14 Oracle Adaptive Access Manager

This chapter includes detailed Oracle Adaptive Access Manager component upgrade instructions and documentation updates. For information on resolved issues and database changes, refer to the most current Readme available.

14.1 Full Installation Packages

From Oracle Adaptive Access Manager, Release 10.1.4.5.bp3 onwards, a complete deployment package to set up the Oracle Adaptive Access Manager application and the database schema is no longer available as part of the bundle patches.

In order to perform a complete deployment Oracle Adaptive Access Manager at the most current revision, you will need to download the base 10.1.4.5 deployment package from OTN and then apply the latest bundle patch and the database patches.

14.2 Bundle Patch Contents

A bundle patch is an official Oracle patch for Oracle Access Manager components on baseline platforms. Bundle patches are released on a regular basis, after one product release and before the next.

Starting with Oracle Adaptive Access Manager, Release 10.1.4.5.bp4, each bundle patch includes:

component patches that incorporate all the changes distributed in any patch release since 10.1.4.5.0
incremental databases patches that contain changes for each bundle patch release, starting from 10.1.4.5.0 up to the most recent version

14.3 General Upgrade Instructions

General upgrade instructions are provided below.

To upgrade the components that pertain to your 10.1.4.5 installation, you must follow the detailed instructions in Section 14.4, "Component and Database Upgrade Procedures."

Determine Current Patch Level

To determine your current patch level, follow these instructions:

Log in to Adaptive Risk Manager.
Click HELP.
Select ONLINE HELP.
Select ABOUT.

The About panel should indicate the version you are running with "Welcome to Oracle Adaptive Access Manager version - 10.1.4.5.xxxxxxx"

Database Upgrade

All the database changes are included as part of the bundle patch. The database patches are incremental.

Each database patch performs an incremental upgrade in which the database is only updated with the data that has changed since the previous release.

It is highly recommended that you take a full backup of the database, and then apply all incremental updates, in sequential order, to upgrade your current database to the most recent version.

Application Upgrade

To upgrade the Oracle Adaptive Access Manager application:

Back up the application.
Follow the upgrade instructions for the components that pertain to your 10.1.4.5 application installation.

14.4 Component and Database Upgrade Procedures

Procedures to upgrade Oracle Adaptive Access Manager components and the database are provided in this section.

14.4.1 Upgrading Command Line Interface

To upgrade the Command Line Interface:

Back up all customized properties, .xml and keystore files.

Some commonly customized files are: bharosa_server.properties, bharosa_client.properties, bharosa_common.properties, bharosauio_client.properties, sessions.xml, log4j.xml and keystore files.

The files will be used later in the upgrade process.
It is highly recommended for you to take a backup of the entire install directory should you need to use it to revert back the patch.
Unzip patch_oaam_cli.zip.
Copy the contents of patch_oaam_cli.zip into the current Command Line Interface installation.
Restore your customized files to the updated Command Line Interface installation.

14.4.2 Upgrading the Database

Note:

Before you start the upgrade process, it is strongly recommended that you perform a full database backup.

Follow the instructions from the most current bundle patch Readmes, which contains complete directions for the application of the database changes.

For example, if you were at 10.1.4.5.bp4 and want to upgrade to 10.1.4.5.bp12, and there were database changes in 10.1.4.5.bp5 and 10.1.4.5.bp8, the 10.1.4.5.bp12 Readme will contain directions about what needs to be applied for the 10.1.4.5.bp5 and 10.1.4.5.bp8 database changes and 10.1.4.5.bp12 software. The 10.1.4.5.bp12 bundle patch will contain separate directories with the individual database patches.

Instructions for updates from 10.1.4.5.bp1 to 10.1.4.5.bp6 are also included in this chapter.

Note that if you want to set up purging routines, you will have to perform additional steps, which are documented in the Readme.

Note:

The database must be upgraded before you upgrade the application.

14.4.3 Upgrading the Location Loader

To upgrade the Location Loader:

Back up all customized properties, .xml and keystore files.

Some commonly customized files are: bharosa_server.properties, bharosa_client.properties, bharosa_common.properties, bharosauio_client.properties, sessions.xml, log4j.xml, and keystore files.

The files will be used later in the upgrade process.
It is highly recommended for you to take a backup of the entire install directory should you need to use it to revert back the patch.
Unzip patch_oaam_location_etl.zip.
Copy the contents of patch_oaam_location_etl.zip into the current Location Loader installation.
Restore your customized files to the updated application.
Verify that all the files have been copied into the directories

14.4.4 Applying the Patch for Native Integration

To apply the patch for native integration (soap):

Back up all customized properties, .xml and keystore files.

Some commonly customized files are: bharosa_server.properties, bharosa_client.properties, bharosa_common.properties, bharosauio_client.properties, sessions.xml, log4j.xml and keystore files.
It is highly recommended for you to take a backup of the entire install directory should you need to use it to revert back the patch.

Note:
Many of the steps below are for replacing the files in the web application directory.
Unzip the patch_oaam_native_soap.zip file, which is located in the oaam_native directory, into the same folder.
Copy all the files from conf and its subfolders to your web application's WEB-INF/classes directory.
Copy all the jar files from the lib directory to your web application's WEB-INF/lib directory.
Copy all the files from bharosa_web and its subfolder to your web application directory.
Copy the jars from the thirdparty directory to the web application's WEB-INF/lib directory. Make sure all the jars are copied into the lib directory.

To apply the patch for native integration inproc, perform the same steps as above, but take the patch from the oaam_native_inproc.zip file.

14.4.5 Upgrading the Oracle Adaptive Access Manager-Oracle Access Manager Integration

If SOAP was used to communicate within Adaptive Strong Authenticator and Adaptive Risk Manager, replace the content of the previous installation with the oasa directory.

If Static-Linking was used, replace the content of the previous installation with the oasa_static directory.

14.4.6 Upgrading the Oracle Adaptive Access Manager BIP Reports

To upgrade the BIP Reports:

Back up all customized report templates (.rtf files) files.

The files will be used later in the upgrade process.
Unzip patch_oaam_bipreports_oradb.zip.
Copy the contents of patch_oaam_bipreports_oradb.zip into the current BIP reports installation.
Restore your customized files to their directories in the updated application.
Verify that all the files have been copied into the directories

14.4.7 Upgrading Adaptive Risk Manager Offline

In order to upgrade the Oracle Adaptive Access Manager Offline application, follow the steps documented in this section.

14.4.7.1 Pre-requisites

Before applying the patch:

Ensure that you have access to the webapps directory of the Adaptive Risk Manager Offline application.
Shut down the Adaptive Risk Manager Offline application.
Shut down the Oracle Adaptive Access Manager database instance.
Back up all customized properties, .xml and keystore files.

Some commonly customized files are: bharosa_server.properties, bharosa_client.properties, bharosa_common.properties, bharosauio_client.properties, sessions.xml, log4j.xml, and keystore files.

The files will be used later in the upgrade process.
It is highly recommended for you to take a backup of the entire install directory should you need to use it to revert back the patch.

14.4.7.2 Steps

To upgrade Adaptive Risk Manager Offline:

Unzip patch_oarm_offline_war.zip.
Copy the contents of patch_oarm_offline_war.zip into the existing webapps directory.
Restore your customized files to their directories in the updated application.
Verify that all the files have been copied into the directories

14.4.8 Upgrading Adaptive Risk Manager Online

In order to upgrade the Oracle Adaptive Access Manager Online application, follow the steps documented in this section.

14.4.8.1 Pre-requisites

Before applying the patch:

Shut down the Adaptive Risk Manager application.
Shut down the Oracle Adaptive Access Manager database instance.
Back up all customized properties, .xml and keystore files.

Some commonly customized files are: bharosa_server.properties, bharosa_client.properties, bharosa_common.properties, bharosauio_client.properties, sessions.xml, log4j.xml, and keystore files.

The files will be used later in the upgrade process.
It is highly recommended for you to take a backup of the entire install directory should you need to use it to revert back the patch.
Ensure that you have access to the webapps directory of the Adaptive Risk Manager Online application.
Ensure that you have applied the database patch.

14.4.8.2 Steps

To upgrade Adaptive Risk Manager Online:

Unzip patch_oarm_online_war.zip.
Copy the contents of patch_oarm_online_war.zip into the existing webapps directory.
Restore your customized files to their directories in the updated application.
Verify that all the files have been copied into the directories.

14.4.9 Upgrading Rule Conditions

In order to upgrade the rule conditions, follow the steps documented in this section.

14.4.9.1 Pre-requisites

Before applying the patch:

Ensure that you have applied the Adaptive Risk Manager Online/Offline patches.
Ensure that the updated applications are running.

14.4.9.2 Steps

To import patch_oaam_rule_conditions.zip:

On the Admin menu, point to Rule Templates, point to Conditions, then click Import Conditions.
Click Browse and locate patch_oaam_rule_conditions.zip.
Click Import.

All the conditions in the zip are imported into the server.

Note: If models are using the conditions, the conditions will be upgraded.

14.4.10 Upgrading Adaptive Strong Authenticator

To upgrade Adaptive Strong Authenticator

Ensure that you have access to the webapps directory.
Shut down the Adaptive Strong Authenticator application.
Back up all customized properties, .xml and keystore files.

Some commonly customized files are: bharosa_server.properties, bharosa_client.properties, bharosa_common.properties, bharosauio_client.properties, sessions.xml, log4j.xml, and keystore files.

The files will be used later in the upgrade process.
It is highly recommended for you to take a backup of the entire install directory should you need to use it to revert back the patch.
Unzip patch_oasa_static_war.zip or patch_oasa_war.zip.
Copy the contents of the patch into the current installation.
Restore your customized files to their directories in the updated application.
Verify that all the files have been copied into the directories.

14.4.11 Upgrading the Oracle Adaptive Access Manager Proxy for Apache

The Oracle Adaptive Access Manager patch contains updates for the Oracle Adaptive Access Manager Proxy for Apache for Microsoft Windows and Linux (rhel4). Follow the instructions in the Oracle Adaptive Access Manager Developer's Guide to replace the mod_uio.so and related .dlls (on MS Windows) and .so (on Linux) libraries with those released as part of this patch release.

14.4.11.1 Oracle Adaptive Access Manager Proxy for Apache Patch Installation Instructions

Installation of a patch is similar to installing the Oracle Adaptive Access Manager Proxy package using the instructions in the Oracle Adaptive Access Manager Developer's Guide. A patch will contain only the modified files. It is good practice to back up all your existing files since the patch will overwrite some or all of the files.

