This chapter describes the Universal Risk Snapshot feature, which is new in Oracle Adaptive Access Manager 11g.
This section introduces you to the concept of snapshots and how they are used in Oracle Adaptive Access Manager.
Using Universal Risk Snap shot, system snapshots can be created allowing security administrators to simply and easily migrate security data across environments or restore security configuration to a known state.
A snapshot is a backup of the current system configuration. In the event of an error on the original system, you can restore the system to a pre-defined point.
Universal Risk Snapshot only handle configuration data (metadata). It does not handle runtime data, such as sessions, transaction data, cases, rule logs, action logs, and others.
Universal Risk Snapshot enables System Administrators to store and manage a system image. They can:
Back up the system configuration for safety, security, or versioning purposes
Replicate the system configuration for use with other servers--for example, from test to production environment, for production troubleshooting, and others.
Restore the system configuration from a pre-defined point
When the snapshot is created, the OAAM Server metadata is copied from the database.
A snapshot can be restored from a file or from the database depending on where it was stored.
For snapshots, the metadata is stored with the following items:
| Artifact | Comments | Additional clarifications | 
|---|---|---|
| Policy Sets | Policy Set overrides | |
| Policies | All Policies | Trigger combinations are included | 
| Rule Instances | All rule instances | |
| Conditions | All rule conditions | |
| Groups | Group Definitions for all groups whether linked or not | Group Members for alerts and actions only will be exported | 
| Patterns | All patterns | |
| Transaction Definitions | All transaction definitions | |
| Entities | All entities whether linked or not | |
| Properties | Only the ones in the database | |
| Enums | Only the ones in the database | |
| Configurable Actions | ||
| Challenge Questions | Includes validations, categories, and configurations (Answer Logic and others) | 
A backup saves all the existing configurations (both active and inactive items) including all group definitions. Only Action and Alert group members are included in the backup. Other group members can be exported using the group user interface if needed.
You can choose to create a backup snapshot in the database or to a local file system or both.
You can restore the new system configuration from a file or database.
Restore replaces the current system configuration with the restored configuration and also deletes and disables the additional configurations in the existing system.
Note:
The exception is when a group definition is imported into the system. The restore does not delete the additional group members that are already available.
When you create a snapshot, all the configurations for functional areas are selected, both active and disabled. For example, if you have ten policies within your policy set, and five of them are active and five of them are disabled, all policies, their configuration, and their status information are included when the snapshot is created.
Snapshots do not include the members of any groups with the exception of actions and alerts. However the groups themselves are included in the snapshot. To back up group members, the export groups function must be used separate from snapshot. These group members must be imported using the Group user interface if needed
Though configurable action definitions are included on restore, you must ensure that the necessary java classes are manually copied into the required folders.
The status of the items are preserved on backup and restore. For example. disabled items should remain disabled on backup and restore.
You cannot selectively select individual items to include in a snapshot or perform selective restoration. If you only want to include certain configurations in your snapshot, you can export them from their module (separate user interfaces), and import them back and then create the snapshot.
The metadata existing in the system is deactivated. Data cannot be deleted (policies or patterns) because it would violate database constraints. Therefore, all the active artifacts are set to an "inactive" or a "deleted" state as appropriate.
Afterward, the artifacts being imported are inserted into the current database.
During this insert process, if there are artifacts in the old system and also in the incoming snapshot, the artifacts are re-stored as they appear in the incoming snapshot.
Groups in the incoming snapshot do not contain members. If the same group exists (by name) in the existing system, after the system restore, the restored group contains members.
To go to the System Snapshot Search page, perform the following steps:
Log in to OAAM Admin as a system administration.
In the Navigation tree, select System Snapshots under Environment.
Alternative methods to open search pages are listed in Section 3.9, "Search, Create, and Import."
On the System Snapshot Search page, you can perform the following tasks:
Search for a snapshot
Restore a snapshot from the database
Restore a snapshot from a file
Back up the current system to a file or database
Delete selected snapshots from the database
In the System Snapshots Search page, you search for a snapshot by specifying criteria in the Search filter.
When the System Snapshot Search page first appears, the Search Results table shows a list of snapshots in the Oracle Adaptive Access Manager environment.
