You can upgrade the OAM environment by installing the Oracle Identity and Access Management and Oracle Fusion Middleware Infrastructure 14c (14.1.2.1.0) software, applying the latest bundle patch, and copying the required files.

1. Shut down all of the pre-upgrade processes and servers, including the Administration Server, any Managed Servers, and Node Manager. For more information, see Stopping Servers and Processes in Upgrading Oracle Identity and Access Management.
2. Back up and rename the 12.2.1.3.0 OAM Oracle home (ORACLE_HOME).

   An Oracle home consists of product homes, such as the WebLogic Server home, an Oracle Common home ( Contain the OAM binaries), and the user_projects directories (Contains Oracle WebLogic Server domains).

   Example:

   /u01/app/fmw/ORACLE_HOME_old

3. Complete the pre-upgrade tasks, as described in Pre-Upgrade Requirements in Upgrading Oracle Identity and Access Management.
4. Install the 14c (14.1.2.1.0) OAM binaries in the existing 12c (12.2.1.3.0) OAM Oracle home (/u01/app/fmw/ORACLE_HOME) using:
   • Oracle Fusion Middleware Infrastructure (fmw_12.2.1.4.0_infrastructure.jar)
   • Oracle Identity and Access Management (fmw_12.2.1.4.0_idm.jar)

   For more information about installing the Oracle Access Manager, see Installing Product Distributions in Upgrading Oracle Identity and Access Management.

   Note:

   OAM 14.1.2.1.0 requires Java Development Kit (JDK) 1.8.0_211 and later. You must update the JDK, as described in About Updating the JDK Location After Installing an Oracle Fusion Middleware Product in Upgrading Oracle Identity and Access Management.
5. Copy the user_projects folder from the backup of 12.2.1.3.0 OAM Oracle home (/u01/app/fmw/ORACLE_HOME_old/user_projects/) to the 14.1.2.1.0 OAM Oracle home (/u01/app/fmw/ORACLE_HOME).

   Note:

   Perform the above step, if your existing 12.2.1.3.0 DOMAIN_HOME reside within the 12.2.1.3.0 Oracle home directory.
6. Run OPatch to apply the OAM bundle patch 12.2.1.4.200327 or the latest bundle patch available for your release.
   See Applying the Bundle Patch in the Oracle Access Management Bundle Patch Readme.
7. Start the Administration Server and the OAM Managed Server, as described in Starting the Servers in Installing and Configuring Oracle Identity and Access Management.

You can upgrade the OIG environment by installing the required 14c (14.1.2.1.0) software, applying the bundle patch, and running the Upgrade Assistant to upgrade product schemas and domain component configurations.

1. Run the pre-upgrade report utility before you begin the upgrade process for Oracle Identity Manager. For more information about the pre-upgrade report utility, see Generating and Analysing Pre-Upgrade Report for Oracle Identity Manager in Upgrading Oracle Identity and Access Management.
2. Complete the tasks described in Completing the Pre-Upgrade Tasks for Oracle Identity Manager in Upgrading Oracle Identity and Access Management.
3. Shut down all of the pre-upgrade processes and servers, including the Administration Server, any Managed Servers, and Node Manager.

   See Stopping Servers and Processes in Upgrading Oracle Identity and Access Management.

4. Back up and rename the 12.2.1.3.0 OIG Oracle home (ORACLE_HOME).

   Example:

   /u01/app/fmw/ORACLE_HOME_old

5. Install the 14c (14.1.2.1.0) OIG binaries in the existing 12c (12.2.1.3.0) OIG Oracle home (/u01/app/fmw/ORACLE_HOME) using the generic Installer or the quickstart Installer.

   If you are using the generic installer, then obtain the following distributions:

   • Oracle Fusion Middleware Infrastructure (fmw_14.1.2.1.0_infrastructure.jar)
   • Oracle SOA Suite (fmw_14.1.2.1.0_soa_generic.jar)
   • Oracle Identity and Access Management (fmw_14.1.2.1.0_idm.jar)

   If you are using quickstart installer to install all the software in one go, obtain the following distributions:

   • fmw_14.1.2.1.0_idmquickstart_generic.jar

   Note:

   It is recommended that you use the simplified installation process to install the product, using the quickstart installer.

   For more information, see Installing Oracle Identity Governance Using Quickstart Installer in Installing and Configuring Oracle Identity and Access Management.

