Configuring Oracle Access Manager Using WDT

18 Configuring Oracle Access Manager Using WDT

Install and configure an initial domain, which can be used as the starting point for an enterprise deployment. Later, configure the domain.

A complete Oracle Identity and Access Management uses a split domain deployment, where there is a single domain for Oracle Access Management and a different domain for Oracle Identity Governance.

In version 4.1.2 of the WebLogic Kubernetes Operator, two different methods to create Oracle WebLogic domains are available. The traditional WLST method uses WLST scripts to create the domain which is the method employed in the Enterprise Deployment Guide for several releases.

Starting with this release, the Enterprise Deployment Guide will use the Weblogic Deployment Tools (WDT) to create the domains. The WDT uses templates to create domains which simplifies the installation procedure. For more information about WebLogic deployment tools, see WebLogic Deploy Tooling

This chapter includes the following topics:

About the Initial Infrastructure Domain
Before you create the initial Infrastructure domain, ensure that you review the key concepts.
Installing Oracle Access Manager (OAM) on the Kubernetes Infrastructure
Before creating the OAM Kubernetes infrastructure, you should have downloaded the Oracle Access Manager Image and installed the Oracle WebLogic Operator.
Creating a Namespace for Oracle Access Manager
Create a namespace to contain all the Oracle Access Manager Kubernetes objects.
Creating a Container Registry Secret
If you are using a container registry and want to pull the Oracle container images on demand, you must create a secret which contains the login details of the container registry.
Creating a Kubernetes Secret for Docker Hub Images
This secret allows Kubernetes to pull an image from hub.docker.com which contains third-party images such as helm, kubectl, and logstash commands.
Creating the Database Schemas for Access Manager
Oracle Fusion Middleware components require schemas in a database, these schemas are created by the WebLogic Deployment Tools at the time of deployment.
Creating the Oracle Access Manager Domain
To configure the Oracle Access Manager domain, you should configure the WebLogic Operator for the domain namespace, create the Kubernetes secrets, and then create the Access domain.
Updating the Domain
When you first create the domain, some information may be missing. You can add this information using a simple curl script.
Performing the Post-Configuration Tasks for Oracle Access Management Domain
The post-configuration tasks for the OAM domain include creating the server overrides file and updating the data sources.
Restarting the Domain
Restart the domain for the changes to take effect.
Validating the Administration Server
Before you perform the configuration steps, validate that the Administration Server has started successfully by ensuring that you have access to the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control, both installed and configured on the Administration Server.
Removing OAM Server from WebLogic Server 12c Default Coherence Cluster
Exclude all Oracle Access Management (OAM) clusters (including Policy Manager and OAM runtime server) from the default WebLogic Server 12c coherence cluster by using the WebLogic Server Administration Console.
Tuning the WebLogic Server
Tune the WebLogic Server for optimum performance by adding the Minimum Thread Constraint and removing the Max Thread and Capacity constraints.
Enabling Virtualization
You can use the Fusion Middleware Control to enable virtualization.
Restarting the Domain
Restart the domain for the changes to take effect.
Configuring and Integrating with LDAP
Configuration and integration of OAM with LDAP requires you to first set a global passphrase. You then configure OAM to use the LDAP directory. In addition, create the Webgate_IDM agent if not present and finally assign administration rights to the LDAP users to access the MBeans stored in the Administration Server.
Updating WebGate Agents
When you run idmConfigTool, it changes the default OAM security model and creates a new WebGate SSO agent. However, it does not change the existing WebGate SSO agents to the new security model. After you run idmConfigTool, you must update any WebGate agents that previously existed.
Updating Host Identifiers
When you access the domain, you enter using different load balancer entry points. You must add each of these entry points (virtual hosts) to the policy list. Adding these entry points ensures that if you request access to a resource using login.example.com or prov.example.com, you have access to the same set of policy rules.
Adding the Missing Policies to OAM
If any policies are missing, you have to add to ensure that Oracle Access Manager functions correctly.
Validating the Authentication Providers
Set the order of identity assertion and authentication providers in the WebLogic Server Administration Console.
Configuring Oracle ADF and OPSS Security with Oracle Access Manager
Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign-on (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.
Enabling Forgotten Password
This section describes how to set up the One Time Pin forgotten password functionality which is provided with Oracle Access Manager
Restarting the Access Domain
Restart the Access domain in Kubernetes for the changes to take effect.
Setting the Initial Server Count
When you first created the domain, you specified that only one Managed Server should be started. After you complete the configuration, you can increase the initial server count to the actual number you require.
Centralized Monitoring Using Grafana and Prometheus
If you are using a centralized Prometheus and Grafana deployment to monitor your infrastructure, you can send Oracle Access Management data to this application.
Centralized Log File Monitoring Using Elasticsearch and Kibana
If you are using Elasticsearch and Kibana, you can configure a Logstash pod to send the log files to the centralized Elasticsearch/Kibana console. Before you configure the Logstash pod, ensure that you have access to a centralized Elasticsearch deployment.
Backing Up the Configuration
As a best practice, Oracle recommends you to back up the configuration after you have successfully extended a domain or at another logical point. Back up only after you have verified that the installation is successful so far. This is a quick backup to enable immediate restoration in case of problems in later steps.

Parent topic: Configuring the Enterprise Deployment

About the Initial Infrastructure Domain

Before you create the initial Infrastructure domain, ensure that you review the key concepts.

Parent topic: Configuring Oracle Access Manager Using WDT

About the Software Distribution

You create the initial infrastructure domain for an enterprise deployment by using the Oracle Weblogic Operator. The Oracle Access Manager software is distrubted as a pre-built container image. See Identifying and Obtaining Software Distributions for an Enterprise Deployment. This distribution contains all of the necessary components to install and configure Oracle Access Manager.

See Understanding Oracle Fusion Middleware Infrastructure in Understanding Oracle Fusion Middleware.

Parent topic: About the Initial Infrastructure Domain

Characteristics of the Domain

The following table lists some of the key characteristics of the domain that you are about to create. Reviewing these characteristics helps you to understand the purpose and context of the procedures that are used to configure the domain.

Many of these characteristics are described in more detail in Understanding a Typical Enterprise Deployment.

Characteristic of the Domain	More Information
Each WebLogic Server is placed into a pod in the Kubernetes cluster.	See About the Kubernetes Deployment.
Places each Kubernetes domain object in a dedicated Kubernetes namespace.	See About the Kubernetes Deployment.
Uses Kubernetes services to interact with the WebLogic Managed Servers.	See Creating the Kubernetes Services.
Uses Kubernetes persistent volumes to hold the domain configuration.	See unresolvable-reference.html#GUID-373A3448-D7BA-41F6-BFDB-4D7DDB2B03F1.
Each Kubernetes pod is built from a pre-built Oracle container image.	See Identifying and Obtaining Software Distributions for an Enterprise Deployment.
Uses a per domain Node Manager configuration.	See About the Node Manager Configuration in a Typical Enterprise Deployment.
Requires a separately installed LDAP-based authentication provider.	See Installing and Configuring Oracle Unified Directory.
Certificates are stored in Oracle Keystore Service.	See Configuring Oracle OPSS Keystore Service.

Parent topic: About the Initial Infrastructure Domain

Variables Used in this Chapter

The later sections of this chapter provide instructions to create a number of files. These sample files contain variables which you need to substitute with values applicable to your deployment.

Variables are formatted as <VARIABLE_NAME>. The following table provides the values you should set for each of these variables.

Table 18-1 The Variables to be Changed

Variable	Sample Value(s)	Description
<REGISTRY_ADDRESS>	`iad.ocir.io/<mytenancy>`	The location of the container registry.
<REGISTRY_SECRET_NAME>	`regcred`	The name of the Kubernetes secret containing the container registry credentials. Required only if you are pulling images directly from a container registry. See Creating a Container Registry Secret.
<REG_USER>	`mytenancy/oracleidentitycloudservice/myemail@email.com`	The name of the user you use to log in to the container registry.
<REG_PWD>	<password>	The container registry user password.
<OAM_REPOSITORY>	`oracle/oam` `local/oracle/oam` `container-registry.oracle.com/middleware/oam_cpu` `<REGISTRY_ADDRESS>/oracle/oam`	The name of the OAM software repository. If you have downloaded and staged a container image, this value will be: `oracle/oam`. If you use OLCNE, the value will be `local/oracle/oam`. If you are using the Oracle container registry, the value will be: `container-registry.oracle.com/middleware/oam_cpu`. If you are using a container registry, the value will be the name of the registry with the product name: `<REGISTRY_ADDRESS>/oracle/oam`.
<OAM_VER>	`12.2.1.4-jdk8-ol7-220418.0839` `latest`	The version of the image you want to use. The value will be the version you have downloaded and staged either locally or in the container registry.
<PVSERVER>	`nfsserver.example.com`	The name or IP address of the NFS server. Note: This name should be resolvable inside the Kubernetes cluster.
<OAMNS>	`oamns`	The domain namespace to be used to store OAM objects.
<WORKDIR>	`workdir/OAM`	The location where you want to create the working directory for OAM.
<K8_WORKDIR>	`/u01/oracle/user_projects/workdir`	Working directory inside the Kubernetes container.
<OAM_SHARE>	`/exports/IAMPVS/oampv`	The NFS export for the persistence store.
<OAM_DB_SCAN>	`dbscan.example.com`	The SCAN address of the database cluster.
<OAM_DB_LISTENER>	`1521`	The database listener port number.
<OAM_DB_SERVICE>	`iadedg.example.com`	The name of the database service to use.
<OAM_DB_SYS_PWD>	`MySysPWD__001`	The SYS password for the database.
<OAM_RCU_PREFIX>	`IADEDG`	The prefix used when the database schemas are created.
<OAM_COOKIE_DOMAIN>	`.example.com`	The domain you want to associate the OAM cookie with this is normally the same as the <LDAP_SEARCHBASE> in the domain format.
<OAM_OIG_INTEG>	`false`	If you are intending Oracle Identity Governance to handle forgotten password functionality, set this parameter to `true`. If you are using the new OAM forgotten password functionality, set the value to `false`.
<OAM_SCHEMA_PWD>	`MySchemaPWD__001`	The password you want to set for the product schemas being created.
<OAM_DOMAIN_NAME>	`accessdomain`	The name of the Kubernetes domain to be created.
<OAM_DOMAIN_SECRET>	`accessdomain-weblogic-credentials`	The name of the secret you want to create, for the namespace that is used. The name of the secret must be `<OAM_DOMAIN_NAME>-weblogic-credentials`.
<OAM_ADMIN_LBR_HOST>	`iadadmin.example.com`	The virtual host of the OAM administration functions.
<OAM_RCU_SECRET>	`accessdomain-rcu-credentials`	The name of the RCU secret. The name of the secret must be `<OAM_DOMAIN_NAME>-rcu-credentials`. See Creating the RCU Secret.
<OAM_LOGIN_LBR_HOST>	`login.example.com`	The name of your login load balancer virtual name.
<OAM_LOGIN_LBR_PROTOCOL>	`https`	The type of access protocol used for the login load balancer. In an SSL terminated environment, this value will be `https`.
<OAM_LOGIN_LBR_PORT>	`443`	The port of the login load balancer virtual name.
<OAM_OAP_HOST>	`oap.example.com` `accessdomain-oap.oamns.svc.cluster.local`.	An externally resolvable host name for legacy WebGate communications. This host can be either a Kubernetes worker node or a load balancer entry point that points to multiple Kubernetes worker nodes. If you are only interacting inside the Kubernetes cluster, the host name will be `<OAM_DOMAIN_NAME>-oap.<OAMNS>.svc.cluster.local`.
<OAP_MODE>	`open` or `cert`	The OAP security mode you want to use if you are using the native OAP calls from WebGate. Oracle recommends that you conduct interactions with OAM using OAP over REST, in which case the transport mode is not used. In these scenarios, set the <OAP_MODE> to `Open` so that you can remove the need to manage certificates.
<WG_CONNECTIONS>	`20`	The maximum number of connections supported by the WebGate agent.
<OAM_SERVER_COUNT>	`5`	The number of Managed Servers required. Oracle highly recommends you to set this value to a number greater than the anticipated need in the system's lifetime. It creates a number of server definitions in the WebLogic domain and ensures that you have a simple mechanism to scale up the system when the demand increases. This value does not reflect the number of server instances you actually start with; it just enables you to start additional servers if your needs change. Adding additional server definitions post domain creation is a complex task and should be avoided, if possible.
<OAM_INITIAL_SERVERS>	`1`	The number of Managed Servers to start. Oracle recommends you to set this value to `1` for the the duration of the configuration.
<OAM_MAX_CPU>	`1`	The maximum number of CPUs each `OAM_SERVER` pod is allowed to consume. CPU is measured in CPU cores. The value of 1 is equal to 1 CPU core or 1 virtual core.
<OAM_CPU>	`500m`	The initial number of CPUs each `OAM_SERVER` pod is allowed to consume. It is measured in CPU cycles and the value of 1000m is equal to 1 CPU core or 1 virtual core. CPU is measured in CPU cores and the value of 1 is equal to 1 CPU core or 1 virtual core.
<OAM_MAX_MEMORY>	`8Gi`	The maximum amount of memory that the `OAM_SERVER` pods are allowed to consume. Memory is measured in standard units where 1G is equal to 1Gi.
<OAM_MEMORY>	`2Gi`	The initial amount of memory that the `OAM_SERVER` pods are allowed to consume. Memory is measured in standard units where 1G is equal to 1Gi.
<OAMSERVER_JAVA_PARAMS>	`-Xms2048m -Xmx8192m`	The maximum (Xmx) and minimum heap size allocated to each `OAM_SERVER`. The size is represented as a number of Mb. Note: The maximum amount of heap size must be less than the maximum amount allowed to be used by the Pod <OAM_MAX_MEMORY>
<LDAP_HOST>	`edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local` For OUD, this value will be `<OUD_PREFIX>-oud-ds-rs-lbr-ldap.<OUDNS>.svc.cluster.local`.	The name of the host where the LDAP directory is running.
<LDAP_PORT>	`1389` (OUD)	The port used to connect to LDAP. If your directory is stored in a Kubernetes environment, this will be the internal Kubernetes service port. If your directory is outside of Kubernetes, it will be the regular LDAP port.
<LDAP_ADMIN_USER>	`cn=oudadmin`	The user name of the directory administrator.
<LDAP_SEARCHBASE>	`dc=example,dc=com`	The directory tree for your organization. This is where all the data is stored.
<LDAP_GROUP_SEARCHBASE>	`cn=Groups,dc=example,dc=com`	The location in the directory where groups/roles are stored.
<LDAP_USER_SEARCHBASE>	`cn=Users,dc=example,dc=com`	The location in the directory where names of users are stored.
<LDAP_SYSTEMIDS>	`cn=systemids,dc=example,dc=com`	The name of a container where you want to store system ids. The user names placed in this container are not subject to OIM reconciliation or password aging. This container is reserved for users such as <LDAP_OAMLDAP_USER> and <LDAP_OIGLDAP_USER>.
<LDAP_TYPE>	`OUD`	It is the type of directory: OUD or OID.
<LDAP_WLSADMIN_USER>	`weblogic_iam`	The name of the user who administers the WebLogic domain. This name is an LDAP user name used for single sign-on authentication. The <OAM_WEBLOGIC_USER> is the internal WebLogic user name assigned during the domain creation process.
<LDAP_OAMADMIN_USER>	`oamadmin`	The name of the user who administers OAM.
<LDAP_OAMLDAP_USER>	`oamLDAP`	The name of a user that OAM will use to connect to the directory for validating logins.
<LDAP_WLSADMIN_GRP>	`WLSAdministrators`	Users assigned to this role will be able to log in to the WebLogic Administration Console and FMW Control.
<LDAP_OAMADMIN_GRP>	`OAMAdministrators`	Users assigned to this role will be able to log in to the OAM Administration Console and configure OAM.
<OAM_OAP_SERVICE_PORT>	`30540`	The Kubernetes service port for the OAM OAP requests.
<OAM_ADMIN_PORT>	`7001`	The internal port assigned to the OAM Administration Server.
<OAM_OAP_PORT>	`5575`	The internal OAP port number. If you are using the Kubernetes service, this value can be the internal port number.
<OAP_SERVICE_PORT>	`30540`	The Kubernetes service port which fronts the OAM OAP cluster nodes. If you are using the Kubernetes service, this value can be the internal port number.
<OAM_EXT_T3_PORT>	`30012`	The external T3 port.
<OAM_OAM_K8>	`30410`	The Kubernetes service port for the OAM Managed Servers.
<OAM_POLICY_K8>	`30510`	The Kubernetes service port for the OAM Policy Manager Servers.
<OAM_ADMIN_K8>	`30701`	The external OAM WebLogic Kubernetes service port for the external WebLogic Administration Server.
<ELK_HOST>	`https://elasticsearch-es-http.elkns.svc:9200`	The host and port of the centralized Elasticsearch deployment. This host can be inside the Kubernetes cluster or external to it. This host is used only when Elasticsearch is used.
<ELK_VER>	`8.11.0`	The version of Elasticsearch you want to use.

