Oracle by Example: Create an Oracle WebLogic Server Domain Using Oracle WebLogic Server for OCI with Oracle Identity Cloud Service

Before You Begin

This 45-minute tutorial shows you how to provision an Oracle WebLogic Server domain from Oracle Cloud Infrastructure Marketplace that uses Oracle Identity Cloud Service for authentication.

Background

You can use Oracle WebLogic Server for Oracle Cloud Infrastructure (Oracle WebLogic Server for OCI) to create an Oracle WebLogic Server domain that integrates with Oracle Identity Cloud Service (IDCS). Identity Cloud Service then authenticates the users who access the applications deployed to the domain, so the applications do not need to manage credentials themselves.

You can create a domain only for Oracle Cloud accounts that include Oracle Identity Cloud Service 19.2.1 or later.

To enable Oracle Identity Cloud Service, the domain must be running WebLogic Server 12c and must include a load balancer.

Ensure that you create a confidential application for Oracle WebLogic Server for OCI, or use an existing confidential application, before you enable integration with Oracle Identity Cloud Service. Oracle WebLogic Server for OCI uses the client ID and client secret of this confidential application to provision an App Gateway and other security components in Oracle Identity Cloud Service. This tutorial creates a confidential application, WLSOCIDCS, using an existing identity provider, WLS_IDCS.

This tutorial uses the Oracle WebLogic Suite BYOL application to provision a non-JRF WebLogic Server 12c domain with a load balancer, creating new subnets in an existing virtual cloud network (VCN), and configures Oracle Identity Cloud Service to authenticate application users.

You can use the same procedure with Oracle WebLogic Suite UCM, and Oracle WebLogic Server Enterprise Edition BYOL and UCM applications.

Provisioning a domain in Oracle WebLogic Server for OCI requires one or more secrets in Oracle Cloud Infrastructure Vault. The secrets hold the passwords that the provisioning job needs when it creates the WebLogic Server cluster; in this tutorial, those are the WebLogic Server administrator password and the client secret of the confidential application.

This tutorial uses a standard vault, which is hosted on a hardware security module (HSM) partition with multiple tenants, and uses a more cost-efficient, key-based metric for billing purposes.

You can estimate the cost of the resources and services that you want to use to provision your instance. See Oracle Cloud Cost Estimator.

What Do You Need?


Create a Confidential Application

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. Click the navigation menu and select Identity and Security. Under Identity, click Federation.
  3. Click the existing identity provider, WLS_IDCS, that you configured for federation with Oracle Identity Cloud Service.
  4. Click the Oracle Identity Cloud Service Console URL and sign in with your credentials.
  5. In Applications and Services, click Go to Applications Page to go to the Applications page.
  6. Click Add, and then select Confidential Application.
  7. For Name, enter WLSOCIDCS.
  8. For Description, provide a description, and then click Next.
  9. Click Configure this application as a client now.
  10. For Allowed Grant Types, select Client Credentials.
  11. Locate Grant the client access to Identity Cloud Service Admin APIs and click Add.
  12. In the Add App Role window, select Identity Domain Administrator.

    Note: If you are creating a domain for WebLogic Server 12.2.1.4.0, you must also select Cloud Gate App role. You can add this Cloud Gate role after you create your WebLogic Server domain, but do not forget to restart the domain.
  13. Click Add and then click Next.
  14. Under Resources, keep the default settings, and then click Next.
  15. Under Web Tier Policy, keep the default settings, and then click Next.
  16. Under Authorization, keep the default settings, click Next, and then click Finish.
  17. Take note of the Client ID and Client Secret values. Because the application holds the Identity Domain Administrator role, this client secret can administer every user and application in your identity domain; store it only in the Vault secret created later in this tutorial, and do not paste it into scripts or stack variables.
  18. Click Activate and press OK in the confirmation window.
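The following script is an added example and is not part of this tutorial or of Oracle's product code. It confirms, before you launch the stack, that the client ID and client secret you just noted can obtain an access token from Identity Cloud Service with the Client Credentials grant you enabled, and that your tenant identifier has the idcs-<GUID> form the stack asks for later as IDCS Tenant. It assumes curl is installed; IDCS_TENANT, IDCS_CLIENT_ID and IDCS_CLIENT_SECRET are placeholder variable names, the token endpoint path /oauth2/v1/token and the scope urn:opc:idm:__myscopes__ are the documented Identity Cloud Service values for calling the Admin APIs, and the host domain defaults to identity.oraclecloud.com, the value the stack uses when IDCS Host Domain Name is left at its default.

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial): check the confidential
# application's client credentials against Identity Cloud Service.
# Placeholders: IDCS_TENANT, IDCS_CLIENT_ID, IDCS_CLIENT_SECRET (exported
# by you); the check only runs when RUN_CHECK=1 is set.
set -eu

# Validate the tenant identifier (idcs-<GUID>, lowercase hex) and build the
# tenant's base URL. Second argument overrides the host domain.
idcs_base_url() {
  tenant=$1
  host=${2:-identity.oraclecloud.com}
  guid=${tenant#idcs-}
  [ "$guid" != "$tenant" ] && [ -n "$guid" ] || return 1
  case $guid in
    *[!0-9a-f]*) return 1 ;;
  esac
  printf 'https://%s.%s\n' "$tenant" "$host"
}

# HTTP Basic credential for the token endpoint: base64(client_id:client_secret).
# tr strips the line wrapping that some base64 implementations add.
basic_auth_header() {
  printf 'Basic %s\n' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Request a token with the client_credentials grant (the only grant type the
# tutorial enables) and the Admin API scope. Prints "ok" when the response
# carries an access_token; otherwise prints the error body and fails, which
# is what an invalid_client or inactive application returns.
check_client_credentials() {
  url="$(idcs_base_url "$1")/oauth2/v1/token"
  body=$(curl -sS -X POST "$url" \
    -H "Authorization: $(basic_auth_header "$2" "$3")" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data 'grant_type=client_credentials&scope=urn:opc:idm:__myscopes__')
  case $body in
    *'"access_token"'*) echo ok ;;
    *) printf 'token request failed: %s\n' "$body" >&2; return 1 ;;
  esac
}

if [ "${RUN_CHECK:-0}" = "1" ]; then
  check_client_credentials "$IDCS_TENANT" "$IDCS_CLIENT_ID" "$IDCS_CLIENT_SECRET"
fi
```

Run it with RUN_CHECK=1 after exporting the three variables. A failure here (an invalid_client error, or a tenant identifier that does not match idcs-<GUID>) means the stack's Identity Cloud Service inputs would fail in the same way, before any compute instances are created. The secret is read from the environment rather than typed on the command line so that it does not end up in your shell history.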

Create a Vault and a Key

  1. Sign in to the Oracle Cloud Infrastructure console.
  2. Click the navigation menu, select Identity and Security, and then click Vault.
  3. Select your Compartment, if not already selected.
  4. Click Create Vault.
  5. For Name, enter WebLogicOCIVault.
  6. Click Create.

    Wait for the vault to be created.

  7. Click the new vault.
  8. Click Master Encryption Keys, and then click Create Key.
  9. For Name, enter WebLogicOCIKey.
  10. Click Create Key.

    Wait for the key to be created and enabled before you create a secret.


Create a Secret for Your WebLogic and Identity Cloud Service Passwords

  1. In the vault, click Secrets, and then click Create Secret.
  2. For Name, enter WebLogicAdminSecret.
  3. Select the key WebLogicOCIKey that you created.
  4. For Secret Contents, enter the password you want to use for the WebLogic Server administrator.

    The password must start with a letter, be between 8 and 30 characters long, and contain at least one number; it may also contain any number of the special characters $, #, and _.

  5. Click Create Secret.

    Wait for the secret to be created.

  6. Click the secret name.
  7. Copy the OCID for the WebLogic administrator secret.
  8. On the Secrets page of the vault, click Create Secret again.
  9. For Name, enter WebLogicIDCSSecret.
  10. Select the key WebLogicOCIKey that you created.
  11. For Secret Contents, enter the client secret of your confidential application that you noted when you created the confidential application.
  12. Click Create Secret.

    Wait for the secret to be created.

  13. Click the secret name.
  14. Copy the OCID for the Identity Cloud Service Client secret.
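The following script is an added example and is not part of this tutorial or of Oracle's product code. It performs the two preceding sections (vault, key, and both secrets) from the OCI CLI instead of the console, checks the administrator password against the policy stated above before anything is created, and prints the two secret OCIDs in the form the stack asks for. It assumes the OCI CLI is installed and configured for your tenancy; COMPARTMENT_OCID, WLS_ADMIN_PASSWORD and IDCS_CLIENT_SECRET are placeholder variable names, and the CLI flag names are those of recent CLI releases (confirm with `oci vault secret create-base64 --help` if yours differs).

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial): create the vault, key and
# two secrets with the OCI CLI. Placeholders: COMPARTMENT_OCID,
# WLS_ADMIN_PASSWORD, IDCS_CLIENT_SECRET (exported by you); the OCI calls
# only run when RUN_OCI=1 is set.
set -eu

# Policy from the tutorial: starts with a letter, 8-30 characters, at least
# one digit, and only letters, digits and the special characters $ # _.
valid_wls_password() {
  pw=$1
  [ ${#pw} -ge 8 ] && [ ${#pw} -le 30 ] || return 1
  case $pw in [A-Za-z]*) ;; *) return 1 ;; esac
  case $pw in *[0-9]*) ;; *) return 1 ;; esac
  [ -z "$(printf '%s' "$pw" | tr -d 'A-Za-z0-9$#_')" ]
}

# The Vault API takes secret contents base64-encoded; tr strips the line
# wrapping that some base64 implementations add.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# The stack form wants the secret's OCID, not the vault's or the key's.
is_secret_ocid() {
  case $1 in ocid1.vaultsecret.oc1.*) return 0 ;; *) return 1 ;; esac
}

# Arguments: secret name, plaintext, vault OCID, key OCID. Prints the OCID.
create_secret() {
  oci vault secret create-base64 \
    --compartment-id "$COMPARTMENT_OCID" --secret-name "$1" \
    --vault-id "$3" --key-id "$4" --secret-content-content "$(b64 "$2")" \
    --wait-for-state ACTIVE --query 'data.id' --raw-output
}

if [ "${RUN_OCI:-0}" = "1" ]; then
  valid_wls_password "$WLS_ADMIN_PASSWORD" || {
    echo 'admin password violates the WebLogic password policy' >&2; exit 1; }

  # Standard (DEFAULT) vault, as in the tutorial; a virtual private vault
  # would use --vault-type VIRTUAL_PRIVATE.
  VAULT_ID=$(oci kms management vault create --compartment-id "$COMPARTMENT_OCID" \
    --display-name WebLogicOCIVault --vault-type DEFAULT \
    --wait-for-state ACTIVE --query 'data.id' --raw-output)

  # Key operations go to the vault's own management endpoint.
  MGMT=$(oci kms management vault get --vault-id "$VAULT_ID" \
    --query 'data."management-endpoint"' --raw-output)
  KEY_ID=$(oci kms management key create --endpoint "$MGMT" \
    --compartment-id "$COMPARTMENT_OCID" --display-name WebLogicOCIKey \
    --key-shape '{"algorithm":"AES","length":32}' \
    --wait-for-state ENABLED --query 'data.id' --raw-output)

  ADMIN_SECRET=$(create_secret WebLogicAdminSecret "$WLS_ADMIN_PASSWORD" "$VAULT_ID" "$KEY_ID")
  IDCS_SECRET=$(create_secret WebLogicIDCSSecret "$IDCS_CLIENT_SECRET" "$VAULT_ID" "$KEY_ID")
  is_secret_ocid "$ADMIN_SECRET" && is_secret_ocid "$IDCS_SECRET"

  printf 'Secrets OCID for WebLogic Server Admin Password: %s\n' "$ADMIN_SECRET"
  printf 'Secrets OCID for IDCS Client Secret: %s\n' "$IDCS_SECRET"
fi
```

Run it with RUN_OCI=1 after exporting the three variables. Both passwords are read from the environment and base64-encoded in a subshell, so they never appear as literal command-line arguments in the script itself; the two OCIDs it prints are the values you enter for Secrets OCID for WebLogic Server Admin Password and Secrets OCID for IDCS Client Secret when you create the stack.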

Launch a Stack

  1. Sign in to the Oracle Cloud Infrastructure Console.
  2. Click the navigation menu, select Marketplace, and then click All Applications.
  3. Locate and select the Oracle WebLogic Suite BYOL application.

    The following details of Oracle WebLogic Suite BYOL are displayed:

    • Application Type - Stack.
    • The latest 12c version of the application.
    • The type of billing it uses - BYOL (Bring Your Own License).
  4. Select the Compartment in which you want to create the stack.

    The compute instances are created in the stack compartment that you select here.

  5. Select the Oracle Standard Terms and Restrictions check box, and then click Launch Stack.

    The Create Stack page opens.


Create the Stack

  1. On the Stack Information page of the Create Stack wizard, the name of the stack is displayed (application name appended with the time stamp).
  2. Optionally, enter a description for the stack.

    The following additional details are also displayed:

    • Create in Compartment - The name of the compartment you selected earlier, upon launching the stack.
    • Terraform Version - 0.12.x
  3. Click Next.

    The Configure Variables page opens.

  4. For Resource Name Prefix, type MyIDCSWLS.

    You can use a maximum of 16 characters to define the prefix. This prefix will be used by all the resources that are created when you create the stack.

  5. For WebLogic Server Shape, select VM.Standard2.4. This shape will be used by all compute instances.

    You can select another shape for the compute instance.

  6. For SSH Public Key, upload the SSH public key file or paste the contents of the file.

    After creating the stack, you can connect to the WebLogic Server compute instances by using an SSH client and the corresponding private key.

  7. For WebLogic Server Node Count, select 2.

    This value indicates the number of Managed servers you want to create.

  8. For WebLogic Server Admin User Name, weblogic is the default name.

    Use the default name.

  9. For Secrets OCID for WebLogic Server Admin Password, enter the Oracle Cloud Identifier (OCID) of the WebLogicAdminSecret secret. This secret stores the password for the WebLogic Server administrator.

    Note: This is the OCID you copied after creating the secret in the previous section. The stack reads the password from Vault during provisioning, so the password itself is never entered into the stack variables.

  10. For Virtual Cloud Network Strategy, select Use Existing VCN.
  11. For Network Compartment, retain the stack compartment that you selected earlier, upon launching the stack.

    All the network resources and the domain compute instances will be created in this stack compartment.

  12. Select an Existing Network in which to create the compute instances, network resources, and load balancers.
  13. For Subnet Strategy, select Create New Subnet.
  14. For WebLogic Server Subnet CIDR, enter a CIDR for the new subnet.
  15. For Bastion Host Subnet CIDR, enter a CIDR for the new subnet.
  16. For Bastion Host Shape, select VM.Standard2.4.
  17. Click Add Load Balancer.
  18. For Create or Use Existing Load Balancer, select Create New Load Balancer.
  19. For Load Balancer Subnet CIDR, enter a CIDR for the new load balancer subnet.
  20. For Minimum Bandwidth for Load Balancer Flexible and for Maximum Bandwidth for Load Balancer Flexible, retain the default values.

    This creates a flexible load balancer with the specified minimum and maximum bandwidth.

  21. Select the Enable Authentication Using Identity Cloud Service check box.
  22. Keep the default values for IDCS Host Domain Name and IDCS Port.
  23. For IDCS Tenant, enter the instance ID found in the URL you used to access the IDCS application. This ID has the format: idcs-<GUID>.

    Note: To find the instance GUID, in the IDCS console, click the <user name>, and select About.

  24. For IDCS Client ID, enter the client ID that you noted when you created the confidential application.
  25. For Secrets OCID for IDCS Client Secret, enter the OCID of the WebLogicIDCSSecret secret that you copied after creating it.
  26. Keep the default value for IDCS Redirect Port; this port is used for the App Gateway software appliance.
  27. Select Add File System Storage.
  28. For File Storage Availability Domain, select the availability domain in which you want to create the file system and mount target.
  29. For Existing Subnet for Mount Target, select the existing subnet to use for the mount target.

    Note: This subnet must be available in the selected VCN.

  30. Ensure that the OCI Policies check box is selected. This lets the stack create the dynamic group and IAM policies that allow the WebLogic Server compute instances to read the Vault secrets during provisioning; without them, the provisioning job cannot retrieve the passwords.
  31. Click Next to verify the details you've entered.
  32. On the Review page of the wizard, review the information you've provided, and then click Create.

    The Job Details page of the stack in Resource Manager opens. The job name has the ormjobyyyymmddnnnnnn format.

  33. Monitor the progress of the job periodically until it is finished.

    If an email address is associated with your user profile, you will receive an email notification.

You can now access and manage your new domain that is configured with Oracle Identity Cloud Service.


Want to Learn More?