Skip Headers
Oracle® Application Server Upgrade and Compatibility Guide
10g Release 2 (10.1.2) for Microsoft Windows
Part No. B14096-05
  Go To Documentation Library
Home
Go To Table Of Contents
Contents
Go To Index
Index

Previous
Previous
Next
Next
 

5 Upgrading Identity Management Services

This chapter contains the following sections:


Note:

If you are upgrading a distributed OracleAS Identity Management environment, an OracleAS Identity Management replication environment, or if you are interested in the data migration method of upgrading OracleAS Identity Management, see Chapter 6, "Additional OracleAS Identity Management Upgrade Procedures".

5.1 Overview of the OracleAS Identity Management Components

OracleAS Identity Management is part of the Oracle Application Server Infrastructure. It consists of:


See Also:

Oracle Application Server Concepts for an overview of the OracleAS Infrastructure

Oracle Application Server Installation Guide for information about installing OracleAS Identity Management


5.2 Task 1: Review Your OracleAS Identity Management Configuration

Before you upgrade OracleAS Identity Management, you should be familiar with the various configurations that you may have implemented at your site.

The OracleAS Identity Management you want to upgrade will vary depending upon whether you are running Oracle Application Server Release 2 (9.0.2) or Oracle Application Server 10g (9.0.4). The following sections describe the configuration options available for each version of Oracle Application Server:

5.2.1 Oracle Application Server Release 2 (9.0.2) OracleAS Identity Management Configuration Options

In Oracle Application Server Release 2 (9.0.2), the components of OracleAS Identity Management are always installed with a OracleAS Metadata Repository. As a result, each Oracle Application Server Release 2 (9.0.2) Infrastructure installations is a colocated Infrastructure.


See Also:

Section 1.1.2, "Reviewing Your Current OracleAS Infrastructure Configuration" for definitions of colocated and non-colocated OracleAS Infrastructure installations

However, even though all Release 2 (9.0.2) OracleAS Identity Management installations include an OracleAS Metadata Repository, the Release 2 (9.0.2) Identity Management configuration can still be non-distributed or distributed.

In a non-distributed Release 2 (9.0.2) OracleAS Identity Management installation, Oracle Application Server Single Sign-On and Oracle Internet Directory share a metadata repository, as shown in Figure 5-1.

Alternatively, the Release 2 (9.0.2) Identity Management configuration can be distributed, in which Oracle Application Server Single Sign-On and Oracle Internet Directory each use a separate metadata repository. This is depicted in Figure 5-2.


Notes:

If, in Oracle9iAS Release 2 (9.0.2), you had a Oracle Delegated Administration Services (DAS) or Oracle Directory Integration and Provisioning (DIP) operating in a middle tier, and you want to set up DAS or DIP in 10g Release 2 (10.1.2), you must perform a DAS-only or DIP-only installation in a separate Oracle home.

See the section titled "Installing Identity Management Components Only" in the chapter "Installing OracleAS Infrastructure 10g" in the Oracle Application Server Installation Guide.

In addition, if the Release 2 (9.0.2) OracleAS Single Sign-On server was using a middle tier other than the default middle-tier installation with the SSO server, then you can install a new 10g Release 2 (10.1.2) OracleAS Single Sign-On middle tier and decommission the non-default, old OracleAS Single Sign-On middle tier.


Figure 5-1 Non-Distributed Identity Management

Description of Figure 5-1  follows
Description of "Figure 5-1 Non-Distributed Identity Management"

Figure 5-2 Distributed Identity Management in Release 2 (9.0.2)

Description of Figure 5-2  follows
Description of "Figure 5-2 Distributed Identity Management in Release 2 (9.0.2)"

5.2.2 Oracle Application Server 10g (9.0.4) OracleAS Identity Management Configuration Options

Oracle Application Server 10g (9.0.4) introduced three OracleAS Infrastructure installation types. These installation types are also available in Oracle Application Server 10g Release 2 (10.1.2). These installation types allow you to install:

  • Identity Management and OracleAS Metadata Repository

  • Identity Management

  • OracleAS Metadata Repository

Selecting the Identity Management and OracleAS Metadata Repository installation type results in a colocated Infrastructure, where both the OracleAS Metadata Repository and OracleAS Identity Management are in the same Oracle home.

If you install only OracleAS Identity Management, you must provide connection details and logon credentials for a valid OracleAS Metadata Repository.

The option you choose when you install the OracleAS Infrastructure determines whether or not you are installing a colocated Infrastructure or a non-colocated Infrastructure.


See Also:

Section 1.1.2, "Reviewing Your Current OracleAS Infrastructure Configuration" for more information about colocated Infrastructure and non-colocated Infrastructure installations

As with Oracle Application Server Release 2 (9.0.2), your 10g (9.0.4) OracleAS Identity Management configuration can be distributed or non-distributed. The 10g (9.0.4) non-distributed configuration is the same as Release 2 (9.0.2) non-distributed OracleAS Identity Management configuration shown in Figure 5-1.

However, in 10g (9.0.4), the OracleAS Identity Management components do not require an OracleAS Metadata Repository in the same Oracle home. Consider the following examples of distributed OracleAS Identity Management installations:

  • Figure 5-3 shows how the OracleAS Single Sign-On component of OracleAS Identity Management can be installed in a separate 10g (9.0.4) Oracle home from the Oracle Internet Directory, but share the same OracleAS Metadata Repository.

  • Figure 5-4 shows an extension of the previous example. It introduces a third host, which is used to host an Oracle Application Server Certificate Authority (OCA) installation. The OCA installation uses the same Oracle Internet Directory as OracleAS Single Sign-On, but it has its own OracleAS Metadata Repository to store the OCA schema.

Figure 5-3 Distributed Identity Management in 10g (9.0.4) - Example 1

Description of Figure 5-3  follows
Description of "Figure 5-3 Distributed Identity Management in 10g (9.0.4) - Example 1"

Figure 5-4 Distributed Identity Management in 10g (9.0.4) - Example 2

Description of Figure 5-4  follows
Description of "Figure 5-4 Distributed Identity Management in 10g (9.0.4) - Example 2"

5.2.3 About Oracle Application Server Certificate Authority

Oracle Application Server Certificate Authority (OCA) is an OracleAS Identity Management component that was introduced in 10g (9.0.4).

If you are upgrading from 10g (9.0.4) and you have installed and configured OCA, the OracleAS Identity Management upgrade procedure will also upgrade OCA.

However, if you are upgrading from Release 2 (9.0.2), and you would like to add OCA to your OracleAS Identity Management installation, you must install OCA into its own Oracle home after upgrading the other OracleAS Identity Management components to 10g Release 2 (10.1.2.0.2).

Specifically, you can add OCA to your existing OracleAS Identity Management Oracle environment as follows:

  1. Upgrade the OracleAS Identity Management components to 10g Release 2 (10.1.2.0.2) as described later in this chapter.

  2. Use the instructions in Chapter 7, "Upgrading the OracleAS Metadata Repository" to run the Metadata Repository Upgrade Assistant (MRUA).

    If the OCA schema does not exist in the OracleAS Metadata Repository, MRUA will create the OCA schema.

  3. Do one of the following:

    • Install OCA into a new 10g Release 2 (10.1.2.0.2) Oracle home that uses the existing Oracle Internet Directory, OracleAS Single Sign-On, and the upgraded OracleAS Metadata Repository where the new OCA schema now exists.

      OR

    • Install OCA into a new 10g Release 2 (10.1.2.0.2) Oracle home with its own OracleAS Metadata Repository, but using the existing Oracle Internet Directory and OracleAS Single Sign-On.

5.3 Task 2: Understand the OracleAS Identity Management Database Requirements

Regardless of the OracleAS Identity Management configuration, all OracleAS Identity Management installations require access to an OracleAS Metadata Repository. The OracleAS Metadata Repository is required because OracleAS Identity Management depends upon specific schemas that are created in the OracleAS Metadata Repository during the OracleAS Metadata Repository installation.

When you upgrade OracleAS Identity Management, the upgrade procedure upgrades the OracleAS Identity Management schemas in the OracleAS Metadata Repository. However, it can only do so if the database that hosts the OracleAS Metadata Repository is upgraded to a database version supported by Oracle Application Server 10g Release 2 (10.1.2).

How you upgrade the database depends upon the whether or not the OracleAS Identity Management is part of a colocated or non-colocated Infrastructure.


See Also:

Section 1.1.2, "Reviewing Your Current OracleAS Infrastructure Configuration" for a definition of colocated and non-colocated Infrastructures

The following sections provide more details about the database requirements when upgrading OracleAS Identity Management:

5.3.1 Database Upgrade Requirements When the OracleAS Identity Management is Part of a Colocated Infrastructure

If the OracleAS Identity Management you are upgrading is part of a colocated Infrastructure, Oracle Universal Installer automatically upgrades the OracleAS Metadata Repository database to a supported version when you upgrade OracleAS Identity Management.

After you upgrade OracleAS Identity Management in a colocated Infrastructure, refer to the following sections for information about post-upgrade tasks you should consider performing to help you manage and maintain the upgraded database:


Note:

After you upgrade Release 2 (9.0.2) OracleAS Identity Management in a colocated Infrastructure, the upgraded database contains invalid objects and represents an unsupported configuration. As a result, you must run the Metadata Repository Upgrade Assistant (MRUA) immediately after the database upgrade.

See Chapter 7, "Upgrading the OracleAS Metadata Repository" for more information about running MRUA.

See Section 1.7, "Understanding Transitional, Stable, and Unsupported Configurations" for more information about transitional, stable, and unsupported configurations while upgrading to 10g Release 2 (10.1.2).


5.3.2 Database Upgrade Requirements When the OracleAS Identity Management is Part of Non-Colocated Infrastructure

If the OracleAS Identity Management you are upgrading is part of a non-colocated Infrastructure, you must upgrade the OracleAS Metadata Repository database first, before upgrading the OracleAS Identity Management installation.

The procedure you use to upgrade the database depends upon whether or not the database is a seed database or a OracleAS Metadata Repository Creation Assistant database.

