Understanding installOAA.properties Parameters

A.1 Common Deployment Configuration

This section provides details about the common deployment configuration properties that can be set in the installOAA.properties.

Common Deployment Configuration

Properties	Mandatory/Optional	Installation Type	Description
`common.dryrun`	Optional	All	If enabled and set to true, the helm installation will only display generated values and will not actually perform the OAA/OARM/OUA installation on the Kubernetes cluster. This is equivalent to `--dry-run --debug` option in the helm command.
`common.deployment.name`	Mandatory	All	Name of the OAA installation. It is unique per kubernetes cluster and namespace when the helm install command is run. The value given must be in lowercase.
`common.deployment.overridefile`	Optional	All	Override file for chart parameters override. The helm charts are present in `helmcharts` directory inside the management container. All the parameters defined in `values.yaml` can be overridden by this file, if enabled. The format of this file should be YAML only. A sample `oaaoverride.yaml` file is present in the `~/installsettings` directory inside the management container. See, Advanced Configuration with OAA Override File.
`common.kube.context`	Optional	All	Name of the Kubernetes context to be used. If the context is not provided, the default Kubernetes context is used.
`common.kube.namespace`	Optional	All	The namespace where you want to create the deployment. This should be the namespace created in Creating a Kubernetes Namespace and Secret. If the parameter is not set it will deploy to the default namespace.
`common.deployment.sslcert`	Mandatory	All	The server certificate PKCS12 file to be used in the installation. The file name, for example `cert.p12`, is the same file name as the one generated in Generating Server Certificates and Trusted Certificates. The PATH should not change as this is the internal path mapped inside the container. The file is seeded into the vault and downloaded by all OAA/OARM/OUA microservices
`common.deployment.trustcert`	Mandatory	All	The trusted certificate PKCS12 file to be used in the installation. The file name, for example `trust.p12`, is the same file name as the one generated in Generating Server Certificates and Trusted Certificates. The PATH should not change as this is the internal path mapped inside the container. The file is seeded into the vault and downloaded by all OAA/OARM/OUA microservices
`common.deployment.importtruststore`	Mandatory	All	If this is enabled then the trusted certificate is imported in the JRE truststore.
`common.deployment.keystorepassphrase`	Mandatory	All	Passphrase for the certificate PKCS12 file. This is the passphrase used when creating the keystore in Generating Server Certificates and Trusted Certificates. If you do not specify the value here, you are prompted for the value during installation.
`common.deployment.truststorepassphrase`	Mandatory	All	Passphrase for the trusted certificate PKCS12 file. This is the passphrase used when creating the trusted keystore in Generating Server Certificates and Trusted Certificates If you do not specify the value here you are prompted for the value during installation.
`common.deployment.generate.secret`	Mandatory	All	If set to true, the installation generates three symmetric keys and adds them to the `cert.p12` referenced by the parameter `common.deployment.sslcert`. The encryption keys generated are: spui-enckey - This key is used by the SPUI service for encryption. aes256_db_key_alias - This key is used for encrypting user runtime information in the database such as users questions/answers for Knowledge Based Authentication (KBA). aes256_config_key_alias - This key is for encrypting all the system related configuration. If you create these keys yourself then the value must be set to `false`. To create the keys, run the following command: `keytool -genseckey -alias $keynametouse -keyalg $KEYALGO -keystore $KEYSTORE -storepass $STOREPASS -storetype $STORETYPE -keysize $KEYSIZE` for example: `keytool -genseckey -alias spui-enckey -keyalg AES -keystore cert.p12 -storepass <password> -storetype PKCS12 -keysize 256`
`common.deployment.mode`	Mandatory	All	The following values can be set in `installOAA.properties` `Both` - install OAA and OARM. `OAA` - install OAA only. `Risk` - install OARM only. `OUA` - install OAA, OARM, and OUA.
`common.migration.configkey`	Optional	All	Base64 encoded config key from the transitioning system. If enabled, the value is placed in the vault and used for transitioning of legacy data. Use this only if you transition from Oracle Adaptive Access Manager 11gR2PS3.
`common.migration.dbkey`	Optional	All	Base64 encoded Database key from the transitioning system. If enabled, the value is placed in the vault and used for transitioning of database data. Use this only if you transition from Oracle Adaptive Access Manager 11gR2PS3.
`common.oim.integration`	Optional	All except OARM only installations	To integrate with OIM, set the property to true. This also enables the forgot password functionality. Use this only if you transition from Oracle Adaptive Access Manager 11gR2PS3.
`common.deployment.push.apnsjksfile`	Optional	All except OARM only installations	File used when enabling push factor for the Apple Push Notification Service. You need to set this only if you have already configured the JKS file prior to install. Else, you can configure this post installation. The JKS file should be copied to the `<NFS_VAULT_PATH>/ChallengeOMAPUSH/apns/` directory. The value should be set to `/u01/oracle/service/store/oaa/ChallengeOMAPUSH/apns/APNSCertificate.jks`. For more details, see Configuring Oracle Mobile Authenticator Push Notification for iOS.
`common.deployment.push.gcmjsonfile`	Optional	All except OARM only installations	File used when enabling push notifications for Android devices. You need to set this only if you have already have created your Google Firebase project and downloaded the service account json file prior to install. Else, you can configure this post installation. The `service-account.json` file should be copied to the `<NFS_VAULT_PATH>/ChallengeOMAPUSH/gcm/` directory. The value should be set to `/u01/oracle/service/store/oaa/ChallengeOMAPUSH/gcm/service-account.json`. For more details, see Configuring Oracle Mobile Authenticator Push Notification for Android.

