4 Upgrading Oracle Identity Manager Highly Available Environments

Describes the process of upgrading an Oracle Identity Manager highly available environment from 11g Release 2 (11.1.2.3.0) to Oracle Identity Governance 12c (12.2.1.3.0).

Note:

The product Oracle Identity Manager is referred to as Oracle Identity Manager (OIM) and Oracle Identity Governance (OIG) interchangeably in the guide.

Topics

• About the Oracle Identity Manager Multinode Upgrade Process
  Review the topology and the roadmap for an overview of the upgrade process for Oracle Identity Manager highly available environments.
• Completing the Pre-Upgrade Tasks for Oracle Identity Manager
  Complete the pre-upgrade tasks described in this section before you upgrade Oracle Identity Manager.
• Creating 12c Oracle Home Folder on OIMHOST1 and OIMHOST2
  Create a folder for 12c Oracle Home on both OIMHOST1 and OIMHOST2.
• Installing Product Distributions on OIMHOST1 and OIMHOST2
  Install the 12c binaries onto OIMHOST1 and OIMHOST2 or onto shared storage accessible by both. If you are using redundant binaries ensure you install into each of the redundant locations
• Installing the Latest Stack Patch Bundle
  After you install the product distributions, Oracle strongly recommends you to apply the latest IDM Stack Patch Bundle (SPB) 12.2.1.3.0 before proceeding with the upgrade process. You can apply the patch by using the Opatch tool. Applying the SPB helps eliminate most of the upgrade issues or workarounds.
• Running a Pre-Upgrade Readiness Check
  To identify potential issues with the upgrade, Oracle recommends that you run a readiness check before you start the upgrade process. Be aware that the readiness check may not be able to discover all potential issues with your upgrade. An upgrade may still fail, even if the readiness check reports success.
• Creating the Required 12c Schemas Using RCU
  When upgrading from 11g, you must create the required 12c schemas. If your setup is not SSL enabled, you can use the Upgrade Assistant to create schemas by using the default schema settings. In case of SSL enabled setup, you can use the Repository Creation Utility (RCU) to create customized schemas. This procedure describes how to create schemas using the RCU. Information about using the Upgrade Assistant to create schemas is covered in the upgrade procedures.
• Stopping Servers and Processes
  Before you run the Upgrade Assistant to upgrade your schemas and configurations, you must shut down all of the pre-upgrade processes and servers, including the Administration Server, Node manager, and any managed servers.
• Upgrading Schemas on OIMHOST1
  Upgrade all of the necessary schemas for Oracle Identity Manager, on OIMHOST1 by using the Upgrade Assistant.
• Reconfiguring the Domain on OIMHOST1
  Run the Reconfiguration Wizard on OIMHOST1 to reconfigure your domain component configurations to 12c (12.2.1.3.0).
• Upgrading Domain Component Configurations on OIMHOST1
  Use the Upgrade Assistant to upgrade the domain component’s configurations inside the domain to match the updated domain configuration.
• Replicating the Domain Configurations on each OIMHOST
  Replicate the domain configurations on OIMHOST2. This involves packing the upgraded domain on OIMHOST1 and unpacking it on OIMHOST2.
• Starting the Servers for Initial Post-Upgrade Bootstrap Processing
  After you upgrade Oracle Identity Manager, start the servers to bootstrap the domain configuration.
• Fully Deploy the oracle.iam.ui.custom-dev-starter-pack.war
  Validate that the Upgrade Assistant has automatically copied the oracle.iam.ui.custom-dev-starter-pack.war file from the 11g MW_HOME to the 12c ORACLE_HOME on the AdminServer host.
• Starting the Servers on OIMHOST1 and OIMHOST2
  After you upgrade Oracle Identity Manager on both OIMHOST1 and OIMHOST2, start the servers.
• Upgrading Oracle Identity Manager Design Console
  Upgrade the Oracle Identity Manager Design Console after you upgrade the Oracle Identity Manager (OIM) domain component configurations.
• Performing the Post-Patch Install Steps
  After completing the upgrade, you have to perform the post-patch installation steps.
• Completing the Post-Upgrade Tasks for SSL Enabled Setup
  If you are upgrading an Oracle Identity Manager SSL enabled setup, you must perform the required post-upgrade tasks to complete the upgrade process.
• Increasing the Maximum Message Size for WebLogic Server Session Replication
  
• Changing the JMS and TLOG Persistence Store After the Upgrade
  
• Installing Standalone Oracle BI Publisher
  When you upgrade Oracle Identity Manager 11.1.2.3.0 to Oracle Identity Governance 12c (12.2.1.3.0), the embedded Oracle BI Publisher present in the 11.1.2.3.0 deployment, is removed. Therefore, you must install a new standalone Oracle BI Publisher 12c (12.2.1.3.0) post upgrade, for configuring the Oracle Identity Governance reports.

About the Oracle Identity Manager Multinode Upgrade Process

Review the topology and the roadmap for an overview of the upgrade process for Oracle Identity Manager highly available environments.

The steps you take to upgrade your existing domain will vary depending on how your domain is configured and which components are being upgraded. Follow only those steps that are applicable to your deployment.

Upgrade Topology

The following topology shows the Oracle Identity Manager cluster set up that can be upgraded to 12c (12.2.1.3.0) by following the procedure described in this chapter.

Note:

As required, you can upgrade OHS independently of this OIM upgrade process.

Figure 4-1 Oracle Identity Manager High Availability Upgrade Topology

Description of "Figure 4-1 Oracle Identity Manager High Availability Upgrade Topology"

On OIMHOST1, the following installations have been performed:

• An Oracle Identity Manager instance has been installed in the WLS_OIM1 Managed Server and a SOA instance has been installed in the WLS_SOA1 Managed Server.

• A WebLogic Server Administration Server has been installed. Under normal operations, this is the active Administration Server.

On OIMHOST2, the following installations have been performed:

• An Oracle Identity Manager instance has been installed in the WLS_OIM2 Managed Server and a SOA instance has been installed in the WLS_SOA2 Managed Server.

• A WebLogic Server Administration Server has been installed. Under normal operations, this is the passive Administration Server. You make this Administration Server active if the Administration Server on OIMHOST1 becomes unavailable.

The instances in the WLS_OIM1 and WLS_OIM2 Managed Servers on OIMHOST1 and OIMHOST2 are configured as the OIM_CLUSTER cluster.

The instances in the WLS_SOA1 and WLS_SOA2 Managed Servers on OIMHOST1 and OIMHOST2 are configured as the SOA_CLUSTER cluster.

Table 4-1 Tasks for Upgrading Oracle Identity Manager Highly Available Environments

Task	Description
Required If you have not done so already, review the introductory topics in this guide and complete the required pre-upgrade tasks.	See: Introduction to Upgrading Oracle Identity Manager to 12c (12.2.1.3.0) Pre-Upgrade Requirements
Required Complete the necessary pre-upgrade tasks specific to Oracle Identity Manager.	See Completing the Pre-Upgrade Tasks for Oracle Identity Manager.
Required Create the 12c Middleware Home Folder on both OIMHOST1 and OIMHOST2, so that you can use the location for installing the product distributions.	See Creating 12c Middleware Home Folder on OIMHOST1 and OIMHOST2.
Required Install Oracle SOA Suite12c (12.2.1.3.0) and Oracle Identity Manager12c (12.2.1.3.0) in the new Oracle home.	See Installing Product Distributions on OIMHOST1 and OIMHOST2.
Required Apply the latest bundle patches	See Installing the Latest Stack Patch Bundle.
Required Run a pre-upgrade readiness check.	See Running a Pre-Upgrade Readiness Check.
Required Start the Repository Creation Utility (RCU) to create the required 12c database schemas. Note: This step is not required for non-SSL setup, as the Upgrade Assistant creates the necessary 12c schemas during the upgrade process. For SSL enabled setup, you must run the RCU to create the necessary 12c schemas.	The schemas you create will vary depending on your existing schema configuration. See Creating the Required 12c Schemas with the RCU.
Required Shut down the 11g servers. This includes the Administration Server, Managed Servers, Node Manager, and system components like Oracle HTTP Server. Ensure that the Database is up during the upgrade.	See Stopping Servers and Processes.
Required Upgrade the necessary schemas on OIMHOST1.	See Upgrading Schemas on OIMHOST1.
Required Reconfigure the Oracle Identity Manager domain on OIMHOST1.	See Reconfiguring the Domain on OIMHOST1.
Required Upgrade the Oracle Identity Manager configurations on both OIMHOST1, using the Upgrade Assistant.	The Upgrade Assistant is used to update the reconfigured domain’s component configurations. See Upgrading Domain Component Configurations on OIMHOST1 and OIMHOST2.
Required Replicate the domain configurations on OIMHOST2.	This includes packing the domain on OIMHOST1 and unpacking it on OIMHOST2. See Replicating the Domain Configurations on OIMHOST2.
Required Start the servers.	See Starting the Servers for Initial Post-Upgrade Bootstrap Processing.
Required Deploy the oracle.iam.ui.custom-dev-starter-pack.war from 11g Middleware Home to 12c Middleware Home.	See Fully Deploy the oracle.iam.ui.custom-dev-starter-pack.war.
Required Start the servers on OIMHOST1 and OIMHOST2.	See Starting the Servers on OIMHOST1 and OIMHOST2.
Required Upgrade the Oracle Identity Manager Design Console to 12c (12.2.1.3.0).	See Upgrading Oracle Identity Manager Design Console.
Required Complete the post-patch install steps.	See Performing the Post-Patch Install Steps.
Required Perform the post-upgrade tasks for SSL enabled setup. Note: This step is not required for non-SSL setup.	See Completing the Post-Upgrade Tasks for SSL Enabled Setup.
Required To replicate the session data across the nodes, increase the Maximum Message Size for WebLogic Server.	See Increasing the Maximum Message Size for WebLogic Server Session Replication.
Optional Change the JMS and TLOG persistence stores from files-based to database-based.	See Changing the JMS and TLOG Persistence Store After the Upgrade
Optional When you upgrade to Oracle Identity Governance 12c (12.2.1.3.0), the embedded Oracle BI Publisher present in the 11.1.2.3.0 deployment is removed. Therefore, you must install a new standalone Oracle BI Publisher 12c (12.2.1.3.0) on OIMHOST1 and OIMHOST2, post upgrade. After you install, integrate it with Oracle Identity Governance 12c (12.2.1.3.0) to configure the Oracle Identity Governance reports.	See Installing Standalone Oracle BI Publisher.

Completing the Pre-Upgrade Tasks for Oracle Identity Manager

Complete the pre-upgrade tasks described in this section before you upgrade Oracle Identity Manager.

• Upgrading SOA Composites
  If your starting point is Oracle Identity Manager 11.1.1.x.x, you must manually upgrade custom composites that you have built.
• Updating Server Wallets to Remove MD5 Algorithm
  OIM 12c (12.2.1.3.0) uses JDK 8, which does not support MD5 signing algorithm. If the existing keystore has a certificate which is invalid with JDK8 (that is, using disabled algorithm) used to install the 12c (12.2.1.3.0) binaries, you must generate the keystore and place it in the DOMAIN_HOME/config/fmwconfig directory.
• Updating DB Wallets to Remove MD5 Algorithm (For SSL Enabled Setup)
  If you have SSL enabled setup, update all of the DB wallets to remove any MD5 algorithms, as 12c (12.2.1.3.0) uses JDK 8 which does not support MD5 algorithm.
• Verifying the Memory Settings
  To avoid the memory issues for Oracle Identity Manager, ensure that the memory settings are updated as per the requirements.
• Opening the Non-SSL Ports for SSL Enabled Setup
  If you have an SSL enabled and non-SSL disabled setup, you must open the non-SSL ports for Servers and Database before you proceed with the Oracle Identity Manager upgrade.
• Backing Up the metadata.mar File Manually
  

Upgrading SOA Composites

If your starting point is Oracle Identity Manager 11.1.1.x.x, you must manually upgrade custom composites that you have built.

Complete the following steps to upgrade SOA composites:

1. Open the SOA composite project in JDeveloper (Use Jdeveloper 11.1.1.9.0).
2. Open ApprovalTask.task file in designer mode.
3. Select General.
4. Change Owner to Group, SYSTEM ADMINISTRATORS, STATIC.
5. Select Outcomes lookup.

   An Outcomes Dialog opens.

6. Select Outcomes Requiring Comment.
7. Select Reject and click OK.
8. Click OK again.
9. Select Notification.
10. Click on the update icon under Notification.

    Update any old URLs in notification with the corresponding new URL in 11.1.2.3.0.

    Following is an example notification content:

    A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval. <BR><BR>
    Request ID: <%/task:task/task:payload/task:RequestID%> <BR>
    Request type: <%/task:task/task:payload/task:RequestModel%> <BR>
    <BR>
    Access this task in the 
    <A 
    style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details
    >
    Identity Self Service
    </A>
     application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request

11. Click Advanced.
12. Deselect Show worklist/workspace URL in notifications.

    Provide the URL to Pending Approvals in identity application as listed in the example in step 10.

13. Repeat step 1 to step12 for other human tasks, if any, in the composite, and then save your work.
14. Right click Project and select Deploy > Deploy to Application Server.
15. Provide revision ID.

    Select Mark revision as default and Overwrite any existing composite with same revision ID.

    Note:

    You can also deploy the composites with different revision ID. In that case, you have to modify all approval policies using this composite.
16. Select your application server connection, if it already exists, and click Next.

    Create an application server connection if it does not exist.

17. Click Next.
18. Click Finish.
19. Repeat the procedure for the remaining custom composites.

Updating Server Wallets to Remove MD5 Algorithm

OIM 12c (12.2.1.3.0) uses JDK 8, which does not support MD5 signing algorithm. If the existing keystore has a certificate which is invalid with JDK8 (that is, using disabled algorithm) used to install the 12c (12.2.1.3.0) binaries, you must generate the keystore and place it in the DOMAIN_HOME/config/fmwconfig directory.

If the default keystore has MD5 algorithm, then the upgrade readiness check and the examine phase of OIM configuration upgrade will fail.

To verify the validity of the certificate, do the following:

1. Check for the jdk.certpath.disabledAlgorithms property in the JAVA_HOME/jre/lib/security/java.security file.
   For example:

   jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

2. Check for the certificate algorithm in the existing keystore by doing the following:
   1. For default keystore, DOMAIN_HOME/config/fmwconfig/default-keystore.jks, run the following command from the JAVA_HOME/jre/bin directory:

      ./keytool -list -v -keystore DOMAIN_HOME/config/fmwconfig/default-keystore.jks

      If you are using the custom keystores, that is, DOMAIN_HOME/config/fmwconfig/name_of_custom_store, run the following command from the JAVA_HOME/jre/bin directory:

      ./keytool -list -v -keystore DOMAIN_HOME/config/fmwconfig/custom_keystore.jks

      This command displays the keystore data. Enter the keystore password when prompted.

   2. Check for the Signature algorithm name field value in the output of the above command. If the value of Signature algorithm name field and the jdk.certpath.disabledAlgorithms property has MD5 algorithm, then the given keystore will not be valid after upgrade.
      If the keystore is not valid after upgrade, the following error in seen in the server logs while executing the request use cases after upgrade, and none of the request use cases will be successful:

      Caused by: java.security.cert.CertPathValidatorException: Algorithm 
      constraints check failed: MD5withRSA 
      

3. If required, replace the certificates in the keystore with new ones using a valid signing algorithm with the following steps. Replace the placeholder values as described.

   Table 4-2 List of Placeholder Values with Description

   Placeholder Value	Description
   temporary_directory	A directory with write access to store the temporary keystore and csr files. For example: /tmp
   cert_req_file_name	A descriptive filename for the certificate signing request (CSR). For example: xell.csr
   certificate_name	A descriptive filename for the certificate. For example: xell.cert.
   key_password	A unique credential string. (Unknown if needs to match pre-existing Oracle defaults or not.)
   keystore_password	A credential that matches the credential for the existing 11g keystore being updated.
   key_size	A value of 2048 when using -genkeypair, and -keyalg is RSA.
   supported_algorithm_name	A valid signing algorithm NOT on the jdk.certpath.disabledAlgorithms list. For example: SHA256withRSA.
   validity_period	A validity period in days according to your organization's security requirements
   valid_name	Quoted string; When provided, it is used as the subject of the generated certificate. Otherwise, the one from the certificate request is used. For example: "CN=IADGovernanceDomain, OU=CustomerOrg, O=Customer, L=City, ST=NY, C=US")

   1. Generate the keypair using SHA256withRSA signing algorithm.

      ./keytool -genkeypair -alias xell \
                    -keypass key_password \
                    -keystore /temporary_dir/temp_keystore_name.jks \
                    -storepass keystore_password \
                    -keyalg supported_algorithm_name \
                    -keysize key_size \
                    -sigalg supported_algorithm_name \
                    -validity validity_period \
                    -dname vaild_name

      For example:

      ./keytool -genkeypair -alias xell \
                    -keypass yourkeypassword \
                    -keystore /tmp/default-keystore.jks \
                    -storepass yourkeystorepassword \
                    -keyalg RSA \
                    -keysize 2048 \
                    -sigalg SHA256withRSA \
                    -validity 3600 \
                    -dname "CN=IADGovernanceDomain, OU=CustomerOrg, O=Customer, L=City, ST=NY, C=US"

   2. Generate CSR to be used to replace the certificate used for both the xell and xeltrusted aliases in the updated keystore.

