A Understanding installOAA.properties Parameters

The following sections provide a complete list of all the parameters in the default installOAA.properties file.

A.1 Common Deployment Configuration

This section provides details about the common deployment configuration properties that can be set in the installOAA.properties.

Common Deployment Configuration

Properties Mandatory/Optional Installation Type Description
common.dryrun Optional All If enabled and set to true, the helm installation will only display generated values and will not actually perform the OAA/OARM/OUA installation on the Kubernetes cluster.

This is equivalent to --dry-run --debug option in the helm command.

common.deployment.name Mandatory All Name of the OAA installation. It is unique per kubernetes cluster and namespace when the helm install command is run.

The value given must be in lowercase.
common.deployment.overridefile Optional All Override file for chart parameters override. The helm charts are present in helmcharts directory inside the management container. All the parameters defined in values.yaml can be overridden by this file, if enabled. The format of this file should be YAML only. A sample oaaoverride.yaml file is present in the ~/installsettings directory inside the management container. See, Advanced Configuration with OAA Override File.
common.kube.context Optional All Name of the Kubernetes context to be used.

If the context is not provided, the default Kubernetes context is used.
common.kube.namespace Optional All The namespace where you want to create the deployment. This should be the namespace created in Creating a Kubernetes Namespace and Secret. If the parameter is not set it will deploy to the default namespace.
common.deployment.sslcert Mandatory All The server certificate PKCS12 file to be used in the installation. The file name, for example cert.p12, is the same file name as the one generated in Generating Server Certificates and Trusted Certificates. The PATH should not change as this is the internal path mapped inside the container.

The file is seeded into the vault and downloaded by all OAA/OARM/OUA microservices
common.deployment.trustcert Mandatory All The trusted certificate PKCS12 file to be used in the installation. The file name, for example trust.p12, is the same file name as the one generated in Generating Server Certificates and Trusted Certificates. The PATH should not change as this is the internal path mapped inside the container.

The file is seeded into the vault and downloaded by all OAA/OARM/OUA microservices
common.deployment.importtruststore Mandatory All If this is enabled then the trusted certificate is imported in the JRE truststore.
common.deployment.keystorepassphrase Mandatory All Passphrase for the certificate PKCS12 file. This is the passphrase used when creating the keystore in Generating Server Certificates and Trusted Certificates.

If you do not specify the value here, you are prompted for the value during installation.
common.deployment.truststorepassphrase Mandatory All Passphrase for the trusted certificate PKCS12 file. This is the passphrase used when creating the trusted keystore in Generating Server Certificates and Trusted Certificates

If you do not specify the value here you are prompted for the value during installation.
common.deployment.generate.secret Mandatory All If set to true, the installation generates three symmetric keys and adds them to the cert.p12 referenced by the parameter common.deployment.sslcert.
The encryption keys generated are:
  • spui-enckey - This key is used by the SPUI service for encryption.
  • aes256_db_key_alias - This key is used for encrypting user runtime information in the database such as users questions/answers for Knowledge Based Authentication (KBA).
  • aes256_config_key_alias - This key is for encrypting all the system related configuration.
If you create these keys yourself then the value must be set to false. To create the keys, run the following command:
keytool -genseckey -alias $keynametouse -keyalg $KEYALGO -keystore $KEYSTORE -storepass $STOREPASS -storetype $STORETYPE -keysize $KEYSIZE
for example:
keytool -genseckey -alias spui-enckey -keyalg AES -keystore cert.p12 -storepass <password> -storetype PKCS12 -keysize 256
common.deployment.mode Mandatory All The following values can be set in installOAA.properties
  • Both - install OAA and OARM.
  • OAA - install OAA only.
  • Risk - install OARM only.
  • OUA - install OAA, OARM, and OUA.
common.migration.configkey Optional All Base64 encoded config key from the transitioning system. If enabled, the value is placed in the vault and used for transitioning of legacy data. Use this only if you transition from Oracle Adaptive Access Manager 11gR2PS3.
common.migration.dbkey Optional All Base64 encoded Database key from the transitioning system. If enabled, the value is placed in the vault and used for transitioning of database data. Use this only if you transition from Oracle Adaptive Access Manager 11gR2PS3.
common.oim.integration Optional All except OARM only installations To integrate with OIM, set the property to true. This also enables the forgot password functionality. Use this only if you transition from Oracle Adaptive Access Manager 11gR2PS3.
common.deployment.push.apnsjksfile Optional All except OARM only installations File used when enabling push factor for the Apple Push Notification Service. You need to set this only if you have already configured the JKS file prior to install. Else, you can configure this post installation. The JKS file should be copied to the <NFS_VAULT_PATH>/ChallengeOMAPUSH/apns/ directory. The value should be set to /u01/oracle/service/store/oaa/ChallengeOMAPUSH/apns/APNSCertificate.jks. For more details, see Configuring Oracle Mobile Authenticator Push Notification for iOS.
common.deployment.push.gcmjsonfile Optional All except OARM only installations File used when enabling push notifications for Android devices. You need to set this only if you have already have created your Google Firebase project and downloaded the service account json file prior to install. Else, you can configure this post installation. The service-account.json file should be copied to the <NFS_VAULT_PATH>/ChallengeOMAPUSH/gcm/ directory. The value should be set to /u01/oracle/service/store/oaa/ChallengeOMAPUSH/gcm/service-account.json. For more details, see Configuring Oracle Mobile Authenticator Push Notification for Android.

