You can configure a Webgate for use with the OAuth Service. The Webgate serves as a proxy so that client authorization and token endpoint requests access the Webgate instead of accessing the Oracle Access Management server directly.
The following procedure applies to WebLogic environments only.
Install the Oracle HTTP Server 11g Webgate for OAM using the instructions in Installing Webgates for Oracle Access Manager.
Configure the Webgate by defining the following resources and assigning an authentication policy and an authorization policy to them.
Open the Oracle Access Management console.
Under Access Manager, click Application Domains.
Find the target domain and open it for editing.
Select the Resources tab.
Create the following resource. If you are using the existing IAMSuiteAgent Host Identifier, the resource already exists and can be found by searching on the Resource URL field.
Click to select the resource, then click the Edit button.
Under the Protection heading, choose the following options from the menus and click Apply:
Protection Level - Protected
Authentication Policy - Protected HigherLevel Policy
Authorization Policy - Protected Resource Policy
These settings allow the Webgate to perform user authentication and user authorization.
Add the following resources and set their Protection Level to Excluded:
    /ms_oauth/oauth2/endpoints/**
    /ms_oauth/oauth2/oammsui/**
    /ms_oauth/style/**
    /ms_oauth/img/**
    /oam/**
The Webgate does not protect Excluded resources: requests for these paths are passed straight through to the server with no authentication or authorization check, so do not exclude any paths beyond those listed.
Add the following lines to the mod_wl_ohs.conf file and restart the Webgate. Replace WebLogicHost and WebLogicPort with the host and managed server port of your environment; the values shown are examples.
    # the following directive proxies all the OAuth requests
    <IfModule weblogic_module>
        WebLogicHost host123.us.example.com
        WebLogicPort 17100
        Debug ON
        WLLogFile /tmp/weblogic.log
        MatchExpression /ms_oauth/*
    </IfModule>
    # the following directive proxies all the OAM managed server requests.
    <IfModule weblogic_module>
        WebLogicHost host123.us.example.com
        WebLogicPort 17100
        Debug ON
        WLLogFile /tmp/weblogic.log
        MatchExpression /oam/*
    </IfModule>
Debug ON and WLLogFile help while you verify that proxying works. Once it does, set Debug OFF (or remove both directives): verbose plug-in logging is not appropriate on a production server, and a log file at a predictable path in a world-writable directory such as /tmp should not be left in place.
Update the Access Manager Load Balancing settings as follows:
In the Oracle Access Management console, click Configuration at the top of the window.
Select Access Manager from the View menu in the Settings section.
In the Load Balancing section, change the OAM Server Host and the OAM Server Port settings to the Webgate's host and port settings.
Complete the following steps to comment out the container security constraint on the OAuth UI in ms_oauth.war. As the comment written into web.xml below states, this is required if the OAM Webgate is front-ending OAM in a WebSphere setup or if the WebLogic Server Domain Agent is not used.
Go to /ORACLE_IDM1/oam/server/apps/ and locate the oam-server.ear file. Back up the file before editing it. For example:
    cp oam-server.ear oam-server.ear.original
Create a temporary directory and go to it:
    mkdir tmp-ear
    cd tmp-ear/
Extract the oam-server.ear file into the temporary directory:
    jar -xvf ../oam-server.ear
Create another temporary directory inside tmp-ear and go to it:
    mkdir tmp-ms-war
    cd tmp-ms-war
You should now be in tmp-ear/tmp-ms-war. Extract ms_oauth.war into it:
    jar -xvf ../ms_oauth.war
Open the WEB-INF/web.xml file for editing and comment out the security-constraint by adding comment tags around it, as follows:
    <!-- BEGIN: Comment the following security constraint if either the OAM Webgate is front-ending OAM in a WebSphere setup or if the WebLogic server Domain Agent is not used.
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>OAuthSecuredResources</web-resource-name>
        <url-pattern>/oauth2/ui/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>valid-users</role-name>
      </auth-constraint>
    </security-constraint>
    END of security constraint needing to be commented -->
With this constraint commented out, the container no longer requires an authenticated user (valid-users) for /oauth2/ui/*. The Webgate authentication policy defined earlier becomes the only control on that path, so confirm that it covers /ms_oauth/oauth2/ui/ with Protection Level Protected, not Excluded, before you redeploy.
Repackage the .war file in the tmp-ms-war directory (the trailing dot tells jar to archive the current directory):
    jar cvf ms_oauth.war .
Copy the updated .war file to the parent directory, then remove the tmp-ms-war directory located in tmp-ear:
    cp /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war/ms_oauth.war /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear
    rm -rf /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/tmp-ms-war
Go to the tmp-ear directory (the example path below matches the earlier steps) and repackage the oam-server.ear archive there:
    cd /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear
    jar cvf oam-server.ear .
Copy the tmp-ear/oam-server.ear archive file to the parent directory, replacing the original:
    cp /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/tmp-ear/oam-server.ear /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps/oam-server.ear
Restart the WebSphere server so that the updated oam-server.ear is deployed.
The Webgate now reverse-proxies the OAuth URLs as well as the OAM managed server URLs. All authorization and token endpoint requests are accessed using the Webgate host and port instead of the actual OAM host and port.
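As an added example (not part of the Oracle documentation and not Oracle's own tooling), the following POSIX shell script carries out the unpack, edit, verify and repack procedure above in one step, and adds the check a practitioner would want: it refuses to repack if an active OAuthSecuredResources constraint remains. It assumes the JDK jar tool is on the PATH and that the argument to repack_oam_server_ear is your oam/server/apps directory; the sample web.xml it edits in the offline demo is constructed for this example. Unlike the manual steps, it writes each repacked archive directly into the parent directory instead of copying it afterwards, and the awk comment-tracking assumes XML comments open and close on their own lines, which is how both the manual edit and this script write them.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation or Oracle's tooling.
# Automates the "comment out the OAuthSecuredResources security-constraint"
# procedure: unpack oam-server.ear, edit ms_oauth.war's WEB-INF/web.xml,
# verify the edit, repack. Assumes the JDK 'jar' tool is on PATH and that
# the argument to repack_oam_server_ear is your apps directory (assumed path).
set -eu

# Wrap the <security-constraint> block that names $1 in an XML comment in
# file $2, in place. Blocks already inside a comment are left alone, so the
# edit is idempotent; every other constraint is copied through unchanged.
comment_constraint() {
    name=$1; webxml=$2
    awk -v name="$name" '
        function flush() {
            if (index(buf, name))
                printf "<!-- commented out by comment_constraint: the Webgate policy protects this path\n%s-->\n", buf
            else
                printf "%s", buf
            inblock = 0; buf = ""
        }
        inblock { buf = buf $0 "\n"; if ($0 ~ /<\/security-constraint>/) flush(); next }
        /<!--/ { incomment = 1 }
        /-->/  { incomment = 0; print; next }
        incomment { print; next }
        /<security-constraint>/ {
            inblock = 1; buf = $0 "\n"
            if ($0 ~ /<\/security-constraint>/) flush()
            next
        }
        { print }
    ' "$webxml" > "$webxml.tmp" && mv "$webxml.tmp" "$webxml"
}

# Print how many lines mentioning $1 sit outside XML comments in file $2
# (comments are assumed to open and close on their own lines, as above).
active_constraints() {
    awk -v name="$1" '
        /<!--/ { incomment = 1 }
        /-->/  { incomment = 0; next }
        !incomment && index($0, name) { n++ }
        END { print n + 0 }
    ' "$2"
}

# Full procedure against a real apps directory, for example:
# repack_oam_server_ear /scratch/test/Oracle/Middleware/Oracle_IDM1/oam/server/apps
repack_oam_server_ear() {
    apps=$1
    cd "$apps"
    cp oam-server.ear oam-server.ear.original   # backup, as the procedure requires
    rm -rf tmp-ear && mkdir tmp-ear && cd tmp-ear
    jar -xvf ../oam-server.ear
    mkdir tmp-ms-war && cd tmp-ms-war
    jar -xvf ../ms_oauth.war
    comment_constraint OAuthSecuredResources WEB-INF/web.xml
    if [ "$(active_constraints OAuthSecuredResources WEB-INF/web.xml)" -ne 0 ]; then
        echo "OAuthSecuredResources constraint still active; not repacking" >&2
        return 1
    fi
    jar cvf ../ms_oauth.war .      # new war lands directly in tmp-ear
    cd .. && rm -rf tmp-ms-war
    jar cvf ../oam-server.ear .    # new ear replaces the original in apps
    cd .. && rm -rf tmp-ear
}

# Constructed sample web.xml for the offline demo (not the real ms_oauth file):
# one OAuth constraint that must be commented out and one that must survive.
make_sample_webxml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OAuthSecuredResources</web-resource-name>
      <url-pattern>/oauth2/ui/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>valid-users</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OtherResources</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
EOF
}

# Offline demo of the edit and the check (no jar needed).
work=$(mktemp -d)
make_sample_webxml "$work/web.xml"
comment_constraint OAuthSecuredResources "$work/web.xml"
echo "active OAuthSecuredResources constraints: $(active_constraints OAuthSecuredResources "$work/web.xml")"   # prints 0
rm -rf "$work"
```

Run the demo as-is to see the edit on the sample file, or call repack_oam_server_ear with your apps directory to perform the real procedure; because the repack step is gated on active_constraints returning 0, a web.xml whose layout the awk does not recognise results in a refusal rather than a silently unchanged archive.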