
Best practice for upgrading or migrating Tivoli Federated Identity Manager

Question & Answer


Question

What is the best practice for upgrading or migrating to a new machine for TFIM?

Answer

The best practice is to use a two-system method. This procedure is written for the use case where the Point of Contact is WebSEAL. It is written to ensure that any customizations made to TFIM, such as STS modules, pages, and the hostnames used to access the machine, continue to work. In a normal production environment, TFIM is installed only on the deployment manager and is pushed to the nodes later as part of the domain creation and runtime configuration.

  1. The first step is to back up the configuration of your existing environment. This will be used to restore the configuration in the new server.
    1. Select Tivoli Federated Identity Manager -> Domain Management -> Import and Export Configuration.
    2. Select the appropriate domain.
    3. Click Export Configuration.
    4. When prompted, specify the location where you want to save the exported configuration JAR file. Make a note of this file's location.
    5. Click OK.
  2. On the new server, install a new copy of WebSphere. You can use this opportunity to move to a currently supported WebSphere version.
    1. Create the desired server profiles and apply the recommended WebSphere FixPack level. For the current WebSphere FixPack level, see the following:
      Recommended fixes for WebSphere Application Server
    2. If you are using IHS, you may install it now as well.
  3. Restart the Dmgr and do not log into ISC before attempting a TFIM product install.
  4. On the new server, install TFIM. When you are given the option to use an existing version of WebSphere Application Server, select Yes for both the management service and the console. If you are using a cluster, enter the information for the new Dmgr; if you are using a stand-alone WebSphere profile, provide the values you set in that profile.
  5. Download the latest WebSphere Update Installer version 7.0.0.x, 32-bit (issues have been reported with 7.0.0.31). As of April 2016 we recommend WAS UI 7.0.0.29 if you have not applied POODLE fixes to WebSphere, and 7.0.0.41 if you have applied POODLE fixes and WebSphere is using only the TLS protocol. To avoid some WebSphere authorization issues, we recommend that you temporarily disable global security on the Dmgr. Please note that even if you are using WebSphere 8.0 or higher, you still need to use the WebSphere 7 Update Installer to apply TFIM FixPacks. This does not cause a problem with the IBM Installation Manager used to install WebSphere 8.0 and above; IBM Installation Manager continues to be used to apply WebSphere FixPacks for 8.0 and above. The UI 7 is only for TFIM patches.
  6. Optionally, you may choose to create the TFIM domain now or after applying the FixPack.
  7. If you logged in to ISC after installing TFIM (and in general before applying any TFIM FixPack), restart the Dmgr and install the FixPack before anyone logs in to ISC again. This is needed before you attempt the FixPack install to avoid locked files.
  8. If WAS is not running as the same account you are using to run the Update Installer ensure that groups are set correctly to allow access. In any case, ensure the umask is set to at least 022.
  9. Apply the latest TFIM FixPack from FixCentral
    Quick link to TFIM FixPacks on FixCentral
    NOTE: If a domain is not created before the Tivoli Federated Identity Manager fix pack is applied, the fix pack installation completes with a "Partially Successful" message. You can safely ignore this error. If you get any other errors, do not close the Update Installer with Ctrl-C; use the Finish buttons so that the Update Installer can finish and clean up.
  10. Create and deploy a domain.
    1. Log on to the WebSphere Application Server administrative console.
    2. Select Tivoli Federated Identity Manager > Domains.
    3. Click Create to create a domain. The Domain creation wizard prompts you for domain information.
    4. Verify that the Tivoli Access Manager domain properties that you entered are correct.
    5. In the Create Domain Complete panel, select the Make this domain the active management domain check box to make the domain active.
    6. Select Tivoli Federated Identity Manager > Domain Management > Runtime Node Management.
      Note: If the following error shows, you can ignore it and continue with the next step:
      FBTCON166E: An error was encountered while retrieving environmental settings. Check the environmental settings and try again.
    7. Click Deploy Runtime.
    8. Select each runtime in the table.
    9. Click Configure.
  11. Copy any existing custom plugins you have written into the new server's <TFIM install dir>/plugins directory (for example /opt/IBM/FIM/plugins), migrating them if needed.
    If you are migrating from TFIM 6.1.1, you will need to update any plugins before you can use them in newer versions of TFIM. See the following for more detail:
    Developing a custom Java module
  12. Copy any changed pages from the old machine to the new machine's <TFIM install dir>/pages directory.
  13. From the WebSphere Application Server administrative console, select Tivoli Federated Identity Manager > Domain Management > Runtime Node Management.
  14. Click both the Publish Plug-ins and Publish Pages buttons; you can dismiss the message about loading the configuration for the moment.
  15. Import the configuration that you exported from the old machine:
    1. From the WebSphere Application Server administrative console, select Tivoli Federated Identity Manager > Domain Management > Import and Export Configuration > Import Configuration to import the configuration archive.
    2. Select the domain into which you want to import the configuration archive.
    3. Click the Browse button under Configuration Archive and select the JAR file you exported in step 1.
    4. Click Import Configuration.
  16. Review your configuration to ensure that the importing process completed successfully.
  17. From the WAS console, go to the System administration section in the left navigation, click Nodes, select the nodes, and click Full Resynchronize. Give this a few moments to complete.
  18. Go back to Runtime Node Management and click the "Load configuration changes to Tivoli Federated Identity Manager runtime" button if it is present from the previous steps. If you dismissed this dialog in step 13, you can click the Reload Configurations button instead; both buttons perform the same function.
  19. Then there are additional steps that may need to be done if upgrading such as the following:
    If you are using the alias service, you MUST migrate the aliases to the new 6.2.2 format. This updates the live data in LDAP, but both versions of TFIM will be able to use it:
    Upgrading LDAP aliases for FIM 6.2.2
  20. After you have done that, you may optionally convert the aliases to the longer form. This step is not required, but it is recommended:
    Migrating SAML 2.0 alias service entries
  21. If you are calling Java modules in your XSL rules:
    Making Java calls made from XSL work after upgrading
  22. Update your database schema if needed for RBA and OTP.
  23. You may now test the new environment by pointing WebSEAL to the new server. No changes are required in the TFIM configuration, because the URL that the client accesses goes through WebSEAL.
  24. When you are satisfied that the new environment is working as expected you may proceed to uninstall the previous version of Tivoli Federated Identity Manager.
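The file-system side of the procedure above (the umask check in step 8, the exported JAR from step 1, and the plugin and page copies in steps 11 and 12) is the part most easily scripted and most easily got wrong when the Update Installer and WAS run under different accounts. The script below is an added example, not code from the IBM page or from the TFIM product. It assumes the install directory layout <TFIM install dir>/plugins and <TFIM install dir>/pages named above, reads "umask at least 022" as "no more restrictive than 022" (group and others keep read and execute), and checks the exported archive only for the ZIP signature that every JAR carries. The directory tree and file contents it builds are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the IBM page): stages the file-system side of the
# two-system TFIM migration. Checks the umask from step 8, verifies the
# exported configuration JAR from step 1, and copies custom plugins and
# pages into the new install for steps 11 and 12. All paths and file
# contents are constructed placeholders.
set -eu

# Step 8: returns 0 when the umask leaves group/other read and execute bits
# untouched, so a WAS process under another account can still read what the
# Update Installer writes. 022 passes; 027 and 077 do not. Reading "at least
# 022" as "no more restrictive than 022" is this example's assumption.
umask_allows_access() {
    [ $(( 0$1 & 0055 )) -eq 0 ]
}

# Step 1 sanity check: the exported archive must exist, be readable, be
# non-empty and start with the ZIP signature ("PK") that every JAR carries.
config_jar_ok() {
    f=$1
    [ -f "$f" ] && [ -r "$f" ] && [ -s "$f" ] || return 1
    sig=$(dd if="$f" bs=2 count=1 2>/dev/null)
    [ "$sig" = "PK" ]
}

# Steps 11 and 12: copy plugins and pages into <TFIM install dir>, keeping
# modes and timestamps so nothing silently changes ownership or visibility.
stage_custom_files() {
    old_plugins=$1; old_pages=$2; new_fim=$3
    mkdir -p "$new_fim/plugins" "$new_fim/pages"
    cp -pR "$old_plugins"/. "$new_fim/plugins/"
    cp -pR "$old_pages"/. "$new_fim/pages/"
}

# Counts staged files lacking group/other read, or directories lacking
# group/other read+execute. Anything counted here would be invisible to WAS
# if it runs as a different user from the one doing the copy.
unreadable_count() {
    find "$1/plugins" "$1/pages" \
        \( -type f ! -perm -044 \) -o \( -type d ! -perm -055 \) \
        | wc -l | tr -d ' '
}

# ---- constructed demo tree: placeholder content, not real TFIM files ----
umask 022
DEMO=$(mktemp -d)
OLD=$DEMO/old/opt/IBM/FIM      # stands in for the old server's install dir
NEW=$DEMO/new/opt/IBM/FIM      # stands in for the new server's install dir
mkdir -p "$OLD/plugins/com.example.sts" "$OLD/pages/C/saml20"
echo 'placeholder custom STS module' > "$OLD/plugins/com.example.sts/module.jar"
echo '<html>customised page</html>'   > "$OLD/pages/C/saml20/consent.html"
printf 'PK\003\004placeholder-export' > "$DEMO/tfim-export.jar"

if umask_allows_access "$(umask)"; then
    echo "umask $(umask): ok"
else
    echo "umask $(umask): too restrictive for a WAS account that differs from yours"
fi
config_jar_ok "$DEMO/tfim-export.jar" && echo "export archive looks valid"
stage_custom_files "$OLD/plugins" "$OLD/pages" "$NEW"
echo "staged items not readable by other accounts: $(unreadable_count "$NEW")"
```

Run it as the account that will run the Update Installer; a non-zero count from the last line means the WAS account will not see the staged plugins or pages, which is exactly the locked-file and access problem steps 7 and 8 warn about. Replace the demo tree with the real old and new <TFIM install dir> paths before use.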


Document Information

Modified date:
16 June 2018

UID

swg21664767