6. Copy the user_projects folder from the backup of 12.2.1.3.0 Oracle home (/u01/app/fmw/ORACLE_HOME_old/user_projects/) to the 14.1.2.1.0 Oracle home (/u01/app/fmw/ORACLE_HOME).

   Note:

   Perform the above step, if your existing 12.2.1.3.0 DOMAIN_HOME reside within the 12.2.1.3.0 Oracle home directory.
7. Run OPatch to apply the OIM bundle patch 12.2.1.4.200505 or the latest bundle patch available for your release, as described in Patching the Oracle Binaries (OPatch Stage) in Oracle Identity Governance Bundle Patch Readme.

   Note:

   Do not start the OIG servers after applying the bundle patch.
8. Update the latest JDK version in the domain home. See Updating the JDK location in Upgrading Oracle Identity and Access Management.
9. Run a readiness check before you start the upgrade process. See Running a Pre-Upgrade Readiness Check in Upgrading Oracle Identity and Access Management.
10. Tune the Database parameters for Oracle Identity Manager. See Tuning Database Parameters for Oracle Identity Manager in Upgrading Oracle Identity and Access Management.
11. Run the Upgrade Assistant from the 14c ( 14.1.2.1.0) Oracle home to upgrade product schemas, as described in Upgrading Product Schemas in Upgrading Oracle Identity and Access Management.

    Note:

    Ensure that you select All Schemas Used by a Domain in the Selected Schemas screen.
12. Run the Upgrade Assistant from the 14c ( 14.1.2.1.0) Oracle home to upgrade domain component configurations, as described in Upgrading Domain Component Configurations in Upgrading Oracle Identity and Access Management.
13. Start the WebLogic Admin Server, SOA Managed Servers, and Oracle Identity Governance Managed Server. For more information about starting the servers, see Starting the Servers in Installing and Configuring Oracle Identity and Access Management.

    Note:

    When you start the Oracle Identity Governance server, the bootstrap report is generated at DOMAIN_HOME/servers/oim_server1/logs/BootStrapReportPreStart.html. For more information about the bootstrap report, see Analyzing the Bootstrap Report in Installing and Configuring Oracle Identity and Access Management.
14. Open the patch_oim_wls.profile file (Located in the ORACLE_HOME/idm/server/bin/ directory) in a text editor, and change the values in the file to match your environment.

    See Filling in the patch_oim_wls.profile File in Oracle Identity Governance Bundle Patch Readme.

15. Patch the OIG Managed Servers on WebLogic by performing the following steps:

    1. Set the following environment variables:

       UNIX

       setenv PATH $JAVA_HOME/bin:$PATH

       Windows

       set JAVA_HOME=VALUE_OF_JAVA_HOME
       set ANT_HOME=\PATH_TO_ANT_DIRECTORY\ant
       set ORACLE_HOME=%MW_HOME%\idm

       Note:

       Make sure to set the reference to JDK binaries in your PATH before running the patch_oim_wls.sh (UNIX) or patch_oim_wls.bat (Microsoft Windows) script. This JAVA_HOME must be of the same version that is being used to run the WebLogic servers. The JAVA_HOME version from /usr/bin/ or the default is usually old and must be avoided. You can verify the version by running the following command:

    2. Execute patch_oim_wls.sh (UNIX) or patch_oim_wls.bat (Microsoft Windows) to apply the configuration changes to the Oracle Identity Governance server.

    3. Delete the following directory in domain home:

       DOMAIN_HOME//servers/oim_server1/tmp/_WL_user/oracle.iam.console.identity.self-service.ear_V2.0

       Here, oim_server1 is the weblogic manged server used for OIG.

    4. To verify that the patch_oim_wls script has completed successfully, check the ORACLE_HOME/idm/server/bin/patch_oim_wls.log log file.

16. Restart the Administration Server, Oracle SOA Suite Managed Server, and the OIG Managed Server. See Starting the Servers in the Upgrading Oracle Identity and Access Management.

    Note:

    Depending on your OIG environment, you may need to perform additional post-upgrade task. See Post-Upgrade Task in Upgrading Oracle Identity and Access Management.

1. Upgrade your existing 11g Release 2 (11.1.2.3.0) integrated environment to Oracle Identity and Access Management 12c (12.2.1.3.0).