Parent topic: About the Initial Infrastructure Domain

Kubernetes Services

If you are using NodePort Services, the following Kubernetes services are created as part of the deployment:

Table 18-2 Kubernetes NodePort Services

Service Name	Type	Service Port	Mapped Port
`accessdomain-oam-policy-NodePort`	`NodePort`	`30510`	`15000`
`accessdomain-oam-oam-NodePort`	`NodePort`	`30410`	`14100`
`accessdomain-adminserver-external`	`NodePort`	`30701`	`7001`
`accessdomain-adminserver`	`ClusterIP`	`7001` `3012` Note: `3012` is the T3 Service port.	`7001/3012`

If you use an Ingress-based deployment, the following Ingress services will be created as part of this deployment:

Table 18-3 Ingress Services

Service Name	Host Name
`oamadmin-ingress`	`iadadmin.example.com`
`oamruntime-ingress`	`login.example.com`

Parent topic: About the Initial Infrastructure Domain

Installing Oracle Access Manager (OAM) on the Kubernetes Infrastructure

Before creating the OAM Kubernetes infrastructure, you should have downloaded the Oracle Access Manager Image and installed the Oracle WebLogic Operator.

To download the Oracle Access Manager Image and load it into the container image repository (this repository must be visible to each Kubernetes node), see Identifying and Obtaining Software Distributions for an Enterprise Deployment.
To install the Oracle WebLogic Operator, see Installing and Configuring WebLogic Kubernetes Operator.

Prerequisites
Before creating the Oracle Access Manager (OAM) on the kubernetes infrastructure, you must download the Oracle Access Manager container image and installed the Oracle WebLogic Operator.

Parent topic: Configuring Oracle Access Manager Using WDT

Prerequisites

Before creating the Oracle Access Manager (OAM) on the kubernetes infrastructure, you must download the Oracle Access Manager container image and installed the Oracle WebLogic Operator.

To download the Oracle Access Manager Image and load it into the Docker image repository (this repository must be visible to each Kubernetes node), see Identifying and Obtaining Software Distributions for an Enterprise Deployment.
To install the Oracle WebLogic Operator, see Installing and Configuring WebLogic Kubernetes Operator.

Setting Up a Product Specific Work Directory

Parent topic: Installing Oracle Access Manager (OAM) on the Kubernetes Infrastructure

Setting Up a Product Specific Work Directory

Before you begin the installation, you must have downloaded and staged the Oracle Access Manager container image and the sample code repository. See Identifying and Obtaining Software Distributions for an Enterprise Deployment.

You must also have deployed the Oracle WebLogic Operator as described in Installing the WebLogic Kubernetes Operator.

This section describes the procedure to copy the downloaded sample deployment scripts to a temporary working directory on the configuration host for OAM.

Create a temporary working directory as the install user. The install user should have kubectl access to the Kubernetes cluster.
```
mkdir -p /<WORKDIR>
```
For example:
```
mkdir -p /workdir/OAM
```
Change directory to this location:
```
cd /workdir/OAM
```

Copy the sample scripts to the work directory.

cp -R <WORKDIR>/fmw-kubernetes/OracleAccessManagement/kubernetes <WORKDIR>/samples

For example:

cp -R /workdir/OAM/fmw-kubernetes/OracleAccessManagement/kubernetes /workdir/OAM/samples

Parent topic: Prerequisites

Creating a Namespace for Oracle Access Manager

Create a namespace to contain all the Oracle Access Manager Kubernetes objects.

To create a namespace, use the following command:
```
kubectl create namespace oamns
```
The output appears as follows:
```
namespace/oamns created
```
Tag the namespace so that the WebLogic Kubernetes Operator can manage it.
```
kubectl label namespaces oamns weblogic-operator=enabled
```

Parent topic: Configuring Oracle Access Manager Using WDT

Creating a Container Registry Secret

If you are using a container registry and want to pull the Oracle container images on demand, you must create a secret which contains the login details of the container registry.

If you have staged your container images locally, there is no need to perform this step.

To create a container registry secret, use the following command:

kubectl create secret -n <OAMNS> docker-registry <REGISTRY_SECRET_NAME> --docker-server=<REGISTRY_ADDRESS> --docker-username=<REG_USER> --docker-password=<REG_PWD>

For example:

kubectl create secret -n oamns docker-registry regcred --docker-server=iad.ocir.io/mytenancy --docker-username=mytenancy/oracleidentitycloudservice/myemail@email.com --docker-password=<password>

Parent topic: Configuring Oracle Access Manager Using WDT

Creating a Kubernetes Secret for Docker Hub Images

This secret allows Kubernetes to pull an image from hub.docker.com which contains third-party images such as helm, kubectl, and logstash commands.

Note:

If you are pulling the images from your own container registry, then this step is not required.

You should have an account on hub.docker.com. If you want to stage the images in your own repository, you can do so and modify the helm override file as appropriate.

To create a Kubernetes secret for hub.docker.com, use the following command:

$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="<DH_USER>" --docker-password="<DH_PWD>" --namespace=<OAMNS>

For example:

$ kubectl create secret docker-registry dockercred --docker-server="https://index.docker.io/v1/" --docker-username="username" --docker-password="<mypassword>" --namespace=oamns

Parent topic: Configuring Oracle Access Manager Using WDT

Creating the Database Schemas for Access Manager

Oracle Fusion Middleware components require schemas in a database, these schemas are created by the WebLogic Deployment Tools at the time of deployment.

The tool creates the following schemas:

Metadata Services (MDS)
Audit Services (IAU)
Audit Services Append (IAU_APPEND)
Audit Services Viewer (IAU_VIEWER)
Oracle Platform Security Services (OPSS)
User Messaging Service (UMS)
WebLogic Services (WLS)
Common Infrastructure Services (STB)
Oracle Access Manager (OAM)

For more information about RCU and how the schemas are created and stored in the database, see Preparing for Schema Creation in Creating Schemas with the Repository Creation Utility.

You must install and configure a certified database and ensure that the database is up and running.

See Preparing an Existing Database for an Enterprise Deployment

Parent topic: Configuring Oracle Access Manager Using WDT

Creating the Oracle Access Manager Domain

To configure the Oracle Access Manager domain, you should configure the WebLogic Operator for the domain namespace, create the Kubernetes secrets, and then create the Access domain.

Parent topic: Configuring Oracle Access Manager Using WDT

Creating the Kubernetes Secrets

Rather than passing the credentials directly into the domain creation process, you can use the Kubernetes secrets to store the credentials in the encrypted format. The WebLogic Operator reads these secrets instead of asking for credentials.

Parent topic: Creating the Oracle Access Manager Domain

Creating the Domain Secret

The domain secret contains information about the WebLogic Administration user who creates the domain.

Use the following command to create the domain secret:

cd <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils

./create-secret.sh -l "username=<OAM_WEBLOGIC_USER>" -l "password=<OAM_WEBLOGIC_PWD>" -n <OAMNS> -d <OAM_DOMAIN_NAME> -s <OAM_DOMAIN_SECRET>

For example:

cd /workdir/OAM/samples/create-access-domain/domain-home-on-pv/wdt-utils

./create-secret.sh -l "username=weblogic" -l "password=mypassword" -n oamns -d accessdomain -s accessdomain-weblogic-credentials

The output appears as follows:

@@ Info: Setting up secret 'accessdomain-weblogic-credentials'.
secret/accessdomain-credentials created
secret/accessdomain-credentials labeled

Verify that the secret has been created, using the following command:

kubectl get secret accessdomain-weblogic-credentials -o yaml -n oamns

Parent topic: Creating the Kubernetes Secrets

Creating the RCU Secret

The RCU secret is used by the WebLogic Operator to determine how to connect to the database schemas that you have already created. See Creating the Database Schemas for Access Manager.

To create the RCU secret, perform the following steps:

Use the following command:

cd <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils

./create-secret.sh -l "rcu_prefix=<OAM_RCU_PREFIX>" -l "rcu_schema_password=<OAM_SCHEMA_PWD>" -l "db_host=<DB_HOST>" -l "db_port=<DB_PORT>" -l "db_service=<OAM_DB_SERVICE>" -l "dba_user=sys" -l "dba_password=<OAM_SYS_PWD>" -n <OAMNS> -d <OAM_DOMAIN_NAME> -s <OAM_RCU_SECRET>

For example:

cd /workdir/OAM/samples/create-access-domain/domain-home-on-pv/wdt-utils

./create-secret.sh -l "rcu_prefix=IADEDG" -l "rcu_schema_password=MySchemaPWD__001" -l "db_host=DB-SCAN.example.com" -l "db_port=1521" -l "db_service=oam_s.example.com" -l "dba_user=sys" -l "dba_password= MySysPWD__001" -n oamns -d accessdomain -s accessdomain-rcu-credentials

The output appears as follows:

@@ Info: Setting up secret 'accessdomain-rcu-credentials'.
secret/accessdomain-rcu-credentials created
secret/accessdomain-rcu-credentials labeled

Verify that the secret has been created, using the command:

kubectl get secret accessdomain-rcu-credentials -o yaml -n oamns

Parent topic: Creating the Kubernetes Secrets

Creating the Access Domain

The procedure to create the Access domain includes creating the domain configuration file, creating the domain using the WebLogic Kubernetes Operator, setting the memory parameters, initializing the domain, and verifying the domain.

Parent topic: Creating the Oracle Access Manager Domain

Creating the Domain Configuration File

A configuration file is used to tell the WebLogic Operator how to create the domain. This configuration file is named create-domain-wdt.yaml and is located in <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils/create-domain-wdt.yaml.

Create a copy of the /workdir/OAM/create-domain-wdt.yaml file. For example:

cp /workdir/OAM/samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils/create-domain-wdt.yaml /workdir/OAM

Update the following values in the create-domain-wdt.yaml file:

domainUID: <OAM_DOMAIN_NAME> 
domainPVMountPath: /u01/oracle/user_projects/
domainHome: /u01/oracle/user_projects/domains/<OAM_DOMAIN_NAME> 
image: <OAM_REPOSITORY>:<OAM_VER>
imagePullSecretName: <REGISTRY_SECRET_NAME>
namespace: <OAMNS> 
logHome: /u01/oracle/user_projects/domains/logs/<OAM_DOMAIN_NAME>
weblogicDomainStorageNFSServer: <PVSERVER>
weblogicDomainStorageType: NFS
weblogicDomainStoragePath: <OAM_SHARE>
edgInstall: true
oamServerJavaParams: <OAMSERVER_JAVA_PARAMS>
oamMaxCPU: <OAM_MAX_CPU>
oamCPU: <OAM_CPU>
oamMaxMemory: <OAM_MAX_MEMORY>
oamMemory: <OAM_MEMORY>     
exposeAdminNodePort: true
configuredManagedServerCount: <OAM_SERVER_COUNT>
initialManagedServerReplicas: <OAM_INITIAL_SERVERS>
productionModeEnabled: true
exposeAdminT3Channel: true
adminNodePort: <OAM_ADMIN_K8>
datasourceType: agl

Where:

domainUID is the name you wish to assign to the domain.
domainPVMountPath is the location inside the container where the persistent volume is mounted.
logHome is the location of the log files.
exposeAdminNodePort is the parameter that should be set to 'True' to enable direct access to the Administration Server outside of the Kubernetes cluster. This is required for the post domain configuration regardless of whether or not an Ingress controller is used.
productionModeEnabled is the parameter that should be set to 'True'.
exposeAdminT3Channel is the parameter that should be set to 'True' to enable T3 to communicate outside of the domain. This communication is used to configure the domain after it is created.
datasourceType is the type of datasource to create. AGL (Active Grid Link) is the recommended option for maximum availability.
edgInstall identifies the installation as an EDG type deployment. Setting this value allows the installation to implement best practice rather than this being an after deployment exercise.

For example:


# Copyright (c) 2024, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.

# The version of this inputs file. Do not modify.
version: create-weblogic-sample-domain-inputs-v1

# Port number for admin server
adminPort: 7001

# Unique ID identifying a domain.
# This ID must not contain an underscope ("_"), and must be lowercase and unique across all domains in a Kubernetes cluster
domainUID: accessdomain

# Number of managed servers to generate for the domain
configuredManagedServerCount: 5

# Number of managed servers to initially start for the domain
initialManagedServerReplicas: 1

# Boolean indicating if production mode is enabled for the domain
productionModeEnabled: true

# Port for the T3Channel of the NetworkAccessPoint
t3ChannelPort: 30012

# dataSource Type
# supported values are agl or generic. Use agl for active gridlink type of datasource
# generic datasource is not applicable for RAC DB.
datasourceType: agl

# If set to true, generated model will have EDG recommended datasource type i.e. AGL and necessary connection pool parameters.
edgInstall: true

# Home of the WebLogic domain
domainHome: /u01/oracle/user_projects/domains/accessdomain
# OAM Docker image.
image: iad.ocir.io/<mytenancy>/idm/oam:12.2.1.4-jdk8-ol8-240112

# Name of the Kubernetes secret to pull the images from container registry.
# The presence of the secret will be validated when this parameter is enabled.
imagePullSecretName: regcred

# The in-pod location for domain log, server logs, server out, and node manager log files
logHome: /u01/oracle/user_projects/domains/logs/accessdomain

# Public address for T3Channel of the NetworkAccessPoint. This value should be set to the
# kubernetes server address, which you can get by running "${KUBERNETES_CLI:-kubectl} cluster-info". If this
# value is not set to that address, WLST will not be able to connect from outside the
# kubernetes cluster.
# t3PublicAddress:
# Boolean to indicate if the channel should be exposed as a service
exposeAdminT3Channel: true

# NodePort to expose for the admin server
adminNodePort: 30701

# Boolean to indicate if the adminNodePort will be exposed
exposeAdminNodePort: true

# Name of the domain namespace
namespace: oamns

#Java Option for WebLogic Server #NOT IN EDG
javaOptions: -Dweblogic.StdoutDebugEnabled=false

# Mount path of the domain persistent volume.
domainPVMountPath: /u01/oracle/user_projects
## Persistent volume type for the persistent storage.
## The value must be 'HOST_PATH' or 'NFS'.
## If using 'NFS', weblogicDomainStorageNFSServer must be specified.
weblogicDomainStorageType: NFS
#
## The server name or ip address of the NFS server to use for the persistent storage.
## The following line must be uncomment and customized if weblogicDomainStorateType is NFS:
weblogicDomainStorageNFSServer: nfsserver.example.com
#
## Physical path of the persistent storage.
## When weblogicDomainStorageType is set to HOST_PATH, this value should be set the to path to the
## domain storage on the Kubernetes host.
## When weblogicDomainStorageType is set to NFS, then weblogicDomainStorageNFSServer should be set
## to the IP address or name of the DNS server, and this value should be set to the exported path
## on that server.
## Note that the path where the domain is mounted in the WebLogic containers is not affected by this
## setting, that is determined when you create your domain.
## The following line must be uncommented and customized:
weblogicDomainStoragePath: /exports/IAMPVS/oampv
#
## Reclaim policy of the persistent storage
## The valid values are: 'Retain', 'Delete', and 'Recycle'
weblogicDomainStorageReclaimPolicy: Retain
#
## Total storage allocated to the persistent storage.
weblogicDomainStorageSize: 10Gi
#
# Pod Resource Allocation
#
oamServerJavaParams: -Xms2048m -Xmx8192m
# Max CPU Cores pod is allowed to consume.
oamMaxCPU: 1
# Initial CPU Units 1000m = 1 CPU core
oamCPU: 500m
 # Max Memory pod is allowed to consume.
oamMaxMemory: 8Gi
# Initial Memory allocated to pod.
oamMemory: 2Gi

Save the configuration file.

Parent topic: Creating the Access Domain

Generating WDT Auxiliary Image

While creating a domain using the WebLogic deployment tool, a dedicated image is created that describes the deployment. This is based on the domain creation file described in Creating the Domain Configuration File. This image is then stored in a local container registry.

The benefit of using an auxiliary image with the configuration is that it can be used repeatedly to create multiple environments with slightly different properties. For example, the same image file can be used to create a development, testing, and production environment where only the database connection details vary. You need not create a new image each time you create a similar environment. This image must be stored in a registry where images are loaded, and you need have access to this registry.

The following sections describe how to generate the WDT model files, create an auxiliary image, and upload it to your repository.

Generating WDT Model Files

Perform the following steps to generate the WDT model files from the Domain Configuration file:

Change the directory to WDT utils directory of the samples downloaded.

cd <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils

For Example:

cd /workdir/OAM//samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils

Generate the model files using the generate_wdt_models.sh utility.
```
./generate_wdt_models.sh -i <WORKDIR>/create-domain-wdt.yaml -o <WORKDIR>
```
Use -i to specify the location of the Domain configuration file you created in Creating the Domain Configuration File.

Use -o to specify where the WDT Model files and templates should be created.

For Example:
```
./generate_wdt_models.sh -i /workdir/OAM/create-domain-wdt.yaml -o /workdir/OAM
```
After running the utility, a directory is created called weblogic-domains which contain the generated files.

Sample Output with Input Parameters


export version="create-weblogic-sample-domain-inputs-v1"
export adminPort="7001"
export domainUID="accessdomain"
export configuredManagedServerCount="5"
export initialManagedServerReplicas="1"
export productionModeEnabled="true"
export t3ChannelPort="30012"
export datasourceType="agl"
export edgInstall="true"
export domainHome="/u01/oracle/user_projects/domains/accessdomain"
export image="iad.ocir.io/<mytenancy>/oam:12.2.1.4-jdk8-ol8-240112"
export imagePullSecretName="regcred"
export logHome="/u01/oracle/user_projects/domains/logs/accessdomain"
export exposeAdminT3Channel="true"
export adminNodePort="30701"
export exposeAdminNodePort="true"
export namespace="oamns"
javaOptions=-Dweblogic.StdoutDebugEnabled=false
export domainPVMountPath="/u01/oracle/user_projects"
export weblogicDomainStorageType="NFS"
export weblogicDomainStorageNFSServer="nfsserver.example.com"
export weblogicDomainStoragePath="/exports/IAMPVS/oampv"
export weblogicDomainStorageReclaimPolicy="Retain"
export weblogicDomainStorageSize="10Gi"
export oamServerJavaParams="-Xms2048m -Xmx8192m"
export oamMaxCPU="1"
export oamCPU="500m"
export oamMaxMemory="8Gi"
export oamMemory="2Gi"
validateWlsDomainName called with accessdomain
WDT model file, property file and sample domain.yaml are genereted successfully at /workdir/OAM/weblogic-domains/accessdomain

Creating Image Property File

After the model files are created, they need to be added to an image, and uploaded to your registry which begins with describing the target registry in a property file.

