21 Moving From Test to Production

Configurations and customizations in Oracle Identity Manager can be migrated from one deployment to another deployment. For example, you might want to migrate the configurations and customizations from a test environment to a production environment. This is referred to as Test to Production (T2P).

T2P can be performed in the following ways:

  • Incremental T2P: In this type of T2P, you use the Deployment Manager tool for exporting and importing Oracle Identity Manager configurations and customizations. This is used when target/production setup is already configured and you want to move certain specific artifacts/configuration incrementally into the target setup.

  • Full T2P: Fusion Middleware Framework-based movement scripts are used for this type of T2P. These scripts move all the properties of an environment to another environment, except the environment-specific attributes, which can be reconfigured. The full T2P process is done when you want to create a new production/target setup out of a test/source setup. During this process, all transactional and instance-specific data, such as users, provisioned/reconciled accounts, request data, reconciliation data, and audit data, is not moved to the production setup; the rest of the configuration and data is moved and made available for use on the target setup.

    Note:

    Movement scripts support only Oracle WebLogic Application Server, and full T2P of Oracle Identity Manager on other application servers is not supported.

This chapter describes T2P in the following sections:

21.1 Migrating Incrementally Using the Deployment Manager

The Deployment Manager is a tool for exporting and importing Oracle Identity Manager configurations. Usually, you use the Deployment Manager to migrate a configuration from one deployment to another, for example, from a test to a production deployment, or to create a backup of your system.

Important:

To use Deployment Manager, JRE 1.4.2 or a higher version must be installed on any computer that is running the Oracle Identity System Administration.

You can save some or all of the objects in your configuration. This lets you develop and test your configurations in a test environment, and then import the tested objects into your production environment. You can export and import an object and all of its dependent and related objects at the same time. Alternatively, you can export and import each object individually.

The Deployment Manager allows you to retrieve configuration information and binary data from the source system, store the information in an XML file, and then import the information from the XML file to the target system. The binary data includes plug-ins, JARs, and custom resource bundles.

An object exported from one type of repository is imported to the same type of repository.

Note:

In addition to the Deployment Manager, you can use the sandbox feature to migrate configurations and customizations from one deployment to another. See "Managing Sandboxes" in Developing and Customizing Applications for Oracle Identity Manager for information about working with sandboxes.

This section includes the following topics:

Note:

Importing and exporting deployments by using the Deployment Manager can only be performed by the System Administrator.

21.1.1 Features of the Deployment Manager

The Deployment Manager helps you to migrate Oracle Identity Manager deployments from one server environment to another, such as from a testing environment to a staging environment, or from a staging environment to a production environment.

The Deployment Manager enables you to:

  • Update individual components of a deployment in different test environments

  • Identify objects associated with components to be exported, so that those resources can be included

  • Provide information about exported files

  • Add comments

The Deployment Manager handles the following types of configuration artifacts:

  • Access policies

  • Admin roles

  • Application instances

  • Approval policies

  • Attestation processes

  • Catalog metadata

  • Certification configurations

  • Certification definitions

  • Custom resource bundles

  • E-mail definitions

  • Error codes

  • Event handlers

  • Generic Technology Connectors (GTC)

  • GTC providers

  • Identity Audit configuration

  • Identity Audit rules

  • Identity Audit scan definitions

  • IT resource definition

  • IT resources

  • JAR files

  • Lookup definitions

  • Notification templates

  • Organization metadata

  • Organizations

  • Password policies

  • Policies

  • Plug-ins

  • Prepopulation adapters

  • Process definitions

  • Process forms

  • Provisioning workflows and process task adapters

  • Request datasets

  • Resource objects

  • Risk configuration

  • Role metadata

  • Roles

  • Scheduled jobs

  • Scheduled tasks

  • System properties

  • User metadata

Note:

  • On the source, the following artifacts that are being exported might contain references to specific users, roles, application instances, entitlements, or organizations:

    • Certification definitions

    • Policies

    • Identity Audit configurations

    • Identity Audit scan definitions

    These specific references are scrubbed while the artifacts are exported and then imported on the target setup. On the target, the artifact must be opened and updated to select these entities on the target. The artifacts cannot be used unless they are updated, and will result in errors if used without updating. Any artifact that is generic and does not contain specific references can be used as it is after importing. For example, the remediator name for an Identity Audit policy is scrubbed during export and must be reselected in the target environment.

  • All rules other than Identity Audit rules are exported and imported implicitly with their policy by using policy export/import, and cannot be exported/imported independently because they exist only together with their policy.

The following are limitations of the Deployment Manager:

  • Merge Utility: The Deployment Manager is not a merge utility.

    It cannot handle modifications done in both production and test environments. It replaces the object in the target system with that in the XML file.

  • Version Control Utility: The Deployment Manager does not track versions of imported files, and does not provide rollback functionality.

    You can only use it as a means to move data between environments.

21.1.2 Exporting Deployments

You can export objects from your Oracle Identity Manager system and save them in an XML file. The Deployment Manager has an Export Wizard that lets you create your export file. Add objects by type, one type at a time, for example, roles, then forms, then processes, and so on.

Note:

Application instances are exported and imported without the datasets. The datasets are migrated as a part of UI customization.

If you select an object that has child objects or dependencies, you have the option to add them or not. After adding objects of one type, you can go back and add other objects to your XML files. When you have all the objects you want, the Deployment Manager saves them all at once in a single XML file.

Note:

When user-defined fields are associated with a specific resource object, during the export process one of the following events can occur:

  • If the user-defined fields contain values (entered information), then the Deployment Manager will consider them to be dependencies.

  • If the user-defined fields contain no values (the fields are blank), then the Deployment Manager will not consider them to be dependencies.

To export a deployment:

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under System Management, click Export. The Deployment Manager opens and the Search Objects page of the Export Wizard is displayed.

    Note:

    • To open the Deployment Manager by using Mozilla Firefox Web browser, an additional authentication dialog box might be displayed. Providing authentication in this dialog box allows access to the Deployment Manager. To avoid this additional authentication:

      1. In Mozilla Firefox Web browser, from the Tools menu, select Options. The Options dialog box is displayed.

      2. Click Privacy.

      3. Select the Accept third-party cookies option.

      4. Click OK.

      The additional authentication is not required when the Deployment Manager is opened by using Microsoft Internet Explorer, Google Chrome, and Apple Safari web browsers.

    • Apple Safari web browser overrides the applet security settings to impose restrictions on unsafe behavior, which stops any file reads/writes by applets. Therefore, run the applet in unsafe mode.

  3. On the Search Objects page, select an object type from the menu, and enter search criteria. If you leave the criteria field blank, an asterisk (*) is displayed automatically to find all the objects of the selected type.

    All the objects supported by Deployment Manager for migration are available for exporting. See "Features of the Deployment Manager" for the list of objects supported by Deployment Manager for migration.

  4. Click Search to find objects of the selected type.

    To select an object, select the option of the object.

  5. Click Select Children.

    The Select Children page is displayed with the selected objects and all of their child objects.

  6. Select the child objects that you want to export.

    To select or remove an item, select the appropriate option.

    Click Back to go to the Search Objects page.

  7. Click Select Dependencies.

    The Select Dependencies page is displayed with any objects required by the selected objects.

  8. Select the dependent objects that you want to export.

    To select or remove an item, select the option of the item.

    Click Back to go to the Select Children page.

  9. Click Confirmation.

    The Confirmation page is displayed.

  10. Ensure that all the required items are selected, then click Add for Export.

    After you click Add for Export, you can still add more items to this export file.

    Select Add More and click OK to go to Search Objects Page to add more objects for export.

  11. Use the wizard to add more items, or finish and exit the wizard. Select the appropriate option and click OK.

    If you select Add more, repeat Steps 3 through 10. Otherwise, the Export page is displayed.

    The Export page displays your current selections for export. Your selections have icons next to them that indicate what types of objects are selected. The Summary information pane shows the objects you are exporting. The Unselected Dependencies pane displays the list of dependent or child objects that you did not select for export.

  12. Make any adjustments to your export file as follows:

    • Click Reset to clear the form.

    • Click Legend to see icon definitions.

    • Click Add Objects to restart the wizard and add more items to your export file.

    To remove an object from the Current Selections list:

    • Right-click the object to remove and select Remove from the shortcut menu. If the object has child objects, then select Remove including children from the shortcut menu to remove the child objects all at the same time.

    • Click Remove to confirm. If the object is a child or dependency of a selected item, then it is added to the Unselected Children or Unselected Dependencies list.

    To add an object back to the Current Selections list from the Unselected Children or Unselected Dependencies list,

    1. Right-click the object, and select Add.

    2. Click Confirmation.

      The Confirmation page is displayed.

    3. Click Add for Export.

  13. Click Export.

    The Add Description dialog box is displayed.

  14. Enter a description for the file.

    This description is displayed when the file is imported.

  15. Click Export.

    The Save As dialog box is displayed.

  16. Enter a file name.

    You can browse to find a location.

  17. Click Save.

    The Export Success dialog box is displayed.

  18. Click Close.

21.1.3 Importing Deployments

Objects that were exported into an XML file by using the Deployment Manager can be imported into Oracle Identity Manager by using the Deployment Manager. You can import all or part of the XML file, and you can import multiple XML files at once. The Deployment Manager ensures that the dependencies for any objects you are importing are available, either in the import or in your system. During an import, you can substitute an object you are importing for one in your system. For example, you can substitute a group specified in the XML file for a group in your system.

Note:

  • If a user belongs to a group to which the Import menu item has been assigned, then that user must also have the necessary permissions for the objects that the user wants to import. Without these object-specific permissions, the Import operation fails. The user must be a Deployment Manager Administrator to be able to see the Deployment Manager menu items on the UI, based on the menu permissioning model.

  • When more than 1000 resources, process definitions, parent forms, child forms, access policies, roles, and rules are imported by using the Deployment Manager, the size of the EIF table increases. The data can be truncated from this table by running a simple SQL query such as Delete from EIF.

To import an XML file:

Note:

Before importing data that contains references to menu items, you must first create the menu items in the target system.

  1. Login to Oracle Identity System Administration.

  2. In the left pane, under System Management, click Import. The Deployment Manager opens.

    If another import from any other session is in progress, then a dialog box is displayed stating that the Deployment Manager import utility is currently used by another user. Click Get Lock to start the import process.

    Note:

    To open the Deployment Manager by using Mozilla Firefox Web browser, an additional authentication dialog box might be displayed. Providing authentication in this dialog box allows access to the Deployment Manager. To avoid this additional authentication:

    1. In Mozilla Firefox, from the Tools menu, select Options. The Options dialog box is displayed.

    2. Click Privacy.

    3. Select the Accept third-party cookies option.

    4. Click OK.

    The additional authentication is not required when the Deployment Manager is opened by using Microsoft Internet Explorer, Google Chrome, and Apple Safari Web browsers.

  3. Select a file.

    The Import dialog box is displayed.

  4. Click Open.

    The File Preview page is displayed.

  5. Click Add File.

    The Substitutions page is displayed.

  6. To substitute a name, click the New Name field adjacent to the item you want to replace, and enter the name.

    You can substitute only items that exist in the target system.

  7. Click Next. If you are importing an IT resource instance, then the Provide IT Resource Instance Data page is displayed. Otherwise, you are redirected to the Confirmation page.

  8. Modify the values in the current resource instance and click Next, or click Skip to skip the current resource instance, or click New Instance to create a new resource instance.

    The Confirmation page is displayed.

  9. Confirm that the information displayed on the Confirmation page is correct.

    To go back and make changes, click Back, or click View Selections.

    The Deployment Manager Import page displays your current selections.

    The Import page also displays icons next to your current selections. The icons indicate what types of objects are selected. The icons on the right indicate the status of your selections. The file names of any selected files, summary information about the objects you are importing, and substitution information are displayed on the left side of the page. On the right, the Objects Removed from Import list displays any objects in the XML file that will not be imported.

  10. Make any of the following adjustments:

    • Click Reset to clear the form.

    • Click Legend to see icon definitions.

    • To remove an object from the Current Selections list, right-click the object, select Remove from the shortcut menu, and then click Remove to confirm that you want to remove the object.

      If the object has child objects, then select Remove including children from the shortcut menu to remove all the child objects at the same time. The item is added to the Objects Removed From Import list.

    • To add an item back to the Current Selections list, right-click the list, and click Add.

      If the object has child objects, then select Add including children from the shortcut menu to add all the child objects at the same time.

    • To make substitutions, click Add Substitutions.

    • To add objects from another XML file, click Add File and repeat Steps 3 through 9.

    • Click Show Information to see information about your import.

      The Information page is displayed.

      To see more information, select the Show Info Level Messages option, and then click Show Messages. Click Close to close the Information page.

  11. To import the current selections, click Import.

    A confirmation dialog box is displayed.

  12. Click Import.

    The Import Success dialog box is displayed.

  13. Click OK.

    The objects are imported into Oracle Identity Manager.

21.1.4 Best Practices Related to Using the Deployment Manager

The following are some of the suggested practices and pitfalls to avoid while using the Deployment Manager:

21.1.4.1 Do Not Export System Objects

You should export or import system objects, for example, Request, Xellerate User, and System Administrator, only when it is absolutely necessary. Exporting system objects from the testing and staging environments into production can cause problems. If possible, exclude system objects when exporting or importing data.

You may want to export or import system objects when, for example, you define trusted source reconciliation on Xellerate User resource objects.

Caution:

The Deployment Manager keeps track of imported components and structures, but not of completed imports. After an import is completed, you cannot roll it back to a previous version. A new import is required.

21.1.4.2 Exporting Related Groups of Objects

Oracle recommends that you use the Deployment Manager to export sets of related objects. A unit of export should be a collection of logical items that you want to group together.

Avoid exporting everything in the database in one operation, or exporting items one at a time. For example, suppose that you manage an integration between Oracle Identity Manager and a target system that includes processes, resource objects, adapters, IT resource type definitions, IT resource definitions, scheduled tasks, and so on. For this environment, you should create groups of related objects before exporting.

For example, if you use the same e-mail definitions in multiple integrations, you should export the e-mail definitions as one unit, and the integrations as a different unit. This enables you to import changes to e-mail definitions independently of target system integration changes. Or, if multiple resources use the same IT resource type definition, you can export and import the type definition separately from other data.

You can import one or more sets of exported data at a time. For example, you can import a resource object definition, an e-mail definition, and an IT resource type definition in a single operation.

21.1.4.3 Using Logical Naming Conventions for Versions of a Form

You often revise forms multiple times before exporting them. Avoid generic names, for example, "v23," to differentiate among versions of a form. Create meaningful names, for example, "Before Production" or "After Production Verification." Do not use special characters, including double quotation marks, in version names.

21.1.4.4 Exporting Root to Preserve a Complete Organizational Hierarchy

When you export a leaf or an organization in an organizational hierarchy, only one dependency level is exported. To export a complete organizational hierarchy, you must export the root of the hierarchy.

21.1.4.5 Providing Clear Export Descriptions

The Deployment Manager records some information automatically, for example, the date of the export, who performed the export, and the source database. You must also provide a meaningful description of the content of the export, for example, "resource definition after xxx attributes added in reconciliation." This informs the importer of the file of the contents of the data being imported.

21.1.4.6 Checking All Warnings Before Importing

When importing information to the production environment, check all the warnings before completing the import operation. Treat each warning seriously.

21.1.4.7 Checking Dependencies Before Exporting Data

The wizard in the top right pane shows resources that must be available in the target system.

Consider the following types of dependencies:

  • If the resources are already available in the target system, they do not need to be exported.

  • If the resources are new (not in the target system), they must be exported.

  • If the target system does not include the resources, such as lookups, IT resource definitions, or others that are reused, then record the data and export it in a separate file so it can be imported if necessary.

Note:

When you export a resource, groups with Data Object permissions on that form are not exported with the resource.

21.1.4.8 Matching Scheduled Task Parameters

Scheduled tasks depend on certain parameters to run properly. You can import scheduled task parameters to the production server. Table 21-1 shows the rules for determining how to import scheduled tasks. Note that parameters may be available for tasks that no longer reside on the target system.

Table 21-1 Parameter Import Rules

Parameter Exists in Target System | Parameter Exists in the XML File | Action Taken
Yes | No  | Remove the parameter from the target system.
No  | Yes | Add the parameter and current value from the XML file.
Yes | Yes | Use the more recent value of the parameter.


21.1.4.9 Deployment Manager Actions on Reimported Scheduled Tasks

A scheduled task is one of the objects that you can import by using the Deployment Manager. Typically, you import a scheduled task into your Oracle Identity Manager environment and later change the values of the scheduled attributes to meet your production requirements. However, if you import the same scheduled task a second time into the same Oracle Identity Manager server, the Deployment Manager does not overwrite the attribute values in the database. Instead, the Deployment Manager compares the attribute value of the reimported XML file to any corresponding attribute values in the database.

The following table summarizes the actions performed by the Deployment Manager during a scheduled task re-import:

Does the Scheduled Task have attribute values in the XML file being imported? | Are there any corresponding attribute values in the database? | Deployment Manager Action
Yes | No  | Store attribute values in the database
No  | Yes | Delete existing attribute values in the database
Yes | Yes (newer attribute values, indicated by time stamp) | No change in the database
Yes (newer attribute values, indicated by time stamp) | Yes | Update the database with the new attribute values
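The parameter import rules of Table 21-1 and the scheduled task re-import rules above are the same four-row decision, applied per parameter. The following is an added example, not Oracle's code, that expresses that decision as a merge over two parameter maps; the parameter names, values and timestamps are constructed sample data, and the tie-breaking on equal timestamps is an assumption, since the documentation does not specify it.

```python
# Added example (not Oracle's code): the decision rules of Table 21-1 and the
# scheduled-task re-import table, expressed as a merge over parameter maps.
# Parameter names, values and timestamps below are constructed sample data.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ParamValue:
    """A scheduled-task parameter value and the time it was last set."""
    value: str
    updated_at: datetime


Decision = Tuple[str, Optional[ParamValue]]


def decide(target: Optional[ParamValue], xml: Optional[ParamValue]) -> Decision:
    """Apply the four rows of the import rules to one parameter.

    Returns (action, resulting value). The actions map onto the two tables as:
      'remove' -> remove from the target / delete existing attribute values
      'add'    -> add from the XML file / store attribute values
      'update' -> use the newer XML value / update the database
      'keep'   -> use the newer target value / no change in the database
    """
    if target is not None and xml is None:
        return "remove", None
    if target is None and xml is not None:
        return "add", xml
    if target is None and xml is None:
        return "keep", None
    # Both sides have the parameter: the more recent value wins. The documentation
    # does not say how equal timestamps are resolved; this example (an assumption)
    # keeps the target's value on a tie.
    if xml.updated_at > target.updated_at:
        return "update", xml
    return "keep", target


def merge_parameters(target: Dict[str, ParamValue],
                     xml: Dict[str, ParamValue]) -> Dict[str, Decision]:
    """Decide every parameter present on either side, in name order."""
    names = sorted(set(target) | set(xml))
    return {name: decide(target.get(name), xml.get(name)) for name in names}


def apply_merge(target: Dict[str, ParamValue],
                xml: Dict[str, ParamValue]) -> Dict[str, ParamValue]:
    """The parameter set the target would hold after the import."""
    return {name: val
            for name, (_, val) in merge_parameters(target, xml).items()
            if val is not None}


# --- constructed sample data ---------------------------------------------
T_OLD = datetime(2024, 1, 10, 9, 0)
T_MID = datetime(2024, 2, 1, 9, 0)
T_NEW = datetime(2024, 3, 5, 9, 0)

TARGET_PARAMS = {
    "Batch Size": ParamValue("500", T_OLD),     # XML copy is newer -> update
    "Retry Count": ParamValue("3", T_NEW),      # target copy is newer -> keep
    "Legacy Flag": ParamValue("true", T_OLD),   # absent from XML -> remove
}
XML_PARAMS = {
    "Batch Size": ParamValue("1000", T_MID),
    "Retry Count": ParamValue("5", T_MID),
    "Lookup Name": ParamValue("Lookup.Example", T_MID),  # absent from target -> add
}


def sample_decisions() -> Dict[str, str]:
    """Action per parameter for the sample data (used by the demo below)."""
    return {name: action
            for name, (action, _) in merge_parameters(TARGET_PARAMS, XML_PARAMS).items()}


if __name__ == "__main__":
    for name, (action, val) in merge_parameters(TARGET_PARAMS, XML_PARAMS).items():
        print(f"{name:12} {action:7} {'' if val is None else val.value}")
```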

21.1.4.10 Compiling Adapters and Enabling Scheduled Tasks

After an import operation, the adapters are set to recompile and the scheduled tasks are disabled. After importing the classes and adjusting the task attributes, manually recompile the adapters and enable the scheduled tasks.

21.1.4.11 Checking Permissions for Roles

When you export roles, the role permissions on different data objects are also exported. However, when you import data, any permissions for missing data objects are ignored. If the role is exported as a way of exporting role permission setup, then check the warnings carefully to ensure that permission requirements are met. For example, if a role has permissions for objects A, B, and C, but the target system only has objects A and B, the permissions for object C are ignored. If object C is added later, the role permissions for C must be added manually, or the role must be imported again.

When you export roles that have permissions for viewing certain reports, ensure that the reports exist in the target environment. If the reports are missing, then consider removing the permissions before exporting the role.

21.1.4.12 Creating a Backup of the Database

Before you import data into a production environment, back up the database. This enables you to restore the data if anything goes wrong with the import. Backing up the database is always a good precaution before making significant changes.

Note:

When you import forms and user-defined fields, you add entries to the database. These database entries cannot be rolled back or deleted. Before each import operation, ensure that the correct form version is active.

21.1.4.13 Importing Data When the System Is Quiet

You cannot complete an import operation in a single transaction because it includes schema changes. These changes affect currently running transactions on the system. To limit the effect of an import operation, temporarily disable the Web application for general use and perform the operation when the system has the least activity, for example, overnight.

21.1.4.14 Exporting and Importing Data in Bulk

The Deployment Manager is not a tool for data movement or migration of large volumes of data. Use your judgement while using the Deployment Manager to export/import objects. Entities, such as users, organizations, and roles, must be exported/imported by using other bulk tools, especially when the data volume is large.

In addition, ensure that users, roles, and organizations are always loaded and/or synchronized before moving configuration objects, such as policies, rules, application instances, and connector configuration, to avoid exporting/importing them as dependencies.

Note:

When exporting/importing large volumes of data, timeouts can occur in the UI.

21.1.4.15 Exporting Entity Publications

When exporting/importing an entity by using the Deployment Manager, any publication previously associated to the entity is removed, and no publication is assigned by default if you do not export the publication. For example, when you import an admin role that is published to an organization in the source environment, the admin role's publication information is lost in the target environment. Therefore, you must import the entity publication along with the admin role.

21.1.5 Troubleshooting the Deployment Manager

This section contains the following topics:

21.1.5.1 Troubleshooting Deployment Manager Issues

While importing data by using the Deployment Manager, the following information is displayed on the UI for an import failure:

  • The entity for which the import failed

  • The type of the entity for which the import failed

  • The specific error message from the exception object

This information is also printed in logs along with the exception trace.

Figure 21-1 shows a sample error message that is displayed when Deployment Manager import fails.

Figure 21-1 Deployment Manager Import Failure


This helps the user identify which entity is causing the failure and why; the user can then try removing that particular entity and importing again if it does not need to be imported on the target system. It also helps the support team and developers identify the issue if it happens.

Table 21-2 lists the troubleshooting steps that you can perform if you encounter a failure:

Table 21-2 Troubleshooting Deployment Manager

Problem: In Oracle Identity Manager 11g Release 2 (11.1.2.3.0), a scheduled job has a dependency on a scheduled task. Therefore, the scheduled task must be imported before the scheduled job. As a result, if an XML file has scheduled job entries before the scheduled task entries, then importing the XML file by using the Deployment Manager fails with the following error message:

[exec] Caused By: oracle.iam.scheduler.exception.SchedulerException: InvalidScheduleTask definition
[exec] com.thortech.xl.ddm.exception.DDMException

Solution: Open the XML file and move all scheduled task entries above the scheduled job entries.

Problem: Deployment Manager export fails for any object. The user is prompted with the Export Failed dialog box, and no exception is found in the server log.

When you look at the JRE console, you can see the following:

java.security.AccessControlException: access denied (java.io.FilePermission PATH_AND_NAME_OF_THE_FILE)

Solution: Perform the following steps:

  1. Modify your java.policy in the JRE_HOME/lib/security/ directory.

  2. Replace the existing policy file content with the following:

    grant{
    permission java.security.AllPermission;
    };
    
  3. Restart the browser to load the policy again. You can now export the data.

Problem: The following error occurs while importing an XML file:

Caused by:
oracle.iam.reconciliation.exception.ConfigException: Profile :Xellerate User InvalidAttributes : 

Solution: Perform any one of the following:

  • Remove the attribute on which the error is generated from the XML, and then try importing.

  • Create the missing UDF or other attributes by using the configuration service, and then retry the import.

  • Export the UDF shown as a missing dependency. Import this UDF first before importing the current XML.

Problem: Importing an approval policy might result in the following error:

weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid:
f9e72ab2a292a346:-188377b2:12f96ae9676:-8000-0000000000000047,0] [APP:
oim#11.1.1.3.0] Exception thrown {0}[[
oracle.iam.platform.entitymgr.ProviderException: USER_NOT_FOUND

Solution: An approval policy rule is invalid if it points to an entity (user or organization) that does not exist in Oracle Identity Manager. These invalid approval rules must be corrected to point to a valid entity (user or organization) before the import.

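The AllPermission grant in the java.policy solution of Table 21-2 above disables the sandbox for every applet that JRE runs. As an added example, not from the original page, the narrower grant below satisfies only the java.io.FilePermission check named in the error; the directory is a placeholder for the folder that export files are saved to, and the grant is added to java.policy next to the file's existing grants rather than replacing them.

```text
grant {
    // Placeholder path: the directory where Deployment Manager export files are saved.
    // The trailing "/-" matches the directory and everything below it.
    permission java.io.FilePermission "/path/to/exports/-", "read,write";
};
```

If the JRE console then reports a further AccessControlException, grant that specific permission in the same form instead of falling back to AllPermission.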

21.1.5.2 Enabling Logging for the Deployment Manager

To enable logging for the Deployment Manager:

  1. Add a new logger for the Deployment Manager by editing the logging.xml file, which is located in the following directory path:

    DOMAIN_NAME/config/fmwconfig/servers/SERVER_NAME/

    For instance, to enable Notification-level logging for Deployment Manager, add the following logger inside the <loggers> section:

    <logger name='XELLERATE.DDM' level='NOTIFICATION:1' />
    
  2. Change the log level defined in the relevant <log_handler>.

    See Also:

    "Configuring Logging" for information about logging level and log handlers in Oracle Identity Manager

21.2 Moving from a Test to a New Production Environment Using Movement Scripts

Oracle Identity Manager is a part of the Fusion Middleware environment. To move Oracle Identity Manager from test to production, you use the movement scripts. These scripts copy the Oracle Identity Manager binaries, artifacts, and configurations, and configure the production Oracle Identity Manager with new end-points. The movement scripts interact with Oracle Identity Manager artifacts in the test and production environments and update the production environment to make Oracle Identity Manager functional there. For detailed information about using the movement scripts, see "Moving from a Test to a Production Environment" in the Oracle Fusion Middleware Administrator's Guide. For the complete procedure for moving Oracle Identity Manager components, see "Moving Identity Management Components to a New Target Environment" in the Oracle Fusion Middleware Administrator's Guide.

Note:

Before proceeding with migrating a source Oracle Identity Manager setup to a target setup, you can refer to "Limitations in Moving from Test to Production" in the Oracle Fusion Middleware Release Notes for information about the limitations and known issues related to moving from test to production. In addition, see "Troubleshooting Movement From Test to Production Environment Using Movement Scripts" for information about the issues that you might encounter while migrating a source Oracle Identity Manager setup and the possible solutions.

For information about troubleshooting T2P issues applicable to an upgraded environment, see rows 6, 7, and 8 in Table 21-3, "Troubleshooting Movement From Test to Production Environment Using Movement Scripts".

To migrate a source Oracle Identity Manager setup to a target setup:

  1. Migrate Oracle Identity Manager database schema data and embedded BI Publisher data from source to target DB host, as described in "Task 4 Perform Prerequisite Task for Oracle Identity Manager" under section "Moving Identity Management to a New Target Environment" in the Oracle Fusion Middleware Administrator's Guide.

    Note:

    Data movement for components such as SOA, MDS, and OPSS is automated as part of the whole process described in this section, and no separate steps are required for them unless otherwise stated by the respective component.
  2. Create the target setup by using the FMW T2P utilities. To do so:

    1. Run the following commands from the ORACLE_COMMON_HOME/bin/ directory.

      Note:

      • On Microsoft Windows, run the commands with .cmd extension, such as copyBinary.cmd and pasteBinary.cmd. For example, the copyBinary script is ORACLE_COMMON_HOME/bin/copyBinary.sh for UNIX and ORACLE_COMMON_HOME/bin/copyBinary.cmd for Microsoft Windows.

      • Some arguments might be invalid for the Windows operating system. For example, the -ipl PATH_TO_ORACLE_INVENTORY_POINTER argument does not work in Windows.

      • This document provides the syntax for running the copyBinary, copyConfig, extractMovePlan, pasteBinary, and pasteConfig scripts. For detailed information about these scripts, their parameters, and example usages, see "Using the Movement Scripts" in the Oracle Fusion Middleware Administrator's Guide.

      ./copyBinary.sh -javaHome PATH_TO_JDK -al ARCHIVE_LOCATION -smw SOURCE_MW_HOME -idw true -ipl PATH_TO_ORACLE_INVENTORY_POINTER -silent true -ldl PATH_TO_LOG_DIRECTORY
      
      ./copyConfig.sh -javaHome PATH_TO_JDK -archiveLoc ARCHIVE_LOCATION -sourceDomainLoc SOURCE_DOMAIN_LOCATION -sourceMWHomeLoc MIDDLEWARE_HOME_LOCATION -domainHostName DOMAIN_HOST_NAME -domainPortNum DOMAIN_PORT_NUMBER -domainAdminUserName DOMAIN_ADMIN_USERNAME -domainAdminPasswordFile DOMAIN_ADMIN_PASSWORD_FILE -silent true -ldl PATH_TO_LOG_DIRECTORY
      
      ./extractMovePlan.sh -javaHome PATH_TO_JDK -archiveLoc ARCHIVE_LOCATION -planDirLoc MOVE_PLAN_DIRECTORY
      

      In between running the extractMovePlan and pasteConfig scripts, update the moveplan with the new values for configuring the target. See "Modifying Move Plans" in the Oracle Fusion Middleware Administrator's Guide for information about common moveplan modifications. See the moveplan property descriptions in "Table 20-22 Move Plan Properties for Oracle Identity Manager" in the Oracle Fusion Middleware Administrator's Guide.

      Note:

      • While editing the moveplan, provide the listen address of the target in the Oracle Identity Manager Managed Server details.

      • The datasource JDBC URL carried over from the source into the moveplan can be either in SID format, which is "jdbc:oracle:thin:@HOST:PORT:SID", or in service name format, which is "jdbc:oracle:thin:@HOST:PORT/SERVICE_NAME". However, in the datasource details you must always provide the JDBC URL in the service name format.

    2. On the target host, create a new directory and copy pasteBinary.sh from the SOURCE_MACHINE/Middleware/oracle_common/bin/ directory. In addition, copy the cloningclient.jar file from the SOURCE_MACHINE/Middleware/oracle_common/jlib/ directory to the target host. Make sure that these two files are in the same location, for example /scratch/aime1/scripts. Then, run the following command:

      ./pasteBinary.sh -javaHome PATH_TO_JDK -al ARCHIVE_LOCATION -tmw TARGET_MW_HOME -idw true -esp true -ipl PATH_TO_ORACLE_INVENTORY_POINTER -ldl PATH_TO_LOG_DIRECTORY -silent true
      
    3. Go to the TARGET_MIDDLEWARE_HOME/bin/ directory, and run the following command:

      ./pasteConfig.sh -javaHome PATH_TO_JDK -archiveLoc ARCHIVE_LOCATION -targetDomainLoc TARGET_DOMAIN_PATH -targetMWHomeLoc TARGET_MIDDLEWARE_HOME_PATH -movePlanLoc MOVE_PLAN_PATH -domainAdminPasswordFile DOMAIN_ADMIN_PASSWORD_FILE -silent true -ldl PATH_TO_LOG_DIRECTORY
      

      Note:

      • You might need to change the permissions on the TARGET_MIDDLEWARE_HOME and the target directory on which the JAR has been placed.

      • Provide consistent directory paths for each of the parameters. For example, if you are using absolute path for MIDDLEWARE_HOME, then specify this path in the same way at all places.

  3. Verify or modify the following configurations after full T2P migration:

    • In the xlclient.cmd file, update the JDK path if the JDK library that was configured with the Design Console on the source is no longer accessible on the target.

      In the config/xlconfig.xml file, update the Application JNDI URL to point to the target application URL instead of source application URL.

    • The IT Resource configurations are not part of the moveplan in the T2P procedure. After completing the T2P steps and starting the servers on the target setup, you can configure the IT Resource parameters as per the production setup. In Oracle Identity System Administration, under Configuration, click IT Resource. On the Manage IT Resource page, click the edit icon for the IT resource that you want to modify.

    • Some entities, such as users and provisioned accounts, are not migrated from source to target during the T2P procedure, as they are considered transactional data. Therefore, user personalization settings such as sort order, saved searches, and layout changes will not be found on the target setup.

    • Some users, such as role owners, are referenced in many places in Oracle Identity Manager. After full T2P migration, references to such users are replaced with reference to SYSTEM_ADMINISTRATOR_USERNAME, the Oracle Identity Manager system administrator.

    • Check the following functionality on the target setup after the T2P process is complete:

      • User creation, by assigning an existing role tied to an access policy (role and access policy migrated from source)

      • Role creation, both enterprise role and admin role

      • Request creation and approval workflow initiation

      • Basic OIM-OAM and OIM-OAAM integration use cases, if the topology has the integration defined

    • Customizations made to the LDAP sync configuration, such as role category container rules, have to be configured again on the T2P environment after migration.
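The move plan check from step 2 (datasource JDBC URLs carried over in SID format must be rewritten in service name format before pasteConfig runs), as an added example that is not part of the Oracle documentation or of the movement scripts. It treats the move plan as plain text rather than relying on its XML structure; the SID-to-service-name mapping is an operator-supplied assumption and the sample fragment is constructed.

```python
"""Find and rewrite SID-format datasource JDBC URLs in a move plan before pasteConfig.
Added example, not Oracle's code. The move plan is treated as plain text; the
SID-to-service-name map is an operator-supplied assumption; SAMPLE is constructed."""
import re
import sys

# SID format the source may carry over: jdbc:oracle:thin:@HOST:PORT:SID
SID_URL = re.compile(
    r"jdbc:oracle:thin:@(?P<host>[^:/@\s\"'<]+):(?P<port>\d+):(?P<sid>[^\s\"'<]+)")
# Service-name format the move plan must use: jdbc:oracle:thin:@HOST:PORT/SERVICE_NAME
SERVICE_URL = re.compile(
    r"jdbc:oracle:thin:@(//)?(?P<host>[^:/@\s\"'<]+):(?P<port>\d+)/(?P<service>[^\s\"'<]+)")

SAMPLE = """<configProperty>
  <name>Url</name>
  <value>jdbc:oracle:thin:@srchost.example.com:1521:ORCL</value>
</configProperty>
<configProperty>
  <name>Url</name>
  <value>jdbc:oracle:thin:@srchost.example.com:1521/soa.example.com</value>
</configProperty>
"""

def find_sid_urls(text):
    """Return every JDBC URL still written in SID format, in document order."""
    return [m.group(0) for m in SID_URL.finditer(text)]

def find_service_urls(text):
    """Return every JDBC URL already written in service-name format."""
    return [m.group(0) for m in SERVICE_URL.finditer(text)]

def to_service_url(url, sid_to_service):
    """Rewrite one SID-format URL; KeyError for an unknown SID (never guess a service)."""
    m = SID_URL.fullmatch(url)
    if m is None:
        raise ValueError("not a SID-format URL: " + url)
    service = sid_to_service[m.group("sid")]
    return "jdbc:oracle:thin:@%s:%s/%s" % (m.group("host"), m.group("port"), service)

def convert_moveplan(text, sid_to_service):
    """Rewrite all SID-format URLs; return (new_text, [(old, new), ...])."""
    changes = []

    def repl(m):
        new = to_service_url(m.group(0), sid_to_service)
        changes.append((m.group(0), new))
        return new

    return SID_URL.sub(repl, text), changes

def moveplan_ok(text):
    """True when no datasource URL remains in SID format."""
    return not find_sid_urls(text)

if __name__ == "__main__":
    # Usage: python check_moveplan.py MOVE_PLAN_PATH (reports only; edit the plan by hand)
    plan = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for url in find_sid_urls(plan):
        print("still in SID format:", url)
    print("move plan OK" if moveplan_ok(plan) else "move plan needs editing")
```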

21.2.1 Troubleshooting Movement From Test to Production Environment Using Movement Scripts

Table 21-3 lists the troubleshooting steps that you can perform if you encounter issues related to movement from a test to a new production environment by using movement scripts.

Table 21-3 Troubleshooting Movement From Test to Production Environment Using Movement Scripts

#
Problem Solution

1

After migrating from an Oracle Identity Manager clustered deployment to another, SOA Server is running but you are not able to access soa-infra. This is because the coherence settings are still pointing to the source environment.

Change the coherence settings accordingly by referring to "Specifying the Host Name Used by Oracle Coherence" in the Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management, and then restart the SOA Server.

2

The following section is logged in the cloning error logs:

NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Sep 24, 2013 10:26:55 PM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
SEVERE: java.io.FileNotFoundException: ./config/jps-config.xml (No such file or directory)
Sep 24, 2013 10:26:55 PM oracle.mds
NOTIFICATION: Auditing is disabled for component MDS.
Sep 24, 2013 10:26:55 PM oracle.mds
NOTIFICATION: PManager instance is created without multitenancy support as JVM flag "oracle.multitenant.enabled" is not set to enable multitenancy support.
Sep 24, 2013 10:26:55 PM oracle.security.jps.internal.config.xml.XmlConfigurationFactory initDefaultConfiguration
SEVERE: java.io.FileNotFoundException: ./config/jps-config.xml (No such file or directory)
Sep 24, 2013 10:26:55 PM oracle.mds
NOTIFICATION: Auditing is disabled for component MDS.
Sep 24, 2013 10:26:55 PM oracle.mds

This section of the cloning error logs is benign and can be safely ignored.

3

After migrating Oracle Identity Manager to a new environment, database connection-related errors are thrown when you try one or more of the following operations:

  • Create a user

  • Search and open a user

  • Provision an application instance to a user

Set the following tuning parameters as shown:

JAVA_OPTIONS="-Djbo.ampool.doampooling=true -Djbo.ampool.minavailablesize=1
-Djbo.ampool.maxavailablesize=120 -Djbo.recyclethreshold=60
-Djbo.ampool.timetolive=-1 -Djbo.load.components.lazily=true
-Djbo.doconnectionpooling=true -Djbo.txn.disconnect_level=1
-Djbo.connectfailover=false -Djbo.max.cursors=5
-Doracle.jdbc.implicitStatementCacheSize=5
-Doracle.jdbc.maxCachedBufferSize=19 ${JAVA_OPTIONS}"

For information about these tuning parameters, see "Application Module Pooling" in the Oracle Fusion Middleware Performance and Tuning Guide.

4

The following type of error is thrown:

Caused By: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (SOURCE_OIM.PK_ORD) violated

Check the impdp logs to see if there are any errors that are not listed as errors to be ignored.

5

The following error is thrown:

UserConfigDataMigrationException: oracle.bpel.services.workflow.util.tools.wfUserConfigDataMigrator.UserConfigDataMigrationException: ORABPEL-30511
Verification Service cannot resolve user identity.
User weblogic cannot be found in the identity repository.
Workflow Context token cannot be null in request.

Check if you have used the required parameters and parameter file during Oracle Identity Manager schema migration.

6

After migrating to the target environment, the following errors are encountered during the create user or role operation:

Error in UI:

An Error Occured while deleting LDAP User in the compensate stage

Error in the logs:

An error occurred while removing the entity in LDAP, and the corresponding error is - {0}[[
oracle.iam.platform.entitymgr.vo.ConnectivityException: java.lang.IllegalArgumentException: Null input buffer
at oracle.iam.ldapsync.impl.repository.ITResourceRepository.getConnection(ITResourceRepository.java:40)
at oracle.iam.platform.entitymgr.provider.ldap.LDAPDataProvider.remove(LDAPDataProvider.java:1170)
at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.deleteEntity(EntityManagerImpl.java:704)
at oracle.iam.platform.entitymgr.impl.EntityManagerImpl.deleteEntity(EntityManagerImpl.java:675)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:307)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
at oracle.iam.platform.utils.DMSMethodInterceptor.invoke(DMSMethodInterceptor.java:35)
...
...
Caused by: java.lang.IllegalArgumentException: Null input buffer
at javax.crypto.Cipher.doFinal(DashoA13*..)
at com.thortech.xl.crypto.tcDefaultDBEncryptionImpl.decrypt(tcDefaultDBEncryptionImpl.java:222)
at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:122)
at com.thortech.xl.crypto.tcCryptoUtil.decrypt(tcCryptoUtil.java:163)
at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getITResourceDetails(ConnectionServiceUtility.java:656)
at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getITResourcePoolConfig(ConnectionServiceUtility.java:413)
at com.oracle.oim.gcp.pool.ConnectionServiceUtility.getPoolConfiguration(ConnectionServiceUtility.java:65)
at com.oracle.oim.gcp.pool.ConnectionService.getConnection(ConnectionService.java:38)
at com.oracle.oim.gcp.pool.ConnectionService.getConnection(ConnectionService.java:176)
at oracle.iam.ldapsync.impl.repository.ITResourceRepository.getConnection(ITResourceRepository.java:36)

Perform the following steps:

  1. Connect to OIM DB schema and run the following SQL query:

    UPDATE SVP SET SVP_FIELD_VALUE = NULL
    WHERE SVR_KEY IN (SELECT SVR_KEY FROM SVR WHERE SVR_NAME = 'Directory Server')
      AND SPD_KEY IN (SELECT SPD_KEY FROM SPD
                      WHERE SVD_KEY IN (SELECT SVD_KEY FROM SVR WHERE SVR_NAME = 'Directory Server')
                        AND SPD_FIELD_NAME IN ('Admin Login', 'Admin Password', 'User Reservation Container',
                                               'Search Base', 'Server URL', 'Use SSL'));
    
  2. Login to Oracle Enterprise Manager.

  3. Go to System MBean Browser, Application Defined MBeans, oracle.iam, IAMAppRuntimeMBean, IDStoreConfigMBean.

  4. Set the values for the following parameters:

    • Admin Login

    • Admin Password

    • User Reservation Container

    • Search Base

    • Server URL

    • Use SSL

7

After migrating to the target environment, the following error is encountered while performing the role update operation:

Error in UI:

IAM-3056030 : An exception occurred while performing the operation.

Error in the logs:

[2015-04-01T22:57:17.451-07:00] [oim_server1] [WARNING] [] [oracle.adf.controller.faces.lifecycle.Utils] [tid: [ACTIVE].ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: xelsysadm] [ecid: 0000Klsh7XMFW7KpISP5if1L6xnV0000^G,0] [APP: oracle.iam.console.identity.self-service.ear#V2.0] [DSID: 0000Klsbh6yFW7KpISP5if1L6xnV0000Yj] ADF: Adding the following JSF error message: IAM-3056030 : An exception occurred while performing the operation.[[
oracle.iam.ui.platform.exception.OIMRuntimeException: IAM-3056030 : An exception occurred while performing the operation.
        at oracle.iam.ui.platform.exception.OIMErrorHandler.reportServiceException(OIMErrorHandler.java:178)
        at oracle.iam.ui.platform.exception.OIMErrorHandler.reportException(OIMErrorHandler.java:66)
        at oracle.adf.model.binding.DCDataControl.reportException(DCDataControl.java:413)
        at oracle.adf.model.binding.DCBindingContainer.reportException(DCBindingContainer.java:425)
        at oracle.adf.model.binding.DCBindingContainer.reportException(DCBindingContainer.java:480)
        at oracle.adf.model.binding.DCControlBinding.reportException(DCControlBinding.java:201)
        at oracle.jbo.uicli.binding.JUCtrlActionBinding.reportException(JUCtrlActionBinding.java:2101)
        at oracle.jbo.uicli.binding.JUCtrlActionBinding.doIt(JUCtrlActionBinding.java:1733)
        at oracle.adf.model.binding.DCDataControl.invokeOperation(DCDataControl.java:2188)
        at oracle.jbo.uicli.binding.JUCtrlActionBinding.invoke(JUCtrlActionBinding.java:789)
        at oracle.adf.controller.v2.lifecycle.PageLifecycleImpl.executeEvent(PageLifecycleImpl.java:410)
        at oracle.adfinternal.view.faces.model.binding.FacesCtrlActionBinding._execute(FacesCtrlActionBinding.java:252)
        at oracle.adfinternal.view.faces.model.binding.FacesCtrlActionBinding.execute(FacesCtrlActionBinding.java:210)
        at oracle.iam.ui.platform.utils.FacesUtils.executeOperationBinding(FacesUtils.java:182)
        at oracle.iam.ui.role.view.backing.RolesCRUDEventsBean.loadRoleDetails(RolesCRUDEventsBean.java:3494)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

Connect to Oracle Identity Manager database schema, and run the following SQL query:

update ugp set ugp_role_owner_key = (select usr_key from usr where usr_login = 'XELSYSADM' ) where ugp_role_owner_key is null;

8

After migrating to the target environment, request creation fails, and the following error is encountered:

Error in UI:

Request not raised, no other error seen as such

Error in the logs:

<Apr 1, 2015 5:28:17 AM PDT> <Error> <oracle.iam> <BEA-000000> <
ORABPEL-30509
.
Insufficient privileges to authenticate on behalf of another user.
User weblogic cannot authenticate on behalf of user xelsysadm without admin privileges.
Only users with admin privileges can authenticate on behalf of another user.
.
        at weblogic.rjvm.ResponseImpl.unmarshalReturn(ResponseImpl.java:237)
        at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:348)
        at weblogic.rmi.cluster.ClusterableRemoteRef.invoke(ClusterableRemoteRef.java:259)
        at oracle.bpel.services.workflow.query.ejb.TaskQueryService_oz1ipg_EOImpl_1036_WLStub.authenticateOnBehalfOf(Unknown Source)
        at oracle.bpel.services.workflow.query.client.TaskQueryServiceRemoteClient.authenticateOnBehalfOf(TaskQueryServiceRemoteClient.java:63)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at oracle.bpel.services.workflow.client.WFClientRetryInvocationHandler.invokeTarget(WFClientRetryInvocationHandler.java:144)
        at oracle.bpel.services.workflow.client.WFClientRetryInvocationHandler.invoke(WFClientRetryInvocationHandler.java:82)
        at $Proxy436.authenticateOnBehalfOf(Unknown Source)

Connect to Oracle Identity Manager database schema, and run the following SQL query:

update usg set ugp_key = (select ugp_key from ugp where ugp_name = 'Administrators')
where usr_key = (select usr_key from usr where usr_login = 'WEBLOGIC')
  and ugp_key != (select ugp_key from ugp where ugp_name = 'ALL USERS')
  and ugp_key not in (select ugp_key from ugp);
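A triage helper for Table 21-3, added here and not part of the Oracle documentation: it splits target-side log output into records and matches each record against the error signatures the table lists (rows 2, 4, 5, 6, 7, and 8), reporting which row's fix applies. The record-boundary rule and the sample log are assumptions constructed from the excerpts above.

```python
"""Triage target-side log output against the symptoms listed in Table 21-3.
Added example, not Oracle's code; signatures come from the table's excerpts and
SAMPLE_LOG is constructed in the shape of those excerpts."""
import re

# A record starts with an ODL timestamp "[2015-04-01T...]" or a WebLogic server-log
# timestamp "<Apr 1, 2015 ...>"; any other line continues the previous record.
RECORD_START = re.compile(r"^(\[\d{4}-\d{2}-\d{2}T|<[A-Z][a-z]{2} \d{1,2}, \d{4} )")

# (Table 21-3 row, what it means, pattern matched against a whole record)
SIGNATURES = [
    (2, "benign cloning-log noise, safe to ignore",
     re.compile(r"FileNotFoundException: \./config/jps-config\.xml")),
    (4, "data import left duplicates; review the impdp logs",
     re.compile(r"ORA-00001: unique constraint \(\S+\) violated")),
    (5, "schema migration run without the required parameters or parameter file",
     re.compile(r"ORABPEL-30511")),
    (6, "Directory Server IT resource values cannot be decrypted on the target; clear them and re-enter via IDStoreConfigMBean",
     re.compile(r"Null input buffer.*tcDefaultDBEncryptionImpl\.decrypt", re.S)),
    (7, "roles whose owner was not migrated; set ugp_role_owner_key", re.compile(r"IAM-3056030")),
    (8, "WEBLOGIC user is not in the Administrators role; fix usg", re.compile(r"ORABPEL-30509")),
]

SAMPLE_LOG = """\
[2015-04-01T22:57:17.451-07:00] [oim_server1] [WARNING] [] [oracle.adf.controller.faces.lifecycle.Utils] ADF: Adding the following JSF error message: IAM-3056030 : An exception occurred while performing the operation.[[
oracle.iam.ui.platform.exception.OIMRuntimeException: IAM-3056030 : An exception occurred while performing the operation.
        at oracle.iam.ui.platform.exception.OIMErrorHandler.reportServiceException(OIMErrorHandler.java:178)
]]
[2015-04-01T22:58:02.100-07:00] [oim_server1] [NOTIFICATION] [] [oracle.mds] Auditing is disabled for component MDS.
<Apr 1, 2015 5:28:17 AM PDT> <Error> <oracle.iam> <BEA-000000> <
ORABPEL-30509
Insufficient privileges to authenticate on behalf of another user.
        at $Proxy436.authenticateOnBehalfOf(Unknown Source)
>
[2015-04-01T23:01:44.000-07:00] [oim_server1] [ERROR] [] [oracle.iam] Caused By: java.sql.SQLIntegrityConstraintViolationException: ORA-00001: unique constraint (SOURCE_OIM.PK_ORD) violated
"""

def split_records(text):
    """Group lines into records, using RECORD_START as the boundary."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records

def triage(text):
    """Return [(row, meaning), ...], each row once, in order of first occurrence."""
    seen, hits = set(), []
    for record in split_records(text):
        for row, meaning, pattern in SIGNATURES:
            if row not in seen and pattern.search(record):
                seen.add(row)
                hits.append((row, meaning))
    return hits

if __name__ == "__main__":
    for row, meaning in triage(SAMPLE_LOG):
        print("Table 21-3 row %d: %s" % (row, meaning))
```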