrade Roadmap for Oracle Identity Manager

The procedure for upgrading Oracle Identity Manager 11.1.2.x.x to 11.1.2.3.0 involves the following high-level steps:

  1. Performing the Required Pre-Upgrade Tasks: This step involves the necessary pre-upgrade tasks like reviewing system requirements and certification, generating the pre-upgrade report, analyzing the report and performing the necessary pre-upgrade tasks described in the report, backing up the existing 11.1.2.x.x environment.

  2. Upgrading the Oracle Home: This step involves tasks like upgrading Oracle WebLogic Server to 10.3.6, upgrading Oracle SOA Suite to 11.1.1.9.0, and upgrading Oracle Identity Manager to 11.1.2.3.0.

  3. Creating Necessary Schemas and Upgrading the Existing Schemas: This step involves tasks like creating Oracle BI Publisher (BIP) schema using Repository Creation Utility 11.1.2.3.0, and upgrading the existing schemas using the Patch Set Assistant.

  4. Upgrading Oracle Identity Manager Middle Tier: This step involves upgrading Oracle Identity Manager middle tier.

  5. Upgrading Other Oracle Identity Manager Installed Components: This step involves tasks like upgrading Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager to 11.1.2.3.0.

  6. Performing the Required Post-Upgrade Tasks: This step involves any post-upgrade tasks, and the steps to verify the upgrade.

Table 10-1 lists the steps to upgrade Oracle Identity Manager 11.1.2.x.x to 11.1.2.3.0.

Table 10-1 Roadmap for Upgrading Oracle Identity Manager 11.1.2.x.x to 11.1.2.3.0

Sl No Task For More Information

1

Complete the following pre-upgrade tasks:

  1. Review the new features of Oracle Identity Manager 11.1.2.3.0.

  2. Review system requirements and certifications.

  3. Ensure that you are using a supported JDK version.

  4. Review the customizations that are lost or overwritten as part of the upgrade process.

  5. Generate the pre-upgrade report, analyze the information provided in the report, and perform the necessary tasks described in the report before you proceed with the upgrade process.

  6. Stop all the servers. This includes the Node Manager, WebLogic Administration Server, SOA Managed Server(s), and Oracle Identity Manager Managed Server(s).

  7. Back up your existing Oracle Identity Manager 11.1.2.x.x environment.

See Performing the Required Pre-Upgrade Tasks.

2

Upgrade the Oracle Home by completing the following tasks:

  1. Upgrade Oracle WebLogic Server to 10.3.6 if you are using a previous version.

  2. Upgrade Oracle SOA Suite to 11g Release 1 (11.1.1.9.0).

  3. Upgrade Oracle Identity Manager binaries to 11.1.2.3.0.

See Upgrading Oracle Home.

3

Create the Oracle BI Publisher (BIP) schema using the Repository Creation Utility (RCU), and upgrade your existing database schemas using the Patch Set Assistant (PSA).

See Creating Necessary Schemas and Upgrading Existing Schemas.

4

Upgrade the Oracle Identity Manager middle tier. This is done by running the OIM middle tier upgrade utility OIMUpgrade.sh or OIMUpgrade.bat in offline and online mode.

See Upgrading Oracle Identity Manager Middle Tier.

5

Upgrade other Oracle Identity Manager installed components like Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager to 11.1.2.3.0.

See Upgrading Other Oracle Identity Manager Installed Components.

6

Complete the required post-upgrade tasks.

See Performing the Required Post-Upgrade Tasks.

7

Verify the upgraded environment.

See Verifying the Oracle Identity Manager Upgrade.


10.2 Performing the Required Pre-Upgrade Tasks

This section describes all the pre-upgrade steps that you must complete before you start upgrading the Oracle Identity Manager 11.1.2.x.x environment.

10.2.1 Feature Comparison

Table 10-2 lists the key differences in functionality between Oracle Identity Manager 11g Release 2 (11.1.2.x.x) and Oracle Identity Manager 11g Release 2 (11.1.2.3.0).

Table 10-2 Features Comparison

Oracle Identity Manager 11.1.2.x.x Oracle Identity Manager 11.1.2.3.0

Oracle Identity Manager 11.1.2.2.0 uses Skyros skin.

Oracle Identity Manager 11.1.2.3.0 uses the Alta skin, which is business friendly (mobile, cloud). Oracle Identity Manager 11.1.2.3.0 has a new Home page and a new My Profile page with a user-friendly Inbox.

Most of the UI customizations need to be redone post upgrade, to match the look and feel of 11.1.2.3.0.

In Oracle Identity Manager 11.1.2, the Access Catalog was introduced to provide meaningful and contextual information to end users during the request and access review.

Oracle Identity Manager 11.1.2.3.0 has a new advanced search catalog, where UDFs that are marked as searchable will automatically be part of the advanced search form.

You can also customize the search form. Attributes can be used to search catalog items. The catalog includes enhanced pagination and categories to simplify resource searches.

In Oracle Identity Manager 11.1.2.1.0, certification was introduced and the workflow supported one level of access in each phase.

Certification workflow in 11.1.2.2.0 enables business to define more robust processes for compliance, enabling more granular oversight of "who has access to what". Certification reviews can mirror access request workflow, where they can be reviewed or approved by multiple sets of business and IT owners before they are deemed complete in each phase. This ensures improved visibility of user access privileges, and all review decisions are captured in a comprehensive audit trail that is recorded live during the certification as well as in reports.

Certification feature of Oracle Identity Manager 11.1.2.3.0 uses the Alta UI and has been enhanced to provide inline SoD violation checks.

Till 11.1.2.2.0, BI Publisher was a separate standalone Managed Server.

Oracle Identity Manager 11.1.2.3.0 has embedded BI Publisher, and therefore all BI reports are embedded in OIM.

A business user now can launch a custom report from within OIM Self Service Console.

Oracle Identity Manager 11.1.2.0.0 had to be integrated with Oracle Identity Analytics (OIA) to leverage the advanced access review capabilities.

In Oracle Identity Manager 11.1.2.1.0 and 11.1.2.2.0, the advanced access review capabilities of OIA were converged into OIM to provide a complete identity governance platform that enables an enterprise to do enterprise grade access request, provisioning, and access review from a single product.

OIA functionality is now ported into Oracle Identity Governance (OIG). Customers can define and manage identity audit policies based on IDA rules. Customers can define owners and remediators for a policy, which can be a specific user, a list of users or an OIM role.

Customers can use preventive and detective scan capabilities which can create actionable policy violations.

Oracle Identity Manager 11.1.2.3.0 has comprehensive role lifecycle management and workflow approval capabilities with direct involvement from business, featuring a business friendly UI.

It also includes detailed Role Analytics to aid with the composition and modifications of roles.

Till Oracle Identity Manager 11.1.2.2.0, policies were implemented and customized using OIM plug-in and pre-pop adapters implemented via the plug-in framework, which required writing custom Java code to extend and customize OOTB policies.

Oracle Identity Manager 11.1.2.3.0 introduces declarative policies that enable you to define and configure various policy types that are evaluated at run time. Policy is configured via a UI/API rather than customized via Java plug-in or pre-pop adapter.

The existing 11.1.2.x.x certification feature provides certifier selection based on User Manager, Organization Manager, Catalog Owner, and Selected User.

Oracle Identity Manager 11.1.2.3.0 introduces additional certifier selection where role can be used to define certifiers. All members of a certifier role can see the certification in their inbox, but the first member who claims the certification will be the primary reviewer for that certification.

In Oracle Identity Manager 11.1.2.x.x, the concept of request profile was introduced. You could draft and save the request. Request has to go through two levels of approval process.

Oracle Identity Manager 11.1.2.3.0 includes a number of enhancements to the request workflow. Temporal grants allow the requester to specify the start and end date (grant duration) of the role, account, and entitlements at the time of assignment. Administrators can configure approvals by creating workflow policy rules instead of approval policies. It also supports role requests (create, modify, delete etc). In 11.1.2.3.0, enabling SOA is optional.

Till Oracle Identity Manager 11.1.2.2.0, only out-of-the box admin roles were available.

Oracle Identity Manager 11.1.2.3.0 provides a fine grained authorization engine to help you create various admin roles. For example, by using attributes to define membership, you can restrict an administrator to managing home organization members only.


10.2.2 Reviewing System Requirements and Certification

Before you start the upgrade process, review the Oracle Fusion Middleware System Requirements and Specifications and Oracle Fusion Middleware Supported System Configurations documents to ensure that your system meets the minimum requirements for the products you are installing or upgrading to. For more information see Section 24.1.1, "Verifying Certification, System Requirements, and Interoperability".

10.2.3 Ensuring that you are Using a Certified JDK Version

Ensure that you are using a Java Development Kit (JDK) version that is supported and certified with Oracle Identity and Access Management 11.1.2.3.0.

You can verify the required JDK version by reviewing the certification information on the Oracle Fusion Middleware Supported System Configurations page.

The JDK can be downloaded from the Java SE Development Kit 7 Downloads page on Oracle Technology Network (OTN).

Note:

For more information about JDK version requirements, see the "Oracle WebLogic Server and JDK Considerations" topic in the Oracle Fusion Middleware System Requirements and Specifications for Oracle Identity and Access Management 11g Release 2 (11.1.2) document.

10.2.4 Reviewing the Customizations that are Lost or Overwritten as Part of Upgrade

This section lists the customizations that will be lost or overwritten as part of the upgrade process.

The following customizations will be lost or overwritten as part of the Oracle Identity Manager upgrade process:

  • The configuration files like web.xml that are directly manipulated for changing the session time out will be overwritten as part of the binary upgrade.

  • The custom JARs included in the OIM Home will be lost as part of the binary upgrade.

  • Oracle Identity Manager Design Console configuration settings will be lost as part of the binary upgrade.

  • Oracle Identity Manager Remote Manager configuration settings will be lost as part of the binary upgrade.

  • UI war file oracle.iam.ui.custom-dev-starter-pack.war that is used for custom UI will be lost as part of the binary upgrade.

  • Customization done to Email Validation Pattern will be overwritten as part of the upgrade process.

  • The following scripts will be modified as part of the Oracle Identity Manager middle tier upgrade offline.

    • Startup scripts - startWebLogic.sh and startManagedWebLogic.sh located at DOMAIN_HOME/bin/ (on UNIX), startWebLogic.cmd and startManagedWebLogic.cmd located at DOMAIN_HOME\bin\ (on Windows)

    • Domain environment script - setDomainEnv.sh located at DOMAIN_HOME/bin/(on UNIX), setDomainEnv.bat located at DOMAIN_HOME\bin\ (on Windows)

    • Unprotected Metadata files

      For the list of protected metadata files for which the customizations will be retained after upgrade, see Section 24.2.1, "Protected Metadata Files for Which Customization will be Retained After Upgrade".

    Any manual edits done to these scripts will be overwritten. Therefore, you must revisit these after middle tier upgrade offline.

  • If you have an SSL-configured environment, the file ORACLE_HOME\designconsole\config\xl.policy will be overwritten as part of the Oracle Identity Manager binary upgrade. Therefore, back up the xl.policy file, if you have customized it, before you begin the upgrade process.
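The following is an added example, not part of Oracle's tooling: it snapshots the files whose locations this section names and, after the upgrade, reports which of them were changed or removed, so that manual edits can be reviewed and reapplied. The function names, the snapshot directory layout, and the UNIX form of the xl.policy path are assumptions, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example (not Oracle tooling): record the state of files that this
# section says are overwritten, then list what the upgrade changed.

# Locations given in this section, relative to DOMAIN_HOME.
DOMAIN_FILES="bin/startWebLogic.sh bin/startManagedWebLogic.sh bin/setDomainEnv.sh"
# UNIX form of ORACLE_HOME\designconsole\config\xl.policy (assumed layout).
ORACLE_FILES="designconsole/config/xl.policy"
TAB=$(printf '\t')

# tracked_files DOMAIN_HOME ORACLE_HOME -> "label<TAB>path" lines
tracked_files() {
    for f in $DOMAIN_FILES; do printf '%s\t%s\n' "DOMAIN_HOME/$f" "$1/$f"; done
    for f in $ORACLE_FILES; do printf '%s\t%s\n' "ORACLE_HOME/$f" "$2/$f"; done
}

file_hash() { sha256sum < "$1" | cut -d' ' -f1; }

# snapshot_customizations DOMAIN_HOME ORACLE_HOME SNAP_DIR
# Copies every tracked file that exists and writes "sha256  label" lines
# to SNAP_DIR/manifest.
snapshot_customizations() {
    snap=$3
    mkdir -p "$snap/files" || return 1
    tracked_files "$1" "$2" | while IFS="$TAB" read -r label path; do
        [ -f "$path" ] || continue
        mkdir -p "$snap/files/$(dirname "$label")"
        cp -p "$path" "$snap/files/$label"
        printf '%s  %s\n' "$(file_hash "$path")" "$label"
    done > "$snap/manifest"
    # Keep the copies private to the owner of the snapshot.
    chmod -R go-rwx "$snap"
}

# changed_since_snapshot DOMAIN_HOME ORACLE_HOME SNAP_DIR
# Prints "CHANGED label" or "MISSING label" for each snapshotted file that
# no longer matches its recorded hash.
changed_since_snapshot() {
    tracked_files "$1" "$2" | while IFS="$TAB" read -r label path; do
        old=$(awk -v l="$label" '$2 == l { print $1 }' "$3/manifest")
        [ -n "$old" ] || continue        # file did not exist before the upgrade
        if [ ! -f "$path" ]; then
            echo "MISSING $label"
        elif [ "$(file_hash "$path")" != "$old" ]; then
            echo "CHANGED $label"
        fi
    done
}

# Usage: script snapshot|compare DOMAIN_HOME ORACLE_HOME SNAP_DIR
case ${1:-} in
    snapshot) snapshot_customizations "$2" "$3" "$4" ;;
    compare)  changed_since_snapshot "$2" "$3" "$4" ;;
esac
```

Run the snapshot after stopping the servers and the comparison after the middle tier upgrade offline; each reported file can then be compared with its copy under SNAP_DIR/files.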

10.2.5 Generating and Analyzing the Pre-Upgrade Report

You must run the pre-upgrade report utility before you begin the upgrade process, and address all the issues listed as part of this report with the solution provided in the report. The pre-upgrade report utility analyzes your existing Oracle Identity Manager 11.1.2.x.x environment, and provides information about the mandatory prerequisites that you must complete before you upgrade the existing Oracle Identity Manager environment.

The information in the pre-upgrade report includes challenge questions localization, authorization feature data upgrade, event handlers that are affected by upgrade, mandatory database components or settings, cyclic groups in LDAP that need to be removed, certification records processed during the upgrade, and the potential application instance creation issues.

For information about generating the pre-upgrade report, and analyzing it, see Section 24.2.2, "Generating and Analyzing Pre-Upgrade Report for Oracle Identity Manager".

Note:

Run this report until no pending issues are listed in the report.

It is important to address all the issues listed in the pre-upgrade report before you proceed with the upgrade, as the upgrade might fail if the issues are not fixed.

10.2.6 Shutting Down Node Manager, Administration Server and Managed Server(s)

The upgrade process involves changes to the binaries and to the schema. Therefore, before you begin the upgrade process, you must shut down the Oracle Identity Manager Managed Server(s), SOA Managed Server(s), WebLogic Administration Server, and the Node Manager.

For information about stopping the WebLogic Administration Server, Managed Server(s), and the Node Manager, see Section 24.1.9, "Stopping the Servers".

Note:

If you are upgrading a highly available environment, you must shut down the servers on all of the hosts.

10.2.7 Backing Up Oracle Identity Manager 11.1.2.x.x Environment

You must back up your existing Oracle Identity Manager 11.1.2.x.x environment before you upgrade to Oracle Identity Manager 11.1.2.3.0.

After stopping the servers, back up the following:

  • MW_HOME directory, including the Oracle Home directories inside Middleware Home

  • Domain Home directory

  • Oracle Identity Manager schema

  • MDS schema

  • ORASDPM schema

  • SOAINFRA schemas

  • OPSS schema

For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.

Note:

If you are upgrading a highly available environment, you must back up the Oracle Home directories and the domain home directories on all of the hosts.

10.2.8 Disabling OIM Materialized-View Creation

Before you upgrade the OIM schemas, disable the creation of the materialized view 'OIM_RECON_CHANGES_BY_RES_MV'. This view is created by the oim_mview_recon_changes_by_res.sql script, and is used for the "Fine Grained Exception by Resource" report.

To disable the view creation:

  1. Stop the Oracle Fusion Middleware Patch Set Assistant.

  2. Comment out the reference to oim_mview_recon_changes_by_res.sql in the sequence.properties file. The sequence.properties file is located at: OIM_ORACLE_HOME/server/db/oim/oracle/StoredProcedures/MaterializedViews.

  3. Start the Oracle Fusion Middleware Patch Set Assistant.

After the OIM schema upgrade is complete, restore the reference to oim_mview_recon_changes_by_res.sql in the sequence.properties file.

10.3 Upgrading Oracle Home

This section describes the tasks to be completed to upgrade the existing Oracle home.

Note:

Before you begin with the upgrade process, make sure that you have read and write permission to the domain including the /security/SerializedSystemIni.dat file.

10.3.1 Upgrading Oracle WebLogic Server to 10.3.6

Oracle Identity and Access Management 11.1.2.3.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Identity Manager environment is using Oracle WebLogic Server 10.3.5 or an earlier version, you must upgrade Oracle WebLogic Server to 10.3.6.

Note:

If you are already using Oracle WebLogic Server 10.3.6, ensure that you apply the mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6.

To identify the required patches that you must apply for Oracle WebLogic Server 10.3.6, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.

The patches listed in the release notes are available from My Oracle Support. The patching instructions are mentioned in the README.txt file that is provided with each patch.

For information about upgrading Oracle WebLogic Server to 10.3.6, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".

10.3.2 Upgrading Oracle SOA Suite to 11.1.1.9.0

Oracle Identity Manager 11.1.2.3.0 is certified with Oracle SOA Suite 11.1.1.9.0. Therefore, you must upgrade Oracle SOA Suite to 11.1.1.9.0 if you are using any earlier version of Oracle SOA Suite.

For information about upgrading Oracle SOA Suite, see Section 24.2.3, "Upgrading Oracle SOA Suite to 11g Release 1 (11.1.1.9.0)".

10.3.3 Upgrading Oracle Identity Manager Binaries to 11.1.2.3.0

You must upgrade the Oracle Identity Manager 11.1.2.x.x binaries to Oracle Identity Manager 11.1.2.3.0 using the Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0) Installer. During the procedure, point the Middleware Home to your existing 11.1.2.x.x Middleware Home. This upgrades the Oracle Identity Manager binaries to 11.1.2.3.0.

Note:

  • Before upgrading the Oracle Identity Manager binaries to 11g Release 2 (11.1.2.3.0), you must ensure that the OPatch version in ORACLE_HOME and MW_HOME/oracle_common is 11.1.0.10.3. A different OPatch version might cause patch application failure. If you have upgraded OPatch to a newer version, you will have to roll back to version 11.1.0.10.3.
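One way to check both homes named in this note before starting the installer, as an added example that is not Oracle's own script. It assumes the usual OPatch/opatch location under each home and the "OPatch Version: ..." line printed by the opatch version command; the function names are hypothetical. The comparison is an exact match, because the note requires rolling back a newer OPatch rather than accepting it.

```shell
#!/bin/sh
# Added example: confirm that OPatch in both homes is exactly the version
# this chapter requires before running the 11.1.2.3.0 installer.

REQUIRED_OPATCH=11.1.0.10.3

# opatch_version HOME -> version string reported by HOME/OPatch/opatch,
# or nothing if OPatch is absent or prints no version line.
opatch_version() {
    "$1/OPatch/opatch" version 2>/dev/null |
        sed -n 's/^OPatch Version:[[:space:]]*\([0-9.]*\).*/\1/p' |
        head -n 1
}

# check_opatch_homes ORACLE_HOME MW_HOME
# Returns 0 only if ORACLE_HOME and MW_HOME/oracle_common both report the
# required version; prints one status line per home.
check_opatch_homes() {
    rc=0
    for home in "$1" "$2/oracle_common"; do
        found=$(opatch_version "$home")
        if [ "$found" = "$REQUIRED_OPATCH" ]; then
            echo "OK       $home (OPatch $found)"
        elif [ -z "$found" ]; then
            echo "MISSING  $home (no OPatch version reported)"
            rc=1
        else
            # Newer versions count as a mismatch too: roll back first.
            echo "MISMATCH $home (OPatch $found, need $REQUIRED_OPATCH)"
            rc=1
        fi
    done
    return $rc
}

# Usage: script ORACLE_HOME MW_HOME
if [ $# -eq 2 ]; then
    check_opatch_homes "$1" "$2"
fi
```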

For information about updating Oracle Identity Manager binaries to 11.1.2.3.0, see Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0).

After the binary upgrade, check the installer logs at the following location:

  • On UNIX: ORACLE_INVENTORY_LOCATION/logs

    To find the location of the Oracle Inventory directory on UNIX, check the file ORACLE_HOME/oraInst.loc.

  • On Windows: ORACLE_INVENTORY_LOCATION\logs

    The default location of the Oracle Inventory Directory on Windows is C:\Program Files\Oracle\Inventory\logs.

The following install log files are written to the log directory:

  • installDATE-TIME_STAMP.log

  • installDATE-TIME_STAMP.out

  • installActionsDATE-TIME_STAMP.log

  • installProfileDATE-TIME_STAMP.log

  • oraInstallDATE-TIME_STAMP.err

  • oraInstallDATE-TIME_STAMP.log

10.4 Creating Necessary Schemas and Upgrading Existing Schemas

You must create a new Oracle BI Publisher schema by running the Repository Creation Utility (RCU). Also, you must upgrade the existing database schemas using the Patch Set Assistant (PSA). To do this, complete the following steps:

10.4.1 Creating Oracle BI Publisher Schema

You must create Oracle BI Publisher schema 11.1.1.9.0 using the Repository Creation Utility (RCU) 11.1.2.3.0. For information about creating schemas using RCU, see Section 24.1.3, "Creating Database Schemas Using Repository Creation Utility".

Note:

When you create schema using Repository Creation Utility, select only Business Intelligence Platform (BIPLATFORM) under Oracle Business Intelligence on the Select Components screen.

Do not select any other schema.

10.4.2 Upgrading Existing Schemas

After you update Oracle Identity Manager binaries to 11.1.2.3.0, you must upgrade the following schemas using Patch Set Assistant (PSA):

  • Oracle Platform Security Services (OPSS) schema

  • Metadata Services (MDS) schema

  • Oracle Identity Manager (OIM) schema

  • ORASDPM schema

  • SOA Infrastructure (SOAINFRA) schema

Note:

If you use Oracle Identity Manager database access policies, you must complete the following steps before you upgrade the existing schemas:

  1. Open the oim_upg_R2PS2_R2PS3_common_policy_engine.sql file located at OIM_HOME/server/db/oim/oracle/Upgrade/oim11gR2PS2_2_R2PS3, in a text editor.

  2. Replace line 280:

    EXECUTE IMMEDIATE sqlstr USING v_pol_owner(idx);

    with

    EXECUTE IMMEDIATE sqlstr USING v_pol_owner_type(idx);

  3. Save the modified file.
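The edit in steps 1 to 3 can be scripted so that it only happens when line 280 really holds the statement shown above. This is an added example, not part of the Oracle procedure; the function name and the .orig backup suffix are assumptions, and the file to edit is passed as an argument.

```shell
#!/bin/sh
# Added example: guarded replacement of line 280 in
# oim_upg_R2PS2_R2PS3_common_policy_engine.sql. The file is changed only if
# that line contains the statement the procedure expects.

TARGET_LINE=280
OLD_STMT='EXECUTE IMMEDIATE sqlstr USING v_pol_owner(idx);'
NEW_STMT='EXECUTE IMMEDIATE sqlstr USING v_pol_owner_type(idx);'

# patch_policy_engine_sql FILE
# Returns 0 if the line was replaced or already holds the new statement,
# 1 if the file is missing or line 280 is something else (file untouched).
patch_policy_engine_sql() {
    file=$1
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }

    current=$(sed -n "${TARGET_LINE}p" "$file")
    case $current in
        *"$NEW_STMT"*)
            echo "line $TARGET_LINE already updated; nothing to do"
            return 0 ;;
        *"$OLD_STMT"*)
            ;;   # expected content, continue with the edit
        *)
            echo "line $TARGET_LINE is not the expected statement; file not edited" >&2
            return 1 ;;
    esac

    # Keep the shipped file next to the edited one.
    cp -p "$file" "$file.orig" || return 1

    # Rewrite only line 280; indentation and all other lines stay as they are.
    sed "${TARGET_LINE}s/USING v_pol_owner(idx);/USING v_pol_owner_type(idx);/" \
        "$file.orig" > "$file" || return 1

    # Confirm the result before reporting success.
    case $(sed -n "${TARGET_LINE}p" "$file") in
        *"$NEW_STMT"*) echo "line $TARGET_LINE updated; original saved as $file.orig" ;;
        *) echo "unexpected result on line $TARGET_LINE" >&2; return 1 ;;
    esac
}

# Usage: script /path/to/oim_upg_R2PS2_R2PS3_common_policy_engine.sql
if [ $# -eq 1 ]; then
    patch_policy_engine_sql "$1"
fi
```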

When you select the Oracle Identity Manager schema on the PSA screen, it automatically selects all dependent schemas and upgrades them too.

For information about upgrading schemas using the Patch Set Assistant, see Upgrading Schemas Using Patch Set Assistant.

After you upgrade schemas, verify the upgrade by checking the version numbers of the schemas as described in Version Numbers After Upgrading Schemas.

Version Numbers After Upgrading Schemas

Connect to oim schema as oim_schema_user, and run the following query:

select version,status,upgraded from schema_version_registry where owner=<SCHEMA_NAME>;

Ensure that the version numbers are upgraded, as listed in Table 10-3:

Table 10-3 Component Version Numbers After Upgrading the Schemas

Component    Version No.
OPSS         11.1.1.9.0
MDS          11.1.1.9.0
OIM          11.1.2.3.0
ORASDPM      11.1.1.9.0
SOAINFRA     11.1.1.9.0


10.5 Upgrading Oracle Identity Manager Middle Tier

To upgrade the Oracle Identity Manager middle tier, you must run the middle tier upgrade utility OIMUpgrade in offline and online mode. For more information about upgrading the Oracle Identity Manager middle tier, see Section 24.2.4, "Upgrading Oracle Identity Manager Middle Tier".

10.6 Upgrading Other Oracle Identity Manager Installed Components

After you upgrade the Oracle Identity Manager middle tier, you must upgrade the other Oracle Identity Manager installed components like Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager to 11.1.2.3.0.

For more information about upgrading Oracle Identity Manager Design Console and Oracle Identity Manager Remote Manager, see Section 24.2.5, "Upgrading Other Oracle Identity Manager Installed Components".

10.8 Verifying the Oracle Identity Manager Upgrade

To verify your Oracle Identity Manager upgrade, perform the following steps:

  1. Verify that Oracle Identity Manager 11.1.2.3.0 is running using the following URLs:

    http://<oim_host>:<oim_port>/sysadmin

    http://<oim_host>:<oim_port>/identity

    where

    <oim_host> is the host on which Oracle Identity Manager is running.

    <oim_port> is the port number.

  2. Verify that Oracle BI Publisher 11.1.1.9.0 is running using the following URL:

    http://<bip_host>:<bip_port>/xmlpserver

    where

    <bip_host> is the host on which Oracle BI Publisher is running.

    <bip_port> is the port number. The default HTTP port for BI Publisher is 9704, if not changed during upgrade.

  3. Use Fusion Middleware Control to verify that Oracle Identity Manager and any other Oracle Identity Management components are running in the Oracle Fusion Middleware environment.

Note:

SOA composites DefaultRequestApproval and DefaultOperationApproval are available twice with versions 1.0 and 3.0 on Oracle Enterprise Manager, after you upgrade Oracle Identity Manager 11.1.2 or 11.1.2.1.0 to Oracle Identity Manager 11.1.2.3.0. The 1.0 composites are required for processing requests generated before upgrade, or any other functionality.

10.9 Troubleshooting

For the list of common issues that you might encounter during the Oracle Identity Manager upgrade process, and their workaround, see Section 25.1, "Troubleshooting Oracle Identity Manager Upgrade Issues".

For the list of known issues related to upgrade, and their workaround, see "Upgrade and Migration Issues for Oracle Identity and Access Management" in the Oracle Fusion Middleware Release Notes for Identity Management.