1. Oracle Identity and Access Management Upgrade Strategies
  2. Out-of-Place Upgrade

3 Out-of-Place Upgrade

An out-of-place upgrade is described as creating a new system and migrating the data from your existing system to the new system.

The new system may have different host names and different application URLs.

This chapter contains information about the out-of-place upgrade strategies for Oracle Identity Management, Oracle Internet Directory, and Oracle Unified Directory.

The sections below show the high level steps to perform an out-of-place upgrade. For detailed instructions, see the product-specific upgrade guides for the version you are upgrading.

This chapter includes the following topics:

Planning the Out-of-Place Upgrade

Before you start the out-of-place upgrade of OIG, OAM, OID, or OUD, you must do the following:

  • Verify that you are running the supported hardware and software versions. For more information, see Oracle Fusion Middleware 12c Certifications.

  • Ensure that the database and JDK versions are up-to-date. You must have the latest JDK version installed in the source environment. For more information, see Oracle Fusion Middleware 12c Certifications.

  • Upgrade timelines and resources should also factor in topology complexities such as high availability configuration, SSL, firewalls, and so on.

  • Ensure that the upgrade does not compromise functionalities such as OAM Administration console, OAM SSO login, Identity Federation SSO, session management, custom OAM authentication plug-in, OAM custom page configurations (login, error, logout), Custom API solutions, and performance.
  • Plan for system downtime during the upgrade process.

Parent topic: Out-of-Place Upgrade

Out-of-Place Upgrade Considerations

When performing an out-of-place upgrade, you are creating an entirely new system based on existing data. You may choose to keep your existing application URLs, or create new ones. If you choose to have the same URLs, then migrating your existing system interfaces will be easier. However having different URLs means that you can run both your installations in parallel and can phase your cutover.

Because you have an entirely new system, you will have different host names. As a best practice, Oracle recommends that you use virtual host names rather than physical host names. Using virtual host names makes it easier for disaster recovery, transportability, and deployment into virtual environments.

Parent topic: Out-of-Place Upgrade

Performing an Out-of-Place Upgrade of Oracle Internet Directory

When using an out-of-place upgrade of Oracle Internet Directory, it is possible to perform the upgrade in one step. You can have a source system based on OID 11g (11.1.1.9), export the data from it, and import it directly into OID 12c.

To perform an out-of-place upgrade of OID:

  1. Complete the pre-upgrade assessment check to ensure the environment is ready for an upgrade.

  2. Install OID 12c in your target environment.

  3. Place the source directory in read-only mode.

  4. Export the data from the existing directory to an LDIF file.

  5. Perform a bulk load of the data from the LDIF file.

    You new directory is now available for use.

  6. Validate that OID is functioning correctly using in-house tests.

Note:

Complete these steps as a one-time operation. There is no ongoing data synchronization, at this time.

For instructions, see Upgrading Oracle Internet Directory for the release you want to upgrade.

Parent topic: Out-of-Place Upgrade

Performing an Out-of-Place Upgrade of Oracle Unified Directory

When using an out-of-place upgrade of Oracle Unified Directory, it is possible to perform the upgrade in one step. You can have a source system based on OUD 11g (11.1.2.3), export the data from it, and import it directly into OUD 12c.

To perform an out-of-place upgrade of OUD:

  1. Install OUD 12c in your target environment.

  2. Create a replication agreement between your source system and the destination system. OUD supports replication across releases.

  3. Create any indexes on your destination system that are not covered in the replication.

  4. Create any global ACIs on your destination system that are not covered in the replication.

    You new directory is now available for use and changes made on the source system will continue to be propagated to the destination system.

  5. Validate that OUD is functioning correctly using in-house tests.

  6. When ready for cutover, remove the source directory from the replication agreement.

Note:

The OUD replication does not replicate global ACIs or local indexes, so these need to be created manually.