      /keytool -certreq -alias xell \
                    -keypass key_password \
                    -keyalg RSA \
                    -file /tmp/cert_req_file_name.csr \
                    -keystore /temporary_dir/temp_keystore_name.jks \
                    -storepass keystore_password \
                    -storetype jks

      For example:

      ./keytool -certreq -alias xell \
                    -keypass yourkeypassword \
                    -keyalg RSA \
                    -file /tmp/xell.csr \
                    -keystore /tmp/default-keystore.jks \
                    -storepass yourkeystorepassword \
                    -storetype jks

   3. Export the Certificate for the xell alias.

      ./keytool -exportcert -alias xell \
                    -file /temporary_dir/certificate_name.cer \
                    -keystore new_keystore_location/temp_keystore_name.jks \
                    -storepass keystore_password \
                    -rfc

      For example:

      ./keytool -exportcert -alias xell \
                    -file /tmp/xell.cer \
                    -keystore /tmp/default-keystore.jks \
                    -storepass yourkeystorepassword \
                    -rfc

   4. Import the same certificate with a second alias as xeltrusted. Respond with "yes" when prompted to confirm adding the same certificate under a new alias.

      ./keytool -importcert -alias xeltrusted \
                    -file /temporary_dir/certificate_name.cer \
                    -keystore /temporary_dir/temp_keystore_name.jks \
                    -storepass keystore_password

      For example:

      ./keytool -importcert -alias xeltrusted \
                    -file /tmp/xell.cer \
                    -keystore /tmp/default-keystore.jks \
                    -storepass yourkeystorepassword
      
      Certificate already exists in keystore under alias <xell>
      Do you still want to add it? [no]: yes
      Certificate was added to keystore

4. Import the newly generated keystore into the existing keystore DOMAIN_HOME/config/fmwconfig/default-keystore.jks by running the following command:

   ./keytool —importkeystore —srckeystore new_keystore_location/new_keystore_name.jks -destkeystore DOMAIN_HOME/config/fmwconfig/default-keystore.jks -srcstorepass source_keystore_password -deststorepass destination_keystore_password -noprompt

   For example:

   ./keytool -importkeystore -srckeystore /tmp/default-keystore.jks -destkeystore DOMAIN_HOME/config/fmwconfig/default-keystore.jks -srcstorepass password -deststorepass password -noprompt

5. Log in to Enterprise Manager console and update the xell named CSF key under oim map, with the password value which is used above to generate the new key in keystore. In the above example, the password used is password.
6. Move the <export file>.cert and the <cert_req>.csr to the DOMAIN_HOME/config/fmwconfig/ location.
   cp /tm/xell.csr  DOMAIN_HOME/config/fmwconfig/
   cp /tmp/xell.cert  DOMAIN_HOME/config/fmwconfig/
7. If in an HA/Enterprise Deployment Guide Reference Architecture topology with multiple DOMAIN_HOME, copy the updated files to the Managed Server DOMAIN_HOMEs on each host.

   For example:

   cd ASERVER_DOMAIN_HOME/config/fmwconfig/
   
   scp ./default-keystore.jks ./xell.csr .xlserver.cert OIMHOST1:MSERVER_DOMAIN_HOME/config/fmwconfig/.
   
   scp ./default-keystore.jks ./xell.csr .xlserver.cert OIMHOST2:MSERVER_DOMAIN_HOME/config/fmwconfig/.

Note:

• For more information about using the keytool command, see keytool in the Java Platform, Standard Edition Tools Reference.

• The procedure described in this section for regenerating the default-keystore.jks or custom keystore includes self-signed certificates. If CA signed certificate is required, follow the standard process for the same, that is, generate the CSR and import the signed certificates in the keystore.

  During bootstrap process in OIM, the default-keystore.jks keystore will be configured in Keystore Service (KSS) out-of-the-box. In case of custom keystore,upload the given custom keystore to KSS after completing the upgrade. After you upload the given custom keystore to KSS, restart the servers.

  For more information about the Keystore Service commands, see OPSS Keystore Service Commands in WLST Command Reference for Infrastructure Security.

Updating DB Wallets to Remove MD5 Algorithm (For SSL Enabled Setup)

If you have SSL enabled setup, update all of the DB wallets to remove any MD5 algorithms, as 12c (12.2.1.3.0) uses JDK 8 which does not support MD5 algorithm.

Note:

All these steps in this procedure must performed on the Database server. That is, on the server where OIM database is installed.

To update the DB wallet, do the following:

1. Create an Oracle Wallet with default trusted certificate using the following command:
   ./orapki wallet create -wallet <trust_wallet_name> -pwd password 
   For example:

   ./orapki wallet create -wallet trust_wallet.p12 -pwd password

2. Add a self-signed certificate in the wallet with the distinguished name (DN) as CN=root_test,C=US using the following command:
   ./orapki wallet add -wallet trust_wallet_name -dn 'dn_name'-keysize 2048 -sign_alg sha256  -self_signed -validity 3650 -pwd password_of_wallet
   For example:

   ./orapki wallet add -wallet trust_wallet.p12 -dn 'CN=root_test,C=US' -keysize 2048 -sign_alg sha256 -self_signed -validity 3650 -pwd password

3. Export the self-signed trust certificate from the Oracle wallet to use it to sign other certificates, using the following command:
   ./orapki wallet export -wallet trust_wallet_name -dn 'dn_name' -cert trust_cert_file_name -pwd password_of_wallet
   For example:

   ./orapki wallet export -wallet trust_wallet.p12 -dn 'CN=root_test,C=US' -cert wallet_trusted.cert -pwd password 

4. You already have an Oracle Wallet with User Certificate identified. The user wallet is, DB_HOME/bin/user_wallet.p12. The DN of this user certificate is CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US. Remove the existing user certificate from this wallet using the following command:
   Where, DB_HOME is the server where OIM database is installed.
   ./orapki wallet  remove -wallet user_wallet_name -pwd password_of_existing_wallet -dn 'DN_name' -user_cert
   For example:

   ./orapki wallet remove -wallet user_wallet.p12 -pwd password -dn ' CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US ' -user_cert

5. You already have an Oracle Wallet with Requested Certificate identified. The user wallet is, DB_HOME/bin/user_wallet.p12. The DN of this requested certificate is CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US. Remove the existing requested certificate from this wallet using the following command:
   ./orapki wallet  remove -wallet user_wallet_name -dn 'DN_name' —cert_req -pwd password_of_existing_wallet
   For example:

   ./orapki wallet remove -wallet user_wallet.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -cert_req -pwd password 

6. You already have an Oracle Wallet with Trust Certificate identified. The user wallet is, DB_HOME/bin/user_wallet.p12. The DN of this trust certificate is CN=root_test,C=US. Remove the existing trust certificate from this wallet using the following command:
   ./orapki  wallet  remove  -wallet user_wallet_name -pwd password-of-existing_wallet  -dn  'DN_name' -trusted_cert 
   For example:

   ./orapki wallet remove ¿wallet user_wallet.p12 -pwd password -dn  ' CN=root_test,C=US' -trusted_cert

7. Add a user certificate in the existing user wallet with a distinguished name as CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US using the following command:
   ./orapki wallet add -wallet user_wallet_name -dn 'dn_name' -keysize 2048 -sign_alg sha256 -pwd password_of_existing_wallet
   For example:

   ./orapki wallet add —wallet user_wallet.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -keysize 2048 -sign_alg sha256 -pwd password

8. Export the user certificate request to a file using the following command:
   ./orapki wallet export -wallet user_wallet_name -dn 'dn_name' —request CSR_file_name -pwd password_of_existing_wallet 
   For example:

   ./orapki wallet export -wallet user_wallet.p12 -dn 'CN=Customer,OU=Customer,O=Customer,L=City,ST=NY,C=US' -request server_creq.csr -pwd password

9. Sign the user certificate request using the trusted wallet that was created above, using the following command:
   ./orapki cert create -wallet trusted_wallet_name-request CSR_file_name -cert user_cert_file_name sign_alg sha256 -pwd password_of_exiting_user_wallet
   For example:

   ./orapki cert create -wallet trust_wallet.p12 -request server_creq.csr -cert wallet_user.cert  -sign_alg sha256 - validity 3650  -pwd password

10. Add the trusted certificate wallet_trusted.cert that you created using the above procedure to the wallet, by running the following command:
    ./orapki wallet add -wallet user_wallet_name -trusted_cert -cert trust_cert_file_name  -pwd password_of_exiting_user_wallet 
    For example:

    ./orapki wallet add -wallet user_wallet.p12 -trusted_cert -cert wallet_trusted.cert -pwd  password

11. Add the signed user certificate to the Oracle wallet using the following command:
    ./orapki wallet add -wallet user_wallet -user_cert -cert user_cert_file_name -pwd password_of_exiting_user_wallet
    ./orapki wallet add ¿wallet user_wallet.p12 -user_cert -cert wallet_user.cert -pwd password
12. Remove the DB trusted certificate from server keystore. In case of demo identity and demo trust, remove from default-keystore.jks, and in case of custom identity and custom trust, remove it from the custom trust keystore, using the following command:
    ./keytool -delete -alias alias_of_db_cert -keystore custom_trust_store -storepass password-of-existing-trust-keystore
    For example:

    ./keytool -delete -alias dbtrusted -keystore DOMAIN_HOME/config/fmwconfig/custom_trust_store.jks -storepass password

13. Import self signed DB certifiacte in trust wallet using the following command:
    keytool -import -trustcacerts -alias <alias_of_db_cert>  -noprompt -keystore custom_trust_store -file DB_Trust_cert_file —storepass password_of_existing_trust_keystore 
    For example:

    keytool -import -trustcacerts -alias dbtrusted -noprompt -keystore DOMAIN_HOME/config/fmwconfig/custom_trust_store.jks -file /DB_HOME/bin/wallet_trusted.cert -storepass password

Verifying the Memory Settings

To avoid the memory issues for Oracle Identity Manager, ensure that the memory settings are updated as per the requirements.

On Linux, as a root user, do the following:

1. Ensure that you set the following parameters in the /etc/security/limits.conf or /etc/security/limits.d file, to the specified values:

   FUSION_USER_ACCOUNT soft nofile 32767
   FUSION_USER_ACCOUNT hard nofile 327679

2. Ensure that you set UsePAM to Yes in the /etc/ssh/sshd_config file.
3. Restart sshd.
4. Check the maxproc limit and increase it to a minimum of 16384, if needed. Increasing the limit will ensure you do not run into memory issues.

   Use the following command to check the limit:

   ulimit -u

   If less than 16384, use following command to increase the limit of open files:

   ulimit -u 16384

   Note:

   You can verify that the limit has been set correctly by reissuing the command ulimit -u.

   To ensure that the settings persist at reboot, add the following line to the /etc/security/limits.conf file or /etc/security/limits.d file:

   oracle hard nproc 16384

   Where, oracle is the install user.

5. Log out (or reboot) and log in to the system again.

Opening the Non-SSL Ports for SSL Enabled Setup

If you have an SSL enabled and non-SSL disabled setup, you must open the non-SSL ports for Servers and Database before you proceed with the Oracle Identity Manager upgrade.

To enable non-SSL ports for servers, complete the following steps:

1. Log in to the WebLogic Server Administration Console.
2. Click Environment > Servers > and select the required admin server.
3. On the Settings for Server page, click the Configuration tab, and then click General.
4. Click Lock & Edit.
5. Select Listen Port Enabled. The default port is 14000.
6. Repeat the step 1 through step 5 for each required server in the domain.

Note:

After you complete the upgrade, you can undo these changes as required.

For database: Ensure that database listener is listening on the same TCP port for database servers that you provided to upgrade assistant as parameters. For more information, see Enabling SSL for Oracle Identity Governance DB.

Backing Up the metadata.mar File Manually

After you install the 12c (12.2.1.3.0) binaries in a new Oracle Home, take a backup of the 12c (12.2.1.3.0)_ORACLE_HOME>/idm/server/apps/oim.ear/metadata.mar file before the upgrade.

Creating 12c Oracle Home Folder on OIMHOST1 and OIMHOST2

Create a folder for 12c Oracle Home on both OIMHOST1 and OIMHOST2.

It is recommended that you have the identical directory structure on OIMHOST1 and OIMHOST2.

For example:

/home/Oracle/product/ORACLE_HOME

Installing Product Distributions on OIMHOST1 and OIMHOST2

Install the 12c binaries onto OIMHOST1 and OIMHOST2 or onto shared storage accessible by both. If you are using redundant binaries ensure you install into each of the redundant locations

Install the following products on both OIMHOST1 and OIMHOST2:

• Oracle Fusion Middleware Infrastructure 12c (12.2.1.3.0)

• Oracle SOA Suite 12c (12.2.1.3.0)

• Oracle Identity Manager 12c (12.2.1.3.0)

Note:

If you have redundant Oracle_Home installations, then install the binaries into each of the redundant locations.

• Installing Product Distributions
  Before beginning your upgrade, download Oracle Fusion Middleware Infrastructure, Oracle SOA Suite, and Oracle Identity Manager 12c (12.2.1.3.0) distributions on the target system and install them using Oracle Universal Installer.

Installing Product Distributions

Before beginning your upgrade, download Oracle Fusion Middleware Infrastructure, Oracle SOA Suite, and Oracle Identity Manager 12c (12.2.1.3.0) distributions on the target system and install them using Oracle Universal Installer.

Note:

The 12c binaries are installed in a different location from the previous 11g binaries. You can install 12c binaries before any planned downtime for upgrade.

It is recommended that you use the simplified installation process to install the products mentioned above, using the quick installer (fmw_12.2.1.3.0_idmquickstart_generic.jar). The quick installer installs the Infrastructure, Oracle SOA Suite, and Oracle Identity Manager 12c (12.2.1.3.0) in one go.

Note:

If you are using Redundant binary locations, ensure that you install the software into each of those redundant locations.

See Installing Oracle Identity Governance Using Quick Installer in the Installing and Configuring Oracle Identity and Access Management.

The other option is to install the required product distributions — Infrastructure, Oracle SOA Suite, and Oracle Identity Manager 12c (12.2.1.3.0) separately. To do this, complete the following steps:

1. Sign in to the target system.
2. Download the following from Oracle Technical Resources or Oracle Software Delivery Cloud to your target system:
   • Oracle Fusion Middleware Infrastructure (fmw_12.2.1.3.0_infrastructure_generic.jar)
   • Oracle SOA Suite (fmw_12.2.1.3.0_soa_generic.jar)
   • Oracle Identity Manager (fmw_12.2.1.3.0_idm_generic.jar)
3. Change to the directory where you downloaded the 12c (12.2.1.3.0) product distribution.
4. Start the installation program for Oracle Fusion Middleware Infrastructure:
   • (UNIX) JAVA_HOME/bin/java -jar fmw_12.2.1.3.0_infrastructure_generic.jar
   • (Windows) JAVA_HOME\bin\java -jar fmw_12.2.1.3.0_infrastructure_generic.jar
5. On UNIX operating systems, the Installation Inventory Setup screen appears if this is the first time you are installing an Oracle product on this host.
   Specify the location where you want to create your central inventory. Make sure that the operating system group name selected on this screen has write permissions to the central inventory location, and click Next.

   Note:

   The Installation Inventory Setup screen does not appear on Windows operating systems.
6. On the Welcome screen, review the information to make sure that you have met all the prerequisites. Click Next.
7. On the Auto Updates screen, select an option:

   • Skip Auto Updates: If you do not want your system to check for software updates at this time.

   • Select patches from directory: To navigate to a local directory if you downloaded patch files.

   • Search My Oracle Support for Updates: To automatically download software updates if you have a My Oracle Support account. You must enter Oracle Support credentials then click Search. To configure a proxy server for the installer to access My Oracle Support, click Proxy Settings. Click Test Connection to test the connection.

   Click Next.
8. On the Installation Location screen, specify the location for the Oracle home directory and click Next.
   For more information about Oracle Fusion Middleware directory structure, see About the Directories for Installation and Configuration in Planning an Installation of Oracle Fusion Middleware.
9. On the Installation Type screen, select the following:
   • For Infrastructure, select Fusion Middleware Infrastructure
   • For Oracle SOA Suite, select Oracle SOA Suite
   • For Oracle Identity Manager, select Oracle Identity and Access Management
   Click Next.
10. The Prerequisite Checks screen analyzes the host computer to ensure that the specific operating system prerequisites have been met.
    To view the list of tasks that are verified, select View Successful Tasks. To view log details, select View Log. If any prerequisite check fails, then an error message appears at the bottom of the screen. Fix the error and click Rerun to try again. To ignore the error or the warning message and continue with the installation, click Skip (not recommended).
11. On the Installation Summary screen, verify the installation options that you selected.
    If you want to save these options to a response file, click Save Response File and enter the response file location and name. The response file collects and stores all the information that you have entered, and enables you to perform a silent installation (from the command line) at a later time.

    Click Install to begin the installation.

