Stack Patch Bundle for Oracle Identity Management Products (Doc ID 2657920.1)

Oracle Unified Directory - Version 12.2.1.3.0 and later
Oracle Internet Directory - Version 12.2.1.3.0 and later
Oracle Access Manager - Version 12.2.1.3.0 and later
Oracle Identity Management Suite
Identity Manager - Version 12.2.1.3.0 and later
Information in this document applies to any platform.

Details

Background

Most 12.2.1.x Identity Management product installations require an Oracle Fusion Middleware product installation. In addition to the Oracle Fusion Middleware installation, Oracle Identity Governance also requires an Oracle SOA Suite installation.

Together with the actual Identity Management product installation, these dependent installed products share certain underlying tech stack components which can be impacted by updates or patches.

Starting in January 2020, quarterly testing and certification is provided for the applicable underlying component patches indicated for select Oracle Identity Management 12c products. This was announced in Document 2627261.1.

Details

To further simplify the patching process, starting with the July 2020 quarterly release, a Stack Patch Bundle (SPB) was made available for select version 12.2.1.4 Identity Management Products on Linux based platforms.
Starting with the January 2021, SPB availability was extended to the 12.2.1.3 version and with the April 2021 release, SPB was made available for Solaris, Solaris on SPARC and Windows platforms as well.

The quarterly SPB includes the bundle patches for each of the select Identity Management products as well as the patches for their respective underlying components.

The SPB also includes the SPBAT tool which can be used to apply all of the patches for a single product with a single command by using a phased approach.

The phases for patch application include:

Preparation (or prerequisite) Phase where you'll download, stage and verify the details needed for SPB and the SPBAT commands.

Analysis (or prestop) Phase where analysis is performed to identify corrective actions needed to address any conflicts or prerequisite requirements prior to starting the patch application process.

The result of this phase is an HTML report showing whether or not there are any missing prerequisite steps or patch conflicts requiring intervention (such as new one offs that might be needed as a result of the patch applications) and verification that you can proceed to apply the patches using the downtime command.

Patching (or downtime) Phase where the product specific patches are applied.

This phase is entered only after you've verified through the analysis phase that you're ready to apply the patches and after you've taken the necessary steps to back up the environment.

Poststart Phase where any additional required patching steps are performed.

System Overview Note: The following install scenarios are considered.

The ORACLE_HOME (Middleware Home) setup for IDM 12.2.1.x is broken down in to the following categories:

With respect to the SPB, the above categories are described as separate install types, each containing a dedicated ORACLE_HOME deployed in dedicated VMs/Hosts.

In case the setup is spread across multiple VMs/Hosts, then perform the phased patch application steps for each ORACLE_HOME on the respective VMs/Hosts.
If there are multiple ORACLE_HOME locations on the same VM, then perform the phased patch application steps for each ORACLE_HOME separately.
In the case that future functional support allows for two or more install types share the same ORACLE_HOME, then perform the phased patch application steps for each install type against the ORACLE_HOME.

Limitations

The SPBAT utility automates the binary patch apply for the patches that are obtained through the SPB bundle only. It excludes the configuration actions and server restart operations.
The SPBAT utility does not handle the start, stop, and postpatching configuration operations of the servers. The user can use either custom startup/shutdown scripts or the ones available with the product. The post patch configuration operations, if any, must be manually performed, as documented in the SPB README.txt
The SPBAT utility has minimalistic error handling, and it relies on the correctness of the input values provided by the user while using the tool.
The SPBAT utility does not create any backup of the environment/application/configuration/data prior to individual patching of the product or component.
The SPBAT utility does not provide rollback support. For any issues, use the backups (created during downtime) to restore the environment. However, while applying SPB, existing one-offs present in the ORACLE_HOME can be rolled back. Manually review the ORACLE_HOME inventory and re-apply any one-offs that might have been rolled back during the application of IDM SPB.

As all of the patches included and applied with SPB are not Zero-Downtime (ZDT) patches, SPB is also not ZDT eligible.

