Run App Gateway in SSL Mode on Port 1024 or Lower

You can configure App Gateway to run in SSL mode on port number 1024 or lower.

Note:

To run your App Gateway server in Secure Sockets Layer (SSL) mode, you need to have a valid certificate.

Configure App Gateway in Identity Cloud Service Console

Update your App Gateway configuration to enable the server to listen on port number 443 and in Secure Sockets Layer (SSL) mode.

  1. Sign in to Oracle Identity Cloud Service console, expand the Navigation Drawer, click Security, click App Gateways, and then click the name of your App Gateway.
  2. In the Hosts tab, click the name of the host you created.
  3. In the Edit Hosts window, update the following parameters as in the example below:
    Parameter              Value
    Port                   443
    SSL Enabled            Selected
    Additional Properties  ssl_certificate /scratch/myappgateway.example.com.cert;
                           ssl_certificate_key /scratch/myappgateway.example.com.key;
                           ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
                           ssl_ciphers HIGH:!aNULL:!MD5;

    Note:

    You need to generate a valid certificate to be used as the SSL certificate. The certificate file (myappgateway.example.com.cert) and the certificate key file (myappgateway.example.com.key) are referenced here as examples.
  4. Click Save.
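As an added check that is not part of Oracle's documentation, the following shell script reviews the Additional Properties above before they are saved: it extracts each ssl_* directive, flags protocol versions older than TLS 1.2 (TLS 1.0 and 1.1 were deprecated by RFC 8996), confirms the cipher string excludes anonymous suites, and, when both files exist, verifies that the certificate and key belong together. The function names are mine, and cert_matches_key assumes openssl is on the PATH.

```shell
#!/bin/sh
# Constructed sample: the Additional Properties entered in the Edit Hosts window.
SAMPLE_PROPS='ssl_certificate /scratch/myappgateway.example.com.cert;
ssl_certificate_key /scratch/myappgateway.example.com.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;'

# Print the value of directive $1 from the properties text on stdin.
prop_value() {
  sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p"
}

# Print the ssl_protocols entries that predate TLS 1.2 (deprecated by RFC 8996).
legacy_protocols() {
  for p in $(prop_value ssl_protocols); do
    case "$p" in SSLv2|SSLv3|TLSv1|TLSv1.1) printf '%s\n' "$p" ;; esac
  done
}

# True when the certificate and the private key carry the same public key;
# nginx refuses to start on a mismatch. Assumes openssl is on the PATH.
cert_matches_key() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Review the properties text on stdin; print each finding, return 1 on any.
review_props() {
  text=$(cat); rc=0
  cert=$(printf '%s\n' "$text" | prop_value ssl_certificate)
  key=$(printf '%s\n' "$text" | prop_value ssl_certificate_key)
  [ -n "$cert" ] && [ -n "$key" ] || { echo "FAIL: certificate or key path missing"; rc=1; }
  legacy=$(printf '%s\n' "$text" | legacy_protocols | tr '\n' ' ')
  [ -z "$legacy" ] || { echo "WARN: protocols older than TLS 1.2 enabled: $legacy"; rc=1; }
  case "$(printf '%s\n' "$text" | prop_value ssl_ciphers)" in
    *'!aNULL'*) ;;
    *) echo "FAIL: ssl_ciphers does not exclude anonymous (aNULL) suites"; rc=1 ;;
  esac
  # Only compare the pair when both files are present on this machine.
  if [ -f "$cert" ] && [ -f "$key" ] && ! cert_matches_key "$cert" "$key"; then
    echo "FAIL: $cert does not match $key"; rc=1
  fi
  return $rc
}

printf '%s\n' "$SAMPLE_PROPS" | review_props || echo "Review of SAMPLE_PROPS found issues"
```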

Configure the App Gateway Server

Execute the following procedure to enable your App Gateway server to run on port 443 in SSL mode.

Note:

Generate a valid certificate for your App Gateway to run in SSL mode, and copy the certificate file and the certificate key file to your desktop.
  1. Use an SSH client such as PuTTY to log in to the App Gateway server.
  2. Execute the following commands to switch the services to run as a privileged user.
    • For App Gateway OVA 20.4.1-4.0.0 and higher.
      sed -i "s/touch \$source_log/touch \$source_log \&\& chown \$NGINX_USER:\$NGINX_USER \$source_log/g" /scratch/oracle/cloudgate/ova/bin/jobs/manage-logs.sh
      sudo sed -i "s/ oracle / root /g" /etc/cron.d/cloudgate-jobs
      sudo sed -i "/User=oracle/d" /etc/systemd/system/cloudgate-nginx.service
      sudo sed -i "/User=oracle/d" /etc/systemd/system/cloudgate-agent.service
    • For earlier App Gateway OVA versions.
      sed -i "s/touch \$source_log/touch \$source_log \&\& chown \$NGINX_USER:\$NGINX_USER \$source_log/g" /scratch/oracle/cloudgate/ova/bin/jobs/manage-logs.sh
      sudo sed -i "s/ oracle / root /g" /etc/cron.d/cloudgate-jobs
      sudo sed -i "s/sudo -u oracle//g" /etc/init.d/cloudgate-nginx
      sudo sed -i "s/sudo -u oracle//g" /etc/init.d/cloudgate-agent
  3. Execute the following commands to change the permissions of the folders.
    sudo chmod -R 755 /scratch/
    sudo chown root:root /scratch/oracle/cloudgate/home/bin/nginx
    cd /usr/local/nginx/sbin/
    rm nginx
    sudo ln -sf /scratch/oracle/cloudgate/home/bin/nginx
  4. Copy the certificate file (for example, myappgateway.example.com.cert) and the certificate key file (for example, myappgateway.example.com.key) from your desktop to the /scratch/ folder.
  5. Add the user oracle directive to the nginx.conf file by executing the following command.
    sudo sed -i "/working_directory.*/a user oracle;" /usr/local/nginx/conf/nginx.conf
  6. Edit the /scratch/oracle/cloudgate/ova/bin/setup/cloudgate-env file. You can use the following command or any other text editor of your choice:
    vi /scratch/oracle/cloudgate/ova/bin/setup/cloudgate-env
  7. Replace the value of the CG_CALLBACK_PREFIX parameter with the following value: https://%hostid%
  8. Save the /scratch/oracle/cloudgate/ova/bin/setup/cloudgate-env file.
  9. Run the following sed commands to enable running the server with the sudo command:
    sed -i s/verify_running_as_user/#verify_running_as_user/g /scratch/oracle/cloudgate/ova/bin/setup/setup-cloudgate
    sudo sed -i "/create_wallet || .*/a chmod -R 755 /scratch/oracle/cloudgate/wallet/" /scratch/oracle/cloudgate/ova/bin/setup/setup-cloudgate
  10. Confirm that the setup-cloudgate file is configured with the values of your Oracle Identity Cloud Service tenant, and with the CG_APP_NAME and CG_APP_SECRET values of the App Gateway you registered in the Oracle Identity Cloud Service console.
  11. The setup-cloudgate script runs in sudo mode. Run the following sed commands to remove sudo from the commands in the setup-cloudgate script.
    sed -i 's/$SUDO $SYSTEMCTL/$SYSTEMCTL/g' /scratch/oracle/cloudgate/ova/bin/setup/setup-cloudgate
    sed -i 's/$SUDO \"$TEE\"/\"$TEE\"/g' /scratch/oracle/cloudgate/ova/bin/setup/setup-cloudgate
  12. Run the following command to reconfigure App Gateway according to the parameters registered in the Oracle Identity Cloud Service console (in this case, port number 443 and SSL Enabled).
    sudo -E /scratch/oracle/cloudgate/ova/bin/setup/setup-cloudgate
After the setup-cloudgate script finishes, the App Gateway server starts automatically. You can access any application protected by your App Gateway using HTTPS, the App Gateway domain, and port number 443 (the default HTTPS port). For example, https://myappgateway.example.com/myapp/index
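As an added post-setup check that is not part of Oracle's documentation, this shell function re-reads the files edited in steps 2 to 7 above and reports any edit that did not take effect, so a server that still runs parts of the stack as the wrong user is caught before it goes live. The function name and the root-prefix argument are my assumptions, added so the same checks can run against a test tree as well as the live system.

```shell
#!/bin/sh
# Verify the server-side edits took effect. $1 is a root prefix (empty for the
# live system); every path below is taken from the procedure on this page.
verify_privileged_setup() {
  root="${1:-}"; rc=0
  for unit in cloudgate-nginx cloudgate-agent; do
    # Step 2, OVA 20.4.1-4.0.0 and higher: systemd units no longer pin User=oracle.
    f="$root/etc/systemd/system/$unit.service"
    if [ -f "$f" ] && grep -q 'User=oracle' "$f"; then
      echo "FAIL: $f still contains User=oracle"; rc=1
    fi
    # Step 2, earlier OVA versions: init scripts no longer run 'sudo -u oracle'.
    f="$root/etc/init.d/$unit"
    if [ -f "$f" ] && grep -q 'sudo -u oracle' "$f"; then
      echo "FAIL: $f still runs sudo -u oracle"; rc=1
    fi
  done
  # Step 2: cron jobs run as root instead of oracle.
  if grep -q ' oracle ' "$root/etc/cron.d/cloudgate-jobs" 2>/dev/null; then
    echo "FAIL: cloudgate-jobs still runs as oracle"; rc=1
  fi
  # Step 3: the nginx symlink points at the root-owned cloudgate binary.
  if [ "$(readlink "$root/usr/local/nginx/sbin/nginx" 2>/dev/null)" != /scratch/oracle/cloudgate/home/bin/nginx ]; then
    echo "FAIL: /usr/local/nginx/sbin/nginx is not linked to the cloudgate binary"; rc=1
  fi
  # Step 5: with 'user oracle;' the nginx master keeps root (needed to bind 443)
  # while the worker processes that handle requests run as oracle.
  if ! grep -q '^user oracle;' "$root/usr/local/nginx/conf/nginx.conf" 2>/dev/null; then
    echo "FAIL: nginx.conf lacks 'user oracle;'"; rc=1
  fi
  # Step 7: the callback prefix must be HTTPS.
  env="$root/scratch/oracle/cloudgate/ova/bin/setup/cloudgate-env"
  if ! grep -q 'CG_CALLBACK_PREFIX.*https://%hostid%' "$env" 2>/dev/null; then
    echo "FAIL: CG_CALLBACK_PREFIX is not https://%hostid%"; rc=1
  fi
  return $rc
}
```

Run it with no argument on the App Gateway server after setup-cloudgate finishes; a zero exit status means every edit above is in place.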

Start and Stop App Gateway Server Using sudo Command

Because you set up your App Gateway server to run on port 443, you need to start and stop the App Gateway server and agent using the sudo command.

  1. To stop the App Gateway server and agent, use the following commands:
    sudo -E /scratch/oracle/cloudgate/home/bin/cg-stop
    sudo -E /scratch/oracle/cloudgate/home/bin/agent-stop
  2. To start the App Gateway server and agent, use the following commands:
    sudo -E /scratch/oracle/cloudgate/home/bin/cg-start
    sudo -E /scratch/oracle/cloudgate/home/bin/agent-start