5 Upgrading Identity Management Services

5.5.3.1 Upgrading Release 2 (9.0.2) Distributed OracleAS Identity Management Configurations

A distributed OracleAS Identity Management configuration consists of multiple Oracle homes. One of the Oracle homes contains the Oracle Internet Directory.

In a Release 2 (9.0.2) distributed OracleAS Identity Management installation, the other Oracle home contains OracleAS Single Sign-On and its own OracleAS Metadata Repository (Figure 5-2).

To upgrade a Release 2 (9.0.2) distributed OracleAS Identity Management configuration:

1. Review Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled" to determine exactly which OracleAS Identity Management components will be upgraded.

2. Use the procedure in Section 5.5.1, "Upgrading OracleAS Identity Management in a Colocated Infrastructure" to upgrade the Oracle home that includes the Oracle Internet Directory and its OracleAS Metadata Repository.

   You must upgrade the Oracle Internet Directory first before upgrading the other distributed OracleAS Identity Management components.

   
   

   Note: If you are running only Oracle Internet Directory from the Oracle home, check to be sure the other OracleAS Identity Management components are disabled so they will not be upgraded or started in the destination 10g Release 2 (10.1.2) Oracle home. For more information, see Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled".

   
   

3. Make sure you have applied the latest Release 2 (9.0.2) patchsets to the OracleAS Identity Management Oracle home you are about to upgrade.

   The OracleAS Identity Management upgrade procedures have been tested using the latest patchsets available from OracleMetaLink. As a result, before you upgrade Release 2 (9.0.2) OracleAS Identity Management, apply the latest Oracle Application Server 9.0.2 patchsets.

   The OracleMetaLink Web site is at the following URL:

   http://metalink.oracle.com/
   
   

   At the time this document was published the most recent Oracle9iAS patchset release was the Oracle9iAS 9.0.2.3 patchset (3038037). To locate this patchset, search for patch number 3038037 on OracleMetaLink.

   
   

   Note: After applying Oracle9iAS 9.0.2.3 patchset (3038037), verify that the patchset was applied successfully before proceeding with the 10g Release 2 (10.1.2) upgrade. For example, verify that the Application Server Control, your deployed applications, and the components you use are functioning properly after you apply the patchset.

   
   

4. Make sure that the OracleAS Metadata Repository database being used by Oracle Application Server Single Sign-On and its database listener are up and running.

5. Log in to the computer on which the other distributed OracleAS Identity Management components are installed, as the same operating system user that performed the Release 2 (9.0.2) installation.

   
   

   Note: The account you log in to install or upgrade the OracleAS Metadata Repository must be listed as a member of the Administrators group.

   
   

6. Make sure the Oracle Internet Directory Server has been upgraded to 10g Release 2 (10.1.2) and that it is up and running.

   To verify that Oracle Internet Directory is running, enter one of the following commands.

   
   

   Note: You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command. After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.

   
   

   If you are running Oracle Internet Directory on a non-secure port:

   SOURCE_ORACLE_HOME\bin\ldapbind -p Non-SSL_port
   
   

   If you are running Oracle Internet Directory on a secure port:

   SOURCE_ORACLE_HOME\bin\ldapbind -p SSL_port -U 1
   
   

   These commands should return a "bind successful" message.

   
   

   See Also: "Syntax for LDIF and Command-Line Tools" in the Oracle Internet Directory Administrator's Guide for more information about the ldapbind utility

   
   

7. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

   In particular, be sure to set following variables so they do not reference any Oracle home directories:

   • PATH

   • CLASSPATH

   In addition, be sure the following environment variables are not set:

   • TNS_ADMIN

   • ORACLE_HOME

   • ORACLE_SID

8. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD–ROM and start the installer.

   
   

   See Also: Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

   
   

9. Refer to Table 5-3 for information on the options you should select on each screen.

10. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible in the new 10g Release 2 (10.1.2) Oracle home.

    
    

    See Also: "Accessing the Single Sign-On Server" in the Oracle Application Server Single Sign-On Administrator's Guide

    
    

5.5.3.2 Upgrading 10g (9.0.4) Distributed OracleAS Identity Management Configurations

A distributed OracleAS Identity Management configuration consists of multiple Oracle homes. One of the Oracle homes contains the Oracle Internet Directory.

In a 10g (9.0.4) distributed OracleAS Identity Management installation, the other Oracle homes contain additional OracleAS Identity Management components, such as OracleAS Single Sign-On, Delegated Administration Services, Oracle Directory Integration and Provisioning, and OracleAS Certificate Authority.

To upgrade a 10g (9.0.4) distributed OracleAS Identity Management configuration (as shown in Figure 5-3), do the following:

1. Review Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled" to determine exactly which OracleAS Identity Management components will be upgraded.

2. Synchronize the system clocks on all nodes where the OracleAS Identity Management components reside so they are running within 250 seconds of each other.

   When synchronizing the system clocks, make sure the clocks are set to the same time zone.

3. Upgrade the Oracle home that includes the Oracle Internet Directory used by the other OracleAS Identity Management components.