Consider the following when upgrading a OracleAS Metadata Repository database in a non-colocated Infrastructure:

  • If the OracleAS Metadata Repository was installed in a seed database, as part of a 10g (9.0.4) OracleAS Metadata Repository installation, you can use Oracle Universal Installer to upgrade the database automatically.

  • On the other hand, if you used the OracleAS Metadata Repository Creation Assistant to create the OracleAS Metadata Repository, you must upgrade the database manually, using the standard Oracle database upgrade procedures.

5.3.3 Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade

Depending upon the OracleAS Identity Management configuration you are upgrading, you might be prompted to stop the database listener during the OracleAS Identity Management upgrade. Specifically, you should receive this prompt if you are upgrading a colocated Infrastructure, where the OracleAS Metadata Repository and OracleAS Identity Management are installed in the same Oracle home.

You should not stop the listener until you are prompted to do so. However, when such a prompt appears, use the lsnrctl utility to stop the database listener as follows:

  1. Set the ORACLE_HOME environment variable to the Oracle home of the listener you want to stop.

  2. Verify the version of the listener you are about to stop by entering the following command:

    %ORACLE_HOME%\bin\lsnrctl version
    
    

    The lsnrctl utility displays information about the current database listener. Review the information to verify that you are stopping the correct listener.

  3. Stop the listener by entering the following command:

    %ORACLE_HOME%\bin\lsnrctl stop
    

5.3.4 Summary of the OracleAS Identity Management Database Upgrade Requirements

In summary, before you upgrade OracleAS Identity Management, the database that hosts the OracleAS Identity Management schemas must be a version of the database supported by 10g Release 2 (10.1.2.0.2).

For more information, refer to Section 7.1, "Task 1: Upgrade the Database That Hosts the OracleAS Metadata Repository". Information about database support requirements is also available in the Oracle Application Server Metadata Repository Creation Assistant User's Guide.


See Also:

Section 7.1.2, "Using OracleMetaLink to Obtain the Latest Oracle Application Server Software Requirements" for information about obtaining the very latest information on the OracleAS Metadata Repository database requirements

5.4 Task 3: Back Up the OracleAS Identity Management Installation

Before you begin upgrading your OracleAS Identity Management installation, perform a backup of the OracleAS Identity Management Oracle home, and perform a backup of the database that hosts the OracleAS Identity Management schemas.

5.5 Task 4: Perform the OracleAS Identity Management Upgrade

The following sections describe how to perform the OracleAS Identity Management upgrade for the typical OracleAS Identity Management configurations.


See Also:

Chapter 6, "Additional OracleAS Identity Management Upgrade Procedures" for information about upgrading more advanced OracleAS Identity Management configurations

5.5.1 Upgrading OracleAS Identity Management in a Colocated Infrastructure

If OracleAS Identity Management is installed as part of a colocated Infrastructure, you can use Oracle Universal Installer to do all of the following as part of the Oracle Application Server 10g Release 2 (10.1.2) installation procedure:

  • Upgrade the OracleAS Metadata Repository database.

  • Upgrade the OracleAS Identity Management program, configuration, and data files.

  • Upgrade the OracleAS Identity Management schemas in the OracleAS Metadata Repository.

To upgrade OracleAS Identity Management in a colocated Infrastructure Oracle home:

  1. If you are upgrading from Release 2 (9.0.2), make sure you have applied the latest Release 2 (9.0.2) patchsets.

    The OracleAS Identity Management upgrade procedures have been tested using the latest patchsets available from OracleMetaLink. Therefore, before you upgrade Release 2 (9.0.2) OracleAS Identity Management, apply the latest Oracle Application Server 9.0.2 patchsets.

    The OracleMetaLink Web site is at the following URL:

    http://metalink.oracle.com/
    
    

    At the time this document was published the most recent Oracle9iAS patchset release was the Oracle9iAS 9.0.2.3 patchset (3038037). To locate this patchset, search for patch number 3038037 on OracleMetaLink.


    Note:

    After applying Oracle9iAS 9.0.2.3 patchset (3038037), verify that the patchset was applied successfully before proceeding with the 10g Release 2 (10.1.2) upgrade. For example, verify that the Application Server Control, your deployed applications, and the components you use are functioning properly after you apply the patchset.

  2. Stop all the middle tiers that are using the services of the OracleAS Identity Management installation.

  3. Log in to the computer on which Release 2 (9.0.2) or 10g (9.0.4) instance is installed, as the same operating system user that performed the Release 2 (9.0.2) or 10g (9.0.4) installation.


    Note:

    The account you log in to install or upgrade the OracleAS Metadata Repository must be listed as a member of the Administrators group.

  4. Make sure that the OracleAS Metadata Repository database and database listener are up and running.

  5. Make sure the Oracle Internet Directory server is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p Non-SSL_port -h
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p SSL_port -h -U 1
    
    

    These commands should return a "bind successful" message.


    See Also:

    "Syntax for LDIF and Command-Line Tools" in the Oracle Internet Directory Administrator's Guide for more information about the ldapbind utility


    Note:

    Oracle Internet Directory 10g (9.0.4) allows you to start and stop the directory service using OPMN or the oidctl utility.

    Before upgrading a 10g (9.0.4) OracleAS Identity Management Oracle home that contains Oracle Internet Directory, start the Oracle Internet Directory instance using the opmnctl utility or the Application Server Control Console. Do not use the oidctl utility to start and stop Oracle Universal Installer in a 10g (9.0.4) Oracle home; otherwise, Oracle Universal Installer will not be able to start and stop Oracle Internet Directory automatically during the upgrade process.

    The correct use of opmnctl and oidctl is described in the Chapter "Oracle Internet Directory Process Control–Best Practices" in the Oracle Internet Directory Administrator's Guide.


  6. Set the required environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set following variables so they do not reference any Oracle home directories:

    • PATH

    • CLASSPATH

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  7. If you the ORACLE_HOME environment variable was previously set, restart the host computer after unsetting the variable.

    The system restart is necessary to clear the ORACLE_HOME variable from the system registry. If you do not restart the computer after clearing the ORACLE_HOME variable, the installation might report an error and prevent you from finishing the installation.

  8. Mount the media and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  9. Refer to Table 5-1 for information on the options you should select on each screen.

  10. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible in the new 10g Release 2 (10.1.2) Oracle home.


    See Also:

    Oracle Application Server Administrator's Guide, Chapter 1, "Accessing the Single Sign-On Server"

  11. If you are upgrading from Release 2 (9.0.2), immediately run the Metadata Repository Upgrade Assistant (MRUA) to upgrade the OracleAS Metadata Repository component schemas.

    After you upgrade Release 2 (9.0.2) OracleAS Identity Management in a colocated Infrastructure, the upgraded database contains invalid objects and represents an unsupported configuration. As a result, you must run the Metadata Repository Upgrade Assistant (MRUA) immediately after the database upgrade.


    See Also:

    Chapter 7, "Upgrading the OracleAS Metadata Repository" for more information about running MRUA.

    Section 1.7, "Understanding Transitional, Stable, and Unsupported Configurations" for more information about transitional, stable, and unsupported configurations while upgrading to 10g Release 2 (10.1.2).


Table 5-1 Summary of the Oracle Universal Installer Screens During the OracleAS Identity Management Upgrade in a Colocated infrastructure

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select Oracle Application Server Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management and Metadata Repository.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading.

Upgrade Existing Infrastructure

This screen appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected time on the computer, then the drop-down list is inactive.)

Figure 5-5 shows an example of the Upgrade Existing Infrastructure screen when you are upgrading from a Release 2 (9.0.2) OracleAS Infrastructure.

Specify Oracle Internet Directory Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Metadata Repository database must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home.Foot 1 

However, you must manually stop any database clients and OracleAS Metadata Repository clients that reside in another Oracle home.

Clients of the OracleAS Metadata Repository include:

  • OracleAS Identity Management components that use this OracleAS Metadata Repository.

  • Middle tier instances that use this OracleAS Metadata Repository

Within each middle tier that uses this OracleAS Metadata Repository, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping " in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

Review the dialog box determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to Application Server Control Console to manage Oracle Application Server.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

Notes:

  • The Database Upgrade Assistant (DBUA) can take a significant amount of time to upgrade the database. For more information how long it takes to upgrade your database, see Section 3.3, "Planning for System Downtime".

  • While Database Upgrade Assistant is running, do not use the Stop button to interrupt the execution of Database Upgrade Assistant. If you press Stop, the underlying processes for Database Upgrade Assistant will continue to run. Also, Oracle Universal Installer will wait until those processes complete before returning control to the user.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

Figure 5-5 Upgrade Existing OracleAS Infrastructure Screen

Description of Figure 5-5  follows
Description of "Figure 5-5 Upgrade Existing OracleAS Infrastructure Screen"

5.5.2 Upgrading OracleAS Identity Management in a Non-Colocated 10g (9.0.4) Infrastructure

To upgrade OracleAS Identity Management in a non-colocated Infrastructure, you use Oracle Universal Installer just as you do when OracleAS Identity Management is in a colocated Infrastructure.

This section applies only to 10g (9.0.4) OracleAS Identity Management upgrades; Release 2 (9.0.2) did not support non-colocated Infrastructure installations.

Before you can upgrade OracleAS Identity Management in a non-colocated Infrastructure, you must verify that the OracleAS Metadata Repository that hosts the OracleAS Identity Management schemas is running in a supported version of the Oracle database.

If the OracleAS Metadata Repository is not hosted by a supported database version, you must upgrade the database. The method you use to upgrade the OracleAS Metadata Repository database varies, depending upon whether the database is a seed database or a OracleAS Metadata Repository Creation Assistant database.

After you determine whether or not the database is a seed database or an OracleAS Metadata Repository Creation Assistant database, you can upgrade the database by following the instructions for upgrading the OracleAS Metadata Repository database.

To upgrade OracleAS Identity Management in a non-colocated Infrastructure:

  1. Verify that the version of the database that hosts the OracleAS Identity Management schemas is a supported version for 10g Release 2 (10.1.2) OracleAS Identity Management.

    The OracleAS Identity Management schemas are stored in an OracleAS Metadata Repository.

    If necessary, upgrade the database by using the instructions in Section 7.1, "Task 1: Upgrade the Database That Hosts the OracleAS Metadata Repository".