12. On the Installation Progress screen, when the progress bar displays 100%, click Finish to dismiss the installer, or click Next to see a summary.
13. The Installation Complete screen displays the Installation Location and the Feature Sets that are installed. Review this information and click Finish to close the installer.
14. After you have installed Oracle Fusion Middleware Infrastructure, enter the following command to start the installer for your product distribution and repeat the steps above to navigate through the installer screens:

    For installing Oracle SOA Suite 12c (12.2.1.3.0), run the following installer:

    • (UNIX) JAVA_HOME/bin/java -jar fmw_12.2.1.3.0_soa_generic.jar

    • (Windows) JAVA_HOME\bin\java -jar fmw_12.2.1.3.0_soa_generic.jar

    For installing Oracle Identity Manager 12c (12.2.1.3.0), run the following installer:

    • (UNIX) JAVA_HOME/bin/java -jar fmw_12.2.1.3.0_idm_generic.jar

    • (Windows) JAVA_HOME\bin\java -jar fmw_12.2.1.3.0_idm_generic.jar

For more information about installing Oracle Identity Manager 12c (12.2.1.3.0), see Installing the Oracle Identity and Access Management Software in the Installing and Configuring Oracle Identity and Access Management.

Installing the Latest Stack Patch Bundle

After you install the product distributions, Oracle strongly recommends you to apply the latest IDM Stack Patch Bundle (SPB) 12.2.1.3.0 before proceeding with the upgrade process. You can apply the patch by using the Opatch tool. Applying the SPB helps eliminate most of the upgrade issues or workarounds.

Following are the high-level tasks you should complete to apply the Stack Patch Bundle:

• Initial Preparation: In this phase, you stage the software, read the README.txt file, and verify and/or update the Opatch tool to the appropriate versions.
• Analysis Phase: In this phase, you run the prestop command with the variables from the README.txt file to determine if the system is ready for patching.
• Patching Phase: In this phase, you backup MW_HOME and DOMAIN_HOME, run the downtime command for OIG with the variables from the README.txt file, and then clear any temporary files.

Note:

At this point, you will not restart the servers. There is currently no link between the schemas, the local configuration, and the new bits. The remainder of the patching process will happen after the bootstrap.

To avoid a false failure during the domain Reconfiguration Phase of the upgrade, after completing the Patching Phase, update the following entries in the config.xml for the com.oracle.cie.comdev_7.8.2.0 and com.oracle.cie.xmldh_3.4.2.0 libraries:

<name>com.oracle.cie.comdev#3.0.0.0@7.8.2.0</name>
com.oracle.cie.comdev_7.8.2.0.jar

<name>com.oracle.cie.xmldh#2.0.0.0@3.4.2.0</name>
com.oracle.cie.xmldh_3.4.2.0.jar

From:

<library>
<name>com.oracle.cie.comdev#3.0.0.0@7.8.2.0</name>
<target>oim_cluster</target>
<source-path><MW_HOME>/oracle_common/modules/com.oracle.cie.comdev_7.8.2.0.jar
</source-path>
<deployment-order>511</deployment-order>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</library>

<library>
<name>com.oracle.cie.xmldh#2.0.0.0@3.4.2.0</name>
<target>oim_cluster</target>
<source-path><MW_HOME>/oracle_common/modules/com.oracle.cie.xmldh_3.4.2.0.jar<
/source-path>
<deployment-order>511</deployment-order>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</library>

To this:

<library>
<name>com.oracle.cie.comdev#3.0.0.0@7.8.4.0</name>
<target>oim_cluster</target>
<source-path><MW_HOME>/oracle_common/modules/com.oracle.cie.comdev_7.8.4.0.jar
</source-path>
<deployment-order>511</deployment-order>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</library>

<library>
<name>com.oracle.cie.xmldh#2.0.0.0@3.4.4.0</name>
<target>oim_cluster</target>
<source-path><MW_HOME>/oracle_common/modules/com.oracle.cie.xmldh_3.4.4.0.jar<
/source-path>
<deployment-order>511</deployment-order>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</library>

This update to the config.xml file changes the name of the libraries and version of the jar file in each library to the one that will be used post the patching process. Ensure that both nodes have the same settings.

For more information on the patching process, see Doc ID 2657920.1.

Note:

If you are using Windows or Solaris OS, download the individual Bundle Patches (BPs) from Doc ID 2457034.1.

After completing the upgrade, you have to perform the post-patch install steps. See Performing the Post-Patch Install Steps.

Running a Pre-Upgrade Readiness Check

To identify potential issues with the upgrade, Oracle recommends that you run a readiness check before you start the upgrade process. Be aware that the readiness check may not be able to discover all potential issues with your upgrade. An upgrade may still fail, even if the readiness check reports success.

• About Running a Pre-Upgrade Readiness Check
  You can run the Upgrade Assistant in -readiness mode to detect issues before you perform the actual upgrade. You can run the readiness check in GUI mode using the Upgrade Assistant or in silent mode using a response file.
• Starting the Upgrade Assistant in Readiness Mode
  Use the -readiness parameter to start the Upgrade Assistant in readiness mode.
• Performing a Readiness Check with the Upgrade Assistant
  Navigate through the screens in the Upgrade Assistant to complete the pre-upgrade readiness check.
• Understanding the Readiness Report
  After performing a readiness check for your domain, review the report to determine whether you need to take any action for a successful upgrade.

About Running a Pre-Upgrade Readiness Check

You can run the Upgrade Assistant in -readiness mode to detect issues before you perform the actual upgrade. You can run the readiness check in GUI mode using the Upgrade Assistant or in silent mode using a response file.

The Upgrade Assistant readiness check performs a read-only, pre-upgrade review of your Fusion Middleware schemas and WebLogic domain configurations that are at a supported starting point. The review is a read-only operation.

The readiness check generates a formatted, time-stamped readiness report so you can address potential issues before you attempt the actual upgrade. If no issues are detected, you can begin the upgrade process. Oracle recommends that you read this report thoroughly before performing an upgrade.

You can run the readiness check while your existing Oracle Fusion Middleware domain is online (while other users are actively using it) or offline.

You can run the readiness check any number of times before performing any actual upgrade. However, do not run the readiness check after an upgrade has been performed, as the report results may differ from the result of pre-upgrade readiness checks.

Note:

To prevent performance from being affected, Oracle recommends that you run the readiness check during off-peak hours.

Starting the Upgrade Assistant in Readiness Mode

Use the -readiness parameter to start the Upgrade Assistant in readiness mode.

To perform a readiness check on your pre-upgrade environment with the Upgrade Assistant:

1. Go to the oracle_common/upgrade/bin directory:
   • (UNIX) ORACLE_HOME/oracle_common/upgrade/bin
   • (Windows) ORACLE_HOME\oracle_common\upgrade\bin

   Where, ORACLE_HOME is the 12c Oracle Home.

2. Start the Upgrade Assistant.
   • (UNIX) ./ua -readiness
   • (Windows) ua.bat -readiness

   Note:

   If the DISPLAY environment variable is not set up properly to allow for GUI mode, you may encounter the following error:

   Xlib: connection to ":1.0" refused by server
   Xlib: No protocol specified 

   To resolve this issue you need to set the DISPLAY variable to the host and desktop where a valid X environment is working.

   For example, if you are running an X environment inside a VNC on the local host in desktop 6, then you would set DISPLAY=:6. If you are running X on a remote host on desktop 1 then you would set this to DISPLAY=remoteHost:1.

   For information about other parameters that you can specify on the command line, see:

• Upgrade Assistant Parameters
  

Upgrade Assistant Parameters

When you start the Upgrade Assistant from the command line, you can specify additional parameters.

Table 4-3 Upgrade Assistant Command-Line Parameters

Parameter	Required or Optional	Description
-readiness	Required for readiness checks Note: Readiness checks cannot be performed on standalone installations (those not managed by the WebLogic Server).	Performs the upgrade readiness check without performing an actual upgrade. Schemas and configurations are checked. Do not use this parameter if you have specified the -examine parameter.
-threads	Optional	Identifies the number of threads available for concurrent schema upgrades or readiness checks of the schemas. The value must be a positive integer in the range 1 to 8. The default is 4.
-response	Required for silent upgrades or silent readiness checks	Runs the Upgrade Assistant using inputs saved to a response file generated from the data that is entered when the Upgrade Assistant is run in GUI mode. Using this parameter runs the Upgrade Assistant in silent mode (without displaying Upgrade Assistant screens).
-examine	Optional	Performs the examine phase but does not perform an actual upgrade. Do not specify this parameter if you have specified the -readiness parameter.
-logLevel attribute	Optional	Sets the logging level, specifying one of the following attributes: TRACE NOTIFICATION WARNING ERROR INCIDENT_ERROR The default logging level is NOTIFICATION. Consider setting the -logLevel TRACE attribute to so that more information is logged. This is useful when troubleshooting a failed upgrade. The Upgrade Assistant's log files can become very large if -logLevel TRACE is used.
-logDir location	Optional	Sets the default location of upgrade log files and temporary files. You must specify an existing, writable directory where the Upgrade Assistant creates log files and temporary files. The default locations are: (UNIX) ORACLE_HOME/oracle_common/upgrade/logs ORACLE_HOME/oracle_common/upgrade/temp (Windows) ORACLE_HOME\oracle_common\upgrade\logs ORACLE_HOME\oracle_common\upgrade\temp
-help	Optional	Displays all of the command-line options.

Performing a Readiness Check with the Upgrade Assistant

Navigate through the screens in the Upgrade Assistant to complete the pre-upgrade readiness check.

Readiness checks are performed only on schemas or component configurations that are at a supported upgrade starting point.

To complete the readiness check:

1. On the Welcome screen, review information about the readiness check. Click Next.
2. On the Readiness Check Type screen, select the readiness check that you want to perform:
   • Individually Selected Schemas allows you to select individual schemas for review before upgrade. The readiness check reports whether a schema is supported for an upgrade or where an upgrade is needed.

     When you select this option, the screen name changes to Selected Schemas.

   • Domain Based allows the Upgrade Assistant to discover and select all upgrade-eligible schemas or component configurations in the domain specified in the Domain Directory field.

     When you select this option, the screen name changes to Schemas and Configuration.

     Leave the default selection if you want the Upgrade Assistant to check all schemas and component configurations at the same time, or select a specific option:

     • Include checks for all schemas to discover and review all components that have a schema available to upgrade.

     • Include checks for all configurations to review component configurations for a managed WebLogic Server domain.

   Click Next.

3. If you selected Individually Selected Schemas: On the Available Components screen, select the components that have a schema available to upgrade for which you want to perform a readiness check.
   If you selected Domain Based: On the Component List screen, review the list of components that are present in your domain for which you want to perform a readiness check.
   If you select a component that has dependent components, those components are automatically selected. For example, if you select Oracle Platform Security Services, Oracle Audit Services is automatically selected.

   Depending on the components you select, additional screens may display. For example, you may need to:

   • Specify the Administrator server domain directory.

     Ensure that you specify the 11.1.2.3.0 Administrator server domain directory.

   • Specify schema credentials to connect to the selected schema: Database Type, DBA User Name, and DBA Password. As part of the pre-upgrade requirements, you had created the required user, see Creating a Non-SYSDBA User to Run the Upgrade Assistant.

     Then click Connect.

     Note:

     Oracle database is the default database type. Make sure that you select the correct database type before you continue. If you discover that you selected the wrong database type, do not go back to this screen to change it to the correct type. Instead, close the Upgrade Assistant and restart the readiness check with the correct database type selected to ensure that the correct database type is applied to all schemas.

   • Select the Schema User Name option and specify the Schema Password.

   Click Next to start the readiness check.
4. On the Readiness Summary screen, review the summary of the readiness checks that will be performed based on your selections.
   If you want to save your selections to a response file to run the Upgrade Assistant again later in response (or silent) mode, click Save Response File and provide the location and name of the response file. A silent upgrade performs exactly the same function that the Upgrade Assistant performs, but you do not have to manually enter the data again.

   Note:

   When performing a silent execution by specifying the response file on the Upgrade Advisor command line, some tests in the upgrade advisor may dynamically look-up the JDBC URL connection strings directly from the source domain, regardless of values stored in the response file. If the DB connection strings in the response file needs to be customized in any way, changes to the response file may not effect execution. If this occurs, the source domain datasource JDBC URLs may need to be edited directly.

   For a detailed report, click View Log.

   Click Next.

5. On the Readiness Check screen, review the status of the readiness check. The process can take several minutes.
   If you are checking multiple components, the progress of each component displays in its own progress bar in parallel.
   When the readiness check is complete, click Continue.
6. On the End of Readiness screen, review the results of the readiness check (Readiness Success or Readiness Failure):

   • If the readiness check is successful, click View Readiness Report to review the complete report. Oracle recommends that you review the Readiness Report before you perform the actual upgrade even when the readiness check is successful. Use the Find option to search for a particular word or phrase within the report. The report also indicates where the completed Readiness Check Report file is located.

   • If the readiness check encounters an issue or error, click View Log to review the log file, identify and correct the issues, and then restart the readiness check. The log file is managed by the command-line options you set.

Understanding the Readiness Report

After performing a readiness check for your domain, review the report to determine whether you need to take any action for a successful upgrade.

The format of the readiness report file is:

readiness_timestamp.txt

where timestamp indicates the date and time of when the readiness check was run.

A readiness report contains the following information:

Table 4-4 Readiness Report Elements

Report Information	Description	Required Action
Overall Readiness Status: SUCCESS or FAILURE	The top of the report indicates whether the readiness check passed or completed with one or more errors.	If the report completed with one or more errors, search for FAIL and correct the failing issues before attempting to upgrade. You can re-run the readiness check as many times as necessary before an upgrade.
Timestamp	The date and time that the report was generated.	No action required.
Log file location ORACLE_HOME/oracle_common/upgrade/logs	The directory location of the generated log file.	No action required.
Readiness report location ORACLE_HOME/oracle_common/upgrade/logs	The directory location of the generated readiness report.	No action required.
Names of components that were checked	The names and versions of the components included in the check and status.	If your domain includes components that cannot be upgraded to this release, such as SOA Core Extension, do not attempt an upgrade.
Names of schemas that were checked	The names and current versions of the schemas included in the check and status.	Review the version numbers of your schemas. If your domain includes schemas that cannot be upgraded to this release, do not attempt an upgrade.
Individual Object Test Status: FAIL	The readiness check test detected an issue with a specific object.	Do not upgrade until all failed issues have been resolved.
Individual Object Test Status: PASS	The readiness check test detected no issues for the specific object.	If your readiness check report shows only the PASS status, you can upgrade your environment. Note, however, that the Readiness Check cannot detect issues with externals such as hardware or connectivity during an upgrade. You should always monitor the progress of your upgrade.
Completed Readiness Check of <Object> Status: FAILURE	The readiness check detected one or more errors that must be resolved for a particular object such as a schema, an index, or datatype.	Do not upgrade until all failed issues have been resolved.
Completed Readiness Check of <Object> Status: SUCCESS	The readiness check test detected no issues.	No action required.

Here is a sample Readiness Report file. Your report may not include all of these checks.

Note:

If the following warning occurs, install Patch 27830741 and re-run the readiness check to ensure that this warning is eliminated before continuing.

[oracle] [WARNING] [] [com.oracle.cie.domain.template.catalog.impl.LocalTemplateCat] [tid: 13] [ecid: 7b6f129a-3761-461b-a64a-fb41fa79c822-00000002,0] Couldn't load [/u01/oracle/products/12c/identity/soa/common/templates/wls/oracle.bpm.jms.reconfig_template_12.2.1.3.0.jar].[[
java.util.MissingResourceException: Not managing namespace: (config).
      at com.oracle.cie.common.util.ResourceBundleManager.getPublishedMessage(ResourceBundleManager.java:249

Upgrade readiness check completed with one or more errors.

This readiness check report was created on Tue May 30 11:15:52 EDT 2016
Log file is located at: ORACLE_HOME/oracle_common/upgrade/logs/ua2016-05-30-11-14-06AM.log
Readiness Check Report File: ORACLE_HOME/oracle_common/upgrade/logs/readiness2016-05-30-11-15-52AM.txt

Starting readiness check of components.

