13 Managing Oracle Access Management Mobile and Social on IBM WebSphere

This chapter contains information about managing Oracle Access Management Mobile and Social on IBM WebSphere.


13.1 Using Mobile and Social WLST Commands on IBM WebSphere

You can run Oracle Access Management commands from the IBM WebSphere wsadmin command line interface. For details, see Using the Oracle Fusion Middleware wsadmin Commands.

Oracle Access Management commands are documented in the WebLogic Scripting Tool Command Reference. Oracle Access Management commands are functionally identical on WebLogic and WebSphere. When running Mobile and Social wsadmin commands, however, you must prefix the command name with the Mobile and Social idaas_commands category name. For example:

idaas_commands.createServiceProvider(...)

13.2 Configuring an IHS WebGate to Support Mobile and Social

You must install and configure an IHS WebGate to use OAuth Services in Mobile and Social. The WebGate serves as a proxy so that client authorization and token endpoint requests access the WebGate instead of accessing the Oracle Access Management server directly.

  1. Install the IHS 11g WebGate for OAM using the instructions in Installing WebGates for Oracle Access Manager.

  2. Configure the WebGate by defining the following resource and creating an authentication policy and authorization policy.

    1. Open the Oracle Access Management console.

    2. Under Access Manager, click Application Domains, and then click Search to view the Application Domains on the Search Application Domains page.

    3. Click to edit the Application Domain.

    4. On the Application Domains page, click the Resources tab.

    5. Create the following resource. If you are using the existing IAMSuiteAgent Host Identifier, the resource is already present and can be searched on using the Resource URL field.

      /ms_oauth/oauth2/ui/**
      

      Click to select the resource, then click the Edit button.

    6. Under the Protection heading, choose the following options from the menus and click Apply:

      Protection Level - Protected

      Authentication Policy - Protected HigherLevel Policy

      Authorization Policy - Protected Resource Policy

      These settings allow the WebGate to perform user authentication and user authorization.

    7. Add the following resources and set the Protection Level to Excluded:

      /ms_oauth/oauth2/endpoints/**
      /ms_oauth/oauth2/oammsui/**
      /ms_oauth/style/**
      /ms_oauth/img/**
      /oam/**
      
      

      The WebGate does not protect Excluded resources and allows them to be accessed.

  3. Modify the IHS httpd.conf file as follows:

    1. Add the following lines to enable the proxy module:

      LoadModule proxy_module modules/mod_proxy.so
      LoadModule proxy_http_module modules/mod_proxy_http.so
      
    2. Set the Reverse Proxy settings by updating the following lines:

      <IfModule mod_proxy.c>
       
      #Enable the forward proxy server. Note: Do not use the ProxyRequests #directive if all you require is reverse proxy.
      #
      ProxyRequests Off
      #
      #<Proxy *>
      #     Order Allow,Deny
      #    Deny from all
      #    Allow from .example.com
      #</Proxy>
      #
      # Enable/disable the handling of HTTP/1.1 "Via:" headers.
      # ("Full" adds the server version; "Block" removes all outgoing Via: #headers)
      # Set to one of: Off | On | Full | Block
      #
      #ProxyVia On
      ProxyPass /ms_oauth http://host02.us.example.com:60412/ms_oauth
      ProxyPass /oam http://host02.us.example.com:60412/oam
      ProxyPassReverse /ms_oauth http://host02.us.example.com:60412/ms_oauth
      ProxyPassReverse /oam http://host02.us.example.com:60412/oam
      </IfModule>
      # End of proxy directives.
      
  4. Update the Access Manager Load Balancing settings as follows:

    1. Open the Oracle Access Management console.

    2. Under Configuration, click Access Manager Settings.

    3. In the Load Balancing section, change the OAM Server Host and the OAM Server Port settings to the WebGate's host and port settings.

    4. Click Apply.

  5. Update the WebSphere enableMultiReadOfPostData setting as follows:

    1. Open the WebSphere administration console.

    2. Choose Application Servers > oam_server1 > Web Container > Custom Properties.

    3. Enable the following property by setting its value to true:

      com.ibm.ws.webcontainer.enableMultiReadOfPostData

    4. Restart the servers.

  6. Complete the following steps. The steps in this procedure assume you already ran the was_config script to deploy the OAM applications on WebSphere. If you have not yet run the was_config script, use the oam-server.ear file instead of the oam_server_11.1.2.0.0.ear file.

    1. If you already ran the was_config script, open the Dmgr instance's deployed app directory and locate the oam_server_11.1.2.0.0.ear file:

      /scratch/was-setup/IBM/WebSphere/AppServer/profiles/Dmgr03/config/cells/<cell-name>/applications/oam_server_11.1.2.0.0.ear
      

      If you have not yet run the was_config script, open the following directory and locate the oam-server.ear file:

      /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps
      
    2. Back up the .ear file:

      cp oam_server_11.1.2.0.0.ear oam_server_11.1.2.0.0.ear.original
      

      Note:

      Remember to modify all commands to use the oam-server.ear file instead of the oam_server_11.1.2.0.0.ear file if you have not yet run the was_config script.
    3. Create a temporary directory and go to that directory:

      mkdir /scratch/was-setup/IBM/WebSphere/AppServer/profiles/Dmgr03/config/cells/<cell-name>/applications/tmp-ear
      cd /scratch/was-setup/IBM/WebSphere/AppServer/profiles/Dmgr03/config/cells/<cell-name>/applications/tmp-ear
      
    4. Extract the oam_server_11.1.2.0.0.ear file into the tmp-ear directory:

      jar -xvf ../oam_server_11.1.2.0.0.ear
      
    5. Create another temporary directory inside tmp-ear and go to that directory:

      mkdir tmp-ms-war
      cd tmp-ms-war
      

      You should be in this directory:

      /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war
      
    6. Extract the ms_oauth.war into the tmp-ms-war directory:

      jar -xvf ../ms_oauth.war
      
    7. Open the WEB-INF/web.xml file for editing and update it by adding comment tags around the security-constraint as follows:

      <!-- BEGIN: Comment the following security constraint if either the OAM WebGate is front-ending OAM in a WebSphere setup or if the WebLogic server Domain Agent is not used. 
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>OAuthSecuredResources</web-resource-name>
                  <url-pattern>/oauth2/ui/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>valid-users</role-name>
              </auth-constraint>
          </security-constraint>
       END of security constraint needing to be commented -->
      
    8. Recreate the .war file in the tmp-ms-war directory:

      jar cvf ms_oauth.war .
      
    9. Copy the updated .war file to the parent directory, then remove the tmp-ms-war directory located in tmp-ear/:

      cp /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war/ms_oauth.war /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear
      
      rm -rf /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war
      
    10. Create the oam_server_11.1.2.0.0.ear archive in the tmp-ear directory:

      jar cvf oam_server_11.1.2.0.0.ear .
      
    11. Copy the tmp-ear/oam_server_11.1.2.0.0.ear archive file to the parent directory:

      cp /scratch/was-setup/IBM/WebSphere/AppServer/profiles/Dmgr03/config/cells/<cell-name>/applications/tmp-ear/oam_server_11.1.2.0.0.ear /scratch/was-setup/IBM/WebSphere/AppServer/profiles/Dmgr03/config/cells/<cell-name>/applications/oam_server_11.1.2.0.0.ear
      
    12. Skip this step if you have not yet run the was_config script.

      Open deployments/oam_server_11.1.2.0.0.ear/deployments.xml for editing and change useMetadataFromBinaries="false" to useMetadataFromBinaries="true".

    13. Restart the WebSphere server.

    The WebGate will now reverse-proxy OAuth URLs as well as OAM managed server URLs. All authorization and token endpoint requests are now accessed using the WebGate host and port values instead of the actual OAM host and port values.
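The two files edited in this procedure are easy to get subtly wrong: a missing ProxyPassReverse breaks redirects, ProxyRequests left On turns the WebGate host into a forward proxy, and a security-constraint that was not fully wrapped in comment tags is still enforced by the container. The following Python script is an added post-configuration check and is not part of the Oracle documentation or product. It parses a constructed httpd.conf fragment (the host02.us.example.com:60412 values are the ones shown above) and a constructed web.xml whose constraint has been commented out as in step 6.7; the comment wording in the sample is made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the reverse-proxy fragment from step 3 (host and port as
# shown on the page; the Apache comment lines are omitted since they carry no
# configuration).
SAMPLE_HTTPD_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule mod_proxy.c>
ProxyRequests Off
#ProxyVia On
ProxyPass /ms_oauth http://host02.us.example.com:60412/ms_oauth
ProxyPass /oam http://host02.us.example.com:60412/oam
ProxyPassReverse /ms_oauth http://host02.us.example.com:60412/ms_oauth
ProxyPassReverse /oam http://host02.us.example.com:60412/oam
</IfModule>
"""

# Constructed web.xml after step 6.7: the security-constraint sits inside an XML
# comment, so the container no longer enforces it (the WebGate does instead).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <!-- BEGIN: security constraint disabled because the WebGate front-ends OAM
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OAuthSecuredResources</web-resource-name>
      <url-pattern>/oauth2/ui/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
  END of disabled security constraint -->
</web-app>
"""

# Paths that the WebGate must reverse-proxy to the OAM managed server.
EXPECTED_PROXY_PATHS = ("/ms_oauth", "/oam")


def check_httpd_conf(text):
    """Return a list of problems found in the proxy section of an httpd.conf.

    Checks: both proxy modules are loaded, ProxyRequests is Off (so the
    WebGate host cannot be used as an open forward proxy), and every expected
    path has a ProxyPass with a matching ProxyPassReverse.
    """
    modules, proxy_pass, proxy_pass_reverse = set(), {}, {}
    proxy_requests = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and Apache comments carry no configuration
        parts = line.split()
        if parts[0] == "LoadModule" and len(parts) >= 2:
            modules.add(parts[1])
        elif parts[0] == "ProxyRequests" and len(parts) >= 2:
            proxy_requests = parts[1].lower()
        elif parts[0] == "ProxyPass" and len(parts) >= 3:
            proxy_pass[parts[1]] = parts[2]
        elif parts[0] == "ProxyPassReverse" and len(parts) >= 3:
            proxy_pass_reverse[parts[1]] = parts[2]

    problems = []
    for mod in ("proxy_module", "proxy_http_module"):
        if mod not in modules:
            problems.append("missing LoadModule %s" % mod)
    if proxy_requests != "off":
        problems.append("ProxyRequests is not Off")
    for path in EXPECTED_PROXY_PATHS:
        if path not in proxy_pass:
            problems.append("no ProxyPass for %s" % path)
        elif proxy_pass_reverse.get(path) != proxy_pass[path]:
            problems.append("ProxyPassReverse for %s missing or does not match ProxyPass" % path)
    return problems


def _local(tag):
    """Strip an XML namespace prefix: {http://...}name -> name."""
    return tag.rsplit("}", 1)[-1]


def active_constraint_patterns(web_xml):
    """Return the url-patterns of security-constraints the container still enforces.

    The XML parser discards comments, so a constraint wrapped in <!-- --> as in
    step 6.7 does not appear. If /oauth2/ui/* is returned, the edit did not
    take effect and the container will still demand valid-users itself.
    """
    root = ET.fromstring(web_xml)
    patterns = []
    for el in root.iter():
        if _local(el.tag) == "security-constraint":
            patterns.extend(p.text.strip() for p in el.iter()
                            if _local(p.tag) == "url-pattern" and p.text)
    return patterns


if __name__ == "__main__":
    print("httpd.conf problems:", check_httpd_conf(SAMPLE_HTTPD_CONF) or "none")
    print("still-enforced url-patterns:",
          active_constraint_patterns(SAMPLE_WEB_XML) or "none")
```

To run it against a real installation, read the IHS httpd.conf and the extracted WEB-INF/web.xml into the two functions instead of the constructed samples; an empty list from both means the proxy mapping is complete and the container-level constraint is really disabled.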

13.3 Configuring Mobile Services for Oracle Adaptive Access Manager

Most topics in the Administrator's Guide for Oracle Access Management apply to both WebSphere and WebLogic environments. In the "Configuring Mobile Services" chapter, when referring to the "Configuring Mobile Services for Oracle Adaptive Access Manager" section, use the following modified steps instead of the steps documented in the "Configuring the WebLogic Administration Domain" section.

13.3.1 Creating an Administrator for OAAM Administration

Add users and groups from the WebSphere administration console. To do so, click Users and Groups > Manage Users/Manage Groups. Refer to the WebSphere documentation for more information.

13.3.2 Adding Oracle Access Management Server as Target of OAAM Data Source

In the WebSphere administration console, create a new data source with the same name and values as the OAAM_SERVER_DS data source defined in the oaam_server scope. Create this new data source in the scope of the managed server where oam_server is installed.

Note:

To extend an OAM domain for OAAM, run was_config.sh on top of the OAM install and choose the option to use the existing WebSphere Application Server profile.

13.4 Supporting Social Identity on IBM WebSphere

Complete the item in this section to configure IBM WebSphere to support Social Identity.


13.4.1 Adding CA Certificates to the IBM Trust Store

Follow these steps to configure WebSphere to provide proper SSL support for Social Identity in Mobile and Social.

Import the default IBM certificates from the trust keystore trust.p12 into the JDK cacerts keystore. This will ensure that both the relying party (that is, the Social Identity service provider) and the Oracle Access Management console can use SSL properly.

  1. In Mozilla Firefox open the following URL using the correct values for the machine where the instance is installed:

    http://<host name>:<port>/ibm/console

    The browser presents a security page and prompts you to trust the certificate.

  2. View the certificate and export it to a file using the .der format.

    If necessary, copy the .der file to the server where WebSphere is deployed.

  3. In the WebSphere Application Server Administrative console, choose Security > SSL certificate and key management.

  4. For both the Cell and Node levels where OAM is deployed, change the trust store file name setting from trust.p12 to the cacerts file that ships with the default IBM WebSphere JDK. Typically this file is located here:

    <WAS_HOME>/java/jre/lib/security/cacerts

    Save your changes.

  5. Click Signer Certificates to see all the signer certificates in the cacerts file.

  6. Click Add, type an alias name, and type the path to the .der file you exported in step 2.

    Save your settings.

  7. Download security certificates for your social identity providers. The following instructions are for the Mozilla Firefox browser.

    • For Google, download the certificate from the following link:

      http://www.geotrust.com/resources/root-certificates/index.html

      Under Root 1 - Equifax Secure Certificate Authority, right-click the Download - Equifax Secure Certificate Authority link, and choose Save As.

    • For Yahoo, download the certificate from the following link:

      https://open.login.yahooapis.com

      Right-click the page, choose View Page Info, click Details, click View Certificate, click the Details tab, click Export..., and save the certificate as a .pem file.

    • For Facebook, Twitter, and LinkedIn, type the following at a command prompt:

      $>openssl s_client -connect server:port </dev/null 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem

      where server:port is as follows:

      • Facebook: graph.facebook.com:443

      • LinkedIn: api.linkedin.com:443

      • Twitter: api.twitter.com:443

  8. Use the IBM console to import the certificates.

    1. In the WebSphere Application Server Administrative console, choose Security > SSL certificate and key management.

    2. Click Keystores and certificates under Related items.

    3. For both the Cell and Node levels, import the certificates as follows: Click the trust store name, click Signer certificates under Additional properties, and import the certificates.

  9. Hard-restart both the OAM managed server and the server hosting the Oracle Access Management console.

13.4.2 Configuration Requirements for Apps Protected by Access Manager

If your apps are protected by Access Manager and use Social Identity to provide users with additional log-in and registration options, you must configure user LDAP so that local log-in works properly. Because WebSphere does not include an embedded LDAP server like WebLogic, the LDAP user repository must be configured manually.

Configure your environment as follows:

  • Add to the LDAP repository the wasadmin user that is used to log in to the administration console.

  • Ensure that the following uid attributes are the same:

    • The uid attribute in the app using Social Identity. See the "Editing or Deleting an Application Profile" section in the Administrator's Guide for Oracle Access Management for details. The OAMApplication Application Profile that is included with Mobile and Social is preconfigured to work with Access Manager and requires only minor configuration changes to get working in your environment.

    • The uid attribute used for Access Manager log-in. See the "Editing or Deleting an Application Profile" section in the Administrator's Guide for Oracle Access Management for details.

    • The uid attribute for (Mobile and Social) User Profile Services. See the "Editing or Deleting a User Profile Service Provider" section in the Administrator's Guide for Oracle Access Management for details.

  • If your app is directly integrated with Mobile and Social, and if Social Identity and User Profile Services both point to a user repository other than the Access Manager user repository, both configurations should have the same uid attribute.

Note:

For all configurations, do not use the same attribute for the account linking attribute and the uid attribute. The account linking attribute and the uid attribute must be separate.

13.5 Moving Mobile and Social From a Test to Production Environment on IBM WebSphere

Complete both of the following procedures to migrate Mobile and Social from a Test to Production environment:

13.5.1 Copy Mobile and Social From a Test Environment to a Production Environment

The following steps describe how to copy Mobile and Social from a test environment to a production environment.

Important:

Complete these steps after you finish moving Access Manager from the test environment to the production environment. For more information, see "Moving Access Manager From a Test to Production Environment on IBM WebSphere" in the Oracle Fusion Middleware Third-Party Application Server Guide.
  1. Update oam-config.xml in the production environment with the secretKey value from the test environment.

    1. In the test environment, use a text editor to open oam-config.xml in the fmwconfig directory and, for object accessgate-oic, copy the value of the secretKey attribute.

      For example:

      <Setting Name="accessgate-oic" Type="htf:map">
        <Setting Name="ConfigurationProfile" Type="xsd:string">DefaultProfile</Setting>
        <Setting Name="aaaTimeoutThreshold" Type="xsd:string">-1</Setting>
      

      ...

        <Setting Name="secretKey" Type="xsd:string">A686408D1020B93EAA8B411EE0137847FD2968D1285A2A37BB0BE0B00238F50464E9C01EB3E5319AED6D7CAC81BD9FF7</Setting>
      
    2. In the production environment, use a text editor to open oam-config.xml in the fmwconfig directory and, for object accessgate-oic, replace the value of the attribute secretKey with the value from the test host.

  2. Copy the idaas.xml, oauth.xml, and oic_rp.xml files from the test environment fmwconfig directory to the production environment fmwconfig directory.

  3. In the production environment, edit the host and port information as appropriate in oic_rp.xml.

    Search for the name of the test host and replace it with the name of the production host. Verify that the port number is correct for the host URL.

    For example:

    <SystemConfiguration>
            <hostURL>https://prod123.example.com:14101</hostURL>
    
  4. Stop the node manager.

    Synchronize the node and start the node manager.

  5. Restart the oam_server1 and OracleAdminServer applications.
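Steps 1 through 3 of this procedure copy one attribute value between two oam-config.xml files and rewrite the host in oic_rp.xml. The following Python script is an added example of doing that programmatically; it is not part of the Oracle documentation or product. It works on constructed fragments of the two files that follow the element layout shown above (the secretKey values are made up; prod123.example.com:14101 is the production host from the example). The element names and nesting are assumed to match the real files; because ElementTree drops XML comments and may reorder whitespace, run it against backup copies and diff the result before replacing the originals.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

# Constructed oam-config.xml fragments for the test and production hosts. The
# element layout follows the accessgate-oic example on the page; the secretKey
# values are made up, not real keys.
TEST_OAM_CONFIG = """<Setting Name="NGAMConfiguration" Type="htf:map">
  <Setting Name="accessgate-oic" Type="htf:map">
    <Setting Name="ConfigurationProfile" Type="xsd:string">DefaultProfile</Setting>
    <Setting Name="aaaTimeoutThreshold" Type="xsd:string">-1</Setting>
    <Setting Name="secretKey" Type="xsd:string">TESTKEY0000</Setting>
  </Setting>
</Setting>
"""
PROD_OAM_CONFIG = TEST_OAM_CONFIG.replace("TESTKEY0000", "PRODKEY1111")

# Constructed oic_rp.xml fragment as it looks on the test host.
TEST_OIC_RP = """<SystemConfiguration>
  <hostURL>https://test123.example.com:14101</hostURL>
</SystemConfiguration>
"""


def _local(tag):
    """Strip an XML namespace prefix: {http://...}name -> name."""
    return tag.rsplit("}", 1)[-1]


def _find_setting(scope, name):
    """Return the first <Setting Name="name"> at or below scope, or None."""
    for el in scope.iter():
        if _local(el.tag) == "Setting" and el.get("Name") == name:
            return el
    return None


def _secret_key_element(root):
    """Locate accessgate-oic/secretKey, scoped so a secretKey of some other
    object is never picked up by mistake."""
    agent = _find_setting(root, "accessgate-oic")
    if agent is None:
        raise ValueError("accessgate-oic object not found in oam-config.xml")
    key = _find_setting(agent, "secretKey")
    if key is None:
        raise ValueError("secretKey not found under accessgate-oic")
    return key


def read_secret_key(oam_config_xml):
    """Step 1.1: read the secretKey value of the accessgate-oic object."""
    key = _secret_key_element(ET.fromstring(oam_config_xml))
    return (key.text or "").strip()


def migrate_secret_key(test_xml, prod_xml):
    """Step 1.2: return prod_xml with accessgate-oic/secretKey set to the
    test environment's value; everything else is left as parsed."""
    value = read_secret_key(test_xml)
    root = ET.fromstring(prod_xml)
    _secret_key_element(root).text = value
    return ET.tostring(root, encoding="unicode")


def read_host_url(oic_rp_xml):
    """Return the hostURL value from oic_rp.xml."""
    el = ET.fromstring(oic_rp_xml).find(".//hostURL")
    if el is None or not el.text:
        raise ValueError("hostURL not found in oic_rp.xml")
    return el.text.strip()


def update_host_url(oic_rp_xml, prod_host, prod_port):
    """Step 3: replace only the host:port of hostURL, keeping scheme and path,
    so a stray test host name cannot survive in the production file."""
    root = ET.fromstring(oic_rp_xml)
    el = root.find(".//hostURL")
    if el is None or not el.text:
        raise ValueError("hostURL not found in oic_rp.xml")
    parts = urlsplit(el.text.strip())
    el.text = urlunsplit((parts.scheme, "%s:%d" % (prod_host, prod_port),
                          parts.path, parts.query, parts.fragment))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    migrated = migrate_secret_key(TEST_OAM_CONFIG, PROD_OAM_CONFIG)
    print("production secretKey now:", read_secret_key(migrated))
    updated = update_host_url(TEST_OIC_RP, "prod123.example.com", 14101)
    print("production hostURL now:", read_host_url(updated))
```

On a real system, read the two oam-config.xml files and oic_rp.xml from the respective fmwconfig directories, feed their contents to these functions, and write the returned strings to the production copies only after reviewing the diff.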

13.5.2 Update the Challenge URL After Moving Mobile and Social From a Test to a Production Environment

Complete the following configuration steps on each production machine to finish migrating Mobile and Social from a test to a production environment.

Note:

Before performing these steps, complete the "Copy Mobile and Social From a Test Environment to a Production Environment" steps.
  1. Open the Oracle Access Management console.

  2. Under Access Manager, click Authentication Schemes.

  3. Type OICScheme in the search box and click Search.

    Click OICScheme in the Search Results to open it for editing.

    The Authentication Schemes configuration page opens.

  4. Update the Challenge Redirect URL value to point to the production machine, not the test machine, then click Apply.

    For example: https://production_machine:port/oic_rp/login.jsp

  5. Update the Mobile and Social credential store framework (CSF) entry to point from the test machine to the production machine. To do this, run the following WLST command:

    createCred(map="OIC_MAP", key="https://<production machine host>:<production machine port>/oam/server/dap/cred_submit", user="<description>", password="DCC5332B4069BAB4E016C390432627ED", desc="<description>")
    

    For password, use the value from oam-config.xml, which is located in the domain home/config/fmwconfig directory on the production machine. Use the value from the RPPartner entry, TapCipherKey attribute.

  6. In the Oracle Access Management console, do the following:

    1. Under Mobile and Social, click Social Identity.

    2. In the Application Profiles section, select OAMApplication and click Edit. (If using an application profile name other than OAMApplication, edit that instead.)

    3. Update the Registration URL field host name and port to point to the production machine.

      Click Apply.