A.2 Database Configuration

This section provides details about the database configuration properties that can be set in the installOAA.properties.

Database Configuration

Properties	Mandatory/Optional	Description
`database.createschema`	Mandatory	Enables creation of the schema during installation. If this is set to `false`, the schema is not created. However, irrespective of this flag, database validation is performed.
`database.host`	Mandatory	Specify the database hostname or IP address.
`database.port`	Mandatory	Specify the database port..
`database.sysuser`	Mandatory	Specify the `sysdba` user of the database.
`database.syspassword`	Mandatory	Specify the sys password. If you do not specify the value here, you are prompted for value during installation.
`database.schema`	Mandatory	Specify the name of the database schema to be used for installation. Note: The schema name cannot exceed twelve characters and must be in uppercase.
`database.tablespace`	Mandatory	Specify the tablespace name to be used for the installation.
`database.schemapassword`	Mandatory	Specify the schema password. If you do not specify the value here, you are prompted for value during installation.
`database.svc`	Mandatory	Specify the database service name.
`database.name`	Mandatory	Specify the database name. This can be the same as database service name. This parameter is not required if using a RAC database.

Note:

If using a secure connection to an Oracle Database via SSL, then additional configuration steps are required. These steps must be performed after the Management Container is started, and before: Deploying OAA, OARM, and OUA:

Obtain the Oracle Wallet for the Database:
1. For a standard Oracle database refer to your Database specific documentation for details on how to find the Oracle Database Wallet.
2. For an Oracle Autonomous Database on Shared Exadata Infrastructure (ATP-S) database follow: Download Client Credentials.
Create a db_wallet directory in the <NFS_CONFIG_PATH> used by the OAA deployment. Copy the wallet file(s) to the <NFS_CONFIG_PATH>/db_wallet directory.

Enter a bash shell for the OAA management pod:

kubectl exec -n <namespace> -ti <oaamgmt-pod> -- /bin/bash

For example:

kubectl exec -n oaans -ti oaamgmt-oaa-mgmt-7dfccb7cb7-lj6sv9 -- /bin/bash

Inside the container set the TNS_ADMIN environment variable:
```
export TNS_ADMIN=<NFS_CONFIG_PATH>/db_wallet
```
The db_wallet directory must have the correct read and write access privileges to be accessible from inside the container.
Deploy OAA as per Deploying OAA, OARM, and OUA.