Oracle Metadata Services
   Starting readiness check of Oracle Metadata Services.
     Schema User Name: DEV11_MDS
     Database Type: Oracle Database
     Database Connect String: machinename@yourcompany.com
     VERSION Schema DEV11_MDS is currently at version 12.1.1.1.0.  Readiness checks will now be performed.
   Starting schema test:  TEST_REQUIRED_TABLES  Test that the schema contains all the required tables
   Completed schema test: TEST_REQUIRED_TABLES --> Test that the schema contains all the required tables +++ PASS
   Starting schema test:  TEST_REQUIRED_PROCEDURES  Test that the schema contains all the required stored procedures
     EXCEPTION     Schema is missing a required procedure: GETREPOSITORYFEATURES
   Completed schema test: TEST_REQUIRED_PROCEDURES --> Test that the schema contains all the required stored procedures +++ FAIL
   Starting schema test:  TEST_REQUIRED_VIEWS  Test that the schema contains all the required database views
   Completed schema test: TEST_REQUIRED_VIEWS --> Test that the schema contains all the required database views +++ PASS
   Starting index test for table MDS_ATTRIBUTES:  TEST_REQUIRED_INDEXES --> Test that the table contains all the required indexes
   Completed index test for table MDS_ATTRIBUTES: TEST_REQUIRED_INDEXES --> Test that the table contains all the required indexes +++ PASS
   Starting index test for table MDS_COMPONENTS:  TEST_REQUIRED_INDEXES --> Test that the table contains all the required indexes
   Completed index test for table MDS_TXN_LOCKS: TEST_REQUIRED_INDEXES --> Test that the table contains all the required indexes +++ PASS
   Starting schema test:  TEST_REQUIRED_TRIGGERS  Test that the schema has all the required triggers
   Completed schema test: TEST_REQUIRED_TRIGGERS --> Test that the schema has all the required triggers +++ PASS
   Starting schema test:  TEST_MISSING_COLUMNS  Test that tables and views are not missing any required columns
   Completed schema test: TEST_MISSING_COLUMNS --> Test that tables and views are not missing any required columns +++ PASS
   Starting schema test:  TEST_UNEXPECTED_TABLES  Test that the schema does not contain any unexpected tables
   Completed schema test: TEST_UNEXPECTED_TABLES --> Test that the schema does not contain any unexpected tables +++ PASS
   Starting schema test:  TEST_UNEXPECTED_PROCEDURES  Test that the schema does not contain any unexpected stored procedures
   Completed schema test: TEST_UNEXPECTED_PROCEDURES --> Test that the schema does not contain any unexpected stored procedures +++ PASS
   Starting schema test:  TEST_UNEXPECTED_VIEWS  Test that the schema does not contain any unexpected views
   Completed schema test: TEST_UNEXPECTED_VIEWS --> Test that the schema does not contain any unexpected views +++ PASS
   Starting index test for table MDS_ATTRIBUTES:  TEST_UNEXPECTED_INDEXES --> Test that the table does not contain any unexpected indexes
   Completed index test for table MDS_ATTRIBUTES: TEST_UNEXPECTED_INDEXES --> Test that the table does not contain any unexpected indexes +++ PASS
   Completed index test for table MDS_LABELS: TEST_UNEXPECTED_INDEXES --> Test that the table does not contain any unexpected indexes +++ PASS
   Starting index test for table MDS_LARGE_ATTRIBUTES:  TEST_UNEXPECTED_INDEXES --> Test that the table does not contain any unexpected indexes
   Starting schema test:  TEST_UNEXPECTED_TRIGGERS  Test that the schema does not contain any unexpected triggers
   Completed schema test: TEST_UNEXPECTED_TRIGGERS --> Test that the schema does not contain any unexpected triggers +++ PASS
   Starting schema test:  TEST_UNEXPECTED_COLUMNS  Test that tables and views do not contain any unexpected columns
   Completed schema test: TEST_UNEXPECTED_COLUMNS --> Test that tables and views do not contain any unexpected columns +++ PASS
   Starting datatype test for table MDS_ATTRIBUTES:  TEST_COLUMN_DATATYPES_V2 --> Test that all table columns have the proper datatypes
   Completed datatype test for table MDS_ATTRIBUTES: TEST_COLUMN_DATATYPES_V2 --> Test that all table columns have the proper datatypes +++ PASS
   Starting datatype test for table MDS_COMPONENTS:  TEST_COLUMN_DATATYPES_V2 --> Test that all table columns have the proper datatypes
   Starting permissions test:  TEST_DBA_TABLE_GRANTS  Test that DBA user has privilege to view all user tables
   Completed permissions test: TEST_DBA_TABLE_GRANTS --> Test that DBA user has privilege to view all user tables +++ PASS
   Starting schema test:  TEST_ENOUGH_TABLESPACE  Test that the schema tablespaces automatically extend if full
   Completed schema test: TEST_ENOUGH_TABLESPACE --> Test that the schema tablespaces automatically extend if full +++ PASS
   Starting schema test:  TEST_USER_TABLESPACE_QUOTA  Test that tablespace quota for this user is sufficient to perform the upgrade
   Completed schema test: TEST_USER_TABLESPACE_QUOTA --> Test that tablespace quota for this user is sufficient to perform the upgrade +++ PASS
   Starting schema test:  TEST_ONLINE_TABLESPACE  Test that schema tablespaces are online
   Completed schema test: TEST_ONLINE_TABLESPACE --> Test that schema tablespaces are online +++ PASS
   Starting schema test:  TEST_DATABASE_VERSION  Test that the database server version number is supported for upgrade
     INFO   Database product version: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
   Completed schema test: TEST_DATABASE_VERSION --> Test that the database server version number is supported for upgrade +++ PASS
   Finished readiness check of Oracle Metadata Services with status: FAILURE.

Some errors may be related to the Oracle Fusion Middleware Infrastructure product components rather than Identity and Access Management product components. If errors occur, see Troubleshooting the Infrastructure Upgrade in the Upgrading to the Oracle Fusion Middleware Infrastructure Guide for potential workarounds.

If you are running the 12.1.3.0 version of Oracle Fusion Middleware IAU Schemas, and those schemas were upgraded from 11g (11.1.1.7 and later) or 12c (12.1.2.0), your readiness check may fail with the following error:

Note:

This is not applicable for Oracle Identity Manager.

Starting index test for table IAU_COMMON:  TEST_REQUIRED_INDEXES --> Test 
that the table contains all the required indexes 
     INFO Audit schema index DYN_EVENT_CATEGORY_INDEX in table IAU_COMMON is 
missing the required columns or index itself is missing. This maybe caused by 
a known issue, anyway, this missing index will be added in 12.2.2 upgrade. 
     INFO Audit schema index DYN_EVENT_TYPE_INDEX in table IAU_COMMON is 
missing the required columns or index itself is missing. This maybe caused by 
a known issue, anyway, this missing index will be added in 12.2.2 upgrade. 
     INFO Audit schema index DYN_TENANT_INDEX in table IAU_COMMON is missing 
the required columns or index itself is missing. This maybe caused by a known 
issue, anyway, this missing index will be added in 12.2.2 upgrade. 
     INFO Audit schema index DYN_USER_INDEX in table IAU_COMMON is missing 
the required columns or index itself is missing. This maybe caused by a known 
issue, anyway, this missing index will be added in 12.2.2 upgrade. 
     INFO Audit schema index DYN_COMPONENT_TYPE_INDEX in table IAU_COMMON is 
missing the required columns or index itself is missing. This maybe caused by 
a known issue, anyway, this missing index will be added in 12.2.2 upgrade. 
     INFO Audit schema index DYN_USER_TENANT_INDEX in table IAU_COMMON is 
missing the required columns or index itself is missing. This maybe caused by 
a known issue, anyway, this missing index will be added in 12.2.2 upgrade. 
   Completed index test for table IAU_COMMON: TEST_REQUIRED_INDEXES --> Test 
that the table contains all the required indexes +++ FAIL

Note:

You can ignore the missing index error in the readiness report. This is a known issue. The corresponding missing index is added during the schema upgrade operation. This error does not occur if the schema to be upgraded was created in 12c using the RCU.

Creating the Required 12c Schemas Using RCU

When upgrading from 11g, you must create the required 12c schemas. If your setup is not SSL enabled, you can use the Upgrade Assistant to create schemas by using the default schema settings. In case of SSL enabled setup, you can use the Repository Creation Utility (RCU) to create customized schemas. This procedure describes how to create schemas using the RCU. Information about using the Upgrade Assistant to create schemas is covered in the upgrade procedures.

Note:

This step is not required for non-SSL setup, as the Upgrade Assistant creates the necessary 12c schemas during the upgrade process.

For SSL enabled setup, you must run the RCU to create the necessary 12c schemas.

Note:

If you are upgrading from a previous 12c release of Oracle Fusion Middleware, you do not need to re-create these schemas if they already exist. Refer to the steps below to identify the existing schemas in your domain.

The following schemas must exist before you upgrade to 12c. If you are upgrading from 11g, and you are not sure which schemas you currently have, refer to the steps below to identify the existing schemas in your domain. You do not need to re-create these schemas if they already exist.

• Service Table schema (prefix_STB). This schema is new in 12c and is required for domain-based upgrades. It stores basic schema configuration information (for example, schema prefixes and passwords) that can be accessed and used by other Oracle Fusion Middleware components during the domain creation. This schema is automatically created when you run the Repository Creation Utility (RCU), where you specify the existing schema owner prefix that you used for your other 11g schemas.

  Note:

  If the Service Table schema does not exist, you may encounter the error message UPGAST-00328 : The schema version registry table does not exist on this database. If that happens it is necessary to create the service table schema in order to run Upgrade Assistant

• Oracle Platform Security Services (OPSS) schema (prefix_OPSS). This schema is required if you are using an OID-based security store in 11g. This schema is automatically created when you run the Repository Creation Utility (RCU). The only supported LDAP-based OPSS security store is Oracle Internet Directory (OID). An LDAP-based policy store is typically used in production environments. You do not need to reassociate an OID-based security store before upgrade. While the Upgrade Assistant is running, you can select the OPSS schema. The Upgrade Assistant upgrades the OID-based security store automatically.

  Note:

  The 12c OPSS database schema is required so that you can reference the 12c schema during the reconfiguration of the domain. Your domain continues to use the OID-based security store after the upgrade is complete.

To create the 12c schemas with the RCU:

1. (Optional) If you are upgrading from 11g, and you wish to confirm the schemas which are present in your existing domain, then connect to the database as a user with DBA privileges, and run the following code from SQL*Plus:

   SET LINE 120
   COLUMN MRC_NAME FORMAT A14
   COLUMN COMP_ID FORMAT A20
   COLUMN VERSION FORMAT A12
   COLUMN STATUS FORMAT A9
   COLUMN UPGRADED FORMAT A8
   SELECT MRC_NAME, COMP_ID, OWNER, VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY ORDER BY MRC_NAME, COMP_ID ;
   

2. Verify that a certified JDK already exists on your system by running java -version from the command line. For 12c (12.2.1.3.0), the certified JDK is 1.8.0_131 and later.
   Ensure that the JAVA_HOME environment variable is set to the location of the certified JDK. For example:
   • (UNIX) setenv JAVA_HOME=/home/Oracle/Java/jdk1.8.0_131
   • (Windows) set JAVA_HOME=C:\home\Oracle\Java\jdk1.8.0_131
   Add $JAVA_HOME/bin to $PATH.
3. Go to the oracle_common/bin directory:
   • (UNIX) NEW_ORACLE_HOME/oracle_common/bin
   • (Windows) NEW_ORACLE_HOME\oracle_common\bin
4. Start the RCU:
   • (UNIX) ./rcu
   • (Windows) rcu.bat
5. On the Welcome screen, click Next.
6. On the Create Repository screen, select Create Repository and then select System Load and Product Load.
   If you do not have DBA privileges, select Prepare Scripts for System Load. This will generate a SQL script containing all the same SQL statements and blocks that would have been called if the RCU were to execute the actions for the selected components. After the script is generated, a user with the necessary SYS or SYSDBA privileges can execute the script to complete the system load phase.

   Click Next.

7. On the Database Connection Details screen, select the Database Type and enter the connection information for the database that hosts the 11g schemas. See the table below:

   Note:

   If using a recent database version and you have validated your database version as recommended, you may ignore the following popup warning and proceed with RCU execution.

   The selected database is more recent than the supported list of certified databases for this version of Oracle Fusion Middleware. See Oracle Fusion Middleware Supported System Configurations on the Oracle Technical Resources for the most recent list of certified databases.

   Table 4-5 Connection Credentials for Oracle Databases and Oracle Databases with Edition-Based Redefinition

   Option	Description and Example
   Host Name	Specify the name of the server where your database is running in the following format: examplehost.exampledomain.com For Oracle RAC databases, specify the SCAN name or one of the node names in this field.
   Port	Specify the port number for your database. The default port number for Oracle databases is 1521.
   Service Name	Specify the service name for the database. Typically, the service name is the same as the global database name. For Oracle RAC databases, specify the service name of one of the nodes in this field. For example: examplehost.exampledomain.com
   Username	Specify the FMW user created for the upgrade process, or specify another SYSDBA user account for your database. The Oracle Database default SYSDBA account is SYS.
   Password	Enter the password for your database user.
   Role	Select the database user's role from the drop-down list: Normal or SYSDBA

8. On the Select Components screen, select Select existing prefix and select the prefix that was used to create the existing 11g schemas from the drop-down menu (for example, DEV11G). This prefix is used to logically group schemas together for use in this domain. Select the following schemas:

   • If you are upgrading an SSL enabled setup, select the following schemas:

     • User Messaging Service (prefix_UMS)

     • Weblogic Services (prefix_WLS)

     • Audit services (prefix_IAU_APPEND and prefix_IAU_VIEWER)

     Note:

     The Common Infrastructure Services (prefix_STB) and Oracle Platform Security Services (prefix_OPSS) schemas are selected by default. IAU is greyed out if 11g is configured for Audit Data Store.

   • If you are upgrading a non-SSL enabled setup, select the following schemas:

     • Weblogic Services (prefix_WLS)

     • Audit services (prefix_IAU_APPEND and prefix_IAU_VIEWER)

     Note:

     The User Messaging Service (prefix_UMS) should be un-checked when upgrading a non-SSL enabled setup. The existing 11g prefix_ORASDPM schema will be upgraded in-place. The prefix_UMS schema would be orphaned by the upgrade process and is unnecessary.

   Note:

   All the required schemas will be created by the Upgrade Assistant (UA) at the time of upgrading the schemas, if they are not created in this step using RCU.
   Make a note of the prefix and schema names for the components you are installing as you will need this information when you configure the installation. Click Next.
9. In the Checking Prerequisites dialog, verify that the prerequisites check is successful, then click OK.
10. On the Schema Passwords screen, specify the passwords for your schema owners.
    Make a note of the passwords you enter on this screen as you will need this information while configuring your product installation.
11. On the Map Tablespaces screen, configure the required tablespace mapping for the schemas to be created. Also, select the Encrypt Tablespace checkbox if it appears, and then click Next. Click OK in the confirmation dialog when it appears. Finally, click OK when the progress dialog shows that the tablespace creation is complete.

    Note:

    The Encrypt Tablespace checkbox will appear if your Oracle or Oracle EBR database has Transparent Data Encryption (TDE) enabled when you start the RCU.
12. Verify the information on the Summary screen and click Create to begin schema creation.
    This screen contains information about the log files that were created from this RCU operation. Click on the name of a particular log file to view the contents of that file.
13. Review the information on the Completion Summary screen to verify that the operation is completed successfully. Click Close to complete the schema creation.

Stopping Servers and Processes

Before you run the Upgrade Assistant to upgrade your schemas and configurations, you must shut down all of the pre-upgrade processes and servers, including the Administration Server, Node manager, and any managed servers.

An Oracle Fusion Middleware environment can consist of an Oracle WebLogic Server domain, an Administration Server, multiple managed servers, Java components, system components such as Identity Management components, and a database used as a repository for metadata. The components may be dependent on each other, so they must be stopped in the correct order.

Note:

The procedures in this section describe how to stop the existing, pre-upgrade servers and processes using the WLST command-line utility or a script. You can also use the Oracle Fusion Middleware Control and the Oracle WebLogic Server Administration Console. See Starting and Stopping Administration and Managed Servers and Node Manager.

Note:

Stop all of the servers in your deployment, except for the Database. The Database must be up during the upgrade process.

To stop your pre-upgrade Fusion Middleware environment, navigate to the pre-upgrade domain and follow the steps below.

Step 1: Stop System Components

To stop 11g system components, such as Oracle HTTP Server, use the opmnctl script:

Note:

If the Oracle HTTP server is shared with other services, then you can choose not to stop the Oracle HTTP server.

• (UNIX) OHS_INSTANCE_HOME/bin/opmnctl stopall

• (Windows) OHS_INSTANCE_HOME\bin\opmnctl stopall

You can stop system components in any order.

Step 2: Stop the Managed Servers

Depending on the method you followed to start the managed servers, follow one of the following methods to stop the WebLogic Managed Server:

When prompted, enter your user name and password.

Method 1: To stop a WebLogic Server Managed Server by using the Weblogic Console:

• Log into Weblogic console as a weblogic Admin.
• Go to Servers > Control tab.
• Select the required managed server.
• Click Shutdown.

Method 2: To stop a WebLogic Server Managed Server using node manager, run the following commands:

wls:/offline>nmConnect('nodemanager_username','nodemanager_password',
            'AdminServerHostName','5556','domain_name',
            'DOMAIN_HOME')

wls:/offline>nmKill('ManagedServerName')

Step 3: Stop the Administration Server

When you stop the Administration Server, you also stop the processes running in the Administration Server, including the WebLogic Server Administration Console and Fusion Middleware Control.

Follow one of the following methods to stop the Administration Server:

When prompted, enter your user name, password, and the URL of the Administration Server.

Method 1: To stop a Administration Server by using the Weblogic Console:

• Log into Weblogic console as a weblogic Admin.
• Go to Servers > Control tab.
• Select the required admin server.
• Click Shutdown.

