21 Installing and Configuring Oracle Advanced Authentication, Oracle Adaptive Risk Management, and Oracle Universal Authenticator
Oracle Advanced Authentication and Risk Management (OAA and OARM) authenticates users by using multi-factor authentication. It integrates with Oracle Access Manager for OAuth authentication.
For details about installing Oracle Access Manager, see Configuring Oracle Access Manager Using WDT. If you have an existing OAM deployment, you can use the same deployment. Unlike the traditional Oracle Identity and Access Management products, Oracle Advanced Authentication is deployed as a series of microservices.
In this release, Oracle uses a standalone container image to install and configure OAA. The container image is started manually in the Kubernetes cluster.
This chapter includes the following topics:
- About Oracle Advanced Authentication
Oracle Advanced Authentication (OAA) is a standalone microservice that supports establishing and asserting the identity of users. - About Oracle Adaptive Risk Management (OARM)
Oracle Adaptive Risk Management (OARM) is an integrated system that aggregates risk data associated with users and user activities, analyzes and evaluates business risks posed by users and their activities, and provides advice to be acted upon to mitigate them. - About Oracle Universal Authenticator (OUA)
Oracle Universal Authenticator allows end users to login to their devices using Oracle Access Management (OAM) credentials which enables end users to access OAM protected applications and other Single-Sign On (SSO) enabled applications via SSO. - Variables Used in this Chapter
The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment. - Characteristics of the OAA Installation
This section lists the key characteristics of the OAA installation that you are about to create. Review these characteristics to understand the purpose and context of the procedures that are used to configure OAA. - Kubernetes Services
If you are using NodePort Services, the Kubernetes services are created as part of the OAA installation. - Before You Begin
Before you begin the installation, you have to ensure that all the required tasks listed in this topic are complete. - Creating Kubernetes Namespaces
The Kubernetes namespaces are used to store the OAA Objects. - Creating a Container Registry Secret
If you are using a container registry and want to pull the Oracle container images on demand, you must create a secret that contains the login details of the container registry. - Creating a Kubernetes Secret for Docker Hub Images
This secret allows Kubernetes to pull an image fromhub.docker.comwhich contains third-party images such ashelm,kubectl, andlogstashcommands. - Creating a GitHub Secret
OAA is dependent on some containers in GitHub. If you want to pull these images directly from GitHub, you should create a secret with your GitHub credentials. - Creating the Management Container
- Copying Production Certificates to the Management Container
- Starting the Management Container
Before starting the Management Container, ensure that you have created the persistent volumes. - Obtaining the OAM Certificate
- Registering OAM TAP Partners
You must register OAM Tap partners that are used to enable OAA and OUA to authenticate with OAM in a more secure manner. - Creating the OAA Property File
The OAA deployment is dependent on the values in a property file. This file is used for creating the database schemas and to deploy OAA itself. The steps to create the file is performed inside the OAA-MGMT pod. - Creating the OAA Override File
The OAA Override file is used to determine the number of each type of container that is started. In a highly available deployment, there should be a minimum of two for each container type. - Creating the Database Schemas
Oracle Advanced Authentication automatically creates the schemas in the database. - Deploying Oracle Advanced Authentication
To deploy the OAuth application, you should perform the steps inside the OAA-MGMT pod. - Resolving Timeouts
Your deployment may fail if it takes longer than the expected time to pull the container images from the container registry. You will see the error in the deployment log. - Configuring Email/SMS Servers and Automatic User Creation
OAA has built-in email/SMS integration. You have to configure OAA to use the Email SMTP client and the SMS client. - Validating OAA
- Configuring Oracle Universal Authentication
This section describes various tasks related to configuring Oracle Universal Authentication.
Parent topic: Configuring the Enterprise Deployment
About Oracle Advanced Authentication
OAA supports integration with Oracle Access Management (OAM) to provide MFA capabilities.
Features of OAA
- Runs as a standalone microservice on a Kubernetes platform and is deployed using Helm charts.
- Supports integration with the following clients to
enable Multi-factor Authentication (MFA):
- Clients that provide web-based user login flows, such as Oracle Access Management (OAM). OAA integrates with OAM through the Trusted Authentication Protocol (TAP).
- Clients that provide API-based user login flows, such as Oracle Radius Agent (ORA). OAA integrates with ORA through REST APIs. This type of integration enables clients to manage its own user flow orchestration.
- Provides
OAAAuthnPluginfor integrating with OAM. The plug-in also enables migration of user data from the identity store on OAM to OAA. - Provides web UI (Administration UI Console) for administrators to create and manage client registrations, assurance levels, and rules. Administrators can also achieve all the administration tasks using the REST APIs.
- Provides web UI (User Preferences UI) for end-users to manage and register their challenge factors. User self-registration and management can also be performed using REST APIs.
- Web UIs are secured by OAM OAuth and OpenID Connect (OIDC).
- Provides the following challenge-factors
out-of-the-box:
- TOTP (Time-based One Time Password) with Oracle Mobile Authenticator (OMA), Google, and Microsoft
- OTP (One Time Password) with E-MAIL and SMS
- Yubikey OTP
- FIDO2
- Knowledge-based Authentication (KBA)
- Push notifications
About Oracle Adaptive Risk Management (OARM)
Oracle Adaptive Risk Management (OARM) is an integrated system that aggregates risk data associated with users and user activities, analyzes and evaluates business risks posed by users and their activities, and provides advice to be acted upon to mitigate them.
The system works best when integrated with Oracle Advanced Authentication (OAA), which executes risk mitigation actions to Block, Challenge, or Allow user activities based on the risk assessment associated with it.
The system can also work in a stand-alone mode where it can be consulted for remedial actions by consuming applications. OARM system is highly extensible owing to its microservices-based architecture, allowing additional capabilities to be added without having to indulge in a costly upgrade process.
Features of OARM
- OARM system revolves around user activities, which are secured using business friendly rules.
- OARM is shipped with an out-of-the-box user authentication activity, which is baked in with a rich set of rules that can readily be used to secure the business. The system also provides the capability to augment the user authentication activity with additional rules, remove rules not applicable to business, or add net new user activities to be monitored. OARM supports seeding data feeds from certified external sources that would also be used in risk analytics. This, combined with OARM's profiling capability, provides the right mix of seed data for running analytics.
- Configuration of rules and managing and monitoring user activities can be achieved with an intuitively designed Administration Console. The Administration Console allows administrators to implement rules applicable to their organization without being concerned with the nuances of the underlying system.
- OARM, in conjunction with OAA, provides a large set of modern, multi-factor challenge methods enabling administrators to choose challenge mechanisms that fit their business requirements. OAA also makes integration of OARM with existing Identity Management systems such as Oracle Access Management Suite (OAM), very easy to achieve.
About Oracle Universal Authenticator (OUA)
Oracle Universal Authenticator allows end users to login to their devices using Oracle Access Management (OAM) credentials which enables end users to access OAM protected applications and other Single-Sign On (SSO) enabled applications via SSO.
Oracle Universal Authenticator addresses both client-side and server-side requirements. This guide only provides information related to aspects of the server-side configuration.
Note:
You must ensure that the April 2024 Stack Patch Bundle is applied to your OAM Installation before installing OUA.Variables Used in this Chapter
The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment.
Variables are formatted as <VARIABLE_NAME>. The following table provides the values you should set for each of these variables.
