Oracle by Example
Protecting an On-premises Application with Oracle Identity Cloud Service by Using WebGate

Before You Begin

This 15-minute tutorial shows you how to protect a sample on-premises application (Acme) with Oracle Identity Cloud Service by configuring WebGate.

Background

Oracle Access Management uses WebGate to protect on-premises web applications. Instead of relying on Oracle Access Manager as its authentication service, WebGate can now interact directly with Oracle Identity Cloud Service, so that users are authenticated by the cloud service before they are allowed to reach the on-premises web application.

[Illustration: acmeapp.png]

When an unauthenticated user tries to access an application protected in this way, WebGate redirects the user to the Oracle Identity Cloud Service Sign In page for authentication.

What Do You Need?

  • This tutorial assumes that you have installed Oracle HTTP Server (OHS) front-ending the WebLogic Admin Server through the WebLogic Proxy Plug-in.
    Note:
    • The WebLogic Proxy Plug-in is configured manually by specifying directives in mod_wl_ohs.conf (found in $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/componentName).
    • Refer to Prerequisites for Configuring the WebLogic Proxy Plug-in and perform the steps in the WebLogic Server Administration Console before configuring the WebLogic Proxy Plug-in.
  • This tutorial also assumes that you have done the following:
    • Downloaded and deployed your application on the WebLogic Admin Server. In this example, acmeapp.war is deployed on the WebLogic Admin Server at http://<hostname>:7001/AcmeApp/index.html.
    • Confirmed, after deploying and configuring, that the application is reachable through the Oracle HTTP Server port 7777. In this example, the Acme application is accessible at http://<hostname>:7777/AcmeApp/index.html.
    • Downloaded the cloud_config.txt and cloud_policy.txt files into your WebGate configuration folder ($OAM_DOMAIN/config/fmwconfig/components/OHS/ohs1/webgate/config). The sections below edit these files under the names cloud.config and cloud.policy.
  • You have access to an instance of Oracle Identity Cloud Service, with the rights to register a trusted application.

Section 1: Register an Application in Oracle Identity Cloud Service

In this section, you'll register and activate the Acme application in Oracle Identity Cloud Service.

  1. Log in to the Oracle Identity Cloud Service console at https://idcshost:port.
  2. In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Applications, and then click Add.
  3. Select Trusted Application.
  4. Use the following table to fill in the Details tab; the values given are for the Acme application:

     No.  Field             Value
     1.   Name              Acmeapp
     2.   Description       Sample application to be protected by IDCS.
     3.   Application URL   http://<hostname>:7777/AcmeApp/index.html
                            Enter the Acmeapp URL; host:port is the Oracle HTTP Server on which your WebGate is configured.
     4.   Display Settings  Select the Display in My Apps and User can request access checkboxes.
  5. [Illustration: details.png]
  6. Click Next.
  7. Select Configure this application as a client now.
  8. Use the following table to fill in the Client tab; the values given are for the Acme application:

     No.  Field                 Value
     1.   Allowed Grant Types   Select Resource Owner, Refresh Token and Authorization Code.
                                Authorization Code is the grant behind the browser redirect flow that WebGate performs; enable only the grant types your deployment actually needs.
     2.   Allow non-HTTPS URLs  Select the checkbox if the application is not https based.
                                Use this for testing only: over plain http, the authorization code returned to the callback URL travels in clear.
     3.   Redirect URL          http://<hostname>:7777/oauth/callback
                                Enter the host:port of the OHS on which WebGate is configured.
     4.   Introspect            Select the Introspect checkbox.
  9. [Illustration: config.png]
  10. Click Next.
  11. Select Configure this application as a resource server now.
  12. Use the following table to fill in the Resources tab; the values given are for the Acme application:

      No.  Field                     Value
      1.   Primary Audience          Acmeapp
                                     Enter the name of the application.
      2.   Secondary Audience        http://<hostname>:7777
                                     Enter the host:port of the OHS on which WebGate is configured, and click Add.
      3.   Allowed Scopes            Click Add, enter acmescope as the scope, select the Requires Consent checkbox, and click Add.
      4.   Is Refresh Token Allowed  Select the Is Refresh Token Allowed checkbox.
  13. [Illustration: resource.png]
  14. On the panes that follow, click Next until you reach the last pane, and then click Finish to save the application.
  15. Record the values of Client ID and Client Secret for the application, and then click Close.
  16. After the application is created and saved, select the Configuration tab and expand the Client Configuration section. In the Accessing APIs from Other Applications section, under Allowed Scopes, click Add. In the Add Scope dialog, select Acmeapp (the name of the application) and click Add to grant the client the scope of the Acme resource. Click Save to save your changes.
  17. Still in the Client Configuration section, under Grant the client access to Identity Cloud Service Admin APIs, click Add. In the Add App Role dialog, select the Identity Domain Administrator role and click Add to assign the app role. Click Save to save your changes.
      Note: Identity Domain Administrator is the top-level administrator role in Oracle Identity Cloud Service. Anyone holding this client's Client ID and Client Secret can administer the whole identity domain, so treat the secret (and the wallet that will hold it) accordingly.
  18. To activate the application, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Section 2: Configure WebGate to Interact with Oracle Identity Cloud Service

In this section, you will configure WebGate to interact with Oracle Identity Cloud Service.

  1. Launch a terminal window and navigate to the WebGate configuration folder:
     cd $OAM_DOMAIN/config/fmwconfig/components/OHS/ohs1/webgate/config
  2. In the WebGate folder, edit the downloaded cloud.config file:
     vi cloud.config
     Use the following table to fill in the cloud.config fields:

     No.  Field              Value
     1.   callbackPrefix     http://<hostname>:7777/oauth/callback
                             Note: The value must be identical to the value entered in the Redirect URL field when registering the Acme application; an authorization server only accepts a redirect URL that matches the registered one.
     2.   externalIDUrl      https://idcshost:port
                             Enter the Oracle Identity Cloud Service URL.
     3.   httpsCertAuthFile  Path to a CA certificate bundle, for example the one published at http://curl.haxx.se/ca/cacert.pem
                             Note: This setting is optional but recommended. Enter the path only if httpsVerifyHost and httpsVerifyServer are set to true; otherwise leave it blank. With verification off, WebGate does not check the certificate of the Identity Cloud Service endpoint to which it sends the client secret and authorization code, so enable verification outside of test environments. Fetch the bundle over HTTPS rather than plain http, since a bundle downloaded in clear can be substituted in transit.
  3. In the WebGate folder, edit the downloaded cloud.policy file:
     vi cloud.policy
     Use the following table to fill in the cloud.policy fields:

     No.  Field      Value
     1.   filter     /AcmeApp/private/home.jsp
                     Enter the URL path against which each resource request is matched.
     2.   scope      Acmeappacmescope email openid
                     Specify the scopes that WebGate requests from Identity Cloud Service. A custom scope is qualified with the Primary Audience of its resource, so acmescope registered under the audience Acmeapp becomes Acmeappacmescope; the standard openid and email scopes are used as they are.
     3.   idcsscope  acmescope email openid
                     Each value in this field has a corresponding value, in the same position, in the scope field.
     4.   headers    Specify the list of headers WebGate injects into the request before forwarding it to the protected server.

Section 3: Create a Wallet in the WebGate Folder to Store the Client ID and Client Secret

In this section, you will create a wallet in the WebGate folder to store the Client ID and Client Secret of the Acme application.

  1. Set JAVA_HOME to the JDK shipped with the OHS Middleware Home and change to its oracle_common/bin directory, where the orapki and mkstore utilities live:
     export JAVA_HOME=<ohs_middleware>/oracle_common/jdk/jre/
     cd <ohs_middleware>/oracle_common/bin
  2. Create a wallet by using the orapki utility:
     ./orapki wallet create -wallet <WebGateInstanceDir>/config/cwg_wallet -auto_login
     The output should look similar to this:
     Oracle PKI Tool : Version 12.2.1.3.0
     Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
     Enter password:
     Enter password again:
     Operation is successfully completed.
     Note: -auto_login also creates cwallet.sso, which can be opened without the wallet password. File permissions are then the only thing protecting the client secret and the encryption key, so make sure the wallet directory is readable only by the user that runs OHS.
  3. Add the Client ID and Client Secret of the registered Acme application to the wallet using the mkstore utility:
     ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential <mapName> <mapKeyName> <client_id> <client_secret>
     mapName = CWG
     mapKeyName = id_secret_key

     Example:
     ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential CWG id_secret_key 123456789abcdef123456789abcdef12 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
     The output should look similar to this:
     Oracle Secret Store Tool : Version 12.2.1.3.0
     Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

     Enter wallet password:

     Note: The client secret is passed on the command line, so it is written to the shell history and is visible to other local users in the process list while mkstore runs. Remove the history entry afterwards.
  4. Generate a symmetric key for token encryption using the openssl utility:
     openssl enc <encryption algo> -k "<secret/passphrase>" -P -md <hashing algo>
     encryption algo = -aes-128-gcm
     hashing algo = sha256

     Example:
     openssl enc -aes-128-gcm -k "god bless you" -P -md sha256
     The output should look similar to this:
     salt=AAAAAAAAAAAAAAAA
     key=BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
     iv =CCCCCCCCCCCCCCCCCCCCCCCC
     Note: -P only derives and prints key material; it encrypts nothing. Only the key value (32 hex digits, that is the 128 bits AES-128-GCM requires) is stored in the next step; the salt and iv are not used. OpenSSL 1.1.0 and later refuse AEAD ciphers in the enc utility ("AEAD ciphers not supported"); in that case generate the key directly from the OS random source with openssl rand -hex 16, which is in any case preferable to deriving it from a passphrase. Either way the key is printed to the terminal, so clear the scrollback and history afterwards.
  5. Add the symmetric key to the wallet using the mkstore utility:
     ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential <mapName> <mapKeyName> <keyName> <symmetricKey>
     mapName = CWG
     mapKeyName = enc_key
     keyName = enc

     Example:
     ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential CWG enc_key enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
     The output should look similar to this:
     Oracle Secret Store Tool : Version 12.2.1.3.0
     Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.

     Enter wallet password:

  6. Restart the OHS component so that WebGate picks up the new wallet and configuration:
     cd $DOMAIN_HOME/bin
     ./stopComponent.sh ohs1
     ./startComponent.sh ohs1
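As an added example (not part of this tutorial and not Oracle WebGate code), the following Python script performs the pre-flight checks a practitioner would want to run against the values entered in Sections 1 to 3 before restarting OHS: that callbackPrefix equals the Redirect URL registered in Identity Cloud Service, that the Identity Cloud Service URL and the certificate-verification settings are coherent, that every idcsscope value maps to its qualified entry in scope and names a registered Allowed Scope, and that the symmetric key is a 128-bit hex value. The tutorial does not show the on-disk format of cloud.config and cloud.policy, so the settings are modelled as dicts keyed by the tutorial's field names; the host names and file paths are constructed placeholders, and the list of unqualified standard scopes and the audience-plus-name qualification rule are assumptions drawn from the tutorial's own values.

```python
"""Pre-flight checks for the WebGate to Oracle Identity Cloud Service setup.

Added example; not part of the tutorial and not Oracle WebGate code. The
on-disk format of cloud.config and cloud.policy is not shown in the tutorial,
so their settings are modelled as plain dicts keyed by the field names the
tutorial lists (assumption). Host names and paths are constructed placeholders.
"""
import re
import secrets
from urllib.parse import urlsplit

# Scopes Identity Cloud Service uses unqualified (assumption). A custom scope is
# qualified with its resource's Primary Audience: "Acmeapp" + "acmescope".
STANDARD_SCOPES = {"openid", "email", "profile"}

# cloud.config as the tutorial fills it in: http callback, no TLS verification.
TUTORIAL_CONFIG = {
    "callbackPrefix": "http://ohs.example.com:7777/oauth/callback",
    "externalIDUrl": "https://idcs.example.com:443",
    "httpsVerifyHost": "false",
    "httpsVerifyServer": "false",
    "httpsCertAuthFile": "",
}

# Hardened variant: https callback and the IDCS certificate verified.
HARDENED_CONFIG = {
    "callbackPrefix": "https://ohs.example.com:4443/oauth/callback",
    "externalIDUrl": "https://idcs.example.com:443",
    "httpsVerifyHost": "true",
    "httpsVerifyServer": "true",
    "httpsCertAuthFile": "/u01/webgate/config/cacert.pem",
}

# The cloud.policy entry from Section 2.
CLOUD_POLICY = {
    "filter": "/AcmeApp/private/home.jsp",
    "scope": "Acmeappacmescope email openid",
    "idcsscope": "acmescope email openid",
}


def check_config(cfg, registered_redirect_url):
    """Return findings ("ERROR: ..." or "WARN: ...") for a cloud.config; [] means clean."""
    findings = []
    callback = cfg.get("callbackPrefix", "")
    if callback != registered_redirect_url:
        findings.append("ERROR: callbackPrefix must equal the Redirect URL registered in IDCS")
    if urlsplit(callback).scheme != "https":
        findings.append("WARN: callbackPrefix is not https; the authorization code reaches "
                        "WebGate in clear (test only; needs 'Allow non-HTTPS URLs' on the client)")
    if urlsplit(cfg.get("externalIDUrl", "")).scheme != "https":
        findings.append("ERROR: externalIDUrl must be https")
    verifying = (cfg.get("httpsVerifyHost") == "true"
                 and cfg.get("httpsVerifyServer") == "true")
    ca_file = cfg.get("httpsCertAuthFile", "")
    if not verifying:
        findings.append("WARN: httpsVerifyHost/httpsVerifyServer are off; WebGate will not "
                        "verify the IDCS certificate when it redeems codes with the client secret")
        if ca_file:
            findings.append("WARN: httpsCertAuthFile is set but ignored while verification is off")
    elif not ca_file:
        findings.append("ERROR: httpsCertAuthFile is required when verification is on")
    return findings


def check_policy(policy, primary_audience, allowed_scopes):
    """Check that scope and idcsscope line up and that only registered scopes are requested."""
    full = policy["scope"].split()
    short = policy["idcsscope"].split()
    if len(full) != len(short):
        return ["ERROR: scope and idcsscope must list the same number of entries"]
    findings = []
    for requested, name in zip(full, short):
        if name in STANDARD_SCOPES:
            expected = name
        else:
            expected = primary_audience + name
            if name not in allowed_scopes:
                findings.append(f"ERROR: idcsscope {name!r} is not an Allowed Scope of "
                                f"resource {primary_audience!r}")
        if requested != expected:
            findings.append(f"ERROR: scope {requested!r} should be {expected!r}")
    if not policy["filter"].startswith("/"):
        findings.append("ERROR: filter must be an absolute path such as /AcmeApp/private/home.jsp")
    return findings


def new_token_key():
    """128-bit key as 32 hex digits from the OS CSPRNG (the shape of openssl's key= line),
    suitable for storing under CWG/enc_key."""
    return secrets.token_hex(16)


def check_token_key(key_hex):
    """True when the value is exactly 128 bits of hex, the size AES-128-GCM needs."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", key_hex) is not None


if __name__ == "__main__":
    for label, cfg in (("tutorial", TUTORIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_config(cfg, cfg["callbackPrefix"]) or ["OK"])
    print("policy", check_policy(CLOUD_POLICY, "Acmeapp", {"acmescope"}) or ["OK"])
    print("key", new_token_key())
```

Run it before the restart in step 6: the tutorial configuration produces two warnings (plain-http callback, certificate verification off), the hardened one none, and a policy whose scope entry forgets the Acmeapp audience prefix, or names a scope that was never added under Allowed Scopes, is reported as an error rather than discovered later as a failed login.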

Section 4: Test the Acme Application

  1. Launch the Acme application in a browser using the URL http://<hostname>:7777/AcmeApp/private/home.jsp (the path that the filter in cloud.policy protects).
     You are redirected to the Oracle Identity Cloud Service Sign In page.
  2. Enter your login credentials.
     You are redirected to the consent page, because acmescope was registered with Requires Consent.
     Note: The consent page is displayed to a user only the first time that user logs in.
  3. Click Allow.
     The Acme application home page appears.

Want to Learn More?