Method 2: To stop a WebLogic Server Managed Server using node manager, run the following commands:

wls:/offline>nmConnect('nodemanager_username','nodemanager_password',
            'AdminServerHostName','5556','domain_name',
            'DOMAIN_HOME')

wls:/offline>nmKill('AdminServer')

Step 4: Stop Node Manager

To stop Node Manager, run the following command:

kill $(ps -ef | grep nodemanager | | awk '{print $2}')

Upgrading Schemas on OIMHOST1

Upgrade all of the necessary schemas for Oracle Identity Manager, on OIMHOST1 by using the Upgrade Assistant.

Note:

For SSL enabled setup, it is mandatory to run the Repository Creation Utility (RCU) to create the necessary 12c schemas. See Creating the Required 12c Schemas Using RCU (Optional) For a non-SSL enabled setup, running the RCU to create the 12c schemas is optional.

• Upgrading Product Schemas
  After stopping servers and processes, use the Upgrade Assistant to upgrade supported product schemas to the current release of Oracle Fusion Middleware.

Upgrading Product Schemas

After stopping servers and processes, use the Upgrade Assistant to upgrade supported product schemas to the current release of Oracle Fusion Middleware.

The Upgrade Assistant allows you to upgrade individually selected schemas or all schemas associated with a domain. The option you select determines which Upgrade Assistant screens you will use.

Note:

High waits and performance degradation may be seen due to 'library cache lock' (cycle)<='library cache lock' for DataPump Worker (DW) processes in the 12.2 RAC environment. To resolve this issue, you should disable S-Optimization by using the following command:

ALTER SYSTEM SET "_lm_share_lock_opt"=FALSE SCOPE=SPFILE SID='*';

After running the above command, restart all the RAC instances. After the upgrade is complete, you can reset the parameter by using the following command:

alter system reset "_lm_share_lock_opt" scope=spfile sid='*';

• Identifying Existing Schemas Available for Upgrade
  This optional task enables you to review the list of available schemas before you begin the upgrade by querying the schema version registry. The registry contains schema information such as version number, component name and ID, date of creation and modification, and custom prefix.
• Starting the Upgrade Assistant
  Run the Upgrade Assistant to upgrade product schemas, domain component configurations, or standalone system components to 12c (12.2.1.3.0). Oracle recommends that you run the Upgrade Assistant as a non-SYSDBA user, completing the upgrade for one domain at a time.
• Upgrading Oracle Identity Manager Schemas Using the Upgrade Assistant
  Navigate through the screens in the Upgrade Assistant to upgrade the product schemas.
• Verifying the Schema Upgrade
  After completing all the upgrade steps, verify that the upgrade was successful by checking that the schema version in schema_version_registry has been properly updated.

Identifying Existing Schemas Available for Upgrade

This optional task enables you to review the list of available schemas before you begin the upgrade by querying the schema version registry. The registry contains schema information such as version number, component name and ID, date of creation and modification, and custom prefix.

You can let the Upgrade Assistant upgrade all of the schemas in the domain, or you can select individual schemas to upgrade. To help decide, follow these steps to view a list of all the schemas that are available for an upgrade:

1. If you are using an Oracle database, connect to the database by using an acount that has Oracle DBA privileges, and run the following from SQL*Plus:

   SET LINE 120
   SET PAGESIZE 20
   COLUMN MRC_NAME FORMAT A14
   COLUMN COMP_ID FORMAT A20
   COLUMN VERSION FORMAT A12
   COLUMN STATUS FORMAT A9
   COLUMN UPGRADED FORMAT A8
   SELECT MRC_NAME, COMP_ID, OWNER, VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY ORDER BY VERSION, MRC_NAME, COMP_ID;

2. Examine the report that is generated.

   If an upgrade is not needed for a schema, the schema_version_registry table retains the schema at its pre-upgrade version.

3. Note the schema prefix name that was used for your existing schemas. If you are using RCU for creating new 12c schemas, use the same prefix.

Notes:

• If you used an OID-based policy store in 11g, make sure to create a new OPSS schema before you perform the upgrade. After the upgrade, the OPSS schema remains an LDAP-based store.

• You can only upgrade schemas for products that are available for upgrade in Oracle Fusion Middleware release 12c (12.2.1.3.0). Do not attempt to upgrade a domain that includes components that are not yet available for upgrade to 12c (12.2.1.3.0).

Starting the Upgrade Assistant

Run the Upgrade Assistant to upgrade product schemas, domain component configurations, or standalone system components to 12c (12.2.1.3.0). Oracle recommends that you run the Upgrade Assistant as a non-SYSDBA user, completing the upgrade for one domain at a time.

To start the Upgrade Assistant:

Note:

Before you start the Upgrade Assistant, make sure that the JVM character encoding is set to UTF-8 for the platform on which the Upgrade Assistant is running. If the character encoding is not set to UTF-8, then you will not be able to download files containing Unicode characters in their names. This can cause the upgrade to fail.

To ensure that UTF-8 is used by the JVM, use the JVM option -Dfile.encoding=UTF-8.

1. Go to the oracle_common/upgrade/bin directory:
   • (UNIX) ORACLE_HOME/oracle_common/upgrade/bin
   • (Windows) ORACLE_HOME\oracle_common\upgrade\bin
2. Set a parameter for the Upgrade Assistant to include the JVM encoding requirement:
   • (UNIX) export UA_PROPERTIES="-Dfile.encoding=UTF-8"
   • (Windows) set UA_PROPERTIES="-Dfile.encoding=UTF-8"
3. Start the Upgrade Assistant:
   • (UNIX) ./ua
   • (Windows) ua.bat

Note:

In the above command, ORACLE_HOME refers to the 12c (12.2.1.3.0) Oracle Home.

For information about other parameters that you can specify on the command line, such as logging parameters, see:

Upgrading Oracle Identity Manager Schemas Using the Upgrade Assistant

Navigate through the screens in the Upgrade Assistant to upgrade the product schemas.

Note:

• If the pre-upgrade environment has 11g Audit schema (IAU), you must first upgrade Audit schema only, using the Individually Selected Schema option on the Selected Schemas screen, and selecting Oracle Audit Services schema. Ensure that you select the appropriate IAU schema from the list of available IAU schemas. The upgrade assistant will not detect the corresponding IAU schema from the provided domain directory automatically. Hence, you must select it manually. Once the IAU schema is upgraded, run the Upgrade Assistant again to upgrade the remaining schemas using the All Schema Used by a domain option on the Selected Schemas screen.

• If there is no Audit schema (IAU) in your pre-upgrade environment, use the All Schema Used by a Domain option on the Selected Schemas screen and proceed.

• To check whether the pre-upgrade environment has the IAU schema and its version, run the following SQL command using a user with sysdba privileges:

  SET LINE 120
  COLUMN MRC_NAME FORMAT A14
  COLUMN COMP_ID FORMAT A20
  COLUMN VERSION FORMAT A12
  COLUMN STATUS FORMAT A9
  COLUMN UPGRADED FORMAT A8
  SELECT MRC_NAME, COMP_ID, OWNER, VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY WHERE COMP_ID LIKE '%IAU%' ORDER BY VERSION, MRC_NAME, COMP_ID ;

  This command lists the IAU schemas available in your configured database, and their version.

Note:

For SSL enabled setup, it is mandatory to run the Repository Creation Utility (RCU) to upgrade the existing schemas. For more information, see Creating the Required 12c Schemas Using RCU (Optional). For non-SSL enabled setup, running RCU to upgrade schemas is optional.

To upgrade product schemas with the Upgrade Assistant:

1. On the Welcome screen, review an introduction to the Upgrade Assistant and information about important pre-upgrade tasks. Click Next.

   Note:

   For more information about any Upgrade Assistant screen, click Help on the screen.
2. On the Selected Schemas screen, select the schema upgrade operation that you want to perform:
   • Individually Selected Schemas if you want to select individual schemas for upgrade and you do not want to upgrade all of the schemas used by the domain.

     Caution:

     Upgrade only those schemas that are used to support your 12c (12.2.1.3.0) components. Do not upgrade schemas that are currently being used to support components that are not included in Oracle Fusion Middleware 12c (12.2.1.3.0).
   • All Schemas Used by a Domain to allow the Upgrade Assistant to discover and select all components that have a schema available to upgrade in the domain specified in the Domain Directory field. This is also known as a domain assisted schema upgrade. Additionally, the Upgrade Assistant pre-populates connection information on the schema input screens.

     Note:

     Oracle recommends that you select All Schemas Used by a Domain for most upgrades to ensure all of the required schemas are included in the upgrade.

   Note:

   If your OIM database has only the SSL port open, select Individually Selected Schemas option, and then select Oracle Identity Manager schema only. This automatically selects the dependant schemas. For upgrading SSL enabled setup, you must provide the non-SSL Database connection details on the Schema Credentials screen.

   Click Next.

3. If you selected Individually Selected Schemas: On the Available Components screen, select the components for which you want to upgrade schemas. When you select a component, the schemas and any dependencies are automatically selected.

   Note:

   For the individual schema option, the domain configuration is not accessed, and therefore password values are carried forward from the previous screen. If you encounter any connection failure, check the cause and fix it.

4. On the Prerequisites screen, acknowledge that the prerequisites have been met by selecting all the check boxes. Click Next.

   Note:

   The Upgrade Assistant does not verify whether the prerequisites have been met.
5. On the Schema Credentials screen(s), specify the database connection details for each schema you are upgrading (the screen name changes based on the schema selected):

   • Select the database type from the Database Type drop-down menu.

   • Enter the database connection details, and click Connect.

   • Select the schema you want to upgrade from the Schema User Name drop-down menu, and then enter the password for the schema. Be sure to use the correct schema prefix for the schemas you are upgrading.

     Note:

     The component ID or schema name is changed for UCSUMS schema as of release 12.1.2, which means the Upgrade Assistant does not automatically recognize the possible schemas and display them in a drop-down list. You must manually enter the name in a text field. The name can be either prefix_ORASDPM or prefix_UMS, depending on the starting point for the upgrade.

     11g to 12c Upgrades Only: The UCSUMS schema is not auto-populated. Enter prefix_ORASDPM as the user. The upgrade environment uses _ORASDPM as the schema name, whereas in the 12c environment it is referred to as _UMS.

6. On the Examine screen, review the status of the Upgrade Assistant as it examines each schema, verifying that the schema is ready for upgrade. If the status is Examine finished, click Next.
   If the examine phase fails, Oracle recommends that you cancel the upgrade by clicking No in the Examination Failure dialog. Click View Log to see what caused the error and refer to Troubleshooting Your Upgrade in Upgrading with the Upgrade Assistant for information on resolving common upgrade errors.

   Note:

   • If you resolve any issues detected during the examine phase without proceeding with the upgrade, you can start the Upgrade Assistant again without restoring from backup. However, if you proceed by clicking Yes in the Examination Failure dialog box, you need to restore your pre-upgrade environment from backup before starting the Upgrade Assistant again.

   • Canceling the examination process has no effect on the schemas or configuration data; the only consequence is that the information the Upgrade Assistant has collected must be collected again in a future upgrade session.

7. On the Upgrade Summary screen, review the summary of the options you have selected for schema upgrade.
   Verify that the correct Source and Target Versions are listed for each schema you intend to upgrade.
   If you want to save these options to a response file to run the Upgrade Assistant again later in response (or silent) mode, click Save Response File and provide the location and name of the response file. A silent upgrade performs exactly the same function that the Upgrade Assistant performs, but you do not have to manually enter the data again.
   Click Upgrade to start the upgrade process.
8. On the Upgrade Progress screen, monitor the status of the upgrade.

   Caution:

   Allow the Upgrade Assistant enough time to perform the upgrade. Do not cancel the upgrade operation unless absolutely necessary. Doing so may result in an unstable environment.
   If any schemas are not upgraded successfully, refer to the Upgrade Assistant log files for more information.

   Note:

   The progress bar on this screen displays the progress of the current upgrade procedure. It does not indicate the time remaining for the upgrade.

   Click Next.

9. After the upgrade completes successfully, the Upgrade Assistant provides the upgrade status and lists the next steps to take in the upgrade process. You should review the Upgrade Success screen of the Upgrade Assistant to determine the next steps based on the information provided. The wizard shows the following information:

   Upgrade Succeeded.
   
   Log File: /u01/oracle/products/12c/identity/oracle_common/upgrade/logs/ua2020-09-15-18-27-29PM.txt
   Post Upgrade Text file: /u01/oracle/products/12c/identity/oracle_common/upgrade/logs/postupgrade2020-09-15-18-27-29PM.txt
   Next Steps
   
   Oracle SOA
   1. The Upgrade Assistant has successfully upgraded all active instances. You can now close the Upgrade Assistant.
   2. The automated upgrade of closed instances will continue in the background after the Upgrade Assistant is exited and until the SOA server is started,at which point the upgrade will stop. You can schedule the upgrade of any remaining closed instances for a time when the SOA server is less busy.
      Close the Upgrade Assistant and use the instance data administration scripts to administer and monitor the overall progress of this automated upgrade. For more information see "Administering and Monitoring the Upgrade of SOA Instance Data" in Upgrading SOA Suite and Business Process Management.

   Click Close to complete the upgrade and close the wizard.

   If the upgrade fails: On the Upgrade Failure screen, click View Log to view and troubleshoot the errors. The logs are available at ORACLE_HOME/oracle_common/upgrade/logs.

   Note:

   If the upgrade fails, you must restore your pre-upgrade environment from backup, fix the issues, then restart the Upgrade Assistant.

Verifying the Schema Upgrade

After completing all the upgrade steps, verify that the upgrade was successful by checking that the schema version in schema_version_registry has been properly updated.

If you are using an Oracle database, connect to the database as a user having Oracle DBA privileges, and run the following from SQL*Plus to get the current version numbers:

SET LINE 120
COLUMN MRC_NAME FORMAT A14
COLUMN COMP_ID FORMAT A20
COLUMN VERSION FORMAT A12
COLUMN STATUS FORMAT A9
COLUMN UPGRADED FORMAT A8
SELECT MRC_NAME, COMP_ID, OWNER, VERSION, STATUS, UPGRADED FROM SCHEMA_VERSION_REGISTRY ORDER BY MRC_NAME, COMP_ID ;

In the query result:

• Check that the number in the VERSION column matches the latest version number for that schema. For example, verify that the schema version number is 12.2.1.3.0.

  Here is a sample output:

  MRC_NAME    COMP_ID            OWNER              VERSION     STATUS   UPGRADED
  --------  -----------     ------------------    -----------  --------  --–------
   PREFIX    BIPLATFORM     PREFIX_BIPLATFORM     11.1.1.9.0     VALID       N
   PREFIX    OPSS           PREFIX_OPSS           12.2.1.0.0     VALID       Y  
   PREFIX    UCSUMS         PREFIX_ORASDPM        12.2.1.0.0     VALID       Y
   PREFIX    WLS            PREFIX_WLS            12.2.1.0.0     VALID       N
   PREFIX    IAU            PREFIX_IAU            12.2.1.2.0     VALID       N  
   PREFIX    IAU_APPEND     PREFIX_IAU_APPEND     12.2.1.2.0     VALID       N
   PREFIX    IAU_VIEWER     PREFIX_IAU_VIEWER     12.2.1.2.0     VALID       N  
   PREFIX    MDS            PREFIX_MDS            12.2.1.3.0     VALID       Y
   PREFIX    OIM            PREFIX_OIM            12.2.1.3.0     VALID       Y      
   PREFIX    SOAINFRA       PREFIX_SOAINFRA       12.2.1.3.0     VALID       Y
   PREFIX    STB            PREFIX_STB            12.2.1.3.0     VALID       N
  
  11 rows selected.

  Note:

  Some schema versions may remain at the pre-upgrade version number and others may have various 12.2.1.x.y version numbers listed.

  BIPLATFORM - is not upgraded and remains 11.1.1.9.0
  Audit schemas (IAU*) may not upgrade if pre-exist in 11g, otherwise will be created at version 12.2.1.2.0.
  WLS schema will be created new at version 12.2.1.0.0
  STB schema will be created new at 12.2.1.3.0
  

• The STATUS field will be either UPGRADING or UPGRADED during the schema patching operation, and will become VALID when the operation is completed.

• If the status appears as INVALID, the schema update failed. You should examine the logs files to determine the reason for the failure.

• Synonym objects owned by IAU_APPEND and IAU_VIEWER may appear as INVALID, but that does not indicate a failure. In the case where the IAU schemas are created rather than upgraded, they will show up as VALID.

  They become invalid because the target object changes after the creation of the synonym. The synonyms objects will become valid when they are accessed. You can safely ignore these INVALID objects.

Reconfiguring the Domain on OIMHOST1

Run the Reconfiguration Wizard on OIMHOST1 to reconfigure your domain component configurations to 12c (12.2.1.3.0).

• About Reconfiguring the Domain
  Run the Reconfiguration Wizard to reconfigure your domain component configurations to 12c (12.2.1.3.0).

About Reconfiguring the Domain

Run the Reconfiguration Wizard to reconfigure your domain component configurations to 12c (12.2.1.3.0).