Parent topic: Out-of-Place Upgrade

Out-of-Place Upgrade of Oracle Access Manager

Oracle does not support an out-of-place upgrade for Oracle Access Manager. Oracle recommends that you perform an out-of-place upgrades of Oracle Access Manager using the cloned approach. For instructions, see Upgrading Oracle Access Manager for the release you want to upgrade.

Parent topic: Out-of-Place Upgrade

Performing an Out-of-Place Upgrade of Oracle Identity Manager

When using an out-of-place upgrade of Oracle Identity Manager (Oracle Identity Governance) it is possible to perform the upgrade in one step. That is to say, you can have a source system based on OIM 11g (11.1.2.3), export the data from it, and import it directly into OIG 12c.

To perform an out-of-place upgrade of OIG:

  1. Complete the pre-upgrade assessment check to ensure the environment is ready for an upgrade.

  2. Install Oracle Identity Governance 12c in your target environment.

  3. Migrate your Data from 11g to 12c. Data migration includes: Organizations, Connectors, Accounts, Roles, Users, and Customizations.

  4. Tune the database / Application Server

  5. Validate your installation including, interactions with Dependent Directories, Oracle Access Manager (if used), and any other connected systems.

    For instructions, see Upgrading Oracle Identity Manager for the release you want to upgrade.

Parent topic: Out-of-Place Upgrade

Migration Considerations

After you have installed the OIG 12c environment as per your requirements, migrate the following entities from 11g to 12c environment:

Parent topic: Performing an Out-of-Place Upgrade of Oracle Identity Manager

Organizations

Following options are available to migrate Organization records from the current OIM 11g (11.1.2.3) environment to 12c:

Option 1- Organization Bulk Load Utility

This option involves creating a source database table or a CSV file that contains the data you want to migrate.

For more information on using CSV files or creating database tables, see Creating the Input Source for the Bulk Load Operation in Developing and Customizing Applications for Oracle Identity Governance.

Option 2- Export And Import Feature In Sysadmin Console

After you have created your source data, you need to import the source data into the new 12c target system. For more information, see Migrating Incrementally Using the Deployment Manager.

Parent topic: Migration Considerations

Connectors

You should review the latest version of the connector available for 12c and use Application on Boarding (AoB) to create such connectors.

A new installation enables you to upgrade your targets to newer versions that are certified with 12c connectors.

If 12c connectors are not available, you can export or import existing user data as long as those connectors are supported in the 12c OIM server.

For more information, see Oracle Identity Governance 12c Connectors documentation.

For downloading connectors, see the Oracle Identity Governance Connector Downloads page.

For certification information for Oracle Identity Manager Connectors, see Oracle Identity Governance Connectors Certification.

Note:

If the connectors installed on 11g (11.1.2.3) have no 12c version, you must check the certification, and then upgrade the existing connector to make it compatible with OIG 12c.

Parent topic: Migration Considerations

Accounts
After you set up the connectors as applications, you should start loading the account data from the target systems.

Note:

Target systems are applications such as database, LDAP, and so on, which OIM connects to using the OIM connectors.

Following options are available to load your accounts:

  • Option 1: If the target system has account data, you can bulk load the account details (or data) by using the Bulk Load Utility. See Loading Account Data in Developing and Customizing Applications for Oracle Identity Governance guide.

  • Option 2: You can load the target system account data into the new environment by using connector the reconciliation jobs.

Parent topic: Migration Considerations

Roles (Role, Role Membership, and Categories)

You can use the OIM Bulk Load Utility to import roles, role membership, and categories from a table or a CSV file. Export the relevant data files from the source OIM database.

For information on how to export and import this data, see Loading Role, Role Hierarchy, Role Membership, and Role Category Data in Developing and Customizing Applications for Oracle Identity Governance.

Parent topic: Migration Considerations

User Records

Following options are available to migrate user records from current OIM 11g (11.1.2.3) environment to 12c:

Option 1 - User Bulk Load Utility

This option includes exporting the user records to a table or a CSV file that will act as a source. See Loading OIM User Data in Developing and Customizing Applications for Oracle Identity Governance guide.