General instructions are given below. A patch contains only the modified files; so if a file is not available in the patch, skip that step. The steps are to be performed manually by the patch installer.

For both MS Windows and Linux:

Shut down the instance of Apache that you are updating

Note:
Ensure that you are using Apache httpd, version 2.2.8 with mod_ssl.
Back up existing files: binary, .rng and .xml files
Copy the binary files from the patch (additionally on Linux, you need to set soft-links to .so files appropriately)
Copy UIO_Settings.rng and UIO_Config.rng files from the patch
Compare your existing UIO_Settings.xml and UIO_log4j.xml files with those given in the patch and verify that you have got the correct settings. Refer to the sections that apply to this patch in the Oracle Adaptive Access Manager Developer's Guide to ensure that you have the correct settings. The same also applies to your configuration XML files.
Start Apache and run your sanity tests
- For Windows,
  - The binary files are: mod_uio.so, log4cxx.dll, libxml2.dll, apr_memcache.dll (apr_memcache.dll was introduced in 10.1.4.5.bp1)
  - The configuration files are: UIO_Settings.rng, UIO_Config.rng, UIO_Settings.xml, UIO_log4j.xml and application configuration XML files
- For Linux,
  - The binary files are: mod_uio.so, liblog4cxx.so.0.10.0.0, libxml2.so.2.6.32, libapr_memcache.so.0.0.1
  - The binary configuration files are: UIO_Settings.rng, UIO_Config.rng, UIO_Settings.xml, UIO_log4j.xml and application configuration XML files

14.4.11.2 Oracle Adaptive Access Manager Proxy for Apache Patch Backout Instructions

Restore the files that you had backed up before you installed the patch.

14.4.12 Upgrading the Oracle Adaptive Access Manager Proxy for Microsoft ISA

To upgrade the Oracle Adaptive Access Manager Proxy for Microsoft ISA:

Stop the Microsoft ISA server with the following command:
```
net stop fwsrv
```
Back up the current Oracle Adaptive Access Manager Proxy for Microsoft ISA DLL. The DLL should usually be at: %ProgramFiles%\Microsoft ISA Server\BharosaProxy.dll.
Overwrite the existing DLL with the one from the patch.
Start Microsoft ISA server with the following command:
```
net start fwsrv
```

14.4.13 Upgrading .NET API

To apply the upgrade the .NET API, follow the instructions below.

14.4.13.1 Overview

The oaam_native\oaam_native_dot_net\bin directory contains the Oracle OAAM 10.1.4.5.bp2 .NET DLLs with the fix for the timestamp issue described in SR 7702452.994.

14.4.13.2 Applying the Fix

To apply the fix, replace the following two OAAM 10.1.4.5.bp2 DLLs that are currently in use with the files included in this fix. Please note that the fix includes Oracle OAAM .NET DLLs for .NET versions 1.1 and 2.0. Please use the version suitable for your environment.

Bharosa.VCrypy.Common.dll
Bharosa.VCrypy.Client.dll

Oracle strongly advises you to back up the existing files before applying the fix.

14.4.13.3 Fix Details

The previous version added the timestamp text to the authenticators by default, that is, the timestamp was added even if the "AuthentiPad.TimeStampText" property was not explicitly set by the API user.

The fix is to add the timestamp text only if the "AuthentiPad.TimeStampText" property was set by the API user.

14.4.14 Upgrading the Keystore Util Package

If you have already created your keystore, regenerating or applying this patch is not required.

To upgrade the keystore install package:

Back up all customized properties, .xml and keystore files.

Some commonly customized files are: bharosa_server.properties, bharosa_client.properties, bharosa_common.properties, bharosauio_client.properties, sessions.xml, log4j.xml, and keystore files.

The files will be used later in the upgrade process.
It is highly recommended for you to take a backup of the entire install directory should you need to use it to revert back the patch.
Unzip oaam_keystore_util.zip.
Copy the contents of oaam_keystore_util.zip into the keystore_util directory of the current installation.
Restore your customized files to their directories in the updated application.
Verify that all the files have been copied into the directories

14.5 Creating a Database for an Oracle Database with the Partition Option

Information about creating an OAAM database in Oracle databases with the partition option.

Creating a Oracle Adaptive Access Manager Database Schema for an Oracle Database with the Partition Option
Partition Reference

Patches after 10.1.4.5.bp1 contain the oracle_partition_rm_database_setup.zip file with the scripts to create the Oracle Adaptive Access Manager database schema for an Oracle database with the partition option.

After applying the update, it will be possible to create the Oracle Adaptive Access Manager database schema with partitions in the Oracle database.

14.5.1 Creating a Oracle Adaptive Access Manager Database Schema for an Oracle Database with the Partition Option

To create the Oracle Adaptive Access Manager database schema for an Oracle database with the partition option, follow the steps below:

Replace the oracle_partition_rm_database_setup.zip file in the 10.1.4.5.bp1 with the file included in this patch.
Then, follow the database schema creation instructions to create an Oracle Adaptive Access Manager database schema in the Oracle database.

Please refer to Chapter 3, "Creating an Oracle Database Schema," in the Oracle Adaptive Access Manager Installation and Configuration Guide.

Instructions for an Oracle database with the partition option are the same as those for one without the option.

For information on the partition tables and scripts to maintain the partition, refer to Chapter 3, "Creating an Oracle Database Schema," in the Oracle Adaptive Access Manager Installation and Configuration Guide.

14.5.2 Partition Reference

Database tables in the Oracle Adaptive Access Manager database are divided into three different categories. The composite partition (RANGE,HASH) is in all the tables. The Range partition is created using CREATE_TIME while the HASH key is defined as per application logic.

14.5.2.1 Tables

Details about partitioned and non-partitioned tables are provided below.

14.5.2.1.1 Static Partition Tables

Frequency: Monthly

Tables:

V_USER_QA
V_USER_QA_HIST

14.5.2.1.2 Transactional Partition Tables

Frequency: Monthly

Tables:

VCRYPT_TRACKER_NODE_HISTORY
VCRYPT_TRACKER_USERNODE_LOGS
VCRYPT_TRACKER_NODE
VT_USER_DEVICE_MAP
V_MONITOR_DATA
VT_SESSION_ACTION_MAP
VT_ENTITY_ONE
VT_ENTITY_ONE_PROFILE
VT_USER_ENTITY1_MAP
VT_ENT_TRX_MAP
VT_TRX_DATA
VT_TRX_LOGS

Frequency: Weekly

Tables:

VR_POLICYSET_LOGS
VR_POLICY_LOGS
VR_RULE_LOGS
VR_MODEL_LOGS

Other than the tables mentioned above, all other tables are non-partitioned.

14.5.2.2 Partition Maintenance Scripts

After the initial Oracle Adaptive Access Manager Repository setup, use the following scripts to maintain the partition.

14.5.2.2.1 Add_Monthly_Partition_tables.sql

This script should be used to add partitions for tables with the Monthly frequency.

The script should be run at the end of each month to create partitions for the following month. To add partitions for subsequent months at the same time, run this script multiple times; when you run the script multiple times, partitions are added based on their previous month's partition.

If you fail to run the script to create monthly partitions (if your monthly partition is missing), the database errors, "ORA-14400 and ORA-14401," are encountered, forcing the Oracle Adaptive Access Manager application to stop.

To avoid errors, it is recommend that you schedule this script as an automated job.

14.5.2.2.2 Add_Weekly_Partition_tables.sql

This script should be used to add partitions for tables with the Weekly frequency.

The script should be run at the end of each month to create partitions for the following week. To add partitions for subsequent weeks at the same time, run this script multiple times; when you run the script multiple times, partitions are added based on their previous week's partition.

If you fail to run the script to create weekly partitions (if your weekly partition is missing), the database errors, "ORA-14400 and ORA-14401," are encountered, forcing the Oracle Adaptive Access Manager application to stop.

To avoid errors, it is recommend that you schedule this script as an automated job.

14.5.2.2.3 Drop_Monthly_Partition_tables.sql

Use this script to drop partitions for tables with the monthly frequency. Run this script at the end of each month to drop partitions that are older than sixth months as per the Oracle Adaptive Access Manager application requirement. Eventually, these tables will have six partitions at any point.

14.5.2.2.4 Drop_Weekly_Partition_tables.sql

Use this script to drop partitions for tables with the weekly frequency. Run this script at the end of every two weeks, starting from your database creation date, to drop partitions older than two weeks as per the Oracle Adaptive Access Manager application requirement.

14.6 Upgrading the Database from 10.1.4.5.0 to 10.1.4.5.bp1

This section provides instructions for upgrading the database from 10.1.4.5.0 to 10.1.4.5.bp1.

Note:

Before you start the upgrade process, it is strongly recommended that you perform a full database backup.

14.6.1 Database Patch Requirement

The database patch should be installed on systems where the base 10.1.4.5 Oracle Adaptive Access Manager database schema is created.

14.6.2 Database Patch Details

This incremental upgrade will perform the following tasks for database performance:

Create additional indexes for performance
Remove foreign keys from Transactional tables
Change VCRYPT_TRACKER_USERNODE_LOGS to modify the column TRACKER_NODE_HISTORY_ID to null

For more information on the indexes created and the foreign keys that are removed, refer to Section 14.7, "10.1.4.5.bp1 Database Patch Details."

14.6.3 Database Patch Installation Instructions

Before applying the database patch:

Unzip oaam_bundle_patch_10_1_4_5_bp5.zip.
Copy the database script (for Oracle database or Microsoft SQL Server) from the oaam_db/db_patches/bp01 directory to your database server.
Bring down your system.

For Oracle

To install the database patch for an Oracle Adaptive Access Manager database on an Oracle server:

Create a patch directory, oaam_db_patch_oracle_10.1.4.5_01.
Move oaam_db_patch_oracle_10_1_4_5_01.sql to your patch directory.
Login to the database using the Oracle Adaptive Access Manager schema username and password.
```
sqlplus <OAAM>/<PASSWORD>
```
Run the oaam_db_patch_oracle_10_1_4_5_01.sql script.

For example:
```
SQL > @oaam_db_patch_oracle_10_1_4_5_01.sql
```
Check the oaam_db_patch_oracle_10_1_4_5_01.log for any error. Please contact Oracle Support if you experience any ORA- errors in the log.