   You must upgrade the Oracle Internet Directory first before upgrading the other distributed OracleAS Identity Management components.

   To upgrade the Oracle Internet Directory Oracle home, use one of the following procedures, depending upon the type of installation used for the Oracle Internet Directory Oracle home:

   • If the Oracle Internet Directory Oracle home includes its OracleAS Metadata Repository, then use the procedure in Section 5.5.1, "Upgrading OracleAS Identity Management in a Colocated Infrastructure"

   • If the Oracle Internet Directory is in its own Oracle home, and the its OracleAS Metadata Repository resides in a different Oracle home, use the procedure in Section 5.5.2, "Upgrading OracleAS Identity Management in a Non-Colocated 10g (9.0.4) Infrastructure"

   
   

   Note: If you are running only Oracle Internet Directory from the Oracle home, check to be sure the other OracleAS Identity Management components are disabled so they will not be upgraded or started in the destination 10g Release 2 (10.1.2) Oracle home. For more information, see Section 5.5.3.3, "Verifying Whether OracleAS Identity Management Components are Enabled or Disabled".

   
   

4. Make sure that the OracleAS Metadata Repository database and database listener used by the distributed components are up and running.

5. Log in to the computer on which the distributed OracleAS Identity Management components are installed, as the same operating system user that performed the 10g (9.0.4) installation.

   
   

   Note: The account you log in to install or upgrade the OracleAS Metadata Repository must be listed as a member of the Administrators group.

   
   

6. Make sure the Oracle Internet Directory server is upgraded to 10g Release 2 (10.1.2) and that it is up and running.

   To verify that Oracle Internet Directory is running, enter one of the following commands.

   
   

   Note: You may have to temporarily set the ORACLE_HOME environment variable to the Oracle Internet Directory Oracle home before running the ldapbind command. After you verify that the Oracle Internet Directory is running, you must then make sure the ORACLE_HOME environment variable is not defined before you start the 10g Release 2 (10.1.2) installer, as directed in Step 6.

   
   

   If you are running Oracle Internet Directory on a non-secure port:

   SOURCE_ORACLE_HOME\bin\ldapbind -p Non-SSL_port
   
   

   If you are running Oracle Internet Directory on a secure port:

   SOURCE_ORACLE_HOME\bin\ldapbind -p SSL_port -U 1
   
   

   These commands should return a "bind successful" message.

7. Be sure to set the environment variables, as defined in the section "Environment Variables" in the "Requirements" chapter of the Oracle Application Server Installation Guide.

   In particular, be sure to set following variables so they do not reference any Oracle home directories:

   In addition, be sure the following environment variables are not set:

   • TNS_ADMIN

   • ORACLE_HOME

   • ORACLE_SID

8. If you the ORACLE_HOME environment variable was previously set, restart the host computer after unsetting the variable.

   The system restart is necessary to clear the ORACLE_HOME variable from the system registry. If you do not restart the computer after clearing the ORACLE_HOME variable, the installation might report an error and prevent you from finishing the installation.

9. Mount the Oracle Application Server 10g Release 2 (10.1.2) CD–ROM and start the installer.

   
   

   See Also: Oracle Application Server Installation Guide for detailed instructions about starting Oracle Universal Installer on your platform

   
   

10. Refer to Table 5-4 for information on the options you should select on each screen.

11. After the End of Installation screen appears, exit Oracle Universal Installer and then verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible.

    
    

    See Also: "Accessing the Single Sign-On Server" in the Oracle Application Server Single Sign-On Administrator's Guide

    
    

5.5.3.3 Verifying Whether OracleAS Identity Management Components are Enabled or Disabled

When you upgrade a distributed OracleAS Identity Management configuration, the 10g Release 2 (10.1.2) installer will upgrade any OracleAS Identity Management components that are enabled in the source Oracle home.

An OracleAS Identity Management component is considered enabled when it is marked as such in the following configuration file in the source Oracle home:

SOURCE_ORACLE_HOME\config\ias.properties

Before you upgrade your Oracle Internet Directory installation in a distributed OracleAS Identity Management configuration, you can check the contents of this file to verify which components are enabled. If necessary, modify the entries to reflect exactly which components you have enabled, and as a result, which components will be upgraded.

The entries in the ias.properties file vary, depending upon whether you are upgrading a Release 2 (9.0.2) Oracle home or a 10g (9.0.4) Oracle home. Refer to the following sections for more information:

• Verifying Enabled OracleAS Identity Management Components in a Release 2 (9.0.2) Oracle Home

• Verifying Enabled OracleAS Identity Management Components in a 10g (9.0.4) Oracle Home

SSO.LaunchSuccess=False
OID.LaunchSuccess=True

SSO.LaunchSuccess=False
OID.LaunchSuccess=True
DAS.LaunchSuccess=False
DIP.LaunchSuccess=False
OCA.LaunchSuccess=False

SSO.LaunchSuccess=True
OID.LaunchSuccess=False
DAS.LaunchSuccess=True
DIP.LaunchSuccess=True
OCA.LaunchSuccess=False

5.6.3.1 Enabling SSL for Oracle Internet Directory After Upgrade

There is no need to enable SSL for Oracle Internet Directory, since the upgrade procedure automatically re-enables SSL for Oracle Internet Directory in the destination Oracle home if you were using SSL with Oracle Internet Directory in the source Oracle home.

