Before You Begin
This 15-minute tutorial shows you how to protect a sample Acme application (on-premises) with Oracle Identity Cloud Service by configuring WebGate.
Background
Oracle Access Management uses WebGate to protect on-premises web applications. Instead of relying on Oracle Access Manager for its authentication service, WebGate can now interact with Oracle Identity Cloud Service and protect the on-premises web application by using the cloud service to authenticate the users who access it.
When an unauthenticated user tries to access the application protected by Oracle Identity Cloud Service, the user is redirected to the Sign In page of Oracle Identity Cloud Service for authentication.
What Do You Need?
- This tutorial assumes that you have installed Oracle HTTP Server, front-ending the WebLogic Admin Server through the WLS proxy plug-in.
- The WebLogic Proxy Plug-in is configured manually by specifying directives in mod_wl_ohs.conf (found in the directory $DOMAIN_HOME/config/fmwconfig/components/OHS/instances/componentName). Refer to "Prerequisites for Configuring the WebLogic Proxy Plug-in" and perform the steps in the WebLogic Server Administration Console before configuring the WebLogic Proxy Plug-in.
- This tutorial assumes that you have completed the following:
  - Download and deploy your application in the WebLogic Admin Server. In this example, the acmeapp.war file is deployed in the WebLogic Admin Server at http://<hostname>:7001/AcmeApp/index.html.
  - After deploying and configuring, ensure the application is accessible through Oracle HTTP Server port 7777. In this example, the Acme application is accessible at the URL http://<hostname>:7777/AcmeApp/index.html.
  - Download the cloud_config.txt and cloud_policy.txt files to your WebGate folder ($OAM_DOMAIN/config/fmwconfig/components/OHS/ohs1/webgate/config).
  - Have access to an instance of Oracle Identity Cloud Service, with the rights to register a confidential application.
Register an Application in Oracle Identity Cloud Service
In this section, you'll register and activate the Acme application in Oracle Identity Cloud Service.
- Log in to the Oracle Identity Cloud Service console using the URL https://idcshost:port.
- In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Applications, and then click Add.
- Select Confidential Application.
- Use the following table as a guide to the fields of the Details tab; the values given are for the Acme application:
  1. Name: Acmeapp
  2. Description: Sample application to be protected by IDCS.
  3. Application URL: http://<hostname>:7777/AcmeApp/index.html (the Acmeapp URL; host:port is the Oracle HTTP Server where your WebGate is configured)
  4. Display Settings: select the Display in My Apps and User can request access checkboxes.
- Click Next.
- Select Configure this application as a client now.
- Use the following table as a guide to the fields of the Client tab; the values given are for the Acme application:
  1. Allowed Grant Types: select Resource Owner, Refresh Token and Authorization Code.
  2. Allow non-HTTPS URLs: select the checkbox if the application is not HTTPS based.
  3. Redirect URL: http://<hostname>:7777/oauth/callback (the host:port of the OHS where WebGate is configured)
  4. Introspect: select the Introspect checkbox.
- Click Next.
- Select Configure this application as a resource server now.
- Use the following table as a guide to the fields of the Resources tab; the values given are for the Acme application:
  1. Primary Audience: Acmeapp (the name of the application)
  2. Secondary Audience: http://<hostname>:7777 (the host:port of the OHS where WebGate is configured). Click Add.
  3. Allowed Scopes: click Add, enter acmescope as the scope, select the Requires Consent checkbox, and click Add.
  4. Is Refresh Token Allowed: select the Is Refresh Token Allowed checkbox.
- On the panes that follow, click Next until you reach the last pane, and then click Finish to save the application.
- Record the values of Client ID and Client Secret for the application, and then click Close.
- After the application is created and saved, select the Configuration tab and expand the Client Configuration section. In the Accessing APIs from Other Applications section, under Allowed Scopes, click Add. In the Add Scope dialog, select Acmeapp (the name of the application) and click Add to assign the Acme application to the scope. Click Save to save your changes.
- Select the Configuration tab and expand the Client Configuration section. In the Accessing APIs from Other Applications section, under Grant the client access to Identity Cloud Service Admin APIs, click Add. In the Add App Role dialog, select the Identity Domain Administrator role and click Add to assign the app role. Click Save to save your changes.
- To activate the application, click the Activate button, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.
Configure WebGate to Interact with Oracle Identity Cloud Service
In this section, you will configure WebGate to interact with Oracle Identity Cloud Service:
- Launch a terminal window and navigate to the WebGate folder:
  cd $OAM_DOMAIN/config/fmwconfig/components/OHS/ohs1/webgate/config
- In the WebGate folder, edit the downloaded cloud.config file:
  vi cloud.config
  Use the following table as a guide to the fields of the cloud.config file:
  1. callbackPrefix: http://<hostname>:port/oauth/callback
     Note: The value must be the same as the value provided in the Redirect URL field when registering the Acme application.
  2. externalIDUrl: https://idcshost:port (the Identity Cloud Service path)
  3. httpsCertAuthFile: the path to a CA certificate bundle; download the certificates from http://curl.haxx.se/ca/cacert.pem
     Note: This step is optional; turn it on for security purposes. Enter the path only if httpsVerifyHost and httpsVerifyServer are true, else leave it blank.
- In the WebGate folder, edit the downloaded cloud.policy file:
  vi cloud.policy
  Use the following table as a guide to the fields of the cloud.policy file:
  1. filter: /AcmeApp/private/home.jsp (the path of a URL against which the resource request is matched)
  2. scope: Acmeappacmescope email openid (the scopes configured for the application in the Identity Cloud Service console)
  3. idcsscope: acmescope email openid (each value in this field has a corresponding value in the scope field)
  4. headers: a list of headers that WebGate will inject before forwarding the request to the protected server
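The values entered in the Identity Cloud Service registration, in cloud.config and in cloud.policy have to agree with each other, and a mismatch is the usual reason the redirect to the Sign In page fails or the token is rejected. The following script is an added example that cross-checks them; it is not Oracle code and is not part of the tutorial. It models the three sources as plain Python dicts rather than reproducing the real cloud.config/cloud.policy file syntax, and the host names ohs.example.com and idcshost:443, the CA bundle path, the allow_non_https flag and the STANDARD_SCOPES set are constructed assumptions. It flags a callbackPrefix that differs from the registered Redirect URL, a scope entry that is not the Primary Audience followed by the idcsscope value, an idcsscope value that was never added as an Allowed Scope, and verification flags set without a CA bundle.

```python
"""Cross-check the IDCS application registration against WebGate's
cloud.config and cloud.policy values (added example, not Oracle's code).

Assumption: the three sources are modelled as plain dicts; the real file
syntax is not reproduced here.
"""
from urllib.parse import urlsplit

# Scopes that IDCS issues without an audience prefix. The tutorial uses
# email and openid; profile is included here as an assumption.
STANDARD_SCOPES = {"openid", "email", "profile"}

# Constructed sample: what was entered when registering the confidential
# application (tutorial values; ohs.example.com stands in for <hostname>).
IDCS_APP = {
    "name": "Acmeapp",
    "redirect_url": "http://ohs.example.com:7777/oauth/callback",
    "allow_non_https": True,          # the "Allow non-HTTPS URLs" checkbox
    "primary_audience": "Acmeapp",
    "secondary_audience": "http://ohs.example.com:7777",
    "allowed_scopes": ["acmescope"],
}

# Constructed sample: the cloud.config fields from the tutorial.
CLOUD_CONFIG = {
    "callbackPrefix": "http://ohs.example.com:7777/oauth/callback",
    "externalIDUrl": "https://idcshost:443",
    "httpsVerifyHost": True,
    "httpsVerifyServer": True,
    "httpsCertAuthFile": "/etc/pki/cacert.pem",   # hypothetical path
}

# Constructed sample: the cloud.policy fields from the tutorial.
CLOUD_POLICY = {
    "filter": "/AcmeApp/private/home.jsp",
    "scope": "Acmeappacmescope email openid",
    "idcsscope": "acmescope email openid",
}


def check_callback(app, cfg):
    """callbackPrefix must equal the registered Redirect URL and sit on the OHS host:port."""
    findings = []
    cb = cfg.get("callbackPrefix", "")
    if cb != app["redirect_url"]:
        findings.append(
            f"callbackPrefix {cb!r} differs from registered Redirect URL {app['redirect_url']!r}")
    if urlsplit(cb).netloc != urlsplit(app["secondary_audience"]).netloc:
        findings.append("callbackPrefix host:port differs from the Secondary Audience (OHS host:port)")
    if urlsplit(cb).scheme == "http" and not app.get("allow_non_https", False):
        findings.append("callbackPrefix is plain http but 'Allow non-HTTPS URLs' is not selected")
    return findings


def check_scopes(app, policy):
    """Each idcsscope value needs a matching scope entry: audience + scope for
    application scopes, the bare name for standard OIDC scopes."""
    findings = []
    scope = policy.get("scope", "").split()
    idcs = policy.get("idcsscope", "").split()
    if len(scope) != len(idcs):
        return [f"scope has {len(scope)} entries but idcsscope has {len(idcs)}; "
                "they must correspond one-to-one"]
    for s, i in zip(scope, idcs):
        expected = i if i in STANDARD_SCOPES else app["primary_audience"] + i
        if s != expected:
            findings.append(f"scope entry {s!r} should be {expected!r} for idcsscope {i!r}")
        if i not in STANDARD_SCOPES and i not in app["allowed_scopes"]:
            findings.append(f"idcsscope {i!r} is not an Allowed Scope of the registered application")
    return findings


def check_tls(cfg):
    """The IDCS endpoint must be https, and enabling verification needs a CA bundle."""
    findings = []
    if urlsplit(cfg.get("externalIDUrl", "")).scheme != "https":
        findings.append("externalIDUrl must use https")
    verify = cfg.get("httpsVerifyHost", False) or cfg.get("httpsVerifyServer", False)
    if verify and not cfg.get("httpsCertAuthFile"):
        findings.append("httpsVerifyHost/httpsVerifyServer is set but httpsCertAuthFile is empty")
    if not verify:
        findings.append("certificate verification of the Identity Cloud Service endpoint is disabled")
    return findings


def validate(app, cfg, policy):
    """Return all findings; an empty list means the three sources agree."""
    return check_callback(app, cfg) + check_scopes(app, policy) + check_tls(cfg)


if __name__ == "__main__":
    problems = validate(IDCS_APP, CLOUD_CONFIG, CLOUD_POLICY)
    print("\n".join(problems) if problems else "configuration is consistent")
```

Run it after filling in your own values in place of the constructed samples; an empty finding list means the Redirect URL, callbackPrefix, audiences and scopes line up, and the script also reports when certificate verification of the Identity Cloud Service endpoint has been left off.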
Create a Wallet in the WebGate Folder to Store the Client ID and Client Secret
In this section, you will create a wallet in the WebGate folder to store Client ID and Client Secret of the Acme application:
- Navigate to the OHS Middleware Home and set JAVA_HOME in that directory:
  export JAVA_HOME=<ohs_middleware>/oracle_common/jdk/jre/
  cd <ohs_middleware>/oracle_common/bin
- Launch a terminal window, and create a wallet by using the orapki utility:
  ./orapki wallet create -wallet <WebGateInstanceDir>/config/cwg_wallet -auto_login
  The output should look similar to this:
  Oracle PKI Tool : Version 12.2.1.3.0
  Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  Enter password:
  Enter password again:
  Operation is successfully completed.
- Add the Client ID and Client Secret of the registered Acme application to the wallet using the mkstore utility:
  ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential <mapName> <mapKeyName> <client_id> <client_secret>
  where mapName = CWG and mapKeyName = id_secret_key.
  Example:
  ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential CWG id_secret_key 123456789abcdef123456789abcdef12 aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
  The output should look similar to this:
  Oracle Secret Store Tool : Version 12.2.1.3.0
  Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  Enter wallet password:
- Generate a symmetric key for token encryption using the openssl utility:
  openssl enc <encryption algo> -k "<secret/passphrase>" -P -md <hashing algo>
  where encryption algo = -aes-128-gcm and hashing algo = sha256.
  Example:
  openssl enc -aes-128-gcm -k "god bless you" -P -md sha256
  The output should look similar to this:
  salt = AAAAAAAAAAAA
  key = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
  iv = CCCCCCCCCCCCCCCCCCCCCCCC
- Add the symmetric key to the wallet using the mkstore utility:
  ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential <mapName> <mapKeyName> <keyName> <symmetrickey>
  where mapName = CWG, mapKeyName = enc_key and keyName = enc.
  Example:
  ./mkstore -wrl <WebGateInstanceDir>/config/cwg_wallet -createUserCredential CWG enc_key enc BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
  The output should look similar to this:
  Oracle Secret Store Tool : Version 12.2.1.3.0
  Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
  Enter wallet password:
- Restart the OHS server:
  cd $DOMAIN_HOME/bin
  ./stopComponent.sh ohs1
  ./startComponent.sh ohs1
Test the Acme Application
- Launch the Acme application in a browser using the URL http://<hostname>:7777/AcmeApp/private/home.jsp. You are redirected to the Oracle Identity Cloud Service Sign In page.
- Enter the login credentials. You are redirected to the consent page.
  Note: The consent page is displayed to users only the first time they log in.
- Click Allow. The Acme application home page appears.
Protecting an On-premises Application with Oracle Identity Cloud Service by Using WebGate