Table 21-1 The Variables to be Changed
| Variable | Sample Value | Description |
|---|---|---|
|
<REGISTRY_ADDRESS> |
|
The location of the registry. |
|
<REGISTRY_SECRET_NAME> |
|
The name of the Kubernetes secret you created with the stored registry credentials. See Creating a Container Registry Secret. |
|
<REG_USER> |
|
The name of the user you use to log in to the registry. |
|
<REG_PWD> |
<password> |
The registry user password. |
|
<OAA_MGT_REPOSITORY> |
|
The name of the OAA management image file. If you have downloaded and staged a container image,
this value will be: If you use the Oracle container registry, the value
will be
If you use a container registry, the value will be
the name of the registry with the product name:
|
|
<OAAMGT_VER> |
|
The version of the image you want to use. |
|
<OAA_DEPLOYMENT_TYPE> |
|
To deploy only OAA, set to To deploy both OAA and RISK, set to To deploy OAA, RISK, and OUA, set to |
|
<OAA_DEPLOYMENT> |
|
Name used for the deployment. Each pod created will be prefixed by this value. |
|
<PVSERVER> |
|
The name or IP address of the NFS server hosting the persistent volumes. |
|
<OAANS> |
|
The Kubernetes namespace to hold OAA objects. |
|
<WORKDIR> |
|
The location where you want to create the working directory for OAA. |
|
<OAA_CONFIG_SHARE> |
|
The NFS mount location for the OAA configuration persistent volume. |
|
<OAA_CRED_SHARE> |
|
The NFS mount location for the OAA credential persistent volume. |
|
<OAA_LOG_SHARE> |
|
The NFS mount of the OAA logs persistent volume. |
|
<OAA_VAULT_SHARE> |
|
The NFS mount of the OAA vault persistent volume. |
|
<OAA_DB_SID> |
|
The ORACLE_SID of the database instance that you are using. This value is required because the schemas are created by using the Oracle Data Pump Import program (impdp). |
|
<OAA_KEYSTORE_PWD> |
|
The password to be used for OAA keystores. |
|
<OAA_API_PWD> |
|
The password assigned to protect OAA APIs. |
|
<UMS_SERVER_URL> |
|
The URL of the email server. If you are using Oracle Unified Messaging (either standalone or as part of OIG):
|
|
<UMS_ADMIN_USER> |
|
The user name of the SMTP service. For instance, in a Unified Messaging System (UMS) installation, it is the name of the WebLogic administration user. |
|
<UMS_ADMIN_ PASSWORD> |
<password> |
The password of the <UMS ADMIN USER> account. |
|
<SSL_COUNTRY> |
|
Your country code. |
|
<SSL_STATE> |
|
The name of your state or locality. |
|
<SSL_CITY> |
|
The name of your city. |
|
<SSL_ORG> |
|
The name of your organization. |
|
<LDAP_OAMADMIN_USER> |
|
The name of the user who administers OAM. |
|
<LDAP_USER_PWD> |
|
Password to be assigned to all the LDAP user accounts. |
|
<OAA_OAM_TAP_PARTNER> |
|
The name you want to give to the OAA partner application. |
|
<OAA_OUA_TAP_PARTNER> |
|
The name you want to give to the OUA partner application. This is required only if you deploy OUA. |
|
<OAM_LOGIN_LBR_PROTOCOL> |
|
The type of access protocol used for the login load
balancer. In an SSL terminated environment, this value will be
|
|
<OAM_LOGIN_LBR_HOST> |
|
The name of your login load balancer virtual name. |
|
<OAM_LOGIN_LBR_PORT> |
|
The port of the login load balancer virtual name. |
|
<OAA_ADMIN_K8> |
|
The NodePort Service of the OAA administration pod. |
|
<OAMNS> |
oamns |
The domain namespace to be used to store OAM objects. |
|
<OAM_DOMAIN_NAME> |
|
The name of the domain to be created. |
|
<OAM_ADMIN_LBR_HOST> |
|
The virtual host of the OAM administration functions. |
|
<OAM_ADMIN_LBR_PORTT> |
|
The virtual port of the OAM administration functions. |
|
<OIG_DOMAIN_NAME> |
|
The name of the domain to be created. |
|
<ELK_HOST> |
|
The host and port of the centralized Elasticsearch deployment. This host can be inside the Kubernetes cluster or external to it. This host is used only when Elasticsearch is used. |
|
<ELK_VER> |
|
The version of Elasticsearch you want to use. |
|
<LDAP_WLSADMIN_USER> |
|
The WebLogic Administration user defined in LDAP. |
|
<LDAP_WLSADMIN_PWD> |
|
The WebLogic Administration user password defined in LDAP. |
|
<OAM_WEBLOGIC_USER> |
|
The Internal WebLogic Administration user. |
|
<OAM_WEBLOGIC_PWD> |
|
The Internal WebLogic Administration user password. |
|
<OAA_SPUI_URL> |
|
The URL for the OAA Self Service Console. |
|
<OAA_POLICY_URL> |
|
The URL for the OAA Policy REST APIs. |
Characteristics of the OAA Installation
This section lists the key characteristics of the OAA installation that you are about to create. Review these characteristics to understand the purpose and context of the procedures that are used to configure OAA.
Table 21-2 Key Characteristics of the OAA Installation
| Characteristics of OAA | More Information |
|---|---|
|
Each microservice is deployed into a pod in the Kubernetes cluster. |
|
|
Places the OAA components in a dedicated Kubernetes namespace. |
|
|
Uses a vault which can be file-based or OCI-based. |
See Creating a Vault. |
|
Uses the Kubernetes services to interact with microservices. |
|
|
Uses the Kubernetes persistent volumes to hold configuration information. |
See unresolvable-reference.html#GUID-CF07EE44-34D9-4F36-97BE-6B3FBB4FCEA8. |
|
Each Kubernetes pod is built from a pre-built Oracle container image. |
See Identifying and Obtaining Software Distributions for an Enterprise Deployment. |
|
Requires Oracle Access Manager to be installed and configured. |
|
| Installation can be standalone or integrated. |
Kubernetes Services
If you are using NodePort Services, the Kubernetes services are created as part of the OAA installation.
Table 21-3 Kubernetes NodePort Services
| Service Name | Type | Service Port | Mapped Port |
|---|---|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Before You Begin
Before you begin the installation, you have to ensure that all the required tasks listed in this topic are complete.
The following tasks have to complete:
-
Obtain the required Oracle container images staged on each of the Kubernetes worker nodes, or hosted in a container registry to which you have access. For a list of the container images, see Procuring Software for an Enterprise Deployment.
Note:
The instructions in this section relate to the December 2024 release onwards. - Configured Oracle HTTP Server as described in Installing and Configuring Oracle HTTP Server.
- Configured Oracle Unified Directory as describer in Installing and Configuring Oracle Unified Directory.
- Configured Oracle Access Manager as described in Configuring Oracle Access Manager Using WDT.
- Enabled WebGate as described in Configuring Single Sign-On for an Enterprise Deployment.
Note:
If you are adding to an existing deployment, you should revisit the above sections to ensure that you have the entries in place for Oracle Advanced Authentication.Creating Kubernetes Namespaces
The Kubernetes namespaces are used to store the OAA Objects.
kubectl create namespace <OAANS>kubectl create namespace oaansCreating a Container Registry Secret
If you are using a container registry and want to pull the Oracle container images on demand, you must create a secret that contains the login details of the container registry.
This step is not required if you have staged the container images locally. Oracle strongly recommends the use of a container registry.
kubectl create secret -n <OAANS> docker-registry <REGISTRY_SECRET_NAME> --docker-server=<REGISTRY_ADDRESS> --docker-username=<REG_USER> --docker-password=<REG_PWD>kubectl create secret -n oaans docker-registry regcred --docker-server=iad.ocir.io/mytenancy --docker-username=mytenancy/oracleidentitycloudservice/myemail@email.com --docker-password=<password>Note:
You should create a registry secret in the OAA namespace.Creating a Kubernetes Secret for Docker Hub Images
This secret allows Kubernetes to pull an image from
hub.docker.com which contains third-party images such as helm, kubectl, and
logstash commands.
You should have an account on hub.docker.com. If you
want to stage the images in your own repository, you can do so and modify the
helm override file as appropriate.
To create a Kubernetes secret for hub.docker.com, use the following
command:
$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="<DH_USER>" --docker-password="<DH_PWD>" --namespace=<OUDNS>$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="username" --docker-password="<mypassword>" --namespace=oudnsCreating a GitHub Secret
gitcred in your namespace, use
the following
command:kubectl create secret -n oaans docker-registry gitcred --docker-server=ghcr.io --docker-username=mygituser --docker-password="mytoken"You should create this secret in the 'oaa' namespace.
Copying Production Certificates to the Management Container
For production systems, Oracle strongly recommends use of commercial
certificates rather than self-signed certificates for setting up OAA communication.
