1. Administering Oracle Advanced Authentication and Oracle Adaptive Risk Management
  2. Upgrading OAA, OARM, and OUA
  3. Upgrading OAA, OARM, and OUA
  4. Preparing the Environment for Upgrade

6.1 Preparing the Environment for Upgrade

Before starting an upgrade, you must prepare your existing environment.

General Prerequisites

The following must be met before performing the upgrade:
  • The Kubernetes cluster must be upgraded to meet the minimum version requirements outlined in Document ID 2723908.1 on My Oracle Support.
  • The OAA and OARM deployment must be up and running.
  • Make sure the installation host prerequisites are met as per Installation Host Requirements.
  • The installation host must have access to the NFS volumes for the existing deployment. See Configuring NFS Volumes.

Upgrading To Include Oracle Universal Authenticator

If you haven't previously configured Oracle Universal Authenticator (OUA) and want to upgrade OAA to include OUA, you must perform the following steps:
  1. Upgrade Oracle Access Management (OAM) to April 24 Bundle Patch or later.
  2. Follow OAM Requirements for Oracle Universal Authenticator.
  3. Add an additional image registry, oaa-drss, to your repository. See Installing a Container Image Registry (CIR).
  4. Add the LDAP attribute obpsftid: true to any user who is to use OUA. See Creating Users and Groups in the LDAP Store.

Push Notification for Android Devices

From June 2024 Google are removing deprecated FCM legacy APIs, see Migrate from legacy FCM APIs to HTTP v1. As a result, if you have push notifications for Android configured in your existing deployment, you need to perform some changes to your existing configuration:
  1. Login to Google Firebase console at https://console.firebase.google.com/.
  2. Click on your existing Firebase project, for example OAAAndroidPUSH.

    Note:

    If you no longer have access to the account that created the project, you will need to create a new project using the instructions in Creating a Google Firebase Project Enabled for Google Cloud Messaging and then update the senderId parameter as per Configuring OAA Properties for Android Push Notification.
  3. In the left navigation pane of the project window, click the Settings icon, and then select Project settings.
  4. Go to the Service Accounts tab and click Generate new private key. In the Generate new private key window, click Generate key. This will generate a service account json file. Download and save the file, for example service-account.json, and keep it secure.
  5. Create a directory in the NFS volume <NFS_VAULT_PATH> and copy the json file across:
    cd <NFS_VAULT_PATH>
$ mkdir -p ChallengeOMAPUSH/gcm
$ cp service-account.json <NFS_VAULT_PATH>/ChallengeOMAPUSH/gcm
$ sudo chmod 444 <NFS_VAULT_PATH>/ChallengeOMAPUSH/gcm/service-account.json
  6. Edit the <NFS_LOG_PATH>/status.info and set the following vault parameters to false, then save the file:
    VAULTINSTALL=false
VAULTCHECK=false

Preparing the Environment for Upgrade

  1. Take a backup of the existing installOAA.properties in case you need to rollback the upgrade:
    cd <NFS_CONFIG_PATH>
cp installOAA.properties installOAA.properties.<release-date>
  2. Download and extract the latest OAA installation files to the installation host as per Downloading Installation Files and Preparing the Management Container.

    Note:

    When you unzip the file it will create the oaa-install directory, for example $WORKDIR/oaaimages/oaa-install. This directory will be used in the steps that follow.
  3. Find the name of the existing OAA Management container:
    kubectl get pods -n <namespace> | grep oaamgmt
    For example:
    kubectl get pods -n oaans | grep oaamgmt
    The output will look similar to the following:
    oaamgmt-oaa-mgmt-bf6d5c88-29lrn           1/1     Running   0          64d
  4. Copy the installOAA.properties for the current deployment to the $WORKDIR/oaaimages/oaa-install directory:
    kubectl cp <namespace>/<oaamgmt-pod>:/u01/oracle/scripts/settings/installOAA.properties $WORKDIR/oaaimages/oaa-install/installOAA.properties
    For example:
    kubectl cp oaans/oaamgmt-oaa-mgmt-bf6d5c88-29lrn:/u01/oracle/scripts/settings/installOAA.properties $WORKDIR/oaaimages/oaa-install/installOAA.properties
  5. Edit the $WORKDIR/oaaimages/oaa-install/installOAA.properties and change the install.global.image.tag to the image tag for the latest release.

    Note:

    You can find the correct value for install.global.image.tag in the $WORKDIR/oaaimages/oaa-install/installOAA.properties.template.
  6. If you are upgrading an installation to include OUA, you must edit the $WORKDIR/oaaimages/oaa-install/installOAA.properties and change the following:
    • common.deployment.mode=OUA
    • install.global.drssapikey=drssapikeytobesetduringinstallation.

      Note:

      Change drssapikeytobesetduringinstallation to a value of your choice.
    • Edit the OUA Configuration section as per Oracle Universal Authenticator Configuration.
  7. If you have push notifications for Android configured, you must edit the $WORKDIR/oaaimages/oaa-install/installOAA.properties file and update the common.deployment.push.gcmjsonfile parameter to point at the service-account.json file downloaded earlier:
    common.deployment.push.gcmjsonfile=/u01/oracle/service/store/oaa/ChallengeOMAPUSH/gcm/service-account.json

    Note:

    /u01/oracle/service/store/oaa/ChallengeOMAPUSH/gcm/service-account.json is the internal mapping to <NFS_VAULT_PATH>/ChallengeOMAPUSH/gcm/service-account.json.
  8. Ensure that the OAA Management helm chart (oaamgmt) is visible by running the following command:
    helm ls -n <namespace> | grep oaamgmt
    For example:
    helm ls -n oaans | grep oaamgmt
    The output should look similar to the following:
    oaamgmt   oaans   1   <DATE> <TIME> +0000 UTC deployed   oaa-mgmt-1.0.0-12.2.1.4.1-<TAG>   0.1.0

Next Steps: Performing the Upgrade.