diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/README.md b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/README.md
index 6d64bdc3..a7569a05 100644
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/README.md
+++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/README.md
@@ -95,7 +95,7 @@ The scripts perform the following actions: * Create OIRI users in Oracle Identity Governance as described in [Creating User Names and Groups in Oracle Identity Governance](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-identity-role-intelligence.html). * Perform an initial OIG data load into OIRI as described in [Performing an Initial Data Load Using the Data Ingester](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-identity-role-intelligence.html#GUID-38ECFCFD-E80F-4F29-B90E-644BE522C058). * Create OIRI Kubernetes Services either NodePort or Ingress as described in [Creating the Kubernetes NodePort Services](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-identity-role-intelligence.html#GUID-9368D654-3A45-40D3-82E1-EFB7EFE45929). -* Deploy Oracle Advanced Authentication and Risk Management as described in [Deploying Oracle Advanced Authentication](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-advanced-authentication-oaa.html#GUID-C0B16343-3E9C-41FB-9E32-9FDCA9A4025B). +* Deploy Oracle Advanced Authentication, Risk Management and Univeral Authentication as described in [Deploying Oracle Advanced Authentication](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-advanced-authentication-oaa.html#GUID-C0B16343-3E9C-41FB-9E32-9FDCA9A4025B). * Create OAA Users as described in [Creating Users and Groups in LDAP](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-advanced-authentication-oaa.html#GUID-278C0CB3-9CC1-400C-B06B-B5DF8603B2EC). 
* Create OAA Test User as described in [Creating a Test User](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-advanced-authentication-oaa.html#GUID-10B461F2-C309-4273-936A-35387EF7332C). * Integrate OAA with Unified Messaging Service as described in [Configuring Email/SMS Servers](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-advanced-authentication-oaa.html#GUID-2020B622-4AAB-485E-8965-1BF071B32B48). @@ -260,8 +260,10 @@ These parameters determine which products the deployment scripts attempt to depl | **INSTALL\_WLSOPER** | `true` | Set to `true` to deploy WebLogic Kubernetes Operator. | | **INSTALL\_OAM** | `true` | Set to `true` to configure OAM. | | **INSTALL\_OIG** | `true` | Set to `true` to configure OIG. | -|**INSTALL\_OIRI** | `true` | Set to `true` to configure OIRI. | +| **INSTALL\_OIRI** | `true` | Set to `true` to configure OIRI. | | **INSTALL\_OAA** | `true` | Set to `true` to configure OAA.| +| **INSTALL\_RISK** | `true` | Set to `true` to configure RISK.| +| **INSTALL\_OUA** | `true` | Set to `true` to configure OUA.| ### Control Parameters @@ -272,6 +274,7 @@ These parameters are used to specify the type of Kubernetes deployment and the n |**USE\_REGISTRY** | `false` | Set to `true` to obtain images from a Container Registry.| | **USE\_INGESS** | `true` | Set to true if using and ingress controller| |**IMAGE\_TYPE** | `crio` | Set to `crio` or `docker` depending on your container engine.| +|**OPER\_ENABLE\_SECRET** | `false` | Set to `true` or `false` depending on your wish to set the secret for oparator install.| ### Generic Parameters 
@@ -301,6 +304,8 @@ If you are pulling images from GitHub or Docker hub, then you can also specify t |**GIT\_TOKEN** | `ghp_aO8fqRNVdfsfshOxsWk40uNMS` | The GitHub token. Stored in password file| |**DH\_USER** | *`username`* | The Docker user name for `hub.docker.com`. Used for obtaining public images. If you are hosting the public images in your registry then specify that registry username.| |**DH\_PWD** | *`mypassword`* | The Docker password for `hub.docker.com`. Used for obtaining public images. If you are hosting the public images in your registry then specify that registry users password. Stored in password file.| +|**WDT\_IMAGE\_REGISTRY** | `iad.ocir.io/mytenancy` | Set to the location of your container internal registry.| +|**WDT\_IMAGE\_REG\_USER** | `mytenancy/oracleidentitycloudservice/email@example.com` | Set to your internal registry user name.| @@ -407,6 +412,7 @@ These parameters are specific to OHS. These parameters are used to construct th |**OHS\_PORT** |`7777`| The port your Oracle HTTP Servers listen on.| |**OHS\_HTTPS\_PORT** |`4443`| The SSL port your Oracle HTTP Servers listen on.| |**NM\_PORT** |`5556`| The port to use for Node Manager.| + ### OUD Parameters These parameters are specific to OUD. When deploying OUD, you also require the generic LDAP parameters. 
@@ -422,6 +428,10 @@ These parameters are specific to OUD. When deploying OUD, you also require the g |**LDAP\_USER\_PWD** | *``* | The password to assign to all users being created in LDAP. **Note**: This value should have at least one capital letter, one number, and should be at least eight characters long. |**OUD\_PWD\_EXPIRY** | `2024-01-02`| The date when the user passwords you are creating expires.| |**OUD\_CREATE\_NODEPORT** | `true`| Set to `true` if you want to create NodePort services for OUD. These services are used to interact with OUD from outside of the Kubernetes cluster.| +|**OUD\_CPU** |`200m`| Initial CPU Units allocated to OUD pods (1000m = 1 CPU core).| +|**OUD\_MAX\_CPU** |`1`| Maximum CPU cores allocated to the OUD Containers.| +|**OUD\_MEMORY** |`2Gi`| Initial Memory allocated to OUD pods.| +|**OUD\_MAX\_MEMORY** |`4Gi`| Maximum amount of that an OUD pods can consume.| ### OUDSM Parameters List of parameters used to determine how Oracle Directory Services Manager will be deployed. @@ -477,6 +487,7 @@ These parameters determines how the WebLogic Kubernetes Operator is provisioned. | --- | --- | --- | |**OPERNS** | `opns` | The Kubernetes namespace used to hold the WebLogic Kubernetes Operator.| |**OPER\_ACT** | `operadmin` | The Kubernetes service account for use by the WebLogic Kubernetes Operator.| +|**OPER\_ENABLE\_SECRET** | `false` | Set to true if using your own Container Registry that requires authentication.| ### OAM Parameters These parameters determine how OAM is deployed and configured. 
@@ -502,12 +513,17 @@ These parameters determine how OAM is deployed and configured. |**OAM\_LOGIN\_LBR\_PROTOCOL** | `https` | The protocol of the load balancer port to use for logging in to OAM.| |**OAM\_ADMIN\_LBR\_HOST** | `iadadmin.example.com` | The load balancer name to use for accessing OAM administrative functions.| |**OAM\_ADMIN\_LBR\_PORT** | `80` | The load balancer port to use for accessing OAM administrative functions.| +|**OAM\_ADMIN\_LBR\_PROTOCOL** | `http` | The load balancer protocol to use for accessing OAM administrative functions.| |**OAM\_COOKIE\_DOMAIN** | `.example.com` | The OAM cookie domain is generally similar to the search base. Ensure that you have a '`.`' (dot) at the beginning.| |**OAM\_OIG\_INTEG** | `true` | Set to `true` if OAM is integrated with OIG.| |**OAM\_OAP\_HOST** | `k8worker1.example.com` | The name of one of the Kubernetes worker nodes used for OAP calls.| |**OAM\_OAP\_PORT** | `5575` | The internal Kubernetes port used for OAM requests.| |**OAMSERVER\_JAVA\_PARAMS** | "`-Xms2048m -Xmx8192m`" | The internal Kubernetes port used for OAM requests.| |**COPY\_WG\_FILES** | `true` | Set to true if you wish the deployment to copy the WebGate Artifacts to your Oracle HTTP Server(s)| +|**OAM\_CPU** |`500m`| Initial CPU Units allocated to OAM pods (1000m = 1 CPU core).| +|**OAM\_MAX\_CPU** |`1`| Maximum CPU cores allocated to the OAM Containers.| +|**OAM\_MEMORY** |`2Gi`| Initial Memory allocated to OAM pods.| +|**OAM\_MAX\_MEMORY** |`8Gi`| Maximum amount of that an OAM pods can consume.| ### OIG Parameters These parameters determine how OIG is provisioned and configured. 
@@ -532,6 +548,7 @@ These parameters determine how OIG is provisioned and configured. |**OIG\_WEBLOGIC\_PWD** | *``* | The OIG WebLogic administration user.| |**OIG\_ADMIN\_LBR\_HOST** | `igdadmin.example.com` | The load balancer name to use for accessing OIG administrative functions.| |**OIG\_ADMIN\_LBR\_PORT** | `80` | The load balancer port you use for accessing the OIG administrative functions.| +|**OIG\_ADMIN\_LBR\_PROTOCOL** | `80` | The load balancer protocol to you use for accessing the OIG administrative functions.| |**OIG\_LBR\_HOST** | `prov.example.com` | The load balancer name to use for accessing the OIG Identity Console.| |**OIG\_LBR\_PORT** | `443` | The load balancer port to use for accessing the OIG Identity Console.| |**OIG\_LBR\_PROTOCOL** | `https` | The load balancer protocol to use for accessing the OIG Identity Console.| @@ -555,6 +572,14 @@ These parameters determine how OIG is provisioned and configured. |**OIG\_EMAIL\_PWD** | *``* | The password of your SMTP server.| |**OIG\_EMAIL\_FROM\_ADDRESS** | `from@example.com` | The '`From`' email address used when emails are sent.| |**OIG\_EMAIL\_REPLY\_ADDRESS** | `noreplies@example.com` | The '`Reply`' to email address of the emails that are sent.| +|**OIG\_CPU** |`500m`| Initial CPU Units allocated to OAM pods (1000m = 1 CPU core).| +|**OIM\_MAX\_CPU** |`1`| Maximum CPU cores allocated to the OIM Containers.| +|**OIM\_MEMORY** |`4Gi`| Initial Memory allocated to OIM pods.| +|**OIM\_MAX\_MEMORY** |`8Gi`| Maximum amount of that an OIM pods can consume.| +|**SOA\_CPU** |`1000m`| Initial CPU Units allocated to SOA pods (1000m = 1 CPU core).| +|**SOA\_MAX\_CPU** |`1`| Maximum CPU cores allocated to the SOA Containers.| +|**SOA\_MEMORY** |`4Gi`| Initial Memory allocated to SOA pods.| +|**SOA\_MAX\_MEMORY** |`10Gi`| Maximum amount of that an SOA pods can consume.| ### OIRI Parameters 
@@ -580,6 +605,9 @@ These parameters determine how OIRI is provisioned and configured. |**OIRI\_DB\_SYS\_PWD** |`MySysPassword`| The SYS password of the OIRI database.| |**OIRI\_RCU\_PREFIX** |`ORIEDG`| The RCU prefix to use for the OIRI schemas.| |**OIRI\_SCHEMA\_PWD** |`MySchemPassword`| The password to use for the OIRI schemas that get created. If you are using special characters, you may need to escape them with a '`\`'. For example: '`Password\#`'.| +|**OIRI\_OIG\_DB\_SCAN** |`dbscan.example.com`| The database SCAN address of the grid infrastructure for OIG Database.| +|**OIRI\_OIG\_DB\_LISTENER** |`1521`| The OIG database listener port.| +|**OIRI\_OIG\_DB\_SERVICE** |`oigsvc.example.com`| The database service which connects to the database you want to use for storing mining OIG schemas.| |**OIRI\_CREATE\_OHS** |`true`| This value instructs the scripts to generate OHS entries for connecting to OIRI. You should set this to `true` unless you are configuring a standalone OIRI.| |**OIRI\_INGRESS\_HOST** |`igdadmin.example.com`| If you are creating a fully integrated deployment and want OIRI to be included in the OHS deployment, then this value should be set to the OIG Administration host name. For example: `iagadmin.example.com`.

If you are deploying OIRI standalone using Ingress to route requests, then set this value to the virtual hostname you want to use. For example: `oiri.example.com`.| |**OIRI\_KEYSTORE\_PWD** |`MyKeystore_Password100`| The password to use for the OIRI keystore.| @@ -589,9 +617,13 @@ These parameters determine how OIRI is provisioned and configured. |**OIRI\_SERVICE\_USER** |`oirisvc`| The user name for the OIG OIRI service account.| |**OIRI\_SERVICE\_PWD** |`MyPassword1`| The password for **OIRI_SERVICE_USER**.| |**OIRI\_OIG\_URL** |`http://$OIG_DOMAIN_NAME-cluster-oim-cluster.$OIGNS.svc.cluster.local:14000`| The URL to access OIG. If internal to the Kubernetes cluster, use the Kubernetes service name as shown in the sample value. If external, use the `IGDINTERNAL` URL.| +|**OIRI\_OIG\_SERVER** |`t3://$OIG_DOMAIN_NAME-oim-server1.$OIGNS.svc.cluster.local:14000`| The T3 URL to access the OIG oim server (used to Create Users in OIG).| |**OIRI\_LOAD\_DATA** |`true`| Set to `true` if you want to load data from the OIG database.| - - +|**OIRI\_OIG\_XELSYSADM\_USER** |`xelsysadm`| Set to an OIM Administrator , used to create users in OIG.| +|**OIRI\_OIG\_USER\_PWD** |`mypassword`| Password of the OIRI_OIG_XELSYSADM_USER. | +|**OIRI\_OIG\_XELL\_FILE=** | If your OIG is not inside Kubernetes, you need to manually acquire the [OIG rest certificate](https://docs.oracle.com/en/middleware/fusion-middleware/12.2.1.4/ikedg/installing-and-configuring-oracle-identity-role-intelligence.html#GUID-B37680A8-5A03-4E55-B373-5BDC2AD4AAB6). Set this parameter to the location of that file. Leave blank if OIG is in Kubernetes.| +|**OIRI\_CREATE\_OIG_\USER** |`true`| Set to true to allow the automation scripts to create the OIRI users in OIG. | +|**OIRI\_SET\_OIG_\COMPLIANCE** |`true`| Set to true to allow the automation scripts place OIG in compliance mode. | ### OAA Parameters These parameters determine how OAA is provisioned and configured. 
@@ -629,6 +661,8 @@ These parameters determine how OAA is provisioned and configured. |**OAA\_API\_PWD** |`oaapassword`| The password to be used for OAA API interactions.| |**OAA\_POLICY\_PWD** |`oaapassword`| The password to be used for OAA policy interactions.| |**OAA\_FACT\_PWD** |`oaapassword`| The password to be used for OAA keystores for factor interactions.| +|**OAA\_ADD\_USERS\_LDAP** |`true`| Set to `true` if you wish to add existing users in LDAP in User Search base to OAA_USER_GROUP.| +|**OAA\_ADD\_USERS\_OUA\_OBJ** |`true`| Set to `true` if you wish to set ldap parameter obpsftid to all existing users in OAA_USER_GROUP.| #### OAA Filesystem Vault Parameters 
@@ -699,6 +733,41 @@ These parameters determine how OAA is provisioned and configured. |**OAA\_PUS\H_REPLICAS** |`2`| The number of OAA PUSH service pods to be created. For HA, the minimum number is two.| |**OAA\_RISK\_REPLICAS** |`2`| The number of OAA RISK service pods to be created. For HA, the minimum number is two.| |**OAA\_RISKCC\_REPLICAS** |`2`| The number of OAA RISK CC service pods to be created. For HA, the minimum number is two.| +|**OAA\_KBA\_REPLICAS** |`2`| The number of KBA service pods to be created. For HA, the minimum number is two.| +|**OAA\_DRSS\_REPLICAS** |`2`| The number of OUA service pods to be created. For HA, the minimum number is two.| + +#### Resource Parameters + +| **Parameter** | **Sample Value** | **Comments** | +| --- | --- | --- | +|**OAA\_OAA\_CPU** |`200m`| Initial CPU Units allocated to OAA pod (1000m = 1 CPU core).| +|**OAA\_OAA\_MEMORY** |`1Gi`| Initial Memory allocated to OAA pod.| +|**OAA\_ADMIN\_CPU** |`200m`| Initial CPU Units allocated to ADMIN pod (1000m = 1 CPU core).| +|**OAA\_ADMIN\_MEMORY** |`1Gi`| Initial Memory allocated to ADMIN pod.| +|**OAA\_POLICY\_CPU** |`200m`| Initial CPU Units allocated to POLICY pod (1000m = 1 CPU core).| +|**OAA\_POLICY\_MEMORY** |`1Gi`| Initial Memory allocated to POLICY pod.| +|**OAA\_SPUI\_CPU** |`200m`| Initial CPU Units allocated to SPUI pod (1000m = 1 CPU core).| +|**OAA\_SPUI\_MEMORY** |`1Gi`| Initial Memory allocated to SPUI pod.| +|**OAA\_TOTP\_CPU** |`200m`| Initial CPU Units allocated to TOTP pod (1000m = 1 CPU core).| +|**OAA\_TOTP\_MEMORY** |`1Gi`| Initial Memory allocated to TOTP pod.| +|**OAA\_YOTP\_CPU** |`200m`| Initial CPU Units allocated to YOTP pod (1000m = 1 CPU core).| +|**OAA\_YOTP\_MEMORY** |`1Gi`| Initial Memory allocated to YOTP pod.| +|**OAA\_FIDO\_CPU** |`200m`| Initial CPU Units allocated to FIDO pod (1000m = 1 CPU core).| +|**OAA\_FIDO\_MEMORY** |`1Gi`| Initial Memory allocated to FIDO pod.| +|**OAA\_EMAIL\_CPU** |`200m`| Initial CPU Units allocated to 
EMAIL pod (1000m = 1 CPU core).| +|**OAA\_EMAIL\_MEMORY** |`1Gi`| Initial Memory allocated to EMAIL pod.| +|**OAA\_PUSH\_CPU** |`200m`| Initial CPU Units allocated to PUSH pod (1000m = 1 CPU core).| +|**OAA\_PUSH\_MEMORY** |`1Gi`| Initial Memory allocated to PUSH pod.| +|**OAA\_SMS\_CPU** |`200m`| Initial CPU Units allocated to SMS pod (1000m = 1 CPU core).| +|**OAA\_SMS\_MEMORY** |`1Gi`| Initial Memory allocated to SMS pod.| +|**OAA\_KBA\_CPU** |`200m`| Initial CPU Units allocated to KBA pod (1000m = 1 CPU core).| +|**OAA\_KBA\_MEMORY** |`1Gi`| Initial Memory allocated to KBA pod.| +|**OAA\_RISK\_CPU** |`200m`| Initial CPU Units allocated to RISK pod (1000m = 1 CPU core).| +|**OAA\_RISK\_MEMORY** |`1Gi`| Initial Memory allocated to RISK pod.| +|**OAA\_RISKCC\_CPU** |`200m`| Initial CPU Units allocated to RISKCC pod (1000m = 1 CPU core).| +|**OAA\_RISKCC\_MEMORY** |`1Gi`| Initial Memory allocated to RISKCC pod.| +|**OAA\_DRSS\_CPU** |`200m`| Initial CPU Units allocated to DRSS pod (1000m = 1 CPU core).| +|**OAA\_DRSS\_MEMORY** |`1Gi`| Initial Memory allocated to DRSS pod.| ### Port Mappings diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/functions.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/functions.sh index 4f022caa..3d7d5fed 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/functions.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/functions.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of common functions and procedures used by the provisioning and deletion scripts 
@@ -184,6 +184,10 @@ install_operator() cd $WORKDIR/samples CMD="helm install weblogic-kubernetes-operator charts/weblogic-operator --namespace $OPERNS --set image=$OPER_IMAGE:$OPER_VER --set serviceAccount=$OPER_ACT " CMD="$CMD --set \"enableClusterRoleBinding=true\" --set \"javaLoggingLevel=FINE\" --set \"domainNamespaceSelectionStrategy=LabelSelector\" --set \"domainNamespaceLabelSelector=weblogic-operator\=enabled\" " + if [ "$OPER_ENABLE_SECRET" = "true" ] + then + CMD="$CMD --set \"imagePullSecrets[0].name=regcred\" " + fi if [ "$USE_ELK" = "true" ] then ELK_PROTO=$(echo $ELK_HOST | cut -f1 -d:) @@ -271,6 +275,21 @@ delete_crd() fi } +# +# Get Kubernetes Version +# +get_k8_ver() +{ + kubectl version --short >/dev/null 2>&1 + if [ $? -eq 0 ] + then + KVER=$(kubectl version --short=true 2>/dev/null | grep Server | cut -f2 -d: | cut -f1 -d + | sed 's/ v//' | cut -f 1-3 -d.) + else + KVER=$(kubectl version 2>/dev/null | grep Server | cut -f2 -d: | cut -f1 -d + | sed 's/ v//' | cut -f 1-3 -d.) + fi + + echo $KVER +} # # Get Kubernetes NodePort Port # @@ -359,7 +378,7 @@ copy_to_k8() namespace=$3 domain_name=$4 - kubectl cp $filename $namespace/$domain_name-adminserver:$PV_MOUNT/$destination + kubectl -c weblogic-server cp $filename $namespace/$domain_name-adminserver:$PV_MOUNT/$destination if [ $? -gt 0 ] then echo "Failed to copy $filename." 
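Review bot: The pull-secret name `regcred` is hard-coded in the new `--set \"imagePullSecrets[0].name=regcred\"`, and nothing checks that a secret of that name exists in `$OPERNS` before `helm install` runs, so a missing or differently named secret only shows up later as an image-pull failure on the operator pod rather than at this step. A variable with that default, `OPER_PULL_SECRET=${OPER_PULL_SECRET:-regcred}`, plus a pre-check such as `kubectl -n $OPERNS get secret $OPER_PULL_SECRET >/dev/null 2>&1 || { echo "Secret $OPER_PULL_SECRET not found in $OPERNS"; exit 1; }`, would make the dependency explicit and match the README's description of OPER_ENABLE_SECRET. install_operator's body continues outside the hunk.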
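Review bot: Both branches of get_k8_ver discard kubectl's stderr, so when the API server is unreachable or no `Server` line is printed the function returns an empty string that the caller cannot tell apart from a parsed version; the probe on the first line also treats an unreachable cluster as "`--short` unsupported" and falls through to the second form, which fails the same way. Test the command directly and refuse to return nothing: `if kubectl version --short >/dev/null 2>&1; then` in place of the `$?` check, and before the final line `[ -n "$KVER" ] || return 1`, with the output quoted as `echo "$KVER"`. A one-line comment on the `cut -f1 -d +` stage saying it strips any build suffix after `+` would also help the next reader, since the pipeline is otherwise opaque.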
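Review bot: The container name `weblogic-server` becomes a literal in copy_to_k8 here and is repeated in the same form in create_workdir, run_command_k8 and run_wlst_command later in this diff; a single variable near the top of the file, `WLS_CONTAINER=weblogic-server`, used as `-c $WLS_CONTAINER` at the four call sites, keeps them in step if the container is ever renamed. The rest of copy_to_k8 is outside the hunk.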
@@ -434,6 +453,28 @@ create_domain_secret() print_time STEP "Create Domain Secret" $ST $ET >> $LOGDIR/timings.log } +create_domain_secret_wdt() +{ + namespace=$1 + domain_name=$2 + wlsuser=$3 + wlspwd=$4 + + ST=$(date +%s) + print_msg "Creating a Kubernetes Domain Secret" + if [ "$domain_name" = "$OIG_DOMAIN_NAME" ] + then + cd $WORKDIR/samples/create-oim-domain/domain-home-on-pv/wdt-utils + else + cd $WORKDIR/samples/create-access-domain/domain-home-on-pv/wdt-utils + fi + ./create-secret.sh -l "username=$wlsuser" -l "password=$wlspwd" -n $namespace -d $domain_name -s $domain_name-weblogic-credentials > $LOGDIR/domain_secret.log 2>&1 + + print_status $? $LOGDIR/domain_secret.log + ET=$(date +%s) + + print_time STEP "Create Domain Secret" $ST $ET >> $LOGDIR/timings.log +} create_rcu_secret() { namespace=$1 @@ -453,6 +494,32 @@ create_rcu_secret() print_time STEP "Create RCU Secret" $ST $ET >> $LOGDIR/timings.log } +create_rcu_secret_wdt() +{ + namespace=$1 + domain_name=$2 + rcuprefix=$3 + rcupwd=$4 + syspwd=$5 + dbhost=$6 + dbport=$7 + dbservice=$8 + + ST=$(date +%s) + print_msg "Creating a Kubernetes RCU Secret" + if [ "$domain_name" = "$OIG_DOMAIN_NAME" ] + then + cd $WORKDIR/samples/create-oim-domain/domain-home-on-pv/wdt-utils + else + cd $WORKDIR/samples/create-access-domain/domain-home-on-pv/wdt-utils + fi + ./create-secret.sh -l "rcu_prefix=$rcuprefix" -l "rcu_schema_password=$rcupwd" -l "db_host=$dbhost" -l "db_port=$dbport" -l "db_service=$dbservice" -l "dba_user=sys" -l "dba_password=$syspwd" -n $namespace -d $domain_name -s $domain_name-rcu-credentials > $LOGDIR/rcu_secret.log 2>&1 + + print_status $? $LOGDIR/rcu_secret.log + ET=$(date +%s) + + print_time STEP "Create RCU Secret" $ST $ET >> $LOGDIR/timings.log +} # Create a working directory inside the Kubernetes container # create_workdir() 
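Review bot: create_domain_secret_wdt hands the WebLogic password to `./create-secret.sh` on the command line (`-l "password=$wlspwd"`), which exposes it in the process list on the deployment host and in any `set -x` trace; create_rcu_secret_wdt in the next hunk does the same with the schema password and `dba_password=$syspwd`. If the sample script accepts the literals another way that should be preferred; otherwise a header comment stating that the credentials are visible to other local users for the duration of the call is the minimum. Both functions also `cd` into the wdt-utils directory without checking the result, so a missing samples tree makes `./create-secret.sh` run from the caller's directory; `cd ... || return 1` on each branch closes that gap, and a comment that the `cd` persists for the caller (the function runs in the same shell) would save a surprise.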
@@ -462,11 +529,11 @@ create_workdir() ST=$(date +%s) print_msg "Creating Work directory inside container" - kubectl exec -n $namespace -ti $domain_name-adminserver -- mkdir -p $K8_WORKDIR + kubectl exec -n $namespace -ti $domain_name-adminserver -c weblogic-server -- mkdir -p $K8_WORKDIR print_status $? printf "\t\t\tCreating Keystores directory inside container - " - kubectl exec -n $namespace -ti $domain_name-adminserver -- mkdir -p $PV_MOUNT/keystores + kubectl exec -n $namespace -ti $domain_name-adminserver -c weblogic-server -- mkdir -p $PV_MOUNT/keystores print_status $? ET=$(date +%s) @@ -481,7 +548,7 @@ run_command_k8() domain_name=$2 command=$3 - kubectl exec -n $namespace -ti $domain_name-adminserver -- $command + kubectl exec -n $namespace -ti $domain_name-adminserver -c weblogic-server -- $command } # Execute a command inside the Kubernetes container @@ -493,7 +560,7 @@ run_wlst_command() command=$3 WLSRETCODE=0 - kubectl exec -n $namespace -ti $domain_name-adminserver -- /u01/oracle/oracle_common/common/bin/wlst.sh $command + kubectl exec -n $namespace -ti $domain_name-adminserver -c weblogic-server -- /u01/oracle/oracle_common/common/bin/wlst.sh $command if [ $? -gt 0 ] then echo "Failed to Execute wlst command: $command" @@ -526,6 +593,7 @@ download_samples() print_time STEP "Download IDM Samples" $ST $ET >> $LOGDIR/timings.log } + # Copy Samples to Working Directory # copy_samples() 
@@ -573,6 +641,19 @@ download_maa_samples() print_time STEP "Download MAA Samples" $ST $ET >> $LOGDIR/timings.log } +# Generate the files required to Build the Domain Creation Image +# +generate_wdt_model_files() +{ + print_msg "Generating WDT Model Files" + + cd $WORKDIR/samples/create-*-domain/domain-home-on-pv/wdt-utils/generate_models_utils + ./generate_wdt_models.sh -i $WORKDIR/create-domain-wdt.yaml -o $WORKDIR >$LOGDIR/generate_wdt_models.log 2>&1 + print_status $? $LOGDIR/generate_wdt_models.log + ET=`date +%s` + print_time STEP "Generate WDT Model Files" $ST $ET >> $LOGDIR/timings.log +} + # Create helper pod # create_helper_pod () @@ -586,7 +667,7 @@ create_helper_pod () if [ "$?" = "0" ] then echo "Already Created" - check_running $NS helper + check_running $NS helper 5 else if [ "$USE_REGISTRY" = "true" ] then @@ -596,7 +677,7 @@ create_helper_pod () kubectl run helper --image $IMAGE -n $NS -- sleep infinity > $LOGDIR/helper.log 2>&1 print_status $? $LOGDIR/helper.log fi - check_running $NS helper + check_running $NS helper 20 fi ET=$(date +%s) print_time STEP "Create Helper Pod" $ST $ET >> $LOGDIR/timings.log @@ -607,7 +688,7 @@ create_helper_pod () remove_helper_pod() { NS=$1 - kubectl -n $NS delete pod,svc helper + kubectl -n $NS delete pod helper --force 2> /dev/null echo "Helper Pod Deleted:" } @@ -1133,15 +1214,25 @@ check_running() NAMESPACE=$1 SERVER_NAME=$2 DELAY=$3 - - printf "\t\t\tChecking $SERVER_NAME " + STEP=$4 + if ! [[ $DELAY =~ ^[0-9]+$ ]] + then + STEP=$DELAY + unset DELAY + fi + if [ "$STEP" = "true" ] + then + print_msg "Checking $SERVER_NAME" + else + printf "\t\t\tChecking $SERVER_NAME " + fi + if [ "$SERVER_NAME" = "adminserver" ] then sleep ${DELAY:=120} else sleep ${DELAY:=120} fi - X=0 RETRIES=1 MAX_RETRIES=50 
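Review bot: The `cd $WORKDIR/samples/create-*-domain/domain-home-on-pv/wdt-utils/generate_models_utils` line depends on a glob: when both the OIG and the OAM sample trees exist under `$WORKDIR/samples` (both are referenced by create_domain_secret_wdt earlier in this diff), the glob expands to two paths, bash's `cd` fails with "too many arguments", and `./generate_wdt_models.sh` then runs from whatever directory the caller was in. The function also never sets `ST`, so `print_time` records whatever value a previous step left in it, and `ET` uses backticks where the rest of the file uses `$(...)`. The domain type should be chosen explicitly, as the two *_wdt secret helpers do, and the `cd` checked; the version below takes the domain name as its first argument, so callers (not visible here) would need to pass it.

```shell
generate_wdt_model_files()
{
  ST=$(date +%s)
  print_msg "Generating WDT Model Files"

  # Select the sample tree explicitly: a glob over create-*-domain matches both
  # trees when OAM and OIG are deployed together, and cd then fails.
  if [ "$1" = "$OIG_DOMAIN_NAME" ]
  then
    wdt_dir=$WORKDIR/samples/create-oim-domain/domain-home-on-pv/wdt-utils/generate_models_utils
  else
    wdt_dir=$WORKDIR/samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils
  fi
  cd "$wdt_dir" || { echo "Cannot cd to $wdt_dir"; return 1; }
  # … unchanged: generate_wdt_models.sh invocation and print_status …
  ET=$(date +%s)
  print_time STEP "Generate WDT Model Files" $ST $ET >> $LOGDIR/timings.log
}
```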
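Review bot: remove_helper_pod now discards kubectl's stderr and prints `Helper Pod Deleted:` whether or not the delete succeeded, so a failure (wrong namespace, RBAC denial) passes silently; `if kubectl -n $NS delete pod helper --force 2>/dev/null; then echo "Helper Pod Deleted:"; else echo "Helper Pod not deleted"; fi` reports the actual outcome. `--force` skips graceful termination, which is harmless for a `sleep infinity` pod, but a short comment saying why it was added would help. The previous command also deleted a `svc` named helper; if one is still created anywhere it now survives this cleanup.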
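Review bot: check_running's third argument is now overloaded — a number is the pre-poll delay, while a non-numeric value (presumably the literal `true` that existing callers pass) is taken as STEP and the delay falls back to the default — and the fourth argument is STEP only when a delay was supplied; nothing in the hunk documents this, and the callers changed earlier in this diff (`check_running $NS helper 5`, `check_running $NS helper 20`) read differently from the older form. A header comment stating the accepted forms, e.g. `# Usage: check_running NAMESPACE SERVER_NAME [DELAY] [STEP]`, `#   DELAY: seconds to wait before polling (default 120)`, `#   STEP: "true" to announce the check via print_msg; may be passed third when DELAY is omitted`, would make the shim readable. The `if/else` around `sleep ${DELAY:=120}` just below the new code has identical branches; it predates this change but could be collapsed while here. check_running's body continues outside the hunk.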
@@ -1190,17 +1281,6 @@ check_running() exit 1 fi - if [ "$SERVER_NAME" = "oim-server1" ] - then - kubectl logs -n $OIGNS ${OIG_DOMAIN_NAME}-oim-server1 | grep -q "BootStrap configuration Failed" - if [ $? = 0 ] - then - echo "BootStrap configuration Failed - check kubectl logs -n $OIGNS ${OIG_DOMAIN_NAME}-oim-server1" - exit 1 - fi - fi - - if [ ! "$RUNNING" = "0" ] then X=$MAX_RETRIES 
@@ -1223,6 +1303,71 @@ check_running()
 fi
 }
+# Check introspector
+#
+check_introspector()
+{
+ NAMESPACE=$1
+
+ ST=$(date +%s)
+ print_msg "Waiting for Introspector to complete"
+
+ POD_RUNNING=true
+ while [ "$POD_RUNNING" = "true" ]
+ do
+ POD=$(kubectl -n $NAMESPACE get pods -o wide --no-headers=true --ignore-not-found | grep introspect | head -1 )
+
+ if [ "$POD" = "" ]
+ then
+ POD_RUNNING=false
+ else
+ PODSTATUS=$(echo $POD | awk '{ print $3 }')
+ if [ "$PODSTATUS" = "CrashLoopBackOff" ] || [ "$PODSTATUS" = "Pending" ] || [ "$PODSTATUS" = "Init:CrashLoopBackOff" ] || [ "$PODSTATUS" = "Init:Pending" ]
+ then
+ echo $POD > $LOGDIR/check_introspector.log 2>&1
+ POD_NAME=$(echo $POD | cut -f1 -d ' ')
+ kubectl describe pod -n $NAMESPACE $POD_NAME >> $LOGDIR/check_introspector.log 2>&1
+ kubectl logs -n $NAMESPACE $POD_NAME >> $LOGDIR/check_introspector.log 2>&1
+ echo "Pod introspector has failed - Pod Status: $PODSTATUS - Check Logfile: $LOGDIR/check_introspector.log"
+ exit 1
+ fi
+ fi
+ echo -e ".\c"
+ sleep 60
+ done
+
+ if [ "$POD_RUNNING" = "false" ]
+ then
+ echo " Completed."
+ fi
+ ET=`date +%s`
+ print_time STEP "Waiting for Introspector" $ST $ET >> $LOGDIR/timings.log
+}
+
+# Check domain created successfully
+#
+check_domain_ok()
+{
+ NAMESPACE=$1
+ DOMAIN_NAME=$2
+
+ ST=$(date +%s)
+ print_msg "Check Domain created without error"
+
+ kubectl describe domain -n $NAMESPACE $DOMAIN_NAME > $LOGDIR/domain_status.log
+ grep -q SEVERE $LOGDIR/domain_status.log
+ if [ $? -eq 0 ]
+ then
+ echo "Failed - Check Logfile: $LOGDIR/domain_status.log"
+ exit 1
+ else
+ echo "Success"
+ fi
+
+ ET=`date +%s`
+ print_time STEP "Check Domain Created without Error" $ST $ET >> $LOGDIR/timings.log
+}
+
 
 # Check whether a Kubernetes pod has shutdown
 #
 check_stopped()
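Review bot: check_introspector's failure set (`CrashLoopBackOff`, `Pending`, `Init:CrashLoopBackOff`, `Init:Pending`) does not include `Error`, so if the operator leaves a failed introspector pod listed in that state the loop sleeps 60 seconds per turn with no upper bound, while `Pending` is treated as fatal even though it is the normal state before a pod is scheduled on a slow node. A retry cap like the one check_running uses, with `Error` added to the failure list, would bound the wait. In check_domain_ok, a failing `kubectl describe domain` (wrong name, CRD absent) leaves an empty `domain_status.log` in which `grep -q SEVERE` finds nothing, so the function prints `Success`; check the describe result first: `kubectl describe domain -n $NAMESPACE $DOMAIN_NAME > $LOGDIR/domain_status.log 2>&1 || { echo "Failed - Check Logfile: $LOGDIR/domain_status.log"; exit 1; }`. Both new functions assign `ET` with backticks where the rest of the file uses `$(...)`.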
@@ -1238,7 +1383,7 @@ check_stopped() while [ $X -lt $RETRIES ] do - POD=$(kubectl --namespace $NAMESPACE get pod | grep $SERVER_NAME) + POD=$(kubectl --ignore-not-found=true --namespace $NAMESPACE get pod | grep $SERVER_NAME) PODSTATUS=$(echo $POD | awk '{ print $3 }') RUNNING=$(echo $POD | awk '{ print $2 }') if [ "$POD" = "" ] @@ -1379,6 +1524,7 @@ get_lbr_certificate() print_msg "Obtaining Load Balancer Certificate $LBRHOST:$LBRPORT" ST=$(date +%s) + openssl s_client -connect ${LBRHOST}:${LBRPORT} -showcerts /dev/null|openssl x509 -outform PEM > $WORKDIR/${LBRHOST}.pem 2>$LOGDIR/lbr_cert.log print_status $? $LOGDIR/lbr_cert.log 
@@ -2499,3 +2645,42 @@ copy_files_to_dr()
 ET=$(date +%s)
 print_time STEP "Copying OHS Configuration to $DR_HOST" $ST $ET >> $LOGDIR/timings.log
 }
+
+# Check health-check is not being blocked
+#
+check_healthcheck_ok()
+{
+ ST=$(date +%s)
+ print_msg "Checking Health-check is not blocked"
+
+ printf "\n\t\t\t$OHS_HOST1 - "
+ blocked_ip=$( $SSH ${OHS_USER}@$OHS_HOST1 grep health-check.html $OHS_DOMAIN/servers/ohs?/logs/access_log | grep 403 | awk '{ print $1 }' | tail -1 )
+ if [ "$blocked_ip" = "" ]
+ then
+ echo "Success"
+ else
+ printf "Blocked by IP Address: $blocked_ip - Fixing - "
+ $SSH ${OHS_USER}@$OHS_HOST1 -C sed -i \"/ require host/a "\\ require ip $blocked_ip"\" $OHS_DOMAIN/config/fmwconfig/components/OHS/ohs?/webgate.conf
+ print_status $?
+ printf "\t\t\tRestarting OHS $OHS_HOST1 - "
+ $SSH ${OHS_USER}@$OHS_HOST1 "$OHS_DOMAIN/bin/restartComponent.sh $OHS1_NAME" > $LOGDIR/restart_$OHS_HOST1.log 2>&1
+ print_status $? $LOGDIR/restart_$OHS_HOST1.log
+ fi
+
+ if [ ! "$OHS_HOST2" = "" ]
+ then
+ printf "\n\t\t\t$OHS_HOST2 - "
+ blocked_ip=$( $SSH ${OHS_USER}@$OHS_HOST2 grep health-check.html $OHS_DOMAIN/servers/ohs?/logs/access_log | grep 403 | awk '{ print $1 }' | tail -1 )
+ if [ "$blocked_ip" = "" ]
+ then
+ echo "Success"
+ else
+ printf "Blocked by IP Address: $blocked_ip - Fixing - "
+ $SSH ${OHS_USER}@$OHS_HOST2 -C sed -i \"/ require host/a "\\ require ip $blocked_ip"\" $OHS_DOMAIN/config/fmwconfig/components/OHS/ohs?/webgate.conf
+ print_status $?
+ printf "\t\t\tRestarting OHS $OHS_HOST2 - "
+ $SSH ${OHS_USER}@$OHS_HOST2 "$OHS_DOMAIN/bin/restartComponent.sh $OHS2_NAME" > $LOGDIR/restart_$OHS_HOST2.log 2>&1
+ print_status $? $LOGDIR/restart_$OHS_HOST2.log
+ fi
+ fi
+}
diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oaa_functions.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oaa_functions.sh
index dadc9fbc..95d10027 100755
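Review bot: check_healthcheck_ok takes the client address of the most recent 403 on `health-check.html` from the access log and appends it to webgate.conf as `require ip`, with no check that the address is the load balancer's health-check source; any client that was correctly refused on that path gets allow-listed on the next run, and the value is interpolated unvalidated into a `sed -i` script executed over ssh on the OHS host. At minimum validate the shape before using it, `[[ "$blocked_ip" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || { echo "Unexpected address in access_log: $blocked_ip"; return 1; }`, and preferably compare it against the expected health-check source(s) instead of trusting the log. `grep 403` is also unanchored and matches `403` anywhere on the line (a byte count, part of a path), so selecting on the status field — `awk '$9 == 403 { print $1 }'`, assuming the default combined log format — is safer. The HOST1 and HOST2 branches are identical apart from the host and component name; a helper taking those two arguments, called once or twice, would halve the function.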
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oaa_functions.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oaa_functions.sh @@ -1,4 +1,5 @@ -# Copyright (c) 2022, 2023, Oracle and/or its affiliates. +#!/bin/bash +# Copyright (c) 2022, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of functions and procedures to provision and Configure Oracle Advanced Authentication @@ -111,7 +112,7 @@ prepare_property_file() ST=$(date +%s) kubectl cp $OAANS/oaa-mgmt:/u01/oracle/installsettings/installOAA.properties $WORKDIR/installOAA.properties > $LOGDIR/create_property.log 2>&1 - kubectl cp $OAANS/oaa-mgmt:/u01/oracle/installsettings/oaaoverride.yaml $WORKDIR/oaaoverride.yaml > $LOGDIR/create_property.log 2>&1 + cp $TEMPLATE_DIR/oaaoverride.yaml $WORKDIR/oaaoverride.yaml > $LOGDIR/create_property.log 2>&1 propfile=$WORKDIR/installOAA.properties override=$WORKDIR/oaaoverride.yaml 
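Review bot: The new `cp $TEMPLATE_DIR/oaaoverride.yaml ...` redirects with `>` into the same `create_property.log` that the preceding `kubectl cp` just wrote, truncating that command's diagnostics, and its own result is unchecked even though the rest of prepare_property_file edits `$override` with `sed -i`, so a missing template surfaces as a series of sed errors rather than a clear message. `cp $TEMPLATE_DIR/oaaoverride.yaml $WORKDIR/oaaoverride.yaml >> $LOGDIR/create_property.log 2>&1 || { echo "oaaoverride.yaml not found in $TEMPLATE_DIR"; exit 1; }` addresses both. prepare_property_file continues outside the hunk.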
@@ -129,9 +130,22 @@ prepare_property_file() replace_value database.name "" $propfile replace_value database.createschema true $propfile replace_value common.deployment.name $OAA_DEPLOYMENT $propfile + replace_value oauth.applicationid $OAA_DEPLOYMENT $propfile replace_value common.kube.namespace $OAANS $propfile replace_value common.deployment.keystorepassphrase $OAA_KEYSTORE_PWD $propfile replace_value common.deployment.truststorepassphrase $OAA_KEYSTORE_PWD $propfile + + if [ "$INSTALL_OAA" = "true" ] && [ "$INSTALL_OUA" = "true" ] && [ "$INSTALL_RISK" = "true" ] + then + replace_value common.deployment.mode OUA $propfile + replace_value install.global.drssapikey $OAA_API_PWD $propfile + elif [ "$INSTALL_OAA" = "true" ] && [ "$INSTALL_RISK" = "true" ] + then + replace_value common.deployment.mode Both $propfile + elif [ "$INSTALL_OAA" = "true" ] + then + replace_value common.deployment.mode OAA $propfile + fi replace_value oauth.domainname $OAA_DOMAIN $propfile replace_value oauth.identityprovider OAMIDSTORE $propfile replace_value oauth.clientpassword $OAA_OAUTH_PWD $propfile @@ -216,6 +230,8 @@ prepare_property_file() replace_value install.risk.service.type NodePort $propfile replace_value install.risk.riskcc.service.type NodePort $propfile replace_value install.customfactor.service.type NodePort $propfile + replace_value install.oaa-drss.service.type NodePort $propfile + else replace_value install.service.type ClusterIP $propfile replace_value install.oaa-admin-ui.service.type ClusterIP $propfile 
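Review bot: The deployment-mode chain has no arm for `INSTALL_OAA=true`, `INSTALL_OUA=true`, `INSTALL_RISK=false`: that combination falls through to `common.deployment.mode OAA` and OUA is silently not configured, while the README table earlier in this diff presents the three flags as independent. If OUA requires RISK, as the first arm suggests, reject the combination explicitly — `elif [ "$INSTALL_OAA" = "true" ] && [ "$INSTALL_OUA" = "true" ]; then echo "INSTALL_OUA requires INSTALL_RISK=true"; exit 1` — or document the dependency next to the flags. The first arm also reuses `$OAA_API_PWD` for `install.global.drssapikey`, so the OAA API password and the DRSS API key become one credential; a dedicated variable with its own row in the parameter table would keep them separable and independently rotatable. prepare_property_file continues outside the hunk.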
@@ -231,6 +247,7 @@ prepare_property_file() replace_value install.risk.service.type ClusterIP $propfile replace_value install.risk.riskcc.service.type ClusterIP $propfile replace_value install.customfactor.service.type ClusterIP $propfile + replace_value install.oaa-drss.service.type ClusterIP $propfile awk -v "var=install.ingress.hosts\\\\[0\\\\].host=${OAM_LOGIN_LBR_HOST}\ninstall.ingress.hosts\\\\[1\\\\].host=${OAM_ADMIN_LBR_HOST}" '/install.ingress.hosts/ && !x {print var; x=1} 1' $propfile > ${propfile}1 mv ${propfile}1 $propfile fi @@ -249,10 +266,11 @@ prepare_property_file() sed -i "/sms:/{n;s/replicaCount.*/replicaCount: $OAA_SMS_REPLICAS/}" $override sed -i "/oaa-policy:/{n;s/replicaCount.*/replicaCount: $OAA_POLICY_REPLICAS/}" $override sed -i "/push:/{n;s/replicaCount.*/replicaCount: $OAA_PUSH_REPLICAS/}" $override - echo "resources:" >> $override - echo " requests:" >> $override - echo " cpu: $OAA_OAA_CPU" >> $override - echo " memory: \"$OAA_OAA_MEMORY\"" >> $override + sed -i "/risk:/{n;s/replicaCount.*/replicaCount: $OAA_RISK_REPLICAS/}" $override + sed -i "/risk-cc:/{n;s/replicaCount.*/replicaCount: $OAA_RISKCC_REPLICAS/}" $override + sed -i "/oaa-drss:/{n;s/replicaCount.*/replicaCount: $OAA_DRSS_REPLICAS/}" $override + sed -i "/oaa-kba:/{n;s/replicaCount.*/replicaCount: $OAA_KBA_REPLICAS/}" $override + sed -i "/^replicaCount:/a\resources:\n requests:\n cpu: $OAA_OAA_CPU\n memory: \"$OAA_OAA_MEMORY\"" $override sed -i "/spui:/a\ resources:\n requests:\n cpu: $OAA_SPUI_CPU\n memory: \"$OAA_SPUI_MEMORY\"" $override sed -i "/totp:/a\ resources:\n requests:\n cpu: $OAA_TOTP_CPU\n memory: \"$OAA_TOTP_MEMORY\"" $override sed -i "/yotp:/a\ resources:\n requests:\n cpu: $OAA_YOTP_CPU\n memory: \"$OAA_YOTP_MEMORY\"" $override 
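Review bot: Each of the new `sed -i "/<key>:/{n;s/replicaCount.*/...}"` edits and the `/^replicaCount:/a\...` insertion is a silent no-op when the key is absent from the template copied in earlier in this function, and the `{n;s/...}` form assumes `replicaCount:` is the very next line after the key, so template drift leaves `$override` without the intended replica or resource settings and no error. A guard before the block, `grep -q '^replicaCount:' $override || { echo "Unexpected oaaoverride.yaml layout"; exit 1; }`, catches the most likely breakage. The `/risk:/` pattern is unanchored and also matches any key whose name ends in `risk:`; if the template has such a key the wrong replica count is rewritten. prepare_property_file continues outside the hunk.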
@@ -264,8 +282,9 @@ prepare_property_file() sed -i "/oaa-policy:/a\ resources:\n requests:\n cpu: $OAA_POLICY_CPU\n memory: \"$OAA_POLICY_MEMORY\"" $override sed -i "/customfactor:/a\ resources:\n requests:\n cpu: $OAA_CUSTOM_CPU\n memory: \"$OAA_CUSTOM_MEMORY\"" $override sed -i "/risk:/a\ resources:\n requests:\n cpu: $OAA_RISK_CPU\n memory: \"$OAA_RISK_MEMORY\"" $override - sed -i "/^riskcc:/a\ resources:\n requests:\n cpu: $OAA_RISKCC_CPU\n memory: \"$OAA_RISKCC_MEMORY\"" $override + sed -i "/risk-cc:/a\ resources:\n requests:\n cpu: $OAA_RISKCC_CPU\n memory: \"$OAA_RISKCC_MEMORY\"" $override sed -i "/oaa-admin-ui:/a\ resources:\n requests:\n cpu: $OAA_ADMIN_CPU\n memory: \"$OAA_ADMIN_MEMORY\"" $override + sed -i "/oaa-drss:/a\ resources:\n requests:\n cpu: $OAA_DRSS_CPU\n memory: \"$OAA_DRSS_MEMORY\"" $override copy_to_oaa $propfile /u01/oracle/scripts/settings/installOAA.properties $OAANS oaa-mgmt >> $LOGDIR/create_property.log 2>&1 @@ -293,7 +312,7 @@ create_rbac() kubectl apply -f $WORKDIR/$filename > $LOGDIR/create_rbac.log 2>&1 print_status $? $LOGDIR/create_rbac.log - KVER=`kubectl version --short 2>/dev/null | grep Server | cut -f2 -d: |sed 's/v//;s/ //g' ` + KVER=$(get_k8_ver) KVER=${KVER:0:4} if [ $KVER > "1.23" ] then @@ -543,6 +562,9 @@ validate_oauth() print_time STEP "Validate OAuth" $ST $ET >> $LOGDIR/timings.log } +# +# Add all existing users in LDAP in User Search base to OAA_USER_GROUP +# add_existing_users() { @@ -623,14 +645,10 @@ create_ohs_entries() ST=$(date +%s) print_msg "Add OHS Directives" - - cp $TEMPLATE_DIR/ohs_login.conf $WORKDIR - cp $TEMPLATE_DIR/ohs_admin.conf $WORKDIR + print_status $? + cp $TEMPLATE_DIR/create_ohs_wallet.sh $WORKDIR - update_variable "" $K8_WORKER_HOST1 $WORKDIR/ohs_login.conf - update_variable "" $K8_WORKER_HOST2 $WORKDIR/ohs_login.conf - if [ "$USE_INGRESS" = "false" ] then OAA_K8=`get_k8_port oaa $OAANS` 
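Review bot: The rewritten `risk-cc:` resources line drops the `^` anchor the removed `^riskcc:` line had, so `/risk-cc:/` now also matches an indented or commented occurrence of the key anywhere in the override file and would append a second `resources:` block there; the neighbouring patterns are unanchored too, so this may be deliberate for consistency, but if the key is top-level `/^risk-cc:/` (and `/^oaa-drss:/` for the new line) keeps the edit precise. prepare_property_file continues outside the hunk.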
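Review bot: `if [ $KVER > "1.23" ]` on the context line right after the new `KVER=$(get_k8_ver)` is not a comparison: inside single brackets `>` is a redirection, so the test reduces to `[ $KVER ]`, is true for any non-empty version, and creates a file named `1.23` in the current directory on every run. Use `if [[ "$KVER" > "1.23" ]]` (or `[ "$KVER" \> "1.23" ]` for POSIX sh); with `KVER=${KVER:0:4}` the value is always `1.NN`, so a string comparison is adequate here. It would also be worth failing when `get_k8_ver` returns nothing, since an empty KVER otherwise takes the else branch silently. create_rbac continues outside the hunk.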
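Review bot: The new `print_status $?` placed directly after `print_msg "Add OHS Directives"` reports the exit status of `print_msg` itself, not of any step, so it always prints success, while the command that follows it, `cp $TEMPLATE_DIR/create_ohs_wallet.sh $WORKDIR`, is the one whose failure matters and is left unchecked. Swap the order so the copy is checked: `cp $TEMPLATE_DIR/create_ohs_wallet.sh $WORKDIR` then `print_status $?`. create_ohs_entries continues outside the hunk.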
@@ -646,8 +664,7 @@ create_ohs_entries()
 OAA_KBA_K8=`get_k8_port kba $OAANS`
 RISK_ANAL_K8=`get_k8_port risk $OAANS`
 RISK_CC_K8=`get_k8_port risk-cc $OAANS`
- OUA_K8=`get_k8_port oua $OAANS`
- OUA_ADMIN_K8=`get_k8_port oua-admin-ui $OAANS`
+ OAA_DRSS_K8=`get_k8_port oaa-drs $OAANS`
 else
 OAA_K8=$INGRESS_HTTP_PORT
 OAA_POLICY_K8=$INGRESS_HTTP_PORT
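Review bot: `OAA_DRSS_K8=\`get_k8_port oaa-drs $OAANS\`` looks up a service named `oaa-drs`, while every other reference in this change (`install.oaa-drss.service.type`, the `oaa-drss:` override key, the `/oaa-drss/oua/property/v1` endpoint) spells it `oaa-drss`; if the Kubernetes service is also named `oaa-drss`, this lookup returns nothing and the OHS directives get an empty port. Unless the service really is `oaa-drs`, change it to `OAA_DRSS_K8=\`get_k8_port oaa-drss $OAANS\``. create_ohs_entries continues outside the hunk.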
@@ -662,50 +679,21 @@ create_ohs_entries() OAA_KBA_K8=$INGRESS_HTTP_PORT RISK_ANAL_K8=$INGRESS_HTTP_PORT RISK_CC_K8=$INGRESS_HTTP_PORT - OUA_K8=$INGRESS_HTTP_PORT - OUA_ADMIN_K8=$INGRESS_HTTP_PORT - sed -i '/SecureProxy/d' $WORKDIR/ohs_login.conf - sed -i '/SecureProxy/d' $WORKDIR/ohs_admin.conf + OAA_DRSS_K8=$INGRESS_HTTP_PORT fi - update_variable "" $OAA_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_FIDO_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_SPUI_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_EMAIL_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_SMS_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_TOTP_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_YOTP_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_KBA_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_PUSH_K8 $WORKDIR/ohs_login.conf - update_variable "" $OAA_POLICY_K8 $WORKDIR/ohs_login.conf - update_variable "" $RISK_ANAL_K8 $WORKDIR/ohs_login.conf - update_variable "" $RISK_CC_K8 $WORKDIR/ohs_login.conf - update_variable "" $OUA_K8 $WORKDIR/ohs_login.conf - - update_variable "" $K8_WORKER_HOST1 $WORKDIR/ohs_admin.conf - update_variable "" $K8_WORKER_HOST2 $WORKDIR/ohs_admin.conf - update_variable "" $OAA_ADMINUI_K8 $WORKDIR/ohs_admin.conf - update_variable "" $OAA_KBA_K8 $WORKDIR/ohs_admin.conf - update_variable "" $OUA_ADMIN_K8 $WORKDIR/ohs_admin.conf OHSHOST1FILES=$LOCAL_WORKDIR/OHS/$OHS_HOST1 OHSHOST2FILES=$LOCAL_WORKDIR/OHS/$OHS_HOST2 - grep -q "/oaa/rui" $OHSHOST1FILES/login_vh.conf - if [ $? -gt 0 ] + NODELIST=$(kubectl get nodes --no-headers=true | cut -f1 -d ' ') + create_location $TEMPLATE_DIR/locations.txt "$NODELIST" $OHSHOST1FILES + print_status $? + + if [ ! "$OHS_HOST2" = "" ] then - sed -i '/<\/VirtualHost>/d' $OHSHOST1FILES/iadadmin_vh.conf - sed -i '/<\/VirtualHost>/d' $OHSHOST1FILES/login_vh.conf - cat $WORKDIR/ohs_login.conf >> $OHSHOST1FILES/login_vh.conf - cat $WORKDIR/ohs_admin.conf >> $OHSHOST1FILES/iadadmin_vh.conf - - if [ ! 
"$OHS_HOST2" = "" ] - then - sed -i '/<\/VirtualHost>/d' $OHSHOST2FILES/iadadmin_vh.conf - sed -i '/<\/VirtualHost>/d' $OHSHOST2FILES/login_vh.conf - cat $WORKDIR/ohs_login.conf >> $OHSHOST2FILES/login_vh.conf - cat $WORKDIR/ohs_admin.conf >> $OHSHOST2FILES/iadadmin_vh.conf - fi + create_location $TEMPLATE_DIR/locations.txt "$NODELIST" $OHSHOST2FILES + print_status $? fi update_variable "" $OHS_ORACLE_HOME $WORKDIR/create_ohs_wallet.sh @@ -713,7 +701,6 @@ create_ohs_entries() update_variable "" $K8_WORKER_HOST1 $WORKDIR/create_ohs_wallet.sh update_variable "" $OAA_K8 $WORKDIR/create_ohs_wallet.sh - print_status $? ET=$(date +%s) print_time STEP "Add OHS Directives" $ST $ET >> $LOGDIR/timings.log } @@ -964,6 +951,7 @@ register_tap() print_time STEP "Create OAM TAP Partner" $ST $ET >> $LOGDIR/timings.log } + # Create UMS integration # configure_ums() @@ -982,7 +970,8 @@ configure_ums() GET_CURL_COMMAND="curl -s -X GET -u $USER" POST_CURL_COMMAND="curl --location -k --request POST " - PUT_CURL_COMMAND="curl --location -k --request PUT " + PUT_CURL_COMMAND="curl --fail --location -k --request PUT " + PUT_CURL_COMMAND1="curl --location -k --request PUT " CONTENT_TYPE="-H 'Content-Type: application/json' -H 'Authorization: Basic $USER'" PAYLOAD="-d '[" \ 
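Review bot: `NODELIST=$(kubectl get nodes --no-headers=true | cut -f1 -d ' ')` is handed to `create_location` without checking that kubectl succeeded, so an API error or expired kubeconfig yields an empty node list and OHS location directives with no backends, and the `print_status $?` that follows only reflects `create_location`. Add a guard between the two, `[ -n "$NODELIST" ] || { echo "Failed to list Kubernetes nodes"; exit 1; }`, since the pipeline's exit status is `cut`'s rather than kubectl's. The same unchecked lookup is introduced in the create_oam_ohs_config hunk of common/oam_functions.sh later in this diff. create_ohs_entries continues outside the hunk.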
@@ -991,13 +980,26 @@ configure_ums() PAYLOAD=$PAYLOAD"{ \"name\": \"bharosa.uio.default.challenge.type.enum.ChallengeEmail.umsClientPass\",\"value\": \"$OAA_EMAIL_PWD\"}," PAYLOAD=$PAYLOAD"{ \"name\": \"bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientURL\",\"value\": \"$OAA_SMS_SERVER\"}," PAYLOAD=$PAYLOAD"{ \"name\": \"bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientName\",\"value\": \"$OAA_SMS_USER\"}," - PAYLOAD=$PAYLOAD"{ \"name\": \"bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientPass\",\"value\": \"$OAA_SMS_PWD\"}" + PAYLOAD=$PAYLOAD"{ \"name\": \"bharosa.uio.default.challenge.type.enum.ChallengeSMS.umsClientPass\",\"value\": \"$OAA_SMS_PWD\"}", + PAYLOAD=$PAYLOAD"{ \"name\": \"oaa.default.spui.pref.runtime.autoCreateUser\",\"value\": \"true\"}" PAYLOAD=$PAYLOAD" ]'" - echo "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" > $LOGDIR/configure_ums.log 2>&1 + echo "$PUT_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" > $LOGDIR/configure_ums.log 2>&1 eval "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/configure_ums.log 2>&1 - print_status $? $LOGDIR/configure_ums.log - + if [ $? -gt 0 ] + then + eval $PUT_CURL_COMMAND1 >> $LOGDIR/configure_ums.log 2>&1 + grep -q "already exists" $LOGDIR/configure_ums.log + if [ $? = 0 ] + then + echo "Already Exists" + else + echo "Failed - see logfile $LOGDIR/configure_ums.log" + exit 1 + fi + else + echo "Success" + fi ET=$(date +%s) print_time STEP "Create OAA Agent" $ST $ET >> $LOGDIR/timings.log 
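Review bot: In the new fallback branch `eval $PUT_CURL_COMMAND1 >> $LOGDIR/configure_ums.log 2>&1` runs `curl --location -k --request PUT` with no URL, headers or payload, so curl exits with "no URL specified", the log never contains `already exists`, and the step always ends in `exit 1` whenever the `--fail` request saw an HTTP error; the intended line, as written in create_cookie_domain further down, is `eval "$PUT_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/configure_ums.log 2>&1`. In the `ChallengeSMS.umsClientPass` line the trailing comma sits outside the closing quote (`\"$OAA_SMS_PWD\"}",`); it still concatenates, but it belongs inside the string like the other elements. The retry-without-`--fail` pattern also issues the PUT twice on any error, including transient 5xx; a single `curl -s -w '%{http_code}'` call would give both the status and the body to grep. configure_ums continues outside the hunk.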
@@ -1032,17 +1034,24 @@ create_oaa_agent() echo "$POST_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" > $LOGDIR/create_oaa_agent.log 2>&1 eval "$POST_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/create_oaa_agent.log 2>&1 - sleep 10 + sleep 15 echo "$GET_CURL_COMMAND | jq -r .agents[].agentgid" >> $LOGDIR/create_oaa_agent.log 2>&1 - XX="$GET_CURL_COMMAND | jq -r .agents[].agentgid" - AGENTID=`eval $XX` + XX="$GET_CURL_COMMAND" - if [ "$AGENTID" = "" ] + echo "" >> $LOGDIR/create_oaa_agent.log + eval $XX >> $LOGDIR/oaa_agent.log 2>&1 + + grep -q "agentgid" $LOGDIR/oaa_agent.log + if [ $? -eq 0 ] then - echo "Failed - Check Logfile $LOGDIR/create_oaa_agent.log" - exit 1 + AGENTID=$(grep "status" $LOGDIR/oaa_agent.log | jq -r .agents[].agentgid) + echo "Success" + else + echo "Failed - Check Logfile $LOGDIR/create_oaa_agent.log" + exit 1 fi + printf "\t\t\tUpdating Agent - " REST_API="'$ADMINURL/oaa-policy/agent/v1/$AGENTID'" PAYLOAD1="-d '{\"description\" : \"OAM TAP Agent\"," PAYLOAD1=$PAYLOAD1"\"privateKey\": \"$OAA_KEY\"," @@ -1059,7 +1068,8 @@ create_oaa_agent() ET=$(date +%s) print_time STEP "Create OAA Agent" $ST $ET >> $LOGDIR/timings.log } - + + # Obtain OAA Plugin # copy_plugin() @@ -1144,6 +1154,7 @@ create_auth_module() update_variable "" $OAM_LOGIN_LBR_PROTOCOL $filename update_variable "" $OAM_LOGIN_LBR_HOST $filename update_variable "" $OAM_LOGIN_LBR_PORT $filename + update_variable "" $OAA_DEPLOYMENT $filename ADMINURL=http://$OAM_ADMIN_LBR_HOST:$OAM_ADMIN_LBR_PORT @@ -1293,7 +1304,7 @@ delete_auth_policy() LOG=$1 - DELETE_URL="http://$OAM_ADMIN_LBR_HOST:$OAM_ADMIN_LBR_PORT/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnpolicy?appdomain=IAM Suite&name=OAA_MFA-Policy" + DELETE_URL="http://$OAM_ADMIN_LBR_HOST:$OAM_ADMIN_LBR_PORT/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnpolicy?appdomain=IAM%20Suite&name=OAA_MFA-Policy" USER=`encode_pwd $LDAP_OAMADMIN_USER:$LDAP_USER_PWD` 
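Review bot: `eval $XX >> $LOGDIR/oaa_agent.log 2>&1` appends to a log that is never truncated, and the `grep -q "agentgid"` and `grep "status" … | jq -r .agents[].agentgid` that follow read the whole file, so on a re-run a response from a previous execution satisfies the check and `AGENTID` can become several ids joined by newlines, which then go into `REST_API`. Write the response with `>` instead of `>>` (or to a fresh `mktemp` file) and restore the removed empty-id guard after the jq call: `[ -n "$AGENTID" ] || { echo "Failed - Check Logfile $LOGDIR/create_oaa_agent.log"; exit 1; }`. The failure message also points at `create_oaa_agent.log` while the response that would explain it is in `oaa_agent.log`. create_oaa_agent continues outside the hunk.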
@@ -1310,6 +1321,47 @@ delete_auth_policy() fi } + +# Set OAA Cookie Domain +# +create_cookie_domain() +{ + ST=$(date +%s) + print_msg "Setting OAA Cookie Domain" + + USER=`encode_pwd ${OAA_DEPLOYMENT}-oaa-policy:${OAA_API_PWD}` + PUT_CURL_COMMAND="curl -k -g --fail --request PUT --location " + PUT_CURL_COMMAND1="curl -k -g --request PUT --location " + CONTENT_TYPE="-H 'Content-Type: application/json' -H 'Authorization: Basic $USER'" + PAYLOAD="-d '[{\"name\": \"oaa.browser.cookie.domain\", \"value\": \"$OAM_LOGIN_LBR_HOST\"}," + PAYLOAD=$PAYLOAD"{ \"name\": \"oaa.risk.integration.postauth.cp\",\"value\": \"postauth\"}" + PAYLOAD=$PAYLOAD" ]'" + ADMINURL=$OAM_ADMIN_LBR_PROTOCOL://$OAM_ADMIN_LBR_HOST:$OAM_ADMIN_LBR_PORT + REST_API="'$ADMINURL/policy/config/property/v1'" + + echo " " > $LOGDIR/create_cookie_domain.log 2>&1 + echo "$PUT_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/create_cookie_domain.log 2>&1 + eval "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/create_cookie_domain.log 2>&1 + if [ $? -gt 0 ] + then + eval "$PUT_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/create_cookie_domain.log 2>&1 + grep -q "already exists" $LOGDIR/create_cookie_domain.log + if [ $? = 0 ] + then + echo "Already Exists" + else + echo "Failed - see logfile $LOGDIR/create_cookie_domain.log" + exit 1 + fi + else + echo "Success" + fi + + + ET=$(date +%s) + print_time STEP "Setting OAA Cookie Domain" $ST $ET >> $LOGDIR/timings.log +} + # Create OAA Test User # 
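Review bot: `echo "$PUT_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/create_cookie_domain.log` writes the full `Authorization: Basic $USER` header — the base64 of `${OAA_DEPLOYMENT}-oaa-policy:${OAA_API_PWD}` — into a plain log file, and set_drss_param_oua and add_oua_usersToDB in the next hunk repeat the pattern; log the request with the credential redacted, e.g. `echo "$PUT_CURL_COMMAND1 $REST_API -H 'Authorization: Basic ****' $PAYLOAD"`, so the API password does not persist in `$LOGDIR`. The request uses `-k`, which disables certificate validation for a call that carries that credential; if the admin endpoint has a private CA, `--cacert` is the equivalent that keeps validation. The `--fail`/retry-without-`--fail` pair sends the PUT twice on any HTTP error; `-w '%{http_code}'` on a single request avoids that. create_cookie_domain is complete within the hunk.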
@@ -1365,6 +1417,425 @@ create_test_user() print_time STEP "Create Test User $OAA_USER in LDAP" $ST $ET >> $LOGDIR/timings.log } + + +# Register OUA as an OAM Partner Application +# +register_tap_oua() +{ + + ST=$(date +%s) + print_msg "Creating OAM TAP Partner for OUA" + cp $TEMPLATE_DIR/create_tap_partner_oua.py $WORKDIR + + filename=$WORKDIR/create_tap_partner_oua.py + update_variable "" $OAM_DOMAIN_NAME $filename + update_variable "" $OAM_WEBLOGIC_USER $filename + update_variable "" $OAM_WEBLOGIC_PWD $filename + update_variable "" $OAMNS $filename + update_variable "" $OAM_ADMIN_PORT $filename + update_variable "" $OAA_KEYSTORE_PWD $filename + update_variable "" $OAM_LOGIN_LBR_PROTOCOL $filename + update_variable "" $OAM_LOGIN_LBR_HOST $filename + update_variable "" $OAM_LOGIN_LBR_PORT $filename + + copy_to_k8 $filename workdir $OAMNS $OAM_DOMAIN_NAME + run_wlst_command $OAMNS $OAM_DOMAIN_NAME $PV_MOUNT/workdir/create_tap_partner_oua.py > $LOGDIR/register_tap_oua.log + + print_status $WLSRETCODE $LOGDIR/register_tap_oua.log + + printf "\t\t\tCopy keystore to $WORKDIR - " + copy_from_k8 $PV_MOUNT/workdir/OAMOUAKeyStore.jks $WORKDIR/OAMOUAKeyStore.jks $OAMNS $OAM_DOMAIN_NAME + print_status $RETCODE $LOGDIR/register_tap_oua.log + + ET=$(date +%s) + print_time STEP "Creating OAM TAP Partner for OUA" $ST $ET >> $LOGDIR/timings.log +} + +# Edit properties file for OUA +# +edit_properties_oua() +{ + ST=$(date +%s) + print_msg "Editing properties file for OUA" + + echo "kubectl cp $WORKDIR/OAMOUAKeyStore.jks $OAANS/oaa-mgmt:/u01/oracle/scripts/creds/OAMOUAKeyStore.jks" > $LOGDIR/edit_properties_oua.log 2>&1 + kubectl cp $WORKDIR/OAMOUAKeyStore.jks $OAANS/oaa-mgmt:/u01/oracle/scripts/creds/OAMOUAKeyStore.jks + echo "kubectl cp $OAANS/oaa-mgmt:/u01/oracle/scripts/settings/installOAA.properties $WORKDIR/installOAA.properties" >> $LOGDIR/edit_properties_oua.log 2>&1 + kubectl cp $OAANS/oaa-mgmt:/u01/oracle/scripts/settings/installOAA.properties 
$WORKDIR/installOAA.properties >> $LOGDIR/edit_properties_oua.log 2>&1 + propfile=$WORKDIR/installOAA.properties + + sed -i "s/#\s*oua.tapAgentName/oua.tapAgentName/" $propfile + sed -i "s/#\s*oua.tapAgentFilePass/oua.tapAgentFilePass/" $propfile + sed -i "s/#\s*oua.tapAgentFileLocation/oua.tapAgentFileLocation/" $propfile + sed -i "s/#\s*oua.oamRuntimeEndpoint/oua.oamRuntimeEndpoint/" $propfile + + replace_value oua.tapAgentName "OAM-OUA-TAP" $propfile + ENCODED_TAP_PWD=$(encode_pwd $OAA_KEYSTORE_PWD) + replace_value oua.tapAgentFilePass $ENCODED_TAP_PWD $propfile + replace_value oua.tapAgentFileLocation "/u01/oracle/scripts/creds/OAMOUAKeyStore.jks" $propfile + replace_value oua.oamRuntimeEndpoint "$OAM_LOGIN_LBR_PROTOCOL://$OAM_LOGIN_LBR_HOST:$OAM_LOGIN_LBR_PORT" $propfile + + echo "kubectl cp $propfile $OAANS/oaa-mgmt:/u01/oracle/scripts/settings/installOAA.properties" >> $LOGDIR/edit_properties_oua.log 2>&1 + kubectl cp $propfile $OAANS/oaa-mgmt:/u01/oracle/scripts/settings/installOAA.properties >> $LOGDIR/edit_properties_oua.log 2>&1 + print_status $? $LOGDIR/edit_properties_oua.log + ET=$(date +%s) + print_time STEP "Editing properties file for OUA" $ST $ET >> $LOGDIR/timings.log +} + +# Configure DRSS for OUA +# +configure_drss_oua() +{ + ST=$(date +%s) + print_msg "Configuring DRSS for OUA" + + kubectl exec -n $OAANS -ti oaa-mgmt -- sed -i '1 i\#!/bin/bash' /u01/oracle/scripts/drssconfig/configureDRSS.sh + oaa_mgmt "/u01/oracle/scripts/drssconfig/configureDRSS.sh -f /u01/oracle/scripts/settings/installOAA.properties" > $LOGDIR/configure_drss_oua.log 2>&1 + if [ $? = 0 ] + then + grep -iq "Agent not found with global id" $LOGDIR/configure_drss_oua.log + if [ $? = 0 ] + then + printf "Agent not created. Retrying ... \n" + oaa_mgmt "/u01/oracle/scripts/drssconfig/configureDRSS.sh -f /u01/oracle/scripts/settings/installOAA.properties" > $LOGDIR/configure_drss_oua.log 2>&1 + grep -iq "Agent not found with global id" $LOGDIR/configure_drss_oua.log + if [ $? 
= 0 ] + then + print_status 1 $LOGDIR/configure_drss_oua.log + fi + else + print_status 0 $LOGDIR/configure_drss_oua.log + fi + fi + + ET=$(date +%s) + print_time STEP "Configuring DRSS for OUA" $ST $ET >> $LOGDIR/timings.log +} + +# Set DRSS parameter for OUA +# +set_drss_param_oua() +{ + ST=$(date +%s) + print_msg "Setting DRSS parameter for OUA" + + propfile="$WORKDIR/installOAA.properties" + DRSS_API_KEY=`grep "install.global.drssapikey" $propfile | cut -d '=' -f 2` + OAA_DEP_UPPERCASE=$(echo "$OAA_DEPLOYMENT" | tr '[:lower:]' '[:upper:]') + USER=`encode_pwd ${OAA_DEP_UPPERCASE}_OAA_DRSS:$DRSS_API_KEY` + PUT_CURL_COMMAND="curl -k -g --fail --request PUT --location " + PUT_CURL_COMMAND1="curl -k -g --request PUT --location " + CONTENT_TYPE="-H 'Content-Type: application/json' -H 'Authorization: Basic $USER'" + OAUTH_APPID=`grep "oauth.applicationid" $propfile | cut -d '=' -f 2` + PAYLOAD="-d '[{\"name\": \"oua.drss.oaa.group\", \"value\": \"$OAUTH_APPID\"}" + PAYLOAD=$PAYLOAD" ]'" + ADMINURL=$OAM_LOGIN_LBR_PROTOCOL://$OAM_LOGIN_LBR_HOST:$OAM_LOGIN_LBR_PORT + REST_API="'$ADMINURL/oaa-drss/oua/property/v1'" + + echo " " > $LOGDIR/set_drss_param_oua.log 2>&1 + echo "$PUT_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/set_drss_param_oua.log 2>&1 + eval "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/set_drss_param_oua.log 2>&1 + if [ $? -gt 0 ] + then + eval "$PUT_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/set_drss_param_oua.log 2>&1 + grep -q "already exists" $LOGDIR/set_drss_param_oua.log + if [ $? 
= 0 ] + then + echo "Already Exists" + else + echo "Failed - see logfile $LOGDIR/set_drss_param_oua.log" + exit 1 + fi + else + echo "Success" + fi + + ET=$(date +%s) + print_time STEP "Setting DRSS parameter for OUA" $ST $ET >> $LOGDIR/timings.log +} + +# Enable OAM Identity Service +# +enable_oam_identity_service() +{ + ST=$(date +%s) + print_msg "Enabling OAM Identity Service" + + ADMINURL=$OAM_ADMIN_LBR_PROTOCOL://$OAM_ADMIN_LBR_HOST:$OAM_ADMIN_LBR_PORT + REST_API="$ADMINURL/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/IdentityManagement/IdentityServiceConfiguration/IdentityServiceEnabled" + USER=`encode_pwd $LDAP_WLSADMIN_USER:$LDAP_USER_PWD` + PUT_CURL_COMMAND="curl -s -X PUT " + GET_CURL_COMMAND="curl -s -X GET " + CONTENT_TYPE="-H 'Content-Type: text/xml' -H 'Authorization: Basic $USER'" + + XX="$GET_CURL_COMMAND $REST_API $CONTENT_TYPE | grep "IdentityServiceEnabled" | grep -iq true" + echo "$XX" > $LOGDIR/enable_oam_identity_service.log 2>&1 + eval "$XX" >> $LOGDIR/enable_oam_identity_service.log 2>&1 + if [ $? -eq 0 ] + then + echo "IdentityServiceEnabled set to true Already " >> $LOGDIR/enable_oam_identity_service.log 2>&1 + echo "Already Exists " + return 0 + else + PAYLOAD="-d @$TEMPLATE_DIR/service.xml" + echo " " >> $LOGDIR/enable_oam_identity_service.log 2>&1 + echo "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/enable_oam_identity_service.log 2>&1 + eval "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/enable_oam_identity_service.log 2>&1 + print_status $? 
$LOGDIR/enable_oam_identity_service.log + fi + + ET=$(date +%s) + print_time STEP "Enabling OAM Identity Service" $ST $ET >> $LOGDIR/timings.log +} + +# Set RequireAuthorizationHeader for OAM +# +set_oam_authz_header() +{ + ST=$(date +%s) + print_msg "Setting RequireAuthorizationHeader for OAM" + + ADMINURL=$OAM_ADMIN_LBR_PROTOCOL://$OAM_ADMIN_LBR_HOST:$OAM_ADMIN_LBR_PORT + REST_API="$ADMINURL/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/RestServices/Token/RequireAuthorizationHeader" + USER=`encode_pwd $LDAP_WLSADMIN_USER:$LDAP_USER_PWD` + PUT_CURL_COMMAND="curl -s -X PUT " + GET_CURL_COMMAND="curl -s -X GET " + CONTENT_TYPE="-H 'Content-Type: text/xml' -H 'Authorization: Basic $USER'" + + XX="$GET_CURL_COMMAND $REST_API $CONTENT_TYPE | grep "RequireAuthorizationHeader" | grep -iq true" + echo "$XX" > $LOGDIR/set_oam_authz_header.log 2>&1 + eval "$XX" >> $LOGDIR/set_oam_authz_header.log 2>&1 + if [ $? -eq 0 ] + then + echo "RequireAuthorizationHeader set to true Already " >> $LOGDIR/set_oam_authz_header.log 2>&1 + echo "Already Exists " + else + PAYLOAD="-d @$TEMPLATE_DIR/session.xml" + echo " " >> $LOGDIR/set_oam_authz_header.log 2>&1 + echo "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/set_oam_authz_header.log 2>&1 + eval "$PUT_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/set_oam_authz_header.log 2>&1 + print_status $? 
$LOGDIR/set_oam_authz_header.log + fi + # Restart Domain + # + new_step + if [ $STEPNO -gt $PROGRESS ] && [ "$INSTALL_OUA" = "true" ] + then + stop_domain $OAMNS $OAM_DOMAIN_NAME + update_progress + fi + new_step + if [ $STEPNO -gt $PROGRESS ] && [ "$INSTALL_OUA" = "true" ] + then + start_domain $OAMNS $OAM_DOMAIN_NAME + update_progress + fi + ET=$(date +%s) + print_time STEP "Setting RequireAuthorizationHeader for OAM" $ST $ET >> $LOGDIR/timings.log +} + +# Set User Identity Store for OAM +# +set_userid_store () +{ + ST=$(date +%s) + print_msg "Setting User Identity Store on OAM for OUA" + + USER=`encode_pwd $LDAP_WLSADMIN_USER:$LDAP_USER_PWD` + ADMINURL=$OAM_ADMIN_LBR_PROTOCOL://$OAM_ADMIN_LBR_HOST:$OAM_ADMIN_LBR_PORT + GET_CURL_COMMAND="curl -s -X GET " + CONTENT_TYPE="-H 'Content-Type: text/xml' -H 'Authorization: Basic $USER'" + REST_API="$ADMINURL/iam/admin/config/api/v1/config?path=/DeployedComponent/Server/NGAMServer/Profile/ssoengine/PersistentLogin" + XX="$GET_CURL_COMMAND $REST_API $CONTENT_TYPE | grep "UserAttributeName" | grep -iq obPSFTID" + echo "$XX" > $LOGDIR/set_userid_store.log 2>&1 + eval "$XX" >> $LOGDIR/set_userid_store.log 2>&1 + counter=0 + if [ $? -eq 0 ] + then + echo "UserAttributeName obPSFTID is set Already " >> $LOGDIR/set_userid_store.log 2>&1 + counter=$(expr $counter + 1) + fi + + REST_API="$ADMINURL/iam/admin/config/api/v1/config?path=/Resource/LDAP" + XX="$GET_CURL_COMMAND $REST_API $CONTENT_TYPE | grep "ENABLE_PASSWORD_POLICY" | grep -iq true" + echo "$XX" >> $LOGDIR/set_userid_store.log 2>&1 + eval "$XX" >> $LOGDIR/set_userid_store.log 2>&1 + if [ $? 
-eq 0 ] + then + echo "ENABLE_PASSWORD_POLICY is set to true Already " >> $LOGDIR/set_userid_store.log 2>&1 + counter=$(expr $counter + 1) + fi + + REST_API="$ADMINURL/iam/admin/config/api/v1/config?path=/Resource/LDAP" + XX="$GET_CURL_COMMAND $REST_API $CONTENT_TYPE | grep "USER_SCHEMA" | grep -iq Oblix" + echo "$XX" >> $LOGDIR/set_userid_store.log 2>&1 + eval "$XX" >> $LOGDIR/set_userid_store.log 2>&1 + if [ $? -eq 0 ] + then + echo "USER_SCHEMA is set to Oblix Already " >> $LOGDIR/set_userid_store.log 2>&1 + counter=$(expr $counter + 1) + + fi + + if [ $counter -eq 3 ] + then + echo "Already Exists " + return 0 + else + cp $TEMPLATE_DIR/configure_oam_oua.py $WORKDIR + filename=$WORKDIR/configure_oam_oua.py + update_variable "" $OAM_DOMAIN_NAME $filename + update_variable "" $OAM_WEBLOGIC_USER $filename + update_variable "" $OAM_WEBLOGIC_PWD $filename + update_variable "" $OAMNS $filename + update_variable "" $OAM_ADMIN_PORT $filename + + copy_to_k8 $filename workdir $OAMNS $OAM_DOMAIN_NAME + echo " " >> $LOGDIR/set_userid_store.log 2>&1 + echo "Executing WLST command: "run_wlst_command $OAMNS $OAM_DOMAIN_NAME $PV_MOUNT/workdir/configure_oam_oua.py >> $LOGDIR/set_userid_store.log + run_wlst_command $OAMNS $OAM_DOMAIN_NAME $PV_MOUNT/workdir/configure_oam_oua.py >> $LOGDIR/set_userid_store.log + print_status $? 
$LOGDIR/set_userid_store.log + fi + + ET=$(date +%s) + print_time STEP "Setting User Identity Store on OAM for OUA" $ST $ET >> $LOGDIR/timings.log +} + +# Set ldap attribute to true to all the users in OAA_USER_GROUP +# +set_ldapattr_to_oaausers() +{ + ST=$(date +%s) + print_msg "Setting ldap attribute to all the users in OAA_USER_GROUP" + + cp $TEMPLATE_DIR/search_modify_oaa_users.sh $WORKDIR + shfile=$WORKDIR/search_modify_oaa_users.sh + chmod +x $shfile + update_variable "" ${LDAP_EXTERNAL_HOST:=$OUD_POD_PREFIX-oud-ds-rs-lbr-ldap.$OUDNS.svc.cluster.local} $shfile + update_variable "" ${LDAP_EXTERNAL_PORT:=1389} $shfile + update_variable "" $LDAP_ADMIN_USER $shfile + update_variable "" $LDAP_ADMIN_PWD $shfile + update_variable "" $OAA_USER_GROUP $shfile + update_variable "" $LDAP_GROUP_SEARCHBASE $shfile + update_variable "" $LDAP_USER_SEARCHBASE $shfile + + kubectl cp $shfile $OUDNS/$OUD_POD_PREFIX-oud-ds-rs-0:/u01/oracle/config-input > $LOGDIR/set_ldapattr_to_oaausers.log 2>&1 + if [ $? -gt 0 ] + then + echo "Failed to copy $shfile." + exit 1 + fi + kubectl exec -ti -n $OUDNS $OUD_POD_PREFIX-oud-ds-rs-0 -c oud-ds-rs -- /u01/oracle/config-input/search_modify_oaa_users.sh >> $LOGDIR/set_ldapattr_to_oaausers.log 2>&1 + + if [ $? = 0 ] + then + grep -qi "already modified" $LOGDIR/set_ldapattr_to_oaausers.log + if [ $? = 0 ] + then + echo "Already exists" + else + echo " Success" + fi + else + grep -qi "failed" $LOGDIR/set_ldapattr_to_oaausers.log + if [ $? 
= 0 ] + then + echo "Failed - see logfile $LOGDIR/set_ldapattr_to_oaausers.log" + print_status 1 $LOGDIR/set_ldapattr_to_oaausers.log + + fi + fi + ET=$(date +%s) + print_time STEP "Setting ldap attribute to all the users in OAA_USER_GROUP" $ST $ET >> $LOGDIR/timings.log +} + + + +# Add all the users under OAA-App-User group to the OAA DB +# + +add_oua_usersToDB() +{ + ST=$(date +%s) + print_msg "Adding all the users under $OAA_USER_GROUP group to the OAA DB" + + cp $TEMPLATE_DIR/search_oaa_users.sh $WORKDIR + shfile=$WORKDIR/search_oaa_users.sh + chmod +x $shfile + update_variable "" ${LDAP_EXTERNAL_HOST:=$OUD_POD_PREFIX-oud-ds-rs-lbr-ldap.$OUDNS.svc.cluster.local} $shfile + update_variable "" ${LDAP_EXTERNAL_PORT:=1389} $shfile + update_variable "" $LDAP_ADMIN_USER $shfile + update_variable "" $LDAP_ADMIN_PWD $shfile + update_variable "" $OAA_USER_GROUP $shfile + update_variable "" $LDAP_GROUP_SEARCHBASE $shfile + + kubectl cp $shfile $OUDNS/$OUD_POD_PREFIX-oud-ds-rs-0:/u01/oracle/config-input > $LOGDIR/add_oua_usersToDB.log 2>&1 + if [ $? -gt 0 ] + then + echo "Failed to copy $shfile." + print_status 1 $LOGDIR/add_oua_usersToDB.log + fi + kubectl exec -ti -n $OUDNS $OUD_POD_PREFIX-oud-ds-rs-0 -c oud-ds-rs -- /u01/oracle/config-input/search_oaa_users.sh >> $LOGDIR/add_oua_usersToDB.log 2>&1 + if [ $? -gt 0 ] + then + echo "Failed to connect to OUD pod - Check OUD is running." 
+ print_status 1 $LOGDIR/add_oua_usersToDB.log + fi + + ADMINURL=$OAM_LOGIN_LBR_PROTOCOL://$OAM_LOGIN_LBR_HOST:$OAM_LOGIN_LBR_PORT + REST_API="'$ADMINURL/oaa/runtime/preferences/v1'" + propfile="$WORKDIR/installOAA.properties" + OAA_DEP_UPPERCASE=$(echo "$OAA_DEPLOYMENT" | tr '[:lower:]' '[:upper:]') + USER=`encode_pwd "${OAA_DEP_UPPERCASE}-OAA:${OAA_API_PWD}"` + + CONTENT_TYPE="-H 'Content-Type: application/json' -H 'Authorization: Basic $USER'" + OAUTH_APPID=`grep "oauth.applicationid" $propfile | cut -d '=' -f 2` + PAYLOAD="-d @$WORKDIR/oua_user_add.json" + + counter=0 + for unique_member in `grep "uniqueMember:" "$LOGDIR/add_oua_usersToDB.log" | awk '{print $2}' | cut -f1 -d "," | cut -f2 -d "="` + do + counter=$(expr $counter + 1) + cp $TEMPLATE_DIR/oua_user_add.json $WORKDIR + filename=$WORKDIR/oua_user_add.json + update_variable "" $OAUTH_APPID $filename + update_variable "" $unique_member $filename + echo " " >> $LOGDIR/add_oua_usersToDB.log 2>&1 + POST_CURL_COMMAND="curl -k -g --fail --request POST --location " + POST_CURL_COMMAND1="curl -k -g --request POST --location " + echo "$POST_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/add_oua_usersToDB.log 2>&1 + eval "$POST_CURL_COMMAND $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/add_oua_usersToDB.log 2>&1 + if [ $? -gt 0 ] + then + eval "$POST_CURL_COMMAND1 $REST_API $CONTENT_TYPE $PAYLOAD" >> $LOGDIR/add_oua_usersToDB.log 2>&1 + grep -iq "Cannot Create User" $LOGDIR/add_oua_usersToDB.log + if [ $? 
= 0 ] + then + echo "Cannot Create User $unique_member as it already exists" >> $LOGDIR/add_oua_usersToDB.log 2>&1 + else + echo "Failed - see logfile $LOGDIR/add_oua_usersToDB.log" + print_status 1 $LOGDIR/add_oua_usersToDB.log + exit 1 + fi + else + echo "$unique_member added to OAA DB " >> $LOGDIR/add_oua_usersToDB.log 2>&1 + sleep 1 + fi + done + + if [ $counter -eq `grep -i "already exists" $LOGDIR/add_oua_usersToDB.log | wc -l` ]; then + echo "Already Exists" + return 0 + else + echo "Success" + fi + + ET=$(date +%s) + print_time STEP "Adding all the users under $OAA_USER_GROUP group to the OAA DB" $ST $ET >> $LOGDIR/timings.log +} + + # Modify the template to create a cronjob # create_dr_cronjob_files() diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oam_functions.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oam_functions.sh index 62006249..665209f3 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oam_functions.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oam_functions.sh @@ -1,4 +1,4 @@ -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of procedures used to configure OAM 
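Review bot: In set_userid_store the first check is defeated by statement order: `eval "$XX" >> …` is followed by `counter=0` and only then `if [ $? -eq 0 ]`, so `$?` is the status of the assignment (always 0) and the `UserAttributeName obPSFTID` test is always counted as already set; move `counter=0` above the `eval` (the two later checks test `$?` immediately and are fine). In configure_drss_oua the `if [ $? = 0 ]` around the first `oaa_mgmt` call has no `else`, so a configureDRSS.sh that exits non-zero produces neither a message nor a failing `print_status` and the step appears to succeed; add `else print_status 1 $LOGDIR/configure_drss_oua.log`. In enable_oam_identity_service and set_oam_authz_header the `print_status $?` after `eval "$PUT_CURL_COMMAND …"` only sees curl's transport status because the command is `curl -s -X PUT` without `--fail`, so an HTTP 401 or 500 from the config API is reported as success. set_ldapattr_to_oaausers and add_oua_usersToDB also substitute `$LDAP_ADMIN_PWD` into a script copied to the OUD pod's `/u01/oracle/config-input` and leave it there; deleting the script after the `kubectl exec` limits how long the bind password sits on the pod filesystem.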
@@ -36,11 +36,19 @@ create_persistent_volumes() # edit_domain_creation_file() { - filename=$1 - ST=`date +%s` print_msg "Creating Domain Configuration File" - cp $WORKDIR/samples/create-access-domain/domain-home-on-pv/create-domain-inputs.yaml $filename + + if [ "$WLS_CREATION_TYPE" = "WLST" ] + then + filename=$WORKDIR/create-domain-inputs.yaml + cp $WORKDIR/samples/create-access-domain/domain-home-on-pv/create-domain-inputs.yaml $filename + else + filename=$WORKDIR/create-domain-wdt.yaml + cp $WORKDIR/samples/create-access-domain/domain-home-on-pv/wdt-utils/generate_models_utils/create-domain-wdt.yaml $filename + replace_value2 edgInstall true $filename + fi + ST=`date +%s` if [ "$CREATE_REGSECRET" = "true" ] then 
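Review bot: The new branch selects the WDT path with a bare `else`, so any `WLS_CREATION_TYPE` other than `WLST` (including unset) copies `create-domain-wdt.yaml`, while the follow-on hunk in the same function applies the WDT-only `replace_value2` block only when the value is exactly `WDT`; an unset or mistyped value therefore yields a WDT input file missing the NFS and resource settings. Make the test explicit, `elif [ "$WLS_CREATION_TYPE" = "WDT" ]`, with an `else` that reports the unsupported value and exits. Dropping `filename=$1` also silently ignores an argument any existing caller still passes, and `replace_value2 edgInstall true $filename` is now applied here and again in the later hunk. edit_domain_creation_file continues outside the hunk.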
@@ -68,12 +76,77 @@ edit_domain_creation_file() replace_value2 t3ChannelPort $OAM_ADMIN_T3_K8 $filename replace_value2 datasourceType agl $filename + if [ "$WLS_CREATION_TYPE" = "WDT" ] + then + replace_value2 weblogicDomainStorageNFSServer $PVSERVER $filename + replace_value2 weblogicDomainStorageType NFS $filename + replace_value2 weblogicDomainStoragePath $OAM_SHARE $filename + replace_value2 edgInstall true $filename + replace_value2 oamServerJavaParams "$OAMSERVER_JAVA_PARAMS" $filename + replace_value2 oamMaxCPU "$OAM_MAX_CPU" $filename + replace_value2 oamCPU "$OAM_CPU" $filename + replace_value2 oamMaxMemory "$OAM_MAX_MEMORY" $filename + replace_value2 oamMemory "$OAM_MEMORY" $filename + fi print_status $? printf "\t\t\tCopy saved to $WORKDIR\n" ET=`date +%s` print_time STEP "Create Domain Configuration File" $ST $ET >> $LOGDIR/timings.log } +# Build WDT Domain Creation Image +# +build_wdt_image() +{ + print_msg "Build WDT Domain Creation Image" + + cd $WORKDIR/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/ + filename=$WORKDIR/build-domain-creation-image.properties + cp properties/build-domain-creation-image.properties $filename + if [ $? 
-gt 0 ] + then + echo "Failed to create copy file $WORKDIR/samples/create-access-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/properties/build-domain-creation-image.properties" + exit 1 + fi + + JAVA_HOME=$(dirname $(dirname $(which java))) + if [ "$JAVA_HOME" = "" ] + then + echo "JAVA_HOME must be set to continue" + exit 1 + fi + + replace_value JAVA_HOME "$JAVA_HOME" $filename + replace_value REPOSITORY ${WDT_IMAGE_REGISTRY}/oam_wdt $filename + replace_value REG_USER $WDT_IMAGE_REG_USER $filename + replace_value IMAGE_PUSH_REQUIRES_AUTH true $filename + echo "REG_PASSWORD=\"$WDT_IMAGE_REG_PWD\"" > $WORKDIR/.buildpwd + replace_value WDT_MODEL_FILE "$WORKDIR/weblogic-domains/$OAM_DOMAIN_NAME/oam.yaml" $filename + replace_value WDT_VARIABLE_FILE "$WORKDIR/weblogic-domains/$OAM_DOMAIN_NAME/oam.properties" $filename + replace_value IMAGE_TAG $OAM_DOMAIN_NAME $filename + + ./build-domain-creation-image.sh -i $filename -p $WORKDIR/.buildpwd > $LOGDIR/build_wdt_image.log 2>&1 + print_status $? $LOGDIR/build_wdt_image.log + ET=`date +%s` + print_time STEP "Generate WDT Model Files" $ST $ET >> $LOGDIR/timings.log +} + +add_image_wdt() +{ + print_msg "Adding image name to domain.yaml" + + filename=$WORKDIR/weblogic-domains/$OAM_DOMAIN_NAME/domain.yaml + update_variable "%DOMAIN_CREATION_IMAGE%" "${WDT_IMAGE_REGISTRY}/oam_wdt:$OAM_DOMAIN_NAME" $filename + + if [ ! "$REGISTRY" = "$WDT_IMAGE_REGISTRY" ] + then + sed -i "/regcred/a\ - name: regcred2\n" $filename + fi + + print_status $? + ET=`date +%s` + print_time STEP "Adding image name to domain.yaml" $ST $ET >> $LOGDIR/timings.log +} # Update Java parameters for WebLogic Clusters in domain.yaml update_java_parameters() 
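Review bot: `echo "REG_PASSWORD=\"$WDT_IMAGE_REG_PWD\"" > $WORKDIR/.buildpwd` writes the registry password with the default umask, so it is typically world-readable for as long as it exists; add `chmod 600 "$WORKDIR/.buildpwd"` right after the echo and remove the file once `build-domain-creation-image.sh` returns. Both build_wdt_image and add_image_wdt call `print_time … $ST $ET` without ever setting `ST`, so the timing entry uses whatever a previous function left in the variable, and build_wdt_image labels it `Generate WDT Model Files` rather than the step it performs. The unchecked `cd $WORKDIR/samples/…` should be `cd … || exit 1`, since the following relative `cp properties/…` and `./build-domain-creation-image.sh` would otherwise run in the wrong directory. `JAVA_HOME=$(dirname $(dirname $(which java)))` also uses `which` where `command -v` is the portable form, and on systems where `java` is a symlink in `/usr/bin` it presumably resolves to `/usr` rather than a JDK home — `readlink -f` before the `dirname` calls would fix that.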
@@ -140,6 +213,52 @@ create_oam_domain() print_time STEP "Initialise the Domain" $ST $ET >> $LOGDIR/timings.log } + +create_oam_domain_wdt() +{ + + print_msg "Initialising the Domain" + ST=`date +%s` + + printf "\n\t\t\tCreating the domain - " + oper_pod=$(kubectl get pods -n $OPERNS --no-headers=true | grep -v webhook | head -1 | awk '{ print $1 }') + if [ "$oper_pod" = "" ] + then + echo "Failed to get the name of the WebLogic Operator Pod." + exit 1 + fi + + kubectl create -f $WORKDIR/weblogic-domains/$OAM_DOMAIN_NAME/domain.yaml > $LOGDIR/create_domain.log 2>$LOGDIR/create_domain.log + print_status $? $LOGDIR/create_domain.log + + + printf "\t\t\tChecking no errors in WebLogic Operator log - " + sleep 30 + kubectl logs -n $OPERNS $oper_pod --since=60s| grep $OAM_DOMAIN_NAME | grep SEVERE >> $LOGDIR/create_domain.log + grep -q SEVERE $LOGDIR/create_domain.log + if [ $? -eq 0 ] + then + echo "Failed - Check Logfile: $LOGDIR/create_domain.log" + exit 1 + fi + + sleep 30 + kubectl logs -n $OPERNS $oper_pod --since=120s| grep $OAM_DOMAIN_NAME | grep SEVERE >> $LOGDIR/create_domain.log + grep -q SEVERE $LOGDIR/create_domain.log + if [ $? -eq 0 ] + then + echo "Failed - Check Logfile: $LOGDIR/create_domain.log" + exit 1 + else + echo "Success" + fi + + ET=`date +%s` + + print_time STEP "Initialise the Domain" $ST $ET >> $LOGDIR/timings.log + +} + # # Start the domain for the first time. # @@ -159,12 +278,6 @@ perform_first_start() kubectl apply -f output/weblogic-domains/$OAM_DOMAIN_NAME/domain.yaml > $LOGDIR/first_start.log print_status $? $LOGDIR/first_start.log - - # Check that the domain is started - # - check_running $OAMNS adminserver - check_running $OAMNS oam-server1 - ET=`date +%s` print_time STEP "Start the Domain" $ST $ET >> $LOGDIR/timings.log 
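Review bot: `kubectl create -f … > $LOGDIR/create_domain.log 2>$LOGDIR/create_domain.log` opens the same file twice, so stdout and stderr overwrite each other from offset 0 and the log that `print_status` points at can be truncated or interleaved; use `> $LOGDIR/create_domain.log 2>&1`. The operator pod is chosen with `grep -v webhook | head -1`, which assumes exactly one non-webhook pod in `$OPERNS` — worth a comment if that is guaranteed. The second `--since=120s` scan re-reads the window the first one already covered, so a SEVERE line is appended twice; harmless with `grep -q`, but `--since=60s` would keep the log readable. create_oam_domain_wdt is complete within the hunk.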
@@ -724,7 +837,7 @@ create_oam_ohs_config() { ST=`date +%s` - print_msg "Creating OHS Config Files" + print_msg "Creating OHS Config Files for $OHS_HOST1" OHS_PATH=$LOCAL_WORKDIR/OHS if [ ! -d $OHS_PATH/$OHS_HOST1 ] then 
@@ -737,43 +850,36 @@ create_oam_ohs_config() if [ ! "$OHS_HOST1" = "" ] then - if [ ! "$INGRESS_HOST" = "" ] - then - K8_WORKER_HOST1=$INGRESS_HOST - K8_WORKER_HOST2=$INGRESS_HOST - fi + printf "\n\t\t\tCreating Virtual Host Files - " cp $TEMPLATE_DIR/iadadmin_vh.conf $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf cp $TEMPLATE_DIR/login_vh.conf $OHS_PATH/$OHS_HOST1/login_vh.conf update_variable "" $OHS_HOST1 $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf update_variable "" $OHS_PORT $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf + update_variable "" $OAM_ADMIN_LBR_PROTOCOL $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf update_variable "" $OAM_ADMIN_LBR_HOST $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf update_variable "" $OAM_ADMIN_LBR_PORT $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $K8_WORKER_HOST1 $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $K8_WORKER_HOST2 $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf update_variable "" $OHS_HOST1 $OHS_PATH/$OHS_HOST1/login_vh.conf update_variable "" $OHS_PORT $OHS_PATH/$OHS_HOST1/login_vh.conf update_variable "" $OAM_LOGIN_LBR_PROTOCOL $OHS_PATH/$OHS_HOST1/login_vh.conf update_variable "" $OAM_LOGIN_LBR_HOST $OHS_PATH/$OHS_HOST1/login_vh.conf update_variable "" $OAM_LOGIN_LBR_PORT $OHS_PATH/$OHS_HOST1/login_vh.conf - update_variable "" $K8_WORKER_HOST1 $OHS_PATH/$OHS_HOST1/login_vh.conf - update_variable "" $K8_WORKER_HOST2 $OHS_PATH/$OHS_HOST1/login_vh.conf + print_status $? 
if [ "$USE_INGRESS" = "true" ] then - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/login_vh.conf - else - update_variable "" $OAM_ADMIN_K8 $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $OAM_POLICY_K8 $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $OAM_OAM_K8 $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf - update_variable "" $OAM_OAM_K8 $OHS_PATH/$OHS_HOST1/login_vh.conf + OAM_ADMIN_K8=$INGRESS_HTTP_PORT + OAM_POLICY_K8=$INGRESS_HTTP_PORT + OAM_OAM_K8=$INGRESS_HTTP_PORT fi + + NODELIST=$(kubectl get nodes --no-headers=true | cut -f1 -d ' ') + create_location $TEMPLATE_DIR/locations.txt "$NODELIST" $OHS_PATH/$OHS_HOST1 + fi if [ ! "$OHS_HOST2" = "" ] then + printf "\n\t\t\tCreating Virtual Host files for $OHS_HOST2 - " cp $OHS_PATH/$OHS_HOST1/iadadmin_vh.conf $OHS_PATH/$OHS_HOST2/iadadmin_vh.conf cp $OHS_PATH/$OHS_HOST1/login_vh.conf $OHS_PATH/$OHS_HOST2/login_vh.conf sed -i "s/$OHS_HOST1/$OHS_HOST2/" $OHS_PATH/$OHS_HOST2/login_vh.conf diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/ohs_functions.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/ohs_functions.sh index 04d6bf5b..4a7c2709 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/ohs_functions.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/ohs_functions.sh 
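Review bot: `NODELIST=$(kubectl get nodes --no-headers=true | cut -f1 -d ' ')` hands every node in the cluster to create_location, so the WebLogicCluster directives written into the OHS virtual hosts will route to control-plane, cordoned or NotReady nodes as well as to the workers that actually serve the ingress/NodePort; the INGRESS_HOST override this hunk removes, which let a single front-end host be named, has no replacement. The ohs_functions.sh hunk in this same commit introduces a `get_k8nodes` helper for update_ohs_route; calling it here, `NODELIST=$(get_k8nodes)`, and in the identical NODELIST lines in oig_functions.sh create_oig_ohs_config and oiri_functions.sh create_ohs_entries keeps node selection in one place, and that helper is the natural spot for a node selector if the list is meant to be workers only. `cut -f1 -d ' '` also depends on kubectl's table layout; `-o custom-columns=NAME:.metadata.name` is the stable form. create_oam_ohs_config continues past the end of this hunk.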
@@ -444,20 +444,30 @@ copy_lbr_cert() update_ohs_route() { print_msg "Change OHS Routing" + echo ST=$(date +%s) - - OLD_HOST1=$(grep WebLogicCluster $WORKDIR/*_vh.conf | sed "s/WebLogicCluster//" | tr -d ' ' | sed 's/,/:/' | cut -f2,4 -d: | tr ":" "\n" |sort | uniq | head -1 ) - OLD_HOST2=$(grep WebLogicCluster $WORKDIR/*_vh.conf | sed "s/WebLogicCluster//" | tr -d ' ' | sed 's/,/:/' | cut -f2,4 -d: | tr ":" "\n" |sort | uniq | tail -1 ) - NEW_HOST1=$(kubectl get nodes | cut -f1 -d " " | sed "/NAME/d" | head -1) - NEW_HOST2=$(kubectl get nodes | cut -f1 -d " " | sed "/NAME/d" | tail -1) - - printf "\n\t\t\tChanging $OLD_HOST1 to $NEW_HOST1 - " - sed -i "s/$OLD_HOST1/$NEW_HOST1/g" $WORKDIR/*_vh.conf > $LOGDIR/update_ohs_route.log 2>&1 - print_status $? $LOGDIR/update_ohs_route.log - printf "\n\t\t\tChanging $OLD_HOST2 to $NEW_HOST2 - " - sed -i "s/$OLD_HOST2/$NEW_HOST2/g" $WORKDIR/*_vh.conf >> $LOGDIR/update_ohs_route.log 2>&1 - print_status $? $LOGDIR/update_ohs_route.log + + FILES=$(ls -1 $WORKDIR/*vh.conf) + K8NODES=$(get_k8nodes) + + + for file in $FILES + do + printf "\t\t\tProcessing File:$file - " + PORTS=$(grep WebLogicCluster $file | sed "s/WebLogicCluster//" | awk 'BEGIN { RS = "," } { print $0 }' | cut -f2 -d: | sort | uniq) + for PORT in $PORTS + do + ROUTE="WebLogicCluster " + for NODE in $K8NODES + do + ROUTE="$ROUTE,$NODE:$PORT" + done + DIRECTIVE=$(echo $ROUTE | sed 's/,//') + sed -i "/:$PORT/c\ $DIRECTIVE" $file >> $LOGDIR/update_ohs_route.log 2>&1 + done + print_status $? $LOGDIR/update_ohs_route.log + done ET=$(date +%s) print_time STEP "Change OHS Routing" $ST $ET >> $LOGDIR/timings.log 
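Review bot: In update_ohs_route the rewrite `sed -i "/:$PORT/c\ $DIRECTIVE" $file` replaces every line containing `:$PORT`, not only the WebLogicCluster directive; if the same port appears elsewhere in the virtual host file (a ServerName or VirtualHost host:port, or a longer port that starts with the same digits), that line is overwritten with the cluster directive. Anchoring the address to the directive, `sed -i "/WebLogicCluster.*:$PORT/c\ $DIRECTIVE" $file`, limits the change to the intended line. `print_status $? $LOGDIR/update_ohs_route.log` after the inner loop only reflects the last sed, so a failure on an earlier port is still reported as Success. `FILES=$(ls -1 $WORKDIR/*vh.conf)` parses ls where the glob `for file in $WORKDIR/*vh.conf` does the same job, and since get_k8nodes is defined outside this hunk, an empty-result guard such as `[ -n "$K8NODES" ] || { echo "no Kubernetes nodes found"; exit 1; }` before the loop would stop the script from writing a bare `WebLogicCluster` directive with no members.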
@@ -496,7 +506,7 @@ copy_ohs_dr_config() print_msg "Copy OHS Config" ST=$(date +%s) - printf "\t\t\tCopy OHS Config to $OHS_HOST1 - " + printf "\n\t\t\tCopy OHS Config to $OHS_HOST1 - " $SCP $WORKDIR/$OHS_HOST1/*vh.conf $OHS_HOST1:$OHS_DOMAIN/config/fmwconfig/components/OHS/$OHS1_NAME/moduleconf/ > $LOGDIR/copy_ohs_config.log 2>&1 print_status $? $LOGDIR/copy_ohs_config.log 
@@ -509,3 +519,110 @@ copy_ohs_dr_config() ET=$(date +%s) print_time STEP "Change OHS Routing" $ST $ET >> $LOGDIR/timings.log } + +# Add location directives to OHS Config Files +# +create_location() +{ + locfile=$1 + nodes=$2 + ohs_path=$3 + + printf "\t\t\tAdding location Directives to OHS conf file - " + while IFS= read -r LOCATIONS + do + file=$(echo $LOCATIONS | cut -f1 -d:) + location=$(echo $LOCATIONS | cut -f2 -d:) + port=$(echo $LOCATIONS | cut -f3 -d:) + ssl=$(echo $LOCATIONS | cut -f4 -d:) + + conf_file=${file}_vh.conf + + case $file in + iadadmin) + protocol=$OAM_ADMIN_LBR_PROTOCOL + ;; + login) + protocol=$OAM_LOGIN_LBR_PROTOCOL + ;; + prov) + protocol=$OIG_LBR_PROTOCOL + ;; + igdinternal) + protocol=$OIG_LBR_INT_PROTOCOL + ;; + igdadmin) + protocol=$OIG_ADMIN_LBR_PROTOCOL + ;; + *) + echo "FILE:$file" + ;; + esac + + sed -i "/<\/VirtualHost>/d" $ohs_path/$conf_file + + printf "Adding Location $location to $ohs_path/$conf_file - " >> $LOGDIR/$file.log + grep -q "$location>" $ohs_path/$conf_file + if [ $? -eq 1 ] + then + printf "\n " >> $ohs_path/$conf_file + printf "\n WLSRequest ON" >> $ohs_path/$conf_file + printf "\n DynamicServerList OFF" >> $ohs_path/$conf_file + + if [ "$ssl" = "Y" ] && [ "$USE_INGRESS" = "false" ] + then + printf "\n SecureProxy ON" >> $ohs_path/$conf_file + printf "\n WLSSLWallet \"${ORACLE_INSTANCE}/ohswallet\"" >> $ohs_path/$conf_file + fi + + if [ "$file" = "login" ] + then + printf "\n WLCookieName OAMJSESSIONID" >> $ohs_path/$conf_file + echo $location | grep -q well-known + if [ $? 
-eq 0 ] + then + printf "\n PathTrim /.well-known" >> $ohs_path/$conf_file + printf "\n PathPrepend /oauth2/rest" >> $ohs_path/$conf_file + fi + + elif [ "$file" = "prov" ] + then + printf "\n WLCookieName oimjsessionid" >> $ohs_path/$conf_file + elif [ "$file" = "igdinternal" ] + then + if [ "$location" = "/spmlws" ] + then + printf "\n PathTrim /weblogic" >> $ohs_path/$conf_file + fi + fi + + if [ "$protocol" = "https" ] + then + printf "\n WLProxySSL ON" >> $ohs_path/$conf_file + printf "\n WLProxySSLPassThrough ON" >> $ohs_path/$conf_file + fi + + cluster_cmd=" WebLogicCluster " >> $ohs_path/$conf_file + node_count=0 + for node in $nodes + do + if [ $node_count -eq 0 ] + then + cluster_cmd=$cluster_cmd"$node:$(($port))" + else + cluster_cmd=$cluster_cmd",$node:$(($port))" + fi + ((node_count++)) + done + printf "\n$cluster_cmd" >> $ohs_path/$conf_file + + printf "\n \n" >> $ohs_path/$conf_file + echo "Success" >>$LOGDIR/$file.log + else + echo "Already Exists" >>$LOGDIR/$file.log + fi + + printf "\n\n" >> $ohs_path/$conf_file + done < $locfile + +} diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oig_functions.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oig_functions.sh index 65fe0053..10d19063 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oig_functions.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oig_functions.sh 
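Review bot: In create_location the existence test `grep -q "$location>" ...` followed by `if [ $? -eq 1 ]` treats only exit status 1 as "not present"; when grep cannot read the file (status 2) the branch is skipped and the log records "Already Exists", so a missing or unreadable conf file silently produces no Location block. `if ! grep -q "$location>" "$ohs_path/$conf_file"` gives the intended behaviour. The line `cluster_cmd=" WebLogicCluster " >> $ohs_path/$conf_file` is a variable assignment with a redirect, which writes nothing and merely touches the file; the redirect should be dropped. In the `*)` arm of the case, `protocol` is not reset, so an unrecognised file name in locations.txt inherits the protocol of the previous entry and may receive WLProxySSL directives it should not; set `protocol=` there or skip the entry with `continue`.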
@@ -37,11 +37,19 @@ create_persistent_volumes() # edit_domain_creation_file() { - filename=$1 - - print_msg "Creating Domain Configuration File" - cp $WORKDIR/samples/create-oim-domain/domain-home-on-pv/create-domain-inputs.yaml $filename ST=$(date +%s) + print_msg "Creating Domain Configuration File" + + if [ "$WLS_CREATION_TYPE" = "WLST" ] + then + filename=$WORKDIR/create-domain-inputs.yaml + cp $WORKDIR/samples/create-oim-domain/domain-home-on-pv/create-domain-inputs.yaml $filename + else + filename=$WORKDIR/create-domain-wdt.yaml + cp $WORKDIR/samples/create-oim-domain/domain-home-on-pv/wdt-utils/generate_models_utils/create-domain-wdt.yaml $filename + replace_value2 edgInstall true $filename + fi + if [ "$CREATE_REGSECRET" = "true" ] then replace_value2 imagePullSecretName regcred $filename 
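Review bot: edit_domain_creation_file no longer reads `$1`, so any caller still passing a filename has its argument silently ignored and the function now writes `$WORKDIR/create-domain-inputs.yaml` or `$WORKDIR/create-domain-wdt.yaml` instead (callers are outside this hunk). The branch here selects the WDT template for any value other than `WLST`, while the later block of the same function (next hunk) applies the WDT substitutions only when the value is exactly `WDT`, so an unset or misspelled WLS_CREATION_TYPE copies the WDT template but leaves its NFS and resource settings untouched. A guard at the top of the function closes the gap: `case "$WLS_CREATION_TYPE" in WLST|WDT) ;; *) echo "WLS_CREATION_TYPE must be WLST or WDT"; exit 1 ;; esac`. Neither `cp` result is checked before the file is edited.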
@@ -72,12 +80,91 @@ edit_domain_creation_file() replace_value2 t3ChannelPort $OIG_ADMIN_T3_K8 $filename replace_value2 frontEndHost $OIG_LBR_HOST $filename replace_value2 frontEndPort $OIG_LBR_PORT $filename + + if [ "$WLS_CREATION_TYPE" = "WDT" ] + then + replace_value2 weblogicDomainStorageNFSServer $PVSERVER $filename + replace_value2 weblogicDomainStorageType NFS $filename + replace_value2 weblogicDomainStoragePath $OIG_SHARE $filename + replace_value2 edgInstall true $filename + replace_value2 oamServerJavaParams "$OIGSERVER_JAVA_PARAMS" $filename + replace_value2 soaServerJavaParams "$SOASERVER_JAVA_PARAMS" $filename + replace_value2 oimMaxCPU "$OIM_MAX_CPU" $filename + replace_value2 oimCPU "$OIM_CPU" $filename + replace_value2 oimMaxMemory "$OIM_MAX_MEMORY" $filename + replace_value2 oimMemory "$OIM_MEMORY" $filename + replace_value2 oimMaxCPU "$OIM_MAX_CPU" $filename + replace_value2 oimCPU "$OIM_CPU" $filename + replace_value2 oimMaxMemory "$OIM_MAX_MEMORY" $filename + replace_value2 oimMemory "$OIM_MEMORY" $filename + replace_value2 soaMaxCPU "$SOA_MAX_CPU" $filename + replace_value2 soaCPU "$SOA_CPU" $filename + replace_value2 soaMaxMemory "$SOA_MAX_MEMORY" $filename + replace_value2 soaMemory "$SOA_MEMORY" $filename + replace_value2 soaMaxCPU "$SOA_MAX_CPU" $filename + replace_value2 soaCPU "$SOA_CPU" $filename + replace_value2 soaMaxMemory "$SOA_MAX_MEMORY" $filename + replace_value2 soaMemory "$SOA_MEMORY" $filename + fi print_status $? printf "\t\t\tCopy saved to $WORKDIR\n" ET=$(date +%s) print_time STEP "Create Domain Configuration File" $ST $ET >> $LOGDIR/timings.log } +# Build WDT Domain Creation Image +# +build_wdt_image() +{ + print_msg "Build WDT Domain Creation Image" + + cd $WORKDIR/samples/create-oim-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/ + filename=$WORKDIR/build-domain-creation-image.properties + cp properties/build-domain-creation-image.properties $filename + if [ $? 
-gt 0 ] + then + echo "Failed to create copy file $WORKDIR/samples/create-oim-domain/domain-home-on-pv/wdt-utils/build-domain-creation-image/properties/build-domain-creation-image.properties" + exit 1 + fi + + JAVA_HOME=$(dirname $(dirname $(which java))) + if [ "$JAVA_HOME" = "" ] + then + echo "JAVA_HOME must be set to continue" + exit 1 + fi + + replace_value JAVA_HOME "$JAVA_HOME" $filename + replace_value REPOSITORY ${WDT_IMAGE_REGISTRY}/oig_wdt $filename + replace_value REG_USER $WDT_IMAGE_REG_USER $filename + replace_value IMAGE_PUSH_REQUIRES_AUTH true $filename + echo "REG_PASSWORD=\"$WDT_IMAGE_REG_PWD\"" > $WORKDIR/.buildpwd + replace_value WDT_MODEL_FILE "$WORKDIR/weblogic-domains/$OIG_DOMAIN_NAME/oig.yaml" $filename + replace_value WDT_VARIABLE_FILE "$WORKDIR/weblogic-domains/$OIG_DOMAIN_NAME/oig.properties" $filename + replace_value IMAGE_TAG $OIG_DOMAIN_NAME $filename + + ./build-domain-creation-image.sh -i $filename -p $WORKDIR/.buildpwd > $LOGDIR/build_wdt_image.log 2>&1 + print_status $? $LOGDIR/build_wdt_image.log + ET=`date +%s` + print_time STEP "Generate WDT Model Files" $ST $ET >> $LOGDIR/timings.log +} + +add_image_wdt() +{ + print_msg "Adding image name to domain.yaml" + + filename=$WORKDIR/weblogic-domains/$OIG_DOMAIN_NAME/domain.yaml + update_variable "%DOMAIN_CREATION_IMAGE%" "${WDT_IMAGE_REGISTRY}/oig_wdt:$OIG_DOMAIN_NAME" $filename + + if [ ! "$REGISTRY" = "$WDT_IMAGE_REGISTRY" ] + then + sed -i "/regcred/a\ - name: regcred2\n" $filename + fi + + print_status $? + ET=`date +%s` + print_time STEP "Adding image name to domain.yaml" $ST $ET >> $LOGDIR/timings.log +} # Create the OIG domain # create_oig_domain() 
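Review bot: In build_wdt_image the guard `if [ "$JAVA_HOME" = "" ]` can never fire: when `which java` prints nothing, `dirname ""` yields `.`, so JAVA_HOME becomes `.` and the build proceeds with a bogus path. Test the lookup itself, `command -v java >/dev/null || { echo "java not found in PATH"; exit 1; }`, before deriving JAVA_HOME; the same construct appears in the oam_functions.sh build_wdt_image earlier in this diff. The registry password is written to `$WORKDIR/.buildpwd` with the process umask and never removed after the build; creating it under `umask 077` and deleting it once `build-domain-creation-image.sh` returns stops it lingering readable in the work directory. `ST` is not assigned in build_wdt_image, so its timings entry uses whatever the previous step left behind, and the label "Generate WDT Model Files" does not describe this step. In edit_domain_creation_file the WDT block issues each oim*/soa* resource replace_value2 call twice and sets edgInstall a second time.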
@@ -128,6 +215,51 @@ create_oig_domain() } +create_oig_domain_wdt() +{ + + print_msg "Initialising the Domain" + ST=`date +%s` + + printf "\n\t\t\tCreating the domain - " + oper_pod=$(kubectl get pods -n $OPERNS --no-headers=true | grep -v webhook | head -1 | awk '{ print $1 }') + if [ "$oper_pod" = "" ] + then + echo "Failed to get the name of the WebLogic Operator Pod." + exit 1 + fi + + kubectl create -f $WORKDIR/weblogic-domains/$OIG_DOMAIN_NAME/domain.yaml > $LOGDIR/create_domain.log 2>$LOGDIR/create_domain.log + print_status $? $LOGDIR/create_domain.log + + + printf "\t\t\tChecking no errors in WebLogic Operator log - " + sleep 30 + kubectl logs -n $OPERNS $oper_pod --since=60s| grep $OIG_DOMAIN_NAME | grep SEVERE >> $LOGDIR/create_domain.log + grep -q SEVERE $LOGDIR/create_domain.log + if [ $? -eq 0 ] + then + echo "Failed - Check Logfile: $LOGDIR/create_domain.log" + exit 1 + fi + + sleep 90 + kubectl logs -n $OPERNS $oper_pod --since=120s| grep $OIG_DOMAIN_NAME | grep SEVERE >> $LOGDIR/create_domain.log + grep -q SEVERE $LOGDIR/create_domain.log + if [ $? -eq 0 ] + then + echo "Failed - Check Logfile: $LOGDIR/create_domain.log" + exit 1 + else + echo "Success" + fi + + ET=`date +%s` + + print_time STEP "Initialise the Domain" $ST $ET >> $LOGDIR/timings.log +} + + # Update the oim_cluster memory parameters # update_java_parameters() @@ -159,6 +291,7 @@ update_java_parameters() print_time STEP "Update Java Parameters" $ST $ET >> $LOGDIR/timings.log } + # Start the OIG domain for the first time. # start Admin server and SOA then OIM # 
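Review bot: In create_oig_domain_wdt (and create_oam_domain_wdt in oam_functions.sh) the operator-log check passes vacuously: `kubectl logs ... | grep ... >> log` discards the pipeline's status, so if `kubectl logs` fails — the `head -1` pod may be Pending, Evicted or Terminating, since `kubectl get pods` is not filtered by phase — nothing is appended and `grep -q SEVERE` reports Success. Selecting a running pod, `kubectl get pods -n $OPERNS --field-selector=status.phase=Running --no-headers=true | grep -v webhook | head -1 | awk '{ print $1 }'`, and testing `${PIPESTATUS[0]}` after the logs pipeline would make the check meaningful. `grep $OIG_DOMAIN_NAME` is also an unanchored substring match, so a SEVERE entry for another domain whose name contains this one aborts this step.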
@@ -179,7 +312,7 @@ perform_initial_start() check_running $OIGNS soa-server1 scale_cluster $OIGNS $OIG_DOMAIN_NAME oim-cluster 1 - kubectl logs -n $OIGNS $OIG_DOMAIN_NAME-oim-server1 | grep -q "BootStrap configuration Successfull" + kubectl logs -n $OIGNS $OIG_DOMAIN_NAME-oim-server1 -c weblogic-server | grep -q "BootStrap configuration Successfull" if [ "$?" = "0" ] then echo "BOOTSTRAP SUCCESSFULL" > $LOGDIR/initial_start.log 2>&1 @@ -191,6 +324,24 @@ perform_initial_start() print_time STEP "First Domain Start " $ST $ET >> $LOGDIR/timings.log } +check_oim_bootstrap() +{ + + print_msg "Checking OIM Bootstrap" + ST=$(date +%s) + kubectl logs -n $OIGNS ${OIG_DOMAIN_NAME}-oim-server1 -c weblogic-server | grep -q "BootStrap configuration Failed" + if [ $? = 0 ] + then + echo "BootStrap configuration Failed - check kubectl logs -n $OIGNS ${OIG_DOMAIN_NAME}-oim-server1" + exit 1 + else + echo "Bootstrap Successful." + fi + + ET=$(date +%s) + print_time STEP "Check OIM Bootstrap Start " $ST $ET >> $LOGDIR/timings.log +} + # Create Ingress Services for OIG # create_oig_ingress_manual() @@ -308,7 +459,7 @@ copy_connector() exit 1 fi - kubectl exec -ti $OIG_DOMAIN_NAME-oim-server1 -n $OIGNS -- mkdir -p /u01/oracle/user_projects/domains/ConnectorDefaultDirectory + kubectl exec -ti $OIG_DOMAIN_NAME-oim-server1 -c weblogic-server -n $OIGNS -- mkdir -p /u01/oracle/user_projects/domains/ConnectorDefaultDirectory if ! [ "$?" = "0" ] then echo "Fail" @@ -316,7 +467,7 @@ copy_connector() fi printf "\t\t\tCopy Connector to container - " - kubectl cp $CONNECTOR_DIR/${CONNECTOR_VER} $OIGNS/$OIG_DOMAIN_NAME-adminserver:/u01/oracle/user_projects/domains/ConnectorDefaultDirectory + copy_to_k8 $CONNECTOR_DIR/${CONNECTOR_VER} domains/ConnectorDefaultDirectory $OIGNS $OIG_DOMAIN_NAME print_status $? ET=$(date +%s) 
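Review bot: check_oim_bootstrap only looks for the failure string, so when the oim-server1 pod is not up yet, the container name is wrong, or `kubectl logs` fails for any other reason, grep finds nothing and the function prints "Bootstrap Successful." — a vacuous pass. perform_initial_start, two hunks above, already checks the positive marker; doing the same here, `kubectl logs -n $OIGNS ${OIG_DOMAIN_NAME}-oim-server1 -c weblogic-server | grep -q "BootStrap configuration Successfull" || { echo "BootStrap not confirmed - check kubectl logs -n $OIGNS ${OIG_DOMAIN_NAME}-oim-server1"; exit 1; }`, fails closed. The `-c weblogic-server` additions in the other three hunks are consistent with that; the copy_to_k8 helper that replaces `kubectl cp` in copy_connector is not in this diff, so the container it targets cannot be checked here.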
@@ -759,8 +910,21 @@ run_recon_jobs() run_command_k8 $OIGNS $OIG_DOMAIN_NAME "$PV_MOUNT/workdir/runJob.sh "> $LOGDIR/recon_jobs.log 2>&1 + if [ $? -gt 0 ] + then + echo "Failed see logfile: $LOGDIR/recon_jobs.log + exit 1 + fi - print_status $? $LOGDIR/recon_jobs.log + grep -q NullPointer recon_jobs.log + + if [ $? -eq 0 ] + then + echo "Failed see logfile: $LOGDIR/recon_jobs.log + exit 1 + else + echo "Success" + fi ET=$(date +%s) print_time STEP "Run Recon Jobs" $ST $ET >> $LOGDIR/timings.log } @@ -857,7 +1021,7 @@ set_email_notifications() update_variable "" $OIG_EMAIL_REPLY_ADDRESS $filename copy_to_k8 $filename workdir $OIGNS $OIG_DOMAIN_NAME - kubectl exec -n $OIGNS -ti $OIG_DOMAIN_NAME-adminserver -- /u01/oracle/soa/common/bin/wlst.sh $PV_MOUNT/workdir/update_notifications.py > $LOGDIR/update_notifications.log + kubectl exec -n $OIGNS -ti $OIG_DOMAIN_NAME-adminserver -c weblogic-server -- /u01/oracle/soa/common/bin/wlst.sh $PV_MOUNT/workdir/update_notifications.py > $LOGDIR/update_notifications.log print_status $? $LOGDIR/update_notifications.log ET=$(date +%s) @@ -921,7 +1085,7 @@ create_oig_ohs_config() ST=$(date +%s) - print_msg "Creating OHS Conf files" + print_msg "Creating OHS Config files" OHS_PATH=$LOCAL_WORKDIR/OHS if ! [ -d $OHS_PATH/$OHS_HOST1 ] then 
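Review bot: Both new error branches in run_recon_jobs have an unterminated string — `echo "Failed see logfile: $LOGDIR/recon_jobs.log` lacks its closing quote — so the opening quote of the second echo closes the first string, the `if`/`fi` nesting no longer lines up, and bash reports a syntax error when oig_functions.sh is sourced. Close both: `echo "Failed see logfile: $LOGDIR/recon_jobs.log"`. `grep -q NullPointer recon_jobs.log` uses a relative path and so reads a file in the current directory rather than the log just written; it should be `grep -q NullPointer $LOGDIR/recon_jobs.log`.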
@@ -934,12 +1098,14 @@ create_oig_ohs_config() if [ ! "$OHS_HOST1" = "" ] then + printf "\n\t\t\tCreating Virtual Host Files - " cp $TEMPLATE_DIR/igdadmin_vh.conf $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf cp $TEMPLATE_DIR/igdinternal_vh.conf $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf cp $TEMPLATE_DIR/prov_vh.conf $OHS_PATH/$OHS_HOST1/prov_vh.conf update_variable "" $OHS_HOST1 $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf update_variable "" $OHS_PORT $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf + update_variable "" $OIG_ADMIN_LBR_PROTOCOL $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf update_variable "" $OIG_ADMIN_LBR_HOST $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf update_variable "" $OIG_ADMIN_LBR_PORT $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf update_variable "" $K8_WORKER_HOST1 $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf 
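Review bot: The `update_variable "" $K8_WORKER_HOST1 ... igdadmin_vh.conf` substitution (last context line here, with its HOST2 partner just past the hunk) is kept while the matching lines for prov_vh.conf and igdinternal_vh.conf are removed in the next hunk and create_location now generates the WebLogicCluster routing from NODELIST; if the igdadmin template still carries that placeholder, the admin virtual host ends up with a static two-node route alongside the generated one, and if it does not, the two calls are dead. The OAM counterpart in this diff (create_oam_ohs_config) removed the K8_WORKER_HOST substitutions for iadadmin, so igdadmin should probably follow. create_oig_ohs_config continues beyond this hunk.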
@@ -950,38 +1116,32 @@ create_oig_ohs_config() update_variable "" $OIG_LBR_PROTOCOL $OHS_PATH/$OHS_HOST1/prov_vh.conf update_variable "" $OIG_LBR_HOST $OHS_PATH/$OHS_HOST1/prov_vh.conf update_variable "" $OIG_LBR_PORT $OHS_PATH/$OHS_HOST1/prov_vh.conf - update_variable "" $K8_WORKER_HOST1 $OHS_PATH/$OHS_HOST1/prov_vh.conf - update_variable "" $K8_WORKER_HOST2 $OHS_PATH/$OHS_HOST1/prov_vh.conf update_variable "" $OHS_HOST1 $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf update_variable "" $OHS_PORT $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf update_variable "" $OIG_LBR_INT_PROTOCOL $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf update_variable "" $OIG_LBR_INT_HOST $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf update_variable "" $OIG_LBR_INT_PORT $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf - update_variable "" $K8_WORKER_HOST1 $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf - update_variable "" $K8_WORKER_HOST2 $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf + print_status $? if [ "$USE_INGRESS" = "true" ] then - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/prov_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/prov_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf - update_variable "" $INGRESS_HTTP_PORT $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf - else - update_variable "" $OIG_OIM_PORT_K8 $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf - update_variable "" $OIG_OIM_PORT_K8 $OHS_PATH/$OHS_HOST1/prov_vh.conf - update_variable "" $OIG_SOA_PORT_K8 $OHS_PATH/$OHS_HOST1/prov_vh.conf - update_variable "" $OIG_OIM_PORT_K8 $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf - update_variable "" $OIG_SOA_PORT_K8 $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf - update_variable "" $OIG_ADMIN_K8 $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf + OIG_OIM_PORT_K8=$INGRESS_HTTP_PORT + OIG_OIM_PORT_K8=$INGRESS_HTTP_PORT + 
OIG_SOA_PORT_K8=$INGRESS_HTTP_PORT + OIG_OIM_PORT_K8=$INGRESS_HTTP_PORT + OIG_SOA_PORT_K8=$INGRESS_HTTP_PORT + OIG_ADMIN_K8=$INGRESS_HTTP_PORT fi fi + NODELIST=$(kubectl get nodes --no-headers=true | cut -f1 -d ' ') + create_location $TEMPLATE_DIR/locations.txt "$NODELIST" $OHS_PATH/$OHS_HOST1 + if [ ! "$OHS_HOST2" = "" ] then + printf "\n\t\t\tCreating Virtual Host files for $OHS_HOST2 - " cp $OHS_PATH/$OHS_HOST1/igdadmin_vh.conf $OHS_PATH/$OHS_HOST2/igdadmin_vh.conf cp $OHS_PATH/$OHS_HOST1/prov_vh.conf $OHS_PATH/$OHS_HOST2/prov_vh.conf cp $OHS_PATH/$OHS_HOST1/igdinternal_vh.conf $OHS_PATH/$OHS_HOST2/igdinternal_vh.conf diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oiri_functions.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oiri_functions.sh index 0bc74cbd..a21b4499 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oiri_functions.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oiri_functions.sh @@ -1,4 +1,4 @@ -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of functions and procedures to provision and Configure Oracle Identity Role Intelligence @@ -114,7 +114,7 @@ create_rbac() kubectl apply -f $WORKDIR/$filename > $LOGDIR/create_rbac.log 2>&1 print_status $? $LOGDIR/create_rbac.log - KVER=`kubectl version --short 2>/dev/null | grep Server | cut -f2 -d: |sed 's/v//;s/ //g' ` + KVER=$(get_k8_ver) KVER=${KVER:0:4} if [ $KVER > "1.23" ] then 
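Review bot: In create_oig_ohs_config the `create_location $TEMPLATE_DIR/locations.txt "$NODELIST" $OHS_PATH/$OHS_HOST1` call sits after the `fi` that closes `if [ ! "$OHS_HOST1" = "" ]`, so with an empty OHS_HOST1 it runs against `$OHS_PATH/` and every sed/grep inside create_location fails on non-existent `*_vh.conf` files; the OAM version earlier in this diff keeps the same call inside the guard, and this one should move above the `fi`. The ingress block assigns `OIG_OIM_PORT_K8=$INGRESS_HTTP_PORT` three times and `OIG_SOA_PORT_K8=$INGRESS_HTTP_PORT` twice; one assignment each of `OIG_OIM_PORT_K8`, `OIG_SOA_PORT_K8` and `OIG_ADMIN_K8` is enough. The function continues past the hunk.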
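Review bot: The value now taken from `get_k8_ver` is compared on the next context line with `[ $KVER > "1.23" ]`, where `>` inside single-bracket test is a shell redirection: the test degenerates to `[ $KVER ]` (true for any non-empty value) and a file named `1.23` is created in the current directory on every run. `[[ "$KVER" > "1.23" ]]` performs the intended string comparison, though the truncation `${KVER:0:4}` still orders a `1.9.` prefix after `1.23` lexically; comparing major and minor numerically, or via `sort -V`, is more robust. Whether get_k8_ver returns a bare dotted version or a `v`/`+`-suffixed string is not visible here, and the four-character truncation depends on it.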
@@ -212,9 +212,9 @@ setup_config_files() ST=`date +%s` k8url=`grep server: $KUBECONFIG | sed 's/server://;s/ //g'` echo oiri_cli "/oiri-cli/scripts/setupConfFiles.sh -m prod \ - --oigdbhost $OIG_DB_SCAN \ - --oigdbport $OIG_DB_LISTENER \ - --oigdbsname $OIG_DB_SERVICE \ + --oigdbhost $OIRI_OIG_DB_SCAN \ + --oigdbport $OIRI_OIG_DB_LISTENER \ + --oigdbsname $OIRI_OIG_DB_SERVICE \ --oiridbhost $OIRI_DB_SCAN \ --oiridbport $OIRI_DB_LISTENER \ --oiridbsname $OIRI_DB_SERVICE \ @@ -226,9 +226,9 @@ setup_config_files() --sparkk8smasterurl k8s://${k8url} \ --oigserverurl $OIRI_OIG_URL " > $LOGDIR/setup_config.log oiri_cli "/oiri-cli/scripts/setupConfFiles.sh -m prod \ - --oigdbhost $OIG_DB_SCAN \ - --oigdbport $OIG_DB_LISTENER \ - --oigdbsname $OIG_DB_SERVICE \ + --oigdbhost $OIRI_OIG_DB_SCAN \ + --oigdbport $OIRI_OIG_DB_LISTENER \ + --oigdbsname $OIRI_OIG_DB_SERVICE \ --oiridbhost $OIRI_DB_SCAN \ --oiridbport $OIRI_DB_LISTENER \ --oiridbsname $OIRI_DB_SERVICE \ 
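Review bot: The setupConfFiles.sh arguments now come from OIRI_OIG_DB_SCAN, OIRI_OIG_DB_LISTENER and OIRI_OIG_DB_SERVICE, and none of the three is checked before use, so a response file written for the old OIG_DB_* names produces `--oigdbhost --oigdbport --oigdbsname` with empty values and an opaque failure inside the oiri-cli pod. A guard ahead of the call, `: "${OIRI_OIG_DB_SCAN:?set OIRI_OIG_DB_SCAN in the responsefile}"` for each variable, fails early with a clear message; the prereqchecks.sh change in this diff is the other natural place for it. The first hunk also echoes the complete command into `$LOGDIR/setup_config.log`; if the arguments outside the hunk include credentials, they land in that log too (not visible here).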
@@ -323,49 +323,60 @@ create_keystore() get_oig_certificate() { print_msg "Obtaining OIG Certificate" - ST=`date +%s` - run_command_k8 $OIGNS $OIG_DOMAIN_NAME "keytool -export -rfc -alias xell \ + ST=$(date +%s) + if [ "$OIRI_OIG_XELL_FILE" = "" ] + then + run_command_k8 $OIGNS $OIG_DOMAIN_NAME "keytool -export -rfc -alias xell \ -file $PV_MOUNT/workdir/xell.pem \ -keystore $PV_MOUNT/domains/$OIG_DOMAIN_NAME/config/fmwconfig/default-keystore.jks \ -storepass $OIG_WEBLOGIC_PWD" > $LOGDIR/get_oig_cert.log - print_status $? + print_status $? - printf "\t\t\tCopy Certificate to working directory -" - copy_from_k8 $PV_MOUNT/workdir/xell.pem $WORKDIR/xell.pem $OIGNS $OIG_DOMAIN_NAME >> $LOGDIR/get_oig_cert.log 2>&1 - print_status $RETCODE $LOGDIR/get_oig_cert.log + printf "\t\t\tCopy Certificate to working directory - " + copy_from_k8 $PV_MOUNT/workdir/xell.pem $WORKDIR/xell.pem $OIGNS $OIG_DOMAIN_NAME >> $LOGDIR/get_oig_cert.log 2>&1 + print_status $RETCODE $LOGDIR/get_oig_cert.log - printf "\t\t\tCopy Certificate PEM to working directory -" - copy_to_oiri $WORKDIR/xell.pem /app/k8s/xell.pem $OIRINS oiri-cli >> $LOGDIR/get_oig_cert.log 2>&1 - print_status $RETCODE $LOGDIR/get_oig_cert.log + printf "\t\t\tCopy Certificate PEM to working directory - " + copy_to_oiri $WORKDIR/xell.pem /app/k8s/xell.pem $OIRINS oiri-cli >> $LOGDIR/get_oig_cert.log 2>&1 + print_status $RETCODE $LOGDIR/get_oig_cert.log + else + printf "\t\t\tCopy Certificate PEM to working directory - " + copy_to_oiri $OIRI_OIG_XELL_FILE /app/k8s/xell.pem $OIRINS oiri-cli >> $LOGDIR/get_oig_cert.log 2>&1 + print_status $RETCODE $LOGDIR/get_oig_cert.log + fi - printf "\t\t\tImport OIG Certificate into OIRI -" + printf "\t\t\tImport OIG Certificate into OIRI - " oiri_cli "keytool -import \ -alias xell \ -file /app/k8s/xell.pem \ -keystore /app/oiri/data/keystore/keystore.jks\ -storepass $OIRI_KEYSTORE_PWD -noprompt" >> $LOGDIR/get_oig_cert.log 2>&1 print_status $? 
$LOGDIR/get_oig_cert.log - printf "\t\t\tGet Loadbalancer Certificate - " - get_lbr_certificate $OIG_LBR_HOST $OIG_LBR_PORT >> $LOGDIR/get_oig_cert.log 2>&1 - grep -q Failed $LOGDIR/get_oig_cert.log - if [ $? = 0 ] - then - echo "Failed see logfile $LOGDIR/get_oig_cert.log" - else - echo "Success" - fi - - printf "\t\t\tCopy Loadbalancer Certificate - " - copy_to_oiri $WORKDIR/$OIG_LBR_HOST.pem /app/k8s/$OIG_LBR_HOST.pem $OIRINS oiri-cli >> $LOGDIR/get_oig_cert.log 2>&1 - print_status $RETCODE $LOGDIR/get_oig_cert.log - printf "\t\t\tImport OIG Loadbalancer Certificate into OIRI -" - oiri_cli "keytool -import \ - -alias oigssl \ - -file /app/k8s/$OIG_LBR_HOST.pem \ - -keystore /app/oiri/data/keystore/keystore.jks\ - -storepass $OIRI_KEYSTORE_PWD -noprompt" >> $LOGDIR/get_oig_cert.log 2>&1 - print_status $? $LOGDIR/get_oig_cert.log + if [ "$OIG_LBR_PROTOCOL" = "https" ] + then + printf "\t\t\tGet Loadbalancer Certificate - " + get_lbr_certificate $OIG_LBR_HOST $OIG_LBR_PORT >> $LOGDIR/get_oig_cert.log 2>&1 + grep -q Failed $LOGDIR/get_oig_cert.log + if [ $? = 0 ] + then + echo "Failed see logfile $LOGDIR/get_oig_cert.log" + else + echo "Success" + fi + + printf "\t\t\tCopy Loadbalancer Certificate - " + copy_to_oiri $WORKDIR/$OIG_LBR_HOST.pem /app/k8s/$OIG_LBR_HOST.pem $OIRINS oiri-cli >> $LOGDIR/get_oig_cert.log 2>&1 + print_status $RETCODE $LOGDIR/get_oig_cert.log + + printf "\t\t\tImport OIG Loadbalancer Certificate into OIRI - " + oiri_cli "keytool -import \ + -alias oigssl \ + -file /app/k8s/$OIG_LBR_HOST.pem \ + -keystore /app/oiri/data/keystore/keystore.jks\ + -storepass $OIRI_KEYSTORE_PWD -noprompt" >> $LOGDIR/get_oig_cert.log 2>&1 + print_status $? $LOGDIR/get_oig_cert.log + fi ET=`date +%s` print_time STEP "Obtain and Load OIG Certificates" $ST $ET >> $LOGDIR/timings.log 
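Review bot: The new else branch passes `$OIRI_OIG_XELL_FILE` straight to copy_to_oiri without checking that it exists, so a wrong path in the response file surfaces only at the later keytool import, after the copy step has printed whatever `$RETCODE` held. `[ -r "$OIRI_OIG_XELL_FILE" ] || { echo "OIRI_OIG_XELL_FILE $OIRI_OIG_XELL_FILE not found"; exit 1; }` before the copy fails early. In the https block the `grep -q Failed` branch prints "Failed see logfile" but does not exit, so the function goes on to copy and import a `$OIG_LBR_HOST.pem` that was never produced; an `exit 1` there matches how the rest of the function treats errors. Since that block is now conditional on OIG_LBR_PROTOCOL, an unset or misspelled value silently skips importing the load-balancer certificate for a TLS front end, which is worth a note next to the variable in the response file.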
@@ -449,13 +460,14 @@ create_users() # Perform variable substitution in template files # update_variable "" $OIG_DOMAIN_NAME $USERFILE - update_variable "" $LDAP_XELSYSADM_USER $USERFILE - update_variable "" $LDAP_USER_PWD $USERFILE + update_variable "" $OIRI_OIG_XELSYSADM_USER $USERFILE + update_variable "" $OIRI_OIG_USER_PWD $USERFILE update_variable "" $OIRI_ENG_USER $USERFILE update_variable "" $OIRI_ENG_PWD $USERFILE update_variable "" $OIRI_ENG_GROUP $USERFILE update_variable "" $OIRI_SERVICE_USER $USERFILE update_variable "" $OIRI_SERVICE_PWD $USERFILE + update_variable "" $OIRI_OIG_SERVER $USERFILE copy_to_k8 $TEMPLATE_DIR/createAdminUser.java workdir $OIGNS $OIG_DOMAIN_NAME copy_to_k8 $USERFILE workdir $OIGNS $OIG_DOMAIN_NAME 
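Review bot: `update_variable "" $OIRI_OIG_USER_PWD $USERFILE` (like the OIRI_ENG_PWD and OIRI_SERVICE_PWD lines around it) passes the password unquoted, so a value containing spaces, `*` or `?` is word-split or glob-expanded before update_variable sees it and the substitution silently corrupts the user file; quote it, `update_variable "" "$OIRI_OIG_USER_PWD" $USERFILE`, and the new `$OIRI_OIG_SERVER` line likewise. Because these values are written into `$USERFILE`, which is then copied into the pod's workdir, plaintext credentials sit on the PV for the rest of the run; removing the file once createAdminUser.java has consumed it (outside this hunk) would limit that exposure.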
@@ -642,44 +654,28 @@ set_incremental() create_ohs_entries() { print_msg "Update OHS Files" + echo ST=`date +%s` - UIFILE=$WORKDIR/ohs1.conf - APIFILE=$WORKDIR/ohs2.conf - - cp $TEMPLATE_DIR/ohs1.conf $UIFILE - cp $TEMPLATE_DIR/ohs2.conf $APIFILE - update_variable "" $K8_WORKER_HOST1 $UIFILE - update_variable "" $K8_WORKER_HOST2 $UIFILE - update_variable "" $K8_WORKER_HOST1 $APIFILE - update_variable "" $K8_WORKER_HOST2 $APIFILE if [ "$USE_INGRESS" = "true" ] then - update_variable "" $INGRESS_HTTP_PORT $UIFILE - update_variable "" $INGRESS_HTTP_PORT $APIFILE - else - update_variable "" $OIRI_UI_K8 $UIFILE - update_variable "" $OIRI_K8 $APIFILE + OIRI_UI_K8=$INGRESS_HTTP_PORT + OIRI_K8=$INGRESS_HTTP_PORT fi OHSHOST1FILES=$LOCAL_WORKDIR/OHS/$OHS_HOST1 OHSHOST2FILES=$LOCAL_WORKDIR/OHS/$OHS_HOST2 + NODELIST=$(kubectl get nodes --no-headers=true | cut -f1 -d ' ') + if [ ! "$OHS_HOST1" = "" ] then - sed -i '/<\/VirtualHost>/d' $OHSHOST1FILES/igdadmin_vh.conf - sed -i '/<\/VirtualHost>/d' $OHSHOST1FILES/igdinternal_vh.conf - cat $UIFILE >> $OHSHOST1FILES/igdadmin_vh.conf - cat $APIFILE >> $OHSHOST1FILES/igdadmin_vh.conf - cat $APIFILE >> $OHSHOST1FILES/igdinternal_vh.conf + create_location $TEMPLATE_DIR/locations.txt "$NODELIST" $OHSHOST1FILES + print_status $? fi if [ ! "$OHS_HOST2" = "" ] then - sed -i '/<\/VirtualHost>/d' $OHSHOST2FILES/igdadmin_vh.conf - sed -i '/<\/VirtualHost>/d' $OHSHOST2FILES/igdinternal_vh.conf - cat $UIFILE >> $OHSHOST2FILES/igdadmin_vh.conf - cat $APIFILE >> $OHSHOST2FILES/igdadmin_vh.conf - cat $APIFILE >> $OHSHOST2FILES/igdinternal_vh.conf + create_location $TEMPLATE_DIR/locations.txt "$NODELIST" $OHSHOST2FILES fi print_status $? diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oud_functions.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oud_functions.sh index bb3f3f90..7bdbcded 100755 
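Review bot: In create_ohs_entries `print_status $?` after `create_location ... $OHSHOST1FILES` reports the status of create_location's last command (the `while ... done < $locfile` loop), not whether the Location blocks were written; create_location records Success/Already Exists only in `$LOGDIR/$file.log`, so a failed sed or grep inside it is still shown as Success here. The trailing `print_status $?` after the OHS_HOST2 block has the same problem and, when OHS_HOST2 is empty, reports the status of the `[ ... ]` test. Having create_location `return 1` when a sed or grep fails, and checking it in all three callers in this diff (create_oam_ohs_config, create_oig_ohs_config and here), would make those statuses meaningful. The `NODELIST=$(kubectl get nodes ...)` line repeats the pattern raised at create_oam_ohs_config.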
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oud_functions.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/common/oud_functions.sh @@ -1,4 +1,4 @@ -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of the checks that can be performed before Provisioning Identity Management @@ -85,7 +85,7 @@ create_override() update_variable "" $OUDSM_INGRESS_HOST $OVERRIDE_FILE - KUBERNETES_VER=`kubectl version --short=true 2>/dev/null | grep Server | cut -f2 -d: | cut -f1 -d + | sed 's/ v//' | cut -f 1-3 -d.` + KUBERNETES_VER=$(get_k8_ver) update_variable "" $KUBERNETES_VER $OVERRIDE_FILE update_variable "" $KUBECTL_REPO $OVERRIDE_FILE update_variable "" $BUSYBOX_REPO $OVERRIDE_FILE @@ -441,6 +441,7 @@ create_oud_logstash_cm() update_variable "" $OUDNS $WORKDIR/logstash_cm.yaml update_variable "" $ELK_HOST $WORKDIR/logstash_cm.yaml + update_variable "" $ELK_USER $WORKDIR/logstash_cm.yaml update_variable "" $ELK_USER_PWD $WORKDIR/logstash_cm.yaml kubectl create -f $WORKDIR/logstash_cm.yaml >$LOGDIR/logstash_cm.log 2>&1 diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/oke_utils/responsefile/oci_oke.rsp b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/oke_utils/responsefile/oci_oke.rsp index ead4b009..e29a04de 100644 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/oke_utils/responsefile/oci_oke.rsp +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/oke_utils/responsefile/oci_oke.rsp 
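Review bot: Whether get_k8_ver strips the `+` build suffix and trims the value to three dot-separated fields, as the pipeline it replaces in create_override did, is not visible in this diff; create_rbac in oiri_functions.sh truncates the same helper's result to four characters, which suggests it may return more than the old pipeline did. If the helper passes a `+`-suffixed build string through unchanged, the override file receives a version the chart may not accept; a comment on get_k8_ver's output format, or keeping `| cut -f1 -d + | cut -f 1-3 -d.` after the call here, would settle it. In create_oud_logstash_cm the added `update_variable "" $ELK_USER ...` follows the existing line that substitutes `$ELK_USER_PWD` into a ConfigMap manifest on disk; that is pre-existing, but a ConfigMap is not the right home for a credential and a Secret reference would be worth considering.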
@@ -1,4 +1,4 @@ -# Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2023,2024 Oracle and/or its affiliates. All rights reserved. # Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl. # # This is an example of a responsefile for the create_infra.sh script @@ -188,6 +188,8 @@ BASTION_INSTANCE_SHAPE="VM.Standard.E4.Flex" BASTION_SHAPE_CONFIG="'{\"memoryInGBs\": 16.0, \"ocpus\": 1.0, \"baselineOcpuUtilization\": \"BASELINE_1_8\"}'" BASTION_PUBLIC_IP="true" BASTION_HOSTNAME="idm-bastion" +BASTION_ELK_PORT=31920 +BASTION_KIBANA_PORT=31800 # Configuration of OHS and WebTier OHS_SECLIST_DISPLAY_NAME="ohs-seclist" diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/prereqchecks.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/prereqchecks.sh index 2ccd055b..41a85bb3 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/prereqchecks.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/prereqchecks.sh @@ -82,6 +82,22 @@ then WARN=$((WARN+1)) fi +echo -n "Checking KUBECONFIG File : " +if [ -n "$KUBECONFIG" ] +then + if [ -f "$KUBECONFIG" ] + then + echo "Success" + else + echo "Failed - KUBECONFIG file $KUBECONFIG does not exist" + FAIL=$((FAIL+1)) + fi +else + echo "Failed - KUBECONFIG variable not set" + FAIL=$((FAIL+1)) +fi + + if [ ! "$USE_REGISTRY" = "true" ] then echo -n "Checking Images Directory : " diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision.sh index 6ec4bfc1..51c295ac 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision.sh 
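Review bot: The new KUBECONFIG check in prereqchecks.sh uses `[ -f "$KUBECONFIG" ]`, but KUBECONFIG may legitimately hold a colon-separated list of files that kubectl merges, and such a value fails here as "does not exist" even though kubectl works. Treating an unset variable as a failure is consistent with the scripts reading `$KUBECONFIG` directly (setup_config_files greps it for `server:`), so that part is right, but the file test should walk the list, `IFS=: read -ra kc <<< "$KUBECONFIG"` and `[ -r "$f" ]` for each entry, or at least use `-r` rather than `-f`, since an unreadable file is the more common failure. If a single file is a deliberate restriction of these scripts, the failure message should say so.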
@@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of an Umbrella script that will perform a full end to end Identity Managment Provisioning @@ -32,7 +32,7 @@ do p) PWDFILE=$SCRIPTDIR/responsefile/$OPTARG ;; - ignorePrereqs) + i) IGNOREREQS=true ;; ?) diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oaa.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oaa.sh index 545dc13b..ce24873f 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oaa.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oaa.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2022, 2023, Oracle and/or its affiliates. +# Copyright (c) 2022, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a script which can be used to deploy Oracle Advanced Authentication @@ -49,6 +49,7 @@ fi . $SCRIPTDIR/common/functions.sh . $SCRIPTDIR/common/oaa_functions.sh +. $SCRIPTDIR/common/ohs_functions.sh START_TIME=`date +%s` @@ -62,6 +63,12 @@ then exit 1 fi +if [ "$INSTALL_OUA" = "true" ] && [ "$INSTALL_OAA" != "true" ] +then + echo "You have not requested Oracle Advanced Authentication" + exit 1 +fi + if [ "$USE_INGRESS" = "true" ] then INGRESS_HTTP_PORT=`get_k8_port $INGRESS_NAME $INGRESSNS http ` 
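Review bot: The new guard exits when INSTALL_OUA is true but INSTALL_OAA is not, yet the message `You have not requested Oracle Advanced Authentication` does not tell the operator which setting to change. Something like `echo "INSTALL_OUA=true requires INSTALL_OAA=true in the responsefile"` names the fix directly. INSTALL_RISK, which this script later uses to gate the risk pods, receives no equivalent consistency check; if it carries the same dependency on INSTALL_OAA, the same guard applies.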
@@ -101,11 +108,14 @@ fi # Add Existig Users to OAA Group # -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$OAA_ADD_USERS_LDAP" = "true" ] then - add_existing_users oud - update_progress + new_step + if [ $STEPNO -gt $PROGRESS ] + then + add_existing_users oud + update_progress + fi fi # Create Kubernetes Namespace(s) @@ -120,32 +130,37 @@ fi # Create a Container Registry Secret if requested # -new_step -if [ $STEPNO -gt $PROGRESS ] && [ "$CREATE_REGSECRET" = "true" ] +if [ "$CREATE_REGSECRET" = "true" ] then - create_registry_secret $REGISTRY $REG_USER $REG_PWD $OAANS - update_progress + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_registry_secret $REGISTRY $REG_USER $REG_PWD $OAANS + update_progress + fi fi - # Create GitHub Secret if requested # -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$CREATE_GITSECRET" = "true" ] then - if [ "$CREATE_GITSECRET" = "true" ] - then + new_step + if [ $STEPNO -gt $PROGRESS ] + then create_git_secret $GIT_USER $GIT_TOKEN $OAANS + update_progress fi - update_progress fi -new_step -if [ $STEPNO -gt $PROGRESS ] && [ "$CREATE_REGSECRET" = "true" ] +if [ "$CREATE_REGSECRET" = "true" ] then - create_registry_secret "https://index.docker.io/v1/" $DH_USER $DH_PWD $OAANS dockercred - update_progress + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_registry_secret "https://index.docker.io/v1/" $DH_USER $DH_PWD $OAANS dockercred + update_progress + fi fi # Create a Management Container @@ -213,7 +228,6 @@ then update_progress fi - # Enable OAM Auth new_step @@ -275,6 +289,29 @@ then fi fi +# Register TAP for OUA +# +if [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + register_tap_oua + update_progress + fi +fi + +# Edit properties file for OUA +# +if [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + edit_properties_oua + update_progress + fi +fi # Deploy OAA # 
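Review bot: Moving `new_step` inside `if [ "$OAA_ADD_USERS_LDAP" = "true" ]` (and, in the following hunks, inside the CREATE_REGSECRET and CREATE_GITSECRET guards) makes the step numbers that update_progress records depend on response-file flags; if one of those flags is edited between a failed run and its resume, `$STEPNO -gt $PROGRESS` is evaluated against numbering from a different run and steps can be silently skipped or repeated. The same pattern is introduced by the OUA hunks later in provision_oaa.sh, the WDT/WLST branches of provision_oam.sh and provision_oig.sh, and the flag-gated steps in provision_oiri.sh and provision_operator.sh. Keeping `new_step` unconditional and gating only the action preserves stable numbering; if the flags are meant to be frozen once a deployment starts, a comment near the first such guard stating that constraint would at least make it visible.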
@@ -286,7 +323,6 @@ then fi - # Add OHS entries for OAA to OAM ohs config files if Ingress is not being used # if [ "$USE_INGRESS" = "false" ] @@ -319,20 +355,29 @@ then fi fi - new_step if [ $STEPNO -gt $PROGRESS ] then - check_running $OAANS email 0 - check_running $OAANS yotp 0 - check_running $OAANS totp 0 - check_running $OAANS fido 0 - check_running $OAANS kba 0 - check_running $OAANS sms 0 - check_running $OAANS push 0 - check_running $OAANS spui 0 - check_running $OAANS policy 0 - check_running $OAANS fido 0 + check_running $OAANS email 0 true + check_running $OAANS yotp 0 + check_running $OAANS totp 0 + check_running $OAANS fido 0 + check_running $OAANS kba 0 + check_running $OAANS sms 0 + check_running $OAANS push 0 + check_running $OAANS spui 0 + check_running $OAANS policy 0 + check_running $OAANS oaa-admin 0 + check_running $OAANS oaa 0 + if [ "$INSTALL_OUA" = "true" ] + then + check_running $OAANS drss 0 + fi + if [ "$INSTALL_RISK" = "true" ] + then + check_running $OAANS risk-cc 0 + check_running $OAANS risk 0 + fi update_progress fi @@ -349,7 +394,7 @@ fi new_step if [ $STEPNO -gt $PROGRESS ] then - check_running $OAMNS adminserver 0 + check_running $OAMNS adminserver 0 update_urls update_progress fi @@ -372,7 +417,6 @@ then update_progress fi - # Create OAA Agent # new_step @@ -382,8 +426,6 @@ then update_progress fi - - # Install OAA Plugin # new_step @@ -393,7 +435,6 @@ then update_progress fi - # Create OAM Authentication Module # new_step @@ -421,6 +462,15 @@ then update_progress fi +# Set OAA Cookie Domain +# +new_step +if [ $STEPNO -gt $PROGRESS ] +then + create_cookie_domain + update_progress +fi + # Create Test User # new_step 
@@ -430,6 +480,80 @@ then update_progress fi +# Configure DRSS for OUA +# +if [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + configure_drss_oua + update_progress + fi +fi + +# Set DRSS parameter for OUA +# +if [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + set_drss_param_oua + update_progress + fi +fi + +# Enable OAM Identity Service +# +if [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + enable_oam_identity_service + update_progress + fi +fi + +# Set RequireAuthorizationHeader for OAM +# +if [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + set_oam_authz_header + update_progress + fi +fi + +# Set User Identity Store for OAM +# +if [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + set_userid_store + update_progress + fi +fi + + +# Set ldap attribute to true to all the users in OAA_USER_GROUP +# +if [ "$OAA_ADD_USERS_OUA_OBJ" = "true" ] && [ "$INSTALL_OUA" = "true" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + set_ldapattr_to_oaausers + update_progress + fi +fi + + FINISH_TIME=`date +%s` print_time TOTAL "Create OAA" $START_TIME $FINISH_TIME print_time TOTAL "Create OAA" $START_TIME $FINISH_TIME >> $LOGDIR/timings.log diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oam.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oam.sh index f41a0c69..ae26473f 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oam.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oam.sh 
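Review bot: The six blocks added here each repeat `if [ "$INSTALL_OUA" = "true" ]` around a single step, which is harder to read than one guard around the whole OUA sequence. Grouping the DRSS, OAM identity service, authorization header and user identity store steps under a single `if [ "$INSTALL_OUA" = "true" ]` and nesting the `OAA_ADD_USERS_OUA_OBJ` test inside it expresses the same logic once. The comment `# Set ldap attribute to true to all the users in OAA_USER_GROUP` reads better as `# Set the ldap attribute to true for every user in OAA_USER_GROUP`.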
@@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a script which can be used to deploy Oracle Access Manager and wire it to @@ -50,6 +50,7 @@ fi . $SCRIPTDIR/common/functions.sh . $SCRIPTDIR/common/oam_functions.sh +. $SCRIPTDIR/common/ohs_functions.sh START_TIME=`date +%s` @@ -88,7 +89,6 @@ echo echo -n "Provisioning OAM on " date +"%a %d %b %Y %T" echo "--------------------------------------------" -echo create_local_workdir create_logdir @@ -146,6 +146,19 @@ then update_progress fi +if [ "$WLS_CREATION_TYPE" = "WDT" ] && [ ! "$REGISTRY" = "$WDT_IMAGE_REGISTRY" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + if [ "$CREATE_REGSECRET" = "true" ] + then + create_registry_secret $WDT_IMAGE_REGISTRY $WDT_IMAGE_REG_USER $WDT_IMAGE_REG_PWD $OAMNS regcred2 + fi + update_progress + fi +fi + new_step if [ $STEPNO -gt $PROGRESS ] && [ "$CREATE_REGSECRET" = "true" ] then 
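Review bot: `create_registry_secret $WDT_IMAGE_REGISTRY $WDT_IMAGE_REG_USER $WDT_IMAGE_REG_PWD $OAMNS regcred2` passes every argument unquoted, and the sample `.idmpwds` in this commit ships `WDT_IMAGE_REG_PWD=""`; when WDT_IMAGE_REGISTRY differs from REGISTRY but the password is left blank, the empty word drops out and `$OAMNS` is received in the password position. Quoting the arguments (`"$WDT_IMAGE_REG_PWD"`) keeps the positions stable, and prereqchecks.sh could verify that WDT_IMAGE_REG_PWD is non-empty whenever `WLS_CREATION_TYPE=WDT` and the two registries differ. The identical call added to provision_oig.sh has the same issue.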
@@ -165,89 +178,167 @@ then update_progress fi -new_step -if [ $STEPNO -gt $PROGRESS ] -then - create_helper_pod $OAMNS $OAM_IMAGE:$OAM_VER - update_progress -fi +# Create Kubernetes Secrets +# -# Create RCU Schema Objects new_step if [ $STEPNO -gt $PROGRESS ] then - create_schemas $OAMNS $OAM_DB_SCAN $OAM_DB_LISTENER $OAM_DB_SERVICE $OAM_RCU_PREFIX OAM $OAM_DB_SYS_PWD $OAM_SCHEMA_PWD + if [ "$WLS_CREATION_TYPE" = "WDT" ] + then + create_domain_secret_wdt $OAMNS $OAM_DOMAIN_NAME $OAM_WEBLOGIC_USER $OAM_WEBLOGIC_PWD + else + create_domain_secret $OAMNS $OAM_DOMAIN_NAME $OAM_WEBLOGIC_USER $OAM_WEBLOGIC_PWD + fi update_progress fi -# Create Kubernetes Secrets -# - new_step if [ $STEPNO -gt $PROGRESS ] then - create_domain_secret $OAMNS $OAM_DOMAIN_NAME $OAM_WEBLOGIC_USER $OAM_WEBLOGIC_PWD + if [ "$WLS_CREATION_TYPE" = "WDT" ] + then + create_rcu_secret_wdt $OAMNS $OAM_DOMAIN_NAME $OAM_RCU_PREFIX $OAM_SCHEMA_PWD $OAM_DB_SYS_PWD $OAM_DB_SCAN $OAM_DB_LISTENER $OAM_DB_SERVICE + else + create_rcu_secret $OAMNS $OAM_DOMAIN_NAME $OAM_RCU_PREFIX $OAM_SCHEMA_PWD $OAM_DB_SYS_PWD + fi update_progress fi - -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$WLS_CREATION_TYPE" = "WLST" ] then - create_rcu_secret $OAMNS $OAM_DOMAIN_NAME $OAM_RCU_PREFIX $OAM_SCHEMA_PWD $OAM_DB_SYS_PWD + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_helper_pod $OAMNS $OAM_IMAGE:$OAM_VER update_progress -fi + fi -# Create Persistent Volumes -# + # Create RCU Schema Objects + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_schemas $OAMNS $OAM_DB_SCAN $OAM_DB_LISTENER $OAM_DB_SERVICE $OAM_RCU_PREFIX OAM $OAM_DB_SYS_PWD $OAM_SCHEMA_PWD + update_progress + fi -new_step -if [ $STEPNO -gt $PROGRESS ] -then + + # Create Persistent Volumes + # + + new_step + if [ $STEPNO -gt $PROGRESS ] + then create_persistent_volumes update_progress -fi + fi -new_step -if [ $STEPNO -gt $PROGRESS ] -then - check_pv_ok $OAM_DOMAIN_NAME - update_progress -fi + new_step + if [ $STEPNO -gt $PROGRESS ] + then + 
check_pv_ok $OAM_DOMAIN_NAME + update_progress + fi -new_step -if [ $STEPNO -gt $PROGRESS ] -then + new_step + if [ $STEPNO -gt $PROGRESS ] + then check_pvc_ok $OAM_DOMAIN_NAME $OAMNS update_progress -fi + fi +fi + # Create Domain Configuration File # new_step if [ $STEPNO -gt $PROGRESS ] then - edit_domain_creation_file $WORKDIR/create-domain-inputs.yaml + edit_domain_creation_file update_progress fi -# Initialise Domain -# -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$WLS_CREATION_TYPE" = "WDT" ] then - create_oam_domain + new_step + if [ $STEPNO -gt $PROGRESS ] + then + generate_wdt_model_files + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + build_wdt_image + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + add_image_wdt update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_oam_domain_wdt + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_running $OAMNS introspector true + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_introspector $OAMNS + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_domain_ok $OAMNS $OAM_DOMAIN_NAME + update_progress + fi +else + + # Initialise Domain + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_oam_domain + update_progress + fi + + # Start Domain + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + perform_first_start + update_progress + fi fi -# Start Domain + +# Check that the domain is started # new_step if [ $STEPNO -gt $PROGRESS ] then - perform_first_start + check_running $OAMNS adminserver true + check_running $OAMNS oam-server1 update_progress fi @@ -260,7 +351,6 @@ then if [ "$USE_INGRESS" = "true" ] then create_oam_ingress - #create_oam_ingress_manual else create_oam_nodeport fi 
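Review bot: `check_running $OAMNS introspector true` and `check_running $OAMNS adminserver true` place `true` in the third position, whereas the other calls in this commit (`check_running $OAANS email 0 true`, `check_running $OPERNS weblogic-operator 10 true`) put a number there and the flag fourth; unless check_running accepts the flag in either slot, these calls hand it a non-numeric value where a count is expected. `check_running $OAMNS introspector 0 true` and `check_running $OAMNS adminserver 0 true` would match the rest of the file. The same three-argument form appears in the provision_oig.sh domain-start hunk (`check_running $OIGNS adminserver true`, `check_running $OIGNS soa-server1 true`).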
@@ -367,13 +457,27 @@ then create_wg_agent update_progress fi -# Add Weblogic Plugin -# -new_step -if [ $STEPNO -gt $PROGRESS ] + + +if [ "$WLS_CREATION_TYPE" = "WLST" ] then - set_weblogic_plugin - update_progress + new_step + # Add Weblogic Plugin + # + if [ $STEPNO -gt $PROGRESS ] + then + set_weblogic_plugin + update_progress + + # Update OAM Datasouce + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + update_oamds + update_progress + fi + fi fi # Add ADF logout @@ -385,14 +489,6 @@ then update_progress fi -# Update OAM Datasouce -# -new_step -if [ $STEPNO -gt $PROGRESS ] -then - update_oamds - update_progress -fi # Enable DB Fan # @@ -514,6 +610,12 @@ then fi +new_step +if [ $STEPNO -gt $PROGRESS ] +then + check_healthcheck_ok + update_progress +fi FINISH_TIME=`date +%s` print_time TOTAL "Create OAM" $START_TIME $FINISH_TIME diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oig.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oig.sh index 6d8edfa0..759c4ee7 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oig.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oig.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of provisioning Oracle Identity Governance and wiring it to Oracle Unified Directory @@ -51,6 +51,7 @@ fi . $SCRIPTDIR/common/functions.sh . $SCRIPTDIR/common/oig_functions.sh +. $SCRIPTDIR/common/ohs_functions.sh START_TIME=`date +%s` 
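Review bot: The `update_oamds` step is nested inside the `if [ $STEPNO -gt $PROGRESS ]` that guards `set_weblogic_plugin`, so its `new_step` only executes when the plugin step itself executes; on a resumed run where the plugin step is already recorded as done, the datasource step is skipped and every later step number shifts down by one, so the next unfinished step is also compared against the wrong progress value. The two steps should be siblings under the WLST guard, each with its own `new_step` and progress check, as below.
```shell
if [ "$WLS_CREATION_TYPE" = "WLST" ]
then
  # Add Weblogic Plugin
  #
  new_step
  if [ $STEPNO -gt $PROGRESS ]
  then
    set_weblogic_plugin
    update_progress
  fi

  # Update OAM Datasouce
  #
  new_step
  if [ $STEPNO -gt $PROGRESS ]
  then
    update_oamds
    update_progress
  fi
fi
```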
@@ -137,6 +138,19 @@ then update_progress fi +if [ "$WLS_CREATION_TYPE" = "WDT" ] && [ ! "$REGISTRY" = "$WDT_IMAGE_REGISTRY" ] +then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + if [ "$CREATE_REGSECRET" = "true" ] + then + create_registry_secret $WDT_IMAGE_REGISTRY $WDT_IMAGE_REG_USER $WDT_IMAGE_REG_PWD $OIGNS regcred2 + fi + update_progress + fi +fi + new_step if [ $STEPNO -gt $PROGRESS ] && [ "$CREATE_REGSECRET" = "true" ] then 
@@ -151,62 +165,76 @@ then update_progress fi +# Create Kubernetes Secrets +# + new_step if [ $STEPNO -gt $PROGRESS ] then - create_helper_pod $OIGNS $OIG_IMAGE:$OIG_VER + if [ "$WLS_CREATION_TYPE" = "WDT" ] + then + create_domain_secret_wdt $OIGNS $OIG_DOMAIN_NAME $OIG_WEBLOGIC_USER $OIG_WEBLOGIC_PWD + else + create_domain_secret $OIGNS $OIG_DOMAIN_NAME $OIG_WEBLOGIC_USER $OIG_WEBLOGIC_PWD + fi update_progress fi -# Create RCU Schema Objects new_step if [ $STEPNO -gt $PROGRESS ] then - create_schemas $OIGNS $OIG_DB_SCAN $OIG_DB_LISTENER $OIG_DB_SERVICE $OIG_RCU_PREFIX OIG $OIG_DB_SYS_PWD $OIG_SCHEMA_PWD + if [ "$WLS_CREATION_TYPE" = "WDT" ] + then + create_rcu_secret_wdt $OIGNS $OIG_DOMAIN_NAME $OIG_RCU_PREFIX $OIG_SCHEMA_PWD $OIG_DB_SYS_PWD $OIG_DB_SCAN $OIG_DB_LISTENER $OIG_DB_SERVICE + else + create_rcu_secret $OIGNS $OIG_DOMAIN_NAME $OIG_RCU_PREFIX $OIG_SCHEMA_PWD $OIG_DB_SYS_PWD + fi update_progress fi -# Create Kubernetes Secrets -# - -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$WLS_CREATION_TYPE" = "WLST" ] then - create_domain_secret $OIGNS $OIG_DOMAIN_NAME $OIG_WEBLOGIC_USER $OIG_WEBLOGIC_PWD + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_helper_pod $OIGNS $OIG_IMAGE:$OIG_VER update_progress -fi + fi -new_step -if [ $STEPNO -gt $PROGRESS ] -then - create_rcu_secret $OIGNS $OIG_DOMAIN_NAME $OIG_RCU_PREFIX $OIG_SCHEMA_PWD $OIG_DB_SYS_PWD + # Create RCU Schema Objects + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_schemas $OIGNS $OIG_DB_SCAN $OIG_DB_LISTENER $OIG_DB_SERVICE $OIG_RCU_PREFIX OIG $OIG_DB_SYS_PWD $OIG_SCHEMA_PWD update_progress -fi + fi -# Create Persistent Volumes -# + # Create Persistent Volumes + # -new_step -if [ $STEPNO -gt $PROGRESS ] -then + new_step + if [ $STEPNO -gt $PROGRESS ] + then create_persistent_volumes update_progress -fi + fi -new_step -if [ $STEPNO -gt $PROGRESS ] -then + new_step + if [ $STEPNO -gt $PROGRESS ] + then check_pv_ok $OIG_DOMAIN_NAME update_progress -fi + fi -new_step -if [ $STEPNO -gt 
$PROGRESS ] -then + new_step + if [ $STEPNO -gt $PROGRESS ] + then check_pvc_ok $OIG_DOMAIN_NAME $OIGNS update_progress -fi + fi + +fi # Create Domain Configuration File # 
@@ -214,45 +242,131 @@ fi new_step if [ $STEPNO -gt $PROGRESS ] then - edit_domain_creation_file $WORKDIR/create-domain-inputs.yaml + edit_domain_creation_file update_progress fi -# Initialise Domain -# -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$WLS_CREATION_TYPE" = "WDT" ] then - create_oig_domain - update_progress -fi + new_step + if [ $STEPNO -gt $PROGRESS ] + then + generate_wdt_model_files + update_progress + fi -# Update Java Parameters -# -new_step -if [ $STEPNO -gt $PROGRESS ] -then - update_java_parameters + new_step + if [ $STEPNO -gt $PROGRESS ] + then + build_wdt_image update_progress -fi + fi -# Increase Timeouts -# -new_step -if [ $STEPNO -gt $PROGRESS ] -then - increase_to + new_step + if [ $STEPNO -gt $PROGRESS ] + then + add_image_wdt update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_oig_domain_wdt + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_running $OIGNS introspector true + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_introspector $OIGNS + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_domain_ok $OIGNS $OIG_DOMAIN_NAME + update_progress + fi + + # Check that the domain is started + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_running $OIGNS adminserver true + update_progress + fi + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + check_running $OIGNS soa-server1 true + update_progress + fi + + + new_step + if [ $STEPNO -gt $PROGRESS ] + then + scale_cluster $OIGNS $OIG_DOMAIN_NAME oim-cluster 1 + update_progress + fi + +else + + # Initialise Domain + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_oig_domain + update_progress + fi + + # Update Java Parameters + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + update_java_parameters + update_progress + fi + + # Increase Timeouts + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + increase_to + update_progress + fi + + # 
Perform Initial Domain Start + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + perform_initial_start + update_progress + fi fi -# Perform Initial Domain Start -# new_step if [ $STEPNO -gt $PROGRESS ] then - perform_initial_start - update_progress + check_oim_bootstrap + update_progress fi + # Create Services # @@ -288,22 +402,25 @@ then fi -# Update MDS Datasource -new_step -if [ $STEPNO -gt $PROGRESS ] -then - update_mds - update_progress -fi - -# Set Weblogic Plugin -# -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$WLS_CREATION_TYPE" = "WLST" ] then - set_weblogic_plugin - update_progress + # Update MDS Datasource + new_step + if [ $STEPNO -gt $PROGRESS ] + then + update_mds + update_progress + fi + + # Set Weblogic Plugin + # + new_step + if [ $STEPNO -gt $PROGRESS ] + then + set_weblogic_plugin + update_progress + fi fi if [ "$INSTALL_OAM" = "true" ] && [ "$OAM_OIG_INTEG" = "true" ] @@ -402,7 +519,7 @@ then if [ $STEPNO -gt $PROGRESS ] then configure_sso - update_progress + update_progress fi # Enable OAM Notifications 
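Review bot: In the WDT branch the `# Check that the domain is started` steps (`check_running $OIGNS adminserver true`, `check_running $OIGNS soa-server1 true`, then `scale_cluster $OIGNS $OIG_DOMAIN_NAME oim-cluster 1`) sit inside `if [ "$WLS_CREATION_TYPE" = "WDT" ]`, while the WLST branch goes from `perform_initial_start` straight to the shared `check_oim_bootstrap` step with no running check; the provision_oam.sh hunk in this commit instead runs its server checks after both branches. Unless perform_initial_start already waits for the servers, moving the two check_running steps below the if/else, as provision_oam.sh does, would make the WLST path equally safe.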
@@ -424,34 +541,48 @@ then fi fi + # Get Loadbalancer Certificates # -new_step -if [ $STEPNO -gt $PROGRESS ] +certs=false +if [ "$INSTALL_OAM" = "true" ] && [ "$OAM_OIG_INTEG" = "true" ] then - if [ "$INSTALL_OAM" = "true" ] && [ "$OAM_OIG_INTEG" = "true" ] + new_step + if [ $STEPNO -gt $PROGRESS ] then - get_lbr_certificate $OAM_LOGIN_LBR_HOST $OAM_LOGIN_LBR_PORT + get_lbr_certificate $OAM_LOGIN_LBR_HOST $OAM_LOGIN_LBR_PORT + update_progress fi - if [ "$OIG_BI_INTEG" = "true" ] || [ "$OIG_BI_INTEG" = "TRUE" ] - then - if [ "$OIG_BI_PROTOCOL" = "https" ] || [ "$OIG_BI_PROTOCOL" = "HTTPS" ] - then - get_lbr_certificate $OIG_BI_HOST $OIG_BI_PORT - fi + certs=true +fi + +if [ "$OIG_BI_INTEG" = "true" ] || [ "$OIG_BI_INTEG" = "TRUE" ] +then + if [ "$OIG_BI_PROTOCOL" = "https" ] || [ "$OIG_BI_PROTOCOL" = "HTTPS" ] + then + new_step + if [ $STEPNO -gt $PROGRESS ] + then + get_lbr_certificate $OIG_BI_HOST $OIG_BI_PORT + update_progress fi - update_progress + certs=true + fi fi # Add certificates to Oracle Keystore Service # -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$certs" = "true" ] then - add_certs_to_kss - update_progress + new_step + if [ $STEPNO -gt $PROGRESS ] + then + add_certs_to_kss + update_progress + fi fi + if [ "$INSTALL_OAM" = "true" ] && [ "$OAM_OIG_INTEG" = "true" ] then # Restart Domain diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oiri.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oiri.sh index 684dc6bc..178f1533 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oiri.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_oiri.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a script which can be used to deploy Oracle Identity Role Intelligence @@ -48,6 +48,7 @@ then fi . $SCRIPTDIR/common/functions.sh . $SCRIPTDIR/common/oiri_functions.sh +. $SCRIPTDIR/common/ohs_functions.sh START_TIME=`date +%s` @@ -198,7 +199,7 @@ then fi -# Obtain OIG certificate and add to oiri-clie +# Obtain OIG certificate and add to oiri-cli # new_step if [ $STEPNO -gt $PROGRESS ] @@ -234,20 +235,26 @@ fi # Create an Service Account, Engineering user and Role in OIG # -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$OIRI_CREATE_OIG_USER" = "true" ] then - create_users - update_progress + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_users + update_progress + fi fi # Ensure that OIG is running in Compliance Mode # -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$OIRI_SET_OIG_COMPLIANCE" = "true" ] then - set_compliance_mode - update_progress + new_step + if [ $STEPNO -gt $PROGRESS ] + then + set_compliance_mode + update_progress + fi fi # Having created the wallet ensure that the details inside are correct diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_operator.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_operator.sh index 95bc3360..648523fc 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_operator.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/provision_operator.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of deploying the WebLogic Kubernetes Operator @@ -81,7 +81,6 @@ echo "--------------------------------------------------------------------" >> $ STEPNO=1 PROGRESS=$(get_progress) -new_step if [ $STEPNO -gt $PROGRESS ] then download_samples @@ -112,14 +111,14 @@ fi # Create a Container Registry Secret if requested # -new_step -if [ $STEPNO -gt $PROGRESS ] +if [ "$CREATE_REGSECRET" = "true" ] && [ "$OPER_ENABLE_SECRET" = "true" ] then - if [ "$CREATE_REGSECRET" = "true" ] - then - create_registry_secret $REGISTRY $REG_USER $REG_PWD $OPERNS - update_progress - fi + new_step + if [ $STEPNO -gt $PROGRESS ] + then + create_registry_secret $REGISTRY $REG_USER $REG_PWD $OPERNS + update_progress + fi fi new_step @@ -140,9 +139,7 @@ fi new_step if [ $STEPNO -gt $PROGRESS ] then - print_msg "Wait for Operator to Start" - echo - check_running $OPERNS weblogic-operator 10 + check_running $OPERNS weblogic-operator 10 true update_progress fi diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/.idmpwds b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/.idmpwds index 14f2f862..a861bb1b 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/.idmpwds +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/.idmpwds @@ -1,4 +1,4 @@ -# Copyright (c) 2022, 2023, Oracle and/or its affiliates. +# Copyright (c) 2022, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a file containing setup passwords for IDM 
@@ -7,6 +7,7 @@ # Registry Passwords # REG_PWD="" +WDT_IMAGE_REG_PWD="" GIT_TOKEN="" DH_PWD="" @@ -47,6 +48,7 @@ OIRI_SCHEMA_PWD="Welcome__H0m3" OIRI_KEYSTORE_PWD="Welcome1_01#" OIRI_ENG_PWD="MyPassword" OIRI_SERVICE_PWD="MyPassword" +OIRI_OIG_USER_PWD=$LDAP_USER_PWD # OAA Passwords # diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/idm.rsp b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/idm.rsp index 8424fe7f..96311bd2 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/idm.rsp +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/responsefile/idm.rsp @@ -3,7 +3,7 @@ # # This is an example of a responsefile for IDM Provisioning on Kubernetes # -# Version: 4.2 +# Version: 5.0 ############################################################################################ # CONTROL Parameters # @@ -14,13 +14,15 @@ # INSTALL_OHS=true INSTALL_INGRESS=true -INSTALL_OUDSM=true +INSTALL_OUDSM=false INSTALL_WLSOPER=true INSTALL_OUD=true INSTALL_OAM=true INSTALL_OIG=true -INSTALL_OIRI=false +INSTALL_OIRI=true INSTALL_OAA=true +INSTALL_RISK=true +INSTALL_OUA=true INSTALL_ELK=false INSTALL_PROM=false @@ -51,8 +53,8 @@ K8_WORKDIR=/u01/oracle/user_projects/workdir # Kubernetes Worker Nodes used in OHS configuration and for Configuration calls # -K8_WORKER_HOST1=worker1.example.com -K8_WORKER_HOST2=worker2.example.com +K8_WORKER_HOST1=work1.example.com +K8_WORKER_HOST2=work2.example.com # SSL Certificate Entries - Used when creating Self-Signed Certificates # 
@@ -71,6 +73,11 @@ REGISTRY=iad.ocir.io/mytenancy/idm REG_USER=mytenancy/oracleidentitycloudservice/myemail@example.com CREATE_REGSECRET=true +# Used for storing the domain images for creating domains via WDT +# +WDT_IMAGE_REGISTRY=$REGISTRY +WDT_IMAGE_REG_USER=mytenancy/oracleidentitycloudservice/myemail@example.com + # GitHub # GIT_USER=gituser @@ -117,11 +124,9 @@ OIRICLI_VER=12.2.1.4-jdk8-ol7-DATE OIRI_VER=12.2.1.4-jdk8-ol7-DATE OIRIUI_VER=12.2.1.4-jdk8-ol7-DATE OIRIDING_VER=12.2.1.4-jdk8-ol7-DATE -OAAMGT_VER=12.2.1.4-jdk8-ol7-DATE OAA_VER=12.2.1.4-jdk8-ol7-DATE - -OPER_VER=4.1.2 - +OAAMGT_VER=12.2.1.4-jdk8-ol7-DATE +OPER_VER=4.1.8 ############################################################################################ # NFS Parameters # ############################################################################################ @@ -166,7 +171,7 @@ INGRESS_TYPE=nginx INGRESSNS=ingressns INGRESS_ENABLE_TCP=true INGRESS_NAME=idmedg -INGRESS_SSL=true +INGRESS_SSL=false INGRESS_SERVICE_TYPE=NodePort INGRESS_DOMAIN=example.com INGRESS_REPLICAS=2 @@ -247,6 +252,7 @@ OUDSM_SERVICE_PORT=30901 # OPERNS=opns OPER_ACT=operadmin +OPER_ENABLE_SECRET=false ############################################################################################ # OAM Parameters # @@ -268,6 +274,7 @@ OAM_LOGIN_LBR_PORT=443 OAM_LOGIN_LBR_PROTOCOL=https OAM_ADMIN_LBR_HOST=iadadmin.example.com OAM_ADMIN_LBR_PORT=80 +OAM_ADMIN_LBR_PROTOCOL=http OAM_COOKIE_DOMAIN=.example.com OAM_OAP_HOST=0.0.0.0 @@ -280,7 +287,7 @@ OAM_OAMADMIN_USER=$LDAP_OAMADMIN_USER OAMSERVER_JAVA_PARAMS="-Xms2048m -Xmx8192m " OAM_MAX_CPU=1 # Max CPU Cores pod is allowed to consume. OAM_CPU=500m # Initial CPU Units 1000m = 1 CPU core -OAM_MAX_MEMORY=2Gi # Max Memory pod is allowed to consume. +OAM_MAX_MEMORY=8Gi # Max Memory pod is allowed to consume. OAM_MEMORY=2Gi # Initial Memory allocated to pod. # OAM Ports 
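Review bot: `INGRESS_SSL=false` changes the shipped sample from an SSL-enabled ingress to a plain one, and nothing beside the line says why, so an operator who copies the sample inherits the weaker setting without noticing the change. If the intent is that TLS is terminated elsewhere in the sample topology, a comment such as `# Set to true to enable SSL on the ingress itself` next to the value would make the choice explicit rather than implicit.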
@@ -312,6 +319,7 @@ OIG_RCU_PREFIX=IGD OIG_WEBLOGIC_USER=weblogic OIG_ADMIN_LBR_HOST=igdadmin.example.com OIG_ADMIN_LBR_PORT=80 +OIG_ADMIN_LBR_PROTOCOL=http OIG_LBR_HOST=prov.example.com OIG_LBR_PORT=443 OIG_LBR_PROTOCOL=https @@ -325,20 +333,21 @@ OIG_BI_PORT=443 OIG_BI_PROTOCOL=https OIG_BI_USER=idm_report OIG_EMAIL_CREATE=true -OIG_EMAIL_SERVER=smtp.example.com +OIG_EMAIL_SERVER=smtp.example.com OIG_EMAIL_PORT=25 OIG_EMAIL_SECURITY=None OIG_EMAIL_ADDRESS=email@example.com OIG_EMAIL_FROM_ADDRESS=fromaddress@example.com OIG_EMAIL_REPLY_ADDRESS=noreplies@example.com + # Pod Resource Allocation # OIMSERVER_JAVA_PARAMS="-Xms4096m -Xmx8192m " SOASERVER_JAVA_PARAMS="-Xms4096m -Xmx8192m " OIM_MAX_CPU=1 # Max CPU Cores pod is allowed to consume. OIM_CPU=500m # Initial CPU Units 1000m = 1 CPU core -OIM_MAX_MEMORY=4Gi # Max Memory pod is allowed to consume. +OIM_MAX_MEMORY=8Gi # Max Memory pod is allowed to consume. OIM_MEMORY=4Gi # Initial Memory allocated to pod. SOA_MAX_CPU=1 # Max CPU Cores pod is allowed to consume. SOA_CPU=1000m # Initial CPU Units 1000m = 1 CPU core @@ -404,7 +413,11 @@ OIRI_WORK_SHARE=$IAM_PVS/workpv OIRI_DB_SCAN=db-scan.example.com OIRI_DB_LISTENER=1521 OIRI_DB_SERVICE=oirisvc.example.com -OIRI_RCU_PREFIX=ORI +OIRI_RCU_PREFIX=OIRI + +OIRI_OIG_DB_SCAN=$OIG_DB_SCAN +OIRI_OIG_DB_LISTENER=$OIG_DB_LISTENER +OIRI_OIG_DB_SERVICE=$OIG_DB_SERVICE # Ingress Parameters # @@ -420,7 +433,12 @@ OIRI_SERVICE_USER=oirisvc # OIG Parameters # OIRI_OIG_URL=http://$OIG_DOMAIN_NAME-cluster-oim-cluster.$OIGNS.svc.cluster.local:14000 +OIRI_OIG_SERVER=t3://$OIG_DOMAIN_NAME-oim-server1.$OIGNS.svc.cluster.local:14000/ OIRI_LOAD_DATA=true +OIRI_OIG_XELSYSADM_USER=$LDAP_XELSYSADM_USER +OIRI_OIG_XELL_FILE= +OIRI_CREATE_OIG_USER=true +OIRI_SET_OIG_COMPLIANCE=true # Number of Container Instances # 
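Review bot: `OIRI_OIG_XELL_FILE=` is added empty with no comment, unlike its neighbour `OIRI_OIG_XELSYSADM_USER=$LDAP_XELSYSADM_USER`, so a reader cannot tell whether the blank is a valid default or a value that must be supplied before provisioning. A one-line comment giving the variable's purpose and stating whether it may be left empty would remove the guesswork; the same applies to `OIRI_OIG_SERVER`, whose t3 URL is the only place in the sample that names `oim-server1` directly.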
@@ -468,6 +486,8 @@ OAA_RCU_PREFIX=OAA OAA_ADMIN_GROUP=OAA-Admin-Role OAA_USER_GROUP=OAA-App-User OAA_ADMIN_USER=oaaadmin +OAA_ADD_USERS_LDAP=true +OAA_ADD_USERS_OUA_OBJ=true # File Vault @@ -520,6 +540,8 @@ OAA_SMS_REPLICAS=2 OAA_PUSH_REPLICAS=2 OAA_RISK_REPLICAS=2 OAA_RISKCC_REPLICAS=2 +OAA_DRSS_REPLICAS=2 +OAA_KBA_REPLICAS=2 # Resource Allocations # @@ -547,6 +569,8 @@ OAA_KBA_CPU=200m # Initial CPU Units 1000m = 1 CPU core OAA_KBA_MEMORY=1Gi # Initial Memory allocated to pod. OAA_CUSTOM_CPU=200m # Initial CPU Units 1000m = 1 CPU core OAA_CUSTOM_MEMORY=1Gi # Initial Memory allocated to pod. +OAA_DRSS_CPU=200m # Initial CPU Units 1000m = 1 CPU core +OAA_DRSS_MEMORY=1Gi # Initial Memory allocated to pod. OAA_RISK_CPU=200m # Initial CPU Units 1000m = 1 CPU core OAA_RISK_MEMORY=1Gi # Initial Memory allocated to pod. OAA_RISKCC_CPU=200m # Initial CPU Units 1000m = 1 CPU core @@ -559,4 +583,5 @@ OAA_RISKCC_MEMORY=1Gi # Initial Memory allocated to pod. ############################################################################################ # DELETE_SAMPLES=true +WLS_CREATION_TYPE=WDT SAMPLES_REP="https://github.com/oracle/fmw-kubernetes.git" diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/start_here.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/start_here.sh index 77b45757..8f6e6cb7 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/start_here.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/start_here.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example script to populate the responsefile 
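Review bot: `WLS_CREATION_TYPE=WDT` is added to the sample without a comment, yet it selects between two materially different provisioning paths in provision_oam.sh and provision_oig.sh (WDT versus WLST, the only values those scripts compare against). A comment such as `# Domain creation method: WDT or WLST` next to the setting would document the accepted values. start_here.sh in this commit tests the variable but, as far as this diff shows, never prompts for or writes it, so the sample file is currently the only place it is set.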
@@ -385,6 +385,26 @@ else INSTALL_OAA=false fi +echo -n " Do you wish to install/config Oracle Adaptive Risk Management (y/n) : " +read ANS + +if check_yes $ANS +then + INSTALL_RISK=true +else + INSTALL_RISK=false +fi + +echo -n " Do you wish to install/config Oracle Universal Authenticator (y/n) : " +read ANS + +if check_yes $ANS +then + INSTALL_OUA=true +else + INSTALL_OUA=false +fi + replace_value INSTALL_ELK $INSTALL_ELK $RSPFILE replace_value INSTALL_PROM $INSTALL_PROM $RSPFILE replace_value INSTALL_INGRESS $INSTALL_INGRESS $RSPFILE @@ -397,6 +417,8 @@ replace_value INSTALL_OAM $INSTALL_OAM $RSPFILE replace_value INSTALL_OIG $INSTALL_OIG $RSPFILE replace_value INSTALL_OIRI $INSTALL_OIRI $RSPFILE replace_value INSTALL_OAA $INSTALL_OAA $RSPFILE +replace_value INSTALL_RISK $INSTALL_RISK $RSPFILE +replace_value INSTALL_OUA $INSTALL_OUA $RSPFILE replace_value USE_INGRESS $USE_INGRESS $RSPFILE replace_value USE_ELK $USE_ELK $RSPFILE @@ -903,7 +925,7 @@ then fi - echo -n "Enter Number of OUD Replicas required (In addition to Primary) [$OUD_REPLICAS]:" + echo -n "Enter Number of OUD Replicas required [$OUD_REPLICAS]:" read ANS if [ ! "$ANS" = "" ] @@ -1173,6 +1195,35 @@ then fi fi + + echo -n "Do you wish to set the secret for oparator install (y/n) : " + read ANS + if check_yes $ANS + then + OPER_ENABLE_SECRET=true + else + OPER_ENABLE_SECRET=false + fi + replace_value OPER_ENABLE_SECRET $OPER_ENABLE_SECRET $RSPFILE + + if [ "$WLS_CREATION_TYPE" = "WDT" ] + then + echo -n "Enter the WDT image registry [$WDT_IMAGE_REGISTRY]:" + read ANS + + if [ ! "$ANS" = "" ] + then + replace_value WDT_IMAGE_REGISTRY $ANS $$RSPFILE + fi + + echo -n "Enter the WDT image registry user [$WDT_IMAGE_REG_USER]:" + read ANS + + if [ ! "$ANS" = "" ] + then + replace_value WDT_IMAGE_REG_USER $ANS $$RSPFILE + fi + fi fi if [ "$INSTALL_OAM" = "true" ] 
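Review bot: The Risk Management and Universal Authenticator prompts are asked unconditionally, right after `INSTALL_OAA` is decided; the README in this diff describes both as parts of the OAA deployment, so if they cannot be installed without OAA the prompts should be skipped (and the values forced to false) when `INSTALL_OAA` is false, e.g. `if [ "$INSTALL_OAA" = "true" ]` around both blocks. If they really are independent, a one-line comment saying so would stop the next reader from asking the same question. `read ANS` without `-r` matches the surrounding code, so no change proposed there.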
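Review bot: `replace_value WDT_IMAGE_REGISTRY $ANS $$RSPFILE` and the WDT_IMAGE_REG_USER line below it pass `$$RSPFILE`, which expands to the shell's PID followed by the literal text RSPFILE rather than the response file, so neither WDT value is ever written. Change both to `replace_value WDT_IMAGE_REGISTRY $ANS $RSPFILE` and `replace_value WDT_IMAGE_REG_USER $ANS $RSPFILE`. The first added prompt should read `operator` rather than `oparator`. The enclosing if block starts outside the hunk.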
@@ -1452,6 +1503,13 @@ then fi fi + echo -n "Enter OAM Admin Loadbalancer Protocol [$OAM_ADMIN_LBR_PROTOCOL]:" + read ANS + if [ ! "$ANS" = "" ] + then + replace_value OAM_ADMIN_LBR_PROTOCOL $ANS $RSPFILE + fi + if [ "$GET_USER" = "true" ] then @@ -1717,6 +1775,13 @@ then fi fi + echo -n "Enter OIG Admin Loadbalancer Protocol [$OIG_ADMIN_LBR_PROTOCOL]:" + read ANS + if [ ! "$ANS" = "" ] + then + replace_value OIG_ADMIN_LBR_PROTOCOL $ANS $RSPFILE + fi + if [ "$GET_PORT" = "true" ] then echo -n "Enter Admin Server Port for OIG [$OIG_ADMIN_PORT]:" @@ -2168,6 +2233,34 @@ then echo "Leaving value as previously defined" fi + echo -n "Enter OIG Database Scan Address (Use Hostname for non-RAC) [$OIRI_OIG_DB_SCAN]:" + read ANS + + if [ ! "$ANS" = "" ] + then + replace_value OIRI_OIG_DB_SCAN $ANS $RSPFILE + fi + + echo -n "Enter OIG Database Listener Port [$OIRI_OIG_DB_LISTENER]:" + read ANS + + if [ ! "$ANS" = "" ] + then + if check_number $ANS + then + replace_value OIRI_OIG_DB_LISTENER $ANS $RSPFILE + else + echo "Port must be numeric - leaving value unchanged." + fi + fi + + echo -n "Enter OIG Database Service Name [$OIRI_OIG_DB_SERVICE]:" + read ANS + + if [ ! "$ANS" = "" ] + then + replace_value OIRI_DB_SERVICE $ANS $RSPFILE + fi echo -n "Enter Password for OIRI Keystore: " read -s ANS 
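Review bot: The new OAM_ADMIN_LBR_PROTOCOL prompt (and the OIG_ADMIN_LBR_PROTOCOL one in the hunk at -1717) writes whatever is typed into the response file; the value presumably lands in the new `ServerName ://:` line of the iadadmin_vh.conf / igdadmin_vh.conf templates, so a typo such as `htpps` produces a broken virtual host rather than an immediate error. A guard like `if [ "$ANS" = "http" ] || [ "$ANS" = "https" ]; then replace_value OAM_ADMIN_LBR_PROTOCOL $ANS $RSPFILE; else echo "Protocol must be http or https - leaving value unchanged."; fi` would keep it consistent with the check_number handling used for the port prompts. The enclosing block starts outside the hunk.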
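Review bot: The last prompt asks for `OIRI_OIG_DB_SERVICE` but the write is `replace_value OIRI_DB_SERVICE $ANS $RSPFILE`, so an answer overwrites OIRI's own database service instead of the OIG one that the responsefile now defines as `OIRI_OIG_DB_SERVICE=$OIG_DB_SERVICE`. Change it to `replace_value OIRI_OIG_DB_SERVICE $ANS $RSPFILE`. The hunk also ends with no blank line before `echo -n "Enter Password for OIRI Keystore: "`, unlike the other prompts; the enclosing block starts outside the hunk.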
@@ -2258,6 +2351,68 @@ then replace_value OIRI_OIG_URL $ANS $RSPFILE fi + echo -n "Create Users in OIG :" + read ANS + + if [ "$ANS" = "y" ] + then + + replace_value OIRI_CREATE_OIG_USER true $RSPFILE + + echo -n "Enter T3 URL for oim-server1 [$OIRI_OIG_SERVER]:" + read ANS + + if [ ! "$ANS" = "" ] + then + replace_value OIRI_OIG_SERVER $ANS $RSPFILE + fi + + echo -n "Enter OIG Administration User [$OIRI_OIG_XELSYSADM_USER]:" + read ANS + + if [ ! "$ANS" = "" ] + then + replace_value OIRI_OIG_XELSYSADM_USER $ANS $RSPFILE + fi + + echo -n "Enter Password for $OIRI_OIG_XELSYSADM_USER: " + read -s ANS + + if [ ! "$ANS" = "" ] + then + echo + echo -n "Confirm Password :" + read -s ACHECK + if [ ! "$ANS" = "$ACHECK" ] + then + echo "Passwords do not match!" + exit + else + echo + replace_password OIRI_OIG_USER_PWD $ANS $PWDFILE + fi + else + echo "Leaving value as previously defined" + fi + + fi + + echo -n "Place OIG into Compliance Mode :" + read ANS + + if [ "$ANS" = "y" ] + then + replace_value OIRI_SET_OIG_COMPLIANCE true $RSPFILE + fi + + echo -n "Enter Location of xell.pem file (leave blank if OIG is inside Kubernetes) [$OIRI_OIG_XELL_FILE]:" + read ANS + + if [ ! "$ANS" = "" ] + then + replace_value OIRI_OIG_XELL_FILE $ANS $RSPFILE + fi + echo -n "Perform Initial OIG Data Load [$OIRI_LOAD_DATA]:" read ANS @@ -2492,6 +2647,7 @@ then replace_value OAA_EMAIL_REPLICAS $ANS $RSPFILE replace_value OAA_SMS_REPLICAS $ANS $RSPFILE replace_value OAA_PUSH_REPLICAS $ANS $RSPFILE + replace_value OAA_KBA_REPLICAS $ANS $RSPFILE else echo "Port must be numeric - leaving value unchanged." fi 
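Review bot: `if [ "$ANS" = "y" ]` for the Create Users and Compliance Mode prompts accepts only a lowercase y, unlike the `check_yes $ANS` used by the other yes/no prompts in this file, and neither branch ever writes `false`: an answer of n leaves the responsefile's shipped defaults `OIRI_CREATE_OIG_USER=true` and `OIRI_SET_OIG_COMPLIANCE=true` untouched, so the user is created and compliance mode is set anyway. The rewrite below uses check_yes and records the answer in both cases. The password-mismatch path ends with a bare `exit`, which returns the status of the preceding echo (0); `exit 1` would let a wrapper detect the abort. The enclosing block starts and ends outside the hunk.
```shell
  echo -n "Create Users in OIG (y/n) :"
  read ANS

  if check_yes $ANS
  then
    OIRI_CREATE_OIG_USER=true
  else
    OIRI_CREATE_OIG_USER=false
  fi
  replace_value OIRI_CREATE_OIG_USER $OIRI_CREATE_OIG_USER $RSPFILE

  if [ "$OIRI_CREATE_OIG_USER" = "true" ]
  then
    # … unchanged: T3 URL, admin user and password prompts (use exit 1 on mismatch) …
  fi

  echo -n "Place OIG into Compliance Mode (y/n) :"
  read ANS

  if check_yes $ANS
  then
    OIRI_SET_OIG_COMPLIANCE=true
  else
    OIRI_SET_OIG_COMPLIANCE=false
  fi
  replace_value OIRI_SET_OIG_COMPLIANCE $OIRI_SET_OIG_COMPLIANCE $RSPFILE
  # … unchanged: xell.pem prompt …
```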
@@ -2818,7 +2974,50 @@ then echo "Leaving value as previously defined" fi + if [ ! "$ANS" = "" ] + then + replace_value OAA_EMAIL_USER $ANS $RSPFILE + replace_value OAA_SMS_USER $ANS $RSPFILE + fi + + echo -n "Do you wish to add existing users in LDAP in User Search base to OAA_USER_GROUP (y/n) : " + read ANS + if check_yes $ANS + then + OAA_ADD_USERS_LDAP=true + else + OAA_ADD_USERS_LDAP=false + fi + replace_value OAA_ADD_USERS_LDAP $OAA_ADD_USERS_LDAP $RSPFILE + fi + +if [ "$INSTALL_OUA" = "true" ] +then + echo -n "Do you wish set ldap param obpsftid to all existing users in OAA_USER_GROUP (y/n) : " + read ANS + if check_yes $ANS + then + OAA_ADD_USERS_OUA_OBJ=true + else + OAA_ADD_USERS_OUA_OBJ=false + fi + replace_value OAA_ADD_USERS_OUA_OBJ $OAA_ADD_USERS_OUA_OBJ $RSPFILE + + echo -n "Enter Number of OUA DRSS Servers to start [$OAA_DRSS_REPLICAS]:" + read ANS + + if [ ! "$ANS" = "" ] + then + if check_number $ANS + then + replace_value OAA_DRSS_REPLICAS $ANS $RSPFILE + else + echo "Replica must be numeric - leaving value unchanged." + fi + fi +fi + echo echo "Oracle HTTP Server Parameters" echo "-----------------------------" diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/configure_oam_oua.py b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/configure_oam_oua.py new file mode 100644 index 00000000..416a9b13 --- /dev/null +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/configure_oam_oua.py 
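Review bot: The first added lines write `$ANS` to OAA_EMAIL_USER and OAA_SMS_USER immediately after an `echo "Leaving value as previously defined"` / `fi` whose prompt is outside the hunk; elsewhere in this file that message closes a `read -s` password prompt (see the OIRI admin password block at -2258), so if that is the case here the secret just typed would be written in clear to $RSPFILE under two user-name keys. Worth confirming which prompt fills $ANS at this point and, if it is the user-name prompt, moving these lines next to it so the dependency is visible. The new `if [ "$INSTALL_OUA" = "true" ]` block sits at column 0 after the closing `fi`, so it runs whether or not the OAA section was entered; intentional or not, a comment saying so would help. The prompt text `Do you wish set ldap param obpsftid` is missing `to`.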
@@ -0,0 +1,9 @@ +# Copyright (c) 2024, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +# +# This is an example WLST script to Register OAA as a TAP Partner of OAM +# +connect('','','t3://-adminserver..svc.cluster.local:') +editUserIdentityStore(name='OAMIDSTORE',enablePasswordPolicy='true',idStorePwdSchema='Oblix',idStoreGlobalUserId='uid',idStoreChallengeQuestions='mail',idStoreChallengeAnswers='pager',isNative='true') +configurePersistentLogin(enable="true",validityInDays="30", maxAuthnLevel="2", userAttribute="obPSFTID") +exit() diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/create_auth_module.xml b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/create_auth_module.xml index 2c0a1a65..ca22e096 100644 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/create_auth_module.xml +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/create_auth_module.xml @@ -1,5 +1,5 @@ + + true + \ No newline at end of file diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/session.xml b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/session.xml new file mode 100644 index 00000000..57f990b8 --- /dev/null +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/session.xml @@ -0,0 +1,10 @@ + + + true + \ No newline at end of file diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/test_user.ldif b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/test_user.ldif index c0480b03..6f2acb61 100644 
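Review bot: The header says the script registers OAA as a TAP partner of OAM, but the body only calls `editUserIdentityStore` and `configurePersistentLogin`; the comment should describe what the file does, e.g. `# This is an example WLST script to set the OAMIDSTORE password-policy attributes and enable OAM persistent login on the obPSFTID attribute (presumably for OUA)`. `configurePersistentLogin(enable="true", validityInDays="30", maxAuthnLevel="2", userAttribute="obPSFTID")` hard-codes a 30-day remembered session with no corresponding responsefile parameter in this diff; a comment stating whether the value is a deliberate choice or a placeholder the deploy scripts substitute would help whoever reviews the session-lifetime policy. The `connect('','','t3://…')` line relies on the same substitution and could carry `# credentials and URL are filled in by the deployment scripts`.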
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/test_user.ldif +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/test_user.ldif @@ -1,3 +1,9 @@ +#!/bin/bash +# Copyright (c) 2024, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +# +# This is an example of Creating an OAA Schemas +# dn: cn=, changetype: add objectClass: orclUserV2 @@ -21,6 +27,7 @@ orclSAMAccountName: cn: postalCode: obpasswordchangeflag: false +obpsftid: true ds-pwp-password-policy-dn: cn=FAPolicy,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleContext, dn:cn=, diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/users.ldif b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/users.ldif index ae7e8b88..dcb4f0ce 100644 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/users.ldif +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oaa/users.ldif @@ -1,3 +1,9 @@ +#!/bin/bash +# Copyright (c) 2024, Oracle and/or its affiliates. +# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. +# +# This is an example of Creating an OAA Schemas +# dn: cn=, changetype: add objectClass: orclUserV2 diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/iadadmin_vh.conf b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/iadadmin_vh.conf index 3d53fd1e..e7c29f57 100644 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/iadadmin_vh.conf +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/iadadmin_vh.conf 
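Review bot: `#!/bin/bash` is added as the first line of test_user.ldif (and of users.ldif in the next hunk); LDIF treats `#` lines as comments, so ldapadd will ignore it, but a shell shebang in an LDIF file is misleading and the description `This is an example of Creating an OAA Schemas` does not match the content, which adds user entries. Drop the shebang and say `# This is an example LDIF to create the OAA test user` here and `# This is an example LDIF to create the OAA users and groups` in users.ldif. The new `obpsftid: true` attribute would also benefit from a comment naming what reads it, e.g. `# obpsftid is the OAM persistent-login attribute used by configure_oam_oua.py`.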
@@ -4,90 +4,12 @@ # This is an example of an OHS virtual host conf file for iadadmin_vh.conf # :> - ServerName http://: + ServerName ://: ServerAdmin you@your.address RewriteEngine On RewriteOptions inherit UseCanonicalName On RequestHeader set "X-Forwarded-Host" "" - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/locations.txt b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/locations.txt new file mode 100644 index 00000000..aef54292 --- /dev/null +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/locations.txt 
@@ -0,0 +1,24 @@
+login:/oam:OAM_OAM_K8
+login:/oamservices/rest/auth:OAM_OAM_K8
+login:/oamservices/rest/access:OAM_OAM_K8
+login:/iam/access:OAM_OAM_K8
+login:/oamfed:OAM_OAM_K8
+login:/otpfp:OAM_OAM_K8
+login:/ms_oauth:OAM_OAM_K8
+login:/oauth2:OAM_OAM_K8
+login: /.well-known/openid-configuration:OAM_OAM_K8
+login: /.well-known/oidc-configuration:OAM_OAM_K8
+login: /CustomConsent:OAM_OAM_K8
+iadadmin:/console:OAM_ADMIN_K8
+iadadmin:/management:OAM_ADMIN_K8
+iadadmin:/consolehelp:OAM_ADMIN_K8
+iadadmin:/em:OAM_ADMIN_K8
+iadadmin:/oamconsole:OAM_ADMIN_K8
+iadadmin:/oam/admin/api:OAM_ADMIN_K8
+iadadmin:/oam/services/rest:OAM_ADMIN_K8
+iadadmin:/iam/admin:OAM_ADMIN_K8
+iadadmin:/oam/services/rest/11.1.2.0.0:OAM_ADMIN_K8
+iadadmin:/oam/services/rest/ssa:OAM_ADMIN_K8
+iadadmin:/dms:OAM_ADMIN_K8
+iadadmin:/oam:OAM_OAM_K8
+iadadmin:/access:OAM_POLICY_K8
diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/login_vh.conf b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/login_vh.conf
index ac875df7..0d43ec19 100644
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/login_vh.conf
+++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/login_vh.conf
@@ -1,4 +1,4 @@
-# Copyright (c) 2021, 2023, Oracle and/or its affiliates.
+# Copyright (c) 2021, 2024, Oracle and/or its affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 #
 # This is an example of an OHS virtual host conf file for login_vh.conf
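Review bot: Three entries (`login: /.well-known/openid-configuration`, `login: /.well-known/oidc-configuration`, `login: /CustomConsent`) carry a space after the first colon while the other 21 do not; if the consumer splits on `:` the path field of those three begins with a space, so they should be written `login:/.well-known/openid-configuration:OAM_OAM_K8` and so on. The `<Location>` blocks removed from login_vh.conf (its -11,107 hunk) carried `PathTrim /.well-known` / `PathPrepend /oauth2/rest` for the well-known entries and `WLCookieName OAMJSESSIONID` on most, which this three-field format has no column for; worth confirming the generator that reads this file re-adds them, since dropping the PathPrepend would send the OIDC discovery URLs to the wrong backend path. A header comment such as `# virtual_host:location:port_variable, consumed by the OHS config generator` would explain the columns.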
@@ -11,107 +11,4 @@ UseCanonicalName On RequestHeader set "X-Forwarded-Host" "" - #OAM Entries - - WLSRequest ON - WLProxySSL ON - WLProxySSLPassThrough ON - WLCookieName OAMJSESSIONID - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - WLProxySSL ON - WLProxySSLPassThrough ON - WLCookieName OAMJSESSIONID - WebLogicCluster :,: - - - - WLSRequest ON - WLProxySSL ON - WLProxySSLPassThrough ON - WLCookieName OAMJSESSIONID - WebLogicCluster :,: - - - - WLSRequest ON - WLProxySSL ON - WLProxySSLPassThrough ON - WLCookieName OAMJSESSIONID - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName OAMJSESSIONID - WLProxySSL ON - WLProxySSLPassThrough ON - - - # OAM Forgotten Password Page - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName OAMJSESSIONID - WLProxySSL ON - WLProxySSLPassThrough ON - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName OAMJSESSIONID - WLProxySSL ON - WLProxySSLPassThrough ON - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName OAMJSESSIONID - WLProxySSL ON - WLProxySSLPassThrough ON - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName OAMJSESSIONID - PathTrim /.well-known - PathPrepend /oauth2/rest - WLProxySSL ON - WLProxySSLPassThrough ON - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName OAMJSESSIONID - PathTrim /.well-known - PathPrepend /oauth2/rest - WLProxySSL ON - WLProxySSLPassThrough ON - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName OAMJSESSIONID - WLProxySSL ON - WLProxySSLPassThrough ON - - diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/resource_list.txt b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/resource_list.txt index 8400b41c..6924d32f 100644 
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/resource_list.txt
+++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oam/resource_list.txt
@@ -30,4 +30,5 @@
 /risk-cc/**:EXCLUDED::
 /oua/**:EXCLUDED::
 /oua-admin-ui/**:EXCLUDED::
+/oaa-drss/**:EXCLUDED::
 /dms/**:EXCLUDED::
diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdadmin_vh.conf b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdadmin_vh.conf
index c0df2d7e..77cbf75f 100644
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdadmin_vh.conf
+++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdadmin_vh.conf
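Review bot: `/oaa-drss/**:EXCLUDED::` places the new DRSS path outside OAM protection, like its neighbours, with no explanation. Excluded resources are not challenged by OAM at all, so a comment above the OAA entries stating why these services must be reachable unauthenticated (they carry their own authentication, presumably) would let a policy reviewer tell an intended exclusion from an accidental one.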
@@ -4,99 +4,12 @@ # This is an example of an OHS conf file for igdadmin_vh.conf # :> - ServerName : + ServerName ://: ServerAdmin you@your.address RewriteEngine On RewriteOptions inherit UseCanonicalName On RequestHeader set "X-Forwarded-Host" "" - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - -# OIM self service console - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - -# Scheduler webservice URL - - WLCookieName oimjsessionid - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdinternal_vh.conf b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdinternal_vh.conf index 6fbef584..086a611a 100644 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdinternal_vh.conf +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/igdinternal_vh.conf 
@@ -1,150 +1,13 @@ -# Copyright (c) 2021, 2022, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of an OHS conf file for igdinternal.conf # :> - ServerName http://: + ServerName ://: ServerAdmin you@your.address RewriteEngine On RewriteOptions inherit RequestHeader set "X-Forwarded-Host" "" - - WLSRequest ON - DynamicServerList OFF - WebLogicCluster :,: - WLProxySSL OFF - WLProxySSLPassThrough OFF - - - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - # OIM, role-sod profile - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - # Callback webservice for SOA. SOA calls this when a request is approved/rejected - # Provide the SOA Managed Server Port - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - # used for FA Callback service. 
- - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - # spml xsd profile - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - # OIM, spml dsml profile - - WLSRequest ON - PathTrim /weblogic - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - -# SOA Infra - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - # UMS Email Support - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - # SOA Callback webservice for SOD - Provide the SOA Managed Server Ports - - SetHandler weblogic-handler - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - - SetHandler weblogic-handler - DynamicServerList OFF - WebLogicCluster :,: - WLCookieName oimjsessionid - - - - SetHandler weblogic-handler - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - - - SetHandler weblogic-handler - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - - diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/locations.txt b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/locations.txt new file mode 100644 index 00000000..9a2c9d79 --- /dev/null +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/locations.txt 
@@ -0,0 +1,37 @@
+prov:/identity:OIG_OIM_PORT_K8
+prov:/HTTPClnt:OIG_OIM_PORT_K8
+prov:/reqsvc:OIG_OIM_PORT_K8
+prov:/FacadeWebApp:OIG_OIM_PORT_K8
+prov:/iam:OIG_OIM_PORT_K8
+prov:/OIGUI:OIG_OIM_PORT_K8
+igdadmin:/console:OIG_ADMIN_K8
+igdadmin:/management:OIG_ADMIN_K8
+igdadmin:/consolehelp:OIG_ADMIN_K8
+igdadmin:/em:OIG_ADMIN_K8
+igdadmin:/oim:OIG_OIM_PORT_K8
+igdadmin:/iam:OIG_OIM_PORT_K8
+igdadmin:/sysadmin:OIG_OIM_PORT_K8
+igdadmin:/admin:OIG_OIM_PORT_K8
+igdadmin:/identity:OIG_OIM_PORT_K8
+igdadmin:/OIGUI:OIG_OIM_PORT_K8
+igdadmin:/FacadeWebApp:OIG_OIM_PORT_K8
+igdadmin:/SchedulerService-web:OIG_OIM_PORT_K8
+igdadmin:/dms:OIG_ADMIN_K8
+igdinternal:/wsm-pm:OIG_OIM_PORT_K8
+igdinternal:/sodcheck:OIG_SOA_PORT_K8
+igdinternal:/soa-infra:OIG_SOA_PORT_K8
+igdinternal:/ws_utc:OIG_SOA_PORT_K8
+igdinternal:/ucs:OIG_SOA_PORT_K8
+igdinternal:/soa/composer:OIG_SOA_PORT_K8
+igdinternal:/integration:OIG_SOA_PORT_K8
+igdinternal:/sdpmessaging/userprefs-ui:OIG_SOA_PORT_K8
+igdinternal:/role-sod:OIG_OIM_PORT_K8
+igdinternal:/workflowservice:OIG_OIM_PORT_K8
+igdinternal:/callbackResponseService:OIG_OIM_PORT_K8
+igdinternal:/provisioning-callback:OIG_OIM_PORT_K8
+igdinternal:/CertificationCallbackService:OIG_OIM_PORT_K8
+igdinternal:/IdentityAuditCallbackService:OIG_OIM_PORT_K8
+igdinternal:/spml-xsd:OIG_OIM_PORT_K8
+igdinternal:/spmlws:OIG_OIM_PORT_K8
+igdinternal:/reqsvc:OIG_OIM_PORT_K8
+igdinternal:/iam:OIG_OIM_PORT_K8
diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/prov_vh.conf b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/prov_vh.conf
index 3c73e3af..2e0932d1 100644
--- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/prov_vh.conf
+++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/prov_vh.conf
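Review bot: The igdinternal_vh.conf blocks removed in this commit (its -1,150 hunk) carried per-location directives that this three-field format has no column for: `PathTrim /weblogic` on the location under the `# OIM, spml dsml profile` comment, `WLCookieName oimjsessionid` on most, and `WLProxySSL OFF` on the first. If that trimmed location is the `igdinternal:/spmlws:OIG_OIM_PORT_K8` entry here, the generator must re-add the trim or SPML-DSML requests reach OIM with the prefix intact; worth confirming against whatever consumes this file, which is not in the diff. A header comment such as `# virtual_host:location:port_variable, consumed by the OHS config generator` would explain the columns, as would a note that `prov:/reqsvc` and `igdinternal:/reqsvc` (and the three `/iam` entries) are deliberately exposed on more than one virtual host.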
@@ -1,4 +1,4 @@ -# Copyright (c) 2021, 2022, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of an OHS conf file for prov_vh.conf @@ -12,58 +12,4 @@ UseCanonicalName On RequestHeader set "X-Forwarded-Host" " - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - WLProxySSL ON - WLProxySSLPassThrough ON - - - - WLSRequest ON - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - WLProxySSL ON - WLProxySSLPassThrough ON - - -# Requests webservice URL - - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - WLProxySSL ON - WLProxySSLPassThrough ON - - - - SetHandler weblogic-handler - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - WLProxySSL ON - WLProxySSLPassThrough ON - - - - SetHandler weblogic-handler - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - WLProxySSL ON - WLProxySSLPassThrough ON - - - - SetHandler weblogic-handler - WLCookieName oimjsessionid - DynamicServerList OFF - WebLogicCluster :,: - WLProxySSL ON - WLProxySSLPassThrough ON - - diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/runJob.java b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/runJob.java index cf9e4c2f..0b46baab 100644 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/runJob.java +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oig/runJob.java 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 2021, Oracle and/or its affiliates. + * Copyright (c) 2021, 2024 Oracle and/or its affiliates. * Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. * * This is an example of a Java script to run an OIG Job Now @@ -50,7 +50,7 @@ static public void main(String[] args) { schedulerService = (SchedulerService) oimClient.getService(SchedulerService.class); - //System.out.println("Scheuler Service : " + schedulerService); + //System.out.println("Scheduler Service : " + schedulerService); JobDetails[] user_operations_jobs; ScheduledTask user_operations_task; diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oiri/createAdminUser.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oiri/createAdminUser.sh index 397af961..ca0aedfc 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oiri/createAdminUser.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oiri/createAdminUser.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2022, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example file to compile java program and Run Recon Jobs 
@@ -10,6 +10,6 @@ echo "Compiling Java Code:" javac /u01/oracle/user_projects/workdir/createAdminUser.java -Xlint:deprecation -Xlint:unchecked > createAdminUser_compile.log 2> createAdminUser_compile_err.log -java -Djava.security.policy=/u01/oracle/user_projects/workdir/lib/xl.policy -Djava.security.auth.login.config=/u01/oracle/user_projects/workdir/lib/authwl.conf -DAPPSERVER_TYPE=wls -Dweblogic.Name=oim_server1 createAdminUser t3://-oim-server1.oigns.svc.cluster.local:14000/ +java -Djava.security.policy=/u01/oracle/user_projects/workdir/lib/xl.policy -Djava.security.auth.login.config=/u01/oracle/user_projects/workdir/lib/authwl.conf -DAPPSERVER_TYPE=wls -Dweblogic.Name=oim_server1 createAdminUser diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oiri/locations.txt b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oiri/locations.txt new file mode 100644 index 00000000..578cefe9 --- /dev/null +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/templates/oiri/locations.txt @@ -0,0 +1,3 @@ +igdadmin:/oiri/api:OIRI_K8 +igdadmin:/oiri/ui:OIRI_UI_K8 +igdinternal:/oiri/api:OIRI_K8 diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oaa.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oaa.sh index 3f866834..2a3af208 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oaa.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oaa.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2022, 2023, Oracle and/or its affiliates. +# Copyright (c) 2022, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a script which will delete an OAA deployment 
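Review bot: The java invocation drops the trailing `t3://-oim-server1.oigns.svc.cluster.local:14000/` argument, so `createAdminUser` now runs with no arguments; unless createAdminUser.java was changed in the same commit to obtain the server URL another way (it is not in this diff), it will fail on `args[0]`. The responsefile in this diff now defines `OIRI_OIG_SERVER` for exactly this URL, so if the intent is to stop hard-coding the `oigns` namespace the new line should still pass the substituted value rather than nothing. A comment above the command stating where the connection URL and credentials come from would make the template self-explanatory.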
@@ -117,6 +117,7 @@ echo "Deleting Authentication Scheme" printf "\nDeleting Authentication Scheme" >> $LOG delete_auth_scheme $LOG + if [ $PROGRESS -gt 14 ] then echo "Deleting Schemas" diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oam.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oam.sh index 5c72c02f..fa79a6b4 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oam.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oam.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a script which will delete an OAM deployment @@ -107,14 +107,12 @@ check_stopped $OAMNS adminserver # Drop OAM Schemas # ST=`date +%s` -printf "Dropping Schemas - " -kubectl get pod -n $OAMNS helper > /dev/null 2>&1 -if [ $? -gt 0 ] -then - create_helper_pod $OAMNS $OAM_IMAGE:$OAM_VER -fi +echo "Recreating Helper Pod." +remove_helper_pod $OAMNS +create_helper_pod $OAMNS $OAM_IMAGE:$OAM_VER +printf "Dropping Schemas - " drop_schemas $OAMNS $OAM_DB_SCAN $OAM_DB_LISTENER $OAM_DB_SERVICE $OAM_RCU_PREFIX OAM $OAM_DB_SYS_PWD $OAM_SCHEMA_PWD >> $LOG 2>&1 ET=`date +%s` diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oig.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oig.sh index 644c4636..de96ff1b 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oig.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oig.sh 
@@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a script which will delete an OIG deployment @@ -119,6 +119,13 @@ check_stopped $OIGNS adminserver # Drop the OIG schemas # +echo "Recreating helper pod." + +kubectl delete pod -n $OIGNS helper > /dev/null 2>&1 + +create_helper_pod $OIGNS $OIG_IMAGE:$OIG_VER + + ST=`date +%s` kubectl get pod -n $OIGNS helper > /dev/null 2>&1 diff --git a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oud.sh b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oud.sh index f2222543..3b7d5637 100755 --- a/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oud.sh +++ b/FMWKubernetesMAA/OracleEnterpriseDeploymentAutomation/OracleIdentityManagement/utils/delete_oud.sh @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright (c) 2021, 2023, Oracle and/or its affiliates. +# Copyright (c) 2021, 2024, Oracle and/or its affiliates. # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl. # # This is an example of a script which will delete an OUD deployment @@ -64,14 +64,17 @@ echo echo Log of Delete Session can be found at: $LOG echo -echo "Check OUDSM is not installed" -kubectl get svc -n $OUDNS | grep oudsm -if [ $? = 0 ] +if [ "$OUDNS" = "$OUDSMNS" ] then - echo "Need to delete OUDSM first." - exit 1 + echo "Check OUDSM is not installed" + kubectl get svc -n $OUDSMNS | grep oudsm + + if [ $? = 0 ] + then + echo "Need to delete OUDSM first." + exit 1 + fi fi - if [ "$USE_INGRESS" = "true" ] then echo "Delete Ingress"
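Review bot: `kubectl delete pod -n $OIGNS helper > /dev/null 2>&1` followed by `create_helper_pod` does by hand what delete_oam.sh in this same commit does with `remove_helper_pod $OAMNS` (its -107 hunk), so the two scripts now diverge on the same step; use `remove_helper_pod $OIGNS` here too, assuming it is the shared helper (its definition is not in the diff). The `kubectl get pod -n $OIGNS helper` check that follows in the unchanged context is presumably always true after the unconditional recreate, so the branch it guards could be simplified; that code lies outside the hunk. The message `Recreating helper pod.` should also match the `Recreating Helper Pod.` wording used in delete_oam.sh.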
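Review bot: The OUDSM pre-check now runs only when `"$OUDNS" = "$OUDSMNS"`; if OUDSMNS is unset in the responsefile the comparison is false and the check is silently skipped, so either `: "${OUDSMNS:?OUDSMNS must be set}"` before it or a comment explaining the separate-namespace case would make the intent clear. The `kubectl get svc -n $OUDSMNS | grep oudsm` then `if [ $? = 0 ]` pattern kept from the old code tests grep's status and prints the service list to the terminal; `if kubectl get svc -n $OUDSMNS | grep -q oudsm; then` is the tidier form. The hunk closes at `echo "Delete Ingress"`, with the rest of the ingress block outside.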