After obtaining these certificates, you must copy them to the directory
/u01/oracle/scripts/creds inside the management container
common.deployment.keystorepassphrase and
common.deployment.truststorepassphrase.
After copying the certificates ensure that the
installOAA.property values
common.deployment.sslcert and
common.deployment.trustcert point to the location of these
certificates. Set the parameters common.deployment.keystorepassphrase
and common.deployment.truststorepassphrase to the value of the
passphrase that you set when encoding the certifcates. This file is part of the OAA
deployment and will be explained in more detail later in this chapter in Creating the OAA Property File.
Note:
This is the location inside the container.The following section describes how to create and convert a commercial certificate to the p12 format required by OAA.
Create a Certificate Signing Request
There are many way of requesting a certificate. If you are required to create a signing request and submit this to a signing authority then perform the steps in this section.
-
Once you receive the certificate from the CA, rename the file to
oaa.pemand copy it to the$WORKDIR/oaa_ssldirectory.Note:
The certificateoaa.pemneeds to be in PEM format. If not in PEM format convert it to PEM using openssl. For example, to convert from DER format to PEM:openssl x509 -inform der -in oaa.der -out oaa.pem
Perform the following steps to use a third party Certificate Authority (CA) for generating your certificates:
-
On the node where you will run the management container installation, create a directory and navigate to that folder, for example:
mkdir <workdir>/oaa_ssl export WORKDIR=<workdir> cd $WORKDIR/oaa_ssl -
Generate a 4096 bit private key (
oaa.key) for the server certificate:openssl genrsa -out oaa.key 4096 -
Create a Certificate Signing Request (
oaa.csr):openssl req -new -key oaa.key -out oaa.csrWhen prompted enter details to create your Certificate Signing Request (CSR). For example:
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:US State or Province Name (full name) []:California Locality Name (eg, city) [Default City]:Redwood City Organization Name (eg, company) [Default Company Ltd]:Example Company Organizational Unit Name (eg, section) []:Security Common Name (eg, your name or your server's hostname) []:oaa.example.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: -
Send the CSR (
oaa.csr) to the third party CA. -
Copy the Trusted Root CA certificate (
rootca.pem), and any other CA certificates in the chain (rootca1.pem,rootca2.pem, etc) that signed theoaa.pemto the$WORKDIR/oaa_ssldirectory. As per above, the CA certificates must be in PEM format, so convert if necessary.Note:
This may be provided by your certificate authority in the form of an intermediary and root certificate file. For example, digicert provides a file as follows:CombinedSHA-1RootSHA-256Intermediate-<DATE>.txt
-
If your CA has multiple certificates in a chain, create a
bundle.pemthat contains all the CA certificates:cat rootca.pem rootca1.pem rootca2.pem >>bundle.pem -
Create a Trusted Certificate PKCS12 file (
trust.p12) from the files as followsopenssl pkcs12 -export -out trust.p12 -nokeys -in bundle.pemWhen prompted enter and verify the Export Password.
Note:
Administrators should be aware of the following:-
Setting an export password is mandatory.
-
If your CA does not have a certificate chain replace
bundle.pemwithrootca.pem.
-
-
Create a Server Certificate PKCS12 file (
cert.p12) as follows:openssl pkcs12 -export -out cert.p12 -inkey oaa.key -in oaa.pem -chain -CAfile bundle.pemWhen prompted enter and verify the Export Password.
Note:
Administrators should be aware of the following:-
Setting an export password is mandatory.
-
If your CA does not have a certificate chain replace
bundle.pemwithrootca.pem.
-
Starting the Management Container
Before starting the Management Container, ensure that you have created the persistent volumes.
See Creating File Systems and Mount Targets.
To start the Management Container:
Note:
When the examples instruct you to "use the following command from within the OAA-MGMT", it means that you should connect to the running container as described in this section, and then run the commands as specified.- Granting the Management Container Access to the Kubernetes Cluster
The OAA Management Container has built-in commands to interact with the Kubernetes cluster. You must provide the Management Container with details on how to access the Kubernetes cluster. - Creating the Helm Configuration File
The OAA installation procedure is dependent on ahelmconfigfile being present. This file is almost always an empty file.
Granting the Management Container Access to the Kubernetes Cluster
The OAA Management Container has built-in commands to interact with the Kubernetes cluster. You must provide the Management Container with details on how to access the Kubernetes cluster.
To provide access, perform the following steps on any node which has a working
kubectl command:
- Creating a Kubernetes Service Secret
- Creating a Kubernetes Service Account
- Generating the ca.crt Certificate
- Creating a Kubernetes Configuration File for OAA
- Copying Files to the OAA-MGMT Container
- Validating the kubectl Command
Parent topic: Starting the Management Container
Creating a Kubernetes Service Secret
kubectl create -f <WORKDIR>/create_svc_secret.yamlkubectl create -f /workdir/OIRI/create_svc_secret.yaml<WORKDIR>/create_svc_secret.yaml has the following content:apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: oaa-service-account
namespace: <OAANS>
annotations:
kubernetes.io/service-account.name: "oaa-service-account"Creating a Kubernetes Service Account
kubectl apply -f <WORKDIR>/create_svc.yamlFor example:
kubectl apply -f /workdir/OAA/create_svc.yaml<WORKDIR>/create_svc.yaml has the following
content:apiVersion: v1
kind: ServiceAccount
metadata:
name: oaa-service-account
namespace: <OAANS>
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: oaa-ns-role
namespace: <OAANS>
rules:
- apiGroups: ["*"]
resources: ["*","secrets"]
verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oaa-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:persistent-volume-provisioner
subjects:
- namespace: <OAANS>
kind: ServiceAccount
name: oaa-service-account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: oaa-clusteradmin
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- namespace: <OAANS>
kind: ServiceAccount
name: oaa-service-account
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: oaa-rolebinding
namespace: <OAANS>
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: oaa-ns-role
subjects:
- namespace: <OAANS>
kind: ServiceAccount
name: oaa-service-accountGenerating the ca.crt Certificate
Obtain the Kubernetes certificate using the following commands:
OAANS=oaans
WORKDIR=/workdir/OAAFor Kubernetes releases up to 1.23, use the command:
TOKENNAME=`kubectl -n $OAANS get serviceaccount/oaa-service-account -o jsonpath='{.secrets[0].name}'`TOKENNAME=oaa-service-accountTOKEN=`kubectl -n $OAANS get secret $TOKENNAME -o jsonpath='{.data.token}'| base64 --decode`kubectl -n $OAANS get secret $TOKENNAME -o jsonpath='{.data.ca\.crt}'| base64 --decode > $WORKDIR/ca.crtCreating a Kubernetes Configuration File for OAA
Generate a Kubernetes configuration file to instruct OAA on how to interact with
kubectl.
Note:
Ensure that you have set KUBECONFIG to the Kubernetes configuration file before starting.OAANS=oaans
WORKDIR=/workdir/OAA
TOKEN=`kubectl -n $OAANS get secret $TOKENNAME -o jsonpath='{.data.token}'| base64 --decode`
K8URL=`grep server: $KUBECONFIG | sed 's/server://;s/ //g'`kubectl config --kubeconfig=$WORKDIR/oaa_config set-cluster oaa-cluster --server=$K8URL --certificate-authority=$WORKDIR/ca.crt --embed-certs=truekubectl config --kubeconfig=$WORKDIR/oaa_config set-credentials oaa-service-account --token=$TOKENkubectl config --kubeconfig=$WORKDIR/oaa_config set-context oaa --user=oaa-service-account --cluster=oaa-clusterkubectl config --kubeconfig=$WORKDIR/oaa_config use-context oaaThese commands generate a file called oaa_config in the
<WORKDIR> location. This file contains the Kubernetes
cluster details.
