9.2 Performing the Transition

Prerequisites: Ensure you have followed the prerequisites before starting the transition. For details, see Prerequisite Configurations for Installing OAA, OARM, and OUA.

Perform the following steps to transition from OAAM to OAA, OARM, and OUA.

  1. Obtain the bharosa.uio.default.user.group property value from the OAAM Administration console.
    1. Log in to the OAAM Administration console. For example: http://oaam.example.com:14200/oaam_admin.
    2. In the left-hand navigation menu, select Properties and search for the property bharosa.uio.default.user.group.
    3. In the Search Results make note of the value returned. This value will be set later for oauth.applicationid in installOAA.properties.
  2. Obtain the OAAM schema details. You must have the following information prior to performing the transition:
    • The hostname and listener port of the cloned OAAM database
    • The name of the OAAM schema (for example, DEV_OAAM) and the schema password
    • The SYS schema password
  3. Export OAAM Config Keys from Oracle Fusion Middleware Enterprise Manager 11g.
    1. Log in to the Oracle Fusion Middleware Enterprise Manager 11g for OAAM. For example, http://oaam.example.com:7001/em
    2. In the left-hand navigation menu, expand WebLogic Domain. Right-click the domain and select Security and then Credentials.
    3. In the Credentials pane expand oaam and make sure the keys DESede_db_key_alias and DESede_config_key_alias exist.
    4. Select DESede_db_key_alias key and click Edit. Make note of the value under "Credential."
    5. Select DESede_config_key_alias key and click Edit. Make note of the value under "Credential".
  4. Set the following properties in the installOAA.properties file. For details about the installOAA.properties file, see Preparing the Properties file for Installation.
    1. Set oauth.applicationid to the value returned earlier for bharosa.uio.default.user.group.
    2. The following database parameters must be set to the cloned OAAM database and schemas:
      database.createschema=false
      database.host=<OAAM_DB_HOST>
      database.port=<OAAM_DB_PORT>
      database.sysuser=sys
      database.syspassword=<SYS_PASSWORD>
      database.schema=<OAAM_SCHEMA>
      database.schemapassword=<OAAM_SCHEMA_PASSWORD>
      database.svc=<OAAM_DB_SERVICE_NAME>
      database.name=<OAAM_DB_NAME>
      For example,
      database.createschema=false
      database.host=oaamdb.example.com
      database.port=1521
      database.sysuser=sys
      database.syspassword=<password>
      database.schema=DEV_OAAM
      database.schemapassword=<password>
      database.svc=oaamdb.example.com
      database.name=oaamdb

      Note:

      database.tablespace=DEV_OAA_TBS is not required because database.createschema=false.
    3. Set the deployment mode based on the install type. Possible values are OAA, Both, or OUA. Default mode is Both, which installs OAA integrated with OARM.
      For example:
      common.deployment.mode=Both
    4. Set the OAAM configuration keys:
      • Base64 encoded config key from the migrating system: common.migration.configkey=

        If enabled, the value is placed in the vault and used for migration of legacy data.

        Set the parameter common.migration.configkey to the value returned for DESede_config_key_alias in Oracle Fusion Middleware Enterprise Manager 11g. For example:
        common.migration.configkey=Z147tibEm2iDoV5o5kwV0BUIvCo0Auxu
        
      • Base64 encoded db key from the migrating system: common.migration.dbkey=

        If enabled, the value is placed in the vault and used for migration of DB data.

        Set the parameter common.migration.dbkey to the value returned for DESede_db_key_alias in Oracle Fusion Middleware Enterprise Manager 11g. For example:
        common.migration.dbkey=8b/3zUb0Bz3qIz5uwg0jUW77W3oZtVtK
        
    5. If the OAAM environment is integrated with OIM 12cPS4 then set the following parameter:
      common.oim.integration=true
      

      This also enables the forgot password functionality.

    6. Set the import snapshot property to false:
      common.deployment.import.snapshot=false

      Note:

      This is a very important step. Don't set this value to true. If you set this value to true your OAAM data will be overwritten!
  5. If you intend to install OUA, you must change the following in the installOAA.properties:
    • common.deployment.mode=OUA
    • install.global.drssapikey=drssapikeytobesetduringinstallation.

      Note:

      Change drssapikeytobesetduringinstallation to a value of your choice.
    • Edit the OUA Configuration section as per Oracle Universal Authenticator Configuration.
  6. Deploy OAA, OARM, and OUA. For details, see Deploying OAA, OARM, and OUA.
  7. Set the vcryptuser.groupid.lowercase configuration property so that OAA and OAAM use the same groupid convention. Use the <PolicyUrl>/policy/config/property/v1 REST API as shown in the following sample request.
    curl --location -g --request PUT '<PolicyUrl>/policy/config/property/v1' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
    --data '[
    {
    "name": "vcryptuser.groupid.lowercase",
     "value": "false"
     }
    ]'

    Note:

    In this case, remove /oaa-policy from the <PolicyUrl>. For example, use https://<host>:<port>/policy/config/property/v1 and not https://<host>:<port>/oaa-policy/policy/config/property/v1.

    For details about finding the PolicyUrl and authenticating, see OAA Admin API.

    For details about the REST API, see Configuration Properties REST Endpoints.

  8. If you have performed a NodePort-only installation, perform post-installation tasks. See Post-Installation Steps for NodePort.
  9. Follow the Post Installation Steps for Installs Containing OARM.

    Note:

    Do NOT follow Post Installation Steps for All Installations as you will overwrite the risk policies.
  10. If you have changed the oauth.applicationid parameter from the default value myoaaprotectedapp1 in the installOAA.properties then follow the Update the oua.drss.oaa.group Property section in Post Installation Steps for Oracle Universal Authenticator.

    Note:

    Do NOT follow the Run configureDRSS.sh To Create OUA Integration Agent Components section as this will have been done automatically for you during the transition.
  11. If you were previously using an OAM-OAAM integrated environment then OAM 12cPS4 must be rewired to use OAA. For details, see Integrate Oracle Access Management with Oracle Advanced Authentication.

    Note:

    In the section Update the WebGate to use the OAA MFA Scheme for the protected application, update your protected applications to use the new Authentication Policy: OAA_MFA-Policy.
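
A pre-deployment check for the installOAA.properties settings from steps 4 and 5, run before step 6. This is an added example, not part of the Oracle documentation or tooling: the function names and the sample oauth.applicationid value are constructed, and the 24-byte key length is an assumption based on the page's example DESede key values.

```python
import base64

# Constructed sample that mirrors the page's example values (not real secrets).
SAMPLE = """\
oauth.applicationid=OAAMGroup
database.createschema=false
common.deployment.mode=Both
common.migration.configkey=Z147tibEm2iDoV5o5kwV0BUIvCo0Auxu
common.migration.dbkey=8b/3zUb0Bz3qIz5uwg0jUW77W3oZtVtK
common.deployment.import.snapshot=false
"""

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")  # keeps '=' padding in values
            props[key.strip()] = value.strip()
    return props

def check_transition(props):
    """Return a list of problems found in the transition settings."""
    problems = []
    # The page requires both to be false; import.snapshot=true overwrites OAAM data.
    for key in ("database.createschema", "common.deployment.import.snapshot"):
        if props.get(key, "").lower() != "false":
            problems.append(f"{key} must be false")
    if not props.get("oauth.applicationid"):
        problems.append("oauth.applicationid is not set")
    mode = props.get("common.deployment.mode", "Both")
    if mode not in ("OAA", "Both", "OUA"):
        problems.append(f"common.deployment.mode has unknown value {mode!r}")
    drss = props.get("install.global.drssapikey", "")
    if mode == "OUA" and drss in ("", "drssapikeytobesetduringinstallation"):
        problems.append("install.global.drssapikey still has the placeholder value")
    for key in ("common.migration.configkey", "common.migration.dbkey"):
        try:
            raw = base64.b64decode(props.get(key, ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append(f"{key} is not valid Base64")
            continue
        # Assumption: a three-key DESede key is 24 bytes, as in the page's examples.
        if len(raw) != 24:
            problems.append(f"{key} decodes to {len(raw)} bytes, expected 24")
    return problems

if __name__ == "__main__":
    print("\n".join(check_transition(parse_properties(SAMPLE)) or ["OK"]))
```

To check a real file, pass its contents to parse_properties() in place of SAMPLE; an empty list from check_transition() means none of the listed problems were found.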