5.6.3.2 Enabling SSL for OracleAS Single Sign-On After Upgrade

To enable SSL for OracleAS Single Sign-On, use the procedure described in the section "Enabling SSL" in the "Advanced Deployment Options" chapter of the Oracle Application Server Single Sign-On Administrator's Guide.

In particular, you must perform the following steps as described in that section of the Oracle Application Server Single Sign-On Administrator's Guide:

1. Enable SSL on the Single Sign-On middle tier.

2. Update targets.xml.

3. Protect Single Sign-On URLs.

4. Restart the Oracle HTTP Server and the Single Sign-On Middle Tier.

5. Register mod_osso with the SSL virtual host as documented in the section "Configuring mod_osso with Virtual Hosts" in the Oracle Application Server Single Sign-On Administrator's Guide.

5.6.3.3 Enabling SSL for Oracle Delegated Administration Services After Upgrade

If you have also configured Oracle Delegated Administration Services in the upgraded Oracle home, you must reconfigure the Oracle Delegated Administration Services URL.

To reconfigure the Oracle Delegated Administration Services URL:

1. Start the Oracle Directory Manager in the Oracle Delegated Administration Services Oracle home:

   From the Start menu, choose Programs, then ORACLE_HOME, then Integrated Management, then Oracle Directory Manager.

2. Use the Navigator Pane to expand the directory tree until you locate the following entry:

   cn=OperationUrls,cn=DAS,cn=Products,cn=OracleContext
   
   

3. Select the entry in the tree.

   Oracle Directory Manager displays the attributes of the entry in the right pane of the Directory Manager window.

4. Change the orcldasurlbase attribute so it references the HTTPS, SSL URL for the Oracle Delegated Administration Services:

   https://hostname:http_ssl_port_number/
   
   

   For example:

   https://mgmt42.acme.com:4489/
   

5.6.4.1 Running the oidpu904.sql Script to Recreate the orclnormdn Catalog

After you upgrade Oracle Internet Directory from Release 2 (9.0.2) to 10g Release 2 (10.1.2), you must run the oidpu904.sql script and recreate the orclnormdn catalog in the Oracle Internet Directory; otherwise, some Oracle Application Server components will not work correctly with the Oracle Internet Directory server.

Note that this procedure is not necessary if you have upgraded from Oracle Internet Directory 10g (9.0.4).

To perform this procedure:

1. Ensure that the ORACLE_HOME environment variable is set to destination Oracle home and the ORACLE_SID environment variable is set to the system identifier (SID) of the Infrastructure database.

2. Run following command:

   sqlplus ods/ods_password@net_service_name_for_OID_database @DESTINATION_ORACLE_HOME\ldap\admin\oidpu904.sql
   
   

   For example:

   sqlplus ods/welcome1@iasdb @DESTINATION_ORACLE_HOME\ldap\admin\oidpu904.sql
   
   

   
   

   Note: When you upgrade Oracle Internet Directory to 10g Release 2 (10.1.2), the password for the Oracle Internet Directory schema (ODS) is reset to the password for the ias_admin password.

   
   

3. Re-create the index for the orclnormdn attribute by executing the catalog.sh script, which drops and re-creates the catalog for the orclnormdn attribute.

   1. Ensure that the Oracle Internet Directory server is operating in read-only mode.

      To set the server to read-only mode, first create an LDIF file named readonly.ldif that contains the following lines:

      dn:
      changetype:modify
      replace:orclservermode
      orclservermode:r
      
      

      Then, run the following command:

      ORACLE_HOME\bin\ldapmodify -p oid_port -D cn=orcladmin
            -w orcladmin_passwd -v -f readonly.ldif
      
      

      In the example, replace oid_port with the listening port of the directory server and replace orcladmin_password with the password of the superuser DN (cn=orcladmin).

   2. Set the PATH variable to include the DESTINATION_ORACLE_HOME/bin directory.

   3. Issue these commands to re-create the index for the orclnormdn attribute:

      DESTINATION_ORACLE_HOME\ldap\bin\catalog.sh -connect oid_database_net_service_name -delete -attr orclnormdn
      
      DESTINATION_ORACLE_HOME\ldap\bin\catalog.sh -connect oid_database_net_service_name -add -attr orclnormdn
      
      

      
      

      See Also: Section "1.1.2 UNIX Emulation Utilities for Windows" in the Oracle Identity Management User Reference for information about running the catalog.sh script on Microsoft Windows

      
      

4. Reset the Oracle Internet Directory server to operate in read-write mode.

   To set the server to read-write mode, first create an LDIF file named readwrite.ldif that contains the following lines:

   dn:
   changetype:modify
   replace:orclservermode
   orclservermode:rw
   
   

   Then, run the following command:

   ORACLE_HOME\bin\ldapmodify -p oid_port -D cn=orcladmin
         -w orcladmin_passwd -v -f readwrite.ldif
   
   

   In the example, replace oid_port with the listening port of the directory server and replace orcladmin_password with the password of the superuser DN (cn=orcladmin).