Copying Files to the OAA-MGMT Container
ca.crt (see Generating the ca.crt Certificate) and oaa_config (see Creating a Kubernetes Configuration File for OAA) files to the OAA-MGMT Container, using the following
commands:OAANS=oaans
WORKDIR=/workdir/OAAkubectl cp $WORKDIR/ca.crt $OAANS/oaa-mgmt:/u01/oracle/scripts/credskubectl cp $WORKDIR/oaa_config $OAANS/oaa-mgmt:/u01/oracle/scripts/creds/k8sconfigoaa-mgmt, run the following
command:chmod 400 /u01/oracle/scripts/creds/k8sconfigCreating the Helm Configuration File
The OAA installation procedure is dependent on a
helmconfig file being present. This file is almost always an empty
file.
helmconfig file:
Parent topic: Starting the Management Container
Obtaining the OAM Certificate
The OAM server is configured using SSL and this will most likely be terminated at the load balancer, especially if you have followed the instructions in this guide for deploying OAM. See Configuring Oracle Access Manager Using WDT. For OAA to successfully communicate with OAM, it has to trust OAM. To build this trust, you have to add the OAM certificate into the OAA trust store you will create in the next step.
openssl command. The syntax of the command is as
follows:openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM >/workdir/OAA/LOADBALANCER.pemopenssl s_client -connect login.example.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM >/workdir/OAA/login.example.com.pemThe openssl command saves the certificate to a file called
login.example.com.pem in the
/workdir/OAA directory.
Registering OAM TAP Partners
You must register OAM Tap partners that are used to enable OAA and OUA to authenticate with OAM in a more secure manner.
Registering OAA as OAM TAP Partner
Parent topic: Registering OAM TAP Partners
Registering OUA as OAP Tap Partner
Parent topic: Registering OAM TAP Partners
Creating the OAA Property File
The OAA deployment is dependent on the values in a property file. This file is used for creating the database schemas and to deploy OAA itself. The steps to create the file is performed inside the OAA-MGMT pod.
Complete the following steps to create the property file:
Copying the Template File
cp /u01/oracle/installsettings/installOAA.properties /u01/oracle/scripts/settings/installOAA.propertiescp /u01/oracle/installsettings/oaaoverride.yaml /u01/oracle/scripts/settings/oaaoverride.yamlParent topic: Creating the OAA Property File
Updating the Property File
Update the values in the property file as described in this section. If you are modifying a parameter, ensure that the parameter is not put within a comment in the property file.
You should update the
/u01/oracle/scripts/settings/installOAA.properties
file.
- Common Deployment Parameters
- Database Parameters
- LDAP Parameters
- Ingress Parameters
- File Based Vault
- OCI Based Vault
- OUA Parameters
- Generic Parameters
- Sample installOAA.properties File
Parent topic: Creating the OAA Property File
Common Deployment Parameters
Table 21-4 Common Deployment Parameters
| Parameter | Sample Value | Comments |
|---|---|---|
|
|
OAA both OUA |
Types of deployments include:
|
|
|
edg |
The name of the deployment as it will appear in Helm. Note: Do not use |
|
|
oaans |
The name of the namespace you will use to hold your OAA objects. |
|
|
/u01/oracle/scripts/creds/cert.p12 |
The location inside the container where you have placed a commercial SSL certificate. |
|
|
/u01/oracle/scripts/creds/trust.p12 |
The location inside the container where you have placed a commercial SSL certificate authority, this should include any intermediate certificates. |
|
|
- |
The password you used when encrypting the commercial certificates. |
|
|
- |
The password you used when encrypting the trust store. |
|
|
- |
The password you used when encrypting the certificate store. |
|
|
- |
The password you used when you created your server certificate. See unresolvable-reference.html#GUID-7896EB82-A903-4F77-A01A-F94FE178CC9A. |
|
|
- |
The password you used when you created the trust store. See unresolvable-reference.html#GUID-BAD7960F-E90B-4251-A826-2E6FDBF3B5EE. |
|
|
/u01/oracle/scripts/settings/oaaoverride.yaml |
Ensure that this value is not put within a comment. |
|
|
true |
The October release does not seed the database schemas. You must set this value to true in this release. Note: After importing the snapshot, set
this value to |
|
|
/u01/oracle/scripts/oarm-12.2.1.4.1-base-snapshot.zip |
The October release does not seed the database schemas. You must set this value to the location of a snapshot file that exists in the management container. The file mentioned is the default value. If you want to download the latest version from My Oracle Support, see Doc ID 2723908.1. |
|
|
OAADomain |
Use the same value you added in OHS Rewrite Rules. See Step 4 of Configuring Oracle HTTP Server for Oracle Advanced Authentication, Oracle Adaptive Risk Management, and Oracle Universal Authenticator. |
|
|
OAMIDSTORE |
The name of the OAM ID Store. See Creating a Configuration File. |
|
|
- |
The password you want to use for OAM Oauth interactions. |
|
|
http://accessdomain-adminserver.oamns.svc.cluster.local:7001 http://iadadmin.example.com/ |
The URL you use to access the Oracle Access Manager Administration Server. If OAM is inside the Kubernetes cluster, you should use the internal OAM service name otherwise you should use the OAM adminsitration URL. |
|
|
- |
The encoded username and password value of the OAM Administration user (*). |
|
|
https://login.example.com:443/ |
The public entry point into OAM. |
|
|
https://login.example.com:443/ |
The public entry point into OAM. |
|
|
https://login.example.com:443/ |
The main entry point for the OAA application for runtime operations. |
|
|
http://iadadmin.example.com:80 |
The main entry point for the OAA application for administrative operations. |
echo -n <LDAP_OAMADMIN_USER>:<LDAP_USER_PWD> | base64echo -n oamadmin:mypassword | base64Parent topic: Updating the Property File
Database Parameters
Table 21-5 Database Parameters
| Parameter | Sample Value | Comments |
|---|---|---|
|
|
|
Set this value to create the OAA schemas. |
|
|
dbscan.example.com |
Set this value to the database server SCAN address. |
|
|
1521 |
The database listener port. |
|
|
oaaedg.example.com |
The name of the OAA database service. |
|
|
- |
Set this value to the SYS password of the database. Ensure that the parameter is not put within a comment. |
|
|
EDG_OAA |
The database schema prefix to use. |
|
|
EDG_OAA_OAA_TB |
The name of the tablespace to be created. Include the schema prefix to aid manageability. |
|
|
- |
The password to be assigned to the OAA database schema. |
|
|
- |
Ensure that there is no value added to this parameter. |
Parent topic: Updating the Property File
LDAP Parameters
Table 21-6 LDAP Parameters
| Parameter | Sample Value | Comments |
|---|---|---|
|
|
ldap://edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local:1389 |
The host name of your LDAP Server. |
|
|
cn=oudadmin |
The DN of the LDAP Administrator. |
|
|
myLDAPPassword |
The password of the LDAP Administrator. |
|
|
cn=oaaadmin,cn=Users,dc=example,dc=com |
The name of the OAA Administrator Account. |
|
|
myOAAAdminPassword |
Password of the |
|
|
cn=OAA-Admin-Role,cn=Groups,dc=example,dc=com |
The LDAP role used by OAA Administrators. |
|
|
cn=OAA-App-User,cn=Groups,dc=example,dc=com |
The LDAP Role used to identify users who can log in using OAA. |
|
|
yes |
If set to yes, existing LDAP users will automatically be added to the OAA User Group. |
Parent topic: Updating the Property File
Ingress Parameters
If you use an Ingress controller, the installation creates the Ingress services for you. Provide these values to configure OAA for Ingress.
