5.3 Preparing the Properties file for Installation

You can customize the OAA, OARM, and OUA installation by setting properties in the installOAA.properties file. The installOAA.properties is used by the Management Container installation script and is copied to the <NFS_CONFIG_PATH> during the installation of the Management Container pod. The installOAA.properties file is later passed as an argument to the OAA.sh script when deploying OAA, OARM, and OUA.

The following sections show how to prepare the installOAA.properties file based on deploying using the Oracle recommended sandbox architecture in Supported Architectures:

5.3.1 Gathering Variables

List of Variables

Throughout the Prerequisite Configurations for Installing OAA, OARM, and OUA chapter, you should have gathered variables during the Configuration Checkpoints sections. These variables will be used to populate the parameters in the installOAA.properties. The variables required for the installOAA.properties are shown below for completeness:

Note:

The variables are listed in the order they were collected in the Configuration Checkpoints sections.
Variable Your Value Sample Value Description
<NFS_HOST>   nfs.example.com The fully qualified hostname of the NFS Server used by the Kubernetes Cluster.
<NFS_CONFIG_PATH>   /nfs/mountOAApv/OAAConfig The path on NFS server to the <NFS_CONFIG_PATH>
<NFS_CREDS_PATH>   /nfs/mountOAApv/OAACreds The path on NFS server to the <NFS_CREDS_PATH>
<NFS_LOGS_PATH>   /nfs/mountOAApv/OAALogs The path on NFS server to the <NFS_LOGS_PATH>
<NFS_VAULT_PATH>   /nfs/mountOAApv/OAAVault The path on NFS server to the <NFS_VAULT_PATH>
<INSTALL_HOST> install.example.com Fully qualified hostname of the installation host.
<WORKDIR>   /workdir The working directory created on the installation host.
<DB_HOST>   db.example.com The fully qualified hostname of the database server.
<DB_PORT>   1521 The database listener port.
<DB_SERVICE>   orcl.example.com The database service name.
<DB_NAME>   orcl The database name.
<SYS_PWD>   password The password of the SYS user in the database.
<WEB_HOST>   https://ohs.oracle.com The fully qualified hostname of the OHS server that is used as the entry point to OAM. If you are using a load balancer in front of OHS, also collect the fully qualified hostname of the load balancer <LBR_HOST>.

<OAM_ADMIN_USER>   oamadmin The username of the OAM administration user who logs into the OAM Administration console (/oamconsole).
<OAM_ADMIN_PASSWORD>   password The password for the OAM administration user.
<OAM_ADMIN_BASE64>   b2FtYWRtaW46cGFzc3dvcmQ= The BASE64 encoded value of <OAM_ADMIN_USER>:<OAM_ADMIN_PASSWORD>
<IDSTORE>   OUDStore The Default User Identity Store used by OAM.
<OUA_TAPFILE_LOCATION>   /workdir/OAMOUAKeyStore.jks The location of the <WORKDIR>/OAMOUAKeyStore.jks on the <INSTALL_HOST>.
<OUA_TAPFILE_PASSWORD>   cGFzc3dvcmQ= The BASE64 encoded password of the OAMOUAKeyStore.jks.
<OAA_TAPFILE_LOCATION>   /workdir/OAMOAAKeyStore.jks The location of the <WORKDIR>/OAMOAAKeyStore.jks on the <INSTALL_HOST>.
<OAA_TAPFILE_PASSWORD>   cGFzc3dvcmQ= The BASE64 encoded password of the OAMOAAKeyStore.jks.
<LDAP_SERVER>   ldap://oud.example.com:1389 The LDAP server protocol, hostname and port.
<LDAP_ADMIN_USER>   cn=oudadmin The user name of the directory administrator.
<LDAP_ADMIN_PWD>   password The password of the directory administrator.
<LDAP_USER_SEARCHBASE>   cn=Users,dc=example,dc=com The location in the directory where names of users are stored.
<LDAP_GROUP_SEARCHBASE>   cn=Groups,dc=example,dc=com The location in the directory where groups/roles are stored.
<CIR_HOST> cir.example.com The fully qualified hostname of the Container Image Registry
<CIR_REPOSITORY>   cir.example.com/repository/oaa The repository where the OAA images will be pushed to.
<USER_CERT_P12> /workdir/cert.p12 The location of the <WORKDIR>/cert.p12 on the <INSTALL_HOST>. This is only required if you generated third party certificates.
<USER_CERT_P12_PWD>   password The password for the cert.p12. This is only required if you generated third party certificates.
<TRUST_CERT_P12>   /workdir/trust.p12 The location of the <WORKDIR>/trust.p12 on the <INSTALL_HOST>. This is only required if you generated third party certificates.
<TRUST_CERT_P12_PWD>   password The password for the trust.p12. This is only required if you generated third party certificates.

5.3.2 Editing the installOAA.properties

The following are the properties that must be changed in the installOAA.properties based on installing as per the Oracle recommended sandbox architecture in Supported Architectures. Properties not listed below should not be changed from their default values. Where variables are referenced, replace with your corresponding value.

Note:

If you are not using the Oracle recommended sandbox architecture Supported Architectures, you will need to refer to Understanding installOAA.properties Parameters, as the parameters to change may differ.

Common Deployment Configuration

Variable Sample Value Description
common.deployment.keystorepassphrase=<USER_CERT_P12_PWD> password If using your own certificates, you must set this to <USER_CERT_P12_PWD>. If you are going to use the self-signed certificates generated by OAA during installation, then set to a password of your choice.
common.deployment.truststorepassphrase=<TRUST_CERT_P12_PWD> password If using your own certificates, you must set this to <TRUST_CERT_P12_PWD>. If you are going to use the self-signed certificates generated by OAA during installation, then set to a password of your choice.
common.deployment.mode=<type> Both Determines the installation type. Set <type> to the value based on the components you wish to install:
  • Both - install OAA and OARM.
  • OUA - install OAA, OARM, and OUA.
  • OAA - install OAA only.

Database Configuration

Variable Sample Value Description
database.host=<DB_HOST> db.example.com The fully qualified hostname of the database server where you want to store your OAA schemas.
database.port=<DB_PORT> 1521 The database listener port.
database.syspassword=<SYS_PWD> password The password of the SYS user in the database.
database.schemapassword=<password> password The password you want to set for the OAA schema in the database
database.svc=<DB_SERVICE> orcl.example.com The database service name.
database.name=<DB_NAME> orcl The database name.

OAUTH Configuration

Variable Sample Value Description
oauth.identityprovider=<IDSTORE> OUDStore The Default User Identity Store used by OAM.
oauth.redirecturl=<WEB_HOST> https://ohs.example.com The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer <LBR_HOST>.
oauth.applicationid=default default Application ID for OAA. Can be set to any value.
oauth.adminurl=<WEB_HOST> https://ohs.example.com The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer <LBR_HOST>.
oauth.basicauthzheader=<OAM_ADMIN_BASE64> b2FtYWRtaW46cGFzc3dvcmQ= The BASE64 encoded value for <OAM_ADMIN_USER>:<OAM_ADMIN_PASSWORD>
oauth.identityuri=<WEB_HOST> https://ohs.example.com:443 The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer URL <LBR_HOST>. For this value only, if the port is the default SSL port (443), you must append the port to the URL.
oauth.clientpassword=<password> password Set to a password of your choice. This will be the password for the OAuth client created during OAA installation.

Vault Configuration

Variable Sample Value Description
vault.fks.server=<NFS_HOST> nfs.example.com The fully qualified hostname of the NFS Server used by the Kubernetes cluster.
vault.fks.path=<NFS_VAULT_PATH> /nfs/mountOAApv/OAAVault The path on the NFS server to the <NFS_VAULT_PATH>
vault.fks.key=<base64_password> cGFzc3dvcmQ= Set to a password of your choice. The password must be BASE64 encoded. To find the BASE64 encoded version run:
echo -n <password> | base64

Chart Configuration

Variable Sample Value Description
install.global.repo=<CIR_REPOSITORY> cir.example.com/repository/oaa The repository where the OAA images will be pushed to.
install.global.uasapikey=<password> password Set to a password of your choice.
install.global.policyapikey=<password> password Set to a password of your choice.
install.global.factorsapikey=<password> password Set to a password of your choice.
install.global.riskapikey=<password> password Set to a password of your choice.
install.global.drssapikey=<password> password Set to a password of your choice. This only needs to be set if you have set common.deployment.mode=OUA.

Optional Configuration

Variable Sample Value Description
install.global.ingress.enabled=true true Must be set to true when using your own ingress controller.
install.global.serviceurl=<WEB_HOST> https://ohs.example.com The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer URL <LBR_HOST>. This parameter is used for the OAA runtime URLs.
install.oaa-admin-ui.serviceurl=<WEB_HOST> https://ohs.example.com The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer URL <LBR_HOST>. This parameter is used for the OAA Administration URLs.

OAA Management Configuration

Variable Sample Value Description
install.mount.config.path=<NFS_CONFIG_PATH> /nfs/mountOAApv/OAAConfig The path on NFS server to the <NFS_CONFIG_PATH>.
install.mount.config.server=<NFS_HOST> nfs.example.com The fully qualified hostname of the NFS Server used by the Kubernetes cluster.
install.mount.creds.path=<NFS_CREDS_PATH> /nfs/mountOAApv/OAACreds The path on NFS server to the <NFS_CREDS_PATH>.
install.mount.creds.server=<NFS_HOST> nfs.example.com The fully qualified hostname of the NFS Server used by the Kubernetes cluster.
install.mount.logs.path=<NFS_LOGS_PATH> /nfs/mountOAApv/OAALogs The path on NFS server to the <NFS_LOGS_PATH>.
install.mount.logs.server=<NFS_HOST> nfs.example.com The fully qualified hostname of the NFS Server used by the Kubernetes cluster.
common.local.sslcert=<WORKDIR>/cert.p12 /workdir/cert.p12 The location of the <WORKDIR>/cert.p12 on the <INSTALL_HOST>. This parameter is only required if you generated third party certificates in Generating Server Certificates and Trusted Certificates.
common.local.trustcert=<WORKDIR>/trust.p12 /workdir/trust.p12 The location of the <WORKDIR>/trust.p12 on the <INSTALL_HOST>. This parameter is only required if you generated third party certificates in Generating Server Certificates and Trusted Certificates.

OUA Configuration

The parameters in this section only have to be set if you are deploying OUA.

Variable Sample Value Description
oua.tapAgentFilePass=<OUA_TAPFILE_PASSWORD> cGFzc3dvcmQ= The BASE64 encoded password of the OAMOUAKeyStore.jks.
oua.tapAgentFileLocation=<OUA_TAPFILE_LOCATION> /workdir/OAMOUAKeyStore.jks The location of the <WORKDIR>/OAMOUAKeyStore.jks on the <INSTALL_HOST>.
oua.oamRuntimeEndpoint=<WEB_HOST> https://ohs.example.com The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer URL <LBR_HOST>.

LDAP Configuration

Variable Sample Value Description
ldap.server=<LDAP_SERVER> ldap://oud.example.com:1389 The LDAP server protocol, hostname and port.
ldap.username=<LDAP_ADMIN_USER> cn=oudadmin The user name of the directory administrator.
ldap.password=<LDAP_ADMIN_PWD> password The password of the directory administrator.
ldap.oaaAdminUser=cn=oaaadmin,<LDAP_USER_SEARCHBASE> cn=oaaadmin,cn=Users,dc=example,dc=com The OAA administration user to be created in the LDAP user search base.
ldap.adminRole=cn=OAA-Admin-Role,<LDAP_GROUP_SEARCHBASE> cn=OAA-Admin-Role,cn=Groups,dc=example,dc=com The OAA-Admin-Role group to be created in the LDAP group search base.
ldap.userRole=cn=OAA-App-User,<LDAP_GROUP_SEARCHBASE> cn=OAA-App-User,cn=Groups,dc=example,dc=com The OAA-App-User group to be created in the LDAP group search base.
ldap.oaaAdminUserPwd=<password> password Set to a password of your choice. This will be the password for the oaaadmin user.
ldap.addExistingUsers=<yes/no> yes Set this value to yes if you want the OAA installation to add all your existing users in your <LDAP_USER_SEARCHBASE> to the OAA-App-User group. See Creating Users and Groups in the LDAP Store for more details.

OAA Configuration

Variable Sample Value Description
oaa.tapAgentFilePass=<OAA_TAPFILE_PASSWORD> cGFzc3dvcmQ= The BASE64 encoded password of the OAMOAAKeyStore.jks.
oaa.tapAgentFileLocation=<OAA_TAPFILE_LOCATION> /workdir/OAMOAAKeyStore.jks The location of the <WORKDIR>/OAMOAAKeyStore.jks on the <INSTALL_HOST>.

Additional Considerations

If you have pushed the additional images (oraclelinux:8-slim and oraclelinux7-instantclient:19) referenced in Setting Up a Container Image Registry (CIR) to a repository, you must add the following parameter to the ## 5. Chart configuration# section:

Note:

This parameter is not referenced in the default file so you must add it.
install.global.testrepo=<CIR_REPOSITORY>
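
A pre-flight check for the edited file, added here as an example; it is not part of the Oracle documentation or the OAA tooling. It flags variables that were never substituted, the documentation's sample secrets left in place, BASE64 values that do not decode cleanly, an oauth.basicauthzheader that is not user:password, an oauth.identityuri without a port, and a file readable beyond its owner. The function names are hypothetical, and the script assumes GNU base64 and ASCII passwords.

```shell
#!/bin/sh
# Added example (not Oracle tooling): pre-flight lint for installOAA.properties.

# prop FILE KEY: value of the last uncommented "KEY=value" line (literal match).
prop() {
  awk -v k="$2=" 'index($0, k) == 1 { v = substr($0, length(k) + 1) } END { print v }' "$1"
}

# b64_problem VALUE: print a reason if VALUE is not BASE64 of printable text.
b64_problem() {
  if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
    echo "is not valid BASE64"
  elif [ "$(printf '%s' "$1" | base64 -d | LC_ALL=C tr -d '[:print:]' | wc -c)" -gt 0 ]; then
    echo "decodes to non-printable bytes (echo without -n, or value never encoded)"
  fi
}

# lint_oaa_properties FILE: print findings (never secret values); return 1 if any.
lint_oaa_properties() {
  f=$1
  out=$(
    # BASE64 is reversible, so the file should be readable by its owner only.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
      echo "file mode: group/other have access, expected 600"
    # Variables such as <DB_HOST> that were never substituted.
    grep -nE '^[^#]*=.*<[A-Za-z0-9_/]+>' "$f" |
      sed 's/=.*/: unreplaced <VARIABLE>/; s/^/line /'
    # Sample secrets from the documentation left in place.
    grep -nE '^[^#]*=(password|cGFzc3dvcmQ=|b2FtYWRtaW46cGFzc3dvcmQ=)[[:space:]]*$' "$f" |
      sed 's/=.*/: documentation sample secret/; s/^/line /'
    for k in oauth.basicauthzheader vault.fks.key oua.tapAgentFilePass oaa.tapAgentFilePass; do
      v=$(prop "$f" "$k")
      [ -n "$v" ] || continue
      why=$(b64_problem "$v")
      [ -z "$why" ] || echo "$k: $why"
    done
    # Must decode to <OAM_ADMIN_USER>:<OAM_ADMIN_PASSWORD>.
    v=$(prop "$f" oauth.basicauthzheader)
    [ -z "$v" ] || printf '%s' "$v" | base64 -d 2>/dev/null | grep -q '^[^:][^:]*:.' ||
      echo "oauth.basicauthzheader: does not decode to user:password"
    # The one URL that needs an explicit port, even for 443.
    v=$(prop "$f" oauth.identityuri)
    [ -z "$v" ] || printf '%s\n' "$v" | grep -qE '^https?://[^/:]+:[0-9]+' ||
      echo "oauth.identityuri: no explicit port (append :443 for the default SSL port)"
  )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}
```

Source the script and run lint_oaa_properties installOAA.properties before starting the installation; findings name keys and line numbers only, so the output is safe to paste into a ticket.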