A.2 Database Configuration

This section provides details about the database configuration properties that can be set in the installOAA.properties.

Database Configuration

Properties Mandatory/Optional Description
database.createschema Mandatory

Enables creation of the schema during installation.

If this is set to false, the schema is not created. However, irrespective of this flag, database validation is performed.

database.host Mandatory Specify the database hostname or IP address.
database.port Mandatory Specify the database port..
database.sysuser Mandatory Specify the sysdba user of the database.
database.syspassword Mandatory Specify the sys password.

If you do not specify the value here, you are prompted for value during installation.
database.schema Mandatory Specify the name of the database schema to be used for installation.

Note:

The schema name cannot exceed twelve characters and must be in uppercase.
database.tablespace Mandatory Specify the tablespace name to be used for the installation.
database.schemapassword Mandatory Specify the schema password.

If you do not specify the value here, you are prompted for value during installation.
database.svc Mandatory Specify the database service name.
database.name Mandatory Specify the database name. This can be the same as database service name.

This parameter is not required if using a RAC database.

Configuring SSL between OAA and the Database

If required, you can configure one-way SSL between OAA and the Oracle Database. The database can use a certificate from either a commercial Certificate Authority (CA), a certificate from a private CA, or a self-signed certificate.

If the database is using a certificate issued by a private CA, or is using a self-signed certificate, then you must create an Oracle Wallet for use with OAA.

To configure OAA to use SSL communication to the database, perform the following steps:
  1. If the database is using a certificate issued by a private CA, or is using a self-signed certificate, you must create an Oracle Wallet. Consult your usual Oracle Database documentation for instructions for how to perform these steps:

    Note:

    If the database is using a certificate issued by a commercial CA, there is no need to create a wallet as OAA contains commercial CA's by default.
    1. If your database uses a certificate issued by a private CA, import the CA certificate(s) that signed the database certificate as a Trusted Certificate in the Wallet. If your database uses a self-signed certificate, import the self-signed certificate as a Trusted Certificate in the Wallet.
    2. Once imported, save the Wallet, and add the Wallet to a zip file, for example wallet.zip.
    3. Copy the wallet.zip file to the <INSTALL_HOST>.
  2. Follow Creating the Management Container and run as follows:
    ./installManagementContainer.sh -E -s <path_to>/wallet.zip -t ./<oaa-image>.tar

    Note:

    If your database is using a certificate issued by a commercial CA you do not need to pass the -s <path_to>/wallet.zip parameter.
    The installManagementContainer.sh command will automatically add two new parameters to the installOAA.properties:
    • database.protocol=tcps
    • database.wallet_location - This will only be added if -s <path_to>/wallet.zip is used.
  3. Install OAA by following Deploying OAA, OARM, and OUA.

A.3 OAM OAuth Configuration

This section provides details about the OAM OAuth configuration properties that can be set in the installOAA.properties.

OAM OAuth Configuration

Ensure you have followed the prerequisite steps for configuring OAM for OAuth. For details, see Configuring OAuth and Oracle HTTP Server .

Properties Mandatory/Optional Description
oauth.enabled Mandatory

OAuth is required if you want to use the Administration Console and Self-Service Portal.

