C Automating the Identity and Access Management Enterprise Deployment

A number of sample scripts have been developed which enable you to deploy Oracle Identity and Access Management on Kubernetes. These scripts are provided as samples for you to use to develop your own applications.

You must ensure that you are using the July 2022 or a later release of Identity and Access Management for this utility to work.

You can run the scripts from any host that has access to your Kubernetes cluster. If you want the scripts to automatically copy files to your Oracle HTTP Servers, you must have passwordless SSH set up from the deployment host to each of your web hosts.

If you are deploying Oracle Advanced Authentication, you must have passwordless SSH set up from the deployment host to one of your database nodes. In addition, for the duration of the deployment, your OAA database service must only be running on this database host.

This appendix includes the following topics:

  • Obtaining the Scripts
  • Scope of Scripts
  • Key Concepts of the Scripts
  • Directory Structure
  • Getting Started
  • Creating a Response File
  • Validating Your Environment
  • Provisioning the Environment
  • Log Files
  • Files You Need to Keep
  • Archiving Files After Installation/Configuration
  • Oracle HTTP Server Configuration Files
  • Utilities
  • Reference - Response File

Obtaining the Scripts

The automation scripts are available for download from GitHub.

To obtain the scripts, use the following command:
git clone https://github.com/oracle/fmw-kubernetes.git
The scripts appear in the following directory:
fmw-kubernetes/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement
Copy these template scripts to your working directory. For example:
cp -R fmw-kubernetes/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/* /workdir/scripts

If you are provisioning Oracle Identity Governance, you must also download the Oracle Connector Bundle for OUD and extract it to a location which is accessible by the provisioning scripts. For example, /workdir/connectors/OID-12.2.1.3.0. The connector directory name must start with OID-12.2.1.

If you are provisioning Oracle HTTP Server, you must download the Oracle HTTP Server installer and place it in the $SCRIPTDIR/templates/ohs/installer location. The installer must be the ZIP file. For example, fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip.

Scope of Scripts

Learn about the actions that the scripts perform as part of the deployment process. There are also tasks that the scripts do not perform.

What the Scripts Will Do

The scripts will deploy Oracle Unified Directory (OUD), Oracle Access Manager (OAM), and Oracle Identity Governance (OIG). They will integrate each of the products. You can choose to integrate one or more products.

The scripts perform the following actions:

What the Scripts Will Not Do

While the scripts perform the majority of the deployment, they do not perform the following tasks:

  • Deploy the Container Runtime Environment, Kubernetes, or Helm.
  • Configure the load balancer.
  • Download the container images for these products.
  • Tune the WebLogic Server.
  • Configure the One Time Pin (OTP) forgotten password functionality for OAM.
  • Configure the OIM workflow notifications to be sent by email.
  • Set up the OIM challenge questions.
  • Provision Business Intelligence Publisher (BIP).
  • Set up the links to the Oracle BI Publisher environment. However, the scripts will deploy reports into the environment.
  • Enable the BI certification reports in OIG as described in Enable Certification Reports.
  • Configure Oracle HTTP Server to send log files and monitoring data to Elasticsearch and Prometheus.
  • Configure Oracle Database Server to send log files and monitoring data to Elasticsearch and Prometheus.

Key Concepts of the Scripts

To keep the deployment simple and easy to manage, the scripts are driven by two kinds of file: a response file with details of the environment, and template files that you can modify or add to as required.

Note:

Provisioning scripts are re-entrant. If something fails, you can restart the script from the point at which it failed.

Directory Structure

After you copy the scripts to your working directory, they have the directory structure shown in Figure C-1. While the scripts run, they also create a working directory, whose layout is shown in Figure C-2.

Figure C-1 Directory Structure of the Scripts

Figure C-2 Working Directory of the Scripts

Getting Started

If you are provisioning Oracle Identity Governance, you must also download the Oracle Connector Bundle for OUD and extract it to a location which is accessible by the provisioning scripts. For example, /workdir/connectors/OID-12.2.1.3.0. The connector directory name must start with OID-12.2.1.

If you are provisioning the Oracle HTTP Server, you must download the Oracle HTTP Server installer and place it in the location $SCRIPTDIR/templates/ohs/installer. The installer must be the ZIP file. For example: fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip.

If you want to install the Oracle HTTP Server or copy files to it, you must have passwordless SSH set up from the deployment host to each Oracle HTTP Server host for the duration of provisioning.
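The files that Obtaining the Scripts and Getting Started ask you to stage are easy to get wrong (a connector directory with the wrong name prefix, an installer in the wrong folder) and the failure only shows up part-way through provisioning. The following is an added example, not one of the Oracle scripts, that checks the staged files up front. It reads SCRIPTDIR, CONNECTOR_DIR, OHS_INSTALLER, INSTALL_OIG and INSTALL_OHS from the environment (for example after sourcing your response file); the defaults are the page's own example values, and the SSH probe is an assumption about how you would verify the passwordless trust the scripts require.

```sh
#!/bin/sh
# Added example (not one of the Oracle scripts): verifies that the files the
# provisioning scripts expect have been staged, using the locations given in
# Obtaining the Scripts and Getting Started. SCRIPTDIR, CONNECTOR_DIR,
# OHS_INSTALLER, INSTALL_OIG and INSTALL_OHS come from the environment (or a
# sourced response file); the defaults below are the page's example values.

: "${SCRIPTDIR:=/workdir/scripts}"
: "${CONNECTOR_DIR:=/workdir/connectors}"
: "${OHS_INSTALLER:=fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip}"

# is_connector_dir DIR: true when DIR exists and its name starts with OID-12.2.1,
# which is what the provisioning scripts look for.
is_connector_dir() {
  case $(basename "$1") in
    OID-12.2.1*) [ -d "$1" ] ;;
    *) return 1 ;;
  esac
}

# has_connector_bundle BASE: true when some OID-12.2.1* directory exists under BASE.
has_connector_bundle() {
  for d in "$1"/*; do
    is_connector_dir "$d" && return 0
  done
  return 1
}

# has_ohs_installer SCRIPTDIR: the installer ZIP must sit in templates/ohs/installer.
has_ohs_installer() {
  [ -f "$1/templates/ohs/installer/$OHS_INSTALLER" ]
}

# check_passwordless_ssh HOST: non-interactive probe of the SSH trust the scripts
# need to copy OHS files (and, for OAA, to reach the database host). Assumed
# approach; BatchMode makes ssh fail instead of prompting for a password.
check_passwordless_ssh() {
  ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" true 2>/dev/null
}

# check_staged_files: applies the checks that the selected products require;
# prints what is missing and returns 1 if anything is.
check_staged_files() {
  rc=0
  if [ "${INSTALL_OIG:-false}" = true ] && ! has_connector_bundle "$CONNECTOR_DIR"; then
    echo "INSTALL_OIG=true but no OID-12.2.1* connector directory under $CONNECTOR_DIR"; rc=1
  fi
  if [ "${INSTALL_OHS:-false}" = true ] && ! has_ohs_installer "$SCRIPTDIR"; then
    echo "INSTALL_OHS=true but $OHS_INSTALLER is not in $SCRIPTDIR/templates/ohs/installer"; rc=1
  fi
  return $rc
}
```

Run it as `. ./responsefile/idm.rsp; check_staged_files` before invoking provision.sh, and `check_passwordless_ssh webhost1.example.com` for each OHS host when UPDATE_OHS or COPY_WG_FILES is true.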

Creating a Response File

A sample response and password file is created for you in the responsefile directory. You can edit these files either directly or by running the start_here.sh shell script in the script's home directory.
For example:
./start_here.sh [ -r responsefile -p passwordfile ]

You can run the above script as many times as you want on the same file. Pressing the Enter key on any response retains the existing value.

Values are stored in the idm.rsp and .idmpwds files unless the command is started with the -r and -p options, in which case the files you specify are updated instead.

Note:

  • The file consists of key/value pairs. There should be no spaces between the name of the key and its value. For example:

    Key=value

  • If you are using complex passwords, that is, passwords which contain characters such as !, *, and $, then you must escape each of these characters with a backslash (\). For example: hello!$ should be entered as hello\!\$. Complex passwords used for databases should be enclosed in double quotes (""). For example: "hello!$"
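Both rules in the note above (Key=value with no surrounding spaces, and escaped or quoted special characters in passwords) are easy to violate when editing the files by hand, and a bad password line tends to surface only when a schema or LDAP step fails. The following is an added example, not one of the Oracle scripts, that lints a response or password file against those two rules; treating every key containing PWD, PASSWORD or TOKEN as a secret is this example's assumption.

```sh
#!/bin/sh
# Added example (not one of the Oracle scripts): lint a response or password
# file for the formatting rules in the note: every non-comment line must be
# Key=value with no whitespace around '=', and password-type values that
# contain ! * or $ must either escape them with a backslash or be enclosed
# in double quotes. Which keys count as secrets is an assumption.

# password_ok VALUE: true when VALUE is double-quoted, or when every
# ! * $ in it is preceded by a backslash.
password_ok() {
  v=$1
  case $v in
    '"'*'"') return 0 ;;        # quoted, as required for database passwords
  esac
  # drop every backslash-escaped character, then look for what is left over
  printf '%s\n' "$v" | sed 's/\\.//g' | grep -q '[!*$]' && return 1
  return 0
}

# validate_rsp FILE
# Prints one diagnostic per problem and returns 1 if any were found.
validate_rsp() {
  file=$1 rc=0 n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case $line in
      ''|'#'*) continue ;;                       # blank lines and comments
      *=*) ;;
      *) printf '%s\n' "$file:$n: not a Key=value pair"; rc=1; continue ;;
    esac
    key=${line%%=*}
    val=${line#*=}
    case $key in
      *[[:space:]]*) printf '%s\n' "$file:$n: whitespace before '=' in '$key'"; rc=1 ;;
    esac
    case $val in
      [[:space:]]*) printf '%s\n' "$file:$n: whitespace after '=' for $key"; rc=1 ;;
    esac
    case $key in
      *PWD*|*PASSWORD*|*TOKEN*)
        if ! password_ok "$val"; then
          printf '%s\n' "$file:$n: $key contains an unescaped !, * or \$; escape each with a backslash or quote the value"
          rc=1
        fi ;;
    esac
  done < "$file"
  return $rc
}
```

Run `validate_rsp responsefile/idm.rsp; validate_rsp responsefile/.idmpwds` after editing either file and before prereqchecks.sh.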

Validating Your Environment

You can run the prereqchecks.sh script, which exists in the script's home directory, to check your environment. This script is based on the response file you created earlier. See Creating a Response File.

The script performs several checks such as (but not limited to) the following:

  • Ensures that the container images are available on each node.
  • Checks that the NFS file shares have been created.
  • Ensures that the load balancers are reachable.

To invoke the script, use the following command:
cd <SCRIPTDIR>
./prereqchecks.sh [-r responsefile -p passwordfile]

The -r and -p options are optional.

Provisioning the Environment

There are a number of provisioning scripts located in the script directory. These scripts use a working directory defined in the response file for temporary files.

Table C-1 Provisioning Scripts Located in the Script Directory

provision.sh
    Umbrella script that invokes each of the scripts listed below (each of which can also be invoked manually).
provision_ingress.sh
    Deploys an Ingress controller.
provision_elk.sh
    Deploys Elasticsearch and Kibana.
provision_prom.sh
    Deploys Prometheus and Grafana.
provision_ohs.sh
    Installs Oracle HTTP Server and deploys WebGate.
provision_oud.sh
    Deploys Oracle Unified Directory.
provision_oudsm.sh
    Deploys Oracle Unified Directory Services Manager.
provision_operator.sh
    Deploys WebLogic Operator.
provision_oam.sh
    Deploys Oracle Access Manager.
provision_oig.sh
    Deploys Oracle Identity Governance.
provision_oiri.sh
    Deploys Oracle Identity Role Intelligence.
provision_oaa.sh
    Deploys Oracle Advanced Authentication.

Each of the above commands can be provided with a specific response file (default is idm.rsp) and password file (default is .idmpwds), by appending:
-r responsefile -p passwordfile

These files must exist in the response file directory.

Log Files

The provisioning scripts create log files for each product inside the working directory in a logs sub-directory.
This directory also contains the following two files:
  • progressfile – This file contains the last successfully executed step. If you want to restart the process at a different step, update this file.
  • timings.log – This file is used for informational purposes to show how much time was spent on each stage of the provisioning process.
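The re-entrant behaviour described under Key Concepts and the two files above go together: a step runner records each completed step in progressfile, skips already completed steps on a rerun, and appends how long each step took to timings.log. The following is an added example of that pattern, not one of the Oracle scripts; the file names are the page's, while LOGDIR, the step names and the deliberately failing demo step are constructed for illustration.

```sh
#!/bin/sh
# Added example (not one of the Oracle scripts) of the re-entrant step runner
# the text describes: each completed step is written to progressfile, a rerun
# skips every step up to and including the one recorded there, and the time
# spent per step is appended to timings.log. LOGDIR and the demo steps are
# constructed for illustration.

: "${LOGDIR:=/workdir/logs}"

# last_completed_step: prints the step recorded in progressfile, or nothing.
last_completed_step() {
  [ -f "$LOGDIR/progressfile" ] && cat "$LOGDIR/progressfile"
  return 0
}

# begin_run: reads the resume point once; call it before the first run_step.
# Editing progressfile by hand before calling this is how you restart at a
# different step, as the text describes.
begin_run() {
  mkdir -p "$LOGDIR"
  RESUME_AFTER=$(last_completed_step)
  SKIPPING=0
  [ -n "$RESUME_AFTER" ] && SKIPPING=1
  return 0
}

# run_step NAME COMMAND...
# Skips NAME while still before the resume point; otherwise runs COMMAND,
# and on success records NAME as the last completed step and logs the time.
run_step() {
  name=$1; shift
  if [ "$SKIPPING" = 1 ]; then
    echo "skipping $name: already completed (progressfile says $RESUME_AFTER)"
    [ "$name" = "$RESUME_AFTER" ] && SKIPPING=0
    return 0
  fi
  start=$(date +%s)
  if ! "$@"; then
    echo "step $name failed; fix the cause and rerun to resume here"
    return 1
  fi
  end=$(date +%s)
  printf '%s\n' "$name" > "$LOGDIR/progressfile"
  printf '%s %ss\n' "$name" $((end - start)) >> "$LOGDIR/timings.log"
}

# Constructed demo pipeline: the second step fails while the marker file
# named by FAIL_MARKER exists, so a first run stops there and a second run
# resumes from it.
secrets_step() { [ ! -f "${FAIL_MARKER:-/nonexistent}" ]; }

demo_provision() {
  begin_run
  run_step create_namespace true &&
  run_step create_secrets   secrets_step &&
  run_step create_domain    true
}
```

Because the resume point is read once in begin_run rather than on every step, a freshly completed step does not cause the next one to be skipped, and a run that starts with an empty progressfile executes every step in order.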

Files You Need to Keep

After a provisioning run that creates a domain is complete, there are files that you need to keep safely. These files are used to start and stop the domain, and they contain the instructions for starting it.
A copy of these files is stored in the working directory under the TO_KEEP subdirectory.

You should also keep any override files that are generated.

Archiving Files After Installation/Configuration

As part of running the scripts, a number of working files are created in the WORKDIR directory prior to copying to the persistent volume in /u01/user_projects/workdir.
Many of these files contain passwords required for the setup. You should archive these files after completing the deployment.

The response file uses a hidden file in the responsefile directory to store passwords.
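Because the working files and the hidden password file carry the credentials used during setup, it is worth knowing exactly which files hold secrets and archiving them into something only the owner can read. The following is an added example, not one of the Oracle scripts; the directory layout is LOCAL_WORKDIR from the response-file reference, and the archive name and the pattern used to spot secret-bearing files are assumptions.

```sh
#!/bin/sh
# Added example (not one of the Oracle scripts): lists the working files that
# carry credentials and archives the working directory into a single file
# created with owner-only permissions. The key pattern used to detect
# secrets and the archive name are assumptions.

# secret_files DIR: lists files under DIR whose contents include a password,
# token or SYS-password key, i.e. the files that must not be left behind in
# a world-readable location once the deployment is complete.
secret_files() {
  grep -rlE '(_PWD|_TOKEN|PASSWORD)=' "$1" 2>/dev/null || true
}

# archive_workdir DIR ARCHIVE: packs DIR into ARCHIVE (tar.gz) and prints the
# number of entries archived. The umask is set in a subshell so the archive is
# created mode 0600 from the start rather than world-readable and tightened
# afterwards.
archive_workdir() {
  src=$1 dest=$2
  [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
  ( umask 077 && tar -czf "$dest" -C "$(dirname "$src")" "$(basename "$src")" ) || return 1
  tar -tzf "$dest" | grep -c .
}
```

A typical use after provisioning is `secret_files /workdir` to review what is there, then `archive_workdir /workdir /secure/iam-workdir.tar.gz` and a move of the archive to protected storage.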

Oracle HTTP Server Configuration Files

Each provisioning script creates sample files for configuring your Oracle HTTP Server. These files are generated and stored in the working directory under the OHS subdirectory. If required, the scripts can also copy these configuration files to Oracle HTTP server and restart it.

Utilities

In the scripts directory, there is a subdirectory called utils. This directory contains sample utilities you may find useful.

These utilities are used for:

  • Loading container images to each of the Kubernetes nodes.
  • Deleting deployments.

Reference - Response File

The parameters in the response file are used to control the provisioning of the various products in the Kubernetes cluster. These parameters are divided into generic and product-specific parameters.

Products to Deploy

These parameters determine which products the deployment scripts attempt to deploy.

Table C-2 List of Products to Deploy

Parameter=Sample Value
    Comments

INSTALL_INGRESS=true
    Set the value to true to configure an Ingress controller.
INSTALL_ELK=false
    Set the value to true to install and configure Elasticsearch and Kibana.
INSTALL_PROM=false
    Set the value to true to install and configure Prometheus and Grafana.
INSTALL_OHS=true
    Set the value to true to install the Oracle HTTP Server.
INSTALL_OUD=true
    Set the value to true to configure OUD.
INSTALL_OUDSM=true
    Set the value to true to configure OUDSM.
INSTALL_WLSOPER=true
    Set the value to true to deploy Oracle WebLogic Operator.
INSTALL_OAM=true
    Set the value to true to configure OAM.
INSTALL_OIG=true
    Set the value to true to configure OIG.
INSTALL_OIRI=true
    Set the value to true to configure OIRI.
INSTALL_OAA=true
    Set the value to true to configure OAA.
INSTALL_RISK=true
    Set the value to true to configure RISK.
INSTALL_OUA=true
    Set the value to true to configure OUA.

Control Parameters

These parameters are used to specify the type of Kubernetes deployment and the names of the temporary directories you want the deployment to use, during the provisioning process.

Table C-3 List of Control Parameters in the Response File

Parameter=Sample Value
    Comments

USE_REGISTRY=false
    Set to true to pull images from a container registry.
IMAGE_TYPE=crio
    Set to crio or docker depending on your container engine.
IMAGE_DIR=/container/images
    The location where you have downloaded the container images. Used by the load_images.sh script.
LOCAL_WORKDIR=/workdir
    The location where you want to create the working directory.
K8_WORKDIR=/u01/oracle/user_projects/workdir
    The location inside the Kubernetes containers to which working files are copied.
K8_WORKER_HOST1=k8worker1.example.com
    The name of a Kubernetes worker node used in generating the OHS sample files.
K8_WORKER_HOST2=k8worker2.example.com
    The name of a Kubernetes worker node used in generating the OHS sample files.

Registry Parameters

These parameters determine whether or not you are using a container registry. If you are, they hold the login credentials for the registry so that the scripts can store them as registry secrets in the individual product namespaces.

If you are pulling images from GitHub or Docker hub, then you can also specify the login parameters here so that you can create the appropriate Kubernetes secrets.

Table C-4 List of Registry Parameters in the Response File

Parameter=Sample Value
    Comments

REGISTRY=iad.ocir.io/mytenancy
    Set to the location of your container registry.
REG_USER=mytenancy/oracleidentitycloudservice/email@example.com
    Set to your registry user name.
REG_PWD=<password>
    Set to your registry password.
CREATE_REGSECRET=false
    Set to true to create a registry secret for automatically pulling images.
CREATE_GITSECRET=true
    Specify whether to create a secret for GitHub. This parameter ensures that you do not see errors relating to GitHub not allowing anonymous downloads.
GIT_USER=gituser
    The GitHub user's name.
GIT_TOKEN=ghp_aO8fqRNVdfsfshOxsWk40uNMS
    The GitHub token.
DH_USER=username
    The Docker user name for hub.docker.com. Used for obtaining the public images. If you are hosting the public images in the registry, then specify the user name for that registry.
DH_PWD=mypassword
    The Docker password for hub.docker.com. Used for obtaining the public images. If you are hosting the public images in the registry, then specify the user's password for that registry.

Image Parameters

These parameters are used to specify the names and versions of the container images you want to use for the deployment. These images must be available either locally or in your container registry. The names and versions must be identical to the images in the registry or the images stored locally.

These can include registry prefixes if you use a registry. Use the local/ prefix if you use the Oracle Cloud Native Environment.

Table C-5 List of Image Parameters in the Response File

Parameter=Sample Value
    Comments

OPER_IMAGE=ghcr.io/oracle/weblogic-kubernetes-operator
    The WebLogic Operator image name.
OUD_IMAGE=$REGISTRY/oud
    The OUD image name.
OUDSM_IMAGE=$REGISTRY/oudsm
    The OUDSM image name.
OAM_IMAGE=$REGISTRY/oam
    The OAM image name.
OIG_IMAGE=$REGISTRY/oig
    The OIG image name.
OIRI_CLI_IMAGE=$REGISTRY/oiri-cli
    The OIRI CLI image name.
OIRI_IMAGE=$REGISTRY/oiri
    The OIRI image name.
OIRI_UI_IMAGE=$REGISTRY/oiri-ui
    The OIRI UI image name.
OIRI_DING_IMAGE=$REGISTRY/oiri-ding
    The OIRI DING image name.
OAA_MGT_IMAGE=$REGISTRY/oracle/shared/oaa-mgmt
    The OAA Management container image.
KUBECTL_REPO=bitnami/kubectl
    The kubectl image used by OUD.
BUSYBOX_REPO=docker.io/busybox
    The busybox image used by OUD.
PROM_REPO=
    If you are using your own container registry and have staged the Prometheus and Grafana images in this registry, then set this variable to the location of your registry. Leave it blank if you want to obtain the images from the public repositories.
ELK_REPO=
    If you are using your own container registry and have staged the Elasticsearch and Kibana images in this registry, then set this variable to the location of your registry. Leave it blank if you want to obtain the images from the public repositories.
OPER_VER=3.3.0
    The version of the WebLogic Operator.
OUD_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OUD version.
OUDSM_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OUDSM version.
OAM_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OAM version.
OIG_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OIG version.
OIRICLI_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OIRI CLI version.
OIRI_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OIRI version.
OIRIUI_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OIRI UI version.
OIRIDING_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OIRI DING version.
OAAMGT_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OAA MGMT container version.
OAA_VER=12.2.1.4-jdk8-ol7-<DATE>
    The OAA version.

Generic Parameters

These generic parameters apply to all deployments.

Table C-6 Parameters to Control the Deployment of all Products

Parameter=Sample Value
    Comments

PVSERVER=nfsserver.example.com
    The name or IP address of the NFS server used for persistent volumes.
    Note: If you use a name, then the name must be resolvable inside the Kubernetes cluster. If it is not resolvable, you can add it by updating CoreDNS. See Adding Individual Host Entries to CoreDNS.
IAM_PVS=/exports/IAMPVS
    The export path on the NFS server where persistent volumes are located.
PV_MOUNT=/u01/oracle/user_projects
    The path to mount the PV inside the Kubernetes container. Oracle recommends that you do not change this value.

Ingress Parameters

These parameters determine how the Ingress controller is deployed.

Table C-7 Ingress Parameters that Determine the Deployment of Ingress Controller

Parameter=Sample Value
    Comments

INGRESSNS=ingressns
    The Kubernetes namespace used to hold the Ingress objects.
INGRESS_TYPE=nginx
    The type of Ingress controller you want to deploy. At this time, the script supports only nginx.
INGRESS_ENABLE_TCP=true
    Set to true if you want the controller to forward LDAP requests.
INGRESS_NAME=idmedg
    The name of the Ingress controller used to create an Nginx Class.
INGRESS_SSL=false
    Set to true if you want to configure the Ingress controller for SSL.
INGRESS_DOMAIN=example.com
    Used when creating self-signed certificates for the Ingress controller.
INGRESS_REPLICAS=2
    The number of Ingress controller replicas to start with. This value should be a minimum of two for high availability.

Elasticsearch Parameters

These parameters determine how to send log files to Elasticsearch.

Table C-8 Parameters to Send Log Files to Elasticsearch

Parameter=Sample Value
    Comments

USE_ELK=false
    Set to true if you want to send log files to Elasticsearch.
ELKNS=elkns
    The Kubernetes namespace used to hold Elasticsearch objects.
ELK_OPER_VER=2.10.0
    The version of the Elasticsearch operator you want to use.
ELK_VER=8.11.0
    The version of Elasticsearch/Logstash to use.
ELK_HOST=https://elasticsearch-es-http.<ELKNS>.svc:9200
    The address of the Elasticsearch server to which log files are to be sent. If you are using ELK inside the Kubernetes cluster, specify the address shown as the sample value. If you are using an Elasticsearch outside of the Kubernetes cluster, specify the external address. The host name you specify must be resolvable inside the Kubernetes cluster.
ELK_SHARE=/exports/IAMPVS/elkpv
    The mount point on the NFS server where the ELK persistent volume is exported.
ELK_STORAGE=nfs-client
    The storage class to use for the Elasticsearch stateful sets.

Prometheus Parameters

These parameters determine how to send monitoring information to Prometheus.

Table C-9 Parameters for Sending Monitoring Information to Prometheus

Parameter=Sample Value
    Comments

USE_PROM=false
    Set to true if you want to send monitoring data to Prometheus.
PROMNS=monitoring
    The Kubernetes namespace used to hold the Prometheus deployment.

OHS Parameters

OHS parameters control how the sample OHS configuration files are generated. They also control whether you want the Oracle HTTP Server files to be propagated to the Oracle HTTP Server hosts automatically. If you choose automatic propagation, you must ensure that passwordless SSH is possible from the deployment host to the Oracle HTTP Servers.

Table C-10 Parameters Used by Oracle HTTP Server to Create Sample OHS Configuration Files

Parameter=Sample Value
    Comments

UPDATE_OHS=true
    Set this value to true if you want the scripts to automatically copy the generated OHS configuration files. After the files are copied, the Oracle HTTP Server restarts.
    Note: This value is independent of whether you are installing the Oracle HTTP Server or not.
OHS_HOST1=webhost1.example.com
    The fully qualified name of the host running the first Oracle HTTP Server.
OHS_HOST2=webhost2.example.com
    The fully qualified name of the host running the second Oracle HTTP Server. Leave it blank if you do not have a second Oracle HTTP Server.
OHS_LBR_NETWORK=webtier.example.com
    The network subnets where the OHS health checks originate. Multiple entries must be enclosed in quotes and separated by spaces.
DEPLOY_WG=true
    Deploys WebGate in OHS_ORACLE_HOME.
COPY_WG_FILES=true
    Set this to true if you want the scripts to automatically copy the generated WebGate artifacts to the OHS server.
    Note: You should have first deployed the WebGate.
OHS_INSTALLER=fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip
    The name of the OHS installer ZIP file.
OHS_BASE=/u02/private
    The location of the OHS base directory. The binaries and the configuration files are below this location. The Oracle inventory is also placed in this location when installing the Oracle HTTP Server.
OHS_ORACLE_HOME=$OHS_BASE/oracle/products/ohs
    The location of the OHS binaries.
OHS_DOMAIN=$OHS_BASE/oracle/config/domains/ohsDomain
    The location of the OHS domain on OHS_HOST1 and OHS_HOST2.
OHS1_NAME=ohs1
    The component name of the first OHS instance (on OHS_HOST1).
OHS2_NAME=ohs2
    The component name of the second OHS instance (on OHS_HOST2).
NM_ADMIN_USER=admin
    The name of the admin user you want to assign to Node Manager if you install the Oracle HTTP Server.
OHS_PORT=7777
    The port your Oracle HTTP Servers listen on.
OHS_HTTPS_PORT=4443
    The SSL port on which Oracle HTTP Servers listen.
NM_PORT=5556
    The port to use for Node Manager.

OUD Parameters

These parameters are specific to OUD. When deploying OUD, you also require the generic LDAP parameters.

Table C-11 OUD Parameters that Determine the Deployment of Oracle Unified Directory

Parameter=Sample Value
    Comments

OUDNS=oudns
    The Kubernetes namespace used to hold the OUD objects.
OUD_SHARE=$IAM_PVS/oudpv
    The mount point on the NFS server where the OUD persistent volume is exported.
OUD_CONFIG_SHARE=$IAM_PVS/oudconfigpv
    The mount point on the NFS server where the OUD configuration persistent volume is exported.
OUD_LOCAL_SHARE=/nfs_volumes/oudconfigpv
    The local directory where OUD_CONFIG_SHARE is mounted. Used to hold seed files.
OUD_LOCAL_PVSHARE=/nfs_volumes/oudpv
    The local directory where OUD_SHARE is mounted. Used for deletion.
OUD_POD_PREFIX=edg
    The prefix used for the OUD pods.
OUD_REPLICAS=1
    The number of OUD replicas to create. If you require two OUD instances, set this to 1. This value is in addition to the primary instance.
OUD_REGION=us
    The OUD region to use. This should be the first part of the search base, without the dc=.
LDAP_USER_PWD=<password1>
    The password to assign to all users being created in LDAP.
    Note: This value should have at least one capital letter, one number, and should be at least eight characters long.
OUD_PWD_EXPIRY=2024-01-02
    The date on which the user passwords you are creating expire.
OUD_CREATE_NODEPORT=true
    Set to true if you want to create NodePort services for OUD. These services are used to interact with OUD from outside of the Kubernetes cluster.
OUD_MAX_CPU=1
    Maximum CPU cores allocated to the OUD containers.
OUD_CPU=200m
    Initial CPU units allocated to the OUD pods, where 1000m is equal to 1 CPU core.
OUD_MAX_MEMORY=4Gi
    Maximum amount of memory that an OUD container can consume.
OUD_MEMORY=2Gi
    Initial memory allocated to the OUD pods.

OUDSM Parameters

These parameters are used to control the way OUDSM is deployed.

Table C-12 Parameters that Determine the Deployment of Oracle Directory Services Manager

Parameter=Sample Value
    Comments

OUDSMNS=oudsmns
    The Kubernetes namespace used to hold the OUDSM objects.
OUDSM_USER=weblogic
    The name of the administration user you want to use for the WebLogic domain that is created when you install OUDSM.
OUDSM_PWD=<password>
    The password you want to use for OUDSM_USER.
OUDSM_SHARE=$IAM_PVS/oudsmpv
    The mount point on the NFS server where the OUDSM persistent volume is mounted.
OUDSM_LOCAL_SHARE=/nfs_volumes/oudsmpv
    The local directory where OUDSM_SHARE is mounted. It is used by the deletion procedure.
OUDSM_INGRESS_HOST=oudsm.example.com
    Used when you are using an Ingress controller. This name must resolve in DNS and point to one of the Kubernetes worker nodes or to the network load balancer entry for the Kubernetes workers.

LDAP Parameters

This table lists the parameters which are common to all LDAP deployments.

Table C-13 Parameters for All LDAP Deployments

Parameter=Sample Value
    Comments

LDAP_OAMADMIN_USER=oamadmin
    The name of the user you want to create for the OAM administration tasks.
LDAP_ADMIN_USER=cn=oudadmin
    The name of the OUD administrator user.
LDAP_ADMIN_PWD=<password>
    The password you want to use for the OUD administrator user.
LDAP_SEARCHBASE=dc=example,dc=com
    The OUD search base.
LDAP_GROUP_SEARCHBASE=cn=Groups,dc=example,dc=com
    The search base where names of groups are stored in the LDAP directory.
LDAP_USER_SEARCHBASE=cn=Users,dc=example,dc=com
    The search base where names of users are stored in the LDAP directory.
LDAP_RESERVE_SEARCHBASE=cn=Reserve,dc=example,dc=com
    The search base where reservations are stored in the LDAP directory.
LDAP_SYSTEMIDS=systemids
    The special directory tree inside the OUD search base to store system user names, which will not be managed through OIG.
LDAP_OIGADMIN_GRP=OIMAdministrators
    The name of the group you want to use for the OIG administration tasks.
LDAP_OAMADMIN_GRP=OAMAdministrators
    The name of the group you want to use for the OAM administration tasks.
LDAP_WLSADMIN_GRP=WLSAdministrators
    The name of the group you want to use for the WebLogic administration tasks.
LDAP_OAMLDAP_USER=oamLDAP
    The name of the user you want to use to connect the OAM domain to LDAP for user validation.
LDAP_OIGLDAP_USER=oimLDAP
    The name of the user you want to use to connect the OIG domain to LDAP for integration. This user will have read/write access.
LDAP_WLSADMIN_USER=weblogic_iam
    The name of a user you want to use for logging in to the WebLogic Administration Console and Fusion Middleware Control.
LDAP_XELSYSADM_USER=xelsysadm
    The name of the user to administer OIG.
LDAP_USER_PWD=<userpassword>
    The password to be assigned to all the LDAP user accounts.
LDAP_EXTERNAL_HOST=
    Specify only if the LDAP host does not reside inside the current Kubernetes cluster. In this case, enter the host name where LDAP is running.
LDAP_EXTERNAL_PORT=
    Specify only if the LDAP host does not reside inside the current Kubernetes cluster. In this case, enter the port on which LDAP is listening.

SSL Parameters

The deployment scripts create self-signed certificates. These parameters determine which values are added to those certificates.

Table C-14 Parameters Used to Create Self-Signed Certificates

Parameter=Sample Value
    Comments

SSL_COUNTRY=US
    The abbreviation for the name of the country.
SSL_ORG=Example Company
    The name of the organization.
SSL_CITY=City
    The name of the city.
SSL_STATE=State
    The name of the state.
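The SSL_* parameters above supply the subject of the self-signed certificates the scripts create. The following is an added example, not one of the Oracle scripts, that builds that subject and issues a self-signed certificate and key for the Ingress host with openssl. Which subject fields the Oracle scripts actually use, the subjectAltName extension, and the fallback to INGRESS_DOMAIN for the common name are assumptions of this example.

```sh
#!/bin/sh
# Added example (not one of the Oracle scripts): builds an X.509 subject from
# the SSL_* response-file parameters and creates a self-signed certificate and
# key for the Ingress controller. Which fields the Oracle scripts place in
# their certificates is an assumption here; the common name defaults to
# INGRESS_DOMAIN from the Ingress parameters.

# esc VALUE: escapes '/' in a field, because '/' separates subject components
# in OpenSSL's -subj syntax.
esc() { printf '%s' "$1" | sed 's#/#\\/#g'; }

# cert_subject [CN]: prints the subject in -subj syntax, using the page's
# sample values as defaults when a parameter is unset.
cert_subject() {
  cn=${1:-${INGRESS_DOMAIN:-example.com}}
  printf '/C=%s/ST=%s/L=%s/O=%s/CN=%s' \
    "$(esc "${SSL_COUNTRY:-US}")" "$(esc "${SSL_STATE:-State}")" \
    "$(esc "${SSL_CITY:-City}")" "$(esc "${SSL_ORG:-Example Company}")" \
    "$(esc "$cn")"
}

# gen_self_signed_cert OUTDIR [CN]: writes tls.key and tls.crt into OUTDIR.
# The CN is repeated as a subjectAltName because clients match the host
# against the SAN, not the CN (-addext needs OpenSSL 1.1.1 or later). The
# umask keeps the private key readable by the owner only.
gen_self_signed_cert() {
  out=$1; cn=${2:-${INGRESS_DOMAIN:-example.com}}
  mkdir -p "$out"
  ( umask 077 && openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
      -subj "$(cert_subject "$cn")" -addext "subjectAltName=DNS:$cn" \
      -keyout "$out/tls.key" -out "$out/tls.crt" 2>/dev/null )
}
```

The resulting pair is what you would load into the cluster with `kubectl create secret tls` for the Ingress controller when INGRESS_SSL is true; a self-signed certificate is only suitable for clients that have been told to trust it.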

WebLogic Operator for Kubernetes Parameters

These parameters determine how the Oracle WebLogic Operator is provisioned.

Table C-15 Parameter that Determines the Deployment of Oracle WebLogic Operator for Kubernetes

Parameter=Sample Value
    Comments

OPERNS=opns
    The Kubernetes namespace used to hold the WebLogic Kubernetes Operator.
OPER_ACT=operadmin
    The Kubernetes service account for use by the WebLogic Kubernetes Operator.
OPER_ENABLE_SECRET=false
    Set to true when using your own container registry that requires authentication.

OAM Parameters

These parameters determine how OAM is deployed and configured.

Table C-16 Parameters that Determine the Deployment of Oracle Access Manager

Parameter=Sample Value
    Comments

OAMNS=oamns
    The Kubernetes namespace used to hold the OAM objects.
OAM_SHARE=$IAM_PVS/oampv
    The mount point on the NFS server where the OAM persistent volume is exported.
OAM_LOCAL_SHARE=/nfs_volumes/oampv
    The local directory where OAM_SHARE is mounted. It is used by the deletion procedure.
OAM_SERVER_COUNT=5
    The number of OAM servers to configure. This value should be more than you expect to use.
OAM_SERVER_INITIAL=2
    The number of OAM Managed Servers you want to start for normal running. You will need at least two servers for high availability.
OAM_DB_SCAN=dbscan.example.com
    The database scan address to be used by the grid infrastructure.
OAM_DB_LISTENER=1521
    The database listener port.
OAM_DB_SERVICE=iadedg.example.com
    The database service that connects to the database you want to use for storing the OAM schemas.
OAM_DB_SYS_PWD=DBSysPassword
    The SYS password of the OAM database.
OAM_RCU_PREFIX=IADEDG
    The RCU prefix to use for the OAM schemas.
OAM_SCHEMA_PWD=SchemaPassword
    The password to use for the OAM schemas that get created. If you are using special characters, you may need to escape them with a '\'. For example: 'Password\#'.
OAM_WEBLOGIC_USER=weblogic
    The OAM WebLogic administration user name.
OAM_WEBLOGIC_PWD=<password1>
    The password to be used for OAM_WEBLOGIC_USER.
OAM_DOMAIN_NAME=accessdomain
    The name of the OAM domain you want to create.
OAM_LOGIN_LBR_HOST=login.example.com
    The load balancer name for logging in to OAM.
OAM_LOGIN_LBR_PORT=443
    The load balancer port to use for logging in to OAM.
OAM_LOGIN_LBR_PROTOCOL=https
    The protocol of the load balancer port to use for logging in to OAM.
OAM_ADMIN_LBR_HOST=iadadmin.example.com
    The load balancer name to use for accessing OAM administrative functions.
OAM_ADMIN_LBR_PORT=80
    The load balancer port to use for accessing OAM administrative functions.
OAM_COOKIE_DOMAIN=.example.com
    The OAM cookie domain is generally similar to the search base. Ensure that you have a '.' (dot) at the beginning.
OAM_OIG_INTEG=true
    Set to true if OAM is integrated with OIG.
OAM_OAP_HOST=k8worker1.example.com
    The name of one of the Kubernetes worker nodes used for OAP calls.
OAM_OAP_PORT=5575
    The internal Kubernetes port used for OAM requests.
OAMSERVER_JAVA_PARAMS="-Xms2048m -Xmx8192m"
    The Java memory parameters to use for OAM Managed Servers.
OAM_CPU=500m
    Initial CPU units allocated to the OAM pods, where 1000m is equal to 1 CPU core.
OAM_MAX_CPU=1
    Maximum CPU cores allocated to the OAM pods.
OAM_MEMORY=2Gi
    Initial memory allocated to the OAM pods.
OAM_MAX_MEMORY=8Gi
    Maximum amount of memory that an OAM pod can consume.

OIG Parameters

These parameters determine how OIG is provisioned and configured.

Table C-17 Parameters that determine the Deployment of Oracle Identity Governance

Parameter Sample Value Comments

OIGNS

oigns

The Kubernetes namespace used to hold the OIG objects.

CONNECTOR_DIR

/workdir/OIG/connectors/

The location on the file system where you have downloaded and extracted the OUD connector bundle.

OIG_SHARE

$IAM_PVS/oigpv

The mount point on the NFS server where the OIG persistent volume is exported.

OIG_LOCAL_SHARE

/local_volumes/oigpv

The local directory where OIG_SHARE is mounted. It is used by the deletion procedure.

OIG_SERVER_COUNT

5

The number of OIM/SOA servers to configure. This value should be more than you expect to use.

OIG_SERVER_INITIAL

2

The number of OIM/SOA Managed Servers you want to start for normal running. You will need at least two servers for high availability.

OIG_DOMAIN_NAME

governancedomain

The name of the OIG domain you want to create.

OIG_DB_SCAN

dbscan.example.com

The database scan address used by the grid infrastructure.

OIG_DB_LISTENER

1521

The database listener port.

OIG_DB_SERVICE

edgigd.example.com

The database service which connects to the database you want to use for storing the OIG schemas.

OIG_DB_SYS_PWD

MySysPassword

The SYS password of the OIG database.

OIG_RCU_PREFIX

IGDEDG

The RCU prefix to use for OIG schemas.

OIG_SCHEMA_PWD

MySchemPassword

The password to use for the OIG schemas that get created. If you are using special characters, you may need to escape them with a '\'. For example: 'Password\#'.

OIG_WEBLOGIC_USER

weblogic

The OIG WebLogic administration user.

OIG_WEBLOGIC_PWD

<password>

The password you want to use for OIG_WEBLOGIC_USER.

OIG_ADMIN_LBR_HOST

igdadmin.example.com

The load balancer name to use for accessing OIG administrative functions.

OIG_ADMIN_LBR_PORT

80

The load balancer port you use for accessing the OIG administrative functions.

OIG_LBR_HOST

prov.example.com

The load balancer name to use for accessing the OIG Identity Console.

OIG_LBR_PORT

443

The load balancer port to use for accessing the OIG Identity Console.

OIG_LBR_PROTOCOL

https

The load balancer protocol to use for accessing the OIG Identity Console.

OIG_LBR_INT_HOST

igdinternal.example.com

The load balancer name you will use for accessing OIG internal callbacks.

OIG_LBR_INT_PORT

7777

The load balancer port to use for accessing the OIG internal callbacks.

OIG_LBR_INT_PROTOCOL

http

The load balancer protocol to use for accessing OIG internal callbacks.

OIG_ENABLE_T3

false

Set this value to true if you want to enable access to the Design Console. This exposes the OIM Managed Server T3 port outside the cluster (see OIG_OIM_T3_PORT_K8), so leave it false unless you need the Design Console.

OIG_BI_INTEG

true

Set to true to configure BIP integration.

OIG_BI_HOST

bi.example.com

The load balancer name you will use for accessing BI Publisher.

OIG_BI_PORT

443

The load balancer port you will use for accessing BI Publisher.

OIG_BI_PROTOCOL

https

The load balancer protocol you will use for accessing BI Publisher.

OIG_BI_USER

idm_report

The BI user name you want to use for running reports in the BI Publisher deployment.

OIG_BI_USER_PWD

BIPassword

The password of the OIG_BI_USER.

OIMSERVER_JAVA_PARAMS

"-Xms4096m -Xmx8192m"

The memory parameters to use for the oim_servers.

SOASERVER_JAVA_PARAMS

"-Xms4096m -Xmx8192m"

The memory parameters to use for soa_servers.

OIG_EMAIL_CREATE

true

If set to true, OIG will be configured for email notifications.

OIG_EMAIL_SERVER

sendmail.example.com

The name of your SMTP email server.

OIG_EMAIL_PORT

25

The port of your SMTP server.

OIG_EMAIL_SECURITY

None

The security mode of your SMTP server. The valid values are None or TLS.

OIG_EMAIL_ADDRESS

myemail.example.com

The user name that is used to connect to the SMTP server, if one is required.

OIG_EMAIL_PWD

<password>

The password used to connect to the SMTP server, if one is required.

OIG_EMAIL_FROM_ADDRESS

from@example.com

The 'From' email address used when emails are sent.

OIG_EMAIL_REPLY_ADDRESS

noreplies@example.com

The 'Reply' to email address of the emails that are sent.

OIRI Parameters

These parameters determine how OIRI is provisioned and configured.

Table C-18 Parameters that Determine the Deployment of Oracle Identity Role Intelligence

Parameter Sample Value Comments

OIRINS

oirins

The Kubernetes namespace used to hold the OIRI objects.

DINGNS

dingns

The Kubernetes namespace used to hold the OIRI DING objects.

OIRI_REPLICAS

2

The number of OIRI server pods to start. You will need at least two for high availability.

OIRI_UI_REPLICAS

2

The number of OIRI UI server pods to start.

OIRI_SPARK_REPLICAS

2

The number of OIRI Spark server pods to start.

OIRI_SHARE

$IAM_PVS/oiripv

The mount point on the NFS server where the OIRI persistent volume is exported.

OIRI_LOCAL_SHARE

/nfs_volumes/oiripv

The local directory where OIRI_SHARE is mounted. It is used by the deletion procedure.

OIRI_SHARE_SIZE

10Gi

The size of the OIRI persistent volume.

OIRI_DING_SHARE

$IAM_PVS/dingpv

The mount point on the NFS server where the OIRI DING persistent volume is exported.

OIRI_DING_LOCAL_SHARE

/nfs_volumes/dingpv

The local directory where OIRI_DING_SHARE is mounted. It is used by the deletion procedure.

OIRI_DING_SHARE_SIZE

10Gi

The size of the OIRI DING persistent volume.

OIRI_WORK_SHARE

$IAM_PVS/workpv

The mount point on the NFS server where the OIRI work persistent volume is exported.

OIRI_DB_SCAN

dbscan.example.com

The database SCAN address of the grid infrastructure.

OIRI_DB_LISTENER

1521

The database listener port.

OIRI_DB_SERVICE

edgoiri.example.com

The database service which connects to the database you want to use for storing the OIRI schemas.

OIRI_DB_SYS_PWD

MySysPassword

The SYS password of the OIRI database.

OIRI_RCU_PREFIX

oiriedg

The RCU prefix to use for the OIRI schemas.

OIRI_SCHEMA_PWD

MySchemPassword

The password to use for the OIRI schemas that get created. If you are using special characters, you may need to escape them with a '\'. For example: 'Password\#'.

OIRI_OIG_DB_SCAN

dbscan.example.com

The database SCAN address of the grid infrastructure for OIG Database.

OIRI_OIG_DB_LISTENER

1521

The OIG database listener port.

OIRI_OIG_DB_SERVICE

oigsvc.example.com

The database service which connects to the OIG database whose schemas OIRI mines.

OIRI_CREATE_OHS

true

This value instructs the scripts to generate OHS entries for connecting to OIRI. You should set this to true unless you are configuring a standalone OIRI.

OIRI_INGRESS_HOST

igdadmin.example.com

If you are creating a fully integrated deployment and want OIRI to be included in the OHS deployment, then this value should be set to the OIG Administration host name. For example: igdadmin.example.com.

If you are deploying OIRI standalone using Ingress to route requests, then set this value to the virtual hostname you want to use. For example: oiri.example.com.

OIRI_KEYSTORE_PWD

MyKeystore_Password100

The password to use for the OIRI keystore.

OIRI_ENG_GROUP

OrclOIRIRoleEngineer

The name of the OIG OIRI group - DO NOT CHANGE.

OIRI_ENG_USER

oiri

The user to be created in OIG for UI login.

OIRI_ENG_PWD

MyPassword1

The password of the OIRI_ENG_USER.

OIRI_SERVICE_USER

oirisvc

The user name for the OIG OIRI service account.

OIRI_SERVICE_PWD

MyPassword1

The password for OIRI_SERVICE_USER.

OIRI_OIG_URL

http://$OIG_DOMAIN_NAME-cluster-oim-cluster.$OIGNS.svc.cluster.local:14000

The URL to access OIG. If OIG is internal to the Kubernetes cluster, use the Kubernetes service name as shown in the sample value. If OIG is external, use the internal load balancer URL (OIG_LBR_INT_PROTOCOL://OIG_LBR_INT_HOST:OIG_LBR_INT_PORT).

OIRI_OIG_SERVER

t3://$OIG_DOMAIN_NAME-oim-server1.$OIGNS.svc.cluster.local:14000

The T3 URL to access the OIG oim server. It is used to create users in OIG.

OIRI_LOAD_DATA

true

Set to true if you want to load data from the OIG database.

OIRI_OIG_XELSYSADM_USER

xelsysadm

The OIM administrator user that is used to create users in OIG.

OIRI_OIG_USER_PWD

mypassword

Password of the OIRI_OIG_XELSYSADM_USER.

OIRI_OIG_XELL_FILE

If your OIG is not inside Kubernetes, you need to manually acquire the OIG REST certificate. See Obtaining the OIG SSL Certificate. Set this parameter to the location of that file. Leave it blank if OIG is in Kubernetes.

OIRI_CREATE_OIG_USER

true

Set to true to allow the automation scripts to create the OIRI users in OIG.

OIRI_SET_OIG_COMPLIANCE

true

Set to true to allow the automation scripts to place OIG in compliance mode.

OAA Parameters

These parameters determine how OAA is provisioned and configured.

Table C-19 Parameters that Determine the Deployment of Oracle Advanced Authentication and Risk Management

Parameter Sample Value Comments

OAANS

oaans

The Kubernetes namespace used to hold the OAA objects.

OAACONS

coherence

The Kubernetes namespace used to hold the Coherence objects.

OAA_DEPLOYMENT

edg

A name for your OAA deployment. Do not use the name oaa because this is reserved for internal use.

OAA_DOMAIN

OAADomain

The name of the OAM OAuth domain you want to create.

OAA_VAULT_TYPE

file|oci

The type of vault to use: file system or OCI.

OAA_CREATE_OHS

true

Set to false if you are installing OAA standalone, fronted by Ingress rather than OHS.

OAA_CONFIG_SHARE

$IAM_PVS/oaaconfigpv

The mount point on the NFS server where the OAA configuration persistent volume is exported.

OAA_CRED_SHARE

$IAM_PVS/oaacredpv

The mount point on the NFS server where the OAA credentials persistent volume is exported.

OAA_LOG_SHARE

$IAM_PVS/oaalogpv

The mount point on the NFS server where the OAA log files persistent volume is exported.

OAA_LOCAL_CONFIG_SHARE

/nfs_volumes/oaaconfigpv

The local directory where OAA_CONFIG_SHARE is mounted. It is used by the deletion procedure.

OAA_LOCAL_CRED_SHARE

/nfs_volumes/oaacredpv

The local directory where OAA_CRED_SHARE is mounted. It is used by the deletion procedure.

OAA_LOCAL_LOG_SHARE

/nfs_volumes/oaalogpv

The local directory where OAA_LOG_SHARE is mounted. It is used by the deletion procedure.

OAA_DB_SCAN

dbscan.example.com

The database SCAN address of the grid infrastructure.

OAA_DB_LISTENER

1521

The database listener port.

OAA_DB_SERVICE

oaa_s.example.com

The database service which connects to the database you want to use for storing the OAA schemas.

OAA_DB_SYS_PWD

MySysPassword

The SYS password of the OAA database.

OAA_RCU_PREFIX

OAAEDG

The prefix to use for the OAA schemas.

OAA_SCHEMA_PWD

MySchemPassword

The password to use for the OAA schemas that are created. If you are using special characters, you may need to escape them with a '\'. For example: 'Password\#'.

OAA_DB_SID

iamdb11

The SID of the database on the database server.

OAA Users/Groups/Passwords

Table C-20 User Names and Groups Used for OAA

Users/Groups Example Description

OAA_ADMIN_GROUP

OAA-Admin-Role

The OIG role to create for OAA administration functions. This group is created in OIG.

OAA_USER_GROUP

OAA-App-User

The group which will be assigned to the OAA users. This group is created in OIG.

OAA_ADMIN_USER

oaaadmin

The name of the user to use for OAA administration functions. This user name is created in OIG.

OAA_ADMIN_PWD

oaaAdminPassword

The password to be assigned to the OAA_ADMIN_USER.

OAA_KEYSTORE_PWD

oaapassword

The password to be used for OAA keystores.

OAA_OAUTH_PWD

oaapassword

The password to be used for OAA OAuth domain.

OAA_API_PWD

oaapassword

The password to be used for OAA API interactions.

OAA_POLICY_PWD

oaapassword

The password to be used for OAA policy interactions.

OAA_FACT_PWD

oaapassword

The password to be used for OAA keystores for factor interactions.

OAA_ADD_USERS_LDAP

true

Adds all existing LDAP users to the OAA_USER_GROUP LDAP group, allowing existing users to log in via OAA.

OAA_ADD_USERS_OUA_OBJ

true

Adds the OUA Object class to all existing users in LDAP thereby allowing all existing users to log in via Oracle Universal Authentication.

OAA File System Vault Parameters

Table C-21 Parameters Used for File System Vault

Parameter Sample Value Comments

OAA_VAULT_SHARE

$IAM_PVS/oaavaultpv

The mount point on the NFS server where the OAA file vault persistent volume is exported.

OAA_LOCAL_VAULT_SHARE

/nfs_volumes/oaavaultpv

The local directory where OAA_VAULT_SHARE is mounted. It is used by the deletion procedure.

OAA_VAULT_PWD

oaapassword

The password to use for the file-based vault.

OAA OCI Vault Parameters

Table C-22 Parameters Used for OAA OCI Vault

Parameter Sample Value Comments

OAA_OCI_OPER

-

To obtain this value, encode the value of the API key that you downloaded at the time of creating the vault. See Creating a Vault.

OAA_OCI_TENANT

-

To obtain this value, log in to the OCI console, navigate to Profile and click Tenancy. Use the OCID value.

OAA_OCI_USER

-

To obtain this value, log in to the OCI console, navigate to Profile and click Username. Use the OCID value.

OAA_OCI_FP

-

To obtain this value, log in to the OCI console, navigate to Profiles, select User Settings, and then click API Keys. Use the value of the fingerprint for the API Key you created earlier. See Creating a Vault.

OAA_OCI_COMPARTMENT

-

To obtain this value, log in to the OCI console, navigate to Identity and Security and click Compartments. Select the compartment in which you created the vault and use the OCID value.

OAA_OCI_VAULT_ID

-

To obtain this value, log in to the OCI console, navigate to Identity and Security and select Vault. Click the vault you created earlier. See Creating a Vault. Use the OCID value.

OAA_OCI_KEY

-

To obtain this value, log in to the OCI console, navigate to Identity and Security, select Vault, and then click the vault you created earlier. See Creating a Vault. Click the key you created earlier. For example, vaultkey. Use the OCID value.

Ingress Parameters

Table C-23 Parameters Used for the Deployment of Ingress

Parameter Sample Value Comments

OAA_ADMIN_HOST

iadadmin.example.com

The virtual host used for administration operations. Unless you are using OAA in the standalone mode, set this value to the OAM admin virtual host.

OAA_RUNTIME_HOST

login.example.com

The virtual host used for OAA runtime operations. Unless you are using OAA in the standalone mode, set this value to the OAM virtual host.

Email Server Parameters

Table C-24 Parameters Used for the Email Server

Parameter Sample Value Comments

OAA_EMAIL_SERVER

http://governancedomain-cluster-soa-cluster.oigns.svc.cluster.local:8001/ucs/messaging/webservice

The entry point of the Oracle Unified Messaging server. If the OIG domain is internal to the Kubernetes cluster, you can use the internal Kubernetes service name. For example: http://<OIG_DOMAIN_NAME>-cluster-soa-cluster.<OIGNS>.svc.cluster.local:8001/ucs/messaging/webservice.

If your UMS server is external to the Kubernetes cluster, you can use the URL you configured to access it. For example: http://igdinternal.example.com/ucs/messaging/webservice.

OAA_EMAIL_USER

weblogic

The user name you use to connect to the UMS server.

OAA_EMAIL_PWD

umspassword

The password you use to connect to the UMS server.

OAA_SMS_SERVER

http://$OIG_DOMAIN_NAME-cluster-soa-cluster.$OIGNS.svc.cluster.local:8001/ucs/messaging/webservice

The entry point of the Oracle Unified Messaging server you use to send SMS messages. This is usually the same as OAA_EMAIL_SERVER.

OAA_SMS_USER

weblogic

The user name you use to connect to the UMS server.

OAA_SMS_PWD

umspassword

The password you use to connect to the UMS server.

Test User Parameters

Table C-25 Parameters Used for Creating a Test User

Parameter Sample Value Comments

OAA_CREATE_TESTUSER

true

Set this value to true if you want the scripts to create a test user for OAA.

OAA_USER

oaauser

The name you want to assign to the test user.

OAA_USER_PWD

testpassword

The password you want to assign to the test user.

OAA_USER_EMAIL

test_user@example.com

The email address of the test user you are creating.

OAA_USER_POSTCODE

-

The post code/zip code of the test user you are creating.

HA Parameters

Table C-26 Parameters Used for High Availability

Parameter Sample Value Comments

OAA_REPLICAS

2

The number of OAA service pods to be created. For HA, the minimum number is two.

OAA_ADMIN_REPLICAS

2

The number of OAA administration pods to be created. For HA, the minimum number is two.

OAA_POLICY_REPLICAS

2

The number of OAA policy pods to be created. For HA, the minimum number is two.

OAA_SPUI_REPLICAS

2

The number of OAA SPUI service pods to be created. For HA, the minimum number is two.

OAA_TOTP_REPLICAS

2

The number of OAA TOTP service pods to be created. For HA, the minimum number is two.

OAA_YOTP_REPLICAS

2

The number of OAA YOTP service pods to be created. For HA, the minimum number is two.

OAA_FIDO_REPLICAS

2

The number of OAA FIDO service pods to be created. For HA, the minimum number is two.

OAA_EMAIL_REPLICAS

2

The number of OAA EMAIL service pods to be created. For HA, the minimum number is two.

OAA_SMS_REPLICAS

2

The number of OAA SMS service pods to be created. For HA, the minimum number is two.

OAA_PUSH_REPLICAS

2

The number of OAA PUSH service pods to be created. For HA, the minimum number is two.

OAA_RISK_REPLICAS

2

The number of OAA RISK service pods to be created. For HA, the minimum number is two.

OAA_RISKCC_REPLICAS

2

The number of OAA RISK CC service pods to be created. For HA, the minimum number is two.

OAA_DRSS_REPLICAS

2

The number of OUA service pods to be created. For HA, the minimum number is two.

Resource Parameters

Table C-27 Resource Parameters

Parameter Sample Value Comments

OAA_OAA_CPU

200m

Initial CPU units allocated to OAA pod where 1000m is equal to 1 CPU core.

OAA_OAA_MEMORY

1Gi

Initial Memory allocated to OAA pod.

OAA_ADMIN_CPU

200m

Initial CPU units allocated to ADMIN pod where 1000m is equal to 1 CPU core.

OAA_ADMIN_MEMORY

1Gi

Initial memory allocated to ADMIN pod.

OAA_POLICY_CPU

200m

Initial CPU units allocated to POLICY pod where 1000m is equal to 1 CPU core.

OAA_POLICY_MEMORY

1Gi

Initial memory allocated to POLICY pod.

OAA_SPUI_CPU

200m

Initial CPU units allocated to a SPUI pod where 1000m is equal to 1 CPU core.

OAA_SPUI_MEMORY

1Gi

Initial memory allocated to SPUI pod.

OAA_TOTP_CPU

200m

Initial CPU units allocated to TOTP pod where 1000m is equal to 1 CPU core.

OAA_TOTP_MEMORY

1Gi

Initial memory allocated to TOTP pod.

OAA_YOTP_CPU

200m

Initial CPU units allocated to YOTP pod where 1000m is equal to 1 CPU core.

OAA_YOTP_MEMORY

1Gi

Initial memory allocated to YOTP pod.

OAA_FIDO_CPU

200m

Initial CPU units allocated to FIDO pod where 1000m is equal to 1 CPU core.

OAA_FIDO_MEMORY

1Gi

Initial memory allocated to FIDO pod.

OAA_EMAIL_CPU

200m

Initial CPU units allocated to EMAIL pod where 1000m is equal to 1 CPU core.

OAA_EMAIL_MEMORY

1Gi

Initial memory allocated to EMAIL pod.

OAA_PUSH_CPU

200m

Initial CPU units allocated to PUSH pod where 1000m is equal to 1 CPU core.

OAA_PUSH_MEMORY

1Gi

Initial memory allocated to PUSH pod.

OAA_SMS_CPU

200m

Initial CPU units allocated to SMS pod where 1000m is equal to 1 CPU core.

OAA_SMS_MEMORY

1Gi

Initial memory allocated to SMS pod.

OAA_KBA_CPU

200m

Initial CPU units allocated to KBA pod where 1000m is equal to 1 CPU core.

OAA_KBA_MEMORY

1Gi

Initial memory allocated to KBA pod.

OAA_RISK_CPU

200m

Initial CPU units allocated to RISK pod where 1000m is equal to 1 CPU core.

OAA_RISK_MEMORY

1Gi

Initial memory allocated to RISK pod.

OAA_RISKCC_CPU

200m

Initial CPU units allocated to RISKCC pod where 1000m is equal to 1 CPU core.

OAA_RISKCC_MEMORY

1Gi

Initial memory allocated to RISKCC pod.

OAA_DRSS_CPU

200m

Initial CPU units allocated to DRSS pod where 1000m is equal to 1 CPU core.

OAA_DRSS_MEMORY

1Gi

Initial memory allocated to DRSS pod.

Port Mappings

In some cases, you can specify your own ports. The scripts allow you to override the default values by setting these parameters. The external ports are Kubernetes NodePorts: each must lie within the Kubernetes service port range (30000-32767 by default) and must not be used by any other service in the cluster.

Table C-28 Parameters that Determine the Ports Used in the Deployment

Parameter Sample Value Comments

ELK_KIBANA_K8

31800

The port to use for the Kibana requests.

Note: This value must be within the Kubernetes service port range.

ELK_K8

31920

The port to use for the Elasticsearch requests.

Note: This value must be within the Kubernetes service port range.

PROM_GRAF_K8

30900

The port to use for Grafana requests.

Note: This value must be within the Kubernetes service port range.

PROM_K8

30901

The port to use for Prometheus requests.

Note: This value must be within the Kubernetes service port range.

PROM_ALERT_K8

30902

The port to use for Alert Manager requests.

Note: This value must be within the Kubernetes service port range.

OUD_LDAP_K8

31389

The port to use for OUD LDAP requests.

Note: This value must be within the Kubernetes service port range.

OUD_LDAPS_K8

31636

The port to use for OUD LDAPS requests.

Note: This value must be within the Kubernetes service port range.

OUDSM_SERVICE_PORT

30901

The port to use for OUDSM requests.

Note: This value must be within the Kubernetes service port range.

OAM_ADMIN_PORT

7001

The internal WebLogic administration port to use for the OAM domain. This port is available only in the Kubernetes cluster.

OAM_ADMIN_K8

30701

The external port to use for the OAM Administration Server requests.

Note: This value must be within the Kubernetes service port range.

OAM_OAM_K8

30410

The external port to use for the OAM Managed Server requests.

Note: This value must be within the Kubernetes service port range.

OAM_POLICY_K8

30510

The external port to use for the OAM Policy server requests.

Note: This value must be within the Kubernetes service port range.

OAM_OAP_SERVICE_PORT

30540

The external port to use for the OAP server requests. This port is for legacy WebGates and is optional.

Note: This value must be within the Kubernetes service port range.

OIG_SOA_PORT_K8

30801

The external port to use for the SOA Managed Server requests.

Note: This value must be in the Kubernetes service port range.

OAM_OAP_PORT

5575

The internal Kubernetes port used for OAP (Oracle Access Protocol) requests from WebGates.

OIG_ADMIN_PORT

7101

The internal port used for the OIG WebLogic Administration Server.

OIG_ADMIN_K8

30711

The external port to use for the OIG Administration Server requests.

Note: This value must be in the Kubernetes service port range.

OIG_OIM_PORT_K8

30140

The external port to use for the OIM Managed Server requests.

Note: This value must be within the Kubernetes service port range.

OIG_OIM_T3_PORT_K8

30142

The external port to use for the OIM Managed Server T3 requests.

Note: This value must be in the Kubernetes service port range.

OHS_PORT

7777

The Oracle HTTP Server listen port.
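The scripts' own prereqchecks.sh is the authoritative check of the environment. What follows is an added example, not part of the Oracle scripts, of a quick lint you can run over a response file before provisioning: it flags external ports outside the NodePort range or shared between two parameters, Java heap settings the JVM would reject (such as a mistyped -XMx), and replica or initial-server counts below the two needed for high availability. It assumes the Kubernetes default NodePort range of 30000-32767 (check --service-node-port-range on your API server if you changed it) and the KEY=VALUE layout of idm.rsp; the response-file fragment it writes is constructed for the example and is not a real deployment.

```shell
#!/bin/sh
# Added example: pre-flight lint for an idm.rsp-style response file.
# Not part of the Oracle deployment scripts. The NodePort range is the
# Kubernetes default and is an assumption about your cluster.

NODEPORT_MIN=30000
NODEPORT_MAX=32767

# Write a constructed sample response-file fragment (not a real deployment)
# that contains one of each mistake the checks below are meant to catch.
write_sample_rsp() {
  cat > "$1" <<'EOF'
# constructed idm.rsp fragment for the example
OAM_ADMIN_K8=30701
OAM_OAM_K8=30410
PROM_K8=30901
OUDSM_SERVICE_PORT=30901
OIG_OIM_PORT_K8=30140
OIG_OIM_T3_PORT_K8=29999
OIG_SERVER_INITIAL=2
OAA_REPLICAS=1
OAMSERVER_JAVA_PARAMS="-Xms2048m -Xmx8192m"
SOASERVER_JAVA_PARAMS="-Xms4096 -XMx8192m"
EOF
}

# External (NodePort) parameters end in _K8 or _SERVICE_PORT. Report any
# value outside the NodePort range and any port shared by two parameters;
# internal ports such as OAM_ADMIN_PORT or OHS_PORT are deliberately skipped.
nodeport_problems() {
  grep -E '^[A-Z0-9_]+(_K8|_SERVICE_PORT)=[0-9]+$' "$1" |
  awk -F= -v lo="$NODEPORT_MIN" -v hi="$NODEPORT_MAX" '
    $2 < lo || $2 > hi { printf "%s=%s outside NodePort range %d-%d\n", $1, $2, lo, hi }
    { seen[$2] = ($2 in seen) ? seen[$2] "," $1 : $1; cnt[$2]++ }
    END { for (p in cnt) if (cnt[p] > 1) printf "port %s used by %s\n", p, seen[p] }'
}

# JVM options are case-sensitive and need a unit; anything other than
# "-Xms<n><unit> -Xmx<n><unit>" is rejected at Managed Server start-up.
javaparam_problems() {
  grep -E '^[A-Z0-9_]+_JAVA_PARAMS=' "$1" | while IFS='=' read -r key val; do
    val=${val#\"}; val=${val%\"}            # strip the surrounding quotes
    if ! printf '%s\n' "$val" | grep -qE '^-Xms[0-9]+[mgMG] -Xmx[0-9]+[mgMG]$'; then
      echo "$key has malformed heap settings: $val"
    fi
  done
}

# Every *_REPLICAS and *_SERVER_INITIAL value must be an integer of at
# least 2, otherwise that component has no high availability.
ha_problems() {
  grep -E '^[A-Z0-9_]+(_REPLICAS|_SERVER_INITIAL)=' "$1" |
  awk -F= '$2 !~ /^[0-9]+$/ || $2 < 2 {
    printf "%s=%s gives no high availability (need at least 2)\n", $1, $2 }'
}

# Run all checks; print the findings and return 1 if there are any.
check_response_file() {
  out=$( { nodeport_problems "$1"; javaparam_problems "$1"; ha_problems "$1"; } )
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Stand-alone run over the constructed sample.
sample=${TMPDIR:-/tmp}/sample_idm.rsp
write_sample_rsp "$sample"
check_response_file "$sample" || echo "fix the response file before running provision.sh"
```

Point check_response_file at your real idm.rsp; an empty result and a zero exit status mean none of the three classes of mistake is present. The port check only reasons about the response file itself, so a NodePort already taken by an unrelated service in the cluster still has to be found with kubectl get svc --all-namespaces.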

Components of the Deployment Scripts

For reference purposes, this section includes the name and function of all the objects that make up the deployment scripts.

Table C-29 Components of the Deployment Scripts

Name Location Function

idm.rsp

responsefile

The file that contains the details of the target environment. Must be updated for each deployment.

start_here.sh

The file that populates the response file.

prereqchecks.sh

The file that checks the environment prior to provisioning.

provision.sh

The file that provisions everything.

provision_ingress.sh

The file that installs/configures the Ingress controller.

provision_elk.sh

The file that installs/configures Elastic Search and Kibana.

provision_prom.sh

The file that installs/configures Prometheus and Grafana.

provision_oud.sh

The file that installs/configures OUD.

provision_oudsm.sh

The file that installs/configures OUDSM.

provision_oam.sh

The file that installs/configures OAM.

provision_oig.sh

The file that installs/configures OIG.

provision_oiri.sh

The file that installs/configures OIRI.

provision_oaa.sh

The file that installs/configures OAA.

ingress_functions.sh

common

The common functions/procedures used by the Ingress provisioning scripts.

functions.sh

common

The common functions/procedures used by all the provisioning scripts.

prom_functions.sh

common

The common functions/procedures used by the Prometheus provisioning scripts.

oud_functions.sh

common

The common functions/procedures used by the OUD and OUDSM provisioning scripts.

oam_functions.sh

common

The common functions/procedures used by the OAM provisioning scripts.

oig_functions.sh

common

The common functions/procedures used by the OIG provisioning scripts.

oiri_functions.sh

common

The common functions/procedures used by the OIRI provisioning scripts.

oaa_functions.sh

common

The common functions/procedures used by the OAA provisioning scripts.

elk_cluster.yaml

templates/elk

The template file used to create an ELK cluster.

kibana.yaml

templates/elk

The template file used to create a Kibana deployment.

elk_nodeport.yaml

templates/elk

The template file used to create an ELK NodePort Service.

kibana_nodeport.yaml

templates/elk

The template file used to create a Kibana NodePort Service.

override_prom.yaml

templates/prometheus

The template file used to create a Prometheus deployment.

alert_nodeport.yaml

templates/prometheus

The template file used to create the Alert Manager NodePort Service.

grafana_nodeport.yaml

templates/prometheus

The template file used to create the Grafana NodePort Service.

prometheus_nodeport.yaml

templates/prometheus

The template file used to create the Prometheus NodePort Service.

base.ldif

templates/oud

The template file used to seed OUD with users and groups.

99-user.ldif

templates/oud

The template file used to seed OUD schema changes.

oud_nodeport.yaml

templates/oud

The template used to create the OUD NodePort Services for Kubernetes.

override_oud.yaml

templates/oud

The OUD Helm override template file.

oudsm_nodeport.yaml

templates/oudsm

The template used to create the OUDSM NodePort Services for Kubernetes.

override_oudsm.yaml

templates/oudsm

The OUDSM Helm override template file.

add_admin_roles.py

templates/oam

The template used to add LDAP groups to the WebLogic administration role.

configoam.props

templates/oam

The template property file used to run idmConfigTool - configOAM.

runidmConfigTool.sh

templates/oam

The template file used to run idmConfigTool in container.

fix_gridlink.sh

templates/oam

The template file used to enable gridlink on data sources.

oamconfig_modify_template.xml

templates/oam

The template file used to perform the initial OAM setup.

oam_nodeport.yaml

templates/oam

The template file used to create the OAM Managed Server NodePort Service.

oap_clusterip.yaml

templates/oam

The template file used to create the OAM OAP internal Managed Server ClusterIP Service.

oap_nodeport.yaml

templates/oam

The template file used to create the OAM OAP external Managed Server NodePort Service.

policy_nodeport.yaml

templates/oam

The template file used to create the Policy Manager Managed Server NodePort Service.

resource_list.txt

templates/oam

The list of resources to add to the OAM IAMSuite Resource list.

set_weblogic_plugin.py

templates/oam

The template file used to enable WebLogic plug-in in the domain.

create_wg.sh

templates/oam

The template file used to manually create the WebGate agent.

Webgate_IDM.xml

templates/oam

The template property file used to manually create the WebGate agent.

config_adf_security.py

templates/oam

The template file used to create the SSO partner application.

oamDomain.sedfile

templates/oam

The template Sedfile used to edit domain.yaml.

oamSetUserOverrides.sh

templates/oam

The setUserOverrides.sh template file.

remove_coherence.py

templates/oam

The template file used to remove OAM from the default coherence cluster.

update_oamds.py

templates/oam

The template file used to update the OAMDS data source.

login_vh.conf

templates/oam

The template file used to create the sample OHS Config.

iadadmin_vh.conf

templates/oam

The template file used to create the sample OHS Config.

create_admin_roles.py

templates/oig

The template file used to assign LDAP groups to the WebLogic administration role.

create_oud_authenticator.py

templates/oig

The template file used to create the OUD authenticator.

get_passphrase.sh

templates/oig

The template file used to obtain the global passphrase from OAM.

get_passphrase.py

templates/oig

The template file used to obtain the OAM global passphrase.

oam_integration.sh

templates/oig

The template file used to run OIGOAMIntegration.sh - configureSSOIntegration.

oigSetUserOverrides.sh

templates/oig

The setUserOverrides.sh template file.

soa_nodeport.yaml

templates/oig

The template file used to create the SOA external Managed Server NodePort Service.

oim_nodeport.yaml

templates/oig

The template file used to create the OIM external Managed Server NodePort Service.

add_object_classes.sh

templates/oig

The template file used to run OIGOAMIntegration.sh -addMissingObjectClasses.

createWLSAuthenticators.sh

templates/oig

The template file used to run OIGOAMIntegration.sh -configureWLSAuthnProviders.

oam_notifications.sh

templates/oig

The template file used to run OIGOAMIntegration.sh -enableOAMSessionDeletion.

config_connector.sh

templates/oig

The template file used to run OIGOAMIntegration.sh -configureLDAPConnector.

create_oim_auth.sh

templates/oig

The template file used to run OIGOAMIntegration.sh -configureWLSAuthnProviders.

runJob.sh

templates/oig

The template shell script used to run the reconciliation jobs.

runJob.java

templates/oig

The Java program used to run the reconciliation jobs.

lib

templates/oig

The OIM libraries required by runJob.java.

update_soa.py

templates/oig

The template script used to update SOA URLs.

oamoig.sedfile

templates/oig

The Sedfile used to create the OIGOAMIntegration property files.

autn.sedfile

templates/oig

The supplementary Sedfile used to create the OIGOAMIntegration property files.

create_oigoam_files.sh

templates/oig

The template script used to generate the OIGOAMIntegration property files.

fix_gridlink.sh

templates/oig

The template script used to enable gridlink on data sources.

update_match_attr.sh

templates/oig

The template script used to update the Match attribute.

oigDomain.sedfile

templates/oig

The template script used to update the domain_soa_oim.yaml file.

update_mds.py

templates/oig

The template file used to update the MDS data source.

set_weblogic_plugin.py

templates/oig

The template file used to set the WebLogic plug-in.

update_bi.py

templates/oig

The template file used to enable BI integration.

igdinternal_vh.conf

templates/oig

The template file used to create the sample OHS Config.

igdadmin_vh.conf

templates/oig

The template file used to create the sample OHS Config.

prov_vh.conf

templates/oig

The template file used to create the sample OHS Config.

createAdminUser.java

templates/oiri

The template file used to create the OIRI user names in OIG.

createAdminUser.sh

templates/oiri

The template file used to create, compile, and run createAdminUser.java.

setCompliance.java

templates/oiri

The template file used to place OIG into the Compliance Mode.

setCompliance.sh

templates/oiri

The template file used to create, compile, and run setCompliance.java.

oiri-cli.yaml

templates/oiri

The template file used to start the OIRI CLI.

ding-cli.yaml

templates/oiri

The template file used to start the OIRI DING CLI.

oiri_nodeport.yaml

templates/oiri

The template file used to create the OIRI NodePort Service.

oiriui_nodeport.yaml

templates/oiri

The template file used to create the OIRI UI NodePort Service.

ohs1.conf

templates/oiri

The template file used to create the sample OHS Config.

ohs2.conf

templates/oiri

The template file used to create the sample OHS Configuration.

create_auth_module.xml

templates/oaa

The template file used to create the OAM authentication module.

create_auth_policy.json

templates/oaa

The template file used to create the OAM authentication policy.

create_auth_scheme.xml

templates/oaa

The template file used to create the OAM authentication scheme.

create_ohs_wallet.sh

templates/oaa

The template file used to create an Oracle HTTP server wallet.

create_schemas.sh

templates/oaa

The template file used to create the OAA schemas.

delete_schemas

templates/oaa

The template file used to delete OAA schemas.

create_tap_partner.py

templates/oaa

The template file used to create the OAM TAP partner.

enable_oauth.xml

templates/oaa

The template file used to enable OAM OAuth.

helmconfig

templates/oaa

The template file for helm.

oaa-mgmt-oci.yaml

templates/oaa

The template file used to create the OAA management pod when using the OCI vault.

oaa-mgmt-vfsi.yaml

templates/oaa

The template file used to create the OAA management pod when using the file system vault.

oaaoverride.yaml

templates/oaa

The template file used for helm to set pod counts.

ohs_admin.conf

templates/oaa

The template file used for OAA administration OHS entries.

ohs_login.conf

templates/oaa

The template file used for OAA runtime OHS entries.

ohs_header.conf

templates/oaa

The template file used for OAM OAuth header entries for OHS.

oud_add_existing_users.sh

templates/oaa

The template file used to add existing user names to the OAA LDAP group.

oud_add_users.sh

templates/oaa

The template file used to create OAA users and groups.

users.ldif

templates/oaa

The template file used to create the OAA users and groups in LDAP.

oud_test_user.sh

templates/oaa

The template file used to create the OAA test user.

test_user.ldif

templates/oaa

The template file used to create the OAA test user in LDAP.

delete_all.sh

utils

The file used to delete all the deployments.

delete_elk.sh

utils

The file used to delete the Elastic Search deployment.

delete_prom.sh

utils

The file used to delete the Prometheus deployment.

delete_image.sh

utils

The file used to delete a container image from the Kubernetes worker hosts.

delete_oam.sh

utils

The file used to delete the OAM deployment.

delete_oig.sh

utils

The file used to delete the OIG deployment.

delete_operator.sh

utils

The file used to delete the WLS Kubernetes Operator deployment.

delete_oud.sh

utils

The file used to delete the OUD deployment.

delete_oudsm.sh

utils

The file used to delete the OUDSM deployment.

delete_oiri.sh

utils

The file used to delete the OIRI deployment.

delete_oaa.sh

utils

The file used to delete the OAA deployment.

delete_ingress.sh

utils

The file used to delete the Ingress controller.

load_images.sh

utils

The file used to load the container image onto each Kubernetes worker host.