2 Securing Datastores

The following sections explain how to upgrade security artifacts from 11g releases 11.1.1.7, 11.1.1.8, and 11.1.1.9 or 12c releases 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0, and 12.2.1.2.0 to release12c (12.2.1.3.0):

Note:

Before starting the procedures documented in this section, be sure that you have read and understand the tasks and concepts documented in the following:

2.1 About Upgrading Security to 12c (12.2.1.3.0)

An upgraded system uses newly created data sources and will not use old data sources. After upgrading, you may see duplicate OPSS data sources: one that existed before upgrading and another created during the upgrade process. This duplication poses no functional impact and the old data source is not used by the upgraded system.

After upgrading, consider moving the keystore from Java Keystore (JKS) to the keystore service (KSS) keystore. In domains upgraded to 12.2.1.0 or later, KSS keystores under the system stripe differ from those in previous releases.

The Keystore Service (KSS) keystore supports the Java Keystore (JKS), Java Cryptography Extension Keystore (JCEKS), and Oracle wallet certificate formats. Typical certificate management tasks include the following:

  • Creating a certificate for a key pair.

  • Generating a Certificate Signing Request (CSR) for the certificate and saving it to a file.

  • Sending the CSR to a certificate authority who verifies the sender, and signs and returns the certificate.

  • Importing user and trusted certificates into the keystore, by either pasting it into a text field or importing it from the file system.

    Note:

    Keystore Service supports importing PEM/BASE64-encoded certificates only. You cannot import DER-encoded certificates or trusted certificates into a keystore.

  • Exporting certificates or trusted certificates from the keystore to a file.

  • Deleting certificates or trusted certificates from the keystore.

The following points regarding public CA certificates apply to domains upgraded to 12.2.1 and to new 12.2.1 Java Required Files (JRF) domains:

  • Well-known public CA certificates are no longer available in the trust keystore in the system stripe.

  • Use instead the publiccacerts keystore in the system stripe, which has been previously seeded with well-known public CA certificates from the Java SE Development Kit (JDK) cacerts file. Alternatively, import your own certificates as needed.

  • The merge.jdkcacerts.with.trust property specifies whether to return public CA certificates in the kss://system/ubliccacerts keystore when you query the kss://system/trust keystore. Set to true, to have all publicacerts certificates returned with the query. Do not set or set to false, to have no publicacerts certificates returned with the query.

2.1.1 Before Upgrading the Security Store

Before upgrading the security store:

  • Perform a readiness check on the older version of Fusion Middleware to determine if it is suitable for upgrading to version 12c (12.2.1.3.0).

  • Create a complete backup so that you can recover it in case the upgrade fails.

2.1.2 Compatibility Table for 11g and 12c Versions

This section presents the compatible versions of binaries, configurations, schemas, and stores for releases 11.1.1.5.0, 11.1.1.6.0, 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0 and 12.2.1.x. The compatible versions of these artifacts apply to both DB and LDAP security stores. In DB stores, exactly one security store is assumed per database schema.

The following table shows the versions compatible and it applies to both DB and LDAP security stores. Note the following terminology symbols:

  • The prefix => next to a version number denotes a version equal to or higher than the stated version number.

  • The prefix > next to a version number denotes a version higher than the stated version number.

  • The prefix < next to a version number denotes a version lower than the stated version number.

Binary Configuration Schema Store Status

11.1.1.5.0

11.1.1.5.0

=>11.1.1.5.0

11.1.1.5.0

Certified

11.1.1.5.0

11.1.1.5.0

>11.1.1.5.0

>11.1.1.5.0

Not supported

11.1.1.6.0

11.1.1.5.0

=>11.1.1.5.0

11.1.1.5.0

Certified

11.1.1.6.0

11.1.1.5.0

>11.1.1.5.0

>11.1.1.5.0

Not supported

11.1.1.6.0

11.1.1.6.0

=>11.1.1.6.0

11.1.1.6.0

Certified

11.1.1.6.0

11.1.1.6.0

>11.1.1.6.0

>11.1.1.6.0

Not supported

11.1.1.7.0

11.1.1.7.0

=>11.1.1.6.0

<11.1.1.7.0

Not supported

11.1.1.7.0

11.1.1.6.0

=>11.1.1.6.0

11.1.1.6.0

Certified

11.1.1.7.0

11.1.1.6.0

>11.1.1.6.0

>11.1.1.6.0

Not supported

11.1.1.7.0

11.1.1.7.0

=>11.1.1.7.0

11.1.1.7.0

Certified

11.1.1.9.0

11.1.1.7.0

11.1.1.6.0

11.1.1.5.0

11.1.1.9.0

=>11.1.1.7.0

=>11.1.1.6.0

=>11.1.1.5.0

=>11.1.1.9.0

11.1.1.7.0

11.1.1.6.0

11.1.1.5.0

11.1.1.9.0

Certified

12.1.2.0.0

12.1.2.0.0

=>12.1.2.0.0

12.1.2.0.0

Certified (schema only upgrade)