If access to the Administration Console and Self-Service Portal is required, you must set this to true to enable OAuth in the OAA installation.

If you do not want access to the Administration Console and Self-Service Portal set this to false. If you set oauth.enabled=false you must also set the following properties to false, otherwise the installation fails:
  • oauth.createdomain
  • oauth.createresource
  • oauth.createclient
If oauth.enabled=false you must also set these parameters to false under Optional Configuration:
  • install.spui.enabled
  • install.oaa-admin-ui.enabled
  • install.fido.enabled
  • install.oaa-kba.enabled
install.global.service.security.oauth.enabled Optional Controls whether to turn on OAuth for REST API calls. The default value is false and should not be changed during initial installation. Post installation, this value should not be set to true before reading and understanding Configuring OAuth JWT for REST APIs.
install.global.service.security.basic.enabled Optional Controls whether to use basic authentication for REST API calls. The default value is true. This value should not be changed during initial installation. Post installation, this value should not be set to false before reading and understanding Configuring OAuth JWT for REST APIs.
oauth.createdomain Optional Creates the OAuth domain.

The OAuth domain is required to create OAuth resource and client.
oauth.createresource Optional Creates the OAuth resource.

The OAuth resource is required to create the OAuth client.
oauth.domainname

Mandatory if oauth.createdomain is set to true

Specify the OAuth domain name. This must be same as the <DomainName> provided in Configuring OAuth and Oracle HTTP Server.
oauth.identityprovider Mandatory if oauth.createdomain is set to true Specify the identity provider for the OAM OAuth Domain. This is the name of the User Identity Store used in OAM.
oauth.resourcename Mandatory if oauth.enabled=true Specify the OAuth resource name to be created during installation. Also used for validation of the OAuth setup.
oauth.resourcescope Mandatory if oauth.enabled=true Specify the OAuth resource scope to be created during installation. Also used for validation of the OAuth setup.
oauth.redirecturl Mandatory if oauth.createclient is set to true Specify the client redirect URL. Post authentication redirecturl is required. This is used for validating configuration of OAuth services in OAM by generating an access token.
oauth.applicationid Mandatory if oauth.createclient is set to true Application ID of OAA protected by oauth. The value can be any valid string. It is required to setup runtime integration between OAM and OAA post OAA installation. See Integrating OAA with OAM.
oauth.adminurl Mandatory if oauth.enabled=true Specify the OAuth Administration URL This is the URL of the OAM Administration Server, for example http://oam.example.com:7001..
oauth.basicauthzheader Mandatory if oauth.enabled=true Base64 encoded authorization header for the OAM Administration Server. The value can be found by executing: echo -n weblogic:<password> | base64.
oauth.identityuri Mandatory if oauth.enabled=true URL of the identity server used to retrieve OIDC metadata using /.well-known/openid-configuration endpoint. This is the front-end URL of the OAM Managed server providing runtime support for OAuth Services. For example : http://ohs.example.com:7777.
oauth.createclient Optional Creates the OAuth client.

The OAuth client is required if oauth.enabled is set to true.

oauth.clientname

Mandatory if oauth.createclient is set to true

Specify the OAuth client name that will be created during the installation.
oauth.clientgrants Mandatory if oauth.createclient is set to true Specify the client grants for the OAuth client. OAuth client must have CLIENT_CREDENTIALS, which is used during validation stage to check OAuth status. Values must be:

"PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE","IMPLICIT".
oauth.clienttype Mandatory if oauth.createclient is set to true Specify the OAuth Client Type. OAM OAuth supports the following client types:

PUBLIC_CLIENT, CONFIDENTIAL_CLIENT, MOBILE_CLIENT.

