oracle
diff --git a/‎documentation/domains/Domain.json
Lines changed: 5 additions & 4 deletions b/‎documentation/domains/Domain.json
Lines changed: 5 additions & 4 deletions
diff --git a/‎documentation/domains/Domain.md
Lines changed: 4 additions & 4 deletions b/‎documentation/domains/Domain.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎documentation/site/content/managing-domains/domain-on-pv/usage.md
Lines changed: 103 additions & 6 deletions b/‎documentation/site/content/managing-domains/domain-on-pv/usage.md
Lines changed: 103 additions & 6 deletions
@@ -177,7 +177,7 @@
       "type": "object",
       "properties": {
         "initializeDomainOnPV": {
-          "description": "Configuration to initialize a WebLogic Domain on persistent volume (`Domain on PV`) and initialize related resources such as a persistent volume and a persistent volume claim. If specified, the operator will perform these one-time initialization steps only if the domain and resources do not already exist. The operator will not recreate or update the domain and resources when they already exist.  For more information, see https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/choosing-a-model/ and https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization ",
+          "description": "Configuration to initialize a WebLogic Domain on persistent volume (`Domain on PV`) and initialize related resources such as a persistent volume and a persistent volume claim. If specified, the operator will perform these one-time initialization steps only if the domain and resources do not already exist. The operator will not recreate or update the domain and resources when they already exist.  For more information, see https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/choosing-a-model/ and https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv ",
           "$ref": "#/definitions/InitializeDomainOnPV"
         },
         "overrideDistributionStrategy": {
@@ -190,7 +190,8 @@
           ]
         },
         "opss": {
-          "description": "Settings for OPSS security.",
+          "deprecated": "true",
+          "description": "Settings for OPSS security for the Model in Image JRF Domain. This field is deprecated, and will be removed in a future release. For JRF domain on PV initialization, use `configuration.initializeDomainOnPV.domain.opss` section for configuring OPSS security settings.",
           "$ref": "#/definitions/Opss"
         },
         "model": {
@@ -822,11 +823,11 @@
       "type": "object",
       "properties": {
         "walletFileSecret": {
-          "description": "Name of a Secret containing the OPSS key wallet file, which must be in a key named `walletFile`. Use this to allow a JRF domain to reuse its entries in the RCU database. This allows you to specify a wallet file that was obtained from the domain home after the domain was booted for the first time.",
+          "description": "Name of a Secret containing the OPSS key wallet file, which must be in a key named `walletFile`. Use this to allow a JRF domain to reuse its schemas in the RCU database. This allows you to specify a wallet file that was obtained from the domain home after the domain was booted for the first time.",
           "type": "string"
         },
         "walletPasswordSecret": {
-          "description": "Name of a Secret containing the OPSS key passphrase, which must be in a key named `walletPassword`. Used to encrypt and decrypt the wallet that is used for accessing the domain\u0027s entries in its RCU database.The password must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.",
+          "description": "Name of a Secret containing the OPSS key passphrase, which must be in a key named `walletPassword`. Used to encrypt and decrypt the wallet that is used for accessing the domain\u0027s schemas in its RCU database. The password must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters.",
           "type": "string"
         }
       }
 