For Microsoft SQL Server

To install the database patch for an Oracle Adaptive Access Manager database on a Microsoft SQL Server:

Create a patch directory, oaam_db_patch_mssql_10.1.4.5_01.
Move oaam_db_patch_mssql_10_1_4_5_01.sql to your patch directory.
Login to OAAM database using Microsoft SQL Server Management Studio.
Open the patch file: from the File menu, point to Open, click File. Then, navigate to the patch directory, oaam_db_patch_mssql_10.1.4.5_01, and select oaam_db_patch_mssql_10_1_4_5_01.sql.
In the Query Window, please change following lines:
```
USE [DATABASE_NAME]
```
to
```
USE <your OAAM Database>
```
Execute the script.
Contact Oracle Support for any errors.

14.6.4 Database Patch Execution Time

It would take approximately 5 minutes to run the scripts. However, if the database has not been regularly purged, it may take longer time.

14.6.5 Database Patch Special Instruction

N/A

14.6.6 Best Practices

The system should be brought down before applying the database patch.

After the patch has been applied, restart the system.

14.7 10.1.4.5.bp1 Database Patch Details

Changes and additions to the database as a result of installing the database patch are listed below.

14.7.1 Create additional indexes for performance

This patch creates additional indexes for the performance of the Oracle Adaptive Access Manager system. The following indexes will be created:

VCRYPT_TRACKER_USERNODE_LOGS("CREATE_TIME")
VT_TRX_DATA("DATA1","ROW_ORDER")
VT_TRX_DATA("DATA2","ROW_ORDER")
VT_TRX_DATA("DATA3","ROW_ORDER")
VT_ENTITY_ONE("ENTITY_KEY")
VT_ENT_TRX_MAP("TRX_ID")
VT_ENTITY_ONE_PROFILE (DATA3)
VT_ENTITY_ONE_PROFILE (DATA2)
VT_ENTITY_ONE_PROFILE (DATA1)
VT_ENTITY_ONE_PROFILE (ROW_ORDER)
VT_ENTITY_ONE_PROFILE (ROW_ORDER,DATA1,EXPIRE_TIME)
VT_TRX_DATA (TRX_ID, ROW_ORDER)
VT_TRX_DATA (NUM_DATA0)
VT_TRX_DATA (NUM_DATA1)
VT_TRX_DATA (NUM_DATA2)
VT_TRX_LOGS (TRX_DEF_ID)
VT_TRX_LOGS (CREATE_TIME)
VT_ENT_TRX_MAP (DEF_MAP_ID)
VT_ENT_TRX_MAP (MAP_OBJ_ID)

14.7.2 Remove foreign keys from Transactional tables

This patch will remove the following foreign keys from the Transactional tables:

V_FP_MAP(V_FP_MAP_FK0)
V_FPRINTS(V_FPRINTS_FK0)
VCRYPT_TRACKER_NODE(VCRYPT_TRACKER_NODE_FK0)
VCRYPT_TRACKER_NODE(VCRYPT_TRACKER_NODE_FK1)
VCRYPT_TRACKER_NODE_HISTORY(VCRYPT_TRACKER_NODE_HISTORY_FK0)
VCRYPT_TRACKER_NODE_HISTORY(VCRYPT_TRACKER_NODE_HISTORY_FK1)
VCRYPT_TRACKER_USERNODE_LOGS(VCRYPT_TRACKER_USERNODE_LOGS_FK0
VCRYPT_TRACKER_USERNODE_LOGS(VCRYPT_TRACKER_USERNODE_LOGS_FK1)
VCRYPT_TRACKER_USERNODE_LOGS(VCRYPT_TRACKER_USERNODE_LOGS_FK2)
VCRYPT_TRACKER_USERNODE_LOGS(VCRYPT_TRACKER_USERNODE_LOGS_FK3)
VT_ENT_TRX_MAP(VT_ENT_TRX_MAP_FK0)
VT_ENTITY_ONE(VT_ENTITY_ONE_FK0)
VT_ENTITY_ONE_PROFILE(VT_ENTITY_ONE_PROFILE_FK0)
VT_ENTITY_ONE_PROFILE(VT_ENTITY_ONE_PROFILE_FK1)
VT_TRX_DATA(VT_TRX_DATA_FK0)
VT_TRX_DATA(VT_TRX_DATA_FK1)
VT_TRX_LOGS(VT_TRX_LOGS_FK0)
VT_TRX_LOGS(VT_TRX_LOGS_FK1)
VT_USER(VT_USER_FK0)
VT_USER_DEVICE_MAP(VT_USER_DEVICE_MAP_FK0)
VT_USER_DEVICE_MAP(VT_USER_DEVICE_MAP_FK1)
VT_USER_DEVICE_MAP(VT_USER_DEVICE_MAP_FK2)
VT_USER_DEVICE_MAP(VT_USER_DEVICE_MAP_FK3)
VT_WF_DAYS(VT_WF_DAYS_FK0)
VT_WF_DAYS(VT_WF_DAYS_FK1)
VT_WF_HOURS(VT_WF_HOURS_FK0)
VT_WF_HOURS(VT_WF_HOURS_FK1)
VT_WF_MONTHS(VT_WF_MONTHS_FK0)
VT_WF_MONTHS(VT_WF_MONTHS_FK1)
VT_WF_YEARS(VT_WF_YEARS_FK0)
VT_WF_YEARS(VT_WF_YEARS_FK1)

14.7.3 Change VCRYPT_TRACKER_USERNODE_LOGS

The patch will also change VCRYPT_TRACKER_USERNODE_LOGS to modify the column TRACKER_NODE_HISTORY_ID to null.

14.8 Upgrading the Database from 10.1.4.5.bp1 to 10.1.4.5.bp2

This section provides information about the setup and execution of the database patch to upgrade Oracle Adaptive Access Manager 10.1.4.5.bp1 to 10.1.4.5.bp2.

Note:

Before you start the upgrade process, it is strongly recommended that you perform a full database backup.

14.8.1 Database Patch Requirement

This patch should be applied where the Oracle Adaptive Access Manager 10.1.4.5.bp2 database patch is already installed.

14.8.2 Database Pre-requisite

Ensure that the database server is not connected to the application server(s).

14.8.3 Database Patch Details

This patch introduces new tables, indexes, and columns related to the Scheduler and Auto-learning features of Oracle Adaptive Access Manager.

The list of changes is provided in Section 14.9, "10.1.4.5.bp2 Database Patch Details."

14.8.4 Database Patch Installation Instructions

Instructions to install the 10.1.4.5.bp2 database patch are provided below.

For Oracle

To install the database patch for an Oracle Adaptive Access Manager database on an Oracle server:

Create a patch directory, oaam_db_patch_oracle_10.1.4.5_02.
Copy all the scripts from the oaam_db/db_patches/bp02 directory to the patch directory.

You will be copying the following scripts:
- db_upgrade.sql
- oaam_db_patch_oracle_10_1_4_5_02.sql
- oaam_db_oracle_CreateMonitorDataRollupTask.sql
- oaam_db_patch_oracle_10_1_4_5_02_oneoff.sql
  
  Note:
  The one-off script, oaam_db_patch_oracle_10_1_4_5_02_oneoff.sql, is not required. It should only be used if there are ORA-01758 or ORA-00904 exceptions in oaam_db_patch_oracle_10_1_4_5_02.log.
Log in to the database using the Oracle Adaptive Access Manager schema username and password.
```
sqlplus <OAAM>/<PASSWORD>
```
Run the db_upgrade.sql script.

For example:
```
SQL > @db_upgrade.sql
```
Check the oaam_db_patch_oracle_10_1_4_5_02.log file and create_monitor_rollup.lst spool for any errors. Please contact Oracle Support if you experience any ORA- errors in the log.

For Microsoft SQL Server

To install the database patch for an Oracle Adaptive Access Manager database on a Microsoft SQL Server:

Create a patch directory, oaam_db_patch_mssql_10_1_4_5_02.
For a non- Unicode database, copy all the scripts from the oaam_db/db_patches/bp02/msql_db_nonunicode directory to your patch directory.

You will be copying the following scripts:
- 01_oaam_db_patch_mssql_10_1_4_5_02.sql
- 02_oaam_db_CreateMonitorDataRollupTask_mssql.sql
For a Unicode database, copy all the scripts from the oaam_db/db_patches/bp02/msql_db_unicode directory to your patch directory.

You will be copying the following scripts:
- 01_oaam_db_patch_mssql_unicode_10_1_4_5_02.sql
- 02_oaam_db_CreateMonitorDataRollupTask_mssql.sql
Log in to the OAAM database using Microsoft SQL Server Management Studio.
For a non- Unicode database:
1. Open the patch file and then navigate to the patch directory, oaam_db_patch_mssql_10_1_4_5_02.
  
  To open the patch file, from the File menu, point to Open, click File.
  
  Note:
  In the Query Window, ensure that you change USE <DATABASE_NAME> to USE <YOUR_OAAM_DATABASE_NAME> before executing the scripts.
2. Select 01_oaam_db_patch_mssql_10_1_4_5_02.sql and Execute.
3. Select 02_oaam_db_CreateMonitorDataRollupTask_mssql.sql and Execute.
For a Unicode database:
1. Open the patch file and then navigate to the patch directory, oaam_db_patch_mssql_10_1_4_5_02.
  
  To open the patch file, from the File menu, point to Open, click File.
  
  Note:
  In the Query Window, ensure that you change USE <DATABASE_NAME> to USE <YOUR_OAAM_DATABASE_NAME> before executing the scripts.
2. Select oaam_db_patch_mssql_unicode_10_1_4_5_02.sql and Execute.
3. Select 02_oaam_db_CreateMonitorDataRollupTask_mssql.sql and Execute.
Contact Oracle Support for any errors.

Note:

If streams replication is enabled, run the scripts only on the active master node or run the scripts on all the nodes using tag.

14.8.5 Validation

To test that the scripts executed successfully to install the database patch, follow the steps listed below.

For Oracle

To validate that the scripts are successfully executed, check the oaam_db_patch_oracle_10_1_4_5_02.log file for any error.

For the Microsoft SQL Server Database

To validate that the scripts are successfully executed, check the output of the Microsoft SQL Server Management Studio.

14.8.6 Server Restart

After the upgrade process, restart the application server.

You will not have to restart the database server.

14.9 10.1.4.5.bp2 Database Patch Details

Database patch details are listed below.

14.9.1 Objects Altered or Added

The following objects are altered or added.

