B Understanding OAA/OARM Backup and Recovery

This chapter contains information on backup and recovery techniques. It contains the following sections:

B.1 Backing Up OAA/OARM

Oracle recommends that you periodically take a full backup of OAA/OARM data so that you can recover from any unforeseen event and restore your OAA/OARM system.

OAA/OARM consists of file system data, policy and configuration data, and runtime data:
  • File system data is stored in the NFS volumes. This data includes wallets, the vault, installation properties, and logs.
  • Policy and configuration data is stored in the database. This data includes assurance levels, rules, policies, actions, groups, customized configuration properties, and transaction definitions.
  • Runtime data is stored in the database. This data includes user preferences, user sessions, custom user activities, and online transaction and processing data.

A full backup consists of a backup of the file system data and a backup of the database.

Oracle also recommends taking policy and configuration data snapshots at various intervals, or when significant policy or configuration changes are made.

B.1.1 Backing Up File System Data

Oracle recommends that you periodically back up OAA/OARM file system data so that you can recover from any unforeseen event and restore your OAA/OARM system.

OAA/OARM file system data is stored in the NFS volumes: <NFS_CONFIG_PATH>, <NFS_CREDS_PATH>, <NFS_LOGS_PATH>, and <NFS_VAULT_PATH>.

You must back up the contents of these NFS volumes by copying them, or by creating a compressed zip or tar file, and store the files in a safe and secure location.

For more information on the NFS volumes, see: Configuring NFS Volumes.

B.1.2 Backing Up Runtime Data

Oracle recommends that you periodically back up OAA/OARM runtime data so that you can recover from any unforeseen event and restore your OAA/OARM system.

To back up runtime data, use standard database backup techniques.

For OCI-based databases, see Backup Data in Your Databases.

For non-OCI-based databases, see Backup and Recovery User's Guide.

B.1.3 Backing Up Policy and Configuration Data

Oracle recommends that you periodically back up OAA/OARM policy and configuration data so that you can recover from any unforeseen event and restore your OAA/OARM system.

To back up policy and configuration data:

  1. Create a snapshot of the configuration using the <PolicyUrl>/policy/risk/v1/snapshots REST API endpoint. For example:
    curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
    --data '{
        "name":"Backup Snapshot <DATE>",
        "description": "This is a snapshot from <DATE>"
    }'

    For details about finding the PolicyUrl and authenticating, see OAA Admin API.

    For more details about the snapshot endpoint, see Snapshot REST Endpoints.

    The above command will return a snapshotId, for example:
    {
        "status": "201",
        "message": "Snapshot created successfully.",
        "snapshot": {
            "name": "Backup Snapshot <DATE>",
            "description": "This is a snapshot from <DATE>",
            "snapshotId": "3",
            "createTime": "<DATE>"
        }
    }
  2. Export the snapshot to a zip file using the snapshotId returned above, as follows:
    curl --location --request GET '<PolicyUrl>/policy/risk/v1/snapshots/<snapshotId>' \
    --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' >snapshot<DATE>.zip

    Store the downloaded zip file in a safe and secure location.
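The two steps above can be scripted so that a failed export is never stored as a backup. The following is an added example, not Oracle's code: it keeps the credentials off the curl command line, checks that the download really is a zip archive, and records a SHA-256 checksum beside it. The environment variable names POLICY_URL, OAA_USER and OAA_PASS and all function names are assumptions, as is the numeric form of the snapshotId.

```shell
#!/usr/bin/env bash
# Added example, not Oracle's code. Assumed environment variables:
# POLICY_URL, OAA_USER, OAA_PASS (hypothetical names).

# Print the snapshotId from a create/import response. Assumption: ids are
# numeric, as in the page's samples; anything else is rejected so that
# unexpected text never ends up in the export URL.
extract_snapshot_id() {
  local id
  id=$(printf '%s' "$1" | tr -d '\n' |
    sed -n 's/.*"snapshotId"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  case "$id" in
    '' | *[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$id"
}

# True if the file is non-empty and starts with the ZIP local-file signature
# "PK\003\004". A JSON or HTML error body saved as .zip fails this check.
is_zip_file() {
  [ -s "$1" ] && [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# curl wrapper: credentials are passed in a config read from stdin, so they
# do not appear in the process list. --fail turns HTTP errors into a non-zero
# exit. Passwords containing '"' or '\' would need escaping here.
oaa_curl() {
  printf 'user = "%s:%s"\n' "$OAA_USER" "$OAA_PASS" |
    curl --config - --silent --show-error --fail --location "$@"
}

# Create a snapshot, export it, validate the download, record its SHA-256.
backup_policy_snapshot() {
  local stamp resp id out
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="snapshot${stamp}.zip"
  resp=$(oaa_curl --request POST "${POLICY_URL}/policy/risk/v1/snapshots/" \
    --header 'Content-Type: application/json' \
    --data "{\"name\":\"Backup Snapshot ${stamp}\",\"description\":\"This is a snapshot from ${stamp}\"}") || return 1
  id=$(extract_snapshot_id "$resp") || { echo "no snapshotId in response" >&2; return 1; }
  (umask 077 && oaa_curl --request GET \
    "${POLICY_URL}/policy/risk/v1/snapshots/${id}" --output "$out") || return 1
  is_zip_file "$out" || { echo "$out is not a zip archive" >&2; rm -f "$out"; return 1; }
  sha256sum "$out" > "${out}.sha256"
  printf '%s\n' "$out"
}
```

Before importing the zip file during a restore, run `sha256sum -c` against the recorded checksum file to confirm the archive is unchanged.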

B.2 Restoring OAA/OARM

In order to restore system or runtime data, you must first have created a backup. See Backing Up OAA/OARM.

The steps to restore OAA/OARM depend on the reasons for restoring and on whether you are restoring to the same OAA/OARM installation and/or database installation, or to a new installation and/or database installation. The sections below outline the recovery steps based on different scenarios:

B.2.1 Restoring to an Existing Installation

The instructions below can be used to perform the following:
  • A full system restore, where you need to perform a full restore of the file system data, the database (runtime data), and policy and configuration data, to the existing installation. This will restore the environment to the point the last full backup was taken.
  • A partial restore, where you only need to restore one of either system data, policy and configuration data, the database, or a combination thereof, to the existing installation.
  1. If the database needs to be restored, restore the database using standard database recovery techniques. Consult your Oracle Database documentation for further details.
  2. If OAA/OARM file system data needs to be restored, follow section Restoring file system data to an existing installation in Restoring OAA/OARM File System Data.
  3. Restart the OAA/OARM pods by running the following command:
     kubectl get deployment -n <namespace> | grep <deployment-name> | awk '{print $1}' | xargs kubectl rollout restart deployment -n <namespace>
    For example:
    kubectl get deployment -n oaans | grep oaainstall | awk '{print $1}' | xargs kubectl rollout restart deployment -n oaans
    The output will look similar to the following:
    deployment.apps/oaainstall-email restarted
    deployment.apps/oaainstall-fido restarted
    deployment.apps/oaainstall-oaa restarted
    deployment.apps/oaainstall-oaa-admin-ui restarted
    deployment.apps/oaainstall-oaa-kba restarted
    deployment.apps/oaainstall-oaa-policy restarted
    deployment.apps/oaainstall-push restarted
    deployment.apps/oaainstall-risk restarted
    deployment.apps/oaainstall-risk-cc restarted
    deployment.apps/oaainstall-sms restarted
    deployment.apps/oaainstall-spui restarted
    deployment.apps/oaainstall-totp restarted
    deployment.apps/oaainstall-yotp restarted
    deployment.apps/oaamgmt-oaa-mgmt restarted

    The above command starts new OAA/OARM pods first, before shutting down the original pods.

    Run the following command to check the status of the pods:
    kubectl get pods -n <namespace>
    For example:
    kubectl get pods -n oaans
    Once all the previous pods are terminated, and the new pods are at READY 1/1, the system is restored:
    NAME                             READY   STATUS    RESTARTS   AGE
    oaainstall-email-75cccd89f8-9xrgs          1/1     Running   0          5m34s
    oaainstall-fido-68777f8cc8-pfw8c           1/1     Running   0          5m34s
    oaainstall-oaa-74d5669788-lj5cp            1/1     Running   0          5m34s
    oaainstall-oaa-admin-ui-585d55c45b-fzdvk   1/1     Running   0          5m34s
    oaainstall-oaa-kba-5b9db9f8db-zwkh2        1/1     Running   0          5m34s
    oaainstall-oaa-policy-559fb4d777-qjvwm     1/1     Running   0          5m34s
    oaainstall-push-6898c6cb56-l4mg2           1/1     Running   0          5m34s
    oaainstall-risk-cc-db558dc5c-qlh8q         1/1     Running   0          5m34s
    oaainstall-risk-f48b794bc-j46pz            1/1     Running   0          5m34s
    oaainstall-sms-659677b84b-wf7sn            1/1     Running   0          5m34s
    oaainstall-spui-6fc8685df9-fhp9w           1/1     Running   0          5m33s
    oaainstall-totp-cccd94786-622qd            1/1     Running   0          5m33s
    oaainstall-yotp-5fbfd55d4c-d6wqn           1/1     Running   0          5m33s
    oaamgmt-oaa-mgmt-94f84ccc6-gwdp2           1/1     Running   0          5m32s
    
  4. If you need to import any policy and configuration data from snapshots taken after the last database backup, follow Restoring OAA/OARM Policy and Configuration Data.
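The pod status check in step 3 can be automated rather than read by eye. The following is an added example, not part of Oracle's procedure: it parses the output of `kubectl get pods -n <namespace>` and succeeds only when no pod of the previous rollout is still listed as terminating and every pod is Running with all containers ready. The function names and the default 600-second timeout are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Oracle's code.

# Reads `kubectl get pods -n <namespace>` output on stdin.
# Exit 0 only if at least one pod is listed and every pod has
# STATUS Running and READY n/n. Pods that are not ready (including old
# pods still Terminating) are reported on stderr.
pods_all_ready() {
  awk '
    NR == 1 && $1 == "NAME" { next }   # skip the header row
    NF < 3 { next }                    # skip blank or malformed lines
    {
      total++
      split($2, ready, "/")            # READY column, for example 1/1
      if ($3 != "Running" || ready[1] != ready[2]) {
        bad++
        print "not ready: " $1 " " $2 " " $3 > "/dev/stderr"
      }
    }
    END { exit (total == 0 || bad > 0) }
  '
}

# Poll until the restart has completed or the timeout expires.
# usage: wait_for_restore <namespace> [timeout_seconds]
wait_for_restore() {
  local ns=$1
  local deadline=$(( $(date +%s) + ${2:-600} ))
  until kubectl get pods -n "$ns" | pods_all_ready 2>/dev/null; do
    [ "$(date +%s)" -lt "$deadline" ] || return 1
    sleep 10
  done
}
```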

B.2.2 Restoring to a New Installation

The instructions below can be used to perform the following:

  • A full system restore, where you need to perform a full restore of the file system data, the database (runtime data), and policy and configuration data, to a new installation and database environment. This will restore all file system data, policy and configuration data, and runtime data to the point the last full backup was taken.
  • A partial restore where you only need to restore one of either system data, policy and configuration data, the database (runtime data), or a combination thereof, to a new installation.

    Note:

    If you are only restoring the database to a new database installation, you still need to follow step 3 to restore the OAA/OARM file system data.

Note:

The instructions below assume that, if file system data is to be restored to a new installation environment, the necessary installation prerequisites for that new environment are met. See Prerequisite Configurations for Installing OAA, OARM, and OUA.
  1. If the database needs to be restored to a new environment, restore the database using standard database recovery techniques. Consult your Oracle Database documentation for further details.
  2. If you need to restore the file system data to a new installation environment, download the OAA/OARM installation files to that environment. See Downloading Installation Files and Preparing the Management Container.
  3. Restore OAA/OARM file system data by following section Restoring file system data to a new installation in Restoring OAA/OARM File System Data.
  4. If you need to import any policy and configuration data from snapshots taken after the last database backup, follow Restoring OAA/OARM Policy and Configuration Data.

B.2.3 Cloning an Installation

This scenario assumes you want to clone the existing installation to a new environment, using system data, and/or policy and configuration data, from the existing environment. In this scenario no runtime data is restored.

Note:

The instructions below assume that, if file system data is to be cloned to a new installation, the necessary installation prerequisites for that new environment are met. See Prerequisite Configurations for Installing OAA, OARM, and OUA.
  1. Download the OAA/OARM installation files to the new system. See Downloading Installation Files and Preparing the Management Container.
  2. Restore OAA/OARM file system data to the new system by following section Restoring file system data to a new installation in Restoring OAA/OARM File System Data.
  3. Restore policy and configuration data by following Restoring OAA/OARM Policy and Configuration Data.

B.2.4 Restoring OAA/OARM File System Data

In order to restore OAA/OARM file system data, you must first have created a backup. See Backing Up File System Data.

Restoring file system data to an existing installation

To restore file system data to the same environment:
  1. Copy the file system data from the backup to the NFS volumes <NFS_CONFIG_PATH>, <NFS_CREDS_PATH>, <NFS_LOGS_PATH>, and <NFS_VAULT_PATH>.
  2. Review the <NFS_CONFIG_PATH>/installOAA.properties file and ensure all the external resources such as NFS, the Oracle Database, and OAM OAuth endpoints are available and running.
  3. Check if the OAA Management container is running:
    kubectl get pods -n <namespace> | grep oaamgmt
    For example:
    kubectl get pods -n oaans | grep oaamgmt
  4. If the OAA Management container isn't running, you must perform the following steps:
    1. Copy the installOAA.properties from the <NFS_CONFIG_PATH> to the $WORKDIR/oaaimages/oaa-install directory.
    2. Start the OAA Management container by following: Creating the Management Container.
  5. Continue with the instructions to restart the OAA/OARM pods in section Restoring to an Existing Installation.

Restoring file system data to a new installation

To restore file system data to a new environment:
  1. Copy the file system data from the backup to the NFS volumes <NFS_CONFIG_PATH>, <NFS_CREDS_PATH>, <NFS_LOGS_PATH>, and <NFS_VAULT_PATH>.
  2. Review the <NFS_CONFIG_PATH>/installOAA.properties file and ensure all the external resources such as NFS, the Oracle Database, and OAM OAuth endpoints are available and running.

    Note:

    If you are restoring to a new system and/or database, make sure all the relevant parameters reference the new system and/or database.
  3. Remove the <NFS_LOGS_PATH>/status.info file.
  4. Copy the installOAA.properties from the <NFS_CONFIG_PATH> to the $WORKDIR/oaaimages/oaa-install directory.
  5. Start the OAA Management Container by following: Creating the Management Container.
  6. Run the OAA install script from inside the OAA Management container. See Deploying OAA, OARM, and OUA. This will create a new deployment based on your restored OAA/OARM file system data.

B.2.5 Restoring OAA/OARM Policy and Configuration Data

In order to restore policy and configuration data, you must have either previously created a snapshot, or have the snapshot zip file from a prior backup.

Note:

It is recommended to take a snapshot of the current policy and configuration data before following the steps below. See Backing Up Policy and Configuration Data.

Restoring from a previous snapshotId

To restore from a previous snapshotId:
curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/<snapshotId>/apply' \
--header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
--data ''

For details about finding the PolicyUrl and authenticating, see OAA Admin API.

For more details about the snapshot endpoint, see Snapshot REST Endpoints.

Restoring from a snapshot zip file

To restore from a snapshot zip file:
  1. Import the snapshot zip file:
    curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/' \
    --header 'Content-Type: application/octet-stream' \
    --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
    --data-binary '@<PATH>/snapshot<DATE>.zip'
    This will return a snapshotId:
    {
      "status": "201",
      "message": "Snapshot created successfully.",
      "snapshot": {
        "name": "Backup Snapshot <DATE>",
        "description": "This is a snapshot from <DATE>",
        "snapshotId": "4",
        "createTime": "<DATE>"
      }
    }
  2. Apply the snapshot:
    curl --location --request POST '<PolicyUrl>/policy/risk/v1/snapshots/<snapshotId>/apply' \
    --header 'Authorization: Basic <Base64Encoded(<username>:<password>)>' \
    --data ''
    The output will be similar to the following:
    {
      "serverResponseTime": 1683106368000,
      "clientContext": {
        "invocationContext": {
          "createTime": 1683106335536,
          "invocationId": "d61f7f30-a264-4be0-bb2d-9e5e88c58d19",
          "traceDataXml": "<OARMInvocationContext><invocationId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></invocationId><locale></locale><createTime><DATE></createTime></OARMInvocationContext>"
        },
        "sessionContext": {
          "sessionId": "",
          "clientId": "",
          "clientVersion": "",
          "userPrincipal": "",
          "ipAddress": "",
          "userAgent": "",
          "createTime": 1683106335537,
          "appName": "UASPolicyApi",
          "accessControlledRole": false,
          "orgAccessList": [],
          "roles": [],
          "traceDataXml": "<OARMSessionContextOARMSessionContext><clientId></clientId><userAgentString></userAgentString><userPrincipal></userPrincipal><roles><![CDATA[[]]]></roles><ip></ip><clientVersion></clientVersion><createTime><DATE></createTime></OARMSessionContextOARMSessionContext>"
        },
        "taskContext": {
          "taskId": "d61f7f30-a264-4be0-bb2d-9e5e88c58d19",
          "createTime": 1683106335536,
          "traceDataXml": "<OARMTaskContext><taskId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></taskId><createTime><DATE></createTime></OARMTaskContext>"
        },
        "traceDataXml": "<clientContext><OARMSessionContextOARMSessionContext><clientId></clientId><userAgentString></userAgentString><userPrincipal></userPrincipal><roles><![CDATA[[]]]></roles><ip></ip><clientVersion></clientVersion><createTime><DATE></createTime></OARMSessionContextOARMSessionContext><OARMTaskContext><taskId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></taskId><createTime><DATE></createTime></OARMTaskContext><OARMInvocationContext><invocationId><![CDATA[d61f7f30-a264-4be0-bb2d-9e5e88c58d19]]></invocationId><locale></locale><createTime><DATE></createTime></OARMInvocationContext></clientContext>"
      },
      "object": true,
      "error": false,
      "success": true,
      "oarmmessages": [],
      "warning": false,
      "serverVersion": "11.1.1.2.0",
      "systemError": false,
      "serverId": "oaainstall-oaa-policy-77bccf774b-48b6s/10.244.1.206",
      "traceDataXml": "<OARMResponse><serverId><![CDATA[oaainstall-oaa-policy-77bccf774b-48b6s/10.244.1.206]]></serverId><status><![CDATA[SUCCESS]]></status><serverResponseTime><DATE></serverResponseTime><serverVersion><![CDATA[11.1.1.2.0]]></serverVersion><messageList></messageList></OARMResponse>"