In part 1 of implementing SSO for the application, we covered a high-level explanation of how the solution works, along with the setup required. If you haven't read part 1 yet, please do so before proceeding with part 2. In this part, we cover the App Gateway setup for the environment.
Step 1: Download, Deploy & Configure App Gateway:
This section describes how to download the App Gateway software, then deploy and configure it on the compute instance provisioned for this setup. The prerequisites are:
AppGateway Docker image for Identity Cloud Service.
AppGateway Wallet Tool.
IDCS Account with administrator access.
Step 1.1: Downloading the required utilities:
Sign on to IDCS Console as administrator.
Click on Hamburger Menu -> Settings -> Downloads.
Download the latest version of the "AppGateway Docker image for Identity Cloud Service" from the Downloads page.
Download the "AppGateway Wallet Tool" from the downloads page.
Step 1.2: Deploy the wallet tool & Docker image on the compute instance
Create a Linux Server in the subnet as per your setup.
Harden the OS as per your OS Hardening policy.
Update the system with the latest security and kernel patches using the commands below:
yum update
yum updateinfo list security all
yum --security update
Copy the idcs-appgateway Docker image and the appgateway-wallet archive you downloaded to the server.
Install Docker on the App Gateway server and start the Docker service.
Unzip the idcs-appgateway Docker image and load it into the Docker service running on the App Gateway server. Use the command "docker images" to validate the loaded image.
Using the appgateway-wallet file, extract the wallet tool on the system and note its library path for later use.
Step 1.3: Configure AppGateway in IDCS
Log on to the IDCS console.
Under IDCS – Security, create an App Gateway.
Click the Add button and create one named PeopleSoft-APPGW-SSO.
Click on Next and move to the Hosts page.
Click Add Host and enter the host and port details of your App Gateway compute instance.
Note that the port (your choice) is the port on which the APPGW services will run on the APPGW server, and SSL Enabled should be Yes. From IDCS version 19 onwards, all APPGW services must be SSL enabled.
Host Identifier: hostname
Host: IP
Port: 8443
SSL Enabled: Yes
Additional Properties:
ssl_certificate /scratch/docker/cloudgate/certs/appgw.crt;
ssl_certificate_key /scratch/docker/cloudgate/certs/appgw.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
Save the details.
Click on Finish.
Activate the AppGateway.
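The ssl_protocols line in the Additional Properties above still enables TLSv1 and TLSv1.1, which are deprecated. The following shell functions are an added example (not from the original post or from Oracle's App Gateway distribution) that audits the directive text before the App Gateway is activated and rewrites it to TLSv1.2 only; the directive block is a constructed copy of the one in this post.

```shell
# Added example, not from the original post or from Oracle's App Gateway
# distribution: audit the nginx-style SSL directives entered under
# "Additional Properties" before activating the App Gateway. TLSv1 and
# TLSv1.1 are deprecated (RFC 8996); the check reports them and the helper
# rewrites the directive to TLSv1.2 only. The directive text below is a
# constructed copy of the block in this post.

APPGW_SSL_PROPS='ssl_certificate /scratch/docker/cloudgate/certs/appgw.crt;
ssl_certificate_key /scratch/docker/cloudgate/certs/appgw.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;'

# Print the protocol list from the ssl_protocols directive in $1.
ssl_protocols_of() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);[[:space:]]*$/\1/p'
}

# Return 0 when no deprecated protocol is enabled; otherwise print the
# offending names and return 1.
check_ssl_protocols() {
    bad=""
    for p in $(ssl_protocols_of "$1"); do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) bad="$bad $p" ;;
        esac
    done
    if [ -n "$bad" ]; then
        printf 'deprecated protocols enabled:%s\n' "$bad"
        return 1
    fi
    return 0
}

# Rewrite the directive so only TLSv1.2 remains. Add TLSv1.3 as well if the
# nginx bundled with your App Gateway image is built against a TLS 1.3
# capable OpenSSL (assumption: confirm with "nginx -V" inside the container).
harden_ssl_protocols() {
    printf '%s\n' "$1" | sed 's/^\([[:space:]]*ssl_protocols\)[[:space:]].*$/\1 TLSv1.2;/'
}
```

Paste the Additional Properties text into APPGW_SSL_PROPS (or pass it as the argument), run check_ssl_protocols, and use the output of harden_ssl_protocols as the value you save in the IDCS host settings.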
Step 1.4: Create AppGateway Wallet on the Server
We create a wallet here to link the App Gateway services on the server to the App Gateway created in IDCS.
Gather the Client ID from the activated App Gateway (IDCS – Security – AppGateway).
Click Show Secret and gather the client secret from the App Gateway.
Create a folder for the wallet, example - /u01/SSO/wallet/
Create the SSO Wallet using the below command
export LD_LIBRARY_PATH=/u01/wallet/lib/
echo <secret from IDCS> | /u01/wallet/cgwallettool --create -i <ClientID from IDCS>
Step 1.5: Configure AppGateway Services on the Server
Create the App Gateway environment file as below in /u01/SSO. Gather the IDCS URL without the https:// prefix; it is used in the configuration below.
cat appgateway-env
CG_APP_TENANT=<idcs-*****************>
IDCS_INSTANCE_URL=<idcs url>
NGINX_DNS_RESOLVER=<dns resolver IP on your server>
As mentioned earlier, SSL certificates need to be generated for the URL intended for accessing the APPGW/SSO endpoint. Copy the root/main certificate into the directory along with the private key used when generating the CSR.
Use the below command to start the docker container services.
docker run -it -d --name SSO --env-file /u01/SSO/appgateway-env --env HOST_MACHINE=`hostname -f` --volume /u01/SSO/wallet/cwallet.sso:/usr/local/nginx/conf/cwallet.sso --net=host idcsimagename:version
Once started, check the container status using the command "docker ps -a" and gather the container details. The status should be "running" and not "exited".
Copy the certificates into the container using the commands below. "SSO" in these commands is the name of the container created in the step above.
docker cp /u01/SSO/cer/rootcert.crt SSO:/scratch/docker/cloudgate/certs/appgw.crt
docker cp /u01/SSO/cer/privatekey.key SSO:/scratch/docker/cloudgate/certs/appgw.key
Log on to the container, edit cloudgate.config to enable tracing (loglevel - trace3), and add the backend details so the container points to the application after authentication.
docker exec -it containerID bash
Create backend.conf under the origin_conf folder with the following content. Note that the application URL must not include https://; for example, if the URL is https://www.google.com, the upstream name should be "google.com". The load balancer details should be those of the PeopleSoft application.
nginx [ /usr/local/nginx/conf/origin_conf ]$ cat backend.conf
upstream applicationurl {
server LoadbalancerIP:LoadBalancerport;
}
Restart the App Gateway services to apply the changes:
/scratch/oracle/idcs-cloudgate/latest/bin/cg-stop
/scratch/oracle/idcs-cloudgate/latest/bin/agent-stop
/scratch/oracle/idcs-cloudgate/latest/bin/cg-start
/scratch/oracle/idcs-cloudgate/latest/bin/agent-start
Note that a server file should be generated in the agent folder, which indicates that the nginx service has started. (If no file appears in the agent folder, check the nginx logs to understand why the services have not started.)
Validate that the nginx services are running by monitoring the logs in the nginx logs directory.
Exit the container and validate the running services using the netstat command.
netstat -tnlp
You should see a service listening on the nginx/APPGW port configured for the App Gateway, which is 8443 in our example.
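Steps 1.5's checks (the env file format, the "docker ps -a" status and the netstat listener) are easy to get wrong by eye, so here is an added example (not from the original post or from Oracle's App Gateway distribution) of shell functions that perform them. The env file text, "docker ps -a" output and "netstat -tnlp" output embedded below are constructed samples so the functions can be exercised offline; on the server, feed them the live file and command output instead.

```shell
# Added example, not from the original post or from Oracle's App Gateway
# distribution: pre-flight and post-start checks for the App Gateway
# container. All sample inputs below are constructed.

# A deliberately wrong env file: the IDCS URL still carries the scheme.
SAMPLE_ENV_BAD='CG_APP_TENANT=idcs-0123456789abcdef0123456789abcdef
IDCS_INSTANCE_URL=https://idcs-0123456789abcdef0123456789abcdef.identity.oraclecloud.com
NGINX_DNS_RESOLVER=10.0.0.2'

# The same file with the scheme stripped, as the container expects it.
SAMPLE_ENV_OK='CG_APP_TENANT=idcs-0123456789abcdef0123456789abcdef
IDCS_INSTANCE_URL=idcs-0123456789abcdef0123456789abcdef.identity.oraclecloud.com
NGINX_DNS_RESOLVER=10.0.0.2'

# Constructed "docker ps -a" output: one running container, one exited.
SAMPLE_DOCKER_PS='CONTAINER ID   IMAGE                   COMMAND        CREATED          STATUS                     PORTS     NAMES
3f2a1b9c0d4e   idcsimagename:version   "/bin/sh -c"   10 minutes ago   Up 10 minutes                        SSO
7a8b9c0d1e2f   idcsimagename:version   "/bin/sh -c"   2 hours ago      Exited (1) 2 hours ago               old-sso'

# Constructed "netstat -tnlp" output with the nginx listener on 8443.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1203/sshd
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN      4821/nginx: master'

# Print the value of KEY ($2) from env-file text ($1, KEY=value lines).
env_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# Strip an http:// or https:// prefix and any path, leaving host[:port],
# the form both appgateway-env and backend.conf expect.
strip_scheme() {
    printf '%s\n' "$1" | sed -e 's#^https\{0,1\}://##' -e 's#/.*$##'
}

# Validate the three variables the container reads. Returns 0 when all
# pass, otherwise prints one problem per line and returns 1.
check_env_file() {
    rc=0
    tenant=$(env_value "$1" CG_APP_TENANT)
    url=$(env_value "$1" IDCS_INSTANCE_URL)
    resolver=$(env_value "$1" NGINX_DNS_RESOLVER)
    case "$tenant" in
        idcs-*) ;;
        *) echo "CG_APP_TENANT must start with idcs-"; rc=1 ;;
    esac
    case "$url" in
        ""|http://*|https://*) echo "IDCS_INSTANCE_URL must be the host name without a scheme"; rc=1 ;;
    esac
    printf '%s\n' "$resolver" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "NGINX_DNS_RESOLVER must be an IPv4 address"; rc=1; }
    return $rc
}

# State of the container named $2 in "docker ps -a" output $1:
# prints running, exited, missing or unknown.
container_state() {
    line=$(printf '%s\n' "$1" | awk -v n="$2" '$NF == n')
    case "$line" in
        "") echo missing ;;
        *" Up "*) echo running ;;
        *" Exited "*) echo exited ;;
        *) echo unknown ;;
    esac
}

# Return 0 if a TCP listener on port $2 appears in "netstat -tnlp" output $1.
port_listening() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" p "$") { found = 1 } END { exit !found }'
}
```

On the App Gateway server, run check_env_file "$(cat /u01/SSO/appgateway-env)" before the docker run, then container_state "$(docker ps -a)" SSO and port_listening "$(netstat -tnlp)" 8443 after the cg-start/agent-start restart; a non-zero result from any of them points at the step to revisit.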
Step 1.6: Create Load Balancer pointing to the nginx services on the APPGW Server.
Create a load balancer using the SSL certificates generated, with a backend set pointing to the App Gateway server(s) on port 8443 (the nginx service).
Work with your DNS team to point the domain at this load balancer's private IP.
Watch out for the next part for the rest of the setup.