A.3 OAM OAuth Configuration

This section provides details about the OAM OAuth configuration properties that can be set in the installOAA.properties.

OAM OAuth Configuration

Ensure you have followed the prerequisite steps for configuring OAM for OAuth. For details, see Configuring OAuth and Oracle HTTP Server .

Properties	Mandatory/Optional	Description
`oauth.enabled`	Mandatory	OAuth is required if you want to use the Administration Console and Self-Service Portal. If access to the Administration Console and Self-Service Portal is required, you must set this to `true` to enable OAuth in the OAA installation. If you do not want access to the Administration Console and Self-Service Portal set this to `false`. If you set `oauth.enabled=false` you must also set the following properties to `false`, otherwise the installation fails: `oauth.createdomain` `oauth.createresource` `oauth.createclient` If `oauth.enabled=false` you must also set these parameters to `false` under Optional Configuration: `install.spui.enabled` `install.oaa-admin-ui.enabled` `install.fido.enabled` `install.oaa-kba.enabled`
`install.global.service.security.oauth.enabled`	Optional	Controls whether to turn on OAuth for REST API calls. The default value is false and should not be changed during initial installation. Post installation, this value should not be set to true before reading and understanding Configuring OAuth JWT for REST APIs.
`install.global.service.security.basic.enabled`	Optional	Controls whether to use basic authentication for REST API calls. The default value is true. This value should not be changed during initial installation. Post installation, this value should not be set to false before reading and understanding Configuring OAuth JWT for REST APIs.
`oauth.createdomain`	Optional	Creates the OAuth domain. The OAuth domain is required to create OAuth resource and client.
`oauth.createresource`	Optional	Creates the OAuth resource. The OAuth resource is required to create the OAuth client.
`oauth.domainname`	Mandatory if `oauth.createdomain` is set to `true`	Specify the OAuth domain name. This must be same as the `<DomainName>` provided in Configuring OAuth and Oracle HTTP Server.
`oauth.identityprovider`	Mandatory if `oauth.createdomain` is set to `true`	Specify the identity provider for the OAM OAuth Domain. This is the name of the User Identity Store used in OAM.
`oauth.resourcename`	Mandatory if `oauth.enabled=true`	Specify the OAuth resource name to be created during installation. Also used for validation of the OAuth setup.
`oauth.resourcescope`	Mandatory if `oauth.enabled=true`	Specify the OAuth resource scope to be created during installation. Also used for validation of the OAuth setup.
`oauth.redirecturl`	Mandatory if `oauth.createclient` is set to `true`	Specify the client redirect URL. Post authentication redirecturl is required. This is used for validating configuration of OAuth services in OAM by generating an access token.
`oauth.applicationid`	Mandatory if `oauth.createclient` is set to `true`	Application ID of OAA protected by oauth. The value can be any valid string. It is required to setup runtime integration between OAM and OAA post OAA installation. See Integrating OAA with OAM.
`oauth.adminurl`	Mandatory if `oauth.enabled=true`	Specify the OAuth Administration URL This is the URL of the OAM Administration Server, for example `http://oam.example.com:7001`..
`oauth.basicauthzheader`	Mandatory if `oauth.enabled=true`	Base64 encoded authorization header for the OAM Administration Server. The value can be found by executing: `echo -n weblogic:<password> \| base64`.
