5 Performing an Out-of-Place Upgrade of Oracle Identity Manager

The starting points for an out-of-place upgrade to Oracle Identity Manager 14c (14.1.2.1.0) is Oracle Identity Manager 12c (12.2.1.4.0).

To prepare for the upgrade of Oracle Identity Manager, verify that your system meets the basic requirements discussed in Pre-Upgrade Assessments.

This chapter includes the following topics:

Pre-Upgrade Assessments

Before starting the out-of-place upgrade of Oracle Identity Manager, you must check the cross-product interoperability and compatibility, system requirements, and certification requirements.

Install the 14c (14.1.2.1.0) version of Oracle Identity Governance as per your requirements (large, medium, or small deployment) on new hardware.

For installation instructions, see Installing and Configuring the Oracle Identity Governance Software. You must configure the new system by integrating components, as necessary.

The pre-upgrade check includes reviewing the current OIM environment (depending on the starting point) before starting the upgrade to OIM 14c (14.1.2.1.0), and then creating a list of features or components currently being used, such as OIM workflows, connectors, provisioning, targets, workflow policies, and admin roles/capabilities.

For more information, see Pre-Upgrade Requirements.

Migrating Entities from 12c to 14c

After you have installed the OIG 14c (14.1.2.1.0) environment as per your requirements, migrate the following entities from 12c to 14c environment:

Organizations

The following options are available to migrate Organization records:

Option 1- Organization Bulk Load Utility

This option involves creating a source database table or a CSV file that contains the data you want to migrate.

For more information on using CSV files or creating database tables, see Creating the Input Source for the Bulk Load Operation in Developing and Customizing Applications for Oracle Identity Governance.

Option 2- Export And Import Feature In Sysadmin Console

After you have created your source data, you need to import the source data into the new 14c target system. For more information, see Migrating Incrementally Using the Deployment Manager.

Connectors

You should review the latest version of the connector available and use Application on Boarding (AoB) to create such connectors.

A new installation enables you to upgrade your targets to newer versions that are certified with 14c connectors.

Note:

After the server upgrade, data from the $MW_HOME/idm/server/ConnectorDefaultDirectory will NOT be copied from 12c (12.2.1.4.0) MW_HOME to 14c (14.1.2.1.0) MW_HOME. It should be manually copied or required connectors should be downloaded. You can export or import existing user data as long as those connectors are supported in the 14.1.2.1.0 OIM server.

For more information, see Oracle Identity Governance Connectors documentation.

For downloading connectors, see the Oracle Identity Governance Connector Downloads page.

For certification information for Oracle Identity Manager Connectors, see Oracle Identity Governance Connectors Certification.

Note:

If the connectors installed have no 14c version, you must check the certification, and then upgrade the existing connector to make it compatible with OIG 14c.

Accounts

After you set up the connectors as applications, you should start loading the account data from the target systems.

Note:

Target systems are applications such as database, LDAP, and so on, which OIM connects to using the OIM connectors.

Following options are available to load your accounts:

  • Option 1: If the target system has account data, you can bulk load the account details (or data) by using the Bulk Load Utility. See Loading Account Data in Developing and Customizing Applications for Oracle Identity Governance guide.

  • Option 2: You can load the target system account data into the new environment by using connector the reconciliation jobs.

  • Option 3: You can use a flat file to load the data, similar to bulk load but using AoB directly. See Configuring Flat Files in Performing Self Service Tasks with Oracle Identity Governance.

Roles (Role, Role Membership, and Categories)

You can use the OIM Bulk Load Utility to import roles, role membership, and categories from a table or a CSV file. Export the relevant data files from the source OIM database.

For information on how to export and import this data, see Loading Role, Role Hierarchy, Role Membership, and Role Category Data in Developing and Customizing Applications for Oracle Identity Governance.

User Records

Following options are available to migrate user records from current OIM 12c environment to 14c:

  • Option 1 - User Bulk Load Utility

    This option includes exporting the user records to a table or a CSV file that will act as a source. See Loading OIM User Data in Developing and Customizing Applications for Oracle Identity Governance guide.

  • Option 2 - Trusted Recon of Users from 12c to 14c

    This option includes using the Database User Management (DBUM) connector or a flat file connector to migrate the user records.