Table 21-7 Ingress Parameters
| Parameter | Value | Description |
|---|---|---|
|
install.global.ingress.enabled |
|
Set this value to true to create the Ingress services. |
|
install.global.ingress.runtime.host |
|
Set this value to the name of the virtual host used for runtime operations. |
|
install.global.ingress.admin.host |
|
Set this value to the name of the virtual host used for administration operations. |
Parent topic: Updating the Property File
File Based Vault
You have two choices for creating a vault for OAA. You can use either a file based vault or an OCI vault. Oracle recommends you to use the OCI vault. However, if yo want to use the file based vault, you have to set the following parameters in the property file:
Table 21-8 Parameters for the File Based Vault
| Parameter | Value | Comments |
|---|---|---|
|
|
oaavault |
The name of the vault. |
|
|
fks |
The type of vault. Fks is a file-based vault. |
|
|
0.0.0.0 |
The name or IP address of the NFS server. |
|
vault.fks.path |
/exports/IAMPVS/oaavaultpv |
The NFS export name of the file system. |
|
vault.fks.key |
- |
The password to be used for accessing the vault. |
Parent topic: Updating the Property File
OCI Based Vault
If you want to use an OCI based vault, you have to set the following parameters in the property file:
Note:
Each of the vault.oci parameters listed in Table 21-9 should be encoded in Base64. To encode in Base64, run the following command:echo -n "value" | base64Table 21-9 Parameters for the OCI Based Vault
| Parameter | Value | Comments |
|---|---|---|
|
vault.deploy.name |
oaavault |
The name of the vault. |
|
vault.provider |
oci |
The type of vault. |
|
vault.oci.uasoperator |
- |
To obtain this value, encode the value of the API key that you downloaded at the time of creating the vault. See Creating a Vault. |
|
vault.oci.tenancyId |
- |
To obtain this value, log in to the OCI console, navigate to Profile and click Tenancy. Use the OCID value encoded as Base64. |
|
vault.oci.userId |
- |
To obtain this value, log in to the OCI console, navigate to Profile and click Username. Use the OCID value encoded as Base64. |
|
vault.oci.compartmentId |
- |
To obtain this value, log in to the OCI console, navigate to Identity and Security and click Compartments. Select the compartment in which you created the vault and use the OCID value encoded as Base64. |
|
vault.oci.fpId |
- |
To obtain this value, log in to the OCI console, navigate to Profiles, select User Settings and then click API Keys. Use the value of the fingerprint for the API Key you created earlier. See Creating a Vault. |
|
vault.oci.vaultId |
- |
To obtain this value, log in to the OCI console, navigate to Identity and Security and select Vault. Click the vault you created earlier. See Creating a Vault. Use the OCID value encoded as Base64. |
|
vault.oci.keyId |
- |
To obtain this value, log in to the OCI console, navigate to Identity and Security, select Vault, and then click the vault you created earlier. See Creating a Vault. Click the key you created earlier. For example, masterkey. Use the OCID value encoded as Base64. |
Parent topic: Updating the Property File
OUA Parameters
You must set the following parameters when you deploy Oracle Universal Authenticator.
Table 21-10 OUA Parameters
| Parameter | Value | Comments |
|---|---|---|
|
|
OAM-OUA-TAP |
The Name of the OUA TAP agent created in Registering OUA as OAP Tap Partner. |
|
|
/u01/oracle/scripts/creds/OAMOUAKeyStore.jks |
The location of the Keystore File inside the OAA Management container. |
|
|
keystorepassword |
The Password for the Keystore File created in Registering OUA as OAP Tap Partner. This password value needs to be bas64 encoded. For example, echo -n keystorepassword | base64. |
|
|
https://login.example.com:443/ |
The public entry point into OAM. |
Parent topic: Updating the Property File
Generic Parameters
Table 21-11 Generic Parameters
| Parameter | Value | Comments |
|---|---|---|
|
|
iad.ocir.io/mytenancy |
The name of the container registry. |
|
|
regcred |
The name of the Kubernetes secret with the container registry credentials. |
|
|
gitcred |
The name of the Kubernetes secret with the GitHub credentials. |
|
|
12.2.1.4.1-20220127 |
The version of OAA you want to install. |
|
|
https://login.example.com:443/oam/server/logout |
The OAM logout URL. |
|
|
myAPIpassword |
The password you want to use for the OAA REST APIs. |
|
|
myAPIpassword |
The password you want to use for the Policy REST APIs. |
|
|
myAPIpassword |
The password you want to use for the Factors REST APIs. |
|
|
myAPIpassword |
The password you want to use for the Risk REST APIs. |
|
|
myAPIpassword |
The password you must use for the DRSS REST APIs. |
|
|
|
The type of Kubernetes service to create. If you are using
ingress, use |
|
|
|
The type of Kubernetes service to create. Use
|
Parent topic: Updating the Property File
Sample installOAA.properties File
##################################### 1. Common Deployment configuration#########################################
#Common configuration options
#If enabled and set to true, helm installation will only display generated values and will not actually perform the installation.
#common.dryrun=true
#Name of the helm deployment. It is unique per kubernetes cluster and namespace. Should be all lowercase.
common.deployment.name=edg
#Override file to override any char values. Must be in yaml format.
common.deployment.overridefile=/u01/oracle/scripts/settings/oaaoverride.yaml
#Kubernetes context if there are multiple contexts available
#common.kube.context=idmoci
#Kubernetes deployment namespace where all the services will be installed.
common.kube.namespace=oaans
#Certificate store used in all the services
common.deployment.sslcert=/u01/oracle/scripts/creds/cert.p12
#Trust store used in all the services
common.deployment.trustcert=/u01/oracle/scripts/creds/trust.p12
#Passphrase for cert.p12 file. If the value for the passphrase is not present in properties below, it will be prompted during installation.
common.deployment.keystorepassphrase=myPassword
#Passphrase for trust.p12 file. If the value for the passphrase is not present in properties below, it will be prompted during installation.
common.deployment.truststorepassphrase=myPassword
#If the flag is enabled then trust certificate in the JRE truststore
common.deployment.importtruststore=true
#The flag to disable the generation of secret in the keystore provided in the property common.deployment.sslcert. Following secret keys are generated and are required for installation to work which can also be pre-seeded in the keystore.
#spui-enckey , aes256_config_key_alias and aes256_db_key_alias
common.deployment.generate.secret=true
#Deployment mode. Possible values are OAA, Risk or Both. Default mode is Both which will install OAA integrated with Risk.
common.deployment.mode=Both
#Base64 encoded config key from the migrating system. If enabled the value will be placed in the vault and used for migration of legacy data
#common.migration.configkey=
#Base64 encoded db key from the migrating system. If enabled the value will be placed in the vault and used for migration of db data.
#common.migration.dbkey=
#If the integation is required with OIM set the following property to true. This also enables the forgot password functionality.
#common.oim.integration=true
#Key for Apple push notification service. Only needed when push factor is enabled.
#common.deployment.push.apnsjksfile=
#Deprecated. By default policy snapshot import is not enabled. Kindly refer document to import it post installation.
common.deployment.import.snapshot=true
##################################### 2. Database configuration#########################################
# Database setting for OAA
#The installation supports the following ways to install and configure the database:
#1. Installing database along with installing services on kubernetes cluster
#2. Installing database outside the installation of services and providing the database configuration below.
#In case of 2, set database.createschema=false
#If set to true schema will be created along with the installation.
database.createschema=true
#Host IP or name where Oracle DB is running. If hostname is provided then it should be resolvable from the container.
database.host=db-scan.example.com
#Database port
database.port=1521
#Database sysdba user required to create the schema. If database.createschema is set to false, the property is not required.
database.sysuser=sys
#Sys password will not be prompted if value is provided for the property database.syspassword. If database.createschema is set to false, the property is not required.
database.syspassword=sysPassword
#Schema name to be created in the database. The value is required.
database.schema=EDG_OAA
#Name of the tablespace. If database.createschema is set to false, the property is not required.
database.tablespace=EDG_OAA_TBS
#Schema password will not be prompted if value is provided for the property database.schemapassword
database.schemapassword=schemaPassword
#Database service name
database.svc=edgoaa.example.com
#Name of the database. In case of OCI database service, the name is present in the OCI console. If name is not present, use value of database.svc property.
database.name=iamdb1
##################################### 3. OAUTH configuration#########################################
#Oauth setting for OAA. Oauth is required for enabling spui , admin and fido.
