7 Upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.x.x) Environments

This chapter describes how to upgrade Oracle Privileged Account Manager (OPAM) 11g Release 2 (11.1.2.2.0), 11g Release 2 (11.1.2.1.0) and 11g Release 2 (11.1.2) environments to Oracle Privileged Account Manager 11g Release 2 (11.1.2.3.0) on Oracle WebLogic Server, using the manual upgrade procedure.

Note:

If your existing Oracle Identity and Access Management environment was deployed using the Life Cycle Management (LCM) Tools, you must use the automated upgrade procedure to upgrade to Oracle Identity and Access Management 11g Release 2 (11.1.2.3.0).

For information about the automated upgrade procedure, supported starting points, and topologies, see Chapter 2, "Understanding the Oracle Identity and Access Management Automated Upgrade".

Note:

This chapter refers to Oracle Privileged Account Manager 11g Release 2 (11.1.2), 11g Release 2 (11.1.2.1.0), and 11g Release 2 (11.1.2.2.0) environments as 11.1.2.x.x.

This chapter includes the following sections:

7.1 Upgrade Roadmap for Oracle Privileged Account Manager

Table 7-1 lists the tasks to be performed to upgrade Oracle Privileged Account Manager 11.1.2.x.x to Oracle Privileged Account Manager 11.1.2.3.0.

Table 7-1 Roadmap for Upgrading Oracle Privileged Account Manager 11.1.2.x.x to 11.1.2.3.0

Sl No / Task / For More Information

1. Complete the necessary pre-upgrade tasks before you begin with the upgrade process.
   See Section 7.2, "Performing the Required Pre-Upgrade Tasks".

2. If you are upgrading Oracle Privileged Account Manager 11.1.2 to Oracle Privileged Account Manager 11.1.2.3.0, you must export the pre-upgrade data.
   If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to Oracle Privileged Account Manager 11.1.2.3.0, skip this task.
   See Section 7.3, "Exporting the Pre-Upgrade Data".

3. Stop the Administration Server and all the Managed Servers.
   See Section 7.4, "Stopping the Administration Servers and the Managed Server(s)".

4. If you are not using Oracle WebLogic Server 10.3.6, you must upgrade Oracle WebLogic Server to 10.3.6.
   See Section 7.5, "Upgrading Oracle WebLogic Server to 10.3.6".

5. Upgrade the Oracle Privileged Account Manager binaries to 11.1.2.3.0.
   See Section 7.6, "Updating Oracle Privileged Account Manager Binaries to 11.1.2.3.0".

6. Upgrade the 11.1.2.x.x Database schemas.
   See Section 7.7, "Upgrading the Database Schemas".

7. Start all the servers.
   See Section 7.8, "Start the Administration Server and the Managed Server(s)".

8. Redeploy the Oracle Privileged Account Manager Console application, Oracle Privileged Account Manager applications, and Oracle Privileged Account Manager Session Manager application.
   See Section 7.9, "Redeploying the Applications".

9. If your starting point is 11g Release 2 (11.1.2), complete the following tasks:

     1. Set up either TDE mode or non-TDE mode in the OPAM Data Store.

     2. Import the pre-upgrade data.

     3. Clear the pre-upgrade OPSS artifacts.

   If your starting point is 11g Release 2 (11.1.2.2.0) or 11g Release 2 (11.1.2.1.0), skip the above tasks.
   See Section 7.10, "Enabling TDE or Non-TDE Mode in OPAM Data Store", Section 7.11, "Importing the Pre-Upgrade Data", and Section 7.12, "Clearing Pre-Upgrade OPSS Artifacts".

10. If your starting point is 11g Release 2 (11.1.2.1.0) or 11g Release 2 (11.1.2), complete the following tasks:

     • Configure the Oracle Privileged Account Manager session manager (if required).

     • Configure the Oracle Privileged Account Manager Console application (if required).

   See Section 7.13, "Optional: Configuring the Oracle Privileged Account Manager 11.1.2.3.0 Session Manager" and Section 7.14, "Optional: Configuring Oracle Privileged Account Manager Console Application on OPAM Managed Server".

11. Verify the upgrade.
   See Section 7.15, "Verifying the Oracle Privileged Account Manager Upgrade".



7.2 Performing the Required Pre-Upgrade Tasks

Before you begin with the upgrade, you must complete the following prerequisites:

7.3 Exporting the Pre-Upgrade Data

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.3.0, you must export the pre-upgrade Oracle Privileged Account Manager data before you start the upgrade process.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.3.0, skip this task.

You must export the pre-upgrade OPAM data, such as targets, accounts, and users, before you upgrade Oracle Privileged Account Manager 11.1.2 to 11.1.2.3.0. The steps in this section describe how to export the OPAM data to an XML file. A manual export is required because the back-end data store moves from the OPSS schema to a native OPAM data store in the new version.

Use the following procedure to export the OPAM data:

  1. Set the following environment variables:

    Variable: Description
    ORACLE_HOME: Where Oracle Privileged Account Manager is installed.
    JAVA_HOME: Location of the JDK used for the WebLogic installation.

  2. Navigate to ORACLE_HOME/opam/bin.

  3. Execute the following command with all the parameters mentioned:

    On UNIX:

    ./opam.sh 
    [-url <OPAM server url>] (defaults to https://localhost:18102/opam)
    -u <user name> (the user should have OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x export -f <export xml file>
    [-encpassword <encryption/decryption password>] (provide a value for encpassword for better security)
    [-enckeylen <Key Length for encryption/decryption of password>] (defaults to 128)
    [-log <log file Location>] (defaults to opamlog_<timestamp>.txt)
    

    On Windows:

    opam.bat 
    [-url <OPAM server url>] (defaults to https://localhost:18102/opam)
    -u <user name> (the user should have OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x export -f <export xml file>
    [-encpassword <encryption/decryption password>] (provide a value for encpassword for better security)
    [-enckeylen <Key Length for encryption/decryption of password>] (defaults to 128)
    [-log <log file Location>] (defaults to opamlog_<timestamp>.txt)
    

    Note:

    If the data was exported without an encryption password, then specify this with the parameter "-noencrypt true" while importing the data.

7.4 Stopping the Administration Servers and the Managed Server(s)

The upgrade process involves changes to the binaries and to the schema. So, before you begin the upgrade process, you must shut down the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Server(s).

For information about stopping the WebLogic Administration Server and the Managed Servers, see Section 24.1.9, "Stopping the Servers".

7.5 Upgrading Oracle WebLogic Server to 10.3.6

Oracle Identity and Access Management 11.1.2.3.0 is certified with Oracle WebLogic Server 11g Release 1 (10.3.6). Therefore, if your existing Oracle Privileged Account Manager environment is using Oracle WebLogic Server 10.3.5 or any earlier version, you must upgrade Oracle WebLogic Server to 10.3.6.

Note:

If you are already using Oracle WebLogic Server 10.3.6, ensure that you apply the mandatory patches to fix specific issues with Oracle WebLogic Server 10.3.6.

To identify the required patches that you must apply for Oracle WebLogic Server 10.3.6, see "Downloading and Applying Required Patches" in the Oracle Fusion Middleware Infrastructure Release Notes.

The patches listed in the release notes are available from My Oracle Support. The patching instructions are mentioned in the README.txt file that is provided with each patch.

For information about upgrading Oracle WebLogic Server to 10.3.6, see Section 24.1.5, "Upgrading Oracle WebLogic Server to 11g Release 1 (10.3.6)".

7.6 Updating Oracle Privileged Account Manager Binaries to 11.1.2.3.0

To update Oracle Privileged Account Manager 11.1.2.x.x binaries to 11.1.2.3.0, you must use the Oracle Identity and Access Management 11.1.2.3.0 Installer. During the procedure, point the Middleware Home to your existing 11.1.2.x.x Oracle Privileged Account Manager Middleware Home. Your Oracle Home is upgraded from 11.1.2.x.x to 11.1.2.3.0.

For information about updating the Oracle Privileged Account Manager binaries to 11.1.2.3.0, see Section 24.1.6, "Updating Oracle Identity and Access Management Binaries to 11g Release 2 (11.1.2.3.0)".

7.7 Upgrading the Database Schemas

Upgrade the following schemas using the Patch Set Assistant.

  • OPAM

  • OPSS - OPSS is selected as a dependency when you select OPAM.

For information about upgrading schemas using Patch Set Assistant, see Section 24.1.4, "Upgrading Schemas Using Patch Set Assistant".

After you upgrade the OPAM and OPSS schemas, the version of the OPAM schema will be 11.1.2.3.0.

7.8 Start the Administration Server and the Managed Server(s)

After you upgrade the schemas, start the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Server(s).

For information about starting the WebLogic Administration Server and the Managed Servers, see Section 24.1.8, "Starting the Servers".

7.9 Redeploying the Applications

After you start the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Servers, you must redeploy the Oracle Privileged Account Manager console and Oracle Privileged Account Manager applications. To do this, complete the following tasks:

7.9.1 Redeploying Oracle Privileged Account Manager Console Application

Updating oinav.ear redeploys Oracle Privileged Account Manager Console application. There are two ways of updating the oinav.ear - using the WebLogic Administration console, and using the WebLogic Scripting Tool.

Redeploy Oracle Privileged Account Manager Console applications using one of the following ways:

Redeploying OPAM Console Application Using WebLogic Server Administration Console

Complete the following steps to redeploy Oracle Privileged Account Manager Console Application through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://admin_server_host:admin_server_port/console

  2. Under Domain Structure, click Deployments.

  3. Select oinav (11.1.1.3.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Redeploying OPAM Console Application Using WebLogic Scripting Tool (WLST)

Complete the following steps to redeploy Oracle Privileged Account Manager Console application through the WLST console:

  1. Run the following command to launch the WebLogic Scripting Tool (WLST) from the location MW_HOME/wlserver_10.3/common/bin:

    On UNIX: ./wlst.sh

    On Windows: wlst.cmd

  2. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  3. At the WLST prompt, run the following command:

    redeploy('oinav#11.1.1.3.0')

  4. Exit the WLST console using the exit() command.

7.9.2 Redeploying Oracle Privileged Account Manager Application

Note:

The OPAM application version number is 11.1.2.0.0 while the actual Oracle Privileged Account Manager version number should be 11.1.2.3.0.

This is not an error. The discrepancy is caused by a difference between how OPAM and Identity Access Management releases are tracked internally.

Updating opam.ear redeploys Oracle Privileged Account Manager. There are two ways of updating the opam.ear - using the WebLogic Administration console, and using the WebLogic Scripting Tool.

Redeploy Oracle Privileged Account Manager applications using one of the following ways:

Redeploying OPAM Applications Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Privileged Account Manager through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://admin_server_host:admin_server_port/console

  2. Under Domain Structure, click Deployments.

  3. Select opam (11.1.2.0.0) from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Redeploying OPAM Applications Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Privileged Account Manager through the WLST console:

  1. Run the following command to launch the WebLogic Scripting Tool (WLST) from the location MW_HOME/wlserver_10.3/common/bin:

    On UNIX: ./wlst.sh

    On Windows: wlst.cmd

  2. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  3. At the WLST prompt, run the following command:

    redeploy('opam#11.1.2.0.0')

  4. Exit the WLST console using the exit() command.

7.9.3 Redeploying Oracle Privileged Account Manager Session Manager Application

Updating opamsessionmgr.ear redeploys Oracle Privileged Account Manager Session Manager. There are two ways of updating the opamsessionmgr.ear - using the WebLogic Administration console, and using the WebLogic Scripting Tool.

Redeploy Oracle Privileged Account Manager Session Manager applications using one of the following ways:

Redeploying OPAM Session Manager Using WebLogic Server Administration Console

Complete the following steps to upgrade Oracle Privileged Account Manager Session Manager through the WebLogic Administration console:

  1. Log in to WebLogic Administration console:

    http://admin_server_host:admin_server_port/console

  2. Under Domain Structure, click Deployments.

  3. Select opamsessionmgr from the Name table.

  4. Click Update and click Finish in the Update Application Assistant screen after verifying the source path.

    Note:

    If WebLogic is running in production mode, click Lock & Edit before clicking Update.

Redeploying OPAM Session Manager Using WebLogic Scripting Tool (WLST)

Complete the following steps to upgrade Oracle Privileged Account Manager Session Manager through the WLST console:

  1. Run the following command to launch the WebLogic Scripting Tool (WLST) from the location MW_HOME/wlserver_10.3/common/bin:

    On UNIX: ./wlst.sh

    On Windows: wlst.cmd

  2. Connect to the Administration Server using the following command:

    connect('weblogic-username','weblogic-password','weblogic-url')

  3. At the WLST prompt, run the following command:

    redeploy('opamsessionmgr')

  4. Exit the WLST console using the exit() command.
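The three WLST procedures in Section 7.9 differ only in the identifier passed to redeploy(), so they can be run as one non-interactive WLST session. The following POSIX shell script is an added example and is not part of this chapter or of the Oracle product. It assumes MW_HOME is set, that wlst.sh is at the MW_HOME/wlserver_10.3/common/bin location the chapter gives, and that the WebLogic credentials were stored beforehand as a WLST user configuration file and key file pair (created with storeUserConfig() after an interactive connect()), so no password is written into the generated script. The function names, OPAM_APPS, and the file paths in the usage line are the example's own.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: batch redeployment of the
# OPAM applications listed in Section 7.9 through a single WLST run.
# Assumptions: MW_HOME is set; wlst.sh is at MW_HOME/wlserver_10.3/common/bin
# (as the chapter states); CONFIG_FILE and KEY_FILE are a WLST user
# configuration and key file pair created earlier with storeUserConfig().

# Application identifiers exactly as the chapter passes them to redeploy().
OPAM_APPS='oinav#11.1.1.3.0 opam#11.1.2.0.0 opamsessionmgr'

# wlst_redeploy_script ADMIN_URL CONFIG_FILE KEY_FILE
# Prints a WLST (Jython) script that connects with the encrypted credential
# files instead of a literal password, redeploys every application in
# OPAM_APPS in the order the chapter uses, and exits.
wlst_redeploy_script() {
  url=$1 cfg=$2 key=$3
  printf "connect(userConfigFile='%s', userKeyFile='%s', url='%s')\n" "$cfg" "$key" "$url"
  for app in $OPAM_APPS; do
    printf "print 'redeploying %s'\n" "$app"
    printf "redeploy('%s')\n" "$app"
  done
  printf 'exit()\n'
}

# run_opam_redeploy ADMIN_URL CONFIG_FILE KEY_FILE
# Writes the generated script to a private temporary file (mktemp creates it
# owner-only), runs it with the wlst.sh the chapter names, and removes it.
# Returns 1 when MW_HOME or the credential files are unusable, otherwise the
# exit status of wlst.sh.
run_opam_redeploy() {
  : "${MW_HOME:?MW_HOME must be set}"
  [ -r "$2" ] && [ -r "$3" ] || { echo "run_opam_redeploy: credential files not readable" >&2; return 1; }
  script=$(mktemp) || return 1
  wlst_redeploy_script "$@" > "$script"
  "$MW_HOME/wlserver_10.3/common/bin/wlst.sh" "$script"
  rc=$?
  rm -f "$script"
  return $rc
}

# Usage (paths are placeholders for this example):
#   MW_HOME=/u01/Middleware \
#   run_opam_redeploy t3://adminhost.example.com:7001 ~/.wlst/opam.cfg ~/.wlst/opam.key
```

If a redeploy() call fails, WLST stops at that statement and the remaining applications are left as they were, so rerun the script after fixing the cause rather than continuing with the next application by hand. Keep the user configuration and key files readable by the administrator account only; together they are equivalent to the WebLogic administrator password.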

7.10 Enabling TDE or Non-TDE Mode in OPAM Data Store

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.3.0, you must enable TDE or non-TDE mode in the Oracle Privileged Account Manager data store.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.3.0, skip this task.

Oracle Privileged Account Manager can operate with Oracle Database TDE (Transparent Data Encryption) mode. You can choose to either enable or disable the TDE mode. Oracle strongly recommends enabling TDE mode for enhanced security. Depending upon which mode you wish to enable, complete one of the following tasks:

7.10.1 Configuring TDE Mode in Data Store

To enable TDE mode in Oracle Privileged Account Manager data store, complete the following steps:

  1. Enabling TDE in the Database

  2. Enabling Encryption in OPAM Schema

7.10.1.1 Enabling TDE in the Database

For information about enabling Transparent Data Encryption (TDE) in the database for Oracle Privileged Account Manager, see "Enabling Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide.

For more information, see "Securing Stored Data Using Transparent Data Encryption" in the Oracle Database Advanced Security Administrator's Guide.

After enabling TDE in the database for Oracle Privileged Account Manager, you must enable encryption in OPAM schema, as described in "Enabling Encryption in OPAM Schema" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

7.10.1.2 Enabling Encryption in OPAM Schema

To enable encryption in the OPAM schema, run the opamxencrypt.sql script with the OPAM schema user, using sqlplus or any other client.

IAM_HOME/opam/sql/opamxencrypt.sql

Example:

sqlplus DEV_OPAM/welcome1 @IAM_HOME/opam/sql/opamxencrypt.sql

7.10.2 Configuring Non-TDE Mode in Data Store

Note:

This step is only necessary if you did not enable TDE as described in Section 7.10.1, "Configuring TDE Mode in Data Store".

While it is not recommended, if non-TDE mode is required by the user, the flag "tdemode" must be set to false. For more information, see "Setting Up Non-TDE Mode" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.

Caution:

Oracle recommends that you always use Transparent Data Encryption (TDE). Without TDE, your data is not secure.

For more information on switching between the two modes, see "Securing Data On Disk" in the Oracle Fusion Middleware Administrator's Guide for Oracle Privileged Account Manager.

7.11 Importing the Pre-Upgrade Data

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.3.0, you must import the pre-upgrade Oracle Privileged Account Manager data after you upgrade to 11.1.2.3.0.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.3.0, skip this task.

To import the pre-upgrade OPAM data, do the following:

  1. Set the following environment variables:

    Variable: Description
    ORACLE_HOME: Where Oracle Privileged Account Manager is installed.
    JAVA_HOME: Location of the JDK used for the WebLogic installation.

  2. Navigate to ORACLE_HOME/opam/bin.

  3. Execute the opam.sh script with the following parameters:

    ./opam.sh 
    -url <OPAM server url> (defaults to https://localhost:18102/opam)
    -u <user name> (the user should have OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER roles)
    -p <password>
    -x import -f <import xml file>
    -encpassword <encryption/decryption password> 
    -enckeylen <Key Length for encryption/decryption of password> (Defaults to 128)
    -log <log file Location> (defaults to opamlog_<timestamp>.txt)
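The export in Section 7.3 and the import in this section call opam.sh with the same parameters, so one wrapper serves both. The following POSIX shell script is an added example and is not part of this chapter or of the opam.sh tool. It assumes the parameters exactly as the chapter lists them and ORACLE_HOME and JAVA_HOME set as step 1 requires; the function name opam_data and the switches OPAM_DRY_RUN and OPAM_ALLOW_PLAIN belong to the example only. It refuses to build an unencrypted export or import unless explicitly told to, because the XML file holds the credentials of every account OPAM manages, and it creates the XML file and log owner-readable only.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: wrapper for the opam.sh
# export (Section 7.3) and import (Section 7.11) of pre-upgrade OPAM data.
# Assumptions: opam.sh takes the parameters listed in the chapter; ORACLE_HOME
# and JAVA_HOME are set; OPAM_DRY_RUN and OPAM_ALLOW_PLAIN are switches of this
# wrapper only.

# opam_data ACTION XMLFILE USER PASSWORD ENCPASSWORD [URL]
#   ACTION       export or import
#   XMLFILE      the export file to write, or the import file to read
#   USER         an OPAM user holding OPAM_SECURITY_ADMIN and OPAM_USER_MANAGER
#   PASSWORD     that user's password
#   ENCPASSWORD  password protecting the account secrets in XMLFILE; empty means
#                unencrypted, which is refused unless OPAM_ALLOW_PLAIN=1
#   URL          OPAM server URL (defaults to the chapter's default)
# With OPAM_DRY_RUN=1 the command is printed one argument per line and not run.
# Returns 2 for an unknown action and 3 for a refused unencrypted run.
opam_data() {
  action=$1 xmlfile=$2 user=$3 password=$4 encpass=$5
  url=${6:-https://localhost:18102/opam}
  case $action in
    export|import) ;;
    *) printf 'opam_data: unsupported action "%s"\n' "$action" >&2; return 2 ;;
  esac
  if [ -z "$encpass" ] && [ "${OPAM_ALLOW_PLAIN:-0}" != 1 ]; then
    printf 'opam_data: refusing %s of %s without an encryption password\n' \
      "$action" "$xmlfile" >&2
    return 3
  fi
  # The positional parameters are reused as the argument list (POSIX sh has no arrays).
  set -- -url "$url" -u "$user" -p "$password" -x "$action" -f "$xmlfile" \
         -log "$xmlfile.log"
  if [ -n "$encpass" ]; then
    set -- "$@" -encpassword "$encpass" -enckeylen 128
  elif [ "$action" = import ]; then
    # Section 7.3 note: data exported without an encryption password must be
    # imported with "-noencrypt true".
    set -- "$@" -noencrypt true
  fi
  if [ "${OPAM_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' ./opam.sh "$@"
    return 0
  fi
  : "${ORACLE_HOME:?ORACLE_HOME must be set}" "${JAVA_HOME:?JAVA_HOME must be set}"
  # Run from ORACLE_HOME/opam/bin as step 2 requires. umask 077 makes the XML
  # export and the log file readable by the owner only.
  ( umask 077 && cd "$ORACLE_HOME/opam/bin" && exec ./opam.sh "$@" )
}

# Usage (export before the upgrade, import after it; paths are placeholders):
#   opam_data export /secure/opam-pre-upgrade.xml opamadmin "$OPAM_PW" "$EXPORT_PW"
#   opam_data import /secure/opam-pre-upgrade.xml opamadmin "$OPAM_PW" "$EXPORT_PW"
```

Because opam.sh takes the user password with -p, the password is visible in the process table to other local users while the tool runs; run the script on a host where only administrators have shell access and use a dedicated account for the migration. The export file is the most sensitive artifact the upgrade produces, so keep it on protected storage and delete it once Section 7.15 has confirmed that the imported targets, accounts, and grants are present.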
    

7.12 Clearing Pre-Upgrade OPSS Artifacts

If you are upgrading Oracle Privileged Account Manager 11.1.2 to 11.1.2.3.0, you must clear the pre-upgrade OPSS artifacts after you upgrade to 11.1.2.3.0.

Note:

If you are upgrading Oracle Privileged Account Manager 11.1.2.1.0 to 11.1.2.3.0, skip this task.

To clear the OPSS artifacts of the pre-upgrade instance, do the following:

On UNIX:

$ORACLE_HOME/common/bin/wlst.sh $ORACLE_HOME/opam/config/clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> t3://<adminserver-host>:<adminserver-port>

On Windows:

%ORACLE_HOME%\common\bin\wlst.cmd %ORACLE_HOME%\opam\config\clean-opss.py <WebLogic Administrator Username> <WebLogic Administrator Password> t3://<adminserver-host>:<adminserver-port>

7.13 Optional: Configuring the Oracle Privileged Account Manager 11.1.2.3.0 Session Manager

If you are upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.2.0) to 11.1.2.3.0, this step is not required.

If you wish to configure the Oracle Privileged Account Manager 11.1.2.3.0 session manager, complete the following steps:

  1. Stop the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Servers.

    For information about stopping the servers, see Section 7.4, "Stopping the Administration Servers and the Managed Server(s)".

  2. Run the WLST script configureSessionManager.py, located in ORACLE_HOME/opam/tools, with wlst.sh (or wlst.cmd on Windows) as shown in the following example:

    On UNIX:

    ./wlst.sh ORACLE_HOME/opam/tools/configureSessionManager.py -d <Path_to_WebLogic_Domain_Directory> -o <Path_to_Oracle_Home_Directory>

    On Windows:

    wlst.cmd ORACLE_HOME\opam\tools\configureSessionManager.py -d <Path_to_WebLogic_Domain_Directory> -o <Path_to_Oracle_Home_Directory>

7.14 Optional: Configuring Oracle Privileged Account Manager Console Application on OPAM Managed Server

If you are upgrading Oracle Privileged Account Manager 11g Release 2 (11.1.2.2.0) to 11.1.2.3.0, this step is not required.

If you wish to configure Oracle Privileged Account Manager Console application on the Oracle Privileged Account Manager Managed Server, complete the following steps:

  1. Stop the WebLogic Administration Server and the Oracle Privileged Account Manager Managed Server(s). For information about stopping the servers, see Section 24.1.9, "Stopping the Servers".

  2. Run the following WLST command from the location MW_HOME/oracle_common/common/bin:

    On UNIX:

    ./wlst.sh ORACLE_HOME/opam/tools/configureOPAMConsole.py -d DOMAIN_HOME -o ORACLE_HOME

    On Windows:

    wlst.cmd ORACLE_HOME\opam\tools\configureOPAMConsole.py -d DOMAIN_HOME -o ORACLE_HOME

7.15 Verifying the Oracle Privileged Account Manager Upgrade

Verify the Oracle Privileged Account Manager upgrade by doing the following:

  1. Log in to the Oracle Privileged Account Manager 11.1.2.3.0 console using the following URL:

    http://adminserver_host:adminserver_port/oinav/opam

    If you have configured Oracle Identity Navigator on the Oracle Privileged Account Manager Managed Server, you can also use the following URL to log in to the Oracle Privileged Account Manager 11.1.2.3.0 console:

    http://opamserver_host:opamserver_nonssl_port/oinav/opam

  2. Verify that the pre-upgrade data, targets, accounts, grants are present, and working as expected.