`oauth.identityuri`	Mandatory if `oauth.enabled=true`	URL of the identity server used to retrieve OIDC metadata using `/.well-known/openid-configuration` endpoint. This is the front-end URL of the OAM Managed server providing runtime support for OAuth Services. For example : `http://ohs.example.com:7777`.
`oauth.createclient`	Optional	Creates the OAuth client. The OAuth client is required if `oauth.enabled` is set to `true`.
`oauth.clientname`	Mandatory if `oauth.createclient` is set to `true`	Specify the OAuth client name that will be created during the installation.
`oauth.clientgrants`	Mandatory if `oauth.createclient` is set to `true`	Specify the client grants for the OAuth client. OAuth client must have `CLIENT_CREDENTIALS`, which is used during validation stage to check OAuth status. Values must be: "PASSWORD","CLIENT_CREDENTIALS","JWT_BEARER","REFRESH_TOKEN","AUTHORIZATION_CODE","IMPLICIT".
`oauth.clienttype`	Mandatory if `oauth.createclient` is set to `true`	Specify the OAuth Client Type. OAM OAuth supports the following client types: PUBLIC_CLIENT, CONFIDENTIAL_CLIENT, MOBILE_CLIENT. As OAuth is used for the OAA Administration and User Preference consoles, PUBLIC_CLIENT should be used.
`oauth.clientpassword`	Mandatory if `oauth.enabled=true`	Specify the password that will be used for the OAuth client. The client password must conform to regex `^[a-zA-Z0-9.\-\/+=@_ ]*$` with a maximum length of 500.
`oauth.tokenexpiry`	Mandatory if both the following properties are set as: `install.global.service.security.oauth.enabled=true` and `install.global.service.security.basic.enabled=false`.	UI OAuth token expiry in seconds. Default value is 3600 seconds (one hour). This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
`api.oauth.tokenexpiry`	Mandatory if both the following properties are set as: `install.global.service.security.oauth.enabled=true` and `install.global.service.security.basic.enabled=false`.	API OAuth token expiry in seconds. Default value is 3600 seconds (one hour). This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
`oauth.adminname`	Mandatory if both the following properties are set as: `install.global.service.security.oauth.enabled=true` and `install.global.service.security.basic.enabled=false`.	Value must be set to an Administration user that is a member of the `OAA-Admin-Role` group. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
`oauth.adminpassword`	Mandatory if both the following properties are set as: `install.global.service.security.oauth.enabled=true` and `install.global.service.security.basic.enabled=false`.	Value must be set to the base64 password of the Administration user set for `oauth.adminname`. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
`oauth.appusername`	Mandatory if both the following properties are set as: `install.global.service.security.oauth.enabled=true` and `install.global.service.security.basic.enabled=false`.	Value must be set to any user that is a member of the `OAA-App-User` group. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
`oauth.appuserpassword`	Mandatory if both the following properties are set as: `install.global.service.security.oauth.enabled=true` and `install.global.service.security.basic.enabled=false`.	Value must be set to the base64 password of the Administration user set for `oauth.appuserpassword`. This should only be configured post installation. See Configuring OAuth JWT for REST APIs.
`oauth.provider`	Mandatory	The OAuth provider. The only valid value is `OAM`.