  2. Make sure that the OracleAS Metadata Repository database and database listener are up and running.

  3. Log in to the computer on which the 10g (9.0.4) instance is installed, as the same operating system user that performed the 10g (9.0.4) installation.

  4. Make sure the Oracle Internet Directory server is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p Non-SSL_port
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p SSL_port -U 1
    
    

    These commands should return a "bind successful" message.


    See Also:

    "Syntax for LDIF and Command-Line Tools" in the Oracle Internet Directory Administrator's Guide for more information about the ldapbind utility


    Note:

    Oracle Internet Directory 10g (9.0.4) allows you to start and stop the directory service using OPMN or the oidctl utility.

    Before upgrading an OracleAS Identity Management Oracle home that contains Oracle Internet Directory, start the Oracle Internet Directory instance using the opmnctl utility or the Application Server Control Console. Do not use the oidctl utility; otherwise, Oracle Universal Installer will not be able to start and stop Oracle Internet Directory automatically during the upgrade process.

    The correct use of opmnctl and oidctl is described in the Chapter "Oracle Internet Directory Process Control–Best Practices" in the Oracle Internet Directory Administrator's Guide.


  5. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set following variables so they do not reference any Oracle home directories:

    • PATH

    • CLASSPATH

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  6. If you the ORACLE_HOME environment variable was previously set, restart the host computer after unsetting the variable.

    The system restart is necessary to clear the ORACLE_HOME variable from the system registry. If you do not restart the computer after clearing the ORACLE_HOME variable, the installation might report an error and prevent you from finishing the installation.

  7. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD–ROM and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  8. Refer to Table 5-2 for information on the options you should select on each screen.

  9. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible in the new 10g Release 2 (10.1.2) Oracle home.


    See Also:

    Oracle Application Server Administrator's Guide, Chapter 1, "Accessing the Single Sign-On Server"

Table 5-2 Summary of the Oracle Universal Installer Screens During the OracleAS Identity Management Upgrade in a 10g (9.0.4) Non-Colocated infrastructure

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select OracleAS Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading.

Upgrade Existing Infrastructure

This screen (Figure 5-5) appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected time on the computer, then the drop-down list is inactive.)

Specify OID Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Identity Management installation must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home automatically.Foot 1 

However, you must manually stop any OracleAS Identity Management clients that reside in another Oracle home

Clients of an OracleAS Identity Management instance include:

  • OracleAS Identity Management components that are distributed and installed in another Oracle home

  • Middle tier instances that use this OracleAS Identity Management instance for authentication or identity services

Within each middle tier that uses this OracleAS Identity Management instance, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping " in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

If a database listener is running on the host, a warning dialog box displays. Review the dialog box determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to the Application Server Control Console to manage the Oracle Application Server instance.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home. The install screen shows you the progress of the installation as it copies files to your local disk.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

5.5.3 Upgrading Distributed OracleAS Identity Management Configurations

The following sections describe how to upgrade a distributed OracleAS Identity Management configuration:

5.5.3.1 Upgrading Release 2 (9.0.2) Distributed OracleAS Identity Management Configurations

A distributed OracleAS Identity Management configuration consists of multiple Oracle homes. One of the Oracle homes contains the Oracle Internet Directory.

In a Release 2 (9.0.2) distributed OracleAS Identity Management installation, the other Oracle home contains OracleAS Single Sign-On and its own OracleAS Metadata Repository (Figure 5-2).

To upgrade a Release 2 (9.0.2) distributed OracleAS Identity Management configuration:

  1. Review Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled" to determine exactly which OracleAS Identity Management components will be upgraded.

  2. Use the procedure in Section 5.5.1, "Upgrading OracleAS Identity Management in a Colocated Infrastructure" to upgrade the Oracle home that includes the Oracle Internet Directory and its OracleAS Metadata Repository.

    You must upgrade the Oracle Internet Directory first before upgrading the other distributed OracleAS Identity Management components.


    Note:

    If you are running only Oracle Internet Directory from the Oracle home, check to be sure the other OracleAS Identity Management components are disabled so they will not be upgraded or started in the destination 10g Release 2 (10.1.2) Oracle home.

    For more information, see Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled".


  3. Make sure you have applied the latest Release 2 (9.0.2) patchsets to the OracleAS Identity Management Oracle home you are about to upgrade.

    The OracleAS Identity Management upgrade procedures have been tested using the latest patchsets available from OracleMetaLink. As a result, before you upgrade Release 2 (9.0.2) OracleAS Identity Management, apply the latest Oracle Application Server 9.0.2 patchsets.

    The OracleMetaLink Web site is at the following URL:

    http://metalink.oracle.com/
    
    

    At the time this document was published the most recent Oracle9iAS patchset release was the Oracle9iAS 9.0.2.3 patchset (3038037). To locate this patchset, search for patch number 3038037 on OracleMetaLink.


    Note:

    After applying Oracle9iAS 9.0.2.3 patchset (3038037), verify that the patchset was applied successfully before proceeding with the 10g Release 2 (10.1.2) upgrade. For example, verify that the Application Server Control, your deployed applications, and the components you use are functioning properly after you apply the patchset.

  4. Make sure that the OracleAS Metadata Repository database being used by Oracle Application Server Single Sign-On and its database listener are up and running.

  5. Log in to the computer on which the other distributed OracleAS Identity Management components are installed, as the same operating system user that performed the Release 2 (9.0.2) installation.


    Note:

    The account you log in to install or upgrade the OracleAS Metadata Repository must be listed as a member of the Administrators group.

  6. Make sure the Oracle Internet Directory Server has been upgraded to 10g Release 2 (10.1.2) and that it is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p Non-SSL_port
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p SSL_port -U 1
    
    

    These commands should return a "bind successful" message.


    See Also:

    "Syntax for LDIF and Command-Line Tools" in the Oracle Internet Directory Administrator's Guide for more information about the ldapbind utility

  7. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set following variables so they do not reference any Oracle home directories:

    • PATH

    • CLASSPATH

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  8. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD–ROM and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  9. Refer to Table 5-3 for information on the options you should select on each screen.

  10. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible in the new 10g Release 2 (10.1.2) Oracle home.


    See Also:

    "Accessing the Single Sign-On Server" in the Oracle Application Server Single Sign-On Administrator's Guide

Table 5-3 Summary of the Oracle Universal Installer Screens During a Release 2 (9.0.2) Distributed OracleAS Identity Management Upgrade

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select Oracle Application Server Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management and Metadata Repository.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading. In this case, the Release 2 (9.0.2) OracleAS Single Sign-On installation includes its own OracleAS Metadata Repository, so you must select the colocated OracleAS Identity Management and OracleAS Metadata Repository installation type.

Upgrade Existing Infrastructure

This screen (Figure 5-5) appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected time on the computer, then the drop-down list is inactive.)

Specify Oracle Internet Directory Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

These are the login credentials for the database installed in the OracleAS Single Sign-On Oracle home. See Figure 5-2, "Distributed Identity Management in Release 2 (9.0.2)".

Specify OID Database Login

Enter SYS in the Username field and the SYS user's password for the Oracle Internet Directory database in the Password field.

These are login credentials for the database where Oracle Internet Directory has been installed. See Figure 5-2, "Distributed Identity Management in Release 2 (9.0.2)".

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Identity Management installation must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home automatically.Foot 1 

However, you must manually stop any OracleAS Identity Management clients that reside in another Oracle home

Clients of an OracleAS Identity Management instance include:

  • OracleAS Identity Management components that are distributed and installed in another Oracle home

  • Middle tier instances that use this OracleAS Identity Management instance for authentication or identity services

Within each middle tier that uses this OracleAS Identity Management instance, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping " in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

If a database listener is running on the host, a warning dialog box displays. Review the dialog box determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to Application Server Control Console to manage Oracle Application Server.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

Notes:

  • The Database Upgrade Assistant (DBUA) can take a significant amount of time to upgrade the database. For more information how long it takes to upgrade your database, see Section 3.3, "Planning for System Downtime".

  • While Database Upgrade Assistant is running, do not use the Stop button to interrupt the execution of Database Upgrade Assistant. If you press Stop, the underlying processes for Database Upgrade Assistant will continue to run. Also, Oracle Universal Installer will wait until those processes complete before returning control to the user.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

5.5.3.2 Upgrading 10g (9.0.4) Distributed OracleAS Identity Management Configurations

A distributed OracleAS Identity Management configuration consists of multiple Oracle homes. One of the Oracle homes contains the Oracle Internet Directory.

In a 10g (9.0.4) distributed OracleAS Identity Management installation, the other Oracle homes contain additional OracleAS Identity Management components, such as OracleAS Single Sign-On, Delegated Administration Services, Oracle Directory Integration and Provisioning, and OracleAS Certificate Authority.

To upgrade a 10g (9.0.4) distributed OracleAS Identity Management configuration (as shown in Figure 5-3), do the following:

  1. Review Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled" to determine exactly which OracleAS Identity Management components will be upgraded.

  2. Synchronize the system clocks on all nodes where the OracleAS Identity Management components reside so they are running within 250 seconds of each other.

    When synchronizing the system clocks, make sure the clocks are set to the same time zone.

  3. Upgrade the Oracle home that includes the Oracle Internet Directory used by the other OracleAS Identity Management components.

    You must upgrade the Oracle Internet Directory first before upgrading the other distributed OracleAS Identity Management components.

    To upgrade the Oracle Internet Directory Oracle home, use one of the following procedures, depending upon the type of installation used for the Oracle Internet Directory Oracle home:


    Note:

    If you are running only Oracle Internet Directory from the Oracle home, check to be sure the other OracleAS Identity Management components are disabled so they will not be upgraded or started in the destination 10g Release 2 (10.1.2) Oracle home.

    For more information, see Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled".


  4. Make sure that the OracleAS Metadata Repository database and database listener used by the distributed components are up and running.

  5. Log in to the computer on which the distributed OracleAS Identity Management components are installed, as the same operating system user that performed the 10g (9.0.4) installation.


    Note:

    The account you log in to install or upgrade the OracleAS Metadata Repository must be listed as a member of the Administrators group.

  6. Make sure the Oracle Internet Directory server is upgraded to 10g Release 2 (10.1.2) and that it is up and running.

    To verify that Oracle Internet Directory is running, enter one of the following commands.