Perform the following steps to create an image property file:

Run the following command to ensure java is installed on your machine:
```
which java
```

Copy the property file to your work directory.

cp <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/properties/build-domain-creation-image.properties <WORKDIR>

For Example:

cp/workdir/OAM/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/properties/build-domain-creation-image.properties /workdir/OAM

Edit the file build-domain-creation-image.properties and add the following values:

JAVA_HOME set this to the location of your JAVA installation found in Step 1.

For Example,

/usr

REPOSITORY set this to the location in your registry where the image file is to reside.
For Example,
```
iad.ocir.io/<mytenancy>/idm/oam_wdt
```
.
Where oam_wdt is the name of the image you wish to create.
IMAGE_TAG used to assign a tag to the uploaded image, you can use anything here. In case of this example, we can use <OAM_DOMAIN_NAME>.
IMAGE_PUSH_REQUIRES_AUTH must be set to true if you do not allow non-authenticated uploads to your registry.
REG_USER must be set to the user in your registry where you wish to upload the image. This user must have upload privileges.
WDT_MODEL_FILE must be set to the file oam.yaml which was generated in the step above. For example, <WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>/oam.yaml.
WDT_VARIABLE_FILE must be set to the file oam.properties which was generated in the step above. For example, <WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>/oam.properties.

REG_PWD must be set to the password of the above user and placed in a separate file in buiidpwd in the <WORKDIR>as shown below:

REG_PASSWORD="<mypwd>"

Sample build-domain-creation-image.properties


# Copyright (c) 2024, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
# Input Property file for build-domain-creation-image.sh script

#
# set the JAVA_HOME environment variable to match the location of your Java installation. Java 8 or newer is required
#
JAVA_HOME=/usr

#
# Image Details
#
#Set the IMAGE_TAG, default oam-aux-v1 if not set.
IMAGE_TAG=accessdomain
# Set the BASE_IMAGE, default ghcr.io/oracle/oraclelinux:8-slim if not set.
BASE_IMAGE=ghcr.io/oracle/oraclelinux:8-slim

#
# Container Registry
#
#Image will be created with REPOSITORY:IMAGE_TAG
REPOSITORY=iad.ocir.io<mytenancy>idm/oam_wdt
# Container registry username
REG_USER=<mytenancy>/oracleidentitycloudservice/my.user@example.com
#Set it to false if authentication is not required for pushing the image to registry, for example docker login already done in the host before invoking the script.
IMAGE_PUSH_REQUIRES_AUTH=true

#
# WDT and WIT Variables
#
#Full path to wdt model files
WDT_MODEL_FILE=/workdir/OAM/weblogic-domains/accessdomain/oam.yaml
#Full path to wdt variable files
WDT_VARIABLE_FILE=/workdir/OAM/weblogic-domains/accessdomain/oam.properties
#Full path to wdt archive files
WDT_ARCHIVE_FILE=""
#If not set, Latest version will be used.
WDT_VERSION="3.5.3"
#If not set, latest will be used during every fresh run
WIT_VERSION="1.12.1"

#In Most cases, no need to use these parameters. Please refer https://oracle.github.io/weblogic-image-tool/userguide/tools/create-aux-image/ for
details about them.
TARGET=""
CHOWN=""

Uploading WDT Auxiliary Image

Use the utility build-domain-creation-image.sh to create and upload the Auxiliary image:

For Example:

cd <WORKDIR>/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image

./build-domain-creation-image.sh -i <WORKDIR>/build-domain-creation-image.properties -p <WORKDIR>/.buildpwd

For Example:

cd /workdir/OAM/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image

./build-domain-creation-image.sh -i /workdir/OAM/build-domain-creation-image.properties -p /workdir/OAM/.buildpwd

Extract from Sample Output


[INFO ] Build successful. Build time=74s. Image tag=iad.ocir.io/<mytenancy>/idm/oam_wdt:accessdomain
Getting image source signatures
Copying blob sha256:432308aaf1ccdd6c69ff6e6f6d6c762e55e183284ca57d31228bd3578275f9a9
Copying blob sha256:8b4d3bacf0d79476c744efb9d80fc05c5e1298b2ce8c5ed88edc9a4a01198ba9
Copying blob sha256:c5a8db0bbcb50dce5017361d8a2c11f42b221f9e6842d439b562657a6669cc2a
Copying blob sha256:812776fce264cf4a8e82c7d839ba60603e449b47f52582b0a5d68e730fc0b01e
Copying blob sha256:0bcef3ba673ac9fd91ac95ae8c19fa3cb29a9ad107bec305e8772e2cc968ce2a
Copying blob sha256:b782e2701e7e72e55c4cd2e849f9dc9baf602d7eec7eb89ffda3329f9b784f36
Copying blob sha256:1d8523ddf53e8404bc9d4020673d36854e721cd878e209e2649acac359b2555a
Copying blob sha256:cd00e719df55595b05a92e0741a09ad88a07c0c67caa65c78902f3c00214c72f
Copying blob sha256:520d935025c94d503a6d9f31b029f5ee4c2f4b8a8326d94dbf2caa80f8c71151
Copying blob sha256:9a9ca1edb11ff224553c91c7cf5f032f68db7a5f45080b567db3d6e9dee25e4e
Copying blob sha256:1a47311837bde5a83fcb02ba004ed5f015c2c3d73172a7082126417db874bd1b
Copying config sha256:1ae5d3f21cd522491aff21083c6618f954f6a5684b31b958c28d23b7b8c096af
Writing manifest to image destination
Storing signatures
Pushed image iad.ocir.io/<mytenancy>/idm/oam_wdt:accessdomain to image repository

Parent topic: Creating the Access Domain

Updating domain.yaml

While generating the WDT model files, a file called domain.yaml was created in the directory <WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>. This file is used to create the WebLogic domain. Before using this file the auxiliary image you create must be added to the file by editing

domain.yaml

Locate the variable in the file %DOMAIN_CREATION_IMAGE% and replace it with the name of your image as <REPOSITORY>:<IMAGE_TAG> obtained from the file build-domain-creation-image.properties.

For example,

iad.ocir.io/mytenancy/idm/oam_wdt:accessdomain

Note:

If the registry where your image is located is different to the registry where your OAM image is stored then create a new secret with the credentials for the Auxiliary image registry using a different name to the main registry.

For example:

kubectl create secret -n oamns docker-registry regcred2 --docker-server=iad.ocir.io/mytenancy2 --docker-username=mytenancy/oracleidentitycloudservice/myemail@email.com --docker-password=<password>

Update the file domain.yaml and replace the lines with the name of your new secret.

Add additional secret name if you are using a different registry for domain creation image.

Identify which secret contains the credentials for pulling an image.

  imagePullSecrets:

  - name: regcred2

Parent topic: Creating the Access Domain

Creating the Domain Using the WebLogic Operator

Create the domain using the following command:

cd <WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>

kubectl create -f <WORKDIR>/weblogic-domains/<OAM_DOMAIN_NAME>/domain.yaml

For example:

cd /workdir/OAM/weblogic-domains/accessdomain

kubectl create -f /workdir/OAM/weblogic-domains/accessdomain/domain.yaml

Use the following to monitor the domain creation:

kubectl logs -n <OAMNS> <OAM_DOMAIN_DOMAIN>-introspector

kubectl describe domain -n <OAMNS> <OAM_DOMAIN_NAME>

For Example:

kubectl logs -n oamns accessdomain-introspector

kubectl describe domain -n oamns accessdomain

For more information, see the WebLogic operator logs.

For Example:

kubectl logs -n opns weblogic-operator-688f5dcdc4-qxnnz | grep <OAM_DOMAIN_NAME>

After the domain is created, the OAM Kubernetes pods is started automatically and can be viewed using the command:

kubectl get pods -n <OAMNS>

Parent topic: Creating the Access Domain

Verifying the Domain

To verify the creation of the domain, perform the following steps:

To confirm that the domain is created, use the following command:
```
kubectl describe domain <OAM_DOMAIN_NAME> -n <OAMNS>
```
For example:
```
kubectl describe domain accessdomain -n oamns
```

Verify that the domain pods and services have been created, using the following command:

kubectl get all,domains -n oamns

The output will look similar to the following:

NAME                                        TYPE        CLUSTER-IP        EXTERNAL-IP  PORT(S)          AGE     SELECTOR
service/accessdomain-adminserver            ClusterIP   None              <none>       7001/TCP         22m     weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=AdminServer
service/accessdomain-adminserver-external   NodePort    10.97.64.5        <none>       7001:30701/TCP   3h46m   weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=AdminServer
service/accessdomain-cluster-oam-cluster    ClusterIP   10.108.180.115    <none>       14100/TCP        3h21m   weblogic.clusterName=oam_cluster,weblogic.createdByOperator=true,weblogic.domainUID=accessdomain
service/accessdomain-cluster-policy-cluster ClusterIP   10.99.138.102     <none>       15100/TCP        3h21m   weblogic.clusterName=policy_cluster,weblogic.createdByOperator=true,weblogic.domainUID=accessdomain
service/accessdomain-oam-policy-mgr1        ClusterIP   None              <none>       15100/TCP        9m48s   weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_policy_mgr1
service/accessdomain-oam-policy-mgr2        ClusterIP   10.96.151.188     <none>       15100/TCP        9m48s   weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_policy_mgr2
service/accessdomain-oam-server1            ClusterIP   None              <none>       14100/TCP        9m48s   weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_server1
service/accessdomain-oam-server2            ClusterIP   None              <none>       14100/TCP        9m48s   weblogic.createdByOperator=true,weblogic.domainUID=accessdomain,weblogic.serverName=oam_server2

Note:

It will take several minutes before all the services listed above appear. A pod with a STATUS of 0/1 indicates that the pod has already started but the OAM server associated with the pod is just starting. While the pods are starting, you can check the startup status in the pod logs by using the following commands:

kubectl logs accessdomain-adminserver -n oamns
kubectl logs accessdomain-oam-policy-mgr1 -n oamns 
kubectl logs accessdomain-oam-server1 -n oamns

Parent topic: Creating the Access Domain

Creating the Kubernetes Services

By default, the OAM domain gets created with all the components (except the Administration Server) configured as ClusterIP services. This means that the Oracle Access Manager components are visible only within the Kubernetes cluster.

In an enterprise deployment, all interactions with the WebLogic components take place through the Oracle HTTP Server which sits outside of the Kubernetes cluster. You should expose the WebLogic components to the outside world by creating additional services. You can use either NodePort Services or an Ingress controller.

Parent topic: Creating the Oracle Access Manager Domain

Creating the NodePort Services

You should create NodePort Services for each of the following OAM components:

Parent topic: Creating the Kubernetes Services

Creating an OAM NodePort Service

To create an OAM NodePort Service:

Create a text file called /workdir/OAM/oam_nodeport.yaml with the following content:

kind: Service
apiVersion: v1
metadata:
  name: <OAM_DOMAIN_NAME>-oam-nodeport
  namespace: <OAMNS>
spec:
  type: NodePort
  selector:
    weblogic.clusterName: oam_cluster
  ports:
    - targetPort: 14100
      port: 14100
      nodePort: <OAM_OAM_K8>
      protocol: TCP

Note:

Ensure that the namespace is set to the namespace you want to use.

Create the service using the following command:
```
kubectl create -f /workdir/OAM/oam_nodeport.yaml
```
The output appears as follows:
```
service/accessdomain-oam-nodeport created
```

Parent topic: Creating the NodePort Services

Creating a Policy Manager NodePort Service

To create a policy manager NodePort Service:

Create a text file called /workdir/OAM/policy_nodeport.yaml with the following content:

kind: Service
apiVersion: v1
metadata:
  name: <OAM_DOMAIN_NAME>-oam-policy-nodeport
  namespace: <OAMNS>
spec:
  type: NodePort
  selector:
    weblogic.clusterName: policy_cluster
  ports:
    - targetPort: 15100
      port: 15100
      nodePort: <OAM_POLICY_K8>
      protocol: TCP

Note:

Ensure that the namespace is set to the namespace you want to use.

Create the service using the following command:
```
kubectl create -f /workdir/OAM/policy_nodeport.yaml
```
The output appears as follows:
```
service/accessdomain-oam-policy-nodeport created
```

Parent topic: Creating the NodePort Services

Creating an OAP Legacy NodePort Service

If you are using legacy WebGates which communicate with OAM using the OAP protocol, then you will need to create an additional service.

To create a OAM legacy NodePort Service:

Create a text file called /workdir/OAM/oap_nodeport.yaml with the following content:

kind: Service
apiVersion: v1
metadata:
  name: <OAM_DOMAIN_NAME>-oap-nodeport
  namespace: <OAMNS>
spec:
  type: NodePort
  selector:
    weblogic.clusterName: oam_cluster
  ports:
    - targetPort: 5575
      port: 5575
      nodePort: <OAM_OAP_SERVICE_PORT>
      protocol: TCP

Create the service using the following command:
```
kubectl create -f /workdir/OAM/oap_nodeport.yaml
```
The output appears as follows:
```
service/accessdomain-oap-nodeport created
```

Parent topic: Creating the NodePort Services

Creating the Ingress Services

To create Ingress services, you must first create an Ingress controller. For more information about the installation procedure, see Installing and Configuring Ingress Controller.

The Ingress service is created inside the product namespace. It tells the Ingress controller how to direct requests inside the namespace.

Note:

The example below creates two Ingress services, one for each of the OAM virtual hosts.

iadadmin.example.com
login.example.com

To create an Ingress service:

Copy the values.yaml file from the <WORKDIR>/samples/charts/ingress-per-domain directory to the working directory and rename the file to override_ingress.yaml.

Edit the <WORKDIR>/override_ingress.yaml file and set the values as follows:

set domainUID to <OAM_DOMAIN_NAME>
set adminServerPort to <OAM_ADMIN_PORT>
set hostName.enabled to true
set admin to <OAM_ADMIN_LBR_HOST>
set runtime to <OAM_LOGIN_LBR_HOST>

For example:

# Load balancer type. Supported values are: NGINX
type: NGINX

# SSL configuration Type. Supported Values are : NONSSL,SSL
sslType: NONSSL

# domainType. Supported values are: oam
domainType: oam

#WLS domain as backend to the load balancer
wlsDomain:
  domainUID: accessdomain
  adminServerName: AdminServer
  adminServerPort: 7001
  adminServerSSLPort:
  oamClusterName: oam_cluster
  oamManagedServerPort: 14100
  oamManagedServerSSLPort:
  policyClusterName: policy_cluster
  policyManagedServerPort: 15100
  policyManagedServerSSLPort:

# Host specific values
hostName:
  enabled: true
  admin: iadadmin.example.com
  runtime: login.example.com

Create the Ingress services by running the following commands:

cd <WORKDIR>/samples

helm install oam-nginx charts/ingress-per-domain --namespace <OAMNS> --values <WORKDIR>/override_ingress.yaml

Validate that the Ingress service has been created correctly by using the following command:
```
kubectl get ingress -n oamns
```

Parent topic: Creating the Kubernetes Services

Creating an OAM ClusterIP Service

Create a ClusterIP service for OAP connections.

For this service, create the oap_clusterip.yaml file with the following contents:

kind: Service
apiVersion: v1
metadata:
  name: <OAM_DOMAIN_NAME>-oap
  namespace: <OAMNS>
spec:
  type: ClusterIP
  selector:
    weblogic.clusterName: oam_cluster
  ports:
    - port: 5575
      protocol: TCP

Create the service using the following command:

kubectl create -f /workdir/OAM/oap_clusterip.yaml

The output appears as follows:

service/accessdomain-oap created

Parent topic: Creating the Kubernetes Services

Validating Services

To validate that the services have been created correctly, use the following command:

 kubectl get service -n oamns

The output of this commands appears as follows:

NAME                                      TYPE 	   	 CLUSTER-IP 		 EXTERNAL-IP PORT(S)   		 AGE
accessdomain-adminserver 	   	  ClusterIP      None <none>             30012/TCP,7001/TCP    		 4d15h
accessdomain-adminserver-ext 	          NodePort       10.96.127.191 <none>    30012:30012/TCP,7001:30701/TCP  4d15h
accessdomain-cluster-oam-cluster   	  ClusterIP      10.96.43.35 <none>      14100/TCP 			 4d15h
accessdomain-cluster-policy-cluster       ClusterIP      10.96.8.16 <none>       15100/TCP 			 4d15h
accessdomain-oam-nodeport 		  NodePort 	 10.96.104.168 <none>    14100:30410/TCP 		 4d15h
accessdomain-oam-policy-mgr1 	          ClusterIP      None <none> 	     	 15100/TCP 			 4d15h
accessdomain-oam-policy-mgr2 	          ClusterIP      None <none> 	     	 15100/TCP 			 4d15h
accessdomain-oam-policy-mgr3 	          ClusterIP      10.96.36.96 <none>      15100/TCP 			 4d15h
accessdomain-oam-policy-mgr4 	          ClusterIP      10.96.171.61 <none>     15100/TCP 			 4d15h
accessdomain-oam-policy-mgr5 	          ClusterIP      10.96.200.171 <none>    15100/TCP 			 4d15h
accessdomain-oam-server1 		  ClusterIP      None <none> 	      	 14100/TCP 			 4d15h
accessdomain-oam-server2 		  ClusterIP      None <none> 	      	 14100/TCP 			 4d15h
accessdomain-oam-server3 		  ClusterIP      10.96.93.51 <none>      14100/TCP 			 4d15h
accessdomain-oam-server4 	          ClusterIP      10.96.223.123 <none>    14100/TCP 			 4d15h
accessdomain-oam-server5 		  ClusterIP      10.96.143.94 <none>     14100/TCP 			 4d15h
accessdomain-oap 			  ClusterIP      10.96.171.107 <none>    5575/TCP 			 4d15h
accessdomain-policy-nodeport              NodePort       10.96.169.250 <none>    15100:30510/TCP 		 4d15h

Parent topic: Creating the Kubernetes Services

Updating the Domain

When you first create the domain, some information may be missing. You can add this information using a simple curl script.