14.9.1.1 Columns

The following columns are altered or added.

VCRYPT_TRACKER_USERNODE_LOGS.CACHE
VR_RULESET_ROW.CHAIN_POLICY
VR_RULESET_ROW_HIST.CHAIN_POLICY
V_ACTION_LOG_SESS.CLIENT_ID
V_ACTION_LOG_SESS.CLIENT_SESS_ID
V_ACTION_LOG_SESS.CLIENT_VER
VCRYPT_ALERT.EXEC_TIME
VT_SESSION_ACTION_MAP.EXEC_TIME_MS
VT_IP_CLUSTER.GLOBAL_ID
VT_IP_CLUSTER_GROUP.GLOBAL_ID
VRA_SESS_SET_HIST.GLOBAL_ID
VRA_SESS_SET.GLOBAL_ID
VCRYPT_ALERT.GLOBAL_ID
VT_IP_CLUSTER_GROUPMAP.GLOBAL_ID
VT_DYN_ACT_EXEC_LOG.OBJECT_ID
VT_DYN_ACT_EXEC_LOG.OBJECT_TYPE
VR_DYN_ACTION_INST_HIST.REF_ID
VR_DYN_ACTION_INST.REF_ID
VR_DYN_ACTION_INST_HIST.REF_TYPE
VR_DYN_ACTION_INST.REF_TYPE
VT_ENTITY_ONE_PROFILE.RENEW_TIME
VT_SESSION_ACTION_MAP.RULE_TRACE_FP_ID
V_ACTION_LOG_SESS.SERVER_ID
VT_DYN_ACT_EXEC_LOG.TRX_DEF_ID
VT_DYN_ACT_EXEC_LOG.TRX_ID
V_ACTION_LOG_SESS.USER_AGENT

14.9.1.2 Constraints

The following constraints are added or modified.

PK_VR_DA_RT_CRIT on VR_DA_RT_CRIT
PK_VR_DA_RT_CRIT_HIST on VR_DA_RT_CRIT_HIST
PK_VR_POST_ACTION on VR_POST_ACTION
PK_VR_POST_ACTION_HIST on VR_POST_ACTION_HIST
PK_VS_GRP_EXEC_LOG on VS_GRP_EXEC_LOG
PK_VS_GRP_EXEC_REC on VS_GRP_EXEC_REC
PK_VS_GRP_QUEUED on VS_GRP_QUEUED
PK_VS_TASK on VS_TASK
PK_VS_TASK_EXEC_LOG on VS_TASK_EXEC_LOG
PK_VS_TASK_EXEC_REC on VS_TASK_EXEC_REC
PK_VS_TASK_GRP on VS_TASK_GRP
PK_VS_TASK_GRP_HIST on VS_TASK_GRP_HIST
PK_VS_TASK_HIST on VS_TASK_HIST
PK_VS_TASK_PROP on VS_TASK_PROP
PK_VS_TASK_PROP_HIST on VS_TASK_PROP_HIST
PK_VT_SESS_AUTH_MAP on VT_SESS_AUTH_MAP
PK_VT_WF on VT_WF
PK_V_LOCK on V_LOCK
PK_V_SESS_TRACE_LOG on V_SESS_TRACE_LOG
VRA_SESS_SET_UK0 on VRA_SESS_SET
VR_DA_RT_CRIT_FK0 on VR_DA_RT_CRIT
VR_DA_RT_CRIT_FK1 on VR_DA_RT_CRIT
VR_DA_RT_CRIT_FK2 on VR_DA_RT_CRIT
VR_DA_RT_CRIT_FK3 on VR_DA_RT_CRIT
VR_DA_RT_CRIT_FK4 on VR_DA_RT_CRIT
VR_DA_RT_CRIT_HIST_FK0 on VR_DA_RT_CRIT_HIST
VR_DA_RT_CRIT_HIST_UK0 on VR_DA_RT_CRIT_HIST
VR_DA_RT_CRIT_UK0 on VR_DA_RT_CRIT
VR_DYN_ACTION_INST_FK1 on VR_DYN_ACTION_INST
VR_POST_ACTION_UK0 on VR_POST_ACTION
VS_GRP_EXEC_LOG_FK0 on VS_GRP_EXEC_LOG
VS_GRP_EXEC_REC_FK0 on VS_GRP_EXEC_REC
VS_GRP_QUEUED_FK0 on VS_GRP_QUEUED
VS_TASK_EXEC_LOG_FK0 on VS_TASK_EXEC_LOG
VS_TASK_EXEC_REC_FK0 on VS_TASK_EXEC_REC
VS_TASK_EXEC_REC_FK1 on VS_TASK_EXEC_REC
VS_TASK_FK0 on VS_TASK
VS_TASK_GRP_UK0 on VS_TASK_GRP
VS_TASK_PROP_FK0 on VS_TASK_PROP
VS_TASK_PROP_UK0 on VS_TASK_PROP
VS_TASK_UK0 on VS_TASK
V_SESS_TRACE_LOG_FK0 on V_SESS_TRACE_LOG

14.9.1.3 Indexes

The following indexes are added or modified.

PK_VR_DA_RT_CRIT on VR_DA_RT_CRIT
PK_VR_DA_RT_CRIT_HIST on VR_DA_RT_CRIT_HIST
PK_VR_POST_ACTION on VR_POST_ACTION
PK_VR_POST_ACTION_HIST on VR_POST_ACTION_HIST
PK_VS_GRP_EXEC_LOG on VS_GRP_EXEC_LOG
PK_VS_GRP_EXEC_REC on VS_GRP_EXEC_REC
PK_VS_GRP_QUEUED on VS_GRP_QUEUED
PK_VS_TASK on VS_TASK
PK_VS_TASK_EXEC_LOG on VS_TASK_EXEC_LOG
PK_VS_TASK_EXEC_REC on VS_TASK_EXEC_REC
PK_VS_TASK_GRP on VS_TASK_GRP
PK_VS_TASK_GRP_HIST on VS_TASK_GRP_HIST
PK_VS_TASK_HIST on VS_TASK_HIST
PK_VS_TASK_PROP on VS_TASK_PROP
PK_VS_TASK_PROP_HIST on VS_TASK_PROP_HIST
PK_VT_SESS_AUTH_MAP on VT_SESS_AUTH_MAP
PK_VT_WF on VT_WF
PK_V_LOCK on V_LOCK
PK_V_SESS_TRACE_LOG on V_SESS_TRACE_LOG
VRA_SESS_SET_UK0 on VRA_SESS_SET
VR_DA_RT_CRIT_HIST_UK0 on VR_DA_RT_CRIT_HIST
VR_DA_RT_CRIT_UK0 on VR_DA_RT_CRIT
VR_POST_ACTION_UK0 on VR_POST_ACTION
VS_GRP_EXEC_LOG_IDX0 on VS_GRP_EXEC_LOG
VS_GRP_EXEC_REC_IDX0 on VS_GRP_EXEC_REC
VS_GRP_EXEC_REC_IDX1 on VS_GRP_EXEC_REC
VS_GRP_QUEUED_IDX0 on VS_GRP_QUEUED
VS_TASK_EXEC_LOG_IDX0 on VS_TASK_EXEC_LOG
VS_TASK_EXEC_REC_IDX0 on VS_TASK_EXEC_REC
VS_TASK_EXEC_REC_IDX1 on VS_TASK_EXEC_REC
VS_TASK_GRP_IDX0 on VS_TASK_GRP
VS_TASK_GRP_IDX1 on VS_TASK_GRP
VS_TASK_GRP_IDX2 on VS_TASK_GRP
VS_TASK_GRP_UK0 on VS_TASK_GRP
VS_TASK_IDX0 on VS_TASK
VS_TASK_IDX1 on VS_TASK
VS_TASK_IDX2 on VS_TASK
VS_TASK_PROP_IDX0 on VS_TASK_PROP
VS_TASK_PROP_UK0 on VS_TASK_PROP
VS_TASK_UK0 on VS_TASK
VT_SESS_AUTH_MAP_IDX1 on VT_SESS_AUTH_MAP
VT_WF_IDX0 on VT_WF
V_ALERT_IDX2 on VCRYPT_ALERT
V_ALERT_IDX3 on VCRYPT_ALERT
V_LOCK_IDX0 on V_LOCK
V_SESS_TRACE_LOG_IDX0 on V_SESS_TRACE_LOG

14.9.1.4 Sequences

The following sequences are added or modified.

VR_DA_RT_CRIT_HIST_SEQ
VR_DA_RT_CRIT_SEQ
VR_POST_ACTION_HIST_SEQ
VR_POST_ACTION_SEQ
VS_GRP_EXEC_LOG_SEQ
VS_GRP_EXEC_REC_SEQ
VS_GRP_QUEUED_SEQ
VS_TASK_EXEC_LOG_SEQ
VS_TASK_EXEC_REC_SEQ
VS_TASK_GRP_HIST_SEQ
VS_TASK_GRP_SEQ
VS_TASK_HIST_SEQ
VS_TASK_PROP_HIST_SEQ
VS_TASK_PROP_SEQ
VS_TASK_SEQ
VT_SESS_AUTH_MAP_SEQ
VT_WF_SEQ
V_LOCK_SEQ
V_SESS_TRACE_LOG_SEQ

14.9.1.5 Tables

The following tables are added or modified.

VR_DA_RT_CRIT
VR_DA_RT_CRIT_HIST
VR_POST_ACTION
VR_POST_ACTION_HIST
VS_GRP_EXEC_LOG
VS_GRP_EXEC_REC
VS_GRP_QUEUED
VS_TASK
VS_TASK_EXEC_LOG
VS_TASK_EXEC_REC
VS_TASK_GRP
VS_TASK_GRP_HIST
VS_TASK_HIST
VS_TASK_PROP
VS_TASK_PROP_HIST
VT_SESS_AUTH_MAP
VT_WF
V_LOCK
V_SESS_TRACE_LOG

14.9.2 Seed Data

The database upgrade patch will also insert seed data into Scheduler-related tables.

14.10 Setting Up Database Archive and Purge Routines (10.1.4.5.bp3)

Archive and purge scripts were added as part of 10.1.4.5.bp3.

If you want to set up purging routines, you will have to perform additional steps, which are documented in the Readme. Otherwise, skip this section and go on to Section 14.12, "Upgrading the Database from 10.1.4.5.bp2 to 10.1.4.5.bp5."

