Provision and Configure Oracle Cloud Infrastructure Services
This section summarizes the provisioning and configuration of Oracle WebLogic Server for OCI and the other services required for your Oracle Fusion extension applications, including single sign-on (SSO) and web services security configuration. See the full product documentation for details.
Configuration | Required | Notes |
---|---|---|
Basic Domain (non-JRF) | N/A | none |
Configure SSL Domain (Post creation) | Required | none |
Database configuration | Required | none |
Oracle Identity Cloud Service WebLogic Authentication | Required | none |
Integrate OPSS User and Group APIs with Oracle Identity Cloud Service | Optional | Required if app is using Oracle Platform Security Services (OPSS) to create authorization policies |
JRF-Enabled Domain | Required | none |
Load Balancer and SSL Enabled | Required | Must be configured as a public Load Balancer. Additionally, you will need to obtain a CA certificate and import it to your Load Balancer. |
Local VCN Peering | Optional | Required if VCNs for Oracle WebLogic Server for OCI and database instances are different. |
Minimum Oracle WebLogic Server Version | Required | 12.2.1.3 or later |
Private Subnet for WLS Domain | Optional | none |
Oracle WebLogic Server Edition | Required | Enterprise Edition |
Oracle WebLogic Server Nodes | Required | Minimum 1, maximum 8. Oracle Java Cloud Service - SaaS Extension supported 1, 2, or 4 nodes. |
WebLogic VM Shape | Required | 1 OCPU / 8 GB RAM or larger shape. |
Perform Prerequisite Steps for Oracle WebLogic Server for OCI Deployment
A number of prerequisites are needed before you can deploy Oracle WebLogic Server for OCI.
Create an Oracle WebLogic Server for OCI Instance
Create a JRF-enabled domain instance of Oracle WebLogic Server for OCI to host your Java applications.
From Marketplace, create a stack by entering parameters that automatically create a domain. When creating a JRF-enabled domain, you specify an Oracle Autonomous Transaction Processing database or Oracle Cloud Infrastructure Database. You can also specify a public subnet (either regional or availability domain-specific) or a private subnet for the domain. You must specify Oracle WebLogic Server 12c as the version for a JRF-enabled domain if you intend to use an Oracle Autonomous Transaction Processing database.
Create a Database Source for Application Data
Create a database source to store data for your Java applications that will run on Oracle WebLogic Server for OCI.
You can choose to use Oracle Autonomous Transaction Processing or Oracle Cloud Infrastructure Database (DB System) to store your application data.
Oracle WebLogic Server for OCI provides two utility scripts to help you create Oracle Autonomous Transaction Processing data sources: a download script that downloads the wallet files to a node, and a create script that creates the data source using the wallet files and data source properties you provide. To run the scripts, you need to access the nodes in your WebLogic domain as the opc user. The scripts are located in /opt/scripts/utils and can only be run as the oracle user.
Use the Oracle WebLogic Server Administration Console to create a data source and establish a connection with an Oracle Cloud Infrastructure Database (DB System). After verifying the PDB name for your DB System, use the Oracle WebLogic Server Administration Console to create a Java Database Connectivity (JDBC) data source.
Whichever data source you use, the database must allow the Oracle WebLogic Server compute instances to access the database listen port (1521 by default). Update your access control list (ACL), if necessary.
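The following added example (not part of the Oracle documentation) audits a set of ingress rules to confirm that the WebLogic subnet can reach the listen port and to flag any rule that opens the port to a wider source. The rule layout follows the JSON that the OCI CLI prints for security-list ingress rules; the CIDRs and rules are constructed, and IPv4 CIDR sources are assumed.

```python
import ipaddress

DB_LISTEN_PORT = 1521  # default database listen port named on this page

# Constructed sample rules (protocol "6" is TCP); not from a real tenancy.
SAMPLE_RULES = [
    {"protocol": "6", "source": "10.0.2.0/24",
     "tcp-options": {"destination-port-range": {"min": 1521, "max": 1521}}},
    {"protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 1500, "max": 1600}}},
    {"protocol": "6", "source": "10.0.9.0/24",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}},
]

def admits_port(rule, port):
    """True if a TCP or all-protocol rule admits the destination port."""
    if rule["protocol"] not in ("6", "all"):
        return False
    options = rule.get("tcp-options") or {}
    port_range = options.get("destination-port-range")
    if port_range is None:          # no range given: every port is admitted
        return True
    return port_range["min"] <= port <= port_range["max"]

def audit_listener_access(rules, wls_subnet, port=DB_LISTEN_PORT):
    """Return (wls_can_reach_listener, sources_wider_than_wls_subnet)."""
    wls = ipaddress.ip_network(wls_subnet)
    reachable, too_broad = False, []
    for rule in rules:
        if not admits_port(rule, port):
            continue
        source = ipaddress.ip_network(rule["source"])
        if wls.subnet_of(source):       # rule covers the WebLogic nodes
            reachable = True
        if not source.subnet_of(wls):   # rule also admits hosts outside them
            too_broad.append(rule["source"])
    return reachable, too_broad

if __name__ == "__main__":
    ok, broad = audit_listener_access(SAMPLE_RULES, "10.0.2.0/24")
    print("WebLogic subnet can reach listener:", ok)
    print("Rules wider than the WebLogic subnet:", broad)
```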
Details of these database source creation and configuration steps are in the Oracle WebLogic Server for OCI product documentation.
Configure OAuth-Based Authentication in Oracle Identity Cloud Service for RESTful Web Services
To enable RESTful Web Services data interactions, you can configure Oracle Identity Cloud Service to handle OAuth-based authentication by modifying the Confidential Application.
When the Oracle WebLogic Server for OCI is deployed, it is registered with the Oracle Identity Cloud Service instance associated with your Fusion Applications SaaS instance, which itself is federated for single sign-on (SSO), with Fusion Applications acting as the identity provider. However, this only enables user pass-through authentication. To secure REST-based web services, use OAuth-based token exchange between Oracle Web Services Manager and Oracle Identity Cloud Service.
All JRF-enabled domains include Oracle Web Services Manager, which provides a policy framework to manage and secure web services consistently across your organization. Both Oracle Web Services Manager and Oracle Identity Cloud Service support the OAuth protocol. The web service client requests an access token by authenticating with the authorization server (Oracle Identity Cloud Service) and presenting the authorization grant. The Oracle Web Services Manager server-side agent validates the access token and then accepts the client request if valid.
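The following added example (not Oracle's code and not how Oracle Web Services Manager is implemented) shows the kind of checks a server-side agent applies before accepting a bearer token: signature, expiry, audience and scope. To run offline it assumes a JWT-format token signed with a shared HS256 key as a stand-in for the authorization server's signing key; the key, audience URL and scope names are constructed.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-key"   # constructed stand-in for the server's key

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(head, body, key):
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def mint_token(claims, key=DEMO_KEY):
    """Stand-in for the authorization server issuing an access token."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head, body, key))}"

def validate_token(token, audience, scope, key=DEMO_KEY, now=None):
    """Resource-side checks before a request is accepted: (accepted, reason)."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(unb64url(head)), json.loads(unb64url(body))
        given = unb64url(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and claims must be JSON objects")
    except ValueError:
        return False, "malformed token"
    if header.get("alg") != "HS256":   # pin the algorithm, do not trust the header
        return False, "unexpected algorithm"
    if not hmac.compare_digest(sign(head, body, key), given):
        return False, "bad signature"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return False, "expired"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if scope not in str(claims.get("scope", "")).split():
        return False, "missing scope"
    return True, "ok"
```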
Configure SOAP Services for Identity Propagation
If your Java application needs to access a Fusion-based Oracle Applications SOAP Web Services endpoint, you must perform some manual configuration steps to set up identity propagation.
Because the security configuration for SOAP web service interactions requires you to contact Oracle Support to get a certificate, Oracle recommends using REST web service protocols instead whenever possible. REST identity propagation is pre-configured, which avoids this manual configuration and support ticket requirement.
Fusion Applications SOAP WSDLs contain an X509 certificate in binary form that needs to be imported into the client machine certificate keystore. This allows the client application to encrypt web service requests to Fusion Applications and the Fusion Applications environment to decrypt those requests successfully. In addition, a certificate needs to be generated on the client machine and then imported into the Fusion Applications environment certificate keystore. Oracle Support can help with importing the certificate into a Fusion Applications environment.
The two certificates enable two-way SSL, which is a requirement of the SAML implementation in Fusion Applications and is part of the WS-Security 1.1 specification.
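The following added example (not part of the Oracle documentation) pulls the embedded certificate out of a WSDL, writes it as PEM, and computes a SHA-256 fingerprint to compare before the certificate is imported into the client keystore. It assumes the certificate is carried in a standard XML-DSig `X509Certificate` element; the WSDL snippet is constructed and the certificate bytes are a placeholder, not a real certificate.

```python
import base64, hashlib, textwrap
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder bytes standing in for the DER-encoded certificate.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER certificate " * 3

# Constructed, simplified WSDL; real WSDLs nest the element more deeply.
SAMPLE_WSDL = f"""<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:dsig="{DSIG_NS}">
  <wsdl:service name="ExampleService">
    <dsig:KeyInfo><dsig:X509Data>
      <dsig:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</dsig:X509Certificate>
    </dsig:X509Data></dsig:KeyInfo>
  </wsdl:service>
</wsdl:definitions>"""

def extract_certificates(wsdl_text):
    """Return the DER bytes of every X509Certificate element in the WSDL."""
    root = ET.fromstring(wsdl_text)   # parse only WSDLs fetched from a trusted endpoint
    certs = []
    for node in root.iter(f"{{{DSIG_NS}}}X509Certificate"):
        b64 = "".join((node.text or "").split())   # drop line wraps and indentation
        certs.append(base64.b64decode(b64, validate=True))
    return certs

def to_pem(der):
    """Wrap DER bytes in PEM armor with 64-character lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint of the DER bytes."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

if __name__ == "__main__":
    for der in extract_certificates(SAMPLE_WSDL):
        print(sha256_fingerprint(der))
        print(to_pem(der))
```

Compare the printed fingerprint with a value obtained through a trusted channel before importing the PEM file into the client keystore.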
To configure your environment for identity propagation for SOAP Web Services, you will use your Oracle WebLogic Server for OCI as a SOAP Client and your Fusion Applications service will be a SOAP Service. You will use Oracle Web Services Manager (OWSM) Policies for identity propagation.