9.2 Performing the Transition
Prerequisites: Ensure you have followed the prerequisites before starting the transition. For details, see Prerequisite Configurations for Installing OAA, OARM, and OUA.
Perform the following steps to transition from OAAM to OAA, OARM, and OUA.
- Obtain the bharosa.uio.default.user.group property value from the OAAM Administration console.
  - Log in to the OAAM Administration console. For example: http://oaam.example.com:14200/oaam_admin
  - In the left-hand navigation menu, select Properties and search for the property bharosa.uio.default.user.group.
  - In the Search Results, make note of the value returned. This value will be set later for oauth.applicationid in installOAA.properties.
- Obtain the OAAM schema details. You must have the following information prior to performing the transition:
  - The hostname and listener port of the cloned OAAM database
  - The name of the OAAM schema (for example, DEV_OAAM) and the schema password
  - The SYS schema password
- Export OAAM Config Keys from Oracle Fusion Middleware Enterprise Manager 11g.
  - Log in to the Oracle Fusion Middleware Enterprise Manager 11g for OAAM. For example, http://oaam.example.com:7001/em
  - In the left-hand navigation menu, expand WebLogic Domain. Right-click the domain and select Security and then Credentials.
  - In the Credentials pane, expand oaam and make sure the keys DESede_db_key_alias and DESede_config_key_alias exist.
  - Select the DESede_db_key_alias key and click Edit. Make note of the value under "Credential".
  - Select the DESede_config_key_alias key and click Edit. Make note of the value under "Credential".
- Set the following properties in installOAA.properties. For details about the installOAA.properties file, see Preparing the Properties file for Installation.
  - Set oauth.applicationid to the value returned earlier for bharosa.uio.default.user.group.
  - The following database parameters must be set to the cloned OAAM database and schemas:
      database.createschema=false
      database.host=<OAAM_DB_HOST>
      database.port=<OAAM_DB_PORT>
      database.sysuser=sys
      database.syspassword=<SYS_PASSWORD>
      database.schema=<OAAM_SCHEMA>
      database.schemapassword=<OAM_SCHEMA_PASSWORD>
      database.svc=<OAAM_DB_SERVICE_NAME>
      database.name=<OAAM_DB_NAME>
    For example,
      database.createschema=false
      database.host=oaamdb.example.com
      database.port=1521
      database.sysuser=sys
      database.syspassword=<password>
      database.schema=DEV_OAAM
      database.schemapassword=<password>
      database.svc=oaamdb.example.com
      database.name=oaamdb
    Note: database.tablespace=DEV_OAA_TBS is not required because database.createschema=false.
  - Set the deployment mode based on the install type. Possible values are OAA, Both, or OUA. Default mode is Both, which installs OAA integrated with OARM. For example:
      common.deployment.mode=Both
  - Set the OAAM configuration keys:
    - Base64 encoded config key from the migrating system:
        common.migration.configkey=
      If enabled, the value is placed in the vault and used for migration of legacy data.
      Set the parameter common.migration.configkey to the value returned for DESede_config_key_alias in Oracle Fusion Middleware Enterprise Manager 11. For example:
        common.migration.configkey=Z147tibEm2iDoV5o5kwV0BUIvCo0Auxu
    - Base64 encoded db key from the migrating system:
        common.migration.dbkey=
      If enabled, the value is placed in the vault and used for migration of DB data.
      Set the parameter common.migration.dbkey to the value returned for DESede_db_key_alias in Oracle Fusion Middleware Enterprise Manager 11. For example:
        common.migration.dbkey=8b/3zUb0Bz3qIz5uwg0jUW77W3oZtVtK
  - If the OAAM environment is integrated with OIM 12cPS4 then set the following parameter:
      common.oim.integration=true
    This also enables the forgot password functionality.
- If you intend to install OUA, you must change the following in installOAA.properties:
    common.deployment.mode=OUA
    install.global.drssapikey=drssapikeytobesetduringinstallation
  Note: Change drssapikeytobesetduringinstallation to a value of your choice.
  - Edit the OUA Configuration section as per Oracle Universal Authenticator Configuration.
- Deploy OAA, OARM, and OUA. For details, see Deploying OAA, OARM, and OUA.
- Set the vcryptuser.groupid.lowercase configuration property so that OAA and OAAM use the same groupid convention. Use the <PolicyUrl>/policy/config/property/v1 REST API as shown in the following sample request.
    curl --location -g --request PUT '<PolicyUrl>/policy/config/property/v1' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
      --data '[
        {
          "name": "vcryptuser.groupid.lowercase",
          "value": "false"
        }
      ]'
  Note: In this case remove /oaa-policy from the <PolicyUrl>, for example use https://<host>:<port>/policy/config/property/v1 not https://<host>:<port>/oaa-policy/policy/config/property/v1
  For details about finding the PolicyUrl and authenticating, see OAA Admin API. For details about the REST API, see Configuration Properties REST Endpoints.
- If you installed OUA, follow Post Installation Steps for Oracle Universal Authenticator.
- If you were previously using an OAM-OAAM integrated environment then OAM 12cPS4 must be rewired to use OAA. For details, see Integrate Oracle Access Management with Oracle Advanced Authentication.
  Note: In the section Update the WebGate to use the OAA MFA Scheme for the protected application, update your protected applications to use the new Authentication Policy: OAA_MFA-Policy.
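
A pre-flight check for the installOAA.properties settings described in the steps above, run before deployment. This is an added example, not Oracle's code or part of the original page; the function names, the finding messages and the 16- or 24-byte Triple DES key length test are assumptions of this example.

```python
import base64, binascii, re
REQUIRED = ("oauth.applicationid", "database.host", "database.port", "database.syspassword",
            "database.schema", "database.schemapassword", "database.svc", "database.name")
DRSS_DEFAULT = "drssapikeytobesetduringinstallation"

def parse_properties(text):
    """Parse key=value lines, ignoring blank lines and # comments."""
    rows = [ln.split("=", 1) for ln in text.splitlines() if "=" in ln and ln.strip()[0] != "#"]
    return {k.strip(): v.strip() for k, v in rows}

def check_transition_properties(props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if props.get("database.createschema") != "false":
        findings.append("database.createschema must be false for the cloned OAAM schema")
    for name in REQUIRED:
        value = props.get(name, "")
        if not value or re.fullmatch(r"<[^>]*>", value):
            findings.append(f"{name} is empty or still a <placeholder>")
    mode = props.get("common.deployment.mode", "Both")  # the page gives Both as the default
    if mode not in ("OAA", "Both", "OUA"):
        findings.append(f"common.deployment.mode has unsupported value {mode!r}")
    for name in ("common.migration.configkey", "common.migration.dbkey"):
        try:
            size = len(base64.b64decode(props.get(name, ""), validate=True))
        except (binascii.Error, ValueError):
            size = -1  # not valid Base64 at all
        if size not in (16, 24):  # assumption: a Triple DES (DESede) key is 16 or 24 bytes
            findings.append(f"{name} is not Base64 for a 16- or 24-byte key")
    if mode == "OUA" and props.get("install.global.drssapikey", DRSS_DEFAULT) == DRSS_DEFAULT:
        findings.append("install.global.drssapikey is unset or still the placeholder value")
    return findings

# Constructed sample from the page's example values; the dbkey has lost its last character.
SAMPLE = """\
oauth.applicationid=constructed-group
database.createschema=false
database.host=oaamdb.example.com
database.port=1521
database.syspassword=<password>
database.schema=DEV_OAAM
database.schemapassword=constructed-value
database.svc=oaamdb.example.com
database.name=oaamdb
common.deployment.mode=OUA
install.global.drssapikey=drssapikeytobesetduringinstallation
common.migration.configkey=Z147tibEm2iDoV5o5kwV0BUIvCo0Auxu
common.migration.dbkey=8b/3zUb0Bz3qIz5uwg0jUW77W3oZtVt
"""
print("\n".join(check_transition_properties(parse_properties(SAMPLE))))
```

The findings name properties but never echo passwords or key values, so the output can be kept in an install log.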