# If oauth.enabled is set as false, install.spui.enabled , install.oaa-admin-ui.enabled and install.fido.enabled should also be set to false otherwise helm installation
# will fail. Setting the property to true enables OAM Oauth integration during installation of services.
oauth.enabled=true
#Create OAuth Domain in OAM
oauth.createdomain=true
#Create OAuth Resource in OAM
oauth.createresource=true
#Create OAuth client in OAM
oauth.createclient=true
#OAuth domain name used when creating the OAuth domain in OAM
oauth.domainname=OAADomain
#OAuth domain identity provider configured for OAuth in OAM
oauth.identityprovider=OAMIDSTORE
#OAuth client name
oauth.clientname=OAAClient
#Grants for OAuth client created during installation. CLIENT_CREDENTIALS is required for validation to pass.
oauth.clientgrants="PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE","IMPLICIT"
#OAuth Client Type of new OAuth client
oauth.clienttype=PUBLIC_CLIENT
#Client password must conform to regex ^[a-zA-Z0-9.\-\/+=@_ ]*$ with a maximum length of 500
oauth.clientpassword=myPassword
#OAuth resouce name for new OAuth resource
oauth.resourcename=OAAResource
#Default score of OAuth resource
oauth.resourcescope=viewResource
#Post authentication redirecturl is required. Used for validating configuration of OAuth services in OAM by generating a access token.
oauth.redirecturl=https://login.example.com:443
#Application id protected by oauth. The value can be any valid string. It is required to setup runtime integration between OAM and OAA.
oauth.applicationid=edg
#OAM Admin URL where OAuth API are enabled.
oauth.adminurl=http://accessdomain-adminserver.oamns.svc.cluster.local:7001
#Base64 encoded authorization header of OAM Admin server
oauth.basicauthzheader=EncodedOAMPassord
#OAM Managed server providing runtime support for OAuth Services
oauth.identityuri=https://login.example.com:443
##################################### 4. Vault configuration#########################################
#Following vaules are possible for vault.provider : oci , fks
#If oci is the provider the oci related configuration may be required to perform the vault initialization
#Name to be used in vault for this deploymemt. If name is already present in the vault, it will be reused.
vault.deploy.name=oaavault
#Flag to control the vault creation. If vault is initialized outside the installation, it should be set to false.
vault.create.deploy=true
#Provider type of vault. Supported provider types are oci, fks.
vault.provider=fks
#oci vault configuration required for the vault. Check vault documentation on how to obtain value for following properties.
#vault.oci.uasoperator=
#vault.oci.tenancyId=
#vault.oci.userId=
#vault.oci.fpId=
#vault.oci.compartmentId=
#vault.oci.vaultId=
#vault.oci.keyId=
#fks related configuration. Check the documentation on how to obtain value for properties below.
#NFS server ip or resolvable hostname.
vault.fks.server=dbdevfssmnt-shared01.dev2fss1iad.databasede2iad.oraclevcn.com
#Path on NFS server to be mapped to folder in the running containers.
vault.fks.path=/export/IAMPVS/oaavaultpv
#Base64 encoded vault password.
vault.fks.key=TWFuYWdlcjE=
#The value in this property need to be same as the value passed through the helm chart. Do not change it
vault.fks.mountpath=/u01/oracle/service/store/oaa
##################################### 5. Chart configuration#########################################
#Note: Any property that starts with install. will be provided as input to the helm chart using --set parameter.
#Container image repositories where the images can be pulled by the cluster nodes.
install.global.repo=iad.ocir.io/mytenancy
#Kubernetes secret reference to be used while pulling the docker images from the protected docker registries.
install.global.imagePullSecrets\[0\].name=regcred
install.global.imagePullSecrets\[1\].name=gitcred
#Chart Database properties
install.riskdb.service.type=ExternalName
#Image tags to be used
install.global.image.tag=12.2.1.4.1_20220419
#Oauth logout URL
install.global.oauth.logouturl=https://login.example.com:443/oam/server/logout
#Installation api key
#Rest Api key for OAA service.
install.global.uasapikey=myAPIpassword
#Rest Api key for policy service.
install.global.policyapikey=myAPIpassword
#Rest API key for all factor services.
install.global.factorsapikey=myAPIpassword
#Rest API key for risk and risk customer care services.
install.global.riskapikey=myAPIpassword
#Rest API key for DRSS service.
install.global.drssapikey=myAPIpassword
#In case of OCI vault, the following configuration can be overridden if provided for read-only users during helm installation.
#If the value is not provided in the properties below then it will be picked from vault section.
#All the values in the section below is optional.
#install.global.vault.mapId=b2NpZDEudmF1bHRzZWNyZXQub2MxLmlhZC5hbWFhYWFhYWRjeHl1dXFha2xmejVkbW9rcnpkajZva2Rtdmt0bGp2Y2tyZGIyd3B0emt6bHlkbTN1emEK
#install.global.vault.oci.uasoperator=
#install.global.vault.oci.tenancyId=
#install.global.vault.oci.userId=
#install.global.vault.oci.fpId=
##################################### 6. Optional configuration#########################################
##Ingress properties that can be used to enable ingress for services begin deployed.
#Deprecated property. Will be removed in future. Use install.global.ingress.enabled instead.
#install.ingress.enabled=true
#Enable ingress for all services.
install.global.ingress.enabled=true
#Ingress resource hostname. Should be all lowercase. If provided, dedicated hostname will be used to access the deployment. Otherwise can use any hostname or IP Address.
#Following configurations are deprecated. Use install.global.ingress.runtime.host and install.global.ingress.admin.host for specifying runtime and admin host
#install.global.ingress.hosts\[0\].host=oaainstall-host
#install.global.ingress.hosts\[1\].host=oaaadmin-host
#Runtime host used for accessing runtime services including all factors, oaa ,spui and risk.
install.global.ingress.runtime.host=login.example.com
#Admin host used for accessing admin, policy and risk-cc services.
install.global.ingress.admin.host=iadadmin.example.com
##Following properties are picked from database related properties if not present below.
#install.global.dbhost=
#install.global.dbport=
#install.global.dscredentials=
#install.global.dbservicename=
##Following properties are picked from oauth related properties if not present below.
#install.global.oauth.oidcidentityuri=
#install.global.oauth.oidcaudience=
#install.global.oauth.oidcclientid=
#if load balancer/ingress url is present, then configure the url here. All UI service will be behind this load balancer/ingress.
#In case ingress installation is set to true, the appropriate service url will be fetch after ingress installation
# and will be used as service url. If provided, service url from the property below will have higher priority.
install.global.serviceurl=https://login.example.com:443
#Service URL of oaa admin, if different from the service url of global oauth.
install.oaa-admin-ui.serviceurl=http://iadadmin.example.com:80
#If oauth.enabled is set to false, uncomment following properties. Also when deployment mode is Risk spui, fido and oaa-kba services are not required.
#install.spui.enabled=false
#install.fido.enabled=false
#install.oaa-admin-ui.enabled=false
#install.oaa-kba.enabled=false
#Also authentication factor Services are enabled by default. To disable them uncomment the lines below.
#When deployment mode is Risk, the following configurations is not required.
#install.totp.enabled=false
#install.push.enabled=false
#install.sms.enabled=false
#install.yotp.enabled=false
#install.email.enabled=false
#Default service type for services is NodePort. When deployment mode is Risk following service are not deployed :
#OAA, SPUI, All Factors (fido, push, yotp, email ,sms, totp and kba)
#install.service.type=ClusterIP
#install.oaa-admin-ui.service.type=ClusterIP
#install.oaa-policy.service.type=ClusterIP
#install.spui.service.type=ClusterIP
#install.totp.service.type=ClusterIP
#install.fido.service.type=ClusterIP
#install.push.service.type=ClusterIP
#install.email.service.type=ClusterIP
#install.sms.service.type=ClusterIP
#install.yotp.service.type=ClusterIP
#install.risk.service.type=ClusterIP
#install.oaa-kba.service.type=ClusterIP
#install.risk.riskcc.service.type=ClusterIP
#Properties used to install ingress using the ingress chart present in helmcharts folder
##################################### 7. Ingress configuration#########################################
#To install the ingress controller along with the services set the following flag to true.
ingress.install=false
#Kubernetes name space which will be used to install ingress
ingress.namespace=ingress-nginx
#Admissions controller can be installed seperately.
#Ingress admissions name is not present the controller.admissionWebhooks.enabled will be set to false in the nginx ingress chart.
#ingress.admissions.name=ingress-nginx-controller-admission
#Ingress class name that would be used for installation. Must not be existing
ingress.class.name=ingress-nginx-class
ingress.service.type=NodePort
#anything starting with ingress.install can be additionally supplied to set the ingress chart value.