  • Option 3 - Data Load Using Flat Files

    If the trusted source is an AoB application, this option includes loading data using flat files in AoB directly. See Configuring Flat Files in Performing Self Service Tasks with Oracle Identity Governance.

Note:

You cannot migrate user passwords by using the above options. You can set up SSO or LDAP as an authentication provider.

User Customizations

If you have added the custom User Defined Fields (UDF) in 12c, then you must create those UDFs in 14c as well.

WARNING:

Oracle does not support UDF migration (Deployment Manager and ADF Sandboxes).

Note:

To check if import or export from 12c to 14c works, export the user metadata from the 12c environment and import it to 14c, get the corresponding ADF sandbox, and then import it to 14c.

Others

You can also migrate the following items from your 12c environment to the 14c environment by using the Export/Import option in the System Administration console:

  • Access policies
  • Admin roles
  • Application instances
  • Approval policies
  • Catalog UDFs
  • Certification configurations
  • Certification definitions
  • Custom resource bundles
  • E-mail definitions
  • Error codes
  • Event handlers
  • Identity Audit configuration
  • Identity Audit rules
  • Identity Audit scan definitions
  • IT resource definition
  • IT resources
  • JAR files
  • Lookup definitions
  • Notification templates
  • Organization metadata
  • Organizations
  • Password policies
  • Policies
  • Plug-ins
  • Prepopulation adapters
  • Process definitions
  • Process forms
  • Provisioning workflows and process task adapters
  • Request datasets
  • Resource objects
  • Risk configuration
  • Role metadata
  • Roles
  • Scheduled jobs
  • Scheduled tasks
  • System properties
  • User metadata

For more information, see Moving from a Test to a Production Environment and Using the Movement Scripts in the Fusion Middleware Administrator's Guide.

Post Upgrade Steps

As part of the post upgrade steps, you should follow the tuning guidelines and complete the sanity test.

Tuning Considerations

Follow the performance tuning guidelines provided in the tuning documentation. See Oracle Identity Governance Performance Tuning.

Also, you should check the existing 12c system for custom indexes and create them in the 14c system.

Performing a Sanity Test

Perform a sanity test to ensure that the software and processes have been successfully upgraded and the system performs as expected. See Tab 5 of Doc ID 2667893.2.

Reinstalling the ADF DI Excel Plug-in

After you upgrade Oracle Identity Manager to 14c (14.1.2.1.0), uninstall and reinstall the ADF DI Excel plug-in, and then re-download the Excel.

Defining System Properties for Legacy Connectors

As part of post-upgrade tasks, for legacy connectors such as Resource Access Control Facility (RACF) that use the tcITResourceInstanceOperationsBean.getITResourceInstanceParameters method, you should create the following two system properties and update their values to True:
  • Service Account Encrypted Parameter Value
  • Service Account Parameters Value Store

For more information about these system properties, see Table 18-2 of section Non-Default System Properties in Oracle Identity Governance in Administering Oracle Identity Governance.

Oracle recommends creating these system properties only if a legacy connector or an old custom code requires the legacy behavior.

Increasing the Maximum Message Size for WebLogic Server Session Replication

Oracle recommends you to modify the Maximum Message Size from the default value of 10 MB to 100 MB. This value is used to replicate the session data across the nodes. You should perform this step for all the Managed servers and the Administration server.

  1. Log in to the WebLogic Server Administration Console.
  2. Navigate to Servers, select Protocols, and then click General.
  3. Set the value of Maximum Message Size to 100 MB.

Increasing the maxdepth Value in setDomainEnv.sh

The recommended value for the maxdepth parameter is 250. To update this value:
  1. Open the $DOMAIN_HOME/bin/setDomainEnv.sh file in a text editor.
  2. Locate the following code block:
    ALT_TYPES_DIR="${OIM_ORACLE_HOME}/server/loginmodule/wls,${OAM_ORACLE_HOME}/a
gent/modules/oracle.oam.wlsagent_11.1.1,${ALT_TYPES_DIR}"
export ALT_TYPES_DIR
CLASS_CACHE="true"
export CLASS_CACHE
  3. Add the following lines at the end of the above code block:
    JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.oif.serialFilter=maxdepth=250"
export JAVA_OPTIONS
  4. Save and close the setDomainEnv.sh file.