If an existing WebSphere® Application Server Network Deployment OIDC Relying Party
TAI configuration is relatively simple, you can migrate the TAI configuration to your managed Liberty servers. You can alternatively configure an
OpenID Connect (OIDC) Relying Party (RP or client) to manage Liberty servers in your cell.
To migrate a relatively simple OIDC relying party TAI configuration, use the following information.
- Review the OIDC known issues and limitations to determine the restrictions for
migrating your OIDC configuration.
- Follow the instructions in Configuring an OpenID Connect Relying Party.
After you
migrate an existing OIDC TAI configuration, for it to be used on the managed
Liberty server, you must add a callback URL to your
OpenID Provider (OP). Use the following syntax for the callback URL.
https://(host):(port)/oidcclient/redirect/(providerId)
.
To configure an OIDC relying party to manage Liberty servers in a cell, complete the following
task.
Before you begin
Your keys and certificates must be loaded into keystores and truststores as described in the
following information.
- Make sure that you have keystores and truststores through one of the following methods.
- You use the default keystores and truststores.
- You configure keystores and truststores through the
wsadmin command or as
WebSphere managed keystores through the administrative console. If you use the administrative
console, go to the page where you configure the keystores by clicking
.
- Make sure that your keys and certificates are loaded into your keystores and truststores. For
more information, see the following topics:
About this task
You can create an OIDC configuration that is specific to the managed Liberty servers in your cell. This task uses the
administrative console. You can also use the wsadmin command to perform the same
function.
Procedure
- Determine the key and truststores for your configuration.
You can use the following short names for well-known keys and truststores:
CellDefaultKeyStore
CellDefaultTrustStore
NodeDefaultKeyStore
NodeDefaultTrustStore
If you want to use any other managed key or truststore, you can use the following format for the
value when you configure a key or truststore reference property:
name=STORE_NAME
managementScope=(cell):CELL_NAME:(node):NODE_NAME. The following code is an example of the
format:
name=myKeyStoreRef managementScope=(cell):myCell:(node):myNode
To
find the value for the managementScope option in the administrative console, select
. In the
table, find your keystore in the Management Scope column.
- Enable the OIDC feature by using the TAI configuration pages in the administrative
console.
- Click .
- If the Enable trust association field is not checked, check it,
and then click
Apply.
- Click
Interceptors.
- Click
New and enter openidConnectClient-1.0 in the
Interceptor class name field.
When you configure
openidConnectClient-1.0 as the class name for a trust
association interceptor and the
WebSphere Application Server Network Deployment servers start,
the following error message is displayed in the
SystemOut.log and
SystemErr.log files. Disregard the
message.
SECJ0125E: Trust Association Init Unable to load Trust Association class openidConnectClient-1.0.
- To customize how the OIDC feature behaves, add Liberty custom properties.
- Find the attribute names and values to configure.
To find the attribute names and values, see the Liberty
openidConnectClient properties.
You can use the following substitution variables:
${BOOTSTRAP_ADDRESS_host} for the hostname
${httpEndpoint_port} for the HTTP port
${httpEndpoint_secure_port} for the HTTPS port
- Determine the number of OIDC Relying Party (RP) entries that you want to
configure.
Each RP that you configure migrates to a separate openidConnectClient entry in
the managed Liberty server
server.xml file.
Each RP that you configure has an attribute that is specific to the RP, and
client_(n) is added as a prefix to each attribute.
For example, if you have two RPs, add client_1 as a prefix to one
RP and client_2 as a prefix to the other RP.
- Add the
client_(n). prefix to each attribute that you are
configuring.
The following example adds
client_(n). as a prefix to the
accessTokenCacheEnabled
attribute.
client_1.accessTokenCacheEnabled
The following example shows how to set values for the
authzParameter attribute
and the
tokenParameter attribute. The example has two
authzParameter attributes, which are specified as
authzParameter_1
and
authzParameter_2.
- The
client_1.authzParameter_1 attribute is set to the following
values.name=param1, value=param1Value
.
- The
client_1.authzParameter_2 attribute is set to the following
values.name=param2, value=param2Value
.
- The
client_1.tokenParameter_1 attribute is set to the following
values.name=param1, value=param1Value
- To configure the requests that your RPs intercept, add the
client_(n).authFilter_(n) properties.
See the Liberty
authFilter properties page to see the attribute names and values
that you can configure.
You can configure more than one authFilter property. The authentication filter conditions are
combined together through a logical AND. Example property names are
client_1.authFilter_1 and client_1.authFilter_2.
The value that you enter for the property depends on the filter type that you choose as shown in
the following examples.
- The
client_1.authFilter_1 attribute is set to the following
value.type=requestUrl, urlPattern=/SimpleServlet,
matchType=contains
- The
client_1.authFilter_2 attribute is set to the following
value.type=remoteAddress, value=127.0.0.1, matchType=greaterThan
- The
client_1.authFilter_3 attribute is set to the following value.
type=cookie, name=MyCookie, matchType=equals
- After you are finished entering properties, click OK and then
Save.
After the configuration is synchronized with each node, your OIDC configuration is available on
all managed Liberty servers in your cell.
- Configure your OpenID Provider with your new managed Liberty RP.
Follow the instructions for your OpenID Provider to set the following callback URL, where
id is the value for your
id property.
https://(host):(httpsPort)/oidcclient/redirect/(id)
You can find the HTTPS port of a Liberty server
with the following steps.
- In the administrative console, click .
- Expand Ports.
The HTTPS port number is the value for
the WC_defaulthost_secure port.