A Guide on Integrating IDCS with WebCenter Suite

Oracle Identity Cloud Service (IDCS) Overview:

Oracle Identity Cloud Service (IDCS) is a comprehensive security and identity platform. It allows for an integration of both cloud and on-prem applications with Single Sign-On (SSO) and provides a sophisticated security layer. IDCS offers a multitude of ways to configure applications so that users may access applications through SSO.

For an overview of the benefits of integrating IDCS with WebCenter, please see our blog, “Benefits of Integrating Oracle Identity Cloud Service (IDCS) with WebCenter Content.”

Configuring IDCS for WebCenter Suite:

Note: This guide is applicable to 12.2.1.4.0 WebCenter domains hosted on-prem or in OCI, with the following managed servers:

  • WebCenter Content
  • WebCenter Content UI
  • WebCenter Imaging
  • WebCenter Enterprise Capture

Prerequisites:

  • The WebCenter domain is installed and accessible.
  • All current bundle patches are installed.

Note: Official documentation from Oracle does not state a specific patch level required, Oracle simply recommends that the most current bundle patch is installed.

Configure the WebCenter Domain with IDCS:

From OCI, create an IDCS Confidential Application:

1. In the Oracle Cloud Infrastructure page, in the menu select Identity → Federation

2. Select the Identity Provider link

3. Select the Oracle Identity Cloud Service Console link

4. In the menu select Applications

5. Click the + Add link

6. Select Confidential Application

7. Enter a Name

8. Click the Next button

9. Click the Next button

10. Click the Finish button

11. In the newly created application page, select the Configuration link

12. Expand Client Configuration and check the Register Client radio button

13. For the Allowed Grant Types, select the appropriate grant

14. For the Client Type, select the appropriate Client Type

15. In the Token Issuance Policy → Grant the client access to Identity Cloud Service Admin APIs section click the + Add button

16. Check the following boxes for:

  • Identity Domain Administrator
  • Cloud Gate

Note: When the domain is within OCI, these are required to allow access to the Fusion Middleware Enterprise Manager (EM).

17. Click the Add button

18. Click the Save button

19. Expand General Configuration and note the Client ID

20. Click the Show Secret button and note the secret and the IDCS hostname

The Client ID, Secret, and IDCS hostname will be needed when configuring the WebLogic IDCS provider.

21. Click the Activate link

Note: Users and Groups do not need to be added to the Application.

Users added in Oracle Identity Cloud Service Console → Users will be able to log into the managed servers.

Update SSL.hostnameVerifier Property in Domain Environment on all Nodes

IDCS will be accessed over SSL.

1. Stop the Admin Server and all managed servers in the WebLogic domain

2. Make a backup copy of the <WCC domain>/bin/setDomainEnv.sh or <Drive>:\<WCC domain>\bin\setDomainEnv.cmd

3. Edit the setDomainEnv.sh or setDomainEnv.cmd file

For Linux or Unix, on a new line directly above the line that says JAVA_PROPERTIES="${JAVA_PROPERTIES} ${EXTRA_JAVA_PROPERTIES}", add the following entries:

EXTRA_JAVA_PROPERTIES="-Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier ${EXTRA_JAVA_PROPERTIES}"

export EXTRA_JAVA_PROPERTIES

For Windows, on a line directly above set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Ducm.oracle.home=%UCM_ORACLE_HOME%:

set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier

4. Save and exit the file

5. Start the AdminServer for the WebLogic domain
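As an added example that is not part of the original guide, the POSIX shell functions below apply the Linux/Unix edit from step 3 the way you would want it applied on every node: take a backup, insert the two lines directly above the JAVA_PROPERTIES anchor line, refuse to run if the anchor is missing, and do nothing if the property is already there. It assumes the stock anchor line is present in setDomainEnv.sh; note that the wildcard verifier still checks the certificate hostname and only adds acceptance of wildcard certificates.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotently add the
# SSL.hostnameVerifier property to setDomainEnv.sh on one node.
# Assumes the Linux/Unix setDomainEnv.sh contains the anchor line below.

VERIFIER_PROP='-Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier'
ANCHOR='JAVA_PROPERTIES="${JAVA_PROPERTIES} ${EXTRA_JAVA_PROPERTIES}"'

# Returns 0 if the property is already present in the file.
has_verifier_prop() {
  grep -qF -- "$VERIFIER_PROP" "$1"
}

# Insert the two lines directly above the anchor line (first match only).
# Takes a timestamped backup first; fails if the anchor cannot be found.
add_verifier_prop() {
  file="$1"
  if has_verifier_prop "$file"; then
    echo "already configured: $file"
    return 0
  fi
  if ! grep -qF -- "$ANCHOR" "$file"; then
    echo "anchor line not found in $file" >&2
    return 1
  fi
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  awk -v anchor="$ANCHOR" -v prop="$VERIFIER_PROP" '
    index($0, anchor) > 0 && !done {
      print "EXTRA_JAVA_PROPERTIES=\"" prop " ${EXTRA_JAVA_PROPERTIES}\""
      print "export EXTRA_JAVA_PROPERTIES"
      done = 1
    }
    { print }
  ' "$file" > "$file.tmp" || return 1
  # Overwrite in place so the original file's ownership and mode are kept.
  cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  has_verifier_prop "$file"
}

# Usage on a node: add_verifier_prop /u01/data/domains/WebCenter_domain/bin/setDomainEnv.sh
```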

Create the IDCS Security Provider

1. In the WebLogic domain’s AdminServer console page, select Security Realms → myrealm → Providers

2. Click the New button

3. Enter a Name

4. In the Type drop down menu select OracleIdentityCloudIntegrator

5. Click the OK button

6. Click the Reorder button and place the provider at the top

7. Select the DefaultAuthenticator link

8. Set the Control Flag to SUFFICIENT

9. Click the Save button

10. Select the new IDCS provider link

11. Set the Control Flag to SUFFICIENT

12. In the Active Types, move REMOTE_USER and AUTHORIZATION from Available to Chosen

13. Click the Save button

14. Select the Provider Specific tab

15. Enter the Host

Note: Take this from the previously noted IDCS Federation console URL. The Host is not the full hostname, only its domain portion, for example identity.oraclecloud.com.

16. Enter the Port as 443

17. For the Tenant enter the IDCS Federation console hostname such as idcs-8b3d7c85b01e486b88b4e2166f5a3b13

18. Add the previously noted Client ID

19. Add the previously noted Secret

20. Click the Save button

Import Certificate in KSS Store

Obtaining the IDCS certificate

1. On the system the WCC domain AdminServer is installed on, open a shell as the user that owns the WebCenter domain files and directories

2. Run the following:

echo -n | openssl s_client -showcerts -servername <Full IDCS Federation console host> -connect <Full IDCS Federation console host>:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/idcs_cert_chain.crt

As an example:

echo -n | openssl s_client -showcerts -servername idcs-NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.identity.oraclecloud.com -connect idcs-NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.identity.oraclecloud.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/patch/idcs_cert_chain.crt
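As an added example that is not from the original guide, the shell functions below run the same openssl/sed retrieval and then split the saved chain into one PEM file per certificate, printing each certificate's subject, issuer and expiry so you can see exactly what is about to be trusted, and failing loudly if nothing came back (a proxy or firewall problem shows up here rather than later in WLST). It assumes openssl is on the PATH; the host and output paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original guide). Assumes openssl is installed.

# Write every certificate in a PEM chain file to <outdir>/cert-N.pem and
# echo the number of certificates found (0 if the file contains none).
split_pem_chain() {
  chain="$1"; outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-BEGIN CERTIFICATE-/ { n++; out = dir "/cert-" n ".pem" }
    out != ""             { print > out }
    /-END CERTIFICATE-/   { close(out); out = "" }
    END                   { print n + 0 }
  ' "$chain"
}

# Fetch the chain presented by the IDCS host (the guide's openssl/sed
# pipeline), split it, and describe each certificate in it.
fetch_and_describe_chain() {
  host="$1"; chain="$2"; outdir="$3"
  printf '' | openssl s_client -showcerts -servername "$host" -connect "$host:443" 2>/dev/null \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$chain"
  count=$(split_pem_chain "$chain" "$outdir")
  if [ "$count" -eq 0 ]; then
    echo "no certificates received from $host; check connectivity and proxy settings" >&2
    return 1
  fi
  echo "$count certificate(s) received from $host"
  for f in "$outdir"/cert-*.pem; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -enddate
  done
}

# Usage (placeholder host):
# fetch_and_describe_chain idcs-NNNN.identity.oraclecloud.com /tmp/patch/idcs_cert_chain.crt /tmp/patch/idcs_chain
```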

Import the certificate

1. Run <WC middleware>/oracle_common/common/bin/wlst.sh

2. Run the following WLST commands

connect("weblogic","Welcome_1","t3://<System Host Name or IP Address>:<AdminServer port, typically 7001>")

svc=getOpssService(name='KeyStoreService')

svc.importKeyStoreCertificate(appStripe='system',name='trust',password='',alias='idcs_root_ca',type='TrustedCertificate',filepath='/tmp/patch/idcs_cert_chain.crt',keypassword='')

syncKeyStores(appStripe='system',keystoreFormat='KSS')

exit()

3. Start the AdminServer

In myrealm → Users and Groups, the IDCS users and groups are not listed, unlike LDAP providers and the DefaultAuthenticator; the IDCS provider does not use an All Users Filter or an All Groups Filter.

Import the OPSS SCIM Template

Note: This is required when IDCS users will be getting their WCC/WEC roles and accounts from IDCS group memberships.

If it’s planned to use IDCS just for SAML SSO and an LDAP server will be used for group memberships, skip this step.

In WebCenter 12c, user authentication is done through the WebLogic LDAP providers, including the IDCS provider. For user authorization and for getting role and account memberships, the libOVD Identity Governance Framework API is used.

By default, libOVD doesn’t access IDCS. It has to be modified to allow access.

To do that, perform the following steps on the system that the AdminServer is running on.

1. Run <WCC middleware>/oracle_common/common/bin/wlst.sh (it is not necessary to connect to the AdminServer port; these are offline commands)

2. readDomain('<DOMAIN_HOME>')

For example:

readDomain('/u01/data/domains/WebCenter_domain')

3. addTemplate('<MIDDLEWARE_HOME>/oracle_common/common/templates/wls/oracle.opss_scim_template.jar')

For example:

addTemplate('/u01/app/oracle/middleware/oracle_common/common/templates/wls/oracle.opss_scim_template.jar')

This step may throw a warning, which can be ignored.

WARNING: The addTemplate is deprecated. Use selectTemplate followed by loadTemplates in place of addTemplate.

4. updateDomain()

5. closeDomain()

6. Restart the AdminServer

7. Restart the managed server(s)

Verify User Login and Group Memberships

At this point, users should be able to log into the WebCenter managed server.

WCC users should get their expected roles and accounts (if accounts are being used).

Test to ensure that users can log into the WCC and that their group memberships will be displayed as roles and accounts in their profile page.

IDCS users and groups should be able to be added to Capture Application Roles.

Logging for when users are having authentication (login) or authorization (group membership) issues. For authentication:

1. In the domain AdminServer console, select Servers → <WC managed server> → Debug

2. Expand weblogic → security

3. Check the box for atn, leave the atz box unchecked.

4. Click the Enable button

A managed server restart is not required.

The securityAtn entries will get written to the <WC domain>/servers/<WC MS>/logs/<WC MS>.log file

For authorization:

1. Go into the domain Enterprise Manager, EM

2. Select the <Managed Server> link

3. In the WebLogic Server drop down menu select Logs → Log Configuration

4. Expand Root Logger

5. Expand oracle → oracle.ods

6. Set the oracle.ods.virtualization logger to TRACE:32 (FINEST)

7. Check the box for Persist log level state across component restarts

8. Click the Apply button

A managed server restart is not required.

The oracle.ods.virtualization entries will get written to the <WC domain>/servers/<WC MS>/logs/<WC MS>-diagnostic.log file

Access logs on IDCS:

1. In the Oracle Identity Cloud Service Console drop down menu select Settings → Diagnostics

2. In the Diagnostics Type drop down menu select Service View (includes Activity View and Data View)

3. Click the Save button

4. In the drop down menu select Reports → Diagnostic Data

5. In the Log Type select Service View (includes Activity View and Data View)

6. Click the Download Report button

7. Open the CSV file

Is your organization interested in IDCS, or do you already have IDCS and want to integrate it into your WebCenter environment? Contact Inspired ECM to learn how we can help.