5 Upgrading Oracle Access Manager Multi-Data Center Environments

You can upgrade Oracle Access Manager deployed across multi-data centers (MDC) from 11g Release 2 (11.1.2.3.0) to 12c (12.2.1.3.0).

In a multi-data center environment, where you have two OAM deployments replicating traffic, you must do the following:
  • Stop Replication
  • Direct all traffic to one of the deployments
  • Upgrade the other deployment(s)
  • Direct traffic to the newly upgraded deployment
  • Upgrade the remaining deployment
  • Re-establish replication

Note:

To upgrade Oracle Access Manager MDC environments to 12c (12.2.1.3.0), ensure that all of the data centers (DC) are at the same Patch Set level.

When you plan to upgrade to 12c (12.2.1.3.0), you can choose to have zero downtime by stopping the data center that needs to be upgraded and routing all the traffic to the other data centers. Once the upgrade has been completed on one data center, it can start and function as an independent data center. You can then redirect all the traffic to the upgraded data center. MDC Single Sign-On works between 11g and 12c servers if the backward compatibility flag is enabled. Therefore, all of the servers (upgraded and non-upgraded ones) can continue to participate in MDC.

Note:

For information about enabling the backward compatibility flag, see Modifying Backward Compatibility Flag in Administering Oracle Access Manager.

About the Oracle Access Manager Multi-Data Center Topology

The sample Oracle Access Manager Multi-Data Center topology has two data centers: a Master data center and a Clone data center.

The procedure in this chapter describes how to upgrade Oracle Access Manager in an MDC setup similar to the reference topology provided in this section. You can use this upgrade procedure to upgrade your environment with any number of data centers.

Figure 5-1 Oracle Access Manager in Multi-Data Center Setup


This figure shows a Master data center and a Clone data center, each of them including a full Access Manager installation. In this topology, GTM refers to the global load balancer, LTM refers to the local load balancer, and WG refers to the WebGate. The S2S OAP is the Oracle Access Protocol.

Roadmap for Upgrading Oracle Access Manager MDC Setup

Use the upgrade roadmap to upgrade your Oracle Access Manager multi-data center setup to 12c (12.2.1.3.0).

Table 5-1 Oracle Access Manager MDC Upgrade Roadmap

Task / For More Information
  1. Review the Oracle Access Manager multi-data center topology. See About the Oracle Access Manager Multi-Data Center Topology.
  2. Back up your existing environment. See Backing Up the Existing MDC Environment.
  3. Enable write permission to the Master and Clone data centers, if not already done. See Enabling Write Permission to Master and Clones (If Necessary).
  4. Disable and delete all replication agreements between the Master and Clone data centers. See Disabling and Deleting All Replication Agreements Between Master and Clone.
  5. Redirect the traffic to the Master data center. See Redirecting Traffic to Master Data Center.
  6. Upgrade Oracle Access Manager on the Clone data center. See Upgrading Oracle Access Manager on Clone Data Center.
  7. Redirect the traffic to the Clone data center. See Redirecting Traffic to Clone Data Center.
  8. Upgrade Oracle Access Manager on the Master data center. See Upgrading Oracle Access Manager on Master Data Center.
  9. Freeze all changes to the Master and Clones, if required. See Freezing all Changes to Clones (if Necessary).
  10. Sync the access UDM data by exporting the access store data from the Master data center and importing it on the Clone data center. See Syncing Access Metadata.
  11. Create the replication agreement again. See Creating Replication Agreement.
  12. Update the java.security file. See Updating the java.security File.
  13. Bring the Master and Clone data centers online. See Bringing up the Master and Clone Data Centers Online.

Backing Up the Existing MDC Environment

Before you begin the upgrade, take a backup of your existing environment.

After stopping all the servers, you must back up the following on every data center before proceeding with the upgrade process:
  • ORACLE_HOME: the Oracle Home directory.

  • Oracle Access Manager Domain Home directory on all OAM hosts.

  • The following database schemas:

    • Oracle Access Manager schema

    • Audit and any other dependent schema

For more information about backing up schemas, see Oracle Database Backup and Recovery User's Guide.

Enabling Write Permission to Master and Clones (If Necessary)

Before you start the upgrade, you must enable modifications to the system and policy configurations on both Master and Clones.

Complete the following:
  1. Go to the ORACLE_HOME/common/bin directory.

    For example: /home/oracle/oam/ORACLE_IDM/common/bin

  2. Run the following WLST command on the Master and Clone data centers:

    setMultiDataCenterWrite(WriteEnableFlag="true")

Disabling and Deleting All Replication Agreements Between Master and Clone

Disable all replication agreements between the Master and the Clone data centers.

See Disabling Automated Policy Synchronization in the Administrator's Guide for Oracle Access Manager.

Redirecting Traffic to Master Data Center

An in-line upgrade procedure, which requires downtime, is used to upgrade the Clone data center. Therefore, all traffic must be rerouted to the Master data center.

This is usually achieved by directing your load balancer to send all requests to the Master Site. Contact your network administrator to perform this task.

Upgrading Oracle Access Manager on Clone Data Center

Upgrade Oracle Access Manager on Clone data center to 12c (12.2.1.3.0) after you redirect the traffic to Master data center.

To upgrade Oracle Access Manager on the Clone data center, follow the instructions described in Upgrading Oracle Access Manager Highly Available Environments.

Redirecting Traffic to Clone Data Center

An in-line upgrade procedure, which requires downtime, is used to upgrade the Master data center. Therefore, all traffic must be rerouted to the Clone data centers (also referred to as the backup data centers or the secondary data centers).

This is usually achieved by directing your load balancer to send all requests to the Clone site. Contact your network administrator to perform this task.

Upgrading Oracle Access Manager on Master Data Center

Upgrade Oracle Access Manager on the Master data center to 12c (12.2.1.3.0) after you redirect the traffic to the Clone data center.

To upgrade Oracle Access Manager on Master data center, follow the instructions described in Upgrading Oracle Access Manager Highly Available Environments.

Freezing all Changes to Clones (if Necessary)

After you upgrade Oracle Access Manager on all of the Clone data center(s), it is recommended that you freeze changes to the Clone data center(s) to avoid any inadvertent writes.

To freeze the changes, complete the following on the Clone data center(s):
  1. Go to ORACLE_HOME/common/bin.
  2. Run the following WLST command:

    setMultiDataCenterWrite(WriteEnableFlag="false")

Syncing Access Metadata

Oracle Access Manager metadata stored in the Unified Data Model (UDM) must be synced from the Master to the Clone.

You can sync the access metadata using the WLST commands exportAccessStore and importAccessStore. Run these commands after you upgrade all of the data centers and before creating the new replication agreement. They export the UDM artifacts created up to that point from the Master data center and import them into the Clone data center(s).

To sync the UDM metadata, complete the following steps:

  1. Go to the ORACLE_HOME/common/bin directory.
  2. Run the following WLST command on the Master data center to create a ZIP file containing the UDM metadata:
    exportAccessStore(toFile="/master/location/dc1metadata.zip", namePath="/")
  3. Copy dc1metadata.zip to each of the upgraded Clone data centers.
  4. Run the following WLST command on each of the Clone data centers to import the UDM metadata:
    importAccessStore(fromFile="/clone/location/dc1metadata.zip", namePath="/")

Creating Replication Agreement

Create the replication agreement again after upgrading the Master and the Clone data centers.

To create the replication agreement, run the following command:

Note:

Ensure that the REST endpoints of the Master and Clone data centers are up and running before you run this command.

curl -u <repluser> -H 'Content-Type: application/json' -X POST 'https://supplier.example.com/oam/services/rest/_replication/setup' -d '{"name":"DC12DC2", "source":"DC1","target":"DC2","documentType":"ENTITY"}'

For more information about creating a replication agreement, see Creating a Replication Agreement in the Administrator's Guide for Oracle Access Manager.

Updating the java.security File

If you have multiple Oracle Identity and Access Management components deployed (Oracle Access Manager, Oracle Identity Manager, WebGates, and so on), you must update the java.security file with the changes described in this section until you upgrade all of the components to 12c (12.2.1.3.0).

To do this:
  1. Open the java.security file located at JAVA_HOME/jre/lib/security/ in an editor.
  2. Remove TLSv1, TLSv1.1, and MD5withRSA from the jdk.tls.disabledAlgorithms key.
  3. Remove MD5 from the jdk.certpath.disabledAlgorithms key.

For more information on possible upgrade scenarios, see Troubleshooting Security Policy Issues When Upgrading.
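The two java.security edits above, as an added Python example that is not from the Oracle documentation: it locates each key, joins the backslash continuation lines the real file uses, removes only the listed entries, and leaves every other entry as found. SAMPLE is a constructed excerpt and the function names are my own.

```python
import re

# Entries the procedure above removes, per key (constructed to match the steps).
REMOVALS = {
    "jdk.tls.disabledAlgorithms": {"TLSv1", "TLSv1.1", "MD5withRSA"},
    "jdk.certpath.disabledAlgorithms": {"MD5"},
}
# Constructed java.security excerpt, with the backslash continuations the real file uses.
SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

def _read_property(lines, key):
    """Locate key=value, joining continuation lines; return (start, end, value)."""
    for i, line in enumerate(lines):
        if re.match(r"\s*" + re.escape(key) + r"\s*=", line):
            value, j = line.split("=", 1)[1].strip(), i
            while value.endswith("\\") and j + 1 < len(lines):
                j += 1
                value = value[:-1].strip() + " " + lines[j].strip()
            return i, j, value
    return None

def disabled_algorithms(text, key):
    """Parse one disabledAlgorithms key into its comma-separated entries."""
    found = _read_property(text.splitlines(), key)
    if found is None:
        return []
    return [e.strip() for e in found[2].split(",") if e.strip()]

def update_java_security(text):
    """Return the file text with the listed entries dropped from both keys."""
    lines = text.splitlines()
    for key, drop in REMOVALS.items():
        found = _read_property(lines, key)
        if found:                          # key present: rewrite it as a single line
            start, end, value = found
            kept = [e.strip() for e in value.split(",") if e.strip() and e.strip() not in drop]
            lines[start:end + 1] = [f"{key}={', '.join(kept)}"]
    return "\n".join(lines) + "\n"
```

Call update_java_security on the file's contents and keep a copy of the original, since the section above applies this relaxation only until every component is at 12c (12.2.1.3.0).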

Bringing up the Master and Clone Data Centers Online

After successful upgrade, both Master and Clone data centers can be brought up online. Traffic can be routed to both data centers based on existing routing rules.

Consult your network infrastructure team or refer to the network infrastructure documentation to accomplish the traffic re-routing.