This procedure performs the following actions:

Adds an internally resolvable hostname to each OAM Server.
Sets the OAP port number for each OAM Server.
Changes the OAP settings replacing the local host name with the load balancer host name.
Updates the REST points for Oracle 12c WebGate HTTP OAM APIs in the existing WebGate agents.
Updates the federation entry points to use the load balancer.
Changes the OAP security mode for legacy WebGates in the ready-to-use WebGate agents.
Updates the timeout settings.
Updates the maximum number of connections for ready-to-use WebGates.

Create a file called /workdir/OAM/modify_oam.xml with the following information in it:

<Configuration>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server1/host"><OAM_DOMAIN_NAME>-oam-server1</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server2/host"><OAM_DOMAIN_NAME>-oam-server2</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server3/host"><OAM_DOMAIN_NAME>-oam-server3</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server4/host"><OAM_DOMAIN_NAME>-oam-server4</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server5/host"><OAM_DOMAIN_NAME>-oam-server5</Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server1/oamproxy/Port"><OAP_PORT></Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server2/oamproxy/Port"><OAP_PORT></Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server3/oamproxy/Port"><OAP_PORT></Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server4/oamproxy/Port"><OAP_PORT></Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server5/oamproxy/Port"><OAP_PORT></Setting>
<Setting Name="serverhost" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMSERVER/serverhost"><OAM_LOGIN_LBR_HOST></Setting>
<Setting Name="serverport" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMSERVER/serverport"><OAM_LOGIN_LBR_PORT></Setting>
<Setting Name="serverprotocol" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMSERVER/serverprotocol"><OAM_LOGIN_LBR_PROTOCOL></Setting>
<Setting Name="serverhost" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMServerBackChannel/serverhost"><OAM_LOGIN_LBR_HOST></Setting>
<Setting Name="serverport" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMServerBackChannel/serverport"><OAM_LOGIN_LBR_HOST></Setting>
<Setting Name="serverprotocol" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMServerBackChannel/serverprotocol"><OAM_LOGIN_LBR_PROTOCOL></Setting>
<Setting Name="OAMRestEndPointHostName" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/UserDefinedParameters/OAMRestEndPointHostName"><OAM_LOGIN_LBR_HOST></Setting>
<Setting Name="OAMRestEndPointPort" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/UserDefinedParameters/OAMRestEndPointPort"><OAM_LOGIN_LBR_PORT></Setting>
<Setting Name="providerid" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/fedserverconfig/providerid"><OAM_LOGIN_LBR_PROTOCOL>://<OAM_LOGIN_LBR_HOST>:<OAM_LOGIN_LBR_PORT>/oam/fed</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server1/CoherenceConfiguration/LocalHost/Value"><OAM_DOMAIN_NAME>-oam-server1</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server2/CoherenceConfiguration/LocalHost/Value"><OAM_DOMAIN_NAME>-oam-server2</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server3/CoherenceConfiguration/LocalHost/Value"><OAM_DOMAIN_NAME>-oam-server3</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server4/CoherenceConfiguration/LocalHost/Value"><OAM_DOMAIN_NAME>-oam-server4</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server5/CoherenceConfiguration/LocalHost/Value"><OAM_DOMAIN_NAME>-oam-server5</Setting>
<Setting Name="assertionissuer" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/issuancetemplates/saml11-issuance-template/assertionissuer"><OAM_LOGIN_LBR_HOST></Setting>
<Setting Name="assertionissuer" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/issuancetemplates/saml20-issuance-template/assertionissuer"><OAM_LOGIN_LBR_HOST></Setting>
<Setting Name="openid20realm" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/spglobal/openid20realm"><OAM_LOGIN_LBR_PROTOCOL>://<OAM_LOGIN_LBR_HOST>:<OAM_LOGIN_LBR_PORT></Setting>
<Setting Name="logoutRedirectUrl" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/logoutRedirectUrl"><OAM_LOGIN_LBR_PROTOCOL>://<OAM_LOGIN_LBR_HOST>:<OAM_LOGIN_LBR_PORT>/oam/server/logout</Setting>
<Setting Name="security" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/security"><OAP_MODE></Setting>
<Setting Name="security" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/security"><OAP_MODE></Setting>
<Setting Name="logoutRedirectUrl" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/UserDefinedParameters/logoutRedirectUrl"><OAM_LOGIN_LBR_PROTOCOL>://<OAM_LOGIN_LBR_HOST>:<OAM_LOGIN_LBR_PORT>/oam/server/logout</Setting>
<Setting Name="Timeout" Type="htf:timeInterval" Path="/DeployedComponent/Server/NGAMServer/Profile/Sme/SessionConfigurations/Timeout">15 M</Setting>

<Setting Name="PrimaryServerList" Type="htf:list" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/PrimaryServerList">
<Setting Name="0" Type="htf:map" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/PrimaryServerList/0">
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/host"><OAM_OAP_HOST></Setting>
<Setting Name="port" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/port"><OAP_SERVICE_PORT></Setting>
<Setting Name="numOfConnections" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/numOfConnections"><WG_CONNECTIONS></Setting>
</Setting>
</Setting>

<Setting Name="PrimaryServerList" Type="htf:list" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList">
<Setting Name="0" Type="htf:map" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0">
<Setting Name="port" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/port"><OAP_SERVICE_PORT></Setting>
<Setting Name="numOfConnections" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/numOfConnections"><WG_CONNECTIONS></Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/host"><OAM_OAP_HOST></Setting>
</Setting>
</Setting>
</Configuration>

Note:

You need one entry of NGAMServer/Instance/<servername>/host for each oam_server in the domain.
You need one entry of NGAMServer/Instance/<servername>/port for each oam_server in the domain.
You need one entry of NGAMServer/Instance/<servername>/CoherenceConfiguration for each oam_server in the domain.

For example:

<Configuration>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server1/host">accessdomain-oam-server1</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server2/host">accessdomain-oam-server2</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server3/host">accessdomain-oam-server3</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server4/host">accessdomain-oam-server4</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server5/host">accessdomain-oam-server5</Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server1/oamproxy/Port">5575</Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server2/oamproxy/Port">5575</Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server3/oamproxy/Port">5575</Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server4/oamproxy/Port">5575</Setting>
<Setting Name="Port" Type="xsd:integer" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server5/oamproxy/Port">5575</Setting>
<Setting Name="serverhost" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMSERVER/serverhost">login.example.com</Setting>
<Setting Name="serverport" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMSERVER/serverport"></Setting>
<Setting Name="serverprotocol" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMSERVER/serverprotocol">https</Setting>
<Setting Name="serverhost" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMServerBackChannel/serverhost">login.example.com</Setting>
<Setting Name="serverport" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMServerBackChannel/serverport"></Setting>
<Setting Name="serverprotocol" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/OAMServerProfile/OAMServerBackChannel/serverprotocol">https</Setting>
<Setting Name="OAMRestEndPointHostName" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/UserDefinedParameters/OAMRestEndPointHostName">login.example.com</Setting>
<Setting Name="OAMRestEndPointPort" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/UserDefinedParameters/OAMRestEndPointPort"></Setting>
<Setting Name="providerid" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/fedserverconfig/providerid">https://login.example.com:443/oam/fed</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server1/CoherenceConfiguration/LocalHost/Value">accessdomain-oam-server1</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server2/CoherenceConfiguration/LocalHost/Value">accessdomain-oam-server2</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server3/CoherenceConfiguration/LocalHost/Value">accessdomain-oam-server3</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server4/CoherenceConfiguration/LocalHost/Value">accessdomain-oam-server4</Setting>
<Setting Name="Value" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Instance/oam_server5/CoherenceConfiguration/LocalHost/Value">accessdomain-oam-server5</Setting>
<Setting Name="assertionissuer" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/issuancetemplates/saml11-issuance-template/assertionissuer">login.example.com</Setting>
<Setting Name="assertionissuer" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/issuancetemplates/saml20-issuance-template/assertionissuer">login.example.com</Setting>
<Setting Name="openid20realm" Type="xsd:string" Path="/DeployedComponent/Server/NGAMServer/Profile/STS/spglobal/openid20realm">https://login.example.com:443</Setting>
<Setting Name="logoutRedirectUrl" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/logoutRedirectUrl">https://login.example.com:443/oam/server/logout</Setting>
<Setting Name="security" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/security">open</Setting>
<Setting Name="security" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/security">open</Setting>
<Setting Name="logoutRedirectUrl" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/UserDefinedParameters/logoutRedirectUrl">https://login.example.com:/oam/server/logout</Setting>
<Setting Name="Timeout" Type="htf:timeInterval" Path="/DeployedComponent/Server/NGAMServer/Profile/Sme/SessionConfigurations/Timeout">15 M</Setting>

<Setting Name="PrimaryServerList" Type="htf:list" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/PrimaryServerList">
<Setting Name="0" Type="htf:map" Path="/DeployedComponent/Agent/WebGate/Instance/IAMSuiteAgent/PrimaryServerList/0">
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/host">oam.example.com</Setting>
<Setting Name="port" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/port">30540</Setting>
<Setting Name="numOfConnections" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/numOfConnections">20</Setting>
</Setting>
</Setting>

<Setting Name="PrimaryServerList" Type="htf:list" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList">
<Setting Name="0" Type="htf:map" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0">
<Setting Name="port" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/port">30540</Setting>
<Setting Name="numOfConnections" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/numOfConnections">20</Setting>
<Setting Name="host" Type="xsd:string" Path="/DeployedComponent/Agent/WebGate/Instance/accessgate-oic/PrimaryServerList/0/host">oam.example.com</Setting>
</Setting>
</Setting>
</Configuration>

Save the file.

Apply the configuration changes using curl. For example:

curl -x '' -X PUT http://<K8_WORKER_NODE1>:<OAM_ADMIN_K8>/iam/admin/config/api/v1/config -ikL -H 'Content-Type: application/xml' --user <OAM_WEBLOGIC_USER>:<OAM_WEBLOGIC_PWD> -H 'cache-control: no-cache' -d @/workdir/OAM/modify_oam.xml

For example:

curl -x '' -X PUT http://k8worker1.example.com:30701/iam/admin/config/api/v1/config -ikL -H 'Content-Type: application/xml' --user weblogic:<password> -H 'cache-control: no-cache' -d @/workdir/OAM/modify_oam.xml

Parent topic: Configuring Oracle Access Manager Using WDT

Performing the Post-Configuration Tasks for Oracle Access Management Domain

The post-configuration tasks for the OAM domain include creating the server overrides file and updating the data sources.

Parent topic: Configuring Oracle Access Manager Using WDT

Limiting Pods to Specific Worker Nodes

If you want to ensure that the OAM servers start only on a specific set of worker servers, complete the following steps:

Parent topic: Performing the Post-Configuration Tasks for Oracle Access Management Domain

Labeling the Kubernetes Worker Nodes

Label the worker nodes you want to include in scheduling. This can be as granular as you need. For example, if you want to schedule the OAM processes to run on a set of nodes, then label that set with a label such as oamservers. If you want to dictate that the Administration Server runs on a specific set of worker nodes and oam_server on a different set, then create two labels, oamadmin and oamservers.

Add a label to a Kubernetes node using the following command:

kubectl label node worker1 name=oamservers

Parent topic: Limiting Pods to Specific Worker Nodes

Restricting Processes to Labels

To ensure that the OAM pods run on only worker nodes with the appropriate label, edit the domain.yaml file located in the following path:

<WORKDIR>/samples/create-access-domain/domain-home-on-pv/output/weblogic-domains/<OAM_DOMAIN_NAME>/

For example:

/workdir/OAM/samples/create-access-domain/domain-home-on-pv/output/weblogic-domains/accessdomain/

Alter the Managed Servers section for all the Managed Servers configured in the cluster and ensure that only the labeled worked nodes are used for scheduling.

For oam_server1 and oam_server2, the entries will look similar to:

   managedServers:
   - serverName: oam_server1
     serverPod:
       nodeSelector:
         name: oamservers
   - serverName: oam_server2
     serverPod:
       nodeSelector:
         names: oamservers

Parent topic: Limiting Pods to Specific Worker Nodes

Creating the Server Overrides File

The serverOverrides file is used to set specific Java values when the containers start. The parameters are appended to the configuration in the setDomainEnv.sh file but unlike the setDomainEnv.shfile, the serverOverrides file is not overwritten during the upgrade.

Parent topic: Performing the Post-Configuration Tasks for Oracle Access Management Domain

Disabling the Derby Database

Disable the embedded Derby database, which is a file-based database, packaged with Oracle WebLogic Server. The Derby database is used primarily for development environments. Therefore, you must disable it when you are configuring a production-ready enterprise deployment environment. Otherwise, the Derby database process starts automatically when you start the Managed servers.

To disable the Derby database:

Create a file called /workdir/OAM/setUserOverrides.sh with the following content:
```
DERBY_FLAG=false
```
Save and close the file.

Parent topic: Creating the Server Overrides File

Enabling the Managed Servers to Use IPv4 Networking

If the Managed Server is configured to use IPv6 networking, you may encounter issues when you start the Managed Server. Therefore, you must enable the Managed Servers to use IPv4 networking.

Edit the setUserOverrides.sh file and add the following line:
```
JAVA_OPTIONS="${JAVA_OPTIONS} -Djava.net.preferIPv4Stack=true"
```
Save and close the file.

Parent topic: Creating the Server Overrides File

Setting the Memory Parameters in IAMAccessDomain

The initial startup parameter in the IAMAccessDomain, which defines the memory usage, is insufficient. You must increase the value of this parameter.

To change the memory allocation setting:

Change the following memory allocation in the setUserOverrides.sh file by updating the Java maximum memory allocation pool (Xmx) to 8192m and initial memory allocation pool (Xms) to 8192m. For example, add the following line:
```
MEM_ARGS="-Xms8192m -Xmx8192m"
```
Note:
For larger systems, these values should be:
```
MEM_ARGS="-Xms8192m -Xmx8192m"
```
Save and close the file.

Parent topic: Creating the Server Overrides File

Copying Server Overrides to the Kubernetes Containers

In a Kubernetes environment, there is no editior inside the container. To work around this issue, create the file on the master node and copy it to the Kubernetes container using the following commands:

chmod 755 /workdir/OAM/setUserOverrides.sh

kubectl cp <WORKDIR>/setUserOverrides.sh <OAMNS>/<OAM_DOMAIN_NAME>-adminserver:/u01/oracle/user_projects/domains/<OAM_DOMAIN_NAME>/bin/setUserOverrides.sh

For example:

kubectl cp /workdir/OAM/setUserOverrides.sh oamns/accessdomain-adminserver:/u01/oracle/user_projects/domains/accessdomain/bin/setUserOverrides.sh

Parent topic: Creating the Server Overrides File

Restarting the Domain

Restart the domain for the changes to take effect.

To restart the domain, use the following commands:

kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'

After all the Kubernetes pods (with the exception of the helper pod) in the namespace have stopped, you can restart the domain by using the following command:

kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'

Note:

Check that all the Kubernetes pods (with the exception of the helper pod) in the namespace have stopped by using the following command:

kubectl -n <OAMNS> get all

All the Kubernetes pods (with the exception of the helper pod) in the namespace will be stopped when there are no entries for the Administration Server or the Managed Servers.

For example:

kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'
kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'

Parent topic: Configuring Oracle Access Manager Using WDT

Validating the Administration Server

Before you perform the configuration steps, validate that the Administration Server has started successfully by ensuring that you have access to the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager Fusion Middleware Control, both installed and configured on the Administration Server.

Note:

For the validation to work, you need to have a browser capable of communicating with the Kubernetes worker nodes.

To navigate to Fusion Middleware Control, enter the following URL, and log in with the Oracle WebLogic Server administrator credentials:

http://k8worker1.example.com:30701/em

To navigate to the Oracle WebLogic Server Administration Console, enter the following URL, and log in with the same administration credentials:

http://k8worker1.example.com:30701/console

Parent topic: Configuring Oracle Access Manager Using WDT

Removing OAM Server from WebLogic Server 12c Default Coherence Cluster

Exclude all Oracle Access Management (OAM) clusters (including Policy Manager and OAM runtime server) from the default WebLogic Server 12c coherence cluster by using the WebLogic Server Administration Console.

From release 12.2.1.3.0 onwards, OAM server-side session management uses database and does not require coherence cluster to be established. In some environments, warnings and errors are observed due to default coherence cluster initialized by WebLogic. To avoid or fix these errors, exclude all of the OAM clusters from default WebLogic Server coherence cluster using the following steps:

Log in to the WebLogic Server Administration Console, using the URL:
http://k8worker1.example.com:30701/console
In the left pane of the console, expand Environment and select Coherence Clusters.
The Summary of Coherence Clusters page displays the Coherence cluster configurations that have been created in this domain.
Click defaultCoherenceCluster and select the Members tab.
Click Lock and Edit.
From Servers and Clusters, deselect all OAM clusters (including policy manager and OAM runtime server).
Click Save.
Click Activate changes.

