How RPO Works

The Refresh Passwords Offline (RPO) workflow on FA VMs involves synchronizing pod state, updating the OPSS wallet and keystore, and refreshing datasource credentials. Key steps include backing up and updating security credentials, syncing keystores with the database, and updating WLS dataSource and OID authenticator credentials. Parts of the process run only during PREDOWNTIME; together the steps ensure that all security configurations are current and consistent across domains.

Uploaded by Mansur Khan

How Refresh Passwords Offline Works

At a high level, the Refresh Passwords Offline workflow does the following on the FA VMs (IDM VM details are omitted as out of scope):

Steps, in their current order, on the FA, FA-HAOPT and AUXVM VMs:


1. Synchronize pod state from database to filesystem (PREDOWNTIME only)
   Runs only during PREDOWNTIME. Looks up the SYS secret in the vault and passes it to the podstatesync script.

2. Rewire OPSS wallet and bootstrap principal keys and credentials

   a. Create a pre-backup of the bootstrap wallet (_pre_cwallet.sso).
   b. Load the opss secret from the file that cloud-init downloaded from OCI Vault.
   c. Import the opss encryption key (also downloaded from OCI Vault by cloud-init) into the bootstrap wallet.
      The opss encryption key is protected by a password. Historically this password was called the opssSecret, but it is a separate secret from the one used in step d.
   d. Update the bootstrap wallet with the opss secret downloaded from OCI Vault. This is the actual FUSION_OPSS schema password, i.e. the value that gets rotated.

      Log lines:
      "Updated opss wallet with current bootstrap security principal and current password"
      "Current and prior bootstrap security principal key names are the same"

      The prior bootstrap security principal key name is read from the jps-config-jse.xml file; the current one comes from the vault (3rd line). If the two names are the same, nothing is added to the bootstrap wallet; if they differ, the bootstrap wallet is updated with the current key.

   e. updateJPSConfigInAllDomains (config/fmwconfig/jps-config-jse.xml, config/fmwconfig/jps-config.xml)

   f. Create a post-backup of the bootstrap wallet (_post_cwallet.sso).
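The comparison in step 2 and the updateJPSConfigInAllDomains sweep, written out as an added example (this is illustrative code, not the workflow's own implementation). It assumes, as labelled in the code, that the key name is stored in the OPSS property bootstrap.security.principal.key on the bootstrap.credstore service instance, that the vault's current key name is handed in as a plain string, and that domains live under <host>/<Domain>/config/fmwconfig/; the jps-config fragment it writes is constructed for the demo.

```python
"""Added example, not code from the Refresh Passwords Offline workflow itself.

Shows the step 2 decision ("current and prior bootstrap security principal
key names are the same" -> skip, otherwise rewire) and the
updateJPSConfigInAllDomains sweep over every domain's jps-config-jse.xml and
jps-config.xml.  Assumptions (mine, not from the page): the key name is the
OPSS property bootstrap.security.principal.key on the bootstrap.credstore
service instance, the vault's current key name arrives as a plain string,
and the domain tree is <host>/<Domain>/config/fmwconfig/.
"""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import Path

JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"
ET.register_namespace("", JPS_NS)          # keep the default namespace on write
BOOTSTRAP_KEY_PROP = "bootstrap.security.principal.key"
CONFIG_FILES = ("config/fmwconfig/jps-config-jse.xml", "config/fmwconfig/jps-config.xml")

# Constructed, cut-down jps-config fragment for the demo; a real file is far larger.
SAMPLE_JPS = f"""<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="{JPS_NS}">
  <serviceInstances>
    <serviceInstance name="bootstrap.credstore" provider="credstoressp" location="./bootstrap">
      <property name="bootstrap.security.principal.map" value="BOOTSTRAP_JPS"/>
      <property name="{BOOTSTRAP_KEY_PROP}" value="bootstrap_key_2023"/>
    </serviceInstance>
  </serviceInstances>
</jpsConfig>
"""


def _local(tag):
    """Tag name without its namespace."""
    return tag.rsplit("}", 1)[-1]


def _key_properties(root):
    return [el for el in root.iter()
            if _local(el.tag) == "property" and el.get("name") == BOOTSTRAP_KEY_PROP]


def read_bootstrap_key(jps_config):
    """Prior key name, as recorded in the domain's jps-config file."""
    props = _key_properties(ET.parse(jps_config).getroot())
    if not props:
        raise ValueError(f"{jps_config}: no {BOOTSTRAP_KEY_PROP} property")
    return props[0].get("value")


def needs_rewire(prior_key, current_key):
    """Step 2 rule: leave the bootstrap wallet alone when the names match."""
    return prior_key != current_key


def update_jps_config(jps_config, current_key):
    """Back up the file, then point the bootstrap key property at current_key."""
    jps_config = Path(jps_config)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d_%H%M%S")
    backup = jps_config.with_name(f"{jps_config.name}_refreshPasswordsOffline_{stamp}")
    shutil.copy2(jps_config, backup)
    tree = ET.parse(jps_config)
    props = _key_properties(tree.getroot())
    for el in props:
        el.set("value", current_key)
    tree.write(jps_config, encoding="utf-8", xml_declaration=True)
    return backup, len(props)


def update_jps_config_in_all_domains(domains_root, current_key):
    """Sweep every domain; returns {path: (action, prior_key, properties_changed)}."""
    results = {}
    for rel in CONFIG_FILES:
        for cfg in sorted(Path(domains_root).glob("*/*/" + rel)):
            prior = read_bootstrap_key(cfg)
            if needs_rewire(prior, current_key):
                _, changed = update_jps_config(cfg, current_key)
                results[str(cfg)] = ("updated", prior, changed)
            else:
                results[str(cfg)] = ("unchanged", prior, 0)
    return results


def demo(current_key="bootstrap_key_2024"):
    """Build two constructed hosts with an FADomain each, then run the sweep."""
    root = Path(tempfile.mkdtemp(prefix="rpo_demo_"))
    for host in ("fa.oracleoutsourcing.com", "fa2.oracleoutsourcing.com"):
        for rel in CONFIG_FILES:
            cfg = root / host / "FADomain" / rel
            cfg.parent.mkdir(parents=True, exist_ok=True)
            cfg.write_text(SAMPLE_JPS, encoding="utf-8")
    results = update_jps_config_in_all_domains(root, current_key)
    after = {path: read_bootstrap_key(path) for path in results}
    return results, after, root


if __name__ == "__main__":
    for path, (action, prior, _) in demo()[0].items():
        print(f"{action:9} {prior} -> {path}")
```

Running the sweep a second time with the same key name reports every file as unchanged, which is the behaviour behind the "key names are the same" log line: the rewire is idempotent, so a re-run of the workflow after a partial failure does not keep stacking wallet entries.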

3. Sync the OPSS keystore XML

   a. Run syncKeyStores.sh to sync the keystore from the DB. This is needed to rewire MT with the database, because just burning in the encryption key is not enough: the encryption key and the keystore files must both be in sync. Internally the tool deletes fa.oracleoutsourcing.com's keystores.xml and rebuilds it from the data in the DB. This matters for upgrades, P2Ts, pod restores, etc., where the filesystem does not match the encryption key in the DB.

      Updated file (partial update): config/fmwconfig/keystores.xml

   b. Keep a pre-backup: beforeSyncKeyStores_keystores_999999.xml
   c. Run script: /modules/oracle.jps/common/bin/syncKeyStores.sh
   d. Run migrateSecurityStore.py. This is a more complete and thorough export of the keystores.xml file than executeSyncKeyStores. A prerequisite is that the system stripe in the keystores.xml files matches the DB. The output is the full keystores.xml file, which then needs to be copied to all the logical hostnames (i.e. fa2.oracleoutsourcing.com etc.).

      Run script: /modules/oracle.jps/common/wlstscripts/migrateSecurityStore.py

      Executing script: [/u01/APPLTOP/fmw/oracle_common/common/bin/wlst.sh, /u01/APPLTOP/fmw/oracle_common/modules/oracle.jps/common/wlstscripts/migrateSecurityStore.py, -type, keyStore, -srcConfigFile, /u01/APPLTOP/instance/domains/fa.oracleoutsourcing.com/FADomain/config/fmwconfig/jps-config-jse.xml, -toFileStore, /aplm/scratch/EUTH-OPT2.euth1.mdt01phx01dmo.oraclevcn.com_REFRESH_PASSWORDS_OFFLINE_d2a31553-e6ee-449d-aabb-b2bfce23647c/migrateSecurityStore, -src, default]

   e. updateKeyStoreInAllDomains
      backup_keystore_999999 <-- backup DIRECTORY
      copy {toFileStore}/keystores.xml to config/fmwconfig/keystores.xml alongside {srcConfigFile}

4. Update WLS dataSource and OID authenticator credentials

   a. Read the IDRO user from CS.
   b. Read the APPID (BI datasources) and datasource passwords from CSF.
   c. For each domain, update the datasources (jdbc XMLs) and the OIDAuthenticator (config.xml) if rewireDatasources is true.
      Uses makeGenericScriptTemplateBuilder() with wlstUpdateCredentials.py.
   d. Copy the jdbc XMLs from the fa domain dir onto all other domains after taking a backup, e.g. /u01/APPLTOP/instance/domains/opt3.oracleoutsourcing.com/FADomain/config/1708747270_refresh-passwords-jdbc-backups
      Note that config.xml is not copied: it is not needed, and copying it is probably best avoided (unconfirmed).

5. Update the WLS boot password

   a. Read the FUSION_APPS_PROV_PATCH_APPID credential from CSF.
   b. Back up boot.properties (suffix _refreshPasswordsOffline_yyyyMMdd_HHmmss_Z).
   c. Update the credentials in boot.properties in all the domain dirs.
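Step 5 as a stand-alone script, added here as an example; it is not the workflow's own code. It assumes the standard WebLogic layout <host>/<Domain>/servers/<server>/security/boot.properties, writes the new username and password in clear text (WebLogic re-encrypts boot.properties at the next server start), and uses the backup suffix pattern the page gives. The sample boot.properties content and the new password are constructed for the demo, and the chmod to 0600 is my addition: the file holds a usable credential in clear text until the server restarts.

```python
"""Added example, not the workflow's own code: step 5 as a script.

Backs up each domain's boot.properties with the page's suffix pattern
(_refreshPasswordsOffline_yyyyMMdd_HHmmss_Z) and rewrites username and
password.  Assumptions (mine): the standard WebLogic layout
<host>/<Domain>/servers/<server>/security/boot.properties, and that the new
values are written in clear text for WebLogic to re-encrypt at the next
server start.  Sample files below are constructed for the demo."""
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample: values already encrypted by an earlier WebLogic start.
SAMPLE_BOOT = ("# Generated by Configuration Wizard\n"
               "username={AES}oldUserBlob==\n"
               "password={AES}oldPassBlob==\n")
# Fixed clock for the demo so the backup name is predictable.
DEMO_TIME = datetime(2024, 2, 24, 3, 21, 10, tzinfo=timezone.utc)


def backup_suffix(now=None):
    """Mirror the Java pattern yyyyMMdd_HHmmss_Z used for the backup name."""
    now = now or datetime.now(timezone.utc)
    return "_refreshPasswordsOffline_" + now.strftime("%Y%m%d_%H%M%S_%z")


def read_props(path):
    """Minimal key=value reader for boot.properties (comments and blanks skipped)."""
    props = {}
    for line in Path(path).read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def is_owner_only(path):
    """True when the file mode is exactly 0600."""
    return os.stat(path).st_mode & 0o777 == 0o600


def rewrite_boot_properties(path, username, password):
    """Replace username/password lines in place, keeping any other lines."""
    path = Path(path)
    out, seen = [], set()
    for line in path.read_text(encoding="utf-8").splitlines():
        key = line.split("=", 1)[0].strip()
        if key in ("username", "password"):
            out.append(f"{key}={username if key == 'username' else password}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in (("username", username), ("password", password)):
        if key not in seen:
            out.append(f"{key}={value}")
    path.write_text("\n".join(out) + "\n", encoding="utf-8")
    os.chmod(path, 0o600)  # clear text until WLS re-encrypts it; owner-only


def update_all_boot_properties(domains_root, username, password, now=None):
    """Step 5b + 5c over every server of every domain; returns (file, backup) pairs."""
    suffix = backup_suffix(now)
    touched = []
    for bp in sorted(Path(domains_root).glob("*/*/servers/*/security/boot.properties")):
        backup = bp.with_name(bp.name + suffix)
        shutil.copy2(bp, backup)                           # 5b: keep the pre-change copy
        os.chmod(backup, 0o600)
        rewrite_boot_properties(bp, username, password)   # 5c
        touched.append((str(bp), str(backup)))
    return touched


def demo(password="constructed-new-password"):
    """Two constructed hosts, one FADomain each, AdminServer plus one managed server."""
    root = Path(tempfile.mkdtemp(prefix="rpo_boot_"))
    for host in ("fa.oracleoutsourcing.com", "fa2.oracleoutsourcing.com"):
        for server in ("AdminServer", "CommonServer_1"):
            bp = root / host / "FADomain" / "servers" / server / "security" / "boot.properties"
            bp.parent.mkdir(parents=True)
            bp.write_text(SAMPLE_BOOT, encoding="utf-8")
    return update_all_boot_properties(root, "FUSION_APPS_PROV_PATCH_APPID", password, now=DEMO_TIME)


if __name__ == "__main__":
    for bp, backup in demo():
        print(f"{bp}\n  backup -> {backup}")
```

The backup copies carry the previous (still encrypted) identity, so a rollback is a rename; the backups are also set to 0600, since a readable copy of a boot identity next to the live file is the same exposure as the live file.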

6. Update CSF entries from the vault

   a. Get the SYS secret from the vault.
   b. Update the CSF FUSION_APPS_DBA-key password with it.

7. For MSI, sync BI datasources in MSI mode (PREDOWNTIME only, msi-startup-enabled flag)
   a. Use bi-pwd-reset.sh to sync the BI datasources in MSI mode (/fmw/otbi/facade/pwdreset/bi-pwd-reset.sh).