As OAuth is used for the OAA Administration and User Preference consoles, PUBLIC_CLIENT should be used.
oauth.clientpassword Mandatory if oauth.enabled=true Specify the password that will be used for the OAuth client. The client password must conform to regex ^[a-zA-Z0-9.\-\/+=@_ ]*$ with a maximum length of 500.
oauth.tokenexpiry Mandatory if both the following properties are set as: install.global.service.security.oauth.enabled=true and install.global.service.security.basic.enabled=false. UI OAuth token expiry in seconds. Default value is 3600 seconds (one hour). This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
api.oauth.tokenexpiry Mandatory if both the following properties are set as: install.global.service.security.oauth.enabled=true and install.global.service.security.basic.enabled=false. API OAuth token expiry in seconds. Default value is 3600 seconds (one hour). This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
oauth.adminname Mandatory if both the following properties are set as: install.global.service.security.oauth.enabled=true and install.global.service.security.basic.enabled=false. Value must be set to an Administration user that is a member of the OAA-Admin-Role group. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
oauth.adminpassword Mandatory if both the following properties are set as: install.global.service.security.oauth.enabled=true and install.global.service.security.basic.enabled=false. Value must be set to the base64 password of the Administration user set for oauth.adminname. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
oauth.appusername Mandatory if both the following properties are set as: install.global.service.security.oauth.enabled=true and install.global.service.security.basic.enabled=false. Value must be set to any user that is a member of the OAA-App-User group. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
oauth.appuserpassword Mandatory if both the following properties are set as: install.global.service.security.oauth.enabled=true and install.global.service.security.basic.enabled=false. Value must be set to the base64 password of the Administration user set for oauth.appuserpassword. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
oauth.provider Mandatory The OAuth provider. The only valid value is OAM.
oauth.serverapprole Optional

The LDAP group(s) that contain the users who are permitted to access the Self-Service Portal.

The default value if not set is OAA-App-User.

The following values can also be set:
  • OAA-All-Role - Users can be members of any LDAP group.
  • group1,group2,group3,etc - Users must be members of the LDAP groups listed. Groups must be provided in a comma separated list.

In case of custom groups, the group names must be correct and not contain forbidden characters. If you choose to disable access to a custom group, you must adjust this property accordingly and run OAA.sh again to pick up the changes. See Deploying OAA, OARM, and OUA.

A.4 Vault configuration

This section provides details about the vault configuration properties that can be set in the installOAA.properties.

Vault Configuration

If you are using OCI vault, you can ignore the properties to be set for file-based vault.

Properties Description
vault.deploy.name

Name to be used in the vault for this deploymemt. If the name is already present in the vault it will be reused.

vault.create.deploy If the value is set to true, vault creation is performed. However, if a vault with the name provided in vault.deploy.name already exists then vault creation is skipped.
vault.provider Specify if the vault is OCI or file based.
Specify one of the following values:
  • fks
  • oci
The following properties are mandatory for OCI-based vault configurations if you have set vault.provider=oci. For for information about creating OCI vault, see Managing Vaults. The OCI vault must exist before setting the parameters below.
vault.oci.uasoperator Specify the Base64 encoded private key of the user with read and write permission on OCI vault.
vault.oci.tenancyId Specify the Base64 encoded OCI ID of the tenancy id.
vault.oci.userId Specify the Base64 encoded OCID of the user with read and write permission on OCI vault.
vault.oci.fpId Specify the Base64 encoded finger print of the user with read and write permission on OCI vault.
vault.oci.compartmentId Specify the Base64 encoded OCID of the compartment where the vault exists in OCI.
vault.oci.vaultId Specify the Base64 encoded OCID of the vault on OCI.
vault.oci.keyId Specify the Base64 encoded OCID of the master secret key in OCI vault used to encrypt the secrets in the vault.
The following properties are mandatory for file-based vault configurations if you have set vault.provider=fks.
vault.fks.server Specify the NFS server host name or IP address for the <NFS_VAULT_PATH>.

For more details, see Configuring NFS Volumes.

vault.fks.path Specify the <NFS_VAULT_PATH> which will store the file based vault.

For more details, see Configuring NFS Volumes.

vault.fks.key Specify a Base64 encoded password for the file based vault. To find the Base64 encoded version of the password use: echo -n weblogic:<password> | base64.
vault.fks.mountpath The mount path in the management container and for installed services where the vault exists. The value of this property must be the same as the value passed through the helm chart. Do not change this value: /u01/oracle/service/store/oaa.

A.5 Helm Chart Configuration

This section provides details about the helm chart configuration properties that can be set in the installOAA.properties.

Helm Chart Configuration

These properties are passed as input to the helm chart during installation.

Properties Mandatory/Optional Description
install.global.repo Mandatory

Specify the Container Image Registry where the OAA container images exists.

