Migration of Oracle EPM Cloud Instances to OCI – Be Ready!
Oracle is migrating all EPM Cloud instances from Classic environments (using Identity Cloud) to Oracle Cloud Infrastructure (OCI) environments. If no action is taken, there is a risk of the service account lock, causing your Cloud instance to be unusable until corrective action is completed. Below is a summary of what some customers have experienced and the steps to avoid this situation.
Important Changes to Identity Administration
In Oracle’s initial email to your organization, a table of URLs is provided, showing which of your environments will be migrated to OCI, along with the Data Center where they will be housed. The table also shows the one and only one user who will be made a member of the new Administrators group in OCI (highlighted with red arrows) – this group replaces your current Identity Domain Administrators group. This named person is often a corporate or other executive who signed the contract with Oracle, not a person who is one of the existing Identity Domain Administrators. Also, this person is the only person to whom Oracle sent instructions on accessing the new environment.
Oracle’s email provides configuration instructions for the new OCI environment. The task requires the named person to log in after the migration and perform a few tasks to make your system ready. The problem some customers are experiencing is they have not performed this crucial task, resulting in service account locking issues. If you experience this issue and open a ticket with Oracle, they will most likely provide the below URL:
To prevent these issues and any environment downtime, the steps below must be completed. These changes require a bit of work on the customer’s part to ensure your environment continues to operate seamlessly. Follow all steps outlined in Oracle’s initial email but the items below are the most critical of these:
- The person’s password listed in columns Account Administrator Email and Service Administrator Email (noted with red arrows) will likely be expired so they will need to log in at https://cloud.oracle.com and reset their password.
- Oracle now enforces two-factor authentication, so they will need to install Oracle Mobile Authenticator on their mobile phone. A QR Code will be provided during the web-based configuration process to add the necessary profile to the app.
- Once logged in, they can add one or more others to the Administrators group in OCI. It is especially important that they also add any service or user accounts that are used for scheduled or other script-based automation or other tasks, such as EPM Automate scripts.
- Users’ accounts that execute scripts of this kind should also be sent a Reset Password request so that they can create their new OCI-based password. This will expire regularly, and email notification of the expiration will be provided, so ensure that the email accounts of any service account users are monitored. If encrypted passwords are used in scripts, they will need to be re-encrypted.
- If your organization uses Single Sign-On (SSO) this will also need to be configured in OCI.
If you find yourself in the above situation, PARC Consulting stands ready to help you through the configuration process and provide the information you will need to use the new OCI environment.