Skip to Content

SAP IDM 8.0 upgrade through side box approach Introduction:

The purpose of this blog is to share the info on a SAP IDM 8.0 upgrade from 7.2, in a DB2 environment. It also includes troubleshooting tips which may be useful for a successful IDM upgrade preparation. Most of the steps may be valid for IDM instances which are running on other DB environments too.

A SAP IDM upgrade can be done on the same box which is the traditional way by running the upgrade script. – But the side car approach is different: we need to build the IDM on new hardware again and run the upgrade.

The approach we followed is different to a typical sidecar where we need to install IDM 8.0 and perform all the required imports: – Identity store / repository / folders and jobs as required. Due to a huge data / repository we have taken a special approach where we build IDM 7.2 with the same identity store so that the same schema will be available and refresh the newly build IDM with existing IDM and run the 8.0 upgrade on top of that.

A typical audience of this blog will be basis administrators, database administrators or IDM administrators and IDM functional teams.

I am writing this blog to help and share my IDM experience to upgrade from SAP IDM 7.2 to 8.0 and to place all things at one place instead of searching the forums which may help many admins for  their IDM upgrade preparation and save their valuable time in completing the upgrades.

 

Requirement:

1) To have a new IDM 8.0 as a side box without touching the existing running IDM 7.2 SP10

2) Data needs to be retained from 7.2 to 8.0


Planning:

1) Build new IDM 8.0 and new NW 7.5 on the new hardware

 

Approach:

1) Build NW 7.5 SP8 using SWPM and SUM

2) Install IDM 7.2 SP10 with same Identity center DB name in the new landscape

3) Refresh the new landscape with the old 7.2 IDM [We will have all data/repository/jobs from the old IDM 7.2]

4) Run the IDM 8.0 upgrade script and complete the IDM upgrade

 

Steps:

1) Have sudo user access for DB2SID [DB2 DB] – This is needed for running the install and upgrade scripts

2) Change the include.sql file – Check the port where IDM DB2 SID for IDM is installed and provide that; also check the prefix and provide same as OLD IDM 7.2 from where refresh getting done

3) Install IDM 7.2 SP10 and after that request a refresh from the OLD 7.2 SP10 on the same DB; make sure that the same DB name is given as the same existing DB name where the refresh will be requested from.

4) run the upgrade script from IDM 8.0 DB2 software and update include.sql before run, it must be the same as step#2 and 4.a must be done before running the upgrade script

a) Define: devloperadmin user in CL-enable.sql

b) Define: namespace in CL-enable.sql

5) Download the Eclipse developer studio “Neon” Version Java EE; and install it.

6) Update JAVA_HOME and path variables in the local admin workstations; if CACERTS permissions are needed to change modify to have full control

7) From NWA enable the 50001 port and delete the existing SSL certificate and recreate them and download them from certificate and keys -> ICM..50001 of each server node and select the SSL-Credentials and export with PCKS#8 key pair, this will export P8 and CERT files.

8) Do the Step #7 for each active ICM node and download them to JAVA_HOME\lib\security folder

9) Run keytool -import -alias -file -keystore cacerts for all the .cert files downloaded from Step# 7

10) Create Developer studio Data source in NWA [Data source name is not case sensitive]

11) Make a connection from Developer studio to NWA using the certificate CN name as application hostname, port as 50001 [HTTPS] . The name must match exactly with step # 10 Data source name

12) Check the ROOT and refresh and select DB name and provide login info of the developer

13) Update the IDM components in NWA – IDMIC,REST,developer studio service[IDMCLMRESTAPI] and UI5 with latest patches

14) Update runtime with latest patches

15) Dispatcher utility can be accessed from idm/identitycenter – dispatcherutil.sh gui
& create dispatchers using new option.

  • create JDBC connection and also complete the runtime connection info [prefix_rt user password must be valid other wise dispatchers will not start]
  • check the service-scripts and update Java home in dispatcher file
  • start the dispatchers from the utility tool

16) Make ln-s ln-s KEY Key [Linux/unix] – this is bug fix for dispatcher util key not found error

17) copy the keys.ini from the old 7.2 install and upload it into the new IDM 8.0

18) Create IDM datasource – IDM_DataSource and alias need to be created [IDM_DataSource case sensitive same name must be given when creating datasource for IDM]

19) update JMX properties

 

Results:

From the Eclipse developer studio we can view all old IDM data/repository/Identity stores

From IDM UI /idm and idm/admin must be accessible

Dispatchers will be in running status

 

Troubleshooting Tips:

1) SWPM IDM install only works for fresh 8.0 installs, any IDM 7.2 installed manually will not get identified in SWPM.

2) Before running a manual mxmx-update.sh in 8.0, define the devloperadmin and namespace, refer to step 4.a

3) Make sure IDM DB -like Prefix_DB which is maintained in old system is the same in the new system as well

4) IDM Data source must be “IDM_DataSource” [case sensitive], otherwise /idm and idm/admin URL’s will not work ” error messages service down /access denied ”

5) Check the ID/Name in developer studio and change it in JMX properties

6) Idm apps will not start automatically after any restarts of application servers, restart them manually, fix can be done in configtool by changing lazy start properties

7) Always patch all IDM components, both design and runtime after base install of SP5

8) Dispatcher utility is not starting and showing error “class not found”: Patch update will fix this issue

9) Dispatcher utility keys.ini not found error: check step # 16

10) Dispatcher is not getting started: check the script files and check does Java home is not commented and pointing to …./sapjvm folder

11) Developer studio not connecting to NWA:

a) check the CN name provided in NWA-SSL is same as hostname provided in connection

b) check certificates are updated to cacerts using keytool

c) do not use hostname as localhost in developer studio connections

d) keytool needs jvm to be set in PATH and JAVA_HOME to set in system variables of local workstations

 

References:

1) SAP_IDM_-Install&UpgradeGuide_8.0 –https://help.sap.com/viewer/d77277f42c0b469db8794645abd954ea/8.0/en-US

2) SAP 8.0 wiki : https://wiki.scn.sap.com/wiki/display/Security/SAP+Identity+Management+8.0+Documentation

3) Common login issues for Identity Management Developer Studio-https://launchpad.support.sap.com/#/notes/2419836

4) Dispatcher utility –

https://launchpad.support.sap.com/#/notes/2523033 [keys not found fix]

5) SAP help portal IDM  8.0- https://help.sap.com/viewer/product/SAP_IDENTITY_MANAGEMENT/8.0/en-US

 

 

To report this post you need to login first.

2 Comments

You must be Logged on to comment or reply to a post.

  1. Matt Pollicove

    Hi Gadde,

    I think you have a bright future ahead as a blogger, welcome to the community! (although some screenshots would have been nice, but I understand why that’s not always easy)

    It should be pointed out that your configuration is somewhat of an outlier, while more people will use Linux/Unix with 8.0, DB2 is definitely a fringe case. There’s only two companies in North America that use it to the best of my knowledge. This is important as there are some installation points which are DB2 specific and it would be good to highlight them.

    I’d like to see more blogs about installing IDM in a *nix environment.  Just out of curiosity, which distro are you using? I’ve been thinking about doing this after I’m a little more comfortable with 8.0.

    I’d be interested in more information about your troubleshooting step #6.  I know that would be of interest to most of us who follow this topic.

    Really looking forward to reading more from you in the future!

    Cheers,

    Matt

     

    (0) 
  2. Deva Prakash B

    Hi Gadde,

    Pretty Nice blog, can you please let us know how you have transported the data from old idm 7.2 to new idm 7.2 server Is it via any data transfer jobs?

    Regrads,

    Deva

    (0) 

Leave a Reply