A.4 Vault configuration

This section provides details about the vault configuration properties that can be set in the installOAA.properties.

Vault Configuration

If you are using OCI vault, you can ignore the properties to be set for file-based vault.

Properties	Description
`vault.deploy.name`	Name to be used in the vault for this deploymemt. If the name is already present in the vault it will be reused.
`vault.create.deploy`	If the value is set to `true`, vault creation is performed. However, if a vault with the name provided in `vault.deploy.name` already exists then vault creation is skipped.
`vault.provider`	Specify if the vault is OCI or file based. Specify one of the following values: `fks` `oci`
The following properties are mandatory for OCI-based vault configurations if you have set `vault.provider=oci`. For for information about creating OCI vault, see Managing Vaults. The OCI vault must exist before setting the parameters below.
`vault.oci.uasoperator`	Specify the Base64 encoded private key of the user with read and write permission on OCI vault.
`vault.oci.tenancyId`	Specify the Base64 encoded OCI ID of the tenancy id.
`vault.oci.userId`	Specify the Base64 encoded OCID of the user with read and write permission on OCI vault.
`vault.oci.fpId`	Specify the Base64 encoded finger print of the user with read and write permission on OCI vault.
`vault.oci.compartmentId`	Specify the Base64 encoded OCID of the compartment where the vault exists in OCI.
`vault.oci.vaultId`	Specify the Base64 encoded OCID of the vault on OCI.
`vault.oci.keyId`	Specify the Base64 encoded OCID of the master secret key in OCI vault used to encrypt the secrets in the vault.
The following properties are mandatory for file-based vault configurations if you have set `vault.provider=fks`.
`vault.fks.server`	Specify the NFS server host name or IP address for the `<NFS_VAULT_PATH>`. For more details, see Configuring NFS Volumes.
`vault.fks.path`	Specify the `<NFS_VAULT_PATH>` which will store the file based vault. For more details, see Configuring NFS Volumes.
`vault.fks.key`	Specify a Base64 encoded password for the file based vault. To find the Base64 encoded version of the password use: `echo -n weblogic:<password> \| base64`.
`vault.fks.mountpath`	The mount path in the management container and for installed services where the vault exists. The value of this property must be the same as the value passed through the helm chart. Do not change this value: `/u01/oracle/service/store/oaa`.

A.5 Helm Chart Configuration

This section provides details about the helm chart configuration properties that can be set in the installOAA.properties.

Helm Chart Configuration

These properties are passed as input to the helm chart during installation.

Properties	Mandatory/Optional	Description
`install.global.repo`	Mandatory	Specify the Container Image Registry where the OAA container images exists. For more details, see Setting Up a Container Image Registry (CIR)
`install.global.testrepo`	Optional	Speficies an alternate Container Image Registry where container images can be pulled. For example, OAA installs the `oraclelinux:8-slim` and `oraclelinux7-instantclient` images from an external site (`https://ghcr.io/oracle`). If your Kubernetes cluster does not have access to the internet, you must pull the images and store them in your container registry. Then you must set `install.global.testrepo` to the location of your container registry.
`install.riskdb.service.type`	Mandatory	You must set the value of this property always to `ExternalName`, as the database is external to the OAA installation.
`install.global.imagePullSecrets\[0\].name`	Mandatory	Specify the Kubernetes secret reference that needs to be used while pulling the container images from the protected Container Image Registry. Note: This must be set to the Kubernetes secret that you set earlier e.g `dockersecret`. For more details, see Creating a Kubernetes Namespace and Secret.
`install.global.image.tag`	Mandatory	Update the global image tag to the image tag in your Container Image Registry. Note: If you copied the `installOAA.properties.template` to `installOAA.properties` this tag will be already set.
`install.global.oauth.logouturl`	Optional	Specify the logout URL for OAuth protected resource. This is the front-end URL of the OAM Managed server. For example : `http://ohs.example.com:7777/oam/server/logout`. Required only when `oauth.enabled` is set to `true`.
`install.global.uasapikey`	Mandatory	Specify the REST API key to be used used for protecting rest endpoints in OAA microservice.
`install.global.policyapikey`	Mandatory	Specify the REST API key to be used used for protecting REST endpoints in the OAA policy microservice.
`install.global.factorsapikey`	Mandatory	Specify the REST API key to be used for protecting REST endpoints in the OAA factor microservice.
`install.global.riskapikey`	Mandatory for any install type that installs OARM.	Specify the REST API key to be used for protecting REST endpoints in the OAA risk microservice. This parameter is mandatory if performing an OAA-OARM installation, OARM only, or OAA-OARM-OUA installation.
`install.global.drssapikey`	Mandatory for OAA-OARM-OUA installations.	Specify the REST API key to be used for protecting REST endpoints in the OAA DRSS microservice. This parameter is mandatory if performing an OAA-OARM-OUA installation.
In case of OCI vault, the following configurations can be overridden if provided for read-only users during helm installation. If the values are not provided in the following properties then the values are picked from Vault Configuration.
`install.global.vault.mapId`	Optional	For a pre-existing vault you can provide the Base64 mapId. If the property is set then it validates against the deploy information in the vault.
`install.global.vault.oci.uasoperator`	Optional	Specify the Base64 encoded private key of the user with the read-only permission on the vault.
`install.global.vault.oci.tenancyId`	Optional	Specify the Base64 encoded tenancy id from OCI.
`install.global.vault.oci.userId`	Optional	Specify the Base64 encoded user id from OCI.
`install.global.vault.oci.fpId`	Optional	Specify the Base64 encoded finger print id of the user from the OCI.