#ingress.install.releaseNameOverride=base
##################################### 8. OAA management configuration#########################################
#NFS volumes
#install.mount.config.path=<NFS_CONFIG_PATH>
#install.mount.config.server=<NFS_CONFIG_SERVER>
#install.mount.creds.path=<NFS_CREDS_PATH>
#install.mount.creds.server=<NFS_CREDS_SERVER>
#install.mount.logs.path=<NFS_LOGS_PATH>
#install.mount.logs.server=<NFS_LOGS_SERVER>
#OAA mgmt chart release name, default can be used for most installations
install.mgmt.release.name=oaamgmt
#Location of kube credentials to use for installation.
#If not provide credentials in $KUBECONFIG or ~/.kube/config will be used
#install.kube.creds=<LOCAL_PATH>/<KUBE_CREDS>
#SSL certificates
#common.local.sslcert=<LOCAL_PATH>/<LOCAL_CERT_FILE>
#common.local.trustcert=<LOCAL_PATH>/<LOCAL_TRUST_FILE>
common.deployment.import.snapshot=true
common.deployment.import.snapshot.file=/u01/oracle/scripts/oarm-12.2.1.4.1-base-snapshot.zip
##################################### 9. OUA Configuration ###################
# OUA properties needed for integration with OAA.
# OUA Agent Name. Has to be the same as the TAP Partner in OAM.
oua.tapAgentName=OAM-OUA-TAP
# OUA Password for the jks file (Base 64 Encoded)
oua.tapAgentFilePass=keystorepassword
# OUA JKS File Location
oua.tapAgentFileLocation=/u01/oracle/scripts/creds/OAMOUAKeyStore.jks
# OUA OAM Runtime Endpoint
oua.oamRuntimeEndpoint=https://login.example.com:443
##################################### 10. LDAP configuration#########################################
ldap.server=ldap://edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local:1389
ldap.username=cn=oudadmin
ldap.password=******
ldap.oaaAdminUser=cn=oaaadmin,cn=Users,dc=edg,dc=com
ldap.adminRole=cn=OAA-Admin-Role,cn=Groups,dc=edg,dc=com
ldap.userRole=cn=OAA-App-User,cn=Groups,dc=edg,dc=com
ldap.oaaAdminUserPwd=******
ldap.addExistingUsers=yesParent topic: Updating the Property File
Creating the OAA Override File
The OAA Override file is used to determine the number of each type of container that is started. In a highly available deployment, there should be a minimum of two for each container type.
To set the number of containers to be started, update the
/u01/oracle/scripts/settings/oaaoverride.yaml file to
increase the replicaCount for each type of container to the
required quantity.
You can use this file to specify the resource requirements. By declaring resource requirements, you ensure that a particular OAA pod is started only on a worker node that has sufficient capacity to service a pod with these resource requirements. You can also use the HorizontalPodAutoscaler resource (see Deploying the Kubernetes HorizontalPodAutoscaler Resource), which allows the number of pods of a given type to scale up and down as demand dictates.
Note:
Add any missing entries that you require.The example below shows resource requirements added for the
oaa and spui containers.
Sample oaaoverride.yaml file:
#override file for ooa installation
#if database is external to the cluster set the flag to ExternalName
riskdb:
service:
type: ExternalName
#replica count of oaa service
replicaCount: 2
#The following properties define the dependency spui service and can be overridden here.
spui:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency totp service and can be overridden here.
totp:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency yotp service and can be overridden here.
yotp:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency fido service and can be overridden here.
fido:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency oaa-admin-ui service and can be overridden here.
oaa-admin-ui:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency email service and can be overridden here.
email:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency push service and can be overridden here.
push:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency sms service and can be overridden here.
sms:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the dependency oaa-policy service and can be overridden here.
oaa-policy:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#The following properties define the defaults of risk and riskcc services.
risk:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
riskcc: //Need to remove
replicaCount: 2
riskcc:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#
#The following properties define the defaults of customfactor service.
customfactor:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#
#The following properties define the defaults of oaa-kba service.
oaa-kba:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2
#
#The following properties define the defaults of oaa-drss service.
oaa-drss:
resources:
requests:
cpu: 200m
memory: "1Gi"
replicaCount: 2Creating the Database Schemas
Oracle Advanced Authentication automatically creates the schemas in the database.
Deploying Oracle Advanced Authentication
To deploy the OAuth application, you should perform the steps inside the OAA-MGMT pod.
Resolving Timeouts
Your deployment may fail if it takes longer than the expected time to pull the container images from the container registry. You will see the error in the deployment log.
NAME: oaainstall
LAST DEPLOYED: Thu Apr 29 20:24:09 2021
NAMESPACE: default
STATUS: deployed
REVISION: 1
Error: timed out waiting for the condition
TEST SUITE: oaainstall-email-sanity-check
Last Started: Thu Apr 29 20:24:12 2021
Last Completed: Thu Apr 29 20:29:12 2021
Phase: Failed
NOTES:
Get the Oracle Advance Authentication(OAA) Service URL by running these commands:
bash -c 'export NODE_PORT=$(kubectl get --namespace default -o jsonpath="{.spec.ports[0].nodePort}" services oaainstall-oaa) && export NODE_IP=$(kubectl get nodes --namespace default -o jsonpath="{.items[0].status.addresses[0].address}") && echo "" && echo https://$NODE_IP:$NODE_PORT/health'
Helm test failed
Fail to install OAA. Please check the log filekubectl get podsThe output appears as follows:
NAME READY STATUS RESTARTS AGE edg-email-66944cd9d8-7vp7g 1/1 Running 0 41m edg-email-66944cd9d8-t8gcc 1/1 Running 0 41m edg-fido-66b969fb6f-9zcnr 1/1 Running 0 41m edg-fido-66b969fb6f-mzj2n 1/1 Running 0 41m edg-oaa-86cd6b4ff6-pxrmm 1/1 Running 0 41m edg-oaa-86cd6b4ff6-svlpk 1/1 Running 0 41m edg-oaa-admin-ui-764c555cf4-6xtzv 1/1 Running 0 41m edg-oaa-admin-ui-764c555cf4-rxs2c 1/1 Running 0 41m edg-oaa-kba-6d6d7bcd59-rwm5q 1/1 Running 0 41m edg-oaa-policy-7cc99c7bc5-8tpzz 1/1 Running 0 41m edg-oaa-policy-7cc99c7bc5-rsvqr 1/1 Running 0 41m edg-push-794c8d89d-6xcjt 1/1 Running 0 41m edg-push-794c8d89d-b9xl4 1/1 Running 0 41m edg-risk-768fddd6b5-6k4p4 1/1 Running 0 41m edg-risk-768fddd6b5-wrcjh 1/1 Running 0 41m edg-risk-cc-77fcd64cb5-7nfft 1/1 Running 0 41m edg-risk-cc-77fcd64cb5-bfzfn 1/1 Running 0 41m edg-sms-7bdbf58d66-kk6qq 1/1 Running 0 41m edg-sms-7bdbf58d66-lp8jj 1/1 Running 0 41m edg-spui-59649cd778-5rbgb 1/1 Running 0 41m edg-spui-59649cd778-nkl8s 1/1 Running 0 41m edg-totp-7dc888b994-m854x 1/1 Running 0 41m edg-totp-7dc888b994-zgfkw 1/1 Running 0 41m edg-yotp-569fbbc7df-27zgm 1/1 Running 0 41m edg-yotp-569fbbc7df-9qsx7 1/1 Running 0 41m oaa-mgmt 1/1 Running 0 45m
/u01/oracle/helmcharts/oaa/values.yaml file, inside the OAA
Management container. The section
are:test: # test.image -- image name that will be used to test sanity of installation. image: shared/oracle/linux:8-slim # test.timeoutsecs time for which sanity tests will run before timing out. timeoutsecs: 480 # test.waitsecs time interval between sanity checks. waitsecs: 50
Configuring Email/SMS Servers and Automatic User Creation
OAA has built-in email/SMS integration. You have to configure OAA to use the Email SMTP client and the SMS client.
