Secure a Domain Using Identity Cloud Service

Use Oracle Identity Cloud Service to protect applications and restrict administrative access for an Oracle WebLogic Server domain that you created with Oracle WebLogic Server for OCI.

By default, a domain is configured to use the local WebLogic Server identity store to maintain administrators, application users, groups, and roles. These security elements are used to authenticate users, and to also authorize access to your applications and to tools like the WebLogic Server Administration Console.

When you create a domain running WebLogic Server 12c, you can also choose to enable Oracle Identity Cloud Service for authentication. The following diagram illustrates this configuration.

Figure: architecture_idcs_diagram.png

See About Oracle Identity Cloud Service Concepts in Administering Oracle Identity Cloud Service.

Create WebLogic Administrator Groups

Create groups in Oracle Identity Cloud Service to grant users administrative access to your domain.

Global roles in WebLogic Server control the administrative operations that a user can perform in the domain. For example, users with the Deployer role can deploy Java applications to the domain. By default, these roles are assigned to group names like Deployers. After creating these groups in Oracle Identity Cloud Service, you can add users to them.

When you create a domain, you specify a default administrative user. This user is configured in the default WebLogic Server identity store. You can use standard WebLogic Server tools like the Administration Console in order to modify this user or to change its password.

  1. From the Identity Cloud Service console, expand the Navigation Drawer, and then click Groups.
  2. Create the following groups.
    • Administrators
    • Deployers
    • Operators
    • Monitors

    By default, members of these groups will have administrative access to all domains that you create with Oracle WebLogic Server for OCI and that you configure to use Oracle Identity Cloud Service.

  3. Optional: Create groups to control administrative access to a specific domain.
    For example:
    • MyDomain_Administrators
    • MyDomain_Deployers
    • MyDomain_Operators
    • MyDomain_Monitors

See these topics in Administering Oracle Identity Cloud Service:

Update WebLogic Administrator Roles

Map groups in Oracle Identity Cloud Service to the administrator roles in your domain.

By default, the global administrator roles in a domain are mapped to these groups.

  • Administrators
  • Deployers
  • Operators
  • Monitors

If you do not modify the administrator roles in a domain, members of these groups in Oracle Identity Cloud Service will have access to all domains that you create with Oracle WebLogic Server for OCI and that you configure to use Oracle Identity Cloud Service.

Sign in to the WebLogic Server Administration Console for your domain. See Access the WebLogic Console.

  1. From the WebLogic Server Administration Console, click Security Realms.
  2. Click the default realm.
  3. Click the Roles and Policies tab.
  4. From the Roles table, expand Global Roles, and then expand Roles.
  5. Click View Role Conditions for the Admin role.
  6. Click the group name assigned to this role. The default is Administrators.
  7. Enter the name of the Oracle Identity Cloud Service group that you want to map to this role.
  8. Click OK, and then click Save.
  9. From the breadcrumb links at the top of the page, click Realm Roles.
  10. Repeat from step 4 for each administrator role that you want to update.

Update Protected Application Resources

Configure the URL patterns that Oracle Identity Cloud Service uses to determine which application requests require authentication for your domain.

Oracle WebLogic Server for OCI provisions each compute instance in the domain with the App Gateway software appliance. The App Gateway acts as a reverse proxy, intercepts HTTP requests to the domain, and ensures that the users are authenticated with Oracle Identity Cloud Service.

Oracle WebLogic Server for OCI also creates an enterprise application in Oracle Identity Cloud Service for the domain. The enterprise application defines which resources require the user to be authenticated, and which resources don't require authentication.

By default, all requests whose URI begins with /__protected (two underscore characters followed by the word "protected") are protected. For example, a client request to the URL https://<lb_host>/__protected/myapp/doaction requires authentication, while a request to https://<lb_host>/myapp/doaction does not.

Note:

Any changes to the Oracle Identity Cloud Service applications configuration take an hour to be propagated to the App Gateway running on the compute instances.

  1. From the Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  2. Click the enterprise application associated with your domain.

    The name of the application is <stack>_enterprise_idcs_app_<timestamp>. For example, myweblogic_enterprise_idcs_app_2019-08-01T01:02:01.123456.

  3. Click the SSO Configuration tab.
  4. Expand Resources.
  5. Add, remove, or update the resources in this application.

    You can use regular expressions (regex) to define the protected URL patterns. If you use regular expressions, you must select the Regex check box.

    For example, suppose the Java applications deployed to this domain are configured to use the context roots store and marketplace. To protect all requests to the marketplace application, and also requests to the path /store/cart, add the following resources:

    • /marketplace/.*
    • /store/cart/.*
  6. Expand Authentication Policy.
  7. Under Managed Resources, add, remove, or update the managed resource policy for each resource.

    Set the policy's Authentication Method to Form or Access Token. You can use other authentication methods. See Developing Secure Web Applications in Developing Applications with the WebLogic Security Service.

    You can also change the order in which the managed resources are evaluated. If you are using the default configuration set up by Oracle WebLogic Server for OCI, you must move any added managed resources higher up the order than the Make all paths public resource.

    To move the order of the managed resources:

    • For Oracle Identity Cloud Service:
      1. Go to your enterprise application page, and click SSO Configuration and then expand Authentication Policy.
      2. Under Managed Resources, right-click the resource that you created and select Cut.
      3. Click the Make all paths public resource and select Paste Before.
    • For Identity Domains:
      1. Go to your enterprise application page, and click SSO Configuration, and then click Edit SSO configuration.
      2. Under Managed Resources, click Edit Priority for the resource that you created, and move it higher in the order of priority than the Make all paths public resource.

See About Enterprise Applications in Administering Oracle Identity Cloud Service.
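As an added illustration (not part of the Oracle documentation), the following Python model evaluates a request path against an ordered list of managed resources and lists the resources that the Make all paths public catch-all shadows. It assumes first-match evaluation, which is what the ordering requirement above implies, models the default public resource as the regex /.*, and treats regex resources as matching the whole path; the resource names and those matching rules are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ManagedResource:
    name: str
    pattern: str       # literal URI prefix, or a regex when is_regex is True
    is_regex: bool     # corresponds to the Regex check box on the resource
    auth_method: str   # "Form", "Access Token", or "Public" (no authentication)

    def matches(self, path: str) -> bool:
        # Assumption: regex resources match the whole path; literal ones match as a prefix.
        if self.is_regex:
            return re.fullmatch(self.pattern, path) is not None
        return path.startswith(self.pattern)

def decide(policy, path):
    """Assumed first-match evaluation: the first resource in list order decides the policy."""
    for res in policy:
        if res.matches(path):
            return res.name, res.auth_method
    return None, "Public"

def requires_auth(policy, path):
    return decide(policy, path)[1] != "Public"

def shadowed(policy):
    """Resources listed after the public catch-all; under first-match they never take effect."""
    names, after_catch_all = [], False
    for res in policy:
        if after_catch_all:
            names.append(res.name)
        if res.is_regex and res.pattern == "/.*":
            after_catch_all = True
    return names

# Constructed model of the default policy plus the two resources from the example above.
PROTECTED_DEFAULT = ManagedResource("Protect /__protected", "/__protected", False, "Form")
MARKETPLACE = ManagedResource("marketplace", "/marketplace/.*", True, "Form")
STORE_CART = ManagedResource("store cart", "/store/cart/.*", True, "Access Token")
PUBLIC_ALL = ManagedResource("Make all paths public", "/.*", True, "Public")

# Added resources placed above the catch-all (correct) versus below it (silently ineffective).
CORRECT_ORDER = [PROTECTED_DEFAULT, MARKETPLACE, STORE_CART, PUBLIC_ALL]
WRONG_ORDER = [PROTECTED_DEFAULT, PUBLIC_ALL, MARKETPLACE, STORE_CART]

if __name__ == "__main__":
    print(decide(CORRECT_ORDER, "/marketplace/items"), shadowed(WRONG_ORDER))
```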

Update Application Deployment Descriptors

Secure a Java application that's deployed to your domain by updating the application’s context path, security constraints, and role assignments.

Oracle WebLogic Server supports the Java Enterprise Edition declarative model for securing web applications with XML deployment descriptors.

Assume that you have created a managed resource whose authentication method is Form or Access Token. To ensure that the authenticated identity is propagated to the web application, complete the following steps:

  1. Update the value of context-root in the application’s weblogic.xml file. Prefix the current value with one of the protected resource URLs that are defined in the Oracle Identity Cloud Service enterprise application for this domain.

    By default, the only protected context root is /__protected (two underscore characters followed by the word "protected"). For example:

    <context-root>/__protected/store</context-root>
  2. Create one or more security-role elements in the application’s web.xml file.

    Simply list the user roles for your application. For example:

    <security-role>
      <role-name>HRAdmin</role-name>
    </security-role>
    
  3. Create one or more security-constraint elements in the application’s web.xml file.

    Each security constraint grants access to one or more URL patterns in your application, and to specific roles. For example:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HRAdmin</role-name>
      </auth-constraint>
    </security-constraint>
    

    Do not include the context root path in the URL patterns.

  4. Create one or more security-role-assignment elements in the application’s weblogic.xml file.

    Map your application roles to specific users and/or groups found in Oracle Identity Cloud Service. For example:

    
    <security-role-assignment>
      <role-name>HRAdmin</role-name>
      <principal-name>HRManagersGroup</principal-name>
    </security-role-assignment>
    
  5. Set the login configuration of the application to CLIENT-CERT in the application's web.xml file. For example:

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>default</realm-name>
    </login-config>
    
  6. Redeploy your application for these changes to take effect.
    For example, use the WebLogic Server Administration Console.
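As an added check (not from the Oracle documentation), the following Python script lints a web.xml and weblogic.xml pair against the five steps above: a protected context root, declared roles, URL patterns without the context root, a role assignment for every role, and the CLIENT-CERT login method. The descriptor contents are constructed samples modelled on the examples in the steps; the /__protected prefix is the page's default.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors that follow steps 1 to 5 above (not from a real deployment).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-role><role-name>HRAdmin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>AdminPages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HRAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method><realm-name>default</realm-name></login-config>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <context-root>/__protected/store</context-root>
  <security-role-assignment>
    <role-name>HRAdmin</role-name>
    <principal-name>HRManagersGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def lint(web_xml, weblogic_xml, protected_prefixes=("/__protected",)):
    """Return the checklist violations found; an empty list means every step is satisfied."""
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    problems = []
    # Step 1: the context root must sit under a protected resource URL.
    ctx = (wls.findtext("{*}context-root") or "").strip()
    if not any(ctx.startswith(p) for p in protected_prefixes):
        problems.append(f"context-root {ctx!r} is not under a protected path (step 1)")
    # Step 2: every role referenced by a constraint must be declared as a security-role.
    declared = {e.text.strip() for e in web.iterfind("{*}security-role/{*}role-name")}
    for sc in web.iterfind("{*}security-constraint"):
        for pat in sc.iterfind("{*}web-resource-collection/{*}url-pattern"):
            # Step 3: url-patterns are relative to the context root and must not repeat it.
            if ctx and pat.text.strip().startswith(ctx):
                problems.append(f"url-pattern {pat.text!r} includes the context root (step 3)")
        for role in sc.iterfind("{*}auth-constraint/{*}role-name"):
            if role.text.strip() not in declared:
                problems.append(f"auth-constraint role {role.text!r} is not declared (step 2)")
    # Step 4: each declared role needs a security-role-assignment to an IDCS user or group.
    assigned = {e.text.strip() for e in wls.iterfind("{*}security-role-assignment/{*}role-name")}
    for role in sorted(declared - assigned):
        problems.append(f"role {role!r} has no security-role-assignment (step 4)")
    # Step 5: the login method must be CLIENT-CERT.
    if web.findtext("{*}login-config/{*}auth-method") != "CLIENT-CERT":
        problems.append("login-config auth-method is not CLIENT-CERT (step 5)")
    return problems
```

A misspelled element name such as security-role-assigment is reported as a missing assignment, because the parser simply never sees the intended element.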