For more details, see Setting Up a Container Image Registry (CIR)

install.global.testrepo Optional Speficies an alternate Container Image Registry where container images can be pulled. For example, OAA installs oraclelinux:8-slim from an external site (https://ghcr.io/oracle). If your Kubernetes cluster does not have access to the internet, you must pull this image and store it in your container registry. Then you must set install.global.testrepo to the location of your container registry.
install.riskdb.service.type Mandatory You must set the value of this property always to ExternalName, as the database is external to the OAA installation.
install.global.imagePullSecrets\[0\].name Mandatory Specify the Kubernetes secret reference that needs to be used while pulling the container images from the protected Container Image Registry.

Note:

This must be set to the Kubernetes secret that you set earlier e.g dockersecret. For more details, see Creating a Kubernetes Namespace and Secret.
install.global.image.tag Mandatory Update the global image tag to the image tag in your Container Image Registry.

Note:

If you copied the installOAA.properties.template to installOAA.properties this tag will be already set.
install.global.oauth.logouturl Optional Specify the logout URL for OAuth protected resource. This is the front-end URL of the OAM Managed server. For example : http://ohs.example.com:7777/oam/server/logout. Required only when oauth.enabled is set to true.
install.global.uasapikey Mandatory Specify the REST API key to be used used for protecting rest endpoints in OAA microservice.
install.global.policyapikey Mandatory Specify the REST API key to be used used for protecting REST endpoints in the OAA policy microservice.
install.global.factorsapikey Mandatory Specify the REST API key to be used for protecting REST endpoints in the OAA factor microservice.
install.global.riskapikey Mandatory for any install type that installs OARM. Specify the REST API key to be used for protecting REST endpoints in the OAA risk microservice.

This parameter is mandatory if performing an OAA-OARM installation, OARM only, or OAA-OARM-OUA installation.
install.global.drssapikey Mandatory for OAA-OARM-OUA installations. Specify the REST API key to be used for protecting REST endpoints in the OAA DRSS microservice.

This parameter is mandatory if performing an OAA-OARM-OUA installation.
In case of OCI vault, the following configurations can be overridden if provided for read-only users during helm installation. If the values are not provided in the following properties then the values are picked from Vault Configuration.
install.global.vault.mapId Optional For a pre-existing vault you can provide the Base64 mapId. If the property is set then it validates against the deploy information in the vault.
install.global.vault.oci.uasoperator Optional Specify the Base64 encoded private key of the user with the read-only permission on the vault.
install.global.vault.oci.tenancyId Optional Specify the Base64 encoded tenancy id from OCI.
install.global.vault.oci.userId Optional Specify the Base64 encoded user id from OCI.
install.global.vault.oci.fpId Optional Specify the Base64 encoded finger print id of the user from the OCI.

A.6 Optional Configuration

This section provides details about the optional configuration properties that can be set in the installOAA.properties.

Properties Mandatory/Optional Description
install.global.ingress.enabled Optional This property is used to indicate if ingress is to be enabled for the deployment. If the value is set to true, the ingress resource in the Kubernetes cluster for the deployment will be generated. If a pure NodePort based deployment is required, the value should be set to false.
install.global.ingress.runtime.host Optional You can specify the Host name to be used for ingress definition for the runtime host. If the value for the property is missing, ingress definition is created using '*' host.

The runtime host is used for accessing runtime services including all factors, oaa, spui and risk.
install.global.ingress.admin.host Optional You can specify the Host name to be used for ingress definition for the admin host. If the value for the property is missing, ingress definition is created using '*' host.

The admin host is used for accessing admin, policy and risk-cc services.
install.global.dbhost

install.global.dbport

install.global.dscredentials

install.global.dbservicename

 Optional These properties are related to the database. If the property is not specified here, the values provided in the Database Configuration are used.
install.global.oauth.oidcidentityuri

install.global.oauth.oidcaudience

install.global.oauth.oidcclientid

 Optional The following properties are related to OAuth. If they are not specified here, the values provided in the OAuth Configuration are used.
install.global.serviceurl Optional If load balancer/ingress url is present, then configure the url here. All UI services will be behind this load balancer/ingress. In case ingress installation is set to true, the appropriate service url will be fetched after ingress installation and will be used as service url. If install.global.serviceurl is provided, the service url from this property will have higher priority and override the original value.
install.oaa-admin-ui.serviceurl Optional Service URL of oaa admin, if different from install.global.serviceurl.
install.spui.enabled=false

install.fido.enabled=false

install.oaa-admin-ui.enabled=false

install.oaa-kba.enabled=false

 Optional If oauth.enabled=false the Admininistration console (oaa-admin-ui), Self-Service Portal (spui) , FIDO (fido) and KBA (oaa-kba) factors cannot be used. If oauth.enabled=false you must uncomment these properties.