To search for snapshots:
In the Navigation tree, open System Snapshots under Environment.
The System Snapshots Search page is displayed.
Specify criteria in the Search Filter to locate the snapshot and click Search.
Searches are not case sensitive
Searches can return results if you enter part of the name in the search.
Searches trim the spaces entered.
Clicking Reset instead of Search will reset the search criteria.
The search result is shown based on the entered search criteria.
Table 16-1 System Search Filter Criteria
| Filter and fields | Description | 
|---|---|
| Snapshot Name | Name of the snapshot. For a snapshot from a database, it is the name provided by the user; for file based backups, it is the file name. The snapshot with the specified name is displayed in the Results Table. | 
| Notes | Notes describing why the snapshot was created. All backup names with the specified Notes keyword is displayed in the Results Table. | 
| Backup date | Date at which the backup was taken. To locates a backup taken within a given create date range, enter the start and end dates you want for the range. All backup names that were backed up during the specified date range is displayed. | 
To view details for a snapshot:
In the Navigation tree, select System Snapshots under Environment.
The System Snapshots Search page is displayed.
Specify criteria in the Search Filter to locate the snapshot and click Search.
Clicking Reset instead of Search will reset the search criteria.
Click the snapshot name in the Results table, the Snapshot Details page for the specific snapshot is displayed.
The backup name, notes, system user, client IP, server IP, and server name for the backup is displayed in the Summary tab.
The Snapshot Preview tab displays the configuration details for the following
Answer Hint
Question Category
Conditions
Validations
Questions
Groups
Policies
Entity Definition
Scheduler Task Group
Pattern
In the Navigation tree, open System Snapshots under Environment.
The System Snapshots Search page is displayed.
Click the Backup button on the right upper corner of the page or Back up from the Actions menu.
The Backup Current System page is displayed.From this page, you can choose an option and provide the necessary information.
The current system can be backed up to the system database or to a file or to both.
Select Backup type.
Database
Database and File
File
To back up the current system to the system database:
From the Backup Current System page, select Database for the Backup Type.
Enter a name for the backup.
Enter notes for the backup.
Click Back Up.
A dialog appears with a message that the current system has been successfully stored in the database.
Click OK.
The system snapshot is created in the database.
To back up the current system in a database and file:
From the Backup Current System page, select Database and File for the Backup Type.
Enter a name for the backup.
Enter notes for the backup.
Enter a file name for the ZIP file.
Click Back Up.
A dialog appears with a message that the current system has been successfully stored in the database.
Click OK.
The system snapshot is created in the database and file.
Verify that the snapshot is saved in database and file
Search by the snapshot name in the System Snapshots Search page.
If backup is saved in the database, the snapshot name is listed in the results table.
To back up the current system to a file:
From the Backup Current System page, select File for the Backup Type.
Enter a name for the backup.
Enter notes for the backup.
Enter a file name for the ZIP file.
Click Back Up.
A dialog appears with a message that the current system has been successfully stored in the database.
Click OK.
The system snapshot is created in the file.
You can restore a system configuration from a snapshot of the same system or another system. You cannot choose to restore only a subset of the snapshot.
Restoring a snapshot replaces the system configuration completely.
If an error occurs during an operation, you can restore the system to a snapshot that predates the error.
To perform the restore operation:
Open System Snapshot under Environment in the Navigation tree.
The System Snapshots Search page is displayed.
Click Search to populate the Results tab or search for the snapshot you want to use to restore the system.
Select a snapshot from the Results table.
Click Restore or select Restore from the Actions menu.
A Back Up Current Configuration dialog appears, which offer you the option to back up the current system before replacing it. You can press Back up, Skip, or Cancel.
Enter a name for the backup.
Enter notes for the backup.
If you press Back up and the backup is successful, a message appears with a message that the current system was successfully stored in the database.
Click Restore.
A summary displays a list of items being imported and the status of the operation.
Click OK.
An error message appears if the file was in the wrong format.
To load a snapshot into the system database:
Open System Snapshot under Environment in the Navigation tree.
The System Snapshots Search page is displayed.
Click the Load from File button.
A Load and Restore Snapshot dialog appears for you to enter the name and notes for the current system configuration you are backing up in the database.
Enter the name and notes for the current system configuration and click Continue.