Option 2- Trusted Recon of Users from 11g to 12c

This option includes using the Database User Management (DBUM) connector or a flat file connector to migrate the user records.

Note:

You cannot migrate user passwords by using the above options. You can set up SSO or LDAP as an authentication provider.

Parent topic: Migration Considerations

User Customizations

If you have added the custom User Defined Fields (UDF) in OIM 11g (11.1.2.3), you must create those UDFs in 12c as well.

WARNING:

Oracle does not support UDF migration (Deployment Manager and ADF Sandboxes).

Note:

To check if import or export from 11g (11.1.2.3) to 12c works, export the user metadata from the 11g (11.1.2.3) environment and import it to 12c, get the corresponding ADF sandbox, and then import it to 12c.

Parent topic: Migration Considerations

Others

You can also migrate the following items from your 11g (11.1.2.3) environmen to 12c environment by using the Export/Import option in the sysadmin console:

  • Access policies
  • Admin roles
  • Application instances
  • Approval policies
  • Catalog UDFs
  • Certification configurations
  • Certification definitions
  • Custom resource bundles
  • E-mail definitions
  • Error codes
  • Event handlers
  • Identity Audit configuration
  • Identity Audit rules
  • Identity Audit scan definitions
  • IT resource definition
  • IT resources
  • JAR files
  • Lookup definitions
  • Notification templates
  • Organization metadata
  • Organizations
  • Password policies
  • Policies
  • Plug-ins
  • Prepopulation adapters
  • Process definitions
  • Process forms
  • Provisioning workflows and process task adapters
  • Request datasets
  • Resource objects
  • Risk configuration
  • Role metadata
  • Roles
  • Scheduled jobs
  • Scheduled tasks
  • System properties
  • User metadata

For more information, see Moving from a Test to a Production Environment and Using the Movement Scripts in the Fusion Middleware Administrator's Guide.

Parent topic: Migration Considerations

Tuning Considerations

As a post-upgrade step, you must follow the performance tuning guidelines provided in the tuning documentation. See Oracle Identity Governance Performance Tuning.

Also, you should check the existing 11g (11.1.2.3) system for custom indexes and create them in the 12c system.

Parent topic: Performing an Out-of-Place Upgrade of Oracle Identity Manager

Performing an Out-of-Place Upgrade of Oracle HTTP Server

You can perform an out-of-place upgrade of Oracle HTTP Server in one step. Export the configuration from the source system that is based on OHS 11g (11.1.2.3) and import it directly into the OHS 12c (12.2.1.4).

To perform an out-of-place upgrade of OHS:

  1. Install Oracle HTTP Server 12.2.1.4 in your target environment.

  2. Migrate your configuration from the source environment to the destination environment.

  3. Disable Webgate.

  4. Validate the configuration using in-house tests.

  5. Copy the 12c Webgate Artifacts from your OAM 12c deployment to your Oracle HTTP 12c server installation.

  6. Enable Webgate.

  7. Validate your installation using in-house tests.

Note:

Oracle HTTP Server 12c comes with an embedded webgate. This webgate will not work out-of-the box with Oracle Access Manager 11g. It is possible to make it work but it is recommended that you do not enable Webgate until you have upgraded to Oracle Access Manager 12c. If you are using an SSL enabled Oracle HTTP server, you will need to either create a new certificate or copy your existing certificate to the new Oracle HTTP installation.

Parent topic: Out-of-Place Upgrade

Interfaces

If you have any external applications, which interact with Oracle Identity Manager, then you need to ensure that they work with the new installation. This may include:

  • Changing URLs if your URLs have changed.

  • Upgrading any third party agents, if you are using any. For example, BIG-IP.

  • Changing any load balancers/DNS servers to point to the new application.

Parent topic: Out-of-Place Upgrade