The files are located in the oaam_db\db_patches\bp03\purge_scripts directory

Note:

Before you start the upgrade process, it is strongly recommended that you perform a full database backup.

Please refer to Section 14.10, "Setting Up Database Archive and Purge Routines (10.1.4.5.bp3)" for instructions.

Note:

You must be running a 10.1.4.5.bp2 Oracle Adaptive Access Manager database before you can set up the archive and purging routines.

Information about setting up purging routines are additions or corrections to Appendix E, "Archive and Purge," in the Oracle Adaptive Access Manager Installation and Configuration Guide.

This section presents the concepts, prerequisites, policy, and post-process procedures in archiving and purging the Oracle Adaptive Access Manager database. A DBA or system administrator, who performs routine maintenance and the archiving and purging of the Oracle Adaptive Access Manager database, should follow the instructions in this chapter.

Note:

Users can run the purging scripts online in the Enterprise version of MS SQL server 2005.

14.10.1 Purge Process

Purging is the process of freeing up space in the database or of deleting obsolete data that is not required by the system. The purge process can be based on the age of the data or the type of data.

14.10.2 Archive Process

Archiving is the process of backing up the obsolete data that will be deleted during the purge process. During the archive process, data will be moved from the main transactional tables to the backup tables. By default the Oracle Adaptive Access Manager purge scripts will archive data that will be deleted during the purge process.

14.10.3 Archive and Purge Data Classification

Oracle Adaptive Access Manager has different sets of transactional tables that will be archived and purged. These sets are documented below. The tables in the transaction table sets are listed in Section 14.11.1, "List of Tables and the Corresponding Archived Tables."

14.10.3.1 Device Fingerprinting

The device fingerprinting data is archived and purged based on the following criteria:

archive and purge the device fingerprinting logs that are older than a specified period first.
archive and purge user device maps that are not used after the data from the device fingerprinting logs is purged.
archive and purge the device history that is not used after the data from the device fingerprinting logs is purged.
archive and purge the device data that is not used after the data from the device fingerprinting logs is purged.

Note:

The VT_SESSION_ACTION_MAP table is not purged using the partition drop maintenance script. This table stores the device fingerprinting session information; therefore the purging of this table is performed using the manual purge stored procedure (SP_SESS_ACT_MAP_PROC) which is called by the exec_sp_purge_tracker_data.sql script.

14.10.3.2 Transaction In-Session Based Data

The in-session transaction data is archived and purged based on the following criteria:

archive and purge the in-session transactional-based data that is older than a specified period first.
archive and purge transaction data that is not used in the transaction data after the transactions logs are purged for a specific time period.
archive and purge the entity, entity profile, user entity map and entity transaction map after the transactions logs are purged for a specific time period.

14.10.3.3 Auto-learning Profile Data

The Auto-learning and profile data is archived and purged based on the following criteria:

archive and purge the Workflow tables based on a specific time period.
- HOURS based Workflow tables will retain 3 days' worth of data.
- DAYS based Workflow tables will retain 32 days' worth of data.
- MONTHS based Workflow tables will retain 1 year's worth of data.
- YEARS based Workflow tables will retain 5 years' worth of data.
These values are hard-coded. The profile data value can be changed in the execution script for no of days.
archive and purge fingerprinting data with fingerprint type 11, 12, and no child records in the Workflow tables
```
vcrypt.fingerprint.type.enum.autolearning.auth=11
vcrypt.fingerprint.type.enum.autolearning.transaction=12
```
- 11 is the enum value for the Auto-learning AUTH type. Change these values in the script if another value was used during integration.
- 12 is enum value for the Auto-learning TRANSACTION type. Change these values in the script if another value was used during integration.
archive and purge profile related data that is 183 days old and profiles type 2 (Auto-learning Profile) from the Auto-learning profiles tables.

14.10.3.4 Rule Log Data

The rule log transaction data is archived and purged based on the following criteria:

archive and purge the rule log data that is 30 days old

14.10.4 Archive and Purge Process

Updated procedures for the archive and purge process are provided below.

14.10.4.1 Archive and Purge Process - Special Recommendations for Schemas with Partitioned Objects

Special recommendations are listed below for schemas with partitioned objects.

14.10.4.1.1 Schema with Partitioned Objects (Oracle Databases Only) Without a Separate Reporting Database

If you are using an Oracle Adaptive Access Manager schema with the partition option enabled and do not have a separate reporting and administrative environment, perform only manual purging, as described in this document. Partition drop scripts are part of the partition base package. These scripts are not shipped with the purging scripts.

Follow the steps below:

Set up archive and purge routines.
Schedule archive and purge routines.

14.10.4.1.2 Schema with Partitioned Objects (Oracle Databases Only) With a Separate Reporting Database

If you are using an Oracle Adaptive Access Manager schema with the partition option enabled and have a separate reporting and administrative environment, you must perform manual purging, as described below, as well as run the partition maintenance scripts that are shipped with the Oracle Adaptive Access Manager database setup package.

Note:

Please make sure replication is not enable during the archive and purge process.

Follow the steps below:

Set up archive and purge routines.
Schedule monthly/weekly partition drops. Refer to Section 14.11.4, "Drop Scripts for Partitioned Tables."
Schedule archive and purge routines.

14.10.4.2 Archive and Purge Process - Setting Up for Users with an Existing Process In Place

The setup scripts are one-time scripts that are required to create objects for the archive and purge process. The setup scripts will create the archived tables and store procedure required to execute during the routine archive and purge process.

If you are already using the Oracle Adaptive Access Manager Archive and Purge process, you should back up your existing archived tables (listed in Section 14.11.1, "List of Tables and the Corresponding Archived Tables") on disk before setting up a new archive and purge process. With 10.1.4.5.bp2, the structure of the old tables has changed; the setup scripts will recreate these tables.

14.10.4.3 Archive and Purge Process - Setting Up for the Oracle Database

The Create_purge_proc.sql script is required to set up the archive and purge routines for the Oracle database. For more information on this script, refer to Section 14.11.2.1, "Scripts for the Oracle Database."

14.10.4.3.1 Prerequisite

Important

You must ensure that the Oracle Adaptive Access Manager schema has the following privileges granted before the execution of the purging/archiving scripts and revoked after the execution of the purging/archiving scripts:

Create procedure
Execute procedure
Create any procedure
Create any table
Create any index

The purging/archiving scripts need CREATE Any privilege to create and execute purge related stored procedures.

Since the purging/archiving scripts use custom rebuild index stored procedures for a given table, this stored procedure requires CREATE Any Table and Create Any index privileges granted to the OAAM schema. If these privileges are not granted, the rebuild_oaam_index stored procedure will not work.

These privileges must be granted to set up and execute the OAAM purging/archiving routines and must be revoked once purge/archiving process is completed.

14.10.4.3.2 Instructions

To set up the archive and purge process for the Oracle database, follow the steps below:

Create the script directory, oaam_purge_script.
Unzip the Oracle Adaptive Access Manager purge package Oracle scripts to the script directory.
Log in to the database using the system or sys account.

Grant privileges to the Oracle Adaptive Access Manager schema:

GRANT create any procedure TO <schema_name>;
GRANT create any table TO <schema_name>;
GRANT create any index TO <schema name>;
GRANT create procedure TO <schema_name>;
GRANT execute any procedure TO <schema_name>;

Connect to database using the Oracle Adaptive Access Manager schema.
```
For example, sqlplus <OAAMADMIN>/<PASSWORD>
```
Run the create_purge_proc.sql script
```
SQL>@ create_purge_proc.sql
```

14.10.4.4 Archive and Purge Process - Setting Up for the SQL Server Database

The required scripts to setup the archive and purge routines for the SQL Server database are listed below.

If you are using Microsoft SQL Server with globalization support, please use the scripts under the msql_db_unicode directory.

If you are using Microsoft SQL Server with non-globalization support, please use the scripts under the msql_db_nonunicode directory.

The required scripts to setup the archive and purge routines for the SQL Server database are listed below. For more information on these scripts, refer to Section 14.11.2.2, "Scripts for the SQL Server Database."

cr_vcrypt_purge_tables.sql
cr_sp_arch_purge_tracker_data.sql
cr_sp_arch_purge_txn_logs.sql
cr_sp_arch_purge_workflow_data.sql
cr_sp_arch_purge_profile_data.sql
cr_sp_arch_purge_rules_log.sql

To setup the archive and purge process for the SQL Server database, follow the steps below:

Create the script directory, oaam_purge_script.
Unzip the Oracle Adaptive Access Manager purge package SQL Server scripts to the script directory.
Login to the Oracle Adaptive Access Manager database using SQL Server Management Studio.
Open the script files, which are listed below, using File > Open > File. Then, navigate to the script directory.
- cr_vcrypt_purge_tables.sql
- cr_sp_arch_purge_tracker_data.sql
- cr_sp_arch_purge_txn_logs.sql
- cr_sp_arch_purge_workflow_data.sql
- cr_sp_arch_purge_profile_data.sql
- cr_sp_arch_purge_rules_log.sql
In the Query window, change the following line for every script:
```
USE [DATABASE_NAME] to USE < your OAAM Database>
```
Execute the scripts.
In the message window of SQL Server Management Studio, save the results to a file.

14.10.5 Performing Archive and Purge

The execution of the archive and purge scripts is described below. Prior to starting the archive and purge process, go through the checklist, which is documented below, to ensure that the requirements for archive and purge are met.

Setup of the archive and purge scripts.
Enough space is available on the database server to store the archived data, if archive is enabled for the purge.
Archive and purge could be resource (like CPU) intensive. Oracle recommends running these during off peak load hours.

14.10.5.1 Oracle Databases

The required scripts to execute archive and purge routines for the Oracle database are listed below. For more information on these scripts, refer to Section 14.11.3, "Scripts to Execute Archive and Purge."

Archive and purge periods are set based on the business requirement specified for retention periods.