@@ -83,10 +83,10 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 
 | Name | Type | Description |
 | --- | --- | --- |
-| `initializeDomainOnPV` | [Initialize Domain On PV](#initialize-domain-on-pv) | Configuration to initialize a WebLogic Domain on persistent volume (`Domain on PV`) and initialize related resources such as a persistent volume and a persistent volume claim. If specified, the operator will perform these one-time initialization steps only if the domain and resources do not already exist. The operator will not recreate or update the domain and resources when they already exist.  For more information, see https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/choosing-a-model/ and https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv-initialization  |
+| `initializeDomainOnPV` | [Initialize Domain On PV](#initialize-domain-on-pv) | Configuration to initialize a WebLogic Domain on persistent volume (`Domain on PV`) and initialize related resources such as a persistent volume and a persistent volume claim. If specified, the operator will perform these one-time initialization steps only if the domain and resources do not already exist. The operator will not recreate or update the domain and resources when they already exist.  For more information, see https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/choosing-a-model/ and https://oracle.github.io/weblogic-kubernetes-operator/managing-domains/domain-on-pv  |
 | `introspectorJobActiveDeadlineSeconds` | integer | The introspector job timeout value in seconds. If this field is specified, then the operator's ConfigMap `data.introspectorJobActiveDeadlineSeconds` value is ignored. Defaults to 120 seconds. |
 | `model` | [Model](#model) | Model in image model files and properties. |
-| `opss` | [Opss](#opss) | Settings for OPSS security. |
+| `opss` | [Opss](#opss) | Settings for OPSS security for the Model in Image JRF Domain. This field is deprecated, and will be removed in a future release. For JRF domain on PV initialization, use `configuration.initializeDomainOnPV.domain.opss` section for configuring OPSS security settings. |
 | `overrideDistributionStrategy` | string | Determines how updated configuration overrides are distributed to already running WebLogic Server instances following introspection when the `domainHomeSourceType` is PersistentVolume or Image. Configuration overrides are generated during introspection from Secrets, the `overridesConfigMap` field, and WebLogic domain topology. Legal values are `Dynamic`, which means that the operator will distribute updated configuration overrides dynamically to running servers, and `OnRestart`, which means that servers will use updated configuration overrides only after the server's next restart. The selection of `OnRestart` will not cause servers to restart when there are updated configuration overrides available. See also `domains.spec.introspectVersion`. Defaults to `Dynamic`. |
 | `overridesConfigMap` | string | The name of the ConfigMap for WebLogic configuration overrides. |
 | `secrets` | Array of string | A list of names of the Secrets for WebLogic configuration overrides or model. |
@@ -245,8 +245,8 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 
 | Name | Type | Description |
 | --- | --- | --- |
-| `walletFileSecret` | string | Name of a Secret containing the OPSS key wallet file, which must be in a key named `walletFile`. Use this to allow a JRF domain to reuse its entries in the RCU database. This allows you to specify a wallet file that was obtained from the domain home after the domain was booted for the first time. |
-| `walletPasswordSecret` | string | Name of a Secret containing the OPSS key passphrase, which must be in a key named `walletPassword`. Used to encrypt and decrypt the wallet that is used for accessing the domain's entries in its RCU database.The password must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. |
+| `walletFileSecret` | string | Name of a Secret containing the OPSS key wallet file, which must be in a key named `walletFile`. Use this to allow a JRF domain to reuse its schemas in the RCU database. This allows you to specify a wallet file that was obtained from the domain home after the domain was booted for the first time. |
+| `walletPasswordSecret` | string | Name of a Secret containing the OPSS key passphrase, which must be in a key named `walletPassword`. Used to encrypt and decrypt the wallet that is used for accessing the domain's schemas in its RCU database. The password must have a minimum length of eight characters and contain alphabetic characters combined with numbers or special characters. |
 
 ### Introspector Job Pod
 
 
@@ -238,15 +238,112 @@ spec:
 | `createIfNotExists`         | Specifies whether the operator should create the RCU schema first, before creating the domain. | `domain` or `domainAndRCU` (drop existing RCU schema and create new RCU schema) | N (default `domain`) |
 | `domainCreationImages`      | WDT domain images.                                                                    | An array of images.                                                          | Y                                |
 | `domainCreationConfigMap`   | Optional ConfigMap containing extra WDT models.                                       | Kubernetes ConfigMap name.                                               | N                                                  |
-| `osss.walletPasswordSecret` | Password for extracting OPSS wallet encryption key for JRF domain.               | Kubernetes secret name with key `walletPassword`.                       | Y                                                                   |
-| `osss.walletFileSecret`     | Extracted OPSS wallet file.                                                        | Kubernetes secret name with key `walletFile`.                            | N (Only needed when recreating the domain during disaster recovery) |
+| `osss.walletPasswordSecret` | Password for extracting OPSS wallet encryption key for JRF domain.               | Kubernetes Secret name with the key `walletPassword`.                       | Y                                                                   |
+| `osss.walletFileSecret`     | Extracted OPSS wallet file.                                                        | Kubernetes Secret name with the key `walletFile`.                            | N (Only needed when recreating the domain during disaster recovery) |
 
-**After a JRF domain is successfully deployed**: follow the next section [Best Practices](#best-practices) to download and back up the OPSS wallet.
+**After a JRF domain is successfully deployed**: follow the next section, [Best practices](#best-practices), to download and back up the OPSS wallet.
 