   See:

   • Introduction to Upgrading Oracle Access Manager to 12c (12.2.1.3.0) in in Upgrading Oracle Access Manager.
   • Introduction to Upgrading Oracle Identity Manager to 12c (12.2.1.3.0) in Upgrading Oracle Identity Manager.
2. After upgrading the integrated environment to OAM-OIM 12c (12.2.1.3.0), perform the following:
   1. If you have an existing Oracle Internet Directory 11g connector or Microsoft Active Directory User Management (AD User Management) 11g connector deployed for provisioning and reconciliation then you can use the same connectors for Single sign-on (SSO). To do so, you must upgrade the connectors to 12.2.1.3.0.

      For more information about the upgrade, see the following:

      • Upgrading the Oracle Internet Directory Connector in the Configuring the Oracle Internet Directory Application.
      • Upgrading the Microsoft Active Directory User Management Connector in the Configuring the Microsoft Active Directory User Management Application.
   2. If any self-registration request is in pending state, then you must approve all pending requests using the Oracle Identity Self Service Interface.

      See Managing Pending Approvals in the Performing Self Service Tasks with Oracle Identity Governance.

3. Upgrade the OAM-OIM 12c (12.2.1.3.0) integrated environment that you have upgraded from 11g Release 2 (11.1.2.3.0) to 14c (14.1.2.1.0), as described in Upgrading an OAM-OIM Integrated Environment from a Previous 12c Release.

You can configuring the Oracle HTTP Server to front-end resources on OIG.

Configure the Oracle HTTP Server for the integrated environment, by completing the following steps:

1. Configure the Oracle HTTP Server WebGate for Oracle Access Management, as described in the section Installing Oracle HTTP Server and Configuring the Oracle HTTP Server WebGate

2. Populating the Oracle HTTP Server rules, as described in the section Populating OHS Rules Using Automated Script

3. If you have upgraded your 11g release or previous 12c release to the 14c (14.1.2.1.0) release then do the following:

   1. Open a text editor and compare the older oim.conf file from your previous release with the new oim.conf file that you generated by running the OIGOAMIntegration.sh script.

   2. Add any missing parameters from the older oim.conf file to the new oim.conf file.

   3. Save the file when done.

   4. Restart OHS Server.

Before you begin to migrate from a LDAP synchronization integrated environment to a connector-based integrated environment, you must complete the prerequisites such as setting the environment variables, updating the datasource, and downloading the connector bundle.

1. Back up all system-critical files, including the databases that host your Oracle Fusion Middleware 14.1.2.1.0 schemas. For more information, see Creating a Complete Backup in Upgrading Oracle Identity and Access Management.

   Note:

   If any step in the migration from a LDAP synchronization integrated environment to a connector-based integrated environment process fails, restore the environment to its original state using the backup files you created.
2. Before running the OIGOAMIntegration.sh script to enable connector-based integrated environment, do the following:
   1. Set the environment variables to the full path of the 14.1.2.1.0 OIG Oracle home, as shown in the following example:

      export ORACLE_HOME=/u01/Oracle_Home
      export MW_HOME=/u01/Oracle_Home
      export OIM_ORACLE_HOME=/u01/Oracle_Home/idm/
      export WL_HOME=/u01/Oracle_Home/wlserver
      export JAVA_HOME=<<Java Home location>>

   2. On UNIX, provide the executable permission for the OIGOAMIntegration.sh script in the 14.1.2.1.0 OIG Oracle home directory (Located at ORACLE_HOME/idm/server/ssointg/bin):

      chmod 777 _OIGOAMIntegration.sh
      chmod 777 OIGOAMIntegration.sh

3. Complete the prerequisites described in the section Prerequisites for the Connector-based Integration.
4. If you have upgraded the Oracle Internet Directory 11g connector or Microsoft Active Directory User Management 11g connector to 12.2.1.3.0, as describe in Step 2.a, then you must complete the following steps:
   1. Navigate to the directory (For example, OID/OUD the folder is named OID-12.2.1.3.0 and AD the folder is named activedirectory-12.2.1.3.0) that has the connector that you upgraded from 11g to 12.2.1.3.0, and then copy one of the following folders depending on the LDAP directory to the backup of 12.2.1.3.0 OIG home directory.
      • OID/OUD: OID-12.2.1.3.0
      • AD: activedirectory-12.2.1.3.0

      Example:

      OID/OUD: ORACLE_HOME_old/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0

      AD: ORACLE_HOME_old/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0

   2. Navigate to the directory (For example, OID/OUD the folder is named OID-12.2.1.3.0 and AD the folder is named activedirectory-12.2.1.3.0), and then copy one of the following folders depending on you LDAP directory to the 14.1.2.1.0 OIG home directory.
      • OID/OUD: OID-12.2.1.3.0
      • AD: activedirectory-12.2.1.3.0

      Example:

      OID/OUD: ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0

      AD: ORACLE_HOME/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0

   3. Open the configureLDAPConnector.config file from the 14.1.2.1.0 OIG Oracle home directory in a text editor and update the CONNECTOR_MEDIA_PATH parameter with the full path of the 12.2.1.3.0 backup OIG folder as shown in the following example:
      • OID/OUD: CONNECTOR_MEDIA_PATH=/u01/app/fmw/ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0
      • AD: CONNECTOR_MEDIA_PATH=/u01/app/fmw/ORACLE_HOME/idm/server/ConnectorDefaultDirectory/activedirectory -12.2.1.3.0

This section describes how to disable the LDAP synchronization.

1. Open the migrateOIMOAMIntegration.config file from the 14.1.2.1.0 OIG Oracle home directory (Located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.

   Example migrateOIMOAMIntegration.config File

   IDSTORE_DIRECTORYTYPE 
   OIM_WLSHOST 
   OIM_WLSPORT 
   OIM_WLSADMIN 
   OIM_WLSADMIN_PWD 
   OIM_SERVER_NAME 
   OIM_HOST 
   OIM_PORT 
   WLS_OIM_SYSADMIN_USER 
   WLS_OIM_SYSADMIN_USER_PWD 
   MDS_EXPORT_PATH

   The following table describes the parameters that you can set in the migrateOIMOAMIntegration.config file.

   Table F-1 Parameters in migrateOIMOAMIntegration.config File

   Parameters	Description	Sample Value
   IDSTORE_DIRECTORYTYPE	Enter the identity store directory type. Valid options are OID, OUD, and AD.	OUD
   OIM_WLSHOST	Enter the OIG admin server host name.	oimadminhost.example.com
   OIM_WLSPORT	Enter the OIG admin server port.	17001
   OIM_WLSADMIN	Enter the weblogic administrator user in OIM domain.	weblogic
   OIM_WLSADMIN_PWD	Enter the password for the weblogic admin user in OIM domain.	password
   OIM_SERVER_NAME	Enter the OIG server name.	oim_server1
   OIM_HOST	Enter the host name for OIG managed server.	oimhost.example.com
   OIM_PORT	Enter the port for OIG Server.	14000
   WLS_OIM_SYSADMIN_USER	Enter the system admin user to be used to connect to OIG while configuring SSO. This user needs to have system admin role.	xelsysadm
   WLS_OIM_SYSADMIN_USER_PWD	Enter the password for OIG system administrator user.	Password
   MDS_EXPORT_PATH	Specify location to export MDS.	/u01/app/upgrade/backup

2. Run the OIGOAMIntegration.sh script from the 14.1.2.1.0 ORACLE_HOME (Located at ORACLE_HOME/idm/server/ssointg/bin) to delete the EventHandlers.xml file from MDS and disable all LDAP scheduled jobs:

   ./OIGOAMIntegration.sh -migrateOIMOAMIntegration

3. Delete the adapters configured for the libOVD configuration:
   1. Invoke WLST interactively by running the following command from the 14.1.2.1.0 OIG Oracle home directory:
      ORACLE_HOME/oracle_common/common/bin/wlst.sh
   2. Connect to the WebLogic Administration Server:
      connect('Weblogic_User', 'Weblogic_password', 't3://Weblogic_Host:Weblogic_AdminServer_Port')

      Example:

      connect('weblogic', 'Password', 't3://example.com:7001')
   3. Lists the name and type of all adapters that are configured.

      listAdapters([contextName])

      Example:

      listAdapters(contextName='oim')

      See listAdapters in the WebLogic Scripting Tool Command Reference for Identity and Access Management.

   4. Deletes all the existing adapter for the libOVD configuration:

      deleteAdapter(adapterName, [contextName])

      Example:

      deleteAdapter(adapterName='oud1', contextName='oim')
      deleteAdapter(adapterName='CHANGELOG_oud1', contextName='oim')

      See deleteAdapter in WebLogic Scripting Tool Command Reference for Identity and Access Management.

You must configure the WLS Authentication Providers to set SSO logout for and security providers in OIG domain. So that both the SSO login and OIM client-based login, work appropriately.