When common.deployment.mode=Risk the following service are not deployed: fido, push, yotp, email ,sms, totp and kba.

install.totp.enabled=false

install.push.enabled=false

install.sms.enabled=false

install.yotp.enabled=false

install.email.enabled=false

   Authentication factor services are enabled by default. To disable them uncomment the lines.

When common.deployment.mode=Risk the following service are not deployed: fido, push, yotp, email ,sms, totp and kba.

install.service.type=ClusterIP

install.oaa-admin-ui.service.type=NodePort

install.oaa-policy.service.type=NodePort

install.spui.service.type=NodePort

install.totp.service.type=NodePort

install.fido.service.type=NodePort

install.push.service.type=NodePort

install.email.service.type=NodePort

install.sms.service.type=NodePort

install.yotp.service.type=NodePort

install.risk.service.type=NodePort

install.oaa-kba.service.type=NodePort

install.oaa-drss.service.type=NodePort

install.risk.riskcc.service.type=NodePort

 Optional Default service type for services is ClusterIP.

When deployment mode is Risk the following service are not deployed : fido, push, yotp, email ,sms, totp and kba.

If install.global.ingress.enabled=true all these parameters except install.service.type=ClusterIP should be commented out.

For details on installing using ingress, see: Installing NGINX Ingress Controllers

A.7 Ingress Configuration

This section provides details about the Ingress configuration properties that can be set in the installOAA.properties.

Table A-1 Ingress Configuration

Properties Mandatory/Optional Description
ingress.install Mandatory

Set value to true if you want the installation to install an ingress controller for you.

Set to false if you do not want to install the ingress controller.

If this is set to true then install.global.ingress.enabled=true must also be set in Optional Configuration.

ingress.namespace Mandatory if ingress.install=true The Kubernetes namespace which will be used to install ingress. The install will create this namespace in Kubernetes. For example, ingress-nginx.
ingress.admissions.name=ingress-nginx-controller-admission Optional if ingress.install=true

The name of the Admissions controller.

The Admissions controller can be installed separately.

If Ingress admissions name is not present, the controller.admissionWebhooks.enabled will be set to false in the NGINX ingress chart.

ingress.class.name=nginx Mandatory if ingress.install=true Ingress class name that needs to be used for the installation. It must not be an existing class name.
ingress.service.type Mandatory if ingress.install=true

Set the value to NodePort if using a bare metal Kubernetes cluster. The ingress controller will listen on one of the nodes of the cluster on a dynamically assigned port.

ingress.install.releaseNameOverride=base Optional if ingress.install=true Anything starting with ingress.install can be additionally supplied to set the ingress chart value.

For details on installing using ingress, see: Installing NGINX Ingress Controllers

A.8 Management Container Configuration

This section provides details about the Management Container configuration properties that can be set in the installOAA.properties.

Table A-2 Management Configuration

Properties Mandatory/Optional Description
install.mount.config.path Mandatory

Set the value of <NFS_CONFIG_PATH> to the NFS mount path for the configuration.

install.mount.config.server Mandatory The IP address of the NFS server for the <NFS_CONFIG_PATH>.
install.mount.creds.path Mandatory

Set the value of <NFS_CREDS_PATH> to the NFS mount path for the credentials.

install.mount.creds.server Mandatory The IP address of the NFS server for the <NFS_CREDS_PATH>.
install.mount.logs.path Mandatory

Set the value of <NFS_LOGS_PATH> to the NFS mount path for the logs.

install.mount.logs.server Mandatory The IP address of the NFS server for the <NFS_LOGS_PATH> .
install.mgmt.release.name Optional Name of the OAA management container installation used when the helm install command is run. If not set you will be prompted for the name during the installation.