Product Specific Patches Included In the Current SPB

12.2.1.4 Identity Management

October 2023 SPB

Current Version: 12.2.1.4.231031

As of November 6, 2023 the OIG bundle patch and stack patch bundle have been re-released. See Note 2985511.1, October 2023 Identity Management (IDM) SPB Patch 35964058 (12.2.1.4.231031) Replaces Patch 35916732 (12.2.1.4.231017

Oracle Access Manager

IMPORTANT NOTE FOR OAM PATCH:

Per October 2023 OAM BP ReadMe:

Oracle Access Management 12.2.1.4.231005 BP includes the following new features and enhancements:

New parameter to fetch the authorization grant details

Added a new parameter response_mode to fetch the authorization grants to redirect_uri.

Support for authentication in multiple browser tabs

OAM supports multi-tab feature when serverRequestCacheType parameter is set to COOKIE. For details, see Supporting Authentication in Multiple Browser Tabs.
OAM OAuth2 runtime endpoint to support domain as a query parameter
A new query parameter identityDomain is added to the oauth2 runtime endpoint instead of the header parameter X-OAUTH-IDENTITY-DOMAIN-NAME. The header parameter X-OAUTH-IDENTITY-DOMAIN-NAME is not required when identityDomain is provided. If both parameters are used, X-OAUTH-IDENTITY-DOMAIN-NAME will take precedence over identityDomain.

OAM OAuth2 token validation URL supports passing access_token both as a header and as a query parameter

The access_token can be passed either as a header parameter or as a query parameter in the token validation URL. New syntax to initiate access_token as a header and as a query parameter are included in the REST API for OAuth.

Oracle Identity Governance

With this SPB release, both OIG and OAM BP's are applied for each product even if you are not using one of them. As both sets of binaries are installed, this is by design to prevent false postive during security scans.

IMPORTANT NOTE FOR OIM PATCH:

Per October 2023 OIG BP ReadMe:
The following are the major enhancements in Oracle Identity Governance 12.2.1.4.231009:

The unwanted accounts that are stuck in the Provisioning status can now be purged continuously using Real-time Provisioning Status based on the options or choices that are made during configuration.

Admin users can create membership rules by assigning members to a role using an SQL query.

IMPORTANT NOTE FOR SOA PATCH:
If this is the first time you are applying any SPB after a One-Hop Upgrade to 12.2.1.4 or this is a fresh install of OIG 12.2.1.4 where no SOA Bundle Patch or SPB has been previously applied, please review and apply the Section 6: Post-Installation Instructions in the SOA Bundle Patch README.html within the extracted SPB/Binary Patches/soa/generic/.

Oracle Unified Directory
Collocated Only

Oracle Internet Directory
Collocated Only

Note: The latest OID BP is compatible with 19c Client. The last 12c Client OID binaries are from July 2022.

BEFORE UPGRADING TO THE 19C CLIENT, BE SURE TO REMOVE PERL PATCH 34830313 FOR THE 12C CLIENT.

The upgrade for the Database Client to 19c is only supported on Red Hat / Oracle Linux version 7.4 and higher. Customers on earlier versions are expected to upgrade the OS before running this installer.

Note: After installing the January 2023 OID stack patch bundle, if you have upgraded Oracle Database Client 12c to 19c, apply the latest patch. For more information refer to the following document for the announcement and further requirements of the Database Client 19c upgrade:
Doc ID 2921245.1 - New Database Client 19c Upgrade for Oracle Fusion Middleware 12.2.1.4 - OID, OHS, OTD

Note: Note: For OID Stand-Standalone, you cannot use the Stack Patch Bundle Process as there is no Weblogic instance install. Please follow the CPU article 2806740.2.

Actions

Overview

The Stack Patch Bundle contains a README.txt file with the steps needed to apply the patches. The following information is provided to assist in planning and understanding the end-to-end patching process.