By default, the archive and purge scripts/routines have the following two parameters set:

p_days1 =no of days for data retention
p_archived= archived flag

To change these values per the business requirement, modify the following scripts:

exec_sp_purge_tracker_data.sql
exec_sp_purge_txn_log.sql
exec_sp_purge_workflow_data.sql
exec_sp_purge_profile_data.sql
exec_sp_purge_rule_log.sql

14.10.5.1.1 Manual Execution

To execute the scripts to archive and purge, follow the steps below:

Create the script directory, oaam_purge_script
Unzip the Oracle Adaptive Access Manager archive and purge package Oracle scripts to the script directory.
Login to the database using the Oracle Adaptive Access Manager schema

For example,
```
sqlplus <OAAMADMIN>/<PASSWORD>
```

Run the purging execution scripts:

SQL>@ exec_sp_purge_tracker_data.sql
SQL>@ exec_sp_purge_txn_log.sql
SQL>@ exec_sp_purge_workflow_data.sql
SQL>@ exec_sp_purge_profile_data.sql 
SQL>@ exec_sp_purge_rule_log.sql

14.10.5.1.2 Automatic Scheduling

Archive and purge jobs should be part of a routine schedule. These jobs can be scheduled using database jobs or OS-based scheduling utilities (crontab, at) or scheduler software (autosys, appworx).

It is recommended that these scripts are scheduled to run on regular intervals and only during off-peak hours.

14.10.5.2 SQL Server Database

The required scripts to execute archive and purge routines are listed below. For more information about these scripts, refer to Section 14.11.3, "Scripts to Execute Archive and Purge."

Archive and purge periods are set based on the business requirement specified for retention periods.

By default, the required scripts for archive and purge routines have the following two parameters set:

p_days1 =no of days for data retention
p_archived= Archived flag

To change these values per the business requirement, modify the following scripts:

exec_sp_purge_tracker_data.sql
exec_sp_purge_txn_log.sql
exec_sp_purge_workflow_data.sql
exec_sp_purge_profile_data.sql
exec_sp_purge_rule_log.sql

14.10.5.2.1 Manual Execution

To execute the scripts to archive and purge, follow the steps below:

Create the script directory, oaam_purge_script.
Unzip the Oracle Adaptive Access Manager archive and purge package SQL Server scripts to the script directory.
Login to the Oracle Adaptive Access Manager database using SQL Server Management Studio.

Open the script files listed below using File > Open > File. Then, navigate to the script directory.

exec_sp_purge_tracker_data.sql 
exec_sp_purge_txn_log.sql
exec_sp_purge_workflow_data.sql
exec_sp_purge_profile_data.sql   
exec_sp_purge_rule_log.sql

In the Query window, change the following line for every script:
```
USE [DATABASE_NAME] to USE < your OAAM Database>
```
Execute the scripts.
In the message window of the SQL Server Management Studio, save the results to a file.

14.10.5.2.2 Automatic Scheduling

Archive and purge jobs should be part of a routine schedule. These jobs can be scheduled using database jobs or OS-based scheduling utilities (crontab, at) or scheduler software (autosys, appworx).

It is recommended that these scripts are scheduled to run on regular intervals and only during off-peak hours.

14.10.6 Validating Archive and Purge

To determine if the archive and purge was successful, check the log files (for example scheduler log, script output log, and others) for any errors. When the archive and purge process has completed, users can also query the transactional log and its related purged tables to validate that the data was archived and purged.

14.10.7 Restoring Archived Data

As recommended, users should take an export backup of archived tables after the archive process has completed in case they should need to perform troubleshooting in the future.

When performing a restoration, the user should restore the desired date's data to a temporary table using Oracle's database Import feature.

Please contact Oracle Support if any data restoration is required.

14.11 10.1.4.5.bp3 Archive and Purge Details

This section contains information about the tables and their corresponding archived tables and details on the setup scripts.

14.11.1 List of Tables and the Corresponding Archived Tables

Device fingerprint, Auto-learning transactional, transaction, and rule log tables and their corresponding tables are listed below.

14.11.1.1 Device Fingerprint Tables and Corresponding Archived Tables

Device Fingerprint Transaction Tables	Corresponding Archived Tables
VCRYPT_TRACKER_NODE	VCRYPT_TRACKER_NODE_PURGE
VCRYPT_TRACKER_NODE_HISTORY	VCRYPT_TRACKER_NODE_HISTORY_PURGE
VCRYPT_TRACKER_USERNODE_LOGS	VCRYPT_TRACKER_USERNODE_LOGS_PURGE
VT_DYN_ACT_EXEC_LOG	VT_DYN_ACT_EXEC_LOG_PURGE
VT_SESSION_ACTION_MAP	VT_SESSION_ACTION_MAP_PURGE
VT_USER_DEVICE_MAP	VT_USER_DEVICE_MAP_PURGE

14.11.1.2 Auto-learning Transactional Tables and Corresponding Archive Tables

Auto-learning Transactional Tables	Corresponding Archived Tables
VT_WF_DAYS	VT_WF_DAYS_PURGE
VT_WF_HOURS	VT_WF_HOURS_PURGE
VT_WF_MONTHS	VT_WF_MONTHS_PURGE
VT_WF_YEARS	VT_WF_YEARS_PURGE
V_FPRINTS	V_FPRINTS_PURGE
V_FP_MAP	V_FP_MAP_PURGE
VT_USER_PROFILE	VT_USER_PROFILE_PURGE
VT_DEVICE_PROFILE	VT_DEVICE_PROFILE_PURGE
VT_BASE_IP_PROFILE	VT_BASE_IP_PROFILE_PURGE
VT_IP_PROFILE	VT_IP_PROFILE_PURGE
VT_STATE_PROFILE	VT_STATE_PROFILE_PURGE
VT_CITY_PROFILE	VT_CITY_PROFILE_PURGE
VT_COUNTRY_PROFILE	VT_COUNTRY_PROFILE_PURGE

14.11.1.3 Transaction Tables and Corresponding Archived Tables

Transaction Tables	Corresponding Archived Tables
VT_ENTITY_ONE	VT_ENTITY_ONE_PURGE
VT_ENTITY_ONE_PROFILE	VT_ENTITY_ONE_PROFILE_PURGE
VT_USER_ENTITY1_MAP	VT_USER_ENTITY1_MAP_PURGE
VT_ENT_TRX_MAP	VT_ENT_TRX_MAP_PURGE
VT_TRX_DATA	VT_TRX_DATA_PURGE
VT_TRX_LOGS	VT_TRX_LOGS_PURGE

14.11.1.4 Rule Logs Tables and Corresponding Archived Tables

Rule Log Tables	Corresponding Archived Tables
VR_POLICYSET_LOGS	VR_POLICYSET_LOGS_PURGE
VR_RULE_LOGS	VR_RULE_LOGS_PURGE
VR_MODEL_LOGS	VR_MODEL_LOGS_PURGE
VR_POLICY_LOGS	VR_POLICY_LOGS_PURGE

14.11.2 Scripts to Set Up Archive and Purge

Archive and purge setup scripts for the Oracle and SQL server databases are listed below.

14.11.2.1 Scripts for the Oracle Database

The archive and purge setup scripts for the Oracle database are presented below.

14.11.2.1.1 create_purge_proc.sql

The create_purge_proc.sql script creates the tables (Listed in Section 14.11.1, "List of Tables and the Corresponding Archived Tables") and the following stored procedures to archive and purge data from the transaction tables:

SP_RULE_ PROC
SP_MODEL_ PROC
SP_POLICYSET_ PROC
SP_POLICY_ PROC
SP_NODE_HISTORY_ PROC
SP_NODE_PROC
SP_USER_NODE_PROC
SP_USER_DVC_PROC
SP_SESS_ACT_MAP_PROC
SP_WF_YEARS_PROC
SP_WF_MONTHS_PROC
SP_WF_DAYS_PROC
SP_WF_HOURS_PROC
SP_V_FPRINTS_PROC
SP_V_FP_MAP_PROC
SP_VT_DY_ACT_EX_LOG_PRO
SP_VT_TRX_LOGS_PROC
SP_VT_TRX_DATA_PROC
SP_VT_ENT_TRX_MAP_PROC
SP_VT_ENT_ONE_PRF_PROC
SP_VT_ENT_ONE_PROC
SP_VT_ENT_ONE_MAP_PROC
SP_VT_USER_PRF_PROC
SP_VT_DEVICE_PRF_PROC
SP_VT_IP_PRF_PROC
SP_VT_BASE_IP_PRF_PROC
SP_VT_CITY_PRF_PROC
SP_VT_COUNTRY_PRF_PROC
SP_VT_STATE_PRF_PROC

14.11.2.2 Scripts for the SQL Server Database

The archive and purge setup scripts for the SQL server database are presented below.

14.11.2.2.1 cr_vcrypt_purge_tables.sql

The cr_vcrypt_purge_tables.sql script creates the tables (Section 14.11.1, "List of Tables and the Corresponding Archived Tables") to archive and purge data from the transaction tables.

14.11.2.2.2 cr_sp_arch_purge_tracker_data.sql

The cr_vcrypt_purge_tables.sql script creates the stored procedure sp_archive_purge_tracker_data to archive and purge data from device fingerprinting transaction tables.

14.11.2.2.3 cr_sp_arch_purge_txn_logs.sql

The cr_vcrypt_purge_tables.sql script creates the stored procedure sp_archive_purge_txn_logs_data to archive and purge data from in-session transaction tables.

14.11.2.2.4 cr_sp_arch_purge_workflow_data.sql

The cr_vcrypt_purge_tables.sql script creates the stored procedure sp_archive_purge_wf_data to archive and purge data from work flow transaction tables.

14.11.2.2.5 cr_sp_arch_purge_profile_data.sql

The cr_vcrypt_purge_tables.sql script stored procedure sp_archive_purge_profile_data to archive and purge data from Auto-learning profile transaction tables.

14.11.2.2.6 cr_sp_arch_purge_rules_log.sql

The cr_vcrypt_purge_tables.sql script creates the stored procedure sp_archive_purge_rule_log to archive and purge data from rule logs transaction tables.

14.11.3 Scripts to Execute Archive and Purge

The scripts to execute the archive and purge process are documented below.