-### Best Practices
+### Best practices
 
-For a JRF domain, it is a best practice to download and save the OPSS wallet in a safely backed-up location _immediately_.  It is also highly recommended that you store this wallet in
-a Kubernetes secret in the same namespace.   In case you need to recover the domain directory, then the secret will be ready.  For details, see [Disaster Recovery]({{< relref "/managing-domains/working-with-wdt-models/jrf-domain#disaster-recovery-when-the-domain-home-directory-is-destroyed">}}).  
+Oracle recommends that you save the OPSS wallet file in a safe, backed-up location __immediately__ after an initial JRF domain is created.
+In addition, you should make sure to store the wallet in a Kubernetes Secret in the same namespace. This will allow the secret to be available when the domain needs to be recovered in a disaster scenario or if the domain directory gets corrupted. There is no way to reuse the original RCU schema without this specific wallet key.
+Therefore, for disaster recovery, **you should back up this encryption key**.
+
+
+#### Back up the JRF domain home directory and database
+
+Oracle recommends that you back up the domain home directory and database after the initial JRF domain is created, and then periodically, making sure all the latest changes are backed up.
+
+A JRF domain has a one-to-one relationship with the RCU schema.  After a domain is created using a particular RCU schema,
+that schema _cannot_ be reused by another domain and the same schema _cannot_ be shared across different domains. Any attempts to
+create a new domain using the existing RCU schema will result in an error.
+
+{{% notice warning %}}
+If the domain home is not properly backed up, you potentially can lose existing data if the domain home is corrupted or deleted.
+That's because recreating the domain requires dropping the existing RCU schema and creating a new RCU schema. Therefore, backing up the existing domain home should be
+the highest priority in your Kubernetes environment.
+{{% /notice %}}
+
+A Domain on PV domain configuration might get updated after its initial deployment. For example, using WLST or the console, you might have deployed
+ new applications, added custom OPSS keystores, and added OWSM policies, and such.
+In that case, the original WDT model files used to create the initial domain will _not_ match the current state of the domain (the WDT model files are _not_ the source of truth).
+Therefore, if you recreate the domain using the original WDT model files, you will lose all the subsequent updates. In order to preserve the domain updates, you should restore the domain from
+the backup copy of the domain home directory and connect to the existing RCU schema from the database backup.
+
+#### Store the OPSS wallet in a Kubernetes Secret and update `opss.walletFileSecret` in the domain resource
+After the domain is created, the operator automatically exports the OPSS wallet and stores it in an introspector ConfigMap; the name of the ConfigMap follows the pattern `<domain uid>-weblogic-domain-introspect-cm` with the key `ewallet.p12`. Oracle recommends that you save the OPSS wallet file in a safe, backed-up location __immediately__ after an initial JRF domain is created. In addition, you should make sure to store the wallet in a Kubernetes Secret in the same namespace. This will allow the secret to be available when the domain needs to be recovered in a disaster scenario or if the domain directory gets corrupted.
+
+The following are the high-level steps for storing the OPSS wallet in a Kubernetes Secret.
+1. The operator provides a utility script, [OPSS wallet utility](https://orahub.oci.oraclecorp.com/weblogic-cloud/weblogic-kubernetes-operator/-/blob/main/kubernetes/samples/scripts/domain-lifecycle/opss-wallet.sh), for extracting the wallet file and storing it in a Kubernetes `walletFileSecret`. In addition, you should also save the wallet file in a safely backed-up location outside of Kubernetes. For example, the following command saves the OPSS wallet for the `sample-domain1` domain in the `sample-ns` namespace to a file named `ewallet.p12` in the `/tmp` directory and also stores it in the wallet secret named `jrf-wallet-file-secret`.
+
+   ```