Initial Preparation:
  1. Create or designate a directory where you will extract the contents of the SPB. The location should be accessible to all IDM hosts and have read, write and execute permissions enabled and since the SPB contains many patches, it's large - so this location should also have plenty of space. The path to this location will be used to build one of the required inputs to the SPB patching commands, .
  2. Create or designate a directory for the logs and reports which will be generated by the patching tool. This location will be a required input to the SPB patching commands, .
  3. Identify the ORACLE_HOME directory for your product. This location is synonymous with the ORACLE_HOME directory which is used in the SPB README.txt file and will also be a required input to the SPB patching commands, .
  4. Download the SPB and extract it to the directory indicated in step 1.

Note: Extract SPB zip file using the 'jar -xvf' command (rather than the unzip command).

Reference:
WLS Of SPB Prerequisite Check "CheckApplicable" Failed. Commons-io-2.6.jar" Is Not Writeable. (Doc ID 2855861.1)

Analysis Phase:
  1. Using the variables identified earlier and the instructions in the SPB README.txt file, run the SPBAT prestop command for your product.
    For example, consider the case where you have a single node Oracle Identity Governance environment with the ORACLE_HOME at /opt/oracle/IAM12c , the SPB has been downloaded and staged in /home/oracle/Downloads and a log directory OIGlogs has been created in the same location.
    In that case, the command to run prestop will be like:
  2. While downtime is running, you'll see some output in the terminal window - which you'll need to keep open until it completes.
    The output includes information about logs which are generated as the patches are applied and details about a command you can run in a different terminal to know the status.
    When downtime completes it will show a message indicating either success or failure.
  3. After the downtime command has completed, follow the "Before Server Startup" instructions for your product as provided in the SPB README.txt file.
    For example, the instructions for OIG are like:
    After applying patches, clear out the contents of any cache/tmp/stage/dc directories which exist in all $DOMAIN_HOME/servers/ locations, prior to restarting.
  4. In case the setup is spread across multiple VMs/Hosts, repeat these steps for each ORACLE_HOME on the respective VMs/Hosts.
Poststart Phase:
  1. Start all of the products related services (including the WebLogic Servers) running on the products hosts and verify that the URLs are accessible.
  2. Using the variables identified earlier and the instructions in the SPB README.txt file, run the SPBAT poststart command for your product.
    For example, using the same OIG environment and details from the earlier phase examples, the command to run poststart will be like:[oracle@machine SPBAT]$ ./spbat.sh -type oig -phase poststart -mw_home /opt/oracle/IAM12c -spb_download_dir /home/oracle/Downloads/IDM_SPB_12.2.1.4.200714 -log_dir /home/oracle/Downloads/OIGlogs
  3. While poststart is running, you'll see some output in the terminal window - which you'll need to keep open until it completes.
    The output includes information about logs which are generated as the command is run and details about an additional command you can run in a different terminal to know the status.
    When poststart completes it will show a message indicating either success or failure.
  4. After the poststart command has completed, follow the "After Server Startup" instructions for your product as provided in the SPB README.txt file.
    For example, the instructions for OIG are like:
    B) After Server Startup
    i. Update $OIM_ORACLE_HOME/server/bin/patch_oim_wls.profile
    For detailed instructions, please refer to the section 'Stage 2: Filling in the patch_oim_wls.profile File' in IDM_SPB_12.2.1.4./etc/OIG_Bundle_Patch_Readme_12.2.1.4.200624.htm .
    ii.Execute $OIM_ORACLE_HOME/server/bin/patch_oim_wls.sh.
  5. As indicated in the OIG readme referenced above, for OIG installs, you'll need to clear out the contents of the tmp directory in each of the OIG managed servers $DOMAIN_HOME/servers/ locations.
  6. In case the setup is spread across multiple VMs/Hosts, repeat these steps for each ORACLE_HOME on the respective VMs/Hosts.
  7. Complete Validation - Once the SPB patching activity is complete, restart and verify the environment and URLs.

Contacts

To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.

Oracle offers a comprehensive and fully integrated stack of cloud applications and platform services. For more information about Oracle (NYSE:ORCL), visit oracle.com. � Oracle | Contact and Chat | Support | Communities | Connect with us | | | | Legal Notices | Terms of Use