    Note:

    You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command.

    After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.


    If you are running Oracle Internet Directory on a non-secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p Non-SSL_port
    
    

    If you are running Oracle Internet Directory on a secure port:

    SOURCE_ORACLE_HOME\bin\ldapbind -p SSL_port -U 1
    
    

    These commands should return a "bind successful" message.

  7. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

    In particular, be sure to set following variables so they do not reference any Oracle home directories:

    In addition, be sure the following environment variables are not set:

    • TNS_ADMIN

    • ORACLE_HOME

    • ORACLE_SID

  8. If you the ORACLE_HOME environment variable was previously set, restart the host computer after unsetting the variable.

    The system restart is necessary to clear the ORACLE_HOME variable from the system registry. If you do not restart the computer after clearing the ORACLE_HOME variable, the installation might report an error and prevent you from finishing the installation.

  9. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD–ROM and start the installer.


    See Also:

    Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

  10. Refer to Table 5-4 for information on the options you should select on each screen.

  11. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible.


    See Also:

    "Accessing the Single Sign-On Server" in the Oracle Application Server Single Sign-On Administrator's Guide

Table 5-4 Summary of the Oracle Universal Installer Screens During a 10g (9.0.4) Distributed OracleAS Identity Management Upgrade

Screen Description and Recommended Options to Select

Welcome

Welcomes you to Oracle Universal Installer and the Oracle Application Server 10g Release 2 (10.1.2) installation procedure.

Specify File Locations

Enter a name and path for the new Oracle home.

This new Oracle home will be the destination Oracle home for your Oracle Application Server 10g Release 2 (10.1.2) upgrade.

Select a Product to Install

Select Oracle Application Server Infrastructure 10g.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, then click Product Languages.

Language Selection

The screen appears only if you clicked Product Languages on the Select a Product to Install screen.

If multiple languages are used in the OracleAS Infrastructure you are upgrading, select those languages.

If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.

Select Installation Type

Select Identity Management or Identity Management and Metadata Repository, depending upon the installation type you selected when you installed the distributed OracleAS Identity Management components.

Note: It is very important that you select the same installation type that is used in the Oracle home you are upgrading. In this case, you are upgrading a non-colocated OracleAS Identity Management installation, so you must select Identity Management.

Upgrade Existing Infrastructure

This screen (Figure 5-5) appears when Oracle Universal Installer detects an existing Oracle Application Server installation of the same type as the one you selected on the Select Installation Type screen.

Select the option to upgrade an existing OracleAS Infrastructure, and then select the Oracle home you want to upgrade from the drop-down list. (If there is only one Infrastructure of the selected time on the computer, then the drop-down list is inactive.)

Specify OID Login

Enter the Oracle Internet Directory superuser distinguished name (DN) in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the Oracle Internet Directory superuser DN is not cn=orcladmin.

Enter the password for the superuser DN in the Password field.

Specify Infrastructure Database Connection Information

Enter SYS in the Username field and the SYS user's password in the Password field.

Warning dialog box

This dialog box warns you that all the clients of the OracleAS Identity Management installation must now be stopped. Oracle Universal Installer will automatically stop any clients within the source Oracle home automatically.Foot 1 

However, you must manually stop any OracleAS Identity Management clients that reside in another Oracle home

Clients of an OracleAS Identity Management instance include:

  • OracleAS Identity Management components that are distributed and installed in another Oracle home

  • Middle tier instances that use this OracleAS Identity Management instance for authentication or identity services

Within each middle tier that uses this OracleAS Identity Management instance, you must be sure to stop all components, including Oracle HTTP Server and OracleAS Web Cache.

For more information, see the chapter "Starting and Stopping " in the Oracle Application Server Administrator's Guide.

Database Listener Warning Dialog Box

If a database listener is running on the host, a warning dialog box displays. Review the dialog box determine whether or not you need to stop the listener manually.

For more information, see Section 5.3.3, "Stopping the Database Listener When Prompted During the OracleAS Identity Management Upgrade".

Specify Instance Name and ias_admin Password

Enter a name for the new Oracle Application Server 10g Release 2 (10.1.2) instance and a password for the ias_admin Administrator account.

You use the ias_admin password to log on to Application Server Control Console to manage Oracle Application Server.

In general, the minimum length of the ias_admin password is five alphanumeric characters. At least one of the characters must be a number and the password cannot start with a number.

For more information, see the section "The ias_admin User and Restrictions on its Password" in the Oracle Application Server Installation Guide.

Summary

Use this screen to confirm the choices you've made. Click Install to begin upgrading to the new 10g Release 2 (10.1.2) Oracle home.

The Configuration Assistants

After the initial software is installed, a set of configuration assistants automatically set up the components in the new 10g Release 2 (10.1.2) Oracle home. Use this screen to follow the progress of each assistant and to identify any problems during this phase of the installation.

Notes:

  • The Database Upgrade Assistant (DBUA) can take a significant amount of time to upgrade the database. For more information how long it takes to upgrade your database, see Section 3.3, "Planning for System Downtime".

  • While Database Upgrade Assistant is running, do not use the Stop button to interrupt the execution of Database Upgrade Assistant. If you press Stop, the underlying processes for Database Upgrade Assistant will continue to run. Also, Oracle Universal Installer will wait until those processes complete before returning control to the user.

End of Installation

When the installation and upgrade is complete, this screen provides important details about the 10g Release 2 (10.1.2) Oracle home, such as the URL for the Application Server Control Console and the location of the setupinfo.txt file.

After you review the information on this screen, you can exit Oracle Universal Installer and proceed to the post-upgrade tasks.


Footnote 1 You can access a log of the automated shutdown procedure executed by Oracle Universal Installer in the shutdownprocesses.log file, which is located in the cfgtoollogs directory in the destination Oracle home.

5.5.3.3 Verifying Whether OracleAS Identity Management Components are Enabled or Disabled

When you upgrade a distributed OracleAS Identity Management configuration, the 10g Release 2 (10.1.2) installer will upgrade any OracleAS Identity Management components that are enabled in the source Oracle home.

An OracleAS Identity Management component is considered enabled when it is marked as such in the following configuration file in the source Oracle home:

SOURCE_ORACLE_HOME\config\ias.properties

Before you upgrade your Oracle Internet Directory installation in a distributed OracleAS Identity Management configuration, you can check the contents of this file to verify which components are enabled. If necessary, modify the entries to reflect exactly which components you have enabled, and as a result, which components will be upgraded.

The entries in the ias.properties file vary, depending upon whether you are upgrading a Release 2 (9.0.2) Oracle home or a 10g (9.0.4) Oracle home. Refer to the following sections for more information:

5.5.3.3.1 Verifying Enabled OracleAS Identity Management Components in a Release 2 (9.0.2) Oracle Home

If you are running only Oracle Internet Directory in a Release 2 (9.0.2) Oracle home, the ias.properties file should contain the following entries:

SSO.LaunchSuccess=False
OID.LaunchSuccess=True

If there were other OracleAS Identity Management components configured in the Release 2 (9.0.2) source Oracle home after Release 2 (9.0.2) was installed, those other components, such as Oracle Delegated Administration Services (DAS), will not be upgraded to 10g Release 2 (10.1.2) in the destination Oracle home. If you want to run those other components in the 10g Release 2 (10.1.2) home, configure those components to the 10g Release 2 (10.1.2) destination Oracle home.

5.5.3.3.2 Verifying Enabled OracleAS Identity Management Components in a 10g (9.0.4) Oracle Home

If you are running only Oracle Internet Directory in a 10g (9.0.4) Oracle home, the ias.properties file should contain the following entries:

SSO.LaunchSuccess=False
OID.LaunchSuccess=True
DAS.LaunchSuccess=False
DIP.LaunchSuccess=False
OCA.LaunchSuccess=False

On the other hand, if you are running OracleAS Single Sign-On, Oracle Delegated Administration Services, and Oracle Directory Integration and Provisioning in one Oracle home, but using Oracle Internet Directory in another Oracle home, the entries would appear as follows:

SSO.LaunchSuccess=True
OID.LaunchSuccess=False
DAS.LaunchSuccess=True
DIP.LaunchSuccess=True
OCA.LaunchSuccess=False

5.6 Task 5: Complete the OracleAS Identity Management Upgrade

This section details the post-upgrade procedures which will complete the Infrastructure upgrade to 10g Release 2 (10.1.2). It is organized into these sections:

5.6.1 Verifying the Application Server Control Console Port

After you upgrade your OracleAS Identity Management, you can use the Oracle Enterprise Manager 10g Application Server Control Console to manage the upgraded 10g Release 2 (10.1.2) OracleAS Identity Management instance.

However, the port used for the Application Server Control Console will be the port assigned by Oracle Universal Installer during the 10g Release 2 (10.1.2) installation. You will not be able to use the port number that was previously used by Enterprise Manager in the source Oracle home.


See Also:

Section 4.6.1, "About Port Values and the portlist.ini File After Upgrade" for information about how port numbers are changed during the upgrade process

"Managing Ports" in the Oracle Application Server Administrator's Guide for information about changing the Application Server Control Console port after upgrade


5.6.2 About Administration Passwords After Upgrade

After you upgrade your Oracle Application Server instance, use the following passwords in the destination Oracle home:

  • To log in to the Application Server Control Console, use the ias_admin password you defined during the installation of the destination Oracle home.

  • To log in to the OracleAS Web Cache Manager, use the OracleAS Web Cache Administrator password you used in the OracleAS Web Cache source Oracle home.

5.6.3 Enabling Secure Sockets Layer (SSL) for OracleAS Identity Management Components

If you are upgrading distributed OracleAS Identity Management components that were configured to use SSL, you must re-enable SSL for the OracleAS Single Sign-On and Oracle Delegated Administration Services after the upgrade. For more information, see the following sections:

5.6.3.1 Enabling SSL for Oracle Internet Directory After Upgrade

There is no need to enable SSL for Oracle Internet Directory, since the upgrade procedure automatically re-enables SSL for Oracle Internet Directory in the destination Oracle home if you were using SSL with Oracle Internet Directory in the source Oracle home.

