Upgrade the Oracle Identity Cloud Service App Gateway Version
If your Oracle WebLogic Server for OCI domain uses Oracle Identity Cloud Service for authentication, you must upgrade the App Gateway on each compute instance in the domain as an opc user. The latest App Gateway version is 21.2.2.
The upgrade steps are required only if both of these are true:
- You selected the Enable Authentication Using Identity Cloud Service option when creating the domain.
- The Oracle Identity Cloud Service App Gateway version is later than 19.2.1.
To upgrade the Oracle Identity Cloud Service App Gateway version, perform the following steps:
Note: You must delete the existing container and recreate the container with a new version of the image.
- Download the Oracle Identity Cloud Service App Gateway Docker image.
  - Access the Identity Cloud Service console.
  - Expand the Navigation Drawer, click Settings, and then click Downloads.
  - In the Downloads page, click Download to the right of App Gateway Docker Image for Identity Cloud Service, and download the file, idcs-appgateway-docker-<version>.zip, to a location on your system.
  - Navigate to the directory where you downloaded the file, and extract the contents of the zip file.
    Example:
    unzip idcs-appgateway-docker-<version>.zip
    After unzip, the file, appgateway-<version>.tar.gz, is created.
- Download the Oracle Identity Cloud Service App Gateway wallet tool (optional).
  - Repeat steps a and b from step 1.
  - In the Downloads page, download the wallet file. For example, idcs-appgateway-wallet-tool-<version>.zip.
- Copy the Oracle Identity Cloud Service App Gateway Docker image and App Gateway wallet tool to one of the virtual machines in the Oracle WebLogic Server for OCI instance.
  For example, copy the files, appgateway-<version>.tar.gz and idcs-appgateway-wallet-tool-<version>.zip.
- Deploy the Oracle Identity Cloud Service App Gateway Docker image.
  - In the Oracle WebLogic Server for OCI virtual machine (VM) instance, load the .tar.gz file to the local Podman registry.
    sudo podman load -i <.tar.gz file>
    Example:
    sudo podman load --input /tmp/appgateway-<version>.tar.gz
  - Verify that you see the image in the local Docker registry.
    sudo podman images
- Deploy the Oracle Identity Cloud Service App Gateway wallet file (optional).
  - Create a new wallet_tool directory, /usr/lib/wallet_tool.
    sudo mkdir -p /usr/lib/wallet_tool/
  - Extract the idcs-appgateway-wallet-tool zip to /usr/lib/wallet_tool.
    sudo unzip /tmp/idcs-appgateway-wallet-tool-<version>.zip -d /usr/lib/wallet_tool/
- Create the cwallet.sso file (optional).
  If the wallet file is not deleted, you can use the existing wallet file (cwallet.sso) to upgrade to the latest App Gateway version, or upgrade the App Gateway wallet tool and generate a new cwallet.sso file.
  Use one of the following methods to create the cwallet.sso file.
  - Manual:
    - Retrieve the client ID and client secret of the app_gateway using information in the .idcs_artifacts.txt file in the /u01/data directory.
      cat /u01/data/.idcs_artifacts.txt
    - Take a note of the displayName of the app_gateway in /u01/data/.idcs_artifacts.txt.
      Example:
      {
        "confidential_app": {
          "meta": {
            "location": "https://idcs-<GUID>.identity.oraclecloud.com:443/admin/v1/Apps/<confidential_app_ID>"
          }
        },
        "app_gateway": {
          "meta": {
            "location": "https://idcs-<GUID>.identity.oraclecloud.com:443/admin/v1/CloudGates/<app_gateway_ID>"
          },
          "displayName": "idcs0706_app_gateway_2021-06-07T14:57:22.297066",
          "id": "<app_gateway_ID>"
        },
        "enterprise_app": {
          "meta": {
            "location": "https://idcs-<GUID>.identity.oraclecloud.com:443/admin/v1/Apps/<enterprise_app_ID>"
          }
        }
      }
      Note: You must belong to the Administrator group in Oracle Identity Cloud Service to access this information.
    - In the Oracle Identity Cloud Service console, expand the Navigation Drawer, click Security, and then click App Gateways. In the App Gateways page, search for the App Gateway with the noted displayName and take a note of the client ID and client secret.
    - Navigate to the /u01/data/cloudgate_config/ directory and create the cwallet.sso file.
      cd /u01/data/cloudgate_config/
      export LD_LIBRARY_PATH=/usr/lib/wallet_tool/lib/:/usr/lib
      echo <client_secret> | /usr/lib/wallet_tool/cgwallettool --create -i <client_id>
  - Using Scripts:
    Note: You can use scripts to create the cwallet.sso file for Oracle WebLogic Server for OCI version 21.2.3 or later; version 21.2.3 has the latest scripts to support Oracle Identity Cloud Service App Gateway version 21.2.2.
    - Add the Oracle Identity Cloud Service client ID and client secret to /u01/data/cloudgate_config/appgateway-env.
    - Run the create_idcs_cloudgate_cwallet.sh script as a root user.
      Note: Make sure you are using the latest version of the create_idcs_cloudgate_cwallet.sh script.
      Example:
      # sudo does not apply to a >> redirection, so append through sudo tee
      echo "" | sudo tee -a /u01/data/cloudgate_config/appgateway-env > /dev/null
      echo "CG_APP_NAME=<client_id>" | sudo tee -a /u01/data/cloudgate_config/appgateway-env > /dev/null
      echo "CG_APP_SECRET=<client_secret>" | sudo tee -a /u01/data/cloudgate_config/appgateway-env > /dev/null
      sudo sh /opt/scripts/idcs/create_idcs_cloudgate_cwallet.sh
- Stop and remove the existing App Gateway container.
sudo podman container stop appgateway
sudo podman container rm appgateway
- Create and start the new App Gateway container.
Use one of the following methods to create and start the new App Gateway container:
  - Manual:
    - Run the update_metadata script to update the metadata for docker_image_version and docker_image_name to point to the latest version.
      Example:
      sudo python3 /opt/scripts/utils/update_metadata.py -k idcs_cloudgate_docker_image_version -v <version>
      sudo python3 /opt/scripts/utils/update_metadata.py -k idcs_cloudgate_docker_image_name -v idcs/idcs-appgateway
      Note: This step to update the metadata script is required if you upgrade the Oracle Identity Cloud Service App Gateway version during scale out.
    - Navigate to the /u01/data/cloudgate_config/ directory and change the permissions to 777 and the owner to 8000:8000 for this directory.
      Example:
      cd /u01/data/cloudgate_config/
      sudo chmod -R 777 /u01/data/cloudgate_config/
      sudo chown -R 8000:8000 /u01/data/cloudgate_config/*
    - Start the App Gateway container using the podman run command.
      Note: You must mount the local folder, /u01/data/cloudgate_config, as a volume to the directory /usr/local/nginx/conf/ inside the container <my-container>.
      The cwallet.sso file that contains the client ID and client secret must be copied to the folder /usr/local/nginx/conf/ in the container so that the container can reference the wallet file.
      Example:
      sudo podman run -it -d --name appgateway --log-driver=journald --security-opt label=disable \
        --env-file /u01/data/cloudgate_config/appgateway-env \
        --env HOST_MACHINE="$(hostname -f)" --env CLOUDGATE_VERSION=<version> \
        --volume /u01/data/cloudgate_config/:/usr/local/nginx/conf/:z \
        --net=host idcs/idcs-appgateway:<version>
  - Using Scripts:
    Note: You can use scripts to create the cwallet.sso file for Oracle WebLogic Server for OCI version 21.2.3 or later; version 21.2.3 has the latest scripts to support Oracle Identity Cloud Service App Gateway version 21.2.2.
    - Run the update_metadata script to update the metadata for docker_image_version and docker_image_name to point to the latest version.
      Example:
      sudo python3 /opt/scripts/utils/update_metadata.py -k idcs_cloudgate_docker_image_version -v <version>
      sudo python3 /opt/scripts/utils/update_metadata.py -k idcs_cloudgate_docker_image_name -v idcs/idcs-appgateway
    - Start the App Gateway container using run_cloudgate.sh.
      sudo sh /opt/scripts/idcs/run_cloudgate.sh
- Verify the upgrade.
  - Check the App Gateway container logs.
    sudo podman logs appgateway
  - Log in and connect to the container using bash.
    Example:
    sudo podman exec -it appgateway bash
  - Navigate to the bin folder in the container, and check the cloudgate-env file.
    Example:
    cd /usr/local/nginx/logs/
    cd /scratch/oracle/idcs-cloudgate/latest/bin/
    ./cg-env
- Remove the existing Oracle Identity Cloud Service Docker image.
  sudo podman image rm opc-delivery.docker.oraclecorp.com/idcs/<container_name:existing_version>
- Repeat from step 3 for all remaining compute instances in this domain.
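
A pre-flight check for the scripted cwallet.sso step, added here as an example and not part of Oracle's scripts: it confirms that /u01/data/cloudgate_config/appgateway-env defines CG_APP_NAME and CG_APP_SECRET exactly once each (re-running the append commands duplicates them) and never prints the values. The function name check_appgateway_env and the rule that real values contain no angle brackets are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Oracle's script): validate appgateway-env before the
# wallet script reads it. Only key names are reported, never the values.

# check_appgateway_env FILE
# Returns 0 when CG_APP_NAME and CG_APP_SECRET are each defined exactly once
# with a non-empty value that is not a <placeholder>; otherwise reports each
# problem on stderr and returns 1.
check_appgateway_env() {
    local file=$1 key count value rc=0
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 1
    fi
    for key in CG_APP_NAME CG_APP_SECRET; do
        # Appending the same lines on a second run leaves duplicate keys.
        count=$(grep -c "^${key}=" "$file" || true)
        if [ "$count" -ne 1 ]; then
            echo "$key: expected 1 definition, found $count" >&2
            rc=1
            continue
        fi
        value=$(grep "^${key}=" "$file" | cut -d= -f2-)
        case $value in
            "")
                echo "$key: value is empty" >&2; rc=1 ;;
            *"<"*|*">"*)
                # Assumption: real IDs and secrets never contain < or >.
                echo "$key: template placeholder was not replaced" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: the append commands were run twice, so both keys repeat.
demo=$(mktemp)
for run in 1 2; do
    printf 'CG_APP_NAME=constructed-id\nCG_APP_SECRET=constructed-secret\n' >> "$demo"
done
check_appgateway_env "$demo" || echo "fix the file before creating the wallet" >&2
rm -f "$demo"
```

On the VM, call it as check_appgateway_env /u01/data/cloudgate_config/appgateway-env from a shell that can read the file.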