12.1.2.0.0

<12.1.2.0.0

<12.1.2.0.0

<12.1.2.0.0

Not supported

12.1.3.0.0

12.1.3.0.0

=>12.1.3.0.0

12.1.3.0.0

Certified (schema only upgrade)

12.1.3.0.0

<12.1.3.0.0

<12.1.3.0.0

<12.1.3.0.0

Not supported

12.2.1.0.0

12.2.1.0.0

12.2.1.0.0

12.2.1.0.0

Certified

12.2.1.0.0

<12.2.1.0.0

<12.2.1.0.0

<12.2.1.0.0

Not supported

12.2.1.1.0

12.2.1.1.0

12.2.1.0.0

12.2.1.1.0

Certified

12.2.1.1.0

<12.2.1.1.0

<12.2.1.0.0

<12.2.1.1.0

Not supported

12.2.1.2.0

12.2.1.2.0

12.2.1.0.0

12.2.1.2.0

Certified

12.2.1.2.0

<12.2.1.2.0

<12.2.1.0.0

<12.2.1.2.0

Not supported

12.2.1.3.0

12.2.1.3.0

12.2.1.0.0

12.2.1.3.0

Certified

12.2.1.3.0

<12.2.1.3.0

<12.2.1.0.0

<12.2.1.3.0

Not supported

2.1.3 Upgrading Security: Main Steps

The following tables describe the steps you take to upgrade a system according to the type of security and audit stores. All of the procedures assume that your binaries have been upgraded to12c (12.2.1.3.0) Oracle Fusion Middleware binaries.

Note:

Before starting the procedures documented in this section, be sure that you have read and understand the tasks and concepts documented in the following:

Note:

During the upgrade process, if you perform any OPSS runtime operations on any of the servers before you restart them, you may get errors related to operations being performed against the OPSS Security store. These errors can occur if the binary and schema have been upgraded, but the server process that is being run is still using the old classes that have not been updated or refreshed. Therefore, Oracle recommends that you always restart all of the Managed Servers in the domain after the upgrade process is complete.

Synonym objects owned by IAU_APPEND and IAU_VIEWER will appear as INVALID in the schema version registry table, but that does not indicate a failure. Synonym objects become invalid because the target object changes after the creation of the synonym. The synonyms objects will become valid when they are accessed. You can safely ignore these INVALID objects.

Table 2-1 Upgrading from 12.1.2 or 12.1.3 to 12.2.1.x

Security Store Type Audit Store Type To upgrade to 12.2.1.x:

Oracle Internet Directory

Database

  1. Upgrade the OPSS, Audit Services (IAU) and Service Table (STB) schemas. Note that in this scenario, the OPSS schema is Oracle Internet Directory-based. .

  2. Create the database-based OPSS schema using the 12.2.1.x Oracle Fusion Middleware Repository Creation Utility. Use the existing IAU and STB prefix for the OPSS schema.

  3. Reconfigure the domain to bind the OPSS data source to the newly created OPSS schema. Enter the audit schema details in the Reconfiguration Wizard.

    Note that in this case, the database-based OPSS 12.2.1.x schema is redundant.

  4. Restart all of the servers (Administration and Managed) in the domain.

Database

Database

  1. Upgrade the OPSS, Audit Services IAU, IAU_Viewer, IAU_APPEND, and Service Table STB schemas.

  2. Reconfigure the domain.

  3. Restart all of the servers (Administration and Managed) in the domain.

Note:

Upgrading from a 12c file security store is not supported.

Table 2-2 Upgrading from 11.1.1.7 or 11.1.1.9 to 12.2.1.x

Security Store Type Audit Store Type To upgrade to 12.2.1.x:

File

File

  1. Create the OPSS schema using the 12.2.1.x Oracle Fusion Middleware Repository Creation Utility. Note that the Audit Services (IAU) and Service Table (STB) schemas are created by default with the OPSS schema.

  2. Reconfigure the domain to provide the new schema details.

  3. Restart all of the servers (Administration and Managed) in the domain.

File

Database

  1. Upgrade the 11g Audit Services (IAU) schema using the Oracle Fusion Middleware Upgrade Assistant.

  2. Create the OPSS, Audit Services Viewer (IAU_VIEWER), and Audit Services Append (IAU_APPEND) schemas using the 12.2.1.x Oracle Fusion Middleware Repository Creation Utility. Use the existing IAU prefix that you upgraded in step 1 for the new schemas. Note that the Service Table (STB) schema is created automatically.

  3. Reconfigure the domain to provide the new OPSS schema details, and to enter the 11g audit schema details in Fusion Middleware Reconfiguration Wizard.

  4. Restart all of the servers (Administration and Managed) in the domain.

Oracle Internet Directory

File

  1. Upgrade the Oracle Internet Directory-based OPSS schema using the Oracle Fusion Middleware Upgrade Assistant.

  2. Create the database-based OPSS schema using the 12.2.1.x Repository Creation Utility. Note that the Audit Services (IAU, IAU_Viewer, IAU_APPEND) and Service Table (STB) schemas are created by default with the OPSS schema.

