25 Managing OAAM Snapshots

This chapter describes the Universal Risk Snapshot feature, which is new in Oracle Adaptive Access Manager 11g.


25.1 OAAM Snapshot Concepts

This section introduces you to the concept of OAAM Snapshots and how they are used in Oracle Adaptive Access Manager.

Using Universal Risk Snapshot, security administrators can configure OAAM system snapshots to migrate security data across environments or restore security configuration to a known state.

25.1.1 OAAM Snapshots

An OAAM Snapshot is a backup of the current system configuration. In the event of an error on the original system, you can restore the system to a pre-defined point.

Universal Risk Snapshot enables System Administrators to store and manage a system image. They can:

  • Back up the system configuration for safety, security, or versioning purposes

  • Replicate the system configuration for use with other servers--for example, from test to production environment, for production troubleshooting, and others.

  • Restore the system configuration from a pre-defined point

Universal Risk Snapshot only handles configuration data (metadata). It does not handle runtime data, such as sessions, transaction data, cases, rule logs, action logs, and others.

25.1.2 OAAM Snapshot Storage

When the OAAM Snapshot is created, the OAAM Server metadata is copied from the database.

An OAAM Snapshot can be restored from a file or from the database depending on where it was stored.

25.1.3 OAAM Snapshot Metadata

For OAAM Snapshots, the metadata is stored with the following items:

| Artifact | Comments | Additional clarifications |
|---|---|---|
| Policy Sets | Policy Set overrides | |
| Policies | All Policies | Trigger combinations are included |
| Rule Instances | All rule instances | |
| Conditions | All rule conditions | |
| Groups | Group Definitions for all groups whether linked or not | Group Members for alerts and actions only will be exported |
| Patterns | All patterns | |
| Transaction Definitions | All transaction definitions | |
| Entities | All entities whether linked or not | |
| Properties | Only the ones in the database | |
| Enums | Only the ones in the database | |
| Configurable Actions | | |
| Challenge Questions | Includes validations, categories, and configurations (Answer Logic and others) | |

25.1.4 OAAM Configuration Backup

An OAAM Snapshot backup saves all the existing configurations (both active and inactive items) including all group definitions. Only Action and Alert group members are included in the backup. Other group members can be exported using the group user interface if needed.

You can choose to create a backup OAAM Snapshot in the database or to a local file system or both.

25.1.5 OAAM Configuration Restore

You can restore the OAAM system configuration from a file or database.

Restore replaces the current system configuration with the restored configuration and also deletes and disables the additional configurations in the existing system.

Note:

The exception is when a group definition is imported into the system. The restore does not delete the additional group members that are already available.
  • When you create an OAAM Snapshot, all the configurations for functional areas are selected, both active and disabled. For example, if you have ten policies within your policy set, and five of them are active and five of them are disabled, all policies, their configuration, and their status information are included when the OAAM Snapshot is created.

  • Data that is not stored or restored is listed as:

    • Runtime data (examples: user-node logs, session and transaction logs, fingerprints, pattern collected data, generated alerts data, rule / policy logs data)

    • Geolocation data

    • User action logs as related to server API logs

  • OAAM Snapshots do not include the members of any groups with the exception of actions and alerts. However the groups themselves are included in the OAAM Snapshot. To back up group members, the export groups function must be used separate from the OAAM Snapshot. These group members must be imported using the Group user interface if needed.

  • Though configurable action definitions are included on restore, you must ensure that the necessary Java classes are manually copied into the required folders.

  • The status of the items is preserved on backup and restore. For example, disabled items remain disabled on backup and restore.

  • You cannot select individual items to include in an OAAM Snapshot or perform selective restoration. If you only want to include certain configurations in your OAAM Snapshot, you can export them from their module (separate user interfaces), import them back, and then create the OAAM Snapshot.

Restore works as follows:

The metadata existing in the system is deactivated. Data (policies or patterns) cannot be deleted because doing so would violate database constraints. Therefore, all the active artifacts are set to an "inactive" or a "deleted" state as appropriate.

Afterward, the artifacts being imported are inserted into the current database.

During this insert process, if there are artifacts in the old system and also in the incoming OAAM Snapshot, the artifacts are restored as they appear in the incoming OAAM Snapshot.

Groups in the incoming OAAM Snapshot do not contain members. If the same group exists (by name) in the existing system, after the system restore, the restored group contains the members that were already in the existing system.
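
The restore steps above, modelled as an added example that is not Oracle's code or part of the original documentation. The `Artifact` class, the function names and all sample data are assumptions, and the model covers only the behaviour this section states: existing items are deactivated, incoming items are inserted with the snapshot's status, and existing group members are kept.

```python
from dataclasses import dataclass, field

@dataclass
class Artifact:
    kind: str                 # "policy", "pattern", "group", ...
    name: str
    active: bool = True
    members: set = field(default_factory=set)  # used for groups only

def index(artifacts):
    """Key artifacts by (kind, name); the page says groups match by name."""
    return {(a.kind, a.name): a for a in artifacts}

def preview(current, snapshot):
    """Classify each artifact the way a pre-restore review would."""
    plan = {key: ("update" if key in current else "add") for key in snapshot}
    for key, art in current.items():
        if key not in snapshot and art.active:
            plan[key] = "disable"   # extra items are deactivated, not deleted
    return plan

def restore(current, snapshot):
    """Return the configuration after a restore, per the steps above."""
    # Step 1: deactivate everything that exists; nothing is removed.
    result = {k: Artifact(a.kind, a.name, False, set(a.members))
              for k, a in current.items()}
    # Step 2: insert incoming artifacts; the snapshot's status wins.
    for key, inc in snapshot.items():
        members = set(inc.members)
        old = current.get(key)
        if inc.kind == "group" and old is not None:
            members |= old.members  # existing group members survive
        result[key] = Artifact(inc.kind, inc.name, inc.active, members)
    return result

# Constructed sample data (hypothetical names, documentation IP range).
CURRENT = index([
    Artifact("policy", "Pre-Auth Checks"),
    Artifact("policy", "Temp Lab Policy"),
    Artifact("group", "Restricted IPs", members={"203.0.113.7"}),
])
SNAPSHOT = index([
    Artifact("policy", "Pre-Auth Checks", active=False),
    Artifact("policy", "Post-Auth Checks"),
    Artifact("group", "Restricted IPs"),
])

if __name__ == "__main__":
    for key, action in sorted(preview(CURRENT, SNAPSHOT).items()):
        print(f"{action:8} {key[0]}: {key[1]}")
    for key, art in sorted(restore(CURRENT, SNAPSHOT).items()):
        state = "active" if art.active else "inactive"
        print(f"{state:8} {key[0]}: {key[1]} members={sorted(art.members)}")
```

The practical consequence is that a policy disabled in the snapshot is disabled after the restore, and a group restored into production keeps production's members, so both are worth checking before the restore is applied.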

25.2 Navigating to the OAAM System Snapshot Search Page

To navigate to the System Snapshot Search page, perform the following steps:

  1. Log in to the OAAM Administration Console as a user with the environment administrator role assigned.

  2. In the Navigation tree, select System Snapshots under Environment.

    Alternative methods to open search pages are listed in Section 3.5, "Using Search, Create, and Import."

    In the System Snapshot Search page, you can perform the following tasks:

    • Search for an OAAM Snapshot

    • Restore an OAAM Snapshot from the database

    • Restore an OAAM Snapshot from a file

    • Back up the current system configuration to a file or database

    • Delete selected OAAM Snapshots from the database

25.3 Searching for an OAAM Snapshot

In the System Snapshots Search page, you search for an OAAM Snapshot by specifying criteria in the Search filter.

When the System Snapshot Search page first appears, the Search Results table shows a list of OAAM Snapshots in the Oracle Adaptive Access Manager environment.

To search for OAAM Snapshots:

  1. In the Navigation tree, open System Snapshots under Environment.

    The System Snapshots Search page is displayed.

  2. Specify criteria in the Search Filter to locate the OAAM Snapshot and click Search.

    • Searches are not case sensitive

    • Searches can return results if you enter part of the name in the search.

    • Searches trim the spaces entered.

    Clicking Reset instead of Search will reset the search criteria.

    The search result is shown based on the entered search criteria.

Table 25-1 System Search Filter Criteria

| Filter and fields | Description |
|---|---|
| Snapshot Name | Name of the OAAM Snapshot. For an OAAM Snapshot from a database, it is the name provided by the user; for file based backups, it is the file name. The OAAM Snapshot with the specified name is displayed in the Results Table. |
| Notes | Notes describing why the OAAM Snapshot was created. All backup names with the specified Notes keyword are displayed in the Results Table. |
| Backup date | Date at which the backup was taken. To locate a backup taken within a given create date range, enter the start and end dates you want for the range. All backup names that were backed up during the specified date range are displayed. |


25.4 Importing an OAAM Snapshot

To import an OAAM Snapshot for use in the system, follow the instructions below:

  1. Open System Snapshot under Environment in the Navigation tree.

    The System Snapshots Search page is displayed.

  2. Click Load from File.

    A Load and Restore Snapshot dialog appears. You are given the opportunity to back up your current system since importing an OAAM Snapshot will overwrite what you have in the current system.

  3. If you want to keep a backup of your current system, select the Back up the current system now box, enter the name and notes for the backup, and click Continue.

    When the Load and Restore Snapshot dialog appears with a message that the current system has been successfully stored in the database, click OK.

    Then, the Load and Restore Snapshot page appears for you to choose an OAAM Snapshot to load into the server so you can run the basic authentication flows.

  4. If you are sure you do not want to back up your current configuration or you are importing the OAAM Snapshot into an empty system, you can leave the dialog blank and click Continue.

    Since you did not choose to back up your system, you are given a warning that you are loading a new OAAM Snapshot and the details of the metadata may be overwritten. If you decide to take a backup, you can click Back to take you to the previous page where you can provide details for a backup. If you want to proceed with the import, click Continue.

    The Load and Restore Snapshot page appears for you to choose an OAAM Snapshot to load into the server so you can run the basic authentication flows.

  5. Now that you are ready to load the OAAM Snapshot, click Browse on the dialog in which you can enter the filename of the OAAM Snapshot you want to load. A screen appears for you to navigate to the directory where the OAAM Snapshot file is located. Click Open. Then, click Load to load the OAAM Snapshot into the system.

    If you are loading the standard OAAM Snapshot for the first time, the OAAM Snapshot file, oaam_base_snapshot.zip, is located in the Oracle_IDM1/oaam/init directory where the OAAM base content is shipped.

  6. Click OK.

    Once the OAAM Snapshot has been loaded, a summary of the OAAM Snapshot is displayed.

    The Preview tab is available, in which you are given the option to do the following:

    • View the conditions, rules, policies, and so on, in the OAAM Snapshot.

    • View the actions that are taken on the objects. For example, if you are loading an OAAM Snapshot with configurable actions and you do not have configurable actions in the system, the system will disable the configurable actions.

    • Filter the objects to see only the updates, or only the changes, or only the additions, and so on.

      In general, you want to see everything that changes in your system when you load the OAAM Snapshot because it has the potential to invalidate all the content in your system or overwrite your existing metadata.

    The Update button is available so that you can update or change to another OAAM Snapshot to view what the changes would be compared to the existing system snapshot.

    So far, you have loaded the OAAM Snapshot into the system and viewed the changes as compared to the existing metadata. The items in the OAAM Snapshot are not effective yet. Unless you click Restore, the items in the OAAM Snapshot have not been applied.

  7. To apply the OAAM Snapshot, click Restore.

    Once you have applied the OAAM Snapshot, make sure it appears in the System Snapshots page. Perform a search to view all OAAM Snapshots that have been loaded into the database. You can click on any OAAM Snapshot to view it and you can click Restore to apply changes. Use this feature to back up your system periodically; the backup is stored in the database, in a file, or in both.

25.5 Importing an OAAM Snapshot Using CLI

For information on how to import an OAAM Snapshot using CLI, see "Import Snapshot".

25.6 Viewing Details of an OAAM Snapshot

To view details for an OAAM Snapshot:

  1. In the Navigation tree, select System Snapshots under Environment.

    The System Snapshots Search page is displayed.

  2. Specify criteria in the Search Filter to locate the OAAM Snapshot and click Search.

    Clicking Reset instead of Search will reset the search criteria.

  3. Click the OAAM Snapshot name in the Results table. The Snapshot Details page for the specific OAAM Snapshot is displayed.

    The backup name, notes, system user, client IP, server IP, and server name for the backup are displayed in the Summary tab.

    The Snapshot Preview tab displays the configuration details for the following:

    • Answer Hint

    • Question Category

    • Conditions

    • Validations

    • Questions

    • Groups

    • Policies

    • Entity Definition

    • Scheduler Task Group

    • Pattern

25.7 Backing Up the System Configuration to a Database, Database and File, or File

You can back up a system configuration to a database, a database and file, or a file.

To start the backup process:

  1. In the Navigation tree, open System Snapshots under Environment.

    The System Snapshots Search page is displayed.

  2. Click Backup in the right upper corner of the page or Back up from the Actions menu.

    The Backup Current System page is displayed. From this page, you can choose an option and provide the necessary information.

    The current system can be backed up to the system database or to a file or to both.

  3. Select Backup type.

25.8 Backing Up the Current System Configuration to the System Database

To back up the current system to the system database:

  1. From the Backup Current System page, select Database for the Backup Type.

  2. Enter a name for the backup.

  3. Enter notes for the backup.

  4. Click Back Up.

    A dialog appears with a message that the current system has been successfully stored in the database.

  5. Click OK.

    The system snapshot is created in the database.

25.9 Backing Up the Current System Configuration to a Database and File

To back up the current system in a database and file:

  1. From the Backup Current System page, select Database and File for the Backup Type.

  2. Enter a name for the backup.

  3. Enter notes for the backup.

  4. Enter a file name for the ZIP file.

  5. Click Back Up.

    A dialog appears with a message that the current system has been successfully stored in the database.

  6. Click OK.

    The system snapshot is created in the database and file.

  7. Verify that the OAAM Snapshot is saved in the database and file.

    Search by the OAAM Snapshot name in the System Snapshots Search page.

    If the backup is saved in the database, the OAAM Snapshot name is listed in the results table.

25.10 Backing Up the Current System Configuration to a File

To back up the current system to a file:

  1. From the Backup Current System page, select File for the Backup Type.

  2. Enter a name for the backup.

  3. Enter notes for the backup.

  4. Enter a file name for the ZIP file.

  5. Click Back Up.

    A dialog appears with a message that the current system has been successfully stored in the database.

  6. Click OK.

    The system snapshot is created in the file.

25.11 Exporting an OAAM Snapshot Using CLI

For information on how to export an OAAM Snapshot using CLI, see "Export a Snapshot".

25.12 Restoring an OAAM Snapshot

You can restore a system configuration from an OAAM Snapshot of the same system or another system. You cannot choose to restore only a subset of the OAAM Snapshot.

Restoring an OAAM Snapshot replaces the system configuration completely.

If an error occurs during an operation, you can restore the system to an OAAM Snapshot that predates the error.

25.12.1 Steps to Restore Selected OAAM Snapshot

To perform the restore operation:

  1. Open System Snapshot under Environment in the Navigation tree.

    The System Snapshots Search page is displayed.

  2. Click Search to populate the Results tab or search for the OAAM Snapshot you want to use to restore the system.

  3. Select an OAAM Snapshot from the Results table.

  4. Click Restore or select Restore from the Actions menu.

    A Back Up Current Configuration dialog appears, which offers you the option to back up the current system before replacing it. You can press Back up, Skip, or Cancel.

  5. Enter a name for the backup.

  6. Enter notes for the backup.

  7. If you press Back up and the backup is successful, a message appears stating that the current system was successfully stored in the database.

  8. Click Restore.

    A summary displays a list of items being imported and the status of the operation.

  9. Click OK.

An error message appears if the file was in the wrong format.

25.12.2 Loading and Restoring an OAAM Snapshot

To load an OAAM Snapshot into the system database:

  1. Open System Snapshot under Environment in the Navigation tree.

    The System Snapshots Search page is displayed.

  2. Click Load from File.

    A Load and Restore Snapshot dialog appears for you to enter the name and notes for the current system configuration you are backing up in the database.

  3. Enter the name and notes for the current system configuration and click Continue.

    The Load and Restore Snapshot dialog appears with a message that the current system has been successfully stored in the database.

  4. Click OK.

    The Load and Restore Snapshot page appears for you to choose an OAAM Snapshot to load.

  5. Browse for an OAAM Snapshot, and click Load to load the OAAM Snapshot into the system database.

    If you press Load, the loaded snapshot is restored and becomes the current OAAM Snapshot. If you select this option, you cannot preview the OAAM Snapshot before restoring it.

  6. Click OK.

  7. Click Restore.

25.12.3 Restarting the Servers

The policy/rule cache is not updated after restoring an OAAM Snapshot. You must restart the OAAM Server for the policies to become active.

25.12.4 OAAM Snapshot Restore Considerations

OAAM Snapshot restore considerations are described in this section.

25.12.4.1 OAAM Snapshot in Live System (Single Server)

An OAAM Snapshot ZIP file carries the server version from which it was taken. If that version is determined to be incompatible when restoring, the OAAM Snapshot restore fails.

If the OAAM Snapshot is restored in a system that is running, the effect is applicable in about 30 seconds when all the database artifacts are reloaded.

25.12.4.2 OAAM Snapshot Restore in Multi-Server System (Connected to the Same Database)

When the OAAM Snapshot is restored in a system running with multiple servers connected to the same database, the OAAM Snapshot is effective in approximately 20 seconds when servers reload their database artifacts.

All the servers are running on the same version of Oracle Adaptive Access Manager.

25.12.4.3 OAAM Snapshot Restore in Multi-Server Running Different Versions

The OAAM Snapshot restore is checked by the server in which the restore was performed. If a server in a cluster is not compatible with the OAAM Snapshot being restored, the server does not function since it is trying to read information from a database that it does not understand. The database schema might be compatible, but servers could differ in their interpretation of features or column values.

25.13 Deleting an OAAM Snapshot

To delete OAAM Snapshots:

  1. In the Navigation tree, select System Snapshots under Environment.

  2. Click Search to view a list of OAAM Snapshots in the system.

  3. Select the OAAM Snapshot to delete and click the Delete icon or Delete Selected from the Action menu.

    A Confirm Dialog appears with the message, "Are you sure you want to delete the selected Snapshot?"

  4. Click Delete.

    A confirmation dialog appears with the message, "Selected Snapshots are deleted successfully."

  5. Click OK.

25.14 Use Cases

This section describes example use cases for using OAAM Snapshots.

25.14.1 System Snapshot Import/Export

Jeff, a Security Administrator, must migrate the policy changes and all dependent items from the test environment to the production environment.

  1. Jeff goes into OAAM Admin in the test environment and exports the policy set.

  2. As part of the export process, the policies, rules, conditions, linked patterns, linked groups (alert and action groups have members included by default; other group types do not include members unless specified), enumerations used in policies, transactions and entities used in the policies, and configurable actions used in the policies are all selected for export to a file.

  3. On import into the production environment a warning message alerts Jeff to the files that will be overwritten.

25.14.2 Use Case: User Exports Policy Set as a Record for Research

An OAAM Snapshot is a record of how the rules and policies were configured; it contains the session information.

  1. The user creates an OAAM Snapshot so that historical data can be viewed later and research conducted using an offline system.

  2. A timestamp is put on the OAAM Snapshot.

  3. Later, the user restores the older OAAM Snapshot to perform fraud analysis.

  4. The user runs rules and policies to determine how the system acted at that time in the past.

  5. The user has multiple OAAM Snapshots saved from different points in time and re-uses them in an offline system for performing research.

25.14.3 Use Case: User Replaces Entire System

An OAAM Snapshot is a copy of the system configuration and contains the configuration for policies, rules, groups, and other elements in the system.

  1. The user makes modifications to the policy set in the production system.

  2. The user realizes that the changes were not the ones wanted.

  3. The user restores the OAAM Snapshot, replacing the entire system altogether.

25.14.4 Use Case: User Identifies Policy Set to Import

The user is working on several OAAM Snapshots offline, testing the rules and ensuring that the policies work as expected. He has finished work on OAAM SnapshotID 1 and OAAM SnapshotID 3, and he is now working on another configuration. Out of all the OAAM Snapshots he has worked on, he wants to restore OAAM SnapshotID 3. He identifies OAAM SnapshotID 3 by OAAM Snapshot ID and restores it in the production system.

25.15 Best Practices for OAAM Snapshots

This section outlines some best practices for using OAAM Snapshots.

  • Before you perform a restore in a production system, you should be aware that you are about to replace the entire system configuration in the production system. Create an OAAM Snapshot of the current policy set before the actual restore since you do not want to lose the current configuration if the restore fails or if there are any other issues that you did not anticipate. After you have restored the OAAM Snapshot, there is no way for you to perform an undo. When you have a backup available, you can restore that configuration into your system immediately if the restore fails.

  • Restore the OAAM Snapshot from an offline system to the online system only after an OAAM Snapshot has been successfully created.

  • When configurable actions are included with an OAAM Snapshot, copy the Java classes to the specified directory after the OAAM Snapshot creation so that the configurable actions are not broken when they are brought back into a system.