5.6.4.2 Running the Certificate Upgrade Tool (upgradecert.pl)

Starting with release 10.1.2, a certificate hash value can be used to bind to Oracle Internet Directory. The introduction of this hash value requires that user certificates issued before release 10.1.2 be updated in the directory. This is a post-upgrade step and it is required only if user certificates are provisioned in the directory. The upgradecert.pl tool is used for this purpose.

Complete instructions for running the Certificate Upgrade Tool are available in Appendix A, "Syntax for LDIF and Command-Line Tools," in the Oracle Internet Directory Administrator's Guide.

5.6.4.3 Configuring Oracle Internet Directory 10g Release 2 (10.1.2) for Release 2 (9.0.2) Middle Tiers

Before you can use Release 2 (9.0.2) middle tiers against the upgraded 10g Release 2 (10.1.2) Oracle Internet Directory, you must run configure Oracle Internet Directory using the imconfig script.

For information on using the imconfig script, see Section 4.2.1, "Before Installing the 10g Release 2 (10.1.2) Middle Tier Against a Release 2 (9.0.2) Oracle Internet Directory".

5.6.4.4 Modifying Access Policies After Oracle Internet Directory Upgrade

During the Oracle Internet Directory upgrade, LDAP objects within the directory are modified or added to the Oracle Internet Directory. These updates often include access control information.

In a production environment, customized access control policies are often enforced in the directory. For this reason, the upgrade process leaves certain entries in the directory untouched intentionally to retain any customized behaviour you may have implemented in the directory.

Further, in some cases, the default, out-of-the-box access control settings are required for Oracle components to function properly. As a result, after the Oracle Internet Directory upgrade, you should analyze the differences between the default, out-of-the-box access control policies and any custom policies you have implemented. The result of this task should be a new set of customized access control policies that will meet the requirements of Oracle components, as well as the access control polices of your organization.

Even if you have not implemented any customized access control polices, Oracle strongly recommends that you manually update the ACLs with the new default values after an upgrade.

The following example uses "dc=acme, dc=com" as a default realm DN. In this example, consider the following when analyzing the ACL policy for your directory:

• Realm DN (eg. dc=acme, dc=com)

• Parent of the Realm DN. This is also known as the Realm Search Base, for example, "dc=com".

• Realm User container. This is also known as the Realm User Search Base, for examle, "cn=Users, dc=acme, dc=com". Depending on the deployment requirement, this can be customized.

• Realm Group container. This is also known as the Realm Group Search Base, for example, "cn=Groups, dc=acme, dc=com". Depending on the deployment requirement, this can be customized.

The out-of-the-box access control policies is available in the following files:

• Policies for the Parent of Realm DN can be found in the following file:

  $ORACLE_HOME/ldap/schema/oid/oidDefaultSubscriberConfig.sbs
  
  

• Policies for the Realm DN, Realm User container, and Realm Group container can be found in:

  $ORACLE_HOME/ldap/schema/oid/oidSubscriberCreateAuxDIT.sbs
  
  

The default ACL policy is described in the Oracle Internet Directory Administrator's Guide, in Chapter 17, in the section on "Default Privileges for Reading Common Group Attributes".

5.6.4.5 Resetting the Replication Wallet Password

If you upgrade a 9.0.x node to 10g Release 2 (10.1.2) and then try to set up replication for this node, the replication server will fail to come up and the replication setup itself may fail. Therefore, before setting up replication, reset the replication wallet password on the upgraded 10g Release 2 (10.1.2) node by using the following command:

DESTINATION_ORACLE_HOME\bin\remtool -presetpwd -v -bind host:port

This step ensures that the upgrade node can be configured in replication, if required.

5.6.4.6 Completing the Upgrade for the Oracle Directory Integration and Provisioning

If you had an older version (9.0.2 or 9.0.4) of the Directory Integration Platform (DIP) operating in a different Oracle home, on a different computer, and using the Oracle Internet Directory you are currently upgrading, and you want to continue using the DIP, you must re-register the DIP server.

5.6.4.7 Oracle Internet Directory Post-Upgrade Steps Required for OracleAS Portal

The following post-upgrade steps are required if you have configured OracleAS Portal against this Identity Management and Oracle Internet Directory was upgraded directly from Release 2 (9.0.2):

• Apply Interoperability Patches for Oracle9iAS Portal Release 2 (9.0.2)

• Reconfigure the OracleAS Portal Instances for the Oracle Internet Directory Server

• Refresh the Oracle Delegated Administration Services (DAS) URL Cache

5.6.4.8 Running the oidstats.sql Script After Upgrading Oracle Internet Directory from 10g (9.0.4)

After you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), you could observe some degradation in the performance of some LDAP queries.