Note:

• If custom applications are deployed in OIM 11g, the Reconfiguration Wizard will display a warning message along with the list of custom applications and libraries (if present). These applications/libraries will continue pointing to the 11g location even after upgrade to OIM 12c (12.2.1.3). You have to update them manually after the upgrade.
• After reconfiguration, the domain continues to remain in the same location (that is, the 11g DOMAIN_HOME). It will not be moved or copied to 12c $ORACLE_HOME/user_projects/domains/.

When you reconfigure a WebLogic Server domain, the following items are automatically updated, depending on the applications in the domain:

• WebLogic Server core infrastructure

• Domain version

Note:

Before you begin the domain reconfiguration, note the following limitations:

• The Reconfiguration Wizard does not update any of your own applications that are included in the domain.

• Transforming a non-dynamic cluster domain to a dynamic cluster domain during the upgrade process is not supported.

  The dynamic cluster feature is available when running the Reconfiguration Wizard, but Oracle only supports upgrading a non-dynamic cluster upgrade and then adding dynamic clusters. You cannot add dynamic cluster during the upgrade process.

• If the installation that you’re upgrading does not use Oracle Access Manager (OAM), then you must edit two files to prevent the Reconfiguration Wizard from attempting to update the nonexistent OAM Infrastructure schema, which causes the upgrade to fail.

  Comment out the lines in your $DOMAIN_HOME/init-info/domain-info.xml that are similar to this example:

  Where, DOMAIN_HOME is the Administrator server domain home.

  <!--extention-template-ref name="Oracle Identity Navigator" 
    version="11.1.1.3.0" 
    location="/u01/app/oracle/product/fmw/iam111130/common/templates/applications/oracle.oinav_11.1.1.3.0_template.jar"
  symbol=""/-->
  <!--install-comp-ref name="oracle.idm.oinav" version="11.1.1.3.0" 
    symbol="oracle.idm.oinav_11.1.1.3.0_iam111130_ORACLE_HOME" 
    product_home="/u01/app/oracle/product/fmw/iam111130"/-->

  and similarly comment out the lines in $DOMAIN_NAME/config/config.xml that are similar to this example:

  <!--app-deployment> 
    <name>oinav#11.1.1.3.0</name>
    <target>AdminServer</target>
    <module-type>ear</module-type>
  
    <source-path>/u01/app/oracle/product/fmw/iam111130/oinav/modules/oinav.ear_11.1.1.3.0/oinav.ear</source-path>
    <deployment-order>500</deployment-order>
    <security-dd-model>DDOnly</security-dd-model>
    <staging-mode>nostage</staging-mode>
  </app-deployment-->
  

Specifically, when you reconfigure a domain, the following occurs:

• The domain version number in the config.xml file for the domain is updated to the Administration Server's installed WebLogic Server version.

• Reconfiguration templates for all installed Oracle products are automatically selected and applied to the domain. These templates define any reconfiguration tasks that are required to make the WebLogic domain compatible with the current WebLogic Server version.

• Start scripts are updated.

  If you want to preserve your modified start scripts, be sure to back them up before starting the Reconfiguration Wizard.

Note:

When the domain reconfiguration process starts, you can’t undo the changes that it makes. Before running the Reconfiguration Wizard, ensure that you have backed up the domain as covered in the pre-upgrade checklist. If an error or other interruption occurs while running the Reconfiguration Wizard, you must restore the domain by copying the files and directories from the backup location to the original domain directory. This is the only way to ensure that the domain has been returned to its original state before reconfiguration.

Follow these instructions to reconfigure the existing domain using the Reconfiguration Wizard. See Reconfiguring WebLogic Domains in Upgrading Oracle WebLogic Server.

• Backing Up the Domain
  
• Starting the Reconfiguration Wizard
  
• Reconfiguring the Oracle Identity Manager Domain
  Navigate through the screens in the Reconfiguration Wizard to reconfigure your existing domain.

Backing Up the Domain

Before running the Reconfiguration Wizard, create a backup copy of the domain directory.

To create a backup of the Administration server domain directory:

1. Copy the source domain to a separate location to preserve the contents.
   (Windows) copy /Oracle/Middleware/user_projects/domains to /Oracle/Middleware/user_projects/domains_backup.
   (UNIX) cp -rf mydomain mydomain_backup
2. Before updating the domain on each remote Managed Server, create a backup copy of the domain directory on each remote machine.
3. Verify that the backed up versions of the domain are complete.

If domain reconfiguration fails for any reason, you must copy all files and directories from the backup directory into the original domain directory to ensure that the domain is returned entirely to its original state before reconfiguration.

Starting the Reconfiguration Wizard

Note:

• Shut down the administration server and all managed servers before starting the reconfiguration process. See Stopping Servers and Processes.
• If the source is a clustered environment, run the Reconfiguration Wizard on the primary node only, where, primary node is the Administration Server. Use the Pack/Unpack utility to apply the changes to other cluster members in the domain.

To start the Reconfiguration Wizard in graphical mode:

1. Open the command shell (on UNIX operating systems) or open a command prompt window (on Windows operating systems).
2. Set the following environment variables:
   • WLS_ALTERNATIVE_TYPES_DIR - Use the following command:

     (Non-Bash): setenv WLS_ALTERNATIVE_TYPES_DIR ORACLE_HOME/idm/server/loginmodule/wls

     (Bash):export WLS_ALTERNATIVE_TYPES_DIR=ORACLE_HOME/idm/server/loginmodule/wls

     Where, ORACLE_HOME is the 12c Oracle Home.

   • CONFIG_JVM_ARGS - The ./reconfig.sh command may display the following error to indicate that the default cache directory is not valid:

     *sys-package-mgr*: can't create package cache dir
     

     To avoid the error, change the cache directory by setting CONFIG_JVM_ARGS.

     For example: CONFIG_JVM_ARGS=-Dpython.cachedir=any_writable_directory.

3. Go to the oracle_common/common/bin directory:
   • (UNIX) ORACLE_HOME/oracle_common/common/bin
   • (Windows) ORACLE_HOME\oracle_common\commom\bin

   Where, ORACLE_HOME is the 12c Oracle Home.

4. Start the Reconfiguration Wizard with the following logging options:
   • (UNIX) ./reconfig.sh -log=log_file -log_priority=ALL
   • (Windows) reconfig.cmd -log=log_file -log_priority=ALL

   Where, log_file is the absolute path of the log file you'd like to create for the domain reconfiguration session. This can be helpful if you need to troubleshoot the reconfiguration process.

   The parameter -log_priority=ALL ensures that logs are logged in fine mode.

Reconfiguring the Oracle Identity Manager Domain

Navigate through the screens in the Reconfiguration Wizard to reconfigure your existing domain.

To reconfigure the domain with the Reconfiguration Wizard:

1. On the Select Domain screen, specify the location of the DOMAIN_HOME directory used by the Administration Server for the OIG domain or click Browse to navigate and select the correct OIG domain directory. Click Next.
2. On the Reconfiguration Setup Progress screen, view the progress of the setup process. When complete, click Next.
   During this process:

   • The reconfiguration templates for your installed products, including Fusion Middleware products, are automatically applied. This updates various domain configuration files such as config.xml, config-groups.xml, and security.xml (among others).

   • Schemas, scripts, and other such files that support your Fusion Middleware products are updated.

   • The domain upgrade is validated.

   • After the Setup Progress completes, check for any warning messages in the lower panel of the view.
     • If a specific error code is presented, search the log file for that error code and check Oracle Support. Some errors in the logs will directly include recommended solutions.
     • If a more generic Custom Applications were left in the original MW home and must be fixed manually:... warning message is presented, check the log for CFGFWK-40951 messages.

       For example:

       2020-09-16 18:54:22,249 WARNING [42] com.oracle.cie.domain.progress.domain.reconfig.wlscore.ValidateDomainPhase - CFGFWK-40951: An application or library was not relocated to the new MW home.
       CFGFWK-40951: Custom Applications were left in the original MW home and must be fixed manually:
       spml-dsml
       
       CFGFWK-40951: Correct source path of the applications to refer to the new installation.

3. On the Domain Mode and JDK screen, select the JDK to use in the domain or click Browse to navigate to the JDK you want to use. The supported JDK version for 12c (12.2.1.3.0) is 1.8.0_131 and later. Click Next.

   Note:

   You cannot change the Domain Mode at this stage.
   For a list of JDKs that are supported for a specific platform, see Oracle Fusion Middleware Supported System Configurations.
4. On the Database Configuration Type screen, select RCU Data to connect to the Server Table (_STB) schema.
   Enter the database connection details using the RCU service table (_STB) schema credentials and click Get RCU Configuration.
   The Reconfiguration Wizard uses this connection to automatically configure the data sources required for components in your domain.

   Note:

   By default Oracle’s Driver (Thin) for Service connections; Versions: Any is the selected driver. If you specified an instance name in your connection details — instead of the service name — you must select Oracle’s Driver (Thin) for pooled instance connections; Versions: Any If you do not change the driver type, then the connection will fail.

   Note:

   For any existing 11g datasource, the reconfiguration will preserve the existing values. For new datasources where the schema was created for 12c by the RCU, the default connection data will be retrieved from the _STB schema. If no connection data for a given schema is found in the _STB schema, then the default connection data is used.
   If the check is successful, click Next. If the check fails, reenter the connection details correctly and try again.

   Note:

   If you are upgrading from 11g, and your database has _OPSS or _IAU 11g database schemas, you must manually enter database connection details for those schemas. These schemas were not required in 11g and had to be created manually. Users could assign any name to these schemas, therefore the Reconfiguration Wizard does not recognize them. When providing connection information for _IAU, use the IAU_APPEND user information.
5. On the JDBC Component Schema screen, verify that the DBMS/Service and the Host name is correct for each component schema and click Next.

   Note:

   • For all of the schemas except for OPSS, the host, port, and service details will be auto-populated. You must enter the OPSS schema credentials manually.
   • If you are using a RAC database, then on the JDBC Component Schema screen, select all the datasources and select Convert to Grid Link.
6. On the Grid Link screen, provide the Service Name, Schema Password, ONS Host and Port, SCAN Hostname and Port, and check the FAN and SCAN checkboxes appropriately. Also, verify that the prefix for each schema owner reflects your environment. Perform this step for each RAC Component Schema.

   When complete, click Next.

   Note:

   The Grid Link screen will be displayed only if you select Convert to Grid Link in step 6.
7. On the JDBC Component Schema Test screen, the component schema connections are tested. The result of the test is indicated in the Status column.

   When the check is complete, click Next.

8. On the Node Manager screen, go for the default option or select Create New Configuration for configuring Node Manager per your requirement. In both the cases, specify the WebLogic Administration user credentials for Node Manager details.
9. On the Credentials screen, for weblogicAdminnKey, populate the Weblogic admin username and password used in 11g, and then click Next.
10. Leave the default selection and click Next.
11. On the Advanced Configuration screen, during an upgrade, it is recommended to simply leave all the options unselected and click Next. you can select all categories for which you want to perform advanced configuration. For each category you select, the appropriate configuration screen is displayed to allow you to perform advanced configuration.

    Note:

    If desired, you can select the options and review the configuration details. However, not all settings may represent the final state of the domain configuration at this time. Additional component configuration is completed in later steps by the Upgrade Assistant. Oracle recommends you to not review these details at this point, and not make any changes to the Advanced Configuration views during the upgrade process.
12. On the Configuration Summary screen, review the detailed configuration settings of the domain before continuing.
    You can limit the items that are displayed in the right-most panel by selecting a filter option from the View drop-down list.
    To change the configuration, click Back to return to the appropriate screen. To reconfigure the domain, click Reconfig.

    Note:

    The location of the domain does not change when you reconfigure it.
13. The Reconfiguration Progress screen displays the progress of the reconfiguration process.
    During this process:

    • Domain information is extracted, saved, and updated.

    • Schemas, scripts, and other such files that support your Fusion Middleware products are updated.

    When the progress bar shows 100%, click Next.
14. The End of Configuration screen indicates whether the reconfiguration process completed successfully or failed. It also displays the location of the domain that was reconfigured as well as the Administration Server URL (including the listen port). If the reconfiguration is successful, it displays Oracle WebLogic Server Reconfiguration Succeeded.
    If the reconfiguration process did not complete successfully, an error message is displayed indicates the reason. Take appropriate action to resolve the issue. If you cannot resolve the issue, contact My Oracle Support.
    Note the Domain Location and the Admin Server URL for further operations.

Upgrading Domain Component Configurations on OIMHOST1

Use the Upgrade Assistant to upgrade the domain component’s configurations inside the domain to match the updated domain configuration.

Note:

Perform this procedure OIMHOST1 only.

• Upgrading Domain Component Configurations
  After reconfiguring the domain, use the Upgrade Assistant to upgrade the domain component configurations inside the domain to match the updated domain configuration.

Upgrading Domain Component Configurations

After reconfiguring the domain, use the Upgrade Assistant to upgrade the domain component configurations inside the domain to match the updated domain configuration.

• Starting the Upgrade Assistant
  Run the Upgrade Assistant to upgrade product schemas, domain component configurations, or standalone system components to 12c (12.2.1.3.0). Oracle recommends that you run the Upgrade Assistant as a non-SYSDBA user, completing the upgrade for one domain at a time.
• Upgrading Oracle Identity Manager Domain Component Configurations
  Navigate through the screens in the Upgrade Assistant to upgrade component configurations in the WebLogic domain.

Starting the Upgrade Assistant

Run the Upgrade Assistant to upgrade product schemas, domain component configurations, or standalone system components to 12c (12.2.1.3.0). Oracle recommends that you run the Upgrade Assistant as a non-SYSDBA user, completing the upgrade for one domain at a time.

To start the Upgrade Assistant:

Note:

Before you start the Upgrade Assistant, make sure that the JVM character encoding is set to UTF-8 for the platform on which the Upgrade Assistant is running. If the character encoding is not set to UTF-8, then you will not be able to download files containing Unicode characters in their names. This can cause the upgrade to fail.

To ensure that UTF-8 is used by the JVM, use the JVM option -Dfile.encoding=UTF-8.

1. Go to the oracle_common/upgrade/bin directory:
   • (UNIX) ORACLE_HOME/oracle_common/upgrade/bin
   • (Windows) ORACLE_HOME\oracle_common\upgrade\bin
2. Set a parameter for the Upgrade Assistant to include the JVM encoding requirement:
   • (UNIX) export UA_PROPERTIES="-Dfile.encoding=UTF-8"
   • (Windows) set UA_PROPERTIES="-Dfile.encoding=UTF-8"
3. Start the Upgrade Assistant:
   • (UNIX) ./ua
   • (Windows) ua.bat

Note:

In the above command, ORACLE_HOME refers to the 12c (12.2.1.3.0) Oracle Home.

For information about other parameters that you can specify on the command line, such as logging parameters, see:

• Upgrade Assistant Parameters
  

Upgrade Assistant Parameters

When you start the Upgrade Assistant from the command line, you can specify additional parameters.

Table 4-6 Upgrade Assistant Command-Line Parameters

Parameter	Required or Optional	Description
-readiness	Required for readiness checks Note: Readiness checks cannot be performed on standalone installations (those not managed by the WebLogic Server).	Performs the upgrade readiness check without performing an actual upgrade. Schemas and configurations are checked. Do not use this parameter if you have specified the -examine parameter.
-threads	Optional	Identifies the number of threads available for concurrent schema upgrades or readiness checks of the schemas. The value must be a positive integer in the range 1 to 8. The default is 4.
-response	Required for silent upgrades or silent readiness checks	Runs the Upgrade Assistant using inputs saved to a response file generated from the data that is entered when the Upgrade Assistant is run in GUI mode. Using this parameter runs the Upgrade Assistant in silent mode (without displaying Upgrade Assistant screens).
-examine	Optional	Performs the examine phase but does not perform an actual upgrade. Do not specify this parameter if you have specified the -readiness parameter.
-logLevel attribute	Optional	Sets the logging level, specifying one of the following attributes: TRACE NOTIFICATION WARNING ERROR INCIDENT_ERROR The default logging level is NOTIFICATION. Consider setting the -logLevel TRACE attribute to so that more information is logged. This is useful when troubleshooting a failed upgrade. The Upgrade Assistant's log files can become very large if -logLevel TRACE is used.
-logDir location	Optional	Sets the default location of upgrade log files and temporary files. You must specify an existing, writable directory where the Upgrade Assistant creates log files and temporary files. The default locations are: (UNIX) ORACLE_HOME/oracle_common/upgrade/logs ORACLE_HOME/oracle_common/upgrade/temp (Windows) ORACLE_HOME\oracle_common\upgrade\logs ORACLE_HOME\oracle_common\upgrade\temp
-help	Optional	Displays all of the command-line options.

Upgrading Oracle Identity Manager Domain Component Configurations

Navigate through the screens in the Upgrade Assistant to upgrade component configurations in the WebLogic domain.

After running the Reconfiguration Wizard to reconfigure the WebLogic domain to 12c (12.2.1.3.0), you must run the Upgrade Assistant to upgrade the domain component configurations to match the updated domain configuration.

To upgrade domain component configurations with the Upgrade Assistant:

1. On the Welcome screen, review an introduction to the Upgrade Assistant and information about important pre-upgrade tasks. Click Next.

   Note:

   For more information about any Upgrade Assistant screen, click Help on the screen.
2. On the next screen:

   • Select All Configurations Used By a Domain. The screen name changes to WebLogic Components.

