Deploying Oracle Advanced Authentication on Oracle Cloud Marketplace

Introduction

This tutorial shows you how to deploy Oracle Advanced Authentication (OAA) and dependant products on Oracle Cloud Marketplace for evaluation purposes.

Once deployed, Administrators can perform evaluation of Multi-Factor Authentication (MFA) with OAA for Oracle Access Management (OAM) protected applications.

Note: Administrators should be aware of the following:

• This deployment should only be used for evaluation purposes and should only be used with non-sensitive data.
• Push Notification factor is not currently supported with OAA on Oracle Cloud Marketplace.
• Oracle Universal Authenticator is not currently supported with OAA on Oracle Cloud Marketplace.

OAA on Oracle Cloud Marketplace is deployed in a Kubernetes (K8S) cluster using the Oracle Kubernetes Engine (OKE). The deployment on Oracle Cloud Marketplace deploys the following Oracle products and components:

• Oracle Database
• Oracle Unified Directory (OUD)
• Oracle Access Management (OAM)
• Oracle Advanced Authentication (OAA)
• Oracle HTTP Server (OHS)

The deployed architecture is as follows:

Factors Available

The following factors are available with the OAA Marketplace deployment without any further Administrator configuration:

• Time-based One Time Passcode (TOTP) with a Mobile Authenticator
• FIDO2
• YubiKey

The following factors require additional Administrator configuration post deployment if they are required for evaluation:

• Security Questions
• Email
• SMS

Note: In all cases the end user will need to access the Self-Service Portal to add the factors to evaluate. More information on Administrator and end user tasks can be found in the Next Tutorial section.

Users Created

The deployment creates the following users in Oracle Unified Directory:

• weblogic_iam - Username to login to the OAM Administration console.
• oaaadmin - Username to login to the OAA Administration console.
• oaauser1, oaauser2, oaauser3, oaauser4, oaauser5 - Usernames for end user to authenticate through OAM, and to login to the OAA Self-Service Portal.

NFS Volumes Created

The following are the NFS volumes created for OAA by the Oracle Cloud Marketplace deployment:

• <NFS_CREDS_PATH>: /mnt/oaa/oaacredpv
• <NFS_CONFIG_PATH>: /mnt/oaa/oaaconfigpv
• <NFS_VAULT_PATH>: /mnt/oaa/oaavaultpv
• <NFS_LOGS_PATH>: /mnt/oaa/oaalogpv

These volumes are accessible from the bastion node.

For more information on the NFS volumes and their contents, see Configuring NFS Volumes.

Typical End User Flow

The following is a typical flow that can be evaluated using OAA on Oracle Cloud Marketplace:

1. An end user, for example oaauser1, configures their factors for MFA in the Self-Service Portal.
2. The end user accesses a page (bank-emp.html) which is protected via OAM and an OAA MFA policy.
3. The end user is redirected to OAM to login with their credentials (oaauser1/<password>).
4. OAM triggers MFA based on OAA policies. The user is asked to complete MFA or Passwordless authentication using one of their configured factors.
5. Upon successful authentication, the protected page is displayed.

OCI Prerequisites

Before deploying OAA on Oracle Cloud Marketplace, you must have administrator access on an OCI public tenancy.

The following shows the quotas required in your Availability Domain to deploy OAA:

• 1 OKE Cluster
• 4 compute nodes for the Node Pool (8 CPU with 64GB RAM)
• 1 compute node for the Bastion (2 CPU with 16GB RAM )
• 1 File System, 2 Mount Targets
• 1 Load Balancer (100 Mbps)
• 2 Virtual Cloud Networks (VCNs) with internet, NAT, and Service Gateway

Note: Optional - It is recommended to create a new compartment for the OAA deployment. See, Creating a Compartment.

To check your quotas:

1. OAA requires four (4) or more compute nodes for the Node Pool and one (1) compute node for the Bastion in the respective Availability Domain. To check you have enough compute nodes available:

   1. Access the OCI console and access the Navigation Menu.
   2. Navigate to Governance & Administration > Limits, Quota and Usage.
   3. Select the Show deprecated limits checkbox.
   4. From the SERVICE drop down menu select Compute.
   5. From the SCOPE menu select the appropriate Availability Domain.
   6. From the COMPARTMENT menu select the root compartment.
   7. In the Resource menu select the Node Shape to check. You must choose a shape that allows 8 CPU with 64GB RAM for the node pool, and 2 CPU and 16GB RAM for the bastion.
   8. Check the Available column and make sure you have sufficient computes available for the Node Shape you wish to deploy.