A.6 Optional Configuration

This section provides details about the optional configuration properties that can be set in the installOAA.properties.

Properties	Mandatory/Optional	Description
`install.global.ingress.enabled`	Optional	This property is used to indicate if ingress is to be enabled for the deployment. If the value is set to true, the ingress resource in the Kubernetes cluster for the deployment will be generated. If a pure NodePort based deployment is required, the value should be set to false.
`install.global.ingress.runtime.host`	Optional	You can specify the Host name to be used for ingress definition for the runtime host. If the value for the property is missing, ingress definition is created using '*' host. The runtime host is used for accessing runtime services including all factors, oaa, spui and risk.
`install.global.ingress.admin.host`	Optional	You can specify the Host name to be used for ingress definition for the admin host. If the value for the property is missing, ingress definition is created using '*' host. The admin host is used for accessing admin, policy and risk-cc services.
`install.global.dbhost` `install.global.dbport` `install.global.dscredentials` `install.global.dbservicename`	Optional	These properties are related to the database. If the property is not specified here, the values provided in the Database Configuration are used.
`install.global.oauth.oidcidentityuri` `install.global.oauth.oidcaudience` `install.global.oauth.oidcclientid`	Optional	The following properties are related to OAuth. If they are not specified here, the values provided in the OAuth Configuration are used.
`install.global.serviceurl`	Optional	If load balancer/ingress url is present, then configure the url here. All UI services will be behind this load balancer/ingress. In case ingress installation is set to true, the appropriate service url will be fetched after ingress installation and will be used as service url. If `install.global.serviceurl` is provided, the service url from this property will have higher priority and override the original value.
`install.oaa-admin-ui.serviceurl`	Optional	Service URL of oaa admin, if different from `install.global.serviceurl`.
`install.spui.enabled=false` `install.fido.enabled=false` `install.oaa-admin-ui.enabled=false` `install.oaa-kba.enabled=false`	Optional	If `oauth.enabled=false` the Admininistration console (`oaa-admin-ui`), Self-Service Portal (`spui`) , FIDO (`fido`) and KBA (`oaa-kba`) factors cannot be used. If `oauth.enabled=false` you must uncomment these properties. When `common.deployment.mode=Risk` the following service are not deployed: fido, push, yotp, email ,sms, totp and kba.
`install.totp.enabled=false` `install.push.enabled=false` `install.sms.enabled=false` `install.yotp.enabled=false` `install.email.enabled=false`		Authentication factor services are enabled by default. To disable them uncomment the lines. When `common.deployment.mode=Risk` the following service are not deployed: fido, push, yotp, email ,sms, totp and kba.
`install.service.type=ClusterIP` `install.oaa-admin-ui.service.type=NodePort` `install.oaa-policy.service.type=NodePort` `install.spui.service.type=NodePort` `install.totp.service.type=NodePort` `install.fido.service.type=NodePort` `install.push.service.type=NodePort` `install.email.service.type=NodePort` `install.sms.service.type=NodePort` `install.yotp.service.type=NodePort` `install.risk.service.type=NodePort` `install.oaa-kba.service.type=NodePort` `install.oaa-drss.service.type=NodePort` `install.risk.riskcc.service.type=NodePort`	Optional	Default service type for services is ClusterIP. When deployment mode is Risk the following service are not deployed : fido, push, yotp, email ,sms, totp and kba. If `install.global.ingress.enabled=true` all these parameters except `install.service.type=ClusterIP` should be commented out.