   • In the Domain Directory field, enter the WebLogic domain directory path.

     Where, Domain Directory is the Administration server domain directory.

   Click Next.

3. On the Component List screen, verify that the list includes all the components for which you want to upgrade configurations and click Next.
   If you do not see the components you want to upgrade, click Back to go to the previous screen and specify a different domain.
4. On the Prerequisites screen, acknowledge that the prerequisites have been met by selecting all the check boxes. Click Next.

   Note:

   The Upgrade Assistant does not verify whether the prerequisites have been met.
5.  If there are remote managed servers hosting User Messaging Services (UMS) configuration files: On the UMS Configuration screen, provide the credentials to these servers so that the Upgrade Assistant can access the configuration files.

   Note:

   You may need to manually copy the UMS configuration files if the Upgrade Assistant is unable to locate them. See Error while Copying User Messaging Service (UMS) Configuration Files.
6. On the Old (that is,11g) OIM Home Location screen, select 11g Source, and specify the absolute path to the 11.1.2.3.0 OIM Oracle Home, which is ORACLE_HOME/Oracle_IDM.
   Click Next.
7. On the Examine screen, review the status of the Upgrade Assistant as it examines each component, verifying that the component configuration is ready for upgrade. If the status is Examine finished, click Next.
   If the examine phase fails, Oracle recommends that you cancel the upgrade by clicking No in the Examination Failure dialog. Click View Log to see what caused the error and refer to Troubleshooting Your Upgrade in Upgrading with the Upgrade Assistant for information on resolving common upgrade errors.

   Note:

   • If you resolve any issues detected during the examine phase without proceeding with the upgrade, you can start the Upgrade Assistant again without restoring from backup. However, if you proceed by clicking Yes in the Examination Failure dialog box, you need to restore your pre-upgrade environment from backup before starting the Upgrade Assistant again.

   • Canceling the examination process has no effect on the configuration data; the only consequence is that the information the Upgrade Assistant has collected must be collected again in a future upgrade session.

8. On the Upgrade Summary screen, review the summary of the options you have selected for component configuration upgrade.
   The response file collects and stores all the information that you have entered, and enables you to perform a silent upgrade at a later time. The silent upgrade performs exactly the same function that the Upgrade Assistant performs, but you do not have to manually enter the data again. If you want to save these options to a response file, click Save Response File and provide the location and name of the response file.
   Click Upgrade to start the upgrade process.
9. On the Upgrade Progress screen, monitor the status of the upgrade.

   Caution:

   Allow the Upgrade Assistant enough time to perform the upgrade. Do not cancel the upgrade operation unless absolutely necessary. Doing so may result in an unstable environment.
   If any components are not upgraded successfully, refer to the Upgrade Assistant log files for more information.

   Note:

   The progress bar on this screen displays the progress of the current upgrade procedure. It does not indicate the time remaining for the upgrade.

   Click Next.

10. If the upgrade is successful: On the Upgrade Success screen, click Close to complete the upgrade and close the wizard. The Post-Upgrade Actions window describes the manual tasks you must perform to make components functional in the new installation. This window appears only if a component has post-upgrade steps.
    If the upgrade fails: On the Upgrade Failure screen, click View Log to view and troubleshoot the errors. The logs are available at NEW_ORACLE_HOME/oracle_common/upgrade/logs.

    Note:

    If the upgrade fails you must restore your pre-upgrade environment from backup, fix the issues, then restart the Upgrade Assistant.

Replicating the Domain Configurations on each OIMHOST

Replicate the domain configurations on OIMHOST2. This involves packing the upgraded domain on OIMHOST1 and unpacking it on OIMHOST2.

To do this, complete the following steps:

1. On OIMHOST1, run the following command from the location $ORACLE_HOME/oracle_common/common/bin to pack the upgraded domain:
   • On UNIX:

     sh pack.sh -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -template_name="OIM Domain" -managed=true

   • On Windows:

     pack.cmd -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -template_name="OIM Domain" -managed=true

   Note:

   If the Pack command fails with errors about missing JAR files, see Doc ID 2427364.1 for the recommended solution. The article discusses an issue at startup rather than with Pack, though the solution is the same.
2. Copy the domain configuration jar file created by the pack command on OIMHOST1 to any accessible location on OIMHOST2.
3. On OIMHOST2, run the following command from the location $ORACLE_HOME/oracle_common/common/bin to unpack the domain:
   • On UNIX:

     sh unpack.sh -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -overwrite_domain=true

   • On Windows:

     unpack.cmd -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -overwrite_domain=true

4. If you have other OIMHOSTs, repeat step 2 and step 3 on those hosts.

Note:

If you are following the EDG methodology you also need to pack and unpack the domain in the OIM managed server location on OIMHOST1.

Starting the Servers for Initial Post-Upgrade Bootstrap Processing

After you upgrade Oracle Identity Manager, start the servers to bootstrap the domain configuration.

Before starting the servers, if you are using multiple DOMAIN_HOMES on OIMHOST1 in an Enterprise Deployment topology, perform the pack/unpack operations to replicate the domain configuration from ASERVER_HOME to MSERVER_HOME on OIMHOST1 so that the SOA and OIM Managed Server can be bootstrapped properly with the upgraded domain configuration.

Note:

The pack/unpack operations will be repeated in the next step after the bootstrap process is complete, to replicate the final domain configuration to all OIMHOSTn hosts.

1. If using multiple DOMAIN_HOMES in an Enterprise Deployment topology, pack/unpack the domain configuration from ASERVER_HOME to MSERVER_HOME on OIMHOST1.
   1. On OIMHOST1, run the following command from the location $ORACLE_HOME/oracle_common/common/bin to pack the upgraded pre-bootstrap domain:

      On UNIX:

      sh pack.sh -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -template_name="OIM Domain" -managed=true

      On Windows:

      pack.cmd -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -template_name="OIM Domain" -managed=true

      For example:

      $ ./pack.sh -managed=true \
                 -domain=/u01/oracle/config/domains/IAMGovernanceDomain \
                 -template=/u01/oracle/config/backup/IAMGovernanceDomain_upg12213prebootstrap.jar \
                 -template_name=IAMGovernanceDomain \
                 -log_priority=DEBUG \
                 -log=/u01/oracle/config/backup/pack_oig_upg12213prebootstrap.log

   2. On OIMHOST1, run the following command from the location $ORACLE_HOME/oracle_common/common/bin to unpack the domain into the MSERVER_HOME directory:

      On UNIX:

      sh unpack.sh -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -overwrite_domain=true

      On Windows:

      unpack.cmd -domain=<Location_of_OIM_domain> -template=<Location_where_domain_configuration_jar_to_be_created> -overwrite_domain=true

      For example:

      $ ./unpack.sh -domain=/u02/private/oracle/config/domains/IAMGovernanceDomain \
                  -overwrite_domain=true \
                  -template=/u01/oracle/config/backup/IAMGovernanceDomain_upg12213preboot.jar \
                  -log_priority=DEBUG \
                  -log=/u01/oracle/config/backup/unpack_oig_upg12213prebootstrap_oimhost1.log \
                  -app_dir=/u02/private/oracle/config/domains/IAMGovernanceDomain/applications

2. At the command prompt, start the Administration Server from the DOMAIN_HOME/bin folder for the Administration Server. If Node Manager is configured, do not start NodeManager.

   For example:

   /u01/oracle/config/domains/IAMGovernanceDomain/bin/startWebLogic.sh

3. At the command prompt, start the SOA Suite Managed Server from the DOMAIN_HOME/bin folder for the Managed Server. If Node Manager is configured, do not start the NodeManager. Specify the T3 protocol Administration Server URL and set the JAVA property to enable BPM for SOA Server.

   On UNIX:

   ./startManagedWebLogic.sh <SOA_Managed_server> t3://weblogic_admin_host:weblogic_admin_port -Dbpm.enabled=true

   On Windows:

   startManagedWebLogic.cmd <SOA_Managed_server> t3://weblogic_admin_host:weblogic_admin_port -Dbpm.enabled=true

   For example:

   /u02/private/oracle/config/domains/IAMGovernanceDomain/bin/startManagedWebLogic.sh WLS_SOA1 t3://IGDADMINVHN:7001 -Dbpm.enabled=true

4. Wait for the SOA Managed server to come completely to a RUNNING state before continuing.
5. At the command prompt, start the OIM Managed Server from the DOMAIN_HOME/bin folder for the Managed Server. If Node Manager is configured, do not start NodeManager. Specify the T3 protocol Administration Server URL. The OIM server will automatically shut down after the bootstrap process is successful. Monitor the standard out messages to the terminal carefully.

   On UNIX:

   ./startManagedWebLogic.sh <OIM_Managed_server> t3://weblogic_admin_host:weblogic_admin_port
   

   On Windows:

   startManagedWebLogic.cmd <OIM_Managed_server> t3://weblogic_admin_host:weblogic_admin_port
   

   For example:

   /u02/private/oracle/config/domains/IAMGovernanceDomain/bin/startManagedWebLogic.sh WLS_SOA1 t3://IGDADMINVHN:7001 -Dbpm.enabled=true

6. After the OIM Managed Server terminates, stop the SOA and AdminServer processes from the command line shells by pressing <CTRL-C> and waiting for each to terminate before executing the next. Terminate the processes in the following order: SOA, AdminServer.

Fully Deploy the oracle.iam.ui.custom-dev-starter-pack.war

Validate that the Upgrade Assistant has automatically copied the oracle.iam.ui.custom-dev-starter-pack.war file from the 11g MW_HOME to the 12c ORACLE_HOME on the AdminServer host.

If you have an Enterprise Reference topology or use multiple shared volumes for your ORACLE_HOME binaries, then also replicate this file manually to each OIMHOSTn where a distinct separate binary volume is mounted.

1. Check the 11g MW_HOME for the war file, validate it is no longer present.

   ls /u01/oracle/products/identity/iam/server/apps/oracle.iam.ui.custom-dev-starter-pack.war

2. Check the 12c ORACLE_HOME for the war file, validate it has been placed in the correct location.

   ls /u01/oracle/products/12c/identity/idm/server/apps/oracle.iam.ui.custom-dev-starter-pack.war

3. Copy the war file from the binary volume on OIMHOST1 to any other hosts with a separate binaries volume.

   For example:

   cd /u01/oracle/products/12c/identity/idm/server/apps/
   scp oracle.iam.ui.custom-dev-starter-pack.war \
   iamoracle@OIMHOST2:/u01/oracle/products/12c/identity/idm/server/apps/.

Starting the Servers on OIMHOST1 and OIMHOST2

After you upgrade Oracle Identity Manager on both OIMHOST1 and OIMHOST2, start the servers.

You must start the servers in the following order:

1. Start the Node Manager on both OIMHOST1 and OIMHOST2.
2. Start the Administration Server on OIMHOST1.
3. Start the Oracle SOA Suite Managed Server (without BPM property) and Oracle Identity Manager Managed Servers on OIMHOST1.
4. Start the Oracle SOA Suite Managed Server (without BPM property) and Oracle Identity Manager Managed Servers on OIMHOST2.

• Starting Servers and Processes
  After a successful upgrade, start all processes and servers, including the Administration Server and any Managed Servers.
• Verifying the Domain-Specific-Component Configurations Upgrade
  To verify that the domain-specific-component configurations upgrade was successful, sign in to the Administration console and the Oracle Enterprise Manager Fusion Middleware Control and verify that the version numbers for each component is 12.2.1.3.0.
• Configuring Oracle HTTP Servers to Front End OIM, and SOA Managed Servers
  

Starting Servers and Processes

After a successful upgrade, start all processes and servers, including the Administration Server and any Managed Servers.

The components may be dependent on each other so they must be started in the correct order.

Note:

The procedures in this section describe how to start servers and process using the WLST command line or a script. You can also use the Oracle Fusion Middleware Control and the Oracle WebLogic Server Administration Console. See Starting and Stopping Administration and Managed Servers and Node Manager in Administering Oracle Fusion Middleware.

To start your Fusion Middleware environment, follow the steps below.

Step 1: Start Node Manager

Start the Node Manager in the Administration Server <DOMAIN_HOME>/bin location by running the following command.

• (UNIX) nohup ./startNodeManager.sh > <DOMAIN_HOME>/nodemanager/nodemanager.out 2>&1 &

• (Windows) nohup .\startNodeManager.sh > <DOMAIN_HOME>\nodemanager\nodemanager.out 2>&1 &

Where, <DOMAIN_HOME> is the Administration server domain home.

Step 2: Start the Administration Server

When you start the Administration Server, you also start the processes running in the Administration Server, including the WebLogic Server Administration Console and Fusion Middleware Control.

Note:

Typically, the name of the Administration Server is always 'AdminServer'. If the name of your Administration Server is different from the default name 'AdminServer', you should modify the name in the <domainname>/config/config.xml file, accordingly, prior to starting the server.

To change the name:

1. Open the <domainname>/config/config.xml file and locate the following library entry:

   <library>
      <name>oracle.idm.ipf</name>
     <target>AdminServer</target>
      <module-type>jar</module-type>
   .....
   .....
    </library>

2. Note the name of the Administration Server. If the name is other than 'AdminServer', change the following entry accordingly:

   <target><name_of_your_admin_server></target>

Method 1: To start a Administration Server, run the following command:

nohup DOMAIN_HOME/bin/startWeblogic.sh &

Method 2: To start a Administration Server by using node manager, run the following commands:

cd ORACLE_COMMON_HOME/common/bin
./wlst.sh
wls:/offline> nmConnect('nodemanager_username','nodemanager_password',
                    'ADMINVHN','5556','domain_name',
                   'DOMAIN_HOME')
nmStart('AdminServer')

Step 3 (Option 1): Start the Managed Servers

Note:

In an HA environment, it is preferred to use the console or node manager to start servers.

Start a WebLogic Server Managed Server by using the Weblogic Console:

• Log into Weblogic console as a weblogic Admin.
• Go to Servers > Control tab.
• Select the required managed server.
• Click Start.

Step 3 (Option 2): Start the SOA and OIM Clusters

Continue in the WLST session from step 2 to start the clusters and verify their final state as follows:

<code block>
connect('weblogic','weblogic_passsword','t3://ADMINVHN:7001')
start('cluster_soa', 'Cluster', block='true')
start('cluster_oim', 'Cluster', block='true')
state('cluster_soa', 'Cluster')
state('cluster_oim', 'Cluster')
exit()
</code block>

Verifying the Domain-Specific-Component Configurations Upgrade

To verify that the domain-specific-component configurations upgrade was successful, sign in to the Administration console and the Oracle Enterprise Manager Fusion Middleware Control and verify that the version numbers for each component is 12.2.1.3.0.

To sign in to the Administration Console, go to: http://administration_server_host:administration_server_port/console

To sign in to the Administration Console in an EDG deployment, see Validating the Virtual Server Configuration and Access to the Consoles.

To sign in to Oracle Enterprise Manager Fusion Middleware Control Console, go to: http://administration_server_host:administration_server_port/em

Note:

• After upgrade, ensure you run the administration tools from the new 12c Oracle home directory and not from the previous Oracle home directory.
• During the upgrade process, some OWSM documents, including policy sets and predefined documents such as policies and assertion templates, may need to be upgraded. If a policy set or a predefined document is upgraded, its version number is incremented by 1.
• In the site-specific configuration, the WebLogic and EM consoles must be accessible with the URLs either directly or through proxy URLs.

Configuring Oracle HTTP Servers to Front End OIM, and SOA Managed Servers

If your installation is fronted by Oracle HTTP Server, you need to ensure that your OHS directives are as given below. Note that you may have one configuration file or several of these files will have the extention .conf and reside in:

OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/instances/OHS_INSTANCE_NAME/modultconf

To configure the Oracle HTTP Server instances in the Web tier so they route requests correctly to the Oracle SOA Suite cluster, use the following procedure to create an additional Oracle HTTP Server configuration file that creates and defines the parameters of the https://igdinternal.example.com:7777 virtual server.

To validate the virtual host configuration file so requests are routed properly to the Oracle Identity Governance clusters:

1. Log in to WEBHOST1 and change directory to the configuration directory for the first Oracle HTTP Server instance (OHS_1):

   cd WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf/
   

2. Edit the file prov_vh.conf and add the following directives inside the <VirtualHost> tags:

   Note:

   • The URL entry for /workflow is optional. It is for workflow tasks associated with Oracle ADF task forms. The /workflow URL itself can be a different value, depending on the form.

   • Configure the port numbers appropriately, as assigned for your static or dynamic cluster. Dynamic clusters with the Calculate Listen Port option selected will have incremental port numbers for each dynamic managed server that you create.

     The WebLogicCluster directive needs only a sufficient number of redundant server:port combinations to guarantee an initial contact in case of a partial outage. The actual total list of cluster members is retrieved automatically on the first contact with any given node. Any entries other than those listed below can be removed.