For more information on the compute shapes available refer to Compute Shapes.

1. OAA requires two (2) Virtual Cloud Network (VCN) resources to be available in the tenancy. To check you have enough VCN’s available:

   1. From the SERVICE drop down menu select Virtual Cloud Network.
   2. From the SCOPE menu select your tenancy.
   3. In the Resource menu select Virtual Cloud Networks Count.
   4. Check the Available column and make sure at least two (2) VCN’s are available.

2. OAA requires one (1) 100Mbps Load Balancer resource to be available:

   1. From the SERVICE drop down menu select LbaaS.
   2. From the SCOPE menu select your tenancy.
   3. In the Resource menu select 100Mbps Load Balancer Count.
   4. Check the Available column and make sure at least one (1) Load Balancer is available.

3. OAA requires one (1) OKE cluster to be available:

   1. From the SERVICE drop down menu select Container Engine.
   2. From the SCOPE menu select your tenancy.
   3. In the Resource menu select Basic Cluster Count.
   4. Check the Available column and make sure at least one (1) is available.

4. OAA requires one (1) File System resource and one (2) Mount Target resources to be available:

   1. From the SERVICE drop down menu select File Storage.
   2. From the SCOPE menu select your Availability Domain.
   3. Check the Available column and make sure at least one (1) resource is available for File System Count and two (2) resources are available for Mount Target Count.

For more information on resources see Compartment Quotas.

Provision OAA on Oracle Cloud Marketplace

1. Access the Oracle Cloud Marketplace.

2. Search for the listing Oracle Advanced Authentication and select it.

3. In the Oracle Advanced Authentication listing, check the Version details show Version: 12.2.1.4.1-<DATE>.

4. Launch the installation into your tenancy by selecting Get App.

5. Sign-in to your tenancy.

6. In the upper right of the screen, select the OCI region.

7. Select the compartment where the OAA Instance will be deployed.

   Note: Do not select the default (root) compartment.

   Make sure you select the check box regarding the terms and conditions.

8. Click Launch Stack.

9. In the Stack Information screen, edit the Name as appropriate and add a Description if required. Click Next.

10. In the Configure Variables screen enter the variables as below and click Next:

    Tenancy Details:

    Name	Value
    Region	The region should be the same as mentioned in the URL of the OCI console.
    Availability Domain	The Availability Domain where OAA will be deployed.

    Oracle Kubernetes Engine (OKE):

    Click Show OKE advanced options:

    Name	Value
    OKE Nodepool Instance Shape	Choose the shape for the node pool computes, for example VM.Standard.E4.Flex.
    OCPU Count	8
    Memory	64GB
    Size of the Node Pool	Four (4) or more. As per the OCI Prerequisites section, make sure you check the availability of the compute resources in the Availability Domain chosen for the Node Pool Shape. For example if you specify four (4) nodes make sure four (4) compute resources of the chosen VM Shape are available.

    Bastion - Compute Nodes:

    Name	Value
    Bastion Instance Shape	Choose the shape for the bastion, for example: VM.Standard.E4.Flex. As per the OCI Prerequisites section, make sure you check the availability of the compute resources in the Availability Domain chosen for the bastion node. One (1) compute resource of the chosen VM Shape is required.
    OCPU Count	2
    Memory	16GB
    Common Password	The common password to use for all components. The password must match regular expression: ^[a-zA-Z0-9.\-/+=@_]*$|

    The rest of the variables can remain as per their default values.

11. In the Review screen verify the configuration variables and select Create.

    This will trigger a job that will be displayed in the OCI console. The job will show as IN PROGRESS and in the Logs section at the bottom of the screen, details of the deployment progress are displayed.

    The job will take approximately 90 minutes to complete. Once the job is successful the job status will show SUCCEEDED.

Adding the Public IP to the Local Hosts File

In this section you find the public IP address of the load balancer. The IP address and hostname (login.example.com) is then added to the local hosts file of any computer that needs to evaluate OAA.

1. Access the OCI console, and from the Navigation Menu select Resource Manager > Stacks.

2. Select the relevant compartment from the drop down list. A list of stacks in the compartment will be displayed. Select the stack just created, for example OAA.

