Configuring OAuth in WebSphere Application Server for Mobile App

Optionally, you can configure OAuth 2.0, an open standard for authorization, in WebSphere Application Server and use it as the authentication mechanism for the Mobile App.

About this task

When the Mobile App starts, it first attempts OAuth authentication (the resource owner password credentials grant, grant_type=password, which the validation step later in this procedure exercises with cURL). With OAuth, the app holds only the issued tokens; the user name and password are not stored on the mobile device.

If OAuth is not configured in WebSphere Application Server, the app falls back to basic authentication. In that case the user name and password are stored on the mobile device in encrypted form and are sent with every request.

Procedure

  1. Enable OAuth function in WebSphere Application Server.
    1. Enable application security.
      Validate that application security is enabled in your application server. Application security is not enabled by default in WebSphere Application Server.
      1. On the WebSphere Application Server administration console, click Security > Global security.
      2. Select Enable application security.
      3. Save your changes and restart the server.
    2. Enable OAuth services.
      1. Stop the server.
      2. At a command prompt, change location to the app_server_root/bin directory.

        The value of app_server_root on a Windows system might be C:\Program Files\IBM\Websphere\Appserver.

      3. Run one of the following commands. Successful completion displays the message ADMA5013I: Application WASOauth20SP installed successfully.
        • Single server: wsadmin -conntype NONE -f installOAuth2Service.py install nodeName serverName -profileName profileName
        • Cluster: wsadmin -f installOAuth2Service.py install clusterName

        Where:

        nodeName
        Node name of the target application server.
        serverName
        Name of the target application server.
        profileName
        Name of the profile where the OAuth service provider is installed.
        clusterName
        Name of the cluster where the OAuth service provider is installed.
    3. Enable the OAuth Trust Association interceptor.
      1. On the WebSphere Application Server administrative console, click Security > Global security > Security Domains > ISIMSecurity Domain.
      2. Under Security Attributes, expand Trust Association.
      3. Select the option Customize for this domain and check Enable trust association.
      4. Click Interceptors.
      5. Click New and create a new interceptor with an Interceptor class name of com.ibm.ws.security.oauth20.tai.OAuthTAI.
      6. Add three custom properties:
        • Name: provider_1.name

          Value: OAuthIsimm

          This is the name of the OAuth provider definition (OAuthIsimm.xml) that you copy in a later step.

        • Name: provider_1.filter

          Value: request-url^=isimm

          The filter restricts the interceptor to requests whose URL contains the Mobile App context root. If you specified a different web context root during the installation of the IBM® Security Identity Manager Mobile App WebSphere application, use that value instead of isimm.

        • Name: provider_1.oauthOnly

          Value: false

          With false, a request that carries no OAuth token is passed on to the other configured authentication mechanisms (such as basic authentication) instead of being rejected by the interceptor.

      7. Click OK and save the changes.
      8. Restart the IBM WebSphere Application Server.
      9. Click Security > Global security.
      10. Under Custom properties, specify this custom property information:

        Name: com.ibm.websphere.security.InvokeTAIbeforeSSO

        Value: com.ibm.ws.security.oauth20.tai.OAuthTAI

        If this custom property already exists, edit its value and append com.ibm.ws.security.oauth20.tai.OAuthTAI to the comma-separated list of interceptor class names.

      11. Click OK.
      12. Save the configuration.
      13. Restart WebSphere Application Server.
        Note: Verify that Trust Association is enabled after you restart WebSphere Application Server.
    4. Copy the OAuth Mediator JAR file.
      1. Extract the package isimmobileversion.zip (for example, isimmobile60-6.0.4.1.zip).
      2. Copy the oauth20/com.ibm.itim.security.oauth20.mediator.jar file to the app_server_root/plugins directory.
    5. Copy the mediator.properties file.
      1. Extract the package isimmobileversion.zip (for example, isimmobile60-6.0.4.1.zip).
      2. Copy the oauth20/mediator.properties file to the was_profile_root/properties directory.

        The value of was_profile_root on a Windows system might be C:\Program Files\IBM\Websphere\Appserver\Profiles\profileName.

      3. Uncomment and edit the properties that differ in your environment. A property that stays commented out keeps the default value shown. The provider.url value is the IIOP bootstrap address of the server that hosts IBM Security Identity Manager (2809 is the default BOOTSTRAP_ADDRESS port); change the host and port if the Identity Manager server is not local to the OAuth provider.
        #isimm.oauth.mediator.provider.url=corbaloc:iiop:localhost:2809
        #isimm.oauth.mediator.provider.realm=itimCustomRealm
        #isimm.oauth.mediator.contextFactory=com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextFactory
        #isimm.oauth.mediator.loginContext=WSLogin
    6. Define an OAuth provider and add an OAuth client.
      The OAuth provider is defined with a provider configuration file called OAuthIsimm.xml and the client is specified in the base.clients.xml file.
      1. Extract the package isimmobileversion.zip (for example, isimmobile60-6.0.4.1.zip).
      2. Copy the oauth20/OAuthIsimm.xml (the OAuth provider) and oauth20/base.clients.xml (the OAuth client) files to the was_profile_root/config/cells/cell_name/oauth20 directory. Create the oauth20 directory if it does not exist.
      3. Restart the WebSphere Application Server.
      Note: Granted tokens are held in memory only and are not persisted. After the OAuth services are restarted, tokens that were granted before the restart are no longer accepted. The client is prompted to authenticate again and continues with newly generated tokens.
    7. Validate OAuth function.

      Before you run the IBM Security Identity Manager Mobile App, validate that OAuth is configured properly in WebSphere Application Server by running two cURL commands. cURL is an open-source command-line utility for transferring data with URL syntax.

      If the commands run successfully, OAuth is configured properly in WebSphere Application Server.
      Note: You can download the cURL command-line utility from the Internet or obtain a Chrome browser plug-in that is named Dev HTTP Client from the Chrome web store.
      Example command 1
      Verify that tokens are granted only to valid IBM Security Identity Manager users. Obtain the client_id and client_secret values from the base.clients.xml file in the oauth20 folder of the isimmobileversion.zip package and substitute them in the following command (approver and passw0rd are the example user name and password):

      curl -k -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" -d "grant_type=password&client_id=client_id&client_secret=client_secret&username=approver&password=passw0rd" http://172.20.0.130:9080/oauth2/endpoint/OAuthIsimm/token

      Output is similar to this example (expires_in is the token lifetime in seconds):

      {"access_token":"ej3yNolPszGOzyO5FIJ1pExKktnvtE8N26NnCdua",
       "token_type":"bearer","expires_in":3599,"scope":"",
       "refresh_token":"wX6LoFw6Il6RKpN4AzDbZxNK5Tzt6Chhkpiy9ocYjfcmQodMFn"}

      Example command 2
      Verify that the granted token can be used to access the Mobile App API. Replace the placeholder with the access_token value from the output of command 1:

      curl -k -v --header "Authorization: Bearer access_token_from_command1_output" http://172.20.0.130:9080/isimm/apis/v1/persons

      The -v option generates detailed output. The response body is the same as when you open http://172.20.0.130:9080/isimm/apis/v1/persons in a web browser. Both example commands use plain HTTP and -k (which disables TLS certificate verification), which is acceptable only for a lab check: the password in command 1 and the bearer token in command 2 are otherwise sent in clear text, and the bearer token on its own grants access to the API. Against a production server, use the HTTPS port and omit -k.

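      The following script is an added example, not part of the IBM documentation. It chains the two cURL checks above into one validation run and adds two checks a practitioner would want: a wrong password must not yield a token, and the persons API must not answer without a token. The host, client credentials, user name, password and context root are supplied through the assumed environment variables ISIM_HOST, CLIENT_ID, CLIENT_SECRET, ISIM_USER, ISIM_PASS and CONTEXT_ROOT (placeholders, not names from the product). Because granted tokens are not persisted across an OAuth service restart, the script re-authenticates once when the API returns 401 before declaring failure.

```shell
#!/bin/sh
# Added validation script (not from the IBM documentation or the product).
# Assumed placeholders: ISIM_HOST (e.g. http://172.20.0.130:9080), CLIENT_ID,
# CLIENT_SECRET (from base.clients.xml), ISIM_USER, ISIM_PASS, CONTEXT_ROOT.
set -u

# Extract the access_token value from the token endpoint's JSON response.
# Prints an empty string when no token is present (e.g. an error response).
extract_token() {
  printf '%s' "$1" | sed -n 's/.*"access_token" *: *"\([^"]*\)".*/\1/p'
}

# Return 0 when the response body carries an access token, 1 otherwise.
token_granted() {
  [ -n "$(extract_token "$1")" ]
}

# HTTP status code of a request; body is discarded.
http_status() {
  curl -sk -o /dev/null -w '%{http_code}' "$@"
}

# Resource owner password grant, as the Mobile App uses it.
# --data-urlencode keeps special characters in the secret or password intact.
request_token() {   # $1=base URL $2=user $3=password
  curl -sk -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode "client_id=$CLIENT_ID" \
    --data-urlencode "client_secret=$CLIENT_SECRET" \
    --data-urlencode "username=$2" \
    --data-urlencode "password=$3" \
    "$1/oauth2/endpoint/OAuthIsimm/token"
}

validate_oauth() {   # $1=base URL
  base=$1
  api="$base/$CONTEXT_ROOT/apis/v1/persons"

  # 1. Valid credentials must yield a token (example command 1).
  token=$(extract_token "$(request_token "$base" "$ISIM_USER" "$ISIM_PASS")")
  [ -n "$token" ] || { echo "FAIL: no access_token for valid user" >&2; return 1; }

  # 2. Wrong password must not yield a token.
  if token_granted "$(request_token "$base" "$ISIM_USER" "wrong-$$")"; then
    echo "FAIL: token granted for a wrong password" >&2; return 1
  fi

  # 3. The bearer token must be accepted by the API (example command 2).
  status=$(http_status -H "Authorization: Bearer $token" "$api")
  if [ "$status" = 401 ]; then
    # Tokens live in memory only: after an OAuth service restart the old token
    # is rejected and the client has to authenticate again. Retry once.
    token=$(extract_token "$(request_token "$base" "$ISIM_USER" "$ISIM_PASS")")
    status=$(http_status -H "Authorization: Bearer $token" "$api")
  fi
  [ "$status" = 200 ] || { echo "FAIL: persons API returned HTTP $status" >&2; return 1; }

  # 4. Without any token the API must not return data (expect a 401 challenge,
  #    since application security is enabled and oauthOnly=false falls through
  #    to basic authentication).
  anon=$(http_status "$api")
  [ "$anon" != 200 ] || { echo "FAIL: persons API answered without a token" >&2; return 1; }

  echo "OK: token issued, bad password rejected, bearer token accepted by /$CONTEXT_ROOT"
}

# Runs only when a host is supplied, for example:
#   ISIM_HOST=http://172.20.0.130:9080 CLIENT_ID=... CLIENT_SECRET=... \
#   ISIM_USER=approver ISIM_PASS=passw0rd CONTEXT_ROOT=isimm sh validate_oauth.sh
if [ -n "${ISIM_HOST:-}" ]; then
  : "${CONTEXT_ROOT:=isimm}"
  validate_oauth "$ISIM_HOST"
fi
```

      Run it against the HTTPS port once the server certificate is trusted and drop -k from the curl calls; the plain-HTTP form mirrors the documentation's lab example only.
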
  2. Run the IBM Security Identity Manager Mobile App.
    1. Start the IBM Security Identity Manager Mobile App on your mobile device.
    2. Verify that the application runs successfully.