Parent topic: Configuring Oracle Access Manager Using WDT

Tuning the WebLogic Server

Tune the WebLogic Server for optimum performance by adding the Minimum Thread Constraint and removing the Max Thread and Capacity constraints.

Adding the Minimum Thread Constraint to Worker Manager OAPOverRestWM

Log in to the WebLogic Server Console at http://k8worker1.example.com:30701/console.
Click Lock & Edit.
In Domain Structure, click Deployments.
On the Deployments page, click Next until you see oam_server.
Expand oam_server by clicking the + icon, and then click /iam/access/binding.
Click the Configuration tab, followed by the Workload tab.
Click wm/OAPOverRestWM.
Under Application Scoped Work Managed Components, click New.
In Create a New Work Manager Component, select Minumum Threads Constraint and click Next.
In Minimum Threads Constraint Properties, enter the Count as 400 and click Finish.
In Save Deployment Plan, change the Path to /u01/oracle/user_projects/domains/accessdomain/Plan.xml.
Click OK, and then click Activate Changes.

Removing the Maximum Thread Constraint and Capacity Constraint

Log in to the WebLogic Server Console at http://k8worker1.example.com:30701/console.
Click Lock & Edit.
In Domain Structure, click Deployments.
On the Deployments page, click Next until you see oam_server.
Expand oam_server by clicking the + icon, and then click /iam/access/binding.
Click the Configuration tab, followed by the Workload tab.
Click wm/OAPOverRestWM.
Under Application Scoped Work Managed Components, select Capacity and MaxThreadsCount, and then click Delete.
In the Delete Work Manage Components screen, click OK to delete.
Click Release Configuration.

Parent topic: Configuring Oracle Access Manager Using WDT

Enabling Virtualization

You can use the Fusion Middleware Control to enable virtualization.

To enable virtualization:

Log in to Oracle Fusion Middleware Console using the URL:
http://k8worker1.example.com:30701/em
Click WebLogic Domain > Security > Security Provider Configuration.
Expand Security Store Provider.
Expand Identity Store Provider.
Click Configure.
Add a custom property.
Select virtualize property with value true and click OK.
Click OK again to persist the change.

For more information about the virtualize property, see OPSS System and Configuration Properties in Securing Applications with Oracle Platform Security Services.

Parent topic: Configuring Oracle Access Manager Using WDT

Restarting the Domain

Restart the domain for the changes to take effect.

To restart the domain, use the following commands:

kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'

After all the Kubernetes pods (with the exception of the helper pod) in the namespace have stopped, you can restart the domain by using the following command:

kubectl -n <OAMNS> patch domains <OAM_DOMAIN_NAME> --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'

Note:

Check that all the Kubernetes pods (with the exception of the helper pod) in the namespace have stopped by using the following command:

kubectl -n <OAMNS> get all

All the Kubernetes pods (with the exception of the helper pod) in the namespace will be stopped when there are no entries for the Administration Server or the Managed Servers.

For example:

kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "Never" }]'
kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IfNeeded" }]'

Parent topic: Configuring Oracle Access Manager Using WDT

Configuring and Integrating with LDAP

Configuration and integration of OAM with LDAP requires you to first set a global passphrase. You then configure OAM to use the LDAP directory. In addition, create the Webgate_IDM agent if not present and finally assign administration rights to the LDAP users to access the MBeans stored in the Administration Server.

Parent topic: Configuring Oracle Access Manager Using WDT

Obtaining a Global Passphrase

By default, Oracle Access Manager is configured to use the open security model. If you plan to change this mode using idmConfigTool, you must know the global passphrase. By default, Oracle creates a global passphrase for you. You can override this value, if required.

Note:

If you are using the latest 12c WebGate functionality using OAP over REST calls, it is not important to change the security mode because REST calls do not use the OAP transport mode.

Obtaining the Default Global Passphrase

Parent topic: Configuring and Integrating with LDAP

Obtaining the Default Global Passphrase

You will need the global passphrase while creating the WebGate agents. To obtain the global passphrase:

Start a bash shell in the Administration Server container using the command:

kubectl exec -n <OAMNS> -ti <OAM_DOMAIN_NAME>-adminserver -- /bin/bash

For example:

kubectl exec -n oamns -ti accessdomain-adminserver -- /bin/bash

Start WLST by using the following command:

/u01/oracle/oracle_common/common/bin/wlst.sh

Connect to the domain using the command:

connect('<OAM_WEBLOGIC_USER>','<OAM_WEBLOGIC_PWD>','t3://<OAM_DOMAIN_NAME>-domain-adminserver.<OAMNS>.svc.cluster.local:<OAM_EXT_T3_PORT>')

For example:

connect('weblogic','<password>','t3://accessdomain-adminserver.oamns.svc.cluster.local:30012')

Issue the WLST command:
```
displaySimpleModeGlobalPassphrase()
```

The system generated passphrase is displayed.

Parent topic: Obtaining a Global Passphrase

Configuring Access Manager to Use the LDAP Directory

After completing the initial installation and setting the security model, you have to associate Oracle Access Manager with the LDAP directory. You can use Oracle Unified Directory (OUD) as the LDAP directory.

To associate Access Manager and the LDAP directory, perform the following tasks:

Parent topic: Configuring and Integrating with LDAP

Creating a Configuration File

Configuring Oracle Access Management to use LDAP requires you to run the idmConfigTool utility. Therefore, you must create a configuration file called oam.props to use during the configuration. The contents of this file are:

#IDSTORE PROPERTIES
  
IDSTORE_HOST: <LDAP_HOSTNAME>
IDSTORE_PORT: <LDAP_PORT>
IDSTORE_BINDDN:<LDAP_ADMIN_USER>
IDSTORE_SEARCHBASE: <LDAP_SEARCHBASE>
IDSTORE_GROUPSEARCHBASE: <LDAP_GROUP_SEARCHBASE>
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: <LDAP_USER_SEARCHBASE>
IDSTORE_SYSTEMIDBASE: <LDAP_SYSTEMIDS>
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: <LDAP_TYPE>
IDSTORE_WLSADMINUSER: <LDAP_WLSADMIN_USER>
IDSTORE_WLSADMINGROUP: <LDAP_WLSADMIN_GRP>
IDSTORE_OAMADMINUSER: <LDAP_OAMADMIN_USER>
IDSTORE_OAMSOFTWAREUSER: <LDAP_OAMLDAP_USER>
# OAM Properties
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
OAM11G_IDSTORE_NAME: OAMIDSTORE
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: <LDAP_OAMADMIN_GRP>
PRIMARY_OAM_SERVERS: <OAM_DOMAIN_NAME>-oap.<OAMNS>.svc.cluster.local:<OAM_OAP_PORT>
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: <LDAP_USER_PWD>
COOKIE_DOMAIN: <OAM_COOKIE_DOMAIN>
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: <OAM_LOGIN_LBR_HOST>
OAM11G_IDM_DOMAIN_OHS_PORT: <OAM_LOGIN_LBR_PORT>
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: <OAM_LOGIN_LBR_PROTOCOL>
OAM11G_SERVER_LBR_HOST: <OAM_LOGIN_LBR_HOST>
OAM11G_SERVER_LBR_PORT: <OAM_LOGIN_LBR_PORT>
OAM11G_SERVER_LBR_PROTOCOL: <OAM_LOGIN_LBR_PROTOCOL>
OAM11G_OAM_SERVER_TRANSFER_MODE: open
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: <OAM_OIG_INTEG>
OAM11G_OIM_OHS_URL: <OIG_LBR_PROTOCOL>://<OIG_LBR_HOST>:<OIG_LBR_PORT>/
# WebLogic Properties
WLSHOST:<OAM_DOMAIN_NAME>-adminserver.<OAMNS>.svc.cluster.local
WLSPORT: 7001
WLSADMIN: <OAM_WEBLOGIC_USER>

For example:

#IDSTORE PROPERTIES
IDSTORE_HOST: edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local
IDSTORE_PORT: 1389
IDSTORE_BINDDN: cn=oudadmin
IDSTORE_SEARCHBASE: dc=example,dc=com
IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
IDSTORE_USERNAMEATTRIBUTE: cn
IDSTORE_LOGINATTRIBUTE: uid
IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
IDSTORE_SYSTEMIDBASE: cn=systemids,dc=example,dc=com
IDSTORE_NEW_SETUP: true
IDSTORE_DIRECTORYTYPE: OUD
IDSTORE_WLSADMINUSER: weblogic_iam
IDSTORE_WLSADMINGROUP: WLSAdministrators
IDSTORE_OAMADMINUSER: oamadmin
IDSTORE_OAMSOFTWAREUSER: oamLDAP
# OAM Properties
OAM11G_SERVER_LOGIN_ATTRIBUTE: uid
OAM11G_IDSTORE_NAME: OAMIDSTORE
OAM11G_IDSTORE_ROLE_SECURITY_ADMIN: OAMAdministrators
PRIMARY_OAM_SERVERS: accessdomain-oap.oamns.svc.cluster.local:5575
WEBGATE_TYPE: ohsWebgate12c
ACCESS_GATE_ID: Webgate_IDM
OAM11G_OIM_WEBGATE_PASSWD: Password
COOKIE_DOMAIN: .example.com
COOKIE_EXPIRY_INTERVAL: 120
OAM11G_WG_DENY_ON_NOT_PROTECTED: true
OAM11G_IDM_DOMAIN_OHS_HOST: login.example.com
OAM11G_IDM_DOMAIN_OHS_PORT: 443
OAM11G_IDM_DOMAIN_OHS_PROTOCOL: https
OAM11G_SERVER_LBR_HOST: login.example.com
OAM11G_SERVER_LBR_PORT: 443
OAM11G_SERVER_LBR_PROTOCOL: https
OAM11G_OAM_SERVER_TRANSFER_MODE: open
OAM_TRANSFER_MODE: open
OAM11G_SSO_ONLY_FLAG: false
OAM11G_IMPERSONATION_FLAG: false
OAM11G_IDM_DOMAIN_LOGOUT_URLS: /console/jsp/common/logout.jsp,/em/targetauth/emaslogout.jsp
OAM11G_OIM_INTEGRATION_REQ: false 
OAM11G_OIM_OHS_URL: https://prov.example.com:443/
# WebLogic Properties
WLSHOST:accessdomain-adminserver.oamns.svc.cluster.local
WLSPORT: 7001
WLSADMIN: weblogic

Note:

It is not possible to use vi or similar commands in a WebLogic Kubernetes container. Therefore, this file should be created outside of the container, and then copied into the container.

In this example, the file is copied to the /u01/oracle/user_projects/workdir directory. If this directory does not exist inside the container, you will first need to create it.

kubectl exec -n <OAMNS>-ti accessdomain-adminserver mkdir <K8_WORKDIR>

For example:

kubectl exec -n oamns -ti accessdomain-adminserver mkdir /u01/oracle/user_projects/workdir

After you create the directory, copy the file to this directory.

kubectl cp /workdir/OAM/oam.props oamns/accessdomain-adminserver:/u01/oracle/user_projects/workdir

Parent topic: Configuring Access Manager to Use the LDAP Directory

Integrating Oracle Access Manager and LDAP Using the idmConfigTool

Note:

Before running the idmconfigTool, ensure that the oam_server1 and oam_server2 Managed Servers are shut down.

To stop the OAM servers, use the following command:

cd /workdir/OPER/samples/domain-lifecycle

./stopCluster.sh -c oam_cluster -d accessdomain -n oamns -v

To integrate Oracle Access Manager with the LDAP directory:

Connect to the AdminServer container and start a shell:

kubectl exec -n oamns -ti accessdomain-adminserver -- /bin/bash

Set the environment variables MW_HOME, JAVA_HOME, and ORACLE_HOME.

export CLASSPATH=$CLASSPATH:/u01/oracle/wlserver/server/lib/weblogic.jar
export ORACLE_HOME=/u01/oracle/idm
export MW_HOME=/u01/oracle

Run the idmConfigTool utility to perform the integration.
The syntax of the command on Linux is:
```
cd $ORACLE_HOME/idmtools/bin
./idmConfigTool.sh -configOAM input_file=configfile 
```
For example:
```
./idmConfigTool.sh -configOAM input_file=/u01/oracle/user_projects/workdir/oam.props
```
When the command runs you are prompted to enter the password of the account you are connecting to the Identity Store with. You are also asked to specify the passwords you want to assign to these accounts:
- IDSTORE_PWD_OAMSOFTWAREUSER
- IDSTORE_PWD_OAMADMINUSER
- OAM11G_WLS_ADMIN_PASSWD
Check the log file for any errors or warnings and correct them. A file named automation.log is created in the directory where you run the tool.

Restart the domain using the following commands:

kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "NEVER" }]'

Wait for all processes to shut down, and then use the following command:

kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IF_NEEDED" }]'

Check whether oam_server1 has restarted. If not, use the following commands:

cd /workdir/OPER/weblogic-kubernetes-operator/kubernetes/samples/scripts/domain-lifecycle

./startCluster.sh -c oam_cluster -d accessdomain -n oamns

Note:

After you run idmConfigTool, several files are created that you need for subsequent tasks. Keep these in a safe location.

The following files exist in this directory: /u01/oracle/user_projects/domains/accessdomain/output/Webgate_IDM.

You will require these files when you install the WebGate software.

cwallet.sso
ObAccessClient.xml
password.xml
aaa_cert.pem
aaa_key.pem

Parent topic: Configuring Access Manager to Use the LDAP Directory

Validating the OAM LDAP Integration

To validate that the OAM LDAP integration has completed correctly:

Access the OAM Console using the following URL:
```
http://iadadmin.example.com/oamconsole
```
or, if you have not yet configured the Oracle HTTP Server, you can use:
```
http://k8worker.example.com:30701/oamconsole
```
Log in as the Access Manager administration user you created when you prepared the ID Store. For example oamadmin.
Click Agents from the Application Security screen.
When the Search SSO Agents screen appears, click Search.
You should see the WebGate agent Webgate_IDM.

Note:
If you discover that the Webgate_IDM Agent does not exist, you can create it manually. See Creating the Webgate_IDM Agent.
Log in to the WebLogic Administration Server Console as the default administrative user. For example, weblogic.
Click Security Realms on the left navigation pane.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, go to the Users and Groups tab.

Note:
The list of users and groups will be visible only after you restart the domain.
Go to the Users tab and check to see that LDAP users are displayed from the directory connector. For example: OUDAuthenticator.
Go to the Groups tab and check to see that LDAP groups are displayed from the directory connector. For example: OUDAuthenticator.

Parent topic: Configuring Access Manager to Use the LDAP Directory

Creating the Webgate_IDM Agent

If you discover that the idmConfigTool has not created the Webgate_IDM agent, you can create it.

To create a Webgate_IDM agent:

Create a file called Webgate_IDM.xml with the following contents:

<?xml version="1.0" encoding="UTF-8"?>

<!--
 Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.

   NAME: OAM11GRequest_short.xml - Template for OAM 11G Agent Registration Request file
         (Shorter version - Only mandatory values - Default values will be used for all other fields)
   DESCRIPTION: Modify with specific values and pass file as input to the tool.

-->
<OAM11GRegRequest>

    <serverAddress>http://<OAM_DOMAIN_NAME>-adminserver.<OAMNS>.svc.cluster.local:7001</serverAddress>
    <hostIdentifier>IAMSuiteAgent</hostIdentifier>
    <agentName>Webgate_IDM</agentName>
    <autoCreatePolicy>false</autoCreatePolicy>
    <protectedResourcesList>
        <resource>/**</resource>
    </protectedResourcesList>
    <publicResourcesList>
        <resource>/public/**</resource>
    </publicResourcesList>
    <excludedResourcesList>
        <resource>/excluded/**</resource>
    </excludedResourcesList>

</OAM11GRegRequest>

For example:

<?xml version="1.0" encoding="UTF-8"?>

<!--
 Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.

   NAME: OAM11GRequest_short.xml - Template for OAM 11G Agent Registration Request file
         (Shorter version - Only mandatory values - Default values will be used for all other fields)
   DESCRIPTION: Modify with specific values and pass file as input to the tool.

-->
<OAM11GRegRequest>

    <serverAddress>http://accessdomain-adminserver.oamns.svc.cluster.local:7001</serverAddress>
    <hostIdentifier>IAMSuiteAgent</hostIdentifier>
    <agentName>Webgate_IDM</agentName>
    <autoCreatePolicy>false</autoCreatePolicy>
    <protectedResourcesList>
        <resource>/**</resource>
    </protectedResourcesList>
    <publicResourcesList>
        <resource>/public/**</resource>
    </publicResourcesList>
    <excludedResourcesList>
        <resource>/excluded/**</resource>
    </excludedResourcesList>

</OAM11GRegRequest>

Save the file.

Copy the file to the Kubernetes container using the following command:

kubectl cp /workdir/OAM/Webgate_IDM.xml <OAMNS>/<OAM_DOMAIN_NAME>-adminserver:/u01/oracle/idm/oam/server/rreg/Webgate_IDM.xml

For example:

kubectl cp /workdir/OAM/Webgate_IDM.xml oamns/accessdomain-adminserver:/u01/oracle/idm/oam/server/rreg/Webgate_IDM.xml

Create the WebGate Agent by using the following commands:

kubectl exec -n oamns -ti accessdomain-adminserver -- /bin/bash
cd /u01/oracle/idm/oam/server/rreg/bin
./oamreg.sh inband /u01/oracle/idm/oam/server/rreg/Webgate_IDM.xml

You are prompted to enter your administrative credentials. Provide the name of the OAM Administration User and the Password. In addition, you are asked whether you want to create a WebGate password. This password is optional.