To remedy this issue, perform the following procedure, which updates some database statistics in the Oracle Database 10g database that hosts the Oracle Internet Directory server:

1. In the newly upgraded Oracle Internet Directory Oracle home, execute the following SQL script by connecting to the OID database as the ODS database user:

   sqlplus ods/<passwd> @%ORACLE_HOME%/ldap/admin/oidstats.sql
   
   

2. Restart the Oracle Internet Directory server as follows:

   1. Run the following command to stop the Oracle Internet Directory server:

      opmnctl stopproc ias-component=OID
      
      

   2. Wait a few seconds for the Oracle Internet Directory server to shut down completely.

   3. Run the following command to start the Oracle Internet Directory server:

      opmnctl startproc ias-component=OID
      
      

Similarly, if you are running in an environment where the database that hosts the Oracle Internet Directory is upgraded before you upgrade the Oracle Internet Directory, you should gather the database statistics immediately after the database upgrade by running the following SQL command on the database:

exec dbms_stats.gather_schema_stats('ODS'); 

5.6.4.9 Modifying DSA Configuration Entries After Upgrade

When you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), all attributes in the DSA Configuration entry are reset to their default values. For example:

cn=dsaconfig,cn=configsets,cn=oracle internet directory

As a result, if any attributes in this entry were modified before the upgrade, you must reconfigure them to their values before the upgrade.

5.6.4.10 Recreating Oracle Internet Directory Indexes After Upgrade

When you upgrade Oracle Internet Directory from 10g (9.0.4) to 10g Release 2 (10.1.2), some indexes are recreated automatically by the upgrade procedure. For example, the EI_attrstore index is recreated automatically during the upgrade.

As a result, if you recreated the EI_attrstore index before the upgrade, then the index will have to be recreated again after the upgrade. Note that recreating the EI_attrstore index is part of the performance recommendation for large group entry lookups described in section "21.8.1 Optimizing Searches for Large Group Entries" of the Oracle Internet Directory Administrator's Guide. If you performed this procedure prior to the upgrade to 10g Release 2 (10.1.2), you will need to perform this task again after the upgrade.

5.6.5.1 Re-configuring the OracleAS Single Sign-On Middle Tier

If the Release 2 (9.0.2) or 10g (9.0.4) middle tier for the Single Sign-On server had custom configurations (for example, Oracle HTTP Server configured for SSL, or the Oracle Application Server Single Sign-On server Database Access Descriptor had any custom configuration), then you must re-configure the upgraded 10g Release 2 (10.1.2) middle tier in a like manner.

If you are using OracleAS Portal and you reconfigure the 10g Release 2 (10.1.2) middle tier for SSL, the URL used for Oracle Delegated Administration Services might not be up-to-date. To remedy this problem, force a refresh of the portal cache, which holds the relevant Oracle Internet Directory information:

1. Logon to OracleAS Portal as a user with administrator privileges.

2. Go to the Builder.

3. Click the Administration tab.

4. From the Portal tab, open Global Settings and navigate to the SSO/OID tab.

5. Scroll to the bottom of the page.

6. Check Refresh Cache for the Oracle Internet Directory parameters.

7. Click Apply.

   The page should refresh with the appropriate value in the DAS Host Name field.

5.6.5.2 Configuring Third-party Authentication

If the Release 2 (9.0.2) or 10g (9.0.4) middle tier was configured to authenticate with a user certificate or third party authentication mechanism, then you must re-configure the 10g Release 2 (10.1.2) OracleAS Single Sign-On server in a like manner.

5.6.5.3 Installing Customized Pages in the Upgraded Server

If you have customized the login, password and the sign-off pages in the Release 2 (9.0.2) or 10g (9.0.4) Single Sign-On server, then you must update those pages with 10g Release 2 (10.1.2) specifications. This is also applicable if you have enabled support for Application Service Providers and updated the deployment login page to enable the company field.

5.6.5.4 Converting External Application IDs

select version from orasso.wwc_version$;

To avoid ID conflicts while exporting and importing external application data among multiple OracleAS Single Sign-On server instances, external application IDs must be unique. In the Release 2 (9.0.2) release, external application IDs were sequential, and not unique across instances. If you are upgrading from Release 2 (9.0.2) directly to 10g Release 2 (10.1.2), then you must convert existing short external application IDs to the longer format in the OracleAS Single Sign-On schema. Follow the steps below to convert the IDs:

1. Set the ORACLE_HOME environment variable to the Oracle home of the OracleAS Single Sign-On instance.

2. Execute the following script from the OracleAS Single Sign-On Oracle home, by using the following commands:

   sqlplus orasso/password
   spool extappid.log
   @?/sso/admin/plsql/sso/ssoupeid.sql
   spool off
   

   
   

   See Also: "Obtaining the Single Sign-On Schema Password" in the Oracle Application Server Single Sign-On Administrator's Guide

   
   
   
   

   Note: The ssoupeid.sql script generates and displays the SSO_IDENTIFIER. You might need the SSO_IDENTIFIER value to apply the patches to the OracleAS Portal schema if the value cannot be generated in the OracleAS Portal schema automatically or if the OracleAS Single Sign-On server used a randomly selected value for the SSO_IDENTIFIER.

