Accelerate Your Identity


Upgrade #Oracle #OIF to #IDM #Identity

We installed Oracle Identity Federation (OIF) a few months ago and had to move on to some other, more pressing IDM-related issues. We finally came back to the Federation tasks at the beginning of September. The first thing I did was take an inventory of where we left off and compare it to the current released version from Oracle. I found that we were now a version behind with both WebLogic Server (WLS) and OIF. I initially put off upgrading because we were in a hurry to integrate with one of their business partners. We were able to configure the Circle of Trust with the Relying Party (RP, aka Service Provider) with just a few issues. This particular partner is using OpenSAML as their software of choice. The only issue for us is that they didn’t (or don’t) create metadata files. This is their choice because OpenSAML has a module for doing this. Metadata files are a feature in SAML 2.0 that allows for easy (…easier) integration with your Federation partners. I was able to create one manually for them by using the sp.xml file that was created when using the OpenSSO Fedlet (that’s for another post).
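A minimal SAML 2.0 SP metadata document of the kind described above, built by hand for a partner that publishes none. This is an added example, not the author's file or the Fedlet's sp.xml; the entity ID, ACS URL and certificate value are constructed placeholders, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample values (assumptions, not taken from the post).
SAMPLE_ENTITY_ID = "https://sp.partner.example/saml"
SAMPLE_ACS = "https://sp.partner.example/saml/acs"
SAMPLE_CERT = "PLACEHOLDER_BASE64_DER_CERTIFICATE"


def build_sp_metadata(entity_id, acs_url, signing_cert_b64, want_signed=True):
    """Return SAML 2.0 SP metadata (str) for a partner that publishes none."""
    if not acs_url.startswith("https://"):
        # Assertions are POSTed to this URL; refuse a cleartext endpoint.
        raise ValueError("AssertionConsumerService must be https")
    entity = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(entity, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": SAML2_PROTOCOL,
        "WantAssertionsSigned": str(want_signed).lower(),
    })
    # Schema order matters: KeyDescriptor comes before AssertionConsumerService.
    key = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    info = ET.SubElement(key, f"{{{DS}}}KeyInfo")
    x509 = ET.SubElement(info, f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": POST_BINDING, "Location": acs_url,
        "index": "0", "isDefault": "true",
    })
    return ET.tostring(entity, encoding="unicode")


def summarize(metadata_xml):
    """Parse metadata back and return the fields to confirm with the partner."""
    ns = {"md": MD, "ds": DS}
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", ns)
    cert = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", ns)]
    return {"entity_id": root.get("entityID"), "acs": acs,
            "has_signing_cert": sp.find(cert, ns) is not None}


if __name__ == "__main__":
    print(summarize(build_sp_metadata(SAMPLE_ENTITY_ID, SAMPLE_ACS, SAMPLE_CERT)))
```

Because the IdP will trust whatever certificate and endpoint a hand-built file names, confirm both with the partner out of band before importing it.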

So, finally on to the point of this post. The only issue that we have had with OIF is that when trying to search for local users (we are using OVD as our User Data Store … OVD fronts two different AD instances) we have some issues with the search function and not all users can authenticate. Yes, this is actually a major problem.

I noticed via http://support.oracle.com that there are a lot of patches available for  I ended up downloading the version from OTN (here).

(Note:  I talked to my contact at Oracle Support who said that is coming very soon)

This version requires that WebLogic be at least 10.1.3. I went back to the support site and downloaded the 10.1.3 patch from there. It’s a jar file that is run and will open up as an OUI installer. I found this site which I used as a guide. It’s pretty simple and painless. Make sure that you restart WLS after upgrading and before upgrading OIF. When the OIF upgrade is complete you should restart the managed service.

After restarting OIF I noticed in Enterprise Manager (EM) that OIF is still displaying as  I am running the Upgrade Assistant (Oracle_Home/bin/ua).  On the second screen you can select “Verify Instance”.  This will walk you through and verify that your OIF instance is upgraded to the correct version.  In my case the status is showing as “Failed”.    One thing that seems odd to me is that the port shown (on the error message) is 7499.  It looks like it’s trying to access the URL to the metadata file and is trying to go on 7499. (i.e., http://hostname:7499/fed/idp/metadata).  I can get to the file via 7777 and not 7499.  So, I’ll need to check later as to why the Upgrade Assistant is using that port.

I just tried to re-run the patch installer.  It complained that the patch had already been applied to this Oracle_Home.  So, now I am perplexed.  Let’s try rebooting the box and restarting the WLS and OIF services.

Interestingly, after the reboot the OIF version is still showing as … but my OIF LDAP Authentication Engine error is no longer occurring.  So, maybe it did get patched??  I am working on confirming this … maybe the version number doesn’t get updated?  … that doesn’t sound right though.

5 thoughts on “Upgrade #Oracle #OIF to #IDM #Identity”

  1. Hi Brad, this is Barry Ghotra again! I finally got my OVD/OID upgraded to Some points to share:
    a) the ORACLE_HOME/bin/ua seems to work only if you had a prior 10g installation.
    b) I simply did the WLS upgrade to 10.3.5, then upgraded the OID/OVD SOFTWARE to and then ran the PATCH SET ASSISTANT to upgrade the schema.
    c) Everything got upgraded and the versions indeed showed in schema_version_registry as well as ODSM console. But EM still showed I saw a note about registering the components using opmnctl in another blog:
    /opmnctl updatecomponentregistration -componentName oid1 -Sport 3131 -Port 3060 , but that did not do anything. It’s also mentioned in the PATCHING guide.

    Opened a SR with Oracle and they are saying it’s by design…go figure!!!

  2. Hi Brad, I noticed that you are using AD as your underlying LDAP adapters with OVD. The key question I have is what are you mapping the orclguid to in AD? Is it objectGUID or objectSID, and if you are doing one or the other, what does your mapping look like, if you don’t mind? We are using SAML 2.0 to SSO with Salesforce PRM and Remedy Force. We had been using OID so far and all was good, but we need to add AD for internal users for Remedy Force. But we are experiencing some issues without the proper GUID or orclFedGUID variables. I would appreciate any help/feedback please. Thank you.