For example:

kubectl exec -n oamns -ti accessdomain-adminserver /bin/bash

cd /u01/oracle/idm/oam/server/rreg/bin
./oamreg.sh inband /u01/oracle/idm/oam/server/rreg/Webgate_IDM.xml

----------------------------------------
Request summary:
OAM11G Agent Name:Webgate_IDM
URL String:IAMSuiteAgent
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://accessdomain-adminserver.oamns.svc.cluster.local:7001
----------------------------------------
Mar 30, 2021 12:33:32 PM oracle.security.jps.util.JpsUtil disableAudit
INFO: JpsUtil: isAuditDisabled set to true
Inband registration process completed successfully! Output artifacts are created in the output folder.

When prompted, enter your administration user name which is oamadmin unless you have changed it. Specify the oamadmin password. When asked whether you want to enter a password for WebGate, select Yes and specify a suitable password.

The WebGate artifacts are created in the /u01/oracle/idm/oam/server/rreg/output/Webgate_IDM directory. In a Kubernetes environment, this directory is not persistent. Therefore, you should copy the files to the domain_home/output directory.
For example:
```
cp -r /u01/oracle/idm/oam/server/rreg/output/Webgate_IDM /u01/oracle/user_projects/domains/accessdomain/output
```
Verify that the WebGate agent Webgate_IDM exists in the oamconsole. See Validating the OAM LDAP Integration.

Parent topic: Configuring and Integrating with LDAP

Adding LDAP Groups to WebLogic Administrators

Oracle Access Manager requires access to the MBeans stored within the Administration Server. To enable the LDAP users to log in to the WebLogic Console and Fusion Middleware Control, you must assign them the WebLogic administration rights. For Oracle Access Manager to invoke these Mbeans, users in the OAMAdministrators group must have the WebLogic administration rights.

Parent topic: Configuring and Integrating with LDAP

Using the WebLogic Console

To add the LDAP Groups OAMAdministrators and WLSAdministrators to the WebLogic Administrators:

Log in to the WebLogic Administration Server Console as the default administrative user. For example, weblogic.
In the left pane of the console, click Security Realms.
On the Summary of Security Realms page, click myrealm under the Realms table.
On the Settings page for myrealm, click the Roles & Policies tab.
On the Realm Roles page, expand the Global Roles entry under the Roles table.
Click the Roles link to go to the Global Roles page.
On the Global Roles page, click the Admin role to go to the Edit Global Roles page.
On the Edit Global Roles page, under the Role Conditions table, click the Add Conditions button.
On the Choose a Predicate page, select Group from the drop down list for predicates and click Next.
On the Edit Arguments Page, Specify OAMAdministrators in the Group Argument field and click Add.
Repeat for the Group WLSAdministrators.
Click Finish to return to the Edit Global Roles page.
The Role Conditions table now shows the groups OAMAdministrators or WLSAdministrators as role conditions.
Click Save to finish adding the Admin role to the OAMAdministrators and IDM Administrators Groups.

Parent topic: Adding LDAP Groups to WebLogic Administrators

Using WLST

You can also add the LDAP Groups by using WLST:

Start WLST using the following command:

ORACLE_HOME/oracle_common/common/bin/wlst.sh

Connect to the Administration Server using:

connect('<OAM_WEBLOGIC_USER>','<OAM_WEBLOGIC_PWD>','t3://<OAM_DOMAIN_NAME>-adminserver.<OAMNS>.svc.cluster.local:<OAM_ADMIN_PORT>')

Use the following WLST commands after a successful connection:

cd('/SecurityConfiguration/accessdomain/Realms/myrealm/RoleMappers/XACMLRoleMapper')

cmo.setRoleExpression('', 'Admin', 'Grp(<LDAP_OAMADMIN_GRP>)|Grp(<LDAP_WLSADMIN_GRP>)|Grp(Administrators)')
exit()

For example:

connect('weblogic','password','t3://accessdomain-adminserver.oamns.svc.cluster.local:7001')

cd('/SecurityConfiguration/accessdomain/Realms/myrealm/RoleMappers/XACMLRoleMapper')

cmo.setRoleExpression('', 'Admin', 'Grp(OAMAdministrators)|Grp(WLSAdministrators)|Grp(Administrators)')
exit()

Parent topic: Adding LDAP Groups to WebLogic Administrators

Updating WebGate Agents

When you run idmConfigTool, it changes the default OAM security model and creates a new WebGate SSO agent. However, it does not change the existing WebGate SSO agents to the new security model. After you run idmConfigTool, you must update any WebGate agents that previously existed.

To update the WebGate agents:

Change the security mode to match that of the OAM servers. Failure to do so will result in a security mismatch error.
When WebGates are created at first install, they are unaware that a highly available (HA) installation is performed. After enabling HA, you must ensure that all of the OAM servers are included in the agent configuration, to ensure system continuity.
When WebGates are created at first install, they are unaware that a highly available (HA) install is performed. You must check that any logout URLs are redirected to the hardware load balancer than one of the local OAM servers.
A WebGate agent called IAMSuiteAgent is created out of the box. This is created without any password protection and needs to have one added.

To perform these actions, complete the following steps:

Log in to the OAM Console at http://iadadmin.example.com/oamconsole using the OAM administration user (oamadmin).
Click Agents pad on the Application Security screen.
Ensure that the WebGates tab is selected.
Click Search.
Click an agent, for example: IAMSuiteAgent.
Set the Security value to the same value you defined for OAM Transfer Mode on the Access Manager Configuration screen during response file creation.

If you have changed the OAM security model using the idmConfigTool, change the security model used by any existing WebGates to reflect this change.

Click Apply.
In the Primary Server list, click + and add any missing Access Manager Servers.
If a password has not already been assigned, enter a password into the Access Client Password field and click Apply.

Assign an Access Client Password, such as the Common IAM Password (COMMON_IDM_PASSWORD) you used during the response file creation or an Access Manager-specific password, if you have set one.
Set Maximum Connections to 50. This is the maximum number of connections for the primary servers, which is 10 x the number of OAM servers. In this case, the number of OAM servers is 5. Therefore, the number of connections is 10 x 5 = 50.

If you see the following in the User Defined Parameters or the Logout redirect URL:

logoutRedirectUrl=http://OAMHOST1.example.com:14100/oam/server/logout

Change it to:

logoutRedirectUrl=https://login.example.com/oam/server/logout

Click Apply.
Repeat Steps through for each WebGate.
Check that the security setting matches that of your Access Manager servers.

Parent topic: Configuring Oracle Access Manager Using WDT

Updating Host Identifiers

When you access the domain, you enter using different load balancer entry points. You must add each of these entry points (virtual hosts) to the policy list. Adding these entry points ensures that if you request access to a resource using login.example.com or prov.example.com, you have access to the same set of policy rules.

To update the host identifiers:

Access the OAM Console at http://iadadmin.example.com/oamconsole.
Log in as the Access Manager administration user you created when you prepared the ID Store. For example: oamadmin.
Select Launch Pad if not already displayed.
Click on Host Identifiers under Access Manager.
Click Search.
Click on IAMSuiteAgent.
Click + in the operations box.

Enter the following information.

Table 18-4 Host Name Port Values

Host Name	Port
`iadadmin.example.com`	80
`igdadmin.example.com`	80
`igdinternal.example.com`	7777
`prov.example.com`	443
`login.example.com`	443
`ohs1.example.com`	7777
`ohs2.example.com`	7777

Click Apply.

Parent topic: Configuring Oracle Access Manager Using WDT

Adding the Missing Policies to OAM

If any policies are missing, you have to add to ensure that Oracle Access Manager functions correctly.

You need to add the following additional policies:

Table 18-5 OAM Policy Information

Product	Resource Type	Host Identifier	Resource URL	Protection Level	Authentication Policy	Authorization Policy
ALL	HTTP	IAMSuiteAgent	`/consolehelp/**`	Excluded
ALL	HTTP	IAMSuiteAgent	`/management/**`	Excluded
ALL	HTTP	IAMSuiteAgent	`/otpfp/**`	Excluded
ALL	HTTP	IAMSuiteAgent	`/dms/**`	Excluded
OIG	HTTP	IAMSuiteAgent	`/OIGUI/**`	Protected	Protected Higher Level Policy	Protected Resource Policy
OAM	HTTP	IAMSuiteAgent	`/iam/access/binding/api/v10/oap/**`	Excluded
OAM	HTTP	IAMSuiteAgent	`/oam/services/rest/**`	Excluded
OAM	HTTP	IAMSuiteAgent	`/iam/admin/config/api/v1/config/**`	Excluded
OAM	HTTP	IAMSuiteAgent	`/oauth2/rest/**`	Excluded
OAM	HTTP	IAMSuiteAgent	`/.well-known/openid-configuration`	Excluded
OAM	HTTP	IAMSuiteAgent	`/oauth2/rest/approval`	Protected	Protected Higer Level Policy	Protected Resource Policy
OAM	HTTP	IAMSuiteAgent	`/oam/pages/consent.jsp`	Protected	Protected Higer Level Policy	Protected Resource Policy
OIG	HTTP	IAMSuiteAgent	`/iam/**`	Protected	Protected Higher Level Policy	Protected Resource Policy
OIG	HTTP	IAMSuiteAgent	`/iam/governance/**`	Excluded
OIG	HTTP	IAMSuiteAgent	`/FacadeWebApp/**`	Protected	Protected Higher Level Policy	Protected Resource Policy
OIG	HTTP	IAMSuiteAgent	`/IdentityAuditCallbackService/**`	Excluded
OIG	HTTP	IAMSuiteAgent	`/soa/composer`	Protected	Protected Higher Level Policy	Protected Resource Policy
OIG	HTTP	IAMSuiteAgent	`/soa-infra`	Protected	Protected Higher Level Policy	Protected Resource Policy
OIG	HTTP	IAMSuiteAgent	`/integration/**`	Protected	Protected Higher Level Policy	Protected Resource Policy
OUDSM	HTTP	IAMSuiteAgent	`/oudsm`	Excluded
OIRI	HTTP	IAMSuiteAgent	`/oiri/api/**`	Excluded
OIRI	HTTP	IAMSuiteAgent	`/oiri/ui/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-admin/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/admin-ui/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/policy/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-policy/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-email-factor/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-sms-factor/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-totp-factor/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-yotp-factor/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/fido/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-kba/**`	Excluded
OAA	HTTP	IAMSuiteAgent	`/oaa-push-factor/**`	Excluded
OARM	HTTP	IAMSuiteAgent	`/risk-analyzer/**`	Excluded
OARM	HTTP	IAMSuiteAgent	`/risk-cc/**`	Excluded
OUA	HTTP	IAMSuiteAgent	`/oua/**`	Excluded
OUA	HTTP	IAMSuiteAgent	`/oua-admin-ui/**`	Excluded
OUA	HTTP	IAMSuiteAgent	`/oaa-drss/**`	Excluded

Note:

/otpfp is only required if you have implemented the OAM forgotten password functionality.

/management is only required if you are using the WebLogic Remote Console.

To add these policies:

Log in to the OAM Console at http://iadadmin.example.com/oamconsole using the oamadmin user.
From the Launch pad click Application Domains in the Access Manager section.
Click Search on the Search page.

A list of application domains appears.
Click the domain IAM Suite.
Click the Resources Tab.
Click Create.
Enter the information specified in the table above.
Click Apply.

Parent topic: Configuring Oracle Access Manager Using WDT

Validating the Authentication Providers

Set the order of identity assertion and authentication providers in the WebLogic Server Administration Console.

To set the order:

Log in to the WebLogic Server Administration Console, if not already logged in.
Click Lock & Edit.
From the left navigation, select Security Realms.
Click the myrealm default realm entry.
Click the Providers tab.
From the table of providers, click the DefaultAuthenticator.
Set the Control Flag to SUFFICIENT.
Click Save to save the settings.
From the navigation breadcrumbs, click Providers to return to the list of providers.
Click Reorder.

Sort the providers to ensure that the OAM Identity Assertion provider is first and the DefaultAuthenticator provider is last.

Table 18-6 Sort order

Sort Order	Provider	Control Flag
1	OAMIDAsserter	`REQUIRED`
2	LDAP Authentication Provider	`SUFFICIENT`
3	DefaultIdentityAsserter	`N/A`
4	Trust Service Identity Asserter	`N/A`
5	DefaultAuthenticator	`SUFFICIENT`

Click OK.
Click Activate Changes to propagate the changes.

Parent topic: Configuring Oracle Access Manager Using WDT

Configuring Oracle ADF and OPSS Security with Oracle Access Manager

Some Oracle Fusion Middleware management consoles use Oracle Application Development Framework (Oracle ADF) security, which can integrate with Oracle Access Manager Single Sign-on (SSO). These applications can take advantage of Oracle Platform Security Services (OPSS) SSO for user authentication, but you must first configure the domain-level jps-config.xml file to enable these capabilities.

The domain-level jps-config.xml file is located in the following location after you create an Oracle Fusion Middleware domain:

/u01/oracle/user_projects/domain/<OAM_DOMAIN_NAME>/config/fmwconfig/jps-config.xml

Note:

The domain-level jps-config.xml should not be confused with the jps-config.xml that is deployed with custom applications.

To update the OPSS configuration to delegate SSO actions in Oracle Access Manager, complete the following steps:

Connect to the AdminServer container using the following command:
```
kubectl exec -n oamns -ti accessdomain-adminserver -- /bin/bash
```
Start the WebLogic Server Scripting Tool (WLST):

ORACLE_COMMON_HOME/common/bin/wlst.sh

For example:

/u01/oracle/oracle_common/common/bin/wlst.sh

Connect to the Administration Server, by using the following WLST command:

connect('<OAM_WEBLOGIC_USER>','<OAM_WEBLOGIC_PWD>','t3://<OAM_DOMAIN_NAME>-adminserver.<OAMNS>.svc.cluster.local:<OAM_ADMIN_PORT>')

For example:

connect('weblogic','<password>','t3://accessdomain-adminserver.oamns.svc.cluster.local:7001')

Run the addOAMSSOProvider command, as shown:

addOAMSSOProvider(loginuri="/${app.context}/adfAuthentication", logouturi="/oam/logout.html")

Disconnect from the Administration Server by entering the following command:
exit()
Exit from the container using the exit command.

Parent topic: Configuring Oracle Access Manager Using WDT

Enabling Forgotten Password

This section describes how to set up the One Time Pin forgotten password functionality which is provided with Oracle Access Manager

If you want to configure the Challenge Question forgotten password functionality, as provided by Oracle Identity Governance, see Configuring and Integrating with LDAP and Integrating Oracle Identity Governance and Oracle Access Manager.

Parent topic: Configuring Oracle Access Manager Using WDT

Prerequisites for Enabling Forgotten Password

Forgotten Password Management in Oracle Access Manager takes the form of sending an Email or SMS message with a link to reset the password.

Email or SMS is sent using the Oracle User Messaging Service. Before enabling the Oracle Forgotten Password functionality, you first need to have an Oracle User Messaging deployment. This is often located inside the Oracle Governance Domain but can be located inside the Access Domain if that is all you are installing. Alternatively, it could be a completely independent domain.

Forgotten Password functionality works only if you have successfully configured Single Sign-On as described in Configuring Single Sign-On for an Enterprise Deployment.

Adding the User Messaging Service to the Access domain or creating a User Messaging Service domain is outside of the scope of the this EDG. For more information about installing and configuring the Oracle User Messaging Service, see Installing User Messaging Service and Configuring Oracle User Messaging Service in Administering Oracle User Messaging Service.

Parent topic: Enabling Forgotten Password

Adding Permissions to the oamLDAP User

When created out of the box, the oamLDAP user (the user who links OAM to LDAP) is granted privileges to read user data in the LDAP directory. However, the oamLDAP user is not granted permission to update users information. You need to add these privileges for the OAM forgotten password functionality to work.

To add the privileges:

Create the ldif file outside of the OUD host, using your preferred text editor, and then copy the file to the LDAPHOST1 machine.

This file has the following content:

dn: cn=Users,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(targetfilter=
"(objectclass=inetorgperson)")(targetscope = "subtree") (version 3.0; acl
"iam admin changepwd"; allow (compare,search,read,selfwrite,add,write,delete)
userdn = "ldap:///cn=oamLDAP,cn=systemids,dc=example,dc=com";)

Save the file.

Note:

You should create this file outside of the 'oud' container, and then copy it into the container.

If you have mounted the OUD config persistent volume to your install host, you can directly create the file in that location. To mount the config file, see Installing and Configuring Oracle Unified Directory.

To copy the file to the OUD node, use the following command:

kubectl cp add_aci.ldif oudns/edg-oud-ds-rs-0:add_aci.ldif

Connect to the OUD node to run the ldapmodify command, using the following command:

kubectl exec -it  edg-oud-ds-rs-0 -n oudns -- /bin/bash

Add the ACI to OUD by using the following command:

/u01/oracle/user_projects/edg-oud-ds-rs-0/OUD/bin/ldapmodify -c -D cn=oudadmin -h edg-oud-ds-rs-lbr-ldap.oudns.svc.cluster.local -p 1389 -f /u01/oracle/config-input/add_aci.ldif

Parent topic: Enabling Forgotten Password

Enabling Adaptive Authentication Service

Forgotten password requires you to enable the Adaptive Authentication Service.

