Add IDCS After Creating a Domain

After you create a domain, you can add Oracle Identity Cloud Service (IDCS) to your Oracle WebLogic Server for OCI instance.

Note:

This procedure applies to domains that are created from November 2021 (Release 21.4.2) onwards. For previous releases, contact Support.

Prerequisites:
  • Create a confidential application in IDCS to use IDCS for authentication in the domain. You will need the client ID and client secret for this confidential application. See Create a Confidential Application.
  • Create an OCI secret in the tenancy that holds the IDCS client secret value. See Create Secrets for Passwords. Copy the secret OCID.
  • At the root compartment level, create an OCI policy with the following policy statement:
    Allow dynamic-group <service-prefix>-wlsc-principal-group to read secret-bundles in tenancy where target.secret.id ='<secret-ocid>'

    where <secret-ocid> is the OCID of the OCI secret that you created in the previous step.

  • Add a Load Balancer, if not already configured. See Add a Load Balancer.

Complete the following steps to add IDCS to your domain:

  1. Create a JSON file that contains the following information:
    {
      "is_idcs_selected" : "true",
      "idcs_host" : "<Domain name to access IDCS> (typically, identity.oraclecloud.com)",
      "idcs_port" : "443",
      "idcs_tenant" : "<IDCS Instance ID> (format is idcs-<GUID>)",
      "idcs_client_id" : "<Client ID of the confidential application in IDCS>",
      "idcs_client_secret_ocid" : "<OCID of the OCI secret that holds the client secret of the confidential application>",
      "idcs_cloudgate_port" : "9999",
      "idcs_cloudgate_docker_image_tar" : "/u01/zips/APP-GATEWAY/21.2.2/appgateway-21.2.2-2105050509.tar.gz",
      "load_balancer_id" : "<OCID of the Load Balancer>",
      "lbip" : "<IP address of the Load Balancer>"
    }

    Note:

    Add the backend_set_name parameter to the JSON payload if you configured a Load Balancer before Stack creation, as described in Configure the Load Balancer. This lets the script locate the backend set whose backends it needs to update.

    For example:

    "backend_set_name" : "bs_lb_2024-0706-1459"

    In the JSON file, use the client ID and the secret OCID that you created for the confidential application. See Prerequisites.

  2. Log in to the Administration Server node as the root user.
  3. Save the JSON file to an accessible location.
  4. Run the following command to verify that Podman is available and that its status is shown as loaded:
    systemctl status podman
  5. Run the following command:
    python3 /opt/scripts/idcs/configure_idcs.py <json-file-location>
  6. Log in to each of the other nodes and repeat step 3 through step 5.
  7. If the domain is a JRF domain, then add the OPSS SCIM template to the domain.
    1. Change to the oracle user.
      sudo su - oracle
    2. Run the following commands only on the VM where the Administration Server is running:
      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh
      readDomain("/u01/data/domains/<domain_name>")
      addTemplate("/u01/app/oracle/middleware/oracle_common/common/templates/wls/oracle.opss_scim_template.jar")
      updateDomain()
      closeDomain()
      exit()
  8. Restart the Administration Server.
  9. If the domain is a JRF domain and you added the OPSS SCIM template, then restart the managed servers.
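The payload from step 1 is consumed by a script you cannot easily re-run safely once it has started touching the domain, so it is worth checking the file before step 5. The following pre-flight check is an added example, not Oracle's configure_idcs.py or any part of the product: it verifies that every documented key is present, that no angle-bracket placeholder was left unfilled, that idcs_client_secret_ocid is a vault secret OCID rather than the raw client secret, that load_balancer_id is a load balancer OCID, and that ports, tenant ID and lbip have the expected shape. The OCID layout (ocid1.<type>.<realm>.<region>.<id>), the 32-hex-character GUID in idcs-<GUID>, and every value in SAMPLE_PAYLOAD are assumptions made for the example.

```python
"""Pre-flight check for the configure_idcs.py JSON payload (added example, not Oracle's code)."""
import ipaddress
import json
import re
import sys

# Keys from the step 1 payload on this page; backend_set_name is the documented optional key.
REQUIRED_KEYS = (
    "is_idcs_selected", "idcs_host", "idcs_port", "idcs_tenant",
    "idcs_client_id", "idcs_client_secret_ocid", "idcs_cloudgate_port",
    "idcs_cloudgate_docker_image_tar", "load_balancer_id", "lbip",
)
OPTIONAL_KEYS = ("backend_set_name",)

# Assumption: the GUID in idcs-<GUID> is 32 hexadecimal characters.
TENANT_RE = re.compile(r"^idcs-[0-9a-fA-F]{32}$")
# An angle-bracket placeholder such as <OCID of the Load Balancer> that was never replaced.
PLACEHOLDER_RE = re.compile(r"<[^>]*>")


def ocid_resource_type(value):
    """Return the resource-type segment of an OCID (ocid1.<type>.<realm>.<region>.<id>), or None."""
    parts = value.split(".")
    if len(parts) < 5 or parts[0] != "ocid1" or not parts[1] or not parts[-1]:
        return None
    return parts[1]


def check_port(name, value, problems):
    """The payload carries ports as strings; require a numeric string in 1..65535."""
    if not (isinstance(value, str) and value.isdigit() and 1 <= int(value) <= 65535):
        problems.append(f"{name}: expected a port number as a string, got {value!r}")


def validate_payload(payload):
    """Return a list of problems; an empty list means the payload looks usable."""
    problems = []
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]

    for key in REQUIRED_KEYS:
        if key not in payload:
            problems.append(f"missing required key: {key}")
    for key in payload:
        if key not in REQUIRED_KEYS and key not in OPTIONAL_KEYS:
            problems.append(f"unknown key (typo?): {key}")
    for key, value in payload.items():
        if not isinstance(value, str):
            problems.append(f"{key}: all values in this payload are strings, got {type(value).__name__}")
        elif PLACEHOLDER_RE.search(value):
            problems.append(f"{key}: placeholder still present: {value!r}")
    if problems:
        return problems  # format checks below assume every key is present and filled in

    if payload["is_idcs_selected"] != "true":
        problems.append('is_idcs_selected must be "true"')
    if not TENANT_RE.match(payload["idcs_tenant"]):
        problems.append("idcs_tenant: expected idcs-<GUID>")
    check_port("idcs_port", payload["idcs_port"], problems)
    check_port("idcs_cloudgate_port", payload["idcs_cloudgate_port"], problems)
    if ocid_resource_type(payload["idcs_client_secret_ocid"]) != "vaultsecret":
        problems.append("idcs_client_secret_ocid: expected a vault secret OCID (ocid1.vaultsecret...), "
                        "not the client secret value itself")
    if ocid_resource_type(payload["load_balancer_id"]) != "loadbalancer":
        problems.append("load_balancer_id: expected a load balancer OCID (ocid1.loadbalancer...)")
    try:
        ipaddress.ip_address(payload["lbip"])
    except ValueError:
        problems.append(f"lbip: not an IP address: {payload['lbip']!r}")
    if not payload["idcs_cloudgate_docker_image_tar"].endswith(".tar.gz"):
        problems.append("idcs_cloudgate_docker_image_tar: expected a .tar.gz path")
    return problems


def validate_file(path):
    """Load a JSON file from disk and validate it."""
    with open(path, encoding="utf-8") as fh:
        return validate_payload(json.load(fh))


# Constructed sample payload; every value is made up for this example.
SAMPLE_PAYLOAD = {
    "is_idcs_selected": "true",
    "idcs_host": "identity.oraclecloud.com",
    "idcs_port": "443",
    "idcs_tenant": "idcs-0123456789abcdef0123456789abcdef",
    "idcs_client_id": "exampleclientid0000000000000000",
    "idcs_client_secret_ocid": "ocid1.vaultsecret.oc1.iad.examplesecret",
    "idcs_cloudgate_port": "9999",
    "idcs_cloudgate_docker_image_tar": "/u01/zips/APP-GATEWAY/21.2.2/appgateway-21.2.2-2105050509.tar.gz",
    "load_balancer_id": "ocid1.loadbalancer.oc1.iad.examplelb",
    "lbip": "203.0.113.10",
}

if __name__ == "__main__":
    # Usage: python3 check_idcs_payload.py <json-file-location>; with no argument the sample is checked.
    found = validate_file(sys.argv[1]) if len(sys.argv) > 1 else validate_payload(SAMPLE_PAYLOAD)
    for problem in found:
        print("PROBLEM:", problem)
    sys.exit(1 if found else 0)
```

Run it against the file you intend to pass to configure_idcs.py; a non-zero exit means at least one problem was printed. The check for idcs_client_secret_ocid exists because the key name is easy to misread: the value must be the OCID of the OCI secret from the prerequisites, never the client secret itself, which would otherwise end up in a plain JSON file on the Administration Server.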