E Understanding OAA/OARM Backup and Recovery
This chapter contains information on backup and recovery techniques. It contains the following sections:
E.1 Backing Up OAA/OARM
Oracle recommends that you periodically take a full backup of OAA/OARM data so that you can recover from any unforeseen event and restore your OAA/OARM system.
- File system data is stored in the NFS volumes. This data includes wallets, the vault, installation properties, and logs.
- Policy and configuration data is stored in the database. This data includes assurance levels, rules, policies, actions, groups, customized configuration properties, and transaction definitions.
- Runtime data is stored in the database. This data includes user preferences, user sessions, custom user activities, and online transaction and processing data.
A full backup consists of the file system data and a backup of the database.
Oracle also recommends taking policy and configuration data snapshots at various intervals, or when significant policy or configuration changes are made.
E.1.1 Backing Up File System Data
Oracle recommends that you periodically back up OAA/OARM file system data so that you can recover from any unforeseen event and restore your OAA/OARM system.
OAA/OARM file system data is stored in the NFS volumes <NFS_CONFIG_PATH>, <NFS_CREDS_PATH>, <NFS_LOGS_PATH>, and <NFS_VAULT_PATH>.
You must back up the contents of these NFS volumes by copying them, or by creating a compressed zip or tar file, and store the files in a safe and secure location.
For more information on the NFS volumes, see: Configuring NFS Volumes.
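One way to script the tar option, as an added example that is not Oracle's tooling: it archives each NFS volume with owner-only permissions (the volumes hold wallets and the vault) and records SHA-256 digests that are checked before anything is unpacked. The function names and the SHA256SUMS manifest name are assumptions, as is that the volume directories have distinct base names.

```shell
#!/bin/sh
# Added example, not Oracle's tooling. Function names and the SHA256SUMS manifest
# name are assumptions; each volume directory must have a distinct base name.

# backup_volumes DEST DIR...: write DEST/<name>.tar.gz per volume plus a digest list.
backup_volumes() {
    dest=$1; shift
    (
        umask 077                      # wallets and vault inside: owner-only files
        mkdir -p "$dest" || exit 1
        for dir in "$@"; do
            name=$(basename "$dir")
            tar -czf "$dest/$name.tar.gz" -C "$(dirname "$dir")" "$name" || exit 1
        done
        cd "$dest" && sha256sum -- *.tar.gz > SHA256SUMS
    )
}

# verify_backup DEST: succeed only if every archive still matches its recorded digest.
verify_backup() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# restore_volume DEST NAME TARGET_PARENT: verify first, then unpack one volume.
restore_volume() {
    verify_backup "$1" || { echo "digest mismatch in $1, not restoring" >&2; return 1; }
    tar -xzf "$1/$2.tar.gz" -C "$3"
}
```

A manifest stored beside the archives detects corruption only; keep a copy of SHA256SUMS somewhere the backup location's writers cannot change if tampering is a concern.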
E.1.2 Backing Up Runtime Data
Oracle recommends that you periodically back up OAA/OARM runtime data so that you can recover from any unforeseen event and restore your OAA/OARM system.
To back up runtime data, use standard database backup techniques.
For OCI based databases, see Backup Data in Your Databases.
For non-OCI based databases, see Backup and Recovery User's Guide.
E.1.3 Backing Up Policy and Configuration Data
Oracle recommends that you periodically back up OAA/OARM policy and configuration data so that you can recover from any unforeseen event and restore your OAA/OARM system.
To back up policy and configuration data:
- Create a snapshot of the configuration using the <PolicyUrl>/policy/risk/v1/snapshots REST API endpoint. For example:

      curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/' \
      --header 'Content-Type: application/json' \
      --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
      --data '{
          "name":"Backup Snapshot <DATE>",
          "description": "This is a snapshot from <DATE>"
      }'

  For details about finding the PolicyUrl and authenticating, see OAA Admin API. For more details about the snapshot endpoint, see Snapshot REST Endpoints.

  The above command will return a snapshotId, for example:

      {
          "status": "201",
          "message": "Snapshot created successfully.",
          "snapshot": {
              "name": "Backup Snapshot <DATE>",
              "description": "This is a snapshot from <DATE>",
              "snapshotId": "3",
              "createTime": "<DATE>"
          }
      }

- Export the snapshot to a zip file using the snapshotId returned above, as follows:

      curl --location --request GET '<PolicyUrl>/policy/risk/v1/snapshots/<snapshotId>' \
      --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' >snapshot<DATE>.zip

  Store the downloaded zip file in a safe and secure location.
E.2 Restoring OAA/OARM
In order to restore system or runtime data, you must first have created a backup. See Backing Up OAA/OARM.
The steps to restore OAA/OARM depend on the reasons for restoring, and on whether you are restoring to the same OAA/OARM installation and/or database installation, or to a new installation and/or database installation. The sections below outline the recovery steps based on different scenarios:
E.2.1 Restoring to an Existing Installation
- A full system restore, where you need to perform a full restore of the file system data, the database (runtime data), and policy and configuration data, to the existing installation. This will restore the environment to the point the last full backup was taken.
- A partial restore, where you only need to restore one of either system data, policy and configuration data, the database, or a combination thereof, to the existing installation.

- If the database needs to be restored, restore the database using standard database recovery techniques. Consult your Oracle Database documentation for further details.
- If OAA/OARM file system data needs to be restored, follow section Restoring file system data to an existing installation in Restoring OAA/OARM File System Data.
- Restart the OAA/OARM pods by running the following command:

      kubectl get deployment -n <namespace> | grep <deployment-name> | awk '{print $1}' | xargs kubectl rollout restart deployment -n <namespace>

  For example:

      kubectl get deployment -n oaans | grep oaainstall | awk '{print $1}' | xargs kubectl rollout restart deployment -n oaans

  The output will look similar to the following:

      deployment.apps/oaainstall-email restarted
      deployment.apps/oaainstall-fido restarted
      deployment.apps/oaainstall-oaa restarted
      deployment.apps/oaainstall-oaa-admin-ui restarted
      deployment.apps/oaainstall-oaa-kba restarted
      deployment.apps/oaainstall-oaa-policy restarted
      deployment.apps/oaainstall-push restarted
      deployment.apps/oaainstall-risk restarted
      deployment.apps/oaainstall-risk-cc restarted
      deployment.apps/oaainstall-sms restarted
      deployment.apps/oaainstall-spui restarted
      deployment.apps/oaainstall-totp restarted
      deployment.apps/oaainstall-yotp restarted
      deployment.apps/oaamgmt-oaa-mgmt restarted

  The above command starts new OAA/OARM pods first, before shutting down the original pods.

  Run the following command to check the status of the pods:

      kubectl get pods -n <namespace>

  For example:

      kubectl get pods -n oaans

  Once all the previous pods are terminated, and the new pods are at READY 1/1, the system is restored:

      NAME                                       READY   STATUS    RESTARTS   AGE
      oaainstall-email-75cccd89f8-9xrgs          1/1     Running   0          5m34s
      oaainstall-fido-68777f8cc8-pfw8c           1/1     Running   0          5m34s
      oaainstall-oaa-74d5669788-lj5cp            1/1     Running   0          5m34s
      oaainstall-oaa-admin-ui-585d55c45b-fzdvk   1/1     Running   0          5m34s
      oaainstall-oaa-kba-5b9db9f8db-zwkh2        1/1     Running   0          5m34s
      oaainstall-oaa-policy-559fb4d777-qjvwm     1/1     Running   0          5m34s
      oaainstall-push-6898c6cb56-l4mg2           1/1     Running   0          5m34s
      oaainstall-risk-cc-db558dc5c-qlh8q         1/1     Running   0          5m34s
      oaainstall-risk-f48b794bc-j46pz            1/1     Running   0          5m34s
      oaainstall-sms-659677b84b-wf7sn            1/1     Running   0          5m34s
      oaainstall-spui-6fc8685df9-fhp9w           1/1     Running   0          5m33s
      oaainstall-totp-cccd94786-622qd            1/1     Running   0          5m33s
      oaainstall-yotp-5fbfd55d4c-d6wqn           1/1     Running   0          5m33s
      oaamgmt-oaa-mgmt-94f84ccc6-gwdp2           1/1     Running   0          5m32s

- If you need to import any policy and configuration data from snapshots taken after the last database backup, follow Restoring OAA/OARM Policy and Configuration Data.
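The pod status check from the restart step, as an added example that is not Oracle's code: it reads `kubectl get pods` output and treats the restore as complete only when no original pod is still terminating and every listed pod is Running with all containers ready. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Reads `kubectl get pods` output on stdin.

# Print "name ready status" for each pod that is not Running with every container
# ready. A Terminating line means an original pod has not shut down yet.
pods_not_ready() {
    awk '$1 != "NAME" && NF >= 3 {
        split($2, ready, "/")
        if ($3 != "Running" || ready[1] != ready[2]) print $1, $2, $3
    }'
}

# Succeed only if at least one pod is listed and none is reported by pods_not_ready.
restore_complete() {
    listing=$(cat)
    [ -n "$(printf '%s\n' "$listing" | awk '$1 != "NAME" && NF >= 3')" ] || return 1
    [ -z "$(printf '%s\n' "$listing" | pods_not_ready)" ]
}

# Constructed sample: one old pod still terminating, one new pod not yet ready.
sample_in_progress() {
    cat <<'EOF'
NAME                                READY   STATUS        RESTARTS   AGE
oaainstall-oaa-74d5669788-lj5cp     1/1     Running       0          40s
oaainstall-oaa-6c9f7d5b4-x2k8q      1/1     Terminating   0          3d
oaainstall-risk-f48b794bc-j46pz     0/1     Running       0          40s
EOF
}

# wait_for_restore NAMESPACE [TRIES]: poll every 10 seconds (needs cluster access).
wait_for_restore() {
    tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        kubectl get pods -n "$1" | restore_complete && return 0
        tries=$((tries - 1)); sleep 10
    done
    return 1
}
```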
E.2.2 Restoring to a New Installation
The instructions below can be used to perform the following:
- A full system restore, where you need to perform a full restore of the file system data, the database (runtime data), and policy and configuration data, to a new installation and database environment. This will restore all file system data, policy and configuration data, and runtime data to the point the last full backup was taken.
- A partial restore, where you only need to restore one of either system data, policy and configuration data, the database (runtime data), or a combination thereof, to a new installation.
Note:
If you are only restoring the database to a new database installation, you still need to follow step 3 to restore the OAA/OARM file system data.
Note:
The instructions below assume that if file system data is to be restored to a new installation environment, the necessary installation prerequisites for that new environment are met. See Prerequisite Configurations for Installing OAA, OARM, and OUA.

- If the database needs to be restored to a new environment, restore the database using standard database recovery techniques. Consult your Oracle Database documentation for further details.
- If you need to restore the file system data to a new installation environment, download the OAA/OARM installation files to that environment. See Obtaining the Installation Software.
- Restore OAA/OARM file system data by following section Restoring file system data to a new installation in Restoring OAA/OARM File System Data.
- If you need to import any policy and configuration data from snapshots taken after the last database backup, follow Restoring OAA/OARM Policy and Configuration Data.
E.2.3 Cloning an Installation
Note:
The instructions below assume that if file system data is to be cloned to a new installation, the necessary installation prerequisites for that new environment are met. See Prerequisite Configurations for Installing OAA, OARM, and OUA.

- Download the OAA/OARM installation files to the new system. See Obtaining the Installation Software.
- Restore OAA/OARM file system data to the new system by following section Restoring file system data to a new installation in Restoring OAA/OARM File System Data.
- Restore policy and configuration data by following Restoring OAA/OARM Policy and Configuration Data.
E.2.4 Restoring OAA/OARM File System Data
In order to restore OAA/OARM file system data, you must first have created a backup. See Backing Up File System Data.
Restoring file system data to an existing installation
- Copy the file system data from the backup to the NFS volumes <NFS_CONFIG_PATH>, <NFS_CREDS_PATH>, <NFS_LOGS_PATH>, and <NFS_VAULT_PATH>.
- Review the <NFS_CONFIG_PATH>/installOAA.properties file and ensure all the external resources such as NFS, the Oracle Database, and OAM OAuth endpoints are available and running.
- Check if the OAA Management container is running:

      kubectl get pods -n <namespace> | grep oaamgmt

  For example:

      kubectl get pods -n oaans | grep oaamgmt

- If the OAA Management container isn't running, you must perform the following steps:
  - Copy the installOAA.properties from the <NFS_CONFIG_PATH> to the $WORKDIR/oaaimages/oaa-install directory.
  - Start the OAA Management container by following: Creating the Management Container.
- Continue with the instructions to restart the OAA/OARM pods in section Restoring to an Existing Installation.
Restoring file system data to a new installation
- Copy the file system data from the backup to the NFS volumes <NFS_CONFIG_PATH>, <NFS_CREDS_PATH>, <NFS_LOGS_PATH>, and <NFS_VAULT_PATH>.
- Review the <NFS_CONFIG_PATH>/installOAA.properties file and ensure all the external resources such as NFS, the Oracle Database, and OAM OAuth endpoints are available and running.
  Note:
  If you are restoring to a new system and/or database, make sure all the relevant parameters reference the new system and/or database.
- Remove the <NFS_LOGS_PATH>/status.info file.
- Copy the installOAA.properties from the <NFS_CONFIG_PATH> to the $WORKDIR/oaaimages/oaa-install directory.
- Start the OAA Management Container by following: Creating the Management Container.
- Run the OAA install script from inside the OAA Management container. See Deploying OAA, OARM, and OUA. This will create a new deployment based on your restored OAA/OARM file system data.
E.2.5 Restoring OAA/OARM Policy and Configuration Data
In order to restore policy and configuration data, you must have either previously created a snapshot, or have the snapshot zip file from a prior backup.
Note:
It is recommended to take a snapshot of the current policy and configuration data before following the steps below. See Backing Up Policy and Configuration Data.
Restoring from a previous snapshotId
- Apply the snapshot for that snapshotId:

      curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/<snapshotId>/apply' \
      --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
      --data ''

  For details about finding the PolicyUrl and authenticating, see OAA Admin API.
  For more details about the snapshot endpoint, see Snapshot REST Endpoints.
Restoring from a snapshot zip file
- Import the snapshot zip file:

      curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/' \
      --header 'Content-Type: application/octet-stream' \
      --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
      --data-binary '@<PATH>/snapshot<DATE>.zip'

  This will return a snapshotId:

      {
          "status": "201",
          "message": "Snapshot created successfully.",
          "snapshot": {
              "name": "Backup Snapshot <DATE>",
              "description": "This is a snapshot from <DATE>",
              "snapshotId": "4",
              "createTime": "<DATE>"
          }
      }

- Apply the snapshot:

      curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/<snapshotId>/apply' \
      --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
      --data ''

  The output will be similar to the following:

      {
          "serverResponseTime": 1683106368000,
          "clientContext": {
              "invocationContext": {
                  "createTime": 1683106335536,
                  "invocationId": "d61f7f30-a264-4be0-bb2d-9e5e88c58d19",
                  "traceDataXml": "<OARMInvocationContext><invocationId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></invocationId><locale></locale><createTime><DATE></createTime></OARMInvocationContext>"
              },
              "sessionContext": {
                  "sessionId": "",
                  "clientId": "",
                  "clientVersion": "",
                  "userPrincipal": "",
                  "ipAddress": "",
                  "userAgent": "",
                  "createTime": 1683106335537,
                  "appName": "UASPolicyApi",
                  "accessControlledRole": false,
                  "orgAccessList": [],
                  "roles": [],
                  "traceDataXml": "<OARMSessionContextOARMSessionContext><clientId></clientId><userAgentString></userAgentString><userPrincipal></userPrincipal><roles><![CDATA[[]]]></roles><ip></ip><clientVersion></clientVersion><createTime><DATE></createTime></OARMSessionContextOARMSessionContext>"
              },
              "taskContext": {
                  "taskId": "d61f7f30-a264-4be0-bb2d-9e5e88c58d19",
                  "createTime": 1683106335536,
                  "traceDataXml": "<OARMTaskContext><taskId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></taskId><createTime><DATE></createTime></OARMTaskContext>"
              },
              "traceDataXml": "<clientContext><OARMSessionContextOARMSessionContext><clientId></clientId><userAgentString></userAgentString><userPrincipal></userPrincipal><roles><![CDATA[[]]]></roles><ip></ip><clientVersion></clientVersion><createTime><DATE></createTime></OARMSessionContextOARMSessionContext><OARMTaskContext><taskId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></taskId><createTime><DATE></createTime></OARMTaskContext><OARMInvocationContext><invocationId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></invocationId><locale></locale><createTime><DATE></createTime></OARMInvocationContext></clientContext>"
          },
          "object": true,
          "error": false,
          "success": true,
          "oarmmessages": [],
          "warning": false,
          "serverVersion": "11.1.1.2.0",
          "systemError": false,
          "serverId": "oaainstall-oaa-policy-77bccf774b-48b6s/10.244.1.206",
          "traceDataXml": "<OARMResponse><serverId><![CDATA[oaainstall-oaa-policy-77bccf774b-48b6s/10.244.1.206]]></serverId><status><![CDATA[SUCCESS]]></status><serverResponseTime><DATE></serverResponseTime><serverVersion><![CDATA[11.1.1.2.0]]></serverVersion><messageList></messageList></OARMResponse>"
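
The snapshot steps in Backing Up Policy and Configuration Data and the zip-file restore above, scripted as an added example that is not Oracle's code: credentials come from a netrc file rather than an Authorization header typed on the command line, HTTP errors fail the call, and a download is accepted only if it is a zip archive. POLICY_URL, NETRC and the function names are assumptions, as is that snapshot ids are numeric as in the sample responses.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumed names: POLICY_URL (the PolicyUrl) and
# NETRC (a mode-0600 netrc file with the admin login). Ids are assumed numeric.
api() {  # fail on HTTP errors; credentials come from the netrc file, not argv
    curl --silent --show-error --fail --location --netrc-file "$NETRC" "$@"
}

# Print the snapshotId from a create/import response on stdin if status is 201.
snapshot_id_from_response() {
    resp=$(cat)
    printf '%s' "$resp" | grep -Eq '"status"[[:space:]]*:[[:space:]]*"201"' || return 1
    printf '%s\n' "$resp" |
        sed -n 's/.*"snapshotId"[[:space:]]*:[[:space:]]*"\([0-9][0-9]*\)".*/\1/p' |
        head -n 1 | grep .
}

# True if FILE starts with the ZIP local-file-header signature PK\003\004.
is_zip() {
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# True if the apply response on stdin reports success and no error.
apply_succeeded() {
    resp=$(cat)
    printf '%s' "$resp" | grep -Eq '"success"[[:space:]]*:[[:space:]]*true' &&
        printf '%s' "$resp" | grep -Eq '"error"[[:space:]]*:[[:space:]]*false'
}

# backup_snapshot OUT: create a snapshot, export it to OUT, print its id.
backup_snapshot() {
    day=$(date +%Y-%m-%d)
    id=$(api --request POST "$POLICY_URL/policy/risk/v1/snapshots/" \
             --header 'Content-Type: application/json' \
             --data "{\"name\":\"Backup Snapshot $day\",\"description\":\"Snapshot from $day\"}" |
         snapshot_id_from_response) || return 1
    ( umask 077; api --output "$1" "$POLICY_URL/policy/risk/v1/snapshots/$id" ) || return 1
    is_zip "$1" || return 1   # an error page saved as .zip is not a backup
    printf '%s\n' "$id"
}

# restore_snapshot ZIP: import the archive, then apply the snapshot it creates.
restore_snapshot() {
    is_zip "$1" || return 1
    id=$(api --request POST "$POLICY_URL/policy/risk/v1/snapshots/" \
             --header 'Content-Type: application/octet-stream' \
             --data-binary "@$1" | snapshot_id_from_response) || return 1
    api --request POST "$POLICY_URL/policy/risk/v1/snapshots/$id/apply" --data '' |
        apply_succeeded
}
```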