For details on installing using ingress, see: Installing NGINX Ingress Controllers

A.7 Ingress Configuration

This section provides details about the Ingress configuration properties that can be set in the installOAA.properties.

Table A-1 Ingress Configuration

Properties	Mandatory/Optional	Description
`ingress.install`	Mandatory	Set value to `true` if you want the installation to install an ingress controller for you. Set to `false` if you do not want to install the ingress controller. If this is set to `true` then `install.global.ingress.enabled=true` must also be set in Optional Configuration.
`ingress.namespace`	Mandatory if ingress.install=true	The Kubernetes namespace which will be used to install ingress. The install will create this namespace in Kubernetes. For example, `ingress-nginx`.
`ingress.admissions.name=ingress-nginx-controller-admission`	Optional if ingress.install=true	The name of the Admissions controller. The Admissions controller can be installed separately. If Ingress admissions name is not present, the `controller.admissionWebhooks.enabled` will be set to `false` in the NGINX ingress chart.
`ingress.class.name=nginx`	Mandatory if ingress.install=true	Ingress class name that needs to be used for the installation. It must not be an existing class name.
`ingress.service.type`	Mandatory if ingress.install=true	Set the value to `NodePort` if using a bare metal Kubernetes cluster. The ingress controller will listen on one of the nodes of the cluster on a dynamically assigned port.
`ingress.install.releaseNameOverride=base`	Optional if ingress.install=true	Anything starting with `ingress.install` can be additionally supplied to set the ingress chart value.

For details on installing using ingress, see: Installing NGINX Ingress Controllers

A.8 Management Container Configuration

This section provides details about the Management Container configuration properties that can be set in the installOAA.properties.

Table A-2 Management Configuration

Properties	Mandatory/Optional	Description
`install.mount.config.path`	Mandatory	Set the value of `<NFS_CONFIG_PATH>` to the NFS mount path for the configuration.
`install.mount.config.server`	Mandatory	The IP address of the NFS server for the `<NFS_CONFIG_PATH>`.
`install.mount.creds.path`	Mandatory	Set the value of `<NFS_CREDS_PATH>` to the NFS mount path for the credentials.
`install.mount.creds.server`	Mandatory	The IP address of the NFS server for the `<NFS_CREDS_PATH>`.
`install.mount.logs.path`	Mandatory	Set the value of `<NFS_LOGS_PATH>` to the NFS mount path for the logs.
`install.mount.logs.server`	Mandatory	The IP address of the NFS server for the `<NFS_LOGS_PATH>` .
`install.mgmt.release.name`	Optional	Name of the OAA management container installation used when the helm install command is run. If not set you will be prompted for the name during the installation. The value given must be in lowercase.
`install.kube.creds`	Optional	Set the value to the local PATH where `kubeconfig` resides. If not set the management container will use `$KUBECONFIG` or `~/.kube/config` for Kubernetes credentials.
`common.local.sslcert`	Mandatory	Set the value to the local PATH where the server certificate PKCS12 file (`cert.p12`) resides. This only needs to be set If you have generated your own certificates as per Generating Server Certificates and Trusted Certificates. If you want to use self signed certificates, do not set this.
`common.local.trustcert`	Mandatory	Set the value to the local PATH where the trusted certificate PKCS12 file (`trust.p12`) resides. This only needs to be set If you have generated your own certificates as per Generating Server Certificates and Trusted Certificates. If you want to use self signed certificates, do not set this.