3. Click the job that just ran. In the Resources section click the Logs link for the job.

4. In the Logs output search for the string load_balancer_public_ip using the browser search. Note the public IP address of the Load Balancer.

5. Add an entry to your local hosts file to map the Load Balancer IP to the defined hostname. This must be done on all computers that need to evaluate OAA.

   Note: You must use the hostname listed below:

   <LB_PUBLIC_IP> login.example.com
   

Downloading the Trusted Certificate Authority

In this section you download the Certificate Authority (CA) certificate that signed the load balancer certificate. You then import the CA certificate into any browser that needs to access and test OAA.

Note: This is a requirement if you need to test OAA FIDO2 authentication, and also to prevent certificate errors in the browser when accessing OAA or OAM URL’s.

1. Run the following command to get the certificates:

   openssl s_client -connect login.example.com:443 -showcerts </dev/null 2>/dev/null| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certs.pem
   

   Note: Use Git Bash to perform the above command if running on a Windows environment.

2. Edit the certs.pem. The certs.pem contains two certificates. The top certificate in the file is the load balancer certificate. The bottom certificate in the file is the CA certificate. Copy the CA certificate (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----).

3. Create a new file oaamktplaceca.pem and paste the copied certificate to this file and save.

4. Copy the oaamktplaceca.pem to any machine whose browser will access the OAA and OAM URL’s.

5. Import the certificate into the browser’s Trusted Certificate Authority store. Consult your browser documentation for further details if required.

Connecting via SSH to the Bastion Host

To connect via SSH to the bastion host:

1. Access the OCI console, and from the Navigation Menu select Resource Manager > Stacks.

2. Select the relevant compartment from the drop down list. A list of stacks in the compartment will be displayed. Select the stack just created, for example OAA.

3. Click the job that just ran. In the Resources section click the View State link for the job.

4. In the View State window search for the string ssh_to_bastion using the browser search. At the end of the value line note down the IP address, for example: opc@<bastion_ip>.

5. From the same value line, copy the private key data displayed (from -----BEGIN RSA PRIVATE KEY---- to -----END RSA PRIVATE KEY-----\n). Create a file, for example oaamktplace.key, and paste the copied value into the file and save:

   -----BEGIN RSA PRIVATE KEY-----\nXXXXXXXXXXXXYYYYYYYYYYYYYYPPPPPPPPPPP++YYYYY
   YYYYTTTTTTTTTTT\IIIIIIIIIhhhhjjuuuuuu/VVVuuuuuuuuuuu908888/zdS1UCdLr/Q2q9yd12
   etc.....................................................................
   +Qjl5\nxOByCUtZ8TbRbQMgEA/6G6wzVQ+mjCPy0n0ykxhWaHVj22ytfxKtApNLjwhtlZm
   \npD58jI0CgYEAv3GvEcfVPg92KmN8OH+hSrkLzz22bemNqioRvKi2mXBwfk0xu0kK\nvTdjVqwbD
   lCeAhISJxXdsT3J83pyeaGm6TrxBwUptJ8SzlZgFptpJffE1acAq8m\nXd7RoF2rBqZ5HHYYYYYkl
   kkk90zedjxPoJW6XxC3ljingatsgJzAixIMSc8=\n-----END RSA PRIVATE KEY-----\n
   

6. Issue the following command to convert remove the “\n” characters and change the permissions on the file:

   sed -i 's/\\n/\n/g' oaamktplace.key
   

   chmod 400 oaamktplace.key
   

   Note: Administrators should be aware of the following:

   • If running on a Windows environment, you can run the command using a tool like Git Bash, or alternatively edit the key file in a text editor and remove all “\n” characters.
   • On Windows do not run the chmod 400 command, instead change the properties of the file to read-only.

   Open the oaamktplace.key file and validate the \n characters are removed.

7. Connect to the bastion host using the private key file:

   ssh -i oaamktplace.key opc@<bastion_ip>
   

   The login should be successful.

Validating the OAA Deployment

In this section, you check that all components of the OAA environment are running correctly, and that you can access the Administration consoles and Self-Service Portal.

