3 Managing Mobile Security Access Server Applications

Mobile Security Access Server (MSAS) applications group related URLs to be proxied through the MSAS server. You can secure these URLs using access policies and assertions. Each application contains the definition of the URLs to be proxied, as well as the security artifacts and policies attached to each URL.


3.1 Mobile Security Access Server Application Types

Mobile Security Access Server (MSAS) can act as a forward proxy or a reverse proxy for URL traffic.

  • As a forward proxy, MSAS acts as an intermediary allowing clients to directly access back-end resources.

  • As a reverse proxy, MSAS hides the back-end resources from the clients. The response to the client looks like it originated from MSAS.

MSAS uses the concept of application types to capture how MSAS handles a particular URL, that is, as a forward proxy or as a reverse proxy. Each application:

  • Contains the definition of one or more virtual URLs or proxy URLs.

  • Contains related security artifacts and access policies attached to each URL.

The applications are deployed to MSAS instances, and can be exported and imported from test to production environments.

Mobile Security Access Server supports the types of applications described in the following table.

Virtual Application
    Description: Virtual applications allow customers to create new URLs in MSAS for back-end URLs. These new MSAS URLs are also called virtual URLs. Customers can then provide the MSAS URLs to clients and completely hide the back-end URLs. In this model, MSAS behaves as a reverse proxy for the back-end URL.

Proxy Application
    Description: Applications defined in the MSAS environment that specify back-end URLs that will be proxied directly through the Mobile Security Access Server. In this case, the Mobile Security Access Server acts as a forward proxy. The back-end URLs are visible to the client but the requests are proxied through the Mobile Security Access Server.

Direct URL
    Description: Reserved application per MSAS instance that you can edit to specify URLs that are directly accessed and are not intercepted by the Mobile Security Access Server. This application is created by default when you create an MSAS instance. You cannot create or delete this type of application. For details about using this application to configure directly-accessed URLs, see "Configuring Direct URLs."

Blocked URL
    Description: Reserved application per MSAS instance that you can edit to specify URLs that are designated as inaccessible. This application is created by default when you create an MSAS instance. You cannot create or delete this type of application. For details about using this application to configure blocked URLs, see "Configuring Blocked URLs."

3.2 Reserved Applications in MSAS

Table 3-1 describes the reserved applications that are created by default when you create an MSAS instance.

Table 3-1 Default Virtual and Proxy Applications

BLOCK
    Type: Blocked URL
    Description: Used to specify URLs that are designated as inaccessible, or blacklisted. You can add URLs to, and delete URLs from, this application, but you cannot edit the application name or delete the application.

DIRECT
    Type: Direct URL
    Description: Used to specify URLs that can be directly accessed and are not intercepted by the Mobile Security Access Server. You can add and delete URLs, but you cannot edit the application name or delete the application.

msm-reverse-proxy
    Type: Virtual
    Description: Provides virtual URLs for Mobile Security Manager (MSM) services such as Mobile Device Management (MDM) and Mobile Application Management (MAM). You can configure the URLs defined in this application, but you cannot add or delete URLs, change the name of the application, or delete the application.

    WARNING: Deleting this application will destabilize an MSAS instance and lead to undefined behavior. In this case you will need to create an entirely new instance.

msm
    Type: Proxy
    Description: Used to secure forward-proxy requests for MSM services such as Enhanced Client/Proxy (ECP) and Mobile File Manager (MFM). You can configure the URLs defined in this application, but you cannot add or delete URLs, change the name of the application, or delete the application.

    WARNING: Deleting this application will destabilize an MSAS instance and lead to undefined behavior. In this case you will need to create an entirely new instance.

Default URL
    Type: Proxy
    Description: This application is provided for convenience purposes and is used to secure all forward-proxy requests by default. It contains a wildcard path (/) that applies to all URLs in the environment that are not defined explicitly in a proxy application. By using a default URL, you do not need to define every URL in the system using a proxy URL. You can edit the URL defined in the application, and you can add or delete proxy URLs. You can edit the name of this application, and delete it.

OAM Pass-through Proxy App
    Type: Proxy
    Description: Proxy application that contains default pass-through OAM URLs required when using MSAS as a WebGate.

    WARNING: If you are using MSAS as a WebGate, you should not delete this application. Doing so can lead to undefined behavior.


3.3 Viewing MSAS Applications in the Environment

To view all the applications in the MSAS environment:

  1. From the Oracle Access Management home page, click the Mobile Security tab from the list of tabs at the top of the page.

  2. From the Mobile Security Launch Pad, click Applications in the Mobile Security Access Server section to display the MSAS Applications page.

    Alternatively, from the Mobile Security Launch Pad, click Environments, then click Applications in the MSAS tile.

    The MSAS Applications page is displayed.

  3. Click Load More Items to display additional applications as required.

3.4 Creating a Virtual Application

Virtual MSAS applications include one or more virtual URLs, or reverse-proxy URLs. In a reverse-proxy configuration, you create a virtual URL to hide the actual URL from the client.

To create a virtual application:

  1. Navigate to the MSAS Applications page:

    • From the Mobile Security Launch Pad in the OAM console, click Applications in the Mobile Security Access Server section.

    • Alternatively, from the Mobile Security Launch Pad, click Environments, then click Applications in the MSAS tile.

  2. Click +Create, then Virtual Application.

  3. In the Create Virtual Application window, provide the name, display name, description, and MSAS instance for the application and click Save.

    Field: Description

    Name: Enter a name for the application. The name must:
    • Be unique within the MSAS instance.

    • Adhere to the XML xs:NCName format using only valid NCName ASCII characters. For example, it must start with a letter or underscore (_), and cannot contain any space characters or colons (:).

      For the NCName format definition, see the W3C document Namespaces in XML 1.0 (Third Edition) at http://www.w3.org/TR/REC-xml-names/#NT-NCName

    Display Name: Optionally, enter a meaningful name that can be used to identify the application in the console.

    Description: Optionally, enter a brief description of the application.

    MSAS Instance: From the menu, select the instance that will contain the application.

  4. In the URLs page, click +URL or Create URL to add virtual URLs to the application.

  5. In the Add URL window, click Add to configure the virtual URL and enter the host URL, name, MSAS URI, and HTTP method. To add more than one URL, click Add again and complete the fields. When you have defined the URLs, click Save. Note that once you click Save, you need to click +URL again to add more URLs.

    Field: Description

    Host URL: Enter the URL to add to the application. This URL will not be visible to clients. For example, http://host1:port1/actualURL.

    Name: Enter a meaningful name for the virtual URL. This name will be used to identify the virtual URL in the console.

    MSAS URI: Enter the virtual URL that will be visible to clients. It must be unique within the MSAS instance and will identify the relative path of the virtualized URL. For example, /actualURL.

    The full virtual web application URL will resolve to http://msas_host:msas_port/actualURL.

    HTTP Method: Select the HTTP method to use for the virtual URL.
    • GET—Retrieves the information specified in the request URI.

    • POST—Requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request URI.

    • PUT—Requests that the target resource be created or modified with the entity enclosed in the request message.

    • HEAD—Identical to GET but without the message body in the response.

    • OPTIONS—Returns the HTTP methods that the server supports for the URL.

    • TRACE—Loops the received request back to the client so that they can see what was received by the server and any intermediaries.

    • CONNECT—Not supported.

    • DELETE—Deletes the resource specified in the request URL.

    • All—All HTTP verbs.

    For details about HTTP methods, see the Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content RFC document at https://tools.ietf.org/html/rfc7231.

    Description: Optionally, enter a description for the virtual URL.

    2-way SSL: Reserved for future use.

  6. On the URLs page, click the URL icon or the URL Name to open the URL Policy Configuration page for the URL. The URL Policy Configuration page opens in a new tab. From this page, you can secure the URL at the policy enforcement points. For details, see Chapter 5, "Securing Mobile Security Access Server Resources."

3.5 Creating a Proxy Application

Proxy applications include one or more forward proxy URLs. In a forward-proxy configuration, the client is aware of the URL and can access it directly using a proxy server configured on the client side.

To create a proxy application:

  1. Navigate to the MSAS Applications page:

    • From the Mobile Security Launch Pad in the OAM console, click Applications in the Mobile Security Access Server section.

    • Alternatively, from the Mobile Security Launch Pad, click Environments, then click Applications in the MSAS tile.

  2. Click +Create, then Proxy Application.

  3. In the Create Proxy Application window, provide the name, display name, description, and MSAS instance for the application and click Save.

    Field: Description

    Name: Enter a name for the application. The name must:
    • Be unique within the MSAS instance.

    • Adhere to the XML xs:NCName format using only valid NCName ASCII characters. For example, it must start with a letter or underscore (_), and cannot contain any space characters or colons (:).

      For the NCName format definition, see the W3C document Namespaces in XML 1.0 (Third Edition) at http://www.w3.org/TR/REC-xml-names/#NT-NCName

    Display Name: Optionally, enter a meaningful name that can be used to identify the application in the console.

    Description: Optionally, enter a brief description of the application.

    MSAS Instance: From the menu, select the instance that will contain the application.

  4. In the Proxy URLs page, click +Proxy URL or Create URL to add proxy URLs to the application.

  5. In the Add Proxy URL window, click Add to configure the proxy URL and enter a host URL and name. To add more than one URL, click Add again and complete the fields. When you have defined the URLs, click Save. Note that once you click Save, you need to click +Proxy URL again to add more URLs.

    Field: Description

    Host URL: Enter the URL to add to the application. It must be unique to all applications in the MSAS instance.

    Name: Enter a meaningful name for the proxy URL. This name will be used to identify the proxy URL in the console.

    Description: Optionally, enter a description for the proxy URL.

    2-way SSL: Reserved for future use.

  6. On the URLs page, click the URL icon or the URL Name to open the URL Policy Configuration page for the URL in a new tab. From this page, you can secure the URL at the policy enforcement points. For details, see Chapter 5, "Securing Mobile Security Access Server Resources."
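
The naming and uniqueness rules in sections 3.4 and 3.5 can be checked on a planned set of applications before anything is entered in the console. The following is an added example, not Oracle code: the plan format (a list of dictionaries), the `check_plan` function, and the decision to flag TRACE and All for review are assumptions made for illustration, and values are compared exactly as written.

```python
import re
from collections import defaultdict

# ASCII subset of xs:NCName: starts with a letter or underscore, no spaces or colons.
NCNAME_ASCII = re.compile(r"[A-Za-z_][A-Za-z0-9._-]*\Z")
# Methods offered for a virtual URL in section 3.4 (CONNECT is listed as not supported).
METHODS = {"GET", "POST", "PUT", "HEAD", "OPTIONS", "TRACE", "DELETE", "All"}
# Assumption: a reviewer wants to look at URLs that echo requests (TRACE) or allow every verb.
REVIEW_METHODS = {"TRACE", "All"}


def check_plan(apps):
    """Return a list of (application, url_name, finding) tuples for a planned configuration."""
    findings = []
    app_names = defaultdict(set)     # instance -> application names seen
    msas_uris = defaultdict(dict)    # instance -> {MSAS URI: owning application}
    proxy_hosts = defaultdict(dict)  # instance -> {proxy host URL: owning application}

    for app in apps:
        inst, name = app["instance"], app["name"]
        if not NCNAME_ASCII.match(name):
            findings.append((name, "-", "name is not an ASCII NCName"))
        if name in app_names[inst]:
            findings.append((name, "-", "application name already used in instance"))
        app_names[inst].add(name)

        for url in app["urls"]:
            if app["type"] == "virtual":
                uri, method = url["msas_uri"], url["method"]
                # The MSAS URI must be unique within the MSAS instance.
                if uri in msas_uris[inst]:
                    owner = msas_uris[inst][uri]
                    findings.append((name, url["name"], f"MSAS URI {uri} already used by {owner}"))
                else:
                    msas_uris[inst][uri] = name
                if method not in METHODS:
                    findings.append((name, url["name"], f"HTTP method {method} is not supported"))
                elif method in REVIEW_METHODS:
                    findings.append((name, url["name"], f"HTTP method {method} needs review"))
            else:
                # A proxy host URL must be unique across all applications in the instance.
                host = url["host_url"]
                if host in proxy_hosts[inst]:
                    owner = proxy_hosts[inst][host]
                    findings.append((name, url["name"], f"host URL {host} already used by {owner}"))
                else:
                    proxy_hosts[inst][host] = name
    return findings


# Constructed sample plan; every name, host and URI below is made up.
PLAN = [
    {"instance": "msas1", "name": "hr_api", "type": "virtual", "urls": [
        {"name": "hr", "host_url": "http://host1:8001/hr", "msas_uri": "/hr", "method": "GET"},
        {"name": "hr-debug", "host_url": "http://host1:8001/debug", "msas_uri": "/hr-debug", "method": "TRACE"},
    ]},
    {"instance": "msas1", "name": "2nd:app", "type": "virtual", "urls": [
        {"name": "dup", "host_url": "http://host2:8002/hr", "msas_uri": "/hr", "method": "CONNECT"},
    ]},
    {"instance": "msas1", "name": "partner_proxy", "type": "proxy", "urls": [
        {"name": "partner", "host_url": "http://partner.example:8080/api"},
    ]},
    {"instance": "msas1", "name": "partner_copy", "type": "proxy", "urls": [
        {"name": "partner2", "host_url": "http://partner.example:8080/api"},
    ]},
    {"instance": "msas2", "name": "hr_api", "type": "virtual", "urls": [
        {"name": "hr", "host_url": "http://host1:8001/hr", "msas_uri": "/hr", "method": "GET"},
    ]},
]

if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```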

3.6 Viewing the Applications in an MSAS Instance

To view the applications in an MSAS instance:

  1. From the Oracle Access Management home page, click the Mobile Security tab from the list of tabs at the top of the page.

  2. From the Mobile Security Launch Pad, click Applications in the Mobile Security Access Server section to display the MSAS Applications page.

  3. Use the Search field to filter the list of applications by MSAS Instance Name:

    1. From the Search menu, select MSAS Instance Name.

    2. Enter all or part of the MSAS Instance Name in the field and click the Search icon.

    An initial set of applications in the instance is displayed.

  4. Click Load More Items to display additional applications as required.

Alternatively, you can navigate to the MSAS applications page directly from the instance. When you do so, only the applications in the instance are displayed. To do so:

  1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

  2. From the Mobile Security Launch Pad, click Environments in the Mobile Security Access Server section.

  3. Click MSAS or Instances in the MSAS tile to open the MSAS Instances Summary page.

  4. If necessary, use the Search field to refine the list of instances or to locate a specific instance. Enter all or part of a name in the Search field and press the search icon.

  5. Click Applications in the tile for the desired instance. The first 5 applications in the instance are displayed in the MSAS Applications page.

  6. Click Load More Items to display additional applications as required.

3.7 Searching for MSAS Applications

To search for applications in the environment or in an instance:

  1. Navigate to the MSAS Applications page:

    1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

    2. In the Mobile Security Access Server section click Applications. Alternatively, you can click Environments, then click Applications in the MSAS tile.

  2. Select the type of search and enter the search value in the Search field. Valid search fields are:

    • Name—Returns all applications with a name matching the value specified.

    • MSAS Instance Name—Returns all applications in an MSAS instance that matches the MSAS Instance Name specified.

    • Tags—Returns all applications that contain the tag matching the value specified.

    You can use the percent sign (%) as a wildcard anywhere in the name. The asterisk (*) is not recognized as a wildcard and is treated as plain text. Searches using the Name and Tags fields are case insensitive, but searches using the MSAS Instance Name field are case sensitive.

  3. To search for applications by type, or to further refine the search results, select the type of application to display from the Type menu. Valid options are:

    • Virtual Applications—Applications defined in the MSAS environment that specify virtual URLs for back-end URLs. In this case MSAS acts as a reverse proxy.

    • Proxy Applications—Applications defined in the MSAS environment that specify back-end URLs that are proxied directly through the Mobile Security Access Server. In this case MSAS acts as a forward proxy.

    • Direct URL—Reserved application that defines URLs that can be directly accessed and are not intercepted by the Mobile Security Access Server.

    • Blocked URL—Reserved application that defines URLs that are designated as inaccessible, or blacklisted.

    • ALL—All types of applications in the environment.

      For more information, see "Mobile Security Access Server Application Types".

  4. From the Sort By menu, select the order to display the search results. You can sort by Application name, MSAS Instance Name, or by applications that were modified most recently.

3.8 Viewing MSAS Application Details

To view the details for an MSAS application:

  1. Navigate to the MSAS Applications page:

    1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

    2. In the Mobile Security Access Server section click Applications. Alternatively, you can click Environments, then click Applications in the MSAS tile.

    3. If necessary, narrow the list of applications displayed by using the Search field. See "Searching for MSAS Applications".

  2. Click the icon, or the name of the application for which you want to view the details.

  3. Use the MSAS Application Details page to:

    • View summary information about the application such as the associated instance, security context, and when it was last modified.

    • View the number of URLs configured in the application. Click the URLs search icon to navigate to the URLs or Proxy URLs page to view details about the URLs. See "Managing URLs in an MSAS Application".

    • Navigate to the Application Roles page where you can view or search for configured roles, add or delete roles, and configure role hierarchy. See "Managing Roles in an MSAS Application".

    • View and edit the tags configured in the application. You can use tags to categorize applications to make them easier to locate in the console. See "Categorizing MSAS Applications Using Tags".

    • Export the application.

3.9 Editing an MSAS Application

After you create an MSAS application, you can add or edit URLs, application roles, and tags in the application.

To edit an MSAS application:

  1. Navigate to the MSAS Applications page:

    1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

    2. In the Mobile Security Access Server section click Applications. Alternatively, you can click Environments, then click Applications in the MSAS tile.

    3. If necessary, narrow the list of applications displayed by using the Search field. See "Searching for MSAS Applications".

  2. Click the icon, or the name of the application that you want to edit.

  3. In the MSAS Application Details page, you can edit the application as follows:

    • Click the URLs search icon to navigate to the URLs or Proxy URLs page. From this page you can search for URLs in the application, view details about the URLs, edit the URL definition, add or delete URLs, and navigate to the URL Policy Configuration page. See "Managing URLs in an MSAS Application".

    • Click the Application Roles search icon to navigate to the Application Roles page where you can view or search for configured roles, and add roles. See

    • Click the tags icon to add or edit tags in the application. You can use tags to categorize applications to make them easier to locate in the console. See "Categorizing MSAS Applications Using Tags".

  4. When you have finished editing the application, click Apply to save your changes.

Note:

When an application is being edited, the name in the tab is shown in italics. When you click Apply or Revert to save or discard the changes, the font returns to normal.

3.10 Managing URLs in an MSAS Application

You can manage the URLs in an application from the Proxy URLs or URLs page (virtual URLs). From this page you can search for URLs in the application, view details about the URLs, edit the URL definition, add or delete URLs, and navigate to the URL Policy Configuration page where you can attach policies and assertions to secure the URLs.

To manage the URLs in an MSAS application, navigate to the URLs or Proxy URLs page:

  1. From the Mobile Security Launch Pad in the OAM console, click Applications in the Mobile Security Access Server section. Alternatively, you can click Environments, then click Applications in the MSAS tile.

  2. If necessary, narrow the list of applications displayed on the MSAS Applications page using the Search field. See "Searching for MSAS Applications".

  3. Click the application type icon, or the name of the application for which you want to manage the URLs to open the MSAS Application Detail page. The number of URLs configured in the application is displayed.

  4. Click the URLs search icon to open the URLs or Proxy URLs page.

  5. Use the URLs or Proxy URLs page to:

    • View a list of the virtual or proxy URLs configured in the application.

    • Search for virtual or proxy URLs in the application. Enter all or part of the URL name in the Search field and press the search icon.

    • Add virtual or proxy URLs to an application. Click +Proxy URL or +URL (for virtual applications) and complete the fields. For more information about adding URLs to an application, see "Creating a Virtual Application" and "Creating a Proxy Application".

    • Delete virtual or proxy URLs from an application. Click the Options menu icon then Delete in the row containing the URL to be deleted.

    • Edit the definition of a URL. Click the Options menu icon, then Edit, in the row containing the URL to be edited. In the pop-up window, edit the fields as required and click Apply.

    • Navigate to a page where you can view or edit the security configuration of a URL using policies and assertions. Click the URL icon or the URL name to open the URL Policy Configuration page for the URL in a new tab. From this page, you can secure the URL at the policy enforcement points. For details, see Chapter 5, "Securing Mobile Security Access Server Resources."

3.11 Exporting MSAS Applications

You can export an MSAS application in a zip archive to be used in a different MSAS environment. Used in combination with Import, you can move applications between repositories. You export applications from the MSAS Applications page, or the MSAS Application Details page for a specific application.

Note:

You cannot export the BLOCK, DIRECT, msm, and msm-reverse-proxy reserved applications.

Also, you should not export the OAM Pass-through Proxy App reserved application.

To export an MSAS application:

  1. Navigate to the MSAS Applications page:

    1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

    2. In the Mobile Security Access Server section click Applications. Alternatively, you can click Environments, then click Applications in the MSAS tile.

    3. If necessary, narrow the list of applications displayed in the MSAS Applications page by using the Search field. See "Searching for MSAS Applications".

  2. In the MSAS Applications page, click the Options menu icon in the row for the application to be exported and click Export. Alternatively, click the icon or the name of the application in the table then, on the MSAS Application Details page, click Export.

  3. Save the zip archive to your file system.

The directory structure for each application is maintained in the archive file using the following structure:

META-INF/virtualapplication/MSASInstanceName/application_name

3.12 Importing MSAS Applications

You can use the import feature to import a zip archive containing an MSAS application into your environment. Used in combination with Export, you can move applications between different repositories.

To import an MSAS application:

  1. Navigate to the MSAS Applications page.

    1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

    2. In the Mobile Security Access Server section click Applications. Alternatively, you can click Environments, then click Applications in the MSAS tile.

  2. Click Import.

  3. In the Import MSAS Application window:

    1. Locate the zip archive to be imported on your local file system.

    2. Select the MSAS instance to which you want to import the application.

    3. Click Import. The imported application is added to the list of applications in the Applications table.

Notes:

All application names in an instance must be unique. If you attempt to import an application with the same name as an application that already exists in the instance, you are prompted to select an alternate zip file.

The applications to be imported must use the following directory structure:

META-INF/virtualapplication/MSASInstanceName/application_name

3.13 Categorizing MSAS Applications Using Tags

Tags provide a way to categorize applications to make them easier to find in the console. After you create an application, you can edit the application to add tags. You can then use the tags in the search field in the MSAS Applications page to quickly find applications with the assigned tag.

To use tags in an application:

  1. Navigate to the MSAS Applications page:

    1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

    2. In the Mobile Security Access Server section click Applications. Alternatively, you can click Environments, then click Applications in the MSAS tile.

    3. If necessary, narrow the list of applications displayed by using the Search field. See "Searching for MSAS Applications".

  2. Click the icon, or the name of the application to which you want to add tags.

  3. In the MSAS Application Details page, click the Tags icon to open the Tags window.

  4. To add, edit, or delete a tag:

    • To add a tag, click Add and enter the tag name in the Tag field.

    • To delete a tag, click the X in the row containing the tag to be deleted.

    • To edit a tag, click the tag name and edit the tag name in the Tag field as required.

  5. Click OK to close the Tags window and click Apply to save the changes in the application.

3.14 Deleting MSAS Applications

You can delete MSAS applications from the MSAS Applications page.

Note:

You cannot delete the BLOCK, DIRECT, msm, and msm-reverse-proxy reserved applications.

Also, you should not delete the OAM Pass-through Proxy App reserved application.

To delete an MSAS application:

  1. Navigate to the MSAS Applications page:

    1. From the Oracle Access Management home page, select the Mobile Security tab from the list of tabs at the top of the page.

    2. In the Mobile Security Access Server section click Applications. Alternatively, you can click Environments, then click Applications in the MSAS tile.

    3. If necessary, narrow the list of applications displayed in the MSAS Applications page by using the Search field. See "Searching for MSAS Applications".

  2. In the MSAS Applications page, click the Options menu icon in the row for the application to be deleted and click Delete.

  3. In the Delete Application window, click Delete to confirm the deletion.

    The application is removed from the table in the MSAS Applications page.