Provision and Configure Oracle Cloud Infrastructure Services

This section summarizes the provisioning and configuration of Oracle WebLogic Server for OCI and the other services that your Oracle Fusion extension applications require, including Single Sign-On (SSO) and web services security configuration. See the full product documentation for details.

Configuration | Required | Notes
------------- | -------- | -----
Basic Domain (non-JRF) | N/A | none
Configure SSL Domain (post creation) | Required | none
Database configuration | Required | none
Oracle Identity Cloud Service WebLogic Authentication | Required | none
Integrate OPSS User and Group APIs with Oracle Identity Cloud Service | Optional | Required if the application uses Oracle Platform Security Services (OPSS) to create authorization policies
JRF-Enabled Domain | Required | none
Load Balancer and SSL Enabled | Required | Must be configured as a public Load Balancer. You also need to obtain a CA certificate and import it to your Load Balancer.
Local VCN Peering | Optional | Required if the VCNs for Oracle WebLogic Server for OCI and the database instances are different
Minimum Oracle WebLogic Server Version | Required | 12.2.1.3 or later
Private Subnet for WLS Domain | Optional | none
Oracle WebLogic Server Edition | Required | Enterprise Edition
Oracle WebLogic Server Nodes | Required | Minimum 1, maximum 8. Oracle Java Cloud Service - SaaS Extension supported 1, 2, or 4 nodes.
WebLogic VM Shape | Required | 1 OCPU / 8 GB RAM or larger shape

Perform Prerequisite Steps for Oracle WebLogic Server for OCI Deployment

A number of prerequisites are needed before you can deploy Oracle WebLogic Server for OCI.

The Oracle WebLogic Server for OCI documentation provides detailed information about the configuration prerequisites required before you can deploy Oracle WebLogic Server for OCI. Here is a summary of prerequisite steps with some key requirements. Check the Oracle WebLogic Server for OCI product documentation for details about each choice, requirement, and step.
  1. Create a database in Oracle Cloud Infrastructure.
    A JRF-enabled domain supports the Oracle Application Development Framework (ADF). When you create a domain with Oracle WebLogic Server for OCI and associate it with an existing database, Oracle WebLogic Server for OCI does the following:
    • Provisions the schemas to support the JRF components in the selected database
    • Provisions data sources in the domain that provide connectivity to the selected database
    • Deploys the JRF components and libraries to the domain

    Choose one of these database options:

    • Oracle Autonomous Transaction Processing (recommended)
    • Oracle Cloud Infrastructure supported Bare Metal and Virtual Machine DB Systems
    Check the Oracle WebLogic Server for OCI product documentation for details.
  2. Oracle WebLogic Server for OCI can create a Virtual Cloud Network and one or more subnets in Oracle Cloud Infrastructure for a new Oracle WebLogic Server domain, or you can choose to create your own VCN and subnet(s) manually, before creating a domain.
  3. Oracle recommends creating your Oracle WebLogic Server for OCI domain in a private subnet for security reasons. Create a separate subnet for the bastion node.
    1. To access the Oracle WebLogic Server Administration Console and Oracle Enterprise Manager dashboard, create dynamic port tunneling with the bastion node and use a SOCKS5 proxy with the selected port.
    2. Access the Oracle WebLogic Server Administration Console in a private subnet.
      Oracle WebLogic Server compute instances assigned to a private subnet are not accessible from the public Internet. To access the Oracle WebLogic Server Administration Console to administer such instances, you can use the bastion instance that's created on a public subnet and dynamic port forwarding with a secure shell (SSH) utility.
    3. Similarly, access the Fusion Middleware Control Console in a private subnet, again by using the bastion instance with dynamic port forwarding.
    4. Create a route rule to allow Oracle WebLogic Server for OCI Compute instances to access the public Internet. In the Route Table for your private subnet, create a rule with Destination 0.0.0.0/0, Target Type NAT Gateway.
  4. In the Oracle Identity Cloud Service instance associated with your Oracle Fusion Applications instance, create a Confidential Application, and then identify its client ID and client secret.
    1. In the Oracle Identity Cloud Service console, select the Application tab, click Add, and then in the Add Application window, select Confidential Application.
    2. On the Details page, give the new application a name. Other details are optional.
    3. On the Client page, select Configure this Application as a Client Now.
    4. Under Authorization, enable the following Allowed Grant Types: Resource Owner, Client Credentials, and JWT Assertion.
    5. Click Next, and on the Authorization page, click Finish to save the application.
    6. Make a copy of the client ID and client secret in the Application Added notification box.
    7. Now that the application is created and saved, click the Configuration tab, and expand the Client Configuration section.
    8. In Token Issuance Policy, within the Grant the client access to Identity Cloud Service Admin APIs subsection, click on the Add button and select the Identity Domain Administrator role.
    9. Click Save.
    10. Activate the new application. Select Applications, and then select the application. Click Activate next to the application name.
  5. Prepare Vault secrets: an encryption key and secrets for passwords.
    An encryption key allows you to encrypt the contents of secrets required for Oracle WebLogic Server for OCI. You can use an existing key, or use Oracle Cloud Infrastructure Vault to create a vault and encryption key.
    Use secrets in Oracle Cloud Infrastructure Vault to store the passwords that you need to create a domain within Oracle WebLogic Server for OCI. You must provide secrets for these passwords:
    • Administrator password for the new domain
    • Administrator password for the database
    • Client secret for the Confidential Application you created in Oracle Identity Cloud Service for authentication
    1. Create a Vault service instance in the Oracle Cloud Infrastructure console, by selecting Vault, in the Security area.
    2. Create an encryption key. Select your Vault Instance, and click Master Encryption Key.
    3. To create secrets for the passwords mentioned above, navigate to the Vault that contains your encryption key. Complete the following steps for each of the secrets you need to create.
    4. Click Secrets, and then click Create Secret.
    5. Enter a name to identify the secret.
    6. Select your encryption key.
      The key is used to encrypt the secret contents while they're imported to the vault.
    7. In Secret Contents, enter the password you want to store in this secret.
      Ensure the password meets the rules for the account with which it will be used. Passwords entered in plain-text are base64-encoded before they are sent to Oracle WebLogic Server for OCI.
    8. Click Create Secret.
    9. When the secret is created, click the name. Copy the OCID for the secret.

Create an Oracle WebLogic Server for OCI Instance

Create a JRF-enabled domain instance of Oracle WebLogic Server for OCI to host your Java applications.

The Oracle WebLogic Server for OCI documentation provides detailed information about the steps to create your Oracle WebLogic Server for OCI instance. Here is a summary of the steps. Check the Oracle WebLogic Server for OCI product documentation for details about each step.

From Marketplace, create a stack by entering parameters that automatically create a domain. When creating a JRF-enabled domain, you specify an Oracle Autonomous Transaction Processing database or Oracle Cloud Infrastructure Database. You can also specify a public subnet (either regional or availability domain-specific) or a private subnet for the domain. You must specify Oracle WebLogic Server 12c as the version for a JRF-enabled domain if you intend to use an Oracle Autonomous Transaction Processing database.

  1. Use Marketplace to specify initial stack information. In the Oracle Cloud Infrastructure console, navigate to the Marketplace section and select Applications.
  2. In the Search field, type Oracle WebLogic Server Cloud, and select the desired Stack to create.
    The stack choices correspond to different editions and license offers. Oracle may change the offers available from time to time. At the time of this publication, Oracle offered Bring Your Own License (BYOL) and Universal Credit Model (UCM) license options. For example: Enterprise Edition BYOL, Standard Edition BYOL, or Enterprise Edition UCM.
  3. In the pop-up menu, select your preferred version, and select your target Compartment. Acknowledge that you have reviewed and accepted the Oracle Standard Terms and Restrictions by selecting the check box, and then click Launch Stack.
  4. In the Stack Information step, you can optionally change the default name, add a description, and apply tags. Then click Next.
  5. On the Configure Variables page of the wizard, configure instance parameters. You will need to specify the resource name prefix, and a shape and OCPU count for compute instances. Enter the SSH public key, select the number of managed servers you want to create, a user name for the Oracle WebLogic Server administrator, and the OCID of the secret that contains the password for this administrator.
  6. On the same page, select WLS Instance Advanced Configuration, and configure advanced parameters for a domain. You can change default port numbers and remove the sample application here.
  7. Select the VCNs that you created for your Oracle WebLogic Server instance. Configure network parameters and WebLogic Server console ports as needed.
  8. Select Provision Load Balancer and configure the load balancer network for HTTPS.
    You may find that the default timeout value causes issues. Oracle suggests setting the Load Balancer timeout to 60 seconds as a starting point, and then adjusting if needed. After the Oracle WebLogic Server for OCI provisioning is completed, navigate to your Load Balancer in the Oracle Cloud Infrastructure console and change the configuration settings there.
  9. Select Enable Authentication Using Identity Cloud Service. Enter your tenant name, which is also referred to as the instance ID. Enter the client ID of the Confidential Application you created earlier, and enter the OCID of the secret that contains the client secret of that application.
  10. In the Database section, select Provision with JRF, and then enter the details from the database you created earlier. The database is not for application data - it contains the required infrastructure schemas for the JRF-enabled domain. You will need to provide the compartment, database, VCN if it is different from the WebLogic Server VCN, and the OCID of the secret that contains the password for the database administrator account.
  11. Review the summary in the wizard and then click Create.

Create a Database Source for Application Data

Create a database source to store data for your Java applications that will run on Oracle WebLogic Server for OCI.

You can choose to use Oracle Autonomous Transaction Processing or Oracle Cloud Infrastructure Database (DB System) to store your application data.

Oracle WebLogic Server for OCI provides two utility scripts to help you create Oracle Autonomous Transaction Processing data sources: a download script that downloads the wallet files to a node, and a create script that creates the data source using the wallet files and data source properties you provide. To run the scripts, you need to access the nodes in your WebLogic domain as the opc user. The scripts are located in /opt/scripts/utils and can only be run as the oracle user.

Use the Oracle WebLogic Server Administration Console to create a data source and establish a connection with an Oracle Cloud Infrastructure Database (DB System). After verifying the PDB name for your DB System, use the Oracle WebLogic Server Administration Console to create a Java Database Connectivity (JDBC) data source.

Whichever data source you use, the database must allow the Oracle WebLogic Server compute instances to access the database listen port (1521 by default). Update your access control list (ACL), if necessary.

Details of these database source creation and configuration steps are in the Oracle WebLogic Server for OCI product documentation.

Configure OAuth-Based Authentication in Oracle Identity Cloud Service for RESTful Web Services

To enable RESTful Web Services data interactions, you can configure Oracle Identity Cloud Service to handle OAuth-based authentication by modifying the Confidential Application.

When Oracle WebLogic Server for OCI is deployed, it is registered with the Oracle Identity Cloud Service instance associated with your Fusion Applications SaaS instance, which itself is federated for single sign-on (SSO), with Fusion Applications acting as the identity provider. However, this only enables user pass-through authentication. To secure REST-based web services, use OAuth-based token exchange between Oracle Web Services Manager and Oracle Identity Cloud Service.

All JRF-enabled domains include Oracle Web Services Manager, which provides a policy framework to manage and secure web services consistently across your organization. Both Oracle Web Services Manager and Oracle Identity Cloud Service support the OAuth protocol. The web service client requests an access token by authenticating with the authorization server (Oracle Identity Cloud Service) and presenting the authorization grant. The Oracle Web Services Manager server-side agent validates the access token and then accepts the client request if valid.
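As an added example (not from the Oracle documentation), the token exchange described above in Python: the client-credentials request a web service client sends to the Oracle Identity Cloud Service token endpoint, and a troubleshooting check of the claims in the access token it gets back. The tenant URL, client ID and Fusion scope are taken from the examples later in this section; the issuer value and the JWT layout used for the offline test are assumptions.

```python
import base64
import json
import time
from urllib.parse import urlencode, urlparse


def build_token_request(token_uri, client_id, client_secret, scope):
    """Return (url, headers, body) for an RFC 6749 client_credentials grant.

    The confidential application authenticates with HTTP Basic, so the
    endpoint must be HTTPS or the client secret is exposed on the wire.
    """
    if urlparse(token_uri).scheme != "https":
        raise ValueError("token endpoint must use https: " + token_uri)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_uri, headers, body


def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_access_token(token, expected_scope, expected_issuer, now=None):
    """Decode the JWT payload and list claim problems (empty list = looks right).

    Troubleshooting aid for checking what Oracle Identity Cloud Service issued.
    It does not verify the signature, so its result must never be used to
    authorise a request. Assumes the scope claim is space-separated like the
    OAuth scope parameter, and that the caller knows the issuer to expect.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, _signature = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError("JWT segments must be JSON objects")
    except ValueError:
        return ["token is not a three-part JWT"]
    problems = []
    if str(header.get("alg", "none")).lower() == "none":
        problems.append("alg=none: unsigned tokens must be rejected")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if claims.get("iss") != expected_issuer:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    granted = set(str(claims.get("scope", "")).split())
    if expected_scope not in granted:
        problems.append(f"scope not granted: {expected_scope}")
    return problems


def make_test_token(claims, alg="RS256"):
    """Constructed JWT with a placeholder signature, for offline testing only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': alg, 'typ': 'JWT'})}.{enc(claims)}.c2ln"


if __name__ == "__main__":
    # Values from the documented examples; the issuer is an assumed sample value.
    SCOPE = "urn:opc:resource:fa:instanceid=201911110urn:opc:resource:consumer::all"
    ISSUER = "https://identity.oraclecloud.com/"
    url, headers, body = build_token_request(
        "https://idcs-1234abcd5678EFGH9012ijkl.identity.oraclecloud.com/oauth2/v1/token",
        "ABCD1234efgh5678IJKL9012", "<idcs_app_client_secret>", SCOPE)
    print("POST", url, body)
    token = make_test_token({"iss": ISSUER, "scope": SCOPE,
                             "exp": int(time.time()) + 3600})
    print(inspect_access_token(token, SCOPE, ISSUER))
```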

  1. Configure OAuth for the web services provider by importing certificates and creating global policy attachments. Detailed steps to configure OAuth for the web services provider are in the Oracle WebLogic Server for OCI product documentation.
  2. Establish trust between Oracle Web Services Manager in your client domain and Oracle Identity Cloud Service by importing certificates and creating global policy attachments. The global policy affects all web service clients deployed to this domain. Alternatively, you can create policies for individual applications.
    1. Connect to the Administration Server node in your client domain as the opc user.
      ssh -i <path_to_private_key> opc@<node_public_ip>
    2. Change to the oracle user.
      sudo su - oracle
    3. Copy and paste the following text into a new file named config_owsm_client.py.
      # Creates one OWSM policy set per subject type, attaches the OAuth2 client
      # policy to it, and overrides the token endpoint and CSF key the policy uses.
      # policy, resource_scope, desc, is_enabled, token_uri and csf_key are
      # defined later in the script, before this function is called.
      def config_policyset(policy_set_name,subject_type):
          try:
              beginWSMSession()
              createWSMPolicySet(policy_set_name,subject_type,resource_scope,desc,is_enabled)
              attachWSMPolicy(policy)
              setWSMPolicyOverride(policy,'token.uri',token_uri)
              setWSMPolicyOverride(policy,'oauth2.client.csf.key',csf_key)
              validateWSMPolicySet(policy_set_name)
          finally:
              commitWSMSession()
              displayWSMPolicySet(policy_set_name)

      # Administration Server connection details and Oracle Identity Cloud Service
      # values; replace every placeholder (see the next step).
      ip='<admin_server_IP>'
      port='<admin_server_port>'
      user='<admin_user>'
      pwd='<password>'
      client_id='<idcs_app_client_id>'
      client_secret='<idcs_app_client_secret>'
      token_uri = '<token_endpoint>'
      dn_list = '<dn_list>'
      app_resource = '<app_resource>'
    4. Update the variables in config_owsm_client.py.
      • The IP address of this node
      • The port number of the Administration Server (the default is 7001)
      • The user name and password of the domain administrator
      • The client ID and secret of the confidential application in Oracle Identity Cloud Service that was created for the domain
      • The Oracle Identity Cloud Service token endpoint
      • The distinguished name (DN) to use for the generated certificate in Oracle Web Services Manager
      • The name of the web service client application that is deployed to the domain
      For example:
      ip='203.0.113.30'
      port='7001'
      user='weblogic'
      pwd='<password>'
      client_id='ABCD1234efgh5678IJKL9012'
      client_secret='<idcs_app_client_secret>'
      token_uri = 'https://idcs-1234abcd5678EFGH9012ijkl.identity.oraclecloud.com/oauth2/v1/token'
      dn_list = 'CN=OWSM, OU=ST, O=Oracle, L=RedWood, ST=CA, C=US'
      app_resource = 'resource=oauth-client'
    5. Copy and paste the following text into config_owsm_client.py, after the variable declarations.
      # Connect to the Administration Server over t3 with the values above.
      connect(user, pwd,'t3://' + ip + ':' + port)

      # Store the confidential application's client ID and secret in the OWSM
      # credential store; the policy sets refer to this entry by its CSF key.
      csf_key = 'idcs.oauth2.client.credentials'
      createCred(map='oracle.wsm.security',key=csf_key,user=client_id,password=client_secret)

      # Attach oracle/oauth2_config_client_policy domain-wide, once per subject type.
      is_enabled = true
      policy = 'oracle/oauth2_config_client_policy'
      resource_scope = 'Domain("*")'
      desc = ''
      config_policyset('oauth-ps-config-rest-connection','rest-connection')
      config_policyset('oauth-ps-config-rest-client','rest-client')
      config_policyset('oauth-ps-config-ws-connection','ws-connection')
      config_policyset('oauth-ps-config-ws-client','ws-client')
      config_policyset('oauth-ps-config-ws-callback','ws-callback')
      refreshWSMCache()

      # Create the owsm/keystore keystore if it does not exist yet, generate the
      # orakey key pair, and export its certificate for import into
      # Oracle Identity Cloud Service.
      svc = getOpssService(name='KeyStoreService')
      try:
         svc.createKeyStore(appStripe='owsm', name='keystore', password='',permission=true)
      except Exception, ex:
         ex_msg = str(ex)
         if 'Keystore keystore in stripe owsm already exists' in ex_msg:
            print 'Keystore keystore in stripe owsm already exists. Continue...'
         else:
            raise
      svc.generateKeyPair(appStripe='owsm', name='keystore', password='', dn=dn_list, keysize='2048', alias='orakey', keypassword='')

      svc.exportKeyStoreCertificate(appStripe='owsm', name='keystore', password='', alias='orakey', keypassword='', type='TrustedCertificate', filepath='/tmp/orakey.cert')
    6. Run config_owsm_client.py using WLST.
      /u01/app/oracle/middleware/oracle_common/common/bin/wlst.sh config_owsm_client.py
      Verify that the script ran successfully by reviewing the output. For example:
      ...
      Credential created successfully.
      Session started for modification.
      The policy set was created successfully in the session.
      Policy reference "oracle/oauth2_config_client_policy" added.
      ...
      Creating policy set oauth-ps-config-rest-connection in repository.
      Session committed successfully.
      ...
      Session started for modification.
      The policy set was created successfully in the session.
      Policy reference "oracle/oauth2_config_client_policy" added.
      ...
      Creating policy set oauth-ps-config-rest-client in repository.
      Session committed successfully.
      ...
      Keystore created
      Key pair generated
      Certificate exported.
    7. Change the owner of the generated certificate file to the opc user.
      exit
      sudo chown opc:opc /tmp/orakey.cert
    8. Download the certificate file as the opc user.
      scp -i <path_to_private_key> opc@<node_public_ip>:/tmp/orakey.cert .
  3. Update the pre-configured confidential application for the web services client by importing the orakey.cert certificate you just downloaded and creating a scope for your Fusion-based Oracle Cloud Applications.
    1. From the Oracle Identity Cloud Service console, in the navigation menu, click Applications, and then click the confidential application that was created for your client domain.
    2. Click the Configuration tab, and under Client Configuration, select Trusted for Client Type.
    3. For Certificate, click Import.
    4. For Certificate Alias, enter a unique name. For example, orakey_jh305082020.
    5. Select the file orakey.cert that you downloaded in the previous step, and then click Import.
    6. Click Add Scope.
    7. Select Oracle Applications Cloud (Fusion), with a Scope similar to this example:
      urn:opc:resource:fa:instanceid=201911110urn:opc:resource:consumer::all
    8. Click Add, and then click Save.
  4. A grantPermission is needed for any application that will consume REST services. WSIdentityPermission must be granted before identity propagation takes place, because Oracle WebLogic Server for OCI does not allow it by default; without it, an AccessControlException is thrown. Apply the grant with WLST, using the app_resource value set in config_owsm_client.py. For example:
    grantPermission(appStripe=None, codeBaseURL='file:${common.components.home}/modules/oracle.wsm.common/wsm-agent-core.jar',principalClass=None,principalName=None,permClass='oracle.wsm.security.WSIdentityPermission',permTarget=app_resource, permActions='assert')
    
  5. You can deploy and validate this OAuth setup with Oracle WebLogic Server for OCI by deploying and testing the sample web service client application, as described in the Oracle WebLogic Server for OCI product documentation. Alternatively, you can deploy and test your own web service client application.
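The output in step 6 above is normally checked by eye. As an added example (not part of the Oracle documentation), this Python script performs the same check over a saved WLST log, using the policy set and policy names from config_owsm_client.py; the sample log it falls back to is constructed from the documented output.

```python
import re

# Policy sets and policy created by config_owsm_client.py (names from the script).
EXPECTED_POLICY_SETS = (
    "oauth-ps-config-rest-connection",
    "oauth-ps-config-rest-client",
    "oauth-ps-config-ws-connection",
    "oauth-ps-config-ws-client",
    "oauth-ps-config-ws-callback",
)
EXPECTED_POLICY = "oracle/oauth2_config_client_policy"

# One-off messages the script must have produced, in the order they appear.
MILESTONES = (
    "Credential created successfully.",
    "Keystore created",
    "Key pair generated",
    "Certificate exported.",
)


def check_wlst_output(text):
    """Return a list of problems found in the WLST output; empty means success."""
    problems = [f"missing: {msg}" for msg in MILESTONES if msg not in text]

    # Each "Creating policy set X in repository." must be followed by a
    # successful commit before the next policy set is created.
    committed = set()
    for segment in re.split(r"(?=Creating policy set )", text):
        match = re.search(r"Creating policy set (\S+) in repository\.", segment)
        if match and "Session committed successfully." in segment:
            committed.add(match.group(1))
    for name in EXPECTED_POLICY_SETS:
        if name not in committed:
            problems.append(f"policy set not committed: {name}")

    # Every policy set must carry a reference to the OAuth2 client policy.
    refs = text.count(f'Policy reference "{EXPECTED_POLICY}" added.')
    if refs < len(EXPECTED_POLICY_SETS):
        problems.append(f"only {refs} of {len(EXPECTED_POLICY_SETS)} "
                        f"policy references to {EXPECTED_POLICY}")

    # A Jython traceback means the run cannot be trusted even if the milestones
    # appear; WLST prefixes these with "Problem invoking WLST".
    if "Problem invoking WLST" in text or "Traceback" in text:
        problems.append("WLST reported an error; inspect the full output")
    return problems


def render_sample_log(policy_sets=EXPECTED_POLICY_SETS):
    """Constructed WLST output in the format shown in the documentation."""
    lines = ["Credential created successfully."]
    for name in policy_sets:
        lines += [
            "Session started for modification.",
            "The policy set was created successfully in the session.",
            f'Policy reference "{EXPECTED_POLICY}" added.',
            f"Creating policy set {name} in repository.",
            "Session committed successfully.",
        ]
    lines += ["Keystore created", "Key pair generated", "Certificate exported."]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import sys
    # Pipe the saved WLST output in, or run without input to check the sample.
    log = sys.stdin.read() if not sys.stdin.isatty() else render_sample_log()
    found = check_wlst_output(log)
    for problem in found:
        print("FAIL:", problem)
    print("OK" if not found else "configuration incomplete")
```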

Configure SOAP Services for Identity Propagation

If your Java application needs to access a Fusion-based Oracle Applications SOAP Web Services endpoint, you must perform some manual configuration steps to set up identity propagation.

Because the security configuration for SOAP web service interactions requires you to contact Oracle Support to get a certificate, Oracle recommends using REST web service protocols instead whenever possible. REST identity propagation is pre-configured, which avoids this manual configuration and support ticket requirement.

Fusion Applications SOAP WSDLs contain an X509 certificate in binary form that needs to be imported into the client machine's certificate keystore. This allows the client application to encrypt web service requests to Fusion Applications, and the Fusion Applications environment to decrypt those requests successfully. In addition, a certificate needs to be generated on the client machine and then imported into the Fusion Applications environment certificate keystore. Oracle Support can help with importing the certificate into a Fusion Applications environment.

The two certificates enable two-way SSL which is a requirement of the SAML implementation in Fusion Applications and is part of the WS-Security 1.1 specification.

To configure your environment for identity propagation for SOAP Web Services, you will use your Oracle WebLogic Server for OCI as a SOAP Client and your Fusion Applications service will be a SOAP Service. You will use Oracle Web Services Manager (OWSM) Policies for identity propagation.

  1. Export your Oracle WebLogic Server for OCI orakey certificate.
    1. Log on to the Oracle Enterprise Manager console, for example by navigating to:
      http://<PublicIp>:7001/em
    2. Click WebLogic Domain and select Security, and then select Keystore.
    3. In the Keystore table, expand owsm and select the keystore row, click the Manage button.
    4. Select the orakey entry and make a note of the Subject Name value in that row.
    5. Click Export.
      A Certificate window opens, showing the orakey certificate.
    6. Click Export Certificate, and save the exported file as orakey_<WLSOCI_NAME>.cert.
  2. File a service request with My Oracle Support to establish trust in your Fusion Applications.
    Oracle Support will configure your Fusion Apps instance to trust invocations from your WebLogic Server bearing the certificate information you just exported. You will need to provide all of the following details:
    • Your Oracle Fusion Applications cloud service Service Name, Identity Domain, and Data Center
    • The exported orakey certificate
    • Instructions for Oracle Support explicitly stating your request. For example:
    I am opening this SR to request a certificate exchange to establish trust and enable SAML assertion for SOAP WS between my Oracle WebLogic Server for OCI Marketplace instance and Fusion Applications cloud services. Attached is the certificate from my Oracle WebLogic Server for OCI instance. I need you to import that certificate into my Fusion Applications instance and to export the Fusion Applications OWSM orakey certificate and OWSM cloudca certificate (the ones starting with "CN=<podname>_fasvc, DC=cloud, DC=com" and "CN=Cloud9CA-2, DC=cloud, DC=com") and attach them to this SR. Also, please restart Fusion Applications as required at the end for the certificate exchange to be effective.
    Monitor your support ticket and provide any additional information requested by Oracle Support. Oracle Support will add your certificate to the Fusion Applications instance Keystore and set up Issuer Trust to enable SAML Assertion for SOAP web services. Oracle Support will notify you when the task is complete, and send you a copy of:
    • Your Oracle Fusion applications OWSM orakey certificate
    • Your Oracle Fusion applications OWSM cloudca certificate
    You will need these certificates for the next step.
  3. Import the Fusion Applications orakey certificate into Oracle WebLogic Server for OCI:
    1. Log on to the Oracle Enterprise Manager console, for example by navigating to:
      http://<PublicIp>:7001/em
    2. Click WebLogic Domain and select Security, and then select Keystore.
    3. In the Keystore table, expand owsm and select the keystore row, click the Manage button, and then click Import.
    4. In the Import Certificate box, select Trusted Certificate. Enter an alias such as orakey_mysaasenv. Select the Select a file that contains the Certificate or Certificate Chain option, and click Browse... to select the orakey certificate provided to you by Oracle Support.
    5. Import the cloudca certificate in the same manner, using an alias such as cloudca_faehyp71.
      You may already have a cloudca certificate in the table, but it may not be the correct one. After importing the cloudca certificate provided by Oracle Support, verify that you have the correct certificate by inspecting its Subject Name. It should be similar to the following example, pointing to your Fusion Applications instance:
      CN=FAEncryption,DC=cloud,DC=oracle,DC=com
    You should now see your certificates with their aliases listed in the Manage Certificates: owsm/keystore table.