5.6.3.2 Enabling SSL for OracleAS Single Sign-On After Upgrade

To enable SSL for OracleAS Single Sign-On, use the procedure described in the section "Enabling SSL" in the "Advanced Deployment Options" chapter of the Oracle Application Server Single Sign-On Administrator's Guide.

In particular, you must perform the following steps as described in that section of the Oracle Application Server Single Sign-On Administrator's Guide:

  1. Enable SSL on the Single Sign-On middle tier.

  2. Update targets.xml.

  3. Protect Single Sign-On URLs.

  4. Restart the Oracle HTTP Server and the Single Sign-On Middle Tier.

  5. Register mod_osso with the SSL virtual host as documented in the section "Configuring mod_osso with Virtual Hosts" in the Oracle Application Server Single Sign-On Administrator's Guide.

5.6.3.3 Enabling SSL for Oracle Delegated Administration Services After Upgrade

If you have also configured Oracle Delegated Administration Services in the upgraded Oracle home, you must reconfigure the Oracle Delegated Administration Services URL.

To reconfigure the Oracle Delegated Administration Services URL:

  1. Start the Oracle Directory Manager in the Oracle Delegated Administration Services Oracle home:

    From the Start menu, choose Programs, then ORACLE_HOME, then Integrated Management, then Oracle Directory Manager.

  2. Use the Navigator Pane to expand the directory tree until you locate the following entry:

    cn=OperationUrls,cn=DAS,cn=Products,cn=OracleContext
    
    
  3. Select the entry in the tree.

    Oracle Directory Manager displays the attributes of the entry in the right pane of the Directory Manager window.

  4. Change the orcldasurlbase attribute so it references the HTTPS, SSL URL for the Oracle Delegated Administration Services:

    https://hostname:http_ssl_port_number/
    
    

    For example:

    https://mgmt42.acme.com:4489/
    

See Also:

"Using Oracle Directory Manager" in the Oracle Internet Directory Administrator's Guide

5.6.4 Completing the Oracle Internet Directory Upgrade

To complete the Oracle Internet Directory Upgrade, you must perform the following tasks:

5.6.4.1 Running the oidpu904.sql Script to Recreate the orclnormdn Catalog

After you upgrade Oracle Internet Directory from Release 2 (9.0.2) to 10g Release 2 (10.1.2), you must run the oidpu904.sql script and recreate the orclnormdn catalog in the Oracle Internet Directory; otherwise, some Oracle Application Server components will not work correctly with the Oracle Internet Directory server.

Note that this procedure is not necessary if you have upgraded from Oracle Internet Directory 10g (9.0.4).

To perform this procedure:

  1. Ensure that the ORACLE_HOME environment variable is set to destination Oracle home and the ORACLE_SID environment variable is set to the system identifier (SID) of the Infrastructure database.

  2. Run following command:

    sqlplus ods/ods_password@net_service_name_for_OID_database @DESTINATION_ORACLE_HOME\ldap\admin\oidpu904.sql
    
    

    For example:

    sqlplus ods/welcome1@iasdb @DESTINATION_ORACLE_HOME\ldap\admin\oidpu904.sql
    
    

    Note:

    When you upgrade Oracle Internet Directory to 10g Release 2 (10.1.2), the password for the Oracle Internet Directory schema (ODS) is reset to the password for the ias_admin password.

  3. Re-create the index for the orclnormdn attribute by executing the catalog.sh script, which drops and re-creates the catalog for the orclnormdn attribute.

    1. Ensure that the Oracle Internet Directory server is operating in read-only mode.

      To set the server to read-only mode, first create an LDIF file named readonly.ldif that contains the following lines:

      dn:
      changetype:modify
      replace:orclservermode
      orclservermode:r
      
      

      Then, run the following command:

      ORACLE_HOME\bin\ldapmodify -p oid_port -D cn=orcladmin
            -w orcladmin_passwd -v -f readonly.ldif
      
      

      In the example, replace oid_port with the listening port of the directory server and replace orcladmin_password with the password of the superuser DN (cn=orcladmin).

    2. Set the PATH variable to include the DESTINATION_ORACLE_HOME/bin directory.

    3. Issue these commands to re-create the index for the orclnormdn attribute:

      DESTINATION_ORACLE_HOME\ldap\bin\catalog.sh -connect oid_database_net_service_name -delete -attr orclnormdn
      
      DESTINATION_ORACLE_HOME\ldap\bin\catalog.sh -connect oid_database_net_service_name -add -attr orclnormdn
      
      

      See Also:

      Section "1.1.2 UNIX Emulation Utilities for Windows" in the Oracle Identity Management User Reference for information about running the catalog.sh script on Microsoft Windows

  4. Reset the Oracle Internet Directory server to operate in read-write mode.

    To set the server to read-write mode, first create an LDIF file named readwrite.ldif that contains the following lines:

    dn:
    changetype:modify
    replace:orclservermode
    orclservermode:rw
    
    

    Then, run the following command:

    ORACLE_HOME\bin\ldapmodify -p oid_port -D cn=orcladmin
          -w orcladmin_passwd -v -f readwrite.ldif
    
    

    In the example, replace oid_port with the listening port of the directory server and replace orcladmin_password with the password of the superuser DN (cn=orcladmin).

5.6.4.2 Running the Certificate Upgrade Tool (upgradecert.pl)

Starting with release 10.1.2, a certificate hash value can be used to bind to Oracle Internet Directory. The introduction of this hash value requires that user certificates issued before release 10.1.2 be updated in the directory. This is a post-upgrade step and it is required only if user certificates are provisioned in the directory. The upgradecert.pl tool is used for this purpose.

Complete instructions for running the Certificate Upgrade Tool are available in Appendix A, "Syntax for LDIF and Command-Line Tools," in the Oracle Internet Directory Administrator's Guide.

5.6.4.3 Configuring Oracle Internet Directory 10g Release 2 (10.1.2) for Release 2 (9.0.2) Middle Tiers

Before you can use Release 2 (9.0.2) middle tiers against the upgraded 10g Release 2 (10.1.2) Oracle Internet Directory, you must run configure Oracle Internet Directory using the imconfig script.

For information on using the imconfig script, see Section 4.2.1, "Before Installing the 10g Release 2 (10.1.2) Middle Tier Against a Release 2 (9.0.2) Oracle Internet Directory".

5.6.4.4 Modifying Access Policies After Oracle Internet Directory Upgrade

During the Oracle Internet Directory upgrade, LDAP objects within the directory are modified or added to the Oracle Internet Directory. These updates often include access control information.

In a production environment, customized access control policies are often enforced in the directory. For this reason, the upgrade process leaves certain entries in the directory untouched intentionally to retain any customized behaviour you may have implemented in the directory.

Further, in some cases, the default, out-of-the-box access control settings are required for Oracle components to function properly. As a result, after the Oracle Internet Directory upgrade, you should analyze the differences between the default, out-of-the-box access control policies and any custom policies you have implemented. The result of this task should be a new set of customized access control policies that will meet the requirements of Oracle components, as well as the access control polices of your organization.

Even if you have not implemented any customized access control polices, Oracle strongly recommends that you manually update the ACLs with the new default values after an upgrade.

The following example uses "dc=acme, dc=com" as a default realm DN. In this example, consider the following when analyzing the ACL policy for your directory:

  • Realm DN (eg. dc=acme, dc=com)

  • Parent of the Realm DN. This is also known as the Realm Search Base, for example, "dc=com".

  • Realm User container. This is also known as the Realm User Search Base, for examle, "cn=Users, dc=acme, dc=com". Depending on the deployment requirement, this can be customized.

  • Realm Group container. This is also known as the Realm Group Search Base, for example, "cn=Groups, dc=acme, dc=com". Depending on the deployment requirement, this can be customized.

The out-of-the-box access control policies is available in the following files:

  • Policies for the Parent of Realm DN can be found in the following file:

    $ORACLE_HOME/ldap/schema/oid/oidDefaultSubscriberConfig.sbs
    
    
  • Policies for the Realm DN, Realm User container, and Realm Group container can be found in:

    $ORACLE_HOME/ldap/schema/oid/oidSubscriberCreateAuxDIT.sbs
    
    

The default ACL policy is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section on "Default Privileges for Reading Common Group Attributes".

5.6.4.5 Resetting the Replication Wallet Password

If you upgrade a 9.0.x node to 10g Release 2 (10.1.2) and then try to set up replication for this node, the replication server will fail to come up and the replication setup itself may fail. Therefore, before setting up replication, reset the replication wallet password on the upgraded 10g Release 2 (10.1.2) node by using the following command:

DESTINATION_ORACLE_HOME\bin\remtool -presetpwd -v -bind host:port

This step ensures that the upgrade node can be configured in replication, if required.

5.6.4.6 Completing the Upgrade for the Oracle Directory Integration and Provisioning

If you had an older version (9.0.2 or 9.0.4) of the Directory Integration Platform (DIP) operating in a different Oracle home, on a different computer, and using the Oracle Internet Directory you are currently upgrading, and you want to continue using the DIP, you must re-register the DIP server.


See Also:

Oracle Identity Management Integration Guide for instructions on registering the DIP server.

5.6.4.7 Oracle Internet Directory Post-Upgrade Steps Required for OracleAS Portal

The following post-upgrade steps are required if you have configured OracleAS Portal against this Identity Management and Oracle Internet Directory was upgraded directly from Release 2 (9.0.2):

5.6.4.7.1 Apply Interoperability Patches for Oracle9iAS Portal Release 2 (9.0.2)

If Oracle Internet Directory was upgraded directly from Release 2 (9.0.2), and you are operating Oracle9iAS Portal Release 2 (9.0.2 or 9.0.2.3), an interoperability patch must be applied to the Oracle9iAS repository, as explained below. This step can be skipped if the Oracle9iAS Portal version is 9.0.2.6 or later:

  • If you are operating Portal version 9.0.2.0 or 9.0.2.2 (Oracle9iAS 9.0.2.0.1): You must apply Patch 3238095, which corrects problems with registering users and groups in Oracle9iAS Release 2 (9.0.2) Identity Management configuration, and resolves interoperability issues.

  • If you are operating Portal 9.0.2.3 (Oracle9iAS 9.0.2.3): You must apply Patch 3076511 to resolve interoperability issues.