The value given must be in lowercase.
install.kube.creds Optional Set the value to the local PATH where kubeconfig resides. If not set the management container will use $KUBECONFIG or ~/.kube/config for Kubernetes credentials.
common.local.sslcert Mandatory Set the value to the local PATH where the server certificate PKCS12 file (cert.p12) resides.

This only needs to be set If you have generated your own certificates as per Generating Server Certificates and Trusted Certificates. If you want to use self signed certificates, do not set this.

common.local.trustcert Mandatory Set the value to the local PATH where the trusted certificate PKCS12 file (trust.p12) resides.

This only needs to be set If you have generated your own certificates as per Generating Server Certificates and Trusted Certificates. If you want to use self signed certificates, do not set this.

For details on NFS mounts, see: Configuring NFS Volumes

A.9 Oracle Universal Authenticator Configuration

This section provides details about the Oracle Universal Authenticator (OUA) configuration properties that can be set in the installOAA.properties.

Table A-3 Oracle Universal Authenticator Configuration

Properties Mandatory/Optional Description
oua.tapAgentName Mandatory for OUA

The default value is OAM-OUA-TAP. This should not be changed.

This should be set to the value of the TAP partner name created in section Registering OUA as a TAP Partner in OAM in Registering OAM TAP Partners.

oua.tapAgentFileLocation Mandatory for OUA Set the value to the local PATH and file name of the keystore for the OAM OAA TAP partner created in section Registering OUA as a TAP Partner in OAM in Registering OAM TAP Partners.

Note:

The PATH must accessible to the OAA management container.
oua.tapAgentFilePass Mandatory for OUA

Set the value to the Base64 encoded password of the TAP partner keystore generated in section Registering OUA as a TAP Partner in OAM in Registering OAM TAP Partners.

oua.oamRuntimeEndpoint Mandatory for OUA The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer URL.

A.10 LDAP Configuration

This section provides details about the LDAP configuration properties that can be set in the installOAA.properties.

Table A-4 LDAP Configuration

Properties Mandatory/Optional Description
ldap.server Mandatory for OAA The LDAP server protocol, hostname and port for the LDAP server used by OAM.
ldap.username Mandatory for OAA The user name of the directory administrator.
ldap.password Mandatory for OAA The password of the directory administrator.
ldap.oaaAdminUser Mandatory for OAA The OAA administration user to be created in the LDAP user search base.
ldap.adminRole Mandatory for OAA The OAA-Admin-Role group to be created in the LDAP group search base.
ldap.userRole Mandatory for OAA The OAA-App-User group to be created in the LDAP group search base.
ldap.oaaAdminUserPwd Mandatory for OAA Set to a password of your choice. This will be the password for the ldap.oaaAdminUser.
ldap.addExistingUsers Mandatory for OAA Set this value to yes if you want the OAA installation to add all your existing users in your <LDAP_USER_SEARCHBASE> to the OAA-App-User group. See Creating Users and Groups in the LDAP Store for more details.

A.11 Oracle Advanced Authentication TAP Configuration

This section provides details about the Oracle Advanced Authentication TAP configuration properties that can be set in the installOAA.properties.

Table A-5 Oracle Advanced Authentication TAP Configuration

Properties Mandatory/Optional Description
oaa.tapAgentName Mandatory for OAA

The default value is OAM-OAA-TAP. This should not be changed if doing a new installation from December 24 onwards.

This should be set to the value of the TAP partner name created in section Registering OAA as a TAP Partner in OAM in Registering OAM TAP Partners.

If performing an upgrade from a release prior to December 24, seeUpgrading OAA, OARM, and OUA before upgrading.

oaa.tapAgentFileLocation Mandatory for OAA Set the value to the local PATH and file name of the keystore for the TAP partner created in section Registering OAA as a TAP Partner in OAM in Registering OAM TAP Partners.

Note:

The PATH must accessible to the OAA management container.
oaa.tapAgentFilePass Mandatory for OAA

Set the value to the Base64 encoded password of the TAP partner keystore generated in section Registering OAA as a TAP Partner in OAM in Registering OAM TAP Partners.

oaa.authFactors Mandatory for OAA The authentication factors to be created for the OAA OAM integration agent during a new installation. The default value is ChallengeEmail,ChallengeSMS,ChallengeOMATOTP,ChallengeYubicoOTP,ChallengeOMAPUSH,ChallengeFIDO2.