
Stack Patch Bundle for Oracle Identity Management Products (Doc ID 2657920.1)

Last updated on NOVEMBER 06, 2023

Applies to:

Oracle Unified Directory - Version 12.2.1.3.0 and later
Oracle Internet Directory - Version 12.2.1.3.0 and later
Oracle Access Manager - Version 12.2.1.3.0 and later
Oracle Identity Management Suite
Identity Manager - Version 12.2.1.3.0 and later
Information in this document applies to any platform.

Details

Background

Most 12.2.1.x Identity Management product installations require an Oracle Fusion Middleware product installation. In addition to the Oracle Fusion Middleware installation, Oracle Identity Governance also requires an Oracle SOA Suite installation.

Together with the actual Identity Management product installation, these dependent installed products share certain underlying tech stack components which can be impacted by updates or patches.

Starting in January 2020, quarterly testing and certification is provided for the applicable underlying component patches indicated for select Oracle Identity Management 12c products. This was announced in Document 2627261.1.

Details

To further simplify the patching process, starting with the July 2020 quarterly release, a Stack Patch Bundle (SPB) was made available for select version 12.2.1.4 Identity Management Products on Linux based platforms.
Starting with the January 2021 release, SPB availability was extended to the 12.2.1.3 version, and with the April 2021 release, SPB was made available for Solaris, Solaris on SPARC and Windows platforms as well.

The quarterly SPB includes the bundle patches for each of the select Identity Management products as well as the patches for their respective underlying components.

The SPB also includes the SPBAT tool which can be used to apply all of the patches for a single product with a single command by using a phased approach. 

The phases for patch application include:

Preparation (or prerequisite) Phase where you'll download, stage and verify the details needed for SPB and the SPBAT commands.

Analysis (or prestop) Phase where analysis is performed to identify corrective actions needed to address any conflicts or prerequisite requirements prior to starting the patch application process.

The result of this phase is an HTML report showing whether or not there are any missing prerequisite steps or patch conflicts requiring intervention (such as new one offs that might be needed as a result of the patch applications) and verification that you can proceed to apply the patches using the downtime command.

Patching (or downtime) Phase where the product specific patches are applied.

This phase is entered only after you've verified through the analysis phase that you're ready to apply the patches and after you've taken the necessary steps to back up the environment.

Poststart Phase where any additional required patching steps are performed.

System Overview Note: The following install scenarios are considered.

The ORACLE_HOME (Middleware Home) setup for IDM 12.2.1.x is broken down into the following categories:

  • Oracle Access Manager
  • Oracle Identity Governance
  • Collocated Oracle Unified Directory
  • Collocated Oracle Internet Directory

With respect to the SPB, the above categories are described as separate install types, each containing a dedicated ORACLE_HOME deployed in dedicated VMs/Hosts.

In case the setup is spread across multiple VMs/Hosts, then perform the phased patch application steps for each ORACLE_HOME on the respective VMs/Hosts.
If there are multiple ORACLE_HOME locations on the same VM, then perform the phased patch application steps for each ORACLE_HOME separately.
In the case that future functional support allows two or more install types to share the same ORACLE_HOME, then perform the phased patch application steps for each install type against the ORACLE_HOME.

Limitations

The SPBAT utility automates the binary patch apply for the patches that are obtained through the SPB bundle only. It excludes the configuration actions and server restart operations.
The SPBAT utility does not handle the start, stop, and post-patching configuration operations of the servers. The user can use either custom startup/shutdown scripts or the ones available with the product. The post-patch configuration operations, if any, must be manually performed, as documented in the SPB README.txt.
The SPBAT utility has minimalistic error handling, and it relies on the correctness of the input values provided by the user while using the tool.
The SPBAT utility does not create any backup of the environment/application/configuration/data prior to individual patching of the product or component.
The SPBAT utility does not provide rollback support. For any issues, use the backups (created during downtime) to restore the environment. However, while applying SPB, existing one-offs present in the ORACLE_HOME can be rolled back. Manually review the ORACLE_HOME inventory and re-apply any one-offs that might have been rolled back during the application of IDM SPB.

As all of the patches included and applied with SPB are not Zero-Downtime (ZDT) patches, SPB is also not ZDT eligible.
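
Because SPBAT can roll back existing one-offs and has no rollback of its own, the inventory review described above is easier with a snapshot taken before the downtime phase. The following is an added example, not part of the Oracle note or of SPBAT: it compares two saved `opatch lspatches` outputs, and the file names and the patch IDs 11111111, 22222222 and 33333333 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Oracle code. Inputs are saved `opatch lspatches` output:
# one "<patch_id>;<description>" line per installed patch.

# Print each patch line that is in snapshot $1 but not in snapshot $2.
missing_from() {
    if [ ! -r "$1" ] || [ ! -r "$2" ]; then
        echo "cannot read inventory snapshot" >&2
        return 2
    fi
    awk -F';' -v other="$2" '
        BEGIN {
            # Load the patch IDs of the comparison snapshot first.
            while ((getline line < other) > 0) {
                split(line, f, ";")
                if (f[1] ~ /^[0-9]+$/) seen[f[1]] = 1
            }
            close(other)
        }
        # Ignore non-inventory lines such as "OPatch succeeded."
        $1 ~ /^[0-9]+$/ && !($1 in seen)
    ' "$1"
}

# In the home before the SPB run, gone afterwards: one-offs that were rolled
# back, plus older bundle patches the SPB replaced. Review each line.
removed_by_spb() { missing_from "$1" "$2"; }

# Introduced by the SPB run.
added_by_spb() { missing_from "$2" "$1"; }

# Constructed sample snapshots; 11111111, 22222222 and 33333333 are placeholders.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before.txt" <<'EOF'
11111111;CONSTRUCTED ONE-OFF A
22222222;CONSTRUCTED ONE-OFF B
33333333;CONSTRUCTED OLDER WLS PATCH SET UPDATE

OPatch succeeded.
EOF
cat > "$demo_dir/after.txt" <<'EOF'
35893811;WLS PATCH SET UPDATE 12.2.1.4.231010
35878418;OAM BUNDLE PATCH 12.2.1.4.231005
22222222;CONSTRUCTED ONE-OFF B

OPatch succeeded.
EOF

echo "Missing after patching (re-apply if still required):"
removed_by_spb "$demo_dir/before.txt" "$demo_dir/after.txt"
```

Superseded bundle patches appear in the same list as rolled-back one-offs, so each reported line still needs a manual decision.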

Product Specific Patches Included In the Current SPB

 

SPB Patch ID and Version | Identity Management Product | Patches Included and Applied Using SPB | Reference/Details

Note: 12.2.1.3 Identity Management Terminal BP for 12.2.1.3

 

 

 

 

12.2.1.4 Identity Management

October 2023 SPB

Current Version: 12.2.1.4.231031

Patch 35964058

As of November 6, 2023, the OIG bundle patch and stack patch bundle have been re-released. See Note 2985511.1, October 2023 Identity Management (IDM) SPB Patch 35964058 (12.2.1.4.231031) Replaces Patch 35916732 (12.2.1.4.231017).


 

 

 

 Oracle Access Manager

12.2.1.4

  • 34065178 MERGE REQUEST ON TOP OF 12.2.1.4.0 FOR BUGS 34010500 33903365
  • 32999272 OIM 12CPS3 UPGRADE STUCK AT SCHEMAREADINESSQUERIES QUERYINDEXNAMES
  • 34542329 MERGE REQUEST ON TOP OF 12.2.1.4.0 FOR BUGS 34280277 26354548 26629487 29762601
  • 32720458 Fix for Bug 32720458
  • 33093748 FMW PLATFORM 12.2.1.4.0 SPU FOR APRCPU2021
  • 34302154 OPSS One-off for JwtToken
  • 35780760 NEED OPATCHABLE PATCH FROM OINAV_MAIN_GENERIC DATED LABEL
  • 35960040 OIM BUNDLE PATCH 12.2.1.4.231030
  • 35671137 RDA release 23.4-20231017 for FMW 12.2.1.4.0
  • 35882299 FMW Thirdparty Bundle Patch 12.2.1.4.231006
  • 35893811 WLS PATCH SET UPDATE 12.2.1.4.231010
  • 35476067 ADR FOR WEBLOGIC SERVER 12.2.1.4.0 CPU OCT 2023
  • 35778804 Coherence 12.2.1.4 Cumulative Patch 19 (12.2.1.4.19)
  • 35474754 WEBLOGIC SAMPLES SPU 12.2.1.4.230718
  • 33950717 OPSS BUNDLE PATCH 12.2.1.4.220311
  • 35735469 ADF BUNDLE PATCH 12.2.1.4.230823
  • 35868571 OWSM BUNDLE PATCH 12.2.1.4.231003
  • 35878418 OAM BUNDLE PATCH 12.2.1.4.231005
IMPORTANT NOTE FOR SPB PATCH:
  • With this SPB release, both OIG and OAM BPs are applied for each product even if you are not using one of them. As both sets of binaries are installed, this is by design to prevent false positives during security scans.
  • In March 2024, the Oracle Access Manager (OAM) components using SIMPLE-mode certificates for communication will stop functioning, causing an outage in the OAM environment, unless preventive actions are taken. For further details, refer to KM Note "March 2024 Expiration Of The Oracle Access Manager (OAM) Out Of The Box Certificates" (Doc ID 2949379.1).

IMPORTANT NOTE FOR OAM PATCH:

Per October 2023 OAM BP ReadMe:

Oracle Access Management 12.2.1.4.231005 BP includes the following new features and enhancements:

New parameter to fetch the authorization grant details

Added a new parameter response_mode to fetch the authorization grants to redirect_uri.


Support for authentication in multiple browser tabs

OAM supports the multi-tab feature when the serverRequestCacheType parameter is set to COOKIE. For details, see Supporting Authentication in Multiple Browser Tabs.

OAM OAuth2 runtime endpoint to support domain as a query parameter

A new query parameter identityDomain is added to the oauth2 runtime endpoint instead of the header parameter X-OAUTH-IDENTITY-DOMAIN-NAME. The header parameter X-OAUTH-IDENTITY-DOMAIN-NAME is not required when identityDomain is provided. If both parameters are used, X-OAUTH-IDENTITY-DOMAIN-NAME will take precedence over identityDomain.


OAM OAuth2 token validation URL supports passing access_token both as a header and as a query parameter

The access_token can be passed either as a header parameter or as a query parameter in the token validation URL. New syntax to pass access_token as a header and as a query parameter is included in the REST API for OAuth.

 

 

 Oracle Identity Governance

12.2.1.4

  • 32999272 OIM 12CPS3 UPGRADE STUCK AT SCHEMAREADINESSQUERIES QUERYINDEXNAMES
  • 34542329 MERGE REQUEST ON TOP OF 12.2.1.4.0 FOR BUGS 34280277 26354548 26629487 29762601
  • 32720458 Fix for Bug 32720458
  • 33093748 FMW PLATFORM 12.2.1.4.0 SPU FOR APRCPU2021
  • 34302154 OPSS One-off for JwtToken
  • 35780760 NEED OPATCHABLE PATCH FROM OINAV_MAIN_GENERIC DATED LABEL
  • 35960040 OIM BUNDLE PATCH 12.2.1.4.231030
  • 35671137 RDA release 23.4-20231017 for FMW 12.2.1.4.0
  • 35882299 FMW Thirdparty Bundle Patch 12.2.1.4.231006
  • 35893811 WLS PATCH SET UPDATE 12.2.1.4.231010
  • 35476067 ADR FOR WEBLOGIC SERVER 12.2.1.4.0 CPU OCT 2023
  • 35778804 Coherence 12.2.1.4 Cumulative Patch 19 (12.2.1.4.19)
  • 35474754 WEBLOGIC SAMPLES SPU 12.2.1.4.230718
  • 33950717 OPSS BUNDLE PATCH 12.2.1.4.220311
  • 35751917 WebCenter Core Bundle Patch 12.2.1.4.230827
  • 35735469 ADF BUNDLE PATCH 12.2.1.4.230823
  • 35748499 SOA Bundle Patch 12.2.1.4.230827
  • 35868571 OWSM BUNDLE PATCH 12.2.1.4.231003
  • 35878418 OAM BUNDLE PATCH 12.2.1.4.231005
IMPORTANT NOTE FOR SPB PATCH:

With this SPB release, both OIG and OAM BPs are applied for each product even if you are not using one of them. As both sets of binaries are installed, this is by design to prevent false positives during security scans.

IMPORTANT NOTE FOR OIM PATCH:

Per October 2023 OIG BP ReadMe:
The following are the major enhancements in Oracle Identity Governance 12.2.1.4.231009:

The unwanted accounts that are stuck in the Provisioning status can now be purged continuously using Real-time Provisioning Status based on the options or choices that are made during configuration.


Admin users can create membership rules by assigning members to a role using an SQL query.

 

IMPORTANT NOTE FOR SOA PATCH:
If this is the first time you are applying any SPB after a One-Hop Upgrade to 12.2.1.4 or this is a fresh install of OIG 12.2.1.4 where no SOA Bundle Patch or SPB has been previously applied, please review and apply the Section 6: Post-Installation Instructions in the SOA Bundle Patch README.html within the extracted SPB/Binary Patches/soa/generic/<pnumber_122140Generic.zip>.


 

 Oracle Unified Directory
Collocated Only

12.2.1.4

  • 32999272 OIM 12CPS3 UPGRADE STUCK AT SCHEMAREADINESSQUERIES QUERYINDEXNAMES
  • 34542329 MERGE REQUEST ON TOP OF 12.2.1.4.0 FOR BUGS 34280277 26354548 26629487 29762601
  • 32720458 Fix for Bug 32720458
  • 33093748 FMW PLATFORM 12.2.1.4.0 SPU FOR APRCPU2021
  • 35854309 OUD BUNDLE PATCH 12.2.1.4.230928
  • 35671137 RDA release 23.4-20231017 for FMW 12.2.1.4.0
  • 35882299 FMW Thirdparty Bundle Patch 12.2.1.4.231006
  • 35893811 WLS PATCH SET UPDATE 12.2.1.4.231010
  • 35476067 ADR FOR WEBLOGIC SERVER 12.2.1.4.0 CPU OCT 2023
  • 35778804 Coherence 12.2.1.4 Cumulative Patch 19 (12.2.1.4.19)
  • 35474754 WEBLOGIC SAMPLES SPU 12.2.1.4.230718
  • 35735469 ADF BUNDLE PATCH 12.2.1.4.230823
Note: For OUD Standalone, you cannot use the Stack Patch Bundle process as there is no WebLogic instance install. Please follow the CPU article 2806740.2.

 

Oracle Internet Directory
Collocated Only

12.2.1.4

  • 34065178 MERGE REQUEST ON TOP OF 12.2.1.4.0 FOR BUGS 34010500 33903365
  • 32999272 OIM 12CPS3 UPGRADE STUCK AT SCHEMAREADINESSQUERIES QUERYINDEXNAMES
  • 34542329 MERGE REQUEST ON TOP OF 12.2.1.4.0 FOR BUGS 34280277 26354548 26629487 29762601
  • 32720458 Fix for Bug 32720458
  • 33093748 FMW PLATFORM 12.2.1.4.0 SPU FOR APRCPU2021
  • 35643718 DATABASE RELEASE UPDATE 19.20.0.0.0 FOR FMW DBCLIENT
  • 34947852 OID BUNDLE PATCH 12.2.1.4.221222
  • 35084179 OSS 19C BUNDLE PATCH 12.2.1.4.230214
  • 35881227 ONE OFF PATCH TO RELINK OID WITH DBCLIENT - OCT'23 BP
  • 35106635 PROVIDE PATCH ON WINDOWS WHICH INCLUDES DMS AND OPMNPERF BUILT WITH VS2017
  • 35671137 RDA release 23.4-20231017 for FMW 12.2.1.4.0
  • 35882299 FMW Thirdparty Bundle Patch 12.2.1.4.231006
  • 35893811 WLS PATCH SET UPDATE 12.2.1.4.231010
  • 35476067 ADR FOR WEBLOGIC SERVER 12.2.1.4.0 CPU OCT 2023
  • 35778804 Coherence 12.2.1.4 Cumulative Patch 19 (12.2.1.4.19)
  • 35474754 WEBLOGIC SAMPLES SPU 12.2.1.4.230718
  • 35735469 ADF BUNDLE PATCH 12.2.1.4.230823

Note: The latest OID BP is compatible with 19c Client.  The last 12c Client OID binaries are from July 2022.

BEFORE UPGRADING TO THE 19C CLIENT, BE SURE TO REMOVE PERL PATCH 34830313 FOR THE 12C CLIENT.

The upgrade for the Database Client to 19c is only supported on Red Hat / Oracle Linux version 7.4 and higher. Customers on earlier versions are expected to upgrade the OS before running this installer.

Note: After installing the January 2023 OID stack patch bundle, if you have upgraded Oracle Database Client 12c to 19c, apply the latest patch. For more information refer to the following document for the announcement and further requirements of the Database Client 19c upgrade:
Doc ID 2921245.1 - New Database Client 19c Upgrade for Oracle Fusion Middleware 12.2.1.4 - OID, OHS, OTD

 

Note: For OID Standalone, you cannot use the Stack Patch Bundle process as there is no WebLogic instance install. Please follow the CPU article 2806740.2.

 

Actions

Overview

The Stack Patch Bundle contains a README.txt file with the steps needed to apply the patches. The following information is provided to assist in planning and understanding the end-to-end patching process.

Initial Preparation:
  1. Create or designate a directory where you will extract the contents of the SPB. The location should be accessible to all IDM hosts and have read, write and execute permissions enabled. Because the SPB contains many patches, it is large, so this location should also have plenty of free space. The path to this location will be used to build one of the required inputs to the SPB patching commands, <spb_download_dir>.
  2. Create or designate a directory for the logs and reports which will be generated by the patching tool.  This location will be a required input to the SPB patching commands, <log_dir>.
  3. Identify the ORACLE_HOME directory for your product.  This location is synonymous with the ORACLE_HOME directory which is used in the SPB README.txt file and will also be a required input to the SPB patching commands, <ORACLE_HOME>.
  4. Download the SPB and extract it to the directory indicated in step 1.
    Note: Extract SPB zip file using the 'jar -xvf' command (rather than the unzip command).


    Reference:
    WLS Of SPB Prerequisite Check "CheckApplicable" Failed. Commons-io-2.6.jar" Is Not Writeable. (Doc ID 2855861.1)

  5. Verify the OPatch version in your product's ORACLE_HOME. If it does not meet the minimum requirement (check the SPB README for the minimum OPatch version being applied), unzip the included OPatch patch as indicated in the SPB README.txt file, perform a cold backup of the ORACLE_HOME and update OPatch using the steps in the OPatch readme file.
  6. In case the setup is spread across multiple VMs/Hosts, repeat these steps for each ORACLE_HOME on the respective VMs/Hosts.
Analysis Phase:
  1. Using the variables identified earlier and the instructions in the SPB README.txt file, run the SPBAT prestop command for your product.
    For example, consider the case where you have a single node Oracle Identity Governance environment with the ORACLE_HOME at /opt/oracle/IAM12c, the SPB has been downloaded and staged in /home/oracle/Downloads and a log directory OIGlogs has been created in the same location.
    In that case, the command to run prestop will be like:  
  2. While downtime is running, you'll see some output in the terminal window - which you'll need to keep open until it completes.
    The output includes information about logs which are generated as the patches are applied and details about a command you can run in a different terminal to know the status.
    When downtime completes it will show a message indicating either success or failure.
  3. After the downtime command has completed, follow the "Before Server Startup" instructions for your product as provided in the SPB README.txt file.
    For example, the instructions for OIG are like:
    After applying patches, clear out the contents of any cache/tmp/stage/dc directories which exist in all $DOMAIN_HOME/servers/<SERVER_NAME> locations, prior to restarting.
  4. In case the setup is spread across multiple VMs/Hosts, repeat these steps for each ORACLE_HOME on the respective VMs/Hosts.
Poststart Phase:
  1. Start all of the product's related services (including the WebLogic Servers) running on the product's hosts and verify that the URLs are accessible.
  2. Using the variables identified earlier and the instructions in the SPB README.txt file, run the SPBAT poststart command for your product.
    For example, using the same OIG environment and details from the earlier phase examples, the command to run poststart will be like:
    [oracle@machine SPBAT]$ ./spbat.sh -type oig -phase poststart -mw_home /opt/oracle/IAM12c -spb_download_dir /home/oracle/Downloads/IDM_SPB_12.2.1.4.200714 -log_dir /home/oracle/Downloads/OIGlogs
  3. While poststart is running, you'll see some output in the terminal window - which you'll need to keep open until it completes.
    The output includes information about logs which are generated as the command is run and details about an additional command you can run in a different terminal to know the status.
    When poststart completes it will show a message indicating either success or failure.
  4. After the poststart command has completed, follow the "After Server Startup" instructions for your product as provided in the SPB README.txt file.
    For example, the instructions for OIG are like:
         B) After Server Startup
              i. Update $OIM_ORACLE_HOME/server/bin/patch_oim_wls.profile
                  For detailed instructions, please refer to the section 'Stage 2: Filling in the patch_oim_wls.profile File' in IDM_SPB_12.2.1.4./etc/OIG_Bundle_Patch_Readme_12.2.1.4.200624.htm .
             ii. Execute $OIM_ORACLE_HOME/server/bin/patch_oim_wls.sh.
  5. As indicated in the OIG readme referenced above, for OIG installs, you'll need to clear out the contents of the tmp directory in each of the OIG managed servers' $DOMAIN_HOME/servers/<SERVER_NAME> locations.
  6. In case the setup is spread across multiple VMs/Hosts, repeat these steps for each ORACLE_HOME on the respective VMs/Hosts.
  7. Complete Validation - Once the SPB patching activity is complete, restart and verify the environment and URLs.
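
Since SPBAT relies on the correctness of the values it is given, the inputs gathered during Initial Preparation can be checked before each phase is run. The following is an added example, not part of SPBAT or the SPB README: the function names, the temporary directory layout and the version numbers are constructed, the flags are those of the poststart command shown above, and the `prestop` and `downtime` phase values are taken from the phase names used in this note.

```shell
#!/bin/sh
# Added example, not Oracle code: check SPBAT inputs before running a phase.

# Succeed when dotted version $1 is greater than or equal to $2,
# comparing each field numerically (so 13.9.4.2.5 < 13.9.4.2.13).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read the installed OPatch version from "OPatch Version: x.y.z" output.
installed_opatch_version() {
    "$1/OPatch/opatch" version | sed -n 's/^OPatch Version: *//p'
}

# Print the spbat.sh command for one phase, or fail with a reason on stderr.
# Arguments: product phase ORACLE_HOME spb_download_dir log_dir
spbat_command() {
    product=$1 phase=$2 mw_home=$3 spb_dir=$4 log_dir=$5
    case $phase in
        prestop|downtime|poststart) ;;
        *) echo "unknown phase: $phase" >&2; return 1 ;;
    esac
    [ -n "$product" ] || { echo "product type is empty" >&2; return 1; }
    [ -d "$mw_home" ] || { echo "ORACLE_HOME not found: $mw_home" >&2; return 1; }
    if [ ! -d "$spb_dir" ] || [ ! -r "$spb_dir" ]; then
        echo "SPB directory missing or unreadable: $spb_dir" >&2; return 1
    fi
    if [ ! -d "$log_dir" ] || [ ! -w "$log_dir" ]; then
        echo "log directory missing or not writable: $log_dir" >&2; return 1
    fi
    printf './spbat.sh -type %s -phase %s -mw_home %s -spb_download_dir %s -log_dir %s\n' \
        "$product" "$phase" "$mw_home" "$spb_dir" "$log_dir"
}

# Constructed layout standing in for a real host.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/IAM12c" "$work/IDM_SPB" "$work/OIGlogs"

# Both versions are constructed; on a host, use installed_opatch_version and
# the minimum stated in the SPB README.
if version_ge "13.9.4.2.5" "13.9.4.2.13"; then
    spbat_command oig prestop "$work/IAM12c" "$work/IDM_SPB" "$work/OIGlogs"
else
    echo "OPatch is older than the SPB minimum; update it before prestop"
fi
```

The printed command is meant to be run from the SPBAT directory of the extracted bundle, as in the poststart example above.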