   
   

3. If you are not upgrading OracleAS Portal to 10g Release 2 (10.1.2), but you have upgraded OracleAS Single Sign-On from Release 2 (9.0.2) directly to 10g Release 2 (10.1.2), you must apply a patch to each OracleAS Portal instance that is not going to be upgraded to 10g Release 2 (10.1.2).

   Refer to Table 5-5 for the appropriate patch number. Patches are available at:

   http://metalink.oracle.com/
   

5.6.5.5 Setting Up OracleAS Single Sign-On Replication

If you are using Oracle Internet Directory replication and want to also use OracleAS Single Sign-On replication, add the upgraded 10g Release 2 (10.1.2) tables in the replication group along with 9.0.4 Oracle Internet Directory. Follow the steps below to add OracleAS Single Sign-On tables for replication:

1. Stop the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.

2. On the Master Directory replica, in %ORACLE_HOME%\ldap\admin$ORACLE_HOME/ldap/admin, issue the following command:

   sqlplus repadmin/password@<mds connect id> @oidrssou.sql
   
   

3. Start the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.

   
   

   See Also: Oracle Internet Directory Administrator's Guide, Chapter 25, "Managing Directory Replication", for instructions.

   
   

5.6.5.6 Upgrading the OracleAS Single Sign-On Server with a Customized Middle Tier

If the Release 2 (9.0.2) or 10g (9.0.4) OracleAS Single Sign-On server was using a middle tier other than the default mid-tier installation along with the OracleAS Single Sign-On server, then you must configure that middle tier to point to the upgraded OracleAS Single Sign-On server.

For example, if there was a reverse proxy configured in the Release 2 (9.0.2) or 10g (9.0.4) OracleAS Single Sign-On server middle tier, then you must configure it on the 10g Release 2 (10.1.2) OracleAS Single Sign-On server middle tier.

5.6.5.7 Troubleshooting Wireless Voice Authentication

If you want to use wireless voice authentication with the 10g Release 2 (10.1.2) OracleAS Single Sign-On server, and it doesn't work, verify that the OracleAS Single Sign-On server entry is a member of the Verifier Services Group in Oracle Internet Directory (cn=verifierServices,cn=Groups,cn=OracleContext). This is a requirement for the wireless voice authentication feature. Follow the steps below to verify membership:

1. Issue the following command:

   ldapsearch -h host
       -p port 
       -D "cn=orcladmin" 
       -w password
       -b "cn=verifierServices, cn=Groups, cn=OracleContext" "objectclass=*"
   
   

   The OracleAS Single Sign-On server is a member of the Verifier Services Group if it is listed as a uniquemember in the entry, as shown in Example 5-1.

   Example 5-1 OracleAS Single Sign-On Server uniquemember Listing

   cn=verifierServices, cn=Groups,cn=OracleContext
   .
   .
   .
   uniquemember=orclApplication
   CommonName=ORASSO_SSOSERVER,cn=SSO,cn=Products,cn=OracleContext
   .
   .
   .
   

5.6.5.8 Installing Languages in the OracleAS Single Sign-On Server

If you did not select any languages during the OracleAS Single Sign-On upgrade, or you want to install additional languages after the upgrade, you can install the necessary languages by following the steps below.

1. Copy the necessary language files from the Repository Creation Assistant CD-ROM to the OracleAS Single Sign-On server Oracle home:

   copy repCA_CD\portal\admin\plsql\nlsres\ctl\lang\*.* DESTINATION_ORACLE_HOME\sso\nlsres\ctl\lang
   
   

   In this example, lang is the language code. For example, the language code for Japanese is ja.

2. Load the languages into the server.

   
   

   See Also: Oracle Application Server Single Sign-On Administrator's Guide, Chapter 2, "Configuring Globalization Support" section, for instructions on loading the languages.

   
   

5.6.5.9 Re-Registering OracleAS Portal with the Upgraded OracleAS Single Sign-On Server

After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g Release 2 (10.1.2), the OracleAS Single Sign-On schemas are relocated in the Oracle Internet Directory database. OracleAS Portal keeps a database link reference to the OracleAS Single Sign-On server password store schema ORASSO_PS. This link reference must be updated.

To re-register OracleAS Portal with the upgraded OracleAS Single Sign-On server from a middle tier whose version is 10g (10.1.2):

1. Change directory to the following location in the destination middle tier Oracle home:

   DESTINATION_ORACLE_HOME\portal\conf
   
   

2. Run the following command:

   ptlconfig -dad portal_DAD -sso
   

If the version of your middle-tier is lower than 10.1.2, you must use the Oracle Portal Configuration Assistant command line utility ptlasst to reregister OracleAS Portal with Oracle Single Sign-On. Refer to the appropriate version of the Oracle Application Server Portal Configuration Guide for instructions on how to use ptlasst.

