...
Info: Oracle Integration 3 instances only support OAuth authentication. Basic Auth cannot be used in FlexDeploy for these instances.
JWT User Assertion
JWT User Assertion requires an SSL certificate to be uploaded to Oracle Cloud Infrastructure and referenced in FlexDeploy. The key can be self-signed or issued from a more trusted chain.
...
Generate certificate
...
Create Oracle Identity Application with the JWT Assertion grant type
...
Add public key to Oracle Identity Console
...
Prerequisite
For both OAuth methods, a certificate must be generated on the endpoint where the FlexDeploy server will execute the plugin operations for OIC/VBCS.
1. Generate certificate
If you already have a public/private key pair and its keystore location, feel free to skip this step.
...
Info: The first 3 steps of this process are nicely outlined by Oracle in this blog: https://www.ateam-oracle.com/authentication-and-user-propagation-for-api-calls
Warning: The private key MUST have a passphrase; otherwise you may see the error "Cannot recover Key".
For this section, see the heading Create a Signing Key Pair in that blog. Be sure this is done on the FlexDeploy server or the server where your OIC workflows will run.
2. Create Oracle Identity Application with the JWT Assertion grant type
Info: This step is also covered in the Oracle blog linked above: https://www.ateam-oracle.com/authentication-and-user-propagation-for-api-calls
For this section, see step 1 under the heading Configuring IDCS. The same process is also outlined below for Resource Owner; for JWT Assertion, be sure to select the correct grants and upload your certificate.
Make sure that the Client Type is set to Confidential, or you will get a 400 error when using it.
3. Add public key to Oracle Identity Console
Info: This step is also covered in the Oracle blog linked above: https://www.ateam-oracle.com/authentication-and-user-propagation-for-api-calls
For this section, see step 2 under the heading Configuring IDCS.
4. Create FlexDeploy Cloud Account
Lastly, you need to create a cloud account in FlexDeploy specifying your client application information as well as the certificate information.
...
Resource Owner
Continuing with this step, we assume you don't have third-party certificates and are going to generate a self-signed certificate.
Keystore
1. Create the Keystore.
Code Block:
keytool -genkey -keyalg RSA -alias <your_alias, e.g. FlexDeploySandbox> -keystore <keystore_file, e.g. FDSandboxkeystore.jks> -storepass <new_keystore_pass> -validity 365 -keysize 2048
Info: If you don't want to put the password in the command, you can remove -storepass <new_keystore_pass>; keytool will then prompt you for the keystore password.
2. Export the certificate to a .cer file. Make sure that the aliases are unique.
Code Block:
keytool -exportcert -alias <your_alias, e.g. FlexDeploySandbox> -file <filename, e.g. flexdeployad.cer> -keystore <keystore_file, e.g. FDSandboxkeystore.jks> -storepass <keystore_pass>
Install the Certificate
Install the .cer file generated in step 2 above into the JDK cacerts used by the FlexDeploy endpoint.
1. First determine the JDK used by FlexDeploy and/or the endpoint, as applicable. For example:
cd /u01/jdk1.8.0_372
cd jre/lib/security/
2. Copy the .cer file into this folder.
3. Back up the existing cacerts file:
cp cacerts cacerts.bak
4. Import the certificate:
../../bin/keytool -importcert -keystore cacerts -alias <alias name> -file <certificate file name>
5. Type the cacerts password when prompted (likely "changeit").
Resource Owner
Create a Confidential Application in Identity Console
Add cer file to Partner Settings
Create FlexDeploy Cloud Account
1. Create a Confidential Application in Oracle Identity Console
...
Give it a meaningful name such as ‘FlexDeploy OAuth App’.
Click Next.
On the client configuration, select Configure this application as a client now. Be sure to select the grant types Resource Owner and Client Credentials, and add scopes for the OIC instances where you want to use this application.
Copy the scope that ends in /ic/api to notepad.
For Client Type, select Confidential and import the .cer file (flexdeployad.cer) generated earlier. Make sure to use the same alias name used to generate the file (e.g. FlexDeploySandbox).
...
You can accept the default values throughout the rest of the configuration.
Copy the client ID and secret that are shown after completing the application (you can also access them from the Configuration tab).
Activate your application.
...
2. Add cer file to Partner Settings
We have configured the signing certificate in the Confidential Application; IDCS also requires the signing certificate to be configured as a Trusted Partner Certificate. Go to Settings → Partner Settings and import the .cer file. Make sure to use the same alias name used to generate the file (e.g. FlexDeploySandbox).
...
3. Create the Cloud Account in FlexDeploy
...
JWT User Assertion
JWT User Assertion requires an SSL certificate to be uploaded to Oracle Cloud Infrastructure and referenced in FlexDeploy. The key can be self-signed or issued from a more trusted chain.
Create Oracle Identity Application with the JWT Assertion grant type
Add cer file to Partner Settings
Create FlexDeploy Cloud Account
1. Create Oracle Identity Application with the JWT Assertion grant type
...
...
Give it a meaningful name such as ‘FlexDeploy OAuth App’.
Click Next.
On the client configuration, select Configure this application as a client now. Be sure to select the grant types Resource Owner, JWT Assertion, and Client Credentials, and add scopes for the OIC instances where you want to use this application.
Copy the scope that ends in /ic/api to notepad.
...
For Client Type, select Confidential and import the .cer file (flexdeployad.cer) generated earlier. Make sure to use the same alias name used to generate the file (e.g. FlexDeploySandbox).
...
You can accept the default values throughout the rest of the configuration.
Copy the client ID and secret that are shown after completing the application (you can also access them from the Configuration tab).
Activate your application.
...
2. Add cer file to Partner Settings
We have configured the signing certificate in the Confidential Application; IDCS also requires the signing certificate to be configured as a Trusted Partner Certificate. Go to Settings → Partner Settings and import the .cer file. Make sure to use the same alias name used to generate the file (e.g. FlexDeploySandbox).
...
3. Create FlexDeploy Cloud Account
Lastly, you need to create a cloud account in FlexDeploy specifying your client application information as well as the certificate information.
...
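As an added example (not FlexDeploy's or Oracle's own code), the following Python builds the two token requests behind the Resource Owner and JWT User Assertion cloud-account types described on this page, so you can see what the client ID/secret, the keystore alias and the /ic/api scope are each used for. It assumes the IDCS token endpoint is <IDCS URL>/oauth2/v1/token, that the client authenticates with HTTP Basic client_id:client_secret in both flows, and that the assertion claim values (iss = client ID, sub = user name, aud = https://identity.oraclecloud.com/) follow the Oracle A-Team blog linked above; verify them against your tenancy. The rs256_signer helper (which reads a PEM copy of the private key), the placeholder scope and the fixed-byte demo signer are assumptions and constructed values, not anything FlexDeploy exposes.

```python
# Added example (not FlexDeploy's or Oracle's code): the token requests behind the
# two OAuth methods on this page, built offline so the wire format is visible.
# Assumptions: token endpoint <IDCS URL>/oauth2/v1/token; Basic client
# authentication in both flows; claim values per the Oracle A-Team blog.
import base64
import json
import time
import uuid

IDCS_AUDIENCE = "https://identity.oraclecloud.com/"  # assumed audience, see above
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client authentication for the token call (assumed to be Basic in both flows)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_user_assertion(client_id, username, alias, signer, now=None, ttl=300):
    """Compact JWT for the JWT User Assertion flow.

    `signer(bytes) -> bytes` must produce an RS256 (RSASSA-PKCS1-v1_5 / SHA-256)
    signature with the private key from the keystore created on this page.
    The keystore alias goes into "kid": that is why the exported .cer must be
    uploaded to IDCS (application and Partner Settings) under the same alias.
    """
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "RS256", "typ": "JWT", "kid": alias}
    claims = {"iss": client_id, "sub": username, "aud": IDCS_AUDIENCE,
              "iat": now, "exp": now + ttl, "jti": str(uuid.uuid4())}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    return signing_input + "." + _b64url(signer(signing_input.encode("ascii")))


def decode_unverified(token: str):
    """Split a compact JWT into (header, claims) without checking the signature."""
    h, p, _sig = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def jwt_bearer_request(client_id, client_secret, assertion, scope):
    """Headers and form body for the JWT User Assertion token call."""
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope}
    return headers, body


def resource_owner_request(client_id, client_secret, username, password, scope):
    """Headers and form body for the Resource Owner (password grant) token call.

    Note that the user's password itself travels in this request body.
    """
    headers = {"Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded"}
    body = {"grant_type": "password", "username": username,
            "password": password, "scope": scope}
    return headers, body


def rs256_signer(pem_private_key: bytes, passphrase: bytes):
    """Build a real signer from a PEM private key (needs the `cryptography` package).

    Assumption: the private key was exported from the JKS keystore to PEM.
    The passphrase is mandatory, matching the Warning on this page.
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(pem_private_key, password=passphrase)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


if __name__ == "__main__":
    # Constructed placeholder values; the fixed-byte signer only shows the shape.
    scope = "https://OIC-INSTANCE-PLACEHOLDER:443/ic/api"  # the scope ending in /ic/api
    placeholder_sign = lambda data: b"\x00" * 256
    assertion = build_user_assertion("CLIENT_ID_PLACEHOLDER", "fd.user@example.com",
                                     "FlexDeploySandbox", placeholder_sign)
    print(json.dumps(decode_unverified(assertion), indent=2))
    print(jwt_bearer_request("CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER",
                             assertion, scope)[1]["grant_type"])
```

The "kid" header carries the keystore alias, which is why every step above insists on reusing the same alias for the keystore, the application's certificate and the Partner Settings import: IDCS looks the public certificate up by that name to verify the assertion's signature.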