5.1.6.2 Configuring OAuth and Oracle HTTP Server
OAA, OARM, and OUA need access to an Oracle Access Management (OAM) deployment with the OAuth service enabled. You must configure Oracle HTTP Server with the relevant entries for OAM OAuth and OAA. The OAA installation performs the following in OAM:
- Enabling OAuth in OAM.
- Creating the required OAuth components (Identity Domain, Resource, Client) for OAA.
- Creating the required OAM resources within the existing IAM Suite application domain.
As per the OAA sandbox deployment architecture in Supported Architectures, OHS is used as a proxy to OAM and OAA. The Oracle HTTP Server (OHS) must be updated with the relevant entries to facilitate the deployment.
Configure Oracle HTTP Server
The instructions below assume that SSL is terminated at OHS, and hence all entries are updated in the relevant SSL <VirtualHost> section in the ssl.conf. If you have a different architecture, for example SSL terminated at the load balancer, then update the relevant OHS configuration file for your environment. For more information on updating OHS configuration files, see Working with Oracle HTTP Server.
- Add the following entries for the RewriteRules for OAuth:

Note: OAADomain will be the OAuth domain that gets created in OAM by the OAA installation.

```apache
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteRule ^/oauth2/rest/authorize? /oauth2/rest/authorize?domain=OAADomain [PT,QSA,L]
  # The token/info rule must come before the token rule: the unanchored pattern
  # ^/oauth2/rest/token? also matches /oauth2/rest/token/info, and [L] stops at
  # the first matching rule, so the reverse order would rewrite token/info to token.
  RewriteRule ^/oauth2/rest/token/info? /oauth2/rest/token/info?domain=OAADomain [PT,QSA,L]
  RewriteRule ^/oauth2/rest/token? /oauth2/rest/token?domain=OAADomain [PT,QSA,L]
  RewriteRule ^/oauth2/rest/authz? /oauth2/rest/authz?domain=OAADomain [PT,QSA,L]
  RewriteRule ^/oauth2/rest/userinfo? /oauth2/rest/userinfo?domain=OAADomain [PT,QSA,L]
  RewriteRule ^/oauth2/rest/security? /oauth2/rest/security?domain=OAADomain [PT,QSA,L]
  RewriteRule ^/oauth2/rest/userlogout? /oauth2/rest/userlogout?domain=OAADomain [PT,QSA,L]
</IfModule>
<IfModule mod_headers.c>
  # Add Identity domain header always for OpenID requests
  RequestHeader set X-OAUTH-IDENTITY-DOMAIN-NAME "OAADomain"
</IfModule>
```
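The rules above rely on three mod_rewrite behaviours: the Pattern is a regex matched against the URL-path only (no query string), the Substitution replaces the whole URL-path, and QSA appends the request's original query string while L stops at the first match. Because the patterns are not anchored with `$`, the order of the rules matters. The following added example (not part of the Oracle documentation) simulates those semantics for the page's rule set and includes a check that reports a rule whose target path is captured by an earlier `[L]` rule. The two rule constants are constructed copies of the page's rules, differing only in whether the token/info rule precedes the token rule; the sample request URIs are constructed.

```python
"""Simulate the OAuth RewriteRules from the OHS ssl.conf and detect rule shadowing.

Added example, not Oracle's code. Models only the mod_rewrite subset these rules use:
regex Pattern against the URL-path, Substitution replaces the whole path, QSA appends
the original query string, L stops at the first matching rule.
"""
import re
from urllib.parse import urlsplit

# Constructed copy of the page's rules with the token rule listed before token/info.
RULES_SHADOWED = """
RewriteRule ^/oauth2/rest/authorize? /oauth2/rest/authorize?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/token? /oauth2/rest/token?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/token/info? /oauth2/rest/token/info?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/authz? /oauth2/rest/authz?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/userinfo? /oauth2/rest/userinfo?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/security? /oauth2/rest/security?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/userlogout? /oauth2/rest/userlogout?domain=OAADomain [PT,QSA,L]
"""

# Same rules with token/info placed before token so the more specific path wins.
RULES_ORDERED = """
RewriteRule ^/oauth2/rest/authorize? /oauth2/rest/authorize?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/token/info? /oauth2/rest/token/info?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/token? /oauth2/rest/token?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/authz? /oauth2/rest/authz?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/userinfo? /oauth2/rest/userinfo?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/security? /oauth2/rest/security?domain=OAADomain [PT,QSA,L]
RewriteRule ^/oauth2/rest/userlogout? /oauth2/rest/userlogout?domain=OAADomain [PT,QSA,L]
"""

RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?\s*$")


def parse_rules(text):
    """Return (pattern, substitution, flags) tuples for each RewriteRule line, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            flags = {f.strip().upper() for f in (m.group(3) or "").split(",") if f.strip()}
            rules.append((m.group(1), m.group(2), flags))
    return rules


def rewrite(request_uri, rules):
    """Apply the rules to one request URI and return the rewritten path plus query."""
    parts = urlsplit(request_uri)
    path, query = parts.path, parts.query
    for pattern, subst, flags in rules:
        if re.search(pattern, path) is None:
            continue
        # The Substitution replaces the entire URL-path and may carry its own query.
        new_path, _, new_query = subst.partition("?")
        if "QSA" in flags and query:
            new_query = f"{new_query}&{query}" if new_query else query
        path, query = new_path, new_query
        if "L" in flags:
            break
    return f"{path}?{query}" if query else path


def shadowed_rules(rules):
    """Return (target_path, earlier_pattern) pairs for rules that can never fire because
    an earlier [L] rule's pattern already matches the path the later rule targets."""
    findings = []
    for i, (_, subst, _) in enumerate(rules):
        target = subst.partition("?")[0]
        for pattern, _, flags in rules[:i]:
            if "L" in flags and re.search(pattern, target):
                findings.append((target, pattern))
                break
    return findings


if __name__ == "__main__":
    for label, text in (("shadowed", RULES_SHADOWED), ("ordered", RULES_ORDERED)):
        rules = parse_rules(text)
        print(f"== {label} ==")
        for uri in ("/oauth2/rest/token?grant_type=client_credentials",
                    "/oauth2/rest/token/info?access_token=abc"):
            print(f"  {uri:50} -> {rewrite(uri, rules)}")
        for target, pattern in shadowed_rules(rules):
            print(f"  WARNING: {target} is captured by earlier rule {pattern}")
```

Run it against your own ssl.conf by passing the RewriteRule lines to `parse_rules`; a non-empty result from `shadowed_rules` means a request to that endpoint is being proxied to a different OAM endpoint than intended.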
- Ensure the following OAM entries exist in your OHS configuration file:

Note: The entries below should already exist given the OAM sandbox deployment architecture prerequisite. They are listed here for completeness.

```apache
#OAM entries
<Location /oam>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /oam/services/rest/auth>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /oam/services/rest/access>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /oamfed>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
# OAM Forgotten Password Page
<Location /otpfp/>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /ms_oauth>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /oauth2>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /.well-known/openid-configuration>
  WLSRequest ON
  DynamicServerList OFF
  PathTrim /.well-known
  PathPrepend /oauth2/rest
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /.well-known/oidc-configuration>
  WLSRequest ON
  DynamicServerList OFF
  PathTrim /.well-known
  PathPrepend /oauth2/rest
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /CustomConsent>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
<Location /iam/access>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Managed_Server_Host>
  WebLogicPort <OAM_Managed_Server_Port>
</Location>
# WebLogic Console Access
<Location /console>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /management>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /consolehelp>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /em>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /oamconsole>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /access>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_Policy_Managed_Server_Host>
  WebLogicPort <OAM_Policy_Managed_Server_Port>
</Location>
<Location /iam/admin>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /oam/services/rest/11.1.2.0.0>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /oam/services/rest/ssa>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /oam/services>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
<Location /dms>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicHost <OAM_AdminServer_Host>
  WebLogicPort <OAM_AdminServer_Port>
</Location>
```
- Add the following OAA entries to the OHS configuration file:

Note: Administrators should be aware of the following:
- The following assumes you will be deploying OAA to a Kubernetes cluster with three worker nodes <K8S_WORKER_HOST1>, <K8S_WORKER_HOST2>, <K8S_WORKER_HOST3>. Modify as required and replace these values with the fully qualified hostnames of the relevant worker nodes as per Configuration Checkpoint.
- Port 30777 is the HTTP port of the ingress controller that you will create later in Configuring the Ingress Controller.

```apache
## OAA entries
<Location /oaa-admin>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /admin-ui>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-policy>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /policy>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /risk-cc>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oua-admin-ui>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa/runtime>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa/rui>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa/authnui>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /fido>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-email-factor>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-sms-factor>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-totp-factor>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-push-factor>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-yotp-factor>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-kba>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /risk-analyzer>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oua>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
<Location /oaa-drss>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster <K8S_WORKER_HOST1>:30777,<K8S_WORKER_HOST2>:30777,<K8S_WORKER_HOST3>:30777
</Location>
```
- Restart Oracle HTTP Server. See Restarting Oracle HTTP Server Instances.
OAM Resources in OAM
As previously mentioned, the OAA installation will create all the required OAM resources and associated policies in the existing IAM Suite application domain.
Product | Resource Type | Host Identifier | Resource URL | Protection Level | Authentication Policy | Authorization Policy
---|---|---|---|---|---|---
OAM | HTTP | IAMSuiteAgent | /oauth2/rest/** | Excluded | |
OAM | HTTP | IAMSuiteAgent | /oam/** | Excluded | |
OAM | HTTP | IAMSuiteAgent | /.well-known/openid-configuration | Excluded | |
OAM | HTTP | IAMSuiteAgent | /iam/access/binding/api/v10/oap/** | Excluded | |
OAM | HTTP | IAMSuiteAgent | /oam/services/rest/** | Excluded | |
OAM | HTTP | IAMSuiteAgent | /iam/admin/config/api/v1/config/** | Excluded | |
OAM | HTTP | IAMSuiteAgent | /oauth2/rest/approval | Protected | OAuth Authentication Policy | Protected Resource Policy
OAM | HTTP | IAMSuiteAgent | /oam/pages/consent.jsp | Protected | OAuth Authentication Policy | Protected Resource Policy
OAA | HTTP | IAMSuiteAgent | /oaa-admin/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /admin-ui/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /policy/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa-email-factor/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa-sms-factor/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa-totp-factor/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa-yotp-factor/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /fido/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa-kba/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa-push-factor/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /risk-analyzer/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /risk-cc/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /consolehelp/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /otpfp/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oua/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oua-admin-ui/** | Excluded | |
OAA | HTTP | IAMSuiteAgent | /oaa-drss/** | Excluded | |
Note: If you are using something other than IAM Suite and IAMSuiteAgent, you will need to create all these resources manually.
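When the OAA <Location> entries above are added by hand, or the OAM resources have to be created manually as this note describes, it is easy to miss a directive in one of the many near-identical blocks or to proxy a path that no OAM resource covers. The following added example (not part of the Oracle documentation) parses the OAA Location blocks out of an OHS configuration, checks each against the requirements stated on this page (WLSRequest, WLProxySSL and WLProxySSLPassThrough ON, DynamicServerList OFF, and a WebLogicCluster of three workers all on ingress port 30777), and then checks that each proxied path falls under one of the OAA resource URLs listed in the table. The configuration fragment, the `worker*.example.com` hostnames and the deliberately wrong entries in it are constructed; the resource list is copied from the table.

```python
"""Lint OAA <Location> entries in an OHS config and check OAM resource coverage.

Added example, not Oracle's code. SAMPLE_CONF is a constructed fragment: one correct
entry, one missing WLProxySSL, one with a cluster member on the wrong port, and one
path that no OAM resource covers.
"""
import re

SAMPLE_CONF = """
<Location /oaa-admin>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster worker1.example.com:30777,worker2.example.com:30777,worker3.example.com:30777
</Location>
<Location /oaa/runtime>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster worker1.example.com:30777,worker2.example.com:30777,worker3.example.com:30777
</Location>
<Location /oaa-totp-factor>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WLCookieName OAMJSESSIONID
  WebLogicCluster worker1.example.com:30777,worker2.example.com:8080,worker3.example.com:30777
</Location>
<Location /oaa-not-in-domain>
  WLSRequest ON
  DynamicServerList OFF
  WLProxySSL ON
  WLProxySSLPassThrough ON
  WebLogicCluster worker1.example.com:30777,worker2.example.com:30777,worker3.example.com:30777
</Location>
"""

# OAA resource URLs from the page's table of resources in the IAM Suite application domain.
OAA_RESOURCES = [
    "/oaa-admin/**", "/admin-ui/**", "/oaa/**", "/policy/**", "/oaa-email-factor/**",
    "/oaa-sms-factor/**", "/oaa-totp-factor/**", "/oaa-yotp-factor/**", "/fido/**",
    "/oaa-kba/**", "/oaa-push-factor/**", "/risk-analyzer/**", "/risk-cc/**",
    "/consolehelp/**", "/otpfp/**", "/oua/**", "/oua-admin-ui/**", "/oaa-drss/**",
]

# Directive values the page requires in every OAA Location block.
REQUIRED = {"WLSRequest": "ON", "DynamicServerList": "OFF",
            "WLProxySSL": "ON", "WLProxySSLPassThrough": "ON"}

LOC_RE = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S)


def parse_locations(conf):
    """Map each Location path to a dict of its directives (later duplicates win)."""
    locations = {}
    for path, body in LOC_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments and blank lines
            if line:
                name, _, value = line.partition(" ")
                directives[name] = value.strip()
        locations[path] = directives
    return locations


def lint_location(path, directives, ingress_port="30777", worker_count=3):
    """Return human-readable findings for one Location block; empty means it conforms."""
    findings = []
    for name, expected in REQUIRED.items():
        if directives.get(name, "").upper() != expected:
            findings.append(f"{path}: {name} should be {expected}")
    members = [m.strip() for m in directives.get("WebLogicCluster", "").split(",") if m.strip()]
    if len(members) != worker_count:
        findings.append(f"{path}: expected {worker_count} cluster members, found {len(members)}")
    for member in members:
        host, _, port = member.rpartition(":")
        if port != ingress_port:
            findings.append(f"{path}: {host or member} uses port {port!r}, expected {ingress_port}")
    return findings


def oam_pattern_to_regex(resource_url):
    """Translate an OAM resource URL into a regex; '**' matches any characters including '/'."""
    return re.compile("^" + re.escape(resource_url).replace(r"\*\*", ".*") + "$")


def uncovered_locations(locations, resources):
    """Paths proxied by OHS that no OAM resource URL in the application domain covers."""
    patterns = [oam_pattern_to_regex(r) for r in resources]
    return [p for p in locations if not any(rx.match(p.rstrip("/") + "/") for rx in patterns)]


def lint_config(conf, resources=OAA_RESOURCES):
    """All findings for a configuration: per-block directive checks, then coverage gaps."""
    locations = parse_locations(conf)
    findings = [f for path, d in locations.items() for f in lint_location(path, d)]
    findings += [f"{p}: no OAM resource covers this path" for p in uncovered_locations(locations, resources)]
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONF):
        print(finding)
```

To run it against a real deployment, read the SSL <VirtualHost> section of ssl.conf into `lint_config`; a coverage finding tells you which paths to add to the application domain before the deployment is exposed through OHS.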