14.11.3.1 exec_sp_purge_tracker_data.sql

This script calls stored procedures to archive and purge data from device fingerprinting tables. By running this script, the following tables will be archived and purged:

VCRYPT_TRACKER_NODE
VCRYPT_TRACKER_NODE_HISTORY
VCRYPT_TRACKER_USERNODE_LOGS
VT_USER_DEVICE_MAP
VT_DYN_ACT_EXEC_LOG
VT_SESSION_ACTION_MAP

Note:

14.11.3.2 exec_sp_purge_txn_log.sql

This script calls stored procedures to archive and purge data from in-session transaction tables. By running this script, the following tables will be archived and purged:

VT_ENTITY_ONE
VT_ENTITY_ONE_PROFILE
VT_ENT_TRX_MAP
VT_TRX_DATA
VT_TRX_LOGS
VT_USER_ENTITY1_MAP

14.11.3.3 exec_sp_purge_workflow_data.sql

This script calls stored procedures to archive and purge data from the Workflow Auto-learning tables. By running this script, the following tables will be archived and purged:

VT_WF_DAYS
VT_WF_HOURS
VT_WF_MONTHS
VT_WF_YEARS
V_FPRINTS
V_FP_MAP

14.11.3.4 exec_sp_purge_profile_data.sql

This script calls stored procedures to archive and purge data from the Auto-learning profile tables. By running this script, the following tables will be archived and purged:

VT_BASE_IP_PROFILE
VT _IP_PROFILE
VT_DEVICE_PROFILE
VT_COUNTRY_PROFILE
VT_CITY_PROFILE
VT_STATE_PROFILE
VT_USER_PROFILE

14.11.3.5 exec_sp_purge_rule_log.sql

This script calls stored procedures to archive and purge data from the Rules Engine logging tables. By running this script, the following tables will be archived and purged:

VR_POLICYSET_LOGS
VR_RULE_LOGS
VR_MODEL_LOGS
VR_POLICY_LOGS

14.11.4 Drop Scripts for Partitioned Tables

Two scripts to drop partitions are listed below.

14.11.4.1 Drop_Monthly_Partition_tables.sql

14.11.4.2 Drop_Weekly_Partition_tables.sql

14.12 Upgrading the Database from 10.1.4.5.bp2 to 10.1.4.5.bp5

This section provides information about the setup and execution of the database patch to reduce the column size in the OAAM database.

Note:

Before you start the upgrade process, it is strongly recommended that you perform a full database backup.

14.12.1 Database Pre-requisite

The prerequisites for applying the database patch are:

This patch should be applied where the Oracle Adaptive Access Manager 10.1.4.5.bp2 database patch is already installed.
Ensure that the database server is not connected to the application server(s).

14.12.2 Database Patch Details

Patch details are listed below for the Oracle Database and MS SQL Server.

The list of objects impacted is provided in 10.1.4.5.bp5 Database Patch Details.

14.12.2.1 Oracle

This patch includes the oaam_db_patch_oracle_10_1_4_5_05.sql script for the Oracle database that will drop the not null constraint for the REF_ID, REF_TYPE from the VR_DYN_ACTION_INST_HIST, VR_DYN_ACTION_INST tables.

14.12.2.2 Microsoft SQL Server

This patch includes two scripts for the Microsoft SQL Server to reduce column size. They are listed below. These scripts will create and run the stored procedure, sp_oaam_changecolumnsize, to change the column size for the OAAM tables to fix the "index data length exceeding 900 byte" exception.

cr_sp_OAAM_ChangeColumnsize.sql
exec_sp_OAAM_ChangeColumnsize.sql

14.12.3 Database Patch Installation Instructions

Installation instructions for Oracle and the MS SQL Server are listed below.

For Oracle

To apply the OAAM database patch:

Create the patch directory, oaam_db_patch_oracle_10.1.4.5_05.
Copy oaam_db_patch_oracle_10_1_4_5_05.sql from the oaam_db\db_patches\bp05\oracle-script directory to your patch directory.
Log in to the database using the Oracle Adaptive Access Manager schema username and password.

For example:
```
sqlplus <OAAM>/<PASSWORD>
```
Run oaam_db_patch_oracle_10_1_4_5_05.sql.

For example:
```
SQL > @ oaam_db_patch_oracle_10_1_4_5_05.sql
```
Check oaam_db_patch_oracle_10_1_4_5_05.sql.log for any error. Please contact Oracle Support if you experience any ORA- errors in the log.

Note:
Ignore the ORA-01451, ORA-01418, and ORA-01408 errors.

For Microsoft SQL Server

To apply the database patch for an Oracle Adaptive Access Manager database on a Microsoft SQL Server:

Create a patch directory, oaam_db_patch_mssql_10.1.4.5_bp05.
Copy all the scripts from the extracted zip to your patch directory.

For non-Unicode, the scripts are in the oaam_db\db_patches\bp05\msql_db_nonunicode directory.

For unicode, the scripts are in the oaam_db\db_patches\bp05\msql_db_unicode directory.
Log in to the OAAM database using Microsoft SQL Server Management Studio.
For a non- Unicode database:
1. For a non-Unicode database, open the patch file from the msql_db_nonunicode directory using File > Open >File, and then navigate to the patch directory.
2. In the Query window, please follow these instructions:
  
  Change USE [DATABASE_NAME] to USE < your OAAM Database>.
  
  Select cr_sp_OAAM_ChangeColumnsize.sql and Execute.
  
  Select exec_sp_OAAM_ChangeColumnsize.sql and Execute.
For a Unicode database:
1. For a Unicode database, open the patch file from the msql_db_Unicode directory using File > Open > File, and then navigate to the patch directory.
2. In the Query window, please follow these instructions:
  
  Change USE [DATABASE_NAME] to USE < your OAAM Database>.
  
  Select cr_sp_OAAM_ChangeColumnsize.sql and Execute.
  
  Select exec_sp_OAAM_ChangeColumnsize.sql and Execute.

14.12.4 Validation

To validate that the scripts are successfully executed, please check the output from SQL Server Management Studio.

14.12.5 Server Restart

After the upgrade process, restart the application server.

You will not have to restart the database server.

14.13 10.1.4.5.bp5 Database Patch Details

The Oracle and MS SQL Server objects that will be altered are listed below.

14.13.1 Oracle

The Oracle objects that will be altered are:

VR_DYN_ACTION_INST_HIST.REF_TYPE
VR_DYN_ACTION_INST_HIST.REF_ID
VR_DYN_ACTION_INST.REF_TYPE
VR_DYN_ACTION_INST.REF_ID

14.13.2 MS SQL Server

The MS SQL Server objects that will be altered are:

§ V_B_ENUM, PROP_NAME
§ V_B_ENUM_ELMNT, PROP_NAME
§ V_FPRINTS, HASH_VALUE
§ V_LOCK, LOCK_NAME
§ V_PAT_ENT_OPER, LABEL
§ V_PATTERN, LABEL
§ VCRYPT_ACCOUNTS, ACCT_NAME
§ VCRYPT_ISP, ISP_NAME
§ VCRYPT_PROFILE, PROFILE_NAME
§ VCRYPT_RULE, RULE_NAME
§ VCRYPT_STRING_VALUE_ELEMENT, ELEMENT_VALUE
§ VCRYPT_TRACKER_USERNODE_LOGS, EXT_SESSION_ID
§ VCRYPT_USER_GROUPS, GROUP_NAME
§ VCRYPT_USER_ROLES, ROLE_NAME
§ VCRYPT_VALUE_LIST, LIST_NAME
§ VR_DYN_ACTION, ACTION_NAME
§ VR_OVERRIDE, OBJECT_VALUE
§ VR_RULE_CONDN, CONDN_NAME
§ VS_TASK, TASK_NAME
§ VS_TASK_GRP, GRP_NAME
§ VT_ENTITY_DEF, LABEL
§ VT_ENTITY_ONE, ENTITY_KEY
§ VT_IP_CLUSTER, LABEL
§ VT_IP_CLUSTER_GROUP, LABEL
§ VT_TRX_DATA, DATA1
§ VT_TRX_DATA, DATA2
§ VT_TRX_DATA, DATA3
§ VT_TRX_DEF, LABEL
§ VT_TRX_DEF, TRX_DEF_KEY
§ VT_TRX_INPUT_DEF, LABEL
§ VT_TRX_INPUT_DEF, TRX_DEF_KEY
§ VT_USER_SESS, EXT_SESSION_ID
§ V_B_ENUM_HIST, LABEL
§ V_B_ENUM_HIST, PROP_NAME
§ V_B_ENUM_ELMNT_HIST, PROP_NAME
§ V_PAT_ENT_OPER_HIST, LABEL
§ V_PATTERN_HIST, LABEL
§ VCRYPT_ACCOUNTS_HIST, ACCT_NAME
§ VCRYPT_ISP_HIST, ISP_NAME
§ VCRYPT_PROFILE_HIST, PROFILE_NAME
§ VCRYPT_RULE_HIST, RULE_NAME
§ VCRYPT_USER_GROUPS_HIST, GROUP_NAME
§ VCRYPT_USER_ROLES_HIST, ROLE_NAME
§ VCRYPT_VALUE_LIST_HIST, LIST_NAME
§ VR_DYN_ACTION_HIST, ACTION_NAME
§ VR_OVERRIDE_HIST, OBJECT_VALUE
§ VR_RULE_CONDN_HIST, CONDN_NAME
§ VS_TASK_HIST, TASK_NAME
§ VS_TASK_GRP_HIST, GRP_NAME
§ VT_ENTITY_DEF_HIST, LABEL
§ VT_TRX_DEF_HIST, LABEL
§ VT_TRX_DEF_HIST, TRX_DEF_KEY
§ VT_TRX_INPUT_DEF_HIST, LABEL
§ VT_TRX_INPUT_DEF_HIST, TRX_DEF_KEY

14.14 Upgrading the Database from 10.1.4.5.bp5 to 10.1.4.5.bp6

This section provides information about the setup and execution of the database patch to create additional indexes to improve system performance.

Note:

Before you start the upgrade process, it is strongly recommended that you perform a full database backup.

14.14.1 Database Pre-requisite

The prerequisites for applying the database patch are:

This patch must be applied where the Oracle Adaptive Access Manager 10.1.4.5.bp02 and higher is already installed.
The database server is not connected to the application server(s).

14.14.2 Database Patch Details

Patch details are listed below for the Oracle Database and MS SQL Server.

This patch includes a script that will create a few additional indexes for system performance. This patch will also remove unique key constraint from the V_B_ENUM table.

14.14.3 Objects Impacted

The following objects will be altered when the patch is applied.

Index Created

VT_TRACKER_USERNODE_LOGS_IDX14 ON VCRYPT_TRACKER_USERNODE_LOGS("USER_LOGIN_ID")
V_CASE_HIST_IDX1 ON V_CASE_HIST("CASE_ID","TO_TIME")
V_CASE_IDX2 ON V_CASE("CASE_TYPE")

14.14.4 Database Patch Installation Instructions

Installation instructions for Oracle and the MS SQL Server are listed below.

For Oracle

To apply the OAAM database patch:

Create the patch directory, oaam_db_patch_oracle_10.1.4.5_06.
Copy oaam_db_patch_oracle_10_1_4_5_06.sql from the extracted zip to your patch directory.
Log in to the database using the Oracle Adaptive Access Manager schema username and password.

