Oracle® Application Server 10g Upgrading to 10g (9.0.4)
10g (9.0.4) for UNIX Part No. B10429-01
This chapter explains how to upgrade Identity Management services. Before you perform the tasks in this chapter, you must perform the steps in Section 4.2, "Preparing to Upgrade the Metadata Repository".
The chapter consists of the following sections:
Section 5.1, "Upgrading Identity Management"
Section 5.2, "Performing an Oracle Internet Directory Multi-Master Replication Upgrade"
Section 5.3, "Upgrading Oracle Internet Directory v. 9.2.0.x to 10g (9.0.4)"
Section 5.4, "Performing Infrastructure Post-Upgrade Tasks"
Section 5.5, "Decommissioning the Release 2 (9.0.2) Oracle Home"
Identity Management comprises Oracle Application Server Single Sign-On and Oracle Internet Directory. This section describes possible configurations for Identity Management, and explains how to upgrade it using the Oracle Universal Installer. The following topics are included:
Section 5.1.1, "Identity Management Configuration Overview"
Section 5.1.2, "Understanding the Identity Management Upgrade Processes"
Section 5.1.3, "Using Oracle Universal Installer to Upgrade Identity Management"
In Oracle9iAS Release 2 (9.0.2), a database tier is required to operate Oracle Application Server Single Sign-On and Oracle Internet Directory. The Metadata Repository contains the necessary schemas for these components.
An Oracle9iAS Release 2 (9.0.2) Identity Management configuration can be non-distributed, in which Oracle Application Server Single Sign-On and Oracle Internet Directory share a metadata repository. This is depicted in Figure 5-1. Alternatively, the Identity Management configuration can be distributed, in which Oracle Application Server Single Sign-On and Oracle Internet Directory each use a separate metadata repository. This is depicted in Figure 5-2.
In Oracle Application Server 10g (9.0.4), the distributed configuration is different from that in Release 2 (9.0.2), in that a single Metadata Repository is shared between Oracle Application Server Single Sign-On and Oracle Internet Directory, and Oracle Application Server Single Sign-On accesses it from a different computer. This is shown in Figure 5-3.
Notes: As shown in Figure 5-1, the non-distributed configuration in the 10g (9.0.4) release is similar to that in Oracle9iAS Release 2 (9.0.2).
If, in Oracle9iAS Release 2 (9.0.2), you had a Delegated Administration Services (DAS) or Directory Integration and Provisioning (DIP) operating in a middle tier, and you want to set up a DAS or DIP in 10g (9.0.4), you must perform a DAS-only or DIP-only installation in a separate Oracle home. See the section titled "Installing Identity Management Components Only" in the chapter "Installing OracleAS Infrastructure 10g" in the Oracle Application Server 10g Installation Guide.
Figure 5-1 Non-Distributed Identity Management in Release 2 (9.0.2) and 10g (9.0.4)
Figure 5-2 Distributed Identity Management in Release 2 (9.0.2)
Figure 5-3 Distributed Identity Management in 10g (9.0.4)
Note: If the Release 2 (9.0.2) Oracle Application Server Single Sign-On server was using a middle tier other than the default mid-tier installation with the SSO server, then that middle tier must be re-configured to point to the upgraded Oracle Application Server Single Sign-On server.
The Identity Management schemas are contained in the Metadata Repository, along with other component schemas (such as those for OracleAS Portal and Oracle Ultra Search). However, the upgrade process for the Identity Management schemas (labeled OID/SSO in Figure 5-4) is different from the upgrade process for the component schemas (labeled MRC in Figure 5-4). The Identity Management schemas are upgraded by the Oracle Universal Installer, as shown in Figure 5-4, "Identity Management Upgrade". The component schemas are upgraded by individual scripts.
The Identity Management upgrade consists of these steps:
The Metadata Repository Container Upgrade script is run.
Note: The Metadata Repository Container Upgrade script upgrades the Metadata Repository that is in use by the Identity Management services being upgraded. After this script is run, no new Oracle9iAS Release 2 (9.0.2) middle tier installations may use this Metadata Repository. However, existing Oracle9iAS Release 2 (9.0.2) middle tier installations will continue to function.
The Oracle Universal Installer is started; Oracle Internet Directory and Oracle Application Server Single Sign-On are installed in the new Oracle home and Oracle Internet Directory and Oracle Application Server Single Sign-On schemas are upgraded in the Metadata Repository.
All post-upgrade steps that are applicable to the upgraded configuration are performed, as described in Section 5.4, "Performing Infrastructure Post-Upgrade Tasks".
Note: Do not manually delete any database (*.dbf) files that remain in the Oracle9iAS Release 2 (9.0.2) Infrastructure Oracle home (labeled OH1 in Figure 5-4) after Identity Management is upgraded to Oracle Application Server 10g (9.0.4). The Identity Management upgrade process does not copy or relocate any (*.dbf) files or redo log files to the destination Oracle home. If the (*.dbf) files were located in the source Oracle home before the Identity Management upgrade, they will remain there after the upgrade, unless you relocate them. For information on relocating the database files to the destination Oracle home, see Section 5.5, "Decommissioning the Release 2 (9.0.2) Oracle Home".
The Identity Management upgrade is performed by Oracle Universal Installer. Oracle Universal Installer launches configuration assistants that upgrade the Oracle Internet Directory and Oracle Application Server Single Sign-On database schema. This upgrade can only be performed by a user with SYS credentials.
Before you start the Identity Management upgrade, ensure that:
The steps in Section 4.2, "Preparing to Upgrade the Metadata Repository" have been performed.
The database server is running.
The database listener is running.
The Oracle Internet Directory server is running. To verify this, issue the following commands (each should return "bind successful"):
<source_Infra_OH>/bin/ldapbind -p <Non-SSL port>
<source_Infra_OH>/bin/ldapbind -p <SSL port> -U 1
Follow these steps to upgrade a non-distributed Identity Management configuration (depicted in Figure 5-1, "Non-Distributed Identity Management in Release 2 (9.0.2) and 10g (9.0.4)"). Oracle Universal Installer will prompt you to stop and start certain components during the upgrade.
Log in to the computer on which Oracle9iAS Release 2 (9.0.2) is installed, as the same operating system user that performed the Oracle9iAS Release 2 (9.0.2) installation.
Mount the CD-ROM.
Start the installer.
The Welcome screen appears as shown in Figure 5-5.
Click Next.
The Specify File Locations screen appears as shown in Figure 5-6.
Enter a new Oracle home name and a path for the 10g (9.0.4) upgrade and click Next.
The Select a Product To Install screen appears as shown in Figure 5-7.
Select OracleAS Infrastructure 10g. If multiple languages are used in the Oracle9iAS Release 2 (9.0.2) Infrastructure, then click Product Languages. If you want only English to be installed in Oracle Application Server 10g (9.0.4), then click Next and continue with Step 8.
The Language Selection screen appears as shown in Figure 5-8.
Select the languages you want to install and click OK.
Note: If multiple languages were installed in Oracle9iAS Release 2 (9.0.2), select those languages. If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.
The Select a Product to Install screen appears again.
Click Next.
The Select Installation Type screen appears as shown in Figure 5-9.
Select Identity Management and OracleAS Metadata Repository and click Next.
The Upgrade Existing Infrastructure screen appears as shown in Figure 5-10.
Figure 5-10 Upgrade Existing OracleAS Infrastructure Screen
Select Upgrade Selected Oracle9iAS 9.0.2 Infrastructure.
Select the Infrastructure you want to upgrade from the drop-down list, then click Next. (If there is only one Infrastructure on the computer, then the drop-down list is inactive.)
The Specify Login for Oracle Internet Directory screen appears as shown in Figure 5-11.
Figure 5-11 Specify Login for Oracle Internet Directory Screen
Enter the OID superuser DN in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the OID superuser DN is not cn=orcladmin.
Enter the password in the Password field and click Next.
The Specify Infrastructure Database Connection screen appears as shown in Figure 5-27.
Figure 5-12 Specify Infrastructure Database Connection Information Screen
Enter SYS in the Username field and the SYS user’s password in the Password field and click Next.
A warning dialog appears as shown in Figure 5-13, instructing you to stop processes in the Oracle home.
Stop Oracle Internet Directory and the Metadata Repository database listener.
Stop all processes in the Oracle home.
Ensure that the Metadata Repository database is running, then click OK.
The Specify Instance Name and ias_admin Password screen appears as shown in Figure 5-14.
Figure 5-14 Specify Instance Name and ias_admin Password Screen
Complete the Instance Name, ias_admin Password, and Confirm Password fields and click Next.
The Summary screen appears as shown in Figure 5-15.
Click Install.
The Install screen appears as shown in Figure 5-17, and the upgrade starts. The processing time varies, but it will be several minutes before you are prompted to take any action.
The Setup Privileges dialog appears as shown in Figure 5-17.
Open a window and run the script, then click OK in the dialog.
The script may take a few minutes to complete, depending on the speed and workload of the computer on which it is running. After the script completes, the Configuration Assistants screen appears as shown in Figure 5-18. The configuration process is lengthy.
Click Next.
After several minutes, the End of Installation screen appears as shown in Figure 5-18.
Verify that Oracle Internet Directory and Oracle Application Server Single Sign-On are functioning and accessible.
See Also: Oracle Application Server 10g Administrator's Guide, Chapter 1, "Accessing the Single Sign-On Server".
Follow the steps below to upgrade a distributed Identity Management configuration (depicted in Figure 5-2, "Distributed Identity Management in Release 2 (9.0.2)"). This upgrade includes separate processes for Oracle Internet Directory and OracleAS Single Sign-On.
Perform the steps in Section 5.1.3, "Using Oracle Universal Installer to Upgrade Identity Management", and Section 5.1.3.1, "Upgrading a Non-Distributed Identity Management Configuration".
After the upgrade, the Oracle Internet Directory server is running in the new Oracle home.
Perform the steps below to upgrade the Oracle Application Server Single Sign-On server. Before you begin, ensure that:
The Oracle Internet Directory upgrade is complete.
You have credentials for the Oracle Application Server Single Sign-On database.
You have credentials for the Oracle Internet Directory database.
The Oracle Internet Directory database is running.
Log in to the computer on which Oracle9iAS Release 2 (9.0.2) Oracle Application Server Single Sign-On is installed.
Mount the CD-ROM.
Start the installer.
The Welcome screen appears as shown in Figure 5-20.
Click Next.
The Specify File Locations screen appears as shown in Figure 5-21.
Enter a new Oracle home name and path for the 10g (9.0.4) upgrade and click Next.
The Select a Product To Install screen appears as shown in Figure 5-22.
Select OracleAS Infrastructure 10g. If multiple languages are used in the Oracle9iAS Release 2 (9.0.2) Infrastructure, then click Product Languages. If you want only English to be installed in Oracle Application Server 10g (9.0.4), then click Next and continue with Step 8.
The Language Selection screen appears as shown in Figure 5-23.
Select the languages you want and click OK.
Note: If multiple languages were installed in Oracle9iAS Release 2 (9.0.2), select those languages. If you are not sure which languages were installed, but want languages other than English, click the double arrow button (>>) to select all languages.
The Select a Product To Install screen appears again.
Click Next.
The Select Installation Type screen appears as shown in Figure 5-24.
Select Identity Management and OracleAS Metadata Repository and click Next.
The Upgrade Existing Infrastructure screen appears as shown in Figure 5-25.
Figure 5-25 Upgrade Existing OracleAS Infrastructure Screen
Ensure that the database listener in the Oracle9iAS Release 2 (9.0.2) Oracle Application Server Single Sign-On Oracle home is running.
Select Upgrade Selected Oracle9iAS 9.0.2 Infrastructure.
Select the Infrastructure you want to upgrade from the drop-down list, then click Next. (If there is only one Infrastructure, the drop-down list is inactive.)
The Specify Login for Oracle Internet Directory screen appears as shown in Figure 5-26.
Figure 5-26 Specify Login for Oracle Internet Directory Screen
Enter the Oracle Internet Directory superuser DN in the Username field. The superuser DN cn=orcladmin is the default for this field; change this value if the DN is not cn=orcladmin.
Enter the password in the Password field and click Next.
The Specify Infrastructure Database Connection screen appears as shown in Figure 5-27.
Figure 5-27 Specify Infrastructure Database Connection Information Screen
Enter the Oracle Application Server Single Sign-On SYS user name in the Username field and the SYS user’s password in the Password field and click Next. You are connecting to the Oracle Application Server Single Sign-On database.
The Specify OID Database Login screen appears as shown in Figure 5-28.
Enter the Oracle Internet Directory Database SYS user name in the Database Administrator Username field and the password in the password field, then click Next.
A warning dialog appears, instructing you to stop processes in the Oracle home.
Stop the Oracle HTTP Server and click OK.
The Specify Instance Name and ias_admin Password screen appears as shown in Figure 5-29.
Figure 5-29 Specify Instance Name and ias_admin Password Screen
Complete the Instance Name, ias_admin Password, and Confirm Password fields and click Next.
The Summary screen appears as shown in Figure 5-30.
Click Install.
The Install screen appears as shown in Figure 5-31, and the upgrade starts. The processing time varies, but it will be several minutes before you are prompted to take any action.
The Setup Privileges dialog appears as shown in Figure 5-32.
Open a window and run the script, then click OK in the dialog.
The script may take up to an hour to complete, depending on the speed and workload of the computer on which it is running. After the script completes, the Configuration Assistants screen appears as shown in Figure 5-33. The configuration process is lengthy.
Click Next.
The End of Installation screen appears as shown in Figure 5-34.
Verify that Oracle Application Server Single Sign-On is functioning and accessible.
See Also: Oracle Application Server 10g Administrator's Guide, Chapter 1, "Accessing the Single Sign-On Server".
This section describes how to upgrade Oracle Internet Directory in a replicated environment. You can upgrade one computer at a time, or all of the computers at one time. Instructions are provided for each method in the following sub-sections:
Section 5.2.1, "Upgrading Oracle Internet Directory on One Replica"
Section 5.2.2, "Upgrading Oracle Internet Directory on Multiple Replicas Simultaneously"
Oracle Corporation recommends that during upgrade, in order to prevent conflicts, the replication environment be a Single Master (that is, only one replica is read/write and all others are read only).
Upgrading one computer at a time makes Oracle Internet Directory available during the upgrade for additions, modifications, and searching.
Follow these steps to upgrade one replica at a time:
Identify and upgrade the Master Definition Site (MDS).
See Also: Oracle Internet Directory Administrator's Guide, Chapter 25, Managing Directory Replication
Stop the replication server, the LDAP server, and oidmon on the replica to be upgraded.
Delete all Advanced Symmetric Replication (ASR) jobs on other replicas in the replicated environment by issuing the command:
<source_Infra_OH>/ldap/admin/delasrjobs.sql
All ASR jobs on other master sites that transfer changes to the MDS are deleted. This has the effect of taking the MDS out of the replication environment, so that no changes come to it, while other replicas continue to operate and replicate changes.
Stop the database and listener on the replica to be upgraded.
Start the Oracle Universal Installer.
The database and Oracle Internet Directory are upgraded.
Start the database and the listener.
Test the connectivity to other replicas. The Net8 migration assistant might have modified listener.ora and tnsnames.ora, breaking connectivity. If connectivity is broken, identify the entries that were modified in the files, and restore the entries from the files in <source_Infra_OH>/network/admin/ to the corresponding files:
<destination_Infra_OH>/network/admin/listener.ora
<destination_Infra_OH>/network/admin/sqlnet.ora
See Section 3.8.5.3, "Upgrading the tnsnames.ora File" for instructions and cautions on modifying the tnsnames.ora file.
Create jobs on each replica, after it is upgraded, by issuing the command:
<destination_Infra_OH>/ldap/admin/remtool -asrrectify
The jobs that were deleted in Step 3 are re-created. They will begin transferring the existing changes and new changes from other replicas to the upgraded replicas.
Perform the post-upgrade procedures.
After upgrading the Infrastructure to Oracle Application Server 10g (9.0.4), include the ORACLE_SID environment variable in the <destination_Infra_OH>/opmn/conf/opmn.xml file, as shown:
<?xml version = '1.0' encoding = 'UTF-8'?>
<opmn xmlns="http://www.acme.com/ias-instance">
...
</ias-component>
<ias-component id="OID" status="enabled">
  <process-type id="OID" module-id="OID">
    <environment>
      <variable id="ORACLE_SID" value="value_of_oracle_sid"/>
    </environment>
    <stop timeout="1800"/>
    <process-set id="OID" numprocs="1">
      <dependencies>
...
</opmn>
Ensure that the ORACLE_SID environment variable is set to the Oracle Internet Directory replica database.
Start the LDAP server and oidmon on the replica to be upgraded.
Change the password of the replication DN of the upgraded replica by issuing the following command:
<destination_Infra_OH>/ldap/admin/remtool -presetpwd -v -bind <host>:<port>
Start the replication server.
Upgrade each of the other master site replicas by performing Steps 2 through 11.
Upgrade the database replication table by performing the steps below:
Stop the replication server on all replicas.
Quiesce the replication environment by issuing this command on the MDS replica:
<destination_Infra_OH>/ldap/admin/remtool -suspendasr
Connect as REPADMIN (the database replication administrator) on the MDS replica and issue the following command:
execute DBMS_REPCAT.ALTER_MASTER_REPOBJECT (sname=> 'ODS', oname=> 'ASR_CHG_LOG', type=> 'TABLE', ddl_text=> 'alter table ods.asr_chg_log modify target_dn varchar2 (1024)')
Execute the following SQL command repeatedly until the "no rows selected" message appears:
SELECT * from dba_repcatlog WHERE request = 'ALTER_MASTER_REPOBJECT';
Generate replication support for the ASR_CHG_LOG table by issuing the command:
execute DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT (sname=> 'ODS', oname=> 'ASR_CHG_LOG', type=> 'TABLE');
Execute the following SQL command repeatedly until the "no rows selected" message appears:
SELECT * from dba_repcatlog WHERE request = 'ALTER_MASTER_REPOBJECT';
Resume the database replication by issuing the following command:
<destination_Infra_OH>/ldap/admin/remtool -resumeasr
Start the replication server on all replicas.
Upgrading multiple replicas simultaneously ensures that the entire network is upgraded without a transient stage. The procedure is simpler than that for upgrading one replica at a time, but involves directory service downtime.
Follow these steps to upgrade multiple replicas simultaneously:
Stop the replication server, the LDAP server, and oidmon on all replicas in the Directory Replication Group.
Stop the database and listener on all replicas in the DRG.
Start the Oracle Universal Installer.
The database and Oracle Internet Directory are upgraded.
Start the database and the listener on all replicas.
Test the connectivity to other replicas. The Net8 migration assistant might have modified listener.ora and tnsnames.ora, breaking connectivity. If connectivity is broken, identify the entries that were modified in the files, and restore the entries from the files in <source_Infra_OH>/network/admin/ to the corresponding files:
<destination_Infra_OH>/network/admin/listener.ora
<destination_Infra_OH>/network/admin/sqlnet.ora
See Section 3.8.5.3, "Upgrading the tnsnames.ora File" for instructions and cautions on modifying the tnsnames.ora file.
Perform the post-upgrade procedures.
Upgrade the database replication table by performing the steps below:
Stop the replication server on all replicas.
Quiesce the replication environment by issuing this command on the MDS replica:
<destination_Infra_OH>/ldap/admin/remtool -suspendasr
Connect as REPADMIN (database replication administrator) on the MDS replica and issue the following command:
execute DBMS_REPCAT.ALTER_MASTER_REPOBJECT (sname=> 'ODS', oname=> 'ASR_CHG_LOG', type=> 'TABLE', ddl_text=> 'alter table ods.asr_chg_log modify target_dn varchar2 (1024)')
Execute the following SQL command repeatedly until the "no rows selected" message appears:
SELECT * from dba_repcatlog WHERE request = 'ALTER_MASTER_REPOBJECT';
Generate replication support for the ASR_CHG_LOG table by issuing the command:
execute DBMS_REPCAT.GENERATE_REPLICATION_SUPPORT (sname=> 'ODS', oname=> 'ASR_CHG_LOG', type=> 'TABLE');
Execute the following SQL command repeatedly until the "no rows selected" message appears:
SELECT * from dba_repcatlog WHERE request = 'ALTER_MASTER_REPOBJECT';
Resume the database replication by issuing the following command:
<destination_Infra_OH>/ldap/admin/remtool -resumeasr
Verify that the replication environment is set up correctly by issuing the following command:
<destination_Infra_OH>/ldap/admin/remtool -asrverify [-v -conn @<repadmin>/<password>@<connect string for the mds replica>]
After upgrading the Infrastructure to Oracle Application Server 10g (9.0.4), include the ORACLE_SID environment variable in the <destination_Infra_OH>/opmn/conf/opmn.xml file, as shown:
<?xml version = '1.0' encoding = 'UTF-8'?>
<opmn xmlns="http://www.acme.com/ias-instance">
...
</ias-component>
<ias-component id="OID" status="enabled">
  <process-type id="OID" module-id="OID">
    <environment>
      <variable id="ORACLE_SID" value="value_of_oracle_sid"/>
    </environment>
    <stop timeout="1800"/>
    <process-set id="OID" numprocs="1">
      <dependencies>
...
</opmn>
Change the password of the replication DN by issuing this command on each replica:
<destination_Infra_OH>/ldap/admin/remtool -presetpwd -v -bind <host>:<port>
Ensure that the ORACLE_SID environment variable is set to the Oracle Internet Directory replica database.
Start the replication server, the LDAP server, and oidmon on all the replicas.
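For the connectivity step in both replica upgrade procedures above, this added shell example (not from the Oracle guide) lists which entries differ between the source and destination copies of an Oracle Net file, ignoring layout-only changes. The function names, host names and sample files are constructed, and the parser assumes that parameter names start in column one with continuation lines indented.

```shell
#!/bin/sh
# Added example, not Oracle code: find Oracle Net entries changed by the upgrade.
# Assumed file syntax: a parameter name starts in column one, continuation
# lines are indented, and a line starting with "#" is a comment.

# changed_net_entries SOURCE_FILE DESTINATION_FILE
# Prints, sorted, one line per difference:
#   changed NAME   definition differs (whitespace ignored)
#   missing NAME   present only in the source copy
#   added NAME     present only in the destination copy
changed_net_entries() {
    awk '
        function flush() {
            if (name != "") {
                gsub(/[ \t\r]/, "", val)      # layout changes are not differences
                if (side == "s") src[name] = val; else dst[name] = val
            }
            name = ""; val = ""
        }
        FNR == 1 { flush(); side = (FILENAME == ARGV[1]) ? "s" : "d" }
        /^[ \t]*#/ || /^[ \t\r]*$/ { next }
        /^[^ \t()]/ {                          # column-one text starts an entry
            flush()
            eq = index($0, "=")
            name = (eq > 0) ? substr($0, 1, eq - 1) : $0
            val = (eq > 0) ? substr($0, eq + 1) : ""
            name = toupper(name); gsub(/[ \t\r]/, "", name)
            next
        }
        { val = val $0 }                       # continuation of the current entry
        END {
            flush()
            for (n in src) {
                if (!(n in dst)) { print "missing " n }
                else if (src[n] != dst[n]) { print "changed " n }
            }
            for (n in dst) if (!(n in src)) print "added " n
        }
    ' "$1" "$2" | sort
}

# write_samples DIR: constructed stand-ins for the two tnsnames.ora copies.
write_samples() {
    cat > "$1/source_tnsnames.ora" <<'EOF'
# constructed sample: copy from <source_Infra_OH>/network/admin
IASDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = replica1.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = iasdb.example.com)))
REPLICA2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = replica2.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = iasdb2.example.com)))
REPLICA3 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = replica3.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = iasdb3.example.com)))
EOF
    cat > "$1/destination_tnsnames.ora" <<'EOF'
# constructed sample: copy from <destination_Infra_OH>/network/admin
iasdb = (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = replica1.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = iasdb.example.com)))
REPLICA2 =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = iasdb2.example.com)))
EXTPROC_CONNECTION_DATA =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
    (CONNECT_DATA = (SID = PLSExtProc)))
EOF
}

# Run the comparison on the constructed samples.
demo_net_diff() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    changed_net_entries "$dir/source_tnsnames.ora" "$dir/destination_tnsnames.ora"
    rm -rf "$dir"
}

demo_net_diff
```

Entries reported as changed or missing are the ones to compare by hand against the source copy before restoring them; the same function can be pointed at the two listener.ora copies.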
Oracle Internet Directory version 9.2.0.x, shipped with the Oracle9i Release 2 database, was a standalone release of Oracle Internet Directory. The Oracle Internet Directory database repository contained only Oracle Internet Directory schema.
The 10g (9.0.4) release supports upgrade of a v. 9.2.0.x Oracle Internet Directory deployed with the Oracle 9.2 database repository. Follow the steps below to perform this upgrade.
Stop all processes in the Oracle home.
Back up the database.
If the Oracle Internet Directory database was created with the Oracle9i Management and Integration installation type, you must install the Oracle9i Database 9.2.0.1.0 Software Only installation type into the same Oracle home, over the database created with the Management and Integration installation type. The Software Only installation type has the options required to use a 9.2 database as a metadata repository.
Use the Repository Creation Assistant to convert the 9.2 database to a metadata repository. See Chapter 10, "Installing the OracleAS Metadata Repository in an Existing Database" in the Oracle Application Server 10g Installation Guide.
Note: On the Register with Oracle Internet Directory screen of the Repository Creation Assistant, select Register Later.
The metadata repository now has the 10g (9.0.4) version of the schema for all OracleAS components except Oracle Internet Directory. The Oracle Internet Directory schema is still at version 9.2.
Create the Oracle Internet Directory tablespaces olts_svrmgstore and olts_battrstore in the 9.2.0.4 Oracle Internet Directory database repository by executing the following SQL statements as SYS:
create tablespace olts_svrmgstore datafile 'svrmg1_oid.dbf' size 1M reuse autoextend on MAXSIZE UNLIMITED EXTENT MANAGEMENT LOCAL;
create tablespace olts_battrstore datafile 'battrs1_oid.dbf' size 500K reuse autoextend on EXTENT MANAGEMENT LOCAL AUTOALLOCATE;
Perform a 10g (9.0.4) Identity Management-only installation in a separate Oracle home, or on a different computer. (Select Oracle Internet Directory only), specifying the 9.2 database as the metadata repository database.
See Also: Oracle Application Server 10g Installation Guide, Chapter 6, "Installing Oracle Internet Directory Only".
During the installation, the Oracle Internet Directory Configuration Assistant is invoked. It performs a version check on the Oracle Internet Directory schema; if the version is 9.2.0.x, then it upgrades Oracle Internet Directory to 10g (9.0.4). The other configuration tools function as they would when a new installation is performed.
After the installation, the following conditions are in effect:
The Oracle Internet Directory server is running on the non-SSL and SSL ports, as determined by the 10g (9.0.4) installation process. The Oracle Internet Directory ports in use are identified in the <destination_Infra_OH>/config/ias.properties, in the OIDport and OIDsslport properties.
The Oracle Internet Directory superuser and Oracle Internet Directory database schema (ODS) password are set to the same value as the ias_admin password specified during the Identity Management installation.
Set up appropriate access control policies required for the 10g (9.0.4) DAS and middle tier installation to operate with the upgraded Oracle Internet Directory by following the steps below:
Create an ldif (upgrade92.ldif) file with the entry shown below. Each value of the orclaci attribute must be a single line, without any line breaks, or an error will occur.
#--- BEGIN LDIF file contents---
dn: cn=Attribute Configuration, cn=DAS,cn=Products,cn=OracleContext
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=OracleDASConfiguration, cn=Groups,cn=OracleContext" (add,delete,browse) by * (noadd,nodelete)
orclaci: access to attr=(*) by group="cn=OracleDASConfiguration, cn=Groups, cn=OracleContext" (read,write,search,compare) by * (nowrite,nocompare)

dn: cn=Attribute Configuration, cn=DAS,cn=Products,cn=OracleContext,%rlmDN%
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=OracleDASConfiguration, cn=Groups,cn=OracleContext,%rlmDN%" (add,delete,browse) by * (noadd,nodelete)
orclaci: access to attr=(*) by group="cn=OracleDASConfiguration, cn=Groups, cn=OracleContext,%rlmDN%" (read,write,search,compare) by * (nowrite,nocompare)
#---END LDIF file contents------
Replace all occurrences of %rlmDN% in the upgrade92.ldif with the default realm DN. You can determine the default realm DN with the ldapsearch command shown below:
ldapsearch -h <oid host> -p <oid port> -D <OID superuser DN> -w <OID superuser password> -b "cn=common,cn=products,cn=oraclecontext" -s base "objectclass=*" orcldefaultsubscriber
Issue the ldapmodify command below:
<destination_Infra_OH>/bin/ldapmodify -p <oid port> -h <oid host> -D <OID superuser name> -w <OID superuser password> -v -f upgrade92.ldif
Perform the tasks in Section 5.4.1, "Completing the Oracle Internet Directory Upgrade".
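The upgrade92.ldif steps above, as an added shell example that is not part of the Oracle guide: it extracts orcldefaultsubscriber from ldapsearch output, substitutes %rlmDN% literally, and rejects the file if a placeholder remains or an orclaci value has been wrapped or truncated. The function names, the dc=example,dc=com realm and the sample ldapsearch output are constructed; accepting both attr=value and attr: value output lines is an assumption.

```shell
#!/bin/sh
# Added example, not Oracle code: build and check upgrade92.ldif before ldapmodify.

# Print the orcldefaultsubscriber value found in ldapsearch output on stdin.
# Assumption: the attribute is printed as "attr=value" or "attr: value".
extract_realm_dn() {
    awk '{
        line = $0
        if (tolower(line) ~ /^orcldefaultsubscriber[=:]/) {
            sub(/^[^=:]*[=:][ \t]*/, "", line)
            print line
            exit
        }
    }'
}

# fill_realm_dn TEMPLATE REALM_DN OUTPUT
# Literal replacement of every %rlmDN%. The DN travels through the environment
# so that backslashes or "&" inside it are not reinterpreted.
fill_realm_dn() {
    RLM_DN="$2" awk '{
        rest = $0; out = ""
        while ((i = index(rest, "%rlmDN%")) > 0) {
            out = out substr(rest, 1, i - 1) ENVIRON["RLM_DN"]
            rest = substr(rest, i + 7)
        }
        print out rest
    }' "$1" > "$3"
}

# check_ldif FILE: non-zero exit if a placeholder is left, a value was wrapped
# onto a second line, or an orclaci value has unbalanced quotes or parentheses.
check_ldif() {
    awk '
        function bad(msg) { printf "line %d: %s\n", NR, msg > "/dev/stderr"; errs++ }
        /^#/ || /^$/ { next }
        index($0, "%rlmDN%") > 0 { bad("unreplaced %rlmDN% placeholder") }
        /^[ \t]/ { bad("continuation line, a value was wrapped"); next }
        !/^[A-Za-z][A-Za-z0-9;-]*:/ { bad("not an attribute line, a value was wrapped"); next }
        tolower($0) ~ /^orclaci:/ {
            acis++; s = $0
            quotes = gsub(/"/, "&", s)
            opens = gsub(/\(/, "&", s); closes = gsub(/\)/, "&", s)
            if (quotes % 2 != 0 || opens != closes) bad("orclaci value looks truncated")
        }
        END {
            if (acis == 0) { print "no orclaci values found" > "/dev/stderr"; errs++ }
            exit (errs > 0)
        }
    ' "$1"
}

# write_template FILE: the entry from the guide, one orclaci value per line.
write_template() {
    cat > "$1" <<'EOF'
dn: cn=Attribute Configuration, cn=DAS,cn=Products,cn=OracleContext
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=OracleDASConfiguration, cn=Groups,cn=OracleContext" (add,delete,browse) by * (noadd,nodelete)
orclaci: access to attr=(*) by group="cn=OracleDASConfiguration, cn=Groups, cn=OracleContext" (read,write,search,compare) by * (nowrite,nocompare)

dn: cn=Attribute Configuration, cn=DAS,cn=Products,cn=OracleContext,%rlmDN%
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=OracleDASConfiguration, cn=Groups,cn=OracleContext,%rlmDN%" (add,delete,browse) by * (noadd,nodelete)
orclaci: access to attr=(*) by group="cn=OracleDASConfiguration, cn=Groups, cn=OracleContext,%rlmDN%" (read,write,search,compare) by * (nowrite,nocompare)
EOF
}

# End-to-end run on constructed data; nothing is sent to a directory server.
demo_upgrade92() {
    dir=$(mktemp -d) || return 1
    write_template "$dir/upgrade92.tmpl"
    # Constructed stand-in for ldapsearch output. On a real system, pipe the
    # ldapsearch command from the guide into extract_realm_dn instead.
    realm=$(printf '%s\n' 'cn=Common,cn=Products,cn=OracleContext' \
        'orcldefaultsubscriber=dc=example,dc=com' | extract_realm_dn)
    [ -n "$realm" ] &&
        fill_realm_dn "$dir/upgrade92.tmpl" "$realm" "$dir/upgrade92.ldif" &&
        check_ldif "$dir/upgrade92.ldif" &&
        echo "upgrade92.ldif passes the checks for realm $realm"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_upgrade92
```

Run check_ldif on the final file immediately before ldapmodify, since an editor or mail client that re-wraps the long orclaci lines after substitution produces exactly the error the guide warns about.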
This section details the post-upgrade procedures which will complete the Infrastructure upgrade to 10g (9.0.4). It is organized into these sections:
Section 5.4.1, "Completing the Oracle Internet Directory Upgrade"
Section 5.4.2, "Completing the Oracle Application Server Single Sign-On Upgrade"
Section 5.4.3, "Completing the Oracle Application Server Wireless Upgrade"
To complete the Oracle Internet Directory Upgrade, you should reconfigure all associated OracleAS Portal 10g (9.0.4) instances, if applicable, and refresh the Delegated Administration Services (DAS) URL cache. You may also want to execute performance enhancement scripts, and, if applicable, install a new DAS or Directory Integration and Provisioning (DIP) service.
Some Portal versions require that you apply a patch to the Metadata Repository, as explained below:
You are operating Portal version 9.0.2.2.14 (9.0.2 Production in Oracle9iAS 9.0.2.0.1): You must apply Patch 3238095, which corrects problems with registering users and groups in Oracle9iAS Release 2 (9.0.2) Identity Management configuration, and resolves interoperability issues.
You are operating Portal 9.0.2.3 (Oracle9iAS 9.0.2.3): You must apply Patch 2802414 to resolve interoperability issues.
To apply the patches:
Log in to Oracle MetaLink at:
Locate the patch specified for the Portal version you are operating.
Follow the instructions in the patch Readme file.
If there are any OracleAS Portal 10g (9.0.4) instances using the upgraded Oracle Internet Directory server, they should be reconfigured for the Oracle Internet Directory server, as described in Section 4.5.8.2, "Reconfiguring the OracleAS Portal for the Oracle Internet Directory". This step is required to ensure that the OracleAS Portal entries in Oracle Internet Directory are properly updated, and that the correct provisioning events required by Oracle Application Server 10g (9.0.4) are sent to the Portal.
Note: This step is required only for the OracleAS Portal 10g (9.0.4) instances. If there are multiple instances using the upgraded Oracle Internet Directory server, you must repeat this step for each instance.
The URLs for the Delegated Administration Services are different in Oracle9iAS Release 2 (9.0.2) Oracle Internet Directory server and the Oracle Application Server 10g (9.0.4) Oracle Internet Directory server. When the Oracle Internet Directory server is upgraded, these URLs are updated to the correct values. However, OracleAS Portal maintains a cache of these URLs, which does not get upgraded, and is thus inconsistent with the set of URLs in 10g (9.0.4).
The procedure for refreshing the cache is dependent on the version you have. To refresh the cache, follow the steps in one of the sections below.
Follow these steps to refresh the URL cache:
Log in to the Portal as a Portal administrator.
Click the Administer tab.
Click the Global Settings link in the Services portlet.
Click the SSO/OID tab.
Note the values that appear under the section Cache for OID Parameters.
Click the checkbox next to Refresh Cache for OID Parameters.
Click Apply.
Verify that the values displayed under Cache for OID Parameters have changed.
Click OK.
Follow these steps to refresh the URL cache:
Apply the one-off patch 3225970. This patch is available at:
Clear the Web Cache by performing these steps:
Log in to the Portal as a Portal Administrator.
Click the Administer tab.
Click the Global Settings link in the Services portlet.
Click the Cache tab.
Click the checkbox next to Clear the Entire Web Cache.
Click OK.
Clear the middle tier cache by performing these steps:
Navigate to <destination_MT_OH>/Apache/modplsql/cache.
Perform a recursive delete of all files under this directory.
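A guarded way to carry out the recursive delete from a shell, given as an added example and not taken from the Oracle documentation. The function name clear_modplsql_cache is hypothetical; it refuses an empty or relative Oracle home so that an unset variable cannot point the delete at another directory tree.

```shell
#!/bin/sh
# clear_modplsql_cache <destination_MT_OH>   (hypothetical helper name)
# Deletes every file under <destination_MT_OH>/Apache/modplsql/cache and
# leaves the directory tree itself in place.
clear_modplsql_cache() {
    oh=$1
    # An empty or relative value would make "$oh/Apache/..." resolve
    # somewhere other than the middle tier Oracle home.
    case "$oh" in
        /*) ;;
        *)  echo "error: pass the absolute path of the middle tier Oracle home" >&2
            return 2 ;;
    esac
    cache="${oh%/}/Apache/modplsql/cache"
    # Refuse a symbolic link in place of the cache directory: following it
    # would delete files outside the Oracle home.
    if [ -L "$cache" ] || [ ! -d "$cache" ]; then
        echo "error: $cache is not a directory" >&2
        return 3
    fi
    # Remove regular files and symbolic links at any depth. find does not
    # follow symbolic links by default, and -xdev keeps it on one file system.
    find "$cache" -xdev \( -type f -o -type l \) -exec rm -f {} +
    # Succeed only if nothing other than directories is left behind.
    remaining=$(find "$cache" -xdev ! -type d | wc -l | tr -d ' ')
    [ "$remaining" -eq 0 ]
}

# Run as: sh clear_cache.sh /absolute/path/to/destination_MT_OH
if [ $# -gt 0 ]; then
    clear_modplsql_cache "$1"
fi
```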
In 10g (9.0.4), Oracle Internet Directory provides some performance enhancements that Oracle Corporation recommends that you implement after upgrading. The implementation involves running two scripts: oidpu904.sql and catalog.sh, as described below. In the 10g (9.0.4) Oracle home:
Ensure that the ORACLE_HOME environment variable is set to <destination_Infra_OH> and the ORACLE_SID environment variable is set to the infrastructure database SID. If they are not, follow the instructions in Section 4.2.1, "Setting the Environment for Upgrading the Metadata Repository".
Issue this command:
sqlplus ods/<ods password>@<net service name for OID database> @<destination_Infra_OH>/ldap/admin/oidpu904.sql
for example:
sqlplus ods/welcome1@iasdb @<destination_Infra_OH>/ldap/admin/oidpu904.sql
Re-create the index for the orclnormdn attribute by executing the catalog.sh script, which drops and re-creates the catalog for the orclnormdn attribute.
Ensure that the OID server is operating in read-only mode. You can do this with the Oracle Directory Manager.
Issue these commands to re-create the index for the orclnormdn attribute:
<destination_Infra_OH>/ldap/bin/catalog.sh -connect <net service name for OID database> -delete -attr orclnormdn
<destination_Infra_OH>/ldap/bin/catalog.sh -connect <net service name for OID database> -add -attr orclnormdn
Reset the OID server to operate in read-write mode. You can do this with the Oracle Directory Manager.
See Also: Oracle Internet Directory Administrator's Guide, Table C-34, System Operation Attributes (Server Mode field), for instructions on how to make the server operate in read-write mode.
Note: If you had an older version (9.0.2 or 9.2) of DIP operating in a different Oracle home (on a different computer) and using the Oracle Internet Directory you are upgrading now, and you want to continue using the DIP, you must re-register the DIP server. See Oracle Internet Directory Administrator's Guide for instructions on registering the DIP server.
To complete the Oracle Application Server Single Sign-On upgrade, depending on the configuration upgraded, you may need to perform the tasks below.
If the Release 2 (9.0.2) middle tier for the Single Sign-On server had custom configurations (e.g., Oracle HTTP Server configured for SSL, or the Oracle Application Server Single Sign-On server Database Access Descriptor had any custom configuration), then you must re-configure the upgraded 10g (9.0.4) middle tier in a like manner.
See Also: Oracle Application Server Single Sign-On Administrator's Guide, Chapter 9
If the Release 2 (9.0.2) middle tier was configured to authenticate with a user certificate or third party authentication mechanism, then you must re-configure the 10g (9.0.4) OracleAS Single Sign-On server in a like manner.
See Also: Oracle Application Server Single Sign-On Administrator's Guide, Chapter 13
If you have customized the login, password and the sign-off pages in the Release 2 (9.0.2) Single Sign-On server, then you must update those pages with 10g (9.0.4) specifications.
See Also: Oracle Application Server Single Sign-On Administrator's Guide, Chapter 12
Note: You do not need to perform this task if you upgraded from an OracleAS Single Sign-On version of 9.0.2.5 or later.
To avoid ID conflicts while exporting and importing external application data among multiple OracleAS Single Sign-On server instances, external application IDs must be unique. In the Release 2 (9.0.2) release, external application IDs were sequential, and not unique across instances. If you are upgrading from Release 2 (9.0.2) directly to 10g (9.0.4), then you must convert existing short external application IDs to the longer format in the OracleAS Single Sign-On schema. Follow the steps below to convert the IDs:
Execute the orasso script from the OracleAS Single Sign-On schema directory using these commands:
sqlplus orasso/<password>
spool extappid.log
@?/sso/admin/plsql/sso/ssoupeid.sql
spool off
If you have OracleAS Portal versions that are lower than 9.0.2.6 and that use the upgraded OracleAS Single Sign-On server, then you must apply patches to each instance according to the table below. Patches are available at:
If you are using Oracle Internet Directory replication and want to also use OracleAS Single Sign-On replication, add the upgraded 10g (9.0.4) tables in the replication group along with 9.0.4 OID. Follow the steps below to add OracleAS Single Sign-On tables for replication:
Stop the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.
On the Master Directory replica, in $ORACLE_HOME/ldap/admin, issue the following command:
sqlplus repadmin/<password>@<mds connect id> @oidrssou.sql
Start the Oracle Internet Directory replication server on all replicas of the Directory Replication Group.
See Also: Oracle Internet Directory Administrator's Guide, Chapter 25, Managing Directory Replication
If the Release 2 (9.0.2) OracleAS Single Sign-On server was using a middle tier other than the default mid-tier installation along with the OracleAS Single Sign-On server, then you must configure that middle tier to point to the upgraded OracleAS Single Sign-On server. For example, if there was a reverse proxy configured in the Release 2 (9.0.2) OracleAS Single Sign-On server middle tier, then you must configure it on the 10g (9.0.4) OracleAS Single Sign-On server middle tier.
If you want to use wireless voice authentication with the 10g (9.0.4) OracleAS Single Sign-On server, and it doesn’t work, verify that the OracleAS Single Sign-On server entry is a member of the Verifier Services Group in Oracle Internet Directory (cn=verifierServices,cn=Groups,cn=OracleContext). This is a requirement for the wireless voice authentication feature. Follow the steps below to verify membership:
Issue the following command:
ldapsearch -h <host> -p <port> -D cn=orcladmin -w <password> -b "cn=verifierServices,cn=Groups,cn=OracleContext" "objectclass=*"
The OracleAS Single Sign-On server is a member of the Verifier Services Group if it is listed as a uniquemember in the entry, as shown in Example 5-1.
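The membership check can be scripted by reading the ldapsearch output and comparing each uniquemember value with the DN of the OracleAS Single Sign-On server entry. This is an added example, not part of the Oracle documentation: the function names, the sample output and the DNs in it are constructed placeholders, and the parser assumes the output uses either attribute=value or attribute: value lines.

```shell
#!/bin/sh
# is_verifier_member <sso_server_dn>   (hypothetical helper name)
# Reads the ldapsearch output for cn=verifierServices,cn=Groups,cn=OracleContext
# on stdin. Exit status 0 means <sso_server_dn> is listed as a uniquemember.
is_verifier_member() {
    [ -n "$1" ] || return 2
    awk -v want="$1" '
        # Simplified DN comparison: case-insensitive, and spaces around
        # "," and "=" are ignored.
        function norm(dn) {
            dn = tolower(dn)
            gsub(/[ \t]*,[ \t]*/, ",", dn)
            gsub(/[ \t]*=[ \t]*/, "=", dn)
            sub(/^[ \t]+/, "", dn)
            sub(/[ \t\r]+$/, "", dn)
            return dn
        }
        # Test one logical line: is it a uniquemember value equal to want?
        function check(line) {
            if (match(tolower(line), /^uniquemember[ \t]*[:=][ \t]*/) &&
                norm(substr(line, RLENGTH + 1)) == want)
                found = 1
        }
        BEGIN { want = norm(want); found = 0; buf = "" }
        /^ / { buf = buf substr($0, 2); next }   # folded LDIF line: join it
        { check(buf); buf = $0 }
        END { check(buf); exit(found ? 0 : 1) }
    '
}

# Constructed sample output (placeholder DNs). It mixes both line forms and
# one folded line so that every branch of the parser is exercised.
sample_output() {
    cat <<'EOF'
cn=verifierServices,cn=Groups,cn=OracleContext
objectclass=top
objectclass=groupofuniquenames
uniquemember=cn=EXAMPLE_SSO_SERVER, cn=Example, cn=OracleContext
uniquemember: cn=EXAMPLE_LDIF_APP,cn=Exam
 ple,cn=OracleContext
EOF
}

# In practice, pipe the real ldapsearch command into is_verifier_member.
if sample_output | is_verifier_member "cn=EXAMPLE_SSO_SERVER,cn=Example,cn=OracleContext"; then
    echo "listed as uniquemember"
else
    echo "not listed as uniquemember"
fi
```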
If you did not select any languages during the OracleAS Single Sign-On upgrade, or you want to install additional languages after the upgrade, you can install the necessary languages by following the steps below.
Copy the necessary language files from the Repository Creation Assistant CD-ROM Oracle home to the OracleAS Single Sign-On server Oracle home:
cp <repCA_CD>/portal/admin/plsql/nlsres/ctl/<lang>/*.* <destination_Infra_OH>/sso/nlsres/ctl/<lang>/
where <lang> is the language code. For example, the language code for Japanese is ja.
Load the languages into the server.
See Also: Oracle Application Server Single Sign-On Administrator's Guide, Chapter 2, "Configuring Globalization Support" section.
After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g (9.0.4), the OracleAS Single Sign-On schemas are relocated in the Oracle Internet Directory database. OracleAS Portal keeps a database link reference to the OracleAS Single Sign-On server password store schema ORASSO_PS. This link reference must be updated. To do this, re-register the corresponding OracleAS Portal with the upgraded OracleAS Single Sign-On server.
See Also: Oracle Application Server Portal Configuration Guide, Appendix B.
After performing a distributed Identity Management upgrade (depicted in Figure 5-2 and Figure 5-3) from Oracle9iAS Release 2 (9.0.2) to Oracle Application Server 10g (9.0.4), you may need to re-register mod_osso in order for an Oracle9iAS Release 2 (9.0.2) middle tier to operate with the upgraded OracleAS Single Sign-On server. You will need to do this if the Oracle HTTP Server host and port information for mod_osso was changed. Before re-registering mod_osso, you must first set the value of the ColocatedDBCommonName attribute in the <source_MT_OH>/config/ias.properties file to the global database name of the new OracleAS Single Sign-On server database shared with Oracle Internet Directory (for example, iasdb.host.mydomain).
If you upgraded an Identity Management configuration that was in use by Oracle9iAS Discoverer Release 2 (9.0.2), and you want to continue operating Oracle9iAS Discoverer Release 2 (9.0.2) with the upgraded Identity Management, then you must change the value of the ColocatedDBCommonName attribute in the <source_MT_OH>/config/ias.properties file. The value must be changed to the global database name of the database used by the upgraded Oracle Internet Directory (e.g., iasdb.oid_host_name.domain).
This section describes the tasks you must perform in order to complete the Oracle Application Server Wireless upgrade.
In Oracle Application Server Wireless Release 2 (9.0.2), user account numbers and PINs for wireless voice authentication were stored in the Wireless repository.
In Oracle Application Server Wireless 10g (9.0.4), new attributes are added in the object definition of the orcluserV2 object class of Oracle Internet Directory to store the account number and PIN. As part of the Oracle Application Server Wireless upgrade from Release 2 (9.0.2) to 10g (9.0.4), user account numbers and PINs must be transferred from the Wireless repository to Oracle Internet Directory.
This upgrade step can be performed only after the Oracle Application Server Infrastructure and all middle tiers are upgraded to 10g (9.0.4). If it is not performed, the Oracle Application Server Wireless server will continue to authenticate voice devices locally (without Oracle Application Server Single Sign-On).
To upgrade the account numbers and PINs:
Issue the command:
<destination_MT_OH>/wireless/bin/migrate902VoiceAttrsToOID.sh <destination_MT_OH> <ldapmodify location> <user dn> <password> <ldif file location> <log file>
where:
<ldapmodify location> is the location of the ldapmodify utility (usually <destination_MT_OH>/bin)
<user dn> is the DN of the Oracle Internet Directory administrator user
<password> is the password of the Oracle Internet Directory administrator user
<ldif file location> is the absolute path to the ldif (Lightweight Directory Interchange Format) file. This file contains user account numbers and PINs and is uploaded to Oracle Internet Directory by the ldapmodify utility. This temporary file may be removed after the user upgrade procedure has been completed successfully.
<log file> is the absolute path to the log file
Example:
migrate902VoiceAttrsToOID.sh /private/ias904/ /private/ias904/bin/ldapmodify cn=orcladmin welcome1 /private/ias904/users.ldif /private/ias904/users.log
In 10g (9.0.4), Oracle Internet Directory does not automatically set unique constraints on any user attributes. Wireless voice authentication will not function properly unless a unique constraint is set on the orclWirelessAccountNumber attribute of the orclUserV2 object class.
Set the unique constraint by performing the steps below after the middle tier and infrastructure upgrades are complete.
Execute <destination_MT_OH>/wireless/bin/addAccountNumberUniqueConstraint.sh. The script takes one argument, the full path to the Oracle home. For example:
addAccountNumberUniqueConstraint.sh <destination_MT_OH>
Restart the Oracle Internet Directory server.
When Oracle Application Server Wireless 10g (9.0.4) is installed against an Oracle9iAS Release 2 (9.0.2) infrastructure, a number of triggers are automatically installed to ensure that both Oracle9iAS Wireless Release 2 (9.0.2) and Oracle Application Server Wireless 10g (9.0.4) middle tiers can function correctly. Once all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers and the infrastructure tier have been upgraded to Oracle Application Server Wireless 10g (9.0.4), you must execute the following script to disable any upgrade-related triggers.
disable902-904_trg.sh
This script is located in the <destination_MT_OH>/wireless/bin directory. You must set the ORACLE_HOME environment variable before you execute the script.
When Oracle Application Server Wireless 10g (9.0.4) is installed against an Oracle9iAS Release 2 (9.0.2) Infrastructure, a number of features are disabled by default, as they are not compatible with existing Oracle9iAS Wireless Release 2 (9.0.2) middle tiers that are installed against the same Infrastructure. After all Oracle9iAS Wireless Release 2 (9.0.2) middle tiers have been upgraded to Oracle Application Server Wireless 10g (9.0.4), you can manually enable these features. Once you have enabled these features, the Oracle9iAS Wireless Release 2 (9.0.2) middle tiers will no longer function correctly.
Enable the Oracle Application Server Wireless 10g (9.0.4) features by executing the following script from any of the Oracle Application Server Wireless 10g (9.0.4) middle tiers, using the command below. This script is in the <destination_MT_OH>/wireless/bin directory.
upload.sh ../repository/xml/activate-9040.xml -l <wireless user name>/<password>
where:
<wireless user name> is the name of the Oracle Application Server Wireless user
<password> is the password of the Oracle Internet Administrator
For example:
upload.sh ../repository/xml/activate-9040.xml -l orcladmin/welcome1
In Oracle Application Server 10g (9.0.4), by default, the OracleAS Wireless application entity does not have the privileges to change the user password. Consequently, upon installation, users cannot change the password to the OracleAS Wireless server. However, you can enable functionality to change passwords by assigning the UserSecurityAdmins privilege to the OracleAS Wireless application entity.
To do this, execute the script <destination_MT_OH>/wireless/bin/assignUserSecurityAdminsPrivilege.sh.
The syntax is:
assignUserSecurityAdminsPrivilege.sh <oid super user dn> <user password>
where:
<oid super user dn> is the Distinguished Name of the Oracle Internet Directory super user. This user should have privileges to grant UserSecurityAdmins privileges to application entities.
<user password> is the password of the Oracle Internet Directory super user.
For example:
assignUserSecurityAdminsPrivilege.sh cn=orcladmin welcome1
When you use the HTTP adapter to build Wireless services, one of the service parameters that you must specify is the URL to a back-end application. In some cases, you may send some query parameters to the back-end application. There are two ways to do this from OracleAS Wireless, shown in Example 5-2 and Example 5-3. In Example 5-2, the parameter name is fn and the value is Joe.
The query parameter is sent only in the request for the first page of that service. If there is a link from the first page to some other pages, then the parameter is not added to the request for those pages.
Instead of modifying the URL, you add an extra service parameter with name fn and value Joe. The parameter is sent to all pages, not just the first one. The parameter is also sent with all HTTP redirect requests. However, this method also sends extra URL parameters to the OracleAS Single Sign-On server, which causes the server to return an error.
The error occurs when the back-end application is protected by mod_osso. In that case, the request to that application is intercepted and redirected to the Oracle SSO server for user authentication. The OracleAS Single Sign-On server has restrictive rules concerning query parameters that can be sent to it. Consequently, for back-end applications protected by mod_osso, you must change the Wireless service and add the query parameter to the URL as shown in Example 5-2.
After you complete the Identity Management upgrade, you will probably want to consider relocating the database files to a location outside of the source Oracle home. Even after the Identity Management upgrade is complete, the database files still remain in the source Oracle home. If you decide to deinstall the source Oracle home, these database files will still remain there unless you take steps to relocate them. It is a good idea to relocate the files as a safeguard against inadvertently deleting them (for example, by deleting the entire source Oracle home directory tree). In addition, there may be performance benefits to moving the database files outside of the source Oracle home.
After the database files have been relocated and the software in the source Oracle home has been deinstalled, then you may safely delete the entire source Oracle home directory tree.
This procedure is intended to be performed by a database administrator, and is described in greater detail in the Oracle9i Database Administrator’s Guide.
If you have relocated the Release 2 (9.0.2) files, you may wish to delete the old Oracle home. To do this, deinstall the Release 2 (9.0.2) infrastructure instance in the source Oracle home using the same version of Oracle Universal Installer that was used to install it, or a later version, and then delete all files from <source_Infra_OH>.
Deinstalling an Oracle9iAS Release 2 (9.0.2) or (9.0.3) instance when there is also an OracleAS 10g (9.0.4) instance on the computer requires a patch. Before you deinstall such an instance, be aware of the issues associated with this deinstallation that may apply to your configuration.
Follow these steps to relocate data, control, and log files.
Create a directory for the relocated files in a location that is separate from the source Infrastructure Oracle home.
Copy all data files to the directory created in Step 1.
See Also: Oracle9i Database Administrator’s Guide, section titled "Renaming and Relocating Datafiles"
Copy all log files to the directory created in Step 1.
See Also: Oracle9i Database Administrator’s Guide, section titled "Renaming and Relocating Datafiles"
Relocate all control files to the directory created in Step 1.
See Also: Oracle9i Database Administrator’s Guide, section titled "Creating Additional Copies, Renaming, and Relocating Control Files"
This section describes the steps you must perform after the Identity Management Upgrade to ensure that the upgrade was successful.
You must run the utlrp.sql utility as a post-installation step. This PL/SQL procedure recompiles all PL/SQL packages that may have been invalidated during the upgrade to 10g (9.0.4). To run this utility, do the following:
Ensure that the upgraded Metadata Repository database is running.
Ensure that the ORACLE_HOME environment variable is set to <Infra_OH> and the ORACLE_SID environment variable is set to the Infrastructure database SID. If they are not, follow the instructions in Section 4.2.1, "Setting the Environment for Upgrading the Metadata Repository".
Connect to the database in the destination Infrastructure Oracle home as SYS as SYSDBA in single user mode.
Issue the following command at the SQL*Plus prompt:
@?/rdbms/admin/utlrp.sql
Follow these steps to ensure that none of the database objects that are required by Oracle Application Server are invalid:
Connect to the database in the destination Infrastructure Oracle home as SYSDBA.
Issue the following command:
SELECT owner, object_type, object_name
FROM all_objects
WHERE status='INVALID';
The query should not return any database objects that have an Oracle Application Server component schema (such as PORTAL, WIRELESS, etc.) in the 'owner' column.
After the Identity Management upgrade is complete, log in to Oracle Application Server Single Sign-On as user ORCLADMIN. A successful login indicates that Oracle Application Server Single Sign-On and Oracle Internet Directory are functioning after the Identity Management upgrade.
In a browser, access the Oracle Enterprise Manager in the destination Infrastructure Oracle home by entering its URL. Ensure that you provide the correct host name and port number. For example:
http://infrahost.mycompany.com:1812
The Oracle Enterprise Manager page displays, with the Oracle Application Server 10g (9.0.4) Identity Management instance in the Standalone Instances section.
Click the link for the Identity Management instance.
The System Components page appears.
Verify that the status of the Oracle HTTP Server, Oracle Internet Directory, and Oracle Application Server Single Sign-On components is Up.
In the browser, access the ORASSO page by entering its URL. Ensure that you enter the correct host name and port number for the upgraded Oracle HTTP Server. For example:
http://infrahost.mycompany.com:7777/pls/orasso/ORASSO.home
The ORASSO page appears.
Click the Login link (in the upper right corner of the page).
A page appears with User Name and Password fields.
Enter ORCLADMIN in the User Name field, and the password you have selected for ORCLADMIN in the Password field.
Click Login.
The Oracle Application Server Single Sign-On Server Administration page appears, thus validating the basic operation of the upgraded Identity Management components (Oracle Application Server Single Sign-On and Oracle Internet Directory).