To enable this service:

Log in to the Oracle Access Management Administration Console as the oamadmin user, using the following URL:
http://iadadmin.example.com/oamconsole
Click Configuration.
Click Available Services.
Click Enable Service next to Adaptive Authentication Service.
When prompted, confirm that you want to enable the service.

Parent topic: Enabling Forgotten Password

Configuring Adaptive Authentication Plug-in

After you enable the Adaptive Authentication Service, it needs to be informed about the User Messaging Service.

To configure the Adaptive Authentication Plug-in:

Log in to the Oracle Access Management Administration Console as the oamadmin user, using the following URL:
http://iadadmin.example.com/oamconsole
From the Application Security Launch Pad, click Authentication Plug-ins in the Plug-ins panel. From the Authentication Plug-in tab, type Adaptive in the quick search box above the Plug-in Name column and hit Enter.
The AdaptiveAuthenticationPlugin is displayed.

Enter the following plug in properties:

Table 18-7 AdaptiveAuthentication Plug-In Properties

Attribute Value

Attribute	Value
UmsAvailable	True
UmsClientURL	Specify the entry point of your User Messaging service. If you have configured Oracle Identity Manager, then this will be:`http://igdinternal.example.com:7777/ucs/messaging/webservice` If your UMS server is inside the Kubernetes cluster, you can access it using the Kubernetes service name. For example: `http://<OIG_DOMAIN_NAME>-cluster-soa-cluster.<OIGNS>.svc.cluster.local:8001/ucs/messaging/webservice`.

UmsAvailable

True

UmsClientURL

Specify the entry point of your User Messaging service. If you have configured Oracle Identity Manager, then this will be:http://igdinternal.example.com:7777/ucs/messaging/webservice

If your UMS server is inside the Kubernetes cluster, you can access it using the Kubernetes service name. For example: http://<OIG_DOMAIN_NAME>-cluster-soa-cluster.<OIGNS>.svc.cluster.local:8001/ucs/messaging/webservice.

Click Save.

Parent topic: Enabling Forgotten Password

Enabling Password Management in the Directory

By default, OAM is not set to enable password management. You have to enable it through the OAM Console.

To enable Password Management in the directory:

Log in to the Oracle Access Management Administration Console as the oamadmin user, using the following URL:
http://iadadmin.example.com/oamconsole
Click Configuration.
Click User Identity Stores.
Click the LDAP identity store in the OAM Identity Store section. For example: OAMIDSTORE.
Click Edit.
Select Enable Password Management.

Enter the details in the User Information field.

Table 18-8 User Information Details

Attribute	Description
Global Common ID Attribute	The unique identifier in LDAP for the user. For example: uid.
First Name	The LDAP attribute which holds the users name. For example: cn.
Last Name	The LDAP attribute which holds the users last name. For example: sn.
Email Address	The LDAP attribute which holds the user's email address. For example: mail.

Click Apply.

Parent topic: Enabling Forgotten Password

Storing the User Messaging Credentials in CSF

Before you can access the User Messaging Service, you need to store the credentials in the WebLogic credential store.

To store the credentials:

Connect to the Administration Server by using the following command:
```
kubectl exec -n oamns -ti accessdomain-adminserver -- /bin/bash
```
Execute the following set of WLST commands:
```
/u01/oracle/oracle_common/common/bin/wlst.sh
connect('<OAM_WEBLOGIC_USER>','<OAM_WEBLOGIC_PWD>','t3://<OAM_DOMAIN_NAME>-adminserver.<OAMNS>.svc.cluster.local:<OAM_ADMIN_PORT>'). 
createCred(map="OAM_CONFIG", key="umsKey", user="weblogic", password="password")
createCred(map="OAM_CONFIG", key="oam_rest_cred", user="oamadmin", password="password")
exit ()
```
The umsKey is used to provide the credentials to the unified messaging server that sends out your email or sms notifications.

The oam_rest_cred is the user who is allowed to invoke the REST Services in the OAM Server.

In the above commands, weblogic is the domain administrative user and password is its associated password.

Parent topic: Enabling Forgotten Password

Setting Up the Forgot Password Link on the Login Page

The following REST API command enables the OTP forgot password link on the default login page in OAM.

 curl -X -k PUT \
  https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword/ \
  -u oamadmin:Password \
  -H 'content-type: application/json' \
  -d '{"displayOTPForgotPassworLink":"true","defaultOTPForgotPasswordLink":"false","localToOAMServer":"true","forgotPasswordURL":"https://login.example.com/otpfp/pages/fp.jsp", "mode":"userselectchallenge"}'

Enter the required attributes and values:

Table 18-9 Forgot Password Link on Login Page

Attributes	Value
ForgotPasswordURL	The OAM Forgotten Password URL. For example, https://login.example.com/otpfp/pages/fp.jsp
mode	distribution_mode The distribution mode determines how the password reset URL is sent to the end user. Valid values are: email, sms, userchoose, userselectchallenge. The last entry enables the user to choose from masked values. Email - An OTP is sent to the email configured in the mail field. SMS - An OTP is sent to the mobile number configured in the mobile field. Userchoose - An OTP is sent by letting the user choose either the email or the mobile option, without the exact values. Userselectchallenge - User can see the masked values either as email or mobile and select one of the options.

Attributes

Value

ForgotPasswordURL

The OAM Forgotten Password URL. For example, https://login.example.com/otpfp/pages/fp.jsp

mode

distribution_mode

The distribution mode determines how the password reset URL is sent to the end user. Valid values are: email, sms, userchoose, userselectchallenge. The last entry enables the user to choose from masked values.

Email - An OTP is sent to the email configured in the mail field.
SMS - An OTP is sent to the mobile number configured in the mobile field.
Userchoose - An OTP is sent by letting the user choose either the email or the mobile option, without the exact values.
Userselectchallenge - User can see the masked values either as email or mobile and select one of the options.

Note:

If you are using self signed certificates in the load balancer the curl command may object with a message similar to:

curl performs SSL certificate verification by default, using a bundle of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you like to turn off curl's verification of the certificate, use the -k (or --insecure) option.

If you see this message and are sure, add -k after -u oamadmin:Password.

Verify that this has succeeded by accessing the followig URL in a browser:

https://login.example.com/oam/services/rest/access/api/v1/config/otpforgotpassword

When prompted, enter your oamadmin account and password.

Note:

One of the OAM Managed Servers must be running for this command to succeed.

Parent topic: Enabling Forgotten Password

Adding the Oracle Access Manager Load Balancer Certificate to the Oracle Keystore Service

The Oracle Access Manager forgot password functionality requires that the SSL certificate used by the load balancer be added to the Oracle Keystore Service Trusted Certificates.

To add the certificate, do the following:

Create a directory to hold user created keystores and certificates.

kubectl exec -n <OAMNS> -ti <OAM_DOMAIN_NAME>-adminserver -- mkdir -p SHARED_CONFIG_DIR/keystores

For example:

kubectl exec -n oamns -ti accessdomain-adminserver -- mkdir -p /u01/oracle/user_projects/keystores

Obtain the certificate from the load balancer. You can obtain the load balancer certificate from using a browser, such as Firefox. However, the easiest way to obtain the certificate is to use the openssl command. The syntax of the command is as follows:
```
openssl s_client -connect LOADBALANCER -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM>/workdir/OAM/LOADBALANCER.pem
```
For example:
```
openssl s_client -connect login.example.com:443 -showcerts </dev/null 2>/dev/null|openssl x509 -outform PEM>/workdir/OAM/login.example.com.pem
```
The openssl command saves the certificate to a file called login.example.com.pem in /workdir/OAM.

Copy the certificate to the Kubernetes container by using the following command:

kubectl cp <FILENAME> <OAMNS>/<OAM_DOMAIN_NAME>-adminserver:<SHARED_CONFIG_DIR>/keystores

For example:

kubectl cp login.example.com.pem oamns/accessdomain-adminserver:/u01/oracle/user_projects/keystores/login.example.com.pem

Load the certificate into the Oracle Keystore Service using WLST.

Connect to the container using the command:

kubectl exec -n oamns -ti accessdomain-adminserver -- /bin/bash

Connect to WLST by using the following command:
```
ORACLE_HOME/oracle_common/common/bin/wlst.sh
```

Connect to the Administration Server using the following command:

connect('<OAM_WEBLOGIC_USER>','<OAM_WEBLOGIC_PWD>','t3://<OAM_DOMAIN_NAME>-adminserver.<OAMNS>.svc.cluster.local:<OAM_ADMIN_PORT>')

For example:

connect('weblogic','<password>','t3://accessdomain-adminserver.oamns.svc.cluster.local:7001')

Download the access artifacts by using the following command:

downloadAccessArtifacts(domain_home="/u01/oracle/user_projects/domains/accessdomain",
      propsFile="/u01/oracle/user_projects/workdir/db.props"

Note:

For information about the contents of the properties file, see Doc ID 2318818.1.

Load the certificate using the following commands:

svc = getOpssService(name='KeyStoreService')
svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='<CertificateName>',type='TrustedCertificate', filepath='/<SHARED_CONFIG_DIR>/keystores/<LOADBALANCER>.pem')

Synchronize the keystore service with the file system by using the following command:

syncKeyStores(appStripe='system', keystoreFormat='KSS')

For example:

connect('weblogic','password','t3://accessdomain-adminserver.oamns.svc.cluster.local:7101')
svc = getOpssService(name='KeyStoreService')
svc.importKeyStoreCertificate(appStripe='system',name='trust',password='', keypassword='',alias='login.example.com',type='TrustedCertificate', filepath='/u01/oracle/user_projects/keystores/login.example.com.pem')
syncKeyStores(appStripe='system',keystoreFormat='KSS')
exit()

Save the access artifacts by using the following command:

saveAccessArtifacts(domain_home="/u01/oracle/user_projects/domains/accessdomain",
      propsFile="/u01/oracle/user_projects/work/db.props"

You will need to restart the domain for the changes to take effect. The default password for the Node Manager keystores is COMMON_IAM_PASSWORD. You will be prompted to confirm that the certificate is valid.

Parent topic: Enabling Forgotten Password

Configuring a Custom Host Name Verifier

If using a wildcard certificate, you have to change the default value for the host name verifier from BEA Hostname Verifier to the custom value weblogic.security.utils.SSLWLSWildcardHostnameVerifier.

To change the default value of the host name verifier:

Log in to the WebLogic Server Administration Console.
Click Lock & Edit.
Navigate to Summary of Servers and click oam_server1.
Click the SSL tab, expand the Advanced section.
Set the Hostname Verification field to Custom Hostname Verifier.
In the Custom Hostname Verifier field, enter weblogic.security.utils.SSLWLSWildcardHostnameVerifier.
Click Save.

Note:

Follow these steps to change the host name verifier for all the OAM Managed Servers.

Parent topic: Enabling Forgotten Password

Validating the Forgotten Password Functionality

If you have set up the OAM Forgotten Password functionality, rather than off-loading to OIM, you can validate the forgotten password using the curl command, which shows you the password policies in force.

To validate the Forgotten Password functionality, run the following curl command:

curl -X GET https://login.example.com/oam/services/rest/access/api/v1/pswdmanagement/UserPasswordPolicyRetriever/oamadmin?description=true  -u oamadmin:<password> -k

This command displays the password policies.

If this command works, access the protected URL listed below. After you enable single sign-on, you see a link for the forgotten password on the login page. Click this link and enter the user name for which you want to reset the password. Click Generate Pin to receive an email, which enables you to change the password.

http://iadadmin.example.com/console

Note:

Before validating, ensure that you enable SSO as described in Configuring Single Sign-On for an Enterprise Deployment. Else, validation fails.

Parent topic: Enabling Forgotten Password

Restarting the Access Domain

Restart the Access domain in Kubernetes for the changes to take effect.

To restart the domain:

Stop the domain.

kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "NEVER" }]'

Start the domain.

kubectl -n oamns patch domains accessdomain --type='json' -p='[{"op": "replace", "path": "/spec/serverStartPolicy", "value": "IF_NEEDED" }]'

Parent topic: Configuring Oracle Access Manager Using WDT

Setting the Initial Server Count

When you first created the domain, you specified that only one Managed Server should be started. After you complete the configuration, you can increase the initial server count to the actual number you require.

To increase the server count, use the following command:

kubectl patch cluster -n <OAMNS> <OAM_DOMAIN_NAME>-${CLUSTER_NAME} --type=merge -p '{"spec":{"replicas":<INITIAL_SERVER_COUNT>}}'

If you want two OAM and two Policy Manager Managed Servers, use the following commands:

kubectl patch cluster -n oamns accessedomain-oam-cluster --type=merge -p '{"spec":{"replicas":2}}'

kubectl patch cluster -n oamns accessdomain-policy-cluster --type=merge -p '{"spec":{"replicas":2}}'

Parent topic: Configuring Oracle Access Manager Using WDT

Centralized Monitoring Using Grafana and Prometheus

If you are using a centralized Prometheus and Grafana deployment to monitor your infrastructure, you can send Oracle Access Management data to this application. If you have not yet deployed Prometheus and Grafana, see Installing Prometheus and Grafana.

To use the centralized Prometheus and Grafana for monitoring your infrastructure, perform the following steps:

Parent topic: Configuring Oracle Access Manager Using WDT

Downloading and Compiling the Monitoring Application

To download and configure the monitoring application for the Oracle Access Manager WebLogic cluster:

Change the directory to the sample scripts which set up monitoring:
```
cd <WORKDIR>/samples/monitoring-service/scripts
```
For example:
```
cd /workdir/OAM/samples/monitoring-service/scripts
```

Run the get-wls-exporter.sh script.

Before you run the script, set the environment variables that determine your environment setup:

export adminServerPort=<OAM_ADMIN_PORT>

export wlsMonitoringExporterTopolicyCluster=true

export policyManagedServerPort=15100

export wlsMonitoringExporterTooamCluster=true

export oamManagedServerPort=14100

export domainNamespace=<OAMNS>

export domainUID=<OAM_DOMAIN_NAME>

export weblogicCredentialsSecretName=<OAM_DOMAIN_NAME>-credentials

For example:

export adminServerPort=7001

export wlsMonitoringExporterTopolicyCluster=true

export policyManagedServerPort=15100

export wlsMonitoringExporterTooamCluster=true

export oamManagedServerPort=14100

export domainNamespace=oamns

export domainUID=accessdomain

export weblogicCredentialsSecretName=accessdomain-credentials

Execute the script using the following command:

./get-wls-exporter.sh

The output appears as follows:

% Total    % Received % Xferd   Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0     0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0     0 --:--:-- --:--:-- --:--:--     0

  0     0    0     0    0     0      0     0 --:--:-- --:--:-- --:--:--     0
  5 2196k    5  127k    0     0  74408     0  0:00:30  0:00:01  0:00:29  129k
100 2196k  100 2196k    0     0  1017k     0  0:00:02  0:00:02 --:--:-- 1582k
created /home/opc/workdir/OAM/samples/monitoring-service/scripts/wls-exporter-deploy dir
adminServerName is empty, setting to default "AdminServer"
oamClusterName is empty, setting to default "oam_cluster"
policyClusterName is empty, setting to default "policy_cluster"
created /tmp/ci-x9jR7O0jjm
/tmp/ci-x9jR7O0jjm ~/workdir/OAM/samples/monitoring-service/scripts
in temp dir
  adding: WEB-INF/weblogic.xml (deflated 61%)
  adding: config.yml (deflated 60%)
~/workdir/OAM/samples/monitoring-service/scripts
created /tmp/ci-mRTU0hjM1q
/tmp/ci-mRTU0hjM1q ~/workdir/OAM/samples/monitoring-service/scripts
in temp dir
  adding: WEB-INF/weblogic.xml (deflated 61%)
  adding: config.yml (deflated 60%)
~/workdir/OAM/samples/monitoring-service/scripts
created /tmp/ci-OD0EAjb7M5
/tmp/ci-OD0EAjb7M5 ~/workdir/OAM/samples/monitoring-service/scripts
in temp dir
  adding: WEB-INF/weblogic.xml (deflated 61%)
  adding: config.yml (deflated 60%)
~/workdir/OAM/samples/monitoring-service/scripts

Parent topic: Centralized Monitoring Using Grafana and Prometheus

Deploying the Monitoring Application into the WebLogic Domain

The earlier section created a number of WAR files containing the monitoring application. See Downloading and Compiling the Monitoring Application. These files need to be deployed inside the WebLogic domain. Oracle provides a script to deploy the files. Before you run the script, copy the files to the container containing the WebLogic Administration Server.