For example:
```
sqlplus <OAAM>/<PASSWORD>
```
Run oaam_db_patch_oracle_10_1_4_5_06.sql.

For example:
```
SQL > @ oaam_db_patch_oracle_10_1_4_5_06.sql
```
Check oaam_db_patch_oracle_10_1_4_5_06.sql.log for any error. Please contact Oracle Support if you experience any ORA- errors in the log.

Note:
Ignore the ORA-01451, ORA-01418, and ORA-01408 errors.

For Microsoft SQL Server

To apply the database patch for an Oracle Adaptive Access Manager database on a Microsoft SQL Server:

Create a patch directory, oaam_db_patch_mssql_10.1.4.5_bp06.
Copy all the scripts from the extracted zip to your patch directory.
Log in to the OAAM database using Microsoft SQL Server Management Studio.
Open the patch file from the Microsoft SQL directory using File > Open >File, and then navigate to the patch directory.
In the Query window, please follow these instructions:
1. Change USE [DATABASE_NAME] to USE < your OAAM Database>.
2. Select oaam_db_patch_mssql_10_1_4_5_06.sql and execute.

14.14.5 Validation

To validate that the scripts are successfully executed, please check the output from SQL Server Management Studio.

14.14.6 Server Restart

After the upgrade process, restart the application server.

You will not have to restart the database server.

14.15 Documentation Corrections

This section contains last minute information not included in the Oracle Adaptive Access Manager Release 10g (10.1.4.5) documentation library:

14.15.1 Configuration to Log Rule Executions Based on Total Rule Processing Time Taken

Rule execution logs are not configurable and therefore may affect Adaptive Risk Manager performance. Users who experience large numbers of log ins per day will have many rows of data written in the logs.

Configurable parameters are provided to address this issue. Users can now configure "n," a numeric property for time, so that logging is performed only if the total time taken for the Runtime is greater than "n" milliseconds. The parameter can be configured globally or for a specific runtime.

For example, the properties, as set below, logs for all Runtime process rules, only if the total time taken is more than 1000 ms.

vcrypt.tracker.rules.trace.policySet=false
vcrypt.tracker.rules.trace.policySet.min.ms=1000

14.15.2 Pattern Member Condition Does Not Take into Account the Bucket

When an Entity: Pattern Membership rule condition is evaluated, it does not take into account the current bucket that the pattern authentication operation belongs to.

To resolve this issue, the "ENTITY: Entity is member of bucket N times in a given time period" condition has been created.

Condition	ENTITY: Entity is member of bucket N times in a given time period
Description	Condition to check if this Entity is a member of the bucket a number of times in a given time period. This condition can be used to check the current behavior against the pattern. Please note that this is a count-based condition. So, if you configure to trigger it, for example, for a count less than three, it will trigger on the first login that matches the fingerprint.
Pre-Requisites	Ensure that the following pre-requisites are met: 10.1.4.5.bp2 or later must be installed. Entities and patterns must be defined before adding this condition to rules/ policys.
Assumptions	Auto-Learning is enabled.
Available since version	10.1.4.5.bp2
Checkpoints	All checkpoints see the note for pre-auth though.

14.15.3 Randomize KBA Questions

The oaam.kba.questions.randomorder property has been added for presenting KBA questions in random order instead of sequentially. Randomization will be performed Online only (Adaptive Strong Authenticator) if the oaam.kba.questions.randomorder property is missing or is set to true. For the CSR Get Challenge Question flow, question access will always be sequential.

14.15.4 No Rule Logs Shown in Offline Application

The following properties in tracker.properties can be used to enable the rule log using fingerprint:

# Int property determining finger print logging or detailed logging. Detailed
logging if exceeds this. Inclusive
vcrypt.tracker.rulelog.exectime.maxlimit=-1
# Boolean property to do both fingerprint and detailed logging. Overrides
vcrypt.tracker.rulelog.exectime.maxlimit.
vcrypt.tracker.rulelog.logBoth=false

14.15.5 Slider in OAAM 10.1.4.5 bpX

The slider is now available for 10.1.4.5.bp6. Users will have to look at the reference/sample class BharosaHelper and use the new methods.

Note: The names of the new methods in the reference class, BharosaHelper.java, are listed as follows:

public int validateSlider( BharosaSession bharosaSession, HttpServletRequest request )
public void sliderOptIn( BharosaSession bharosaSession, String newPin )
public void sliderOptOut( BharosaSession bharosaSession )
public String getSliderHTML( BharosaSession bharosaSession )
public static String getSliderTutorialHTML()
public String getUserPinStatus( BharosaSession bharosaSession )
public boolean isPinEnabled( BharosaSession bharosaSession )
public void registerDevice(BharosaSession bharosaSession, String regDeviceStr)

14.15.6 Session: Time Unit Condition

The "Session: Time Unit" condition is described below.

Condition	Day of the Week
Description	The condition determines if a particular time unit (in the current time) is in a particular position in the time unit. This condition uses the request date if available to evaluate the date function requested with the use of parameters. If the request date is not available, then the current server date time will be used.
Example	This condition can determine if the day of the week is equal to (or not equal to or other comparison operators) Monday or Tuesday and so on. It can also determine if the day of the month matches a certain criterion of the day of the month. It can also try to match the same criterion if the month of the year is <value> or not <value> or in or not in <value>.

Condition

Day of the Week

Description

The condition determines if a particular time unit (in the current time) is in a particular position in the time unit.

This condition uses the request date if available to evaluate the date function requested with the use of parameters.

If the request date is not available, then the current server date time will be used.

Example

This condition can determine if the day of the week is equal to (or not equal to or other comparison operators) Monday or Tuesday and so on.

It can also determine if the day of the month matches a certain criterion of the day of the month.

It can also try to match the same criterion if the month of the year is <value> or not <value> or in or not in <value>.

Parameters

Parameters	Description	Possible Values
Time Unit	Enum What is the time unit you are looking for? The default value is Day of the Week	Possible values are: Day of the Week Day of the Month Day of the Year Month of the Year Hour of the Day Week of the Month Week of the Year Year
Comparison operator	Enum What comparison you want to make with the time unit. The default value = Equal To	Possible values are: Equal To Not Equal To Less Than More Than Less than Equal to More than Equal to IN not IN
Comparison value	String The default value = "" (empty string), that represents integer or string that represents comma separated integers. Example: "1" or "1,2,3,4". The user can use comma-separated values when using the IN or NOT in operator. If comma-separated values are used for any other operators, it will be determined as an error and the value of the #5 parameter below will be returned. If the string does not represent a number (or a list of comma separated numbers) then it is determined as an error and a value of parameter #5 will be returned.	Correct values of this parameter for different time units. Day of the Week: 1 through 7 (1 = Monday). Day of the Month: 1 through 31 Day of the Year: 1 through 366 Month of the Year: 0 through 11 (0 = January) Hour of the Day: 0 through 23 Week of the Month: 0 through 6 Week of the Year 1 through 53 Year: positive integer
IS Condition True	Boolean Default value = true This will the return a value if the comparison is true.
Error Return value	Boolean Default value = false If the user has configured the value of the comparison value (#3) above incorrectly, or if there is any other error determining the date or <some value> then this value will be returned. Example: To configure the day of the week as a weekday, we will use the following values: Time Unit = Day of the Week Comparison Operator = "IN" Comparison Value = "1,2,3,4,5" Is Condition True = "true" Error Return value = "false"

14.15.7 Using Time Extraction Scheme for Time Portion

This section describes how to check transaction aggregate/count that includes filter criteria involving the time portion of date.

14.15.7.1 Use Cases that require using "Time Extraction"

It is recommended to use the "Time Extraction" mapping scheme if the following kind of rules have to be specified:

Check if there are "n" or more number of transactions by the same user between 9am and 5am regardless of the date
Check if there are "n" or more number of transactions and the sum of the amount of those greater than "x" amount that happened between 2am and 5am regardless of the date

14.15.7.2 During Transaction Definition Phase

The Transaction Definition Phrase is described below.

If time portion of transaction timestamp has to be considered in the filter criteria, then add a source field in the transaction definition with the internal Id as oaam.transaction.datetime. Make sure internal Id is exactly the same without any spaces. The name and description of that source field can be, for example, like "Transaction Timestamp". In this case the client application does not need to populate this source field, it will be implicitly available.
- If time has to be extracted from some other source field other than the transaction timestamp, make sure the source field is a date time field and the client application sends a valid date time value in the format: yyyy-MM-dd'T'HH:mm:ss.SSSz
Add a numeric field to either "Transaction Data" or "Entity" that can store the time value. The time value is stored in the precision of milliseconds. The formula used to derive the time value is:
- Timevalue = hour * 10000000 + minute * 100000 + seconds * 1000 + milliSeconds;
Now both the source field and destination field are set up. Go to 'Data Mapping' or 'Entity Mapping' based on whether the destination field is "Transaction Data" or "Entity Data". There, select the destination field as the time field and map it to the source date-time field using the "Extract Time" mapping scheme available in the list of mappings.
Once the transaction definition is completed and activated, the time value will be populated in the time field column whenever transaction data is created. You can verify the value of the time field using the formula specified in the previous step.

14.15.7.3 Using the time field in transaction rules

The time field usage in transaction rules is described below.

The time field can be used like a numeric field in the transaction rules. You can specify filter conditions that use operators like "greater than", "less than", and others.
You can specify the value to be compared in any of the following formats:
- HH24:MM:SS:MS (Most recommended if milliseconds precision is required)
- HH24:MM:SS
- HH24:MM
Apart from specifying the value in the above format there are no special steps for using it in the transaction rules

14.15.7.4 Limitations of time extraction and usage in transaction rules

Limitations of time extraction and usage in transaction rules are listed as follows:

Time value is stored in a 24-hour format and is not stored along with date. Because of this, filter expressions that involve time spread across different dates can be specified. For example, a filter expression like "greater than 23:00:00:000 and less than 5:00:00:000" is not valid.
Since time value is stored at the precision of milli-seconds, it is recommended not to use a time field with "equals" and "not-equals" operators in the filter expression of the transaction rules. If it is absolutely necessary, be aware that the application will check for the "exact" time value (including milliseconds), so make sure the proper value is specified in the filter expression.
Currently the user interface will display the numeric value of the time field without any formatting while displaying the transaction details.