To apply the patches:

  1. Log in to Oracle MetaLink at:

    http://metalink.oracle.com

  2. Locate the patch specified for the Portal version you are operating.

  3. Follow the instructions in the patch Readme file.

5.6.4.7.2 Reconfigure the OracleAS Portal Instances for the Oracle Internet Directory Server

If Oracle Internet Directory was upgraded directly from Release 2 (9.0.2), and if there are any OracleAS Portal instances using the upgraded Oracle Internet Directory server, they should be reconfigured. Follow these steps to reconfigure OracleAS Portal from a middle tier whose version is 10g (10.1.2):

  1. Change directory to the following location in the destination middle tier Oracle home:

    DESTINATION_ORACLE_HOME\portal\conf
    
    
  2. Run the following command:

    ptlconfig -dad portal_DAD -oid
    

If the version of your middle-tier is lower than 10.1.2, you must use the Oracle Portal Configuration Assistant command line utility ptlasst to reconfigure OracleAS Portal instances to work with Oracle Internet Directory. Refer to the appropriate version of the Oracle Application Server Portal Configuration Guide for instructions on how to use ptlasst.

5.6.4.7.3 Refresh the Oracle Delegated Administration Services (DAS) URL Cache

The URLs for the Delegated Administration Services are different in Oracle9iAS Release 2 (9.0.2) Oracle Internet Directory server and the Oracle Application Server 10g Release 2 (10.1.2) Oracle Internet Directory server. When the Oracle Internet Directory server is upgraded, these URLs are updated to the correct values. However, OracleAS Portal maintains a cache of these URLs, which does not get upgraded, and is therefore inconsistent with the set of URLs in 10g Release 2 (10.1.2).

If Oracle Internet Directory was upgraded directly from Release 2 (9.0.2), the DAS URL cache will have to be refreshed. The procedure for refreshing the cache is dependent on the OracleAS Portal version you have. To refresh the cache, follow the steps in one of the sections below:

To refresh the URL cache in Version 9.0.2.6 or later:

  1. Log in to the Portal as a Portal administrator.

  2. Click the Administer tab.

  3. Click the Global Settings link in the Services portlet.

  4. Click the SSO/OID tab.

  5. Note the values that appear under the section Cache for OID Parameters.

  6. Click the check box next to Refresh Cache for OID Parameters.

  7. Click Apply.

  8. Verify that the values displayed under Cache for OID Parameters have changed.

  9. Click OK.

To refresh the URL cache in versions prior to 9.0.2.6:

  1. Apply the one-off patch 3225970. This patch is available at:

    http://metalink.oracle.com.

  2. Clear the Web Cache by performing these steps:

    1. Log in to the Portal as a Portal Administrator.

    2. Click the Administer tab.

    3. Click the Global Settings link in the Services portlet.

    4. Click the Cache tab.

    5. Click the check box next to Clear the Entire Web Cache.

    6. Click OK.

  3. Clear the middle tier cache by performing a recursive delete of all the files and subdirectories inside the following directory:

    DESTINATION_ORACLE_HOME\Apache\modplsql\cache
    

5.6.4.8 Running the oidstats.sql Script After Upgrading Oracle Internet Directory from 10g (9.0.4)

After you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), you could observe some degradation in the performance of some LDAP queries.

To remedy this issue, perform the following procedure, which updates some database statistics in the Oracle Database 10g database that hosts the Oracle Internet Directory server:

  1. In the newly upgraded Oracle Internet Directory Oracle home, execute the following SQL script by connecting to the OID database as the ODS database user:

    sqlplus ods/<passwd> @%ORACLE_HOME%/ldap/admin/oidstats.sql
    
    
  2. Restart the Oracle Internet Directory server as follows:

    1. Run the following command to stop the Oracle Internet Directory server:

      opmnctl stopproc ias-component=OID
      
      
    2. Wait a few seconds for the Oracle Internet Directory server to shut down completely.

    3. Run the following command to start the Oracle Internet Directory server:

      opmnctl startproc ias-component=OID
      
      

Similarly, if you are running in an environment where the database that hosts the Oracle Internet Directory is upgraded before you upgrade the Oracle Internet Directory, you should gather the database statistics immediately after the database upgrade by running the following SQL command on the database:

exec dbms_stats.gather_schema_stats('ODS'); 

5.6.4.9 Modifying DSA Configuration Entries After Upgrade

When you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), all attributes in the DSA Configuration entry are reset to their default values. For example:

cn=dsaconfig,cn=configsets,cn=oracle internet directory

As a result, if any attributes in this entry were modified before the upgrade, you must reconfigure them to their values before the upgrade.

5.6.4.10 Recreating Oracle Internet Directory Indexes After Upgrade

When you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), some indexes are recreated automatically by the upgrade procedure. For example, the EI_attrstore index is recreated automatically during the upgrade.

As a result, if you recreated the EI_attrstore index before the upgrade, then the index will have to be recreated again after the upgrade. Note that recreating the EI_attrstore index is part of the performance recommendation for large group entry lookups described in section "21.8.1 Optimizing Searches for Large Group Entries" of the Oracle Internet Directory Administrator's Guide. If you performed this procedure prior to the upgrade to 10g Release 2 (10.1.2), you will need to perform this task again after the upgrade.

5.6.5 Completing the OracleAS Single Sign-On Upgrade

To complete the OracleAS Single Sign-On upgrade, depending on the configuration upgraded, you may need to perform the tasks described in the following sections:

5.6.5.1 Re-configuring the OracleAS Single Sign-On Middle Tier

If the Release 2 (9.0.2) or 10g (9.0.4) middle tier for the Single Sign-On server had custom configurations (for example, Oracle HTTP Server configured for SSL, or the Oracle Application Server Single Sign-On server Database Access Descriptor had any custom configuration), then you must re-configure the upgraded 10g Release 2 (10.1.2) middle tier in a like manner.


See Also:

Oracle Application Server Single Sign-On Administrator's Guide for instructions on configuring the middle tier.

If you are using OracleAS Portal and you reconfigure the 10g Release 2 (10.1.2) middle tier for SSL, the URL used for Oracle Delegated Administration Services might not be up-to-date. To remedy this problem, force a refresh of the portal cache, which holds the relevant Oracle Internet Directory information:

  1. Logon to OracleAS Portal as a user with administrator privileges.

  2. Go to the Builder.

  3. Click the Administration tab.

  4. From the Portal tab, open Global Settings and navigate to the SSO/OID tab.

  5. Scroll to the bottom of the page.

  6. Check Refresh Cache for the Oracle Internet Directory parameters.

  7. Click Apply.

    The page should refresh with the appropriate value in the DAS Host Name field.

5.6.5.2 Configuring Third-party Authentication

If the Release 2 (9.0.2) or 10g (9.0.4) middle tier was configured to authenticate with a user certificate or third party authentication mechanism, then you must re-configure the 10g Release 2 (10.1.2) OracleAS Single Sign-On server in a like manner.


See Also:

Oracle Application Server Single Sign-On Administrator's Guide, Chapter 13, for instructions on configuring the middle tier.

5.6.5.3 Installing Customized Pages in the Upgraded Server

If you have customized the login, password and the sign-off pages in the Release 2 (9.0.2) or 10g (9.0.4) Single Sign-On server, then you must update those pages with 10g Release 2 (10.1.2) specifications. This is also applicable if you have enabled support for Application Service Providers and updated the deployment login page to enable the company field.


See Also:

Oracle Application Server Single Sign-On Administrator's Guide, Chapter 12, for instructions on configuring the middle tier.

5.6.5.4 Converting External Application IDs


Note:

You do not need to perform this task if you upgraded from an OracleAS Single Sign-On version of 9.0.2.5 or later.

You can verify the version of OracleAS Single Sign-On you are running by running the following SQL statement against the OracleAS Single Sign-On database:

select version from orasso.wwc_version$;

It should return a value like 9.0.2.5.x.


To avoid ID conflicts while exporting and importing external application data among multiple OracleAS Single Sign-On server instances, external application IDs must be unique. In the Release 2 (9.0.2) release, external application IDs were sequential, and not unique across instances. If you are upgrading from Release 2 (9.0.2) directly to 10g Release 2 (10.1.2), then you must convert existing short external application IDs to the longer format in the OracleAS Single Sign-On schema. Follow the steps below to convert the IDs:

  1. Set the ORACLE_HOME environment variable to the Oracle home of the OracleAS Single Sign-On instance.

  2. Execute the following script from the OracleAS Single Sign-On Oracle home, by using the following commands:

    sqlplus orasso/password
    spool extappid.log
    @?/sso/admin/plsql/sso/ssoupeid.sql
    spool off
    

    See Also:

    "Obtaining the Single Sign-On Schema Password" in the Oracle Application Server Single Sign-On Administrator's Guide


    Note:

    The ssoupeid.sql script generates and displays the SSO_IDENTIFIER. You might need the SSO_IDENTIFIER value to apply the patches to the OracleAS Portal schema if the value cannot be generated in the OracleAS Portal schema automatically or if the OracleAS Single Sign-On server used a randomly selected value for the SSO_IDENTIFIER.

  3. If you are not upgrading OracleAS Portal to 10g Release 2 (10.1.2), but you have upgraded OracleAS Single Sign-On from Release 2 (9.0.2) directly to 10g Release 2 (10.1.2), you must apply a patch to each OracleAS Portal instance that is not going to be upgraded to 10g Release 2 (10.1.2).

    Refer to Table 5-5 for the appropriate patch number. Patches are available at:

    http://metalink.oracle.com/
    

Table 5-5 OracleAS Portal Patches for Converting to Long Format Application IDs

OracleAS Portal Version Patch Number

3.0.9.8.4

2769007

3.0.9.8.5

2665597

9.0.2, 9.0.2.3

2665607

9.0.2.6

4029584

9.0.4

4037687

9.0.4.1

4029587


5.6.5.5 Setting Up OracleAS Single Sign-On Replication

If you are using Oracle Internet Directory replication and want to also use OracleAS Single Sign-On replication, add the upgraded 10g Release 2 (10.1.2) tables in the replication group along with 9.0.4 Oracle Internet Directory. Follow the steps below to add OracleAS Single Sign-On tables for replication:

  1. Stop the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.

  2. On the Master Directory replica, in %ORACLE_HOME%\ldap\admin$ORACLE_HOME/ldap/admin, issue the following command:

    sqlplus repadmin/password@<mds connect id> @oidrssou.sql
    
    
  3. Start the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.


    See Also:

    Oracle Internet Directory Administrator's Guide, Chapter 25, "Managing Directory Replication", for instructions.