For details on NFS mounts, see: Configuring NFS Volumes

A.9 Oracle Universal Authenticator Configuration

This section provides details about the Oracle Universal Authenticator (OUA) configuration properties that can be set in the installOAA.properties.

Table A-3 Oracle Universal Authenticator Configuration

Properties	Mandatory/Optional	Description
`oua.tapAgentName`	Mandatory for OUA	The default value is `OAM-OUA-TAP`. This should not be changed. This should be set to the value of the TAP partner name created in section Registering OUA as a TAP Partner in OAM in Registering OAM TAP Partners.
`oua.tapAgentFileLocation`	Mandatory for OUA	Set the value to the local PATH and file name of the keystore for the OAM OAA TAP partner created in section Registering OUA as a TAP Partner in OAM in Registering OAM TAP Partners. Note: The PATH must accessible to the OAA management container.
`oua.tapAgentFilePass`	Mandatory for OUA	Set the value to the Base64 encoded password of the TAP partner keystore generated in section Registering OUA as a TAP Partner in OAM in Registering OAM TAP Partners.
`oua.oamRuntimeEndpoint`	Mandatory for OUA	The OHS URL used as the entry point to OAM. If a load balancer front ends the OHS then this value is the load balancer URL.

A.10 LDAP Configuration

This section provides details about the LDAP configuration properties that can be set in the installOAA.properties.

Table A-4 LDAP Configuration

Properties	Mandatory/Optional	Description
`ldap.server`	Mandatory for OAA	The LDAP server protocol, hostname and port for the LDAP server used by OAM.
`ldap.username`	Mandatory for OAA	The user name of the directory administrator.
`ldap.password`	Mandatory for OAA	The password of the directory administrator.
`ldap.oaaAdminUser`	Mandatory for OAA	The OAA administration user to be created in the LDAP user search base.
`ldap.adminRole`	Mandatory for OAA	The OAA-Admin-Role group to be created in the LDAP group search base.
`ldap.userRole`	Mandatory for OAA	The OAA-App-User group to be created in the LDAP group search base.
`ldap.oaaAdminUserPwd`	Mandatory for OAA	Set to a password of your choice. This will be the password for the `ldap.oaaAdminUser`.
`ldap.addExistingUsers`	Mandatory for OAA	Set this value to `yes` if you want the OAA installation to add all your existing users in your <LDAP_USER_SEARCHBASE> to the OAA-App-User group. See Creating Users and Groups in the LDAP Store for more details.

A.11 Oracle Advanced Authentication TAP Configuration

This section provides details about the Oracle Advanced Authentication TAP configuration properties that can be set in the installOAA.properties.

Table A-5 Oracle Advanced Authentication TAP Configuration

Properties	Mandatory/Optional	Description
`oaa.tapAgentName`	Mandatory for OAA	The default value is `OAM-OAA-TAP`. This should not be changed if doing a new installation from December 24 onwards. This should be set to the value of the TAP partner name created in section Registering OAA as a TAP Partner in OAM in Registering OAM TAP Partners. If performing an upgrade from a release prior to December 24, seeUpgrading OAA, OARM, and OUA before upgrading.
`oaa.tapAgentFileLocation`	Mandatory for OAA	Set the value to the local PATH and file name of the keystore for the TAP partner created in section Registering OAA as a TAP Partner in OAM in Registering OAM TAP Partners. Note: The PATH must accessible to the OAA management container.
`oaa.tapAgentFilePass`	Mandatory for OAA	Set the value to the Base64 encoded password of the TAP partner keystore generated in section Registering OAA as a TAP Partner in OAM in Registering OAM TAP Partners.
`oaa.authFactors`	Mandatory for OAA	The authentication factors to be created for the OAA OAM integration agent during a new installation. The default value is `ChallengeEmail,ChallengeSMS,ChallengeOMATOTP,ChallengeYubicoOTP,ChallengeOMAPUSH,ChallengeFIDO2`.