Protect an Application Deployed in WebLogic Server with Oracle Access Management 12c

Introduction

This tutorial shows you how to deploy a sample application to WebLogic Server and protect it with Oracle Access Management 12c.

This is the tenth and final tutorial in the series Getting Started with Oracle Access Management 12c. Read them sequentially.

Objective

Most organizations deploy applications to WebLogic Server and want to protect them with Oracle Access Management.

Prerequisites

You must have completed the tutorial Create and Configure a WebGate.

Create a New Domain and Managed Server

In this section you will create a new WebLogic domain and Managed Server ready to deploy a sample application.

  1. Launch a terminal window as oracle and enter the following command:

    cd /u01/app/oracle/product/middleware/oracle_common/common/bin
    ./config.sh
    
  2. Follow the table below to guide you through the configuration screens:

    Step  Window Description          Choice or Values
    1     Create Domain               Select Create a new domain
                                      Domain Location: /u01/app/oracle/admin/domains/app_domain
    2     Templates                   Select Create Domain Using Product Templates
                                      Select: Basic WebLogic Server Domain
    3     Administrator Account       Name: weblogic
                                      Password: <password>
                                      Confirm: <password>
    4     Domain Mode and JDK         Domain Mode: Production
                                      JDK: Oracle Hotspot
    5     Advanced Configuration      Select: Administration Server, Node Manager, and Topology
    6     Administration Server       Listen Port: 8001
    7     Node Manager                Node Manager Type: Per Domain Default Location
                                      Username: weblogic
                                      Password: <password>
                                      Confirm Password: <password>
    8     Managed Servers             Click Add
                                      Server Name: app_server1
                                      Listen Port: 8003
    9     Clusters                    Click Next
    10    Server Templates            Click Next
    11    Machines                    Click Add
                                      Name: app_machine
                                      Port: 5557
    12    Assign Servers to Machines  Select: Admin Server and app_server1
                                      Highlight app_machine and click the right arrow
    13    Virtual Targets             Click Next
    14    Partitions                  Click Next
    15    Configuration Summary       Click Create
    16    Configuration Progress      Click Next
    17    End of Configuration        Click Finish

Start the Application Domain Servers

  1. Launch a terminal window as oracle and enter the following commands to start the application domain AdminServer. Enter the WebLogic administrator credentials (weblogic/<password>) when prompted:

    cd /u01/app/oracle/admin/domains/app_domain/
    ./startWebLogic.sh
    

    Wait until the terminal displays the message Server started in RUNNING mode. Minimize the window.

  2. In another terminal window start Node Manager by running the following command:

    cd /u01/app/oracle/admin/domains/app_domain/bin
    ./startNodeManager.sh
    
  3. Start the app_server1 Managed Server by starting a browser and logging into the Oracle WebLogic Server Administration console at http://oam.example.com:8001/console. Login with username and password weblogic/<password>.

  4. In the Domain Structure pane, expand app_domain > Environment > Servers.

  5. Click the Control tab and select the app_server1 checkbox. Click Start.

  6. In the Server Life Cycle Assistant page click Yes.

  7. Click the refresh icon and wait for the app_server1 to say RUNNING.

Deploy a Sample Application to WebLogic Server

  1. In this section you will download a sample bank application and deploy it to app_server1.

  2. Download the mybank.war file and move it to /stage.

    Note: Oracle accepts no responsibility for this application. It is intended for use as a test sample application only.

  3. In a browser access the Oracle WebLogic Server Administration console at http://oam.example.com:8001/console. Login with username and password weblogic/<password>.

  4. Under Domain Structure > app_domain, click Deployments.

  5. Click Lock and Edit in the Change Center panel.

  6. Under Deployments click Install.

  7. Change the Path to /stage and press Enter. Select the mybank.war radio button and click Next.

  8. In the Install Application Assistant page, ensure Install this deployment as an application is selected and click Next.

  9. Select the app_server1 checkbox and click Next.

  10. Click Finish.

  11. Once the mybank application is deployed, click Activate Changes in the Change Center panel.

  12. In the Summary of Deployments page click the Control tab.

  13. Select the mybank checkbox and click Start > Servicing all Requests. Select Yes to start the deployment.

  14. Test that you can access the mybank application at the URL http://oam.example.com:8003/mybank. The page should display as follows:

    [Illustration: mybank.jpg]

Configure MOD_WL_OHS

In this section you will configure mod_wl_ohs so you can access the mybank application via Oracle HTTP Server.

  1. Launch a browser and access Fusion Middleware Control via https://oam.example.com:7002/em. Login with weblogic/<password>.

  2. Click on the oam_domain navigation tree in the top left of the page. Select HTTP Server > ohs1.

  3. From the Oracle HTTP Server drop down menu select Administration > mod_wl_ohs Configuration.

  4. Click the unlocked padlock icon in the top right of the page and select Lock and Edit.

  5. Select the Provide WebLogic Server Host and Port details radio button and enter the following details:

    • WebLogic Host: oam.example.com
    • WebLogic Port: 8003

  6. In the Locations field click Add Row, enter the following details, and click Apply:

    • Location: /mybank
    • WebLogic Host: oam.example.com
    • WebLogic Port: 8003

  7. Click the Padlock in the top right corner and select Activate Changes.

  8. Once the Confirmation message is returned, click the Restart button and confirm the restart. Once complete you should see the Completed Successfully message.

Configure WebLogic Plugin

In this section you set WebLogic Plugin Enabled to true. This is required because in the /mybank scenario we are terminating SSL at OHS. The path of communication is:

Browser -> https -> OHS:4443 -> http -> app_server1:8003

Failure to set WebLogic Plugin Enabled to true will result in the browser redirecting to an HTTP URL http://oam.example.com:4443/mybank after login instead of HTTPS https://oam.example.com:4443/mybank, and the connection will fail.

  1. In a browser access the Oracle WebLogic Server Administration console at http://oam.example.com:8001/console. Login with username and password weblogic/<password>.

  2. Navigate to app_domain > Environment > Servers > app_server1.

  3. Click on Advanced.

  4. Click Lock and Edit.

  5. Set WebLogic Plug-In Enabled to yes, and click Save.

  6. Click Activate Changes.

  7. Navigate to the Domain Structure pane, expand app_domain > Environment > Servers.

  8. Click the Control tab and select the app_server1 checkbox. Click Shutdown > Force shutdown now.

  9. In the Server Life Cycle Assistant page click Yes. Click on the refresh icon and wait until the server says SHUTDOWN.

  10. Select the app_server1 checkbox. Click Start. In the Server Life Cycle Assistant page click Yes. Click on the refresh icon and wait until the server says RUNNING.

  11. Launch an Incognito or private browser. Access the mybank application via the OHS URL: https://oam.example.com:4443/mybank.

    Note: As all OHS pages are currently protected via Oracle Access Management, you should be redirected to the OAM SSO login page.

  12. Log in as weblogic/<password> if using the Embedded LDAP server, or if you configured OUD then login as ahall/welcome1.

    If successful the Online Banking page should be displayed:

    [Illustration: mybanksuccess.jpg]
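
The redirect failure described at the start of this section can be checked from captured response headers. The following is an added example, not part of the original tutorial: it classifies a response received through OHS as a scheme downgrade when an HTTPS request is redirected to plain HTTP on the same host. The sample header blocks are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def parse_response_head(raw):
    """Return (status_code, headers) from a raw HTTP response header block."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_redirect(request_url, raw_head):
    """Classify the response to request_url as 'no-redirect', 'ok' or 'downgrade'."""
    status, headers = parse_response_head(raw_head)
    if status not in REDIRECT_CODES or "location" not in headers:
        return "no-redirect"
    req = urlsplit(request_url)
    # urljoin resolves a relative Location against the URL that was requested.
    target = urlsplit(urljoin(request_url, headers["location"]))
    if (req.scheme == "https" and target.scheme == "http"
            and target.hostname == req.hostname):
        return "downgrade"  # symptom of WebLogic Plug-In Enabled not being set
    return "ok"

# Constructed sample responses (not captured from a real server).
URL = "https://oam.example.com:4443/mybank"
BROKEN = "HTTP/1.1 302 Moved Temporarily\r\nLocation: http://oam.example.com:4443/mybank\r\n"
FIXED = "HTTP/1.1 302 Moved Temporarily\r\nLocation: https://oam.example.com:4443/mybank\r\n"
RELATIVE = "HTTP/1.1 302 Found\r\nLocation: /mybank/index.jsp\r\n"
PAGE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"

if __name__ == "__main__":
    for label, head in [("broken", BROKEN), ("fixed", FIXED),
                        ("relative", RELATIVE), ("page", PAGE)]:
        print(f"{label:9} {check_redirect(URL, head)}")
```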

Protect the Application

By default the Oracle WebGate and Oracle Access Management are protecting all OHS URLs under http://oam.example.com:7777 and https://oam.example.com:4443. In this section you will unprotect all OHS URLs and then configure OAM to protect only the /mybank application.

  1. Launch a browser and access the OAM console https://oam.example.com:7002/oamconsole. Login with weblogic/<password>.

  2. In the Application Security launch pad, under the Access Manager pane, click Application Domains.

  3. In the Search Application Domains pane click Search.

  4. Click webgate_7777 and then Resources.

  5. Click Search and in the Search Results select the Resource URL /** and click Edit.

  6. Under Protection, set Protection Level to Excluded. Click Apply. Changing Protection Level to Excluded means that all URLs under http://oam.example.com:7777 and https://oam.example.com:4443 are now unprotected.

  7. Close the current tabs to return to the webgate_7777 Resources tab.

  8. Set up a policy to protect the mybank application /mybank, by clicking Create. Create the /mybank resource as follows and click Apply:

    Name                   Value
    Type                   HTTP
    Description            mybank application
    Host Identifier        webgate_7777
    Resource URL           /mybank
    Protection Level       Protected
    Authentication Policy  Protected Resource Policy
    Authorization Policy   Protected Resource Policy

    Leave the rest of the fields as default.

  9. Click the Duplicate button and change the Resource URL to /mybank/.../* and click Apply.

  10. Launch an Incognito or private browser. Access the OHS homepage URLs http://oam.example.com:7777 and https://oam.example.com:4443. As the homepage is now unprotected you should see the OHS home page without being challenged for a password.

  11. Access the mybank application https://oam.example.com:4443/mybank. As this application is protected you should be redirected to the OAM login page.

    Log in as weblogic/<password> if using the Embedded LDAP server, or if you configured OUD then login as ahall/welcome1. If successful the Online Banking page should be displayed.

    Repeat with the HTTP URL http://oam.example.com:7777/mybank.
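
To review which request paths the three resources above cover, the following added example (not part of the original tutorial and not Oracle code) models the resource patterns in Python. The wildcard semantics and the "most literal characters wins" ranking are simplifying assumptions, and the test paths other than /mybank are constructed. It shows why both /mybank and /mybank/.../* are defined, and that a sibling path that merely starts with /mybank still falls under the excluded /** resource.

```python
import re

# Resources in the webgate_7777 application domain after the steps above.
RESOURCES = [
    ("/**", "Excluded"),
    ("/mybank", "Protected"),
    ("/mybank/.../*", "Protected"),
]

def pattern_to_regex(pattern):
    """Simplified model (assumption): '/.../' spans zero or more directory
    levels, '**' matches anything, '*' matches within one level."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("/.../", i):
            out.append(r"/(?:[^/]+/)*")
            i += 5
        elif pattern.startswith("**", i):
            out.append(r".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def literal_length(pattern):
    """Count non-wildcard characters; used to rank competing matches."""
    return len(pattern.replace("...", "").replace("*", ""))

def protection_level(path, resources=RESOURCES):
    """Return (level, pattern) for the most specific matching resource.
    Assumption: the match with the most literal characters wins."""
    hits = [(literal_length(p), p, level) for p, level in resources
            if pattern_to_regex(p).match(path)]
    if not hits:
        return (None, None)
    _, pattern, level = max(hits)
    return (level, pattern)

if __name__ == "__main__":
    # Constructed request paths for illustration.
    for path in ["/", "/index.html", "/mybank", "/mybank/",
                 "/mybank/accounts/view.jsp", "/mybankadmin"]:
        print(f"{path:28} {protection_level(path)}")
```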

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com.