+   $ opss-wallet.sh -n sample-ns -d sample-domain1 -s -r -wf /tmp/ewallet.p12 -ws jrf-wallet-file-secret
+   ```
+
+   Replace `/tmp/ewallet.p12` in the previous command with the name of the file to be stored in a safe location and replace `jrf-wallet-file-secret` with the Secret name of your choice. For more information, see the `OPSS wallet utility` section in the [README](https://github.com/oracle/weblogic-kubernetes-operator/tree/{{< latestMinorVersion >}}/kubernetes/samples/scripts/domain-lifecycle/README.md) file.
+
+2. Save the extracted wallet file (`/tmp/ewallet.p12` in the example) to a safe location, outside of Kubernetes.
+3. Add the `opss.walletFileSecret` to the domain resource YAML file under `configuration.initializeDomainOnPV.domain`.
+
+   ```
+     ...
+     configuration:
+       initializeDomainOnPV:
+       ...
+         domain:
+           ...
+           opss:
+             walletFileSecret: jrf-wallet-file-secret
+             ...
+   ```
+
+   You can use the following `patch` command to add it to the domain resource.
+
+   ```
+   $ kubectl -n sample-ns patch domain sample-domain1 --type='JSON' -p='[ { "op" : "add", "path" : "/spec/configuration/initializeDomainOnPV/domain/opss/walletFileSecret", "value" : "jrf-wallet-file-secret" }]'
+   ```
+
+#### Recovering the domain when it's corrupted or in other disaster scenarios
+
+If the domain home directory is corrupted, and you have a recent backup of the domain home directory, then perform the following steps to recover the domain.
+
+1. Restore the domain home directory from the backup copy.
+2. Update the `restartVersion` of the domain resource to restart the domain. For example,
+
+   ```
+   $ kubectl -n sample-ns patch domain sample-domain1 --type='JSON' -p='[ { "op" : "replace", "path" : "/spec/restartVersion", "value" : "15" }]'
+   ```
+3. After the domain is restarted, check the WebLogic domain configuration to ensure that it has the latest changes.
+   **Note:** If you made any changes that are persisted in the domain home directory after your last backup, you must reapply those changes to the domain home directory.
+   However, because the operator will reconnect to the same RCU schema, the data stored in the OPSS, MDS, or OWSM tables will be current.
+
+4. Reapply any domain configuration changes persisted to the domain home directory, such as
+   data source connections, JMS destinations, or new application EAR deployments, after your last backup. To make these changes, use WLST, the WebLogic Server Administration Console, or Enterprise Manager.
+
+In the rare scenario where the domain home directory is corrupted, and you do **not** have a recent backup of the domain home directory, or if the backup copy is also corrupted, then you can recreate the domain from the WDT model files without losing any RCU schema data.
+
+1. Delete the domain home directory from the persistent volume.
+2. Add or replace the `domain.spec.introspectVersion` in the domain resource with a new value. The following is a sample `patch` command to update the `introspectVersion` for the sample domain.
+
+   ```
+   $ kubectl -n sample-ns patch domain sample-domain1 --type='JSON' -p='[ { "op" : "replace", "path" : "/spec/intropsectVersion", "value" : "15" }]'
+   ```
+
+3. The operator will then create a new domain from the existing WDT models and reuse the original RCU schema.
+
+    **NOTE:**
+    All the updates made to the domain after the initial deployment will **not** be available in the recovered domain.
+    However, this allows you to access the original RCU schema database without losing all its data.
+
+4. Apply all the domain configuration changes persisted to the domain home file system, such as data source connections, JMS destinations, or new application EAR deployments, that are not in the WDT model files. These are the changes you have made _after_ the initial domain deployment.
+
+5. Update the `restartVersion` of the domain resource to restart the domain.
+
+   ```
+   $ kubectl -n sample-ns patch domain sample-domain1 --type='JSON' -p='[ { "op" : "replace", "path" : "/spec/restartVersion", "value" : "15" }]'
+   ```
+
+For more information, see [Disaster Recovery]({{< relref "/managing-domains/working-with-wdt-models/jrf-domain#disaster-recovery-for-domain-on-pv-deployment">}}).  
 
 ### Troubleshooting