You can configure the OAA Email/SMS client using cURL. The
curl command is:
curl --location --insecure --request PUT '<OAM_LOGIN_LBR_PROTOCOL>://<OAM_LOGIN_LBR_HOST>:<OAM_LOGIN_LBR_PORT>/oaa/runtime/config/property/v1' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic <Encoded OAA User>' \
-d '[
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeEmail.umsClientURL",
"value": "<UMS_SERVER_URL>"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeEmail.umsClientName",
"value": "<UMS_ADMIN_USER>"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeEmail.umsClientPass",
"value": "<UMS_ADMIN_PASSWORD>"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientURL",
"value": "<UMS_SERVER_URL>"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientName",
"value": "<UMS_ADMIN_USER>"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientPass",
"value": "<UMS_ADMIN_PASSWORD>"
}
{
"name": "oaa.default.spui.pref.runtime.autoCreateUser",
"value": "true"
}
]'curl --location --insecure --request PUT 'http://login.example.com/oaa/runtime/config/property/v1' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic b2FhLW9hYTphcGlrZXl0b2Jlc2V0ZHVyaW5naW5zdGFsbGF0aW9u' \
-d '[
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeEmail.umsClientURL",
"value": "http://governancedomain-cluster-soa-cluster.oigns.svc.cluster.local:8001/ucs/messaging/webservice
"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeEmail.umsClientName",
"value": "weblogic"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeEmail.umsClientPass",
"value": "password"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientURL",
"value": "http://governancedomain-cluster-soa-cluster.oigns.svc.cluster.local:8001/ucs/messaging/webservice
"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientName",
"value": "weblogic"
},
{
"name": "bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientPass",
"value": "password"
}
]'Validating OAA
This is a simple method of validating the integration of OAM and OAA. Oracle recommends that you roll back all the steps after completing the validation.
The validation procedure comprises the following steps:
- Creating the HTML Test Page
- Creating an Oracle Resource for the Test Page
- Creating a Test User
- Validating the Deployment
- Validating OAA
After deploying OAA, ensure that OAA is working by accessing the OAA Administration Console.
Creating the HTML Test Page
On the OHS Servers located in
the
WEB_DOMAIN_HOME/config/fmwconfig/components/OHS/<instance_name>/htdocs
directory, create a test page called test_page.html with the
following content:
Parent topic: Validating OAA
Creating an Oracle Resource for the Test Page
No restarts are necessary but it can take a short time for the changes to propagate.
Parent topic: Validating OAA
Creating a Test User
Create a test user in Oracle Unified Directory (OUD). Assign this user
to the OAA-APP-User group. The user should also have a valid email
address if you want to receive One Time Pin Codes through email, and a description
if you have configured Oracle Mobile Authenticator.
ldif file to
create a test
user:dn: cn=oaauser,cn=Users,dc=example,dc=com
changetype: add
objectClass: orclUserV2
objectClass: oblixorgperson
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: oblixPersonPwdPolicy
objectClass: orclAppIDUser
objectClass: orclUser
objectClass: orclIDXPerson
objectClass: top
givenName: oaauser
uid: oaauser
orclIsEnabled: ENABLED
sn: oaauser
userPassword: password
mail: oaauser@example.com
mobile:
orclSAMAccountName: oaauser
cn: oaauser
description: oaauser
obpasswordchangeflag: false
obpsftid: true
dn:cn=OAA-App-User,cn=Groups,dc=example,dc=com
changetype: modify
add: uniqueMember
uniqueMember: cn=oaauser,cn=Users,dc=example,dc=comParent topic: Validating OAA
Validating OAA
After deploying OAA, ensure that OAA is working by accessing the OAA Administration Console.
To validate OAA, log in to the OAA Administration Console using the
http://iadadmin.example.com/oaa-admin URL.
You should be redirected to the OAM Credential Collection page. Enter the user name and password for oaaadmin. If all is well, you will be asked to accept the OAuth authentication. When you click Allow, you will see the OAA Administration page.
Parent topic: Validating OAA
Configuring Oracle Universal Authentication
This section describes various tasks related to configuring Oracle Universal Authentication.
Note:
Currently, Oracle Universal Installer only supports Microsoft Windows Clients.Microsoft Entra Domain
The following prerequisites are required while using Microsoft Windows clients to login with OUA.
- You must have a Microsoft Entra Domain Services managed domain.
- You must create a Microsoft Windows user in the domain if you want to use OUA.
Administrators must have a working knowledge of Microsoft Entra before using OUA. The following document does not contain instructions on how to setup a Microsoft Entra Domain, LDAP directories or user accounts.
The following prerequisites are required for Microsoft Windows clients to login with OUA and is applicable to any Windows Desktop or Server where the OUA client application is installed:
- A Microsoft Windows Desktop client running Windows 10 or 11, or a Windows 2016 or 2019 Server.
- The Microsoft Windows Desktop or Server must have joined the Windows domain in Microsoft Entra.
- The Microsoft Windows user who wants to login via OUA must be able to login to the Windows domain with a valid username and password.
- Chrome v88+, Microsoft Edge v92+ is required for the OUA SSO Browser Extension.
- Administrator credentials to install the OUA client application.
The Microsoft Windows user must have a user account in the User Identity Store used by Oracle Access Management (OAM). The user must be able to login with Single-Sign On (SSO) to an application protected with OAM.
Parent topic: Configuring Oracle Universal Authentication
Enabling OAM Persistent Login
Parent topic: Configuring Oracle Universal Authentication
Restarting the OAM Domain
You should restart the OAM domain to enable the OAM Managed Servers to use the OAA plug-in.
kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "If_Needed" }]'Note:
Check that all the Kubernetes pods (with the exception of the helper pod) in the namespace have stopped by using the following command:kubectl -n <OAMNS> get allkubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "If_Needed" }]'Parent topic: Configuring Oracle Universal Authentication
Configuring Forgotten Password
OUA has the facility to allow the resetting of passwords in case they are forgotten. To reset your password you need to set two OUA configuration parameters, one which redirects users the forgotten password flow and the other which directs users to the change password flow
The following curl command is invoked to set the two OUA configuration parameters:
curl --location --insecure --request PUT
'<OAM_LOGIN_LBR_PROTOCOL>://<OAM_LOGIN_LBR_HOST>:<OAM_LOGIN_LBR_PORT>/oaa/runtime/config/property/v1'
\--header 'Content-Type: application/json'
\--header 'Authorization: Basic <Encoded OAA User>'
\-d '[
{
"name": "oua.drss.password.reset.forgoturl",
"value": "<FORGOTTEN_PWD_URL>"
},
{
"name": "oua.drss.password.reset.url",
"value": "<CHANGE_PWD_URL>"
}, ]'-
If you are using OAM Forgotten password functionality, set
oua.drss.password.reset.forgoturlto https://login.example.com/otpfp/pages/fp.jsp. -
If you are using OIG Forgotten password functionality, set
oua.drss.password.reset.forgoturlto https://prov.example.com/identity/faces/forgotpassword and setoua.drss.password.reset.urlto https://prov.example.com/identity.
The following is an example for OIG command:
curl --location --insecure --request PUT
'https://login.example.com/oaa/runtime/config/property/v1' \--header 'Content-Type: application/json'
\--header 'Authorization: Basic
b2FhLW9hYTphcGlrZXl0b2Jlc2V0ZHVyaW5naW5zdGFsbGF0aW9u' \-d '[
{
"name": "oua.drss.password.reset.forgoturl",
"value": "https://prov.example.com/identity/faces/forgotpassword"
},
{
"name": "oua.drss.password.reset.url",
"value": "https://prov.example.com/identity"
},]'Parent topic: Configuring Oracle Universal Authentication
Updating Test User to Add Authenticator
If you have created an OAA test user in Creating a Test User and you want to use this user to validate OUA then you must register the TOTP Authenticator against this user by adding a factor through the OAA user preference screen.
Parent topic: Configuring Oracle Universal Authentication
Installing the OUA Client Application
For more information about how to install the OUA Client application, see Installing the Oracle Universal Authenticator Client Application.
Parent topic: Configuring Oracle Universal Authentication