10 PDC REST Services Manager Security

Learn how to set up security for Oracle Communications Pricing Design Center (PDC) REST Services Manager.

Topics in this document:

For more information, see PDC REST Services Manager Integration Guide.

About PDC REST Services Manager Security

PDC REST Services Manager uses the following security protocols to secure inbound and outbound requests:

  • OAuth 2.0: Authenticates your enterprise product catalog's identity and authorizes it to access the PDC REST Services Manager API by validating an OAuth access token that is passed in the header of every HTTP/HTTPS request to the PDC REST Services Manager API.

    You can enable OAuth for PDC REST Services Manager using either Oracle Identity Cloud Service or Oracle Access Management.

  • TLS: Secures communication from your enterprise product catalog to PDC REST Services Manager.
  • T3S: Secures communication from PDC REST Services Manager to PDC.

Setting up PDC REST Services Manager security involves these tasks:

  1. One of the following, depending on your OAuth provider:
  2. Securing Inbound Communications
  3. Securing Outbound Requests to PDC

You can also encrypt sensitive data, such as passwords, by using the RestServicesManager.sh script. See "Encrypting Sensitive Data".

Setting Up OAuth for PDC REST Services Manager with Oracle Identity Cloud Service

Setting up OAuth for PDC REST Services Manager with Oracle Identity Cloud Service involves these tasks:

  1. Creating Confidential OAuth Applications for PDC REST Services Manager
  2. Setting Up Security with Oracle Identity Cloud Service in the PDC REST Services Manager Configuration File
  3. Requesting an OAuth Access Token from Oracle Identity Cloud Service

Creating Confidential OAuth Applications for PDC REST Services Manager

Add your enterprise product catalog as a confidential application to Oracle Identity Cloud Service (IDCS) by following the instructions in "Add a Confidential Application" in Administering Oracle Identity Cloud Service. When adding the confidential application, ensure that you:

  • Select Confidential for the Client Type option.
  • Add a scope named pubevent for accessing the Publish Event endpoint in PDC REST Services Manager.
  • Add a scope named metrics for accessing the Metrics endpoint in PDC REST Services Manager.

After you add the confidential application, Oracle Identity Cloud Service provides you with the following information. You will need it when requesting an OAuth access token and when configuring inbound communication to PDC REST Services Manager:

  • The Oracle Identity Cloud Service URL for requesting OAuth access tokens. For example:
    https://idcs_hostname/oauth2/v1/token

    where idcs_hostname is the hostname of the server of your Oracle Identity Cloud Service instance

  • The primary audience URL
  • The client ID and client secret. Encode these in base-64 before using them to request OAuth access tokens.

Setting Up Security with Oracle Identity Cloud Service in the PDC REST Services Manager Configuration File

To set the Oracle Identity Cloud Service details in the PDC REST Services Manager application.yaml file:

  1. Open the PDC_RSM_home/apps/conf/application.yaml file in a text editor, where PDC_RSM_home is the directory in which you installed PDC REST Services Manager.
  2. Set the keys under security as shown in Table 10-1.

    Table 10-1 Security Keys in the application.yaml File

    config.require-encryption
      Controls whether requests require encryption using client_id and client_secret. Set this to true.

    enabled
      Enables or disables security. Enable security in production environments by setting this to true.

    properties.idcs-uri
      The base URL of your Oracle Identity Cloud Service instance, in this format: https://idcs-TenantID.identity.oraclecloud.com

    properties.idcs-client-id
      The client ID for your confidential application.

    properties.idcs-client-secret
      The Base64-encoded client secret obtained from your Oracle Identity Cloud Service application. For security purposes, do not store the client secret in plain text. To encrypt the client secret, see "Encrypting Sensitive Data".

    properties.frontend-uri
      The base URL of your confidential application when run. For example: http://localhost:8080

    properties.audience
      The primary audience as provisioned for the PDC REST Services Manager application in Oracle Identity Cloud Service. For example: http://localhost:8080/
      Note: Ensure that you include the trailing slash in the URL.

    properties.proxy-host
      The hostname of the proxy server, if required.

    web-server.paths.<0>.abac.scopes
      The scope defined in Oracle Identity Cloud Service for protecting the TMF620 publishEvent endpoint.

    web-server.paths.<1>.abac.scopes
      The scope defined in Oracle Identity Cloud Service for protecting the metrics endpoint.

  3. In the providers section, ensure that the oidc and abac providers are not commented out. Comment out the oamoidc provider.
  4. In the app.httpClients.security section, set the keys based on the type of authentication required by your enterprise product catalog. These keys allow you to secure outbound requests from PDC REST Services Manager to your enterprise product catalog. See:
  5. Save and close the application.yaml file.

    See "Example application.yaml Security Configuration with Oracle Identity Cloud Service" for a sample file showing the appropriate properties.

  6. Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:

    ./RestServicesManager.sh restart

Requesting an OAuth Access Token from Oracle Identity Cloud Service

Request an OAuth access token from Oracle Identity Cloud Service to include in requests to the PDC REST Services Manager APIs. For more information, see "Generate Access Token and Other OAuth Runtime Tokens to Access the Resource" in REST API for Oracle Identity Cloud Service.

To request an OAuth access token using cURL, use the following format for your HTTP/HTTPS request to the Oracle Identity Cloud Service URL:

curl -i \
-H "Authorization: Basic encoded_credentials" \
-H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--request POST https://idcs_hostname/oauth2/v1/token \
-d 'grant_type=client_credentials&scope=https://primaryAudience/scope'

where:

  • encoded_credentials is either the client ID and client secret (clientID:clientSecret) or user name and password (username:password) in Base64-encoded format.
  • idcs_hostname is the host name of your Oracle Identity Cloud Service instance.
  • primaryAudience is the host name and port of your confidential application.
  • scope is one of the following:
    • pubevent: Authorizes access to the Publish Event endpoint.
    • metrics: Authorizes access to the Metrics endpoint.

After you submit the request, Oracle Identity Cloud Service returns an OAuth access token. Your client must pass this OAuth access token in the header of every HTTP/HTTPS request sent to the PDC REST Services Manager.

Setting Up OAuth for PDC REST Services Manager with Oracle Access Management

Setting up OAuth for PDC REST Services Manager using Oracle Access Management involves these high-level steps:

  1. Installing the Oracle Access Management software. For the list of supported versions, see "Additional BRM Software Requirements" in BRM Compatibility Matrix.

    For more information about installing the Oracle Access Management software, see Oracle Fusion Middleware Installing and Configuring Oracle Identity and Access Management.

  2. Installing the Oracle Unified Directory software with the HTTP port enabled. For the list of supported versions, see "Additional BRM Software Requirements" in BRM Compatibility Matrix.

    For more information about installing Oracle Unified Directory, see Oracle Fusion Middleware Installing Oracle Unified Directory.

  3. Enabling OAuth Services for PDC REST Services Manager
  4. Creating an OAuth Identity Domain for PDC REST Services Manager
  5. Creating a Resource Server for PDC REST Services Manager
  6. Creating an OAuth Client for PDC REST Services Manager
  7. Setting Up Security with Oracle Access Management in the PDC REST Services Manager Configuration File
  8. Requesting an OAuth Access Token from Oracle Access Management

Note:

If you use both BRM REST Services Manager and PDC REST Services Manager, you must set up separate OAuth identity domains, resource servers, and clients for each component.

Enabling OAuth Services for PDC REST Services Manager

Enable OAuth services in Oracle Access Management as described in "Enabling or Disabling Available Services" in Oracle Fusion Middleware Administering Oracle Access Management. Ensure that the following services are enabled:

  • Access Manager
  • OAuth
  • OpenIDConnect

Creating an OAuth Identity Domain for PDC REST Services Manager

You create an OAuth identity domain to control the authentication and authorization of users who can sign in to PDC REST Services Manager, and what features they can access. You create all artifacts, such as the resource server and OAuth client, under the identity domain.

To create an identity domain, submit a request to the Add a new OAuth Identity Domain endpoint of the Oracle Access Manager OAuth REST API. See "Add a new OAuth Identity Domain" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.

The following shows an example cURL command for creating an identity domain named PDC_RSM_Domain, with the OUD identity provider (for Oracle Unified Directory):

curl -i --header 'Content-Type: application/json' \
--header 'Authorization: Basic encoded_admin' \
--request POST http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/oauthidentitydomain \
--data-raw '{"name":"PDC_RSM_Domain","identityProvider":"OUD","description":"Identity Domain for PDC REST Services Manager","tokenSettings":[
{"tokenType":"ACCESS_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false}]}'

where:

  • encoded_admin is the base64-encoded format of the Oracle Access Management administrator user name and password.
  • oam_host:oam_port is the host name and port for the Oracle Access Management server.

If the identity domain was created successfully, you will see a response similar to this:

Sucessfully created entity - OAuthIdentityDomain, detail - OAuth Identity Domain :: Name - PDC_RSM_Domain, Id - 19f85bc53b49561ea52f039474c2c4b, 
Description - Identity Domain for PDC REST Services Manager, TrustStore Identifiers - PDC_RSM_Domain,Identity Provider - OUD, TokenSettings -
[{"tokenType":"ACCESS_TOKEN","tokenExpiry":3600,"lifeCycleEnabled":false,"refreshTokenEnabled":false,"refreshTokenExpiry":86400,"refreshTokenLifeCycleEnabled":false}],
ConsentPageURL - /oam/pages/consent.jsp, ErrorPageURL -  /oam/pages/servererror.jsp, CustomAttrs - null

Creating a Resource Server for PDC REST Services Manager

A resource server hosts the protected resources. It must be capable of accepting and responding to resource requests using OAuth access tokens.

To create a resource server, submit a request to the Add a new Resource Server endpoint of the Oracle Access Management OAuth REST API. See "Add a new Resource Server" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.

The following shows an example of creating a resource server named PDCRSMResourceServer with the all and read scopes, an identity domain named PDC_RSM_Domain, and static and dynamic custom token attributes:

curl -k -u wls_admin:password -H 'Content-Type: application/json' \
'http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/application' \
-d '{"name":"PDCRSMResourceServer","description":"Resource server for PDC REST Services Manager",
"scopes":[{"scopeName":"all","description":"All permissions"},{"scopeName":"read","description":"Read permissions"}],
"tokenAttributes":[{"attrName":"sessionId","attrValue":"$session.id","attrType":"DYNAMIC"},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":"STATIC"}],"idDomain":"PDC_RSM_Domain","audienceClaim":{"subjects":["ab0"]}}'

where:

  • wls_admin:password is the administrator user name and password for Oracle WebLogic Server.
  • oam_host:oam_port is the host name and port for the Oracle Access Management server.
  • The name value (resource_server) is the name of the resource server that you want to create. In the example, it is PDCRSMResourceServer.
  • Each scopeName value (scopeN) is the name of a scope. In the example, the scopes are all and read.

After the scopes are defined under the resource server, refer to them as resource_server.scope for subsequent tasks, such as creating the OAuth client and requesting an OAuth token. For example, PDCRSMResourceServer.all.

If the resource server is created successfully, you will see a response similar to this:

Successfully created entity - OAuthResourceServer, detail - IdentityDomain="PDC_RSM_Domain",Name="PDCRSMResourceServer",Description="Resource server for PDC REST Services Manager",
resourceServerId="4953a4f4-8c3f-41fd-99b5-837cfa9f9ecb",resourceServerNameSpacePrefix="PDCRSMResourceServer.",audienceClaim="{"subjects":["ab0"]}",
resServerType="CUSTOM_RESOURCE_SERVER",Scopes="[{"scopeName":"all","description":"All permissions"},{"scopeName":"read","description":"Read permissions"}]",
tokenAttributes="[{"attrName":"sessionId","attrValue":"$session.id","attrType":DYNAMIC},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":STATIC}]

Creating an OAuth Client for PDC REST Services Manager

You create an OAuth client for PDC REST Services Manager to authenticate requests.

To create an OAuth client, submit a request to the Add a new OAuth Client endpoint of the Oracle Access Management OAuth REST API. See "Add a new OAuth Client" in REST API for OAuth in Oracle Access Manager for more information about this endpoint.

The following shows an example cURL request for creating a confidential OAuth client named PDCRSMClient with the PDCRSMResourceServer.all and default PDCRSMResourceServer.read scopes, an identity domain named PDC_RSM_Domain, and some custom attributes.

curl -k -u wls_admin:password -H 'Content-Type: application/json' \
'http://oam_host:oam_port/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client' \
-d '{"attributes":[{"attrName":"customAttribute1","attrValue":"Custom Value1","attrType":"static"},{"attrName":"customAttribute2","attrValue":"Custom Value2","attrType":"static"}],
"secret":"client_secret","id":"client_id","scopes":["PDCRSMResourceServer.all","PDCRSMResourceServer.read"],"clientType":"CONFIDENTIAL_CLIENT",
"idDomain":"PDC_RSM_Domain","description":"PDC RSM OAuth client","name":"PDCRSMClient","grantTypes":["CLIENT_CREDENTIALS"],
"defaultScope":"PDCRSMResourceServer.read","redirectURIs":[{"url":"http://redirect_host:redirect_port/oauth/callback","isHttps":true}]}'

where:

  • client_id and client_secret are the client ID and client password.
  • redirect_host:redirect_port is the URL for your client application.

If the client is created successfully, the response will be similar to this:

Sucessfully created entity - OAuthClient, detail - OAuth Client - uid = 4b37dd63-08dd-45b5-b5a5-c1e788cb2ff2, name = PDCRSMClient, id =  PDCRSMClientId,
identityDomain = PDC_RSM_Domain, description = PDC RSM OAuth client, secret = PDCRSMPassword, clientType = CONFIDENTIAL_CLIENT, grantTypes = [CLIENT_CREDENTIALS],
attributes = [{"attrName":"customAttribute1","attrValue":"Custom  Value1","attrType":STATIC},{"attrName":"customAttribute2","attrValue":"Custom  Value2","attrType":STATIC},
{"attrName":"sessionId","attrValue":"session.id","attrType":DYNAMIC},{"attrName":"resSrvAttr","attrValue":"RESOURCECONST","attrType":STATIC}],  scopes =
[PDCRSMResourceServer.all, PDCRSMResourceServer.read], defaultScope = PDCRSMResourceServer.read, redirectURIs = [{"url":"http://redirect_host:redirect_port/oauth/callback","isHttps":true}]

Setting Up Security with Oracle Access Management in the PDC REST Services Manager Configuration File

To set the Oracle Access Management details in the PDC REST Services Manager application.yaml file:

  1. Open the PDC_RSM_home/apps/conf/application.yaml file in a text editor, where PDC_RSM_home is the directory in which you installed PDC REST Services Manager.
  2. Set the keys under security as shown in Table 10-2.

    Table 10-2 Security Keys in the application.yaml File

    enabled
      Enables or disables security. Enable security in production environments by setting this to true.

    config.require-encryption
      Controls whether requests require encryption using client_id and client_secret. Set this to false.

    properties.token-endpoint-uri
      The URL for requesting an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token

    properties.introspect-endpoint-uri
      The URL for validating an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token/info

    properties.oauth-identity-domain-name
      The name of the OAuth identity domain that you created in "Creating an OAuth Identity Domain for PDC REST Services Manager." For example, PDC_RSM_Domain.

    properties.authorization-endpoint-uri
      The URL for authorizing role-based access. PDC REST Services Manager does not support role-based access, so this will not be used. For example, http://oam_host:oam_port/oauth2/authorize

    properties.frontend-uri
      The URL for the OAuth client you created in "Creating an OAuth Client for PDC REST Services Manager." For example, http://oam_host:oam_port

    properties.proxy-host
      The URL for your proxy server, if needed.

    properties.audience
      The name of the OAuth resource server that you created in "Creating a Resource Server for PDC REST Services Manager." For example, PDCRSMResourceServer.

    properties.scope-audience
      The primary audience for PDC REST Services Manager in the Oracle Access Management resource, used for error handling. This is the same as properties.frontend-uri, ending with /. For example, http://oam_host:oam_port/

    providers.oamoidc.validate-with-jwk
      Whether to validate with JSON web keys. Set this to false.

    providers.oamoidc.token-endpoint-uri
      The URL for requesting an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token

    providers.oamoidc.authorization-endpoint-uri
      The URL for authorizing role-based access. PDC REST Services Manager does not support role-based access, so this will not be used. For example, http://oam_host:oam_port/oauth2/authorize

    providers.oamoidc.introspect-endpoint-uri
      The URL for validating an OAuth token from Oracle Access Management. For example, http://oam_host:oam_port/oauth2/rest/token/info

    providers.oamoidc.scope-audience
      The primary audience for PDC REST Services Manager in the Oracle Access Management resource. Set this to "${ALIAS=security.properties.scope-audience}".

    providers.oamoidc.audience
      The name of the OAuth resource server that you created in "Creating a Resource Server for PDC REST Services Manager." For example, PDCRSMResourceServer.

    providers.oamoidc.proxy-host
      The URL for your proxy server, if needed. Set this to "${ALIAS=security.properties.proxy-host}".

    providers.oamoidc.frontend-uri
      The URL for your application. Set this to "${ALIAS=security.properties.frontend-uri}".

    providers.oamoidc.cookie-use
      Whether to use cookies. Set this to false.

    providers.oamoidc.header-use
      Whether to use headers. Set this to true.

    providers.oamoidc.redirect
      Whether to use a redirect URL. Set this to false.

    providers.oamoidc.oidc-metadata-well-known
      Whether to use OpenID Connect Discovery metadata. Set this to false.

    providers.oamoidc.oauth-identity-domain-name
      The name of the OAuth identity domain that you created in "Creating an OAuth Identity Domain for PDC REST Services Manager." For example, PDC_RSM_Domain.

    web-server.paths.methods
      The methods allowed for the endpoint.
      • For the projectPublishEvent endpoint, set this to ["get", "post"].
      • For the metrics endpoint, set this to ["get"].

    web-server.paths.authenticate
      Whether authentication is enabled for the endpoint. Set this to true.

    web-server.paths.authorize
      Whether authorization is enabled for the endpoint. Set this to true.

    web-server.paths.abac.scopes
      The scopes that control access to the endpoint. Use the scopes that you configured in "Creating a Resource Server for PDC REST Services Manager", without the resource server name. For example, read or all.

  3. In the providers section, ensure that the oamoidc and abac providers are not commented out. Comment out the oidc provider.
  4. In the app.httpClients.security section, set the keys based on the type of authentication required by your enterprise product catalog. These keys allow you to secure outbound requests from PDC REST Services Manager to your enterprise product catalog. See:
  5. Save and close the application.yaml file.

    See "Example application.yaml Security Configuration with Oracle Access Management" for a sample file showing the appropriate properties.

  6. Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:

    ./RestServicesManager.sh restart

Requesting an OAuth Access Token from Oracle Access Management

You create an access token for OAuth authentication by submitting a request to the Create Access Token Flow endpoint of the Oracle Access Management OAuth REST API. For more information, see "Create Access Token Flow" in REST API for OAuth in Oracle Access Manager.

To request an OAuth access token, use cURL to send an HTTP/HTTPS request to the Oracle Access Management URL:

curl -i --header 'Authorization: Basic encoded_admin' \
--header "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--header "X-OAUTH-IDENTITY-DOMAIN-NAME: identity_domain" \
--request POST http://oam_host:oam_port/oauth2/rest/token \
--data-urlencode "grant_type=CLIENT_CREDENTIALS" \
--data-urlencode "scope=resource_server.scope"

where:

  • encoded_admin is the base64-encoded format of the Oracle Access Management administrator user name and password.
  • identity_domain is the name of the OAuth identity domain created in Oracle Access Management for PDC REST Services Manager.
  • oam_host:oam_port is the host name and port for the Oracle Access Management server.
  • resource_server is the name of the Oracle Access Management resource server created for PDC REST Services Manager.
  • scope is the name of a scope.

The following shows an example cURL request for creating an OAuth access token for the PDC_RSM_Domain identity domain, PDCRSMResourceServer resource server, and all scope. Note that each form parameter is passed in its own --data-urlencode option; passing both in one option would URL-encode the & separator and the scope would not be sent as a separate parameter:

curl --location --header 'Authorization: Basic encoded_admin' \
--header "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" \
--header "X-OAUTH-IDENTITY-DOMAIN-NAME: PDC_RSM_Domain" \
--request POST http://oam_host:oam_port/oauth2/rest/token \
--data-urlencode "grant_type=CLIENT_CREDENTIALS" \
--data-urlencode "scope=PDCRSMResourceServer.all"

If the request is successful, Oracle Access Management returns something similar to this:

{"access_token":"access_token",
"token_type":"Bearer","expires_in":3600}

Your client must pass this OAuth access token in the header of every HTTP/HTTPS request sent to the PDC REST Services Manager.
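Both token requests in this document have the same shape: Basic credentials in the Authorization header and a URL-encoded form body. The following Python helper is an added illustration, not part of PDC REST Services Manager or of Oracle's own tooling; it builds the Oracle Identity Cloud Service and Oracle Access Management token requests, form-encodes each parameter separately so that a scope containing : or / survives intact, and turns the JSON token response into the Authorization header that every call to PDC REST Services Manager must carry. All host names, client IDs and secrets in it are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

FORM = "application/x-www-form-urlencoded;charset=UTF-8"


def basic_credentials(user, secret):
    """Base64 of "user:secret", the value that follows "Basic " in the
    Authorization header. For IDCS this is clientID:clientSecret (or
    username:password); the OAM examples above use the administrator
    credentials."""
    return base64.b64encode(f"{user}:{secret}".encode("utf-8")).decode("ascii")


def idcs_token_request(idcs_hostname, client_id, client_secret, primary_audience, scope):
    """Same request as the IDCS cURL command: POST https://idcs_hostname/oauth2/v1/token
    with scope=https://primaryAudience/scope. Returns (url, headers, body)."""
    url = f"https://{idcs_hostname}/oauth2/v1/token"
    headers = {
        "Authorization": "Basic " + basic_credentials(client_id, client_secret),
        "Content-Type": FORM,
    }
    # urlencode percent-encodes ':' and '/' inside the scope value, so the
    # audience URL can never be misread as additional form fields.
    body = urlencode({
        "grant_type": "client_credentials",
        "scope": f"https://{primary_audience}/{scope}",
    })
    return url, headers, body


def oam_token_request(oam_host_port, user, password, identity_domain, resource_server, scope):
    """Same request as the OAM cURL command: POST http://oam_host:oam_port/oauth2/rest/token
    with the X-OAUTH-IDENTITY-DOMAIN-NAME header and scope=resource_server.scope."""
    url = f"http://{oam_host_port}/oauth2/rest/token"
    headers = {
        "Authorization": "Basic " + basic_credentials(user, password),
        "Content-Type": FORM,
        "X-OAUTH-IDENTITY-DOMAIN-NAME": identity_domain,
    }
    # Two separate fields: encoding "grant_type=...&scope=..." as one value
    # would turn the '&' into %26 and the server would see no scope at all.
    body = urlencode({
        "grant_type": "CLIENT_CREDENTIALS",
        "scope": f"{resource_server}.{scope}",
    })
    return url, headers, body


def bearer_header(response_text):
    """Parse {"access_token":..., "token_type":"Bearer", ...} into the header
    that every request to PDC REST Services Manager must carry. Anything that
    is not a bearer token (an error body, for instance) is rejected."""
    data = json.loads(response_text)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("token response is not a usable bearer token: " + response_text)
    return {"Authorization": "Bearer " + data["access_token"]}


def fetch_bearer_header(url, headers, body, timeout=10):
    """Send a request built above (needs network access) and return the header."""
    req = Request(url, data=body.encode("utf-8"), headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return bearer_header(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed placeholder values; replace them with your own IDCS details.
    url, hdrs, body = idcs_token_request(
        "idcs-tenant.identity.example.com", "clientID", "clientSecret",
        "catalog.example.com:8443", "pubevent")
    print(url, hdrs["Authorization"], body, sep="\n")
```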

Securing Inbound Communications

You secure communications sent from your enterprise product catalog to the PDC REST Services Manager APIs by enabling TLS in PDC REST Services Manager.

To secure inbound communications to PDC REST Services Manager:

  1. Create a PKCS12 certificate file.

  2. Copy the PKCS12 certificate file to a location that is accessible by PDC REST Services Manager, such as ~/certs.

  3. Edit the following entries in the PDC_RSM_home/apps/conf/application.yaml file:

    • server.ssl.private-key.keystore-path: Set this to the file system path of the PKCS12 file containing the X.509 certificate and private key.

    • server.ssl.private-key.keystore-passphrase: Set this to the password for the PKCS12 file. For example, if you used OpenSSL to create the PKCS12 certificate file, set it to the export password. For security, encrypt the password so it is not stored in clear text. See "Encrypting Sensitive Data" for more information.

      Note:

      Set the server.ssl.private-key.keystore-passphrase key only if the PKCS12 file was created using a password.

      For example:

      server:
        ...
        ssl:
          private-key:
            keystore-path: "/scratch/ri-user-1/certs/certificate.p12"
            keystore-passphrase: "${passPhrase}"
  4. Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:

    ./RestServicesManager.sh restart

Securing Outbound Requests to PDC

During installation, the PDC REST Services Manager installer prompts you for the information required to connect PDC REST Services Manager to PDC. To secure the communications from PDC REST Services Manager to PDC, enable the T3S protocol in PDC REST Services Manager.

To enable T3S in PDC REST Services Manager:

  1. Go to the PDC_RSM_home/apps/conf directory.

  2. In the application.yaml file, set the app.pdc.url key to the T3S protocol and a secure PDC port.

    For example:

    app:
      pdc:
        url: "t3s://pdc.example.com:8002" 
  3. Restart PDC REST Services Manager by running the following command from the PDC_RSM_home/apps/bin directory:

    ./RestServicesManager.sh restart

If you want to change it to use the insecure T3 protocol, set the app.pdc.url key to the T3 protocol and an insecure PDC port. For example:

app:
  pdc:
    url: "t3://pdc.example.com:8001" 

Encrypting Sensitive Data

You can encrypt sensitive data, such as passwords, by using the RestServicesManager.sh script.

To encrypt sensitive data:

  1. Go to the PDC_RSM_home/apps/bin directory, where PDC_RSM_home is the directory in which you installed PDC REST Services Manager.

  2. Run the following command:

    ./RestServicesManager.sh hash

    The Enter value to hash prompt appears.

  3. Enter the sensitive information that you want to encrypt.

    The encrypted password is displayed.

PDC REST Services Manager Security Configuration Reference Information

The following topics contain reference information about PDC REST Services Manager security configuration properties and sample application.yaml configuration files:

OAuth Configuration Properties for Outbound Requests

Table 10-3 describes the keys to configure when your enterprise product catalog uses an OAuth 2.0 authentication type. All keys are nested under app.httpClients.security.oauth2.

Table 10-3 OAuth 2.0 Keys

tokenEndpoint
  The URL for requesting an OAuth token. For example, http://host:port/oauth2/rest/token.

clientId
  The client ID used to authenticate the request from PDC REST Services Manager.

clientSecret
  The encrypted client secret used to authenticate the request from PDC REST Services Manager. To encrypt the client secret, see "Encrypting Sensitive Data".

scope
  The scopes required by the enterprise product catalog. If you are using Oracle Access Management, use the format resourceServerName.scope. For example, ResourceServer.read. If you are using Oracle Identity Cloud Service, use the format urn:opc:resource:consumer::scope.

grantType
  The grant type to be used for the OAuth flow: client_credentials or password. If you are using Oracle Access Management, only client_credentials is supported.

username
  The user name required for accessing the enterprise product catalog. Set this only when grantType is password.

password
  The encrypted password required for accessing the enterprise product catalog. To encrypt the password, see "Encrypting Sensitive Data". Set this only when grantType is password.

domainId
  The Oracle Access Management Identity domain. Set this only when using Oracle Access Management.

The following shows an example configuration when grantType is client_credentials.

app:
  httpClients:
    - urlRegex: "local.*:8889"
      security:
        oauth2:
          tokenEndpoint: "http://host:port/oauth2/v1/token"
          clientId: "ClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "https://hostnameurn:opc:resource:consumer::all"
          grantType: "client_credentials"

The following shows an example configuration when grantType is password:

app:
  httpClients:
    - urlRegex: "local.*:8889"
      security:
        oauth2:
          tokenEndpoint: "http://host:port:8889/oauth2/v1/token"
          clientId: "ClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "https://hostnameurn:opc:resource:consumer::all"
          grantType: "password"
          username: "ApplicationUsername"
          password: "EncryptedApplicationPassword"

Basic Authentication Configuration Properties for Outbound Requests

Table 10-4 describes the keys to configure when your enterprise product catalog uses a Basic authentication type. All keys are nested under app.httpClients.security.basicAuth.

Table 10-4 basicAuth Keys

username
  The user name required for accessing the enterprise product catalog.

password
  The password required for accessing the enterprise product catalog.

The following shows an example configuration for Basic authentication:

app:
  httpClients:
    - urlRegex: "local.*:8889"
      security:
        basicAuth:
          username: "ApplicationUsername"
          password: "ApplicationPassword"

Example application.yaml Security Configuration with Oracle Identity Cloud Service

The following shows sample entries in the application.yaml file for configuring PDC REST Services Manager OAuth security with Oracle Identity Cloud Service:

security:
  config.require-encryption: true
  enabled: true
  properties:
    idcs-uri: "idcsURI"
    idcs-client-id: "clientId"
    idcs-client-secret: ${clientSecret}
    frontend-uri: "http://localhost:8080"
    audience: "http://localhost:8080/"
    proxy-host: ""
  providers:
    - abac:
      # Adds ABAC Provider - it does not require any configuration
    - oidc:
        validate-with-jwk: false
        client-id: "${ALIAS=security.properties.idcs-client-id}"
        client-secret: "${ALIAS=security.properties.idcs-client-secret}"
        identity-uri: "${ALIAS=security.properties.idcs-uri}"
        realm: "pdcrsm"
        audience: "${ALIAS=security.properties.audience}"
        proxy-host: "${ALIAS=security.properties.proxy-host}"
        redirect: false
        cookie-use: false
        header-use: true
    #- oamoidc:
    #    validate-with-jwk: false
    #    token-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token"
    #    authorization-endpoint-uri: "http://oam_host:oam_port/oauth2/authorize"
    #    introspect-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token/info"
    #    scope-audience: "${ALIAS=security.properties.scope-audience}"
    #    audience: "PDCRSMResourceServer"
    #    proxy-host: "${ALIAS=security.properties.proxy-host}"
    #    frontend-uri: "${ALIAS=security.properties.frontend-uri}"
    #    redirect: false
    #    cookie-use: false
    #    header-use: true
    #    oidc-metadata-well-known: false 
    #    oauth-identity-domain-name: "PDC_RSM_Domain"
  # Comment/Uncomment/Override for protection of resources
  web-server:
    paths:
      - path: "/productCatalogManagement/v1/projectPublishEvent[/{*}]"
        methods: ["get", "post"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["pubevent"]
      - path: "/metrics[/{*}]"
        methods: ["get"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["metrics"]
...
app:
  httpClients:
    - urlRegex: "http://catalog_host:catalog_port/*"
      security:
        oauth2:
          tokenEndpoint: "http://hostname/oauth2/v1/token"
          clientId: "ClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "https://hostnameurn:opc:resource:consumer::all"
          grantType: "client_credentials"
  pdc:
    url: "t3s://pdc_host:secure_pdc_port"
...
server:
  ...
  ssl:
    private-key:
      keystore-path: "file_path/certificate.p12"
      keystore-passphrase: "${passPhrase}"

Example application.yaml Security Configuration with Oracle Access Management

The following shows sample entries in the application.yaml file for configuring PDC REST Services Manager OAuth security with Oracle Access Management:

security:
  config.require-encryption: false
  enabled: true
  properties:
    token-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token"
    introspect-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token/info"
    oauth-identity-domain-name: "PDC_RSM_Domain"
    authorization-endpoint-uri: "http://oam_host:oam_port/oauth2/authorize"
    frontend-uri: "http://localhost:8080"
    proxy-host: ""    
    audience: "PDCRSMResourceServer"
    scope-audience: "http://localhost:8080/"
  providers:
    - abac:
      # Adds ABAC Provider - it does not require any configuration
    #- oidc:
    #    validate-with-jwk: false
    #    client-id: "${ALIAS=security.properties.idcs-client-id}"
    #    client-secret: "${ALIAS=security.properties.idcs-client-secret}"
    #    identity-uri: "${ALIAS=security.properties.idcs-uri}"
    #    realm: "pdcrsm"
    #    audience: "${ALIAS=security.properties.audience}"
    #    proxy-host: "${ALIAS=security.properties.proxy-host}"
    #    redirect: false
    #    cookie-use: false
    #    header-use: true
    - oamoidc:
        validate-with-jwk: false
        token-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token"
        authorization-endpoint-uri: "http://oam_host:oam_port/oauth2/authorize"
        introspect-endpoint-uri: "http://oam_host:oam_port/oauth2/rest/token/info"
        scope-audience: "${ALIAS=security.properties.scope-audience}"
        audience: "PDCRSMResourceServer"
        proxy-host: "${ALIAS=security.properties.proxy-host}"
        frontend-uri: "${ALIAS=security.properties.frontend-uri}"
        redirect: false
        cookie-use: false
        header-use: true
        oidc-metadata-well-known: false
        oauth-identity-domain-name: "PDC_RSM_Domain"
  # Comment/Uncomment/Override for protection of resources
  web-server:
    paths:
      - path: "/productCatalogManagement/v1/projectPublishEvent[/{*}]"
        methods: ["get", "post"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["read", "all"]
      - path: "/metrics[/{*}]"
        methods: ["get"]
        authenticate: true
        authorize: true
        abac:
          scopes: ["read", "all"]
...
app:
  httpClients:
    - urlRegex: "http://catalog_host:catalog_port/*"
      security:
        oauth2:
          tokenEndpoint: "http://oam_host:oam_port/oauth2/rest/token"
          clientId: "EncryptedClientID"
          clientSecret: "EncryptedClientSecret"
          scope: "ResourceServer.all"
          grantType: "client_credentials"
          domainId: "OAM_Domain"
  pdc:
    url: "t3s://pdc_host:secure_pdc_port"
...
server:
  ...
  ssl:
    private-key:
      keystore-path: "file_path/certificate.p12"
      keystore-passphrase: "${passPhrase}"