1. From the ssh session on the bastion host, run the following command to check the status of the OAA pods:

   kubectl get pods -n oaans
   

   The output will look similar to the following. All the pods should be READY 1\1 and RUNNING:

   NAME                                READY   STATUS    RESTARTS   AGE
   edg-email-74766c4548-v58qd          1/1     Running   0          1h
   edg-fido-6d45456459-pbjw6           1/1     Running   0          1h
   edg-oaa-9c9bb4bf-r2fx9              1/1     Running   0          1h
   edg-oaa-admin-ui-79866b8fdc-8lh4z   1/1     Running   0          1h
   edg-oaa-drss-6b47b788b6-8xtlk       1/1     Running   0          1h
   edg-oaa-kba-686c76679c-29nfl        1/1     Running   0          1h
   edg-oaa-policy-6448db6fd8-bzjjb     1/1     Running   0          1h
   edg-push-77dc7db499-rcgp4           1/1     Running   0          1h
   edg-risk-59b856c99c-9qvhn           1/1     Running   0          1h
   edg-risk-cc-6fb6d7b94c-7z8vq        1/1     Running   0          1h
   edg-sms-688679d548-jlxpc            1/1     Running   0          1h
   edg-spui-86dd46d59f-rtgpn           1/1     Running   0          1h
   edg-totp-7f9db7894-mjx82            1/1     Running   0          1h
   edg-yotp-7c88b7fff5-wjjm4           1/1     Running   0          1h
   oaamgmt                             1/1     Running   0          1h
   

2. Open a Web browser on your computer and access the following consoles. Login with the relevant username, using the <COMMON_PASSWORD> you entered during the deployment. Make sure you logout of the console before accessing the next console:

   Console	URL	Username
   OAM Administration Console	https://login.example.com/oamconsole	weblogic_iam
   OAA Administration Console	https://login.example.com/oaa-admin/index.html	oaaadmin
   OAA Self-Service Portal	https://login.example.com/oaa/rui	oaauser1 - oaauser5

   Note: If you have imported the CA certificate into the browser correctly, there should be no certificate errors.

Destroying or Deleting the OAA Stack

If you need to destroy the OAA stack to clean up from a failed deployment, or delete the stack completely, perform the following steps:

Note: Step 1 and 2 below may not be possible if the deployment failed before creating the bastion host, or if invoke_oaa did not execute. If either case, go direct to step 3.

1. Connect via SSH to the bastion host as per the section Connecting via SSH to the Bastion Host.

2. Run the following command on the bastion host:

   /home/opc/oaascripts/utils/delete_all.sh
   

3. In the OCI Console navigate to Developer Services > Resource Manager > Stacks.

4. Find and click the OAA stack.

5. On the Stack Details page click Destroy. This will start a destroy job to destroy the stack.

6. Once the destroy job is successful, if you need to delete the stack completely, click on Stack Details in the breadcrumb, then select More actions > Delete Stack.

7. Ensure that clusters are deleted by navigating to Developer Services > Kubernetes Clusters (OKE). If not, manually delete the clusters.

8. When the clusters are terminated, the instances should also be automatically terminated. Navigate to Compute > Instances and check the instances are deleted. If not deleted, terminate those manually.

9. Check the load balancer and file storage by navigating to Networking > Load Balancers. If resources still exist, then manually terminate them.

10. Check the VCN’s are destroyed by by navigating to Networking > Virtual Cloud Networks. If not destroyed, then manually terminate the VCNs. If there are problems terminating the VCN’s, follow the Troubleshooting section in Subnet or VCN Deletion.

11. Check if the Identity Policies are removed by navigating to Identity & Security > Identity > Policies. If not destroyed, then delete manually.

12. Navigate to Identity & Security > Identity > Domains. Select the root compartment and select your Domain. Click Dynamic Groups and check the Dynamic Groups are removed. If not destroyed, then delete manually.

13. When the above steps are completed, wait a few minutes to ensure all resources are cleaned up. Then check the limits to ensure those resources are now free by navigating to Governance & Administration > Limits, Quota and Usage.

Next Tutorial

To test the MFA flow, see Configuring Oracle Advanced Authentication and Validating End User Flow on Oracle Cloud Marketplace.

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com.

For technical support, contact Oracle Support.

Acknowledgements

• Author - Russ Hodgson

Title and Copyright Information

Deploying Oracle Advanced Authentication on Oracle Cloud Marketplace

G34451-01

Copyright ©2025, Oracle and/or its affiliates.