The Load and Restore Snapshot dialog appears with a message that the current system has been successfully stored in the database.
Click OK.
The Load and Restore Snapshot page appears for you to choose a snapshot to load.
Browse for a snapshot, and click the Load button to load the snapshot into the system database.
If you press Load, the loaded snaphot is restored and becomes the current snapshot. If you select this option, you cannot preview the snapshot before restoring it.
Click OK.
Click Restore.
Snapshot restore considerations are described in this section.
Snapshot ZIP files will have the server version from which it was taken. When re-storing if the version is determined to be in-compatible then the snapshot restore fails.
If the snapshot is restored in a system that is running, the effect is applicable in about 30 seconds when all the database artifacts are reloaded.
When the snapshot is restored in a system running with multiple servers connected to the same database, the snapshot is effective in approximately 20 seconds when servers reload their database artifacts.
All the servers are running on the same version of Oracle Adaptive Access Manager.
The snapshot restore is checked by the server in which the restore was performed. If a server in a cluster is not compatible with the snapshot being restored, the server does not function since it is trying to read information from a database that it does not understand. The database schema might be compatible, but servers could differ in interpretation of features/ column value.
To import a snapshot for use in the system, follow the instructions in Section 16.6.2, "Loading and Restoring a Snapshot."
To delete snapshots:
In the Navigation tree, select System Snapshots under Environment.
Click Search to view a list of snapshots in the system.
Select the snapshot to delete and click the Delete icon or Delete Selected from the Action menu.
A Confirm Dialog appears with the message, "Are you sure you want to delete the selected Snapshot?"
Click Delete.
A confirmation dialog appears with the message, "Selected Snapshots are deleted successfully."
Click OK.
The following limitations apply to snapshots:
Data that is not stored or restored is listed as:
Runtime data (examples: user-node logs, session and transaction logs, fingerprints, pattern collected data, generated alerts data, rule / policy logs data)
Geolocation data.
User action logs as related to server API logs
The command-line utility is not available for this feature
All the logs related to snapshot creation and restoration are contained in the server log.
This section describes example use cases for using snapshots.
Jeff a Security Administrator must migrate the policy changes and all dependent items from the test environment to the production environment.
Jeff goes into OAAM Admin in the test environment and exports the policy set
As part of the export process the policies, rules, conditions, linked patterns, linked groups (alert and action groups have members included by default. Other group types do not include member unless specified), enumerations used in policies, transactions and entities used in the policies and configurable actions used in the policies are all selected for export to a file.
On import into the production environment a warning message alerts Jeff to the files that will be overwritten.
A snapshot is a record of how the rules and policies were configured; it contains the session information.
The user creates a snapshot so that historical data can be viewed later and research conducted using an offline system.
A timestamp is put on the snapshot.
Later, the user restores the older snapshot to perform fraud analysis.
The user runs rules and policies to find out how the system acted at that time in the past.
The user has multiple snapshots saved from different points in time and re-uses them in an offline system for performing research.
A snapshot is a copy of the system configuration and contains the configuration for policies, rules, groups, and other elements in the system.
The user makes modifications to the policy set in the production system.
The user realizes that the changes were not the ones wanted.
The user restores the snapshot, replacing the entire system all together.
The user is working on several snapshots offline, testing the rules and ensuring that the policies work as expected. He has finished work on SnapshotID 1 and SnapshotID 3, and he is now working on another configuration. Out of all the snapshots he has worked on, he wants to restore SnapshotID 3. He identifies SnapshotID 3 by Snapshot ID and restores it in the production system.
This section outlines some best practices for using snapshots.
Before you perform a restore in a production system, you should be aware that you are about to replace the entire system configuration in the production system. Create a snapshot of the current policy set before the actual restore since you do not want to lose the current configuration if the restore fails or if there are any other issues that you did not anticipate. After you have restored the snapshot, there is no way for you to perform an undo. When you have a backup available, you can restore that configuration into your system immediately if the restore fails.
Only when a snapshot is successfully created, should you restore the snapshot from an offline system to the online system.
When the configurable actions are included with a snapshot. You should copy the Java classes to the specified directory after the snapshot creation so that the configurable actions are not broken when they are brought back into a system.