  3. Reconfigure the domain to provide the new schema details to bind the OPSS data source to the newly created OPSS schema.

    Note that in this case, the 12.2.1.x OPSS schema is redundant.

  4. Restart all of the servers (Administration and Managed) in the domain.

Oracle Internet Directory

Database

  1. Upgrade the 11g OPSS and audit schemas using the Oracle Fusion Middleware Upgrade Assistant. Note that in this scenario, the OPSS schema is Oracle Internet Directory-based.

  2. Create the database-based OPSS schema using the 12.2.1.x Repository Creation Utility. Use the existing IAU prefix that you upgraded in step 1 for the new schemas. Note that the Service Table (STB) schema is created automatically.

  3. Reconfigure the domain to bind the OPSS data source to the newly created OPSS schema. Enter the 11g audit schema details in Fusion Middleware Reconfiguration Wizard.

    Note that in this case, both the OPSS 12.2.1.x schema and the 12.2.1.x IAU schema are redundant.

  4. Restart all of the servers (Administration and Managed) in the domain.

Database

File

  1. Create the Audit Services IAU, IAU_Viewer, IAU_APPEND schemas with 12.2.1.x Repository Creation Utility. Use the existing OPSS schema prefix. Note that the Service Table (STB) schema is created automatically.

  2. Upgrade the 11g OPSS schema using the Oracle Fusion Middleware Upgrade Assistant..

  3. Reconfigure the domain to provide the new audit schema details, and to enter the 11g OPSS schema details.

  4. Restart all of the servers (Administration and Managed) in the domain.

Database

Database

  1. Create the Audit Services Viewer and Append schemas (IAU_VIEWER and IAU_APPEND) and Service Table (STB) schemas with the 12.2.1.x Repository Creation Utility. Use the same prefix as that used for the existing OPSS and IAU schemas.

  2. Upgrade the OPSS and Audit Services (IAU) schemas using the Oracle Fusion Middleware Upgrade Assistant.Use the existing prefix for the schemas. .

  3. Reconfigure the domain to provide the 11g OPSS schema details.

  4. Restart all of the servers (Administration and Managed) in the domain.

Note:

An 11g file security store is automatically upgraded to a database-based security store.

2.1.4 Reconfiguring Domains with the Fusion Middleware Reconfiguration Wizard

Run the procedure in this section to reconfigure a domain using the Fusion Middleware Reconfiguration Wizard. For complete details about the Reconfiguration Wizard, see Reconfiguring WebLogic Domains in Upgrading Oracle WebLogic Server.

Note:

In some configurations, you may get an invalid key size exception when running the Reconfiguration Wizard. Oracle recommends that you check your configuration before running the Reconfiguration Wizard, and if necessary, install the JCE Unlimited Strength Jurisdiction Policy Files.

  1. Start the Fusion Middleware Reconfiguration Wizard:
    > cd oracle_common/common/bin
    > ./reconfig.sh
    
  2. In the Select Domain page, specify the directory of the domain to reconfigure, and then click Next.
  3. In the Database Configuration Type page, select RCU Data, enter the database connection details, and click Get RCU Configuration. The results of the retrieval are displayed.
  4. Click Next.
  5. The JDBC Component Schema page displays the table of schemas affected. Check rows as appropriate, and then click Next.
  6. In the JDBC Component Schema Test page, click Test Selected Connections. The results of the test are displayed. Click Next.
  7. In the Advanced Configuration page, check boxes as appropriate, and then click Next.

    Additional pages are displayed depending on the options you selected.

  8. When you have finished providing all the required information in the remaining pages, the Configuration Summary page displays the options you chose. Click Reconfigure.

2.2 Upgrading a Shared Security Store

To upgrade a security store shared (joined) by several domains, use one of the following tasks:

2.2.1 Upgrading a Shared 12c Security Store

Run the procedure in this section to upgrade to12c (12.2.1.3.0) from a previous 12c shared security store.

  1. Shut down all domains that share the store you want to upgrade.
  2. Run the Upgrade Assistant to upgrade the OPSS schema of the shared security store and the audit schema if the source audit data is a database store.
  3. In each of the domains sharing the security store, run Fusion Middleware Reconfiguration Wizard to reconfigure the domain and to upgrade OPSS data, directory information tree, and product security artifacts.
  4. Restart all domains sharing the security store.

2.2.2 Upgrading a Shared 11g Security Store

Run the procedure in this section to upgrade to 12.2.1.x from an 11.1.1.7 or 11.1.1.9 shared security store.

  1. Shut down all domains sharing the store you want to upgrade.
  2. Run the Upgrade Assistant to upgrade the OPSS schema of the shared security store, and the audit schema if the source audit is a database store.
  3. Run the Reconfiguration Wizard in each of the domains sharing the security store. When first run, it upgrades the data of the security store and configuration of the domain. When run from any other domain, it will upgrade only the configuration of that domain.
  4. Restart all upgraded domains.