   <Location /identity>
       WLSRequest ON
       WLCookieName oimjsessionid 
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
       WLProxySSL ON
       WLProxySSLPassThrough ON
   </Location>
   
   # xlWebApp - Legacy 9.x webapp (struts based)
   <Location /xlWebApp>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
       WLProxySSL ON
       WLProxySSLPassThrough ON
   </Location>
   
   <Location /HTTPClnt>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
       WLProxySSL ON
       WLProxySSLPassThrough ON
   </Location>
   
   # Requests webservice URL
   <Location /reqsvc>
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLProxySSL ON
       WLProxySSLPassThrough ON
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /FacadeWebApp>
       SetHandler weblogic-handler
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
       WLProxySSL ON
       WLProxySSLPassThrough ON 
   </Location>
   
   <Location /iam>
       SetHandler weblogic-handler
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
       WLProxySSL ON
       WLProxySSLPassThrough ON 
   </Location>
   
   <Location /OIGUI>
       SetHandler weblogic-handler
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
       WLProxySSL ON
       WLProxySSLPassThrough ON
   </Location>
   

   The prov_vh.conf file will appear as it does in Step 2.

3. In the igdadmin_vh.conf file, ensure that you have the following OHS directives. Any entries other than those listed below can be removed.

   ## Entries Required by Oracle Identity Governance
   <Location /oim>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /iam>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /sysadmin>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /admin>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster oimhost1.example.com:14000,oimhost2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # xlWebApp - Legacy 9.x webapp (struts based)
   <Location /xlWebApp>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # OIM self service console
   <Location /identity>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /OIGUI>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # Nexaweb WebApp - used for workflow designer and DM
   <Location /Nexaweb>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /FacadeWebApp>
       SetHandler weblogic-handler
       WLCookieName oimjsessionid
       WebLogicCluster oimhost1.example.com:14000,oimhost2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # Scheduler webservice URL
   <Location /SchedulerService-web>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   

4. In the igdinternal_vh.conf file, ensure that you have the following OHS directives. Any entries other than those listed below can be removed.

   ## Entries Required by Oracle Identity Governance
   #SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
   
   <Location /sodcheck>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:8001,OIMHOST2.example.com:8001
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
   </Location>
   
   # OIM, role-sod profile
   <Location /role-sod>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # Callback webservice for SOA. SOA calls this when a request is approved/rejected
   # Provide the SOA Managed Server Port
   <Location /workflowservice>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
   </Location>
   
   # used for FA Callback service.
   <Location /callbackResponseService>
       WLSRequest ON
       WLCookieName    oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # spml xsd profile
   <Location /spml-xsd>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # OIM, spml dsml profile
   <Location /spmlws>
       WLSRequest ON
       PathTrim /weblogic
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /reqsvc>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
   </Location>
   
   # SOA Infra
   <Location /soa-infra>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:8001,OIMHOST2.example.com:8001
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/component/oim_component.log"
   </Location>
   
   # UMS Email Support
   <Location /ucs>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:8001,OIMHOST2.example.com:8001
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/component/oim_component.log"
   </Location>
   
   <Location /provisioning-callback>
       WLSRequest ON
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /CertificationCallbackService>
      WLSRequest ON
      WLCookieName oimjsessionid
      WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /IdentityAuditCallbackService>
      WLSRequest ON
      WLCookieName oimjsessionid
      WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
      WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   # SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
     <Location /soa/composer>
       SetHandler weblogic-handler
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:8001,OIMHOST2.example.com:8001
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
     </Location>
   
     <Location /integration>
       SetHandler weblogic-handler
       WebLogicCluster OIMHOST1.example.com:8001,OIMHOST2.example.com:8001
       WLCookieName oimjsessionid
     </Location>
   
     <Location /sdpmessaging/userprefs-ui>
       SetHandler weblogic-handler
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:8001,OIMHOST2.example.com:8001
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/soa_component.log"
     </Location>
   
   <Location /iam>
       SetHandler weblogic-handler
       WLCookieName oimjsessionid
       WebLogicCluster OIMHOST1.example.com:14000,OIMHOST2.example.com:14000
       WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>
   
   <Location /ws_utc>
   SetHandler weblogic-handler
     WLCookieName oimjsessionid
     WebLogicCluster OIMHOST1:8001,OIMHOST2:8001
     WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/mod_wl/oim_component.log"
   </Location>

5. Copy the igdadmin_vh.conf, igdinternal_vh.conf, and prov_vh.conf files to the configuration directory for the second Oracle HTTP Server instance (ohs2):

   WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs2/moduleconf/
   

6. Edit the igdadmin_vh.conf, prov_vh.conf, and igdinternal_vh.conf files and change any references to WEBHOST1 to WEBHOST2 in the <VirtualHost> directives.
7. Restart the Oracle HTTP servers on WEBHOST1 and WEBHOST2 using the following commands:
   1. Restart the ohs1 instance by doing the following:
      1. Change directory to the following location:

         cd WEB_DOMAIN_HOME/bin

      2. Enter the following commands to stop and start the instance:

         ./stopComponent.sh ohs1
         ./startComponent.sh ohs1

   2. Restart the ohs2 instance by doing the following:
      1. Change directory to the following location:

         cd WEB_DOMAIN_HOME/bin

      2. Enter the following commands to stop and start the instance:

         ./stopComponent.sh ohs2
         ./startComponent.sh ohs2

Note:

If internal invocations are going to be used in the system, add the appropriate locations to the soainternal virtual host.

Upgrading Oracle Identity Manager Design Console

Upgrade the Oracle Identity Manager Design Console after you upgrade the Oracle Identity Manager (OIM) domain component configurations.

To upgrade the Oracle Identity Manager Design Console, replace the 12c (12.2.1.3.0) ORACLE_HOME/idm/designconsole/config/xlconfig.xml file with the 11.1.2.3.0 ORACLE_HOME/Oracle_IDM1/designconsole/config/xlconfig.xml file.

After copying the file to the 12c ORACLE_HOME location on OIMHOST1, copy the file to any remote OIMHOSTn that use a different copy of the ORACLE_HOME binaries volume.

Performing the Post-Patch Install Steps

After completing the upgrade, you have to perform the post-patch installation steps.

The post-patch installation steps comprises the following:

• Running the Poststart Command to Confirm Successful Binary Patching
  
• Filling in the patch_oim_wls.profile File
  
• Patching the Oracle Identity Governance Managed Servers (patch_oim_wls Stage)
  
• Performing a Clean Restart of the Servers
  

Running the Poststart Command to Confirm Successful Binary Patching

Use the variables and the instructions in the Stack Patch Bundle README.txt file to run the poststart command for your product, as shown below:

$ ./spbat.sh -type oig -phase poststart -mw_home /<INSTALLATION_DIRECTORY>/IAM12c -spb_download_dir /<DOWNLOAD_LOCATION>/IDM_SPB_12.2.1.4.200714 -log_dir /<DOWNLOAD_LOCATION>/OIGlogs

For details, see Doc ID 2657920.1.

Filling in the patch_oim_wls.profile File

Using a text editor, edit the file patch_oim_wls.profile located in the ORACLE_HOME/idm/server/bin/ directory and change the values in the file to match your environment. The patch_oim_wls.profile file contains sample values.

Table 4-7 lists the information to be entered for the patch_oim_wls.profile file. This file is used in the next stage of the bundle patch process.

Table 4-7 Parameters of the patch_oim_wls.profile File

Parameter	Description	Sample Value
ant_home	Location of the ANT installation. It is usually under MW_HOME.	For Linux: $MW_HOME/oracle_common/modules/thirdparty/org.apache.ant/1.10.5.0.0/apache-ant-1.10.5/ For Windows: %MW_HOME%/oracle_common/modules/thirdparty/org.apache.ant/1.10.5.0.0/apache-ant-1.10.5/
java_home	Location of the JDK/JRE installation that is being used to run the Oracle Identity Governance domain.	For Linux: <JAVA_HOME_PATH> consumed by $MW_HOME For Windows: <JAVA_HOME_PATH> consumed by %MW_HOME%
mw_home	Location of the middleware home location on which Oracle Identity Governance is installed.	For Linux: /u01/Oracle/Middleware For Windows: C:\Oracle\MW_HOME\
oim_oracle_home	Location of the Oracle Identity Governance installation.	For Linux: $MW_HOME/idm For Windows: %MW_HOME%\idm
soa_home	Location of the SOA installation.	For Linux: $MW_HOME/soa For Windows: %MW_HOME%\soa
weblogic.server.dir	Directory on which WebLogic server is installed.	For Linux: $MW_HOME/wlserver For Windows: %MW_HOME%\wlserver
domain_home	Location of the domain home on which Oracle Identity Governance is installed.	$MW_HOME/user_projects/domains/base_domain
weblogic_user	Domain administrator user name. Normally it is weblogic, but could be different as well.	weblogic
weblogic_password	Domain admin user's password. If this line is commented out, then password will be prompted.	NA
soa_host	Listen address of the SOA Managed Server, or the hostname on which the SOA Managed Server is listening. Note: If the SOA Managed Server is configured to use a virtual IP address, then the virtual host name must be supplied.	oimhost.example.com
soa_port	Listen port of the SOA Managed Server, or SOA Managed Server port number.	8001 Only Non-SSL Listen port must be provided.
operationsDB.user	Oracle Identity Governance database schema user.	DEV_OIM
OIM.DBPassword	Oracle Identity Governance database schema password. If this line is commented out, then the password will be prompted when the script is executed.	NA
operationsDB.host	Host name of the Oracle Identity Governance database.	oimdbhost.example.com
operationsDB.serviceName	Database service name of the Oracle Identity Governance schema/database. This is not the hostname and it can be a different value as well.	oimdb.example.com
operationsDB.port	Database listener port number for the Oracle Identity Governance database.	1521
mdsDB.user	MDS schema user	DEV_MDS
mdsDB.password	MDS schema password. If this line is commented out, then password will be prompted.	NA
mdsDB.host	MDS database host name	oimdbhost.example.com
mdsDB.port	MDS database/Listen port	1521
mdsDB.serviceName	MDS database service name	oimdb.example.com
oim_username	Oracle Identity Governance username.	System administrator username
oim_password	Oracle Identity Governance password. This is optional. If this is commented out, then you will be prompted for the password when the script is executed.	NA
oim_serverurl	URL to navigate to Oracle Identity Governance.	t3://oimhost.example.com:14000
wls_serverurl	URL to navigate to WLS Console	t3://wlshost.example.com:7001
opss_customizations_present=false	Enables customizations related to authorization or custom task flow. Set this value to true to enable customization.	true

Note:

Update the parameter value as per the setup used, and then execute the patch_oim_wls.sh file.

Patching the Oracle Identity Governance Managed Servers (patch_oim_wls Stage)

Patching the Oracle Identity Governance Managed Servers is the process of copying the staged files to the correct locations, running SQL scripts, importing event handlers, and deploying SOA composite. For making MBean calls, the script automatically starts the Oracle Identity Governance Managed Server and SOA Managed Server specified in the patch_oim_wls.profile file.

This step is performed by running patch_oim_wls.sh (on UNIX) and patch_oim_wls.bat (on Microsoft Windows) script by using the inputs provided in the patch_oim_wls.profile file. As prerequisites, the WebLogic Admin Server, SOA Managed Servers, and Oracle Identity Governance Managed Server must be running.

To patch Oracle Identity Governance Managed Servers on WebLogic:

1. Ensure that the WebLogic Administration Server, SOA Managed Servers, and Oracle Identity Governance Managed Server are running.
2. Set the following environment variables:

   For LINUX or Solaris, set the JAVA_HOME environment variable:

   export JAVA_HOME=<JAVA_HOME_PATH>
   export PATH=$JAVA_HOME/bin:$PATH

   For Microsoft Windows:

   set JAVA_HOME=<JAVA_HOME_PATH>
   set ANT_HOME=\PATH_TO_ANT_DIRECTORY\ant
   set ORACLE_HOME=%MW_HOME%\idm

   Note:

   Ensure that you set the reference to JDK binaries in your PATH before running the patch_oim_wls.sh (on UNIX) or patch_oim_wls.bat (on Microsoft Windows) script. This JAVA_HOME must be of the same version that is being used to run the WebLogic servers. The JAVA_HOME version from /usr/bin/ or the default is usually old and must be avoided. You can verify the version by running the following command:

   java -version

3. Execute patch_oim_wls.sh (on UNIX) or patch_oim_wls.bat (on Microsoft Windows) to apply the configuration changes to the Oracle Identity Governance server. On Linux systems, you must run the script in a shell environment using the following command:

   sh patch_oim_wls.sh

   Note:

   For EDG implementations, this script must be run against the mserver domain directory rather than the server domain directory.
4. Delete the following directory from OIG domain home:

   $DOMAIN_HOME/servers/oim_server1/tmp/_WL_user/oracle.iam.console.identity.self-service.ear_V2.0

   Here, oim_server1 is the WebLogic Managed Server used for OIG.

5. To verify that the patch_oim_wls script has completed successfully, check the ORACLE_HOME/idm/server/bin/patch_oim_wls.log log file.

   Note:

   On running the patch_oim_wls script, the $DOMAIN_HOME/servers/MANAGED_SERVER/security/boot.properties file might be deleted. If you use a script to start the Managed Server and use the boot.properties file to eliminate the need of entering the password in the script, then create a new boot.properties file.

   In an EDG environment, the boot.properties file is in MSERVER_HOME/servers/MANAGED_SERVER/security.

6. Stop and start the WebLogic Administration Server, SOA Server, and Oracle Identity Governance Server.

   • Shutting down Oracle Identity Governance Server might take a long time if it is done with force=false option. It is recommended that you force shutdown Oracle Identity Governance Server.

   • The patch_oim_wls script is re-entrant and can be run again if a failure occurs.

Performing a Clean Restart of the Servers

Restart all the servers including the Administration Server and any Managed Servers. See Starting Servers and Processes.

Completing the Post-Upgrade Tasks for SSL Enabled Setup

If you are upgrading an Oracle Identity Manager SSL enabled setup, you must perform the required post-upgrade tasks to complete the upgrade process.

Complete the following tasks if you have upgraded an SSL enabled setup:

1. Changes done for SSL settings in setDomainEnv.sh, startWeblogic.sh, startManagedWeblogic.sh, and datasources are lost after upgrade. Re-do all of the changes.
2. Start the WebLogic Administration Server. To start the Administration Server, use the startWebLogic script:

   • (UNIX) DOMAIN_HOME/bin/startWebLogic.sh

   • (Windows) DOMAIN_HOME\bin\startWebLogic.cmd

   Where, DOMAIN_HOME is the Administration domain.

   When prompted, enter your user name, password, and the URL of the Administration Server.

3. Make necessary changes to the following newly created datasources, for SSL settings:
   • LocalSvcTblDataSource
   • opss-audit-DBDS
   • opss-audit-viewDS
   • opss-data-source
   • WLSSchemaDataSource
   For information about updating the newly created datasources, see Updating Datasource oimOperationsDB Configuration in Administering Oracle Identity Governance
4. In case of Customer Identity and Java Standard Trust, import your identity trust certificate to the new JDK home. The 12c (12.2.1.3.0) uses jdk1.8.0_131. To import the identity trust certificate to the new JDK home, use the following command:
   ./keytool -importcert -alias startssl -keystore JAVA_HOME/jre/lib/security/cacerts -storepass <password> -file supportcert.pem
5. Verify that all of the SSL configuration changes including the SSL port related changes done in 11g (pre upgrade), are present post upgrade. If the changes are lost, you must redo them post upgrade. Some of the SSL configuration changes include:

   • OimFrontEndURL

   • backOfficeURL

   • SOA Server URL

   • ForeignJNDIProvider-SOA

   For more information about configuring SSL for Oracle Identity Goverenance, see Updating Oracle Identity Governance in Administering Oracle Identity Governance.

Increasing the Maximum Message Size for WebLogic Server Session Replication

Oracle recommends you to modify the Maximum Message Size from the default vale of 10 MB to 100 MB. This value is used to replicate the session data across the nodes. You should perform this step for all the Managed servers and the Administration server.

1. Log in to the WebLogic Server Administration Console.
2. Navigate to Servers, select Protocols, and then click General.
3. Set the value of Maximum Message Size to 100 MB.

Changing the JMS and TLOG Persistence Store After the Upgrade

The JMS and TLOG persistent store remain the same after the upgrade to Oracle Identity Manager 12c (12.2.1.3.0). That is, if the persistence store is file-based prior to the upgrade, it will be file-based after the upgrade as well.

If you want to change the persistence stores from a file-based system to a database-based system, you have to perform the steps manually. See Using Persistent Stores for TLOGs and JMS in an Enterprise Deployment.

Installing Standalone Oracle BI Publisher

When you upgrade Oracle Identity Manager 11.1.2.3.0 to Oracle Identity Governance 12c (12.2.1.3.0), the embedded Oracle BI Publisher present in the 11.1.2.3.0 deployment, is removed. Therefore, you must install a new standalone Oracle BI Publisher 12c (12.2.1.3.0) post upgrade, for configuring the Oracle Identity Governance reports.

For information about installing and configuring Oracle BI Publisher 12c (12.2.1.3.0), see Installing and Configuring Oracle BI Publisher in Developing and Customizing Applications for Oracle Identity Governance.

For information about integrating standalone Oracle BI Publisher with Oracle Identity Governance 12c (12.2.1.3.0), see Integrating Standalone BI Publisher with Oracle Identity Governance in Developing and Customizing Applications for Oracle Identity Governance.