To deploy the application:

Change directory to the sample file location:

cd <WORKDIR>/samples/monitoring-service/scripts

For example:

cd /workdir/OAM/samples/monitoring-service/scripts

Copy files to the Administration Server container by using the following commands:

kubectl cp <WORKDIR>/samples/monitoring-service/scripts/wls-exporter-deploy  <OAMNS>/<OAM_DOMAIN_NAME>-adminserver:/u01/oracle

kubectl cp <WORKDIR>/samples/monitoring-service/scripts/deploy-weblogic-monitoring-exporter.py  <OAMNS>/<OAM_DOMAIN_NAME>-adminserver:/u01/oracle/wls-exporter-deploy

For example:

kubectl cp /workdir/OAM/samples/monitoring-service/scripts/wls-exporter-deploy  oamns/accessdomain -adminserver:/u01/oracle

kubectl cp /workdir/OAM/samples/monitoring-service/scripts/deploy-weblogic-monitoring-exporter.py  oamns/accessdomain-adminserver:/u01/oracle/wls-exporter-deploy

Deploy the application using the following command:

kubectl exec -it -n <OAMNS> <OAM_DOMAIN_NAME>-adminserver -- /u01/oracle/oracle_common/common/bin/wlst.sh \
-domainName <OAM_DOMAIN_NAME> \
-adminServerName AdminServer \
-adminURL <OAM_DOMAIN_NAME>-adminserver:<OAM_ADMIN_PORT> \
-username <OAM_WEBLOGIC_USER> \
-password <OAM_WEBLOGIC_PWD> \
-oamClusterName oam_cluster \
-wlsMonitoringExporterTooamCluster true \
-policyClusterName policy_cluster \
-wlsMonitoringExporterTopolicyCluster true

For example:

kubectl exec -it -n oamns acccessdomain-adminserver -- /u01/oracle/oracle_common/common/bin/wlst.sh \
-domainName accessdomain \
-adminServerName AdminServer \
-adminURL accessdomain-adminserver:7001 \
-username weblogic \
-password MyPassword \
-oamClusterName oam_cluster \
-wlsMonitoringExporterTooamCluster true \
-policyClusterName policy_cluster \
-wlsMonitoringExporterTopolicyCluster true

The output appears as follows:

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://accessdomain-adminserver:7001 with userid weblogic ...
Successfully connected to Admin Server "AdminServer" that belongs to domain "accessdomain".

Warning: An insecure protocol was used to connect to the server.
To ensure on-the-wire security, the SSL port or Admin port should be used instead.

Deploying .........
Deploying application from /u01/oracle/wls-exporter-deploy/wls-exporter-adminserver.war to targets AdminServer (upload=true) ...
<Aug 18, 2022 10:12:01 AM GMT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating deploy operation for application, wls-exporter-adminserver [archive: /u01/oracle/wls-exporter-deploy/wls-exporter-adminserver.war], to AdminServer .>
.Completed the deployment of Application with status completed
Current Status of your Deployment:
Deployment command type: deploy
Deployment State : completed
Deployment Message : no message
Starting application wls-exporter-adminserver.
<Aug 18, 2022 10:12:07 AM GMT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating start operation for application, wls-exporter-adminserver [archive: null], to AdminServer .>
.Completed the start of Application with status completed
Current Status of your Deployment:
Deployment command type: start
Deployment State : completed
Deployment Message : no message
Deploying .........
Deploying application from /u01/oracle/wls-exporter-deploy/wls-exporter-oam.war to targets oam_cluster (upload=true) ...
<Aug 18, 2022 10:12:10 AM GMT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating deploy operation for application, wls-exporter-oam [archive: /u01/oracle/wls-exporter-deploy/wls-exporter-oam.war], to oam_cluster .>
..Completed the deployment of Application with status completed
Current Status of your Deployment:
Deployment command type: deploy
Deployment State : completed
Deployment Message : no message
Starting application wls-exporter-oam.
<Aug 18, 2022 10:12:18 AM GMT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating start operation for application, wls-exporter-oam [archive: null], to oam_cluster .>
.Completed the start of Application with status completed
Current Status of your Deployment:
Deployment command type: start
Deployment State : completed
Deployment Message : no message
Deploying .........
Deploying application from /u01/oracle/wls-exporter-deploy/wls-exporter-policy.war to targets policy_cluster (upload=true) ...
<Aug 18, 2022 10:12:22 AM GMT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating deploy operation for application, wls-exporter-policy [archive: /u01/oracle/wls-exporter-deploy/wls-exporter-policy.war], to policy_cluster .>
.Completed the deployment of Application with status completed
Current Status of your Deployment:
Deployment command type: deploy
Deployment State : completed
Deployment Message : no message
Starting application wls-exporter-policy.
<Aug 18, 2022 10:12:26 AM GMT> <Info> <J2EE Deployment SPI> <BEA-260121> <Initiating start operation for application, wls-exporter-policy [archive: null], to policy_cluster .>
.Completed the start of Application with status completed
Current Status of your Deployment:
Deployment command type: start
Deployment State : completed
Deployment Message : no message
Disconnected from weblogic server: AdminServer


Exiting WebLogic Scripting Tool.

<Aug 18, 2022 10:12:30 AM GMT> <Warning> <JNDI> <BEA-050001> <WLContext.close() was called in a different thread than the one in which it was created.>

Parent topic: Centralized Monitoring Using Grafana and Prometheus

Configuring the Prometheus Operator

Prometheus enables you to collect metrics from the WebLogic Monitoring Exporter. The Prometheus Operator identifies the targets by using service discovery. To get the WebLogic Monitoring Exporter end point discovered as a target, you must create a service monitor that points to the service.

The exporting of metrics from wls-exporter requires basicAuth. Therefore, a Kubernetes secret is created with the user name and password that are base64 encoded. This secret is used in the ServiceMonitor deployment. The wls-exporter-ServiceMonitor.yaml file has basicAuth with credentials as username: <OAM_WEBLOGIC_USER> and password: <OAM_WEBLOGIC_PWD> in base64 encoded.

Run the following command to get the base64 encoded version of the weblogic username:
```
echo -n "weblogic” | base64
```
The output appears as follows:
```
d2VibG9naWM=
```
Run the following command to get the base64 encoded version of the weblogic password:
```
echo -n "<OAM_WEBLOGIC_PWD>" | base64
```
The output appears as follows:
```
V2VsY29tZTE=
```
Copy the template file <WORKDIR>/samples/monitoring-service/manifests/wls-exporter-ServiceMonitor.yaml.template to <WORKDIR>/samples/monitoring-service/manifests/wls-exporter-ServiceMonitor.yaml.

Update the <WORKDIR>/samples/monitoring-service/manifests/wls-exporter-ServiceMonitor.yaml location and change the user and password values to the values returned in Step 2.

Also, change the values of the following to match the OAM namespace, domain name, and Prometheus release name. For example:

namespace: oamns
weblogic.domainName: accessdomain

release: kube-prometheus

You can get the release name by using the command:

kubectl get prometheuses.monitoring.coreos.com --all-namespaces -o jsonpath="{.items[*].spec.serviceMonitorSelector}"

For example:

apiVersion: v1
kind: Secret
metadata:
  name: basic-auth
  namespace: oamns
data:
  password: V2VsY29tZTE=
  user: d2VibG9naWM=
type: Opaque
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: wls-exporter
  namespace: oamns
  labels:
    k8s-app: wls-exporter
    release: monitoring
spec:
  namespaceSelector:
    matchNames:
    - oamns
  selector:
    matchLabels:
      weblogic.domainName: accessdomain
  endpoints:
  - basicAuth:
      password:
        name: basic-auth
        key: password
      username:
        name: basic-auth
        key: user
    port: default
    relabelings:
      - action: labelmap
        regex: __meta_kubernetes_service_label_(.+)
    interval: 10s
    honorLabels: true
    path: /wls-exporter/metrics

Update the <WORKDIR>/samples/monitoring-service/manifests/prometheus-roleSpecific-domain-namespace.yaml and <WORKDIR>/samples/monitoring-service/manifests/prometheus-roleBinding-domain-namespace.yaml files and change the namespace to match the OAM namespace. For example:

prometheus-roleSpecific-domain-namespace.yaml

apiVersion: rbac.authorization.k8s.io/v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: prometheus-k8s
    namespace: oamns
  rules:
  - apiGroups:
    - ""
    resources:
    - services
    - endpoints
    - pods
    verbs:
    - get
    - list
    - watch
kind: RoleList

prometheus-roleBinding-domain-namespace.yaml:

apiVersion: rbac.authorization.k8s.io/v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: prometheus-k8s
    namespace: oamns
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: prometheus-k8s
  subjects:
  - kind: ServiceAccount
    name: prometheus-k8s
    namespace: monitoring
kind: RoleBindingList

Run the following command to enable Prometheus:

kubectl apply -f

The output appears as follows:

rolebinding.rbac.authorization.k8s.io/prometheus-k8s created
role.rbac.authorization.k8s.io/prometheus-k8s created
secret/basic-auth created
servicemonitor.monitoring.coreos.com/wls-exporter created

Parent topic: Centralized Monitoring Using Grafana and Prometheus

Discovering the Prometheus Service

After you deploy ServiceMonitor, wls-exporter is discovered by Prometheus and is able to collect the metrics.

Access the following URL to view the Prometheus service discovery:

http://<K8_WORKER1>:32101/service-discovery
Click <OAMNS>/wls-exporter/0, and then click Show More. Verify that all the targets are listed.

Parent topic: Centralized Monitoring Using Grafana and Prometheus

Centralized Log File Monitoring Using Elasticsearch and Kibana

If you are using Elasticsearch and Kibana, you can configure a Logstash pod to send the log files to the centralized Elasticsearch/Kibana console. Before you configure the Logstash pod, ensure that you have access to a centralized Elasticsearch deployment.

OAM persistent volume, so it can be loaded by the Logstash pod to hunt for log files.
The location of the log files in the persistent volumes.
The location of the centralized Elasticsearch.

To configure the Logstash pod, perform the following steps. The assumption is that you have an Elasticsearch running inside the Kubernetes cluster, in a namespace called elkns.

Parent topic: Configuring Oracle Access Manager Using WDT

Creating a Secret for Elasticsearch

Logstash requires credentials to connect to the elasticsearch deployment. These credentials are stored in Kubernetes as a secret.

If your Elasticsearch uses an API key for authentication, then use the following command:

kubectl create secret generic elasticsearch-pw-elastic -n <OAMNS> --from-literal password=<ELK_APIKEY>

For example:

kubectl create secret generic elasticsearch-pw-elastic -n oamns --from-literal password=afshfashfkahf5f

If Elasticsearch uses a user name and password for authentication, then use the following command:

kubectl create secret generic elasticsearch-pw-elastic -n <OAMNS> --from-literal password=<ELK_PWD>

For example:

kubectl create secret generic elasticsearch-pw-elastic -n oamns --from-literal password=mypassword

You can find the Elasticsearch password using the following command:

kubectl get secret elasticsearch-es-elastic-user -n <ELKNS> -o go-template='{{.data.elastic | base64decode}}'

Parent topic: Centralized Log File Monitoring Using Elasticsearch and Kibana

Creating a Configuration Map for ELK Certificate

If you have configured a production ready Elasticsearch deployment, you would have configured SSL. Logstash needs to trust the Elasticsearch certificate to be able to communicate with it. To enable this trust, you should create a configuration map with the contents of the Elasticsearch certificate.

You would have already saved the Elasticsearch self-signed certificate. See Copying the Elasticsearch Certificate. If you have a production certificate you can use that instead.

Create the configuration map using the certificate by running the following command:

kubectl create configmap elk-cert --from-file=<WORKDIR>/ELK/elk.crt -n <OAMNS>

For example:

kubectl create configmap elk-cert --from-file=/workdir/ELK/elk.crt -n oamns

Parent topic: Centralized Log File Monitoring Using Elasticsearch and Kibana

Creating a Configuration Map for Logstash

Logstash looks for log files in the OAM installations and sends them to the centralized Elasticsearch. The configuration map is used to instruct Logstash where the log files reside and where to send them.

Create a file called <WORKDIR>/OAM/logstash_cm.yaml with the following contents:

apiVersion: v1
kind: ConfigMap
metadata:
  name: oam-logstash-configmap
  namespace: <OAMNS>
data:
  logstash.yaml: |
  #http.host: "0.0.0.0"
  logstash-config.conf: |
    input {
      file {
        path => "/u01/oracle/user_projects/domains/logs/accessdomain/AdminServer*.log"
        tags => "Adminserver_log"
        start_position => beginning
      }
      file {
        path => "/u01/oracle/user_projects/domains/logs/accessdomain/oam_policy_mgr*.log"
        tags => "Policymanager_log"
        start_position => beginning
      }
      file {
        path => "/u01/oracle/user_projects/domains/logs/accessdomain/oam_server*.log"
        tags => "Oamserver_log"
        start_position => beginning
      }
      file {
        path => "/u01/oracle/user_projects/domains/accessdomain/servers/AdminServer/logs/AdminServer-diagnostic.log"
        tags => "Adminserver_diagnostic"
        start_position => beginning
      }
      file {
        path => "/u01/oracle/user_projects/domains/accessdomain/servers/**/logs/oam_policy_mgr*-diagnostic.log"
        tags => "Policy_diagnostic"
        start_position => beginning
      }
      file {
        path => "/u01/oracle/user_projects/domains/accessdomain/servers/**/logs/oam_server*-diagnostic.log"
        tags => "Oamserver_diagnostic"
        start_position => beginning
      }
      file {
        path => "/u01/oracle/user_projects/domains/accessdomain/servers/**/logs/access*.log"
        tags => "Access_logs"
        start_position => beginning
      }
      file {
        path => "/u01/oracle/user_projects/domains/accessdomain/servers/AdminServer/logs/auditlogs/OAM/audit.log"
        tags => "Audit_logs"
        start_position => beginning
      }
    }
    filter {
      grok {
        match => [ "message", "<%{DATA:log_timestamp}> <%{WORD:log_level}> <%{WORD:thread}> <%{HOSTNAME:hostname}> <%{HOSTNAME:servername}> <%{DATA:timer}> <<%{DATA:kernel}>> <> <%{DATA:uuid}> <%{NUMBER:timestamp}> <%{DATA:misc}> <%{DATA:log_number}> <%{DATA:log_message}>" ]
      }
    if "_grokparsefailure" in [tags] {
        mutate {
            remove_tag => [ "_grokparsefailure" ]
        }
    }
    }
    output {
      elasticsearch {
        hosts => ["<ELK_HOST>"]
        cacert => '/usr/share/logstash/config/certs/elk.crt'
        index => "oamlogs-000001"
        ssl => true
        ssl_certificate_verification => false
        user => "<ELK_USER>"
        password => "${ELASTICSEARCH_PASSWORD}"
      }
    }

Save the file.

Create the configuration map using the following command:

kubectl create -f <WORKDIR>/OAM/logstash_cm.yaml

For example:

kubectl create -f /workdir/OAM/logstash_cm.yaml

Validate that the configuration map has been created by using the following command:
```
kubectl get cm -n <OAMNS>
```
You should see oam-logstash-configmap in the list of configuration maps.

Parent topic: Centralized Log File Monitoring Using Elasticsearch and Kibana

Creating a Logstash Deployment

After you create the configuration map, you can create the Logstash deployment. This deployment resides in the OAM namespace.

Determine the mount point of the OAM persistent volume by using the following command:
```
kubectl describe domains <OAM_DOMAIN_NAME> -n <OAMNS> | grep "Mount Path"
```
For example:
```
kubectl describe domains accessdomain -n oamns | grep "Mount Path"
```
Make a note of this value. You will require it for the file that is created in the next step.

Create a file called <WORKDIR>/OAM/logstash.yaml with the following contents:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: oam-logstash
  namespace: <OAMNS>
spec:
  selector:
    matchLabels:
      k8s-app: logstash
  template: # create pods using pod definition in this template
    metadata:
      labels:
        k8s-app: logstash
    spec:
      imagePullSecrets:
      - name: dockercred
      containers:
      - command:
        - logstash
        image: logstash:<ELK_VER>
        imagePullPolicy: IfNotPresent
        name: oam-logstash
        env:
        - name: ELASTICSEARCH_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elasticsearch-pw-elastic
              key: password
        ports:
        - containerPort: 5044
          name: logstash
        volumeMounts:
        - mountPath: <MOUNT_PATH>
          name: weblogic-domain-storage-volume
        - name: shared-logs
          mountPath: /shared-logs
        - mountPath: /usr/share/logstash/pipeline/
          name: oam-logstash-pipeline
        - mountPath: /usr/share/logstash/config/certs
          name: elk-cert
      volumes:
      - configMap:
          defaultMode: 420
          items:
          - key: ca.crt
            path: elk.crt
          name: elk-cert
        name: elk-cert
      - configMap:
          defaultMode: 420
          items:
          - key: logstash-config.conf
            path: logstash-config.conf
          name: oam-logstash-configmap
        name: oam-logstash-pipeline
      - configMap:
          defaultMode: 420
          items:
          - key: logstash.yaml
            path: logstash.yaml
          name: oam-logstash-configmap
        name: config-volume
      - name: weblogic-domain-storage-volume
        persistentVolumeClaim:
          claimName: <OAM_DOMAIN_NAME>-domain-pvc
      - name: shared-logs
        emptyDir: {}

Note:

If you are using your own registry, include the registry name in the image tag. If you have created a regcred secret for your registry, replace the imagePullSecrets name with the secret name you created. For example: regcred.

Save the file.

Create the Logstash deployment by using the following command:

kubectl create -f <WORKDIR>/OAM/logstash.yaml

For example:

kubectl create -f /workdir/OAM/logstash.yaml

You can now create a pod called logstash by using the following command:
```
kubectl get pod -n oamns
```
Your logs will now be available in the Kibana console.

Parent topic: Centralized Log File Monitoring Using Elasticsearch and Kibana

Backing Up the Configuration

As a best practice, Oracle recommends you to back up the configuration after you have successfully extended a domain or at another logical point. Back up only after you have verified that the installation is successful so far. This is a quick backup to enable immediate restoration in case of problems in later steps.

In a Kubernetes environment, it is sufficient to back up the persistent volume and the database.

The backup destination is the local disk. You can discard this backup when the enterprise deployment setup is complete. After the enterprise deployment setup is complete, you can initiate the regular deployment-specific Backup and Recovery process.

For information about backing up your configuration, see Performing Backups and Recoveries for an Enterprise Deployment.

Parent topic: Configuring Oracle Access Manager Using WDT