51.4 Configuring a Webgate to Support Social Identity

You can configure a Webgate for use with the OAuth Service. The Webgate serves as a proxy so that client authorization and token endpoint requests access the Webgate instead of accessing the Oracle Access Management server directly.

For WebLogic environments only, configure the Webgate as follows:

  1. Install the Oracle HTTP Server 11g Webgate for OAM using the instructions in Installing Webgates for Oracle Access Manager.

  2. Configure the Webgate by defining the following resource and creating an authentication policy and authorization policy.

    1. Open the Oracle Access Management console.

    2. Under Access Manager, click Application Domains.

    3. Find the target domain and open it for editing.

    4. Select the Resources tab.

    5. Create the following resource. If you are using the existing IAMSuiteAgent Host Identifier, the resource is already present and can be found by searching on the Resource URL field.

      /ms_oauth/oauth2/ui/**
      

      Click to select the resource, then click the Edit button.

    6. Under the Protection heading, choose the following options from the menus and click Apply:

      Protection Level - Protected

      Authentication Policy - Protected HigherLevel Policy

      Authorization Policy - Protected Resource Policy

      These settings allow the Webgate to perform user authentication and user authorization.

    7. Add the following resources and set the Protection Level to Excluded:

      /ms_oauth/oauth2/endpoints/**
      /ms_oauth/oauth2/oammsui/**
      /ms_oauth/style/**
      /ms_oauth/img/**
      /oam/**
      

      The Webgate does not protect Excluded resources and allows them to be accessed.

  3. Add the following lines to the mod_wl_ohs.conf file and restart the Webgate. Replace the WebLogicHost and WebLogicPort values with the OAM managed server host and port for your environment.

    # the following directive proxies all the OAuth requests
    <IfModule weblogic_module>
          WebLogicHost host123.us.example.com
          WebLogicPort 17100
          Debug ON
          WLLogFile /tmp/weblogic.log
          MatchExpression /ms_oauth/*
    </IfModule>
    # the following directive proxies all the OAM managed server requests.
    <IfModule weblogic_module>
          WebLogicHost host123.us.example.com
          WebLogicPort 17100
          Debug ON
          WLLogFile /tmp/weblogic.log
          MatchExpression /oam/*
    </IfModule>
    
  4. Update the Access Manager Load Balancing settings as follows:

    1. In the Oracle Access Management console, click Configuration at the top of the window.

    2. Select Access Manager from the View menu in the Settings section.

    3. In the Load Balancing section, change the OAM Server Host and the OAM Server Port settings to the Webgate's host and port settings.

    4. Click Apply.

  5. Complete the following steps.

    1. Open $ORACLE_HOME/Oracle_IDM1/oam/server/apps/ and locate the oam-server.ear file. For example:

      cd /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps
      
    2. Back up the .ear file:

      cp oam-server.ear oam-server.ear.original
      
    3. Create a temporary directory and go to that directory:

      mkdir tmp-ear 
      cd tmp-ear/
      
    4. Extract the oam-server.ear file into the tmp-ear directory:

      jar -xvf ../oam-server.ear
      
    5. Create another temporary directory inside tmp-ear and go to that directory:

      mkdir tmp-ms-war
      cd tmp-ms-war
      

      You should be in this directory:

      /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war
      
    6. Extract the ms_oauth.war into the tmp-ms-war directory:

      jar -xvf ../ms_oauth.war
      
    7. Open the WEB-INF/web.xml file for editing and update it by adding comment tags around the security-constraint as follows:

      <!-- BEGIN: Comment the following security constraint if either the OAM Webgate is front-ending OAM in a WebSphere setup or if the WebLogic server Domain Agent is not used. 
          <security-constraint>
              <web-resource-collection>
                  <web-resource-name>OAuthSecuredResources</web-resource-name>
                  <url-pattern>/oauth2/ui/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>valid-users</role-name>
              </auth-constraint>
          </security-constraint>
       END of security constraint needing to be commented -->
      
    8. Recreate the .war file from the contents of the tmp-ms-war directory (the trailing dot is required so that the extracted files are included):

      jar cvf ms_oauth.war .
      
    9. Copy the updated .war file to the parent directory, then remove the tmp-ms-war directory located in tmp-ear/:

      cp /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war/ms_oauth.war /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear
      
      rm -rf /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war
      
    10. Create the oam-server.ear archive in the tmp-ear directory:

       jar cvf oam-server.ear .
      
    11. Copy the tmp-ear/oam-server.ear archive file to the parent directory:

      cp /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/oam-server.ear /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/oam-server.ear
      
    12. Restart the WebSphere server.

    The Webgate will now reverse-proxy OAuth URLs as well as OAM managed server URLs. All authorization and token endpoint requests are now accessed using the Webgate host and port values instead of the actual OAM host and port values.
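Step 7 of the repackaging procedure removes the container-level authentication constraint on /oauth2/ui/* because the Webgate now enforces it. The following added example (not Oracle's own tooling) shows one way to make that edit reproducibly: it comments out only the OAuthSecuredResources constraint, leaves any other constraint intact, and then parses the result to confirm the file is still well-formed and that only the intended constraint was disabled. The web.xml content below is a constructed sample, not the file shipped in oam-server.ear.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the OAuthSecuredResources constraint from the
# procedure plus a second constraint that the edit must not touch.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OAuthSecuredResources</web-resource-name>
      <url-pattern>/oauth2/ui/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>valid-users</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OtherResources</web-resource-name>
      <url-pattern>/other/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

CONSTRAINT_RE = re.compile(r"<security-constraint>.*?</security-constraint>", re.DOTALL)
JAVAEE_NS = {"j": "http://java.sun.com/xml/ns/javaee"}

def comment_out_constraint(web_xml, name="OAuthSecuredResources"):
    """Wrap only the security-constraint named `name` in an XML comment.
    Raises if zero or several constraints match, or if the block contains
    '--', which is illegal inside an XML comment."""
    hits = []
    def repl(match):
        block = match.group(0)
        if f"<web-resource-name>{name}</web-resource-name>" not in block:
            return block  # a different constraint: leave it as is
        if "--" in block:
            raise ValueError("constraint contains '--'; cannot wrap it in a comment")
        hits.append(block)
        return f"<!-- BEGIN: disabled because the Webgate now protects this path\n{block}\nEND -->"
    result = CONSTRAINT_RE.sub(repl, web_xml)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one '{name}' constraint, found {len(hits)}")
    return result

def remaining_constraint_names(web_xml):
    """Parse the (edited) file and list the constraints the container still enforces."""
    root = ET.fromstring(web_xml)  # raises ParseError if the edit broke the XML
    path = "j:security-constraint/j:web-resource-collection/j:web-resource-name"
    return [e.text for e in root.findall(path, JAVAEE_NS)]
```

Run `comment_out_constraint` on the real WEB-INF/web.xml and check `remaining_constraint_names` on the output before rebuilding the .war, so a mistyped comment cannot silently leave the constraint active or make the descriptor unparseable.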