10 PDC REST Services Manager Security
Learn how to set up security for Oracle Communications Pricing Design Center (PDC) REST Services Manager.
Topics in this document:
- About PDC REST Services Manager Security
- Setting Up OAuth for PDC REST Services Manager with Oracle Identity Cloud Service
- Setting Up OAuth for PDC REST Services Manager with Oracle Access Management
- Securing Inbound Communications
- Securing Outbound Requests to PDC
- Encrypting Sensitive Data
- PDC REST Services Manager Security Configuration Reference Information
For more information, see PDC REST Services Manager Integration Guide.
About PDC REST Services Manager Security
PDC REST Services Manager uses the following security protocols to secure inbound and outbound requests:
- OAuth 2.0: Authenticates your enterprise product catalog's identity and
authorizes it to access the PDC REST Services Manager API by validating an OAuth
access token that is passed in the header of every HTTP/HTTPS request to the PDC
REST Services Manager API.
You can enable OAuth for PDC REST Services Manager using either Oracle Identity Cloud Service or Oracle Access Management.
- TLS: Secures communication from your enterprise product catalog to PDC REST Services Manager.
- T3S: Secures communication from PDC REST Services Manager to PDC.
Setting up PDC REST Services Manager security involves these tasks:
- One of the following, depending on your OAuth provider:
- Setting Up OAuth for PDC REST Services Manager with Oracle Identity Cloud Service
- Setting Up OAuth for PDC REST Services Manager with Oracle Access Management
- Securing Inbound Communications
- Securing Outbound Requests to PDC
You can also encrypt sensitive data, such as passwords, by using the RestServicesManager.sh script. See "Encrypting Sensitive Data".
Setting Up OAuth for PDC REST Services Manager with Oracle Identity Cloud Service
Setting up OAuth for PDC REST Services Manager with Oracle Identity Cloud Service involves these tasks:
- Creating Confidential OAuth Applications for PDC REST Services Manager
- Setting Up Security with Oracle Identity Cloud Service in the PDC REST Services Manager Configuration File
- Requesting an OAuth Access Token from Oracle Identity Cloud Service
Creating Confidential OAuth Applications for PDC REST Services Manager
Add your enterprise product catalog as a confidential application to IDCS by following the instructions in "Add a Confidential Application" in Administering Oracle Identity Cloud Service. When adding the confidential application, ensure that you:
- Select Confidential for the Client Type option.
- Add a scope named pubevent for accessing the Publish Event endpoint in PDC REST Services Manager.
- Add a scope named metrics for accessing the Metrics endpoint in PDC REST Services Manager.
After you add the confidential application, Oracle Identity Cloud Service provides you with the following information. You will need it when requesting an OAuth access token and when configuring inbound communication to PDC REST Services Manager:
- The Oracle Identity Cloud Service URL for requesting OAuth access tokens. For example:
https://idcs_hostname/oauth2/v1/token
where idcs_hostname is the host name of the server of your Oracle Identity Cloud Service instance.
- The primary audience URL
- The client ID and client secret. Encode these in base-64 before using them to request OAuth access tokens.
Setting Up Security with Oracle Identity Cloud Service in the PDC REST Services Manager Configuration File
To set the Oracle Identity Cloud Service details in the PDC REST Services Manager application.yaml file:
- Open the PDC_RSM_home/apps/conf/application.yaml file in a text editor, where PDC_RSM_home is the directory in which you installed PDC REST Services Manager.
- Set the keys under security as shown in Table 10-1.
Table 10-1 Security Keys in the application.yaml File
Key | Description |
---|---|
config.require-encryption | Controls whether requests require encryption using client_id and client_secret. Set this to true. |
enabled | Enables or disables security. Enable security in production environments by setting this to true. |
properties.idcs-uri | The base URL of your Oracle Identity Cloud Service instance, in this format: https://idcs-TenantID.identity.oraclecloud.com |
properties.idcs-client-id | The client ID for your confidential application. |
properties.idcs-client-secret | The Base64-encoded client secret obtained from your Oracle Identity Cloud Service application. For security purposes, do not store the client secret in plain text. To encrypt the client secret, see "Encrypting Sensitive Data". |
properties.frontend-uri | The base URL of your confidential application when it runs. For example: http://localhost:8080 |
properties.audience | The primary audience as provisioned for the PDC REST Services Manager application in Oracle Identity Cloud Service. For example: http://localhost:8080/ Note: Ensure that you include the trailing slash in the URL. |
properties.proxy-host | The host name of the proxy server, if required. |
web-server.paths.<0>.abac.scopes | The scope defined in Oracle Identity Cloud Service for protecting the TMF620 publishEvent endpoint. |
web-server.paths.<1>.abac.scopes | The scope defined in Oracle Identity Cloud Service for protecting the metrics endpoint. |
- In the providers section, ensure that the oidc and abac providers are not commented out. Comment out the oamoidc provider.
- In the app.httpClients.security section, set the keys based on the type of authentication required by your enterprise product catalog. These keys allow you to secure outbound requests from PDC REST Services Manager to your enterprise product catalog. See "OAuth Configuration Properties for Outbound Requests" and "Basic Authentication Configuration Properties for Outbound Requests".
- Save and close the application.yaml file.
See "Example application.yaml Security Configuration with Oracle Identity Cloud Service" for a sample file showing the appropriate properties.
- Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:
./RestServicesManager.sh restart
Requesting an OAuth Access Token from Oracle Identity Cloud Service
Request an OAuth access token from Oracle Identity Cloud Service to include in requests to the PDC REST Services Manager APIs. For more information, see "Generate Access Token and Other OAuth Runtime Tokens to Access the Resource" in REST API for Oracle Identity Cloud Service.
To request an OAuth access token using cURL, use the following format for your HTTP/HTTPS request to the Oracle Identity Cloud Service URL:
curl -i \
-H "Authorization: Basic encoded_credentials" \
-H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--request POST https://idcs_hostname/oauth2/v1/token \
-d 'grant_type=client_credentials&scope=https://primaryAudience/scope'
where:
- encoded_credentials is either the client ID and client secret (clientID:clientSecret) or user name and password (username:password) in Base64-encoded format.
- idcs_hostname is the host name of your Oracle Identity Cloud Service instance.
- primaryAudience is the host name and port of your confidential application.
- scope is one of the following:
- pubevent: Authorizes access to the Publish Event endpoint.
- metrics: Authorizes access to the Metrics endpoint.
After you submit the request, Oracle Identity Cloud Service returns an OAuth access token. Your client must pass this OAuth access token in the header of every HTTP/HTTPS request sent to the PDC REST Services Manager.
Setting Up OAuth for PDC REST Services Manager with Oracle Access Management
Setting up OAuth for PDC REST Services Manager using Oracle Access Management involves these high-level steps:
- Installing the Oracle Access Management software. For the list of supported versions, see "Additional BRM Software Requirements" in BRM Compatibility Matrix.
For more information about installing the Oracle Access Management software, see Oracle Fusion Middleware Installing and Configuring Oracle Identity and Access Management.
- Installing the Oracle Unified Directory software with the HTTP port enabled. For the list of supported versions, see "Additional BRM Software Requirements" in BRM Compatibility Matrix.
For more information about installing Oracle Unified Directory, see Oracle Fusion Middleware Installing Oracle Unified Directory.
- Enabling OAuth Services for PDC REST Services Manager
- Creating an OAuth Identity Domain for PDC REST Services Manager
- Creating a Resource Server for PDC REST Services Manager
- Creating an OAuth Client for PDC REST Services Manager
- Setting Up Security with Oracle Access Management in the PDC REST Services Manager Configuration File
- Requesting an OAuth Access Token from Oracle Access Management
Note:
If you use both BRM REST Services Manager and PDC REST Services Manager, you must set up separate OAuth identity domains, resource servers, and clients for each component.
Enabling OAuth Services for PDC REST Services Manager
Enable OAuth services in Oracle Access Management as described in "Managing Common Services and Certificate Validation" in Oracle Fusion Middleware Administering Oracle Access Management. Ensure that the following services are enabled:
- Access Manager
- OAuth
- OpenIDConnect
Creating an OAuth Identity Domain for PDC REST Services Manager
You create an OAuth identity domain to control the authentication and authorization of users who can sign in to PDC REST Services Manager, and what features they can access. You create all artifacts, such as the resource server and OAuth client, under the identity domain.
To create an identity domain, submit a request to the Add a new OAuth Identity Domain endpoint of the Oracle Access Manager OAuth REST API. See "Add a new OAuth Identity Domain" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.
The following shows an example cURL command for creating an identity domain named PDC_RSM_Domain, with the OUD identity provider (for Oracle Unified Directory):
curl -i --header 'Content-Type: application/json' \
--header 'Authorization:Basic encoded_admin' \
--request POST http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/oauthidentitydomain \
--data-raw '{"name":"PDC_RSM_Domain","identityProvider":"OUD","description":"Identity Domain for PDC REST Services Manager","tokenSettings":[
{"tokenType":"ACCESS_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false}]}'
where:
- encoded_admin is the base64-encoded format of the Oracle Access Management administrator user name and password.
- oam_host:oam_port is the host name and port for the Oracle Access Management server.
If the identity domain was created successfully, you will see a response similar to this:
Sucessfully created entity - OAuthIdentityDomain, detail - OAuth Identity Domain :: Name - PDC_RSM_Domain, Id - 19f85bc53b49561ea52f039474c2c4b,
Description - Identity Domain for PDC REST Services Manager, TrustStore Identifiers - PDC_RSM_Domain,Identity Provider - OUD, TokenSettings -
[{"tokenType":"ACCESS_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false}],
ConsentPageURL - /oam/pages/consent.jsp, ErrorPageURL - /oam/pages/servererror.jsp, CustomAttrs - null
Creating a Resource Server for PDC REST Services Manager
A resource server hosts the protected resources. It must be capable of accepting and responding to resource requests using OAuth access tokens.
To create a resource server, submit a request to the Add a new Resource Server endpoint of the Oracle Access Management OAuth REST API. See "Add a new Resource Server" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.
The following shows an example of creating a resource server named PDCRSMResourceServer with the all and read scopes, under an identity domain named PDC_RSM_Domain, with static and dynamic custom attributes:
curl -k -u wls_admin:password -H 'Content-Type: application/json' 'http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/application' \
-d '{"name":"PDCRSMResourceServer","description":"Resource server for PDC REST Services Manager",
"scopes":[{"scopeName":"all","description":"All permissions"},{"scopeName":"read","description":"Read permissions"}],
"tokenAttributes":[{"attrName":"sessionId","attrValue":"$session.id","attrType":"DYNAMIC"},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":"STATIC"}],"idDomain":"PDC_RSM_Domain","audienceClaim":{"subjects":["ab0"]}}'
where:
- wls_admin:password is the administrator user name and password for Oracle WebLogic Server.
- The name value (PDCRSMResourceServer in this example) is the name of the resource server that you want to create.
- Each scopeName value (all and read in this example) is the name of a scope.
After the scopes are defined under the resource server, refer to them as resource_server.scope for subsequent tasks, such as creating the OAuth client and requesting an OAuth token. For example, PDCRSMResourceServer.all.
If the resource server is created successfully, you will see a response similar to this:
Successfully created entity - OAuthResourceServer, detail - IdentityDomain="PDC_RSM_Domain",Name="PDCRSMResourceServer",Description="Resource server for PDC REST Services Manager",
resourceServerId="4953a4f4-8c3f-41fd-99b5-837cfa9f9ecb",resourceServerNameSpacePrefix="PDCRSMResourceServer.",audienceClaim="{"subjects":["ab0"]}",
resServerType="CUSTOM_RESOURCE_SERVER",Scopes="[{"scopeName":"all","description":"All permissions"},{"scopeName":"read","description":"Read permissions"}]",
tokenAttributes="[{"attrName":"sessionId","attrValue":"$session.id","attrType":DYNAMIC},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":STATIC}]
Creating an OAuth Client for PDC REST Services Manager
You create an OAuth client for PDC REST Services Manager to authenticate requests.
To create an OAuth client, submit a request to the Add a new OAuth Client endpoint of the Oracle Access Management OAuth REST API. See "Add a new OAuth Client" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.
The following shows an example cURL request for creating a confidential OAuth client named PDCRSMClient with the PDCRSMResourceServer.all and default PDCRSMResourceServer.read scopes, an identity domain named PDC_RSM_Domain, and some custom attributes:
curl -k -u wls_admin:password -H 'Content-Type: application/json' 'http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client' \
-d '{"attributes":[{"attrName":"customAttribute1","attrValue":"Custom Value1","attrType":"static"},{"attrName":"customAttribute2","attrValue":"Custom Value2","attrType":"static"}],
"secret":"client_secret","id":"client_id","scopes":["PDCRSMResourceServer.all","PDCRSMResourceServer.read"],"clientType":"CONFIDENTIAL_CLIENT",
"idDomain":"PDC_RSM_Domain","description":"PDC RSM OAuth client","name":"PDCRSMClient","grantTypes":["CLIENT_CREDENTIALS"],
"defaultScope":"PDCRSMResourceServer.read","redirectURIs":[{"url":"http://redirect_host:redirect_port/oauth/callback","isHttps":true}]}'
where:
- client_id and client_secret are the client ID and client secret.
- redirect_host:redirect_port are the host name and port of your client application.
If the client is created successfully, the response will be similar to this:
Sucessfully created entity - OAuthClient, detail - OAuth Client - uid = 4b37dd63-08dd-45b5-b5a5-c1e788cb2ff2, name = PDCRSMClient, id = PDCRSMClientId,
identityDomain = PDC_RSM_Domain, description = PDC RSM OAuth client, secret = PDCRSMPassword, clientType = CONFIDENTIAL_CLIENT, grantTypes = [CLIENT_CREDENTIALS],
attributes = [{"attrName":"customAttribute1","attrValue":"Custom Value1","attrType":STATIC},{"attrName":"customAttribute2","attrValue":"Custom Value2","attrType":STATIC},
{"attrName":"sessionId","attrValue":"session.id","attrType":DYNAMIC},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":STATIC}], scopes =
[PDCRSMResourceServer.all, PDCRSMResourceServer.read], defaultScope = PDCRSMResourceServer.read, redirectURIs = [{"url":"http://redirect_host:redirect_port/oauth/callback","isHttps":true}]
Setting Up Security with Oracle Access Management in the PDC REST Services Manager Configuration File
To set the Oracle Access Management details in the PDC REST Services Manager application.yaml file:
- Open the PDC_RSM_home/apps/conf/application.yaml file in a text editor, where PDC_RSM_home is the directory in which you installed PDC REST Services Manager.
- Set the keys under security as shown in Table 10-2.
Table 10-2 Security Keys in the application.yaml File
Key | Description |
---|---|
enabled | Enables or disables security. Enable security in production environments by setting this to true. |
config.require-encryption | Controls whether requests require encryption using client_id and client_secret. Set this to false. |
properties.token-endpoint-uri | The URL for requesting an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token |
properties.introspect-endpoint-uri | The URL for validating an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token/info |
properties.oauth-identity-domain-name | The name of the OAuth identity domain that you created in "Creating an OAuth Identity Domain for PDC REST Services Manager". For example, PDC_RSM_Domain. |
properties.authorization-endpoint-uri | The URL for authorizing role-based access. PDC REST Services Manager does not support role-based access, so this is not used. For example, http://oam_host:oam_port/oauth2/authorize |
properties.frontend-uri | The URL for the OAuth client you created in "Creating an OAuth Client for PDC REST Services Manager". For example, http://oam_host:oam_port |
properties.proxy-host | The URL for your proxy server, if needed. |
properties.audience | The name of the OAuth resource server that you created in "Creating a Resource Server for PDC REST Services Manager". For example, PDCRSMResourceServer. |
properties.scope-audience | The primary audience for PDC REST Services Manager in the Oracle Access Management resource, used for error handling. This is the same as properties.frontend-uri, ending with /. For example, http://oam_host:oam_port/ |
providers.oamoidc.validate-with-jwk | Whether to validate with JSON web keys. Set this to false. |
providers.oamoidc.token-endpoint-uri | The URL for requesting an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token |
providers.oamoidc.authorization-endpoint-uri | The URL for authorizing role-based access. PDC REST Services Manager does not support role-based access, so this is not used. For example, http://oam_host:oam_port/oauth2/authorize |
providers.oamoidc.introspect-endpoint-uri | The URL for validating an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token/info |
providers.oamoidc.scope-audience | The primary audience for PDC REST Services Manager in the Oracle Access Management resource. Set this to "${ALIAS=security.properties.scope-audience}". |
providers.oamoidc.audience | The name of the OAuth resource server that you created in "Creating a Resource Server for PDC REST Services Manager". For example, PDCRSMResourceServer. |
providers.oamoidc.proxy-host | The URL for your proxy server, if needed. Set this to "${ALIAS=security.properties.proxy-host}". |
providers.oamoidc.frontend-uri | The URL for your application. Set this to "${ALIAS=security.properties.frontend-uri}". |
providers.oamoidc.cookie-use | Whether to use cookies. Set this to false. |
providers.oamoidc.header-use | Whether to use headers. Set this to true. |
providers.oamoidc.redirect | Whether to use a redirect URL. Set this to false. |
providers.oamoidc.oidc-metadata-well-known | Whether to use OpenID Connect Discovery metadata. Set this to false. |
providers.oamoidc.oauth-identity-domain-name | The name of the OAuth identity domain that you created in "Creating an OAuth Identity Domain for PDC REST Services Manager". For example, PDC_RSM_Domain. |
web-server.paths.methods | The methods allowed for the endpoint. For the projectPublishEvent endpoint, set this to ["get", "post"]. For the metrics endpoint, set this to ["get"]. |
web-server.paths.authenticate | Whether authentication is enabled for the endpoint. Set this to true. |
web-server.paths.authorize | Whether authorization is enabled for the endpoint. Set this to true. |
web-server.paths.abac.scopes | The scopes that control access to the endpoint. Use the scopes that you configured in "Creating a Resource Server for PDC REST Services Manager", without the resource server name. For example, read or all. |
- In the providers section, ensure that the oamoidc and abac providers are not commented out. Comment out the oidc provider.
- In the app.httpClients.security section, set the keys based on the type of authentication required by your enterprise product catalog. These keys allow you to secure outbound requests from PDC REST Services Manager to your enterprise product catalog. See "OAuth Configuration Properties for Outbound Requests" and "Basic Authentication Configuration Properties for Outbound Requests".
- Save and close the application.yaml file.
See "Example application.yaml Security Configuration with Oracle Access Management" for a sample file showing the appropriate properties.
- Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:
./RestServicesManager.sh restart
Requesting an OAuth Access Token from Oracle Access Management
You create an access token for OAuth authentication by submitting a request to the Create Access Token Flow endpoint of the Oracle Access Management OAuth REST API. For more information, see "Create Access Token Flow" in REST API for OAuth in Oracle Access Manager.
To request an OAuth access token, use cURL to send an HTTP/HTTPS request to the Oracle Access Management URL:
curl -i --header 'Authorization: Basic encoded_admin' \
--header "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--header "X-OAUTH-IDENTITY-DOMAIN-NAME: identity_domain" \
--request POST http://oam_host:oam_port/oauth2/rest/token \
--data-urlencode "grant_type=CLIENT_CREDENTIALS" \
--data-urlencode "scope=resource_server.scope"
where:
- encoded_admin is the base64-encoded format of the Oracle Access Management administrator user name and password.
- identity_domain is the name of the OAuth identity domain created in Oracle Access Management for PDC REST Services Manager.
- oam_host:oam_port is the host name and port for the Oracle Access Management server.
- resource_server is the name of the Oracle Access Management resource server created for PDC REST Services Manager.
- scope is the name of a scope.
The following shows an example cURL request for creating an OAuth access token for the PDC_RSM_Domain identity domain, PDCRSMResourceServer resource server, and all scope:
curl --location --header 'Authorization: Basic encoded_admin' \
--header "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--header "X-OAUTH-IDENTITY-DOMAIN-NAME: PDC_RSM_Domain" \
--request POST http://oam_host:oam_port/oauth2/rest/token \
--data-urlencode "grant_type=CLIENT_CREDENTIALS" \
--data-urlencode "scope=PDCRSMResourceServer.all"
If the request is successful, Oracle Access Management returns something similar to this:
{"access_token":"access_token",
"token_type":"Bearer","expires_in":3600}
Your client must pass this OAuth access token in the header of every HTTP/HTTPS request sent to the PDC REST Services Manager.
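The following is an added example, not part of the Oracle documentation, that assembles the two token requests shown above in code rather than cURL: the Basic credentials header, the form body with the provider-specific grant_type and scope, the X-OAUTH-IDENTITY-DOMAIN-NAME header that Oracle Access Management requires, the Bearer header derived from the token response, and a check that a cached token is replaced before its expires_in (3600 seconds in the identity domain created above) runs out. Host names, client credentials, function names and the idea of a leeway before expiry are assumptions made for this example.

```python
"""Added example: build the IDCS and OAM client-credentials token requests described
above, send one, and derive the Authorization header for PDC REST Services Manager calls.
Host names, credentials and scopes used in __main__ are constructed placeholders."""
import base64
import json
import urllib.parse
import urllib.request

FORM_CONTENT_TYPE = "application/x-www-form-urlencoded;charset=UTF-8"


def basic_auth_header(user: str, secret: str) -> str:
    """Base64-encode user:secret for the HTTP Basic Authorization header."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_idcs_token_request(idcs_hostname, client_id, client_secret, primary_audience, scope):
    """Request to https://idcs_hostname/oauth2/v1/token. The scope is the primary audience
    (host:port of the confidential application) followed by pubevent or metrics."""
    url = f"https://{idcs_hostname}/oauth2/v1/token"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": FORM_CONTENT_TYPE,
    }
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": f"https://{primary_audience}/{scope}",
    })
    return url, headers, body


def build_oam_token_request(oam_host_port, basic_user, basic_password,
                            identity_domain, resource_server, scope):
    """Request to http://oam_host:oam_port/oauth2/rest/token. The documentation authenticates
    this call with the Oracle Access Management administrator credentials, names the OAuth
    identity domain in a header, and writes scopes as resource_server.scope."""
    url = f"http://{oam_host_port}/oauth2/rest/token"
    headers = {
        "Authorization": basic_auth_header(basic_user, basic_password),
        "Content-Type": FORM_CONTENT_TYPE,
        "X-OAUTH-IDENTITY-DOMAIN-NAME": identity_domain,
    }
    body = urllib.parse.urlencode({
        "grant_type": "CLIENT_CREDENTIALS",
        "scope": f"{resource_server}.{scope}",
    })
    return url, headers, body


def send_token_request(url, headers, body, opener=urllib.request.urlopen):
    """POST the form body and decode the JSON token response
    ({"access_token": ..., "token_type": "Bearer", "expires_in": 3600})."""
    request = urllib.request.Request(url, data=body.encode("utf-8"),
                                     headers=headers, method="POST")
    with opener(request) as response:
        return json.loads(response.read().decode("utf-8"))


def bearer_header(token_response: dict) -> str:
    """Value of the Authorization header for every PDC REST Services Manager request."""
    if str(token_response.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unexpected token_type: {token_response.get('token_type')!r}")
    token = token_response.get("access_token")
    if not token:
        raise ValueError("token response carries no access_token")
    return f"Bearer {token}"


def refresh_due(obtained_at: float, expires_in: int, now: float, leeway: int = 60) -> bool:
    """True once the token is within `leeway` seconds of expiry (assumed margin), so the
    client requests a new token instead of sending one that PDC RSM will reject."""
    return now >= obtained_at + expires_in - leeway


if __name__ == "__main__":
    # Constructed placeholders; nothing is sent over the network here.
    url, headers, body = build_idcs_token_request(
        "idcs.example.com", "ClientID", "ClientSecret", "catalog.example.com:8080", "pubevent")
    print("POST", url)
    print(headers["Content-Type"], "|", body)
```

The body is produced with urllib.parse.urlencode, so the scope URL is percent-encoded as application/x-www-form-urlencoded requires; the cURL examples above send it raw, which the token endpoints also accept. Call send_token_request only with the real endpoint and credentials in place; the builders are enough to inspect what would be sent.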
Securing Inbound Communications
You secure communications sent from your enterprise product catalog to the PDC REST Services Manager APIs by enabling TLS in PDC REST Services Manager.
To secure inbound communications to PDC REST Services Manager:
- Create a PKCS12 certificate file.
- Copy the PKCS12 certificate file to a location that is accessible by PDC REST Services Manager, such as ~/certs.
- Edit the following entries in the PDC_RSM_home/apps/conf/application.yaml file:
- server.ssl.private-key.keystore-path: Set this to the file system path of the PKCS12 file containing the X.509 certificate and private key.
- server.ssl.private-key.keystore-passphrase: Set this to the password for the PKCS12 file. For example, if you used OpenSSL to create the PKCS12 certificate file, set it to the export password. For security, encrypt the password so it is not stored in clear text. See "Encrypting Sensitive Data" for more information.
Note:
Set the server.ssl.private-key.keystore-passphrase key only if the PKCS12 file was created using a password.
For example:
server:
  ...
  ssl:
    private-key:
      keystore-path: "/scratch/ri-user-1/certs/certificate.p12"
      keystore-passphrase: "${passPhrase}"
- Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:
./RestServicesManager.sh restart
Securing Outbound Requests to PDC
During installation, the PDC REST Services Manager installer prompts you for the information required to connect PDC REST Services Manager to PDC. To secure the communications from PDC REST Services Manager to PDC, enable the T3S protocol in PDC REST Services Manager.
To enable T3S in PDC REST Services Manager:
- Go to the PDC_RSM_home/apps/conf directory.
- In the application.yaml file, set the app.pdc.url key to the T3S protocol and a secure PDC port. For example:
app:
  pdc:
    url: "t3s://pdc.example.com:8002"
- Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:
./RestServicesManager.sh restart
If you want to change it to use the insecure T3 protocol, set the app.pdc.url key to the T3 protocol and an insecure PDC port. For example:
app:
  pdc:
    url: "t3://pdc.example.com:8001"
Encrypting Sensitive Data
You can encrypt sensitive data, such as passwords, by using the RestServicesManager.sh script.
To encrypt sensitive data:
- Go to the PDC_RSM_home/apps/bin directory, where PDC_RSM_home is the directory in which you installed PDC REST Services Manager.
- Run the following command:
./RestServicesManager.sh hash
The Enter value to hash prompt appears.
- Enter the sensitive information that you want to encrypt.
The encrypted password is displayed.
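The following is an added example, not part of the Oracle documentation, that audits the settings from "Securing Inbound Communications", "Securing Outbound Requests to PDC" and "Encrypting Sensitive Data" before a restart: security enabled, a PKCS12 keystore path present, app.pdc.url using t3s rather than t3, and the client secret and keystore passphrase not left in clear text. Settings are passed as a flat dictionary keyed by the dotted key names this chapter uses. The function names and the two sample configurations are constructed; treating only a ${name} reference (the form of the "${passPhrase}" example above) as a non-clear-text value is an assumption of this example.

```python
"""Added example: audit the security-relevant application.yaml settings described in this
chapter, keyed by their dotted names. Sample configurations are constructed for illustration."""
import re

SECRET_KEYS = (
    "security.properties.idcs-client-secret",
    "server.ssl.private-key.keystore-passphrase",
)
# Assumption: a value written as ${name} refers to a hashed value, as in "${passPhrase}" above.
ENCRYPTED_REFERENCE = re.compile(r"^\$\{[^}]+\}$")


def is_encrypted_reference(value) -> bool:
    """True for "${passPhrase}"-style references; a literal string is treated as clear text."""
    return bool(ENCRYPTED_REFERENCE.match(str(value).strip()))


def audit_security_settings(cfg: dict) -> list:
    """Return (key, problem) pairs; an empty list means every check passed."""
    findings = []
    if str(cfg.get("security.enabled", "false")).lower() != "true":
        findings.append(("security.enabled", "security is disabled; set it to true in production"))
    pdc_url = str(cfg.get("app.pdc.url", ""))
    if not pdc_url.startswith("t3s://"):
        findings.append(("app.pdc.url", f"PDC connection {pdc_url!r} does not use the T3S protocol"))
    keystore = cfg.get("server.ssl.private-key.keystore-path")
    if not keystore:
        findings.append(("server.ssl.private-key.keystore-path",
                         "no PKCS12 keystore configured; inbound TLS is not enabled"))
    elif not str(keystore).endswith((".p12", ".pfx")):
        findings.append(("server.ssl.private-key.keystore-path",
                         f"{keystore!r} does not look like a PKCS12 file"))
    for key in SECRET_KEYS:
        if key in cfg and not is_encrypted_reference(cfg[key]):
            findings.append((key, "stored in clear text; encrypt it with RestServicesManager.sh hash"))
    return findings


def weak_sample_config() -> dict:
    """Constructed: settings of the kind this chapter warns against."""
    return {
        "security.enabled": "false",
        "security.properties.idcs-client-secret": "s3cret-in-clear",
        "app.pdc.url": "t3://pdc.example.com:8001",
        "server.ssl.private-key.keystore-path": "/home/rsm/certs/certificate.p12",
        "server.ssl.private-key.keystore-passphrase": "changeit",
    }


def hardened_sample_config() -> dict:
    """Constructed: the same keys set the way this chapter recommends."""
    return {
        "security.enabled": "true",
        "security.properties.idcs-client-secret": "${clientSecret}",
        "app.pdc.url": "t3s://pdc.example.com:8002",
        "server.ssl.private-key.keystore-path": "/home/rsm/certs/certificate.p12",
        "server.ssl.private-key.keystore-passphrase": "${passPhrase}",
    }


if __name__ == "__main__":
    for name, cfg in (("weak", weak_sample_config()), ("hardened", hardened_sample_config())):
        findings = audit_security_settings(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for key, problem in findings:
            print(f"  {key}: {problem}")
```

Run the weak sample and it reports four findings (security disabled, T3 instead of T3S, and both secrets in clear text); the hardened sample reports none. To check a real file, load it with a YAML parser, flatten the nested keys into the dotted form, and pass the result to audit_security_settings.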
PDC REST Services Manager Security Configuration Reference Information
The following topics contain reference information about PDC REST Services Manager security configuration properties and sample application.yaml configuration files:
- OAuth Configuration Properties for Outbound Requests
- Basic Authentication Configuration Properties for Outbound Requests
- Example application.yaml Security Configuration with Oracle Identity Cloud Service
- Example application.yaml Security Configuration with Oracle Access Management
OAuth Configuration Properties for Outbound Requests
Table 10-3 describes the keys to configure when your enterprise product catalog uses an OAuth 2.0 authentication type. All keys are nested under app.httpClients.security.oauth2.
Table 10-3 OAuth 2.0 Keys
Key | Description |
---|---|
tokenEndpoint | The URL for requesting an OAuth token. For example, http://host:port/oauth2/rest/token. |
clientId | The client ID used to authenticate the request from PDC REST Services Manager. |
clientSecret | The encrypted client secret used to authenticate the request from PDC REST Services Manager. To encrypt the client secret, see "Encrypting Sensitive Data". |
scope | The scopes required by the enterprise product catalog. If you are using Oracle Access Management, use the format resourceServerName.scope. For example, ResourceServer.read. If you are using Oracle Identity Cloud Service, use the format urn:opc:resource:consumer::scope. |
grantType | The grant type to be used for the OAuth flow: client_credentials or password. If you are using Oracle Access Management, only client_credentials is supported. |
username | The user name required for accessing the enterprise product catalog. Set this only when grantType is password. |
password | The encrypted password required for accessing the enterprise product catalog. To encrypt the password, see "Encrypting Sensitive Data". Set this only when grantType is password. |
domainId | The Oracle Access Management identity domain. Set this only when using Oracle Access Management. |
The following shows an example configuration when grantType is client_credentials.
app:
  httpClients:
    - urlRegex: "local.*:8889"
      security:
        oauth2:
          tokenEndpoint: "http://host:port/oauth2/v1/token"
          clientId: "ClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "https://hostnameurn:opc:resource:consumer::all"
          grantType: "client_credentials"
The following shows an example configuration when grantType is password:
app:
  httpClients:
    - urlRegex: "local.*:8889"
      security:
        oauth2:
          tokenEndpoint: "http://host:port:8889/oauth2/v1/token"
          clientId: "ClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "https://hostnameurn:opc:resource:consumer::all"
          grantType: "password"
          username: "ApplicationUsername"
          password: "EncryptedApplicationPassword"
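The following is an added example, not part of the Oracle documentation, that checks a set of app.httpClients.security.oauth2 keys against the rules in Table 10-3 before the file is deployed: the required keys, the two permitted grant types, username and password being set only with the password grant, and the domainId key and client_credentials restriction that apply only with Oracle Access Management. The provider argument ("idcs" or "oam"), the function name and the sample key sets (taken from the two example configurations above) are assumptions made for this example.

```python
"""Added example: validate the app.httpClients.security.oauth2 keys against Table 10-3.
The provider argument and sample key sets are constructed for illustration."""

ALLOWED_GRANT_TYPES = ("client_credentials", "password")
REQUIRED_KEYS = ("tokenEndpoint", "clientId", "clientSecret", "scope", "grantType")
IDCS_SCOPE_MARKER = "urn:opc:resource:consumer::"


def validate_oauth2_keys(oauth2: dict, provider: str) -> list:
    """Return a list of problems; an empty list means the key set follows Table 10-3."""
    if provider not in ("idcs", "oam"):
        raise ValueError("provider must be 'idcs' or 'oam'")
    problems = []
    for key in REQUIRED_KEYS:
        if not oauth2.get(key):
            problems.append(f"{key} is required")
    grant_type = oauth2.get("grantType")
    if grant_type and grant_type not in ALLOWED_GRANT_TYPES:
        problems.append(f"grantType must be one of {ALLOWED_GRANT_TYPES}, got {grant_type!r}")
    # username and password are meaningful only for the password grant.
    if grant_type == "password":
        for key in ("username", "password"):
            if not oauth2.get(key):
                problems.append(f"{key} is required when grantType is password")
    else:
        for key in ("username", "password"):
            if key in oauth2:
                problems.append(f"{key} must be set only when grantType is password")
    scope = str(oauth2.get("scope", ""))
    if provider == "oam":
        if grant_type != "client_credentials":
            problems.append("Oracle Access Management supports only grantType client_credentials")
        if not oauth2.get("domainId"):
            problems.append("domainId is required when using Oracle Access Management")
        if scope and "." not in scope:
            problems.append("scope must use the format resourceServerName.scope with Oracle Access Management")
    else:
        if "domainId" in oauth2:
            problems.append("domainId must be set only when using Oracle Access Management")
        if scope and IDCS_SCOPE_MARKER not in scope:
            problems.append(f"scope must use the format {IDCS_SCOPE_MARKER}scope with Oracle Identity Cloud Service")
    return problems


def idcs_client_credentials_sample() -> dict:
    """Constructed from the client_credentials example above."""
    return {
        "tokenEndpoint": "http://host:port/oauth2/v1/token",
        "clientId": "ClientID",
        "clientSecret": "EncryptedClientSecret",
        "scope": "https://hostnameurn:opc:resource:consumer::all",
        "grantType": "client_credentials",
    }


def oam_client_credentials_sample() -> dict:
    """Constructed from the Oracle Access Management example later in this chapter."""
    return {
        "tokenEndpoint": "http://oam_host:oam_port/oauth2/rest/token",
        "clientId": "EncryptedClientID",
        "clientSecret": "EncryptedClientSecret",
        "scope": "ResourceServer.all",
        "grantType": "client_credentials",
        "domainId": "OAM_Domain",
    }


if __name__ == "__main__":
    print("idcs:", validate_oauth2_keys(idcs_client_credentials_sample(), "idcs"))
    broken = dict(idcs_client_credentials_sample(), grantType="password")
    print("idcs password grant without credentials:", validate_oauth2_keys(broken, "idcs"))
    print("oam:", validate_oauth2_keys(oam_client_credentials_sample(), "oam"))
```

Both sample key sets pass for their own provider; switching the Oracle Identity Cloud Service sample to the password grant without adding username and password, or giving the Oracle Access Management sample the password grant, produces the corresponding problems.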
Basic Authentication Configuration Properties for Outbound Requests
Table 10-4 describes the keys to configure when your enterprise product catalog uses a Basic authentication type. All keys are nested under app.httpClients.security.basicAuth.
Table 10-4 basicAuth Keys
Key | Description |
---|---|
username | The user name required for accessing the enterprise product catalog. |
password | The password required for accessing the enterprise product catalog. |
The following shows an example configuration for Basic authentication:
app:
  httpClients:
    - urlRegex: "local.*:8889"
      security:
        basicAuth:
          username: "ApplicationUsername"
          password: "ApplicationPassword"
Example application.yaml Security Configuration with Oracle Identity Cloud Service
The following shows sample entries in the application.yaml file for configuring PDC REST Services Manager OAuth security with Oracle Identity Cloud Service:
security:
  config.require-encryption: true
  enabled: true
  properties:
    idcs-uri: "idcsURI"
    idcs-client-id: "clientId"
    idcs-client-secret: ${clientSecret}
    frontend-uri: "http://localhost:8080"
    audience: "http://localhost:8080/"
    proxy-host: ""
  providers:
    - abac:
      # Adds ABAC Provider - it does not require any configuration
    - oidc:
        validate-with-jwk: false
        client-id: "${ALIAS=security.properties.idcs-client-id}"
        client-secret: "${ALIAS=security.properties.idcs-client-secret}"
        identity-uri: "${ALIAS=security.properties.idcs-uri}"
        realm: "pdcrsm"
        audience: "${ALIAS=security.properties.audience}"
        proxy-host: "${ALIAS=security.properties.proxy-host}"
        redirect: false
        cookie-use: false
        header-use: true
    #- oamoidc:
    #    validate-with-jwk: false
    #    token-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token"
    #    authorization-endpoint-uri: "http://oam_host:oam_port/oauth2/authorize"
    #    introspect-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token/info"
    #    scope-audience: "${ALIAS=security.properties.scope-audience}"
    #    audience: "PDCRSMResourceServer"
    #    proxy-host: "${ALIAS=security.properties.proxy-host}"
    #    frontend-uri: "${ALIAS=security.properties.frontend-uri}"
    #    redirect: false
    #    cookie-use: false
    #    header-use: true
    #    oidc-metadata-well-known: false
    #    oauth-identity-domain-name: "PDC_RSM_Domain"
  # Comment/Uncomment/Override for protection of resources
  web-server:
    paths:
      - path: "/productCatalogManagement/v1/projectPublishEvent[/{*}]"
        methods: ["get", "post"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["pubevent"]
      - path: "/metrics[/{*}]"
        methods: ["get"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["metrics"]
...
app:
  httpClients:
    - urlRegex: "http://catalog_host:catalog_port/*"
      security:
        oauth2:
          tokenEndpoint: "http://hostname/oauth2/v1/token"
          clientId: "ClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "https://hostnameurn:opc:resource:consumer::all"
          grantType: "client_credentials"
  pdc:
    url: "t3s://pdc_host:secure_pdc_port"
...
server:
  ...
  ssl:
    private-key:
      keystore-path: "file_path/certificate.p12"
      keystore-passphrase: "${passPhrase}"
Example application.yaml Security Configuration with Oracle Access Management
The following shows sample entries in the application.yaml file for configuring PDC REST Services Manager OAuth security with Oracle Access Management:
security:
  config.require-encryption: false
  enabled: true
  properties:
    token-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token"
    introspect-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token/info"
    oauth-identity-domain-name: "PDC_RSM_Domain"
    authorization-endpoint-uri: "http://oam_host:oam_port/oauth2/authorize"
    frontend-uri: "http://localhost:8080"
    proxy-host: ""
    audience: "PDCRSMResourceServer"
    scope-audience: "http://localhost:8080/"
  providers:
    - abac:
      # Adds ABAC Provider - it does not require any configuration
    #- oidc:
    #    validate-with-jwk: false
    #    client-id: "${ALIAS=security.properties.idcs-client-id}"
    #    client-secret: "${ALIAS=security.properties.idcs-client-secret}"
    #    identity-uri: "${ALIAS=security.properties.idcs-uri}"
    #    realm: "pdcrsm"
    #    audience: "${ALIAS=security.properties.audience}"
    #    proxy-host: "${ALIAS=security.properties.proxy-host}"
    #    redirect: false
    #    cookie-use: false
    #    header-use: true
    - oamoidc:
        validate-with-jwk: false
        token-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token"
        authorization-endpoint-uri: "http://oam_host:oam_port/oauth2/authorize"
        introspect-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token/info"
        scope-audience: "${ALIAS=security.properties.scope-audience}"
        audience: "PDCRSMResourceServer"
        proxy-host: "${ALIAS=security.properties.proxy-host}"
        frontend-uri: "${ALIAS=security.properties.frontend-uri}"
        redirect: false
        cookie-use: false
        header-use: true
        oidc-metadata-well-known: false
        oauth-identity-domain-name: "PDC_RSM_Domain"
  # Comment/Uncomment/Override for protection of resources
  web-server:
    paths:
      - path: "/productCatalogManagement/v1/projectPublishEvent[/{*}]"
        methods: ["get", "post"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["read", "all"]
      - path: "/metrics[/{*}]"
        methods: ["get"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["read", "all"]
...
app:
  httpClients:
    - urlRegex: "http://catalog_host:catalog_port/*"
      security:
        oauth2:
          tokenEndpoint: "http://oam_host:oam_port/oauth2/rest/token"
          clientId: "EncryptedClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "ResourceServer.all"
          grantType: "client_credentials"
          domainId: "OAM_Domain"
  pdc:
    url: "t3s://pdc_host:secure_pdc_port"
...
server:
  ...
  ssl:
    private-key:
      keystore-path: "file_path/certificate.p12"
      keystore-passphrase: "${passPhrase}"