Configure the WLS Authentication Providers by performing the steps described in the section Configuring WLS Authentication Providers Using Automated Script.

Configure LDAP Connector by performing the steps described in the section Configuring LDAP Connector Using Automated Script.

You must configure SSO integration to register OIM as TAP partner for OAM, add the resource policies for OIG-OAM communication, and update SSOIntegrationMXBean values in MDS.

Enable the OAM notification handlers and register OIG System Administrator to utilize OAM REST APIs.

To enable OAM notification, complete the steps described in the section Enabling OAM Notifications Using Automated Script.

Add missing object classes for existing users in LDAP directory (Oracle Internet Directory or Oracle Unified Directory) using the OIGOAMIntegration.sh automated script.

To add the missing object classes, complete the steps described in the section Adding Missing Object Classes Using Automated Script.

Restart all processes and servers, including the Administration Server and any Managed Servers for OAM and OIG.

1. Restart OHS Server. For information about starting the server, see Restarting Oracle HTTP Server Instances in Administering Oracle HTTP Server.
2. To start Node Manager, use the startNodeManager script:

   UNIX

   DOMAIN_HOME/bin/startNodeManager.sh

   Windows

   DOMAIN_HOME\bin\startNodeManager.cmd

3. To start the Administration Server, use the startWebLogic script:

   UNIX

   DOMAIN_HOME/bin/startWebLogic.sh

   Windows

   DOMAIN_HOME\bin\startWebLogic.cmd

   When prompted, enter your user name, password, and the URL of the Administration Server.

4. To start a WebLogic Server Managed Server, use the startManagedWebLogic script:

   UNIX

   DOMAIN_HOME/bin/startManagedWebLogic.sh managed_server_name admin_url

   Windows

   DOMAIN_HOME\bin\startManagedWebLogic.cmd managed_server_name admin_url

   When prompted, enter your user name, password, and the URL of the Administration Server.

   Note:

   For SOA and OIG Managed Servers, specify the URL of the Administration Server in the OIG domain.

1. Open a browser, and access the Oracle Identity System Administration Console using the following URL format:
   http://HOSTNAME:PORT/sysadmin

   In this URL, HOSTNAME represents the name of the computer hosting the Oracle HTTP Server and PORT refers to the port on which the Oracle HTTP Server is listening.

2. In the left panel, under System Configuration , click Configuration Properties.
3. Enter SSOIntegration.GroupRecon.OIGRole.Matching.RoleName in the Search field.

   Note:

   If the SSOIntegration.GroupRecon.OIGRole.Matching.RoleName property is not available, then you must create it. See Creating System Properties in the Administering Oracle Identity Governance.
4. Click the icon next to the Search field. The SSOIntegration.GroupRecon.OIGRole.Matching.RoleName system property is displayed.
5. In the Property Name column of the search results table, click the SSOIntegration.GroupRecon.OIGRole.Matching.RoleName system property. The System Property Details page is displayed.
6. Set the value to true and click Save to save the changes made.
7. Run the SSO Group Create And Update Full Reconciliation job to import the new roles from target and update the existing roles in OIG:
   1. In the left panel, under System Configuration , click Scheduler.
   2. On the left pane, in the search results table, click SSO Group Create And Update Full Reconciliation then from the Actions list, click Run Now.
8. Run the Roles Migration on Post LDAP Sync to SSO Integration job to auto seed the necessary artifacts for the existing roles in OIG:
   1. In the left panel, under System Configuration , click Scheduler.
   2. On the left pane, in the search results table, click Roles Migration on Post LDAP Sync to SSO Integration then from the Actions list, click Run Now .
9. Navigate to Configuration Properties under System Configuration , click Configuration Properties and set the value to false for the SSOIntegration.GroupRecon.OIGRole.Matching.RoleName system property.
10. Navigate to Scheduler under System Configuration and run the following reconciliation jobs:
    • SSO User Full Reconciliation
    • SSO Group Membership Full Reconciliation
    • SSO Group Hierarchy Sync Full Reconciliation

After the upgrade, you can validate the integrated environments by performing the tasks described in the section Validating the Access Manager and Oracle Identity Governance Integration.

For any common problems you might encounter, see the section Troubleshooting Common Problems in Access Manager and OIG Integration.

For known issue and limitations, see Known Limitations and Workarounds in OIG-OAM Integration.