5.6.5.6 Upgrading the OracleAS Single Sign-On Server with a Customized Middle Tier

If the Release 2 (9.0.2) or 10g (9.0.4) OracleAS Single Sign-On server was using a middle tier other than the default mid-tier installation along with the OracleAS Single Sign-On server, then you must configure that middle tier to point to the upgraded OracleAS Single Sign-On server.

For example, if there was a reverse proxy configured in the Release 2 (9.0.2) or 10g (9.0.4) OracleAS Single Sign-On server middle tier, then you must configure it on the 10g Release 2 (10.1.2) OracleAS Single Sign-On server middle tier.

5.6.5.7 Troubleshooting Wireless Voice Authentication

If you want to use wireless voice authentication with the 10g Release 2 (10.1.2) OracleAS Single Sign-On server, and it doesn't work, verify that the OracleAS Single Sign-On server entry is a member of the Verifier Services Group in Oracle Internet Directory (cn=verifierServices,cn=Groups,cn=OracleContext). This is a requirement for the wireless voice authentication feature. Follow the steps below to verify membership:

  1. Issue the following command:

    ldapsearch -h host
        -p port 
        -D "cn=orcladmin" 
        -w password
        -b "cn=verifierServices, cn=Groups, cn=OracleContext" "objectclass=*"
    
    

    The OracleAS Single Sign-On server is a member of the Verifier Services Group if it is listed as a uniquemember in the entry, as shown in Example 5-1.

    Example 5-1 OracleAS Single Sign-On Server uniquemember Listing

    cn=verifierServices, cn=Groups,cn=OracleContext
    .
    .
    .
    uniquemember=orclApplication
    CommonName=ORASSO_SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
    .
    .
    .
    

5.6.5.8 Installing Languages in the OracleAS Single Sign-On Server

If you did not select any languages during the OracleAS Single Sign-On upgrade, or you want to install additional languages after the upgrade, you can install the necessary languages by following the steps below.

  1. Copy the necessary language files from the Repository Creation Assistant CD-ROM to the OracleAS Single Sign-On server Oracle home:

    copy repCA_CD\portal\admin\plsql\nlsres\ctl\lang\*.* DESTINATION_ORACLE_HOME\sso\nlsres\ctl\lang
    
    

    In this example, lang is the language code. For example, the language code for Japanese is ja.

  2. Load the languages into the server.


    See Also:

    Oracle Application Server Single Sign-On Administrator's Guide, Chapter 2, "Configuring Globalization Support" section, for instructions on loading the languages.

5.6.5.9 Re-Registering OracleAS Portal with the Upgraded OracleAS Single Sign-On Server

After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g Release 2 (10.1.2), the OracleAS Single Sign-On schemas are relocated in the Oracle Internet Directory database. OracleAS Portal keeps a database link reference to the OracleAS Single Sign-On server password store schema ORASSO_PS. This link reference must be updated.

To re-register OracleAS Portal with the upgraded OracleAS Single Sign-On server from a middle tier whose version is 10g (10.1.2):

  1. Change directory to the following location in the destination middle tier Oracle home:

    DESTINATION_ORACLE_HOME\portal\conf
    
    
  2. Run the following command:

    ptlconfig -dad portal_DAD -sso
    

See Also:

Oracle Application Server Portal Configuration Guide, for more information about the ptlconfig tool

If the version of your middle-tier is lower than 10.1.2, you must use the Oracle Portal Configuration Assistant command line utility ptlasst to reregister OracleAS Portal with Oracle Single Sign-On. Refer to the appropriate version of the Oracle Application Server Portal Configuration Guide for instructions on how to use ptlasst.

5.6.5.10 Re-Registering mod_osso with the Upgraded OracleAS Single Sign-On Server

After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g Release 2 (10.1.2), you may need to re-register mod_osso in order for an Oracle9iAS Release 2 (9.0.2) middle tier to operate with the upgraded OracleAS Single Sign-On server.

You will need to do this if the Oracle HTTP Server host and port information for mod_osso was changed. Before re-registering mod_osso, you must first set the value of the ColocatedDBCommonName attribute in the following configuration file to the global database name of the new OracleAS Single Sign-On server database shared with Oracle Internet Directory (for example, iasdb.host.mydomain).

SOURCE_ORACLE_HOME\config\ias.properties

5.6.5.11 Using an Upgraded Identity Management Configuration with Oracle9iAS Discoverer Release 2 (9.0.2)

If you upgraded an Identity Management configuration that was in use by Oracle9iAS Discoverer Release 2 (9.0.2), and you want to continue operating Oracle9iAS Discoverer Release 2 (9.0.2) with the upgraded Identity Management, then you must change the value of the ColocatedDBCommonName attribute in the following configuration file:

SOURCE_ORACLE_HOME\config\ias.properties

The value must be changed to the global database name of the database used by the upgraded Oracle Internet Directory (for example, iasdb.oid_host_name.domain).

5.6.5.12 Inactivity Timeout Issues When Upgrading From Release 2 (9.0.2) to 10g Release 2 (10.1.2)

If you are upgrading OracleAS Single Sign-On server from Release 2 (9.0.2) to 10g Release 2 (10.1.2) and you are using the inactivity timeout feature, then you must do the following:

  1. Upgrade associated mid-tiers used by other applications, such as Portal, to 10g Release 2 (10.1.2).

  2. Re-register mod_osso to ensure that inactivity timeout cookie issued by 10g Release 2 (10.1.2) OracleAS Single Sign-On server can be interpreted and used by associated mid-tiers to enforce inactivity timeout.

5.6.5.13 Removing Obsolete OracleAS Single Sign-On Partner Applications

After the upgrade, you will notice additional partner applications on the OracleAS Single Sign-On Partner Application administration page.

For example, you will notice two Oracle Application Server Certificate Authority (OCA) partner applications and two OracleAS Wireless partner applications.

You can safely remove the 10g (9.0.4) OCA partner application that uses port 4400.

As for the OracleAS Wireless partner applications, the 10g Release 2 (10.1.2) Oracle HTTP Server configuration is changed after during the upgrade to use the 10g (9.0.4) HTTP Server port; this partner application is not valid and can be removed. The valid OracleAS Wirelesspartner application is the upgraded partner application, which existed in the 10g (9.0.4) environment.

5.6.6 Completing the Oracle Application Server Certificate Authority Upgrade

After you use Oracle Universal Installer and the 10g Release 2 (10.1.2.0.2) installation procedure to upgrade Oracle Application Server Certificate Authority (OCA), verify the following database settings:

  • Verify that the Database Pool Size is set to 20

  • Verify that the Database Pool Scheme is set to Dynamic scheme.


See Also:

"Configuring Oracle Application Server Certificate Authority" in the Oracle Application Server Certificate Authority Administrator's Guide

5.6.7 Completing the OracleAS Wireless Upgrade

The following sections describe the tasks you must perform in order to complete the Oracle Application Server Wireless upgrade:

5.6.7.1 Upgrading Wireless User Accounts in Oracle Internet Directory

In Oracle Application Server Wireless Release 2 (9.0.2), user account numbers and PINs for wireless voice authentication were stored in the Wireless repository.

In Oracle Application Server Wireless 10g Release 2 (10.1.2), new attributes are added in the object definition of the orcluserV2 object class of Oracle Internet Directory to store the account number and PIN. As part of the Oracle Application Server Wireless upgrade from Release 2 (9.0.2) to 10g Release 2 (10.1.2), user account numbers and PINs must be transferred from the Wireless repository to Oracle Internet Directory.

This upgrade step can be performed only after the Oracle Application Server Infrastructure and all middle tiers are upgraded to 10g Release 2 (10.1.2). If they are not upgraded, the Oracle Application Server Wireless server will continue to authenticate voice devices locally (without Oracle Application Server Single Sign-On).

To upgrade the account numbers and PINs:

  1. Issue the command:

    DESTINATION_ORACLE_HOME\wireless\bin\migrate902VoiceAttrsToOID.bat
       DESTINATION_ORACLE_HOME 
       ldapmodify_location 
       userdn 
       password
       dif_file_location
       log_file
    
    

    In this example:

    • ldapmodify_location is the location of the ldapmodify utility, which is usually in the bin directory of the destination Oracle home.

    • user_dn is the DN of the Oracle Internet Directory administrator user

    • password is the password of the Oracle Internet Directory administrator user

    • ldif_file_location is the absolute path to the ldif (Lightweight Directory Interchange Format) file. This file contains user account numbers and PINs and is uploaded to Oracle Internet Directory by the ldapmodify utility. This temporary file may be removed after the user upgrade procedure has been completed successfully.

    • log_file is the absolute path to the log file

Example:

migrate902VoiceAttrsToOID.bat 
    c:\oracle\ias904\ 
    c:\oracle\ias904\bin\ldapmodify 
    "cn=orcladmin" 
    welcome1 
    c:\oracle\ias904\users.ldif 
    c:\oracle\ias904\users.log

5.6.7.2 Adding Unique Constraint on the orclWirelessAccountNumber Attribute in Oracle Internet Directory

In 10g Release 2 (10.1.2), Oracle Internet Directory does not automatically set unique constraints on any user attributes. Wireless voice authentication will not function properly unless a unique constraint is set on the orclWirelessAccountNumber attribute of the orclUserV2 object class.

Set the unique constraint by performing the steps below after the middle tier and infrastructure upgrades are complete.