5.6.5.10 Re-Registering mod_osso with the Upgraded OracleAS Single Sign-On Server

After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g Release 2 (10.1.2), you may need to re-register mod_osso in order for an Oracle9iAS Release 2 (9.0.2) middle tier to operate with the upgraded OracleAS Single Sign-On server.

You will need to do this if the Oracle HTTP Server host and port information for mod_osso was changed. Before re-registering mod_osso, you must first set the value of the ColocatedDBCommonName attribute in the following configuration file to the global database name of the new OracleAS Single Sign-On server database shared with Oracle Internet Directory (for example, iasdb.host.mydomain).

SOURCE_ORACLE_HOME\config\ias.properties

5.6.5.11 Using an Upgraded Identity Management Configuration with Oracle9iAS Discoverer Release 2 (9.0.2)

If you upgraded an Identity Management configuration that was in use by Oracle9iAS Discoverer Release 2 (9.0.2), and you want to continue operating Oracle9iAS Discoverer Release 2 (9.0.2) with the upgraded Identity Management, then you must change the value of the ColocatedDBCommonName attribute in the following configuration file:

SOURCE_ORACLE_HOME\config\ias.properties

The value must be changed to the global database name of the database used by the upgraded Oracle Internet Directory (for example, iasdb.oid_host_name.domain).

5.6.5.12 Inactivity Timeout Issues When Upgrading From Release 2 (9.0.2) to 10g Release 2 (10.1.2)

If you are upgrading OracleAS Single Sign-On server from Release 2 (9.0.2) to 10g Release 2 (10.1.2) and you are using the inactivity timeout feature, then you must do the following:

1. Upgrade associated mid-tiers used by other applications, such as Portal, to 10g Release 2 (10.1.2).

2. Re-register mod_osso to ensure that inactivity timeout cookie issued by 10g Release 2 (10.1.2) OracleAS Single Sign-On server can be interpreted and used by associated mid-tiers to enforce inactivity timeout.

5.6.5.13 Removing Obsolete OracleAS Single Sign-On Partner Applications

After the upgrade, you will notice additional partner applications on the OracleAS Single Sign-On Partner Application administration page.

For example, you will notice two Oracle Application Server Certificate Authority (OCA) partner applications and two OracleAS Wireless partner applications.

You can safely remove the 10g (9.0.4) OCA partner application that uses port 4400.

As for the OracleAS Wireless partner applications, the 10g Release 2 (10.1.2) Oracle HTTP Server configuration is changed after during the upgrade to use the 10g (9.0.4) HTTP Server port; this partner application is not valid and can be removed. The valid OracleAS Wirelesspartner application is the upgraded partner application, which existed in the 10g (9.0.4) environment.

5.6.7.1 Upgrading Wireless User Accounts in Oracle Internet Directory

In Oracle Application Server Wireless Release 2 (9.0.2), user account numbers and PINs for wireless voice authentication were stored in the Wireless repository.

In Oracle Application Server Wireless 10g Release 2 (10.1.2), new attributes are added in the object definition of the orcluserV2 object class of Oracle Internet Directory to store the account number and PIN. As part of the Oracle Application Server Wireless upgrade from Release 2 (9.0.2) to 10g Release 2 (10.1.2), user account numbers and PINs must be transferred from the Wireless repository to Oracle Internet Directory.

This upgrade step can be performed only after the Oracle Application Server Infrastructure and all middle tiers are upgraded to 10g Release 2 (10.1.2). If they are not upgraded, the Oracle Application Server Wireless server will continue to authenticate voice devices locally (without Oracle Application Server Single Sign-On).

To upgrade the account numbers and PINs:

1. Issue the command:

   DESTINATION_ORACLE_HOME\wireless\bin\migrate902VoiceAttrsToOID.bat
      DESTINATION_ORACLE_HOME 
      ldapmodify_location 
      userdn 
      password
      dif_file_location
      log_file
   
   

   In this example:

   • ldapmodify_location is the location of the ldapmodify utility, which is usually in the bin directory of the destination Oracle home.

   • user_dn is the DN of the Oracle Internet Directory administrator user

   • password is the password of the Oracle Internet Directory administrator user

   • ldif_file_location is the absolute path to the ldif (Lightweight Directory Interchange Format) file. This file contains user account numbers and PINs and is uploaded to Oracle Internet Directory by the ldapmodify utility. This temporary file may be removed after the user upgrade procedure has been completed successfully.

   • log_file is the absolute path to the log file

Example:

migrate902VoiceAttrsToOID.bat 
    c:\oracle\ias904\ 
    c:\oracle\ias904\bin\ldapmodify 
    "cn=orcladmin" 
    welcome1 
    c:\oracle\ias904\users.ldif 
    c:\oracle\ias904\users.log

5.6.7.2 Adding Unique Constraint on the orclWirelessAccountNumber Attribute in Oracle Internet Directory

In 10g Release 2 (10.1.2), Oracle Internet Directory does not automatically set unique constraints on any user attributes. Wireless voice authentication will not function properly unless a unique constraint is set on the orclWirelessAccountNumber attribute of the orclUserV2 object class.

