2 Securing Datastores
The following sections explain how to upgrade security artifacts from 11g releases 11.1.1.7, 11.1.1.8, and 11.1.1.9 or 12c releases 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0, and 12.2.1.3.0 to release 12c (12.2.1.4.0):
Note:
Before starting the procedures documented in this section, be sure that you have read and understood the tasks and concepts documented in the following:
- Reconfiguring a WebLogic Domain in Upgrading Oracle WebLogic Server
About Upgrading Security to 12c (12.2.1.4.0)
An upgraded system uses newly created data sources and will not use old data sources. After upgrading, you may see duplicate OPSS data sources: one that existed before upgrading and another created during the upgrade process. This duplication poses no functional impact and the old data source is not used by the upgraded system.
After upgrading, consider moving the keystore from Java Keystore (JKS) to the keystore service (KSS) keystore. In domains upgraded to 12.2.1.0 or later, KSS keystores under the system stripe differ from those in previous releases.
The Keystore Service (KSS) keystore supports the Java Keystore (JKS), Java Cryptography Extension Keystore (JCEKS), and Oracle wallet certificate formats. Typical certificate management tasks include the following:
- Creating a certificate for a key pair.
- Generating a Certificate Signing Request (CSR) for the certificate and saving it to a file.
- Sending the CSR to a certificate authority who verifies the sender, and signs and returns the certificate.
- Importing user and trusted certificates into the keystore, by either pasting them into a text field or importing them from the file system.
  Note:
  Keystore Service supports importing PEM/BASE64-encoded certificates only. You cannot import DER-encoded certificates or trusted certificates into a keystore.
- Exporting certificates or trusted certificates from the keystore to a file.
- Deleting certificates or trusted certificates from the keystore.
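A pre-import check for the PEM-only restriction in the note above, as an added example that is not part of the Oracle documentation: it normalizes a certificate file to PEM text before it is pasted or imported into KSS. The helper name `to_pem_certificates` and the sample bytes are assumptions made for illustration; the check is structural only (outer DER SEQUENCE and length) and does not validate the certificate contents.

```python
import base64
import re
import ssl

# Constructed stand-in for a DER file: a SEQUENCE of 256 zero bytes.
# It has the outer shape of a certificate but is not a real one.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def _check_der_sequence(der: bytes) -> None:
    """Structural check: outer tag is SEQUENCE and its length spans the input."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not DER: outer tag is not SEQUENCE")
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long-form length, n length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("invalid DER length encoding")
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("DER length mismatch: truncated or trailing data")


def to_pem_certificates(data: bytes) -> list[str]:
    """Return each certificate in `data` as PEM text (hypothetical helper).

    Accepts one or more PEM blocks, or a single DER certificate.
    Raises ValueError for other content, such as a private key block.
    """
    blocks = PEM_BLOCK.findall(data)
    if not blocks:                         # no PEM armor: treat as raw DER
        _check_der_sequence(data)
        return [ssl.DER_cert_to_PEM_cert(data)]
    certs = []
    for label, body in blocks:
        if label != b"CERTIFICATE":
            raise ValueError(f"unsupported PEM block: {label.decode()}")
        der = base64.b64decode(b"".join(body.split()), validate=True)
        _check_der_sequence(der)
        certs.append(ssl.DER_cert_to_PEM_cert(der))   # re-wrap at 64 columns
    return certs


if __name__ == "__main__":
    print(to_pem_certificates(SAMPLE_DER)[0])
```

Run it against the file's raw bytes; a `ValueError` means the file is neither a PEM certificate nor a single well-formed DER structure and should be inspected before import.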
The following points regarding public CA certificates apply to domains upgraded to 12.2.1 and to new 12.2.1 Java Required Files (JRF) domains:
- Well-known public CA certificates are no longer available in the trust keystore in the system stripe.
- Use instead the publiccacerts keystore in the system stripe, which has been previously seeded with well-known public CA certificates from the Java SE Development Kit (JDK) cacerts file. Alternatively, import your own certificates as needed.
- The merge.jdkcacerts.with.trust property specifies whether to return public CA certificates in the kss://system/publiccacerts keystore when you query the kss://system/trust keystore. Set it to true to have all publiccacerts certificates returned with the query. Leave it unset or set it to false to have no publiccacerts certificates returned with the query.
- Before Upgrading the Security Store
- Compatibility Table for 11g and 12c Versions
- Upgrading Security: Main Steps
- Reconfiguring Domains with the Fusion Middleware Reconfiguration Wizard
Before Upgrading the Security Store
Before upgrading the security store:
- Perform a readiness check on the older version of Fusion Middleware to determine if it is suitable for upgrading to version 12c (12.2.1.4.0).
- Create a complete backup so that you can recover it in case the upgrade fails.
Compatibility Table for 11g and 12c Versions
This section presents the compatible versions of binaries, configurations, schemas, and stores for releases 11.1.1.5.0, 11.1.1.6.0, 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0 and 12.2.1.x. The compatible versions of these artifacts apply to both DB and LDAP security stores. In DB stores, exactly one security store is assumed per database schema.
The following table lists the compatible versions; it applies to both DB and LDAP security stores. Note the following notation:
- The prefix => next to a version number denotes a version equal to or higher than the stated version number.
- The prefix > next to a version number denotes a version higher than the stated version number.
- The prefix < next to a version number denotes a version lower than the stated version number.
Binary | Configuration | Schema | Store | Status |
---|---|---|---|---|
11.1.1.5.0 | 11.1.1.5.0 | =>11.1.1.5.0 | 11.1.1.5.0 | Certified |
11.1.1.5.0 | 11.1.1.5.0 | >11.1.1.5.0 | >11.1.1.5.0 | Not supported |
11.1.1.6.0 | 11.1.1.5.0 | =>11.1.1.5.0 | 11.1.1.5.0 | Certified |
11.1.1.6.0 | 11.1.1.5.0 | >11.1.1.5.0 | >11.1.1.5.0 | Not supported |
11.1.1.6.0 | 11.1.1.6.0 | =>11.1.1.6.0 | 11.1.1.6.0 | Certified |
11.1.1.6.0 | 11.1.1.6.0 | >11.1.1.6.0 | >11.1.1.6.0 | Not supported |
11.1.1.7.0 | 11.1.1.7.0 | =>11.1.1.6.0 | <11.1.1.7.0 | Not supported |
11.1.1.7.0 | 11.1.1.6.0 | =>11.1.1.6.0 | 11.1.1.6.0 | Certified |
11.1.1.7.0 | 11.1.1.6.0 | >11.1.1.6.0 | >11.1.1.6.0 | Not supported |
11.1.1.7.0 | 11.1.1.7.0 | =>11.1.1.7.0 | 11.1.1.7.0 | Certified |
11.1.1.9.0 | 11.1.1.7.0, 11.1.1.6.0, 11.1.1.5.0, 11.1.1.9.0 | =>11.1.1.7.0, =>11.1.1.6.0, =>11.1.1.5.0, =>11.1.1.9.0 | 11.1.1.7.0, 11.1.1.6.0, 11.1.1.5.0, 11.1.1.9.0 | Certified |
12.1.2.0.0 | 12.1.2.0.0 | =>12.1.2.0.0 | 12.1.2.0.0 | Certified (schema only upgrade) |
12.1.2.0.0 | <12.1.2.0.0 | <12.1.2.0.0 | <12.1.2.0.0 | Not supported |
12.1.3.0.0 | 12.1.3.0.0 | =>12.1.3.0.0 | 12.1.3.0.0 | Certified (schema only upgrade) |
12.1.3.0.0 | <12.1.3.0.0 | <12.1.3.0.0 | <12.1.3.0.0 | Not supported |
12.2.1.0.0 | 12.2.1.0.0 | 12.2.1.0.0 | 12.2.1.0.0 | Certified |
12.2.1.0.0 | <12.2.1.0.0 | <12.2.1.0.0 | <12.2.1.0.0 | Not supported |
12.2.1.1.0 | 12.2.1.1.0 | 12.2.1.0.0 | 12.2.1.1.0 | Certified |
12.2.1.1.0 | <12.2.1.1.0 | <12.2.1.0.0 | <12.2.1.1.0 | Not supported |
12.2.1.2.0 | 12.2.1.2.0 | 12.2.1.0.0 | 12.2.1.2.0 | Certified |
12.2.1.2.0 | <12.2.1.2.0 | <12.2.1.0.0 | <12.2.1.2.0 | Not supported |
12.2.1.3.0 | 12.2.1.3.0 | 12.2.1.0.0 | 12.2.1.3.0 | Certified |
12.2.1.3.0 | <12.2.1.3.0 | <12.2.1.0.0 | <12.2.1.3.0 | Not supported |
Upgrading Security: Main Steps
The following tables describe the steps you take to upgrade a system according to the type of security and audit stores. All of the procedures assume that your binaries have been upgraded to 12c (12.2.1.4.0) Oracle Fusion Middleware binaries.
Note:
Before starting the procedures documented in this section, be sure that you have read and understood the tasks and concepts documented in the following:
- Reconfiguring a WebLogic Domain in Upgrading Oracle WebLogic Server
Note:
During the upgrade process, if you perform any OPSS runtime operations on any of the servers before you restart them, you may get errors related to operations being performed against the OPSS Security store. These errors can occur if the binary and schema have been upgraded, but the server process that is being run is still using the old classes that have not been updated or refreshed. Therefore, Oracle recommends that you always restart all of the Managed Servers in the domain after the upgrade process is complete.
Synonym objects owned by IAU_APPEND and IAU_VIEWER will appear as INVALID in the schema version registry table, but that does not indicate a failure. Synonym objects become invalid because the target object changes after the creation of the synonym. The synonym objects will become valid when they are accessed. You can safely ignore these INVALID objects.
Table 2-1 Upgrading from 12.1.2 or 12.1.3 to 12.2.1.x
Security Store Type | Audit Store Type | To upgrade to 12.2.1.x: |
---|---|---|
Oracle Internet Directory | Database | |
Database | Database | |
Note:
Upgrading from a 12c file security store is not supported.
Table 2-2 Upgrading from 11.1.1.7 or 11.1.1.9 to 12.2.1.x
Security Store Type | Audit Store Type | To upgrade to 12.2.1.x: |
---|---|---|
File | File | |
File | Database | |
Oracle Internet Directory | File | |
Oracle Internet Directory | Database | |
Database | File | |
Database | Database | |
Note:
An 11g file security store is automatically upgraded to a database-based security store.
Reconfiguring Domains with the Fusion Middleware Reconfiguration Wizard
Run the procedure in this section to reconfigure a domain using the Fusion Middleware Reconfiguration Wizard. For complete details about the Reconfiguration Wizard, see Reconfiguring WebLogic Domains in Upgrading Oracle WebLogic Server.
Note:
In some configurations, you may get an invalid key size exception when running the Reconfiguration Wizard. Oracle recommends that you check your configuration before running the Reconfiguration Wizard, and if necessary, install the JCE Unlimited Strength Jurisdiction Policy Files.
Upgrading a Shared Security Store
To upgrade a security store shared (joined) by several domains, use one of the following tasks:
Upgrading a Shared 12c Security Store
Run the procedure in this section to upgrade to 12c (12.2.1.4.0) from a previous 12c shared security store.
- Shut down all domains that share the store you want to upgrade.
- Run the Upgrade Assistant to upgrade the OPSS schema of the shared security store and the audit schema if the source audit data is a database store.
- In each of the domains sharing the security store, run Fusion Middleware Reconfiguration Wizard to reconfigure the domain and to upgrade OPSS data, directory information tree, and product security artifacts.
- Restart all domains sharing the security store.
Upgrading a Shared 11g Security Store
Run the procedure in this section to upgrade to 12.2.1.x from an 11.1.1.7 or 11.1.1.9 shared security store.
- Shut down all domains sharing the store you want to upgrade.
- Run the Upgrade Assistant to upgrade the OPSS schema of the shared security store, and the audit schema if the source audit is a database store.
- Run the Reconfiguration Wizard in each of the domains sharing the security store. When first run, it upgrades the data of the security store and configuration of the domain. When run from any other domain, it will upgrade only the configuration of that domain.
- Restart all upgraded domains.