  1. Execute the script addAccountNumberUniqueConstraint.bataddAccountNumberUniqueConstraint.sh, which is located in the following directory:

    DESTINATION_ORACLE_HOME\wireless\bin
    
    

    The script takes one argument, the full path to the Oracle home. For example:

    addAccountNumberUniqueConstraint.bat DESTINATION_ORACLE_HOME
    
    
  2. Restart the Oracle Internet Directory server.

5.6.7.3 Disabling Oracle Application Server Wireless Upgrade Triggers in the Infrastructure Repository

When Oracle Application Server Wireless 10g Release 2 (10.1.2) is installed against an Oracle9iAS Release 2 (9.0.2) infrastructure, a number of triggers are automatically installed, that ensure that both Oracle9iAS Wireless Release 2 (9.0.2) and Oracle Application Server Wireless 10g Release 2 (10.1.2) middle tiers can function correctly. Once all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers and the infrastructure tier have been upgraded to Oracle Application Server Wireless 10g Release 2 (10.1.2), you must execute the following script to disable any upgrade-related triggers.

disable902-904_trg.bat

This script is located in the following directory:

DESTINATION_ORACLE_HOME\wireless\bin

You must set the ORACLE_HOME environment variable before you execute the script.

5.6.7.4 Activating All OracleAS Wireless 10g Release 2 (10.1.2) Features

When Oracle Application Server Wireless 10g Release 2 (10.1.2) is installed against an Oracle9iAS Release 2 (9.0.2) Infrastructure, a number of features are disabled by default, as they are not compatible with existing Oracle9iAS Wireless Release 2 (9.0.2) middle tiers that are installed against the same Infrastructure. After all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers have been upgraded to Oracle Application Server Wireless10g Release 2 (10.1.2), you can manually enable these features. Once you have enabled these features, the Oracle9iAS Wireless Release 2 (9.0.2) middle tiers will no longer function correctly.

Enable the Oracle Application Server Wireless 10g Release 2 (10.1.2) features by executing the following script from any of the Oracle Application Server Wireless 10g Release 2 (10.1.2) middle tiers, using the command below. This script is in the following directory of the destination Oracle home:

DESTINATION_ORACLE_HOME\wireless\bin

The command takes the following arguments:

upload.bat wireless_repository_location  -l wireless_user_name/wireless_password

In this example:

  • wireless_repository_location is the relative path to the OracleAS Wireless XML-based repository

  • wireless_user_name is the name of the Oracle Application Server Wireless user

  • wireless_password is the password of the Oracle Internet Administrator

For example:

upload.bat  ..\repository\xml\activate-9040.xml -l orcladmin/welcome1

5.6.7.5 Assigning Change Password Privilege to OracleAS Wireless

In Oracle Application Server 10g Release 2 (10.1.2), by default, the OracleAS Wireless application entity does not have the privileges to change the user password. Consequently, upon installation, users cannot change the password to the OracleAS Wireless server. However, you can enable functionality to change passwords by assigning the UserSecurityAdmins privilege to the OracleAS Wireless application entity.

To do this, execute the following script:

DESTINATION_ORACLE_HOME\wireless\bin\assignUserSecurityAdminsPrivilege.bat

The syntax is:

assignUserSecurityAdminsPrivilege.bat oid_super_user_dn user_password

In this example:

  • oid_super user_dn is the Distinguished Name of the Oracle Internet Directory super user. This user should have privileges to grant UserSecurityAdmins privileges to application entities.

  • user_password is the password of the Oracle Internet Directory super user.

For example:

assignUserSecurityAdminsPrivilege.bat "cn=orcladmin" welcome1

See Also:

"Resetting the Password" in Oracle Application Server Wireless Administrator's Guide

5.6.7.6 Specifying URL Query Parameters for Wireless Services That Use the HTTP Adapter

When you use the HTTP adapter to build Wireless services, one of the service parameters that you must specify is the URL to a back-end application. In some cases, you may send some query parameters to the back-end application. There are two ways to do this from OracleAS Wireless, shown in Example 5-2 and Example 5-3. In Example 5-2, the parameter name is fn and the value is Joe.

Example 5-2 URL Using a Query Parameter

http://localhost:7777/myapp/home.jsp?fn=Joe

The query parameter is sent only in the request for the first page of that service. If there is a link from the first page to some other pages, then the parameter is not added to the request for those pages.

Example 5-3 URL Using an Extra Service Parameter

http://localhost:7777/myapp/home.jsp 

Instead of modifying the URL, you add an extra service parameter with name fn and value Joe. The the parameter is sent to all pages, not just the first one. The parameter is also sent with all HTTP redirect requests. However, this method also sends extra URL parameters to the OracleAS Single Sign-On server, which causes the server to return an error.

The error occurs when the back-end application is protected by mod_osso. In that case, the request to that application is intercepted and redirected to the Oracle SSO server for user authentication. The OracleAS Single Sign-On server has restrictive rules concerning query parameters that can be sent to it. Consequently, for back-end applications protected by mod_osso, you must change the Wireless service and add the query parameter to the URL as shown in Example 5-2.

5.6.8 Configuring Oracle Enterprise Manager 10g Database Control After OracleAS Identity Management Upgrade

The Oracle Enterprise Manager 10g Database Control provides a Web-based console you can use to manage Oracle Database 10g. When your OracleAS Metadata Repository is installed in an Oracle Database 10g instance, you can use the Database Control to manage your OracleAS Metadata Repository database.


See Also:

"Managing the OracleAS Metadata Repository Database with Database Control" in the Oracle Application Server Administrator's Guide

However, after you use Oracle Universal Installer to upgrade OracleAS Identity Management in a colocated Infrastructure, the OracleAS Metadata Repository database is automatically upgraded to Oracle Database 10g, but the Database Control is not configured automatically.

Instead, if you want to use the Database Control to manage your upgraded OracleAS Metadata Repository database, you must configure the Database Control manually using the Enterprise Manager Configuration Assistant (EMCA).


See Also:

"Configuring the Database Control with EMCA" in Oracle Enterprise Manager Advanced Configuration

5.7 Task 6: Validate the Identity Management Upgrade

This section describes the steps you must perform after the Identity Management Upgrade to ensure that the upgrade was successful.

5.7.1 Testing OracleAS Single Sign-On Connectivity

After the Identity Management upgrade is complete, log in to Oracle Application Server Single Sign-On as user ORCLADMIN. A successful login indicates that Oracle Application Server Single Sign-On and Oracle Internet Directory are functioning after the Identity Management upgrade.

  1. In a browser, access the Oracle Enterprise Manager 10g Application Server Control Console in the destination Infrastructure Oracle home by entering its URL. Ensure that you provide the correct host name and port number. For example:

    http://infrahost.mycompany.com:1812

    Oracle Enterprise Manager 10g displays the Farm page, with the Oracle Application Server 10g Release 2 (10.1.2) Identity Management instance in the Standalone Instances section.

  2. Click the link for the Identity Management instance.

    The System Components page appears.

  3. Verify that the status of the Oracle HTTP Server, Oracle Internet Directory, and Oracle Application Server Single Sign-On components is Up.

  4. In the browser, access the ORASSO page by entering its URL. Ensure that you enter the correct host name and port number for the upgraded Oracle HTTP Server. For example:

    http://infrahost.mycompany.com:7777/pls/orasso/ORASSO.home

    The ORASSO page appears.

  5. Click the Login link (in the upper right corner of the page).

    A page appears with User Name and Password fields.

  6. Enter ORCLADMIN in the User Name field, and the password you have selected for ORCLADMIN in the Password field.

  7. Click Login.

    The Oracle Application Server Single Sign-On Server Administration page appears, thus validating the basic operation of the upgraded Identity Management components (Oracle Application Server Single Sign-On and Oracle Internet Directory).

5.7.2 Testing Oracle Application Server Certificate Authority After Upgrade

If you have upgraded Oracle Application Server Certificate Authority (OCA), you can verify that the upgrade completed successfully by accessing the OCA User page.

Open your Web browser and enter the following URL:

https://infrahost.mycompany.com:6600/oca/user

Check to be sure that you can log in as a regular user and view the user's existing certificates. This ensures that OCA is working with Oracle Internet Directory and OracleAS Single Sign-On.


Note:

After the upgrade, you will notice two OCA partner applications in the OracleAS Single Sign-On Partner Application administration page. One is the partner application for the 10g (9.0.4) OCA installation and the other is the partner application for the upgraded 10g Release 2 (10.1.2) OCA installation.

The original partner application can be removed. The upgraded OCA will be running on port 6600 after upgrade, instead of port 4400.


5.8 Task 7: Decommission the OracleAS Identity Management Source Oracle Home

After you upgrade your OracleAS Identity Management Oracle home, the source Oracle home can eventually be deinstalled. However, before you deinstall the source Oracle home, review the following sections carefully:

5.8.1 Relocating the Database Datafiles, Control Files, and Log Files After Upgrading a Colocated Infrastructure

If you upgraded OracleAS Identity Management as part of a colocated Infrastructure, then you also upgraded the OracleAS Metadata Repository database to a supported database version.

After you upgrade the OracleAS Metadata Repository database using the OracleAS Upgrade Assistant, the datafiles, control files, and log files for the database remain in the source Oracle home. Before you deinstall or remove the Oracle home, you must first relocate the database files.

5.8.2 Preserving Application Files and Log Files

If there are application files or log files in the source Oracle home that are being referenced or used by the destination Oracle home, you should move them to another location before you decommission the source Oracle home, and, in the destination Oracle home, change any references to the files to the new location.

5.8.3 Before You Deinstall Release 2 (9.0.2) OracleAS Identity Management from a Computer that Also Contains 10g Release 2 (10.1.2) Instances

If you have 9.0.2 or 9.0.3 and 10g Release 2 (10.1.2) instances on the same computer, and you want to deinstall a 9.0.2 instance, review the information in Section 4.9.4, "Deinstalling a Release 2 (9.0.2) or Release 2 (9.0.3) Source Oracle Home".

5.8.4 Deinstalling the OracleAS Identity Management Source Oracle Home

When you are certain that the upgrade was successful, you have all of the necessary backups, and have no plans to revert to the source Oracle home, you may elect to remove the files from the source Oracle home. Use the Oracle Universal Installer to deinstall the instance.

Note, however, that deinstalling an Oracle9iAS Release 2 (9.0.2) or (9.0.3) instance when there is also an OracleAS 10g Release 2 (10.1.2) instance on the computer requires a patch. Before you deinstall such an instance, be aware of the issues associated with this deinstallation that may apply to your configuration.