Set the unique constraint by performing the steps below after the middle tier and infrastructure upgrades are complete.

1. Execute the script addAccountNumberUniqueConstraint.bataddAccountNumberUniqueConstraint.sh, which is located in the following directory:

   DESTINATION_ORACLE_HOME\wireless\bin
   
   

   The script takes one argument, the full path to the Oracle home. For example:

   addAccountNumberUniqueConstraint.bat DESTINATION_ORACLE_HOME
   
   

2. Restart the Oracle Internet Directory server.

5.6.7.3 Disabling Oracle Application Server Wireless Upgrade Triggers in the Infrastructure Repository

When Oracle Application Server Wireless 10g Release 2 (10.1.2) is installed against an Oracle9iAS Release 2 (9.0.2) infrastructure, a number of triggers are automatically installed, that ensure that both Oracle9iAS Wireless Release 2 (9.0.2) and Oracle Application Server Wireless 10g Release 2 (10.1.2) middle tiers can function correctly. Once all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers and the infrastructure tier have been upgraded to Oracle Application Server Wireless 10g Release 2 (10.1.2), you must execute the following script to disable any upgrade-related triggers.

disable902-904_trg.bat

This script is located in the following directory:

DESTINATION_ORACLE_HOME\wireless\bin

You must set the ORACLE_HOME environment variable before you execute the script.

5.6.7.4 Activating All OracleAS Wireless 10g Release 2 (10.1.2) Features

When Oracle Application Server Wireless 10g Release 2 (10.1.2) is installed against an Oracle9iAS Release 2 (9.0.2) Infrastructure, a number of features are disabled by default, as they are not compatible with existing Oracle9iAS Wireless Release 2 (9.0.2) middle tiers that are installed against the same Infrastructure. After all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers have been upgraded to Oracle Application Server Wireless10g Release 2 (10.1.2), you can manually enable these features. Once you have enabled these features, the Oracle9iAS Wireless Release 2 (9.0.2) middle tiers will no longer function correctly.

Enable the Oracle Application Server Wireless 10g Release 2 (10.1.2) features by executing the following script from any of the Oracle Application Server Wireless 10g Release 2 (10.1.2) middle tiers, using the command below. This script is in the following directory of the destination Oracle home:

DESTINATION_ORACLE_HOME\wireless\bin

The command takes the following arguments:

upload.bat wireless_repository_location  -l wireless_user_name/wireless_password

In this example:

• wireless_repository_location is the relative path to the OracleAS Wireless XML-based repository

• wireless_user_name is the name of the Oracle Application Server Wireless user

• wireless_password is the password of the Oracle Internet Administrator

For example:

upload.bat  ..\repository\xml\activate-9040.xml -l orcladmin/welcome1

5.6.7.5 Assigning Change Password Privilege to OracleAS Wireless

In Oracle Application Server 10g Release 2 (10.1.2), by default, the OracleAS Wireless application entity does not have the privileges to change the user password. Consequently, upon installation, users cannot change the password to the OracleAS Wireless server. However, you can enable functionality to change passwords by assigning the UserSecurityAdmins privilege to the OracleAS Wireless application entity.

To do this, execute the following script:

DESTINATION_ORACLE_HOME\wireless\bin\assignUserSecurityAdminsPrivilege.bat

The syntax is:

assignUserSecurityAdminsPrivilege.bat oid_super_user_dn user_password

In this example:

• oid_super user_dn is the Distinguished Name of the Oracle Internet Directory super user. This user should have privileges to grant UserSecurityAdmins privileges to application entities.

• user_password is the password of the Oracle Internet Directory super user.

For example:

assignUserSecurityAdminsPrivilege.bat "cn=orcladmin" welcome1

5.6.7.6 Specifying URL Query Parameters for Wireless Services That Use the HTTP Adapter

When you use the HTTP adapter to build Wireless services, one of the service parameters that you must specify is the URL to a back-end application. In some cases, you may send some query parameters to the back-end application. There are two ways to do this from OracleAS Wireless, shown in Example 5-2 and Example 5-3. In Example 5-2, the parameter name is fn and the value is Joe.

http://localhost:7777/myapp/home.jsp?fn=Joe

The query parameter is sent only in the request for the first page of that service. If there is a link from the first page to some other pages, then the parameter is not added to the request for those pages.

http://localhost:7777/myapp/home.jsp 

Instead of modifying the URL, you add an extra service parameter with name fn and value Joe. The the parameter is sent to all pages, not just the first one. The parameter is also sent with all HTTP redirect requests. However, this method also sends extra URL parameters to the OracleAS Single Sign-On server, which causes the server to return an error.

The error occurs when the back-end application is protected by mod_osso. In that case, the request to that application is intercepted and redirected to the Oracle SSO server for user authentication. The OracleAS Single Sign-On server has restrictive rules concerning query parameters that can be sent to it. Consequently, for back-end applications protected by mod_osso, you must change the Wireless service and add the query parameter to the URL as shown in Example 5-2.